parent
b830398e18
commit
0f83d08dcb
@ -1,3 +1,3 @@
|
||||
SOURCES/DJM-GPG-KEY.gpg
|
||||
SOURCES/openssh-7.8p1.tar.gz
|
||||
SOURCES/openssh-8.0p1.tar.gz
|
||||
SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2
|
||||
|
@ -1,3 +1,3 @@
|
||||
bed7240bb17840b451b8f8457791c33456814d93 SOURCES/DJM-GPG-KEY.gpg
|
||||
27e267e370315561de96577fccae563bc2c37a60 SOURCES/openssh-7.8p1.tar.gz
|
||||
756dbb99193f9541c9206a667eaa27b0fa184a4f SOURCES/openssh-8.0p1.tar.gz
|
||||
a4482a050fdad1d012427e45799564136708cf6b SOURCES/pam_ssh_agent_auth-0.10.3.tar.bz2
|
||||
|
@ -1,78 +0,0 @@
|
||||
diff -up openssh-5.9p1/Makefile.in.wIm openssh-5.9p1/Makefile.in
|
||||
--- openssh-5.9p1/Makefile.in.wIm 2011-08-05 22:15:18.000000000 +0200
|
||||
+++ openssh-5.9p1/Makefile.in 2011-09-12 16:24:18.643674014 +0200
|
||||
@@ -66,7 +66,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
|
||||
- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
|
||||
+ readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
diff -up openssh-5.9p1/log.h.wIm openssh-5.9p1/log.h
|
||||
--- openssh-5.9p1/log.h.wIm 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-5.9p1/log.h 2011-09-12 16:34:52.984674326 +0200
|
||||
@@ -65,6 +65,8 @@ void verbose(const char *, ...) __at
|
||||
void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
void debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
+void _debug_wIm_body(const char *, int, const char *, const char *, int);
|
||||
+#define debug_wIm(a,b) _debug_wIm_body(a,b,__func__,__FILE__,__LINE__)
|
||||
|
||||
|
||||
void set_log_handler(log_handler_fn *, void *);
|
||||
diff -up openssh-5.9p1/sshd.c.wIm openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.wIm 2011-06-23 11:45:51.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-12 16:38:35.787816490 +0200
|
||||
@@ -140,6 +140,9 @@ int deny_severity;
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
+/* trace of fork processes */
|
||||
+extern int whereIam;
|
||||
+
|
||||
/* Server configuration options. */
|
||||
ServerOptions options;
|
||||
|
||||
@@ -666,6 +669,7 @@ privsep_preauth(Authctxt *authctxt)
|
||||
return 1;
|
||||
} else {
|
||||
/* child */
|
||||
+ whereIam = 1;
|
||||
close(pmonitor->m_sendfd);
|
||||
close(pmonitor->m_log_recvfd);
|
||||
|
||||
@@ -715,6 +719,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
|
||||
/* child */
|
||||
|
||||
+ whereIam = 2;
|
||||
close(pmonitor->m_sendfd);
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
||||
@@ -1325,6 +1330,8 @@ main(int ac, char **av)
|
||||
Key *key;
|
||||
Authctxt *authctxt;
|
||||
|
||||
+ whereIam = 0;
|
||||
+
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
diff -up openssh-5.9p1/whereIam.c.wIm openssh-5.9p1/whereIam.c
|
||||
--- openssh-5.9p1/whereIam.c.wIm 2011-09-12 16:24:18.722674167 +0200
|
||||
+++ openssh-5.9p1/whereIam.c 2011-09-12 16:24:18.724674418 +0200
|
||||
@@ -0,0 +1,12 @@
|
||||
+
|
||||
+int whereIam = -1;
|
||||
+
|
||||
+void _debug_wIm_body(const char *txt, int val, const char *func, const char *file, int line)
|
||||
+{
|
||||
+ if (txt)
|
||||
+ debug("%s=%d, %s(%s:%d) wIm = %d, uid=%d, euid=%d", txt, val, func, file, line, whereIam, getuid(), geteuid());
|
||||
+ else
|
||||
+ debug("%s(%s:%d) wIm = %d, uid=%d, euid=%d", func, file, line, whereIam, getuid(), geteuid());
|
||||
+}
|
||||
+
|
||||
+
|
@ -1,21 +0,0 @@
|
||||
diff -up openssh-6.1p1/sshconnect2.c.canohost openssh-6.1p1/sshconnect2.c
|
||||
--- openssh-6.1p1/sshconnect2.c.canohost 2012-10-30 10:52:59.593301692 +0100
|
||||
+++ openssh-6.1p1/sshconnect2.c 2012-10-30 11:01:12.870301632 +0100
|
||||
@@ -699,12 +699,15 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int r, ok = 0;
|
||||
- const char *gss_host;
|
||||
+ const char *gss_host = NULL;
|
||||
|
||||
if (options.gss_server_identity)
|
||||
gss_host = options.gss_server_identity;
|
||||
- else if (options.gss_trust_dns)
|
||||
+ else if (options.gss_trust_dns) {
|
||||
gss_host = get_canonical_hostname(active_state, 1);
|
||||
+ if (strcmp(gss_host, "UNKNOWN") == 0)
|
||||
+ gss_host = authctxt->host;
|
||||
+ }
|
||||
else
|
||||
gss_host = authctxt->host;
|
||||
|
@ -1,142 +0,0 @@
|
||||
diff -up openssh-7.4p1/configure.ac.vendor openssh-7.4p1/configure.ac
|
||||
--- openssh-7.4p1/configure.ac.vendor 2016-12-23 13:34:51.681253844 +0100
|
||||
+++ openssh-7.4p1/configure.ac 2016-12-23 13:34:51.694253847 +0100
|
||||
@@ -4930,6 +4930,12 @@ AC_ARG_WITH([lastlog],
|
||||
fi
|
||||
]
|
||||
)
|
||||
+AC_ARG_ENABLE(vendor-patchlevel,
|
||||
+ [ --enable-vendor-patchlevel=TAG specify a vendor patch level],
|
||||
+ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
||||
+ SSH_VENDOR_PATCHLEVEL="$enableval"],
|
||||
+ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
||||
+ SSH_VENDOR_PATCHLEVEL=none])
|
||||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -5194,6 +5200,7 @@ echo " Translate v4 in v6 hack
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
+echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
|
||||
|
||||
echo ""
|
||||
|
||||
diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.vendor 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 13:36:07.555268628 +0100
|
||||
@@ -143,6 +143,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
+ options->show_patchlevel = -1;
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -325,6 +326,8 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_bulk = IPTOS_DSCP_CS1;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
+ if (options->show_patchlevel == -1)
|
||||
+ options->show_patchlevel = 0;
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
@@ -402,7 +405,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
|
||||
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
- sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
@@ -528,6 +531,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->disable_forwarding;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sShowPatchLevel:
|
||||
+ intptr = &options->show_patchlevel;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (match_user(NULL, NULL, NULL, arg) == -1)
|
||||
@@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
|
||||
diff -up openssh-7.4p1/servconf.h.vendor openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.vendor 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 13:34:51.694253847 +0100
|
||||
@@ -149,6 +149,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
+ int show_patchlevel; /* Show vendor patch level to clients */
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.vendor 2016-12-23 13:34:51.695253847 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:37:17.482282253 +0100
|
||||
@@ -1334,6 +1334,13 @@ an OpenSSH Key Revocation List (KRL) as
|
||||
.Cm AcceptEnv
|
||||
or
|
||||
.Cm PermitUserEnvironment .
|
||||
+.It Cm ShowPatchLevel
|
||||
+Specifies whether
|
||||
+.Nm sshd
|
||||
+will display the patch level of the binary in the identification string.
|
||||
+The patch level is set at compile-time.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
.It Cm StreamLocalBindMask
|
||||
Sets the octal file creation mode mask
|
||||
.Pq umask
|
||||
diff -up openssh-7.4p1/sshd_config.vendor openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.vendor 2016-12-23 13:34:51.690253846 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2016-12-23 13:34:51.695253847 +0100
|
||||
@@ -105,6 +105,7 @@ X11Forwarding yes
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
+#ShowPatchLevel no
|
||||
#UseDNS no
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.vendor 2016-12-23 13:34:51.682253844 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 13:38:32.434296856 +0100
|
||||
@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
|
||||
char remote_version[256]; /* Must be at least as big as buf. */
|
||||
|
||||
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
|
||||
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
||||
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
*options.version_addendum == '\0' ? "" : " ",
|
||||
options.version_addendum);
|
||||
|
||||
@@ -1650,7 +1651,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- debug("sshd version %s, %s", SSH_VERSION,
|
||||
+ debug("sshd version %s, %s",
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
#ifdef WITH_OPENSSL
|
||||
SSLeay_version(SSLEAY_VERSION)
|
||||
#else
|
@ -1,431 +0,0 @@
|
||||
diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
||||
--- openssh-7.0p1/gss-genr.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
||||
+++ openssh-7.0p1/gss-genr.c 2015-08-19 12:28:38.078518839 +0200
|
||||
@@ -78,7 +78,8 @@ ssh_gssapi_oid_table_ok() {
|
||||
*/
|
||||
|
||||
char *
|
||||
-ssh_gssapi_client_mechanisms(const char *host, const char *client) {
|
||||
+ssh_gssapi_client_mechanisms(const char *host, const char *client,
|
||||
+ const char *kex) {
|
||||
gss_OID_set gss_supported;
|
||||
OM_uint32 min_status;
|
||||
|
||||
@@ -86,12 +87,12 @@ ssh_gssapi_client_mechanisms(const char
|
||||
return NULL;
|
||||
|
||||
return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
|
||||
- host, client));
|
||||
+ host, client, kex));
|
||||
}
|
||||
|
||||
char *
|
||||
ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
|
||||
- const char *host, const char *client) {
|
||||
+ const char *host, const char *client, const char *kex) {
|
||||
struct sshbuf *buf;
|
||||
size_t i;
|
||||
int oidpos, enclen, r;
|
||||
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
char deroid[2];
|
||||
const EVP_MD *evp_md = EVP_md5();
|
||||
EVP_MD_CTX md;
|
||||
+ char *s, *cp, *p;
|
||||
|
||||
if (gss_enc2oid != NULL) {
|
||||
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
|
||||
oidpos = 0;
|
||||
+ s = cp = xstrdup(kex);
|
||||
for (i = 0; i < gss_supported->count; i++) {
|
||||
if (gss_supported->elements[i].length < 128 &&
|
||||
(*check)(NULL, &(gss_supported->elements[i]), host, client)) {
|
||||
@@ -131,28 +134,25 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
|
||||
encoded, EVP_MD_size(evp_md) * 2);
|
||||
|
||||
- if (oidpos != 0)
|
||||
- if ((r = sshbuf_put_u8(buf, ',')) != 0)
|
||||
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
-
|
||||
- if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 ||
|
||||
- (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
|
||||
- (r = sshbuf_put_u8(buf, ',')) != 0 ||
|
||||
- (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 ||
|
||||
- (r = sshbuf_put(buf, encoded, enclen)) != 0 ||
|
||||
- (r = sshbuf_put_u8(buf, ',')) != 0 ||
|
||||
- (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 ||
|
||||
- (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
||||
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ cp = strncpy(s, kex, strlen(kex));
|
||||
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
+ (p = strsep(&cp, ","))) {
|
||||
+ if (sshbuf_len(buf) != 0)
|
||||
+ if ((r = sshbuf_put_u8(buf, ',')) != 0)
|
||||
+ fatal("%s: buffer error: %s",
|
||||
+ __func__, ssh_err(r));
|
||||
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
|
||||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
||||
+ fatal("%s: buffer error: %s",
|
||||
+ __func__, ssh_err(r));
|
||||
+ }
|
||||
|
||||
gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
||||
gss_enc2oid[oidpos].encoded = encoded;
|
||||
oidpos++;
|
||||
}
|
||||
}
|
||||
+ free(s);
|
||||
gss_enc2oid[oidpos].oid = NULL;
|
||||
gss_enc2oid[oidpos].encoded = NULL;
|
||||
|
||||
diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
|
||||
--- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
||||
+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
|
||||
@@ -149,7 +149,8 @@ ssh_gssapi_server_mechanisms() {
|
||||
if (supported_oids == NULL)
|
||||
ssh_gssapi_prepare_supported_oids();
|
||||
return (ssh_gssapi_kex_mechs(supported_oids,
|
||||
- &ssh_gssapi_server_check_mech, NULL, NULL));
|
||||
+ &ssh_gssapi_server_check_mech, NULL, NULL,
|
||||
+ options.gss_kex_algorithms));
|
||||
}
|
||||
|
||||
/* Unprivileged */
|
||||
diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c
|
||||
--- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200
|
||||
+++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200
|
||||
@@ -50,6 +50,7 @@
|
||||
#include "misc.h"
|
||||
#include "dispatch.h"
|
||||
#include "monitor.h"
|
||||
+#include "xmalloc.h"
|
||||
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
@@ -232,6 +232,29 @@ kex_assemble_names(const char *def, char
|
||||
return r;
|
||||
}
|
||||
|
||||
+/* Validate GSS KEX method name list */
|
||||
+int
|
||||
+gss_kex_names_valid(const char *names)
|
||||
+{
|
||||
+ char *s, *cp, *p;
|
||||
+
|
||||
+ if (names == NULL || *names == '\0')
|
||||
+ return 0;
|
||||
+ s = cp = xstrdup(names);
|
||||
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
+ (p = strsep(&cp, ","))) {
|
||||
+ if (strncmp(p, "gss-", 4) != 0
|
||||
+ || kex_alg_by_name(p) == NULL) {
|
||||
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
+ free(s);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ debug3("gss kex names ok: [%s]", names);
|
||||
+ free(s);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/* put algorithm proposal into buffer */
|
||||
int
|
||||
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
||||
diff -up openssh-7.0p1/kex.h.gsskexalg openssh-7.0p1/kex.h
|
||||
--- openssh-7.0p1/kex.h.gsskexalg 2015-08-19 12:28:38.078518839 +0200
|
||||
+++ openssh-7.0p1/kex.h 2015-08-19 12:30:52.404218958 +0200
|
||||
@@ -173,6 +173,7 @@ int kex_names_valid(const char *);
|
||||
char *kex_alg_list(char);
|
||||
char *kex_names_cat(const char *, const char *);
|
||||
int kex_assemble_names(char **, const char *, const char *);
|
||||
+int gss_kex_names_valid(const char *);
|
||||
|
||||
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
|
||||
int kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
|
||||
diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
||||
--- openssh-7.0p1/readconf.c.gsskexalg 2015-08-19 12:28:38.026518955 +0200
|
||||
+++ openssh-7.0p1/readconf.c 2015-08-19 12:31:28.333138747 +0200
|
||||
@@ -61,6 +61,7 @@
|
||||
#include "uidswap.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "ssh-gss.h"
|
||||
|
||||
/* Format of the configuration file:
|
||||
|
||||
@@ -148,7 +149,7 @@ typedef enum {
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
|
||||
- oGssServerIdentity,
|
||||
+ oGssServerIdentity, oGssKexAlgorithms,
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -200,6 +201,7 @@ static struct {
|
||||
{ "gssapiclientidentity", oGssClientIdentity },
|
||||
{ "gssapiserveridentity", oGssServerIdentity },
|
||||
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
|
||||
+ { "gssapikexalgorithms", oGssKexAlgorithms },
|
||||
# else
|
||||
{ "gssapiauthentication", oUnsupported },
|
||||
{ "gssapikeyexchange", oUnsupported },
|
||||
@@ -207,6 +209,7 @@ static struct {
|
||||
{ "gssapitrustdns", oUnsupported },
|
||||
{ "gssapiclientidentity", oUnsupported },
|
||||
{ "gssapirenewalforcesrekey", oUnsupported },
|
||||
+ { "gssapikexalgorithms", oUnsupported },
|
||||
#endif
|
||||
#ifdef ENABLE_PKCS11
|
||||
{ "smartcarddevice", oPKCS11Provider },
|
||||
@@ -929,6 +932,18 @@ parse_time:
|
||||
intptr = &options->gss_renewal_rekey;
|
||||
goto parse_flag;
|
||||
|
||||
+ case oGssKexAlgorithms:
|
||||
+ arg = strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.",
|
||||
+ filename, linenum);
|
||||
+ if (!gss_kex_names_valid(arg))
|
||||
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
||||
+ filename, linenum, arg ? arg : "<NONE>");
|
||||
+ if (*activep && options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = xstrdup(arg);
|
||||
+ break;
|
||||
+
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -1638,6 +1653,7 @@ initialize_options(Options * options)
|
||||
options->gss_renewal_rekey = -1;
|
||||
options->gss_client_identity = NULL;
|
||||
options->gss_server_identity = NULL;
|
||||
+ options->gss_kex_algorithms = NULL;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -1773,6 +1789,10 @@ fill_default_options(Options * options)
|
||||
options->gss_trust_dns = 0;
|
||||
if (options->gss_renewal_rekey == -1)
|
||||
options->gss_renewal_rekey = 0;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||
+#endif
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -2651,6 +2671,8 @@ dump_client_config(Options *o, const cha
|
||||
dump_cfg_string(oGssClientIdentity, o->gss_client_identity);
|
||||
dump_cfg_string(oGssServerIdentity, o->gss_client_identity);
|
||||
dump_cfg_fmtint(oGssRenewalRekey, o->gss_renewal_rekey);
|
||||
+ dump_cfg_string(oGssKexAlgorithms, o->gss_kex_algorithms ?
|
||||
+ o->gss_kex_algorithms : GSS_KEX_DEFAULT_KEX);
|
||||
#endif /* GSSAPI */
|
||||
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
|
||||
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
|
||||
diff -up openssh-7.9p1/readconf.h.gsskexalg openssh-7.9p1/readconf.h
|
||||
--- openssh-7.9p1/readconf.h.gsskexalg 2018-11-14 09:20:06.616350574 +0100
|
||||
+++ openssh-7.9p1/readconf.h 2018-11-14 09:20:06.647350828 +0100
|
||||
@@ -46,6 +46,7 @@ typedef struct {
|
||||
int gss_renewal_rekey; /* Credential renewal forces rekey */
|
||||
char *gss_client_identity; /* Principal to initiate GSSAPI with */
|
||||
char *gss_server_identity; /* GSSAPI target principal */
|
||||
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||
--- openssh-7.0p1/servconf.c.gsskexalg 2015-08-19 12:28:38.074518847 +0200
|
||||
+++ openssh-7.0p1/servconf.c 2015-08-19 12:33:13.599902732 +0200
|
||||
@@ -57,6 +57,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "ssh-gss.h"
|
||||
|
||||
static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
@@ -121,6 +122,7 @@ initialize_server_options(ServerOptions
|
||||
options->gss_cleanup_creds = -1;
|
||||
options->gss_strict_acceptor = -1;
|
||||
options->gss_store_rekey = -1;
|
||||
+ options->gss_kex_algorithms = NULL;
|
||||
options->use_kuserok = -1;
|
||||
options->enable_k5users = -1;
|
||||
options->password_authentication = -1;
|
||||
@@ -288,6 +290,10 @@ fill_default_server_options(ServerOption
|
||||
options->gss_strict_acceptor = 1;
|
||||
if (options->gss_store_rekey == -1)
|
||||
options->gss_store_rekey = 0;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||
+#endif
|
||||
if (options->use_kuserok == -1)
|
||||
options->use_kuserok = 1;
|
||||
if (options->enable_k5users == -1)
|
||||
@@ -427,7 +431,7 @@ typedef enum {
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
+ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sHostCertificate,
|
||||
@@ -506,6 +510,7 @@ static struct {
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
||||
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -513,6 +518,7 @@ static struct {
|
||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
||||
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1273,6 +1279,18 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_store_rekey;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sGssKexAlgorithms:
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.",
|
||||
+ filename, linenum);
|
||||
+ if (!gss_kex_names_valid(arg))
|
||||
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
||||
+ filename, linenum, arg ? arg : "<NONE>");
|
||||
+ if (*activep && options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = xstrdup(arg);
|
||||
+ break;
|
||||
+
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2304,6 +2322,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
||||
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
||||
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
||||
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
|
||||
#endif
|
||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
diff -up openssh-7.0p1/servconf.h.gsskexalg openssh-7.0p1/servconf.h
|
||||
--- openssh-7.0p1/servconf.h.gsskexalg 2015-08-19 12:28:38.080518834 +0200
|
||||
+++ openssh-7.0p1/servconf.h 2015-08-19 12:34:46.328693944 +0200
|
||||
@@ -122,6 +122,7 @@ typedef struct {
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
||||
int gss_store_rekey;
|
||||
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
diff -up openssh-7.0p1/ssh.1.gsskexalg openssh-7.0p1/ssh.1
|
||||
--- openssh-7.0p1/ssh.1.gsskexalg 2015-08-19 12:28:38.081518832 +0200
|
||||
+++ openssh-7.0p1/ssh.1 2015-08-19 12:35:31.741591692 +0200
|
||||
@@ -496,6 +496,7 @@ For full details of the options listed b
|
||||
.It GSSAPIDelegateCredentials
|
||||
.It GSSAPIRenewalForcesRekey
|
||||
.It GSSAPITrustDNS
|
||||
+.It GSSAPIKexAlgorithms
|
||||
.It HashKnownHosts
|
||||
.It Host
|
||||
.It HostbasedAuthentication
|
||||
diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5
|
||||
--- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200
|
||||
+++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200
|
||||
@@ -786,6 +786,18 @@ command line will be passed untouched to
|
||||
command line will be passed untouched to the GSSAPI library.
|
||||
The default is
|
||||
.Dq no .
|
||||
+.It Cm GSSAPIKexAlgorithms
|
||||
+The list of key exchange algorithms that are offered for GSSAPI
|
||||
+key exchange. Possible values are
|
||||
+.Bd -literal -offset 3n
|
||||
+gss-gex-sha1-,
|
||||
+gss-group1-sha1-,
|
||||
+gss-group14-sha1-
|
||||
+.Ed
|
||||
+.Pp
|
||||
+The default is
|
||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
|
||||
--- openssh-7.0p1/sshconnect2.c.gsskexalg 2015-08-19 12:28:38.045518912 +0200
|
||||
+++ openssh-7.0p1/sshconnect2.c 2015-08-19 12:28:38.081518832 +0200
|
||||
@@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
else
|
||||
gss_host = host;
|
||||
|
||||
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||
if (gss) {
|
||||
debug("Offering GSSAPI proposal: %s", gss);
|
||||
xasprintf(&options.kex_algorithms,
|
||||
--- openssh-7.1p1/sshd_config.5.gsskexalg 2015-12-10 15:32:48.105418092 +0100
|
||||
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:33:47.771279548 +0100
|
||||
@@ -663,6 +663,18 @@ or updated credentials from a compatible
|
||||
For this to work
|
||||
.Cm GSSAPIKeyExchange
|
||||
needs to be enabled in the server and also used by the client.
|
||||
+.It Cm GSSAPIKexAlgorithms
|
||||
+The list of key exchange algorithms that are accepted by GSSAPI
|
||||
+key exchange. Possible values are
|
||||
+.Bd -literal -offset 3n
|
||||
+gss-gex-sha1-,
|
||||
+gss-group1-sha1-,
|
||||
+gss-group14-sha1-
|
||||
+.Ed
|
||||
+.Pp
|
||||
+The default is
|
||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a list of comma-separated patterns.
|
||||
diff -up openssh-7.0p1/ssh-gss.h.gsskexalg openssh-7.0p1/ssh-gss.h
|
||||
--- openssh-7.0p1/ssh-gss.h.gsskexalg 2015-08-19 12:28:38.031518944 +0200
|
||||
+++ openssh-7.0p1/ssh-gss.h 2015-08-19 12:28:38.081518832 +0200
|
||||
@@ -76,6 +76,10 @@ extern char **k5users_allowed_cmds;
|
||||
#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
|
||||
#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
|
||||
|
||||
+#define GSS_KEX_DEFAULT_KEX \
|
||||
+ KEX_GSS_GEX_SHA1_ID "," \
|
||||
+ KEX_GSS_GRP14_SHA1_ID
|
||||
+
|
||||
typedef struct {
|
||||
char *envvar;
|
||||
char *envval;
|
||||
@@ -147,9 +151,9 @@ int ssh_gssapi_credentials_updated(Gssct
|
||||
/* In the server */
|
||||
typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
|
||||
const char *);
|
||||
-char *ssh_gssapi_client_mechanisms(const char *, const char *);
|
||||
+char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
|
||||
char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
|
||||
- const char *);
|
||||
+ const char *, const char *);
|
||||
gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
|
||||
int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
|
||||
const char *);
|
@ -1,52 +0,0 @@
|
||||
diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
|
||||
--- openssh-7.4p1/ssh_config.5.gss-docs 2016-12-23 14:28:34.051714486 +0100
|
||||
+++ openssh-7.4p1/ssh_config.5 2016-12-23 14:34:24.568522417 +0100
|
||||
@@ -765,10 +765,19 @@ The default is
|
||||
If set to
|
||||
.Dq yes
|
||||
then renewal of the client's GSSAPI credentials will force the rekeying of the
|
||||
-ssh connection. With a compatible server, this can delegate the renewed
|
||||
+ssh connection. With a compatible server, this will delegate the renewed
|
||||
credentials to a session on the server.
|
||||
+.Pp
|
||||
+Checks are made to ensure that credentials are only propagated when the new
|
||||
+credentials match the old ones on the originating client and where the
|
||||
+receiving server still has the old set in its cache.
|
||||
+.Pp
|
||||
The default is
|
||||
.Dq no .
|
||||
+.Pp
|
||||
+For this to work
|
||||
+.Cm GSSAPIKeyExchange
|
||||
+needs to be enabled in the server and also used by the client.
|
||||
.It Cm GSSAPIServerIdentity
|
||||
If set, specifies the GSSAPI server identity that ssh should expect when
|
||||
connecting to the server. The default is unset, which means that the
|
||||
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
|
||||
hostname.
|
||||
.It Cm GSSAPITrustDns
|
||||
Set to
|
||||
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
||||
+.Dq yes
|
||||
+to indicate that the DNS is trusted to securely canonicalize
|
||||
the name of the host being connected to. If
|
||||
-.Dq no, the hostname entered on the
|
||||
+.Dq no ,
|
||||
+the hostname entered on the
|
||||
command line will be passed untouched to the GSSAPI library.
|
||||
The default is
|
||||
.Dq no .
|
||||
diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.gss-docs 2016-12-23 14:28:34.043714490 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 14:28:34.051714486 +0100
|
||||
@@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
|
||||
successful connection rekeying. This option can be used to accepted renewed
|
||||
or updated credentials from a compatible client. The default is
|
||||
.Dq no .
|
||||
+.Pp
|
||||
+For this to work
|
||||
+.Cm GSSAPIKeyExchange
|
||||
+needs to be enabled in the server and also used by the client.
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a list of comma-separated patterns.
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff