openssh-7.2p1-1 (#1312870)

This commit is contained in:
Jakub Jelen 2016-02-19 14:42:33 +01:00
parent 46445f1c7a
commit 13073f8d9c
25 changed files with 430 additions and 1444 deletions

1
.gitignore vendored

@ -20,3 +20,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-7.1p1.tar.gz /openssh-7.1p1.tar.gz
/openssh-7.1p2.tar.gz /openssh-7.1p2.tar.gz
/pam_ssh_agent_auth-0.10.2.tar.bz2 /pam_ssh_agent_auth-0.10.2.tar.bz2
/openssh-7.2p1.tar.gz


@ -117,15 +117,14 @@ diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
--- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100 --- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100
+++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100 +++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100
@@ -161,6 +161,8 @@ login_cap_t *lc; @@ -161,6 +161,7 @@ login_cap_t *lc;
static int is_child = 0; static int is_child = 0;
static int in_chroot = 0;
+static int have_dev_log = 1; +static int have_dev_log = 1;
+
/* Name and directory of socket for authentication agent forwarding. */ /* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL; static char *auth_sock_name = NULL;
static char *auth_sock_dir = NULL;
@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c @@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c
is_child = 1; is_child = 1;
@ -150,8 +149,8 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command) @@ -780,6 +782,7 @@ do_exec(Session *s, const char *command)
int ret; int ret;
const char *forced = NULL; const char *forced = NULL, *tty = NULL;
char session_type[1024], *tty = NULL; char session_type[1024];
+ struct stat dev_log_stat; + struct stat dev_log_stat;
if (options.adm_forced_command) { if (options.adm_forced_command) {
@ -164,7 +163,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
+ have_dev_log = 0; + have_dev_log = 0;
+ } + }
+ +
verbose("Starting session: %s%s%s for %s from %.200s port %d", verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type, session_type,
tty == NULL ? "" : " on ", tty == NULL ? "" : " on ",
@@ -1678,14 +1685,6 @@ child_close_fds(void) @@ -1678,14 +1685,6 @@ child_close_fds(void)
@ -233,8 +232,8 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
fd_set *rset, *wset; fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv, @@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname;
ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]); __progname = ssh_get_progname(argv[0]);
- log_init(__progname, log_level, log_facility, log_stderr); - log_init(__progname, log_level, log_facility, log_stderr);
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); + log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);


@ -115,7 +115,7 @@ index 2871fe9..39b9c08 100644
+ sshd_selinux_change_privsep_preauth_context(); + sshd_selinux_change_privsep_preauth_context();
#endif #endif
/* Change our root directory */ /* Demote the child */
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 12c014e..c5ef2ff 100644 index 12c014e..c5ef2ff 100644
--- a/openbsd-compat/port-linux.c --- a/openbsd-compat/port-linux.c


@ -106,9 +106,9 @@ diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_conf
--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200 --- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200 +++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200
@@ -633,6 +633,12 @@ on logout. @@ -633,6 +633,12 @@ on logout.
on logout.
The default is The default is
.Dq yes . .Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIEnablek5users +.It Cm GSSAPIEnablek5users
+Specifies whether to look at .k5users file for GSSAPI authentication +Specifies whether to look at .k5users file for GSSAPI authentication
+access control. Further details are described in +access control. Further details are described in


@ -25,8 +25,8 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -326,6 +330,7 @@ install-files: @@ -326,6 +330,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \


@ -59,8 +59,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) + $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -321,6 +325,7 @@ install-files: @@ -321,6 +325,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \


@ -190,8 +190,8 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
+ if (options->use_kuserok == -1) + if (options->use_kuserok == -1)
+ options->use_kuserok = 1; + options->use_kuserok = 1;
if (kex_assemble_names(KEX_SERVER_ENCRYPT, &options->ciphers) != 0 || assemble_algorithms(options);
kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
@@ -404,7 +407,7 @@ typedef enum { @@ -404,7 +407,7 @@ typedef enum {
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,


@ -47,15 +47,6 @@ diff --git a/session.c b/session.c
index 2bcf818..b5dc144 100644 index 2bcf818..b5dc144 100644
--- a/session.c --- a/session.c
+++ b/session.c +++ b/session.c
@@ -1532,7 +1532,7 @@ void
do_setusercontext(struct passwd *pw)
{
char *chroot_path, *tmp;
-#ifdef USE_LIBIAF
+#if defined(USE_LIBIAF) || defined(WITH_SELINUX)
int doing_chroot = 0;
#endif
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw) @@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid); pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir, chroot_path = percent_expand(tmp, "h", pw->pw_dir,
@ -66,22 +57,13 @@ index 2bcf818..b5dc144 100644
safely_chroot(chroot_path, pw->pw_uid); safely_chroot(chroot_path, pw->pw_uid);
free(tmp); free(tmp);
free(chroot_path); free(chroot_path);
@@ -1557,7 +1557,7 @@ do_setusercontext(struct passwd *pw)
/* Make sure we don't attempt to chroot again */
free(options.chroot_directory);
options.chroot_directory = NULL;
-#ifdef USE_LIBIAF
+#if defined(USE_LIBIAF) || defined(WITH_SELINUX)
doing_chroot = 1;
#endif
}
@@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw) @@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */ /* Permanently switch to the desired uid. */
permanently_set_uid(pw); permanently_set_uid(pw);
#endif #endif
+ +
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ if (doing_chroot == 0) + if (in_chroot == 0)
+ sshd_selinux_copy_context(); + sshd_selinux_copy_context();
+#endif +#endif
} else if (options.chroot_directory != NULL && } else if (options.chroot_directory != NULL &&
@ -119,9 +101,9 @@ index 07f9926..a97f8b7 100644
+ ssh_selinux_change_context("sshd_net_t"); + ssh_selinux_change_context("sshd_net_t");
+#endif +#endif
+ +
/* Demote the child */
if (getuid() == 0 || geteuid() == 0) {
/* Change our root directory */ /* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
@@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt) @@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt)
#ifdef DISABLE_FD_PASSING #ifdef DISABLE_FD_PASSING
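Review bot: The guard in front of `sshd_selinux_copy_context()` now reads `if (in_chroot == 0)` instead of `if (doing_chroot == 0)`, and the two hunks that declared and set `doing_chroot` under `#if defined(USE_LIBIAF) || defined(WITH_SELINUX)` are dropped, so the patch now silently depends on `in_chroot` being a file-static that the base session.c provides and sets once the ChrootDirectory chroot has happened — presumably true for 7.2p1, but worth confirming against the tree rather than assuming the old patch-local semantics carry over. A one-line comment above the guard would make that dependency visible on the next rebase, e.g. `/* in_chroot is base session.c state; skip the context copy once chrooted */`. The enclosing do_setusercontext body starts and ends outside the hunk.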


@ -355,7 +355,7 @@ diff -up openssh-6.8p1/monitor_wrap.h.role-mls openssh-6.8p1/monitor_wrap.h
+++ openssh-6.8p1/monitor_wrap.h 2015-03-18 11:10:32.343936171 +0100 +++ openssh-6.8p1/monitor_wrap.h 2015-03-18 11:10:32.343936171 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void); @@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int); DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int); int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
void mm_inform_authserv(char *, char *); void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+void mm_inform_authrole(char *); +void mm_inform_authrole(char *);


@ -59,9 +59,9 @@ diff -up openssh-6.8p1/sshconnect.c.set_remote_ipaddr openssh-6.8p1/sshconnect.c
--- openssh-6.8p1/sshconnect.c.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100 --- openssh-6.8p1/sshconnect.c.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sshconnect.c 2015-03-18 12:40:58.096788804 +0100 +++ openssh-6.8p1/sshconnect.c 2015-03-18 12:40:58.096788804 +0100
@@ -65,6 +65,7 @@ @@ -65,6 +65,7 @@
#include "version.h"
#include "authfile.h" #include "authfile.h"
#include "ssherr.h" #include "ssherr.h"
#include "authfd.h"
+#include "canohost.h" +#include "canohost.h"
char *client_version_string = NULL; char *client_version_string = NULL;


@ -415,7 +415,7 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100 --- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100 +++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100
@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt) @@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child(); privsep_preauth_child();
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
- if (box != NULL) - if (box != NULL)


@ -92,7 +92,7 @@ diff -up openssh-7.0p1/dh.h.fips openssh-7.0p1/dh.h
@@ -46,6 +46,7 @@ u_int dh_estimate(int); @@ -46,6 +46,7 @@ u_int dh_estimate(int);
/* Min and max values from RFC4419. */ /* Min and max values from RFC4419. */
#define DH_GRP_MIN 1024 #define DH_GRP_MIN 2048
+#define DH_GRP_MIN_FIPS 2048 +#define DH_GRP_MIN_FIPS 2048
#define DH_GRP_MAX 8192 #define DH_GRP_MAX 8192
@ -296,18 +296,18 @@ diff -up openssh-7.0p1/Makefile.in.fips openssh-7.0p1/Makefile.in
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a @@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
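Review bot: In the dh.h hunk the base now defines `DH_GRP_MIN` as 2048, the same value this patch gives `DH_GRP_MIN_FIPS`, so the added macro no longer expresses a stricter floor and any `DH_GRP_MIN_FIPS`-versus-`DH_GRP_MIN` branch elsewhere in the patch (outside this hunk) has become a no-op. Either drop `DH_GRP_MIN_FIPS` and use `DH_GRP_MIN` at those call sites, or keep it with a comment stating why a separate constant is retained, e.g. `/* kept distinct from DH_GRP_MIN so the FIPS floor does not move with upstream's non-FIPS minimum */`. Only the defines are visible here; their users are outside the hunk.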


@ -22,11 +22,11 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o roaming_dummy.o +ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
+ $(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -331,6 +335,8 @@ install-files: @@ -331,6 +335,8 @@ install-files:
fi fi


@ -148,8 +148,8 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
LIBOPENSSH_OBJS=\ LIBOPENSSH_OBJS=\
ssh_api.o \ ssh_api.o \
@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw @@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-solaris.o
-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@ -165,8 +165,8 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -311,6 +317,10 @@ install-files: @@ -311,6 +317,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
@ -187,9 +187,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \ + $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \ + $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
+ fi + fi
-rm -f $(DESTDIR)$(bindir)/slogin
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin install-sysconf:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
@@ -356,6 +370,13 @@ install-sysconf: @@ -356,6 +370,13 @@ install-sysconf:
else \ else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
@ -218,9 +218,9 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
regress-prep: regress-prep:
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100 --- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100 +++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100


@ -95,9 +95,9 @@ diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c
--- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200 --- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200
+++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200 +++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200
@@ -50,6 +50,7 @@ @@ -50,6 +50,7 @@
#include "misc.h"
#include "dispatch.h" #include "dispatch.h"
#include "monitor.h" #include "monitor.h"
#include "roaming.h"
+#include "xmalloc.h" +#include "xmalloc.h"
#include "ssherr.h" #include "ssherr.h"
@ -336,9 +336,9 @@ diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5
--- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200 --- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200
+++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200 +++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200
@@ -786,6 +786,18 @@ command line will be passed untouched to @@ -786,6 +786,18 @@ command line will be passed untouched to
command line will be passed untouched to the GSSAPI library.
The default is The default is
.Dq no . .Dq no .
This option only applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPIKexAlgorithms +.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are offered for GSSAPI +The list of key exchange algorithms that are offered for GSSAPI
+key exchange. Possible values are +key exchange. Possible values are


@ -199,7 +199,7 @@ index f41960c..e12932f 100644
+ options.fingerprint_hash[0], SSH_FP_RANDOMART); + options.fingerprint_hash[0], SSH_FP_RANDOMART);
if (fp == NULL || ra == NULL) if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__); fatal("%s: sshkey_fingerprint fail", __func__);
logit("Host key fingerprint is %s\n%s\n", fp, ra); logit("Host key fingerprint is %s\n%s", fp, ra);
@@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, @@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
else else
snprintf(msg1, sizeof(msg1), "."); snprintf(msg1, sizeof(msg1), ".");
@ -295,14 +295,14 @@ index 7751031..82ed92e 100644
goto done; goto done;
debug2("input_userauth_pk_ok: fp %s", fp); debug2("input_userauth_pk_ok: fp %s", fp);
@@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) @@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
int have_sig = 1; int matched, ret = -1, have_sig = 1;
char *fp; char *fp;
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash, - if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0], + if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL) SSH_FP_DEFAULT)) == NULL)
return 0; return 0;
debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); debug3("%s: %s %s", __func__, key_type(id->key), fp);
@@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt) @@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt)
goto out; goto out;
} }
@ -323,10 +323,23 @@ index 1dca3e2..23bff7d 100644
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, - if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0], + if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL) SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__); fatal("%s: sshkey_fingerprint failed", __progname);
fatal("no matching hostkey found for key %s %s", fatal("no matching hostkey found for key %s %s",
-- --
2.1.0 2.1.0
diff --git a/sshconnect.c b/sshconnect.c
index de7ace6..f16e606 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1262,7 +1262,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
if (sshkey_is_cert(host_key)) {
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
error("%s: fingerprint CA key: %s",
__func__, ssh_err(r));
r = -1;
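Review bot: The new `diff --git a/sshconnect.c b/sshconnect.c` block for `verify_host_key` is appended after the `--` / `2.1.0` signature trailer of the format-patch, so the file is no longer one well-formed mail-style patch; `patch -p1` still applies it, but mail-oriented tooling that treats `-- ` as end-of-patch may drop it, and the patch's own diffstat (not shown here) no longer matches. Move the sshconnect.c block up so it precedes the `--` line. The change itself, `options.fingerprint_hash[0]` in place of `options.fingerprint_hash`, is consistent with the other hunks in this section; the enclosing verify_host_key body continues outside the hunk.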


@ -1,46 +0,0 @@
diff --git a/readconf.c b/readconf.c
index 374e741..23d74fb 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2229,6 +2229,10 @@ dump_client_config(Options *o, const char *host)
int i;
char vbuf[5];
+ /* This is normally prepared in ssh_kex2 */
+ if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
+ fatal("%s: kex_assemble_names failed", __func__);
+
/* Most interesting options first: user, host, port */
dump_cfg_string(oUser, o->user);
dump_cfg_string(oHostName, host);
@@ -2289,7 +2293,7 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oBindAddress, o->bind_address);
dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
dump_cfg_string(oControlPath, o->control_path);
- dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
+ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
dump_cfg_string(oHostKeyAlias, o->host_key_alias);
dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
diff --git a/servconf.c b/servconf.c
index 04404a4..08c8139 100644
--- a/servconf.c
+++ b/servconf.c
@@ -242,8 +242,6 @@ fill_default_server_options(ServerOptions *options)
options->hostbased_authentication = 0;
if (options->hostbased_uses_name_from_packet_only == -1)
options->hostbased_uses_name_from_packet_only = 0;
- if (options->hostkeyalgorithms == NULL)
- options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
if (options->rsa_authentication == -1)
options->rsa_authentication = 1;
if (options->pubkey_authentication == -1)
@@ -329,6 +327,8 @@ fill_default_server_options(ServerOptions *options)
kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
+ &options->hostkeyalgorithms) != 0 ||
+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options->hostbased_key_types) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options->pubkey_key_types) != 0)


@ -1,532 +0,0 @@
From 1a52b2d612b1d0c2a15dfcdc8da560704909ec72 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Sat, 27 Jul 2013 14:16:52 +0100
Subject: [PATCH] echo --> printf "%s: ERROR... (for consistency)
---
ssh-copy-id | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index ae88e99..516b87f 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -200,7 +200,7 @@ populate_new_ids() {
umask 0177
local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
- echo "mktemp failed" 1>&2
+ printf '%s: ERROR: mktemp failed\n' "$0" >&2
exit 1
fi
trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT
--
1.9.1
From baebbb9e18e4a1af7554d939710eacb665a24b68 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Wed, 25 Nov 2015 17:05:39 +0100
Subject: [PATCH] Deal with remote user shell being e.g. tcsh (fixes: 2206)
as suggested by Jakub Jelen <jjelen@redhat.com>
---
ssh-copy-id | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 516b87f..6a0447a 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -269,10 +269,8 @@ case "$REMOTE_VERSION" in
*)
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
populate_new_ids 0
- [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
- umask 077 ;
- mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
- if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
+ [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
+ ssh "$@" "exec sh -c 'umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;
--
1.9.1
From 35f05e39cda8670b3f6797330a3e521fda509a4c Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Wed, 25 Nov 2015 21:14:00 +0100
Subject: [PATCH] set LogLevel to ensure that it's not set to 'None' (closes:
2214)
As pointed out by Sami Haahtinen <sami@badwolf.fi>,
the LogLevel is set to 'None' we'll not get the
Permission Denied we're looking for.
---
ssh-copy-id | 1 +
1 file changed, 1 insertion(+)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 6a0447a..70d3866 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -215,6 +215,7 @@ populate_new_ids() {
# The point being that if file based, ssh needs the private key, which it cannot
# find if only given the contents of the .pub file in an unrelated tmpfile
ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
+ -o LogLevel=INFO \
-o PreferredAuthentications=publickey \
-o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
if [ "$?" = "$L_SUCCESS" ] ; then
--
1.9.1
From e129c91dc474d73671304403fafda785df440105 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Wed, 25 Nov 2015 22:30:43 +0100
Subject: [PATCH] set ControlPath=none (closes: 2488)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Thanks to Salvador Fandiño <sfandino@yahoo.com> for the patch
This seems to be the same problem as described in 2195
---
ssh-copy-id | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 70d3866..7df7fad 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -215,6 +215,7 @@ populate_new_ids() {
# The point being that if file based, ssh needs the private key, which it cannot
# find if only given the contents of the .pub file in an unrelated tmpfile
ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
+ -o ControlPath=none \
-o LogLevel=INFO \
-o PreferredAuthentications=publickey \
-o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
@@ -244,7 +245,7 @@ populate_new_ids() {
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
}
-REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
+REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 |
sed -ne 's/.*remote software version //p')
case "$REMOTE_VERSION" in
--
1.9.1
From 6fa6f1e3dbec32636e77d01228ceecfa3851c7e8 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Wed, 25 Nov 2015 23:24:13 +0100
Subject: [PATCH] add -f (forced) option to install keys unconditionally
(closes: 2110)
Thanks for the patch from Petr Lautrbach <plautrba@redhat.com>
which inspired this.
---
ssh-copy-id | 15 +++++++++++++--
ssh-copy-id.1 | 5 +++++
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 7df7fad..3121171 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -59,7 +59,10 @@ fi
DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
usage () {
- printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
+ printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
+ printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2
+ printf '\t-n: dry run -- no keys are actually copied\n' >&2
+ printf '\t-h|-?: print this help\n' >&2
exit 1
}
@@ -121,7 +124,7 @@ do
}
shift
;;
- -n|-h|-\?)
+ -f|-n|-h|-\?)
OPT="$1"
OPTARG=
shift
@@ -154,6 +157,9 @@ do
-o|-p)
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
;;
+ -f)
+ FORCED=1
+ ;;
-n)
DRY_RUN=1
;;
@@ -194,6 +200,11 @@ fi
populate_new_ids() {
local L_SUCCESS="$1"
+ if [ "$FORCED" ] ; then
+ NEW_IDS=$(eval $GET_ID)
+ return
+ fi
+
# repopulate "$@" inside this function
eval set -- "$SSH_OPTS"
diff --git $1/contrib/ssh-copy-id.1 $1/contrib/ssh-copy-id.1
index 67a59e4..8850cce 100644
--- $1/contrib/ssh-copy-id.1
+++ $1/contrib/ssh-copy-id.1
@@ -29,6 +29,7 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.Nd use locally available keys to authorise logins on a remote machine
.Sh SYNOPSIS
.Nm
+.Op Fl f
.Op Fl n
.Op Fl i Op Ar identity_file
.Op Fl p Ar port
@@ -76,6 +77,10 @@ is used.
Note that this can be used to ensure that the keys copied have the
comment one prefers and/or extra options applied, by ensuring that the
key file has these set as preferred before the copy is attempted.
+.It Fl f
+Forced mode: doesn't check if the keys are present on the remote server.
+This means that it does not need the private key. Of course, this can result
+in more than one copy of the key being installed on the remote system.
.It Fl n
do a dry-run. Instead of installing keys on the remote system simply
prints the key(s) that would have been installed.
--
1.9.1
From ab185eea5a03cdd846c909d83e5dd0a07a44fb54 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Wed, 25 Nov 2015 23:47:06 +0100
Subject: [PATCH] deal with #2331 by suggesting the use of the -f option
---
ssh-copy-id | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 3121171..8666cea 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -250,7 +250,8 @@ populate_new_ids() {
exit 1
fi
if [ -z "$NEW_IDS" ] ; then
- printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2
+ printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
exit 0
fi
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
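Review bot: The second printf added in this hunk, `printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2`, passes `"$0"` although its format string contains no conversion specification, so the argument is never consumed; POSIX leaves the output for surplus operands with a conversion-free format unspecified, and at best it is a dead argument that misleads the next reader into thinking `%s` was dropped. Either remove the operand, `printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2`, or keep the `%s:` prefix style of the surrounding messages so the operand is used. The enclosing populate_new_ids function begins before this hunk and continues after it.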
--
1.9.1
From de78897ada50ed12f4b0c9faa6e935ce82ee49a6 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Thu, 26 Nov 2015 00:25:56 +0100
Subject: [PATCH] handle keys with missing trailing newline (closes: 2350)
---
ssh-copy-id | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 8666cea..362b49b 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -218,7 +218,7 @@ populate_new_ids() {
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
NEW_IDS=$(
eval $GET_ID | {
- while read ID ; do
+ while read ID || [ "$ID" ] ; do
printf '%s\n' "$ID" > $L_TMP_ID_FILE
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
--
1.9.1
From 6b903ab99a3f0107bb0dbde748a4372033bab00c Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Thu, 26 Nov 2015 00:36:09 +0100
Subject: [PATCH] add a cd to ensure we're in the remote's home directory
(closes: 2349)
---
ssh-copy-id | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 362b49b..2932936 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -284,7 +284,7 @@ case "$REMOTE_VERSION" in
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
populate_new_ids 0
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
- ssh "$@" "exec sh -c 'umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;
--
1.9.1
From 441892cbf4ff96fd96908582b8170f51890b5deb Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Sat, 28 Nov 2015 14:42:36 +0100
Subject: [PATCH] add comment about why the ugly one-line remote command is as
it is
In case anyone looks here for the details:
* tcsh doesn't support multi-line strings,
which is why it's a one-liner.
* tcsh doesn't do 2>&1, and fish doesn't do
'command || command' which is why we're runnig this under
sh (which is very likely to be a POSIX shell on any vaguely
Unix-like system)
* The 'cd' is there to make sure we're in the home dir, because
there was a bug report about having a cd in ~/.bashrc that resulted
in a .ssh being created elsewhere.
* the 'exec' ensures that we're not relying on anything beyond the
(hopefully POSIX) shell that's available as 'sh' on the remote system
---
ssh-copy-id | 1 +
1 file changed, 1 insertion(+)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 2932936..04c03eb 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -283,6 +283,7 @@ case "$REMOTE_VERSION" in
*)
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
populate_new_ids 0
+ # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; 'cd' to be at $HOME; and all on one line, because tcsh.
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|| exit 1
--
1.9.1
From 8b59b122d321b97badd15c41e1a22863aa922a02 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Sat, 28 Nov 2015 14:46:47 +0100
Subject: [PATCH] with '-f' there's no need to have access to the private key
---
ssh-copy-id | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 04c03eb..d3ff83b 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -80,7 +80,7 @@ use_id_file() {
PUB_ID_FILE="$L_ID_FILE.pub"
fi
- PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
+ [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
# check that the files are readable
for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
--
1.9.1
From 1b931894de0614099255244be789ad097fd0948a Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Sat, 28 Nov 2015 14:47:35 +0100
Subject: [PATCH] if the private key is missing, point out that '-f' might be
what's needed
---
ssh-copy-id | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index d3ff83b..f0b01aa 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -85,7 +85,9 @@ use_id_file() {
# check that the files are readable
for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
ErrMSG=$( { : < $f ; } 2>&1 ) || {
- printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')"
+ local L_PRIVMSG=""
+ [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
+ printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
exit 1
}
done
--
1.9.1
From fd3e8b115e160a1332773cd8e06a3305d0d680ab Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Sat, 28 Nov 2015 21:10:39 +0100
Subject: [PATCH] +INFO message to mitigate the surprise described in #2196
---
ssh-copy-id | 1 +
1 file changed, 1 insertion(+)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index f0b01aa..994194e 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -91,6 +91,7 @@ use_id_file() {
exit 1
}
done
+ printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" $PUB_ID_FILE >&2
GET_ID="cat \"$PUB_ID_FILE\""
}
--
1.9.1
From 783ef08b0a757402aba67313f08f8dbfa9bf85f3 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Mon, 30 Nov 2015 20:46:19 +0100
Subject: [PATCH] deal with $HOME and id filenames that include a space
---
ssh-copy-id | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git $1/contrib/ssh-copy-id $1/contrib/ssh-copy-id
index 994194e..afde8b1 100755
--- $1/contrib/ssh-copy-id
+++ $1/contrib/ssh-copy-id
@@ -56,7 +56,7 @@ then
fi
fi
-DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
+DEFAULT_PUB_ID_FILE="$HOME/$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)"
usage () {
printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
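Review bot: The rewritten `DEFAULT_PUB_ID_FILE="$HOME/$(cd "$HOME" ; ls -t .ssh/id*.pub ...)"` now evaluates to `"$HOME/"` instead of an empty string when no `.ssh/id*.pub` matches, because the `$HOME/` prefix is glued on unconditionally; the previous form produced the empty string, so any downstream "no identity found" test (not visible in this hunk) would now see a directory path and a `cat` of it would fail with "Is a directory" rather than a clean diagnostic. If `cd "$HOME"` fails the subshell also goes on to run `ls` in the current directory and still prefixes `$HOME`, producing a path that does not exist. Compute the relative match first and prefix only when non-empty: `DEFAULT_PUB_ID_FILE=$(cd "$HOME" 2>/dev/null && ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)` followed by `[ "$DEFAULT_PUB_ID_FILE" ] && DEFAULT_PUB_ID_FILE="$HOME/$DEFAULT_PUB_ID_FILE"`. The `usage` function that starts at the end of this hunk continues outside it.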
@@ -83,15 +83,15 @@ use_id_file() {
[ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
# check that the files are readable
- for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
- ErrMSG=$( { : < $f ; } 2>&1 ) || {
+ for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
+ ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
local L_PRIVMSG=""
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
exit 1
}
done
- printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" $PUB_ID_FILE >&2
+ printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2
GET_ID="cat \"$PUB_ID_FILE\""
}
@@ -217,12 +217,13 @@ populate_new_ids() {
printf '%s: ERROR: mktemp failed\n' "$0" >&2
exit 1
fi
- trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT
+ local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
+ trap "$L_CLEANUP" EXIT TERM INT QUIT
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
NEW_IDS=$(
eval $GET_ID | {
while read ID || [ "$ID" ] ; do
- printf '%s\n' "$ID" > $L_TMP_ID_FILE
+ printf '%s\n' "$ID" > "$L_TMP_ID_FILE"
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
# assumption will break if we implement the possibility of multiple -i options.
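Review bot: The new `L_CLEANUP` string removes only `"$L_TMP_ID_FILE"` and `"${L_TMP_ID_FILE}.stderr"`, whereas the trap it replaces also removed `${L_TMP_ID_FILE}.pub` and the later `rm -f $L_TMP_ID_FILE*` (replaced by `eval "$L_CLEANUP"` in the next hunk) caught any file sharing the prefix; if the ssh invocation that follows — outside this hunk — still produces a `.pub` or other sibling next to the temp file, it would now be left behind in the temp directory. The temp file holds a public-key line taken from `$GET_ID`, so any residue is hygiene rather than secret exposure, but it is worth confirming nothing else is written with that prefix. If something is, keep the explicit quoting and add the extra name to the same string, e.g. `local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\" \"${L_TMP_ID_FILE}.pub\""`. The populate_new_ids function begins before this hunk and continues after it.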
@@ -246,7 +247,7 @@ populate_new_ids() {
done
}
)
- rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
+ eval "$L_CLEANUP" && trap - EXIT TERM INT QUIT
if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
--
1.9.1
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index afde8b1..cd52764 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -99,6 +99,8 @@ if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
GET_ID="ssh-add -L"
fi
+[ "x$SSH_COPY_ID_LEGACY" != "x" ] && FORCED=1
+
while test "$#" -gt 0
do
[ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
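Review bot: Setting `FORCED=1` from the `SSH_COPY_ID_LEGACY` environment variable disables both the private-key readability check and the remote "already installed" filtering silently: unlike the explicit `-f` flag, which the user typed, nothing on stderr indicates why keys are being appended unconditionally, so a variable left in a shell profile yields duplicate authorized_keys entries (the behaviour the -f manual text itself warns about) with no explanation. Announce it on the same line: `[ "x$SSH_COPY_ID_LEGACY" != "x" ] && { FORCED=1; printf '%s: INFO: SSH_COPY_ID_LEGACY is set -- running in forced mode (-f)\n' "$0" >&2; }`. The non-empty test could also be written `[ -n "$SSH_COPY_ID_LEGACY" ]` to match the `[ -n "$SSH_AUTH_SOCK" ]` test two lines above. The option-parsing loop that starts at the end of this hunk continues outside it.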
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
index 8850cce..62f112d 100644
--- a/contrib/ssh-copy-id.1
+++ b/contrib/ssh-copy-id.1
@@ -185,6 +185,22 @@ should prove enlightening (N.B. the modern approach is to use the
.Fl W
option, rather than
.Xr nc 1 ) .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds
+.Pp
+.It Pa SSH_COPY_ID_LEGACY
+If the
+.Cm SSH_COPY_ID_LEGACY
+environment variable is set, the
+.Nm
+is run in a legacy mode. In this mode, the
+.Nm
+doesn't check an existence of a private key and doesn't do remote checks
+of the remote server versions or if public keys are already installed
+(equivalent to
+.Fl f
+switch).
+.El
.Sh "SEE ALSO"
.Xr ssh 1 ,
.Xr ssh-agent 1 ,


@ -77,7 +77,7 @@ index 8949fd1..9afb764 100644
+#endif +#endif
+ +
static int is_child = 0; static int is_child = 0;
static int in_chroot = 0;
static int have_dev_log = 1; static int have_dev_log = 1;
@@ -875,6 +879,8 @@ do_exec(Session *s, const char *command) @@ -875,6 +879,8 @@ do_exec(Session *s, const char *command)
} }


@ -1,387 +0,0 @@
From f98a09cacff7baad8748c9aa217afd155a4d493f Mon Sep 17 00:00:00 2001
From: "mmcc@openbsd.org" <mmcc@openbsd.org>
Date: Tue, 20 Oct 2015 03:36:35 +0000
Subject: [PATCH] upstream commit
Replace a function-local allocation with stack memory.
ok djm@
Upstream-ID: c09fbbab637053a2ab9f33ca142b4e20a4c5a17e
---
clientloop.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index 87ceb3d..1e05cba 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -311,11 +311,10 @@ client_x11_get_proto(const char *display, const char *xauth_path,
static char proto[512], data[512];
FILE *f;
int got_data = 0, generated = 0, do_unlink = 0, i;
- char *xauthdir, *xauthfile;
+ char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
struct stat st;
u_int now, x11_timeout_real;
- xauthdir = xauthfile = NULL;
*_proto = proto;
*_data = data;
proto[0] = data[0] = '\0';
@@ -343,8 +342,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
display = xdisplay;
}
if (trusted == 0) {
- xauthdir = xmalloc(PATH_MAX);
- xauthfile = xmalloc(PATH_MAX);
mktemp_proto(xauthdir, PATH_MAX);
/*
* The authentication cookie should briefly outlive
@@ -407,8 +404,6 @@ client_x11_get_proto(const char *display, const char *xauth_path,
unlink(xauthfile);
rmdir(xauthdir);
}
- free(xauthdir);
- free(xauthfile);
/*
* If we didn't get authentication data, just make up some
--
2.5.0
From ed4ce82dbfa8a3a3c8ea6fa0db113c71e234416c Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 13 Jan 2016 23:04:47 +0000
Subject: [PATCH] upstream commit
eliminate fallback from untrusted X11 forwarding to trusted
forwarding when the X server disables the SECURITY extension; Reported by
Thomas Hoger; ok deraadt@
Upstream-ID: f76195bd2064615a63ef9674a0e4096b0713f938
---
clientloop.c | 114 ++++++++++++++++++++++++++++++++++++-----------------------
clientloop.h | 4 +--
mux.c | 22 ++++++------
ssh.c | 23 +++++-------
4 files changed, 93 insertions(+), 70 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index f555451..c0386d5 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -288,6 +288,9 @@ client_x11_display_valid(const char *display)
{
size_t i, dlen;
+ if (display == NULL)
+ return 0;
+
dlen = strlen(display);
for (i = 0; i < dlen; i++) {
if (!isalnum((u_char)display[i]) &&
@@ -301,34 +304,33 @@ client_x11_display_valid(const char *display)
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
#define X11_TIMEOUT_SLACK 60
-void
+int
client_x11_get_proto(const char *display, const char *xauth_path,
u_int trusted, u_int timeout, char **_proto, char **_data)
{
- char cmd[1024];
- char line[512];
- char xdisplay[512];
+ char cmd[1024], line[512], xdisplay[512];
+ char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
static char proto[512], data[512];
FILE *f;
- int got_data = 0, generated = 0, do_unlink = 0, i;
- char xauthdir[PATH_MAX] = "", xauthfile[PATH_MAX] = "";
+ int got_data = 0, generated = 0, do_unlink = 0, i, r;
struct stat st;
u_int now, x11_timeout_real;
*_proto = proto;
*_data = data;
- proto[0] = data[0] = '\0';
+ proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
- if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
- debug("No xauth program.");
- } else if (!client_x11_display_valid(display)) {
- logit("DISPLAY '%s' invalid, falling back to fake xauth data",
+ if (!client_x11_display_valid(display)) {
+ logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
display);
- } else {
- if (display == NULL) {
- debug("x11_get_proto: DISPLAY not set");
- return;
- }
+ return -1;
+ }
+ if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
+ debug("No xauth program.");
+ xauth_path = NULL;
+ }
+
+ if (xauth_path != NULL) {
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
@@ -337,43 +339,60 @@ client_x11_get_proto(const char *display, const char *xauth_path,
* is not perfect.
*/
if (strncmp(display, "localhost:", 10) == 0) {
- snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
- display + 10);
+ if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+ display + 10)) < 0 ||
+ (size_t)r >= sizeof(xdisplay)) {
+ error("%s: display name too long", __func__);
+ return -1;
+ }
display = xdisplay;
}
if (trusted == 0) {
- mktemp_proto(xauthdir, PATH_MAX);
/*
+ * Generate an untrusted X11 auth cookie.
+ *
* The authentication cookie should briefly outlive
* ssh's willingness to forward X11 connections to
* avoid nasty fail-open behaviour in the X server.
*/
+ mktemp_proto(xauthdir, sizeof(xauthdir));
+ if (mkdtemp(xauthdir) == NULL) {
+ error("%s: mkdtemp: %s",
+ __func__, strerror(errno));
+ return -1;
+ }
+ do_unlink = 1;
+ if ((r = snprintf(xauthfile, sizeof(xauthfile),
+ "%s/xauthfile", xauthdir)) < 0 ||
+ (size_t)r >= sizeof(xauthfile)) {
+ error("%s: xauthfile path too long", __func__);
+ unlink(xauthfile);
+ rmdir(xauthdir);
+ return -1;
+ }
+
if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
x11_timeout_real = UINT_MAX;
else
x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
- if (mkdtemp(xauthdir) != NULL) {
- do_unlink = 1;
- snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
- xauthdir);
- snprintf(cmd, sizeof(cmd),
- "%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout %u 2>" _PATH_DEVNULL,
- xauth_path, xauthfile, display,
- x11_timeout_real);
- debug2("x11_get_proto: %s", cmd);
- if (x11_refuse_time == 0) {
- now = monotime() + 1;
- if (UINT_MAX - timeout < now)
- x11_refuse_time = UINT_MAX;
- else
- x11_refuse_time = now + timeout;
- channel_set_x11_refuse_time(
- x11_refuse_time);
- }
- if (system(cmd) == 0)
- generated = 1;
+ if ((r = snprintf(cmd, sizeof(cmd),
+ "%s -f %s generate %s " SSH_X11_PROTO
+ " untrusted timeout %u 2>" _PATH_DEVNULL,
+ xauth_path, xauthfile, display,
+ x11_timeout_real)) < 0 ||
+ (size_t)r >= sizeof(cmd))
+ fatal("%s: cmd too long", __func__);
+ debug2("%s: %s", __func__, cmd);
+ if (x11_refuse_time == 0) {
+ now = monotime() + 1;
+ if (UINT_MAX - timeout < now)
+ x11_refuse_time = UINT_MAX;
+ else
+ x11_refuse_time = now + timeout;
+ channel_set_x11_refuse_time(x11_refuse_time);
}
+ if (system(cmd) == 0)
+ generated = 1;
}
/*
@@ -395,9 +414,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
got_data = 1;
if (f)
pclose(f);
- } else
- error("Warning: untrusted X11 forwarding setup failed: "
- "xauth key data not generated");
+ }
}
if (do_unlink) {
@@ -405,6 +422,13 @@ client_x11_get_proto(const char *display, const char *xauth_path,
rmdir(xauthdir);
}
+ /* Don't fall back to fake X11 data for untrusted forwarding */
+ if (!trusted && !got_data) {
+ error("Warning: untrusted X11 forwarding setup failed: "
+ "xauth key data not generated");
+ return -1;
+ }
+
/*
* If we didn't get authentication data, just make up some
* data. The forwarding code will check the validity of the
@@ -427,6 +451,8 @@ client_x11_get_proto(const char *display, const char *xauth_path,
rnd >>= 8;
}
}
+
+ return 0;
}
/*
diff --git a/clientloop.h b/clientloop.h
index 338d451..f4d4c69 100644
--- a/clientloop.h
+++ b/clientloop.h
@@ -39,7 +39,7 @@
/* Client side main loop for the interactive session. */
int client_loop(int, int, int);
-void client_x11_get_proto(const char *, const char *, u_int, u_int,
+int client_x11_get_proto(const char *, const char *, u_int, u_int,
char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,
diff --git a/mux.c b/mux.c
index f9c3af6..6bf53eb 100644
--- a/mux.c
+++ b/mux.c
@@ -1354,16 +1354,18 @@ mux_session_confirm(int id, int success, void *arg)
char *proto, *data;
/* Get reasonable local authentication information. */
- client_x11_get_proto(display, options.xauth_location,
+ if (client_x11_get_proto(display, options.xauth_location,
options.forward_x11_trusted, options.forward_x11_timeout,
- &proto, &data);
- /* Request forwarding with authentication spoofing. */
- debug("Requesting X11 forwarding with authentication "
- "spoofing.");
- x11_request_forwarding_with_spoofing(id, display, proto,
- data, 1);
- client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN);
- /* XXX exit_on_forward_failure */
+ &proto, &data) == 0) {
+ /* Request forwarding with authentication spoofing. */
+ debug("Requesting X11 forwarding with authentication "
+ "spoofing.");
+ x11_request_forwarding_with_spoofing(id, display, proto,
+ data, 1);
+ /* XXX exit_on_forward_failure */
+ client_expect_confirm(id, "X11 forwarding",
+ CONFIRM_WARN);
+ }
}
if (cctx->want_agent_fwd && options.forward_agent) {
diff --git a/ssh.c b/ssh.c
index 81704ab..096c5b5 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1626,6 +1626,7 @@ ssh_session(void)
struct winsize ws;
char *cp;
const char *display;
+ char *proto = NULL, *data = NULL;
/* Enable compression if requested. */
if (options.compression) {
@@ -1696,13 +1697,9 @@ ssh_session(void)
display = getenv("DISPLAY");
if (display == NULL && options.forward_x11)
debug("X11 forwarding requested but DISPLAY not set");
- if (options.forward_x11 && display != NULL) {
- char *proto, *data;
- /* Get reasonable local authentication information. */
- client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted,
- options.forward_x11_timeout,
- &proto, &data);
+ if (options.forward_x11 && client_x11_get_proto(display,
+ options.xauth_location, options.forward_x11_trusted,
+ options.forward_x11_timeout, &proto, &data) == 0) {
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
@@ -1792,6 +1789,7 @@ ssh_session2_setup(int id, int success, void *arg)
extern char **environ;
const char *display;
int interactive = tty_flag;
+ char *proto = NULL, *data = NULL;
if (!success)
return; /* No need for error message, channels code sens one */
@@ -1799,12 +1797,9 @@ ssh_session2_setup(int id, int success, void *arg)
display = getenv("DISPLAY");
if (display == NULL && options.forward_x11)
debug("X11 forwarding requested but DISPLAY not set");
- if (options.forward_x11 && display != NULL) {
- char *proto, *data;
- /* Get reasonable local authentication information. */
- client_x11_get_proto(display, options.xauth_location,
- options.forward_x11_trusted,
- options.forward_x11_timeout, &proto, &data);
+ if (options.forward_x11 && client_x11_get_proto(display,
+ options.xauth_location, options.forward_x11_trusted,
+ options.forward_x11_timeout, &proto, &data) == 0) {
/* Request forwarding with authentication spoofing. */
debug("Requesting X11 forwarding with authentication "
"spoofing.");
--
2.5.0
From 5658ef2501e785fbbdf5de2dc33b1ff7a4dca73a Mon Sep 17 00:00:00 2001
From: "millert@openbsd.org" <millert@openbsd.org>
Date: Mon, 1 Feb 2016 21:18:17 +0000
Subject: upstream commit
Avoid ugly "DISPLAY "(null)" invalid; disabling X11
forwarding" message when DISPLAY is not set. This could also result in a
crash on systems with a printf that doesn't handle NULL. OK djm@
Upstream-ID: 20ee0cfbda678a247264c20ed75362042b90b412
---
clientloop.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index f8f9a3f..f0a08f2 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -318,8 +318,9 @@ client_x11_get_proto(const char *display, const char *xauth_path,
proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
if (!client_x11_display_valid(display)) {
- logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
- display);
+ if (display != NULL)
+ logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
+ display);
return -1;
}
if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
--
cgit v0.11.2


@ -1,6 +1,6 @@
diff -up openssh-7.0p1/audit-bsm.c.audit openssh-7.0p1/audit-bsm.c diff -up openssh-7.2p1/audit-bsm.c.audit openssh-7.2p1/audit-bsm.c
--- openssh-7.0p1/audit-bsm.c.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/audit-bsm.c.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/audit-bsm.c 2015-08-12 11:33:00.409914290 +0200 +++ openssh-7.2p1/audit-bsm.c 2016-02-12 18:24:34.212825181 +0100
@@ -375,10 +375,23 @@ audit_connection_from(const char *host, @@ -375,10 +375,23 @@ audit_connection_from(const char *host,
#endif #endif
} }
@ -80,9 +80,9 @@ diff -up openssh-7.0p1/audit-bsm.c.audit openssh-7.0p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff -up openssh-7.0p1/audit.c.audit openssh-7.0p1/audit.c diff -up openssh-7.2p1/audit.c.audit openssh-7.2p1/audit.c
--- openssh-7.0p1/audit.c.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/audit.c.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/audit.c 2015-08-12 11:33:00.410914289 +0200 +++ openssh-7.2p1/audit.c 2016-02-12 18:24:34.216825179 +0100
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#include <stdarg.h> #include <stdarg.h>
@ -280,9 +280,9 @@ diff -up openssh-7.0p1/audit.c.audit openssh-7.0p1/audit.c
} }
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-7.0p1/audit.h.audit openssh-7.0p1/audit.h diff -up openssh-7.2p1/audit.h.audit openssh-7.2p1/audit.h
--- openssh-7.0p1/audit.h.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/audit.h.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/audit.h 2015-08-12 11:33:00.410914289 +0200 +++ openssh-7.2p1/audit.h 2016-02-12 18:24:34.216825179 +0100
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
# define _SSH_AUDIT_H # define _SSH_AUDIT_H
@ -318,9 +318,9 @@ diff -up openssh-7.0p1/audit.h.audit openssh-7.0p1/audit.h
+void audit_generate_ephemeral_server_key(const char *); +void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff -up openssh-7.0p1/audit-linux.c.audit openssh-7.0p1/audit-linux.c diff -up openssh-7.2p1/audit-linux.c.audit openssh-7.2p1/audit-linux.c
--- openssh-7.0p1/audit-linux.c.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/audit-linux.c.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/audit-linux.c 2015-08-12 11:33:00.411914287 +0200 +++ openssh-7.2p1/audit-linux.c 2016-02-12 18:24:34.219825178 +0100
@@ -35,13 +35,25 @@ @@ -35,13 +35,25 @@
#include "log.h" #include "log.h"
@ -712,9 +712,9 @@ diff -up openssh-7.0p1/audit-linux.c.audit openssh-7.0p1/audit-linux.c
+ error("cannot write into audit"); + error("cannot write into audit");
+} +}
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff -up openssh-7.0p1/auditstub.c.audit openssh-7.0p1/auditstub.c diff -up openssh-7.2p1/auditstub.c.audit openssh-7.2p1/auditstub.c
--- openssh-7.0p1/auditstub.c.audit 2015-08-12 11:33:00.411914287 +0200 --- openssh-7.2p1/auditstub.c.audit 2016-02-12 18:24:34.219825178 +0100
+++ openssh-7.0p1/auditstub.c 2015-08-12 11:33:00.411914287 +0200 +++ openssh-7.2p1/auditstub.c 2016-02-12 18:24:34.219825178 +0100
@@ -0,0 +1,50 @@ @@ -0,0 +1,50 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+ +
@ -766,9 +766,9 @@ diff -up openssh-7.0p1/auditstub.c.audit openssh-7.0p1/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{ +{
+} +}
diff -up openssh-7.0p1/auth2.c.audit openssh-7.0p1/auth2.c diff -up openssh-7.2p1/auth2.c.audit openssh-7.2p1/auth2.c
--- openssh-7.0p1/auth2.c.audit 2015-08-12 11:33:00.349914384 +0200 --- openssh-7.2p1/auth2.c.audit 2016-02-12 18:24:34.148825205 +0100
+++ openssh-7.0p1/auth2.c 2015-08-12 11:33:00.411914287 +0200 +++ openssh-7.2p1/auth2.c 2016-02-12 18:24:34.219825178 +0100
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32 @@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32
} else { } else {
logit("input_userauth_request: invalid user %s", user); logit("input_userauth_request: invalid user %s", user);
@ -779,9 +779,9 @@ diff -up openssh-7.0p1/auth2.c.audit openssh-7.0p1/auth2.c
} }
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) if (options.use_pam)
diff -up openssh-7.0p1/auth2-hostbased.c.audit openssh-7.0p1/auth2-hostbased.c diff -up openssh-7.2p1/auth2-hostbased.c.audit openssh-7.2p1/auth2-hostbased.c
--- openssh-7.0p1/auth2-hostbased.c.audit 2015-08-12 11:33:00.303914456 +0200 --- openssh-7.2p1/auth2-hostbased.c.audit 2016-02-12 18:24:34.109825220 +0100
+++ openssh-7.0p1/auth2-hostbased.c 2015-08-12 11:33:00.412914286 +0200 +++ openssh-7.2p1/auth2-hostbased.c 2016-02-12 18:24:34.220825178 +0100
@@ -146,7 +146,7 @@ userauth_hostbased(Authctxt *authctxt) @@ -146,7 +146,7 @@ userauth_hostbased(Authctxt *authctxt)
/* test for allowed key and correct signature */ /* test for allowed key and correct signature */
authenticated = 0; authenticated = 0;
@ -810,10 +810,10 @@ diff -up openssh-7.0p1/auth2-hostbased.c.audit openssh-7.0p1/auth2-hostbased.c
/* return 1 if given hostkey is allowed */ /* return 1 if given hostkey is allowed */
int int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c diff -up openssh-7.2p1/auth2-pubkey.c.audit openssh-7.2p1/auth2-pubkey.c
--- openssh-7.0p1/auth2-pubkey.c.audit 2015-08-12 11:33:00.318914432 +0200 --- openssh-7.2p1/auth2-pubkey.c.audit 2016-02-12 18:24:34.122825215 +0100
+++ openssh-7.0p1/auth2-pubkey.c 2015-08-12 11:33:00.412914286 +0200 +++ openssh-7.2p1/auth2-pubkey.c 2016-02-12 18:24:34.220825178 +0100
@@ -175,7 +175,7 @@ userauth_pubkey(Authctxt *authctxt) @@ -178,7 +178,7 @@ userauth_pubkey(Authctxt *authctxt)
/* test for correct signature */ /* test for correct signature */
authenticated = 0; authenticated = 0;
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) && if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
@ -822,7 +822,7 @@ diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c
buffer_len(&b))) == 1) { buffer_len(&b))) == 1) {
authenticated = 1; authenticated = 1;
/* Record the successful key to prevent reuse */ /* Record the successful key to prevent reuse */
@@ -253,6 +253,18 @@ pubkey_auth_info(Authctxt *authctxt, con @@ -258,6 +258,18 @@ pubkey_auth_info(Authctxt *authctxt, con
free(extra); free(extra);
} }
@ -841,10 +841,10 @@ diff -up openssh-7.0p1/auth2-pubkey.c.audit openssh-7.0p1/auth2-pubkey.c
/* /*
* Splits 's' into an argument vector. Handles quoted string and basic * Splits 's' into an argument vector. Handles quoted string and basic
* escape characters (\\, \", \'). Caller must free the argument vector * escape characters (\\, \", \'). Caller must free the argument vector
diff -up openssh-7.0p1/auth.c.audit openssh-7.0p1/auth.c diff -up openssh-7.2p1/auth.c.audit openssh-7.2p1/auth.c
--- openssh-7.0p1/auth.c.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/auth.c.audit 2016-02-12 18:24:34.148825205 +0100
+++ openssh-7.0p1/auth.c 2015-08-12 11:33:00.412914286 +0200 +++ openssh-7.2p1/auth.c 2016-02-12 18:24:34.220825178 +0100
@@ -645,9 +645,6 @@ getpwnamallow(const char *user) @@ -646,9 +646,6 @@ getpwnamallow(const char *user)
record_failed_login(user, record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh"); get_canonical_hostname(options.use_dns), "ssh");
#endif #endif
@ -854,9 +854,9 @@ diff -up openssh-7.0p1/auth.c.audit openssh-7.0p1/auth.c
return (NULL); return (NULL);
} }
if (!allowed_user(pw)) if (!allowed_user(pw))
diff -up openssh-7.0p1/auth.h.audit openssh-7.0p1/auth.h diff -up openssh-7.2p1/auth.h.audit openssh-7.2p1/auth.h
--- openssh-7.0p1/auth.h.audit 2015-08-12 11:33:00.302914457 +0200 --- openssh-7.2p1/auth.h.audit 2016-02-12 18:24:34.108825221 +0100
+++ openssh-7.0p1/auth.h 2015-08-12 11:33:00.412914286 +0200 +++ openssh-7.2p1/auth.h 2016-02-12 18:32:46.085636046 +0100
@@ -195,6 +195,7 @@ void abandon_challenge_response(Authctxt @@ -195,6 +195,7 @@ void abandon_challenge_response(Authctxt
char *expand_authorized_keys(const char *, struct passwd *pw); char *expand_authorized_keys(const char *, struct passwd *pw);
@ -868,14 +868,14 @@ diff -up openssh-7.0p1/auth.h.audit openssh-7.0p1/auth.h
@@ -213,6 +214,7 @@ int get_hostkey_index(Key *, int, struc @@ -213,6 +214,7 @@ int get_hostkey_index(Key *, int, struc
int ssh1_session_key(BIGNUM *); int ssh1_session_key(BIGNUM *);
int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *, int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
const u_char *, size_t, u_int); const u_char *, size_t, const char *, u_int);
+int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); +int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
/* debug messages during authentication */ /* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff -up openssh-7.0p1/auth-rsa.c.audit openssh-7.0p1/auth-rsa.c diff -up openssh-7.2p1/auth-rsa.c.audit openssh-7.2p1/auth-rsa.c
--- openssh-7.0p1/auth-rsa.c.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/auth-rsa.c.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/auth-rsa.c 2015-08-12 11:33:00.412914286 +0200 +++ openssh-7.2p1/auth-rsa.c 2016-02-12 18:24:34.221825177 +0100
@@ -95,7 +95,10 @@ auth_rsa_verify_response(Key *key, BIGNU @@ -95,7 +95,10 @@ auth_rsa_verify_response(Key *key, BIGNU
{ {
u_char buf[32], mdbuf[16]; u_char buf[32], mdbuf[16];
@ -912,9 +912,9 @@ diff -up openssh-7.0p1/auth-rsa.c.audit openssh-7.0p1/auth-rsa.c
} }
/* /*
diff -up openssh-7.0p1/cipher.c.audit openssh-7.0p1/cipher.c diff -up openssh-7.2p1/cipher.c.audit openssh-7.2p1/cipher.c
--- openssh-7.0p1/cipher.c.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/cipher.c.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/cipher.c 2015-08-12 11:33:00.412914286 +0200 +++ openssh-7.2p1/cipher.c 2016-02-12 18:24:34.221825177 +0100
@@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(v @@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(v
extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
#endif #endif
@ -942,9 +942,9 @@ diff -up openssh-7.0p1/cipher.c.audit openssh-7.0p1/cipher.c
static const struct sshcipher ciphers[] = { static const struct sshcipher ciphers[] = {
#ifdef WITH_SSH1 #ifdef WITH_SSH1
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
diff -up openssh-7.0p1/cipher.h.audit openssh-7.0p1/cipher.h diff -up openssh-7.2p1/cipher.h.audit openssh-7.2p1/cipher.h
--- openssh-7.0p1/cipher.h.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/cipher.h.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/cipher.h 2015-08-12 11:33:00.413914284 +0200 +++ openssh-7.2p1/cipher.h 2016-02-12 18:24:34.221825177 +0100
@@ -62,7 +62,26 @@ @@ -62,7 +62,26 @@
#define CIPHER_ENCRYPT 1 #define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0 #define CIPHER_DECRYPT 0
@ -973,9 +973,9 @@ diff -up openssh-7.0p1/cipher.h.audit openssh-7.0p1/cipher.h
struct sshcipher_ctx { struct sshcipher_ctx {
int plaintext; int plaintext;
int encrypt; int encrypt;
diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c diff -up openssh-7.2p1/kex.c.audit openssh-7.2p1/kex.c
--- openssh-7.0p1/kex.c.audit 2015-08-12 11:33:00.351914381 +0200 --- openssh-7.2p1/kex.c.audit 2016-02-12 18:24:34.201825185 +0100
+++ openssh-7.0p1/kex.c 2015-08-12 11:33:00.413914284 +0200 +++ openssh-7.2p1/kex.c 2016-02-12 18:24:34.221825177 +0100
@@ -54,6 +54,7 @@ @@ -54,6 +54,7 @@
#include "ssherr.h" #include "ssherr.h"
#include "sshbuf.h" #include "sshbuf.h"
@ -984,7 +984,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
#ifdef GSSAPI #ifdef GSSAPI
#include "ssh-gss.h" #include "ssh-gss.h"
@@ -549,8 +550,12 @@ choose_enc(struct sshenc *enc, char *cli @@ -669,8 +670,12 @@ choose_enc(struct sshenc *enc, char *cli
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -998,7 +998,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
if ((enc->cipher = cipher_by_name(name)) == NULL) if ((enc->cipher = cipher_by_name(name)) == NULL)
return SSH_ERR_INTERNAL_ERROR; return SSH_ERR_INTERNAL_ERROR;
enc->name = name; enc->name = name;
@@ -568,8 +573,12 @@ choose_mac(struct ssh *ssh, struct sshma @@ -688,8 +693,12 @@ choose_mac(struct ssh *ssh, struct sshma
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -1012,7 +1012,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
if (mac_setup(mac, name) < 0) if (mac_setup(mac, name) < 0)
return SSH_ERR_INTERNAL_ERROR; return SSH_ERR_INTERNAL_ERROR;
/* truncate the key */ /* truncate the key */
@@ -586,8 +595,12 @@ choose_comp(struct sshcomp *comp, char * @@ -706,8 +715,12 @@ choose_comp(struct sshcomp *comp, char *
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -1026,7 +1026,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
if (strcmp(name, "zlib@openssh.com") == 0) { if (strcmp(name, "zlib@openssh.com") == 0) {
comp->type = COMP_DELAYED; comp->type = COMP_DELAYED;
} else if (strcmp(name, "zlib") == 0) { } else if (strcmp(name, "zlib") == 0) {
@@ -753,6 +766,10 @@ kex_choose_conf(struct ssh *ssh) @@ -878,6 +891,10 @@ kex_choose_conf(struct ssh *ssh)
dh_need = MAX(dh_need, newkeys->enc.block_size); dh_need = MAX(dh_need, newkeys->enc.block_size);
dh_need = MAX(dh_need, newkeys->enc.iv_len); dh_need = MAX(dh_need, newkeys->enc.iv_len);
dh_need = MAX(dh_need, newkeys->mac.key_len); dh_need = MAX(dh_need, newkeys->mac.key_len);
@ -1037,7 +1037,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
} }
/* XXX need runden? */ /* XXX need runden? */
kex->we_need = need; kex->we_need = need;
@@ -928,3 +945,34 @@ dump_digest(char *msg, u_char *digest, i @@ -1052,3 +1069,34 @@ dump_digest(char *msg, u_char *digest, i
sshbuf_dump_data(digest, len, stderr); sshbuf_dump_data(digest, len, stderr);
} }
#endif #endif
@ -1054,7 +1054,7 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
+ } + }
+ +
+ if (enc->iv) { + if (enc->iv) {
+ memset(enc->iv, 0, enc->block_size); + memset(enc->iv, 0, enc->iv_len);
+ free(enc->iv); + free(enc->iv);
+ } + }
+ +
@ -1072,10 +1072,10 @@ diff -up openssh-7.0p1/kex.c.audit openssh-7.0p1/kex.c
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp)); + memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+} +}
+ +
diff -up openssh-7.0p1/kex.h.audit openssh-7.0p1/kex.h diff -up openssh-7.2p1/kex.h.audit openssh-7.2p1/kex.h
--- openssh-7.0p1/kex.h.audit 2015-08-12 11:33:00.352914379 +0200 --- openssh-7.2p1/kex.h.audit 2016-02-12 18:24:34.201825185 +0100
+++ openssh-7.0p1/kex.h 2015-08-12 11:33:00.413914284 +0200 +++ openssh-7.2p1/kex.h 2016-02-12 18:24:34.222825177 +0100
@@ -202,6 +202,8 @@ int kexgss_client(struct ssh *); @@ -206,6 +206,8 @@ int kexgss_client(struct ssh *);
int kexgss_server(struct ssh *); int kexgss_server(struct ssh *);
#endif #endif
@ -1084,9 +1084,9 @@ diff -up openssh-7.0p1/kex.h.audit openssh-7.0p1/kex.h
int kex_dh_hash(const char *, const char *, int kex_dh_hash(const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
diff -up openssh-7.0p1/key.h.audit openssh-7.0p1/key.h diff -up openssh-7.2p1/key.h.audit openssh-7.2p1/key.h
--- openssh-7.0p1/key.h.audit 2015-08-12 11:33:00.413914284 +0200 --- openssh-7.2p1/key.h.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/key.h 2015-08-12 11:33:45.908843298 +0200 +++ openssh-7.2p1/key.h 2016-02-12 18:24:34.222825177 +0100
@@ -50,6 +50,7 @@ typedef struct sshkey Key; @@ -50,6 +50,7 @@ typedef struct sshkey Key;
#define key_ecdsa_bits_to_nid sshkey_ecdsa_bits_to_nid #define key_ecdsa_bits_to_nid sshkey_ecdsa_bits_to_nid
#define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid #define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
@ -1095,9 +1095,9 @@ diff -up openssh-7.0p1/key.h.audit openssh-7.0p1/key.h
#define key_type_plain sshkey_type_plain #define key_type_plain sshkey_type_plain
#define key_curve_name_to_nid sshkey_curve_name_to_nid #define key_curve_name_to_nid sshkey_curve_name_to_nid
#define key_curve_nid_to_bits sshkey_curve_nid_to_bits #define key_curve_nid_to_bits sshkey_curve_nid_to_bits
diff -up openssh-7.0p1/mac.c.audit openssh-7.0p1/mac.c diff -up openssh-7.2p1/mac.c.audit openssh-7.2p1/mac.c
--- openssh-7.0p1/mac.c.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/mac.c.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/mac.c 2015-08-12 11:33:00.413914284 +0200 +++ openssh-7.2p1/mac.c 2016-02-12 18:24:34.222825177 +0100
@@ -226,6 +226,20 @@ mac_clear(struct sshmac *mac) @@ -226,6 +226,20 @@ mac_clear(struct sshmac *mac)
mac->umac_ctx = NULL; mac->umac_ctx = NULL;
} }
@ -1119,9 +1119,9 @@ diff -up openssh-7.0p1/mac.c.audit openssh-7.0p1/mac.c
/* XXX copied from ciphers_valid */ /* XXX copied from ciphers_valid */
#define MAC_SEP "," #define MAC_SEP ","
int int
diff -up openssh-7.0p1/mac.h.audit openssh-7.0p1/mac.h diff -up openssh-7.2p1/mac.h.audit openssh-7.2p1/mac.h
--- openssh-7.0p1/mac.h.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/mac.h.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/mac.h 2015-08-12 11:33:00.413914284 +0200 +++ openssh-7.2p1/mac.h 2016-02-12 18:24:34.222825177 +0100
@@ -47,5 +47,6 @@ int mac_init(struct sshmac *); @@ -47,5 +47,6 @@ int mac_init(struct sshmac *);
int mac_compute(struct sshmac *, u_int32_t, const u_char *, int, int mac_compute(struct sshmac *, u_int32_t, const u_char *, int,
u_char *, size_t); u_char *, size_t);
@ -1129,30 +1129,30 @@ diff -up openssh-7.0p1/mac.h.audit openssh-7.0p1/mac.h
+void mac_destroy(struct sshmac *); +void mac_destroy(struct sshmac *);
#endif /* SSHMAC_H */ #endif /* SSHMAC_H */
diff -up openssh-7.0p1/Makefile.in.audit openssh-7.0p1/Makefile.in diff -up openssh-7.2p1/Makefile.in.audit openssh-7.2p1/Makefile.in
--- openssh-7.0p1/Makefile.in.audit 2015-08-12 11:33:00.402914301 +0200 --- openssh-7.2p1/Makefile.in.audit 2016-02-12 18:24:34.222825177 +0100
+++ openssh-7.0p1/Makefile.in 2015-08-12 11:33:00.414914283 +0200 +++ openssh-7.2p1/Makefile.in 2016-02-12 18:33:38.858629492 +0100
@@ -98,7 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -99,7 +99,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auditstub.o - platform-pledge.o
+ platform-pledge.o auditstub.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o
diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c diff -up openssh-7.2p1/monitor.c.audit openssh-7.2p1/monitor.c
--- openssh-7.0p1/monitor.c.audit 2015-08-12 11:33:00.378914339 +0200 --- openssh-7.2p1/monitor.c.audit 2016-02-12 18:24:34.176825195 +0100
+++ openssh-7.0p1/monitor.c 2015-08-12 11:33:00.414914283 +0200 +++ openssh-7.2p1/monitor.c 2016-02-12 18:34:05.184629882 +0100
@@ -102,6 +102,7 @@ @@ -101,6 +101,7 @@
#include "compat.h"
#include "ssh2.h" #include "ssh2.h"
#include "roaming.h"
#include "authfd.h" #include "authfd.h"
+#include "audit.h" +#include "audit.h"
#include "match.h" #include "match.h"
#include "ssherr.h" #include "ssherr.h"
@@ -117,6 +118,8 @@ extern Buffer auth_debug; @@ -116,6 +117,8 @@ extern Buffer auth_debug;
extern int auth_debug_init; extern int auth_debug_init;
extern Buffer loginmsg; extern Buffer loginmsg;
@ -1161,7 +1161,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
/* State exported from the child */ /* State exported from the child */
static struct sshbuf *child_state; static struct sshbuf *child_state;
@@ -167,6 +170,11 @@ int mm_answer_gss_updatecreds(int, Buffe @@ -166,6 +169,11 @@ int mm_answer_gss_updatecreds(int, Buffe
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_event(int, Buffer *);
int mm_answer_audit_command(int, Buffer *); int mm_answer_audit_command(int, Buffer *);
@ -1173,7 +1173,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
#endif #endif
static int monitor_read_log(struct monitor *); static int monitor_read_log(struct monitor *);
@@ -226,6 +234,10 @@ struct mon_table mon_dispatch_proto20[] @@ -225,6 +233,10 @@ struct mon_table mon_dispatch_proto20[]
#endif #endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -1184,7 +1184,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
#endif #endif
#ifdef BSD_AUTH #ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -264,6 +276,11 @@ struct mon_table mon_dispatch_postauth20 @@ -263,6 +275,11 @@ struct mon_table mon_dispatch_postauth20
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@ -1196,7 +1196,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -296,6 +313,10 @@ struct mon_table mon_dispatch_proto15[] @@ -295,6 +312,10 @@ struct mon_table mon_dispatch_proto15[]
#endif #endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@ -1207,7 +1207,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
#endif #endif
#endif /* WITH_SSH1 */ #endif /* WITH_SSH1 */
{0, 0, NULL} {0, 0, NULL}
@@ -309,6 +330,11 @@ struct mon_table mon_dispatch_postauth15 @@ -308,6 +329,11 @@ struct mon_table mon_dispatch_postauth15
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
@ -1219,7 +1219,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
#endif #endif
#endif /* WITH_SSH1 */ #endif /* WITH_SSH1 */
{0, 0, NULL} {0, 0, NULL}
@@ -1467,9 +1493,11 @@ mm_answer_keyverify(int sock, Buffer *m) @@ -1464,9 +1490,11 @@ mm_answer_keyverify(int sock, Buffer *m)
Key *key; Key *key;
u_char *signature, *data, *blob; u_char *signature, *data, *blob;
u_int signaturelen, datalen, bloblen; u_int signaturelen, datalen, bloblen;
@ -1231,7 +1231,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
blob = buffer_get_string(m, &bloblen); blob = buffer_get_string(m, &bloblen);
signature = buffer_get_string(m, &signaturelen); signature = buffer_get_string(m, &signaturelen);
data = buffer_get_string(m, &datalen); data = buffer_get_string(m, &datalen);
@@ -1477,6 +1505,8 @@ mm_answer_keyverify(int sock, Buffer *m) @@ -1474,6 +1502,8 @@ mm_answer_keyverify(int sock, Buffer *m)
if (hostbased_cuser == NULL || hostbased_chost == NULL || if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen)) !monitor_allowed_key(blob, bloblen))
fatal("%s: bad key, not previously allowed", __func__); fatal("%s: bad key, not previously allowed", __func__);
@ -1240,7 +1240,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
key = key_from_blob(blob, bloblen); key = key_from_blob(blob, bloblen);
if (key == NULL) if (key == NULL)
@@ -1497,7 +1527,17 @@ mm_answer_keyverify(int sock, Buffer *m) @@ -1494,7 +1524,17 @@ mm_answer_keyverify(int sock, Buffer *m)
if (!valid_data) if (!valid_data)
fatal("%s: bad signature data blob", __func__); fatal("%s: bad signature data blob", __func__);
@ -1259,7 +1259,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
debug3("%s: key %p signature %s", debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified"); __func__, key, (verified == 1) ? "verified" : "unverified");
@@ -1558,6 +1598,12 @@ mm_session_close(Session *s) @@ -1555,6 +1595,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s); session_pty_cleanup2(s);
} }
@ -1272,7 +1272,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
session_unused(s->self); session_unused(s->self);
} }
@@ -1840,6 +1886,8 @@ mm_answer_term(int sock, Buffer *req) @@ -1837,6 +1883,8 @@ mm_answer_term(int sock, Buffer *req)
sshpam_cleanup(); sshpam_cleanup();
#endif #endif
@ -1281,7 +1281,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
while (waitpid(pmonitor->m_pid, &status, 0) == -1) while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR) if (errno != EINTR)
exit(1); exit(1);
@@ -1882,11 +1930,43 @@ mm_answer_audit_command(int socket, Buff @@ -1879,11 +1927,43 @@ mm_answer_audit_command(int socket, Buff
{ {
u_int len; u_int len;
char *cmd; char *cmd;
@ -1326,7 +1326,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
free(cmd); free(cmd);
return (0); return (0);
} }
@@ -1943,6 +2023,7 @@ monitor_apply_keystate(struct monitor *p @@ -1940,6 +2020,7 @@ monitor_apply_keystate(struct monitor *p
void void
mm_get_keystate(struct monitor *pmonitor) mm_get_keystate(struct monitor *pmonitor)
{ {
@ -1334,7 +1334,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
debug3("%s: Waiting for new keys", __func__); debug3("%s: Waiting for new keys", __func__);
if ((child_state = sshbuf_new()) == NULL) if ((child_state = sshbuf_new()) == NULL)
@@ -1950,6 +2031,21 @@ mm_get_keystate(struct monitor *pmonitor @@ -1947,6 +2028,21 @@ mm_get_keystate(struct monitor *pmonitor
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
child_state); child_state);
debug3("%s: GOT new keys", __func__); debug3("%s: GOT new keys", __func__);
@ -1356,7 +1356,7 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
} }
@@ -2216,3 +2312,86 @@ mm_answer_gss_updatecreds(int socket, Bu @@ -2213,3 +2309,86 @@ mm_answer_gss_updatecreds(int socket, Bu
#endif /* GSSAPI */ #endif /* GSSAPI */
@ -1443,9 +1443,9 @@ diff -up openssh-7.0p1/monitor.c.audit openssh-7.0p1/monitor.c
+ return 0; + return 0;
+} +}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-7.0p1/monitor.h.audit openssh-7.0p1/monitor.h diff -up openssh-7.2p1/monitor.h.audit openssh-7.2p1/monitor.h
--- openssh-7.0p1/monitor.h.audit 2015-08-12 11:33:00.378914339 +0200 --- openssh-7.2p1/monitor.h.audit 2016-02-12 18:24:34.177825194 +0100
+++ openssh-7.0p1/monitor.h 2015-08-12 11:33:00.414914283 +0200 +++ openssh-7.2p1/monitor.h 2016-02-12 18:24:34.224825176 +0100
@@ -69,7 +69,13 @@ enum monitor_reqtype { @@ -69,7 +69,13 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1461,9 +1461,9 @@ diff -up openssh-7.0p1/monitor.h.audit openssh-7.0p1/monitor.h
}; };
diff -up openssh-7.0p1/monitor_wrap.c.audit openssh-7.0p1/monitor_wrap.c diff -up openssh-7.2p1/monitor_wrap.c.audit openssh-7.2p1/monitor_wrap.c
--- openssh-7.0p1/monitor_wrap.c.audit 2015-08-12 11:33:00.353914378 +0200 --- openssh-7.2p1/monitor_wrap.c.audit 2016-02-12 18:24:34.151825204 +0100
+++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:33:00.414914283 +0200 +++ openssh-7.2p1/monitor_wrap.c 2016-02-12 18:24:34.224825176 +0100
@@ -462,7 +462,7 @@ mm_key_allowed(enum mm_keytype type, cha @@ -462,7 +462,7 @@ mm_key_allowed(enum mm_keytype type, cha
*/ */
@ -1611,9 +1611,9 @@ diff -up openssh-7.0p1/monitor_wrap.c.audit openssh-7.0p1/monitor_wrap.c
+ buffer_free(&m); + buffer_free(&m);
+} +}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-7.0p1/monitor_wrap.h.audit openssh-7.0p1/monitor_wrap.h diff -up openssh-7.2p1/monitor_wrap.h.audit openssh-7.2p1/monitor_wrap.h
--- openssh-7.0p1/monitor_wrap.h.audit 2015-08-12 11:33:00.353914378 +0200 --- openssh-7.2p1/monitor_wrap.h.audit 2016-02-12 18:24:34.152825204 +0100
+++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:33:00.415914281 +0200 +++ openssh-7.2p1/monitor_wrap.h 2016-02-12 18:24:34.224825176 +0100
@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char @@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char
int mm_user_key_allowed(struct passwd *, Key *, int); int mm_user_key_allowed(struct passwd *, Key *, int);
int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
@ -1638,9 +1638,9 @@ diff -up openssh-7.0p1/monitor_wrap.h.audit openssh-7.0p1/monitor_wrap.h
#endif #endif
struct Session; struct Session;
diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c diff -up openssh-7.2p1/packet.c.audit openssh-7.2p1/packet.c
--- openssh-7.0p1/packet.c.audit 2015-08-12 11:33:00.288914479 +0200 --- openssh-7.2p1/packet.c.audit 2016-02-12 18:24:34.095825226 +0100
+++ openssh-7.0p1/packet.c 2015-08-12 11:33:00.415914281 +0200 +++ openssh-7.2p1/packet.c 2016-02-12 18:43:47.268638489 +0100
@@ -67,6 +67,7 @@ @@ -67,6 +67,7 @@
#include "key.h" /* typedefs XXX */ #include "key.h" /* typedefs XXX */
@ -1649,7 +1649,7 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
#include "crc32.h" #include "crc32.h"
#include "deattack.h" #include "deattack.h"
#include "compat.h" #include "compat.h"
@@ -449,6 +450,13 @@ ssh_packet_get_connection_out(struct ssh @@ -456,6 +457,13 @@ ssh_packet_get_connection_out(struct ssh
return ssh->state->connection_out; return ssh->state->connection_out;
} }
@ -1663,7 +1663,7 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
/* /*
* Returns the IP-address of the remote host as a string. The returned * Returns the IP-address of the remote host as a string. The returned
* string must not be freed. * string must not be freed.
@@ -479,13 +487,6 @@ ssh_packet_close(struct ssh *ssh) @@ -500,13 +508,6 @@ ssh_packet_close(struct ssh *ssh)
if (!state->initialized) if (!state->initialized)
return; return;
state->initialized = 0; state->initialized = 0;
@ -1677,7 +1677,7 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
sshbuf_free(state->input); sshbuf_free(state->input);
sshbuf_free(state->output); sshbuf_free(state->output);
sshbuf_free(state->outgoing_packet); sshbuf_free(state->outgoing_packet);
@@ -517,14 +518,24 @@ ssh_packet_close(struct ssh *ssh) @@ -538,12 +539,22 @@ ssh_packet_close(struct ssh *ssh)
inflateEnd(stream); inflateEnd(stream);
} }
} }
@ -1692,10 +1692,8 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
+ error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r)); + error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r));
+ audit_session_key_free(2); + audit_session_key_free(2);
+ } + }
if (ssh->remote_ipaddr) {
free(ssh->remote_ipaddr); free(ssh->remote_ipaddr);
ssh->remote_ipaddr = NULL; ssh->remote_ipaddr = NULL;
}
+ if (state->connection_in == state->connection_out) { + if (state->connection_in == state->connection_out) {
+ shutdown(state->connection_out, SHUT_RDWR); + shutdown(state->connection_out, SHUT_RDWR);
+ close(state->connection_out); + close(state->connection_out);
@ -1706,15 +1704,15 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
free(ssh->state); free(ssh->state);
ssh->state = NULL; ssh->state = NULL;
} }
@@ -944,6 +955,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod @@ -968,6 +979,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
} (unsigned long long)state->p_read.blocks,
if (state->newkeys[mode] != NULL) { (unsigned long long)state->p_send.bytes,
debug("set_newkeys: rekeying"); (unsigned long long)state->p_send.blocks);
+ audit_session_key_free(mode); + audit_session_key_free(mode);
if ((r = cipher_cleanup(cc)) != 0) if ((r = cipher_cleanup(cc)) != 0)
return r; return r;
enc = &state->newkeys[mode]->enc; enc = &state->newkeys[mode]->enc;
@@ -2292,6 +2304,75 @@ ssh_packet_get_output(struct ssh *ssh) @@ -2408,6 +2420,75 @@ ssh_packet_get_output(struct ssh *ssh)
return (void *)ssh->state->output; return (void *)ssh->state->output;
} }
@ -1787,55 +1785,13 @@ diff -up openssh-7.0p1/packet.c.audit openssh-7.0p1/packet.c
+ } + }
+} +}
+ +
/* XXX TODO update roaming to new API (does not work anyway) */
/*
* Save the state for the real connection, and use a separate state when
@@ -2301,18 +2382,12 @@ void
ssh_packet_backup_state(struct ssh *ssh,
struct ssh *backup_state)
{
- struct ssh *tmp;
-
close(ssh->state->connection_in);
ssh->state->connection_in = -1;
close(ssh->state->connection_out);
ssh->state->connection_out = -1;
- if (backup_state)
- tmp = backup_state;
- else
- tmp = ssh_alloc_session_state();
backup_state = ssh;
- ssh = tmp;
+ ssh = ssh_alloc_session_state();
}
/* XXX FIXME FIXME FIXME */
@@ -2331,9 +2406,7 @@ ssh_packet_restore_state(struct ssh *ssh
backup_state = ssh;
ssh = tmp;
ssh->state->connection_in = backup_state->state->connection_in;
- backup_state->state->connection_in = -1;
ssh->state->connection_out = backup_state->state->connection_out;
- backup_state->state->connection_out = -1;
len = sshbuf_len(backup_state->state->input);
if (len > 0) {
if ((r = sshbuf_putb(ssh->state->input,
@@ -2342,6 +2415,11 @@ ssh_packet_restore_state(struct ssh *ssh
sshbuf_reset(backup_state->state->input);
add_recv_bytes(len);
}
+ backup_state->state->connection_in = -1;
+ backup_state->state->connection_out = -1;
+ packet_destroy_state(backup_state->state);
+ free(backup_state);
+ backup_state = NULL;
}
/* Reset after_authentication and reset compression in post-auth privsep */ /* Reset after_authentication and reset compression in post-auth privsep */
diff -up openssh-7.0p1/packet.h.audit openssh-7.0p1/packet.h static int
--- openssh-7.0p1/packet.h.audit 2015-08-11 10:57:29.000000000 +0200 ssh_packet_set_postauth(struct ssh *ssh)
+++ openssh-7.0p1/packet.h 2015-08-12 11:33:00.415914281 +0200 diff -up openssh-7.2p1/packet.h.audit openssh-7.2p1/packet.h
@@ -189,7 +189,7 @@ int sshpkt_get_end(struct ssh *ssh); --- openssh-7.2p1/packet.h.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/packet.h 2016-02-12 18:24:34.226825175 +0100
@@ -186,7 +186,7 @@ int sshpkt_get_end(struct ssh *ssh);
const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); const u_char *sshpkt_ptr(struct ssh *, size_t *lenp);
/* OLD API */ /* OLD API */
@ -1844,16 +1800,16 @@ diff -up openssh-7.0p1/packet.h.audit openssh-7.0p1/packet.h
#include "opacket.h" #include "opacket.h"
#if !defined(WITH_OPENSSL) #if !defined(WITH_OPENSSL)
@@ -203,4 +203,5 @@ extern struct ssh *active_state; @@ -200,4 +200,5 @@ extern struct ssh *active_state;
# undef EC_POINT # undef EC_POINT
#endif #endif
+void packet_destroy_all(int, int); +void packet_destroy_all(int, int);
#endif /* PACKET_H */ #endif /* PACKET_H */
diff -up openssh-7.0p1/sandbox-seccomp-filter.c.audit openssh-7.0p1/sandbox-seccomp-filter.c diff -up openssh-7.2p1/sandbox-seccomp-filter.c.audit openssh-7.2p1/sandbox-seccomp-filter.c
--- openssh-7.0p1/sandbox-seccomp-filter.c.audit 2015-08-12 11:33:00.394914314 +0200 --- openssh-7.2p1/sandbox-seccomp-filter.c.audit 2016-02-12 18:24:34.193825188 +0100
+++ openssh-7.0p1/sandbox-seccomp-filter.c 2015-08-12 11:33:00.415914281 +0200 +++ openssh-7.2p1/sandbox-seccomp-filter.c 2016-02-12 18:24:34.226825175 +0100
@@ -150,6 +150,12 @@ static const struct sock_filter preauth_ @@ -153,6 +153,12 @@ static const struct sock_filter preauth_
#ifdef __NR_gettimeofday #ifdef __NR_gettimeofday
SC_ALLOW(gettimeofday), SC_ALLOW(gettimeofday),
#endif #endif
@ -1866,9 +1822,9 @@ diff -up openssh-7.0p1/sandbox-seccomp-filter.c.audit openssh-7.0p1/sandbox-secc
#ifdef __NR_madvise #ifdef __NR_madvise
SC_ALLOW(madvise), SC_ALLOW(madvise),
#endif #endif
diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c diff -up openssh-7.2p1/session.c.audit openssh-7.2p1/session.c
--- openssh-7.0p1/session.c.audit 2015-08-12 11:33:00.379914337 +0200 --- openssh-7.2p1/session.c.audit 2016-02-12 18:24:34.177825194 +0100
+++ openssh-7.0p1/session.c 2015-08-12 11:33:00.416914280 +0200 +++ openssh-7.2p1/session.c 2016-02-12 18:24:34.226825175 +0100
@@ -139,7 +139,7 @@ extern int log_stderr; @@ -139,7 +139,7 @@ extern int log_stderr;
extern int debug_flag; extern int debug_flag;
extern u_int utmp_len; extern u_int utmp_len;
@ -1894,7 +1850,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
s->ptymaster = ptymaster; s->ptymaster = ptymaster;
packet_set_interactive(1, packet_set_interactive(1,
@@ -853,15 +861,19 @@ do_exec(Session *s, const char *command) @@ -853,15 +861,19 @@ do_exec(Session *s, const char *command)
get_remote_port()); s->self);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
+ if (s->command != NULL || s->command_handle != -1) + if (s->command != NULL || s->command_handle != -1)
@ -1915,7 +1871,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
ret = do_exec_pty(s, command); ret = do_exec_pty(s, command);
@@ -1704,7 +1716,10 @@ do_child(Session *s, const char *command @@ -1695,7 +1707,10 @@ do_child(Session *s, const char *command
int r = 0; int r = 0;
/* remove hostkey from the child's memory */ /* remove hostkey from the child's memory */
@ -1927,7 +1883,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
/* Force a password change */ /* Force a password change */
if (s->authctxt->force_pwchange) { if (s->authctxt->force_pwchange) {
@@ -1934,6 +1949,7 @@ session_unused(int id) @@ -1925,6 +1940,7 @@ session_unused(int id)
sessions[id].ttyfd = -1; sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1; sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL; sessions[id].x11_chanids = NULL;
@ -1935,7 +1891,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
sessions[id].next_unused = sessions_first_unused; sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id; sessions_first_unused = id;
} }
@@ -2016,6 +2032,19 @@ session_open(Authctxt *authctxt, int cha @@ -2007,6 +2023,19 @@ session_open(Authctxt *authctxt, int cha
} }
Session * Session *
@ -1955,7 +1911,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
session_by_tty(char *tty) session_by_tty(char *tty)
{ {
int i; int i;
@@ -2532,6 +2561,32 @@ session_exit_message(Session *s, int sta @@ -2523,6 +2552,32 @@ session_exit_message(Session *s, int sta
chan_write_failed(c); chan_write_failed(c);
} }
@ -1988,8 +1944,8 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
void void
session_close(Session *s) session_close(Session *s)
{ {
@@ -2540,6 +2595,10 @@ session_close(Session *s) @@ -2531,6 +2586,10 @@ session_close(Session *s)
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
if (s->ttyfd != -1) if (s->ttyfd != -1)
session_pty_cleanup(s); session_pty_cleanup(s);
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
@ -1999,7 +1955,7 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
free(s->term); free(s->term);
free(s->display); free(s->display);
free(s->x11_chanids); free(s->x11_chanids);
@@ -2754,6 +2813,15 @@ do_authenticated2(Authctxt *authctxt) @@ -2745,6 +2804,15 @@ do_authenticated2(Authctxt *authctxt)
server_loop2(authctxt); server_loop2(authctxt);
} }
@ -2015,16 +1971,16 @@ diff -up openssh-7.0p1/session.c.audit openssh-7.0p1/session.c
void void
do_cleanup(Authctxt *authctxt) do_cleanup(Authctxt *authctxt)
{ {
@@ -2802,5 +2870,5 @@ do_cleanup(Authctxt *authctxt) @@ -2793,5 +2861,5 @@ do_cleanup(Authctxt *authctxt)
* or if running in monitor. * or if running in monitor.
*/ */
if (!use_privsep || mm_is_monitor()) if (!use_privsep || mm_is_monitor())
- session_destroy_all(session_pty_cleanup2); - session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session); + session_destroy_all(do_cleanup_one_session);
} }
diff -up openssh-7.0p1/session.h.audit openssh-7.0p1/session.h diff -up openssh-7.2p1/session.h.audit openssh-7.2p1/session.h
--- openssh-7.0p1/session.h.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/session.h.audit 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/session.h 2015-08-12 11:33:00.416914280 +0200 +++ openssh-7.2p1/session.h 2016-02-12 18:24:34.226825175 +0100
@@ -61,6 +61,12 @@ struct Session { @@ -61,6 +61,12 @@ struct Session {
char *name; char *name;
char *val; char *val;
@ -2049,18 +2005,18 @@ diff -up openssh-7.0p1/session.h.audit openssh-7.0p1/session.h
Session *session_by_tty(char *); Session *session_by_tty(char *);
void session_close(Session *); void session_close(Session *);
void do_setusercontext(struct passwd *); void do_setusercontext(struct passwd *);
diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c diff -up openssh-7.2p1/sshd.c.audit openssh-7.2p1/sshd.c
--- openssh-7.0p1/sshd.c.audit 2015-08-12 11:33:00.388914323 +0200 --- openssh-7.2p1/sshd.c.audit 2016-02-12 18:24:34.189825190 +0100
+++ openssh-7.0p1/sshd.c 2015-08-12 11:33:00.417914278 +0200 +++ openssh-7.2p1/sshd.c 2016-02-12 18:44:44.650639338 +0100
@@ -122,6 +122,7 @@ @@ -121,6 +121,7 @@
#include "ssh-gss.h"
#endif #endif
#include "monitor_wrap.h" #include "monitor_wrap.h"
#include "roaming.h"
+#include "audit.h" +#include "audit.h"
#include "ssh-sandbox.h" #include "ssh-sandbox.h"
#include "version.h" #include "version.h"
#include "ssherr.h" #include "ssherr.h"
@@ -261,7 +262,7 @@ Buffer loginmsg; @@ -260,7 +261,7 @@ Buffer loginmsg;
struct passwd *privsep_pw = NULL; struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */ /* Prototypes for various functions defined later in this file. */
@ -2069,7 +2025,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
void demote_sensitive_data(void); void demote_sensitive_data(void);
#ifdef WITH_SSH1 #ifdef WITH_SSH1
@@ -282,6 +283,15 @@ close_listen_socks(void) @@ -281,6 +282,15 @@ close_listen_socks(void)
num_listen_socks = -1; num_listen_socks = -1;
} }
@ -2085,7 +2041,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
static void static void
close_startup_pipes(void) close_startup_pipes(void)
{ {
@@ -561,22 +571,45 @@ sshd_exchange_identification(int sock_in @@ -560,22 +570,45 @@ sshd_exchange_identification(int sock_in
} }
} }
@ -2134,7 +2090,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
key_free(sensitive_data.host_certificates[i]); key_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL; sensitive_data.host_certificates[i] = NULL;
} }
@@ -590,6 +623,8 @@ void @@ -589,6 +622,8 @@ void
demote_sensitive_data(void) demote_sensitive_data(void)
{ {
Key *tmp; Key *tmp;
@ -2143,7 +2099,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
int i; int i;
if (sensitive_data.server_key) { if (sensitive_data.server_key) {
@@ -598,13 +633,25 @@ demote_sensitive_data(void) @@ -597,13 +632,25 @@ demote_sensitive_data(void)
sensitive_data.server_key = tmp; sensitive_data.server_key = tmp;
} }
@ -2169,7 +2125,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
} }
/* Certs do not need demotion */ /* Certs do not need demotion */
} }
@@ -676,7 +723,7 @@ privsep_preauth(Authctxt *authctxt) @@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt)
if (use_privsep == PRIVSEP_ON) if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init(pmonitor); box = ssh_sandbox_init(pmonitor);
@ -2191,7 +2147,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
monitor_child_postauth(pmonitor); monitor_child_postauth(pmonitor);
/* NEVERREACHED */ /* NEVERREACHED */
@@ -1292,6 +1345,7 @@ server_accept_loop(int *sock_in, int *so @@ -1293,6 +1346,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) { if (received_sigterm) {
logit("Received signal %d; terminating.", logit("Received signal %d; terminating.",
(int) received_sigterm); (int) received_sigterm);
@ -2199,7 +2155,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
close_listen_socks(); close_listen_socks();
if (options.pid_file != NULL) if (options.pid_file != NULL)
unlink(options.pid_file); unlink(options.pid_file);
@@ -2255,6 +2309,7 @@ main(int ac, char **av) @@ -2256,6 +2310,7 @@ main(int ac, char **av)
*/ */
if (use_privsep) { if (use_privsep) {
mm_send_keystate(pmonitor); mm_send_keystate(pmonitor);
@ -2207,7 +2163,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
exit(0); exit(0);
} }
@@ -2300,7 +2355,7 @@ main(int ac, char **av) @@ -2301,7 +2356,7 @@ main(int ac, char **av)
privsep_postauth(authctxt); privsep_postauth(authctxt);
/* the monitor process [priv] will not return */ /* the monitor process [priv] will not return */
if (!compat20) if (!compat20)
@ -2216,7 +2172,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
} }
packet_set_timeout(options.client_alive_interval, packet_set_timeout(options.client_alive_interval,
@@ -2314,6 +2369,9 @@ main(int ac, char **av) @@ -2315,6 +2370,9 @@ main(int ac, char **av)
do_authenticated(authctxt); do_authenticated(authctxt);
/* The connection has been terminated. */ /* The connection has been terminated. */
@ -2226,7 +2182,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
packet_get_bytes(&ibytes, &obytes); packet_get_bytes(&ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes", verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes); (unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2474,6 +2532,10 @@ do_ssh1_kex(void) @@ -2475,6 +2533,10 @@ do_ssh1_kex(void)
if (cookie[i] != packet_get_char()) if (cookie[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match."); packet_disconnect("IP Spoofing check bytes do not match.");
@ -2237,7 +2193,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
debug("Encryption type: %.200s", cipher_name(cipher_type)); debug("Encryption type: %.200s", cipher_name(cipher_type));
/* Get the encrypted integer. */ /* Get the encrypted integer. */
@@ -2533,7 +2595,7 @@ do_ssh1_kex(void) @@ -2534,7 +2596,7 @@ do_ssh1_kex(void)
} }
/* Destroy the private and public keys. No longer. */ /* Destroy the private and public keys. No longer. */
@ -2246,7 +2202,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
if (use_privsep) if (use_privsep)
mm_ssh1_session_id(session_id); mm_ssh1_session_id(session_id);
@@ -2705,6 +2767,16 @@ do_ssh2_kex(void) @@ -2708,6 +2770,16 @@ do_ssh2_kex(void)
void void
cleanup_exit(int i) cleanup_exit(int i)
{ {
@ -2263,7 +2219,7 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
if (the_authctxt) { if (the_authctxt) {
do_cleanup(the_authctxt); do_cleanup(the_authctxt);
if (use_privsep && privsep_is_preauth && if (use_privsep && privsep_is_preauth &&
@@ -2716,9 +2788,14 @@ cleanup_exit(int i) @@ -2719,9 +2791,14 @@ cleanup_exit(int i)
pmonitor->m_pid, strerror(errno)); pmonitor->m_pid, strerror(errno));
} }
} }
@ -2279,10 +2235,10 @@ diff -up openssh-7.0p1/sshd.c.audit openssh-7.0p1/sshd.c
audit_event(SSH_CONNECTION_ABANDON); audit_event(SSH_CONNECTION_ABANDON);
#endif #endif
_exit(i); _exit(i);
diff -up openssh-7.0p1/sshkey.c.audit openssh-7.0p1/sshkey.c diff -up openssh-7.2p1/sshkey.c.audit openssh-7.2p1/sshkey.c
--- openssh-7.0p1/sshkey.c.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/sshkey.c.audit 2016-02-12 18:24:34.157825202 +0100
+++ openssh-7.0p1/sshkey.c 2015-08-12 11:33:00.417914278 +0200 +++ openssh-7.2p1/sshkey.c 2016-02-12 18:24:34.228825175 +0100
@@ -299,6 +299,33 @@ sshkey_type_is_valid_ca(int type) @@ -303,6 +303,33 @@ sshkey_type_is_valid_ca(int type)
} }
int int
@ -2316,10 +2272,10 @@ diff -up openssh-7.0p1/sshkey.c.audit openssh-7.0p1/sshkey.c
sshkey_is_cert(const struct sshkey *k) sshkey_is_cert(const struct sshkey *k)
{ {
if (k == NULL) if (k == NULL)
diff -up openssh-7.0p1/sshkey.h.audit openssh-7.0p1/sshkey.h diff -up openssh-7.2p1/sshkey.h.audit openssh-7.2p1/sshkey.h
--- openssh-7.0p1/sshkey.h.audit 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/sshkey.h.audit 2016-02-12 18:24:34.157825202 +0100
+++ openssh-7.0p1/sshkey.h 2015-08-12 11:33:00.417914278 +0200 +++ openssh-7.2p1/sshkey.h 2016-02-12 18:24:34.228825175 +0100
@@ -132,6 +132,7 @@ u_int sshkey_size(const struct sshkey @@ -133,6 +133,7 @@ u_int sshkey_size(const struct sshkey
int sshkey_generate(int type, u_int bits, struct sshkey **keyp); int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
int sshkey_from_private(const struct sshkey *, struct sshkey **); int sshkey_from_private(const struct sshkey *, struct sshkey **);
int sshkey_type_from_name(const char *); int sshkey_type_from_name(const char *);


@ -1,6 +1,6 @@
diff -up openssh-7.0p1/auth2.c.gsskex openssh-7.0p1/auth2.c diff -up openssh-7.2p1/auth2.c.gsskex openssh-7.2p1/auth2.c
--- openssh-7.0p1/auth2.c.gsskex 2015-08-12 11:15:43.625548999 +0200 --- openssh-7.2p1/auth2.c.gsskex 2016-02-19 10:01:04.829969345 +0100
+++ openssh-7.0p1/auth2.c 2015-08-12 11:15:43.692548892 +0200 +++ openssh-7.2p1/auth2.c 2016-02-19 10:01:04.865969325 +0100
@@ -70,6 +70,7 @@ extern Authmethod method_passwd; @@ -70,6 +70,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint; extern Authmethod method_kbdint;
extern Authmethod method_hostbased; extern Authmethod method_hostbased;
@ -17,9 +17,9 @@ diff -up openssh-7.0p1/auth2.c.gsskex openssh-7.0p1/auth2.c
&method_gssapi, &method_gssapi,
#endif #endif
&method_passwd, &method_passwd,
diff -up openssh-7.0p1/auth2-gss.c.gsskex openssh-7.0p1/auth2-gss.c diff -up openssh-7.2p1/auth2-gss.c.gsskex openssh-7.2p1/auth2-gss.c
--- openssh-7.0p1/auth2-gss.c.gsskex 2015-08-12 11:15:43.624549001 +0200 --- openssh-7.2p1/auth2-gss.c.gsskex 2016-02-19 10:01:04.829969345 +0100
+++ openssh-7.0p1/auth2-gss.c 2015-08-12 11:15:43.692548892 +0200 +++ openssh-7.2p1/auth2-gss.c 2016-02-19 10:01:04.865969325 +0100
@@ -31,6 +31,7 @@ @@ -31,6 +31,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -102,10 +102,21 @@ diff -up openssh-7.0p1/auth2-gss.c.gsskex openssh-7.0p1/auth2-gss.c
Authmethod method_gssapi = { Authmethod method_gssapi = {
"gssapi-with-mic", "gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c diff -up openssh-7.2p1/auth.c.gsskex openssh-7.2p1/auth.c
--- openssh-7.0p1/clientloop.c.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/auth.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/clientloop.c 2015-08-12 11:15:43.693548890 +0200 +++ openssh-7.2p1/auth.c 2016-02-19 10:01:04.866969324 +0100
@@ -115,6 +115,10 @@ @@ -354,6 +354,7 @@ auth_root_allowed(const char *method)
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
+ strcmp(method, "gssapi-keyex") == 0 ||
strcmp(method, "gssapi-with-mic") == 0)
return 1;
break;
diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
--- openssh-7.2p1/clientloop.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/clientloop.c 2016-02-19 10:01:04.866969324 +0100
@@ -114,6 +114,10 @@
#include "ssherr.h" #include "ssherr.h"
#include "hostfile.h" #include "hostfile.h"
@ -116,11 +127,14 @@ diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c
/* import options */ /* import options */
extern Options options; extern Options options;
@@ -1610,6 +1614,15 @@ client_loop(int have_pty, int escape_cha @@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_cha
break;
/* Do channel operations unless rekeying in progress. */ /* Do channel operations unless rekeying in progress. */
if (!rekeying) { - if (!ssh_packet_is_rekeying(active_state))
+ if (!ssh_packet_is_rekeying(active_state)) {
channel_after_select(readset, writeset); channel_after_select(readset, writeset);
+
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_renewal_rekey && + if (options.gss_renewal_rekey &&
+ ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) { + ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
@ -128,14 +142,15 @@ diff -up openssh-7.0p1/clientloop.c.gsskex openssh-7.0p1/clientloop.c
+ need_rekeying = 1; + need_rekeying = 1;
+ } + }
+#endif +#endif
+ }
+ +
if (need_rekeying || packet_need_rekeying()) { /* Buffer input from the connection. */
debug("need rekeying"); client_process_net_input(readset);
active_state->kex->done = 0;
diff -up openssh-7.0p1/configure.ac.gsskex openssh-7.0p1/configure.ac diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac
--- openssh-7.0p1/configure.ac.gsskex 2015-08-12 11:15:43.675548919 +0200 --- openssh-7.2p1/configure.ac.gsskex 2016-02-19 10:01:04.857969329 +0100
+++ openssh-7.0p1/configure.ac 2015-08-12 11:15:43.694548889 +0200 +++ openssh-7.2p1/configure.ac 2016-02-19 10:01:04.867969323 +0100
@@ -625,6 +625,30 @@ main() { if (NSVersionOfRunTimeLibrary(" @@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD]) [Use tunnel device compatibility to OpenBSD])
AC_DEFINE([SSH_TUN_PREPEND_AF], [1], AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic]) [Prepend the address family to IP tunnel traffic])
@ -166,9 +181,9 @@ diff -up openssh-7.0p1/configure.ac.gsskex openssh-7.0p1/configure.ac
m4_pattern_allow([AU_IPv]) m4_pattern_allow([AU_IPv])
AC_CHECK_DECL([AU_IPv4], [], AC_CHECK_DECL([AU_IPv4], [],
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
diff -up openssh-7.0p1/gss-genr.c.gsskex openssh-7.0p1/gss-genr.c diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
--- openssh-7.0p1/gss-genr.c.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/gss-genr.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/gss-genr.c 2015-08-12 11:15:43.694548889 +0200 +++ openssh-7.2p1/gss-genr.c 2016-02-19 10:01:04.867969323 +0100
@@ -41,12 +41,167 @@ @@ -41,12 +41,167 @@
#include "buffer.h" #include "buffer.h"
#include "log.h" #include "log.h"
@ -506,9 +521,9 @@ diff -up openssh-7.0p1/gss-genr.c.gsskex openssh-7.0p1/gss-genr.c
+} +}
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-7.0p1/gss-serv.c.gsskex openssh-7.0p1/gss-serv.c diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
--- openssh-7.0p1/gss-serv.c.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/gss-serv.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/gss-serv.c 2015-08-12 11:15:43.694548889 +0200 +++ openssh-7.2p1/gss-serv.c 2016-02-19 10:01:04.867969323 +0100
@@ -45,17 +45,19 @@ @@ -45,17 +45,19 @@
#include "session.h" #include "session.h"
#include "misc.h" #include "misc.h"
@ -791,9 +806,9 @@ diff -up openssh-7.0p1/gss-serv.c.gsskex openssh-7.0p1/gss-serv.c
} }
#endif #endif
diff -up openssh-7.0p1/gss-serv-krb5.c.gsskex openssh-7.0p1/gss-serv-krb5.c diff -up openssh-7.2p1/gss-serv-krb5.c.gsskex openssh-7.2p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/gss-serv-krb5.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:15:43.694548889 +0200 +++ openssh-7.2p1/gss-serv-krb5.c 2016-02-19 10:01:04.867969323 +0100
@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
krb5_error_code problem; krb5_error_code problem;
krb5_principal princ; krb5_principal princ;
@ -921,10 +936,10 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.gsskex openssh-7.0p1/gss-serv-krb5.c
}; };
#endif /* KRB5 */ #endif /* KRB5 */
diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
--- openssh-7.0p1/kex.c.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/kex.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/kex.c 2015-08-12 11:15:43.695548887 +0200 +++ openssh-7.2p1/kex.c 2016-02-19 10:01:04.868969323 +0100
@@ -55,6 +55,10 @@ @@ -54,6 +54,10 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "digest.h" #include "digest.h"
@ -935,7 +950,7 @@ diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L #if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256) # if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256 # define evp_ssh_sha256 EVP_sha256
@@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = { @@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = {
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
@ -947,7 +962,7 @@ diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c
{ NULL, -1, -1, -1}, { NULL, -1, -1, -1},
}; };
@@ -128,6 +137,12 @@ kex_alg_by_name(const char *name) @@ -140,6 +149,12 @@ kex_alg_by_name(const char *name)
for (k = kexalgs; k->name != NULL; k++) { for (k = kexalgs; k->name != NULL; k++) {
if (strcmp(k->name, name) == 0) if (strcmp(k->name, name) == 0)
return k; return k;
@ -960,9 +975,9 @@ diff -up openssh-7.0p1/kex.c.gsskex openssh-7.0p1/kex.c
} }
return NULL; return NULL;
} }
diff -up openssh-7.0p1/kexgssc.c.gsskex openssh-7.0p1/kexgssc.c diff -up openssh-7.2p1/kexgssc.c.gsskex openssh-7.2p1/kexgssc.c
--- openssh-7.0p1/kexgssc.c.gsskex 2015-08-12 11:15:43.695548887 +0200 --- openssh-7.2p1/kexgssc.c.gsskex 2016-02-19 10:01:04.868969323 +0100
+++ openssh-7.0p1/kexgssc.c 2015-08-12 11:15:43.695548887 +0200 +++ openssh-7.2p1/kexgssc.c 2016-02-19 10:01:04.868969323 +0100
@@ -0,0 +1,338 @@ @@ -0,0 +1,338 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1302,9 +1317,9 @@ diff -up openssh-7.0p1/kexgssc.c.gsskex openssh-7.0p1/kexgssc.c
+} +}
+ +
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-7.0p1/kexgsss.c.gsskex openssh-7.0p1/kexgsss.c diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
--- openssh-7.0p1/kexgsss.c.gsskex 2015-08-12 11:15:43.695548887 +0200 --- openssh-7.2p1/kexgsss.c.gsskex 2016-02-19 10:01:04.868969323 +0100
+++ openssh-7.0p1/kexgsss.c 2015-08-12 11:15:43.695548887 +0200 +++ openssh-7.2p1/kexgsss.c 2016-02-19 10:01:04.868969323 +0100
@@ -0,0 +1,295 @@ @@ -0,0 +1,295 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1601,10 +1616,10 @@ diff -up openssh-7.0p1/kexgsss.c.gsskex openssh-7.0p1/kexgsss.c
+ return 0; + return 0;
+} +}
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
--- openssh-7.0p1/kex.h.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/kex.h.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/kex.h 2015-08-12 11:17:44.694354889 +0200 +++ openssh-7.2p1/kex.h 2016-02-19 10:01:04.868969323 +0100
@@ -93,6 +93,11 @@ enum kex_exchange { @@ -92,6 +92,11 @@ enum kex_exchange {
KEX_DH_GEX_SHA256, KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2, KEX_ECDH_SHA2,
KEX_C25519_SHA256, KEX_C25519_SHA256,
@ -1616,7 +1631,7 @@ diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h
KEX_MAX KEX_MAX
}; };
@@ -139,6 +144,12 @@ struct kex { @@ -140,6 +145,12 @@ struct kex {
u_int flags; u_int flags;
int hash_alg; int hash_alg;
int ec_nid; int ec_nid;
@ -1629,7 +1644,7 @@ diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h
char *client_version_string; char *client_version_string;
char *server_version_string; char *server_version_string;
char *failed_choice; char *failed_choice;
@@ -186,6 +197,10 @@ int kexecdh_client(struct ssh *); @@ -189,6 +200,10 @@ int kexecdh_client(struct ssh *);
int kexecdh_server(struct ssh *); int kexecdh_server(struct ssh *);
int kexc25519_client(struct ssh *); int kexc25519_client(struct ssh *);
int kexc25519_server(struct ssh *); int kexc25519_server(struct ssh *);
@ -1640,9 +1655,9 @@ diff -up openssh-7.0p1/kex.h.gsskex openssh-7.0p1/kex.h
int kex_dh_hash(const char *, const char *, int kex_dh_hash(const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
diff -up openssh-7.0p1/Makefile.in.gsskex openssh-7.0p1/Makefile.in diff -up openssh-7.2p1/Makefile.in.gsskex openssh-7.2p1/Makefile.in
--- openssh-7.0p1/Makefile.in.gsskex 2015-08-12 11:15:43.686548901 +0200 --- openssh-7.2p1/Makefile.in.gsskex 2016-02-19 10:01:04.864969325 +0100
+++ openssh-7.0p1/Makefile.in 2015-08-12 11:15:43.695548887 +0200 +++ openssh-7.2p1/Makefile.in 2016-02-19 10:01:04.868969323 +0100
@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \ atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
@ -1659,11 +1674,11 @@ diff -up openssh-7.0p1/Makefile.in.gsskex openssh-7.0p1/Makefile.in
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \ sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
--- openssh-7.0p1/monitor.c.gsskex 2015-08-12 11:15:43.626548998 +0200 --- openssh-7.2p1/monitor.c.gsskex 2016-02-19 10:01:04.830969345 +0100
+++ openssh-7.0p1/monitor.c 2015-08-12 11:15:43.696548885 +0200 +++ openssh-7.2p1/monitor.c 2016-02-19 10:01:04.869969322 +0100
@@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer @@ -159,6 +159,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *);
@ -1672,7 +1687,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
#endif #endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@@ -240,11 +242,18 @@ struct mon_table mon_dispatch_proto20[] @@ -239,11 +241,18 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@ -1691,7 +1706,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif #endif
@@ -359,6 +368,10 @@ monitor_child_preauth(Authctxt *_authctx @@ -358,6 +367,10 @@ monitor_child_preauth(Authctxt *_authctx
/* Permit requests for moduli and signatures */ /* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@ -1702,7 +1717,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
} else { } else {
mon_dispatch = mon_dispatch_proto15; mon_dispatch = mon_dispatch_proto15;
@@ -467,6 +480,10 @@ monitor_child_postauth(struct monitor *p @@ -466,6 +479,10 @@ monitor_child_postauth(struct monitor *p
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@ -1713,7 +1728,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
} else { } else {
mon_dispatch = mon_dispatch_postauth15; mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1896,6 +1913,13 @@ monitor_apply_keystate(struct monitor *p @@ -1893,6 +1910,13 @@ monitor_apply_keystate(struct monitor *p
# endif # endif
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -1727,7 +1742,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type; kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index; kex->host_key_index=&get_hostkey_index;
@@ -1995,6 +2019,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer @@ -1992,6 +2016,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major; OM_uint32 major;
u_int len; u_int len;
@ -1737,7 +1752,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
goid.elements = buffer_get_string(m, &len); goid.elements = buffer_get_string(m, &len);
goid.length = len; goid.length = len;
@@ -2022,6 +2049,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe @@ -2019,6 +2046,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */ OM_uint32 flags = 0; /* GSI needs this */
u_int len; u_int len;
@ -1747,7 +1762,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
in.value = buffer_get_string(m, &len); in.value = buffer_get_string(m, &len);
in.length = len; in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2039,6 +2069,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe @@ -2036,6 +2066,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1755,7 +1770,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
} }
return (0); return (0);
} }
@@ -2050,6 +2081,9 @@ mm_answer_gss_checkmic(int sock, Buffer @@ -2047,6 +2078,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret; OM_uint32 ret;
u_int len; u_int len;
@ -1765,7 +1780,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
gssbuf.value = buffer_get_string(m, &len); gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len; gssbuf.length = len;
mic.value = buffer_get_string(m, &len); mic.value = buffer_get_string(m, &len);
@@ -2076,7 +2110,11 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -2073,7 +2107,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{ {
int authenticated; int authenticated;
@ -1778,7 +1793,7 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, authenticated); buffer_put_int(m, authenticated);
@@ -2089,5 +2127,73 @@ mm_answer_gss_userok(int sock, Buffer *m @@ -2086,5 +2124,73 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
} }
@ -1852,9 +1867,9 @@ diff -up openssh-7.0p1/monitor.c.gsskex openssh-7.0p1/monitor.c
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-7.0p1/monitor.h.gsskex openssh-7.0p1/monitor.h diff -up openssh-7.2p1/monitor.h.gsskex openssh-7.2p1/monitor.h
--- openssh-7.0p1/monitor.h.gsskex 2015-08-12 11:15:43.626548998 +0200 --- openssh-7.2p1/monitor.h.gsskex 2016-02-19 10:01:04.830969345 +0100
+++ openssh-7.0p1/monitor.h 2015-08-12 11:15:43.696548885 +0200 +++ openssh-7.2p1/monitor.h 2016-02-19 10:01:04.869969322 +0100
@@ -60,6 +60,8 @@ enum monitor_reqtype { @@ -60,6 +60,8 @@ enum monitor_reqtype {
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
MONITOR_REQ_AUTHROLE = 80, MONITOR_REQ_AUTHROLE = 80,
@ -1864,9 +1879,9 @@ diff -up openssh-7.0p1/monitor.h.gsskex openssh-7.0p1/monitor.h
MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff -up openssh-7.0p1/monitor_wrap.c.gsskex openssh-7.0p1/monitor_wrap.c diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
--- openssh-7.0p1/monitor_wrap.c.gsskex 2015-08-12 11:15:43.626548998 +0200 --- openssh-7.2p1/monitor_wrap.c.gsskex 2016-02-19 10:01:04.830969345 +0100
+++ openssh-7.0p1/monitor_wrap.c 2015-08-12 11:15:43.697548884 +0200 +++ openssh-7.2p1/monitor_wrap.c 2016-02-19 10:01:04.869969322 +0100
@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss @@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
} }
@ -1927,9 +1942,9 @@ diff -up openssh-7.0p1/monitor_wrap.c.gsskex openssh-7.0p1/monitor_wrap.c
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff -up openssh-7.0p1/monitor_wrap.h.gsskex openssh-7.0p1/monitor_wrap.h diff -up openssh-7.2p1/monitor_wrap.h.gsskex openssh-7.2p1/monitor_wrap.h
--- openssh-7.0p1/monitor_wrap.h.gsskex 2015-08-12 11:15:43.626548998 +0200 --- openssh-7.2p1/monitor_wrap.h.gsskex 2016-02-19 10:01:04.830969345 +0100
+++ openssh-7.0p1/monitor_wrap.h 2015-08-12 11:15:43.697548884 +0200 +++ openssh-7.2p1/monitor_wrap.h 2016-02-19 10:01:04.869969322 +0100
@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K @@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -1942,10 +1957,10 @@ diff -up openssh-7.0p1/monitor_wrap.h.gsskex openssh-7.0p1/monitor_wrap.h
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
--- openssh-7.0p1/readconf.c.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/readconf.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/readconf.c 2015-08-12 11:15:43.697548884 +0200 +++ openssh-7.2p1/readconf.c 2016-02-19 10:01:04.870969322 +0100
@@ -147,6 +147,8 @@ typedef enum { @@ -148,6 +148,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds, oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -1954,7 +1969,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist, oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts, oHashKnownHosts,
@@ -192,10 +194,19 @@ static struct { @@ -193,10 +195,19 @@ static struct {
{ "afstokenpassing", oUnsupported }, { "afstokenpassing", oUnsupported },
#if defined(GSSAPI) #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
@ -1974,7 +1989,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
#endif #endif
{ "fallbacktorsh", oDeprecated }, { "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated }, { "usersh", oDeprecated },
@@ -894,10 +905,30 @@ parse_time: @@ -926,10 +937,30 @@ parse_time:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2005,7 +2020,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
goto parse_flag; goto parse_flag;
@@ -1601,7 +1632,12 @@ initialize_options(Options * options) @@ -1648,7 +1679,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
options->gss_authentication = -1; options->gss_authentication = -1;
@ -2018,7 +2033,7 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -1729,8 +1765,14 @@ fill_default_options(Options * options) @@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1; options->challenge_response_authentication = 1;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2033,9 +2048,9 @@ diff -up openssh-7.0p1/readconf.c.gsskex openssh-7.0p1/readconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
diff -up openssh-7.0p1/readconf.h.gsskex openssh-7.0p1/readconf.h diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
--- openssh-7.0p1/readconf.h.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/readconf.h.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/readconf.h 2015-08-12 11:15:43.697548884 +0200 +++ openssh-7.2p1/readconf.h 2016-02-19 10:01:04.870969322 +0100
@@ -45,7 +45,12 @@ typedef struct { @@ -45,7 +45,12 @@ typedef struct {
int challenge_response_authentication; int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */ /* Try S/Key or TIS, authentication. */
@ -2049,9 +2064,9 @@ diff -up openssh-7.0p1/readconf.h.gsskex openssh-7.0p1/readconf.h
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-7.0p1/regress/cert-hostkey.sh.gsskex openssh-7.0p1/regress/cert-hostkey.sh diff -up openssh-7.2p1/regress/cert-hostkey.sh.gsskex openssh-7.2p1/regress/cert-hostkey.sh
--- openssh-7.0p1/regress/cert-hostkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200 --- openssh-7.2p1/regress/cert-hostkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/regress/cert-hostkey.sh 2015-08-12 11:16:52.511438554 +0200 +++ openssh-7.2p1/regress/cert-hostkey.sh 2016-02-19 10:01:04.870969322 +0100
@@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain @@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain
touch $OBJ/host_revoked_cert touch $OBJ/host_revoked_cert
cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
@ -2061,9 +2076,9 @@ diff -up openssh-7.0p1/regress/cert-hostkey.sh.gsskex openssh-7.0p1/regress/cert
# Prepare certificate, plain key and CA KRLs # Prepare certificate, plain key and CA KRLs
${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
diff -up openssh-7.0p1/regress/cert-userkey.sh.gsskex openssh-7.0p1/regress/cert-userkey.sh diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert-userkey.sh
--- openssh-7.0p1/regress/cert-userkey.sh.gsskex 2015-08-12 11:15:43.698548882 +0200 --- openssh-7.2p1/regress/cert-userkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/regress/cert-userkey.sh 2015-08-12 11:20:30.110089677 +0200 +++ openssh-7.2p1/regress/cert-userkey.sh 2016-02-19 10:01:04.870969322 +0100
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us @@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
@ -2073,9 +2088,9 @@ diff -up openssh-7.0p1/regress/cert-userkey.sh.gsskex openssh-7.0p1/regress/cert
kname() { kname() {
n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
diff -up openssh-7.0p1/regress/kextype.sh.gsskex openssh-7.0p1/regress/kextype.sh diff -up openssh-7.2p1/regress/kextype.sh.gsskex openssh-7.2p1/regress/kextype.sh
--- openssh-7.0p1/regress/kextype.sh.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/regress/kextype.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/regress/kextype.sh 2015-08-12 11:15:43.698548882 +0200 +++ openssh-7.2p1/regress/kextype.sh 2016-02-19 10:01:04.870969322 +0100
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh @@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
tries="1 2 3 4" tries="1 2 3 4"
@ -2086,9 +2101,9 @@ diff -up openssh-7.0p1/regress/kextype.sh.gsskex openssh-7.0p1/regress/kextype.s
verbose "kex $k" verbose "kex $k"
for i in $tries; do for i in $tries; do
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
diff -up openssh-7.0p1/regress/rekey.sh.gsskex openssh-7.0p1/regress/rekey.sh diff -up openssh-7.2p1/regress/rekey.sh.gsskex openssh-7.2p1/regress/rekey.sh
--- openssh-7.0p1/regress/rekey.sh.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/regress/rekey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/regress/rekey.sh 2015-08-12 11:15:43.698548882 +0200 +++ openssh-7.2p1/regress/rekey.sh 2016-02-19 10:01:04.870969322 +0100
@@ -38,6 +38,9 @@ increase_datafile_size 300 @@ -38,6 +38,9 @@ increase_datafile_size 300
opts="" opts=""
@ -2109,9 +2124,9 @@ diff -up openssh-7.0p1/regress/rekey.sh.gsskex openssh-7.0p1/regress/rekey.sh
verbose "client rekey $c $kex" verbose "client rekey $c $kex"
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
done done
diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
--- openssh-7.0p1/servconf.c.gsskex 2015-08-12 11:15:43.676548918 +0200 --- openssh-7.2p1/servconf.c.gsskex 2016-02-19 10:01:04.857969329 +0100
+++ openssh-7.0p1/servconf.c 2015-08-12 11:22:32.686893730 +0200 +++ openssh-7.2p1/servconf.c 2016-02-19 10:01:04.870969322 +0100
@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions @@ -117,8 +117,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
@ -2123,7 +2138,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@@ -276,10 +278,14 @@ fill_default_server_options(ServerOption @@ -288,10 +290,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2138,7 +2153,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -415,7 +421,7 @@ typedef enum { @@ -422,7 +428,7 @@ typedef enum {
sHostKeyAlgorithms, sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@ -2147,7 +2162,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate, sHostCertificate,
@@ -489,11 +495,17 @@ static struct { @@ -496,11 +502,17 @@ static struct {
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
@ -2165,7 +2180,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1235,6 +1247,10 @@ process_server_config_line(ServerOptions @@ -1246,6 +1258,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2176,7 +2191,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
case sGssCleanupCreds: case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds; intptr = &options->gss_cleanup_creds;
goto parse_flag; goto parse_flag;
@@ -1243,6 +1259,10 @@ process_server_config_line(ServerOptions @@ -1254,6 +1270,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_strict_acceptor; intptr = &options->gss_strict_acceptor;
goto parse_flag; goto parse_flag;
@ -2187,7 +2202,7 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;
@@ -2255,6 +2275,9 @@ dump_config(ServerOptions *o) @@ -2274,6 +2294,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2197,9 +2212,9 @@ diff -up openssh-7.0p1/servconf.c.gsskex openssh-7.0p1/servconf.c
#endif #endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication, dump_cfg_fmtint(sKbdInteractiveAuthentication,
diff -up openssh-7.0p1/servconf.h.gsskex openssh-7.0p1/servconf.h diff -up openssh-7.2p1/servconf.h.gsskex openssh-7.2p1/servconf.h
--- openssh-7.0p1/servconf.h.gsskex 2015-08-12 11:15:43.676548918 +0200 --- openssh-7.2p1/servconf.h.gsskex 2016-02-19 10:01:04.857969329 +0100
+++ openssh-7.0p1/servconf.h 2015-08-12 11:15:43.700548879 +0200 +++ openssh-7.2p1/servconf.h 2016-02-19 10:01:04.871969321 +0100
@@ -118,8 +118,10 @@ typedef struct { @@ -118,8 +118,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
@ -2211,19 +2226,18 @@ diff -up openssh-7.0p1/servconf.h.gsskex openssh-7.0p1/servconf.h
int password_authentication; /* If true, permit password int password_authentication; /* If true, permit password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* If true, permit */ int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5 diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
--- openssh-7.0p1/ssh_config.5.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/ssh_config.5.gsskex 2016-02-19 10:01:04.871969321 +0100
+++ openssh-7.0p1/ssh_config.5 2015-08-12 11:15:43.700548879 +0200 +++ openssh-7.2p1/ssh_config.5 2016-02-19 10:05:58.630146245 +0100
@@ -749,11 +749,43 @@ Specifies whether user authentication ba @@ -824,10 +824,40 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange +.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI may be used. When using +Specifies whether key exchange based on GSSAPI may be used. When using
+GSSAPI key exchange the server need not have a host key. +GSSAPI key exchange the server need not have a host key.
+The default is +The default is
+.Dq no . +.Dq no .
+Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIClientIdentity +.It Cm GSSAPIClientIdentity
+If set, specifies the GSSAPI client identity that ssh should use when +If set, specifies the GSSAPI client identity that ssh should use when
+connecting to the server. The default is unset, which means that the default +connecting to the server. The default is unset, which means that the default
@ -2237,8 +2251,6 @@ diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5
Forward (delegate) credentials to the server. Forward (delegate) credentials to the server.
The default is The default is
.Dq no . .Dq no .
-Note that this option applies to protocol version 2 only.
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPIRenewalForcesRekey +.It Cm GSSAPIRenewalForcesRekey
+If set to +If set to
+.Dq yes +.Dq yes
@ -2255,13 +2267,12 @@ diff -up openssh-7.0p1/ssh_config.5.gsskex openssh-7.0p1/ssh_config.5
+command line will be passed untouched to the GSSAPI library. +command line will be passed untouched to the GSSAPI library.
+The default is +The default is
+.Dq no . +.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
diff -up openssh-7.0p1/ssh_config.gsskex openssh-7.0p1/ssh_config diff -up openssh-7.2p1/ssh_config.gsskex openssh-7.2p1/ssh_config
--- openssh-7.0p1/ssh_config.gsskex 2015-08-12 11:15:43.667548932 +0200 --- openssh-7.2p1/ssh_config.gsskex 2016-02-19 10:01:04.852969332 +0100
+++ openssh-7.0p1/ssh_config 2015-08-12 11:15:43.700548879 +0200 +++ openssh-7.2p1/ssh_config 2016-02-19 10:01:04.871969321 +0100
@@ -26,6 +26,8 @@ @@ -26,6 +26,8 @@
# HostbasedAuthentication no # HostbasedAuthentication no
# GSSAPIAuthentication no # GSSAPIAuthentication no
@ -2271,10 +2282,10 @@ diff -up openssh-7.0p1/ssh_config.gsskex openssh-7.0p1/ssh_config
# BatchMode no # BatchMode no
# CheckHostIP yes # CheckHostIP yes
# AddressFamily any # AddressFamily any
diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
--- openssh-7.0p1/sshconnect2.c.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/sshconnect2.c.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/sshconnect2.c 2015-08-12 11:25:12.486644393 +0200 +++ openssh-7.2p1/sshconnect2.c 2016-02-19 10:01:04.872969321 +0100
@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -161,9 +161,34 @@ ssh_kex2(char *host, struct sockaddr *ho
struct kex *kex; struct kex *kex;
int r; int r;
@ -2306,10 +2317,10 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
+ } + }
+#endif +#endif
+ +
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
options.kex_algorithms); fatal("%s: kex_names_cat", __func__);
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
@@ -193,6 +218,17 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -195,6 +220,17 @@ ssh_kex2(char *host, struct sockaddr *ho
order_hostkeyalgs(host, hostaddr, port)); order_hostkeyalgs(host, hostaddr, port));
} }
@ -2327,7 +2338,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
if (options.rekey_limit || options.rekey_interval) if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit, packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval); (time_t)options.rekey_interval);
@@ -210,11 +246,31 @@ ssh_kex2(char *host, struct sockaddr *ho @@ -212,11 +248,31 @@ ssh_kex2(char *host, struct sockaddr *ho
kex->kex[KEX_ECDH_SHA2] = kexecdh_client; kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
# endif # endif
#endif #endif
@ -2358,8 +2369,8 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
+ +
dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
if (options.use_roaming && !kex->roaming) { /* remove ext-info from the KEX proposals for rekeying */
@@ -306,6 +362,7 @@ int input_gssapi_token(int type, u_int32 @@ -311,6 +367,7 @@ int input_gssapi_token(int type, u_int32
int input_gssapi_hash(int type, u_int32_t, void *); int input_gssapi_hash(int type, u_int32_t, void *);
int input_gssapi_error(int, u_int32_t, void *); int input_gssapi_error(int, u_int32_t, void *);
int input_gssapi_errtok(int, u_int32_t, void *); int input_gssapi_errtok(int, u_int32_t, void *);
@ -2367,7 +2378,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
#endif #endif
void userauth(Authctxt *, char *); void userauth(Authctxt *, char *);
@@ -321,6 +378,11 @@ static char *authmethods_get(void); @@ -326,6 +383,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = { Authmethod authmethods[] = {
#ifdef GSSAPI #ifdef GSSAPI
@ -2379,7 +2390,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
{"gssapi-with-mic", {"gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
NULL, NULL,
@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt) @@ -656,19 +718,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0; static u_int mech = 0;
OM_uint32 min; OM_uint32 min;
int ok = 0; int ok = 0;
@ -2413,7 +2424,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
ok = 1; /* Mechanism works */ ok = 1; /* Mechanism works */
} else { } else {
mech++; mech++;
@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_ @@ -765,8 +839,8 @@ input_gssapi_response(int type, u_int32_
{ {
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
@ -2424,7 +2435,7 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
if (authctxt == NULL) if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context"); fatal("input_gssapi_response: no authentication context");
@@ -850,6 +924,48 @@ input_gssapi_error(int type, u_int32_t p @@ -879,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p
free(lang); free(lang);
return 0; return 0;
} }
@ -2473,10 +2484,10 @@ diff -up openssh-7.0p1/sshconnect2.c.gsskex openssh-7.0p1/sshconnect2.c
#endif /* GSSAPI */ #endif /* GSSAPI */
int int
diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
--- openssh-7.0p1/sshd.c.gsskex 2015-08-12 11:15:43.679548913 +0200 --- openssh-7.2p1/sshd.c.gsskex 2016-02-19 10:01:04.860969328 +0100
+++ openssh-7.0p1/sshd.c 2015-08-12 11:15:43.702548876 +0200 +++ openssh-7.2p1/sshd.c 2016-02-19 10:01:04.872969321 +0100
@@ -1043,8 +1043,9 @@ notify_hostkeys(struct ssh *ssh) @@ -974,8 +974,9 @@ notify_hostkeys(struct ssh *ssh)
} }
debug3("%s: sent %d hostkeys", __func__, nkeys); debug3("%s: sent %d hostkeys", __func__, nkeys);
if (nkeys == 0) if (nkeys == 0)
@ -2488,7 +2499,7 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
sshbuf_free(buf); sshbuf_free(buf);
} }
@@ -1843,10 +1843,13 @@ main(int ac, char **av) @@ -1845,10 +1846,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
} }
@ -2502,7 +2513,7 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting."); logit("sshd: no hostkeys available -- exiting.");
exit(1); exit(1);
@@ -2582,6 +2585,48 @@ do_ssh2_kex(void) @@ -2586,6 +2590,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types()); list_hostkey_types());
@ -2551,7 +2562,7 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
/* start key exchange */ /* start key exchange */
if ((r = kex_setup(active_state, myproposal)) != 0) if ((r = kex_setup(active_state, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r)); fatal("kex_setup: %s", ssh_err(r));
@@ -2596,6 +2641,13 @@ do_ssh2_kex(void) @@ -2600,6 +2646,13 @@ do_ssh2_kex(void)
# endif # endif
#endif #endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@ -2565,23 +2576,22 @@ diff -up openssh-7.0p1/sshd.c.gsskex openssh-7.0p1/sshd.c
kex->server = 1; kex->server = 1;
kex->client_version_string=client_version_string; kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string; kex->server_version_string=server_version_string;
diff -up openssh-7.0p1/sshd_config.5.gsskex openssh-7.0p1/sshd_config.5 diff -up openssh-7.2p1/sshd_config.5.gsskex openssh-7.2p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.gsskex 2015-08-12 11:15:43.677548916 +0200 --- openssh-7.2p1/sshd_config.5.gsskex 2016-02-19 10:01:04.858969329 +0100
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:15:43.702548876 +0200 +++ openssh-7.2p1/sshd_config.5 2016-02-19 10:06:26.651172355 +0100
@@ -621,6 +621,12 @@ Specifies whether user authentication ba @@ -623,6 +623,11 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only.
+.It Cm GSSAPIKeyExchange +.It Cm GSSAPIKeyExchange
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange +Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
+doesn't rely on ssh keys to verify host identity. +doesn't rely on ssh keys to verify host identity.
+The default is +The default is
+.Dq no . +.Dq no .
+Note that this option applies to protocol version 2 only.
.It Cm GSSAPICleanupCredentials .It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache Specifies whether to automatically destroy the user's credentials cache
on logout. on logout.
@@ -642,6 +648,11 @@ machine's default store. @@ -643,6 +648,11 @@ machine's default store.
This facility is provided to assist with operation on multi homed machines. This facility is provided to assist with operation on multi homed machines.
The default is The default is
.Dq yes . .Dq yes .
@ -2593,9 +2603,9 @@ diff -up openssh-7.0p1/sshd_config.5.gsskex openssh-7.0p1/sshd_config.5
.It Cm HostbasedAcceptedKeyTypes .It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list. as a comma-separated pattern list.
diff -up openssh-7.0p1/sshd_config.gsskex openssh-7.0p1/sshd_config diff -up openssh-7.2p1/sshd_config.gsskex openssh-7.2p1/sshd_config
--- openssh-7.0p1/sshd_config.gsskex 2015-08-12 11:15:43.679548913 +0200 --- openssh-7.2p1/sshd_config.gsskex 2016-02-19 10:01:04.860969328 +0100
+++ openssh-7.0p1/sshd_config 2015-08-12 11:15:43.702548876 +0200 +++ openssh-7.2p1/sshd_config 2016-02-19 10:01:04.873969320 +0100
@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no @@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
# GSSAPI options # GSSAPI options
GSSAPIAuthentication yes GSSAPIAuthentication yes
@ -2605,9 +2615,9 @@ diff -up openssh-7.0p1/sshd_config.gsskex openssh-7.0p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
diff -up openssh-7.0p1/ssh-gss.h.gsskex openssh-7.0p1/ssh-gss.h diff -up openssh-7.2p1/ssh-gss.h.gsskex openssh-7.2p1/ssh-gss.h
--- openssh-7.0p1/ssh-gss.h.gsskex 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.2p1/ssh-gss.h.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.0p1/ssh-gss.h 2015-08-12 11:15:43.702548876 +0200 +++ openssh-7.2p1/ssh-gss.h 2016-02-19 10:01:04.873969320 +0100
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
/* /*
@ -2707,21 +2717,20 @@ diff -up openssh-7.0p1/ssh-gss.h.gsskex openssh-7.0p1/ssh-gss.h
#endif /* GSSAPI */ #endif /* GSSAPI */
#endif /* _SSH_GSS_H */ #endif /* _SSH_GSS_H */
diff -up openssh-7.2p1/sshkey.c.gsskex openssh-7.2p1/sshkey.c
diff -up openssh-7.1p1/sshkey.c.gsskex openssh-7.1p1/sshkey.c --- openssh-7.2p1/sshkey.c.gsskex 2016-02-12 11:47:25.000000000 +0100
--- openssh-7.1p1/sshkey.c.gsskex 2015-09-17 15:54:32.135673460 +0200 +++ openssh-7.2p1/sshkey.c 2016-02-19 10:01:04.874969320 +0100
+++ openssh-7.1p1/sshkey.c 2015-09-17 15:55:23.014666159 +0200 @@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
@@ -112,6 +112,7 @@ static const struct keytype keytypes[] =
# endif /* OPENSSL_HAS_NISTP521 */ # endif /* OPENSSL_HAS_NISTP521 */
# endif /* OPENSSL_HAS_ECC */ # endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
+ { "null", "null", KEY_NULL, 0, 0 }, + { "null", "null", KEY_NULL, 0, 0, 1 },
{ NULL, NULL, -1, -1, 0 } { NULL, NULL, -1, -1, 0, 0 }
}; };
diff -up openssh-7.1p1/sshkey.h.gsskex openssh-7.1p1/sshkey.h diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
--- openssh-7.1p1/sshkey.h.gsskex 2015-09-17 15:54:32.135673460 +0200 --- openssh-7.2p1/sshkey.h.gsskex 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.1p1/sshkey.h 2015-09-17 15:55:45.885662877 +0200 +++ openssh-7.2p1/sshkey.h 2016-02-19 10:01:04.874969320 +0100
@@ -62,6 +62,7 @@ enum sshkey_types { @@ -62,6 +62,7 @@ enum sshkey_types {
KEY_DSA_CERT, KEY_DSA_CERT,
KEY_ECDSA_CERT, KEY_ECDSA_CERT,
@ -2730,15 +2739,3 @@ diff -up openssh-7.1p1/sshkey.h.gsskex openssh-7.1p1/sshkey.h
KEY_UNSPEC KEY_UNSPEC
}; };
diff --git a/auth.c b/auth.c
index 4d1fbbe..5db39c4 100644
--- a/auth.c
+++ b/auth.c
@@ -354,6 +354,7 @@ auth_root_allowed(const char *method)
case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 ||
+ strcmp(method, "gssapi-keyex") == 0 ||
strcmp(method, "gssapi-with-mic") == 0)
return 1;
break;


@ -65,10 +65,10 @@
%endif %endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 7.1p2 %global openssh_ver 7.2p1
%global openssh_rel 4 %global openssh_rel 1
%global pam_ssh_agent_ver 0.10.2 %global pam_ssh_agent_ver 0.10.2
%global pam_ssh_agent_rel 1 %global pam_ssh_agent_rel 2
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
@ -105,7 +105,7 @@ Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248 # https://bugzilla.redhat.com/show_bug.cgi?id=1171248
# record pfs= field in CRYPTO_SESSION audit event # record pfs= field in CRYPTO_SESSION audit event
Patch200: openssh-6.7p1-audit.patch Patch200: openssh-7.2p1-audit.patch
# Audit race condition in forked child (#1310684) # Audit race condition in forked child (#1310684)
Patch201: openssh-7.1p2-audit-race-condition.patch Patch201: openssh-7.1p2-audit-race-condition.patch
@ -143,7 +143,7 @@ Patch607: openssh-5.8p2-sigpipe.patch
Patch609: openssh-5.5p1-x11.patch Patch609: openssh-5.5p1-x11.patch
#? #?
Patch700: openssh-6.7p1-fips.patch Patch700: openssh-7.2p1-fips.patch
#? #?
Patch702: openssh-5.1p1-askpass-progress.patch Patch702: openssh-5.1p1-askpass-progress.patch
#? #?
@ -168,7 +168,7 @@ Patch714: openssh-6.7p1-kdf-cavs.patch
#http://www.sxw.org.uk/computing/patches/openssh.html #http://www.sxw.org.uk/computing/patches/openssh.html
#changed cache storage type - #848228 #changed cache storage type - #848228
Patch800: openssh-6.6p1-gsskex.patch Patch800: openssh-7.2p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-6.6p1-force_krb.patch Patch801: openssh-6.6p1-force_krb.patch
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843) # add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
@ -225,17 +225,9 @@ Patch931: openssh-6.9p1-scp-progressmeter.patch
Patch932: openssh-7.0p1-gssKexAlgorithms.patch Patch932: openssh-7.0p1-gssKexAlgorithms.patch
# Possibility to validate legacy systems by more fingerprints (#1249626)(#2439) # Possibility to validate legacy systems by more fingerprints (#1249626)(#2439)
Patch933: openssh-7.0p1-show-more-fingerprints.patch Patch933: openssh-7.0p1-show-more-fingerprints.patch
# Brokend HostKeyAlgorthms on server using + sign
# from http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-August/034324.html
Patch934: openssh-7.1p1-hostkeyalgorithms.patch
# Updated version of ssh-copy-id
# http://git.hands.com/ssh-copy-id
Patch935: openssh-7.1p1-ssh-copy-id.patch
# Preserve IUTF8 tty mode flag over ssh connections (#1270248) # Preserve IUTF8 tty mode flag over ssh connections (#1270248)
# https://bugzilla.mindrot.org/show_bug.cgi?id=2477 # https://bugzilla.mindrot.org/show_bug.cgi?id=2477
Patch936: openssh-7.1p1-iutf8.patch Patch936: openssh-7.1p1-iutf8.patch
# CVE-2016-1908: possible fallback from untrusted to trusted X11 forwarding
Patch937: openssh-7.1p2-fallback-x11-untrusted.patch
License: BSD License: BSD
@ -469,10 +461,7 @@ popd
%patch931 -p1 -b .progressmeter %patch931 -p1 -b .progressmeter
%patch932 -p1 -b .gsskexalg %patch932 -p1 -b .gsskexalg
%patch933 -p1 -b .fingerprint %patch933 -p1 -b .fingerprint
%patch934 -p1 -b .hostkey
%patch935 -p1 -b .ssh-copy-id
%patch936 -p1 -b .iutf8 %patch936 -p1 -b .iutf8
%patch937 -p1 -b .x11-fallback
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
@ -734,8 +723,6 @@ getent passwd sshd >/dev/null || \
%attr(0755,root,root) %{_bindir}/scp %attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(0755,root,root) %{_bindir}/slogin
%attr(0644,root,root) %{_mandir}/man1/slogin.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5* %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%if ! %{rescue} %if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-agent %attr(0755,root,root) %{_bindir}/ssh-agent
@ -813,6 +800,9 @@ getent passwd sshd >/dev/null || \
%endif %endif
%changelog %changelog
* Mon Feb 29 2016 Jakub Jelen <jjelen@redhat.com> 7.2p1-1 + 0.10.2-2
- New upstream release (#1312870)
* Wed Feb 24 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-4.1 + 0.10.2-1 * Wed Feb 24 2016 Jakub Jelen <jjelen@redhat.com> 7.1p2-4.1 + 0.10.2-1
- Fix race condition in auditing events when using multiplexing (#1308295) - Fix race condition in auditing events when using multiplexing (#1308295)
- Fix X11 forwarding CVE according to upstream - Fix X11 forwarding CVE according to upstream


@ -104,3 +104,16 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-
goto user_auth_clean_exit; goto user_auth_clean_exit;
/* test for correct signature */ /* test for correct signature */
diff --git a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
--- a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
+++ b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
@@ -85,7 +85,7 @@ userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen);
- if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
goto user_auth_clean_exit;
/* test for correct signature */
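Review bot: The new call passes `NULL` for the `alg` argument of `ssh_agent_sign()`, which leaves the signature algorithm to the agent's default — for RSA keys that appears to be the legacy `ssh-rsa` (SHA-1) form rather than `rsa-sha2-256`/`rsa-sha2-512` — and that is only correct as long as the module's own verification of `sig` (the "test for correct signature" step, outside this hunk) accepts that form. A comment on the changed line, `/* alg == NULL: agent uses the key's default algorithm (ssh-rsa for RSA); must match the verify step below */`, would make that coupling explicit for the next rebase. The hunk only updates the call site; if `slen` is still declared `u_int` elsewhere in the file, `&slen` would no longer match the `size_t *` the 7.2 prototype seems to take, which is worth confirming since the declaration is not visible here. As a point of style, the added header uses `diff --git a/... b/...` while the rest of this patch file uses the `diff -up openssh-7.1p2/...` form, so the two halves will look different under `-p1` even though both apply. The enclosing `userauth_pubkey_from_id()` starts and ends outside the hunk.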


@ -1,2 +1,2 @@
a212baca7ce11d596bd8dcb222859ace pam_ssh_agent_auth-0.10.2.tar.bz2 a212baca7ce11d596bd8dcb222859ace pam_ssh_agent_auth-0.10.2.tar.bz2
4d8547670e2a220d5ef805ad9e47acf2 openssh-7.1p2.tar.gz b984775f0cfff1f7ff18b8797fce8a28 openssh-7.2p1.tar.gz