Rebase OpenSSH to 9.8p1

Resolves: RHEL-42635
This commit is contained in:
Dmitry Belyavskiy 2024-07-25 12:54:19 +02:00
parent 9195080dcb
commit 089d798931
32 changed files with 2483 additions and 690 deletions

.gitignore vendored

@ -60,3 +60,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-9.3p1.tar.gz.asc /openssh-9.3p1.tar.gz.asc
/openssh-9.6p1.tar.gz /openssh-9.6p1.tar.gz
/openssh-9.6p1.tar.gz.asc /openssh-9.6p1.tar.gz.asc
/openssh-9.8p1.tar.gz
/openssh-9.8p1.tar.gz.asc


@ -237,11 +237,11 @@ diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-serve
- return (sftp_server_main(argc, argv, user_pw)); - return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0)); + return (sftp_server_main(argc, argv, user_pw, 0));
} }
diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c diff -up openssh-8.6p1/sshd-session.c.log-in-chroot openssh-8.6p1/sshd-session.c
--- openssh-8.6p1/sshd.c.log-in-chroot 2021-04-19 14:43:08.543843426 +0200 --- openssh-8.6p1/sshd-session.c.log-in-chroot 2021-04-19 14:43:08.543843426 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:43:08.545843441 +0200 +++ openssh-8.6p1/sshd-session.c 2021-04-19 14:43:08.545843441 +0200
@@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct @@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
} #endif
/* New socket pair */ /* New socket pair */
- monitor_reinit(pmonitor); - monitor_reinit(pmonitor);


@ -116,10 +116,10 @@ index cb51f99..8b7cda2 100644
#endif #endif
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
diff --git a/sshd.c b/sshd.c diff --git a/sshd-session.c b/sshd-session.c
index 2871fe9..39b9c08 100644 index 2871fe9..39b9c08 100644
--- a/sshd.c --- a/sshd-session.c
+++ b/sshd.c +++ b/sshd-session.c
@@ -629,7 +629,7 @@ privsep_preauth_child(void) @@ -629,7 +629,7 @@ privsep_preauth_child(void)
demote_sensitive_data(); demote_sensitive_data();
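Review bot: The `index 2871fe9..39b9c08 100644` line kept under the renamed `diff --git a/sshd-session.c b/sshd-session.c` header still carries the blob ids that were recorded for sshd.c, so the metadata now describes a path that no longer matches those blobs. patch(1) and a plain `git apply` ignore the line, but `git apply --3way` and `git am -3` use it to look up the preimage and will fail or fall back when the ids do not correspond to sshd-session.c. Either regenerate the hunk against the 9.8p1 tree or drop the `index` line from the renamed header.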


@ -38,16 +38,16 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -418,7 +421,7 @@ typedef enum { @@ -578,7 +578,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sPerSourcePenalties, sPerSourcePenaltyExemptList,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey, sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
sAcceptEnv, sSetEnv, sPermitTunnel, sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
@@ -497,14 +500,16 @@ static struct { @@ -600,14 +600,16 @@ static struct {
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL }, { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
@ -129,3 +129,6 @@ diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
diff -up openssh-9.8p1/servconf.c.xxx openssh-9.8p1/servconf.c
--- openssh-9.8p1/servconf.c.xxx 2024-07-11 13:51:19.969960781 +0200
+++ openssh-9.8p1/servconf.c 2024-07-11 13:51:30.938231250 +0200
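Review bot: The trailing `diff -up openssh-9.8p1/servconf.c.xxx openssh-9.8p1/servconf.c` header and its `---` line use a placeholder backup suffix where every other header in this patch uses `.GSSAPIEnablek5users`, which reads as a leftover from a hand rebase; rename both to `openssh-9.8p1/servconf.c.GSSAPIEnablek5users`. The hunk that follows this header is cut off in this view, so it cannot be checked here whether it overlaps the servconf.c hunks already refreshed above (`@@ -578,7 +578,7 @@ typedef enum` and `@@ -600,14 +600,16 @@ static struct`); a second file section for the same file inside one patch still applies with patch(1), but merging it into the earlier servconf.c section keeps the patch reviewable.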


@ -1,6 +1,6 @@
diff -up openssh/sshd.c.ip-opts openssh/sshd.c diff -up openssh/sshd.c.ip-opts openssh/sshd.c
--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200 --- openssh/sshd-session.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
+++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200 +++ openssh/sshd-session.c 2016-07-25 14:01:28.346469878 +0200
@@ -1507,12 +1507,32 @@ check_ip_options(struct ssh *ssh) @@ -1507,12 +1507,32 @@ check_ip_options(struct ssh *ssh)
if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts, if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
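Review bot: The first line of the patch, `diff -up openssh/sshd.c.ip-opts openssh/sshd.c`, still names sshd.c while the `---`/`+++` lines directly below it were moved to sshd-session.c; patch(1) takes the target from the `+++` line so the patch still applies, but the stale header misleads anyone searching the patch set for changes to sshd.c. Change it to `diff -up openssh/sshd-session.c.ip-opts openssh/sshd-session.c`. The `@@ -1507,12 +1507,32 @@ check_ip_options(struct ssh *ssh)` offsets were also carried over unchanged; if check_ip_options sits at a different line in sshd-session.c the hunk presumably applies only with an offset, so regenerating the hunk header against 9.8p1 would avoid fuzz at build time.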


@ -39,9 +39,9 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
SFTP_SERVER=$(libexecdir)/sftp-server SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_KEYCAT=$(libexecdir)/ssh-keycat +SSH_KEYCAT=$(libexecdir)/ssh-keycat
SSHD_SESSION=$(libexecdir)/sshd-session
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@ @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
K5LIBS=@K5LIBS@ K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@ GSSLIBS=@GSSLIBS@
@ -54,8 +54,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
.SUFFIXES: .lo .SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
XMSS_OBJS=\ XMSS_OBJS=\
ssh-xmss.o \ ssh-xmss.o \
@ -95,8 +95,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/
--- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200 --- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt; @@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
extern Authctxt *the_authctxt;
extern int inetd_flag; extern int inetd_flag;
extern int rexeced_flag;
+/* Wrapper around is_selinux_enabled() to log its return value once only */ +/* Wrapper around is_selinux_enabled() to log its return value once only */
+int +int
@ -131,7 +131,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); - rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : ""); + rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
if (inetd_flag && !rexeced_flag) { if (inetd_flag) {
use_current = "1"; use_current = "1";
} else { } else {
use_current = ""; use_current = "";
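Review bot: Dropping `!rexeced_flag` from `if (inetd_flag && !rexeced_flag)` in port-linux-sshd.c changes which value `use_current` takes in inetd mode, not just which symbols the file references. Before the rebase the `use_current = "1"` branch was only reached when sshd had not re-executed itself; in 9.8 the session process is always a fresh exec of sshd-session, so by the old reasoning that branch should now never be taken, and keeping `if (inetd_flag)` presumably re-enables it whenever `-i` is passed through to the session process — please confirm against the intended SELINUX_USE_CURRENT_RANGE semantics, and if the pre-rebase behaviour is the one wanted, collapse the conditional to `use_current = "";` with a comment explaining why. It is also worth confirming that `inetd_flag` is still a non-static global in sshd-session.c, since this file keeps the `extern int inetd_flag;` declaration. The enclosing function starts and ends outside the hunk.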


@ -266,8 +266,8 @@ diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
+The default is +The default is
+.Cm yes . +.Cm yes .
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the permitted KEX (Key Exchange) algorithms that the server will
Multiple algorithms must be comma-separated. offer to clients.
@@ -1078,6 +1082,7 @@ Available keywords are @@ -1078,6 +1082,7 @@ Available keywords are
.Cm IPQoS , .Cm IPQoS ,
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,


@ -49,7 +49,7 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
platform_setusercontext(pw); platform_setusercontext(pw);
- if (platform_privileged_uidswap()) { - if (platform_privileged_uidswap()) {
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) { + if (platform_privileged_uidswap() && !is_child) {
#ifdef HAVE_LOGIN_CAP #ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid, if (setusercontext(lc, pw, pw->pw_uid,
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
@ -96,8 +96,8 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
} }
diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100 --- openssh-7.4p1/sshd-session.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 18:59:13.808124269 +0100 +++ openssh-7.4p1/sshd-session.c 2016-12-23 18:59:13.808124269 +0100
@@ -540,6 +540,10 @@ privsep_preauth_child(void) @@ -540,6 +540,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
demote_sensitive_data(); demote_sensitive_data();
@ -109,13 +109,12 @@ diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
/* Demote the child */ /* Demote the child */
if (privsep_chroot) { if (privsep_chroot) {
/* Change our root directory */ /* Change our root directory */
@@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt) @@ -403,7 +403,7 @@ privsep_postauth(struct ssh *ssh, Authct
{ * fd passing, as AFAIK PTY allocation on this platform doesn't require
#ifdef DISABLE_FD_PASSING * special privileges to begin with.
if (1) { */
+#elif defined(WITH_SELINUX) -#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
+ if (0) { +#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)
+ /* even root user can be confined by SELinux */ skip_privdrop = 1;
#else
if (authctxt->pw->pw_uid == 0) {
#endif #endif
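Review bot: The rewritten `#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX)` in privsep_postauth loses the one-line rationale the old `#elif defined(WITH_SELINUX)` branch carried (`/* even root user can be confined by SELinux */`), so a reader now sees a bare WITH_SELINUX exclusion with no explanation of why the privilege drop must not be skipped under SELinux. Put the comment back directly above the `#if`, e.g. `/* Never skip the privdrop under SELinux: even root can be confined. */`. The session.c change to `platform_privileged_uidswap() && !is_child` is consistent with privsep being unconditional in 9.8 and needs no further change. privsep_postauth starts and ends outside the hunk.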


@ -27,7 +27,7 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
- -
+#pragma GCC diagnostic ignored "-Wstringop-overflow" +#pragma GCC diagnostic ignored "-Wstringop-overflow"
cp = strncpy(s, kex, strlen(kex)); cp = strncpy(s, kex, strlen(kex));
+#pragma pop +#pragma GCC diagnostic pop
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 && if (sshbuf_len(buf) != 0 &&
@ -221,9 +221,9 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
return NULL; return NULL;
} }
/* validate also provider from URI */ /* validate also provider from URI */
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c diff -up openssh-7.4p1/sshd-session.c.coverity openssh-7.4p1/sshd-session.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100 --- openssh-7.4p1/sshd-session.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100 +++ openssh-7.4p1/sshd-session.c 2016-12-23 16:40:26.904788692 +0100
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt) @@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
privsep_preauth_child(ssh); privsep_preauth_child(ssh);
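Review bot: `#pragma GCC diagnostic pop` corrects the old `#pragma pop`, which GCC treats as an unknown pragma and ignores, so `-Wstringop-overflow` had stayed suppressed for the rest of gss-genr.c; but the pragma pair only hides the warning about `cp = strncpy(s, kex, strlen(kex));`, it does not remove its cause. Copying exactly strlen(kex) bytes never writes a terminator, so correctness rests on `s` having been allocated with room for one more byte and zeroed somewhere above the hunk, which cannot be seen here. If that is the case, `s = cp = xstrdup(kex);` (or an explicit `s[strlen(kex)] = '\0';`) would make the invariant visible and let both pragmas go. The enclosing function starts outside the hunk.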


@ -109,7 +109,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command) @@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
} }
if (s->command != NULL && s->ptyfd == -1) if (s->command != NULL && s->ptyfd == -1)
s->command_handle = PRIVSEP(audit_run_command(ssh, s->command)); s->command_handle = mm_audit_run_command(ssh, s->command);
+ if (pipe(paudit) < 0) + if (pipe(paudit) < 0)
+ fatal("pipe: %s", strerror(errno)); + fatal("pipe: %s", strerror(errno));
#endif #endif
@ -121,7 +121,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ close(paudit[1]); + close(paudit[1]);
+ if (use_privsep && ret == 0) { + if (ret == 0) {
+ /* + /*
+ * Read the audit messages from forked child and send them + * Read the audit messages from forked child and send them
+ * back to monitor. We don't want to communicate directly, + * back to monitor. We don't want to communicate directly,
@ -136,7 +136,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
return ret; return ret;
} }
@@ -1538,6 +1565,34 @@ child_close_fds(void) @@ -1538,6 +1565,33 @@ child_close_fds(void)
log_redirect_stderr_to(NULL); log_redirect_stderr_to(NULL);
} }
@ -147,12 +147,11 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
+ int pparent = paudit[1]; + int pparent = paudit[1];
+ close(paudit[0]); + close(paudit[0]);
+ /* Hack the monitor pipe to avoid race condition with parent */ + /* Hack the monitor pipe to avoid race condition with parent */
+ if (use_privsep) + mm_set_monitor_pipe(pparent);
+ mm_set_monitor_pipe(pparent);
+#endif +#endif
+ +
+ /* remove hostkey from the child's memory */ + /* remove hostkey from the child's memory */
+ destroy_sensitive_data(ssh, use_privsep); + destroy_sensitive_data(ssh);
+ /* + /*
+ * We can audit this, because we hacked the pipe to direct the + * We can audit this, because we hacked the pipe to direct the
+ * messages over postauth child. But this message requires answer + * messages over postauth child. But this message requires answer
@ -176,7 +175,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
- /* remove hostkey from the child's memory */ - /* remove hostkey from the child's memory */
- destroy_sensitive_data(ssh, 1); - destroy_sensitive_data(ssh);
- ssh_packet_clear_keys(ssh); - ssh_packet_clear_keys(ssh);
- /* Don't audit this - both us and the parent would be talking to the - /* Don't audit this - both us and the parent would be talking to the
- monitor over a single socket, with no synchronization. */ - monitor over a single socket, with no synchronization. */


@ -11,8 +11,8 @@ diff --git a/channels.c b/channels.c
int sock; int sock;
struct sockaddr_un addr; struct sockaddr_un addr;
+ if (len <= 0) + if (len <= 0)
+ return -1; + return -1;
sock = socket(AF_UNIX, SOCK_STREAM, 0); sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock == -1) { if (sock == -1) {
error("socket: %.100s", strerror(errno)); error("socket: %.100s", strerror(errno));


@ -2,7 +2,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100 --- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0; @@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
#define FWD_PERMIT_ANY_HOST "*" #define NUM_SOCKS 10
/* -- X11 forwarding */ /* -- X11 forwarding */
-/* Maximum number of fake X11 displays to try. */ -/* Maximum number of fake X11 displays to try. */


@ -1,98 +0,0 @@
commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31
Author: Jakub Jelen <jjelen@redhat.com>
Date: Mon Nov 21 15:04:06 2016 +0100
systemd stuff
diff --git a/configure.ac b/configure.ac
index 2ffc369..162ce92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5],
AC_SUBST([K5LIBS])
AC_SUBST([CHANNELLIBS])
+# Check whether user wants systemd support
+SYSTEMD_MSG="no"
+AC_ARG_WITH(systemd,
+ [ --with-systemd Enable systemd support],
+ [ if test "x$withval" != "xno" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "$PKGCONFIG" != "no"; then
+ AC_MSG_CHECKING([for libsystemd])
+ if $PKGCONFIG --exists libsystemd; then
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
+ SYSTEMD_MSG="yes"
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ fi ]
+)
+
+
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
+echo " systemd support: $SYSTEMD_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff --git a/contrib/sshd.service b/contrib/sshd.service
new file mode 100644
index 0000000..e0d4923
--- /dev/null
+++ b/contrib/sshd.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/sshd -D $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/sshd.c b/sshd.c
index 816611c..b8b9d13 100644
--- a/sshd.c
+++ b/sshd.c
@@ -85,6 +85,10 @@
#include <prot.h>
#endif
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
@@ -1888,6 +1892,11 @@ main(int ac, char **av)
}
}
+#ifdef HAVE_SYSTEMD
+ /* Signal systemd that we are ready to accept connections */
+ sd_notify(0, "READY=1");
+#endif
+
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);


@ -129,19 +129,19 @@ diff -up openssh-8.6p1/audit.c.audit openssh-8.6p1/audit.c
+void +void
+audit_unsupported(struct ssh *ssh, int what) +audit_unsupported(struct ssh *ssh, int what)
+{ +{
+ PRIVSEP(audit_unsupported_body(ssh, what)); + mm_audit_unsupported_body(ssh, what);
+} +}
+ +
+void +void
+audit_kex(struct ssh *ssh, int ctos, char *enc, char *mac, char *comp, char *pfs) +audit_kex(struct ssh *ssh, int ctos, char *enc, char *mac, char *comp, char *pfs)
+{ +{
+ PRIVSEP(audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid())); + mm_audit_kex_body(ssh, ctos, enc, mac, comp, pfs, getpid(), getuid());
+} +}
+ +
+void +void
+audit_session_key_free(struct ssh *ssh, int ctos) +audit_session_key_free(struct ssh *ssh, int ctos)
+{ +{
+ PRIVSEP(audit_session_key_free_body(ssh, ctos, getpid(), getuid())); + mm_audit_session_key_free_body(ssh, ctos, getpid(), getuid());
+} +}
+ +
# ifndef CUSTOM_SSH_AUDIT_EVENTS # ifndef CUSTOM_SSH_AUDIT_EVENTS
@ -446,7 +446,7 @@ diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c
/* Below is the sshd audit API code */ /* Below is the sshd audit API code */
void void
@@ -76,49 +176,210 @@ audit_connection_from(const char *host, @@ -76,49 +176,211 @@ audit_connection_from(const char *host,
/* not implemented */ /* not implemented */
} }
@ -525,6 +525,7 @@ diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c
case SSH_AUTH_FAIL_PASSWD: case SSH_AUTH_FAIL_PASSWD:
+ if (options.use_pam) + if (options.use_pam)
+ break; + break;
+ /* Fallthrough */
+ case SSH_LOGIN_EXCEED_MAXTRIES: + case SSH_LOGIN_EXCEED_MAXTRIES:
case SSH_AUTH_FAIL_KBDINT: case SSH_AUTH_FAIL_KBDINT:
case SSH_AUTH_FAIL_PUBKEY: case SSH_AUTH_FAIL_PUBKEY:
@ -564,7 +565,7 @@ diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c
+{ +{
+#ifdef AUDIT_CRYPTO_SESSION +#ifdef AUDIT_CRYPTO_SESSION
+ char buf[AUDIT_LOG_SIZE]; + char buf[AUDIT_LOG_SIZE];
+ const static char *name[] = { "cipher", "mac", "comp" }; + static const char *name[] = { "cipher", "mac", "comp" };
+ char *s; + char *s;
+ int audit_fd; + int audit_fd;
+ +
@ -582,7 +583,7 @@ diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c
+#endif +#endif
+} +}
+ +
+const static char *direction[] = { "from-server", "from-client", "both" }; +static const char *direction[] = { "from-server", "from-client", "both" };
+ +
+void +void
+audit_kex_body(struct ssh *ssh, int ctos, char *enc, char *mac, char *compress, +audit_kex_body(struct ssh *ssh, int ctos, char *enc, char *mac, char *compress,
@ -661,7 +662,7 @@ diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c
+ } + }
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, + audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
+ buf, NULL, + buf, NULL,
+ listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh), + ssh_remote_ipaddr(ssh), /*FIXME listening_for_clients() ? NULL : ssh_remote_ipaddr(ssh) */
+ NULL, 1); + NULL, 1);
+ audit_close(audit_fd); + audit_close(audit_fd);
+ /* do not abort if the error is EPERM and sshd is run as non root user */ + /* do not abort if the error is EPERM and sshd is run as non root user */
@ -733,7 +734,7 @@ diff -up openssh-8.6p1/auth2.c.audit openssh-8.6p1/auth2.c
/* Invalid user, fake password information */ /* Invalid user, fake password information */
authctxt->pw = fakepw(); authctxt->pw = fakepw();
-#ifdef SSH_AUDIT_EVENTS -#ifdef SSH_AUDIT_EVENTS
- PRIVSEP(audit_event(ssh, SSH_INVALID_USER)); - mm_audit_event(ssh, SSH_INVALID_USER);
-#endif -#endif
} }
#ifdef USE_PAM #ifdef USE_PAM
@ -743,11 +744,11 @@ diff -up openssh-8.6p1/auth2-hostbased.c.audit openssh-8.6p1/auth2-hostbased.c
+++ openssh-8.6p1/auth2-hostbased.c 2021-04-19 16:47:35.754062114 +0200 +++ openssh-8.6p1/auth2-hostbased.c 2021-04-19 16:47:35.754062114 +0200
@@ -158,7 +158,7 @@ userauth_hostbased(struct ssh *ssh) @@ -158,7 +158,7 @@ userauth_hostbased(struct ssh *ssh)
authenticated = 0; authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser, if (mm_hostbased_key_allowed(ssh, authctxt->pw, cuser,
chost, key)) && chost, key) &&
- PRIVSEP(sshkey_verify(key, sig, slen, - mm_sshkey_verify(key, sig, slen,
+ PRIVSEP(hostbased_key_verify(ssh, key, sig, slen, + mm_hostbased_key_verify(ssh, key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0) sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL) == 0)
authenticated = 1; authenticated = 1;
@@ -175,6 +175,20 @@ done: @@ -175,6 +175,20 @@ done:
@ -777,12 +778,12 @@ diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c
@@ -213,7 +213,7 @@ userauth_pubkey(struct ssh *ssh) @@ -213,7 +213,7 @@ userauth_pubkey(struct ssh *ssh)
/* test for correct signature */ /* test for correct signature */
authenticated = 0; authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && if (mm_user_key_allowed(ssh, pw, key, 1, &authopts) &&
- PRIVSEP(sshkey_verify(key, sig, slen, - mm_sshkey_verify(key, sig, slen,
+ PRIVSEP(user_key_verify(ssh, key, sig, slen, + mm_user_key_verify(ssh, key, sig, slen,
sshbuf_ptr(b), sshbuf_len(b), sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat, &sig_details)) == 0) { ssh->compat, &sig_details) == 0) {
@@ -305,6 +305,20 @@ done: @@ -305,6 +305,20 @@ done:
return authenticated; return authenticated;
} }
@ -828,7 +829,7 @@ diff -up openssh-8.6p1/auth.h.audit openssh-8.6p1/auth.h
+ const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); + const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
/* Key / cert options linkage to auth layer */ /* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *); int auth_activate_options(struct ssh *, struct sshauthopt *);
@@ -239,6 +241,8 @@ struct passwd * getpwnamallow(struct ssh @@ -239,6 +241,8 @@ struct passwd * getpwnamallow(struct ssh
char *, const char *, const char *, const char *, struct sshauthopt **); char *, const char *, const char *, const char *, struct sshauthopt **);
int auth_check_authkeys_file(struct passwd *, FILE *, char *, int auth_check_authkeys_file(struct passwd *, FILE *, char *,
@ -915,8 +916,8 @@ diff -up openssh-8.6p1/kex.c.audit openssh-8.6p1/kex.c
#include "xmalloc.h" #include "xmalloc.h"
+#include "audit.h" +#include "audit.h"
#ifdef GSSAPI /* prototype */
#include "ssh-gss.h" static int kex_choose_conf(struct ssh *, uint32_t seq);
@@ -816,12 +817,16 @@ kex_start_rekex(struct ssh *ssh) @@ -816,12 +817,16 @@ kex_start_rekex(struct ssh *ssh)
} }
@ -1108,7 +1109,7 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
extern struct sshbuf *loginmsg; extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
+extern void destroy_sensitive_data(struct ssh *, int); +extern void destroy_sensitive_data(struct ssh *);
+ +
/* State exported from the child */ /* State exported from the child */
static struct sshbuf *child_state; static struct sshbuf *child_state;
@ -1241,7 +1242,7 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
sshpam_cleanup(); sshpam_cleanup();
#endif #endif
+ destroy_sensitive_data(ssh, 0); + destroy_sensitive_data(ssh);
+ +
while (waitpid(pmonitor->m_pid, &status, 0) == -1) while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR) if (errno != EINTR)
@ -1536,9 +1537,9 @@ diff -up openssh-8.6p1/monitor_wrap.c.audit openssh-8.6p1/monitor_wrap.c
} }
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
@@ -1095,3 +1137,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc @@ -1095,3 +1137,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
return &ci;
} }
#endif /* GSSAPI */
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+void +void
+mm_audit_unsupported_body(struct ssh *ssh, int what) +mm_audit_unsupported_body(struct ssh *ssh, int what)
@ -1632,7 +1633,7 @@ diff -up openssh-8.6p1/monitor_wrap.h.audit openssh-8.6p1/monitor_wrap.h
+int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t, +int mm_user_key_verify(struct ssh*, const struct sshkey *, const u_char *, size_t,
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
#ifdef GSSAPI void mm_decode_activate_server_options(struct ssh *ssh, struct sshbuf *m);
@@ -86,7 +88,12 @@ void mm_sshpam_free_ctx(void *); @@ -86,7 +88,12 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
#include "audit.h" #include "audit.h"
@ -1817,7 +1818,7 @@ diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c
extern u_int utmp_len; extern u_int utmp_len;
extern int startup_pipe; extern int startup_pipe;
-extern void destroy_sensitive_data(void); -extern void destroy_sensitive_data(void);
+extern void destroy_sensitive_data(struct ssh *, int); +extern void destroy_sensitive_data(struct ssh *);
extern struct sshbuf *loginmsg; extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; extern struct sshauthopt *auth_opts;
extern char *tun_fwd_ifnames; /* serverloop.c */ extern char *tun_fwd_ifnames; /* serverloop.c */
@ -1843,18 +1844,18 @@ diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c
+ if (s->command != NULL || s->command_handle != -1) + if (s->command != NULL || s->command_handle != -1)
+ fatal("do_exec: command already set"); + fatal("do_exec: command already set");
if (command != NULL) if (command != NULL)
- PRIVSEP(audit_run_command(command)); - mm_audit_run_command(command);
+ s->command = xstrdup(command); + s->command = xstrdup(command);
else if (s->ttyfd == -1) { else if (s->ttyfd == -1) {
char *shell = s->pw->pw_shell; char *shell = s->pw->pw_shell;
if (shell[0] == '\0') /* empty shell means /bin/sh */ if (shell[0] == '\0') /* empty shell means /bin/sh */
shell =_PATH_BSHELL; shell =_PATH_BSHELL;
- PRIVSEP(audit_run_command(shell)); - mm_audit_run_command(shell);
+ s->command = xstrdup(shell); + s->command = xstrdup(shell);
} }
+ if (s->command != NULL && s->ptyfd == -1) + if (s->command != NULL && s->ptyfd == -1)
+ s->command_handle = PRIVSEP(audit_run_command(ssh, s->command)); + s->command_handle = mm_audit_run_command(ssh, s->command);
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
ret = do_exec_pty(ssh, s, command); ret = do_exec_pty(ssh, s, command);
@ -1863,7 +1864,7 @@ diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c
/* remove hostkey from the child's memory */ /* remove hostkey from the child's memory */
- destroy_sensitive_data(); - destroy_sensitive_data();
+ destroy_sensitive_data(ssh, 1); + destroy_sensitive_data(ssh);
ssh_packet_clear_keys(ssh); ssh_packet_clear_keys(ssh);
+ /* Don't audit this - both us and the parent would be talking to the + /* Don't audit this - both us and the parent would be talking to the
+ monitor over a single socket, with no synchronization. */ + monitor over a single socket, with no synchronization. */
@ -1923,7 +1924,7 @@ diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c
+{ +{
+ if (s->command != NULL) { + if (s->command != NULL) {
+ if (s->command_handle != -1) + if (s->command_handle != -1)
+ PRIVSEP(audit_end_command(ssh, s->command_handle, s->command)); + mm_audit_end_command(ssh, s->command_handle, s->command);
+ free(s->command); + free(s->command);
+ s->command = NULL; + s->command = NULL;
+ s->command_handle = -1; + s->command_handle = -1;
@ -1981,7 +1982,7 @@ diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c
@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au @@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
* or if running in monitor. * or if running in monitor.
*/ */
if (!use_privsep || mm_is_monitor()) if (mm_is_monitor())
- session_destroy_all(ssh, session_pty_cleanup2); - session_destroy_all(ssh, session_pty_cleanup2);
+ session_destroy_all(ssh, do_cleanup_one_session); + session_destroy_all(ssh, do_cleanup_one_session);
} }
@ -2020,25 +2021,6 @@ diff -up openssh-8.6p1/session.h.audit openssh-8.6p1/session.h
diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.audit 2021-04-19 16:47:35.727061907 +0200 --- openssh-8.6p1/sshd.c.audit 2021-04-19 16:47:35.727061907 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 16:47:35.759062152 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 16:47:35.759062152 +0200
@@ -122,6 +122,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "audit.h"
#include "ssh-sandbox.h"
#include "auth-options.h"
#include "version.h"
@@ -260,8 +261,8 @@ struct sshbuf *loginmsg;
struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */
-void destroy_sensitive_data(void);
-void demote_sensitive_data(void);
+void destroy_sensitive_data(struct ssh *, int);
+void demote_sensitive_data(struct ssh *);
static void do_ssh2_kex(struct ssh *);
static char *listener_proctitle;
@@ -279,6 +280,15 @@ close_listen_socks(void) @@ -279,6 +280,15 @@ close_listen_socks(void)
num_listen_socks = 0; num_listen_socks = 0;
} }
@ -2052,11 +2034,41 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
+ return num_listen_socks > 0; + return num_listen_socks > 0;
+} +}
+ +
/* Allocate and initialise the children array */
static void static void
close_startup_pipes(void) child_alloc(void)
{ @@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so
@@ -377,18 +387,45 @@ grace_alarm_handler(int sig) if (received_sigterm) {
ssh_remote_port(the_active_state)); logit("Received signal %d; terminating.",
(int) received_sigterm);
+ /* destroy_sensitive_data(ssh, 0); FIXME */
close_listen_socks();
if (options.pid_file != NULL)
unlink(options.pid_file);
diff -up openssh-8.6p1/sshd-session.c.audit openssh-8.6p1/sshd-session.c
--- openssh-8.6p1/sshd-session.c.audit 2021-04-19 16:47:35.727061907 +0200
+++ openssh-8.6p1/sshd-session.c 2021-04-19 16:47:35.759062152 +0200
@@ -122,6 +122,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
+#include "audit.h"
#include "ssh-sandbox.h"
#include "auth-options.h"
#include "version.h"
@@ -260,8 +261,8 @@ struct sshbuf *loginmsg;
struct sshbuf *loginmsg;
/* Prototypes for various functions defined later in this file. */
-void destroy_sensitive_data(void);
-void demote_sensitive_data(void);
+void destroy_sensitive_data(struct ssh *);
+void demote_sensitive_data(struct ssh *);
static void do_ssh2_kex(struct ssh *);
/*
@@ -377,18 +387,40 @@ grace_alarm_handler(int sig)
_exit(EXIT_LOGIN_GRACE);
} }
-/* Destroy the host and server keys. They will no longer be needed. */ -/* Destroy the host and server keys. They will no longer be needed. */
@ -2066,7 +2078,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
+ */ + */
void void
-destroy_sensitive_data(void) -destroy_sensitive_data(void)
+destroy_sensitive_data(struct ssh *ssh, int privsep) +destroy_sensitive_data(struct ssh *ssh)
{ {
u_int i; u_int i;
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
@ -2088,12 +2100,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
sensitive_data.host_keys[i] = NULL; sensitive_data.host_keys[i] = NULL;
+ if (fp != NULL) { + if (fp != NULL) {
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ if (privsep) + audit_destroy_sensitive_data(ssh, fp, pid, uid);
+ PRIVSEP(audit_destroy_sensitive_data(ssh, fp,
+ pid, uid));
+ else
+ audit_destroy_sensitive_data(ssh, fp,
+ pid, uid);
+#endif +#endif
+ free(fp); + free(fp);
+ } + }
@ -2163,9 +2170,9 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
sshd_selinux_change_privsep_preauth_context(); sshd_selinux_change_privsep_preauth_context();
@@ -492,7 +547,7 @@ privsep_preauth(struct ssh *ssh) @@ -492,7 +547,7 @@ privsep_preauth(struct ssh *ssh)
pmonitor->m_pkex = &ssh->kex;
if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(pmonitor);
box = ssh_sandbox_init(pmonitor);
- pid = fork(); - pid = fork();
+ pmonitor->m_pid = pid = fork(); + pmonitor->m_pid = pid = fork();
if (pid == -1) { if (pid == -1) {
@ -2189,48 +2196,21 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
reseed_prngs(); reseed_prngs();
@@ -1143,7 +1198,7 @@ server_listen(void)
* from this function are in a forked subprocess.
*/
static void
-server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s)
{
struct pollfd *pfd = NULL;
int i, j, ret, npfd;
@@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",
(int) received_sigterm);
+ destroy_sensitive_data(ssh, 0);
close_listen_socks();
if (options.pid_file != NULL)
unlink(options.pid_file);
@@ -2098,7 +2154,7 @@ main(int ac, char **av)
#endif
/* Accept a connection and return in a forked child */
- server_accept_loop(&sock_in, &sock_out,
+ server_accept_loop(ssh, &sock_in, &sock_out,
&newsock, config_s);
}
@@ -2333,6 +2389,9 @@ main(int ac, char **av) @@ -2333,6 +2389,9 @@ main(int ac, char **av)
do_authenticated(ssh, authctxt); do_authenticated(ssh, authctxt);
/* The connection has been terminated. */ /* The connection has been terminated. */
+ packet_destroy_all(ssh, 1, 1); + packet_destroy_all(ssh, 1, 1);
+ destroy_sensitive_data(ssh, 1); + destroy_sensitive_data(ssh);
+ +
ssh_packet_get_bytes(ssh, &ibytes, &obytes); ssh_packet_get_bytes(ssh, &ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes", verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes); (unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2513,6 +2572,15 @@ do_ssh2_kex(struct ssh *ssh) @@ -2513,6 +2572,14 @@ do_ssh2_kex(struct ssh *ssh)
void void
cleanup_exit(int i) cleanup_exit(int i)
{ {
+ static int in_cleanup = 0; + static int in_cleanup = 0;
+ int is_privsep_child;
+ +
+ /* cleanup_exit can be called at the very least from the privsep + /* cleanup_exit can be called at the very least from the privsep
+ wrappers used for auditing. Make sure we don't recurse + wrappers used for auditing. Make sure we don't recurse
@ -2238,24 +2218,17 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
+ if (in_cleanup) + if (in_cleanup)
+ _exit(i); + _exit(i);
+ in_cleanup = 1; + in_cleanup = 1;
extern int auth_attempted; /* monitor.c */
if (the_active_state != NULL && the_authctxt != NULL) { if (the_active_state != NULL && the_authctxt != NULL) {
do_cleanup(the_active_state, the_authctxt); @@ -2525,7 +2593,9 @@ cleanup_exit(int i)
if (use_privsep && privsep_is_preauth && _exit(EXIT_AUTH_ATTEMPTED);
@@ -2525,9 +2593,16 @@ cleanup_exit(int i)
}
}
}
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
+ if (sensitive_data.host_keys != NULL && the_active_state != NULL)
+ destroy_sensitive_data(the_active_state, is_privsep_child);
+ if (the_active_state != NULL)
+ packet_destroy_all(the_active_state, 1, is_privsep_child);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */ /* done after do_cleanup so it can cancel the PAM auth 'thread' */
- if (the_active_state != NULL && (!use_privsep || mm_is_monitor())) - if (the_active_state != NULL && mm_is_monitor())
+ if (the_active_state != NULL && + if (the_active_state != NULL &&
+ (the_authctxt == NULL || !the_authctxt->authenticated) && + (the_authctxt == NULL || !the_authctxt->authenticated) &&
+ (!use_privsep || mm_is_monitor())) + mm_is_monitor())
audit_event(the_active_state, SSH_CONNECTION_ABANDON); audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif #endif
_exit(i); _exit(i);


@ -1,23 +1,22 @@
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200 --- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200 +++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
@@ -72,6 +72,9 @@ @@ -72,6 +72,8 @@
/* import */ /* import */
extern ServerOptions options; extern ServerOptions options;
+extern int inetd_flag; +extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
extern struct authmethod_cfg methodcfg_pubkey;
static char * static char *
format_key(const struct sshkey *key)
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh @@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
if ((pid = subprocess("AuthorizedPrincipalsCommand", command, if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
ac, av, &f, ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
- runas_pw, temporarily_use_uid, restore_uid)) == 0) - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid, + runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + inetd_flag, the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
@ -27,7 +26,7 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
- runas_pw, temporarily_use_uid, restore_uid)) == 0) - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid, + runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + inetd_flag, the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
@ -82,14 +81,13 @@ diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/por
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200 --- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200
@@ -49,11 +49,6 @@ @@ -49,10 +49,6 @@
#include <unistd.h> #include <unistd.h>
#endif #endif
-extern ServerOptions options; -extern ServerOptions options;
-extern Authctxt *the_authctxt; -extern Authctxt *the_authctxt;
-extern int inetd_flag; -extern int inetd_flag;
-extern int rexeced_flag;
- -
/* Wrapper around is_selinux_enabled() to log its return value once only */ /* Wrapper around is_selinux_enabled() to log its return value once only */
int int
@ -128,7 +126,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
if (r == 0) { if (r == 0) {
/* If launched from xinetd, we must use current level */ /* If launched from xinetd, we must use current level */
- if (inetd_flag && !rexeced_flag) { - if (inetd_flag) {
+ if (inetd) { + if (inetd) {
security_context_t sshdsc=NULL; security_context_t sshdsc=NULL;
@ -152,7 +150,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : ""); rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
- if (inetd_flag && !rexeced_flag) { - if (inetd_flag) {
+ if (inetd) { + if (inetd) {
use_current = "1"; use_current = "1";
} else { } else {
@ -216,55 +214,45 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
diff -up openssh/platform.c.refactor openssh/platform.c diff -up openssh/platform.c.refactor openssh/platform.c
--- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200 --- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200
+++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200 +++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200
@@ -32,6 +32,9 @@ @@ -32,6 +32,8 @@
#include "openbsd-compat/openbsd-compat.h"
extern int use_privsep;
extern ServerOptions options; extern ServerOptions options;
+extern int inetd_flag; +extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
void /* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
platform_pre_listen(void) int
@@ -183,7 +186,9 @@ platform_setusercontext_post_groups(stru @@ -183,7 +186,9 @@ platform_setusercontext_post_groups(stru
} }
#endif /* HAVE_SETPCRED */ #endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(pw->pw_name); - sshd_selinux_setup_exec_context(pw->pw_name);
+ sshd_selinux_setup_exec_context(pw->pw_name, + sshd_selinux_setup_exec_context(pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt, + inetd_flag, do_pam_putenv, the_authctxt,
+ options.use_pam); + options.use_pam);
#endif #endif
} }
diff -up openssh/sshd.c.refactor openssh/sshd.c diff -up openssh/sshd-session.c.refactor openssh/sshd-session.c
--- openssh/sshd.c.refactor 2019-04-04 13:19:12.275822068 +0200 --- openssh/sshd-session.c.refactor 2019-04-04 13:19:12.275822068 +0200
+++ openssh/sshd.c 2019-04-04 13:19:51.270195262 +0200 +++ openssh/sshd-session.c 2019-04-04 13:19:51.270195262 +0200
@@ -158,7 +158,7 @@ int debug_flag = 0; @@ -158,7 +158,7 @@ int debug_flag = 0;
static int test_flag = 0; int debug_flag = 0;
/* Flag indicating that the daemon is being started from inetd. */ /* Flag indicating that the daemon is being started from inetd. */
-static int inetd_flag = 0; -static int inetd_flag = 0;
+int inetd_flag = 0; +int inetd_flag = 0;
/* Flag indicating that sshd should not detach and become a daemon. */ /* debug goes to stderr unless inetd_flag is set */
static int no_daemon_flag = 0; static int log_stderr = 0;
@@ -171,7 +171,7 @@ static char **saved_argv;
static int saved_argc;
/* re-exec */
-static int rexeced_flag = 0;
+int rexeced_flag = 0;
static int rexec_flag = 1;
static int rexec_argc = 0;
static char **rexec_argv;
@@ -2192,7 +2192,9 @@ main(int ac, char **av) @@ -2192,7 +2192,9 @@ main(int ac, char **av)
} }
#endif #endif
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name); - sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name, + sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt, + inetd_flag, do_pam_putenv, the_authctxt,
+ options.use_pam); + options.use_pam);
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
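Review bot: The SELinux level selection in port-linux-sshd.c (the `if (inetd)` branch under "If launched from xinetd, we must use current level") now keys off `inetd_flag` alone, but after the 9.8 split this code runs in sshd-session, which is exec'd by the sshd listener rather than launched by inetd itself; whether the flag reaches sshd-session with the meaning the old `(inetd_flag && !rexeced_flag)` test encoded depends on how the listener forwards it, which this hunk does not show. A comment at the `int inetd_flag = 0;` definition in sshd-session.c such as `/* Set when the listener was started from inetd; confirm how sshd forwards it to sshd-session */` would record the assumption once verified. Both call sites that used to pass `(inetd_flag && !rexeced_flag)` (platform.c and the sshd-session.c main hunk) depend on it.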


@ -72,17 +72,17 @@ diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
u_int dh_estimate(int); u_int dh_estimate(int);
void dh_set_moduli_file(const char *); void dh_set_moduli_file(const char *);
diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c diff -up openssh-8.6p1/kex-names.c.fips openssh-8.6p1/kex-names.c
--- openssh-8.6p1/kex.c.fips 2021-05-06 12:08:36.489926807 +0200 --- openssh-8.6p1/kex-names.c.fips 2021-05-06 12:08:36.489926807 +0200
+++ openssh-8.6p1/kex.c 2021-05-06 12:08:36.498926877 +0200 +++ openssh-8.6p1/kex-names.c 2021-05-06 12:08:36.498926877 +0200
@@ -39,6 +39,7 @@ @@ -39,6 +39,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
#include <openssl/crypto.h> #include <openssl/crypto.h>
+#include <openssl/fips.h> +#include <openssl/fips.h>
#include <openssl/dh.h> #include <openssl/evp.h>
# ifdef HAVE_EVP_KDF_CTX_NEW_ID #endif
# include <openssl/kdf.h>
@@ -203,7 +203,10 @@ kex_names_valid(const char *names) @@ -203,7 +203,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
@ -361,8 +361,8 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
@@ -77,6 +78,7 @@ @@ -77,6 +78,7 @@
#include <openssl/dh.h> #ifdef WITH_OPENSSL
#include <openssl/bn.h> #include <openssl/evp.h>
#include <openssl/rand.h> #include <openssl/rand.h>
+#include <openssl/fips.h> +#include <openssl/fips.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
@ -393,7 +393,18 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
/* /*
* Chdir to the root directory so that the current disk can be * Chdir to the root directory so that the current disk can be
* unmounted if desired. * unmounted if desired.
@@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh) diff -up openssh-8.6p1/sshd-session.c.fips openssh-8.6p1/sshd-session.c
--- a/sshd-session.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ b/sshd-session.c 2021-05-06 12:13:56.501492639 +0200
@@ -78,6 +79,7 @@
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
+#include <openssl/fips.h>
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -2506,10 +2513,14 @@ do_ssh2_kex(struct ssh *ssh)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL; orig = NULL;
@ -475,11 +486,11 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
*lenp = 0; *lenp = 0;
if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE) if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
return SSH_ERR_INVALID_ARGUMENT; return SSH_ERR_INVALID_ARGUMENT;
+ if (FIPS_mode() && ((key->type == KEY_ED25519_SK) || (key->type == KEY_ED25519_SK_CERT))) { + if (FIPS_mode() && ((key->type == KEY_ED25519_SK) || (key->type == KEY_ED25519_SK_CERT))) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode"); + logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT; + return SSH_ERR_INVALID_ARGUMENT;
+ } + }
+ /* Fallthrough */ + /* Fallthrough */
if ((impl = sshkey_impl_from_key(key)) == NULL) if ((impl = sshkey_impl_from_key(key)) == NULL)
return SSH_ERR_KEY_TYPE_UNKNOWN; return SSH_ERR_KEY_TYPE_UNKNOWN;
if ((r = sshkey_unshield_private(key)) != 0) if ((r = sshkey_unshield_private(key)) != 0)
@ -487,10 +498,10 @@ diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
*detailsp = NULL; *detailsp = NULL;
if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE) if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
return SSH_ERR_INVALID_ARGUMENT; return SSH_ERR_INVALID_ARGUMENT;
+ if (FIPS_mode() && ((key->type == KEY_ED25519_SK) || (key->type == KEY_ED25519_SK_CERT))) { + if (FIPS_mode() && ((key->type == KEY_ED25519_SK) || (key->type == KEY_ED25519_SK_CERT))) {
+ logit_f("Ed25519 keys are not allowed in FIPS mode"); + logit_f("Ed25519 keys are not allowed in FIPS mode");
+ return SSH_ERR_INVALID_ARGUMENT; + return SSH_ERR_INVALID_ARGUMENT;
+ } + }
if ((impl = sshkey_impl_from_key(key)) == NULL) if ((impl = sshkey_impl_from_key(key)) == NULL)
return SSH_ERR_KEY_TYPE_UNKNOWN; return SSH_ERR_KEY_TYPE_UNKNOWN;
return impl->funcs->verify(key, sig, siglen, data, dlen, return impl->funcs->verify(key, sig, siglen, data, dlen,
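Review bot: The `/* Fallthrough */` comment kept after the new FIPS guard in sshkey_sign describes nothing — there is no switch there, the guard is a plain `if` that returns — so it reads as a leftover; drop it or replace it with a comment that states the check, e.g. `/* Ed25519-SK keys are rejected in FIPS mode before impl lookup */`. The same four-line guard is repeated verbatim in sshkey_verify; a small `static int` helper taking the key would keep the two in sync. Separately, the rebased sshd-session.c section of this patch uses `a/`/`b/` path prefixes unlike the `openssh-8.6p1/` prefix used elsewhere, and its hunk header `@@ -78,6 +79,7 @@` implies an earlier hunk in that file that the section does not show; patch will usually apply it with fuzz, but the header and prefix should match the rest of the series.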


@ -368,7 +368,7 @@ diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c
+ if (gssapi_client.store.envval == NULL) + if (gssapi_client.store.envval == NULL)
return; return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); ok = mm_ssh_gssapi_update_creds(&gssapi_client.store);
diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c
--- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-04-19 14:05:10.852744562 +0200 --- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/gss-serv-krb5.c 2021-04-19 14:05:10.854744577 +0200 +++ openssh-8.6p1/gss-serv-krb5.c 2021-04-19 14:05:10.854744577 +0200
@ -579,9 +579,9 @@ diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c
child_set_env(&env, &envsize, "KRB5CCNAME", child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ccname); s->authctxt->krb5_ccname);
#endif #endif
diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c diff -up openssh-8.6p1/sshd-session.c.ccache_name openssh-8.6p1/sshd-session.c
--- openssh-8.6p1/sshd.c.ccache_name 2021-04-19 14:05:10.849744540 +0200 --- openssh-8.6p1/sshd-session.c.ccache_name 2021-04-19 14:05:10.849744540 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:05:10.855744584 +0200 +++ openssh-8.6p1/sshd-session.c 2021-04-19 14:05:10.855744584 +0200
@@ -2284,7 +2284,7 @@ main(int ac, char **av) @@ -2284,7 +2284,7 @@ main(int ac, char **av)
#ifdef GSSAPI #ifdef GSSAPI
if (options.gss_authentication) { if (options.gss_authentication) {
@ -607,8 +607,8 @@ diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5
+can lead to overwriting previous tickets by subseqent connections to the same +can lead to overwriting previous tickets by subseqent connections to the same
+user account. +user account.
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the permitted KEX (Key Exchange) algorithms that the server will
Multiple algorithms must be comma-separated. offer to clients.
diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h
--- openssh-8.6p1/ssh-gss.h.ccache_name 2021-04-19 14:05:10.852744562 +0200 --- openssh-8.6p1/ssh-gss.h.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/ssh-gss.h 2021-04-19 14:05:10.855744584 +0200 +++ openssh-8.6p1/ssh-gss.h 2021-04-19 14:05:10.855744584 +0200
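Review bot: The sshd_config.5 text this patch adds still carries the typo `subseqent` in `+can lead to overwriting previous tickets by subseqent connections to the same`; since the rebase already touches this hunk's context, correct it to `subsequent`. The gss-serv.c change to call `mm_ssh_gssapi_update_creds` directly in place of the `PRIVSEP()` wrapper matches the way the other patches in this commit drop the non-privsep path.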


@ -1,13 +1,13 @@
diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200 --- openssh-8.6p1/sshd-session.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200 +++ openssh-8.6p1/sshd-session.c 2021-04-19 14:03:21.140920974 +0200
@@ -1749,6 +1749,10 @@ main(int ac, char **av) @@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, "enabled authentication methods");
cfg, &includes, NULL, rexeced_flag); }
+ /* 'UsePAM no' is not supported in Fedora */ + /* 'UsePAM no' is not supported in our builds */
+ if (! options.use_pam) + if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); + logit("WARNING: 'UsePAM no' is not supported in this build and may cause several problems.");
+ +
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
if (options.moduli_file != NULL) if (options.moduli_file != NULL)
@ -19,7 +19,7 @@ diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# WARNING: 'UsePAM no' is not supported in this build and may cause several
+# problems. +# problems.
#UsePAM no #UsePAM no
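Review bot: The `diff -up` line at the top of this patch still names `openssh-8.6p1/sshd.c`, while the `---`/`+++` lines below it were rebased to `sshd-session.c`; patch only reads the `---`/`+++` headers so it applies, but the mismatch misleads anyone reading the series, so update it to `diff -up openssh-8.6p1/sshd-session.c.log-usepam-no openssh-8.6p1/sshd-session.c`. The hunk header `@@ -1749,6 +1749,10 @@ main(int ac, char **av)` also appears to carry the 8.6p1 line numbers and function name; whether the new anchor context (`"enabled authentication methods");`) sits in main in 9.8's sshd-session.c is not visible here, so regenerate the hunk rather than hand-editing it.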


@ -23,20 +23,17 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
if ((style = strchr(user, ':')) != NULL) if ((style = strchr(user, ':')) != NULL)
*style++ = 0; *style++ = 0;
@@ -314,8 +314,15 @@ input_userauth_request(int type, u_int32 @@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : ""); setproctitle("%s [net]", authctxt->valid ? user : "unknown");
authctxt->service = xstrdup(service); authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL; authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL; + authctxt->role = role ? xstrdup(role) : NULL;
+#endif +#endif
+ if (use_privsep) { mm_inform_authserv(service, style);
mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ mm_inform_authrole(role); + mm_inform_authrole(role);
+#endif +#endif
+ }
userauth_banner(ssh); userauth_banner(ssh);
if ((r = kex_server_update_ext_info(ssh)) != 0) if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed"); fatal_fr(r, "kex_server_update_ext_info failed");
@ -50,7 +47,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
+ char *micuser; + char *micuser;
struct sshbuf *b; struct sshbuf *b;
gss_buffer_desc mic, gssbuf; gss_buffer_desc mic, gssbuf;
const char *displayname; u_char *p;
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple @@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
fatal_f("sshbuf_new failed"); fatal_f("sshbuf_new failed");
mic.value = p; mic.value = p;
@ -74,7 +71,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
+ free(micuser); + free(micuser);
free(mic.value); free(mic.value);
if ((!use_privsep || mm_is_monitor()) && authctxt->postponed = 0;
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200 +++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
@ -147,7 +144,7 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200 +++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
@@ -33,7 +33,7 @@ u_int do_pam_account(void); @@ -33,7 +33,7 @@ u_int do_pam_account(void);
void do_pam_session(struct ssh *); void do_pam_session(struct ssh *);
void do_pam_setcred(int ); void do_pam_setcred(void);
void do_pam_chauthtok(void); void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *); -int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *); +int do_pam_putenv(char *, const char *);
@ -418,7 +415,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200 --- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
@@ -0,0 +1,421 @@ @@ -0,0 +1,420 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -472,7 +469,6 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+extern ServerOptions options; +extern ServerOptions options;
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
+extern int inetd_flag; +extern int inetd_flag;
+extern int rexeced_flag;
+ +
+/* Send audit message */ +/* Send audit message */
+static int +static int
@ -678,7 +674,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ +
+ if (r == 0) { + if (r == 0) {
+ /* If launched from xinetd, we must use current level */ + /* If launched from xinetd, we must use current level */
+ if (inetd_flag && !rexeced_flag) { + if (inetd_flag) {
+ security_context_t sshdsc=NULL; + security_context_t sshdsc=NULL;
+ +
+ if (getcon_raw(&sshdsc) < 0) + if (getcon_raw(&sshdsc) < 0)
@ -752,7 +748,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ +
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); + rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+ +
+ if (inetd_flag && !rexeced_flag) { + if (inetd_flag) {
+ use_current = "1"; + use_current = "1";
+ } else { + } else {
+ use_current = ""; + use_current = "";
@ -853,8 +849,8 @@ diff -up openssh/platform.c.role-mls openssh/platform.c
} }
diff -up openssh/sshd.c.role-mls openssh/sshd.c diff -up openssh/sshd.c.role-mls openssh/sshd.c
--- openssh/sshd.c.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/sshd.c 2018-08-22 11:14:56.820430957 +0200 +++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200
@@ -2186,6 +2186,9 @@ main(int ac, char **av) @@ -2186,6 +2186,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
@ -864,4 +860,4 @@ diff -up openssh/sshd.c.role-mls openssh/sshd.c
+#endif +#endif
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) { if (options.use_pam) {
do_pam_setcred(1); do_pam_setcred();
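Review bot: The new port-linux-sshd.c file this patch creates still declares `extern int inetd_flag;` beside `options` and `the_authctxt`, and the separate refactor patch in this same commit then deletes those externs and replaces `inetd_flag` with the `inetd` parameter; the series therefore only applies in that order, which is worth a line in the patch header such as `# must apply before the refactor patch, which removes these externs` so a later rebase does not reorder them. In auth2.c, `mm_inform_authrole(role)` is now sent unconditionally under WITH_SELINUX; that appears consistent with the other hunks, where the upstream context has dropped the `use_privsep` checks, and `authctxt->role` is set just before it so the monitor and the child see the same value.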


@ -155,7 +155,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
.It Cm HostKeyAlias .It Cm HostKeyAlias
Specifies an alias that should be used instead of the Specifies an alias that should be used instead of the
real host name when looking up or saving the host key real host name when looking up or saving the host key
@@ -1232,30 +1229,25 @@ @@ -1330,6 +1330,11 @@ it may be zero or more of:
and and
.Cm pam . .Cm pam .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -164,8 +164,11 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the available KEX (Key Exchange) algorithms. Specifies the permitted KEX (Key Exchange) algorithms that will be used and
Multiple algorithms must be comma-separated. their preference order.
The selected algorithm will the the first algorithm in this list that
@@ -1338,28 +1343,17 @@ Multiple algorithms must be comma-separa
.Pp
If the specified list begins with a If the specified list begins with a
.Sq + .Sq +
-character, then the specified algorithms will be appended to the default set -character, then the specified algorithms will be appended to the default set
@ -181,6 +184,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
.Sq ^ .Sq ^
character, then the specified algorithms will be placed at the head of the character, then the specified algorithms will be placed at the head of the
-default set. -default set.
-.Pp
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-sntrup761x25519-sha512@openssh.com, -sntrup761x25519-sha512@openssh.com,
@ -191,10 +195,11 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
-diffie-hellman-group18-sha512, -diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256 -diffie-hellman-group14-sha256
-.Ed -.Ed
+built-in openssh default set.
.Pp .Pp
The list of available key exchange algorithms may also be obtained using +built-in openssh default set.
The list of supported key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q kex .
.It Cm KnownHostsCommand
@@ -1365,37 +1357,33 @@ @@ -1365,37 +1357,33 @@
file. file.
This option is intended for debugging and no overrides are enabled by default. This option is intended for debugging and no overrides are enabled by default.
@ -479,7 +484,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms . .Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts .It Cm IgnoreRhosts
@@ -1044,20 +1017,25 @@ @@ -1025,6 +1025,11 @@ Specifies whether to look at .k5login fi
The default is The default is
.Cm yes . .Cm yes .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -488,9 +493,12 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page +Information about defaults, how to modify the defaults and how to customize existing policies with sub-policies are present in manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the available KEX (Key Exchange) algorithms. Specifies the permitted KEX (Key Exchange) algorithms that the server will
Multiple algorithms must be comma-separated. offer to clients.
Alternately if the specified list begins with a The ordering of this list is not important, as the client specifies the
@@ -1033,16 +1038,16 @@ Multiple algorithms must be comma-separa
.Pp
If the specified list begins with a
.Sq + .Sq +
-character, then the specified algorithms will be appended to the default set -character, then the specified algorithms will be appended to the default set
-instead of replacing them. -instead of replacing them.
@ -506,10 +514,10 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
character, then the specified algorithms will be placed at the head of the character, then the specified algorithms will be placed at the head of the
-default set. -default set.
+built-in openssh default set. +built-in openssh default set.
.Pp
The supported algorithms are: The supported algorithms are:
.Pp .Pp
.Bl -item -compact -offset indent @@ -1075,16 +1080,6 @@ ecdh-sha2-nistp521
@@ -1089,16 +1067,6 @@
sntrup761x25519-sha512@openssh.com sntrup761x25519-sha512@openssh.com
.El .El
.Pp .Pp
@ -523,7 +531,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
-diffie-hellman-group14-sha256 -diffie-hellman-group14-sha256
-.Ed -.Ed
-.Pp -.Pp
The list of available key exchange algorithms may also be obtained using The list of supported key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms . .Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress .It Cm ListenAddress
@@ -1184,21 +1152,26 @@ @@ -1184,21 +1152,26 @@
@ -3,7 +3,7 @@ index e7549470..b68c1710 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kex.o kex-names.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexgexs.o \ kexgexc.o kexgexs.o \
kexsntrup761x25519.o sntrup761.o kexgen.o \ kexsntrup761x25519.o sntrup761.o kexgen.o \
+ kexgssc.o \ + kexgssc.o \
@ -11,14 +11,14 @@ index e7549470..b68c1710 100644
sshbuf-io.o sshbuf-io.o
@@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ @@ -125,7 +126,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
auth2-chall.o groupaccess.o \
auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \
monitor.o monitor_wrap.o auth-krb5.o \ - monitor.o monitor_wrap.o auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \ + monitor.o monitor_wrap.o auth-krb5.o kexgsss.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o \
srclimit.o sftp-server.o sftp-common.o \ sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
@@ -523,7 +523,7 @@ regress-prep: @@ -523,7 +523,7 @@ regress-prep:
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
@ -41,117 +41,10 @@ diff -up a/auth.c.gsskex b/auth.c
return 1; return 1;
break; break;
case PERMIT_FORCED_ONLY: case PERMIT_FORCED_ONLY:
@@ -730,97 +731,6 @@ fakepw(void)
}
/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on based on conflation of hostnames and IP addresses.
- */
-
-static char *
-remote_hostname(struct ssh *ssh)
-{
- struct sockaddr_storage from;
- socklen_t fromlen;
- struct addrinfo hints, *ai, *aitop;
- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
- const char *ntop = ssh_remote_ipaddr(ssh);
-
- /* Get IP address of client. */
- fromlen = sizeof(from);
- memset(&from, 0, sizeof(from));
- if (getpeername(ssh_packet_get_connection_in(ssh),
- (struct sockaddr *)&from, &fromlen) == -1) {
- debug("getpeername failed: %.100s", strerror(errno));
- return xstrdup(ntop);
- }
-
- ipv64_normalise_mapped(&from, &fromlen);
- if (from.ss_family == AF_INET6)
- fromlen = sizeof(struct sockaddr_in6);
-
- debug3("Trying to reverse map address %.100s.", ntop);
- /* Map the IP address to a host name. */
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
- NULL, 0, NI_NAMEREQD) != 0) {
- /* Host name not found. Use ip address. */
- return xstrdup(ntop);
- }
-
- /*
- * if reverse lookup result looks like a numeric hostname,
- * someone is trying to trick us by PTR record like following:
- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_flags = AI_NUMERICHOST;
- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
- name, ntop);
- freeaddrinfo(ai);
- return xstrdup(ntop);
- }
-
- /* Names are stored in lowercase. */
- lowercase(name);
-
- /*
- * Map it back to an IP address and check that the given
- * address actually is an address of this host. This is
- * necessary because anyone with access to a name server can
- * define arbitrary names for an IP address. Mapping from
- * name to IP address can be trusted better (but can still be
- * fooled if the intruder has access to the name server of
- * the domain).
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = from.ss_family;
- hints.ai_socktype = SOCK_STREAM;
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
- logit("reverse mapping checking getaddrinfo for %.700s "
- "[%s] failed.", name, ntop);
- return xstrdup(ntop);
- }
- /* Look for the address from the list of addresses. */
- for (ai = aitop; ai; ai = ai->ai_next) {
- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
- (strcmp(ntop, ntop2) == 0))
- break;
- }
- freeaddrinfo(aitop);
- /* If we reached the end of the list, the address was not there. */
- if (ai == NULL) {
- /* Address not found for the host name. */
- logit("Address %.100s maps to %.600s, but this does not "
- "map back to the address.", ntop, name);
- return xstrdup(ntop);
- }
- return xstrdup(name);
-}
-
-/*
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
* several times.
diff --git a/auth2-gss.c b/auth2-gss.c diff --git a/auth2-gss.c b/auth2-gss.c
index 9351e042..d6446c0c 100644 index 9351e042..d6446c0c 100644
--- a/auth2-gss.c --- a/auth2-gss.c
+++ b/auth2-gss.c +++ b/auth2-gss.c
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -54,6 +54,48 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh); @@ -54,6 +54,48 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh);
static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh); static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh);
static int input_gssapi_errtok(int, u_int32_t, struct ssh *); static int input_gssapi_errtok(int, u_int32_t, struct ssh *);
@ -187,10 +80,10 @@ index 9351e042..d6446c0c 100644
+ gssbuf.length = sshbuf_len(b); + gssbuf.length = sshbuf_len(b);
+ +
+ /* gss_kex_context is NULL with privsep, so we can't check it here */ + /* gss_kex_context is NULL with privsep, so we can't check it here */
+ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, + if (!GSS_ERROR(mm_ssh_gssapi_checkmic(gss_kex_context,
+ &gssbuf, &mic)))) + &gssbuf, &mic)))
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, + authenticated = mm_ssh_gssapi_userok(authctxt->user,
+ authctxt->pw, 1)); + authctxt->pw, 1);
+ +
+ sshbuf_free(b); + sshbuf_free(b);
+ free(mic.value); + free(mic.value);
@ -201,40 +94,42 @@ index 9351e042..d6446c0c 100644
/* /*
* We only support those mechanisms that we know about (ie ones that we know * We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like) * how to check local user kuserok and the like)
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) @@ -260,7 +302,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0) if ((r = sshpkt_get_end(ssh)) != 0)
fatal_fr(r, "parse packet"); fatal_fr(r, "parse packet");
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); - authenticated = mm_ssh_gssapi_userok(authctxt->user);
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, + authenticated = mm_ssh_gssapi_userok(authctxt->user, authctxt->pw, 1);
+ authctxt->pw, 1));
if ((!use_privsep || mm_is_monitor()) && authctxt->postponed = 0;
(displayname = ssh_gssapi_displayname()) != NULL) ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -306,7 +349,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) @@ -306,7 +349,7 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
gssbuf.length = sshbuf_len(b); gssbuf.length = sshbuf_len(b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) if (!GSS_ERROR(mm_ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); - authenticated = mm_ssh_gssapi_userok(authctxt->user);
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, + authenticated = mm_ssh_gssapi_userok(authctxt->user, authctxt->pw, 0);
+ authctxt->pw, 0));
else else
logit("GSSAPI MIC check failed"); logit("GSSAPI MIC check failed");
@@ -326,6 +370,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) @@ -326,6 +370,17 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
return 0; return 0;
} }
+Authmethod method_gsskeyex = { +struct authmethod_cfg methodcfg_gsskeyex = {
+ "gssapi-keyex", + "gssapi-keyex",
+ NULL, + NULL,
+ userauth_gsskeyex,
+ &options.gss_authentication + &options.gss_authentication
+}; +};
+
+Authmethod method_gsskeyex = {
+ &methodcfg_gsskeyex,
+ userauth_gsskeyex,
+};
+ +
Authmethod method_gssapi = { Authmethod method_gssapi = {
"gssapi-with-mic", &methodcfg_gssapi,
NULL, userauth_gssapi,
diff --git a/auth2.c b/auth2.c diff --git a/auth2.c b/auth2.c
index 0e776224..1c217268 100644 index 0e776224..1c217268 100644
--- a/auth2.c --- a/auth2.c
@ -442,15 +337,6 @@ diff --git a/gss-genr.c b/gss-genr.c
index d56257b4..763a63ff 100644 index d56257b4..763a63ff 100644
--- a/gss-genr.c --- a/gss-genr.c
+++ b/gss-genr.c +++ b/gss-genr.c
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
/*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -41,9 +41,33 @@ @@ -41,9 +41,33 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "log.h" #include "log.h"
@ -736,7 +622,7 @@ index d56257b4..763a63ff 100644
/* RFC 4462 says we MUST NOT do SPNEGO */ /* RFC 4462 says we MUST NOT do SPNEGO */
if (oid->length == spnego_oid.length && if (oid->length == spnego_oid.length &&
@@ -287,6 +519,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) @@ -500,6 +500,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
ssh_gssapi_build_ctx(ctx); ssh_gssapi_build_ctx(ctx);
ssh_gssapi_set_oid(*ctx, oid); ssh_gssapi_set_oid(*ctx, oid);
major = ssh_gssapi_import_name(*ctx, host); major = ssh_gssapi_import_name(*ctx, host);
@ -747,7 +633,7 @@ index d56257b4..763a63ff 100644
if (!GSS_ERROR(major)) { if (!GSS_ERROR(major)) {
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
NULL); NULL);
@@ -296,10 +532,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) @@ -527,10 +527,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
GSS_C_NO_BUFFER); GSS_C_NO_BUFFER);
} }
@ -1012,7 +898,7 @@ index ab3a15f0..6ce56e92 100644
+ Gssctxt *ctx = NULL; + Gssctxt *ctx = NULL;
+ int res; + int res;
+ +
+ res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid))); + res = !GSS_ERROR(mm_ssh_gssapi_server_ctx(&ctx, oid));
+ ssh_gssapi_delete_ctx(&ctx); + ssh_gssapi_delete_ctx(&ctx);
+ +
+ return (res); + return (res);
@ -1158,7 +1044,7 @@ index ab3a15f0..6ce56e92 100644
/* Destroy delegated credentials if userok fails */ /* Destroy delegated credentials if userok fails */
gss_release_buffer(&lmin, &gssapi_client.displayname); gss_release_buffer(&lmin, &gssapi_client.displayname);
gss_release_buffer(&lmin, &gssapi_client.exportedname); gss_release_buffer(&lmin, &gssapi_client.exportedname);
@@ -382,14 +471,90 @@ ssh_gssapi_userok(char *user) @@ -382,14 +471,85 @@ ssh_gssapi_userok(char *user)
return (0); return (0);
} }
@ -1201,7 +1087,7 @@ index ab3a15f0..6ce56e92 100644
+ gssapi_client.store.envvar == NULL) + gssapi_client.store.envvar == NULL)
+ return; + return;
+ +
+ ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); + ok = mm_ssh_gssapi_update_creds(&gssapi_client.store);
+ +
+ if (!ok) + if (!ok)
+ return; + return;
@ -1213,11 +1099,6 @@ index ab3a15f0..6ce56e92 100644
+ * for rekeying. So, use our own :) + * for rekeying. So, use our own :)
+ */ + */
+#ifdef USE_PAM +#ifdef USE_PAM
+ if (!use_privsep) {
+ debug("Not even going to try and do PAM with privsep disabled");
+ return;
+ }
+
+ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name, + ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
+ &pamconv, &pamh); + &pamconv, &pamh);
+ if (ret) + if (ret)
@ -1256,20 +1137,34 @@ index ab3a15f0..6ce56e92 100644
/* Privileged */ /* Privileged */
diff --git a/kex.c b/kex.c diff --git a/kex.c b/kex.c
index ce85f043..574c7609 100644 index a5ae6ac0..fe714141 100644
--- a/kex.c --- a/kex.c
+++ b/kex.c +++ b/kex.c
@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->server_version);
sshbuf_free(kex->client_pub);
sshbuf_free(kex->session_id);
+#ifdef GSSAPI
+ free(kex->gss_host);
+#endif /* GSSAPI */
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
free(kex->failed_choice);
diff --git a/kex-names.c b/kex-names.c
index ce85f043..574c7609 100644
--- a/kex-names.c
+++ b/kex-names.c
@@ -57,6 +57,10 @@ @@ -57,6 +57,10 @@
#include "digest.h" #include "ssherr.h"
#include "xmalloc.h" #include "xmalloc.h"
+#ifdef GSSAPI +#ifdef GSSAPI
+#include "ssh-gss.h" +#include "ssh-gss.h"
+#endif +#endif
+ +
/* prototype */ struct kexalg {
static int kex_choose_conf(struct ssh *, uint32_t seq); char *name;
static int kex_input_newkeys(int, u_int32_t, struct ssh *); u_int type;
@@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = { @@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = {
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, 0, -1, -1}, { NULL, 0, -1, -1},
@ -1332,10 +1227,11 @@ index ce85f043..574c7609 100644
return NULL; return NULL;
} }
@@ -315,6 +349,29 @@ kex_assemble_names(char **listp, const char *def, const char *all) @@ -315,3 +349,26 @@ kex_assemble_names(char **listp, const char *def, const char *all)
free(ret);
return r; return r;
} }
+
+/* Validate GSS KEX method name list */ +/* Validate GSS KEX method name list */
+int +int
+kex_gss_names_valid(const char *names) +kex_gss_names_valid(const char *names)
@ -1358,20 +1254,6 @@ index ce85f043..574c7609 100644
+ free(s); + free(s);
+ return 1; + return 1;
+} +}
+
/*
* Fill out a proposal array with dynamically allocated values, which may
* be modified as required for compatibility reasons.
@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->server_version);
sshbuf_free(kex->client_pub);
sshbuf_free(kex->session_id);
+#ifdef GSSAPI
+ free(kex->gss_host);
+#endif /* GSSAPI */
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
free(kex->failed_choice);
diff --git a/kex.h b/kex.h diff --git a/kex.h b/kex.h
index a5ae6ac0..fe714141 100644 index a5ae6ac0..fe714141 100644
--- a/kex.h --- a/kex.h
@ -1406,16 +1288,16 @@ index a5ae6ac0..fe714141 100644
int (*verify_host_key)(struct sshkey *, struct ssh *); int (*verify_host_key)(struct sshkey *, struct ssh *);
struct sshkey *(*load_host_public_key)(int, int, struct ssh *); struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
@@ -174,8 +189,10 @@ struct kex { @@ -174,8 +189,10 @@ struct kex {
int kex_nid_from_name(const char *);
int kex_names_valid(const char *); int kex_names_valid(const char *);
char *kex_alg_list(char); char *kex_alg_list(char);
+char *kex_gss_alg_list(char); +char *kex_gss_alg_list(char);
char *kex_names_cat(const char *, const char *); char *kex_names_cat(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *); int kex_has_any_alg(const char *, const char *);
+int kex_gss_names_valid(const char *); +int kex_gss_names_valid(const char *);
int kex_assemble_names(char **, const char *, const char *);
void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX], void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
const char *, const char *, const char *, const char *, const char *); const char *, const char *, const char *, const char *, const char *);
void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
@@ -202,6 +219,12 @@ int kexgex_client(struct ssh *); @@ -202,6 +219,12 @@ int kexgex_client(struct ssh *);
int kexgex_server(struct ssh *); int kexgex_server(struct ssh *);
int kex_gen_client(struct ssh *); int kex_gen_client(struct ssh *);
@ -2205,7 +2087,7 @@ index 00000000..60bc02de
+ +
+ debug2_f("Acquiring credentials"); + debug2_f("Acquiring credentials");
+ +
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) + if (GSS_ERROR(mm_ssh_gssapi_server_ctx(&ctxt, oid)))
+ fatal("Unable to acquire credentials for the server"); + fatal("Unable to acquire credentials for the server");
+ +
+ do { + do {
@ -2282,8 +2164,8 @@ index 00000000..60bc02de
+ type); + type);
+ } + }
+ +
+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, + maj_status = mm_ssh_gssapi_accept_ctx(ctxt, &recv_tok,
+ &send_tok, &ret_flags)); + &send_tok, &ret_flags);
+ +
+ gss_release_buffer(&min_status, &recv_tok); + gss_release_buffer(&min_status, &recv_tok);
+ +
@ -2319,7 +2201,7 @@ index 00000000..60bc02de
+ if (!(ret_flags & GSS_C_INTEG_FLAG)) + if (!(ret_flags & GSS_C_INTEG_FLAG))
+ fatal("Integrity flag wasn't set"); + fatal("Integrity flag wasn't set");
+ +
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))) + if (GSS_ERROR(mm_ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))
+ fatal("Couldn't get MIC"); + fatal("Couldn't get MIC");
+ +
+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_COMPLETE)) != 0 || + if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_COMPLETE)) != 0 ||
@ -2409,7 +2291,7 @@ index 00000000..60bc02de
+ +
+ debug2_f("Acquiring credentials"); + debug2_f("Acquiring credentials");
+ +
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) + if (GSS_ERROR(mm_ssh_gssapi_server_ctx(&ctxt, oid)))
+ fatal("Unable to acquire credentials for the server"); + fatal("Unable to acquire credentials for the server");
+ +
+ /* 5. S generates an ephemeral key pair (do the allocations early) */ + /* 5. S generates an ephemeral key pair (do the allocations early) */
@ -2431,7 +2313,7 @@ index 00000000..60bc02de
+ if (max < min || nbits < min || max < nbits) + if (max < min || nbits < min || max < nbits)
+ fatal("GSS_GEX, bad parameters: %d !< %d !< %d", + fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
+ min, nbits, max); + min, nbits, max);
+ kex->dh = PRIVSEP(choose_dh(min, nbits, max)); + kex->dh = mm_choose_dh(min, nbits, max);
+ if (kex->dh == NULL) { + if (kex->dh == NULL) {
+ sshpkt_disconnect(ssh, "Protocol error: no matching group found"); + sshpkt_disconnect(ssh, "Protocol error: no matching group found");
+ fatal("Protocol error: no matching group found"); + fatal("Protocol error: no matching group found");
@ -2478,8 +2360,8 @@ index 00000000..60bc02de
+ type); + type);
+ } + }
+ +
+ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, + maj_status = mm_ssh_gssapi_accept_ctx(ctxt, &recv_tok,
+ &send_tok, &ret_flags)); + &send_tok, &ret_flags);
+ +
+ gss_release_buffer(&min_status, &recv_tok); + gss_release_buffer(&min_status, &recv_tok);
+ +
@ -2544,7 +2426,7 @@ index 00000000..60bc02de
+ gssbuf.value = hash; + gssbuf.value = hash;
+ gssbuf.length = hashlen; + gssbuf.length = hashlen;
+ +
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))) + if (GSS_ERROR(mm_ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok)))
+ fatal("Couldn't get MIC"); + fatal("Couldn't get MIC");
+ +
+ if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_COMPLETE)) != 0 || + if ((r = sshpkt_start(ssh, SSH2_MSG_KEXGSS_COMPLETE)) != 0 ||
@ -2873,7 +2755,7 @@ index 001a8fa1..6edb509a 100644
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
mm_request_receive_expect(pmonitor->m_recvfd, mm_request_receive_expect(pmonitor->m_recvfd,
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user) @@ -1012,6 +1014,59 @@ mm_ssh_gssapi_userok(char *user)
debug3_f("user %sauthenticated", authenticated ? "" : "not "); debug3_f("user %sauthenticated", authenticated ? "" : "not ");
return (authenticated); return (authenticated);
} }
@ -2931,6 +2813,8 @@ index 001a8fa1..6edb509a 100644
+} +}
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
/*
diff --git a/monitor_wrap.h b/monitor_wrap.h diff --git a/monitor_wrap.h b/monitor_wrap.h
index 23ab096a..485590c1 100644 index 23ab096a..485590c1 100644
--- a/monitor_wrap.h --- a/monitor_wrap.h
@ -3107,8 +2991,8 @@ diff -up a/servconf.c.gsskex b/servconf.c
#include "digest.h" #include "digest.h"
+#include "ssh-gss.h" +#include "ssh-gss.h"
static void add_listen_addr(ServerOptions *, const char *, #if !defined(SSHD_PAM_SERVICE)
const char *, int); # define SSHD_PAM_SERVICE "sshd"
@@ -136,8 +137,11 @@ initialize_server_options(ServerOptions @@ -136,8 +137,11 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
@ -3141,7 +3025,7 @@ diff -up a/servconf.c.gsskex b/servconf.c
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -506,6 +518,7 @@ typedef enum { @@ -506,6 +518,7 @@ typedef enum {
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sPerSourcePenalties, sPerSourcePenaltyExemptList,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey, + sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
@ -3262,14 +3146,6 @@ diff --git a/ssh-gss.h b/ssh-gss.h
index 36180d07..70dd3665 100644 index 36180d07..70dd3665 100644
--- a/ssh-gss.h --- a/ssh-gss.h
+++ b/ssh-gss.h +++ b/ssh-gss.h
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -61,10 +61,34 @@ @@ -61,10 +61,34 @@
#define SSH_GSS_OIDTYPE 0x06 #define SSH_GSS_OIDTYPE 0x06
@ -3523,17 +3399,8 @@ diff --git a/sshconnect2.c b/sshconnect2.c
index af00fb30..03bc87eb 100644 index af00fb30..03bc87eb 100644
--- a/sshconnect2.c --- a/sshconnect2.c
+++ b/sshconnect2.c +++ b/sshconnect2.c
@@ -80,8 +80,6 @@
#endif
/* import */
-extern char *client_version_string;
-extern char *server_version_string;
extern Options options;
/*
@@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) @@ -163,6 +161,11 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
char *s, *all_key, *hkalgs = NULL; char *all_key, *hkalgs = NULL;
int r, use_known_hosts_order = 0; int r, use_known_hosts_order = 0;
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3545,8 +3412,8 @@ index af00fb30..03bc87eb 100644
xxx_hostaddr = hostaddr; xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo; xxx_conn_info = cinfo;
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) @@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers, options.kex_algorithms, options.ciphers, options.macs,
options.macs, compression_alg_list(options.compression), compression_alg_list(options.compression),
hkalgs ? hkalgs : options.hostkeyalgorithms); hkalgs ? hkalgs : options.hostkeyalgorithms);
+ +
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3587,7 +3454,7 @@ index af00fb30..03bc87eb 100644
free(hkalgs); free(hkalgs);
@@ -224,17 +256,47 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) @@ -224,14 +256,44 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
# ifdef OPENSSL_HAS_ECC # ifdef OPENSSL_HAS_ECC
ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client;
# endif # endif
@ -3618,11 +3485,8 @@ index af00fb30..03bc87eb 100644
+#endif +#endif
+ +
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
kex_proposal_free_entries(myproposal);
/* remove ext-info from the KEX proposals for rekeying */
free(myproposal[PROPOSAL_KEX_ALGS]);
myproposal[PROPOSAL_KEX_ALGS] =
compat_kex_proposal(ssh, options.kex_algorithms);
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ /* repair myproposal after it was crumpled by the */ + /* repair myproposal after it was crumpled by the */
+ /* ext-info removal above */ + /* ext-info removal above */
@ -3633,9 +3497,9 @@ index af00fb30..03bc87eb 100644
+ free(gss); + free(gss);
+ } + }
+#endif +#endif
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) #ifdef DEBUG_KEXDH
fatal_r(r, "kex_prop2buf"); /* send 1st encrypted/maced/compressed message */
if ((r = sshpkt_start(ssh, SSH2_MSG_IGNORE)) != 0 ||
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); @@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
static int input_gssapi_token(int type, u_int32_t, struct ssh *); static int input_gssapi_token(int type, u_int32_t, struct ssh *);
static int input_gssapi_error(int, u_int32_t, struct ssh *); static int input_gssapi_error(int, u_int32_t, struct ssh *);
@ -3767,6 +3631,20 @@ diff --git a/sshd.c b/sshd.c
index 60b2aaf7..d92f03aa 100644 index 60b2aaf7..d92f03aa 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -1852,7 +1852,8 @@ main(int ac, char **av)
free(fp);
}
accumulate_host_timing_secret(cfg, NULL);
- if (!sensitive_data.have_ssh2_key) {
+ /* The GSSAPI key exchange can run without a host key */
+ if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
}
diff --git a/sshd-session.c b/sshd-session.c
index 60b2aaf7..d92f03aa 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) @@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
} }
debug3_f("sent %u hostkeys", nkeys); debug3_f("sent %u hostkeys", nkeys);
@ -3778,16 +3656,6 @@ index 60b2aaf7..d92f03aa 100644
sshpkt_fatal(ssh, r, "%s: send", __func__); sshpkt_fatal(ssh, r, "%s: send", __func__);
sshbuf_free(buf); sshbuf_free(buf);
} }
@@ -1852,7 +1852,8 @@ main(int ac, char **av)
free(fp);
}
accumulate_host_timing_secret(cfg, NULL);
- if (!sensitive_data.have_ssh2_key) {
+ /* The GSSAPI key exchange can run without a host key */
+ if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
}
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh) @@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
free(hkalgs); free(hkalgs);
@ -3838,9 +3706,9 @@ index 60b2aaf7..d92f03aa 100644
if ((r = kex_setup(ssh, myproposal)) != 0) if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup"); fatal_r(r, "kex_setup");
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh) @@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
# ifdef OPENSSL_HAS_ECC #ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server; kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
# endif #endif
-#endif -#endif
+# ifdef GSSAPI +# ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
@ -4036,9 +3904,9 @@ diff --git a/packet.h b/packet.h
int ssh_packet_read(struct ssh *); int ssh_packet_read(struct ssh *);
+int ssh_packet_read_expect(struct ssh *, u_int type); +int ssh_packet_read_expect(struct ssh *, u_int type);
int ssh_packet_read_poll(struct ssh *);
int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p); int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p);
int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len); int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len);
int ssh_packet_process_read(struct ssh *, int);
diff --git a/packet.c b/packet.c diff --git a/packet.c b/packet.c
--- a/packet.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99) --- a/packet.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/packet.c (date 1703172586447) +++ b/packet.c (date 1703172586447)
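Review bot: In the sshconnect2.c hunk `@@ -224,14 +256,44 @@ ssh_kex2`, the GSSAPI block kept after `ssh_dispatch_run_fatal()` still carries the comment `/* repair myproposal after it was crumpled by the ext-info removal above */`, yet on the new side the only statement visible between the dispatch call and the block is `kex_proposal_free_entries(myproposal);`, and the `kex_prop2buf(ssh->kex->my, myproposal)` call that consumed the repaired proposal in the old version is no longer shown there (the new column continues with `#ifdef DEBUG_KEXDH`). If the block still reads `myproposal[PROPOSAL_KEX_ALGS]` — its middle lines are hidden by the outer hunk header just before `free(gss);` — it would be reading an entry that `kex_proposal_free_entries()` has just freed, and the rebuilt string would never reach `ssh->kex->my` anyway. Either reduce the block to the `free(gss);` it needs for cleanup, or move the GSS-prefix repair to wherever 9.8 now rebuilds the rekey proposal, and reword the comment so it no longer refers to an ext-info removal that is not present on the new side. ssh_kex2() starts and ends outside the hunk, and the old/new side of the single-column lines around `kex_proposal_free_entries` is inferred from the page layout rather than from explicit markers.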
@ -965,9 +965,9 @@ diff -up openssh-9.6p1/ssh-agent.c.pkcs11-uri openssh-9.6p1/ssh-agent.c
--- openssh-9.6p1/ssh-agent.c.pkcs11-uri 2023-12-18 15:59:50.000000000 +0100 --- openssh-9.6p1/ssh-agent.c.pkcs11-uri 2023-12-18 15:59:50.000000000 +0100
+++ openssh-9.6p1/ssh-agent.c 2024-01-12 14:25:25.234942360 +0100 +++ openssh-9.6p1/ssh-agent.c 2024-01-12 14:25:25.234942360 +0100
@@ -1549,10 +1549,72 @@ add_p11_identity(struct sshkey *key, cha @@ -1549,10 +1549,72 @@ add_p11_identity(struct sshkey *key, cha
idtab->nentries++;
} }
#ifdef ENABLE_PKCS11
+static char * +static char *
+sanitize_pkcs11_provider(const char *provider) +sanitize_pkcs11_provider(const char *provider)
+{ +{
@ -19,4 +19,4 @@ diff --git a/servconf.c b/servconf.c
+ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */ + { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL }, { "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL }, { "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },
{ NULL, sBadOption, 0 } { "sshdsessionpath", sSshdSessionPath, SSHCFG_GLOBAL },
@ -79,12 +79,12 @@ diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c
const struct ssh_conn_info *cinfo) const struct ssh_conn_info *cinfo)
{ {
char *myproposal[PROPOSAL_MAX]; char *myproposal[PROPOSAL_MAX];
- char *s, *all_key, *hkalgs = NULL; - char *all_key, *hkalgs = NULL;
+ char *s, *all_key, *hkalgs = NULL, *filtered_algs = NULL; + char *all_key, *hkalgs = NULL, *filtered_algs = NULL;
int r, use_known_hosts_order = 0; int r, use_known_hosts_order = 0;
#if defined(GSSAPI) && defined(WITH_OPENSSL) #if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -260,9 +260,21 @@ ssh_kex2(struct ssh *ssh, char *host, st @@ -260,10 +260,22 @@ ssh_kex2(struct ssh *ssh, char *host, st
if (use_known_hosts_order) if (use_known_hosts_order)
hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo); hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
@ -100,8 +100,9 @@ diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c
+ options.hostkeyalgorithms, options.pubkey_accepted_algos); + options.hostkeyalgorithms, options.pubkey_accepted_algos);
+ } + }
+ +
kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers, kex_proposal_populate_entries(ssh, myproposal,
options.macs, compression_alg_list(options.compression), options.kex_algorithms, options.ciphers, options.macs,
compression_alg_list(options.compression),
- hkalgs ? hkalgs : options.hostkeyalgorithms); - hkalgs ? hkalgs : options.hostkeyalgorithms);
+ filtered_algs); + filtered_algs);


@ -148,15 +148,6 @@ diff -up openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-8.7p
ASSERT_PTR_NE(keyname, NULL); ASSERT_PTR_NE(keyname, NULL);
kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname; kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0); ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
@@ -180,7 +181,7 @@ do_kex(char *kex)
{
#ifdef WITH_OPENSSL
do_kex_with_key(kex, KEY_RSA, 2048);
- do_kex_with_key(kex, KEY_DSA, 1024);
+ /* do_kex_with_key(kex, KEY_DSA, 1024); */
#ifdef OPENSSL_HAS_ECC
do_kex_with_key(kex, KEY_ECDSA, 256);
#endif /* OPENSSL_HAS_ECC */
diff -up openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_file.c diff -up openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_file.c
--- openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck 2023-01-26 12:04:55.946343408 +0100 --- openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck 2023-01-26 12:04:55.946343408 +0100
+++ openssh-8.7p1/regress/unittests/sshkey/test_file.c 2023-01-26 12:06:35.235164432 +0100 +++ openssh-8.7p1/regress/unittests/sshkey/test_file.c 2023-01-26 12:06:35.235164432 +0100
@ -196,22 +187,6 @@ diff -up openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck openssh-
TEST_START("fuzz RSA SHA256 sig"); TEST_START("fuzz RSA SHA256 sig");
buf = load_file("rsa_1"); buf = load_file("rsa_1");
@@ -357,6 +358,7 @@ sshkey_fuzz_tests(void)
sshkey_free(k1);
TEST_DONE();
+ /* Skip this test, SHA1 signatures are not supported
TEST_START("fuzz DSA sig");
buf = load_file("dsa_1");
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
@@ -364,6 +366,7 @@ sshkey_fuzz_tests(void)
sig_fuzz(k1, NULL);
sshkey_free(k1);
TEST_DONE();
+ */
#ifdef OPENSSL_HAS_ECC
TEST_START("fuzz ECDSA sig");
diff -up openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c diff -up openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c
--- openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck 2023-01-26 11:02:52.339413463 +0100 --- openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck 2023-01-26 11:02:52.339413463 +0100
+++ openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c 2023-01-26 11:58:42.324253896 +0100 +++ openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c 2023-01-26 11:58:42.324253896 +0100
@ -241,10 +216,10 @@ diff -up openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openss
{ {
size_t len; size_t len;
u_char *sig; u_char *sig;
+ /* ssh-rsa implies SHA1, forbidden in DEFAULT cp */ + /* ssh-rsa implies SHA1, forbidden in DEFAULT cp in RHEL, permitted in Fedora */
+ int expected = (sig_alg && strcmp(sig_alg, "ssh-rsa") == 0) ? SSH_ERR_LIBCRYPTO_ERROR : 0; + int expected = (sig_alg && strcmp(sig_alg, "ssh-rsa") == 0) ? sshkey_sign(k, &sig, &len, d, l, sig_alg, NULL, NULL, 0) : 0;
+ if (k && (sshkey_type_plain(k->type) == KEY_DSA || sshkey_type_plain(k->type) == KEY_DSA_CERT)) + if (k && (sshkey_type_plain(k->type) == KEY_DSA || sshkey_type_plain(k->type) == KEY_DSA_CERT))
+ expected = SSH_ERR_LIBCRYPTO_ERROR; + expected = sshkey_sign(k, &sig, &len, d, l, sig_alg, NULL, NULL, 0);
ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg, ASSERT_INT_EQ(sshkey_sign(k, &sig, &len, d, l, sig_alg,
- NULL, NULL, 0), 0); - NULL, NULL, 0), 0);
@ -277,21 +252,6 @@ diff -up openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openss
ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4), ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4),
SSH_ERR_KEY_CERT_INVALID_SIGN_KEY); SSH_ERR_KEY_CERT_INVALID_SIGN_KEY);
ASSERT_PTR_EQ(k4, NULL); ASSERT_PTR_EQ(k4, NULL);
diff -up openssh-8.7p1/regress/unittests/sshsig/tests.c.sshrsacheck openssh-8.7p1/regress/unittests/sshsig/tests.c
--- openssh-8.7p1/regress/unittests/sshsig/tests.c.sshrsacheck 2023-01-26 12:19:23.659513651 +0100
+++ openssh-8.7p1/regress/unittests/sshsig/tests.c 2023-01-26 12:20:28.021044803 +0100
@@ -102,9 +102,11 @@ tests(void)
check_sig("rsa.pub", "rsa.sig", msg, namespace);
TEST_DONE();
+ /* Skip this test, SHA1 signatures are not supported
TEST_START("check DSA signature");
check_sig("dsa.pub", "dsa.sig", msg, namespace);
TEST_DONE();
+ */
#ifdef OPENSSL_HAS_ECC
TEST_START("check ECDSA signature");
diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c
--- openssh-8.7p1/serverloop.c.sshrsacheck 2023-01-12 14:57:08.118400073 +0100 --- openssh-8.7p1/serverloop.c.sshrsacheck 2023-01-12 14:57:08.118400073 +0100
+++ openssh-8.7p1/serverloop.c 2023-01-12 14:59:17.330470518 +0100 +++ openssh-8.7p1/serverloop.c 2023-01-12 14:59:17.330470518 +0100
@ -332,61 +292,6 @@ diff -up openssh-8.7p1/sshconnect2.c.sshrsacheck openssh-8.7p1/sshconnect2.c
goto out; goto out;
} }
diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c
--- openssh-8.7p1/sshd.c.sshrsacheck 2023-01-12 13:29:06.355711140 +0100
+++ openssh-8.7p1/sshd.c 2023-01-12 13:29:06.358711178 +0100
@@ -1640,6 +1651,7 @@ main(int ac, char **av)
Authctxt *authctxt;
struct connection_info *connection_info = NULL;
sigset_t sigmask;
+ int forbid_ssh_rsa = 0;
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
@@ -1938,6 +1950,33 @@ main(int ac, char **av)
key = NULL;
continue;
}
+ if (key && (sshkey_type_plain(key->type) == KEY_RSA || sshkey_type_plain(key->type) == KEY_RSA_CERT)) {
+ size_t sign_size = 0;
+ u_char *tmp = NULL;
+ u_char data[] = "Test SHA1 vector";
+ int res;
+
+ res = sshkey_sign(key, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0);
+ free(tmp);
+ if (res == SSH_ERR_LIBCRYPTO_ERROR) {
+ verbose_f("sshd: SHA1 in signatures is disabled for RSA keys");
+ forbid_ssh_rsa = 1;
+ }
+ }
+ if (key && (sshkey_type_plain(key->type) == KEY_DSA || sshkey_type_plain(key->type) == KEY_DSA_CERT)) {
+ size_t sign_size = 0;
+ u_char *tmp = NULL;
+ u_char data[] = "Test SHA1 vector";
+ int res;
+
+ res = sshkey_sign(key, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0);
+ free(tmp);
+ if (res == SSH_ERR_LIBCRYPTO_ERROR) {
+ logit_f("sshd: ssh-dss is disabled, skipping key file %s", options.host_key_files[i]);
+ key = NULL;
+ continue;
+ }
+ }
if (sshkey_is_sk(key) &&
key->sk_flags & SSH_SK_USER_PRESENCE_REQD) {
debug("host key %s requires user presence, ignoring",
@@ -2275,6 +2306,9 @@ main(int ac, char **av)
check_ip_options(ssh);
+ if (forbid_ssh_rsa)
+ ssh->compat |= SSH_RH_RSASIGSHA;
+
/* Prepare the channels layer */
channel_init_channels(ssh);
channel_set_af(ssh, options.address_family);
diff -up openssh-8.7p1/ssh-rsa.c.sshrsacheck openssh-8.7p1/ssh-rsa.c diff -up openssh-8.7p1/ssh-rsa.c.sshrsacheck openssh-8.7p1/ssh-rsa.c
--- openssh-8.7p1/ssh-rsa.c.sshrsacheck 2023-01-20 13:07:54.180676144 +0100 --- openssh-8.7p1/ssh-rsa.c.sshrsacheck 2023-01-20 13:07:54.180676144 +0100
+++ openssh-8.7p1/ssh-rsa.c 2023-01-20 13:07:54.290677074 +0100 +++ openssh-8.7p1/ssh-rsa.c 2023-01-20 13:07:54.290677074 +0100
@ -400,3 +305,34 @@ diff -up openssh-8.7p1/ssh-rsa.c.sshrsacheck openssh-8.7p1/ssh-rsa.c
ret = SSH_ERR_SIGNATURE_INVALID; ret = SSH_ERR_SIGNATURE_INVALID;
goto out; goto out;
} }
diff -up openssh-9.8p1/sshd-session.c.xxx openssh-9.8p1/sshd-session.c
--- openssh-9.8p1/sshd-session.c.xxx 2024-07-23 15:08:14.794350818 +0200
+++ openssh-9.8p1/sshd-session.c 2024-07-23 15:40:21.658456636 +0200
@@ -1305,6 +1305,27 @@ main(int ac, char **av)
check_ip_options(ssh);
+ {
+ struct sshkey *rsakey = NULL;
+ rsakey = get_hostkey_private_by_type(KEY_RSA, 0, ssh);
+ if (rsakey == NULL)
+ rsakey = get_hostkey_private_by_type(KEY_RSA_CERT, 0, ssh);
+
+ if (rsakey != NULL) {
+ size_t sign_size = 0;
+ u_char *tmp = NULL;
+ u_char data[] = "Test SHA1 vector";
+ int res;
+
+ res = sshkey_sign(rsakey, &tmp, &sign_size, data, sizeof(data), NULL, NULL, NULL, 0);
+ free(tmp);
+ if (res == SSH_ERR_LIBCRYPTO_ERROR) {
+ verbose_f("SHA1 in signatures is disabled for RSA keys");
+ ssh->compat |= SSH_RH_RSASIGSHA;
+ }
+ }
+ }
+
/* Prepare the channels layer */
channel_init_channels(ssh);
channel_set_af(ssh, options.address_family);
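Review bot: In the test_sshkey.c hunk the new side computes `expected` by calling `sshkey_sign()` itself (the ternary on the `int expected =` line and the DSA branch two lines below), so the following `ASSERT_INT_EQ(sshkey_sign(...), expected)` compares the function with its own result and cannot fail, and the `sig` buffer allocated by the first call appears to be overwritten by the second without being freed. If the intent is to tolerate both the RHEL policy (SHA-1 forbidden) and the Fedora one (permitted), sign once and accept either outcome: `int r = sshkey_sign(k, &sig, &len, d, l, sig_alg, NULL, NULL, 0);` followed by `ASSERT_INT_EQ(r == SSH_ERR_LIBCRYPTO_ERROR ? 0 : r, 0);`, with the later use of `sig` (outside the hunk) gated on `r == 0`. The sshd-session.c hunk probes only the first RSA key returned by `get_hostkey_private_by_type()`, whereas the removed sshd.c loop probed every loaded host key; that is presumably fine because the failure reflects libcrypto policy rather than a particular key, but a comment stating that assumption would help the next rebase. Both enclosing functions start and end outside their hunks.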


@ -200,7 +200,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
u_char *kbuf = NULL; u_char *kbuf = NULL;
size_t klen = 0; size_t klen = 0;
- int kout, r; - int kout, r;
+ int kout, r = 0; + int r = 0;
#ifdef DEBUG_KEXDH #ifdef DEBUG_KEXDH
fprintf(stderr, "dh_pub= "); fprintf(stderr, "dh_pub= ");



@ -0,0 +1,32 @@
From 26f366e263e575c4e1a18e2e64ba418f58878b37 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 20 Mar 2023 20:22:14 +0100
Subject: [PATCH] Only set PAM_RHOST if the remote host is not "UNKNOWN"
When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
query of "UNKNOWN", which times out multiple times, causing a
substantial slowdown when logging in.
To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
---
auth-pam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth-pam.c b/auth-pam.c
index e143304e3..39b4e4563 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
sshpam_laddr = get_local_ipaddr(
ssh_packet_get_connection_in(ssh));
}
- if (sshpam_rhost != NULL) {
+ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
sshpam_rhost);
--
2.44.0
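Review bot: The new condition `strcmp(sshpam_rhost, "UNKNOWN") != 0` in sshpam_init() depends on the literal placeholder that auth_get_canonical_hostname() returns for a non-socket peer, and nothing at the call site records that coupling; a comment above the `if` would keep the two in sync, e.g. `/* "UNKNOWN" is the placeholder for a non-socket peer; leave PAM_RHOST unset rather than have PAM resolve the literal */`. Leaving PAM_RHOST unset is not equivalent to setting it to "UNKNOWN" for modules that key on the remote host (pam_access, for instance, appears to treat a missing rhost as a local login), so that behavioural difference is worth a sentence in the spec comment that introduces this patch. sshpam_init() starts and ends outside the hunk.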


@ -38,13 +38,13 @@
# rpm -ba|--rebuild --define "static_openssl 1" # rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%global static_libcrypto 1} %{?static_openssl:%global static_libcrypto 1}
%global openssh_ver 9.6p1 %global openssh_ver 9.8p1
%global openssh_rel 1 %global openssh_rel 1
Summary: An open source implementation of SSH protocol version 2 Summary: An open source implementation of SSH protocol version 2
Name: openssh Name: openssh
Version: %{openssh_ver} Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}.5 Release: %{openssh_rel}%{?dist}.0
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
@ -63,6 +63,8 @@ Source17: ssh-agent.socket
Source19: openssh-server-systemd-sysusers.conf Source19: openssh-server-systemd-sysusers.conf
Source20: ssh-host-keys-migration.sh Source20: ssh-host-keys-migration.sh
Source21: ssh-host-keys-migration.service Source21: ssh-host-keys-migration.service
Source22: parallel_test.sh
Source23: parallel_test.Makefile
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
Patch100: openssh-6.7p1-coverity.patch Patch100: openssh-6.7p1-coverity.patch
@ -122,7 +124,8 @@ Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
Patch804: openssh-7.7p1-gssapi-new-unique.patch Patch804: openssh-7.7p1-gssapi-new-unique.patch
# Respect k5login_directory option in krk5.conf (#1328243) # Respect k5login_directory option in krk5.conf (#1328243)
Patch805: openssh-7.2p2-k5login_directory.patch Patch805: openssh-7.2p2-k5login_directory.patch
# Rewriting OpenSSH GSS KEX to use new packet API
Patch806: openssh-9.6p1-gsskex-new-api.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-6.6p1-kuserok.patch Patch901: openssh-6.6p1-kuserok.patch
@ -142,8 +145,6 @@ Patch926: openssh-6.7p1-sftp-force-permission.patch
Patch939: openssh-7.2p2-s390-closefrom.patch Patch939: openssh-7.2p2-s390-closefrom.patch
# Move MAX_DISPLAYS to a configuration option (#1341302) # Move MAX_DISPLAYS to a configuration option (#1341302)
Patch944: openssh-7.3p1-x11-max-displays.patch Patch944: openssh-7.3p1-x11-max-displays.patch
# Help systemd to track the running service
Patch948: openssh-7.4p1-systemd.patch
# Pass inetd flags for SELinux down to openbsd compat level # Pass inetd flags for SELinux down to openbsd compat level
Patch949: openssh-7.6p1-cleanup-selinux.patch Patch949: openssh-7.6p1-cleanup-selinux.patch
# Sandbox adjustments for s390 and audit # Sandbox adjustments for s390 and audit
@ -199,6 +200,8 @@ Patch1012: openssh-9.0p1-evp-fips-dh.patch
Patch1013: openssh-9.0p1-evp-fips-ecdh.patch Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
Patch1014: openssh-8.7p1-nohostsha1proof.patch Patch1014: openssh-8.7p1-nohostsha1proof.patch
Patch1015: openssh-9.6p1-pam-rhost.patch
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
Requires: /sbin/nologin Requires: /sbin/nologin
@ -329,6 +332,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%patch -P 801 -p1 -b .force_krb %patch -P 801 -p1 -b .force_krb
%patch -P 804 -p1 -b .ccache_name %patch -P 804 -p1 -b .ccache_name
%patch -P 805 -p1 -b .k5login %patch -P 805 -p1 -b .k5login
%patch -P 806 -p1 -b .gsskex-new-api
# #
%patch -P 901 -p1 -b .kuserok %patch -P 901 -p1 -b .kuserok
%patch -P 906 -p1 -b .fromto-remote %patch -P 906 -p1 -b .fromto-remote
@ -340,7 +344,6 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%patch -P 926 -p1 -b .sftp-force-mode %patch -P 926 -p1 -b .sftp-force-mode
%patch -P 939 -p1 -b .s390-dev %patch -P 939 -p1 -b .s390-dev
%patch -P 944 -p1 -b .x11max %patch -P 944 -p1 -b .x11max
%patch -P 948 -p1 -b .systemd
%patch -P 949 -p1 -b .refactor %patch -P 949 -p1 -b .refactor
%patch -P 950 -p1 -b .sandbox %patch -P 950 -p1 -b .sandbox
%patch -P 951 -p1 -b .pkcs11-uri %patch -P 951 -p1 -b .pkcs11-uri
@ -372,6 +375,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
%patch -P 1012 -p1 -b .evp-fips-dh %patch -P 1012 -p1 -b .evp-fips-dh
%patch -P 1013 -p1 -b .evp-fips-ecdh %patch -P 1013 -p1 -b .evp-fips-ecdh
%patch -P 1014 -p1 -b .nosha1hostproof %patch -P 1014 -p1 -b .nosha1hostproof
%patch -P 1015 -p1 -b .pam-rhost
%patch -P 100 -p1 -b .coverity %patch -P 100 -p1 -b .coverity
@ -470,10 +474,7 @@ popd
%endif %endif
%check %check
#to run tests use "--with check" %{SOURCE22} %{SOURCE23} # ./parallel_tests.sh parallel_tests.Makefile
%if %{?_with_check:1}%{!?_with_check:0}
make tests
%endif
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -613,6 +614,7 @@ test -f %{sysconfig_anaconda} && \
%files server %files server
%dir %attr(0711,root,root) %{_datadir}/empty.sshd %dir %attr(0711,root,root) %{_datadir}/empty.sshd
%attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-session
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5* %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
@ -651,6 +653,10 @@ test -f %{sysconfig_anaconda} && \
%attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
%changelog %changelog
* Thu Jul 25 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 9.8p1-1.0
- Rebase OpenSSH to 9.8p1
Resolves: RHEL-42635
* Fri Jul 12 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.5 * Fri Jul 12 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.5
- Build OpenSSH without ENGINE API - Build OpenSSH without ENGINE API
Resolves: RHEL-45507 Resolves: RHEL-45507

parallel_test.Makefile Normal file

@ -0,0 +1,14 @@
# just a Makefile parallel_test.sh uses to run stuff in parallel with make
%:
$(MAKE) -j1 -C .t/$* $*
t-exec-%:
$(MAKE) -j1 -C ".t/t-exec-$*" \
TEST_SSH_PORT=10$*0 \
SKIP_LTESTS="$(shell cat .ltests/not-in/$*)" \
BUILDDIR="$(shell pwd)/.t/t-exec-$*" \
TEST_SHELL=sh \
MAKE=make \
TEST_SSH_TRACE=yes \
TEST_SSH_FAIL_FATAL=yes \
t-exec \
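Review bot: The `t-exec-%` recipe ends with a trailing `\` after `t-exec`, so the last recipe line continues into the blank line that follows it; drop the backslash so the end of the rule is explicit: `t-exec`. The port derivation `TEST_SSH_PORT=10$*0` gives each part a base port with a gap of ten to the next one, which is what leaves room for the `+ 1`/`+ 2` offsets that parallel_test.sh patches into the regress scripts; a one-line comment naming that coupling, e.g. `# ports 10010..10230, step 10: parallel_test.sh uses base+1/base+2`, would save the next reader from verifying it by hand.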

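--- a/parallel_test.sh
+++ b/parallel_test.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/bash
+set -uexo pipefail
+# The custom %check script to run the OpenSSH upstream testsuite in parallel.
+#
+# The upstream testsuite is serial,
+# so the idea here is to split the testsuite into several $PARTS:
+# * file-tests
+# * interop-tests
+# * unit
+# * ltests-00
+# * ltests-01
+# * ...
+# * ltests-23
+# and run them in parallel, using make, each in its own build subtree.
+PARALLEL_MAKEFILE=$1
+SPLIT=24
+PARTS='file-tests interop-tests unit '
+for ((i = 1; i < SPLIT; i++)); do ii=$(printf %02d $i);
+PARTS+="t-exec-$ii "
+done
+# work around a selinux restriction:
+chcon -t unconfined_exec_t ssh-sk-helper || :
+# work around something else that only crops up in brew
+export TEST_SSH_UNSAFE_PERMISSIONS=1
+# create a .test directory to store all our files in:
+mkdir -p .t .ltests/{in,not-in}
+# patch testsuite: use different ports to avoid port collisions
+grep -REi 'port=[2-9][0-9]*' regress
+sed -i 's|PORT=4242|PORT=$(expr $TEST_SSH_PORT + 1)|' \
+regress/test-exec.sh*
+sed -i 's|^P=3301 # test port|P=$(expr $TEST_SSH_PORT + 1)|' \
+regress/multiplex.sh*
+sed -i 's|^fwdport=3301|fwdport=$(expr $TEST_SSH_PORT + 1)|' \
+regress/cfgmatch.sh* regress/cfgmatchlisten.sh*
+sed -i 's|^LFWD_PORT=.*|LFWD_PORT=$(expr $TEST_SSH_PORT + 1)|' \
+regress/forward-control.sh*
+sed -i 's|^RFWD_PORT=.*|RFWD_PORT=$(expr $TEST_SSH_PORT + 2)|' \
+regress/forward-control.sh*
+( ! grep -REi 'port=[2-9][0-9]*' regress) # try to find more of those
+# patch testsuite: speed up
+sed -i 's|sleep 1$|sleep .25|' regress/forward-control.sh
+# extract LTESTS list to .tests/ltests/all:
+grep -Ex 'tests:[[:space:]]*file-tests t-exec interop-tests extra-tests unit' Makefile
+echo -ne '\necho-ltests:\n\techo ${LTESTS}' >> regress/Makefile
+make -s -C regress echo-ltests | tr ' ' '\n' > .ltests/all
+# separate ltests into $SPLIT roughly equal .tests/ltests/in/$ii parts:
+grep -qFx connect .ltests/all
+( ! grep -qFx nonex .ltests/all )
+split -d -a2 --number=l/$SPLIT .ltests/all .ltests/in/
+wc -l .ltests/in/*
+grep -qFx connect .ltests/in/*
+# generate the inverses of them --- .ltests/not-in/$ii:
+( ! grep -qFx nonex .ltests/in/* )
+for ((i = 0; i < SPLIT; i++)); do ii=$(printf %02d $i);
+while read -r tname; do
+if ! grep -qFx "$tname" ".ltests/in/$ii"; then
+echo -n "$tname " >> ".ltests/not-in/$ii"
+fi
+done < .ltests/all
+done
+grep . .ltests/not-in/*
+( ! grep -q ^connect .ltests/not-in/0 )
+for ((i = 1; i < SPLIT; i++)); do ii=$(printf %02d $i);
+grep -q ^connect .ltests/not-in/$ii
+done
+# prepare several test directories:
+for PART in $PARTS; do
+mkdir .t/${PART}
+cp -ra * .t/${PART}/
+sed -i "s|abs_top_srcdir=.*|abs_top_srcdir=$(pwd)/.t/${PART}|" \
+.t/${PART}/Makefile
+sed -i "s|abs_top_builddir=.*|abs_top_builddir=$(pwd)/.t/${PART}|" \
+.t/${PART}/Makefile
+sed -i "s|^BUILDDIR=.*|BUILDDIR=$(pwd)/.t/${PART}|" \
+.t/${PART}/Makefile
+done
+# finally, run tests $PARTS in parallel in their own subtrees:
+time make -f "$PARALLEL_MAKEFILE" -j$(nproc) $PARTS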
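Review bot: The sanity check `( ! grep -q ^connect .ltests/not-in/0 )` names a file that never exists: `split -d -a2` and the `printf %02d` loop both produce two-digit names, so the file is `.ltests/not-in/00`, grep exits with status 2 on the missing path, the `!` turns that into success, and the check passes vacuously instead of confirming that `connect` stays out of part 00's exclusion list. It should read `( ! grep -q ^connect .ltests/not-in/00 )`, matching the two-digit form used by the loop right below it. Separately, `chcon -t unconfined_exec_t ssh-sk-helper || :` relabels a freshly built binary so the testsuite can execute it under the build host's SELinux policy; since the file is later copied into every `.t/${PART}` tree with `cp -ra`, the comment could say that the label is only for the build tree and presumably does not reach the packaged file, so a reader does not take it for an install-time step.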


@ -1,4 +1,3 @@
SHA512 (openssh-9.6p1.tar.gz) = 0ebf81e39914c3a90d7777a001ec7376a94b37e6024baf3e972c58f0982b7ddef942315f5e01d56c00ff95603b4a20ee561ab918ecc55511df007ac138160509 SHA512 (openssh-9.8p1.tar.gz) = 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
SHA512 (openssh-9.6p1.tar.gz.asc) = aec5a5bd6ce480a8e5b5879dc55f8186aec90fe61f085aa92ad7d07f324574aa781be09c83b7443a32848d091fd44fb12c1842d49cee77afc351e550ffcc096d SHA512 (openssh-9.8p1.tar.gz.asc) = 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21 SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21