openssh-7.2p1-1 (#1312870)
parent
46445f1c7a
commit
13073f8d9c
1
.gitignore
vendored
1
.gitignore
vendored
@ -20,3 +20,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-7.1p1.tar.gz
|
||||
/openssh-7.1p2.tar.gz
|
||||
/pam_ssh_agent_auth-0.10.2.tar.bz2
|
||||
/openssh-7.2p1.tar.gz
|
||||
|
@ -117,15 +117,14 @@ diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
|
||||
diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
--- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100
|
||||
+++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100
|
||||
@@ -161,6 +161,8 @@ login_cap_t *lc;
|
||||
@@ -161,6 +161,7 @@ login_cap_t *lc;
|
||||
|
||||
static int is_child = 0;
|
||||
|
||||
static int in_chroot = 0;
|
||||
+static int have_dev_log = 1;
|
||||
+
|
||||
|
||||
/* Name and directory of socket for authentication agent forwarding. */
|
||||
static char *auth_sock_name = NULL;
|
||||
static char *auth_sock_dir = NULL;
|
||||
@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
is_child = 1;
|
||||
|
||||
@ -150,8 +149,8 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
|
||||
@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command)
|
||||
int ret;
|
||||
const char *forced = NULL;
|
||||
char session_type[1024], *tty = NULL;
|
||||
const char *forced = NULL, *tty = NULL;
|
||||
char session_type[1024];
|
||||
+ struct stat dev_log_stat;
|
||||
|
||||
if (options.adm_forced_command) {
|
||||
@ -164,7 +163,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
+ have_dev_log = 0;
|
||||
+ }
|
||||
+
|
||||
verbose("Starting session: %s%s%s for %s from %.200s port %d",
|
||||
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
||||
session_type,
|
||||
tty == NULL ? "" : " on ",
|
||||
@@ -1678,14 +1685,6 @@ child_close_fds(void)
|
||||
@ -233,8 +232,8 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
|
||||
fd_set *rset, *wset;
|
||||
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
||||
@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv,
|
||||
extern char *__progname;
|
||||
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
- log_init(__progname, log_level, log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
||||
|
@ -115,7 +115,7 @@ index 2871fe9..39b9c08 100644
|
||||
+ sshd_selinux_change_privsep_preauth_context();
|
||||
#endif
|
||||
|
||||
/* Change our root directory */
|
||||
/* Demote the child */
|
||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 12c014e..c5ef2ff 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
|
@ -106,9 +106,9 @@ diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_conf
|
||||
--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200
|
||||
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200
|
||||
@@ -633,6 +633,12 @@ on logout.
|
||||
on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
+.It Cm GSSAPIEnablek5users
|
||||
+Specifies whether to look at .k5users file for GSSAPI authentication
|
||||
+access control. Further details are described in
|
||||
|
@ -25,8 +25,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -326,6 +330,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
|
@ -59,8 +59,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -321,6 +325,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||
|
@ -190,8 +190,8 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
|
||||
+ if (options->use_kuserok == -1)
|
||||
+ options->use_kuserok = 1;
|
||||
|
||||
if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 ||
|
||||
kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
|
||||
assemble_algorithms(options);
|
||||
|
||||
@@ -404,7 +407,7 @@ typedef enum {
|
||||
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
|
@ -47,15 +47,6 @@ diff --git a/session.c b/session.c
|
||||
index 2bcf818..b5dc144 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1532,7 +1532,7 @@ void
|
||||
do_setusercontext(struct passwd *pw)
|
||||
{
|
||||
char *chroot_path, *tmp;
|
||||
-#ifdef USE_LIBIAF
|
||||
+#if defined(USE_LIBIAF) || defined(WITH_SELINUX)
|
||||
int doing_chroot = 0;
|
||||
#endif
|
||||
|
||||
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
@ -66,22 +57,13 @@ index 2bcf818..b5dc144 100644
safely_chroot(chroot_path, pw->pw_uid);
free(tmp);
free(chroot_path);
@@ -1557,7 +1557,7 @@ do_setusercontext(struct passwd *pw)
/* Make sure we don't attempt to chroot again */
free(options.chroot_directory);
options.chroot_directory = NULL;
-#ifdef USE_LIBIAF
+#if defined(USE_LIBIAF) || defined(WITH_SELINUX)
doing_chroot = 1;
#endif
}
@@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
+
+#ifdef WITH_SELINUX
+ if (doing_chroot == 0)
+ if (in_chroot == 0)
+ sshd_selinux_copy_context();
+#endif
} else if (options.chroot_directory != NULL &&
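Review bot: The guard on `sshd_selinux_copy_context()` now reads upstream's file-static `in_chroot` instead of the patch-local `doing_chroot`, whose `#if defined(USE_LIBIAF) || defined(WITH_SELINUX)` declaration and `doing_chroot = 1;` hunks this commit drops, so the condition changes from "chrooted in this call" to "chrooted at any point in this process". That is presumably equivalent because the `safely_chroot()` branch above appears to be the only writer of the flag, but nothing in the patch records that dependency on the upstream variable or why the context copy is skipped for chrooted sessions at all. A one-line comment above the `#ifdef WITH_SELINUX`, e.g. `/* in_chroot is set by the chroot branch above; the SELinux context copy is skipped for chrooted sessions */`, would make the rebase self-explaining. `do_setusercontext()` starts before this hunk and its `else if` branch continues past it.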
@ -119,9 +101,9 @@ index 07f9926..a97f8b7 100644
+ ssh_selinux_change_context("sshd_net_t");
+#endif
+
/* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
/* Demote the child */
if (getuid() == 0 || geteuid() == 0) {
/* Change our root directory */
@@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt)
#ifdef DISABLE_FD_PASSING
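Review bot: `ssh_selinux_change_context("sshd_net_t")` is now placed ahead of the `if (getuid() == 0 || geteuid() == 0) {` block instead of directly ahead of the `chroot()` it used to precede, and the coverity hunk further down this page shows 7.2 calling `privsep_preauth_child()` unconditionally, so the context transition is now attempted even when sshd runs without root privileges. If the transition is only meaningful for the privileged case, moving the three added lines inside the uid check, next to the chroot, restores the old pairing; if it is intended for unprivileged sshd as well, a comment such as `/* switch to sshd_net_t regardless of whether we can chroot/demote below */` would make the placement look deliberate rather than an artefact of the rebase. Whether `ssh_selinux_change_context()` tolerates failure in the unprivileged case cannot be seen from this hunk. The enclosing `privsep_preauth_child()` starts before and continues after this hunk.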
@ -355,7 +355,7 @@ diff -up openssh-6.8p1/monitor_wrap.h.role-mls openssh-6.8p1/monitor_wrap.h
|
||||
+++ openssh-6.8p1/monitor_wrap.h 2015-03-18 11:10:32.343936171 +0100
|
||||
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+void mm_inform_authrole(char *);
|
||||
|
@ -59,9 +59,9 @@ diff -up openssh-6.8p1/sshconnect.c.set_remote_ipaddr openssh-6.8p1/sshconnect.c
|
||||
--- openssh-6.8p1/sshconnect.c.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sshconnect.c 2015-03-18 12:40:58.096788804 +0100
|
||||
@@ -65,6 +65,7 @@
|
||||
#include "version.h"
|
||||
#include "authfile.h"
|
||||
#include "ssherr.h"
|
||||
#include "authfd.h"
|
||||
+#include "canohost.h"
|
||||
|
||||
char *client_version_string = NULL;
|
||||
|
@ -415,8 +415,8 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
|
||||
--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100
|
||||
+++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100
|
||||
@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
if (getuid() == 0 || geteuid() == 0)
|
||||
privsep_preauth_child();
|
||||
|
||||
privsep_preauth_child();
|
||||
setproctitle("%s", "[net]");
|
||||
- if (box != NULL)
|
||||
+ if (box != NULL) {
|
||||
|
@ -92,7 +92,7 @@ diff -up openssh-7.0p1/dh.h.fips openssh-7.0p1/dh.h
@@ -46,6 +46,7 @@ u_int dh_estimate(int);
/* Min and max values from RFC4419. */
#define DH_GRP_MIN 1024
#define DH_GRP_MIN 2048
+#define DH_GRP_MIN_FIPS 2048
#define DH_GRP_MAX 8192
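Review bot: `DH_GRP_MIN_FIPS` is still added as 2048 while the rebased context two lines above shows upstream raising `DH_GRP_MIN` itself from 1024 to 2048, so the FIPS-specific floor no longer differs from the default one. If the FIPS branch that compares against it is kept, a comment such as `/* equal to DH_GRP_MIN since upstream raised it; kept so the FIPS floor can be changed independently */` states why a separate constant survives; otherwise the constant and the branch that reads it could be retired in a follow-up. The code that uses `DH_GRP_MIN_FIPS` is outside this hunk.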
@ -296,18 +296,18 @@ diff -up openssh-7.0p1/Makefile.in.fips openssh-7.0p1/Makefile.in
|
||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
||||
$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
@ -22,11 +22,11 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o roaming_dummy.o
|
||||
+ $(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
|
||||
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -331,6 +335,8 @@ install-files:
|
||||
fi
|
||||
|
@ -148,8 +148,8 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||
sandbox-seccomp-filter.o sandbox-capsicum.o
|
||||
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
|
||||
sandbox-solaris.o
|
||||
|
||||
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
|
||||
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
|
||||
@ -165,8 +165,8 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
||||
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
|
||||
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -311,6 +317,10 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
@ -187,9 +187,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
||||
+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
|
||||
+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
|
||||
+ fi
|
||||
-rm -f $(DESTDIR)$(bindir)/slogin
|
||||
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
install-sysconf:
|
||||
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
|
||||
@@ -356,6 +370,13 @@ install-sysconf:
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
@ -218,9 +218,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
regress-prep:
|
||||
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
|
||||
diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
|
||||
--- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100
|
||||
|
@ -95,9 +95,9 @@ diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c
|
||||
--- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200
|
||||
+++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200
|
||||
@@ -50,6 +50,7 @@
|
||||
#include "misc.h"
|
||||
#include "dispatch.h"
|
||||
#include "monitor.h"
|
||||
#include "roaming.h"
|
||||
+#include "xmalloc.h"
|
||||
|
||||
#include "ssherr.h"
|
||||
@ -336,9 +336,9 @@ diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5
|
||||
--- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200
|
||||
+++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200
|
||||
@@ -786,6 +786,18 @@ command line will be passed untouched to
|
||||
command line will be passed untouched to the GSSAPI library.
|
||||
The default is
|
||||
.Dq no .
|
||||
This option only applies to protocol version 2 connections using GSSAPI.
|
||||
+.It Cm GSSAPIKexAlgorithms
|
||||
+The list of key exchange algorithms that are offered for GSSAPI
|
||||
+key exchange. Possible values are
|
||||
|
@ -199,7 +199,7 @@ index f41960c..e12932f 100644
|
||||
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
||||
if (fp == NULL || ra == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
logit("Host key fingerprint is %s\n%s\n", fp, ra);
|
||||
logit("Host key fingerprint is %s\n%s", fp, ra);
|
||||
@@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
@ -295,14 +295,14 @@ index 7751031..82ed92e 100644
|
||||
goto done;
|
||||
debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
@@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
|
||||
int have_sig = 1;
|
||||
int matched, ret = -1, have_sig = 1;
|
||||
char *fp;
|
||||
|
||||
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
return 0;
|
||||
debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
|
||||
debug3("%s: %s %s", __func__, key_type(id->key), fp);
|
||||
@@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
goto out;
|
||||
}
|
||||
@ -323,10 +323,23 @@ index 1dca3e2..23bff7d 100644
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__);
fatal("%s: sshkey_fingerprint failed", __progname);
fatal("no matching hostkey found for key %s %s",
--
2.1.0
diff --git a/sshconnect.c b/sshconnect.c
index de7ace6..f16e606 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1262,7 +1262,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
if (sshkey_is_cert(host_key)) {
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
error("%s: fingerprint CA key: %s",
__func__, ssh_err(r));
r = -1;
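Review bot: The new `sshconnect.c` section is appended after the patch's `--` / `2.1.0` signature trailer, so the file now carries a diff beyond its own end-of-message marker. GNU `patch` and `git apply` skip the intervening non-diff lines and still apply it, so the build presumably works, but the trailer now misstates where the patch ends and anyone trimming at the signature would silently lose the `fingerprint_hash[0]` fix for `verify_host_key()`. Moving the block above the `--` line, or regenerating the patch with `git format-patch`, keeps the file consistent with its trailer. The `__func__` to `__progname` change in the `fatal()` context line is an upstream 7.2 rebase and needs nothing.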
@ -1,46 +0,0 @@
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 374e741..23d74fb 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -2229,6 +2229,10 @@ dump_client_config(Options *o, const char *host)
|
||||
int i;
|
||||
char vbuf[5];
|
||||
|
||||
+ /* This is normally prepared in ssh_kex2 */
|
||||
+ if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
|
||||
+ fatal("%s: kex_assemble_names failed", __func__);
|
||||
+
|
||||
/* Most interesting options first: user, host, port */
|
||||
dump_cfg_string(oUser, o->user);
|
||||
dump_cfg_string(oHostName, host);
|
||||
@@ -2289,7 +2293,7 @@ dump_client_config(Options *o, const char *host)
|
||||
dump_cfg_string(oBindAddress, o->bind_address);
|
||||
dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
|
||||
dump_cfg_string(oControlPath, o->control_path);
|
||||
- dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
|
||||
+ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
|
||||
dump_cfg_string(oHostKeyAlias, o->host_key_alias);
|
||||
dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
|
||||
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 04404a4..08c8139 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -242,8 +242,6 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->hostbased_authentication = 0;
|
||||
if (options->hostbased_uses_name_from_packet_only == -1)
|
||||
options->hostbased_uses_name_from_packet_only = 0;
|
||||
- if (options->hostkeyalgorithms == NULL)
|
||||
- options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
|
||||
if (options->rsa_authentication == -1)
|
||||
options->rsa_authentication = 1;
|
||||
if (options->pubkey_authentication == -1)
|
||||
@@ -329,6 +327,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
|
||||
kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
+ &options->hostkeyalgorithms) != 0 ||
|
||||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
&options->hostbased_key_types) != 0 ||
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
&options->pubkey_key_types) != 0)
|
@ -1,532 +0,0 @@
|
||||
From 1a52b2d612b1d0c2a15dfcdc8da560704909ec72 Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Sat, 27 Jul 2013 14:16:52 +0100
|
||||
Subject: [PATCH] echo --> printf "%s: ERROR... (for consistency)
|
||||
|
||||
---
|
||||
ssh-copy-id | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index ae88e99..516b87f 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -200,7 +200,7 @@ populate_new_ids() {
|
||||
umask 0177
|
||||
local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
|
||||
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
|
||||
- echo "mktemp failed" 1>&2
|
||||
+ printf '%s: ERROR: mktemp failed\n' "$0" >&2
|
||||
exit 1
|
||||
fi
|
||||
trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From baebbb9e18e4a1af7554d939710eacb665a24b68 Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Wed, 25 Nov 2015 17:05:39 +0100
|
||||
Subject: [PATCH] Deal with remote user shell being e.g. tcsh (fixes: 2206)
|
||||
|
||||
as suggested by Jakub Jelen <jjelen@redhat.com>
|
||||
---
|
||||
ssh-copy-id | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 516b87f..6a0447a 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -269,10 +269,8 @@ case "$REMOTE_VERSION" in
|
||||
*)
|
||||
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
|
||||
populate_new_ids 0
|
||||
- [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
|
||||
- umask 077 ;
|
||||
- mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
|
||||
- if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
|
||||
+ [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
|
||||
+ ssh "$@" "exec sh -c 'umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|
||||
|| exit 1
|
||||
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
|
||||
;;
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From 35f05e39cda8670b3f6797330a3e521fda509a4c Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Wed, 25 Nov 2015 21:14:00 +0100
|
||||
Subject: [PATCH] set LogLevel to ensure that it's not set to 'None' (closes:
|
||||
2214)
|
||||
|
||||
As pointed out by Sami Haahtinen <sami@badwolf.fi>,
|
||||
the LogLevel is set to 'None' we'll not get the
|
||||
Permission Denied we're looking for.
|
||||
---
|
||||
ssh-copy-id | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 6a0447a..70d3866 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -215,6 +215,7 @@ populate_new_ids() {
|
||||
# The point being that if file based, ssh needs the private key, which it cannot
|
||||
# find if only given the contents of the .pub file in an unrelated tmpfile
|
||||
ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
|
||||
+ -o LogLevel=INFO \
|
||||
-o PreferredAuthentications=publickey \
|
||||
-o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
|
||||
if [ "$?" = "$L_SUCCESS" ] ; then
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From e129c91dc474d73671304403fafda785df440105 Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Wed, 25 Nov 2015 22:30:43 +0100
|
||||
Subject: [PATCH] set ControlPath=none (closes: 2488)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=utf8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Thanks to Salvador Fandiño <sfandino@yahoo.com> for the patch
|
||||
This seems to be the same problem as described in 2195
|
||||
---
|
||||
ssh-copy-id | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 70d3866..7df7fad 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -215,6 +215,7 @@ populate_new_ids() {
|
||||
# The point being that if file based, ssh needs the private key, which it cannot
|
||||
# find if only given the contents of the .pub file in an unrelated tmpfile
|
||||
ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
|
||||
+ -o ControlPath=none \
|
||||
-o LogLevel=INFO \
|
||||
-o PreferredAuthentications=publickey \
|
||||
-o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
|
||||
@@ -244,7 +245,7 @@ populate_new_ids() {
|
||||
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
|
||||
}
|
||||
|
||||
-REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
|
||||
+REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 |
|
||||
sed -ne 's/.*remote software version //p')
|
||||
|
||||
case "$REMOTE_VERSION" in
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From 6fa6f1e3dbec32636e77d01228ceecfa3851c7e8 Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Wed, 25 Nov 2015 23:24:13 +0100
|
||||
Subject: [PATCH] add -f (forced) option to install keys unconditionally
|
||||
(closes: 2110)
|
||||
|
||||
Thanks for the patch from Petr Lautrbach <plautrba@redhat.com>
|
||||
which inspired this.
|
||||
---
|
||||
ssh-copy-id | 15 +++++++++++++--
|
||||
ssh-copy-id.1 | 5 +++++
|
||||
2 files changed, 18 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 7df7fad..3121171 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -59,7 +59,10 @@ fi
|
||||
DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
|
||||
|
||||
usage () {
|
||||
- printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
|
||||
+ printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
|
||||
+ printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2
|
||||
+ printf '\t-n: dry run -- no keys are actually copied\n' >&2
|
||||
+ printf '\t-h|-?: print this help\n' >&2
|
||||
exit 1
|
||||
}
|
||||
|
||||
@@ -121,7 +124,7 @@ do
|
||||
}
|
||||
shift
|
||||
;;
|
||||
- -n|-h|-\?)
|
||||
+ -f|-n|-h|-\?)
|
||||
OPT="$1"
|
||||
OPTARG=
|
||||
shift
|
||||
@@ -154,6 +157,9 @@ do
|
||||
-o|-p)
|
||||
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
|
||||
;;
|
||||
+ -f)
|
||||
+ FORCED=1
|
||||
+ ;;
|
||||
-n)
|
||||
DRY_RUN=1
|
||||
;;
|
||||
@@ -194,6 +200,11 @@ fi
|
||||
populate_new_ids() {
|
||||
local L_SUCCESS="$1"
|
||||
|
||||
+ if [ "$FORCED" ] ; then
|
||||
+ NEW_IDS=$(eval $GET_ID)
|
||||
+ return
|
||||
+ fi
|
||||
+
|
||||
# repopulate "$@" inside this function
|
||||
eval set -- "$SSH_OPTS"
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id.1 $1/contrib/ssh-copy-id.1
|
||||
index 67a59e4..8850cce 100644
|
||||
--- $1/contrib/ssh-copy-id.1
|
||||
+++ $1/contrib/ssh-copy-id.1
|
||||
@@ -29,6 +29,7 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.Nd use locally available keys to authorise logins on a remote machine
|
||||
.Sh SYNOPSIS
|
||||
.Nm
|
||||
+.Op Fl f
|
||||
.Op Fl n
|
||||
.Op Fl i Op Ar identity_file
|
||||
.Op Fl p Ar port
|
||||
@@ -76,6 +77,10 @@ is used.
|
||||
Note that this can be used to ensure that the keys copied have the
|
||||
comment one prefers and/or extra options applied, by ensuring that the
|
||||
key file has these set as preferred before the copy is attempted.
|
||||
+.It Fl f
|
||||
+Forced mode: doesn't check if the keys are present on the remote server.
|
||||
+This means that it does not need the private key. Of course, this can result
|
||||
+in more than one copy of the key being installed on the remote system.
|
||||
.It Fl n
|
||||
do a dry-run. Instead of installing keys on the remote system simply
|
||||
prints the key(s) that would have been installed.
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From ab185eea5a03cdd846c909d83e5dd0a07a44fb54 Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Wed, 25 Nov 2015 23:47:06 +0100
|
||||
Subject: [PATCH] deal with #2331 by suggesting the use of the -f option
|
||||
|
||||
---
|
||||
ssh-copy-id | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 3121171..8666cea 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -250,7 +250,8 @@ populate_new_ids() {
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$NEW_IDS" ] ; then
|
||||
- printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2
|
||||
+ printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
|
||||
+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
|
||||
exit 0
|
||||
fi
|
||||
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From de78897ada50ed12f4b0c9faa6e935ce82ee49a6 Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Thu, 26 Nov 2015 00:25:56 +0100
|
||||
Subject: [PATCH] handle keys with missing trailing newline (closes: 2350)
|
||||
|
||||
---
|
||||
ssh-copy-id | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 8666cea..362b49b 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -218,7 +218,7 @@ populate_new_ids() {
|
||||
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
|
||||
NEW_IDS=$(
|
||||
eval $GET_ID | {
|
||||
- while read ID ; do
|
||||
+ while read ID || [ "$ID" ] ; do
|
||||
printf '%s\n' "$ID" > $L_TMP_ID_FILE
|
||||
|
||||
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From 6b903ab99a3f0107bb0dbde748a4372033bab00c Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Thu, 26 Nov 2015 00:36:09 +0100
|
||||
Subject: [PATCH] add a cd to ensure we're in the remote's home directory
|
||||
(closes: 2349)
|
||||
|
||||
---
|
||||
ssh-copy-id | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 362b49b..2932936 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -284,7 +284,7 @@ case "$REMOTE_VERSION" in
|
||||
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
|
||||
populate_new_ids 0
|
||||
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
|
||||
- ssh "$@" "exec sh -c 'umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|
||||
+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|
||||
|| exit 1
|
||||
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
|
||||
;;
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From 441892cbf4ff96fd96908582b8170f51890b5deb Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Sat, 28 Nov 2015 14:42:36 +0100
|
||||
Subject: [PATCH] add comment about why the ugly one-line remote command is as
|
||||
it is
|
||||
|
||||
In case anyone looks here for the details:
|
||||
* tcsh doesn't support multi-line strings,
|
||||
which is why it's a one-liner.
|
||||
* tcsh doesn't do 2>&1, and fish doesn't do
|
||||
'command || command' which is why we're runnig this under
|
||||
sh (which is very likely to be a POSIX shell on any vaguely
|
||||
Unix-like system)
|
||||
* The 'cd' is there to make sure we're in the home dir, because
|
||||
there was a bug report about having a cd in ~/.bashrc that resulted
|
||||
in a .ssh being created elsewhere.
|
||||
* the 'exec' ensures that we're not relying on anything beyond the
|
||||
(hopefully POSIX) shell that's available as 'sh' on the remote system
|
||||
---
|
||||
ssh-copy-id | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 2932936..04c03eb 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -283,6 +283,7 @@ case "$REMOTE_VERSION" in
|
||||
*)
|
||||
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
|
||||
populate_new_ids 0
|
||||
+ # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; 'cd' to be at $HOME; and all on one line, because tcsh.
|
||||
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
|
||||
ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|
||||
|| exit 1
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From 8b59b122d321b97badd15c41e1a22863aa922a02 Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Sat, 28 Nov 2015 14:46:47 +0100
|
||||
Subject: [PATCH] with '-f' there's no need to have access to the private key
|
||||
|
||||
---
|
||||
ssh-copy-id | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 04c03eb..d3ff83b 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -80,7 +80,7 @@ use_id_file() {
|
||||
PUB_ID_FILE="$L_ID_FILE.pub"
|
||||
fi
|
||||
|
||||
- PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
|
||||
+ [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
|
||||
|
||||
# check that the files are readable
|
||||
for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From 1b931894de0614099255244be789ad097fd0948a Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Sat, 28 Nov 2015 14:47:35 +0100
|
||||
Subject: [PATCH] if the private key is missing, point out that '-f' might be
|
||||
what's needed
|
||||
|
||||
---
|
||||
ssh-copy-id | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index d3ff83b..f0b01aa 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -85,7 +85,9 @@ use_id_file() {
|
||||
# check that the files are readable
|
||||
for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
|
||||
ErrMSG=$( { : < $f ; } 2>&1 ) || {
|
||||
- printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')"
|
||||
+ local L_PRIVMSG=""
|
||||
+ [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
|
||||
+ printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From fd3e8b115e160a1332773cd8e06a3305d0d680ab Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Sat, 28 Nov 2015 21:10:39 +0100
|
||||
Subject: [PATCH] +INFO message to mitigate the surprise described in #2196
|
||||
|
||||
---
|
||||
ssh-copy-id | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index f0b01aa..994194e 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -91,6 +91,7 @@ use_id_file() {
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
+ printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" $PUB_ID_FILE >&2
|
||||
GET_ID="cat \"$PUB_ID_FILE\""
|
||||
}
|
||||
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
|
||||
From 783ef08b0a757402aba67313f08f8dbfa9bf85f3 Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Mon, 30 Nov 2015 20:46:19 +0100
|
||||
Subject: [PATCH] deal with $HOME and id filenames that include a space
|
||||
|
||||
---
|
||||
ssh-copy-id | 15 ++++++++-------
|
||||
1 file changed, 8 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
|
||||
index 994194e..afde8b1 100755
|
||||
--- $1/contrib/ssh-copy-id
|
||||
+++ $1/contrib/ssh-copy-id
|
||||
@@ -56,7 +56,7 @@ then
|
||||
fi
|
||||
fi
|
||||
|
||||
-DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
|
||||
+DEFAULT_PUB_ID_FILE="$HOME/$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)"
|
||||
|
||||
usage () {
|
||||
printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
|
||||
@@ -83,15 +83,15 @@ use_id_file() {
|
||||
[ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
|
||||
|
||||
# check that the files are readable
|
||||
- for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
|
||||
- ErrMSG=$( { : < $f ; } 2>&1 ) || {
|
||||
+ for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
|
||||
+ ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
|
||||
local L_PRIVMSG=""
|
||||
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
|
||||
printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
- printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" $PUB_ID_FILE >&2
|
||||
+ printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2
|
||||
GET_ID="cat \"$PUB_ID_FILE\""
|
||||
}
|
||||
|
||||
@@ -217,12 +217,13 @@ populate_new_ids() {
|
||||
printf '%s: ERROR: mktemp failed\n' "$0" >&2
|
||||
exit 1
|
||||
fi
|
||||
- trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT
|
||||
+ local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
||||
+ trap "$L_CLEANUP" EXIT TERM INT QUIT
|
||||
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
|
||||
NEW_IDS=$(
|
||||
eval $GET_ID | {
|
||||
while read ID || [ "$ID" ] ; do
|
||||
- printf '%s\n' "$ID" > $L_TMP_ID_FILE
|
||||
+ printf '%s\n' "$ID" > "$L_TMP_ID_FILE"
|
||||
|
||||
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
|
||||
# assumption will break if we implement the possibility of multiple -i options.
|
||||
@@ -246,7 +247,7 @@ populate_new_ids() {
|
||||
done
|
||||
}
|
||||
)
|
||||
- rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
|
||||
+ eval "$L_CLEANUP" && trap - EXIT TERM INT QUIT
|
||||
|
||||
if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
|
||||
printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||
index afde8b1..cd52764 100644
|
||||
--- a/contrib/ssh-copy-id
|
||||
+++ b/contrib/ssh-copy-id
|
||||
@@ -99,6 +99,8 @@ if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
|
||||
GET_ID="ssh-add -L"
|
||||
fi
|
||||
|
||||
+[ "x$SSH_COPY_ID_LEGACY" != "x" ] && FORCED=1
|
||||
+
|
||||
while test "$#" -gt 0
|
||||
do
|
||||
[ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
|
||||
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
|
||||
index 8850cce..62f112d 100644
|
||||
--- a/contrib/ssh-copy-id.1
|
||||
+++ b/contrib/ssh-copy-id.1
|
||||
@@ -185,6 +185,22 @@ should prove enlightening (N.B. the modern approach is to use the
|
||||
.Fl W
|
||||
option, rather than
|
||||
.Xr nc 1 ) .
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds
|
||||
+.Pp
|
||||
+.It Pa SSH_COPY_ID_LEGACY
|
||||
+If the
|
||||
+.Cm SSH_COPY_ID_LEGACY
|
||||
+environment variable is set, the
|
||||
+.Nm
|
||||
+is run in a legacy mode. In this mode, the
|
||||
+.Nm
|
||||
+doesn't check an existence of a private key and doesn't do remote checks
|
||||
+of the remote server versions or if public keys are already installed
|
||||
+(equivalent to
|
||||
+.Fl f
|
||||
+switch).
|
||||
+.El
|
||||
.Sh "SEE ALSO"
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-agent 1 ,
|
@ -77,7 +77,7 @@ index 8949fd1..9afb764 100644
|
||||
+#endif
|
||||
+
|
||||
static int is_child = 0;
|
||||
|
||||
static int in_chroot = 0;
|
||||
static int have_dev_log = 1;
|
||||
@@ -875,6 +879,8 @@ do_exec(Session *s, const char *command)
|
||||
}
|
||||
|
@ -1,387 +0,0 @@
|
||||
From f98a09cacff7baad8748c9aa217afd155a4d493f Mon Sep 17 00:00:00 2001
|
||||
From: "mmcc@openbsd.org" <mmcc@openbsd.org>
|
||||
Date: Tue, 20 Oct 2015 03:36:35 +0000
|
||||
Subject: [PATCH] upstream commit
|
||||
|
||||
Replace a function-local allocation with stack memory.
|
||||
|
||||
ok djm@
|
||||
|
||||
Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
|
||||
---
|
||||
clientloop.c | 9 ++-------
|
||||
1 file changed, 2 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index 87ceb3d..1e05cba 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -311,11 +311,10 @@ client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
static char proto[512], data[512];
|
||||
FILE *f;
|
||||
int got_data = 0, generated = 0, do_unlink = 0, i;
|
||||
- char *xauthdir, *xauthfile;
|
||||
+ char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
|
||||
struct stat st;
|
||||
u_int now, x11_timeout_real;
|
||||
|
||||
- xauthdir = xauthfile = NULL;
|
||||
*_proto = proto;
|
||||
*_data = data;
|
||||
proto[0] = data[0] = '\0';
|
||||
@@ -343,8 +342,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
display = xdisplay;
|
||||
}
|
||||
if (trusted == 0) {
|
||||
- xauthdir = xmalloc(PATH_MAX);
|
||||
- xauthfile = xmalloc(PATH_MAX);
|
||||
mktemp_proto(xauthdir, PATH_MAX);
|
||||
/*
|
||||
* The authentication cookie should briefly outlive
|
||||
@@ -407,8 +404,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
unlink(xauthfile);
|
||||
rmdir(xauthdir);
|
||||
}
|
||||
- free(xauthdir);
|
||||
- free(xauthfile);
|
||||
|
||||
/*
|
||||
* If we didn't get authentication data, just make up some
|
||||
--
|
||||
2.5.0
|
||||
|
||||
From ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Mon Sep 17 00:00:00 2001
|
||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
||||
Date: Wed, 13 Jan 2016 23:04:47 +0000
|
||||
Subject: [PATCH] upstream commit
|
||||
|
||||
eliminate fallback from untrusted X11 forwarding to trusted
|
||||
forwarding when the X server disables the SECURITY extension; Reported by
|
||||
Thomas Hoger; ok deraadt@
|
||||
|
||||
Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
|
||||
---
|
||||
clientloop.c | 114 ++++++++++++++++++++++++++++++++++++-----------------------
|
||||
clientloop.h | 4 +--
|
||||
mux.c | 22 ++++++------
|
||||
ssh.c | 23 +++++-------
|
||||
4 files changed, 93 insertions(+), 70 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index f555451..c0386d5 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -288,6 +288,9 @@ client_x11_display_valid(const char *display)
|
||||
{
|
||||
size_t i, dlen;
|
||||
|
||||
+ if (display == NULL)
|
||||
+ return 0;
|
||||
+
|
||||
dlen = strlen(display);
|
||||
for (i = 0; i < dlen; i++) {
|
||||
if (!isalnum((u_char)display[i]) &&
|
||||
@@ -301,34 +304,33 @@ client_x11_display_valid(const char *display)
|
||||
|
||||
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
|
||||
#define X11_TIMEOUT_SLACK 60
|
||||
-void
|
||||
+int
|
||||
client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
u_int trusted, u_int timeout, char **_proto, char **_data)
|
||||
{
|
||||
- char cmd[1024];
|
||||
- char line[512];
|
||||
- char xdisplay[512];
|
||||
+ char cmd[1024], line[512], xdisplay[512];
|
||||
+ char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
|
||||
static char proto[512], data[512];
|
||||
FILE *f;
|
||||
- int got_data = 0, generated = 0, do_unlink = 0, i;
|
||||
- char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
|
||||
+ int got_data = 0, generated = 0, do_unlink = 0, i, r;
|
||||
struct stat st;
|
||||
u_int now, x11_timeout_real;
|
||||
|
||||
*_proto = proto;
|
||||
*_data = data;
|
||||
- proto[0] = data[0] = '\0';
|
||||
+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
|
||||
|
||||
- if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
|
||||
- debug("No xauth program.");
|
||||
- } else if (!client_x11_display_valid(display)) {
|
||||
- logit("DISPLAY '%s' invalid, falling back to fake xauth data",
|
||||
+ if (!client_x11_display_valid(display)) {
|
||||
+ logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
|
||||
display);
|
||||
- } else {
|
||||
- if (display == NULL) {
|
||||
- debug("x11_get_proto: DISPLAY not set");
|
||||
- return;
|
||||
- }
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
|
||||
+ debug("No xauth program.");
|
||||
+ xauth_path = NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (xauth_path != NULL) {
|
||||
/*
|
||||
* Handle FamilyLocal case where $DISPLAY does
|
||||
* not match an authorization entry. For this we
|
||||
@@ -337,43 +339,60 @@ client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
* is not perfect.
|
||||
*/
|
||||
if (strncmp(display, "localhost:", 10) == 0) {
|
||||
- snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
|
||||
- display + 10);
|
||||
+ if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
|
||||
+ display + 10)) < 0 ||
|
||||
+ (size_t)r >= sizeof(xdisplay)) {
|
||||
+ error("%s: display name too long", __func__);
|
||||
+ return -1;
|
||||
+ }
|
||||
display = xdisplay;
|
||||
}
|
||||
if (trusted == 0) {
|
||||
- mktemp_proto(xauthdir, PATH_MAX);
|
||||
/*
|
||||
+ * Generate an untrusted X11 auth cookie.
|
||||
+ *
|
||||
* The authentication cookie should briefly outlive
|
||||
* ssh's willingness to forward X11 connections to
|
||||
* avoid nasty fail-open behaviour in the X server.
|
||||
*/
|
||||
+ mktemp_proto(xauthdir, sizeof(xauthdir));
|
||||
+ if (mkdtemp(xauthdir) == NULL) {
|
||||
+ error("%s: mkdtemp: %s",
|
||||
+ __func__, strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
+ do_unlink = 1;
|
||||
+ if ((r = snprintf(xauthfile, sizeof(xauthfile),
|
||||
+ "%s/xauthfile", xauthdir)) < 0 ||
|
||||
+ (size_t)r >= sizeof(xauthfile)) {
|
||||
+ error("%s: xauthfile path too long", __func__);
|
||||
+ unlink(xauthfile);
|
||||
+ rmdir(xauthdir);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
|
||||
x11_timeout_real = UINT_MAX;
|
||||
else
|
||||
x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
|
||||
- if (mkdtemp(xauthdir) != NULL) {
|
||||
- do_unlink = 1;
|
||||
- snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
|
||||
- xauthdir);
|
||||
- snprintf(cmd, sizeof(cmd),
|
||||
- "%s -f %s generate %s " SSH_X11_PROTO
|
||||
- " untrusted timeout %u 2>" _PATH_DEVNULL,
|
||||
- xauth_path, xauthfile, display,
|
||||
- x11_timeout_real);
|
||||
- debug2("x11_get_proto: %s", cmd);
|
||||
- if (x11_refuse_time == 0) {
|
||||
- now = monotime() + 1;
|
||||
- if (UINT_MAX - timeout < now)
|
||||
- x11_refuse_time = UINT_MAX;
|
||||
- else
|
||||
- x11_refuse_time = now + timeout;
|
||||
- channel_set_x11_refuse_time(
|
||||
- x11_refuse_time);
|
||||
- }
|
||||
- if (system(cmd) == 0)
|
||||
- generated = 1;
|
||||
+ if ((r = snprintf(cmd, sizeof(cmd),
|
||||
+ "%s -f %s generate %s " SSH_X11_PROTO
|
||||
+ " untrusted timeout %u 2>" _PATH_DEVNULL,
|
||||
+ xauth_path, xauthfile, display,
|
||||
+ x11_timeout_real)) < 0 ||
|
||||
+ (size_t)r >= sizeof(cmd))
|
||||
+ fatal("%s: cmd too long", __func__);
|
||||
+ debug2("%s: %s", __func__, cmd);
|
||||
+ if (x11_refuse_time == 0) {
|
||||
+ now = monotime() + 1;
|
||||
+ if (UINT_MAX - timeout < now)
|
||||
+ x11_refuse_time = UINT_MAX;
|
||||
+ else
|
||||
+ x11_refuse_time = now + timeout;
|
||||
+ channel_set_x11_refuse_time(x11_refuse_time);
|
||||
}
|
||||
+ if (system(cmd) == 0)
|
||||
+ generated = 1;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -395,9 +414,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
got_data = 1;
|
||||
if (f)
|
||||
pclose(f);
|
||||
- } else
|
||||
- error("Warning: untrusted X11 forwarding setup failed: "
|
||||
- "xauth key data not generated");
|
||||
+ }
|
||||
}
|
||||
|
||||
if (do_unlink) {
|
||||
@@ -405,6 +422,13 @@ client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
rmdir(xauthdir);
|
||||
}
|
||||
|
||||
+ /* Don't fall back to fake X11 data for untrusted forwarding */
|
||||
+ if (!trusted && !got_data) {
|
||||
+ error("Warning: untrusted X11 forwarding setup failed: "
|
||||
+ "xauth key data not generated");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* If we didn't get authentication data, just make up some
|
||||
* data. The forwarding code will check the validity of the
|
||||
@@ -427,6 +451,8 @@ client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
rnd >>= 8;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/clientloop.h b/clientloop.h
|
||||
index 338d451..f4d4c69 100644
|
||||
--- a/clientloop.h
|
||||
+++ b/clientloop.h
|
||||
@@ -39,7 +39,7 @@
|
||||
|
||||
/* Client side main loop for the interactive session. */
|
||||
int client_loop(int, int, int);
|
||||
-void client_x11_get_proto(const char *, const char *, u_int, u_int,
|
||||
+int client_x11_get_proto(const char *, const char *, u_int, u_int,
|
||||
char **, char **);
|
||||
void client_global_request_reply_fwd(int, u_int32_t, void *);
|
||||
void client_session2_setup(int, int, int, const char *, struct termios *,
|
||||
diff --git a/mux.c b/mux.c
|
||||
index f9c3af6..6bf53eb 100644
|
||||
--- a/mux.c
|
||||
+++ b/mux.c
|
||||
@@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success, void *arg)
|
||||
char *proto, *data;
|
||||
|
||||
/* Get reasonable local authentication information. */
|
||||
- client_x11_get_proto(display, options.xauth_location,
|
||||
+ if (client_x11_get_proto(display, options.xauth_location,
|
||||
options.forward_x11_trusted, options.forward_x11_timeout,
|
||||
- &proto, &data);
|
||||
- /* Request forwarding with authentication spoofing. */
|
||||
- debug("Requesting X11 forwarding with authentication "
|
||||
- "spoofing.");
|
||||
- x11_request_forwarding_with_spoofing(id, display, proto,
|
||||
- data, 1);
|
||||
- client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN);
|
||||
- /* XXX exit_on_forward_failure */
|
||||
+ &proto, &data) == 0) {
|
||||
+ /* Request forwarding with authentication spoofing. */
|
||||
+ debug("Requesting X11 forwarding with authentication "
|
||||
+ "spoofing.");
|
||||
+ x11_request_forwarding_with_spoofing(id, display, proto,
|
||||
+ data, 1);
|
||||
+ /* XXX exit_on_forward_failure */
|
||||
+ client_expect_confirm(id, "X11 forwarding",
|
||||
+ CONFIRM_WARN);
|
||||
+ }
|
||||
}
|
||||
|
||||
if (cctx->want_agent_fwd && options.forward_agent) {
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index 81704ab..096c5b5 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
@@ -1626,6 +1626,7 @@ ssh_session(void)
|
||||
struct winsize ws;
|
||||
char *cp;
|
||||
const char *display;
|
||||
+ char *proto = NULL, *data = NULL;
|
||||
|
||||
/* Enable compression if requested. */
|
||||
if (options.compression) {
|
||||
@@ -1696,13 +1697,9 @@ ssh_session(void)
|
||||
display = getenv("DISPLAY");
|
||||
if (display == NULL && options.forward_x11)
|
||||
debug("X11 forwarding requested but DISPLAY not set");
|
||||
- if (options.forward_x11 && display != NULL) {
|
||||
- char *proto, *data;
|
||||
- /* Get reasonable local authentication information. */
|
||||
- client_x11_get_proto(display, options.xauth_location,
|
||||
- options.forward_x11_trusted,
|
||||
- options.forward_x11_timeout,
|
||||
- &proto, &data);
|
||||
+ if (options.forward_x11 && client_x11_get_proto(display,
|
||||
+ options.xauth_location, options.forward_x11_trusted,
|
||||
+ options.forward_x11_timeout, &proto, &data) == 0) {
|
||||
/* Request forwarding with authentication spoofing. */
|
||||
debug("Requesting X11 forwarding with authentication "
|
||||
"spoofing.");
|
||||
@@ -1792,6 +1789,7 @@ ssh_session2_setup(int id, int success, void *arg)
|
||||
extern char **environ;
|
||||
const char *display;
|
||||
int interactive = tty_flag;
|
||||
+ char *proto = NULL, *data = NULL;
|
||||
|
||||
if (!success)
|
||||
return; /* No need for error message, channels code sens one */
|
||||
@@ -1799,12 +1797,9 @@ ssh_session2_setup(int id, int success, void *arg)
|
||||
display = getenv("DISPLAY");
|
||||
if (display == NULL && options.forward_x11)
|
||||
debug("X11 forwarding requested but DISPLAY not set");
|
||||
- if (options.forward_x11 && display != NULL) {
|
||||
- char *proto, *data;
|
||||
- /* Get reasonable local authentication information. */
|
||||
- client_x11_get_proto(display, options.xauth_location,
|
||||
- options.forward_x11_trusted,
|
||||
- options.forward_x11_timeout, &proto, &data);
|
||||
+ if (options.forward_x11 && client_x11_get_proto(display,
|
||||
+ options.xauth_location, options.forward_x11_trusted,
|
||||
+ options.forward_x11_timeout, &proto, &data) == 0) {
|
||||
/* Request forwarding with authentication spoofing. */
|
||||
debug("Requesting X11 forwarding with authentication "
|
||||
"spoofing.");
|
||||
--
|
||||
2.5.0
|
||||
|
||||
From 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a Mon Sep 17 00:00:00 2001
|
||||
From: "millert@openbsd.org" <millert@openbsd.org>
|
||||
Date: Mon, 1 Feb 2016 21:18:17 +0000
|
||||
Subject: upstream commit
|
||||
|
||||
Avoid ugly "DISPLAY "(null)" invalid; disabling X11
|
||||
forwarding" message when DISPLAY is not set. This could also result in a
|
||||
crash on systems with a printf that doesn't handle NULL. OK djm@
|
||||
|
||||
Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
|
||||
---
|
||||
clientloop.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index f8f9a3f..f0a08f2 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -318,8 +318,9 @@ client_x11_get_proto(const char *display, const char *xauth_path,
|
||||
proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
|
||||
|
||||
if (!client_x11_display_valid(display)) {
|
||||
- logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
|
||||
- display);
|
||||
+ if (display != NULL)
|
||||
+ logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
|
||||
+ display);
|
||||
return -1;
|
||||
}
|
||||
if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
|
||||
--
|
||||
cgit v0.11.2
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-7.0p1/audit-bsm.c.audit openssh-7.0p1/audit-bsm.c
|
||||
--- openssh-7.0p1/audit-bsm.c.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/audit-bsm.c 2015-08-12 11:33:00.409914290 +0200
|
||||
diff -up openssh-7.2p1/audit-bsm.c.audit openssh-7.2p1/audit-bsm.c
|
||||
--- openssh-7.2p1/audit-bsm.c.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/audit-bsm.c 2016-02-12 18:24:34.212825181 +0100
|
||||
@@ -375,10 +375,23 @@ audit_connection_from(const char *host,
|
||||
#endif
|
||||
}
|
||||
@ -80,9 +80,9 @@ diff -up openssh-7.0p1/audit-bsm.c.audit openssh-7.0p1/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-7.0p1/audit.c.audit openssh-7.0p1/audit.c
|
||||
--- openssh-7.0p1/audit.c.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/audit.c 2015-08-12 11:33:00.410914289 +0200
|
||||
diff -up openssh-7.2p1/audit.c.audit openssh-7.2p1/audit.c
|
||||
--- openssh-7.2p1/audit.c.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/audit.c 2016-02-12 18:24:34.216825179 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#include <stdarg.h>
|
||||
@ -280,9 +280,9 @@ diff -up openssh-7.0p1/audit.c.audit openssh-7.0p1/audit.c
|
||||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-7.0p1/audit.h.audit openssh-7.0p1/audit.h
|
||||
--- openssh-7.0p1/audit.h.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/audit.h 2015-08-12 11:33:00.410914289 +0200
|
||||
diff -up openssh-7.2p1/audit.h.audit openssh-7.2p1/audit.h
|
||||
--- openssh-7.2p1/audit.h.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/audit.h 2016-02-12 18:24:34.216825179 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
# define _SSH_AUDIT_H
|
||||
|
||||
@ -318,9 +318,9 @@ diff -up openssh-7.0p1/audit.h.audit openssh-7.0p1/audit.h
|
||||
+void audit_generate_ephemeral_server_key(const char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-7.0p1/audit-linux.c.audit openssh-7.0p1/audit-linux.c
|
||||
--- openssh-7.0p1/audit-linux.c.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/audit-linux.c 2015-08-12 11:33:00.411914287 +0200
|
||||
diff -up openssh-7.2p1/audit-linux.c.audit openssh-7.2p1/audit-linux.c
|
||||
--- openssh-7.2p1/audit-linux.c.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/audit-linux.c 2016-02-12 18:24:34.219825178 +0100
|
||||
@@ -35,13 +35,25 @@
|
||||
|
||||
#include "log.h"
|
||||
@ -712,9 +712,9 @@ diff -up openssh-7.0p1/audit-linux.c.audit openssh-7.0p1/audit-linux.c
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-7.0p1/auditstub.c.audit openssh-7.0p1/auditstub.c
|
||||
--- openssh-7.0p1/auditstub.c.audit 2015-08-12 11:33:00.411914287 +0200
|
||||
+++ openssh-7.0p1/auditstub.c 2015-08-12 11:33:00.411914287 +0200
|
||||
diff -up openssh-7.2p1/auditstub.c.audit openssh-7.2p1/auditstub.c
|
||||
--- openssh-7.2p1/auditstub.c.audit 2016-02-12 18:24:34.219825178 +0100
|
||||
+++ openssh-7.2p1/auditstub.c 2016-02-12 18:24:34.219825178 +0100
|
||||
@@ -0,0 +1,50 @@
|
||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
@ -766,9 +766,9 @@ diff -up openssh-7.0p1/auditstub.c.audit openssh-7.0p1/auditstub.c
|
||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+}
|
||||
diff -up openssh-7.0p1/auth2.c.audit openssh-7.0p1/auth2.c
|
||||
--- openssh-7.0p1/auth2.c.audit 2015-08-12 11:33:00.349914384 +0200
|
||||
+++ openssh-7.0p1/auth2.c 2015-08-12 11:33:00.411914287 +0200
|
||||
diff -up openssh-7.2p1/auth2.c.audit openssh-7.2p1/auth2.c
|
||||
--- openssh-7.2p1/auth2.c.audit 2016-02-12 18:24:34.148825205 +0100
|
||||
+++ openssh-7.2p1/auth2.c 2016-02-12 18:24:34.219825178 +0100
|
||||
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32
|
||||
} else {
|
||||
logit("input_userauth_request: invalid user %s", user);
|
||||
@ -779,9 +779,9 @@ diff -up openssh-7.0p1/auth2.c.audit openssh-7.0p1/auth2.c
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
diff -up openssh-7.0p1/auth2-hostbased.c.audit openssh-7.0p1/auth2-hostbased.c
|
||||
--- openssh-7.0p1/auth2-hostbased.c.audit 2015-08-12 11:33:00.303914456 +0200
|
||||
+++ openssh-7.0p1/auth2-hostbased.c 2015-08-12 11:33:00.412914286 +0200
|
||||
diff -up openssh-7.2p1/auth2-hostbased.c.audit openssh-7.2p1/auth2-hostbased.c
|
||||
--- openssh-7.2p1/auth2-hostbased.c.audit 2016-02-12 18:24:34.109825220 +0100
|
||||
+++ openssh-7.2p1/auth2-hostbased.c 2016-02-12 18:24:34.220825178 +0100
|
||||
@@ -146,7 +146,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
/* test for allowed key and correct signature */
|
||||
authenticated = 0;
|
||||
@ -810,10 +810,10 @@ diff -up openssh-7.0p1/auth2-hostbased.c.audit openssh-7.0p1/auth2-hostbased.c
|
||||
/* return 1 if given hostkey is allowed */
|
||||
int
|
||||
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||
diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c
|
||||
--- openssh-7.0p1/auth2-pubkey.c.audit 2015-08-12 11:33:00.318914432 +0200
|
||||
+++ openssh-7.0p1/auth2-pubkey.c 2015-08-12 11:33:00.412914286 +0200
|
||||
@@ -175,7 +175,7 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
diff -up openssh-7.2p1/auth2-pubkey.c.audit openssh-7.2p1/auth2-pubkey.c
|
||||
--- openssh-7.2p1/auth2-pubkey.c.audit 2016-02-12 18:24:34.122825215 +0100
|
||||
+++ openssh-7.2p1/auth2-pubkey.c 2016-02-12 18:24:34.220825178 +0100
|
||||
@@ -178,7 +178,7 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
|
||||
@ -822,7 +822,7 @@ diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c
|
||||
buffer_len(&b))) == 1) {
|
||||
authenticated = 1;
|
||||
/* Record the successful key to prevent reuse */
|
||||
@@ -253,6 +253,18 @@ pubkey_auth_info(Authctxt *authctxt, con
|
||||
@@ -258,6 +258,18 @@ pubkey_auth_info(Authctxt *authctxt, con
|
||||
free(extra);
|
||||
}
|
||||
|
||||
@ -841,10 +841,10 @@ diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c
|
||||
/*
|
||||
* Splits 's' into an argument vector. Handles quoted string and basic
|
||||
* escape characters (\\, \", \'). Caller must free the argument vector
|
||||
diff -up openssh-7.0p1/auth.c.audit openssh-7.0p1/auth.c
|
||||
--- openssh-7.0p1/auth.c.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/auth.c 2015-08-12 11:33:00.412914286 +0200
|
||||
@@ -645,9 +645,6 @@ getpwnamallow(const char *user)
|
||||
diff -up openssh-7.2p1/auth.c.audit openssh-7.2p1/auth.c
|
||||
--- openssh-7.2p1/auth.c.audit 2016-02-12 18:24:34.148825205 +0100
|
||||
+++ openssh-7.2p1/auth.c 2016-02-12 18:24:34.220825178 +0100
|
||||
@@ -646,9 +646,6 @@ getpwnamallow(const char *user)
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
@ -854,9 +854,9 @@ diff -up openssh-7.0p1/auth.c.audit openssh-7.0p1/auth.c
|
||||
return (NULL);
|
||||
}
|
||||
if (!allowed_user(pw))
|
||||
diff -up openssh-7.0p1/auth.h.audit openssh-7.0p1/auth.h
|
||||
--- openssh-7.0p1/auth.h.audit 2015-08-12 11:33:00.302914457 +0200
|
||||
+++ openssh-7.0p1/auth.h 2015-08-12 11:33:00.412914286 +0200
|
||||
diff -up openssh-7.2p1/auth.h.audit openssh-7.2p1/auth.h
|
||||
--- openssh-7.2p1/auth.h.audit 2016-02-12 18:24:34.108825221 +0100
|
||||
+++ openssh-7.2p1/auth.h 2016-02-12 18:32:46.085636046 +0100
|
||||
@@ -195,6 +195,7 @@ void abandon_challenge_response(Authctxt
|
||||
|
||||
char *expand_authorized_keys(const char *, struct passwd *pw);
|
||||
@ -868,14 +868,14 @@ diff -up openssh-7.0p1/auth.h.audit openssh-7.0p1/auth.h
|
||||
@@ -213,6 +214,7 @@ int get_hostkey_index(Key *, int, struc
|
||||
int ssh1_session_key(BIGNUM *);
|
||||
int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
|
||||
const u_char *, size_t, u_int);
|
||||
const u_char *, size_t, const char *, u_int);
|
||||
+int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
|
||||
|
||||
/* debug messages during authentication */
|
||||
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
||||
diff -up openssh-7.0p1/auth-rsa.c.audit openssh-7.0p1/auth-rsa.c
|
||||
--- openssh-7.0p1/auth-rsa.c.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/auth-rsa.c 2015-08-12 11:33:00.412914286 +0200
|
||||
diff -up openssh-7.2p1/auth-rsa.c.audit openssh-7.2p1/auth-rsa.c
|
||||
--- openssh-7.2p1/auth-rsa.c.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/auth-rsa.c 2016-02-12 18:24:34.221825177 +0100
|
||||
@@ -95,7 +95,10 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
{
|
||||
u_char buf[32], mdbuf[16];
|
||||
@ -912,9 +912,9 @@ diff -up openssh-7.0p1/auth-rsa.c.audit openssh-7.0p1/auth-rsa.c
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up openssh-7.0p1/cipher.c.audit openssh-7.0p1/cipher.c
|
||||
--- openssh-7.0p1/cipher.c.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/cipher.c 2015-08-12 11:33:00.412914286 +0200
|
||||
diff -up openssh-7.2p1/cipher.c.audit openssh-7.2p1/cipher.c
|
||||
--- openssh-7.2p1/cipher.c.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/cipher.c 2016-02-12 18:24:34.221825177 +0100
|
||||
@@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(v
|
||||
extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
|
||||
#endif
|
||||
@ -942,9 +942,9 @@ diff -up openssh-7.0p1/cipher.c.audit openssh-7.0p1/cipher.c
|
||||
static const struct sshcipher ciphers[] = {
|
||||
#ifdef WITH_SSH1
|
||||
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
|
||||
diff -up openssh-7.0p1/cipher.h.audit openssh-7.0p1/cipher.h
|
||||
--- openssh-7.0p1/cipher.h.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/cipher.h 2015-08-12 11:33:00.413914284 +0200
|
||||
diff -up openssh-7.2p1/cipher.h.audit openssh-7.2p1/cipher.h
|
||||
--- openssh-7.2p1/cipher.h.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/cipher.h 2016-02-12 18:24:34.221825177 +0100
|
||||
@@ -62,7 +62,26 @@
|
||||
#define CIPHER_ENCRYPT 1
|
||||
#define CIPHER_DECRYPT 0
|
||||
@ -973,9 +973,9 @@ diff -up openssh-7.0p1/cipher.h.audit openssh-7.0p1/cipher.h
|
||||
struct sshcipher_ctx {
|
||||
int plaintext;
|
||||
int encrypt;
|
||||
diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
|
||||
--- openssh-7.0p1/kex.c.audit 2015-08-12 11:33:00.351914381 +0200
|
||||
+++ openssh-7.0p1/kex.c 2015-08-12 11:33:00.413914284 +0200
|
||||
diff -up openssh-7.2p1/kex.c.audit openssh-7.2p1/kex.c
|
||||
--- openssh-7.2p1/kex.c.audit 2016-02-12 18:24:34.201825185 +0100
|
||||
+++ openssh-7.2p1/kex.c 2016-02-12 18:24:34.221825177 +0100
|
||||
@@ -54,6 +54,7 @@
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
@ -984,7 +984,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
|
||||
|
||||
#ifdef GSSAPI
|
||||
#include "ssh-gss.h"
|
||||
@@ -549,8 +550,12 @@ choose_enc(struct sshenc *enc, char *cli
|
||||
@@ -669,8 +670,12 @@ choose_enc(struct sshenc *enc, char *cli
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
|
||||
@ -998,7 +998,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
|
||||
if ((enc->cipher = cipher_by_name(name)) == NULL)
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
enc->name = name;
|
||||
@@ -568,8 +573,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||
@@ -688,8 +693,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
|
||||
@ -1012,7 +1012,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
|
||||
if (mac_setup(mac, name) < 0)
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
/* truncate the key */
|
||||
@@ -586,8 +595,12 @@ choose_comp(struct sshcomp *comp, char *
|
||||
@@ -706,8 +715,12 @@ choose_comp(struct sshcomp *comp, char *
|
||||
{
|
||||
char *name = match_list(client, server, NULL);
|
||||
|
||||
@ -1026,7 +1026,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
|
||||
if (strcmp(name, "zlib@openssh.com") == 0) {
|
||||
comp->type = COMP_DELAYED;
|
||||
} else if (strcmp(name, "zlib") == 0) {
|
||||
@@ -753,6 +766,10 @@ kex_choose_conf(struct ssh *ssh)
|
||||
@@ -878,6 +891,10 @@ kex_choose_conf(struct ssh *ssh)
|
||||
dh_need = MAX(dh_need, newkeys->enc.block_size);
|
||||
dh_need = MAX(dh_need, newkeys->enc.iv_len);
|
||||
dh_need = MAX(dh_need, newkeys->mac.key_len);
|
||||
@ -1037,7 +1037,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
|
||||
}
|
||||
/* XXX need runden? */
|
||||
kex->we_need = need;
|
||||
@@ -928,3 +945,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
@@ -1052,3 +1069,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
sshbuf_dump_data(digest, len, stderr);
|
||||
}
|
||||
#endif
|
||||
@ -1054,7 +1054,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
|
||||
+ }
|
||||
+
|
||||
+ if (enc->iv) {
|
||||
+ memset(enc->iv, 0, enc->block_size);
|
||||
+ memset(enc->iv, 0, enc->iv_len);
|
||||
+ free(enc->iv);
|
||||
+ }
|
||||
+
|
||||
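Review bot: The IV is wiped with a plain `memset()` immediately before `free()` in the `if (enc->iv)` block, and a compiler is free to drop a store into memory that is about to be freed, so the IV bytes can survive in the heap; OpenSSH already ships `explicit_bzero()` for this purpose, so use `explicit_bzero(enc->iv, enc->iv_len);` here and the same call for the `memset(&newkeys->comp, 0, sizeof(newkeys->comp));` line at the end of the hunk. The outer +/- markers are not rendered, so I am reading the `enc->iv_len` line as the new side replacing `enc->block_size`; that is the field the IV length is defined by, but the allocation that sizes `enc->iv` is not visible in this hunk, so I cannot confirm from here that the old length was wrong rather than merely oversized. The enclosing function starts and ends outside the hunk.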
@ -1072,10 +1072,10 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
|
||||
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
|
||||
+}
|
||||
+
|
||||
diff -up openssh-7.0p1/kex.h.audit openssh-7.0p1/kex.h
|
||||
--- openssh-7.0p1/kex.h.audit 2015-08-12 11:33:00.352914379 +0200
|
||||
+++ openssh-7.0p1/kex.h 2015-08-12 11:33:00.413914284 +0200
|
||||
@@ -202,6 +202,8 @@ int kexgss_client(struct ssh *);
|
||||
diff -up openssh-7.2p1/kex.h.audit openssh-7.2p1/kex.h
|
||||
--- openssh-7.2p1/kex.h.audit 2016-02-12 18:24:34.201825185 +0100
|
||||
+++ openssh-7.2p1/kex.h 2016-02-12 18:24:34.222825177 +0100
|
||||
@@ -206,6 +206,8 @@ int kexgss_client(struct ssh *);
|
||||
int kexgss_server(struct ssh *);
|
||||
#endif
|
||||
|
||||
@ -1084,9 +1084,9 @@ diff -up openssh-7.0p1/kex.h.audit openssh-7.0p1/kex.h
|
||||
int kex_dh_hash(const char *, const char *,
|
||||
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
||||
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
|
||||
diff -up openssh-7.0p1/key.h.audit openssh-7.0p1/key.h
|
||||
--- openssh-7.0p1/key.h.audit 2015-08-12 11:33:00.413914284 +0200
|
||||
+++ openssh-7.0p1/key.h 2015-08-12 11:33:45.908843298 +0200
|
||||
diff -up openssh-7.2p1/key.h.audit openssh-7.2p1/key.h
|
||||
--- openssh-7.2p1/key.h.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/key.h 2016-02-12 18:24:34.222825177 +0100
|
||||
@@ -50,6 +50,7 @@ typedef struct sshkey Key;
|
||||
#define key_ecdsa_bits_to_nid sshkey_ecdsa_bits_to_nid
|
||||
#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
|
||||
@ -1095,9 +1095,9 @@ diff -up openssh-7.0p1/key.h.audit openssh-7.0p1/key.h
|
||||
#define key_type_plain sshkey_type_plain
|
||||
#define key_curve_name_to_nid sshkey_curve_name_to_nid
|
||||
#define key_curve_nid_to_bits sshkey_curve_nid_to_bits
|
||||
diff -up openssh-7.0p1/mac.c.audit openssh-7.0p1/mac.c
|
||||
--- openssh-7.0p1/mac.c.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/mac.c 2015-08-12 11:33:00.413914284 +0200
|
||||
diff -up openssh-7.2p1/mac.c.audit openssh-7.2p1/mac.c
|
||||
--- openssh-7.2p1/mac.c.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/mac.c 2016-02-12 18:24:34.222825177 +0100
|
||||
@@ -226,6 +226,20 @@ mac_clear(struct sshmac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
@ -1119,9 +1119,9 @@ diff -up openssh-7.0p1/mac.c.audit openssh-7.0p1/mac.c
|
||||
/* XXX copied from ciphers_valid */
|
||||
#define MAC_SEP ","
|
||||
int
|
||||
diff -up openssh-7.0p1/mac.h.audit openssh-7.0p1/mac.h
|
||||
--- openssh-7.0p1/mac.h.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/mac.h 2015-08-12 11:33:00.413914284 +0200
|
||||
diff -up openssh-7.2p1/mac.h.audit openssh-7.2p1/mac.h
|
||||
--- openssh-7.2p1/mac.h.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/mac.h 2016-02-12 18:24:34.222825177 +0100
|
||||
@@ -47,5 +47,6 @@ int mac_init(struct sshmac *);
|
||||
int mac_compute(struct sshmac *, u_int32_t, const u_char *, int,
|
||||
u_char *, size_t);
|
||||
@ -1129,30 +1129,30 @@ diff -up openssh-7.0p1/mac.h.audit openssh-7.0p1/mac.h
|
||||
+void mac_destroy(struct sshmac *);
|
||||
|
||||
#endif /* SSHMAC_H */
|
||||
diff -up openssh-7.0p1/Makefile.in.audit openssh-7.0p1/Makefile.in
|
||||
--- openssh-7.0p1/Makefile.in.audit 2015-08-12 11:33:00.402914301 +0200
|
||||
+++ openssh-7.0p1/Makefile.in 2015-08-12 11:33:00.414914283 +0200
|
||||
@@ -98,7 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
|
||||
diff -up openssh-7.2p1/Makefile.in.audit openssh-7.2p1/Makefile.in
|
||||
--- openssh-7.2p1/Makefile.in.audit 2016-02-12 18:24:34.222825177 +0100
|
||||
+++ openssh-7.2p1/Makefile.in 2016-02-12 18:33:38.858629492 +0100
|
||||
@@ -99,7 +99,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
|
||||
- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o
|
||||
+ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auditstub.o
|
||||
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
|
||||
- platform-pledge.o
|
||||
+ platform-pledge.o auditstub.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||
diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
--- openssh-7.0p1/monitor.c.audit 2015-08-12 11:33:00.378914339 +0200
|
||||
+++ openssh-7.0p1/monitor.c 2015-08-12 11:33:00.414914283 +0200
|
||||
@@ -102,6 +102,7 @@
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o
|
||||
diff -up openssh-7.2p1/monitor.c.audit openssh-7.2p1/monitor.c
|
||||
--- openssh-7.2p1/monitor.c.audit 2016-02-12 18:24:34.176825195 +0100
|
||||
+++ openssh-7.2p1/monitor.c 2016-02-12 18:34:05.184629882 +0100
|
||||
@@ -101,6 +101,7 @@
|
||||
#include "compat.h"
|
||||
#include "ssh2.h"
|
||||
#include "roaming.h"
|
||||
#include "authfd.h"
|
||||
+#include "audit.h"
|
||||
#include "match.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
@@ -117,6 +118,8 @@ extern Buffer auth_debug;
|
||||
@@ -116,6 +117,8 @@ extern Buffer auth_debug;
|
||||
extern int auth_debug_init;
|
||||
extern Buffer loginmsg;
|
||||
|
||||
@ -1161,7 +1161,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
/* State exported from the child */
|
||||
static struct sshbuf *child_state;
|
||||
|
||||
@@ -167,6 +170,11 @@ int mm_answer_gss_updatecreds(int, Buffe
|
||||
@@ -166,6 +169,11 @@ int mm_answer_gss_updatecreds(int, Buffe
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
int mm_answer_audit_event(int, Buffer *);
|
||||
int mm_answer_audit_command(int, Buffer *);
|
||||
@ -1173,7 +1173,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
#endif
|
||||
|
||||
static int monitor_read_log(struct monitor *);
|
||||
@@ -226,6 +234,10 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -225,6 +233,10 @@ struct mon_table mon_dispatch_proto20[]
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
@ -1184,7 +1184,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -264,6 +276,11 @@ struct mon_table mon_dispatch_postauth20
|
||||
@@ -263,6 +275,11 @@ struct mon_table mon_dispatch_postauth20
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
|
||||
@ -1196,7 +1196,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -296,6 +313,10 @@ struct mon_table mon_dispatch_proto15[]
|
||||
@@ -295,6 +312,10 @@ struct mon_table mon_dispatch_proto15[]
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
@ -1207,7 +1207,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
#endif
|
||||
#endif /* WITH_SSH1 */
|
||||
{0, 0, NULL}
|
||||
@@ -309,6 +330,11 @@ struct mon_table mon_dispatch_postauth15
|
||||
@@ -308,6 +329,11 @@ struct mon_table mon_dispatch_postauth15
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
|
||||
@ -1219,7 +1219,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
#endif
|
||||
#endif /* WITH_SSH1 */
|
||||
{0, 0, NULL}
|
||||
@@ -1467,9 +1493,11 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
@@ -1464,9 +1490,11 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
Key *key;
|
||||
u_char *signature, *data, *blob;
|
||||
u_int signaturelen, datalen, bloblen;
|
||||
@ -1231,7 +1231,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
blob = buffer_get_string(m, &bloblen);
|
||||
signature = buffer_get_string(m, &signaturelen);
|
||||
data = buffer_get_string(m, &datalen);
|
||||
@@ -1477,6 +1505,8 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
@@ -1474,6 +1502,8 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||
!monitor_allowed_key(blob, bloblen))
|
||||
fatal("%s: bad key, not previously allowed", __func__);
|
||||
@ -1240,7 +1240,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
|
||||
key = key_from_blob(blob, bloblen);
|
||||
if (key == NULL)
|
||||
@@ -1497,7 +1527,17 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
@@ -1494,7 +1524,17 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
if (!valid_data)
|
||||
fatal("%s: bad signature data blob", __func__);
|
||||
|
||||
@ -1259,7 +1259,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
debug3("%s: key %p signature %s",
|
||||
__func__, key, (verified == 1) ? "verified" : "unverified");
|
||||
|
||||
@@ -1558,6 +1598,12 @@ mm_session_close(Session *s)
|
||||
@@ -1555,6 +1595,12 @@ mm_session_close(Session *s)
|
||||
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
|
||||
session_pty_cleanup2(s);
|
||||
}
|
||||
@ -1272,7 +1272,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
session_unused(s->self);
|
||||
}
|
||||
|
||||
@@ -1840,6 +1886,8 @@ mm_answer_term(int sock, Buffer *req)
|
||||
@@ -1837,6 +1883,8 @@ mm_answer_term(int sock, Buffer *req)
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
@ -1281,7 +1281,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
@@ -1882,11 +1930,43 @@ mm_answer_audit_command(int socket, Buff
|
||||
@@ -1879,11 +1927,43 @@ mm_answer_audit_command(int socket, Buff
|
||||
{
|
||||
u_int len;
|
||||
char *cmd;
|
||||
@ -1326,7 +1326,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
free(cmd);
|
||||
return (0);
|
||||
}
|
||||
@@ -1943,6 +2023,7 @@ monitor_apply_keystate(struct monitor *p
|
||||
@@ -1940,6 +2020,7 @@ monitor_apply_keystate(struct monitor *p
|
||||
void
|
||||
mm_get_keystate(struct monitor *pmonitor)
|
||||
{
|
||||
@ -1334,7 +1334,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
debug3("%s: Waiting for new keys", __func__);
|
||||
|
||||
if ((child_state = sshbuf_new()) == NULL)
|
||||
@@ -1950,6 +2031,21 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
@@ -1947,6 +2028,21 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
||||
child_state);
|
||||
debug3("%s: GOT new keys", __func__);
|
||||
@ -1356,7 +1356,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
}
|
||||
|
||||
|
||||
@@ -2216,3 +2312,86 @@ mm_answer_gss_updatecreds(int socket, Bu
|
||||
@@ -2213,3 +2309,86 @@ mm_answer_gss_updatecreds(int socket, Bu
|
||||
|
||||
#endif /* GSSAPI */
|
||||
|
||||
@ -1443,9 +1443,9 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
|
||||
+ return 0;
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-7.0p1/monitor.h.audit openssh-7.0p1/monitor.h
|
||||
--- openssh-7.0p1/monitor.h.audit 2015-08-12 11:33:00.378914339 +0200
|
||||
+++ openssh-7.0p1/monitor.h 2015-08-12 11:33:00.414914283 +0200
|
||||
diff -up openssh-7.2p1/monitor.h.audit openssh-7.2p1/monitor.h
|
||||
--- openssh-7.2p1/monitor.h.audit 2016-02-12 18:24:34.177825194 +0100
|
||||
+++ openssh-7.2p1/monitor.h 2016-02-12 18:24:34.224825176 +0100
|
||||
@@ -69,7 +69,13 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
|
||||
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
|
||||
@ -1461,9 +1461,9 @@ diff -up openssh-7.0p1/monitor.h.audit openssh-7.0p1/monitor.h
|
||||
|
||||
};
|
||||
|
||||
diff -up openssh-7.0p1/monitor_wrap.c.audit openssh-7.0p1/monitor_wrap.c
|
||||
--- openssh-7.0p1/monitor_wrap.c.audit 2015-08-12 11:33:00.353914378 +0200
|
||||
+++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:33:00.414914283 +0200
|
||||
diff -up openssh-7.2p1/monitor_wrap.c.audit openssh-7.2p1/monitor_wrap.c
|
||||
--- openssh-7.2p1/monitor_wrap.c.audit 2016-02-12 18:24:34.151825204 +0100
|
||||
+++ openssh-7.2p1/monitor_wrap.c 2016-02-12 18:24:34.224825176 +0100
|
||||
@@ -462,7 +462,7 @@ mm_key_allowed(enum mm_keytype type, cha
|
||||
*/
|
||||
|
||||
@ -1611,9 +1611,9 @@ diff -up openssh-7.0p1/monitor_wrap.c.audit openssh-7.0p1/monitor_wrap.c
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-7.0p1/monitor_wrap.h.audit openssh-7.0p1/monitor_wrap.h
|
||||
--- openssh-7.0p1/monitor_wrap.h.audit 2015-08-12 11:33:00.353914378 +0200
|
||||
+++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:33:00.415914281 +0200
|
||||
diff -up openssh-7.2p1/monitor_wrap.h.audit openssh-7.2p1/monitor_wrap.h
|
||||
--- openssh-7.2p1/monitor_wrap.h.audit 2016-02-12 18:24:34.152825204 +0100
|
||||
+++ openssh-7.2p1/monitor_wrap.h 2016-02-12 18:24:34.224825176 +0100
|
||||
@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char
|
||||
int mm_user_key_allowed(struct passwd *, Key *, int);
|
||||
int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
|
||||
@ -1638,9 +1638,9 @@ diff -up openssh-7.0p1/monitor_wrap.h.audit openssh-7.0p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
|
||||
--- openssh-7.0p1/packet.c.audit 2015-08-12 11:33:00.288914479 +0200
|
||||
+++ openssh-7.0p1/packet.c 2015-08-12 11:33:00.415914281 +0200
|
||||
diff -up openssh-7.2p1/packet.c.audit openssh-7.2p1/packet.c
|
||||
--- openssh-7.2p1/packet.c.audit 2016-02-12 18:24:34.095825226 +0100
|
||||
+++ openssh-7.2p1/packet.c 2016-02-12 18:43:47.268638489 +0100
|
||||
@@ -67,6 +67,7 @@
|
||||
#include "key.h" /* typedefs XXX */
|
||||
|
||||
@ -1649,7 +1649,7 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
|
||||
#include "crc32.h"
|
||||
#include "deattack.h"
|
||||
#include "compat.h"
|
||||
@@ -449,6 +450,13 @@ ssh_packet_get_connection_out(struct ssh
|
||||
@@ -456,6 +457,13 @@ ssh_packet_get_connection_out(struct ssh
|
||||
return ssh->state->connection_out;
|
||||
}
|
||||
|
||||
@ -1663,7 +1663,7 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
|
||||
/*
|
||||
* Returns the IP-address of the remote host as a string. The returned
|
||||
* string must not be freed.
|
||||
@@ -479,13 +487,6 @@ ssh_packet_close(struct ssh *ssh)
|
||||
@@ -500,13 +508,6 @@ ssh_packet_close(struct ssh *ssh)
|
||||
if (!state->initialized)
|
||||
return;
|
||||
state->initialized = 0;
|
||||
@ -1677,7 +1677,7 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
|
||||
sshbuf_free(state->input);
|
||||
sshbuf_free(state->output);
|
||||
sshbuf_free(state->outgoing_packet);
|
||||
@@ -517,14 +518,24 @@ ssh_packet_close(struct ssh *ssh)
|
||||
@@ -538,12 +539,22 @@ ssh_packet_close(struct ssh *ssh)
|
||||
inflateEnd(stream);
|
||||
}
|
||||
}
|
||||
@ -1692,10 +1692,8 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
|
||||
+ error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r));
|
||||
+ audit_session_key_free(2);
|
||||
+ }
|
||||
if (ssh->remote_ipaddr) {
|
||||
free(ssh->remote_ipaddr);
|
||||
ssh->remote_ipaddr = NULL;
|
||||
}
|
||||
free(ssh->remote_ipaddr);
|
||||
ssh->remote_ipaddr = NULL;
|
||||
+ if (state->connection_in == state->connection_out) {
|
||||
+ shutdown(state->connection_out, SHUT_RDWR);
|
||||
+ close(state->connection_out);
|
||||
@ -1706,15 +1704,15 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
|
||||
free(ssh->state);
|
||||
ssh->state = NULL;
|
||||
}
|
||||
@@ -944,6 +955,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
|
||||
}
|
||||
if (state->newkeys[mode] != NULL) {
|
||||
debug("set_newkeys: rekeying");
|
||||
@@ -968,6 +979,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
|
||||
(unsigned long long)state->p_read.blocks,
|
||||
(unsigned long long)state->p_send.bytes,
|
||||
(unsigned long long)state->p_send.blocks);
|
||||
+ audit_session_key_free(mode);
|
||||
if ((r = cipher_cleanup(cc)) != 0)
|
||||
return r;
|
||||
enc = &state->newkeys[mode]->enc;
|
||||
@@ -2292,6 +2304,75 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
@@ -2408,6 +2420,75 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
return (void *)ssh->state->output;
|
||||
}
|
||||
|
||||
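Review bot: In ssh_set_newkeys the added `audit_session_key_free(mode);` runs before `cipher_cleanup(cc)`, so when cleanup fails and the function returns `r` the audit trail has already recorded the old session key as destroyed while the cipher context still holds it; move the call after the check, i.e. `if ((r = cipher_cleanup(cc)) != 0) return r;` followed by `audit_session_key_free(mode);`. The ssh_packet_close hunk just above appears to do the same (its `error("%s: cipher_cleanup failed ...")` is followed directly by `audit_session_key_free(2);`), though its enclosing condition is cut off here; if auditing regardless of the cleanup result is deliberate there, a one-line comment saying so would stop the next reader from "fixing" it. ssh_set_newkeys starts and ends outside this hunk.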
@ -1787,55 +1785,13 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/* XXX TODO update roaming to new API (does not work anyway) */
|
||||
/*
|
||||
* Save the state for the real connection, and use a separate state when
|
||||
@@ -2301,18 +2382,12 @@ void
|
||||
ssh_packet_backup_state(struct ssh *ssh,
|
||||
struct ssh *backup_state)
|
||||
{
|
||||
- struct ssh *tmp;
|
||||
-
|
||||
close(ssh->state->connection_in);
|
||||
ssh->state->connection_in = -1;
|
||||
close(ssh->state->connection_out);
|
||||
ssh->state->connection_out = -1;
|
||||
- if (backup_state)
|
||||
- tmp = backup_state;
|
||||
- else
|
||||
- tmp = ssh_alloc_session_state();
|
||||
backup_state = ssh;
|
||||
- ssh = tmp;
|
||||
+ ssh = ssh_alloc_session_state();
|
||||
}
|
||||
|
||||
/* XXX FIXME FIXME FIXME */
|
||||
@@ -2331,9 +2406,7 @@ ssh_packet_restore_state(struct ssh *ssh
|
||||
backup_state = ssh;
|
||||
ssh = tmp;
|
||||
ssh->state->connection_in = backup_state->state->connection_in;
|
||||
- backup_state->state->connection_in = -1;
|
||||
ssh->state->connection_out = backup_state->state->connection_out;
|
||||
- backup_state->state->connection_out = -1;
|
||||
len = sshbuf_len(backup_state->state->input);
|
||||
if (len > 0) {
|
||||
if ((r = sshbuf_putb(ssh->state->input,
|
||||
@@ -2342,6 +2415,11 @@ ssh_packet_restore_state(struct ssh *ssh
|
||||
sshbuf_reset(backup_state->state->input);
|
||||
add_recv_bytes(len);
|
||||
}
|
||||
+ backup_state->state->connection_in = -1;
|
||||
+ backup_state->state->connection_out = -1;
|
||||
+ packet_destroy_state(backup_state->state);
|
||||
+ free(backup_state);
|
||||
+ backup_state = NULL;
|
||||
}
|
||||
|
||||
/* Reset after_authentication and reset compression in post-auth privsep */
|
||||
diff -up openssh-7.0p1/packet.h.audit openssh-7.0p1/packet.h
|
||||
--- openssh-7.0p1/packet.h.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/packet.h 2015-08-12 11:33:00.415914281 +0200
|
||||
@@ -189,7 +189,7 @@ int sshpkt_get_end(struct ssh *ssh);
|
||||
static int
|
||||
ssh_packet_set_postauth(struct ssh *ssh)
|
||||
diff -up openssh-7.2p1/packet.h.audit openssh-7.2p1/packet.h
|
||||
--- openssh-7.2p1/packet.h.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/packet.h 2016-02-12 18:24:34.226825175 +0100
|
||||
@@ -186,7 +186,7 @@ int sshpkt_get_end(struct ssh *ssh);
|
||||
const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
|
||||
|
||||
/* OLD API */
|
||||
@ -1844,16 +1800,16 @@ diff -up openssh-7.0p1/packet.h.audit openssh-7.0p1/packet.h
|
||||
#include "opacket.h"
|
||||
|
||||
#if !defined(WITH_OPENSSL)
|
||||
@@ -203,4 +203,5 @@ extern struct ssh *active_state;
|
||||
@@ -200,4 +200,5 @@ extern struct ssh *active_state;
|
||||
# undef EC_POINT
|
||||
#endif
|
||||
|
||||
+void packet_destroy_all(int, int);
|
||||
#endif /* PACKET_H */
|
||||
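Review bot: The new prototype `void packet_destroy_all(int, int);` declares two same-typed flags without names, so a caller reading packet.h cannot tell which argument is which or in what order they go; name them in the prototype and add a one-line comment above it stating what each flag selects. The definition is not in this hunk, so I cannot propose the names from here. Other prototypes in this header, e.g. `const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);`, already name the parameter whose meaning is not obvious from its type.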
diff -up openssh-7.0p1/sandbox-seccomp-filter.c.audit openssh-7.0p1/sandbox-seccomp-filter.c
|
||||
--- openssh-7.0p1/sandbox-seccomp-filter.c.audit 2015-08-12 11:33:00.394914314 +0200
|
||||
+++ openssh-7.0p1/sandbox-seccomp-filter.c 2015-08-12 11:33:00.415914281 +0200
|
||||
@@ -150,6 +150,12 @@ static const struct sock_filter preauth_
|
||||
diff -up openssh-7.2p1/sandbox-seccomp-filter.c.audit openssh-7.2p1/sandbox-seccomp-filter.c
|
||||
--- openssh-7.2p1/sandbox-seccomp-filter.c.audit 2016-02-12 18:24:34.193825188 +0100
|
||||
+++ openssh-7.2p1/sandbox-seccomp-filter.c 2016-02-12 18:24:34.226825175 +0100
|
||||
@@ -153,6 +153,12 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_gettimeofday
|
||||
SC_ALLOW(gettimeofday),
|
||||
#endif
|
||||
@ -1866,9 +1822,9 @@ diff -up openssh-7.0p1/sandbox-seccomp-filter.c.audit openssh-7.0p1/sandbox-secc
|
||||
#ifdef __NR_madvise
|
||||
SC_ALLOW(madvise),
|
||||
#endif
|
||||
diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
|
||||
--- openssh-7.0p1/session.c.audit 2015-08-12 11:33:00.379914337 +0200
|
||||
+++ openssh-7.0p1/session.c 2015-08-12 11:33:00.416914280 +0200
|
||||
diff -up openssh-7.2p1/session.c.audit openssh-7.2p1/session.c
|
||||
--- openssh-7.2p1/session.c.audit 2016-02-12 18:24:34.177825194 +0100
|
||||
+++ openssh-7.2p1/session.c 2016-02-12 18:24:34.226825175 +0100
|
||||
@@ -139,7 +139,7 @@ extern int log_stderr;
|
||||
extern int debug_flag;
|
||||
extern u_int utmp_len;
|
||||
@ -1894,7 +1850,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
|
||||
s->ptymaster = ptymaster;
|
||||
packet_set_interactive(1,
|
||||
@@ -853,15 +861,19 @@ do_exec(Session *s, const char *command)
|
||||
get_remote_port());
|
||||
s->self);
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
+ if (s->command != NULL || s->command_handle != -1)
|
||||
@ -1915,7 +1871,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(s, command);
|
||||
@@ -1704,7 +1716,10 @@ do_child(Session *s, const char *command
|
||||
@@ -1695,7 +1707,10 @@ do_child(Session *s, const char *command
|
||||
int r = 0;
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
@ -1927,7 +1883,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
@@ -1934,6 +1949,7 @@ session_unused(int id)
|
||||
@@ -1925,6 +1940,7 @@ session_unused(int id)
|
||||
sessions[id].ttyfd = -1;
|
||||
sessions[id].ptymaster = -1;
|
||||
sessions[id].x11_chanids = NULL;
|
||||
@ -1935,7 +1891,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
|
||||
sessions[id].next_unused = sessions_first_unused;
|
||||
sessions_first_unused = id;
|
||||
}
|
||||
@@ -2016,6 +2032,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
@@ -2007,6 +2023,19 @@ session_open(Authctxt *authctxt, int cha
|
||||
}
|
||||
|
||||
Session *
|
||||
@ -1955,7 +1911,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
|
||||
session_by_tty(char *tty)
|
||||
{
|
||||
int i;
|
||||
@@ -2532,6 +2561,32 @@ session_exit_message(Session *s, int sta
|
||||
@@ -2523,6 +2552,32 @@ session_exit_message(Session *s, int sta
|
||||
chan_write_failed(c);
|
||||
}
|
||||
|
||||
@ -1988,8 +1944,8 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
|
||||
void
|
||||
session_close(Session *s)
|
||||
{
|
||||
@@ -2540,6 +2595,10 @@ session_close(Session *s)
|
||||
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
|
||||
@@ -2531,6 +2586,10 @@ session_close(Session *s)
|
||||
|
||||
if (s->ttyfd != -1)
|
||||
session_pty_cleanup(s);
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
@ -1999,7 +1955,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
|
||||
free(s->term);
|
||||
free(s->display);
|
||||
free(s->x11_chanids);
|
||||
@@ -2754,6 +2813,15 @@ do_authenticated2(Authctxt *authctxt)
|
||||
@@ -2745,6 +2804,15 @@ do_authenticated2(Authctxt *authctxt)
|
||||
server_loop2(authctxt);
|
||||
}
|
||||
|
||||
@ -2015,16 +1971,16 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
|
||||
void
|
||||
do_cleanup(Authctxt *authctxt)
|
||||
{
|
||||
@@ -2802,5 +2870,5 @@ do_cleanup(Authctxt *authctxt)
|
||||
@@ -2793,5 +2861,5 @@ do_cleanup(Authctxt *authctxt)
|
||||
* or if running in monitor.
|
||||
*/
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
- session_destroy_all(session_pty_cleanup2);
|
||||
+ session_destroy_all(do_cleanup_one_session);
|
||||
}
|
||||
diff -up openssh-7.0p1/session.h.audit openssh-7.0p1/session.h
|
||||
--- openssh-7.0p1/session.h.audit 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/session.h 2015-08-12 11:33:00.416914280 +0200
|
||||
diff -up openssh-7.2p1/session.h.audit openssh-7.2p1/session.h
|
||||
--- openssh-7.2p1/session.h.audit 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/session.h 2016-02-12 18:24:34.226825175 +0100
|
||||
@@ -61,6 +61,12 @@ struct Session {
|
||||
char *name;
|
||||
char *val;
|
||||
@ -2049,18 +2005,18 @@ diff -up openssh-7.0p1/session.h.audit openssh-7.0p1/session.h
|
||||
Session *session_by_tty(char *);
|
||||
void session_close(Session *);
|
||||
void do_setusercontext(struct passwd *);
|
||||
diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
|
||||
--- openssh-7.0p1/sshd.c.audit 2015-08-12 11:33:00.388914323 +0200
|
||||
+++ openssh-7.0p1/sshd.c 2015-08-12 11:33:00.417914278 +0200
|
||||
@@ -122,6 +122,7 @@
|
||||
diff -up openssh-7.2p1/sshd.c.audit openssh-7.2p1/sshd.c
|
||||
--- openssh-7.2p1/sshd.c.audit 2016-02-12 18:24:34.189825190 +0100
|
||||
+++ openssh-7.2p1/sshd.c 2016-02-12 18:44:44.650639338 +0100
|
||||
@@ -121,6 +121,7 @@
|
||||
#include "ssh-gss.h"
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
#include "roaming.h"
|
||||
+#include "audit.h"
|
||||
#include "ssh-sandbox.h"
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
@@ -261,7 +262,7 @@ Buffer loginmsg;
|
||||
@@ -260,7 +261,7 @@ Buffer loginmsg;
|
||||
struct passwd *privsep_pw = NULL;
|
||||
|
||||
/* Prototypes for various functions defined later in this file. */
|
||||
@ -2069,7 +2025,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
|
||||
void demote_sensitive_data(void);
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
@@ -282,6 +283,15 @@ close_listen_socks(void)
|
||||
@@ -281,6 +282,15 @@ close_listen_socks(void)
|
||||
num_listen_socks = -1;
|
||||
}
|
||||
|
||||
@ -2085,7 +2041,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
|
||||
static void
|
||||
close_startup_pipes(void)
|
||||
{
|
||||
@@ -561,22 +571,45 @@ sshd_exchange_identification(int sock_in
|
||||
@@ -560,22 +570,45 @@ sshd_exchange_identification(int sock_in
|
||||
}
|
||||
}
|
||||
|
||||
@ -2134,7 +2090,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
key_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL;
}
@@ -590,6 +623,8 @@ void
@@ -589,6 +622,8 @@ void
demote_sensitive_data(void)
{
Key *tmp;
@ -2143,7 +2099,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
int i;
if (sensitive_data.server_key) {
@@ -598,13 +633,25 @@ demote_sensitive_data(void)
@@ -597,13 +632,25 @@ demote_sensitive_data(void)
sensitive_data.server_key = tmp;
}
@ -2169,7 +2125,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
}
/* Certs do not need demotion */
}
@@ -676,7 +723,7 @@ privsep_preauth(Authctxt *authctxt)
@@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt)
if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init(pmonitor);
@ -2191,7 +2147,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
monitor_child_postauth(pmonitor);
/* NEVERREACHED */
@@ -1292,6 +1345,7 @@ server_accept_loop(int *sock_in, int *so
@@ -1293,6 +1346,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",
(int) received_sigterm);
@ -2199,7 +2155,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
close_listen_socks();
if (options.pid_file != NULL)
unlink(options.pid_file);
@@ -2255,6 +2309,7 @@ main(int ac, char **av)
@@ -2256,6 +2310,7 @@ main(int ac, char **av)
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
@ -2207,7 +2163,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
exit(0);
}
@@ -2300,7 +2355,7 @@ main(int ac, char **av)
@@ -2301,7 +2356,7 @@ main(int ac, char **av)
privsep_postauth(authctxt);
/* the monitor process [priv] will not return */
if (!compat20)
@ -2216,7 +2172,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
}
packet_set_timeout(options.client_alive_interval,
@@ -2314,6 +2369,9 @@ main(int ac, char **av)
@@ -2315,6 +2370,9 @@ main(int ac, char **av)
do_authenticated(authctxt);
/* The connection has been terminated. */
@ -2226,7 +2182,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
packet_get_bytes(&ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2474,6 +2532,10 @@ do_ssh1_kex(void)
@@ -2475,6 +2533,10 @@ do_ssh1_kex(void)
if (cookie[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match.");
@ -2237,7 +2193,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
debug("Encryption type: %.200s", cipher_name(cipher_type));
/* Get the encrypted integer. */
@@ -2533,7 +2595,7 @@ do_ssh1_kex(void)
@@ -2534,7 +2596,7 @@ do_ssh1_kex(void)
}
/* Destroy the private and public keys. No longer. */
@ -2246,7 +2202,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
if (use_privsep)
mm_ssh1_session_id(session_id);
@@ -2705,6 +2767,16 @@ do_ssh2_kex(void)
@@ -2708,6 +2770,16 @@ do_ssh2_kex(void)
void
cleanup_exit(int i)
{
@ -2263,7 +2219,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
if (the_authctxt) {
do_cleanup(the_authctxt);
if (use_privsep && privsep_is_preauth &&
@@ -2716,9 +2788,14 @@ cleanup_exit(int i)
@@ -2719,9 +2791,14 @@ cleanup_exit(int i)
pmonitor->m_pid, strerror(errno));
}
}
@ -2279,10 +2235,10 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
audit_event(SSH_CONNECTION_ABANDON);
#endif
_exit(i);
diff -up openssh-7.0p1/sshkey.c.audit openssh-7.0p1/sshkey.c
--- openssh-7.0p1/sshkey.c.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/sshkey.c 2015-08-12 11:33:00.417914278 +0200
@@ -299,6 +299,33 @@ sshkey_type_is_valid_ca(int type)
diff -up openssh-7.2p1/sshkey.c.audit openssh-7.2p1/sshkey.c
--- openssh-7.2p1/sshkey.c.audit 2016-02-12 18:24:34.157825202 +0100
+++ openssh-7.2p1/sshkey.c 2016-02-12 18:24:34.228825175 +0100
@@ -303,6 +303,33 @@ sshkey_type_is_valid_ca(int type)
}
int
@ -2316,10 +2272,10 @@ diff -up openssh-7.0p1/sshkey.c.audit openssh-7.0p1/sshkey.c
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
diff -up openssh-7.0p1/sshkey.h.audit openssh-7.0p1/sshkey.h
--- openssh-7.0p1/sshkey.h.audit 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/sshkey.h 2015-08-12 11:33:00.417914278 +0200
@@ -132,6 +132,7 @@ u_int sshkey_size(const struct sshkey
diff -up openssh-7.2p1/sshkey.h.audit openssh-7.2p1/sshkey.h
--- openssh-7.2p1/sshkey.h.audit 2016-02-12 18:24:34.157825202 +0100
+++ openssh-7.2p1/sshkey.h 2016-02-12 18:24:34.228825175 +0100
@@ -133,6 +133,7 @@ u_int sshkey_size(const struct sshkey
int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
int sshkey_from_private(const struct sshkey *, struct sshkey **);
int sshkey_type_from_name(const char *);
@ -1,6 +1,6 @@
diff -up openssh-7.0p1/auth2.c.gsskex openssh-7.0p1/auth2.c
--- openssh-7.0p1/auth2.c.gsskex 2015-08-12 11:15:43.625548999 +0200
+++ openssh-7.0p1/auth2.c 2015-08-12 11:15:43.692548892 +0200
diff -up openssh-7.2p1/auth2.c.gsskex openssh-7.2p1/auth2.c
--- openssh-7.2p1/auth2.c.gsskex 2016-02-19 10:01:04.829969345 +0100
+++ openssh-7.2p1/auth2.c 2016-02-19 10:01:04.865969325 +0100
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@ -17,9 +17,9 @@ diff -up openssh-7.0p1/auth2.c.gsskex openssh-7.0p1/auth2.c
&method_gssapi,
#endif
&method_passwd,
diff -up openssh-7.0p1/auth2-gss.c.gsskex openssh-7.0p1/auth2-gss.c
--- openssh-7.0p1/auth2-gss.c.gsskex 2015-08-12 11:15:43.624549001 +0200
+++ openssh-7.0p1/auth2-gss.c 2015-08-12 11:15:43.692548892 +0200
diff -up openssh-7.2p1/auth2-gss.c.gsskex openssh-7.2p1/auth2-gss.c
--- openssh-7.2p1/auth2-gss.c.gsskex 2016-02-19 10:01:04.829969345 +0100
+++ openssh-7.2p1/auth2-gss.c 2016-02-19 10:01:04.865969325 +0100
@@ -31,6 +31,7 @@
#include <sys/types.h>
@ -102,10 +102,21 @@ diff -up openssh-7.0p1/auth2-gss.c.gsskex openssh-7.0p1/auth2-gss.c
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c
--- openssh-7.0p1/clientloop.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/clientloop.c 2015-08-12 11:15:43.693548890 +0200
@@ -115,6 +115,10 @@
diff -up openssh-7.2p1/auth.c.gsskex openssh-7.2p1/auth.c
--- openssh-7.2p1/auth.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/auth.c 2016-02-19 10:01:04.866969324 +0100
@@ -354,6 +354,7 @@ auth_root_allowed(const char *method)
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
+ strcmp(method, "gssapi-keyex") == 0 ||
strcmp(method, "gssapi-with-mic") == 0)
return 1;
break;
diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
--- openssh-7.2p1/clientloop.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/clientloop.c 2016-02-19 10:01:04.866969324 +0100
@@ -114,6 +114,10 @@
#include "ssherr.h"
#include "hostfile.h"
@ -116,11 +127,14 @@ diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c
/* import options */
extern Options options;
@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_cha
@@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_cha
break;
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
- if (!ssh_packet_is_rekeying(active_state))
+ if (!ssh_packet_is_rekeying(active_state)) {
channel_after_select(readset, writeset);
+
+#ifdef GSSAPI
+ if (options.gss_renewal_rekey &&
+ ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
@ -128,14 +142,15 @@ diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c
+ need_rekeying = 1;
+ }
+#endif
+ }
+
if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying");
active_state->kex->done = 0;
diff -up openssh-7.0p1/configure.ac.gsskex openssh-7.0p1/configure.ac
--- openssh-7.0p1/configure.ac.gsskex 2015-08-12 11:15:43.675548919 +0200
+++ openssh-7.0p1/configure.ac 2015-08-12 11:15:43.694548889 +0200
@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary("
/* Buffer input from the connection. */
client_process_net_input(readset);
diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac
--- openssh-7.2p1/configure.ac.gsskex 2016-02-19 10:01:04.857969329 +0100
+++ openssh-7.2p1/configure.ac 2016-02-19 10:01:04.867969323 +0100
@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
@ -166,9 +181,9 @@ diff -up openssh-7.0p1/configure.ac.gsskex openssh-7.0p1/configure.ac
m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff -up openssh-7.0p1/gss-genr.c.gsskex openssh-7.0p1/gss-genr.c
--- openssh-7.0p1/gss-genr.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/gss-genr.c 2015-08-12 11:15:43.694548889 +0200
diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
--- openssh-7.2p1/gss-genr.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/gss-genr.c 2016-02-19 10:01:04.867969323 +0100
@@ -41,12 +41,167 @@
#include "buffer.h"
#include "log.h"
@ -506,9 +521,9 @@ diff -up openssh-7.0p1/gss-genr.c.gsskex openssh-7.0p1/gss-genr.c
+}
+
#endif /* GSSAPI */
diff -up openssh-7.0p1/gss-serv.c.gsskex openssh-7.0p1/gss-serv.c
--- openssh-7.0p1/gss-serv.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/gss-serv.c 2015-08-12 11:15:43.694548889 +0200
diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
--- openssh-7.2p1/gss-serv.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/gss-serv.c 2016-02-19 10:01:04.867969323 +0100
@@ -45,17 +45,19 @@
#include "session.h"
#include "misc.h"
@ -791,9 +806,9 @@ diff -up openssh-7.0p1/gss-serv.c.gsskex openssh-7.0p1/gss-serv.c
}
#endif
diff -up openssh-7.0p1/gss-serv-krb5.c.gsskex openssh-7.0p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:15:43.694548889 +0200
diff -up openssh-7.2p1/gss-serv-krb5.c.gsskex openssh-7.2p1/gss-serv-krb5.c
--- openssh-7.2p1/gss-serv-krb5.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/gss-serv-krb5.c 2016-02-19 10:01:04.867969323 +0100
@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
krb5_error_code problem;
krb5_principal princ;
@ -921,10 +936,10 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.gsskex openssh-7.0p1/gss-serv-krb5.c
};
#endif /* KRB5 */
diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c
--- openssh-7.0p1/kex.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/kex.c 2015-08-12 11:15:43.695548887 +0200
@@ -55,6 +55,10 @@
diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
--- openssh-7.2p1/kex.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/kex.c 2016-02-19 10:01:04.868969323 +0100
@@ -54,6 +54,10 @@
#include "sshbuf.h"
#include "digest.h"
@ -935,7 +950,7 @@ diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
@@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = {
@@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = {
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
@ -947,7 +962,7 @@ diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c
{ NULL, -1, -1, -1},
};
@@ -128,6 +137,12 @@ kex_alg_by_name(const char *name)
@@ -140,6 +149,12 @@ kex_alg_by_name(const char *name)
for (k = kexalgs; k->name != NULL; k++) {
if (strcmp(k->name, name) == 0)
return k;
@ -960,9 +975,9 @@ diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c
}
return NULL;
}
diff -up openssh-7.0p1/kexgssc.c.gsskex openssh-7.0p1/kexgssc.c
--- openssh-7.0p1/kexgssc.c.gsskex 2015-08-12 11:15:43.695548887 +0200
+++ openssh-7.0p1/kexgssc.c 2015-08-12 11:15:43.695548887 +0200
diff -up openssh-7.2p1/kexgssc.c.gsskex openssh-7.2p1/kexgssc.c
--- openssh-7.2p1/kexgssc.c.gsskex 2016-02-19 10:01:04.868969323 +0100
+++ openssh-7.2p1/kexgssc.c 2016-02-19 10:01:04.868969323 +0100
@@ -0,0 +1,338 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1302,9 +1317,9 @@ diff -up openssh-7.0p1/kexgssc.c.gsskex openssh-7.0p1/kexgssc.c
+}
+
+#endif /* GSSAPI */
diff -up openssh-7.0p1/kexgsss.c.gsskex openssh-7.0p1/kexgsss.c
--- openssh-7.0p1/kexgsss.c.gsskex 2015-08-12 11:15:43.695548887 +0200
+++ openssh-7.0p1/kexgsss.c 2015-08-12 11:15:43.695548887 +0200
diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
--- openssh-7.2p1/kexgsss.c.gsskex 2016-02-19 10:01:04.868969323 +0100
+++ openssh-7.2p1/kexgsss.c 2016-02-19 10:01:04.868969323 +0100
@@ -0,0 +1,295 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1601,10 +1616,10 @@ diff -up openssh-7.0p1/kexgsss.c.gsskex openssh-7.0p1/kexgsss.c
+ return 0;
+}
+#endif /* GSSAPI */
diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h
--- openssh-7.0p1/kex.h.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/kex.h 2015-08-12 11:17:44.694354889 +0200
@@ -93,6 +93,11 @@ enum kex_exchange {
diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
--- openssh-7.2p1/kex.h.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/kex.h 2016-02-19 10:01:04.868969323 +0100
@@ -92,6 +92,11 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
@ -1616,7 +1631,7 @@ diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h
KEX_MAX
};
@@ -139,6 +144,12 @@ struct kex {
@@ -140,6 +145,12 @@ struct kex {
u_int flags;
int hash_alg;
int ec_nid;
@ -1629,7 +1644,7 @@ diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h
char *client_version_string;
char *server_version_string;
char *failed_choice;
@@ -186,6 +197,10 @@ int kexecdh_client(struct ssh *);
@@ -189,6 +200,10 @@ int kexecdh_client(struct ssh *);
int kexecdh_server(struct ssh *);
int kexc25519_client(struct ssh *);
int kexc25519_server(struct ssh *);
@ -1640,9 +1655,9 @@ diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h
int kex_dh_hash(const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
diff -up openssh-7.0p1/Makefile.in.gsskex openssh-7.0p1/Makefile.in
--- openssh-7.0p1/Makefile.in.gsskex 2015-08-12 11:15:43.686548901 +0200
+++ openssh-7.0p1/Makefile.in 2015-08-12 11:15:43.695548887 +0200
diff -up openssh-7.2p1/Makefile.in.gsskex openssh-7.2p1/Makefile.in
--- openssh-7.2p1/Makefile.in.gsskex 2016-02-19 10:01:04.864969325 +0100
+++ openssh-7.2p1/Makefile.in 2016-02-19 10:01:04.868969323 +0100
@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
@ -1659,11 +1674,11 @@ diff -up openssh-7.0p1/Makefile.in.gsskex openssh-7.0p1/Makefile.in
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
--- openssh-7.0p1/monitor.c.gsskex 2015-08-12 11:15:43.626548998 +0200
+++ openssh-7.0p1/monitor.c 2015-08-12 11:15:43.696548885 +0200
@@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
--- openssh-7.2p1/monitor.c.gsskex 2016-02-19 10:01:04.830969345 +0100
+++ openssh-7.2p1/monitor.c 2016-02-19 10:01:04.869969322 +0100
@@ -159,6 +159,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@ -1672,7 +1687,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
#endif
#ifdef SSH_AUDIT_EVENTS
@@ -240,11 +242,18 @@ struct mon_table mon_dispatch_proto20[]
@@ -239,11 +241,18 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@ -1691,7 +1706,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
#ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
@@ -359,6 +368,10 @@ monitor_child_preauth(Authctxt *_authctx
@@ -358,6 +367,10 @@ monitor_child_preauth(Authctxt *_authctx
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@ -1702,7 +1717,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
} else {
mon_dispatch = mon_dispatch_proto15;
@@ -467,6 +480,10 @@ monitor_child_postauth(struct monitor *p
@@ -466,6 +479,10 @@ monitor_child_postauth(struct monitor *p
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@ -1713,7 +1728,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1896,6 +1913,13 @@ monitor_apply_keystate(struct monitor *p
@@ -1893,6 +1910,13 @@ monitor_apply_keystate(struct monitor *p
# endif
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -1727,7 +1742,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index;
@@ -1995,6 +2019,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
@@ -1992,6 +2016,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@ -1737,7 +1752,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
goid.elements = buffer_get_string(m, &len);
goid.length = len;
@@ -2022,6 +2049,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -2019,6 +2046,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@ -1747,7 +1762,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2039,6 +2069,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -2036,6 +2066,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1755,7 +1770,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
}
return (0);
}
@@ -2050,6 +2081,9 @@ mm_answer_gss_checkmic(int sock, Buffer
@@ -2047,6 +2078,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@ -1765,7 +1780,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
@@ -2076,7 +2110,11 @@ mm_answer_gss_userok(int sock, Buffer *m
@@ -2073,7 +2107,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@ -1778,7 +1793,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
buffer_clear(m);
buffer_put_int(m, authenticated);
@@ -2089,5 +2127,73 @@ mm_answer_gss_userok(int sock, Buffer *m
@@ -2086,5 +2124,73 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@ -1852,9 +1867,9 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
+
#endif /* GSSAPI */
diff -up openssh-7.0p1/monitor.h.gsskex openssh-7.0p1/monitor.h
--- openssh-7.0p1/monitor.h.gsskex 2015-08-12 11:15:43.626548998 +0200
+++ openssh-7.0p1/monitor.h 2015-08-12 11:15:43.696548885 +0200
diff -up openssh-7.2p1/monitor.h.gsskex openssh-7.2p1/monitor.h
--- openssh-7.2p1/monitor.h.gsskex 2016-02-19 10:01:04.830969345 +0100
+++ openssh-7.2p1/monitor.h 2016-02-19 10:01:04.869969322 +0100
@@ -60,6 +60,8 @@ enum monitor_reqtype {
#ifdef WITH_SELINUX
MONITOR_REQ_AUTHROLE = 80,
@ -1864,9 +1879,9 @@ diff -up openssh-7.0p1/monitor.h.gsskex openssh-7.0p1/monitor.h
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff -up openssh-7.0p1/monitor_wrap.c.gsskex openssh-7.0p1/monitor_wrap.c
--- openssh-7.0p1/monitor_wrap.c.gsskex 2015-08-12 11:15:43.626548998 +0200
+++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:15:43.697548884 +0200
diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
--- openssh-7.2p1/monitor_wrap.c.gsskex 2016-02-19 10:01:04.830969345 +0100
+++ openssh-7.2p1/monitor_wrap.c 2016-02-19 10:01:04.869969322 +0100
@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
@ -1927,9 +1942,9 @@ diff -up openssh-7.0p1/monitor_wrap.c.gsskex openssh-7.0p1/monitor_wrap.c
+
#endif /* GSSAPI */
diff -up openssh-7.0p1/monitor_wrap.h.gsskex openssh-7.0p1/monitor_wrap.h
--- openssh-7.0p1/monitor_wrap.h.gsskex 2015-08-12 11:15:43.626548998 +0200
+++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:15:43.697548884 +0200
diff -up openssh-7.2p1/monitor_wrap.h.gsskex openssh-7.2p1/monitor_wrap.h
--- openssh-7.2p1/monitor_wrap.h.gsskex 2016-02-19 10:01:04.830969345 +0100
+++ openssh-7.2p1/monitor_wrap.h 2016-02-19 10:01:04.869969322 +0100
@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -1942,10 +1957,10 @@ diff -up openssh-7.0p1/monitor_wrap.h.gsskex openssh-7.0p1/monitor_wrap.h
#endif
#ifdef USE_PAM
diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
--- openssh-7.0p1/readconf.c.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/readconf.c 2015-08-12 11:15:43.697548884 +0200
@@ -147,6 +147,8 @@ typedef enum {
diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
--- openssh-7.2p1/readconf.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/readconf.c 2016-02-19 10:01:04.870969322 +0100
@@ -148,6 +148,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -1954,7 +1969,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -192,10 +194,19 @@ static struct {
@@ -193,10 +195,19 @@ static struct {
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
@ -1974,7 +1989,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -894,10 +905,30 @@ parse_time:
@@ -926,10 +937,30 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@ -2005,7 +2020,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1601,7 +1632,12 @@ initialize_options(Options * options)
@@ -1648,7 +1679,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@ -2018,7 +2033,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1729,8 +1765,14 @@ fill_default_options(Options * options)
@@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -2033,9 +2048,9 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff -up openssh-7.0p1/readconf.h.gsskex openssh-7.0p1/readconf.h
--- openssh-7.0p1/readconf.h.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/readconf.h 2015-08-12 11:15:43.697548884 +0200
diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
--- openssh-7.2p1/readconf.h.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/readconf.h 2016-02-19 10:01:04.870969322 +0100
@@ -45,7 +45,12 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@ -2049,9 +2064,9 @@ diff -up openssh-7.0p1/readconf.h.gsskex openssh-7.0p1/readconf.h
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-7.0p1/regress/cert-hostkey.sh.gsskex openssh-7.0p1/regress/cert-hostkey.sh
--- openssh-7.0p1/regress/cert-hostkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200
+++ openssh-7.0p1/regress/cert-hostkey.sh 2015-08-12 11:16:52.511438554 +0200
diff -up openssh-7.2p1/regress/cert-hostkey.sh.gsskex openssh-7.2p1/regress/cert-hostkey.sh
--- openssh-7.2p1/regress/cert-hostkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/regress/cert-hostkey.sh 2016-02-19 10:01:04.870969322 +0100
@@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert
cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
@ -2061,9 +2076,9 @@ diff -up openssh-7.0p1/regress/cert-hostkey.sh.gsskex openssh-7.0p1/regress/cert
# Prepare certificate, plain key and CA KRLs
${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
diff -up openssh-7.0p1/regress/cert-userkey.sh.gsskex openssh-7.0p1/regress/cert-userkey.sh
--- openssh-7.0p1/regress/cert-userkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200
+++ openssh-7.0p1/regress/cert-userkey.sh 2015-08-12 11:20:30.110089677 +0200
diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert-userkey.sh
--- openssh-7.2p1/regress/cert-userkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/regress/cert-userkey.sh 2016-02-19 10:01:04.870969322 +0100
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
@ -2073,9 +2088,9 @@ diff -up openssh-7.0p1/regress/cert-userkey.sh.gsskex openssh-7.0p1/regress/cert
kname() {
n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
diff -up openssh-7.0p1/regress/kextype.sh.gsskex openssh-7.0p1/regress/kextype.sh
--- openssh-7.0p1/regress/kextype.sh.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/regress/kextype.sh 2015-08-12 11:15:43.698548882 +0200
diff -up openssh-7.2p1/regress/kextype.sh.gsskex openssh-7.2p1/regress/kextype.sh
--- openssh-7.2p1/regress/kextype.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/regress/kextype.sh 2016-02-19 10:01:04.870969322 +0100
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
tries="1 2 3 4"
@ -2086,9 +2101,9 @@ diff -up openssh-7.0p1/regress/kextype.sh.gsskex openssh-7.0p1/regress/kextype.s
verbose "kex $k"
for i in $tries; do
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
diff -up openssh-7.0p1/regress/rekey.sh.gsskex openssh-7.0p1/regress/rekey.sh
--- openssh-7.0p1/regress/rekey.sh.gsskex 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/regress/rekey.sh 2015-08-12 11:15:43.698548882 +0200
diff -up openssh-7.2p1/regress/rekey.sh.gsskex openssh-7.2p1/regress/rekey.sh
--- openssh-7.2p1/regress/rekey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/regress/rekey.sh 2016-02-19 10:01:04.870969322 +0100
@@ -38,6 +38,9 @@ increase_datafile_size 300
|
||||
|
||||
opts=""
|
||||
@ -2109,9 +2124,9 @@ diff -up openssh-7.0p1/regress/rekey.sh.gsskex openssh-7.0p1/regress/rekey.sh
|
||||
verbose "client rekey $c $kex"
|
||||
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
|
||||
done
|
||||
diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
|
||||
--- openssh-7.0p1/servconf.c.gsskex 2015-08-12 11:15:43.676548918 +0200
|
||||
+++ openssh-7.0p1/servconf.c 2015-08-12 11:22:32.686893730 +0200
|
||||
diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
|
||||
--- openssh-7.2p1/servconf.c.gsskex 2016-02-19 10:01:04.857969329 +0100
|
||||
+++ openssh-7.2p1/servconf.c 2016-02-19 10:01:04.870969322 +0100
|
||||
@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
@ -2123,7 +2138,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -276,10 +278,14 @@ fill_default_server_options(ServerOption
|
||||
@@ -288,10 +290,14 @@ fill_default_server_options(ServerOption
|
||||
options->kerberos_get_afs_token = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2138,7 +2153,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -415,7 +421,7 @@ typedef enum {
|
||||
@@ -422,7 +428,7 @@ typedef enum {
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
@ -2147,7 +2162,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sHostCertificate,
|
||||
@@ -489,11 +495,17 @@ static struct {
|
||||
@@ -496,11 +502,17 @@ static struct {
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
@ -2165,7 +2180,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||
@@ -1235,6 +1247,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1246,6 +1258,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2176,7 +2191,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
|
||||
case sGssCleanupCreds:
|
||||
intptr = &options->gss_cleanup_creds;
|
||||
goto parse_flag;
|
||||
@@ -1243,6 +1259,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1254,6 +1270,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_strict_acceptor;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2187,7 +2202,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2255,6 +2275,9 @@ dump_config(ServerOptions *o)
|
||||
@@ -2274,6 +2294,9 @@ dump_config(ServerOptions *o)
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||
@ -2197,9 +2212,9 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
|
||||
#endif
|
||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
diff -up openssh-7.0p1/servconf.h.gsskex openssh-7.0p1/servconf.h
|
||||
--- openssh-7.0p1/servconf.h.gsskex 2015-08-12 11:15:43.676548918 +0200
|
||||
+++ openssh-7.0p1/servconf.h 2015-08-12 11:15:43.700548879 +0200
|
||||
diff -up openssh-7.2p1/servconf.h.gsskex openssh-7.2p1/servconf.h
|
||||
--- openssh-7.2p1/servconf.h.gsskex 2016-02-19 10:01:04.857969329 +0100
|
||||
+++ openssh-7.2p1/servconf.h 2016-02-19 10:01:04.871969321 +0100
|
||||
@@ -118,8 +118,10 @@ typedef struct {
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
@ -2211,19 +2226,18 @@ diff -up openssh-7.0p1/servconf.h.gsskex openssh-7.0p1/servconf.h
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5
|
||||
--- openssh-7.0p1/ssh_config.5.gsskex 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/ssh_config.5 2015-08-12 11:15:43.700548879 +0200
|
||||
@@ -749,11 +749,43 @@ Specifies whether user authentication ba
|
||||
diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
|
||||
--- openssh-7.2p1/ssh_config.5.gsskex 2016-02-19 10:01:04.871969321 +0100
|
||||
+++ openssh-7.2p1/ssh_config.5 2016-02-19 10:05:58.630146245 +0100
|
||||
@@ -824,10 +824,40 @@ The default is
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is
|
||||
.Dq no .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
+.It Cm GSSAPIKeyExchange
|
||||
+Specifies whether key exchange based on GSSAPI may be used. When using
|
||||
+GSSAPI key exchange the server need not have a host key.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
+Note that this option applies to protocol version 2 only.
|
||||
+.It Cm GSSAPIClientIdentity
|
||||
+If set, specifies the GSSAPI client identity that ssh should use when
|
||||
+connecting to the server. The default is unset, which means that the default
|
||||
@ -2237,8 +2251,6 @@ diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5
|
||||
Forward (delegate) credentials to the server.
|
||||
The default is
|
||||
.Dq no .
|
||||
-Note that this option applies to protocol version 2 only.
|
||||
+Note that this option applies to protocol version 2 connections using GSSAPI.
|
||||
+.It Cm GSSAPIRenewalForcesRekey
|
||||
+If set to
|
||||
+.Dq yes
|
||||
@ -2255,13 +2267,12 @@ diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5
|
||||
+command line will be passed untouched to the GSSAPI library.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff -up openssh-7.0p1/ssh_config.gsskex openssh-7.0p1/ssh_config
|
||||
--- openssh-7.0p1/ssh_config.gsskex 2015-08-12 11:15:43.667548932 +0200
|
||||
+++ openssh-7.0p1/ssh_config 2015-08-12 11:15:43.700548879 +0200
|
||||
diff -up openssh-7.2p1/ssh_config.gsskex openssh-7.2p1/ssh_config
|
||||
--- openssh-7.2p1/ssh_config.gsskex 2016-02-19 10:01:04.852969332 +0100
|
||||
+++ openssh-7.2p1/ssh_config 2016-02-19 10:01:04.871969321 +0100
|
||||
@@ -26,6 +26,8 @@
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
@ -2271,10 +2282,10 @@ diff -up openssh-7.0p1/ssh_config.gsskex openssh-7.0p1/ssh_config
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
|
||||
--- openssh-7.0p1/sshconnect2.c.gsskex 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/sshconnect2.c 2015-08-12 11:25:12.486644393 +0200
|
||||
@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
|
||||
--- openssh-7.2p1/sshconnect2.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/sshconnect2.c 2016-02-19 10:01:04.872969321 +0100
|
||||
@@ -161,9 +161,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
struct kex *kex;
|
||||
int r;
|
||||
|
||||
@ -2306,10 +2317,10 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
|
||||
options.kex_algorithms);
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
@@ -193,6 +218,17 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
|
||||
fatal("%s: kex_names_cat", __func__);
|
||||
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
|
||||
@@ -195,6 +220,17 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
order_hostkeyalgs(host, hostaddr, port));
|
||||
}
|
||||
|
||||
@ -2327,7 +2338,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
|
||||
if (options.rekey_limit || options.rekey_interval)
|
||||
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
|
||||
(time_t)options.rekey_interval);
|
||||
@@ -210,11 +246,31 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
@@ -212,11 +248,31 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
|
||||
# endif
|
||||
#endif
|
||||
@ -2358,8 +2369,8 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
|
||||
+
|
||||
dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
|
||||
|
||||
if (options.use_roaming && !kex->roaming) {
|
||||
@@ -306,6 +362,7 @@ int input_gssapi_token(int type, u_int32
|
||||
/* remove ext-info from the KEX proposals for rekeying */
|
||||
@@ -311,6 +367,7 @@ int input_gssapi_token(int type, u_int32
|
||||
int input_gssapi_hash(int type, u_int32_t, void *);
|
||||
int input_gssapi_error(int, u_int32_t, void *);
|
||||
int input_gssapi_errtok(int, u_int32_t, void *);
|
||||
@ -2367,7 +2378,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
|
||||
#endif
|
||||
|
||||
void userauth(Authctxt *, char *);
|
||||
@@ -321,6 +378,11 @@ static char *authmethods_get(void);
|
||||
@@ -326,6 +383,11 @@ static char *authmethods_get(void);
|
||||
|
||||
Authmethod authmethods[] = {
|
||||
#ifdef GSSAPI
|
||||
@ -2379,7 +2390,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
|
||||
{"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
NULL,
|
||||
@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
@@ -656,19 +718,31 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int ok = 0;
|
||||
@ -2413,7 +2424,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
|
||||
ok = 1; /* Mechanism works */
|
||||
} else {
|
||||
mech++;
|
||||
@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_
|
||||
@@ -765,8 +839,8 @@ input_gssapi_response(int type, u_int32_
|
||||
{
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
@ -2424,7 +2435,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
|
||||
|
||||
if (authctxt == NULL)
|
||||
fatal("input_gssapi_response: no authentication context");
|
||||
@@ -850,6 +924,48 @@ input_gssapi_error(int type, u_int32_t p
|
||||
@@ -879,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p
|
||||
free(lang);
|
||||
return 0;
|
||||
}
|
||||
@ -2473,10 +2484,10 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
|
||||
#endif /* GSSAPI */
|
||||
|
||||
int
|
||||
diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
|
||||
--- openssh-7.0p1/sshd.c.gsskex 2015-08-12 11:15:43.679548913 +0200
|
||||
+++ openssh-7.0p1/sshd.c 2015-08-12 11:15:43.702548876 +0200
|
||||
@@ -1043,8 +1043,9 @@ notify_hostkeys(struct ssh *ssh)
|
||||
diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
|
||||
--- openssh-7.2p1/sshd.c.gsskex 2016-02-19 10:01:04.860969328 +0100
|
||||
+++ openssh-7.2p1/sshd.c 2016-02-19 10:01:04.872969321 +0100
|
||||
@@ -974,8 +974,9 @@ notify_hostkeys(struct ssh *ssh)
|
||||
}
|
||||
debug3("%s: sent %d hostkeys", __func__, nkeys);
|
||||
if (nkeys == 0)
|
||||
@ -2488,7 +2499,7 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
|
||||
sshbuf_free(buf);
|
||||
}
|
||||
|
||||
@@ -1843,10 +1843,13 @@ main(int ac, char **av)
|
||||
@@ -1845,10 +1846,13 @@ main(int ac, char **av)
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
}
|
||||
@ -2502,7 +2513,7 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
|
||||
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
|
||||
logit("sshd: no hostkeys available -- exiting.");
|
||||
exit(1);
|
||||
@@ -2582,6 +2585,48 @@ do_ssh2_kex(void)
|
||||
@@ -2586,6 +2590,48 @@ do_ssh2_kex(void)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||
list_hostkey_types());
|
||||
|
||||
@ -2551,7 +2562,7 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
|
||||
/* start key exchange */
|
||||
if ((r = kex_setup(active_state, myproposal)) != 0)
|
||||
fatal("kex_setup: %s", ssh_err(r));
|
||||
@@ -2596,6 +2641,13 @@ do_ssh2_kex(void)
|
||||
@@ -2600,6 +2646,13 @@ do_ssh2_kex(void)
|
||||
# endif
|
||||
#endif
|
||||
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
||||
@ -2565,23 +2576,22 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
|
||||
kex->server = 1;
|
||||
kex->client_version_string=client_version_string;
|
||||
kex->server_version_string=server_version_string;
|
||||
diff -up openssh-7.0p1/sshd_config.5.gsskex openssh-7.0p1/sshd_config.5
|
||||
--- openssh-7.0p1/sshd_config.5.gsskex 2015-08-12 11:15:43.677548916 +0200
|
||||
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:15:43.702548876 +0200
|
||||
@@ -621,6 +621,12 @@ Specifies whether user authentication ba
|
||||
diff -up openssh-7.2p1/sshd_config.5.gsskex openssh-7.2p1/sshd_config.5
|
||||
--- openssh-7.2p1/sshd_config.5.gsskex 2016-02-19 10:01:04.858969329 +0100
|
||||
+++ openssh-7.2p1/sshd_config.5 2016-02-19 10:06:26.651172355 +0100
|
||||
@@ -623,6 +623,11 @@ The default is
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is
|
||||
.Dq no .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
+.It Cm GSSAPIKeyExchange
|
||||
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
|
||||
+doesn't rely on ssh keys to verify host identity.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
+Note that this option applies to protocol version 2 only.
|
||||
.It Cm GSSAPICleanupCredentials
|
||||
Specifies whether to automatically destroy the user's credentials cache
|
||||
on logout.
|
||||
@@ -642,6 +648,11 @@ machine's default store.
|
||||
@@ -643,6 +648,11 @@ machine's default store.
|
||||
This facility is provided to assist with operation on multi homed machines.
|
||||
The default is
|
||||
.Dq yes .
|
||||
@ -2593,9 +2603,9 @@ diff -up openssh-7.0p1/sshd_config.5.gsskex openssh-7.0p1/sshd_config.5
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a comma-separated pattern list.
|
||||
diff -up openssh-7.0p1/sshd_config.gsskex openssh-7.0p1/sshd_config
|
||||
--- openssh-7.0p1/sshd_config.gsskex 2015-08-12 11:15:43.679548913 +0200
|
||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:15:43.702548876 +0200
|
||||
diff -up openssh-7.2p1/sshd_config.gsskex openssh-7.2p1/sshd_config
|
||||
--- openssh-7.2p1/sshd_config.gsskex 2016-02-19 10:01:04.860969328 +0100
|
||||
+++ openssh-7.2p1/sshd_config 2016-02-19 10:01:04.873969320 +0100
|
||||
@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
|
||||
# GSSAPI options
|
||||
GSSAPIAuthentication yes
|
||||
@ -2605,9 +2615,9 @@ diff -up openssh-7.0p1/sshd_config.gsskex openssh-7.0p1/sshd_config
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff -up openssh-7.0p1/ssh-gss.h.gsskex openssh-7.0p1/ssh-gss.h
|
||||
--- openssh-7.0p1/ssh-gss.h.gsskex 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/ssh-gss.h 2015-08-12 11:15:43.702548876 +0200
|
||||
diff -up openssh-7.2p1/ssh-gss.h.gsskex openssh-7.2p1/ssh-gss.h
|
||||
--- openssh-7.2p1/ssh-gss.h.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/ssh-gss.h 2016-02-19 10:01:04.873969320 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
|
||||
/*
|
||||
@ -2707,21 +2717,20 @@ diff -up openssh-7.0p1/ssh-gss.h.gsskex openssh-7.0p1/ssh-gss.h
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#endif /* _SSH_GSS_H */
|
||||
|
||||
diff -up openssh-7.1p1/sshkey.c.gsskex openssh-7.1p1/sshkey.c
|
||||
--- openssh-7.1p1/sshkey.c.gsskex 2015-09-17 15:54:32.135673460 +0200
|
||||
+++ openssh-7.1p1/sshkey.c 2015-09-17 15:55:23.014666159 +0200
|
||||
@@ -112,6 +112,7 @@ static const struct keytype keytypes[] =
|
||||
diff -up openssh-7.2p1/sshkey.c.gsskex openssh-7.2p1/sshkey.c
|
||||
--- openssh-7.2p1/sshkey.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/sshkey.c 2016-02-19 10:01:04.874969320 +0100
|
||||
@@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
|
||||
# endif /* OPENSSL_HAS_NISTP521 */
|
||||
# endif /* OPENSSL_HAS_ECC */
|
||||
#endif /* WITH_OPENSSL */
|
||||
+ { "null", "null", KEY_NULL, 0, 0 },
|
||||
{ NULL, NULL, -1, -1, 0 }
|
||||
+ { "null", "null", KEY_NULL, 0, 0, 1 },
|
||||
{ NULL, NULL, -1, -1, 0, 0 }
|
||||
};
|
||||
|
||||
diff -up openssh-7.1p1/sshkey.h.gsskex openssh-7.1p1/sshkey.h
|
||||
--- openssh-7.1p1/sshkey.h.gsskex 2015-09-17 15:54:32.135673460 +0200
|
||||
+++ openssh-7.1p1/sshkey.h 2015-09-17 15:55:45.885662877 +0200
|
||||
diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
|
||||
--- openssh-7.2p1/sshkey.h.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/sshkey.h 2016-02-19 10:01:04.874969320 +0100
|
||||
@@ -62,6 +62,7 @@ enum sshkey_types {
|
||||
KEY_DSA_CERT,
|
||||
KEY_ECDSA_CERT,
|
||||
@ -2730,15 +2739,3 @@ diff -up openssh-7.1p1/sshkey.h.gsskex openssh-7.1p1/sshkey.h
|
||||
KEY_UNSPEC
|
||||
};
|
||||
|
||||
diff --git a/auth.c b/auth.c
|
||||
index 4d1fbbe..5db39c4 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -354,6 +354,7 @@ auth_root_allowed(const char *method)
|
||||
case PERMIT_NO_PASSWD:
|
||||
if (strcmp(method, "publickey") == 0 ||
|
||||
strcmp(method, "hostbased") == 0 ||
|
||||
+ strcmp(method, "gssapi-keyex") == 0 ||
|
||||
strcmp(method, "gssapi-with-mic") == 0)
|
||||
return 1;
|
||||
break;
|
28
openssh.spec
@ -65,10 +65,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 7.1p2
|
||||
%global openssh_rel 4
|
||||
%global openssh_ver 7.2p1
|
||||
%global openssh_rel 1
|
||||
%global pam_ssh_agent_ver 0.10.2
|
||||
%global pam_ssh_agent_rel 1
|
||||
%global pam_ssh_agent_rel 2
|
||||
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
@ -105,7 +105,7 @@ Patch103: openssh-5.8p1-packet.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
|
||||
# record pfs= field in CRYPTO_SESSION audit event
|
||||
Patch200: openssh-6.7p1-audit.patch
|
||||
Patch200: openssh-7.2p1-audit.patch
|
||||
# Audit race condition in forked child (#1310684)
|
||||
Patch201: openssh-7.1p2-audit-race-condition.patch
|
||||
|
||||
@ -143,7 +143,7 @@ Patch607: openssh-5.8p2-sigpipe.patch
|
||||
Patch609: openssh-5.5p1-x11.patch
|
||||
|
||||
#?
|
||||
Patch700: openssh-6.7p1-fips.patch
|
||||
Patch700: openssh-7.2p1-fips.patch
|
||||
#?
|
||||
Patch702: openssh-5.1p1-askpass-progress.patch
|
||||
#?
|
||||
@ -168,7 +168,7 @@ Patch714: openssh-6.7p1-kdf-cavs.patch
|
||||
|
||||
#http://www.sxw.org.uk/computing/patches/openssh.html
|
||||
#changed cache storage type - #848228
|
||||
Patch800: openssh-6.6p1-gsskex.patch
|
||||
Patch800: openssh-7.2p1-gsskex.patch
|
||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||
Patch801: openssh-6.6p1-force_krb.patch
|
||||
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
|
||||
@ -225,17 +225,9 @@ Patch931: openssh-6.9p1-scp-progressmeter.patch
|
||||
Patch932: openssh-7.0p1-gssKexAlgorithms.patch
|
||||
# Possibility to validate legacy systems by more fingerprints (#1249626)(#2439)
|
||||
Patch933: openssh-7.0p1-show-more-fingerprints.patch
|
||||
# Brokend HostKeyAlgorthms on server using + sign
|
||||
# from http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034324.html
|
||||
Patch934: openssh-7.1p1-hostkeyalgorithms.patch
|
||||
# Updated version of ssh-copy-id
|
||||
# http://git.hands.com/ssh-copy-id
|
||||
Patch935: openssh-7.1p1-ssh-copy-id.patch
|
||||
# Preserve IUTF8 tty mode flag over ssh connections (#1270248)
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2477
|
||||
Patch936: openssh-7.1p1-iutf8.patch
|
||||
# CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding
|
||||
Patch937: openssh-7.1p2-fallback-x11-untrusted.patch
|
||||
|
||||
|
||||
License: BSD
|
||||
@ -469,10 +461,7 @@ popd
|
||||
%patch931 -p1 -b .progressmeter
|
||||
%patch932 -p1 -b .gsskexalg
|
||||
%patch933 -p1 -b .fingerprint
|
||||
%patch934 -p1 -b .hostkey
|
||||
%patch935 -p1 -b .ssh-copy-id
|
||||
%patch936 -p1 -b .iutf8
|
||||
%patch937 -p1 -b .x11-fallback
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
@ -734,8 +723,6 @@ getent passwd sshd >/dev/null || \
|
||||
%attr(0755,root,root) %{_bindir}/scp
|
||||
%attr(0644,root,root) %{_mandir}/man1/scp.1*
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||
%attr(0755,root,root) %{_bindir}/slogin
|
||||
%attr(0644,root,root) %{_mandir}/man1/slogin.1*
|
||||
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
|
||||
%if ! %{rescue}
|
||||
%attr(0755,root,root) %{_bindir}/ssh-agent
|
||||
@ -813,6 +800,9 @@ getent passwd sshd >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 29 2016 Jakub Jelen <jjelen@redhat.com> 7.2p1-1 + 0.10.2-2
|
||||
- New upstream release (#1312870)
|
||||
|
||||
* Wed Feb 24 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-4.1 + 0.10.2-1
|
||||
- Fix race condition in auditing events when using multiplexing (#1308295)
|
||||
- Fix X11 forwarding CVE according to upstream
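Review bot: The new changelog entry `- New upstream release (#1312870)` does not record which downstream patches were dropped or why, although the hunk at `@ -225,17 +225,9 @@` removes eight Patch9xx lines and the hunk at `@ -469,10 +461,7 @@` removes three `%patch` applications. From the rendering alone I cannot tell which of Patch934–Patch937 went; if they were dropped because 7.2p1 carries the fixes upstream (the CVE-2016-1908 X11 fallback fix in particular), a line such as `- Drop patches merged upstream (CVE-2016-1908 X11 fallback and related 7.1 fixes)` would let anyone auditing the package confirm the CVE is still covered without diffing the spec. The two lines removed from `%files` in the hunk at `@ -734,8 +723,6 @@` are presumably the `slogin` binary and man page; if so, noting that the alias is gone upstream would save the next maintainer the same inference.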
|
||||
|
@ -104,3 +104,16 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-
|
||||
goto user_auth_clean_exit;
|
||||
|
||||
/* test for correct signature */
|
||||
diff --git a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
|
||||
--- a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
|
||||
+++ b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
|
||||
@@ -85,7 +85,7 @@ userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
||||
buffer_put_cstring(&b, pkalg);
|
||||
buffer_put_string(&b, pkblob, blen);
|
||||
|
||||
- if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
|
||||
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
|
||||
goto user_auth_clean_exit;
|
||||
|
||||
/* test for correct signature */
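Review bot: The added call `if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)` passes a bare `NULL` for the new seventh argument with nothing in the patch saying what it selects. In OpenSSH 7.2 that position is, as far as I can tell, the signature-algorithm name, and NULL leaves the choice to the agent's default for the key type, which is what decides which signature the module verifies just below; a comment such as `/* alg = NULL: agent picks the default signature algorithm for this key type */` above the call would record that choice. The patch file also gains a second `diff --git` block for userauth_pubkey_from_id.c next to what appears to be an existing hunk for the same region (its trailing context `goto user_auth_clean_exit;` is visible above); both should apply with -p1, but folding the one-line change into the existing hunk would keep one diff per file and avoid a later rejected hunk if the two overlap. The body of userauth_pubkey_from_id starts and ends outside the hunk.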