rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity

OpenSSH Rebase to 9.0p1

Browse Source 
Related: rhbz#2057466
This commit is contained in:
Dmitry Belyavskiy 2022-08-11 14:54:03 +02:00
parent 9fd6981674
commit 03150f6281
24 changed files with 168 additions and 811 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -54,3 +54,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-8.7p1.tar.gz.asc
/openssh-8.8p1.tar.gz
/openssh-8.8p1.tar.gz.asc
/openssh-9.0p1.tar.gz
/openssh-9.0p1.tar.gz.asc

10
openssh-5.8p2-sigpipe.patch
View File

@ -1,12 +1,14 @@
diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c
--- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200
+++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200
@@ -715,6 +715,8 @@ main(int argc, char **argv)
@@ -715,6 +715,9 @@ main(int argc, char **argv)
if (maxfd > fdlim_get(0))
fdlim_set(maxfd);
fdcon = xcalloc(maxfd, sizeof(con));
+
+ signal(SIGPIPE, SIG_IGN);
+
read_wait_nfdset = howmany(maxfd, NFDBITS);
read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask));
read_wait = xcalloc(maxfd, sizeof(struct pollfd));
for (j = 0; j < maxfd; j++)
read_wait[j].fd = -1;

4
openssh-6.6.1p1-log-in-chroot.patch
View File

@ -207,8 +207,8 @@ diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
{
fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
int i, r, in, out, ch, skipargs = 0, log_stderr = 0;
ssize_t len, olen;
@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname;

77
openssh-6.7p1-coverity.patch
View File

@ -1,37 +1,3 @@
diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c
--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100
@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n
if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen,
n) == -1) {
@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char *
if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (sa != NULL) {
- if (slen < ai->ai_addrlen)
+ if (slen < ai->ai_addrlen) {
+ freeaddrinfo(ai);
return -1;
+ }
memcpy(sa, &ai->ai_addr, ai->ai_addrlen);
}
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
@ -65,15 +31,6 @@ diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh,
debug("channel %d: connection failed: %s",
c->self, strerror(err));
/* Try next address, if any */
- if ((sock = connect_next(&c->connect_ctx)) > 0) {
+ if ((sock = connect_next(&c->connect_ctx)) >= 0) {
close(c->sock);
c->sock = c->rfd = c->wfd = sock;
channel_find_maxfd(ssh->chanctxt);
@@ -3804,7 +3804,7 @@ int
channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
{
@ -411,30 +368,6 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
continue;
}
lname = ls_file(fname, g.gl_statv[i], 1,
diff --git a/sftp-client.c b/sftp-client.c
index 9de9afa20f..ea98d9f8d0 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -2195,6 +2195,7 @@ handle_dest_replies(struct sftp_conn *to, const char *to_path, int synchronous,
(*nreqsp)--;
}
debug3_f("done: %u outstanding replies", *nreqsp);
+ sshbuf_free(msg);
}
int
diff --git a/sftp-server.c b/sftp-server.c
index 18d1949112..6380c4dd23 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1553,6 +1553,7 @@ process_extended_expand(u_int32_t id)
npath = xstrdup(path + 2);
free(path);
xasprintf(&path, "%s/%s", cwd, npath);
+ free(npath);
} else {
/* ~user expansions */
if (tilde_expand(path, pw->pw_uid, &npath) != 0) {
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100
@ -494,16 +427,6 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
return 0;
}
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
explicit_bzero(rnd, sizeof(rnd));
}
}
+
+ if (fdset != NULL)
+ free(fdset);
}
/*
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
if (newstr)

4
openssh-7.3p1-x11-max-displays.patch
View File

@ -10,8 +10,8 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
+/* Minimum port number for X11 forwarding */
+#define X11_PORT_MIN 6000
/* Per-channel callback for pre/post select() actions */
typedef void chan_fn(struct ssh *, Channel *c,
/* Per-channel callback for pre/post IO actions */
typedef void chan_fn(struct ssh *, Channel *c);
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
*/
int

18
openssh-7.6p1-audit.patch
View File

@ -729,7 +729,7 @@ diff -up openssh-8.6p1/auth2.c.audit openssh-8.6p1/auth2.c
--- openssh-8.6p1/auth2.c.audit 2021-04-19 16:47:35.682061561 +0200
+++ openssh-8.6p1/auth2.c 2021-04-19 16:47:35.754062114 +0200
@@ -298,9 +298,6 @@ input_userauth_request(int type, u_int32
} else {
authctxt->valid = 0;
/* Invalid user, fake password information */
authctxt->pw = fakepw();
-#ifdef SSH_AUDIT_EVENTS
@ -1195,9 +1195,9 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
- sigalg, ssh->compat, &sig_details);
debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key),
debug3_f("%s %s signature using %s %s%s%s", auth_method,
sshkey_type(key), sigalg == NULL ? "default" : sigalg,
(ret == 0) ? "verified" : "unverified",
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
@@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
}
@ -2040,7 +2040,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
static char *listener_proctitle;
@@ -279,6 +280,15 @@ close_listen_socks(void)
num_listen_socks = -1;
num_listen_socks = 0;
}
+/*
@ -2049,16 +2049,16 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
+ */
+int listening_for_clients(void)
+{
+ return num_listen_socks >= 0;
+ return num_listen_socks > 0;
+}
+
static void
close_startup_pipes(void)
{
@@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
}
ssh_remote_port(the_active_state));
}
-/* Destroy the host and server keys. They will no longer be needed. */
+/*
+ * Destroy the host and server keys. They will no longer be needed. Careful,
@ -2196,8 +2196,8 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
-server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
{
fd_set *fdset;
int i, j, ret, maxfd;
struct pollfd *pfd = NULL;
int i, j, ret, npfd;
@@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",

2
openssh-7.7p1-fips.patch
View File

@ -321,7 +321,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200
@@ -66,6 +66,7 @@
#include <grp.h>
#endif
#include <pwd.h>
#include <signal.h>
+#include <syslog.h>

2
openssh-7.8p1-UsePAM-warning.patch
View File

@ -3,7 +3,7 @@ diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
+++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
@@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL);
cfg, &includes, NULL, rexeced_flag);
+ /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam)

6
openssh-7.8p1-role-mls.patch
View File

@ -93,7 +93,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#endif
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
(r = sshbuf_put_cstring(b, method)) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
@ -240,14 +240,14 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{
@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
{
struct sshbuf *b;
struct sshkey *hostkey = NULL;
const u_char *p;
- char *userstyle, *cp;
+ char *userstyle, *s, *cp;
size_t len;
u_char type;
int r, fail = 0;
int hostbound = 0, r, fail = 0;
@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)

18
openssh-8.0p1-crypto-policies.patch
View File

@ -92,7 +92,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -1219,29 +1216,25 @@
@@ -1219,30 +1216,25 @@
and
.Cm pam .
.It Cm KexAlgorithms
@ -120,6 +120,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5
-default set.
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
@ -327,7 +328,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased
@@ -799,26 +794,13 @@
@@ -799,25 +794,14 @@
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
@ -338,7 +339,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
+.Pp
Specifies the host key signature algorithms
that the server offers.
-The default for this option is:
The default for this option is:
-.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
@ -348,12 +349,11 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
The list of available signature algorithms may also be obtained using
@ -389,12 +389,13 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -1010,15 +997,6 @@
@@ -1010,16 +997,6 @@
sntrup761x25519-sha512@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com,
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
@ -452,7 +453,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
@@ -1548,37 +1522,25 @@
@@ -1548,36 +1522,25 @@
The default is
.Cm yes .
.It Cm PubkeyAcceptedAlgorithms
@ -488,12 +489,11 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-rsa-sha2-512,rsa-sha2-256
-.Ed
+built-in openssh default set.
.Pp

24
openssh-8.0p1-gssapi-keyex.patch
View File

@ -16,7 +16,7 @@ index e7549470..b68c1710 100644
monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
srclimit.o sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff -up a/auth.c.gsskex b/auth.c
@ -135,7 +135,7 @@ index 9351e042..d6446c0c 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -224,7 +224,7 @@ index 9351e042..d6446c0c 100644
+
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
NULL,
diff --git a/auth2.c b/auth2.c
index 0e776224..1c217268 100644
--- a/auth2.c
@ -375,8 +375,8 @@ index ebd0dbca..1bdac6a4 100644
+#include "ssh-gss.h"
+#endif
+
/* import options */
extern Options options;
/* Permitted RSA signature algorithms for UpdateHostkeys proofs */
#define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256"
@@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
break;
@ -384,7 +384,7 @@ index ebd0dbca..1bdac6a4 100644
/* Do channel operations unless rekeying in progress. */
- if (!ssh_packet_is_rekeying(ssh))
+ if (!ssh_packet_is_rekeying(ssh)) {
channel_after_select(ssh, readset, writeset);
channel_after_poll(ssh, pfd, npfd_active);
+#ifdef GSSAPI
+ if (options.gss_renewal_rekey &&
@ -396,8 +396,8 @@ index ebd0dbca..1bdac6a4 100644
+ }
+
/* Buffer input from the connection. */
client_process_net_input(ssh, readset);
if (conn_in_ready)
client_process_net_input(ssh);
diff --git a/configure.ac b/configure.ac
index b689db4b..efafb6bd 100644
--- a/configure.ac
@ -1370,9 +1370,9 @@ index ce85f043..574c7609 100644
+#ifdef GSSAPI
+ free(kex->gss_host);
+#endif /* GSSAPI */
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
free(kex->failed_choice);
free(kex->hostkey_alg);
free(kex->name);
diff --git a/kex.h b/kex.h
index a5ae6ac0..fe714141 100644
--- a/kex.h
@ -3011,7 +3011,7 @@ diff -up a/readconf.c.gsskex b/readconf.c
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -2463,8 +2516,18 @@ fill_default_options(Options * options)
options->pubkey_authentication = 1;
options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
+ if (options->gss_keyex == -1)
@ -3886,7 +3886,7 @@ index 57995ee6..fd5b7724 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = {
KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 },
# endif /* ENABLE_SK */
# endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 },

49
openssh-8.0p1-pkcs11-uri.patch
View File

@ -92,9 +92,9 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in
rm -f regress/unittests/utf8/test_utf8
+ rm -f regress/unittests/pkcs11/*.o
+ rm -f regress/unittests/pkcs11/test_pkcs11
(cd openbsd-compat && $(MAKE) distclean)
if test -d pkg ; then \
rm -fr pkg ; \
rm -f regress/misc/sk-dummy/*.o
rm -f regress/misc/sk-dummy/*.lo
rm -f regress/misc/sk-dummy/sk-dummy.so
@@ -513,6 +517,7 @@ regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/sshkey
$(MKDIR_P) `pwd`/regress/unittests/sshsig
@ -876,22 +876,23 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c
--- openssh-8.7p1/ssh-add.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/ssh-add.c 2021-08-30 13:07:43.664700104 +0200
@@ -68,6 +68,7 @@
#include "digest.h"
#include "ssh-sk.h"
#include "sk-api.h"
#include "hostfile.h"
+#include "ssh-pkcs11-uri.h"
/* argv0 */
extern char *__progname;
@@ -229,6 +230,32 @@ delete_all(int agent_fd, int qflag)
@@ -229,6 +230,34 @@ delete_all(int agent_fd, int qflag)
return ret;
}
+#ifdef ENABLE_PKCS11
+static int update_card(int, int, const char *, int, char *);
+static int update_card(int, int, const char *, int, struct dest_constraint **, size_t, char *);
+
+int
+update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag)
+update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag,
+ struct dest_constraint **dest_constraints, size_t ndest_constraints)
+{
+ char *pin = NULL;
+ struct pkcs11_uri *uri;
@ -909,19 +910,20 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c
+ }
+ pkcs11_uri_cleanup(uri);
+
+ return update_card(agent_fd, adding, pkcs11_uri, qflag, pin);
+ return update_card(agent_fd, adding, pkcs11_uri, qflag,
+ dest_constraints, ndest_constraints, pin);
+}
+#endif
+
static int
add_file(int agent_fd, const char *filename, int key_only, int qflag,
const char *skprovider)
const char *skprovider, struct dest_constraint **dest_constraints,
@@ -445,12 +472,11 @@ add_file(int agent_fd, const char *filen
}
static int
-update_card(int agent_fd, int add, const char *id, int qflag)
+update_card(int agent_fd, int add, const char *id, int qflag, char *pin)
update_card(int agent_fd, int add, const char *id, int qflag,
- struct dest_constraint **dest_constraints, size_t ndest_constraints)
+ struct dest_constraint **dest_constraints, size_t ndest_constraints, char *pin)
{
- char *pin = NULL;
int r, ret = -1;
@ -931,15 +933,16 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c
if ((pin = read_passphrase("Enter passphrase for PKCS#11: ",
RP_ALLOW_STDIN)) == NULL)
return -1;
@@ -630,6 +656,13 @@ static int
do_file(int agent_fd, int deleting, int key_only, char *file, int qflag,
const char *skprovider)
@@ -630,6 +656,14 @@ static int
const char *skprovider, struct dest_constraint **dest_constraints,
size_t ndest_constraints)
{
+#ifdef ENABLE_PKCS11
+ if (strlen(file) >= strlen(PKCS11_URI_SCHEME) &&
+ strncmp(file, PKCS11_URI_SCHEME,
+ strlen(PKCS11_URI_SCHEME)) == 0) {
+ return update_pkcs11_uri(agent_fd, !deleting, file, qflag);
+ return update_pkcs11_uri(agent_fd, !deleting, file, qflag,
+ dest_constraints, ndest_constraints);
+ }
+#endif
if (deleting) {
@ -949,8 +952,8 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c
}
if (pkcs11provider != NULL) {
if (update_card(agent_fd, !deleting, pkcs11provider,
- qflag) == -1)
+ qflag, NULL) == -1)
- qflag, dest_constraints, ndest_constraints) == -1)
+ qflag, dest_constraints, ndest_constraints, NULL) == -1)
ret = 1;
goto done;
}
@ -1080,7 +1083,7 @@ diff -up openssh-8.7p1/ssh-agent.c.pkcs11-uri openssh-8.7p1/ssh-agent.c
+ free(sane_uri);
free(keys);
free(comments);
send_status(e, success);
free_dest_constraints(dest_constraints, ndest_constraints);
@@ -918,7 +976,7 @@ send:
static void
process_remove_smartcard_key(SocketEntry *e)
@ -1544,7 +1547,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
static RSA_METHOD *rsa_method;
@@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method;
static int ec_key_idx = 0;
#endif
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+/*
+ * This can't be in the ssh-pkcs11-uri, becase we can not depend on
@ -1739,9 +1742,9 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c
struct pkcs11_key *k11;
@@ -614,6 +764,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider
k11->keyid = xmalloc(k11->keyid_len);
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
k11->keyid = xmalloc(k11->keyid_len);
memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len);
}
+ if (label_attrib->ulValueLen > 0 ) {
+ k11->label = xmalloc(label_attrib->ulValueLen+1);
+ memcpy(k11->label, label_attrib->pValue, label_attrib->ulValueLen);

151
openssh-8.7p1-host-based-auth.patch
View File

@ -1,151 +0,0 @@
diff --color -rup a/sshconnect2.c b/sshconnect2.c
--- a/sshconnect2.c 2022-07-11 17:00:02.618575727 +0200
+++ b/sshconnect2.c 2022-07-11 17:03:05.096085690 +0200
@@ -2288,9 +2288,9 @@ userauth_hostbased(struct ssh *ssh)
if (authctxt->sensitive->keys[i] == NULL ||
authctxt->sensitive->keys[i]->type == KEY_UNSPEC)
continue;
- if (match_pattern_list(
+ if (!sshkey_match_keyname_to_sigalgs(
sshkey_ssh_name(authctxt->sensitive->keys[i]),
- authctxt->active_ktype, 0) != 1)
+ authctxt->active_ktype))
continue;
/* we take and free the key */
private = authctxt->sensitive->keys[i];
@@ -2316,7 +2316,8 @@ userauth_hostbased(struct ssh *ssh)
error_f("sshkey_fingerprint failed");
goto out;
}
- debug_f("trying hostkey %s %s", sshkey_ssh_name(private), fp);
+ debug_f("trying hostkey %s %s using sigalg %s",
+ sshkey_ssh_name(private), fp, authctxt->active_ktype);
/* figure out a name for the client host */
lname = get_local_name(ssh_packet_get_connection_in(ssh));
diff --color -rup a/sshkey.c b/sshkey.c
--- a/sshkey.c 2022-07-11 17:00:02.609575554 +0200
+++ b/sshkey.c 2022-07-11 17:12:30.905976443 +0200
@@ -252,6 +252,29 @@ sshkey_ecdsa_nid_from_name(const char *n
return -1;
}
+int
+sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs)
+{
+ int ktype;
+
+ if (sigalgs == NULL || *sigalgs == '\0' ||
+ (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)
+ return 0;
+ else if (ktype == KEY_RSA) {
+ return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1;
+ } else if (ktype == KEY_RSA_CERT) {
+ return match_pattern_list("ssh-rsa-cert-v01@openssh.com",
+ sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
+ sigalgs, 0) == 1 ||
+ match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
+ sigalgs, 0) == 1;
+ } else
+ return match_pattern_list(keyname, sigalgs, 0) == 1;
+}
+
char *
sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
{
diff --color -rup a/sshkey.h b/sshkey.h
--- a/sshkey.h 2022-07-11 17:00:02.603575438 +0200
+++ b/sshkey.h 2022-07-11 17:13:01.052556879 +0200
@@ -194,6 +194,10 @@ int sshkey_is_cert(const struct sshkey
int sshkey_is_sk(const struct sshkey *);
int sshkey_type_is_cert(int);
int sshkey_type_plain(int);
+
+/* Returns non-zero if key name match sigalgs pattern list. (handles RSA) */
+int sshkey_match_keyname_to_sigalgs(const char *, const char *);
+
int sshkey_to_certified(struct sshkey *);
int sshkey_drop_cert(struct sshkey *);
int sshkey_cert_copy(const struct sshkey *, struct sshkey *);
diff --color -rup a/ssh-keysign.c b/ssh-keysign.c
--- a/ssh-keysign.c 2021-08-20 06:03:49.000000000 +0200
+++ b/ssh-keysign.c 2022-07-11 17:00:23.306973667 +0200
@@ -62,7 +62,7 @@
extern char *__progname;
static int
-valid_request(struct passwd *pw, char *host, struct sshkey **ret,
+valid_request(struct passwd *pw, char *host, struct sshkey **ret, char **pkalgp,
u_char *data, size_t datalen)
{
struct sshbuf *b;
@@ -75,6 +75,8 @@ valid_request(struct passwd *pw, char *h
if (ret != NULL)
*ret = NULL;
+ if (pkalgp != NULL)
+ *pkalgp = NULL;
fail = 0;
if ((b = sshbuf_from(data, datalen)) == NULL)
@@ -122,8 +124,6 @@ valid_request(struct passwd *pw, char *h
fail++;
} else if (key->type != pktype)
fail++;
- free(pkalg);
- free(pkblob);
/* client host name, handle trailing dot */
if ((r = sshbuf_get_cstring(b, &p, &len)) != 0)
@@ -154,8 +154,19 @@ valid_request(struct passwd *pw, char *h
if (fail)
sshkey_free(key);
- else if (ret != NULL)
- *ret = key;
+ else {
+ if (ret != NULL) {
+ *ret = key;
+ key = NULL;
+ }
+ if (pkalgp != NULL) {
+ *pkalgp = pkalg;
+ pkalg = NULL;
+ }
+ }
+ sshkey_free(key);
+ free(pkalg);
+ free(pkblob);
return (fail ? -1 : 0);
}
@@ -170,7 +181,7 @@ main(int argc, char **argv)
struct passwd *pw;
int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
u_char *signature, *data, rver;
- char *host, *fp;
+ char *host, *fp, *pkalg;
size_t slen, dlen;
if (pledge("stdio rpath getpw dns id", NULL) != 0)
@@ -258,7 +269,7 @@ main(int argc, char **argv)
if ((r = sshbuf_get_string(b, &data, &dlen)) != 0)
fatal_r(r, "%s: buffer error", __progname);
- if (valid_request(pw, host, &key, data, dlen) < 0)
+ if (valid_request(pw, host, &key, &pkalg, data, dlen) < 0)
fatal("%s: not a valid request", __progname);
free(host);
@@ -279,7 +290,7 @@ main(int argc, char **argv)
}
if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen,
- NULL, NULL, NULL, 0)) != 0)
+ pkalg, NULL, NULL, 0)) != 0)
fatal_r(r, "%s: sshkey_sign failed", __progname);
free(data);

7
openssh-8.7p1-ibmca.patch
View File

@ -4,9 +4,8 @@
#include "includes.h"
-#ifndef HAVE_CLOSEFROM
+#if (!defined HAVE_CLOSEFROM) || (defined __s390__)
-#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM)
+#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM) || (defined __s390__)
#include <sys/types.h>
#include <sys/param.h>
#include <unistd.h>

194
openssh-8.7p1-minimize-sha1-use.patch
View File

@ -1,194 +0,0 @@
diff --color -ru a/clientloop.c b/clientloop.c
--- a/clientloop.c 2022-06-29 16:35:06.677597259 +0200
+++ b/clientloop.c 2022-06-29 16:40:29.737926205 +0200
@@ -116,6 +116,9 @@
#include "ssh-gss.h"
#endif
+/* Permitted RSA signature algorithms for UpdateHostkeys proofs */
+#define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256"
+
/* import options */
extern Options options;
@@ -2110,8 +2113,10 @@
struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx;
size_t i, ndone;
struct sshbuf *signdata;
- int r, kexsigtype, use_kexsigtype;
+ int r, plaintype;
const u_char *sig;
+ const char *rsa_kexalg = NULL;
+ char *alg = NULL;
size_t siglen;
if (ctx->nnew == 0)
@@ -2122,9 +2127,9 @@
hostkeys_update_ctx_free(ctx);
return;
}
- kexsigtype = sshkey_type_plain(
- sshkey_type_from_name(ssh->kex->hostkey_alg));
-
+ if (sshkey_type_plain(sshkey_type_from_name(
+ ssh->kex->hostkey_alg)) == KEY_RSA)
+ rsa_kexalg = ssh->kex->hostkey_alg;
if ((signdata = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
/*
@@ -2135,6 +2140,7 @@
for (ndone = i = 0; i < ctx->nkeys; i++) {
if (ctx->keys_match[i])
continue;
+ plaintype = sshkey_type_plain(ctx->keys[i]->type);
/* Prepare data to be signed: session ID, unique string, key */
sshbuf_reset(signdata);
if ( (r = sshbuf_put_cstring(signdata,
@@ -2148,19 +2154,33 @@
error_fr(r, "parse sig");
goto out;
}
+ if ((r = sshkey_get_sigtype(sig, siglen, &alg)) != 0) {
+ error_fr(r, "server gave unintelligible signature "
+ "for %s key %zu", sshkey_type(ctx->keys[i]), i);
+ goto out;
+ }
/*
- * For RSA keys, prefer to use the signature type negotiated
- * during KEX to the default (SHA1).
+ * Special case for RSA keys: if a RSA hostkey was negotiated,
+ * then use its signature type for verification of RSA hostkey
+ * proofs. Otherwise, accept only RSA-SHA256/512 signatures.
*/
- use_kexsigtype = kexsigtype == KEY_RSA &&
- sshkey_type_plain(ctx->keys[i]->type) == KEY_RSA;
- debug3_f("verify %s key %zu using %s sigalg",
- sshkey_type(ctx->keys[i]), i,
- use_kexsigtype ? ssh->kex->hostkey_alg : "default");
+ if (plaintype == KEY_RSA && rsa_kexalg == NULL &&
+ match_pattern_list(alg, HOSTKEY_PROOF_RSA_ALGS, 0) != 1) {
+ debug_f("server used untrusted RSA signature algorithm "
+ "%s for key %zu, disregarding", alg, i);
+ free(alg);
+ /* zap the key from the list */
+ sshkey_free(ctx->keys[i]);
+ ctx->keys[i] = NULL;
+ ndone++;
+ continue;
+ }
+ debug3_f("verify %s key %zu using sigalg %s",
+ sshkey_type(ctx->keys[i]), i, alg);
+ free(alg);
if ((r = sshkey_verify(ctx->keys[i], sig, siglen,
sshbuf_ptr(signdata), sshbuf_len(signdata),
- use_kexsigtype ? ssh->kex->hostkey_alg : NULL, 0,
- NULL)) != 0) {
+ plaintype == KEY_RSA ? rsa_kexalg : NULL, 0, NULL)) != 0) {
error_fr(r, "server gave bad signature for %s key %zu",
sshkey_type(ctx->keys[i]), i);
goto out;
diff --color -ru a/kex.c b/kex.c
--- a/kex.c 2022-06-29 16:35:06.775599179 +0200
+++ b/kex.c 2022-06-29 16:42:00.839710940 +0200
@@ -959,6 +959,18 @@
return (1);
}
+/* returns non-zero if proposal contains any algorithm from algs */
+static int
+has_any_alg(const char *proposal, const char *algs)
+{
+ char *cp;
+
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
+ return 0;
+ free(cp);
+ return 1;
+}
+
static int
kex_choose_conf(struct ssh *ssh)
{
@@ -994,6 +1006,16 @@
free(ext);
}
+ /* Check whether client supports rsa-sha2 algorithms */
+ if (kex->server && (kex->flags & KEX_INITIAL)) {
+ if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com"))
+ kex->flags |= KEX_RSA_SHA2_256_SUPPORTED;
+ if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com"))
+ kex->flags |= KEX_RSA_SHA2_512_SUPPORTED;
+ }
+
/* Algorithm Negotiation */
if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS],
sprop[PROPOSAL_KEX_ALGS])) != 0) {
diff --color -ru a/kex.h b/kex.h
--- a/kex.h 2022-06-29 16:35:06.766599003 +0200
+++ b/kex.h 2022-06-29 16:42:24.199168567 +0200
@@ -116,6 +116,8 @@
#define KEX_INIT_SENT 0x0001
#define KEX_INITIAL 0x0002
+#define KEX_RSA_SHA2_256_SUPPORTED 0x0008 /* only set in server for now */
+#define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */
struct sshenc {
char *name;
diff --color -ru a/serverloop.c b/serverloop.c
--- a/serverloop.c 2021-08-20 06:03:49.000000000 +0200
+++ b/serverloop.c 2022-06-29 16:45:05.902336428 +0200
@@ -684,16 +684,18 @@
struct sshbuf *resp = NULL;
struct sshbuf *sigbuf = NULL;
struct sshkey *key = NULL, *key_pub = NULL, *key_prv = NULL;
- int r, ndx, kexsigtype, use_kexsigtype, success = 0;
+ int r, ndx, success = 0;
const u_char *blob;
+ const char *sigalg, *kex_rsa_sigalg = NULL;
u_char *sig = 0;
size_t blen, slen;
if ((resp = sshbuf_new()) == NULL || (sigbuf = sshbuf_new()) == NULL)
fatal_f("sshbuf_new");
- kexsigtype = sshkey_type_plain(
- sshkey_type_from_name(ssh->kex->hostkey_alg));
+ if (sshkey_type_plain(sshkey_type_from_name(
+ ssh->kex->hostkey_alg)) == KEY_RSA)
+ kex_rsa_sigalg = ssh->kex->hostkey_alg;
while (ssh_packet_remaining(ssh) > 0) {
sshkey_free(key);
key = NULL;
@@ -726,16 +728,24 @@
* For RSA keys, prefer to use the signature type negotiated
* during KEX to the default (SHA1).
*/
- use_kexsigtype = kexsigtype == KEY_RSA &&
- sshkey_type_plain(key->type) == KEY_RSA;
+ sigalg = NULL;
+ if (sshkey_type_plain(key->type) == KEY_RSA) {
+ if (kex_rsa_sigalg != NULL)
+ sigalg = kex_rsa_sigalg;
+ else if (ssh->kex->flags & KEX_RSA_SHA2_512_SUPPORTED)
+ sigalg = "rsa-sha2-512";
+ else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED)
+ sigalg = "rsa-sha2-256";
+ }
+ debug3_f("sign %s key (index %d) using sigalg %s",
+ sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg);
if ((r = sshbuf_put_cstring(sigbuf,
"hostkeys-prove-00@openssh.com")) != 0 ||
(r = sshbuf_put_stringb(sigbuf,
ssh->kex->session_id)) != 0 ||
(r = sshkey_puts(key, sigbuf)) != 0 ||
(r = ssh->kex->sign(ssh, key_prv, key_pub, &sig, &slen,
- sshbuf_ptr(sigbuf), sshbuf_len(sigbuf),
- use_kexsigtype ? ssh->kex->hostkey_alg : NULL)) != 0 ||
+ sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), sigalg)) != 0 ||
(r = sshbuf_put_string(resp, sig, slen)) != 0) {
error_fr(r, "assemble signature");
goto out;

19
openssh-8.7p1-minrsabits.patch
View File

@ -204,22 +204,25 @@ index a926cc007..cd13fb879 100644
break;
case SSH_ERR_INTERNAL_ERROR:
case SSH_ERR_ALLOC_FAIL:
@@ -1557,12 +1565,13 @@ main(int ac, char **av)
@@ -1565,7 +1573,7 @@ main(int ac, char **av)
if ((o) >= sensitive_data.nkeys) \
fatal_f("pubkey out of array bounds"); \
check_load(sshkey_load_public(p, &(sensitive_data.keys[o]), NULL), \
- p, "pubkey"); \
+ &(sensitive_data.keys[o]), p, "pubkey"); \
} while (0)
if (sensitive_data.keys[o] != NULL) \
debug2("hostbased key %d: %s key from \"%s\"", o, \
sshkey_ssh_name(sensitive_data.keys[o]), p); \
@@ -1573,7 +1581,8 @@ main(int ac, char **av)
#define L_CERT(p,o) do { \
if ((o) >= sensitive_data.nkeys) \
fatal_f("cert out of array bounds"); \
- check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), p, "cert"); \
+ check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), \
+ &(sensitive_data.keys[o]), p, "cert"); \
} while (0)
if (options.hostbased_authentication == 1) {
if (sensitive_data.keys[o] != NULL) \
debug2("hostbased key %d: %s cert from \"%s\"", o, \
sshkey_ssh_name(sensitive_data.keys[o]), p); \
@@ -2244,7 +2253,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo)
filename = default_client_percent_dollar_expand(cp, cinfo);
free(cp);
@ -263,9 +266,9 @@ index 67f8e0309..d050c1656 100644
xxx_conn_info) == -1)
fatal("Host key verification failed.");
@@ -1747,6 +1751,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt)
close(agent_fd);
} else {
for (j = 0; j < idlist->nkeys; j++) {
/* list of keys supported by the agent */
if ((r = get_agent_identities(ssh, &agent_fd, &idlist)) == 0) {
for (j = 0; j < idlist->nkeys; j++) {
+ if ((r = sshkey_check_rsa_length(idlist->keys[j],
+ options.rsa_min_size)) != 0) {
+ debug_fr(r, "ignoring %s agent key",

22
openssh-8.7p1-negotiate-supported-algs.patch
View File

@ -2,8 +2,8 @@ diff --color -rup a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
--- a/regress/hostkey-agent.sh 2021-08-20 06:03:49.000000000 +0200
+++ b/regress/hostkey-agent.sh 2022-07-14 11:58:12.172786060 +0200
@@ -13,8 +13,12 @@ r=$?
grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig
echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig
${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA"
+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
+ grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
@ -12,18 +12,18 @@ diff --color -rup a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh
trace "load hostkeys"
-for k in $SSH_KEYTYPES ; do
+for k in $SSH_ACCEPTED_KEYTYPES ; do
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
(
printf 'localhost-with-alias,127.0.0.1,::1 '
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \
-I localhost-with-alias $OBJ/agent-key.$k.pub || \
@@ -31,7 +35,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_host
unset SSH_AUTH_SOCK
for ps in yes; do
- for k in $SSH_KEYTYPES ; do
+ for k in $SSH_ACCEPTED_KEYTYPES ; do
verbose "key type $k privsep=$ps"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
-for k in $SSH_KEYTYPES ; do
+for k in $SSH_ACCEPTED_KEYTYPES ; do
verbose "key type $k"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
diff --color -rup a/sshconnect2.c b/sshconnect2.c
--- a/sshconnect2.c 2022-07-14 10:10:07.262975710 +0200
+++ b/sshconnect2.c 2022-07-14 10:10:32.068452067 +0200

51
openssh-8.7p1-recursive-scp.patch
View File

@ -7,9 +7,9 @@ diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c
if (upload_dir(conn, src, abs_dst, pflag,
- SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) {
+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
error("failed to upload directory %s to %s",
src, abs_dst);
errs = 1;
error("failed to upload directory %s to %s", src, targ);
errs = 1;
}
diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
--- openssh-8.7p1/sftp-client.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp-client.c 2022-02-07 12:47:59.117516131 +0100
@ -22,11 +22,13 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
{
struct sshbuf *msg;
u_int expected_id, count, id;
@@ -1012,9 +1012,38 @@ do_realpath_expand(struct sftp_conn *con
if ((r = sshbuf_get_u32(msg, &status)) != 0)
@@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con
if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
(r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
fatal_fr(r, "parse status");
- error("Couldn't canonicalize: %s", fx2txt(status));
- error("%s %s: %s", expand ? "expand" : "realpath",
- path, *errmsg == '\0' ? fx2txt(status) : errmsg);
- free(errmsg);
- sshbuf_free(msg);
- return NULL;
+ if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) {
@ -35,29 +37,34 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
+ sshbuf_free(msg);
+ return NULL;
+ }
+
+ debug2("Sending SSH2_FXP_REALPATH \"%s\" - create dir", path);
+ send_string_request(conn, id, SSH2_FXP_REALPATH,
+ path, strlen(path));
+
+ get_msg(conn, msg);
+ if ((r = sshbuf_get_u8(msg, &type)) != 0 ||
+ (r = sshbuf_get_u32(msg, &id)) != 0)
+ (r = sshbuf_get_u32(msg, &id)) != 0)
+ fatal_fr(r, "parse");
+
+ if (id != expected_id)
+ fatal("ID mismatch (%u != %u)", id, expected_id);
+
+ if (type == SSH2_FXP_STATUS) {
+ u_int status;
+ free(errmsg);
+
+ if ((r = sshbuf_get_u32(msg, &status)) != 0)
+ if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
+ (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
+ fatal_fr(r, "parse status");
+ error("Couldn't canonicalize: %s", fx2txt(status));
+ error("%s %s: %s", expand ? "expand" : "realpath",
+ path, *errmsg == '\0' ? fx2txt(status) : errmsg);
+ free(errmsg);
+ sshbuf_free(msg);
+ return NULL;
+ }
+ } else {
+ error("Couldn't canonicalize: %s", fx2txt(status));
+ error("%s %s: %s", expand ? "expand" : "realpath",
+ path, *errmsg == '\0' ? fx2txt(status) : errmsg);
+ free(errmsg);
+ sshbuf_free(msg);
+ return NULL;
+ }
@ -94,9 +101,9 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
- if ((src_canon = do_realpath(conn, src)) == NULL) {
+ if ((src_canon = do_realpath(conn, src, 0)) == NULL) {
error("Unable to canonicalize path \"%s\"", src);
return -1;
}
error("download \"%s\": path canonicalization failed", src);
return -1;
}
@@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co
int
upload_dir(struct sftp_conn *conn, const char *src, const char *dst,
@ -109,18 +116,18 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
- if ((dst_canon = do_realpath(conn, dst)) == NULL) {
+ if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) {
error("Unable to canonicalize path \"%s\"", dst);
return -1;
}
error("upload \"%s\": path canonicalization failed", dst);
return -1;
}
@@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st
char *from_path_canon;
int ret;
- if ((from_path_canon = do_realpath(from, from_path)) == NULL) {
+ if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) {
error("Unable to canonicalize path \"%s\"", from_path);
return -1;
}
error("crossload \"%s\": path canonicalization failed",
from_path);
return -1;
diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h
--- openssh-8.7p1/sftp-client.h.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp-client.h 2022-02-07 12:31:07.410740433 +0100

37
openssh-8.7p1-scp-clears-file.patch
View File

@ -1,21 +1,20 @@
diff --color -rup a/scp.c b/scp.c
--- a/scp.c 2022-07-26 14:51:40.560120817 +0200
+++ b/scp.c 2022-07-26 14:52:37.118213004 +0200
@@ -1324,12 +1324,12 @@ source_sftp(int argc, char *src, char *t
if (src_is_dir && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
@@ -1324,11 +1324,11 @@ source_sftp(int argc, char *src, char *t
if (src_is_dir && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
- SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {
error("failed to upload directory %s to %s",
src, abs_dst);
errs = 1;
}
error("failed to upload directory %s to %s", src, targ);
errs = 1;
}
- } else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0) {
+ } else if (do_upload(conn, src, abs_dst, pflag, 0, 0, 1) != 0) {
error("failed to upload file %s to %s", src, abs_dst);
errs = 1;
}
error("failed to upload file %s to %s", src, targ);
errs = 1;
}
@@ -1566,11 +1566,11 @@ sink_sftp(int argc, char *dst, const cha
debug("Fetching %s to %s\n", g.gl_pathv[i], abs_dst);
if (globpath_is_dir(g.gl_pathv[i]) && iamrecursive) {
@ -83,9 +82,9 @@ diff --color -rup a/sftp-client.c b/sftp-client.c
- O_WRONLY | O_CREAT | (resume_flag ? 0 : O_TRUNC), mode | S_IWUSR);
+ local_fd = open(local_path, O_WRONLY | O_CREAT |
+ ((resume_flag || inplace_flag) ? 0 : O_TRUNC), mode | S_IWUSR);
if (local_fd == -1) {
error("Couldn't open local file \"%s\" for writing: %s",
local_path, strerror(errno));
if (local_fd == -1) {
error("open local \"%s\": %s", local_path, strerror(errno));
goto fail;
@@ -1661,8 +1661,11 @@ do_download(struct sftp_conn *conn, cons
/* Sanity check */
if (TAILQ_FIRST(&requests) != NULL)
@ -217,8 +216,8 @@ diff --color -rup a/sftp-client.c b/sftp-client.c
+ }
+
if (close(local_fd) == -1) {
error("Couldn't close local file \"%s\": %s", local_path,
strerror(errno));
error("close local \"%s\": %s", local_path, strerror(errno));
status = SSH2_FX_FAILURE;
@@ -2041,7 +2063,7 @@ do_upload(struct sftp_conn *conn, const
static int
upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
@ -241,9 +240,9 @@ diff --color -rup a/sftp-client.c b/sftp-client.c
- preserve_flag, resume, fsync_flag) == -1) {
+ preserve_flag, resume, fsync_flag,
+ inplace_flag) == -1) {
error("Uploading of file %s to %s failed!",
new_src, new_dst);
ret = -1;
error("upload \"%s\" to \"%s\" failed",
new_src, new_dst);
ret = -1;
@@ -2144,7 +2167,7 @@ upload_dir_internal(struct sftp_conn *co
int
upload_dir(struct sftp_conn *conn, const char *src, const char *dst,

87
openssh-8.7p1-sftp-default-protocol.patch
View File

@ -1,87 +0,0 @@
diff --git a/scp.1 b/scp.1
index 68aac04b..a96e95ad 100644
--- a/scp.1
+++ b/scp.1
@@ -18,7 +18,7 @@
.Nd OpenSSH secure file copy
.Sh SYNOPSIS
.Nm scp
-.Op Fl 346ABCOpqRrsTv
+.Op Fl 346ABCOpqRrTv
.Op Fl c Ar cipher
.Op Fl D Ar sftp_server_path
.Op Fl F Ar ssh_config
@@ -79,7 +76,9 @@ The options are as follows:
Copies between two remote hosts are transferred through the local host.
Without this option the data is copied directly between the two remote
hosts.
-Note that, when using the original SCP protocol (the default), this option
+Note that, when using the original SCP protocol (via the
+.Fl O
+flag), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
@@ -146,7 +145,6 @@ Limits the used bandwidth, specified in Kbit/s.
wildcard patterns and for expanding paths with a
.Sq ~
prefix for older SFTP servers.
-This mode is the default.
.It Fl o Ar ssh_option
Can be used to pass options to
.Nm ssh
@@ -258,8 +258,6 @@ to use for the encrypted connection.
The program must understand
.Xr ssh 1
options.
-.It Fl s
-Use the SFTP protocol for transfers rather than the original scp protocol.
.It Fl T
Disable strict filename checking.
By default when copying files from a remote host to a local directory
@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems.
.Xr ssh_config 5 ,
.Xr sftp-server 8 ,
.Xr sshd 8
+.Sh CAVEATS
+The original scp protocol (selected by the
+.Fl O
+flag) requires execution of the remote user's shell to perform
+.Xr glob 3
+pattern matching.
+This requires careful quoting of any characters that have special meaning to
+the remote shell, such as quote characters.
.Sh HISTORY
.Nm
is based on the rcp program in
.Bx
source code from the Regents of the University of California.
+.Pp
+Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds),
+.Nm
+has use the SFTP protocol for transfers by default.
.Sh AUTHORS
.An Timo Rinne Aq Mt tri@iki.fi
.An Tatu Ylonen Aq Mt ylo@cs.hut.fi
diff --git a/scp.c b/scp.c
index e039350c..c7cf7529 100644
--- a/scp.c
+++ b/scp.c
@@ -448,7 +448,7 @@ main(int argc, char **argv)
const char *errstr;
extern char *optarg;
extern int optind;
- enum scp_mode_e mode = MODE_SCP;
+ enum scp_mode_e mode = MODE_SFTP;
char *sftp_direct = NULL;
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -1983,7 +1983,7 @@ void
usage(void)
{
(void) fprintf(stderr,
- "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
+ "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
" [-i identity_file] [-J destination] [-l limit]\n"
" [-o ssh_option] [-P port] [-S program] source ... target\n");
exit(1);

135
openssh-8.7p1-sftpscp-dir-create.patch
View File

@ -1,135 +0,0 @@
diff -up openssh-8.7p1/scp.c.sftpdirs openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.sftpdirs 2022-02-02 14:11:12.553447509 +0100
+++ openssh-8.7p1/scp.c 2022-02-02 14:12:56.081316414 +0100
@@ -130,6 +130,7 @@
#include "misc.h"
#include "progressmeter.h"
#include "utf8.h"
+#include "sftp.h"
#include "sftp-common.h"
#include "sftp-client.h"
@@ -1264,13 +1265,18 @@ tolocal(int argc, char **argv, enum scp_
static char *
prepare_remote_path(struct sftp_conn *conn, const char *path)
{
+ size_t nslash;
+
/* Handle ~ prefixed paths */
- if (*path != '~')
- return xstrdup(path);
if (*path == '\0' || strcmp(path, "~") == 0)
return xstrdup(".");
- if (strncmp(path, "~/", 2) == 0)
- return xstrdup(path + 2);
+ if (*path != '~')
+ return xstrdup(path);
+ if (strncmp(path, "~/", 2) == 0) {
+ if ((nslash = strspn(path + 2, "/")) == strlen(path + 2))
+ return xstrdup(".");
+ return xstrdup(path + 2 + nslash);
+ }
if (can_expand_path(conn))
return do_expand_path(conn, path);
/* No protocol extension */
@@ -1282,10 +1288,16 @@ void
source_sftp(int argc, char *src, char *targ, struct sftp_conn *conn)
{
char *target = NULL, *filename = NULL, *abs_dst = NULL;
- int target_is_dir;
-
+ int src_is_dir, target_is_dir;
+ Attrib a;
+ struct stat st;
+
+ memset(&a, '\0', sizeof(a));
+ if (stat(src, &st) != 0)
+ fatal("stat local \"%s\": %s", src, strerror(errno));
+ src_is_dir = S_ISDIR(st.st_mode);
if ((filename = basename(src)) == NULL)
- fatal("basename %s: %s", src, strerror(errno));
+ fatal("basename \"%s\": %s", src, strerror(errno));
/*
* No need to glob here - the local shell already took care of
@@ -1295,8 +1307,12 @@ source_sftp(int argc, char *src, char *t
cleanup_exit(255);
target_is_dir = remote_is_dir(conn, target);
if (targetshouldbedirectory && !target_is_dir) {
- fatal("Target is not a directory, but more files selected "
- "for upload");
+ debug("target directory \"%s\" does not exist", target);
+ a.flags = SSH2_FILEXFER_ATTR_PERMISSIONS;
+ a.perm = st.st_mode | 0700; /* ensure writable */
+ if (do_mkdir(conn, target, &a, 1) != 0)
+ cleanup_exit(255); /* error already logged */
+ target_is_dir = 1;
}
if (target_is_dir)
abs_dst = path_append(target, filename);
@@ -1306,7 +1322,7 @@ source_sftp(int argc, char *src, char *t
}
debug3_f("copying local %s to remote %s", src, abs_dst);
- if (local_is_dir(src) && iamrecursive) {
+ if (src_is_dir && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) {
error("failed to upload directory %s to %s",
@@ -1487,14 +1506,15 @@ sink_sftp(int argc, char *dst, const cha
char *abs_dst = NULL;
glob_t g;
char *filename, *tmp = NULL;
- int i, r, err = 0;
+ int i, r, err = 0, dst_is_dir;
+ struct stat st;
memset(&g, 0, sizeof(g));
+
/*
* Here, we need remote glob as SFTP can not depend on remote shell
* expansions
*/
-
if ((abs_src = prepare_remote_path(conn, src)) == NULL) {
err = -1;
goto out;
@@ -1510,11 +1530,24 @@ sink_sftp(int argc, char *dst, const cha
goto out;
}
- if (g.gl_matchc > 1 && !local_is_dir(dst)) {
- error("Multiple files match pattern, but destination "
- "\"%s\" is not a directory", dst);
- err = -1;
- goto out;
+ if ((r = stat(dst, &st)) != 0)
+ debug2_f("stat local \"%s\": %s", dst, strerror(errno));
+ dst_is_dir = r == 0 && S_ISDIR(st.st_mode);
+
+ if (g.gl_matchc > 1 && !dst_is_dir) {
+ if (r == 0) {
+ error("Multiple files match pattern, but destination "
+ "\"%s\" is not a directory", dst);
+ err = -1;
+ goto out;
+ }
+ debug2_f("creating destination \"%s\"", dst);
+ if (mkdir(dst, 0777) != 0) {
+ error("local mkdir \"%s\": %s", dst, strerror(errno));
+ err = -1;
+ goto out;
+ }
+ dst_is_dir = 1;
}
for (i = 0; g.gl_pathv[i] && !interrupted; i++) {
@@ -1525,7 +1558,7 @@ sink_sftp(int argc, char *dst, const cha
goto out;
}
- if (local_is_dir(dst))
+ if (dst_is_dir)
abs_dst = path_append(dst, filename);
else
abs_dst = xstrdup(dst);

14
openssh-8.8p1-skip-some-tests.patch
View File

@ -2,14 +2,14 @@ diff -up openssh-8.8p1/regress/hostkey-agent.sh.redhat openssh-8.8p1/regress/hos
--- openssh-8.8p1/regress/hostkey-agent.sh.redhat 2022-08-10 15:54:42.084777662 +0200
+++ openssh-8.8p1/regress/hostkey-agent.sh 2022-08-10 17:01:25.651269994 +0200
@@ -36,6 +36,8 @@ unset SSH_AUTH_SOCK
unset SSH_AUTH_SOCK
for ps in yes; do
for k in $SSH_ACCEPTED_KEYTYPES ; do
+ [ "$k" == "ssh-rsa" ] && continue
+ [ "$k" == "ssh-dss" ] && continue
verbose "key type $k privsep=$ps"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
for k in $SSH_ACCEPTED_KEYTYPES ; do
+ [ "$k" == "ssh-rsa" ] && continue
+ [ "$k" == "ssh-dss" ] && continue
verbose "key type $k"
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
diff -up openssh-8.8p1/regress/hostkey-rotate.sh.redhat openssh-8.8p1/regress/hostkey-rotate.sh
--- openssh-8.8p1/regress/hostkey-rotate.sh.redhat 2022-08-10 16:57:12.720029146 +0200
+++ openssh-8.8p1/regress/hostkey-rotate.sh 2022-08-10 17:15:48.274923865 +0200

42
openssh.spec
View File

@ -50,10 +50,10 @@
%{?static_openssl:%global static_libcrypto 1}
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.8p1
%global openssh_rel 4
%global openssh_ver 9.0p1
%global openssh_rel 1
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 6
%global pam_ssh_agent_rel 7
Summary: An open source implementation of SSH protocol version 2
Name: openssh
@ -195,16 +195,10 @@ Patch966: openssh-8.2p1-x11-without-ipv6.patch
Patch974: openssh-8.0p1-keygen-strip-doseol.patch
# sshd provides PAM an incorrect error code (#1879503)
Patch975: openssh-8.0p1-preserve-pam-errors.patch
# Use SFTP protocol by default for scp command
Patch976: openssh-8.7p1-sftp-default-protocol.patch
# Implement kill switch for SCP protocol
Patch977: openssh-8.7p1-scp-kill-switch.patch
# Create non-existent directories when scp works in sftp mode and some more minor fixes
# upstream commits:
# ba61123eef9c6356d438c90c1199a57a0d7bcb0a
# 63670d4e9030bcee490d5a9cce561373ac5b3b23
# ac7c9ec894ed0825d04ef69c55babb49bab1d32e
Patch980: openssh-8.7p1-sftpscp-dir-create.patch
# Workaround for lack of sftp_realpath in older versions of RHEL
# https://bugzilla.redhat.com/show_bug.cgi?id=2038854
# https://github.com/openssh/openssh-portable/pull/299
@ -218,11 +212,6 @@ Patch983: openssh-8.7p1-evpgenkey.patch
# From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14
Patch984: openssh-8.7p1-ibmca.patch
# Minimize the use of SHA1 as a proof of possession for RSA key (#2031868)
# upstream commits:
# 291721bc7c840d113a49518f3fca70e86248b8e8
# 0fa33683223c76289470a954404047bc762be84c
Patch1000: openssh-8.7p1-minimize-sha1-use.patch
# Fix for scp clearing file when src and dest are the same (#2056884)
# upstream commits:
# 7b1cbcb7599d9f6a3bbad79d412604aa1203b5ee
@ -241,12 +230,7 @@ Patch1003: openssh-8.7p1-mem-leak.patch
# upstream MR:
# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
Patch1004: openssh-8.7p1-gssapi-auth.patch
# Fix host-based authentication with rsa keys
# upstream commits:
# 7aa7b096cf2bafe2777085abdeed5ce00581f641
# d9dbb5d9a0326e252d3c7bc13beb9c2434f59409
# fdb1d58d0d3888b042e5a500f6ce524486aaf782
Patch1005: openssh-8.7p1-host-based-auth.patch
# Don't propose disallowed algorithms during hostkey negotiation
# upstream MR:
# https://github.com/openssh/openssh-portable/pull/323
@ -254,7 +238,7 @@ Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
# downstream only
# we skip some ssh-rsa/ssh-dss tests to make native test suite pass
Patch1100: openssh-8.8p1-skip-some-tests.patch
#Patch1100: openssh-8.8p1-skip-some-tests.patch
License: BSD
Requires: /sbin/nologin
@ -432,9 +416,9 @@ popd
%patch966 -p1 -b .x11-ipv6
%patch974 -p1 -b .keygen-strip-doseol
%patch975 -p1 -b .preserve-pam-errors
%patch976 -p1 -b .sftp-by-default
%patch977 -p1 -b .kill-scp
%patch980 -p1 -b .sftpdirs
%patch981 -p1 -b .scp-sftpdirs
%patch982 -p1 -b .minrsabits
%patch983 -p1 -b .evpgenrsa
@ -444,15 +428,14 @@ popd
%patch201 -p1 -b .audit-race
%patch700 -p1 -b .fips
%patch1000 -p1 -b .minimize-sha1-use
%patch1001 -p1 -b .scp-clears-file
%patch1002 -p1 -b .ssh-manpage
%patch1003 -p1 -b .mem-leak
%patch1004 -p1 -b .gssapi-auth
%patch1005 -p1 -b .host-based-auth
%patch1006 -p1 -b .negotiate-supported-algs
%patch1100 -p1 -b .skipsshrsadsstests
#%patch1100 -p1 -b .skipsshrsadsstests
%patch100 -p1 -b .coverity
@ -735,6 +718,9 @@ test -f %{sysconfig_anaconda} && \
%endif
%changelog
* Thu Aug 11 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.0p1-1 + 0.10.4-7
- Rebase OpenSSH to 9.0p1 (rhbz#2057466)
* Wed Aug 10 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.8p1-4 + 0.10.4-6
- Port patches from CentOS (rhbz#2117264)

4
sources
View File

@ -1,4 +1,4 @@
SHA512 (openssh-8.8p1.tar.gz) = d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
SHA512 (openssh-8.8p1.tar.gz.asc) = 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
SHA512 (openssh-9.0p1.tar.gz) = 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
SHA512 (openssh-9.0p1.tar.gz.asc) = 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21