6.7p1-1 + 0.9.3-4
This commit is contained in:
parent
b457c98bec
commit
1900351913
1
.gitignore
vendored
1
.gitignore
vendored
@ -13,3 +13,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-6.3p1.tar.gz
|
||||
/openssh-6.4p1.tar.gz
|
||||
/openssh-6.6p1.tar.gz
|
||||
/openssh-6.7p1.tar.gz
|
||||
|
@ -1,14 +0,0 @@
|
||||
diff -up openssh-5.6p1/channels.c.exit-deadlock openssh-5.6p1/channels.c
|
||||
--- openssh-5.6p1/channels.c.exit-deadlock 2010-08-05 15:09:48.000000000 +0200
|
||||
+++ openssh-5.6p1/channels.c 2010-08-23 12:41:43.000000000 +0200
|
||||
@@ -1647,6 +1647,10 @@ channel_handle_wfd(Channel *c, fd_set *r
|
||||
u_int dlen, olen = 0;
|
||||
int len;
|
||||
|
||||
+ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
|
||||
+ debug("channel %d: forcing write", c->self);
|
||||
+ FD_SET(c->wfd, writeset);
|
||||
+ }
|
||||
/* Send buffered output data to the socket. */
|
||||
if (c->wfd != -1 &&
|
||||
FD_ISSET(c->wfd, writeset) &&
|
@ -1,72 +0,0 @@
|
||||
diff -up openssh-5.9p1/dns.c.edns openssh-5.9p1/dns.c
|
||||
--- openssh-5.9p1/dns.c.edns 2010-08-31 14:41:14.000000000 +0200
|
||||
+++ openssh-5.9p1/dns.c 2011-09-09 08:05:27.782440497 +0200
|
||||
@@ -177,6 +177,7 @@ verify_host_key_dns(const char *hostname
|
||||
{
|
||||
u_int counter;
|
||||
int result;
|
||||
+ unsigned int rrset_flags = 0;
|
||||
struct rrsetinfo *fingerprints = NULL;
|
||||
|
||||
u_int8_t hostkey_algorithm;
|
||||
@@ -200,8 +201,19 @@ verify_host_key_dns(const char *hostname
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Original getrrsetbyname function, found on OpenBSD for example,
|
||||
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
|
||||
+ * DNS response is set by "options edns0" in resolv.conf.
|
||||
+ *
|
||||
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
|
||||
+ */
|
||||
+#ifndef HAVE_GETRRSETBYNAME
|
||||
+ rrset_flags |= RRSET_FORCE_EDNS0;
|
||||
+#endif
|
||||
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
|
||||
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
|
||||
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
|
||||
+
|
||||
if (result) {
|
||||
verbose("DNS lookup error: %s", dns_result_totext(result));
|
||||
return -1;
|
||||
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.c
|
||||
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns 2009-07-13 03:38:23.000000000 +0200
|
||||
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.c 2011-09-09 15:03:39.930500801 +0200
|
||||
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- /* don't allow flags yet, unimplemented */
|
||||
- if (flags) {
|
||||
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
|
||||
+ if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
|
||||
result = ERRSET_INVAL;
|
||||
goto fail;
|
||||
}
|
||||
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, uns
|
||||
#endif /* DEBUG */
|
||||
|
||||
#ifdef RES_USE_DNSSEC
|
||||
- /* turn on DNSSEC if EDNS0 is configured */
|
||||
- if (_resp->options & RES_USE_EDNS0)
|
||||
- _resp->options |= RES_USE_DNSSEC;
|
||||
+ /* turn on DNSSEC if required */
|
||||
+ if (flags & RRSET_FORCE_EDNS0)
|
||||
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
|
||||
#endif /* RES_USE_DNSEC */
|
||||
|
||||
/* make query */
|
||||
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.h
|
||||
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns 2007-10-26 08:26:50.000000000 +0200
|
||||
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.h 2011-09-09 08:05:27.965438689 +0200
|
||||
@@ -72,6 +72,9 @@
|
||||
#ifndef RRSET_VALIDATED
|
||||
# define RRSET_VALIDATED 1
|
||||
#endif
|
||||
+#ifndef RRSET_FORCE_EDNS0
|
||||
+# define RRSET_FORCE_EDNS0 0x0001
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Return codes for getrrsetbyname()
|
@ -1,7 +1,8 @@
|
||||
diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
|
||||
--- openssh-6.2p1/configure.ac.vendor 2013-03-25 19:34:01.277495179 +0100
|
||||
+++ openssh-6.2p1/configure.ac 2013-03-25 19:34:01.377495818 +0100
|
||||
@@ -4420,6 +4420,12 @@ AC_ARG_WITH([lastlog],
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 6553074..8dedb95 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -4676,6 +4676,12 @@ AC_ARG_WITH([lastlog],
|
||||
fi
|
||||
]
|
||||
)
|
||||
@ -14,7 +15,7 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
|
||||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -4681,6 +4687,7 @@ echo " Translate v4 in v6 hack
|
||||
@@ -4938,6 +4944,7 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
@ -22,10 +23,11 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
|
||||
|
||||
echo ""
|
||||
|
||||
diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
|
||||
--- openssh-6.2p1/servconf.c.vendor 2013-03-25 19:34:01.197494668 +0100
|
||||
+++ openssh-6.2p1/servconf.c 2013-03-25 19:34:01.379495831 +0100
|
||||
@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index e3ebaac..c8a3f28 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -141,6 +141,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
@ -33,17 +35,16 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -287,6 +288,9 @@ fill_default_server_options(ServerOption
|
||||
@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
+ if (options->show_patchlevel == -1)
|
||||
+ options->show_patchlevel = 0;
|
||||
+
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
use_privsep = PRIVSEP_NOSANDBOX;
|
||||
@@ -324,7 +328,7 @@ typedef enum {
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
@@ -353,7 +356,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||||
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
@ -52,7 +53,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
@@ -439,6 +443,7 @@ static struct {
|
||||
@@ -467,6 +470,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
@ -60,7 +61,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1163,6 +1168,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1263,6 +1267,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
multistate_ptr = multistate_privsep;
|
||||
goto parse_multistate;
|
||||
|
||||
@ -71,18 +72,19 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
@@ -1950,6 +1959,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -2081,6 +2089,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
|
||||
--- openssh-6.2p1/servconf.h.vendor 2013-01-09 05:56:45.000000000 +0100
|
||||
+++ openssh-6.2p1/servconf.h 2013-03-25 19:34:01.379495831 +0100
|
||||
@@ -147,6 +147,7 @@ typedef struct {
|
||||
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index 49b228b..21719e2 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -149,6 +149,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
@ -90,10 +92,34 @@ diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config
|
||||
--- openssh-6.2p1/sshd_config.vendor 2013-03-25 19:34:01.380495837 +0100
|
||||
+++ openssh-6.2p1/sshd_config 2013-03-25 19:44:43.471296362 +0100
|
||||
@@ -118,6 +118,7 @@ UsePrivilegeSeparation sandbox # Defaul
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index afe9afa..193b206 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
|
||||
}
|
||||
|
||||
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
|
||||
- major, minor, SSH_VERSION,
|
||||
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
*options.version_addendum == '\0' ? "" : " ",
|
||||
options.version_addendum, newline);
|
||||
|
||||
@@ -1677,7 +1677,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- debug("sshd version %s, %s", SSH_VERSION,
|
||||
+ debug("sshd version %s, %s",
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
#ifdef WITH_OPENSSL
|
||||
SSLeay_version(SSLEAY_VERSION)
|
||||
#else
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 3092ac6..da3db5d 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
@ -101,10 +127,11 @@ diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0
|
||||
--- openssh-6.2p1/sshd_config.0.vendor 2013-03-25 19:34:01.361495716 +0100
|
||||
+++ openssh-6.2p1/sshd_config.0 2013-03-25 19:34:01.381495844 +0100
|
||||
@@ -595,6 +595,11 @@ DESCRIPTION
|
||||
diff --git a/sshd_config.0 b/sshd_config.0
|
||||
index 43867d3..a3898c3 100644
|
||||
--- a/sshd_config.0
|
||||
+++ b/sshd_config.0
|
||||
@@ -700,6 +700,11 @@ DESCRIPTION
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The minimum value is 512, and the default is 1024.
|
||||
|
||||
@ -113,13 +140,14 @@ diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0
|
||||
+ the binary in the server identification string. The patch level
|
||||
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||||
+
|
||||
StrictModes
|
||||
Specifies whether sshd(8) should check file modes and ownership
|
||||
of the user's files and home directory before accepting login.
|
||||
diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
|
||||
--- openssh-6.2p1/sshd_config.5.vendor 2013-03-25 19:34:01.362495722 +0100
|
||||
+++ openssh-6.2p1/sshd_config.5 2013-03-25 19:34:01.382495850 +0100
|
||||
@@ -1019,6 +1019,14 @@ This option applies to protocol version
|
||||
StreamLocalBindMask
|
||||
Sets the octal file creation mode mask (umask) used when creating
|
||||
a Unix-domain socket file for local or remote port forwarding.
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 89a0cf2..cccb310 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -1200,6 +1200,13 @@ This option applies to protocol version 1 only.
|
||||
.It Cm ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||
The minimum value is 512, and the default is 1024.
|
||||
@ -130,29 +158,6 @@ diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
|
||||
+The patch level is set at compile-time.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
+This option applies to protocol version 1 only.
|
||||
.It Cm StrictModes
|
||||
Specifies whether
|
||||
.Xr sshd 8
|
||||
diff -up openssh-6.2p1/sshd.c.vendor openssh-6.2p1/sshd.c
|
||||
--- openssh-6.2p1/sshd.c.vendor 2013-03-25 19:34:01.332495531 +0100
|
||||
+++ openssh-6.2p1/sshd.c 2013-03-25 19:44:11.864112092 +0100
|
||||
@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in
|
||||
}
|
||||
|
||||
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
|
||||
- major, minor, SSH_VERSION,
|
||||
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
*options.version_addendum == '\0' ? "" : " ",
|
||||
options.version_addendum, newline);
|
||||
|
||||
@@ -1675,7 +1675,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- debug("sshd version %s, %s", SSH_VERSION,
|
||||
+ debug("sshd version %s, %s",
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
SSLeay_version(SSLEAY_VERSION));
|
||||
|
||||
/* Store privilege separation user for later use if required. */
|
||||
.It Cm StreamLocalBindMask
|
||||
Sets the octal file creation mode mask
|
||||
.Pq umask
|
||||
|
@ -1,212 +0,0 @@
|
||||
diff --git a/audit-bsm.c b/audit-bsm.c
|
||||
index 5160869..c7a1b47 100644
|
||||
--- a/audit-bsm.c
|
||||
+++ b/audit-bsm.c
|
||||
@@ -481,7 +481,7 @@ audit_unsupported_body(int what)
|
||||
}
|
||||
|
||||
void
|
||||
-audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid)
|
||||
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid, uid_t uid)
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
diff --git a/audit-linux.c b/audit-linux.c
|
||||
index 6954fc1..6686f6a 100644
|
||||
--- a/audit-linux.c
|
||||
+++ b/audit-linux.c
|
||||
@@ -297,7 +297,7 @@ audit_unsupported_body(int what)
|
||||
const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
|
||||
void
|
||||
-audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
|
||||
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid,
|
||||
uid_t uid)
|
||||
{
|
||||
#ifdef AUDIT_CRYPTO_SESSION
|
||||
@@ -306,8 +306,8 @@ audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
|
||||
Cipher *cipher = cipher_by_name(enc);
|
||||
char *s;
|
||||
|
||||
- snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
|
||||
- direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac,
|
||||
+ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s pfs=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
|
||||
+ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac, pfs,
|
||||
(intmax_t)pid, (intmax_t)uid,
|
||||
get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
|
||||
free(s);
|
||||
diff --git a/audit.c b/audit.c
|
||||
index 13c6849..5b49434 100644
|
||||
--- a/audit.c
|
||||
+++ b/audit.c
|
||||
@@ -135,9 +135,9 @@ audit_unsupported(int what)
|
||||
}
|
||||
|
||||
void
|
||||
-audit_kex(int ctos, char *enc, char *mac, char *comp)
|
||||
+audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs)
|
||||
{
|
||||
- PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||
+ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, pfs, getpid(), getuid()));
|
||||
}
|
||||
|
||||
void
|
||||
@@ -270,11 +270,11 @@ audit_unsupported_body(int what)
|
||||
* This will be called on succesfull protocol negotiation.
|
||||
*/
|
||||
void
|
||||
-audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
|
||||
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid,
|
||||
uid_t uid)
|
||||
{
|
||||
- debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
|
||||
- (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
|
||||
+ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s pfs %s from pid %ld uid %u",
|
||||
+ (unsigned)geteuid(), ctos, enc, mac, compress, pfs, (long)pid,
|
||||
(unsigned)uid);
|
||||
}
|
||||
|
||||
diff --git a/audit.h b/audit.h
|
||||
index a2dc3ff..903df66 100644
|
||||
--- a/audit.h
|
||||
+++ b/audit.h
|
||||
@@ -61,9 +61,9 @@ ssh_audit_event_t audit_classify_auth(const char *);
|
||||
int audit_keyusage(int, const char *, unsigned, char *, int);
|
||||
void audit_key(int, int *, const Key *);
|
||||
void audit_unsupported(int);
|
||||
-void audit_kex(int, char *, char *, char *);
|
||||
+void audit_kex(int, char *, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
-void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
+void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
|
||||
void audit_session_key_free(int ctos);
|
||||
void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||
void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
diff --git a/auditstub.c b/auditstub.c
|
||||
index 45817e0..116f460 100644
|
||||
--- a/auditstub.c
|
||||
+++ b/auditstub.c
|
||||
@@ -35,7 +35,7 @@ audit_unsupported(int n)
|
||||
}
|
||||
|
||||
void
|
||||
-audit_kex(int ctos, char *enc, char *mac, char *comp)
|
||||
+audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs)
|
||||
{
|
||||
}
|
||||
|
||||
diff --git a/kex.c b/kex.c
|
||||
index ede7b67..eb5f333 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -553,13 +553,12 @@ kex_choose_conf(Kex *kex)
|
||||
newkeys->enc.name,
|
||||
authlen == 0 ? newkeys->mac.name : "<implicit>",
|
||||
newkeys->comp.name);
|
||||
-#ifdef SSH_AUDIT_EVENTS
|
||||
- audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name);
|
||||
-#endif
|
||||
}
|
||||
+
|
||||
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
|
||||
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||
sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
|
||||
+
|
||||
need = dh_need = 0;
|
||||
for (mode = 0; mode < MODE_MAX; mode++) {
|
||||
newkeys = kex->newkeys[mode];
|
||||
@@ -571,11 +570,16 @@ kex_choose_conf(Kex *kex)
|
||||
dh_need = MAX(dh_need, newkeys->enc.block_size);
|
||||
dh_need = MAX(dh_need, newkeys->enc.iv_len);
|
||||
dh_need = MAX(dh_need, newkeys->mac.key_len);
|
||||
+ debug("kex: %s need=%d dh_need=%d", kex->name, need, dh_need);
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ audit_kex(mode, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name, kex->name);
|
||||
+#endif
|
||||
}
|
||||
/* XXX need runden? */
|
||||
kex->we_need = need;
|
||||
kex->dh_need = dh_need;
|
||||
|
||||
+
|
||||
/* ignore the next message if the proposals do not match */
|
||||
if (first_kex_follows && !proposals_match(my, peer) &&
|
||||
!(datafellows & SSH_BUG_FIRSTKEX)) {
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index 70b9b4c..81bc9c1 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -2396,7 +2396,7 @@ int
|
||||
mm_answer_audit_kex_body(int sock, Buffer *m)
|
||||
{
|
||||
int ctos, len;
|
||||
- char *cipher, *mac, *compress;
|
||||
+ char *cipher, *mac, *compress, *pfs;
|
||||
pid_t pid;
|
||||
uid_t uid;
|
||||
|
||||
@@ -2404,14 +2404,16 @@ mm_answer_audit_kex_body(int sock, Buffer *m)
|
||||
cipher = buffer_get_string(m, &len);
|
||||
mac = buffer_get_string(m, &len);
|
||||
compress = buffer_get_string(m, &len);
|
||||
+ pfs = buffer_get_string(m, &len);
|
||||
pid = buffer_get_int64(m);
|
||||
uid = buffer_get_int64(m);
|
||||
|
||||
- audit_kex_body(ctos, cipher, mac, compress, pid, uid);
|
||||
+ audit_kex_body(ctos, cipher, mac, compress, pfs, pid, uid);
|
||||
|
||||
free(cipher);
|
||||
free(mac);
|
||||
free(compress);
|
||||
+ free(pfs);
|
||||
buffer_clear(m);
|
||||
|
||||
mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index 93f6535..69b29d8 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -1408,7 +1408,7 @@ mm_audit_unsupported_body(int what)
|
||||
}
|
||||
|
||||
void
|
||||
-mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
|
||||
+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, char *fps, pid_t pid,
|
||||
uid_t uid)
|
||||
{
|
||||
Buffer m;
|
||||
@@ -1418,6 +1418,7 @@ mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
|
||||
buffer_put_cstring(&m, cipher);
|
||||
buffer_put_cstring(&m, (mac ? mac : ""));
|
||||
buffer_put_cstring(&m, compress);
|
||||
+ buffer_put_cstring(&m, fps);
|
||||
buffer_put_int64(&m, pid);
|
||||
buffer_put_int64(&m, uid);
|
||||
|
||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||
index 4cf0c78..e43109f 100644
|
||||
--- a/monitor_wrap.h
|
||||
+++ b/monitor_wrap.h
|
||||
@@ -83,7 +83,7 @@ void mm_audit_event(ssh_audit_event_t);
|
||||
int mm_audit_run_command(const char *);
|
||||
void mm_audit_end_command(int, const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
-void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
+void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
|
||||
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
||||
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
#endif
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index ee94825..41a94a7 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -2430,7 +2430,7 @@ do_ssh1_kex(void)
|
||||
packet_disconnect("IP Spoofing check bytes do not match.");
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
- audit_kex(2, cipher_name(cipher_type), "crc", "none");
|
||||
+ audit_kex(2, cipher_name(cipher_type), "crc", "none", "none");
|
||||
#endif
|
||||
|
||||
debug("Encryption type: %.200s", cipher_name(cipher_type));
|
@ -40,10 +40,10 @@ index ae7df25..30c3310 100644
|
||||
int log_is_on_stderr(void);
|
||||
void log_redirect_stderr_to(const char *);
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index 7461fae..da2f766 100644
|
||||
index 7ebc76e..d97e640 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -364,6 +364,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
|
||||
@@ -378,6 +378,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
|
||||
close(pmonitor->m_log_sendfd);
|
||||
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
|
||||
|
||||
@ -52,7 +52,7 @@ index 7461fae..da2f766 100644
|
||||
authctxt = _authctxt;
|
||||
memset(authctxt, 0, sizeof(*authctxt));
|
||||
|
||||
@@ -472,6 +474,8 @@ monitor_child_postauth(struct monitor *pmonitor)
|
||||
@@ -486,6 +488,8 @@ monitor_child_postauth(struct monitor *pmonitor)
|
||||
close(pmonitor->m_recvfd);
|
||||
pmonitor->m_recvfd = -1;
|
||||
|
||||
@ -61,7 +61,7 @@ index 7461fae..da2f766 100644
|
||||
monitor_set_child_handler(pmonitor->m_pid);
|
||||
signal(SIGHUP, &monitor_child_handler);
|
||||
signal(SIGTERM, &monitor_child_handler);
|
||||
@@ -552,7 +556,7 @@ monitor_read_log(struct monitor *pmonitor)
|
||||
@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonitor)
|
||||
if (log_level_name(level) == NULL)
|
||||
fatal("%s: invalid log level %u (corrupted message?)",
|
||||
__func__, level);
|
||||
@ -70,7 +70,7 @@ index 7461fae..da2f766 100644
|
||||
|
||||
buffer_free(&logmsg);
|
||||
free(msg);
|
||||
@@ -2083,13 +2087,28 @@ monitor_init(void)
|
||||
@@ -2107,13 +2111,28 @@ monitor_init(void)
|
||||
mm_init_compression(mon->m_zlib);
|
||||
}
|
||||
|
||||
@ -119,7 +119,7 @@ index ff79fbb..00c2028 100644
|
||||
|
||||
struct Authctxt;
|
||||
diff --git a/session.c b/session.c
|
||||
index e4add93..bc4a8dd 100644
|
||||
index 9c94d8e..40a681e 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -160,6 +160,8 @@ login_cap_t *lc;
|
||||
@ -131,7 +131,7 @@ index e4add93..bc4a8dd 100644
|
||||
/* Name and directory of socket for authentication agent forwarding. */
|
||||
static char *auth_sock_name = NULL;
|
||||
static char *auth_sock_dir = NULL;
|
||||
@@ -523,8 +525,8 @@ do_exec_no_pty(Session *s, const char *command)
|
||||
@@ -505,8 +507,8 @@ do_exec_no_pty(Session *s, const char *command)
|
||||
is_child = 1;
|
||||
|
||||
/* Child. Reinitialize the log since the pid has changed. */
|
||||
@ -142,7 +142,7 @@ index e4add93..bc4a8dd 100644
|
||||
|
||||
/*
|
||||
* Create a new session and process group since the 4.4BSD
|
||||
@@ -692,8 +694,8 @@ do_exec_pty(Session *s, const char *command)
|
||||
@@ -674,8 +676,8 @@ do_exec_pty(Session *s, const char *command)
|
||||
close(ptymaster);
|
||||
|
||||
/* Child. Reinitialize the log because the pid has changed. */
|
||||
@ -153,7 +153,7 @@ index e4add93..bc4a8dd 100644
|
||||
/* Close the master side of the pseudo tty. */
|
||||
close(ptyfd);
|
||||
|
||||
@@ -797,6 +799,7 @@ do_exec(Session *s, const char *command)
|
||||
@@ -779,6 +781,7 @@ do_exec(Session *s, const char *command)
|
||||
int ret;
|
||||
const char *forced = NULL;
|
||||
char session_type[1024], *tty = NULL;
|
||||
@ -161,7 +161,7 @@ index e4add93..bc4a8dd 100644
|
||||
|
||||
if (options.adm_forced_command) {
|
||||
original_command = command;
|
||||
@@ -854,6 +857,10 @@ do_exec(Session *s, const char *command)
|
||||
@@ -836,6 +839,10 @@ do_exec(Session *s, const char *command)
|
||||
tty += 5;
|
||||
}
|
||||
|
||||
@ -172,7 +172,7 @@ index e4add93..bc4a8dd 100644
|
||||
verbose("Starting session: %s%s%s for %s from %.200s port %d",
|
||||
session_type,
|
||||
tty == NULL ? "" : " on ",
|
||||
@@ -1681,14 +1688,6 @@ child_close_fds(void)
|
||||
@@ -1677,14 +1684,6 @@ child_close_fds(void)
|
||||
* descriptors left by system functions. They will be closed later.
|
||||
*/
|
||||
endpwent();
|
||||
@ -187,7 +187,7 @@ index e4add93..bc4a8dd 100644
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1834,8 +1833,6 @@ do_child(Session *s, const char *command)
|
||||
@@ -1830,8 +1829,6 @@ do_child(Session *s, const char *command)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -196,7 +196,7 @@ index e4add93..bc4a8dd 100644
|
||||
if (!options.use_login)
|
||||
do_rc_files(s, shell);
|
||||
|
||||
@@ -1859,9 +1856,17 @@ do_child(Session *s, const char *command)
|
||||
@@ -1855,9 +1852,17 @@ do_child(Session *s, const char *command)
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
@ -227,10 +227,10 @@ index 7e644ab..e162b7a 100644
|
||||
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
||||
}
|
||||
diff --git a/sftp-server.c b/sftp-server.c
|
||||
index b8eb59c..a0e644c 100644
|
||||
index 0177130..8fa7fc7 100644
|
||||
--- a/sftp-server.c
|
||||
+++ b/sftp-server.c
|
||||
@@ -1437,7 +1437,7 @@ sftp_server_usage(void)
|
||||
@@ -1440,7 +1440,7 @@ sftp_server_usage(void)
|
||||
}
|
||||
|
||||
int
|
||||
@ -239,7 +239,7 @@ index b8eb59c..a0e644c 100644
|
||||
{
|
||||
fd_set *rset, *wset;
|
||||
int i, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
||||
@@ -1450,7 +1450,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
@@ -1453,7 +1453,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
extern char *__progname;
|
||||
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
@ -248,15 +248,15 @@ index b8eb59c..a0e644c 100644
|
||||
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
@@ -1521,7 +1521,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
@@ -1524,7 +1524,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
|
||||
}
|
||||
}
|
||||
|
||||
- log_init(__progname, log_level, log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
||||
|
||||
if ((cp = getenv("SSH_CONNECTION")) != NULL) {
|
||||
client_addr = xstrdup(cp);
|
||||
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
|
||||
/*
|
||||
diff --git a/sftp.h b/sftp.h
|
||||
index 2bde8bb..ddf1a39 100644
|
||||
--- a/sftp.h
|
||||
@ -269,10 +269,10 @@ index 2bde8bb..ddf1a39 100644
|
||||
+int sftp_server_main(int, char **, struct passwd *, int);
|
||||
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 3eee75a..9c00bcb 100644
|
||||
index 39b9c08..ca55d7f 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -745,7 +745,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
@@ -737,7 +737,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
}
|
||||
|
||||
/* New socket pair */
|
||||
@ -281,7 +281,7 @@ index 3eee75a..9c00bcb 100644
|
||||
|
||||
pmonitor->m_pid = fork();
|
||||
if (pmonitor->m_pid == -1)
|
||||
@@ -763,6 +763,11 @@ privsep_postauth(Authctxt *authctxt)
|
||||
@@ -755,6 +755,11 @@ privsep_postauth(Authctxt *authctxt)
|
||||
|
||||
close(pmonitor->m_sendfd);
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
@ -1,16 +1,16 @@
|
||||
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
index 0077dd7..e3f2ced 100644
|
||||
index 8f32464..18a2ca4 100644
|
||||
--- a/openbsd-compat/port-linux-sshd.c
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -31,6 +31,7 @@
|
||||
#include "xmalloc.h"
|
||||
@@ -32,6 +32,7 @@
|
||||
#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
#include "servconf.h"
|
||||
#include "port-linux.h"
|
||||
+#include "misc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
void
|
||||
sshd_selinux_copy_context(void)
|
||||
{
|
||||
@ -19,7 +19,7 @@ index 0077dd7..e3f2ced 100644
|
||||
|
||||
if (!sshd_selinux_enabled())
|
||||
return;
|
||||
@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void)
|
||||
@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void)
|
||||
}
|
||||
}
|
||||
|
||||
@ -104,10 +104,10 @@ index cb51f99..8b7cda2 100644
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 512c7ed..3eee75a 100644
|
||||
index 2871fe9..39b9c08 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -637,7 +637,7 @@ privsep_preauth_child(void)
|
||||
@@ -629,7 +629,7 @@ privsep_preauth_child(void)
|
||||
demote_sensitive_data();
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
|
@ -1,5 +1,5 @@
|
||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||
index 0a4930e..a7c0c5f 100644
|
||||
index 961c564..0fcfd7b 100644
|
||||
--- a/gss-serv-krb5.c
|
||||
+++ b/gss-serv-krb5.c
|
||||
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
|
||||
@ -20,27 +20,27 @@ index 0a4930e..a7c0c5f 100644
|
||||
k5login_exists);
|
||||
}
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index d482e79..ad5869b 100644
|
||||
index e4164b1..87a311b 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->ip_qos_bulk = -1;
|
||||
@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->version_addendum = NULL;
|
||||
options->fingerprint_hash = -1;
|
||||
options->use_kuserok = -1;
|
||||
+ options->enable_k5users = -1;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->show_patchlevel = 0;
|
||||
@@ -331,6 +332,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
if (options->use_kuserok == -1)
|
||||
options->use_kuserok = 1;
|
||||
+ if (options->enable_k5users == -1)
|
||||
+ options->enable_k5users = 0;
|
||||
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
@@ -356,7 +359,7 @@ typedef enum {
|
||||
use_privsep = PRIVSEP_NOSANDBOX;
|
||||
@@ -371,7 +374,7 @@ typedef enum {
|
||||
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
@ -49,7 +49,7 @@ index d482e79..ad5869b 100644
|
||||
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -430,6 +433,7 @@ static struct {
|
||||
@@ -447,6 +450,7 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
@ -57,7 +57,7 @@ index d482e79..ad5869b 100644
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -437,6 +441,7 @@ static struct {
|
||||
@@ -454,6 +458,7 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
@ -65,7 +65,7 @@ index d482e79..ad5869b 100644
|
||||
#endif
|
||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1536,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
@@ -1566,6 +1571,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
intptr = &options->use_kuserok;
|
||||
goto parse_flag;
|
||||
|
||||
@ -76,7 +76,7 @@ index d482e79..ad5869b 100644
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -1824,6 +1833,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
@@ -1884,6 +1893,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
M_CP_INTOPT(use_kuserok);
|
||||
@ -84,19 +84,19 @@ index d482e79..ad5869b 100644
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2076,6 +2086,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
@@ -2143,6 +2153,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index 5117dfa..d63cb71 100644
|
||||
index cf2a505..070a8ed 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -173,7 +173,8 @@ typedef struct {
|
||||
@@ -175,7 +175,8 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
@ -107,7 +107,7 @@ index 5117dfa..d63cb71 100644
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 43671f6..6ab00ed 100644
|
||||
index 0d9454d..e731de1 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
|
||||
@ -119,10 +119,10 @@ index 43671f6..6ab00ed 100644
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index e0e5fff..aa9525d 100644
|
||||
index eb4dd9e..ce1229b 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -505,6 +505,12 @@ on logout.
|
||||
@@ -548,6 +548,12 @@ on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
|
@ -1,5 +1,5 @@
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 4ab6717..581b121 100644
|
||||
index b225217..bbc3034 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
@ -10,16 +10,16 @@ index 4ab6717..581b121 100644
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
@@ -180,6 +181,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssherr.o \
|
||||
@@ -190,6 +191,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
|
||||
|
||||
@ -29,7 +29,7 @@ index 4ab6717..581b121 100644
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -288,6 +292,7 @@ install-files:
|
||||
@@ -310,6 +314,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
|
@ -1,8 +1,8 @@
|
||||
diff --git a/entropy.c b/entropy.c
|
||||
index 2d483b3..b361a04 100644
|
||||
index 1e9d52a..d24e724 100644
|
||||
--- a/entropy.c
|
||||
+++ b/entropy.c
|
||||
@@ -234,6 +234,9 @@ seed_rng(void)
|
||||
@@ -227,6 +227,9 @@ seed_rng(void)
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
@ -13,12 +13,12 @@ index 2d483b3..b361a04 100644
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
||||
index b912dbe..9206337 100644
|
||||
index 843225d..041bbab 100644
|
||||
--- a/openbsd-compat/Makefile.in
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
@ -27,7 +27,7 @@ index b912dbe..9206337 100644
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
index 0000000..92a617c
|
||||
index 0000000..da84bf2
|
||||
--- /dev/null
|
||||
+++ b/openbsd-compat/port-linux-prng.c
|
||||
@@ -0,0 +1,59 @@
|
||||
@ -63,6 +63,7 @@ index 0000000..92a617c
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
@ -72,10 +73,9 @@ index 0000000..92a617c
|
||||
+void
|
||||
+linux_seed(void)
|
||||
+{
|
||||
+ int len;
|
||||
+ char *env = getenv("SSH_USE_STRONG_RNG");
|
||||
+ char *random = "/dev/random";
|
||||
+ size_t ienv, randlen = 14;
|
||||
+ size_t len, ienv, randlen = 14;
|
||||
+
|
||||
+ if (!env || !strcmp(env, "0"))
|
||||
+ random = "/dev/urandom";
|
||||
@ -91,7 +91,7 @@ index 0000000..92a617c
|
||||
+ }
|
||||
+}
|
||||
diff --git a/ssh-add.0 b/ssh-add.0
|
||||
index ba43fee..0b2629a 100644
|
||||
index f16165a..17d22cf 100644
|
||||
--- a/ssh-add.0
|
||||
+++ b/ssh-add.0
|
||||
@@ -82,6 +82,16 @@ ENVIRONMENT
|
||||
@ -112,10 +112,10 @@ index ba43fee..0b2629a 100644
|
||||
~/.ssh/identity
|
||||
Contains the protocol version 1 RSA authentication identity of
|
||||
diff --git a/ssh-add.1 b/ssh-add.1
|
||||
index 4812448..16305bf 100644
|
||||
index 04d1840..db883a4 100644
|
||||
--- a/ssh-add.1
|
||||
+++ b/ssh-add.1
|
||||
@@ -161,6 +161,20 @@ to make this work.)
|
||||
@@ -170,6 +170,20 @@ to make this work.)
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
@ -137,10 +137,10 @@ index 4812448..16305bf 100644
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
||||
index 281ecbd..1a9a635 100644
|
||||
index d7e791b..7332f0d 100644
|
||||
--- a/ssh-agent.1
|
||||
+++ b/ssh-agent.1
|
||||
@@ -201,6 +201,24 @@ sockets used to contain the connection to the authentication agent.
|
||||
@@ -189,6 +189,24 @@ sockets used to contain the connection to the authentication agent.
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
@ -166,10 +166,10 @@ index 281ecbd..1a9a635 100644
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||||
index 12e00d4..1b51a4a 100644
|
||||
index 276dacc..a09d9b1 100644
|
||||
--- a/ssh-keygen.1
|
||||
+++ b/ssh-keygen.1
|
||||
@@ -832,6 +832,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
||||
@@ -841,6 +841,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
@ -224,10 +224,10 @@ index 69d0829..02d79f8 100644
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index 929904b..f65e42f 100644
|
||||
index 4a476c2..410a04a 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -1309,6 +1309,23 @@ For more information, see the
|
||||
@@ -1299,6 +1299,23 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
@ -252,10 +252,10 @@ index 929904b..f65e42f 100644
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index c2c237f..058d37a 100644
|
||||
index cb866b5..adcaaf9 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -951,6 +951,24 @@ concurrently for different ports, this contains the process ID of the one
|
||||
@@ -945,6 +945,24 @@ concurrently for different ports, this contains the process ID of the one
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
|
@ -1,415 +0,0 @@
|
||||
diff --git a/auth.c b/auth.c
|
||||
index 9a36f1d..420a85b 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
|
||||
case 1:
|
||||
revoked:
|
||||
/* Key revoked */
|
||||
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
error("WARNING: authentication attempt with a revoked "
|
||||
- "%s key %s ", key_type(key), key_fp);
|
||||
+ "%s key %s%s ", key_type(key),
|
||||
+ key_fingerprint_prefix(), key_fp);
|
||||
free(key_fp);
|
||||
return 1;
|
||||
}
|
||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
||||
index 488008f..eca0069 100644
|
||||
--- a/auth2-hostbased.c
|
||||
+++ b/auth2-hostbased.c
|
||||
@@ -206,16 +206,18 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||
|
||||
if (host_status == HOST_OK) {
|
||||
if (key_is_cert(key)) {
|
||||
- fp = key_fingerprint(key->cert->signature_key,
|
||||
- SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_selected_fingerprint(key->cert->signature_key,
|
||||
+ SSH_FP_HEX);
|
||||
verbose("Accepted certificate ID \"%s\" signed by "
|
||||
- "%s CA %s from %s@%s", key->cert->key_id,
|
||||
- key_type(key->cert->signature_key), fp,
|
||||
+ "%s CA %s%s from %s@%s", key->cert->key_id,
|
||||
+ key_type(key->cert->signature_key),
|
||||
+ key_fingerprint_prefix(), fp,
|
||||
cuser, lookup);
|
||||
} else {
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- verbose("Accepted %s public key %s from %s@%s",
|
||||
- key_type(key), fp, cuser, lookup);
|
||||
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
+ verbose("Accepted %s public key %s%s from %s@%s",
|
||||
+ key_type(key), key_fingerprint_prefix(),
|
||||
+ fp, cuser, lookup);
|
||||
}
|
||||
free(fp);
|
||||
}
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index 0fd27bb..749b11a 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -365,10 +365,10 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||
continue;
|
||||
if (!key_is_cert_authority)
|
||||
continue;
|
||||
- fp = key_fingerprint(found, SSH_FP_MD5,
|
||||
- SSH_FP_HEX);
|
||||
- debug("matching CA found: file %s, line %lu, %s %s",
|
||||
- file, linenum, key_type(found), fp);
|
||||
+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
|
||||
+ debug("matching CA found: file %s, line %lu, %s %s%s",
|
||||
+ file, linenum, key_type(found),
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
/*
|
||||
* If the user has specified a list of principals as
|
||||
* a key option, then prefer that list to matching
|
||||
@@ -406,9 +406,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||
if (key_is_cert_authority)
|
||||
continue;
|
||||
found_key = 1;
|
||||
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- debug("matching key found: file %s, line %lu %s %s",
|
||||
- file, linenum, key_type(found), fp);
|
||||
+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
|
||||
+ verbose("Found matching %s key: %s%s",
|
||||
+ key_type(found), key_fingerprint_prefix(), fp);
|
||||
free(fp);
|
||||
break;
|
||||
}
|
||||
@@ -431,13 +431,13 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
|
||||
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
|
||||
return 0;
|
||||
|
||||
- ca_fp = key_fingerprint(key->cert->signature_key,
|
||||
- SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
|
||||
|
||||
if (key_in_file(key->cert->signature_key,
|
||||
options.trusted_user_ca_keys, 1) != 1) {
|
||||
- debug2("%s: CA %s %s is not listed in %s", __func__,
|
||||
- key_type(key->cert->signature_key), ca_fp,
|
||||
+ debug2("%s: CA %s%s %s is not listed in %s", __func__,
|
||||
+ key_type(key->cert->signature_key),
|
||||
+ key_fingerprint_prefix(), ca_fp,
|
||||
options.trusted_user_ca_keys);
|
||||
goto out;
|
||||
}
|
||||
diff --git a/key.c b/key.c
|
||||
index 168e1b7..eb98ea8 100644
|
||||
--- a/key.c
|
||||
+++ b/key.c
|
||||
@@ -628,6 +628,34 @@ key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
|
||||
return retval;
|
||||
}
|
||||
|
||||
+enum fp_type
|
||||
+key_fingerprint_selection(void)
|
||||
+{
|
||||
+ static enum fp_type rv;
|
||||
+ static char rv_defined = 0;
|
||||
+ char *env;
|
||||
+
|
||||
+ if (!rv_defined) {
|
||||
+ env = getenv("SSH_FINGERPRINT_TYPE");
|
||||
+ rv = (env && !strcmp (env, "sha")) ?
|
||||
+ SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ rv_defined = 1;
|
||||
+ }
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
|
||||
+{
|
||||
+ return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+key_fingerprint_prefix(void)
|
||||
+{
|
||||
+ return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Reads a multiple-precision integer in decimal from the buffer, and advances
|
||||
* the pointer. The integer must already be initialized. This function is
|
||||
diff --git a/key.h b/key.h
|
||||
index d8ad13d..0e3eea5 100644
|
||||
--- a/key.h
|
||||
+++ b/key.h
|
||||
@@ -104,6 +104,9 @@ int key_equal_public(const Key *, const Key *);
|
||||
int key_equal(const Key *, const Key *);
|
||||
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
|
||||
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
|
||||
+enum fp_type key_fingerprint_selection(void);
|
||||
+char *key_selected_fingerprint(Key *, enum fp_rep);
|
||||
+char *key_fingerprint_prefix(void);
|
||||
const char *key_type(const Key *);
|
||||
const char *key_cert_type(const Key *);
|
||||
int key_write(const Key *, FILE *);
|
||||
diff --git a/ssh-add.c b/ssh-add.c
|
||||
index 3421452..691949f 100644
|
||||
--- a/ssh-add.c
|
||||
+++ b/ssh-add.c
|
||||
@@ -330,10 +330,10 @@ list_identities(AuthenticationConnection *ac, int do_fp)
|
||||
key = ssh_get_next_identity(ac, &comment, version)) {
|
||||
had_identities = 1;
|
||||
if (do_fp) {
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5,
|
||||
- SSH_FP_HEX);
|
||||
- printf("%d %s %s (%s)\n",
|
||||
- key_size(key), fp, comment, key_type(key));
|
||||
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
+ printf("%d %s%s %s (%s)\n",
|
||||
+ key_size(key), key_fingerprint_prefix(),
|
||||
+ fp, comment, key_type(key));
|
||||
free(fp);
|
||||
} else {
|
||||
if (!key_write(key, stdout))
|
||||
diff --git a/ssh-agent.c b/ssh-agent.c
|
||||
index ba24612..117fdde 100644
|
||||
--- a/ssh-agent.c
|
||||
+++ b/ssh-agent.c
|
||||
@@ -198,9 +198,9 @@ confirm_key(Identity *id)
|
||||
char *p;
|
||||
int ret = -1;
|
||||
|
||||
- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
|
||||
- id->comment, p))
|
||||
+ p = key_selected_fingerprint(id->key, SSH_FP_HEX);
|
||||
+ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
|
||||
+ id->comment, key_fingerprint_prefix(), p))
|
||||
ret = 0;
|
||||
free(p);
|
||||
|
||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||
index 2a316bc..482dc1c 100644
|
||||
--- a/ssh-keygen.c
|
||||
+++ b/ssh-keygen.c
|
||||
@@ -783,13 +783,14 @@ do_fingerprint(struct passwd *pw)
|
||||
{
|
||||
FILE *f;
|
||||
Key *public;
|
||||
- char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
|
||||
+ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
|
||||
int i, skip = 0, num = 0, invalid = 1;
|
||||
enum fp_rep rep;
|
||||
enum fp_type fptype;
|
||||
struct stat st;
|
||||
|
||||
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
|
||||
+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
|
||||
if (!have_identity)
|
||||
@@ -801,8 +802,8 @@ do_fingerprint(struct passwd *pw)
|
||||
public = key_load_public(identity_file, &comment);
|
||||
if (public != NULL) {
|
||||
fp = key_fingerprint(public, fptype, rep);
|
||||
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
- printf("%u %s %s (%s)\n", key_size(public), fp, comment,
|
||||
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
|
||||
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
|
||||
key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
@@ -867,8 +868,8 @@ do_fingerprint(struct passwd *pw)
|
||||
}
|
||||
comment = *cp ? cp : comment;
|
||||
fp = key_fingerprint(public, fptype, rep);
|
||||
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
- printf("%u %s %s (%s)\n", key_size(public), fp,
|
||||
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
|
||||
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
|
||||
comment ? comment : "no comment", key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
@@ -986,13 +987,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
|
||||
if (print_fingerprint) {
|
||||
enum fp_rep rep;
|
||||
enum fp_type fptype;
|
||||
- char *fp, *ra;
|
||||
+ char *fp, *ra, *pfx;
|
||||
|
||||
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
|
||||
+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
+
|
||||
fp = key_fingerprint(public, fptype, rep);
|
||||
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
- printf("%u %s %s (%s)\n", key_size(public), fp, name,
|
||||
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
|
||||
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
|
||||
key_type(public));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
printf("%s\n", ra);
|
||||
@@ -1878,16 +1881,17 @@ do_show_cert(struct passwd *pw)
|
||||
fatal("%s is not a certificate", identity_file);
|
||||
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
|
||||
|
||||
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ca_fp = key_fingerprint(key->cert->signature_key,
|
||||
- SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
|
||||
|
||||
printf("%s:\n", identity_file);
|
||||
printf(" Type: %s %s certificate\n", key_ssh_name(key),
|
||||
key_cert_type(key));
|
||||
- printf(" Public key: %s %s\n", key_type(key), key_fp);
|
||||
- printf(" Signing CA: %s %s\n",
|
||||
- key_type(key->cert->signature_key), ca_fp);
|
||||
+ printf(" Public key: %s %s%s\n", key_type(key),
|
||||
+ key_fingerprint_prefix(), key_fp);
|
||||
+ printf(" Signing CA: %s %s%s\n",
|
||||
+ key_type(key->cert->signature_key),
|
||||
+ key_fingerprint_prefix(), ca_fp);
|
||||
printf(" Key ID: \"%s\"\n", key->cert->key_id);
|
||||
if (!v00) {
|
||||
printf(" Serial: %llu\n",
|
||||
@@ -2686,13 +2690,12 @@ passphrase_again:
|
||||
fclose(f);
|
||||
|
||||
if (!quiet) {
|
||||
- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- char *ra = key_fingerprint(public, SSH_FP_MD5,
|
||||
- SSH_FP_RANDOMART);
|
||||
+ char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
|
||||
+ char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
|
||||
printf("Your public key has been saved in %s.\n",
|
||||
identity_file);
|
||||
printf("The key fingerprint is:\n");
|
||||
- printf("%s %s\n", fp, comment);
|
||||
+ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
|
||||
printf("The key's randomart image is:\n");
|
||||
printf("%s\n", ra);
|
||||
free(ra);
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index 573d7a8..394cca8 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -914,10 +914,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
"key for IP address '%.128s' to the list "
|
||||
"of known hosts.", type, ip);
|
||||
} else if (options.visual_host_key) {
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ra = key_fingerprint(host_key, SSH_FP_MD5,
|
||||
- SSH_FP_RANDOMART);
|
||||
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
|
||||
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
|
||||
+ logit("Host key fingerprint is %s%s\n%s\n",
|
||||
+ key_fingerprint_prefix(), fp, ra);
|
||||
free(ra);
|
||||
free(fp);
|
||||
}
|
||||
@@ -955,9 +955,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ra = key_fingerprint(host_key, SSH_FP_MD5,
|
||||
- SSH_FP_RANDOMART);
|
||||
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
if (matching_host_key_dns)
|
||||
@@ -972,10 +971,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
"established%s\n"
|
||||
- "%s key fingerprint is %s.%s%s\n%s"
|
||||
+ "%s key fingerprint is %s%s.%s%s\n%s"
|
||||
"Are you sure you want to continue connecting "
|
||||
"(yes/no)? ",
|
||||
- host, ip, msg1, type, fp,
|
||||
+ host, ip, msg1, type,
|
||||
+ key_fingerprint_prefix(), fp,
|
||||
options.visual_host_key ? "\n" : "",
|
||||
options.visual_host_key ? ra : "",
|
||||
msg2);
|
||||
@@ -1220,8 +1220,9 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||
int flags = 0;
|
||||
char *fp;
|
||||
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- debug("Server host key: %s %s", key_type(host_key), fp);
|
||||
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||
+ debug("Server host key: %s %s%s", key_type(host_key),
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
free(fp);
|
||||
|
||||
/* XXX certs are not yet supported for DNS */
|
||||
@@ -1327,14 +1328,15 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
|
||||
continue;
|
||||
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
||||
continue;
|
||||
- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
|
||||
+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
|
||||
+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
|
||||
logit("WARNING: %s key found for host %s\n"
|
||||
"in %s:%lu\n"
|
||||
- "%s key fingerprint %s.",
|
||||
+ "%s key fingerprint %s%s.",
|
||||
key_type(found->key),
|
||||
found->host, found->file, found->line,
|
||||
- key_type(found->key), fp);
|
||||
+ key_type(found->key),
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
if (options.visual_host_key)
|
||||
logit("%s", ra);
|
||||
free(ra);
|
||||
@@ -1349,7 +1351,7 @@ warn_changed_key(Key *host_key)
|
||||
{
|
||||
char *fp;
|
||||
|
||||
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||
|
||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
|
||||
@@ -1357,8 +1359,8 @@ warn_changed_key(Key *host_key)
|
||||
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
|
||||
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
|
||||
error("It is also possible that a host key has just been changed.");
|
||||
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
|
||||
- key_type(host_key), fp);
|
||||
+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
|
||||
+ key_type(host_key),key_fingerprint_prefix(), fp);
|
||||
error("Please contact your system administrator.");
|
||||
|
||||
free(fp);
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index 7f4ff41..adbbfc7 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -577,8 +577,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
+ debug2("input_userauth_pk_ok: fp %s%s",
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
free(fp);
|
||||
|
||||
/*
|
||||
@@ -986,8 +987,9 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
|
||||
int have_sig = 1;
|
||||
char *fp;
|
||||
|
||||
- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
|
||||
+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
|
||||
+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
|
||||
+ key_fingerprint_prefix(), fp);
|
||||
free(fp);
|
||||
|
||||
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
|
@ -1,5 +1,5 @@
|
||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||
index 42de994..60de320 100644
|
||||
index 413b845..54dd383 100644
|
||||
--- a/gss-serv-krb5.c
|
||||
+++ b/gss-serv-krb5.c
|
||||
@@ -32,7 +32,9 @@
|
||||
@ -12,12 +12,7 @@ index 42de994..60de320 100644
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
@@ -40,10 +42,12 @@
|
||||
#include "auth.h"
|
||||
#include "log.h"
|
||||
#include "servconf.h"
|
||||
+#include "misc.h"
|
||||
|
||||
@@ -45,6 +47,7 @@
|
||||
#include "buffer.h"
|
||||
#include "ssh-gss.h"
|
||||
|
||||
@ -25,7 +20,7 @@ index 42de994..60de320 100644
|
||||
extern ServerOptions options;
|
||||
|
||||
#ifdef HEIMDAL
|
||||
@@ -55,6 +59,13 @@ extern ServerOptions options;
|
||||
@@ -56,6 +59,13 @@ extern ServerOptions options;
|
||||
# include <gssapi/gssapi_krb5.h>
|
||||
#endif
|
||||
|
||||
@ -39,7 +34,7 @@ index 42de994..60de320 100644
|
||||
static krb5_context krb_context = NULL;
|
||||
|
||||
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
|
||||
@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
@@ -88,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
krb5_principal princ;
|
||||
int retval;
|
||||
const char *errmsg;
|
||||
@ -47,7 +42,7 @@ index 42de994..60de320 100644
|
||||
|
||||
if (ssh_gssapi_krb5_init() == 0)
|
||||
return 0;
|
||||
@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
@@ -99,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
krb5_free_error_message(krb_context, errmsg);
|
||||
return 0;
|
||||
}
|
||||
@ -71,7 +66,7 @@ index 42de994..60de320 100644
|
||||
} else
|
||||
retval = 0;
|
||||
|
||||
@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
@@ -110,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
return retval;
|
||||
}
|
||||
|
||||
@ -208,10 +203,10 @@ index 42de994..60de320 100644
|
||||
/* This writes out any forwarded credentials from the structure populated
|
||||
* during userauth. Called after we have setuid to the user */
|
||||
diff --git a/session.c b/session.c
|
||||
index b5dc144..ba4589b 100644
|
||||
index 28659ec..9c94d8e 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -806,6 +806,29 @@ do_exec(Session *s, const char *command)
|
||||
@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
|
||||
command = forced_command;
|
||||
forced = "(key-option)";
|
||||
}
|
||||
@ -257,10 +252,10 @@ index 0374c88..509109a 100644
|
||||
|
||||
/* draft-ietf-secsh-gsskeyex-06 */
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index 058d37a..5c4f15b 100644
|
||||
index adcaaf9..824163b 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -327,6 +327,7 @@ Finally, the server and the client enter an authentication dialog.
|
||||
@@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog.
|
||||
The client tries to authenticate itself using
|
||||
host-based authentication,
|
||||
public key authentication,
|
||||
|
@ -1,8 +1,8 @@
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 581b121..2ad26ff 100644
|
||||
index bbc3034..c9891e0 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
@@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
@ -10,7 +10,7 @@ index 581b121..2ad26ff 100644
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
|
||||
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
|
||||
@@ -96,7 +97,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
auth2-none.o auth2-passwd.o auth2-pubkey.o \
|
||||
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
|
||||
kexc25519s.o auth-krb5.o \
|
||||
@ -20,10 +20,10 @@ index 581b121..2ad26ff 100644
|
||||
sftp-server.o sftp-common.o \
|
||||
roaming_common.o roaming_serv.o \
|
||||
diff --git a/auth2-gss.c b/auth2-gss.c
|
||||
index 4756dd7..ad65059 100644
|
||||
index 4803e7e..222e3e0 100644
|
||||
--- a/auth2-gss.c
|
||||
+++ b/auth2-gss.c
|
||||
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
|
||||
@@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
|
||||
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
|
||||
static void input_gssapi_errtok(int, u_int32_t, void *);
|
||||
|
||||
@ -64,7 +64,7 @@ index 4756dd7..ad65059 100644
|
||||
/*
|
||||
* We only support those mechanisms that we know about (ie ones that we know
|
||||
* how to check local user kuserok and the like)
|
||||
@@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
|
||||
@@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
|
||||
|
||||
packet_check_eom();
|
||||
|
||||
@ -74,7 +74,7 @@ index 4756dd7..ad65059 100644
|
||||
|
||||
authctxt->postponed = 0;
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
|
||||
@@ -277,7 +312,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
@@ -278,7 +313,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
gssbuf.length = buffer_len(&b);
|
||||
|
||||
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
|
||||
@ -84,7 +84,7 @@ index 4756dd7..ad65059 100644
|
||||
else
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
@@ -294,6 +330,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
@@ -295,6 +331,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
|
||||
}
|
||||
|
||||
@ -98,10 +98,10 @@ index 4756dd7..ad65059 100644
|
||||
"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
diff --git a/auth2.c b/auth2.c
|
||||
index 5f4f26f..0f52b68 100644
|
||||
index d6fbc93..124d02b 100644
|
||||
--- a/auth2.c
|
||||
+++ b/auth2.c
|
||||
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
|
||||
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
|
||||
extern Authmethod method_kbdint;
|
||||
extern Authmethod method_hostbased;
|
||||
#ifdef GSSAPI
|
||||
@ -109,7 +109,7 @@ index 5f4f26f..0f52b68 100644
|
||||
extern Authmethod method_gssapi;
|
||||
#endif
|
||||
|
||||
@@ -76,6 +77,7 @@ Authmethod *authmethods[] = {
|
||||
@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {
|
||||
&method_none,
|
||||
&method_pubkey,
|
||||
#ifdef GSSAPI
|
||||
@ -118,7 +118,7 @@ index 5f4f26f..0f52b68 100644
|
||||
#endif
|
||||
&method_passwd,
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index 59ad3a2..9c60108 100644
|
||||
index 397c965..20ce0b5 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -111,6 +111,10 @@
|
||||
@ -132,7 +132,7 @@ index 59ad3a2..9c60108 100644
|
||||
/* import options */
|
||||
extern Options options;
|
||||
|
||||
@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
|
||||
@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
|
||||
/* Do channel operations unless rekeying in progress. */
|
||||
if (!rekeying) {
|
||||
channel_after_select(readset, writeset);
|
||||
@ -149,7 +149,7 @@ index 59ad3a2..9c60108 100644
|
||||
debug("need rekeying");
|
||||
xxx_kex->done = 0;
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 74e77db..9bde04e 100644
|
||||
index 8dedb95..2c4adac 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
||||
@ -526,10 +526,10 @@ index b39281b..a3a2289 100644
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||
index 759fa10..42de994 100644
|
||||
index 795992d..413b845 100644
|
||||
--- a/gss-serv-krb5.c
|
||||
+++ b/gss-serv-krb5.c
|
||||
@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||
@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||
krb5_error_code problem;
|
||||
krb5_principal princ;
|
||||
OM_uint32 maj_status, min_status;
|
||||
@ -538,7 +538,7 @@ index 759fa10..42de994 100644
|
||||
const char *errmsg;
|
||||
|
||||
if (client->creds == NULL) {
|
||||
@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||
@@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||
return;
|
||||
}
|
||||
|
||||
@ -569,7 +569,7 @@ index 759fa10..42de994 100644
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
@@ -193,9 +208,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||
@@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||
|
||||
krb5_cc_close(krb_context, ccache);
|
||||
|
||||
@ -646,7 +646,7 @@ index 759fa10..42de994 100644
|
||||
ssh_gssapi_mech gssapi_kerberos_mech = {
|
||||
"toWM5Slw5Ew8Mqkay+al2g==",
|
||||
"Kerberos",
|
||||
@@ -203,7 +285,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
|
||||
@@ -204,7 +286,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
|
||||
NULL,
|
||||
&ssh_gssapi_krb5_userok,
|
||||
NULL,
|
||||
@ -657,7 +657,7 @@ index 759fa10..42de994 100644
|
||||
|
||||
#endif /* KRB5 */
|
||||
diff --git a/gss-serv.c b/gss-serv.c
|
||||
index e61b37b..14f540e 100644
|
||||
index 5c59924..2289e8e 100644
|
||||
--- a/gss-serv.c
|
||||
+++ b/gss-serv.c
|
||||
@@ -45,15 +45,20 @@
|
||||
@ -684,7 +684,7 @@ index e61b37b..14f540e 100644
|
||||
#ifdef KRB5
|
||||
extern ssh_gssapi_mech gssapi_kerberos_mech;
|
||||
@@ -100,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
|
||||
char lname[MAXHOSTNAMELEN];
|
||||
char lname[NI_MAXHOST];
|
||||
gss_OID_set oidset;
|
||||
|
||||
- gss_create_empty_oid_set(&status, &oidset);
|
||||
@ -693,40 +693,40 @@ index e61b37b..14f540e 100644
|
||||
+ gss_create_empty_oid_set(&status, &oidset);
|
||||
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
|
||||
|
||||
- if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
- if (gethostname(lname, sizeof(lname))) {
|
||||
- gss_release_oid_set(&status, &oidset);
|
||||
- return (-1);
|
||||
- }
|
||||
+ if (gethostname(lname, MAXHOSTNAMELEN)) {
|
||||
+ if (gethostname(lname, sizeof(lname))) {
|
||||
+ gss_release_oid_set(&status, &oidset);
|
||||
+ return (-1);
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
|
||||
+ gss_release_oid_set(&status, &oidset);
|
||||
+ return (ctx->major);
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
|
||||
+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
|
||||
+ NULL, NULL)))
|
||||
+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
|
||||
+ ssh_gssapi_error(ctx);
|
||||
|
||||
- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
|
||||
gss_release_oid_set(&status, &oidset);
|
||||
return (ctx->major);
|
||||
+ } else {
|
||||
+ ctx->name = GSS_C_NO_NAME;
|
||||
+ ctx->creds = GSS_C_NO_CREDENTIAL;
|
||||
}
|
||||
- }
|
||||
-
|
||||
- if ((ctx->major = gss_acquire_cred(&ctx->minor,
|
||||
- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
|
||||
- ssh_gssapi_error(ctx);
|
||||
-
|
||||
+ } else {
|
||||
+ ctx->name = GSS_C_NO_NAME;
|
||||
+ ctx->creds = GSS_C_NO_CREDENTIAL;
|
||||
+ return GSS_S_COMPLETE;
|
||||
+ }
|
||||
|
||||
- gss_release_oid_set(&status, &oidset);
|
||||
- return (ctx->major);
|
||||
+ return GSS_S_COMPLETE;
|
||||
}
|
||||
|
||||
/* Privileged */
|
||||
@ -796,8 +796,7 @@ index e61b37b..14f540e 100644
|
||||
+
|
||||
+ ctx->major = gss_compare_name(&ctx->minor, client->name,
|
||||
+ new_name, &equal);
|
||||
|
||||
- gss_buffer_desc ename;
|
||||
+
|
||||
+ if (GSS_ERROR(ctx->major)) {
|
||||
+ ssh_gssapi_error(ctx);
|
||||
+ return (ctx->major);
|
||||
@ -809,7 +808,8 @@ index e61b37b..14f540e 100644
|
||||
+ }
|
||||
+
|
||||
+ debug("Marking rekeyed credentials for export");
|
||||
+
|
||||
|
||||
- gss_buffer_desc ename;
|
||||
+ gss_release_name(&ctx->minor, &client->name);
|
||||
+ gss_release_cred(&ctx->minor, &client->creds);
|
||||
+ client->name = new_name;
|
||||
@ -991,10 +991,10 @@ index e61b37b..14f540e 100644
|
||||
|
||||
#endif
|
||||
diff --git a/kex.c b/kex.c
|
||||
index 74e2b86..bce2ab8 100644
|
||||
index a173e70..4563920 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -51,6 +51,10 @@
|
||||
@@ -53,6 +53,10 @@
|
||||
#include "roaming.h"
|
||||
#include "digest.h"
|
||||
|
||||
@ -1005,10 +1005,10 @@ index 74e2b86..bce2ab8 100644
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||
# if defined(HAVE_EVP_SHA256)
|
||||
# define evp_ssh_sha256 EVP_sha256
|
||||
@@ -90,6 +94,11 @@ static const struct kexalg kexalgs[] = {
|
||||
@@ -94,6 +98,11 @@ static const struct kexalg kexalgs[] = {
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
#endif
|
||||
#endif /* HAVE_EVP_SHA256 */
|
||||
+#ifdef GSSAPI
|
||||
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
@ -1017,7 +1017,7 @@ index 74e2b86..bce2ab8 100644
|
||||
{ NULL, -1, -1, -1},
|
||||
};
|
||||
|
||||
@@ -119,6 +128,12 @@ kex_alg_by_name(const char *name)
|
||||
@@ -123,6 +132,12 @@ kex_alg_by_name(const char *name)
|
||||
for (k = kexalgs; k->name != NULL; k++) {
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
@ -1031,7 +1031,7 @@ index 74e2b86..bce2ab8 100644
|
||||
return NULL;
|
||||
}
|
||||
diff --git a/kex.h b/kex.h
|
||||
index c85680e..313bb51 100644
|
||||
index 4c40ec8..1c76c08 100644
|
||||
--- a/kex.h
|
||||
+++ b/kex.h
|
||||
@@ -76,6 +76,11 @@ enum kex_exchange {
|
||||
@ -1412,10 +1412,10 @@ index 0000000..e90b567
|
||||
+#endif /* GSSAPI */
|
||||
diff --git a/kexgsss.c b/kexgsss.c
|
||||
new file mode 100644
|
||||
index 0000000..6d7518c
|
||||
index 0000000..b880998
|
||||
--- /dev/null
|
||||
+++ b/kexgsss.c
|
||||
@@ -0,0 +1,288 @@
|
||||
@@ -0,0 +1,289 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
+ *
|
||||
@ -1460,6 +1460,7 @@ index 0000000..6d7518c
|
||||
+#include "dh.h"
|
||||
+#include "ssh-gss.h"
|
||||
+#include "monitor_wrap.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+
|
||||
+extern ServerOptions options;
|
||||
@ -1704,35 +1705,11 @@ index 0000000..6d7518c
|
||||
+ ssh_gssapi_rekey_creds();
|
||||
+}
|
||||
+#endif /* GSSAPI */
|
||||
diff --git a/key.c b/key.c
|
||||
index eb98ea8..900b9e3 100644
|
||||
--- a/key.c
|
||||
+++ b/key.c
|
||||
@@ -1013,6 +1013,7 @@ static const struct keytype keytypes[] = {
|
||||
KEY_DSA_CERT_V00, 0, 1 },
|
||||
{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
|
||||
KEY_ED25519_CERT, 0, 1 },
|
||||
+ { "null", "null", KEY_NULL, 0, 0 },
|
||||
{ NULL, NULL, -1, -1, 0 }
|
||||
};
|
||||
|
||||
diff --git a/key.h b/key.h
|
||||
index 0e3eea5..d51ed81 100644
|
||||
--- a/key.h
|
||||
+++ b/key.h
|
||||
@@ -46,6 +46,7 @@ enum types {
|
||||
KEY_ED25519_CERT,
|
||||
KEY_RSA_CERT_V00,
|
||||
KEY_DSA_CERT_V00,
|
||||
+ KEY_NULL,
|
||||
KEY_UNSPEC
|
||||
};
|
||||
enum fp_type {
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index 229fada..aa70945 100644
|
||||
index d3f87e1..7ebc76e 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
|
||||
@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
|
||||
int mm_answer_gss_accept_ctx(int, Buffer *);
|
||||
int mm_answer_gss_userok(int, Buffer *);
|
||||
int mm_answer_gss_checkmic(int, Buffer *);
|
||||
@ -1741,7 +1718,7 @@ index 229fada..aa70945 100644
|
||||
#endif
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@@ -253,11 +255,18 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
@@ -261,11 +263,18 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
|
||||
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
|
||||
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
|
||||
@ -1757,10 +1734,10 @@ index 229fada..aa70945 100644
|
||||
+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
|
||||
+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
|
||||
+#endif
|
||||
#ifdef WITH_OPENSSL
|
||||
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
|
||||
{MONITOR_REQ_SIGN, 0, mm_answer_sign},
|
||||
{MONITOR_REQ_PTY, 0, mm_answer_pty},
|
||||
@@ -366,6 +375,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
|
||||
#endif
|
||||
@@ -380,6 +389,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
|
||||
/* Permit requests for moduli and signatures */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||
@ -1771,7 +1748,7 @@ index 229fada..aa70945 100644
|
||||
} else {
|
||||
mon_dispatch = mon_dispatch_proto15;
|
||||
|
||||
@@ -471,6 +484,10 @@ monitor_child_postauth(struct monitor *pmonitor)
|
||||
@@ -488,6 +501,10 @@ monitor_child_postauth(struct monitor *pmonitor)
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||
@ -1782,9 +1759,9 @@ index 229fada..aa70945 100644
|
||||
} else {
|
||||
mon_dispatch = mon_dispatch_postauth15;
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||
@@ -1866,6 +1883,13 @@ mm_get_kex(Buffer *m)
|
||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
||||
@@ -1893,6 +1910,13 @@ mm_get_kex(Buffer *m)
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
||||
#endif
|
||||
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options.gss_keyex) {
|
||||
@ -1796,7 +1773,7 @@ index 229fada..aa70945 100644
|
||||
kex->server = 1;
|
||||
kex->hostkey_type = buffer_get_int(m);
|
||||
kex->kex_type = buffer_get_int(m);
|
||||
@@ -2073,6 +2097,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
|
||||
@@ -2100,6 +2124,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
|
||||
OM_uint32 major;
|
||||
u_int len;
|
||||
|
||||
@ -1806,7 +1783,7 @@ index 229fada..aa70945 100644
|
||||
goid.elements = buffer_get_string(m, &len);
|
||||
goid.length = len;
|
||||
|
||||
@@ -2100,6 +2127,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
|
||||
@@ -2127,6 +2154,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
|
||||
OM_uint32 flags = 0; /* GSI needs this */
|
||||
u_int len;
|
||||
|
||||
@ -1816,7 +1793,7 @@ index 229fada..aa70945 100644
|
||||
in.value = buffer_get_string(m, &len);
|
||||
in.length = len;
|
||||
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
||||
@@ -2117,6 +2147,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
|
||||
@@ -2144,6 +2174,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||
@ -1824,7 +1801,7 @@ index 229fada..aa70945 100644
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
@@ -2128,6 +2159,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
|
||||
@@ -2155,6 +2186,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
|
||||
OM_uint32 ret;
|
||||
u_int len;
|
||||
|
||||
@ -1834,7 +1811,7 @@ index 229fada..aa70945 100644
|
||||
gssbuf.value = buffer_get_string(m, &len);
|
||||
gssbuf.length = len;
|
||||
mic.value = buffer_get_string(m, &len);
|
||||
@@ -2154,7 +2188,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
|
||||
@@ -2181,7 +2215,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
|
||||
{
|
||||
int authenticated;
|
||||
|
||||
@ -1847,7 +1824,7 @@ index 229fada..aa70945 100644
|
||||
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, authenticated);
|
||||
@@ -2167,5 +2205,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
|
||||
@@ -2194,5 +2232,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
}
|
||||
@ -1935,10 +1912,10 @@ index 20e2b4a..ff79fbb 100644
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index d1b6d99..d1e1caa 100644
|
||||
index 82f114c..7e991e6 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -1290,7 +1290,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
|
||||
@@ -1300,7 +1300,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
|
||||
}
|
||||
|
||||
int
|
||||
@ -1947,7 +1924,7 @@ index d1b6d99..d1e1caa 100644
|
||||
{
|
||||
Buffer m;
|
||||
int authenticated = 0;
|
||||
@@ -1307,5 +1307,50 @@ mm_ssh_gssapi_userok(char *user)
|
||||
@@ -1317,5 +1317,50 @@ mm_ssh_gssapi_userok(char *user)
|
||||
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
|
||||
return (authenticated);
|
||||
}
|
||||
@ -2015,10 +1992,10 @@ index 9d5e5ba..93929e0 100644
|
||||
|
||||
#ifdef USE_PAM
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index dc884c9..7613ff2 100644
|
||||
index 3f5c58b..1c07766 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -141,6 +141,8 @@ typedef enum {
|
||||
@@ -143,6 +143,8 @@ typedef enum {
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
@ -2027,7 +2004,7 @@ index dc884c9..7613ff2 100644
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -183,10 +185,19 @@ static struct {
|
||||
@@ -187,10 +189,19 @@ static struct {
|
||||
{ "afstokenpassing", oUnsupported },
|
||||
#if defined(GSSAPI)
|
||||
{ "gssapiauthentication", oGssAuthentication },
|
||||
@ -2047,7 +2024,7 @@ index dc884c9..7613ff2 100644
|
||||
#endif
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
@@ -841,10 +852,30 @@ parse_time:
|
||||
@@ -868,10 +879,30 @@ parse_time:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2078,7 +2055,7 @@ index dc884c9..7613ff2 100644
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -1497,7 +1528,12 @@ initialize_options(Options * options)
|
||||
@@ -1553,7 +1584,12 @@ initialize_options(Options * options)
|
||||
options->pubkey_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
@ -2091,7 +2068,7 @@ index dc884c9..7613ff2 100644
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -1616,8 +1652,14 @@ fill_default_options(Options * options)
|
||||
@@ -1677,8 +1713,14 @@ fill_default_options(Options * options)
|
||||
options->challenge_response_authentication = 1;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2107,10 +2084,10 @@ index dc884c9..7613ff2 100644
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
diff --git a/readconf.h b/readconf.h
|
||||
index 75e3f8f..5cc97f0 100644
|
||||
index a028306..1dbe509 100644
|
||||
--- a/readconf.h
|
||||
+++ b/readconf.h
|
||||
@@ -54,7 +54,12 @@ typedef struct {
|
||||
@@ -45,7 +45,12 @@ typedef struct {
|
||||
int challenge_response_authentication;
|
||||
/* Try S/Key or TIS, authentication. */
|
||||
int gss_authentication; /* Try GSS authentication */
|
||||
@ -2150,10 +2127,10 @@ index b093a91..4c8da00 100644
|
||||
type_has_legacy() {
|
||||
case $1 in
|
||||
diff --git a/regress/kextype.sh b/regress/kextype.sh
|
||||
index 8c2ac09..a2a87ca 100644
|
||||
index 6f952f4..bcb609b 100644
|
||||
--- a/regress/kextype.sh
|
||||
+++ b/regress/kextype.sh
|
||||
@@ -9,6 +9,9 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
||||
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
|
||||
|
||||
tries="1 2 3 4"
|
||||
for k in `${SSH} -Q kex`; do
|
||||
@ -2164,10 +2141,10 @@ index 8c2ac09..a2a87ca 100644
|
||||
for i in $tries; do
|
||||
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
|
||||
diff --git a/regress/rekey.sh b/regress/rekey.sh
|
||||
index cf9401e..31fb0f7 100644
|
||||
index fd452b0..1148197 100644
|
||||
--- a/regress/rekey.sh
|
||||
+++ b/regress/rekey.sh
|
||||
@@ -30,6 +30,9 @@ increase_datafile_size 300
|
||||
@@ -38,6 +38,9 @@ increase_datafile_size 300
|
||||
|
||||
opts=""
|
||||
for i in `${SSH} -Q kex`; do
|
||||
@ -2177,7 +2154,7 @@ index cf9401e..31fb0f7 100644
|
||||
opts="$opts KexAlgorithms=$i"
|
||||
done
|
||||
for i in `${SSH} -Q cipher`; do
|
||||
@@ -48,6 +51,9 @@ done
|
||||
@@ -56,6 +59,9 @@ done
|
||||
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
|
||||
for c in `${SSH} -Q cipher-auth`; do
|
||||
for kex in `${SSH} -Q kex`; do
|
||||
@ -2185,13 +2162,13 @@ index cf9401e..31fb0f7 100644
|
||||
+ continue
|
||||
+ fi
|
||||
verbose "client rekey $c $kex"
|
||||
ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
|
||||
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
|
||||
done
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index f763317..68fb9ef 100644
|
||||
index c8a3f28..179c20d 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options)
|
||||
@@ -110,7 +110,10 @@ initialize_server_options(ServerOptions *options)
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
@ -2202,7 +2179,7 @@ index f763317..68fb9ef 100644
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options)
|
||||
@@ -253,8 +256,14 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->kerberos_get_afs_token = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2217,7 +2194,7 @@ index f763317..68fb9ef 100644
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -344,7 +353,8 @@ typedef enum {
|
||||
@@ -359,7 +368,8 @@ typedef enum {
|
||||
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
@ -2227,7 +2204,7 @@ index f763317..68fb9ef 100644
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sHostCertificate,
|
||||
@@ -411,10 +421,20 @@ static struct {
|
||||
@@ -428,10 +438,20 @@ static struct {
|
||||
#ifdef GSSAPI
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
@ -2248,7 +2225,7 @@ index f763317..68fb9ef 100644
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||
@@ -1091,10 +1111,22 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
@@ -1113,10 +1133,22 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2271,7 +2248,7 @@ index f763317..68fb9ef 100644
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2005,6 +2037,9 @@ dump_config(ServerOptions *o)
|
||||
@@ -2070,6 +2102,9 @@ dump_config(ServerOptions *o)
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||
@ -2282,10 +2259,10 @@ index f763317..68fb9ef 100644
|
||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index 4572066..37cfa9b 100644
|
||||
index 21719e2..397698b 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -112,7 +112,10 @@ typedef struct {
|
||||
@@ -113,7 +113,10 @@ typedef struct {
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
@ -2398,7 +2375,7 @@ index a99d7f0..0374c88 100644
|
||||
|
||||
#endif /* _SSH_GSS_H */
|
||||
diff --git a/ssh_config b/ssh_config
|
||||
index 6d1abaf..b0d343b 100644
|
||||
index 3f83c40..4a0fb82 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -26,6 +26,8 @@
|
||||
@ -2411,10 +2388,10 @@ index 6d1abaf..b0d343b 100644
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index b580392..e7accd6 100644
|
||||
index f9ede7a..e6649ac 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
|
||||
@@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is
|
||||
.Dq no .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
@ -2460,11 +2437,11 @@ index b580392..e7accd6 100644
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index adbbfc7..cadf234 100644
|
||||
index 4724b66..703f8e4 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
{
|
||||
@@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
|
||||
Kex *kex;
|
||||
|
||||
+#ifdef GSSAPI
|
||||
@ -2498,9 +2475,9 @@ index adbbfc7..cadf234 100644
|
||||
if (options.ciphers == (char *)-1) {
|
||||
logit("No valid ciphers for protocol version 2 given, using defaults.");
|
||||
options.ciphers = NULL;
|
||||
@@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
if (options.kex_algorithms != NULL)
|
||||
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
||||
@@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
|
||||
myproposal[PROPOSAL_KEX_ALGS]);
|
||||
|
||||
+#ifdef GSSAPI
|
||||
+ /* If we've got GSSAPI algorithms, then we also support the
|
||||
@ -2516,9 +2493,9 @@ index adbbfc7..cadf234 100644
|
||||
if (options.rekey_limit || options.rekey_interval)
|
||||
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
|
||||
(time_t)options.rekey_interval);
|
||||
@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
|
||||
@@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
|
||||
#endif
|
||||
kex->kex[KEX_C25519_SHA256] = kexc25519_client;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options.gss_keyex) {
|
||||
@ -2547,7 +2524,7 @@ index adbbfc7..cadf234 100644
|
||||
xxx_kex = kex;
|
||||
|
||||
dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
|
||||
@@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
|
||||
@@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
|
||||
void input_gssapi_hash(int type, u_int32_t, void *);
|
||||
void input_gssapi_error(int, u_int32_t, void *);
|
||||
void input_gssapi_errtok(int, u_int32_t, void *);
|
||||
@ -2555,7 +2532,7 @@ index adbbfc7..cadf234 100644
|
||||
#endif
|
||||
|
||||
void userauth(Authctxt *, char *);
|
||||
@@ -316,6 +373,11 @@ static char *authmethods_get(void);
|
||||
@@ -321,6 +378,11 @@ static char *authmethods_get(void);
|
||||
|
||||
Authmethod authmethods[] = {
|
||||
#ifdef GSSAPI
|
||||
@ -2567,7 +2544,7 @@ index adbbfc7..cadf234 100644
|
||||
{"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
NULL,
|
||||
@@ -613,19 +675,31 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
@@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int ok = 0;
|
||||
@ -2601,7 +2578,7 @@ index adbbfc7..cadf234 100644
|
||||
ok = 1; /* Mechanism works */
|
||||
} else {
|
||||
mech++;
|
||||
@@ -722,8 +796,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
|
||||
@@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
|
||||
{
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
@ -2612,7 +2589,7 @@ index adbbfc7..cadf234 100644
|
||||
|
||||
if (authctxt == NULL)
|
||||
fatal("input_gssapi_response: no authentication context");
|
||||
@@ -832,6 +906,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
|
||||
@@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
|
||||
free(msg);
|
||||
free(lang);
|
||||
}
|
||||
@ -2662,21 +2639,10 @@ index adbbfc7..cadf234 100644
|
||||
|
||||
int
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 24ab272..e4e406e 100644
|
||||
index f7b8aba..2871fe9 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -122,6 +122,10 @@
|
||||
#include "ssh-sandbox.h"
|
||||
#include "version.h"
|
||||
|
||||
+#ifdef USE_SECURITY_SESSION_API
|
||||
+#include <Security/AuthSession.h>
|
||||
+#endif
|
||||
+
|
||||
#ifdef LIBWRAP
|
||||
#include <tcpd.h>
|
||||
#include <syslog.h>
|
||||
@@ -1744,10 +1748,13 @@ main(int ac, char **av)
|
||||
@@ -1761,10 +1761,13 @@ main(int ac, char **av)
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
}
|
||||
@ -2690,7 +2656,7 @@ index 24ab272..e4e406e 100644
|
||||
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
|
||||
logit("sshd: no hostkeys available -- exiting.");
|
||||
exit(1);
|
||||
@@ -2488,6 +2495,48 @@ do_ssh2_kex(void)
|
||||
@@ -2501,6 +2504,49 @@ do_ssh2_kex(void)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||
list_hostkey_types());
|
||||
|
||||
@ -2735,13 +2701,14 @@ index 24ab272..e4e406e 100644
|
||||
+ fatal("No supported key exchange algorithms");
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
/* start key exchange */
|
||||
kex = kex_setup(myproposal);
|
||||
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
|
||||
@@ -2496,6 +2545,13 @@ do_ssh2_kex(void)
|
||||
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
|
||||
#ifdef WITH_OPENSSL
|
||||
@@ -2511,6 +2557,13 @@ do_ssh2_kex(void)
|
||||
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
|
||||
#endif
|
||||
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options.gss_keyex) {
|
||||
@ -2754,7 +2721,7 @@ index 24ab272..e4e406e 100644
|
||||
kex->client_version_string=client_version_string;
|
||||
kex->server_version_string=server_version_string;
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index c1b7c03..adfd7b1 100644
|
||||
index 7061f75..f4796fc 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
|
||||
@ -2767,10 +2734,10 @@ index c1b7c03..adfd7b1 100644
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 95b5f8c..1fb002d 100644
|
||||
index cccb310..8ad79d9 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
|
||||
@@ -536,12 +536,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is
|
||||
.Dq no .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
|
@ -17,7 +17,7 @@ index 0000000..630ec62
|
||||
+
|
||||
+
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 411eadb..4ab6717 100644
|
||||
index f02aa1e..b225217 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
@ -28,16 +28,16 @@ index 411eadb..4ab6717 100644
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -64,7 +65,7 @@ EXEEXT=@EXEEXT@
|
||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
@@ -176,6 +177,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssherr.o \
|
||||
@@ -186,6 +187,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
@ -47,7 +47,7 @@ index 411eadb..4ab6717 100644
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -283,6 +287,7 @@ install-files:
|
||||
@@ -305,6 +309,7 @@ install-files:
|
||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
@ -56,10 +56,10 @@ index 411eadb..4ab6717 100644
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index c0ae0d4..cb0f931 100644
|
||||
index 12f5afd..269e642 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -600,6 +600,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
|
||||
@@ -602,6 +602,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
@ -75,10 +75,10 @@ index c0ae0d4..cb0f931 100644
|
||||
options.authorized_keys_command, user_pw->pw_name, NULL);
|
||||
|
||||
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
index d04f4ed..0077dd7 100644
|
||||
index 265bd3a..8f32464 100644
|
||||
--- a/openbsd-compat/port-linux-sshd.c
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
|
||||
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
|
||||
@ -99,7 +99,7 @@ index d04f4ed..0077dd7 100644
|
||||
/* Send audit message */
|
||||
static int
|
||||
sshd_selinux_send_audit_message(int success, security_context_t default_context,
|
||||
@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
@@ -308,7 +322,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
@ -108,7 +108,7 @@ index d04f4ed..0077dd7 100644
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
|
||||
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
@ -128,7 +128,7 @@ index d04f4ed..0077dd7 100644
|
||||
|
||||
if (role != NULL)
|
||||
free(role);
|
||||
@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void)
|
||||
@@ -336,6 +350,24 @@ sshd_selinux_setup_pam_variables(void)
|
||||
return rv;
|
||||
}
|
||||
|
||||
@ -153,7 +153,7 @@ index d04f4ed..0077dd7 100644
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
sshd_selinux_setup_exec_context(char *pwname)
|
||||
@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
int r = 0;
|
||||
security_context_t default_ctx = NULL;
|
||||
|
||||
@ -162,7 +162,7 @@ index d04f4ed..0077dd7 100644
|
||||
return;
|
||||
|
||||
if (options.use_pam) {
|
||||
@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void)
|
||||
@@ -415,7 +447,7 @@ sshd_selinux_copy_context(void)
|
||||
{
|
||||
security_context_t *ctx;
|
||||
|
||||
@ -187,10 +187,10 @@ index b18893c..cb51f99 100644
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff --git a/platform.c b/platform.c
|
||||
index 0d39ab2..0dae387 100644
|
||||
index 84c47fa..6d876cb 100644
|
||||
--- a/platform.c
|
||||
+++ b/platform.c
|
||||
@@ -102,7 +102,7 @@ platform_setusercontext(struct passwd *pw)
|
||||
@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *pw)
|
||||
{
|
||||
#ifdef WITH_SELINUX
|
||||
/* Cache selinux status for later use */
|
||||
|
@ -1,15 +1,16 @@
|
||||
diff -up openssh-6.6p1/authfile.c.keyperm openssh-6.6p1/authfile.c
|
||||
--- openssh-6.6p1/authfile.c.keyperm 2014-02-04 01:20:15.000000000 +0100
|
||||
+++ openssh-6.6p1/authfile.c 2014-05-05 15:20:43.075246776 +0200
|
||||
@@ -54,6 +54,7 @@
|
||||
diff --git a/authfile.c b/authfile.c
|
||||
index e93d867..4fc5b3d 100644
|
||||
--- a/authfile.c
|
||||
+++ b/authfile.c
|
||||
@@ -32,6 +32,7 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
+#include <grp.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
@@ -979,6 +980,13 @@ key_perm_ok(int fd, const char *filename
|
||||
@@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename)
|
||||
#ifdef HAVE_CYGWIN
|
||||
if (check_ntsec(filename))
|
||||
#endif
|
||||
|
@ -1,8 +1,8 @@
|
||||
diff --git a/auth-krb5.c b/auth-krb5.c
|
||||
index 6c62bdf..11c8562 100644
|
||||
index 0089b18..8480261 100644
|
||||
--- a/auth-krb5.c
|
||||
+++ b/auth-krb5.c
|
||||
@@ -54,6 +54,21 @@
|
||||
@@ -55,6 +55,21 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
@ -24,7 +24,7 @@ index 6c62bdf..11c8562 100644
|
||||
static int
|
||||
krb5_init(void *context)
|
||||
{
|
||||
@@ -157,8 +172,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||
@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
@ -37,7 +37,7 @@ index 6c62bdf..11c8562 100644
|
||||
goto out;
|
||||
}
|
||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||
index 60de320..0a4930e 100644
|
||||
index 54dd383..961c564 100644
|
||||
--- a/gss-serv-krb5.c
|
||||
+++ b/gss-serv-krb5.c
|
||||
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
|
||||
@ -175,27 +175,27 @@ index 60de320..0a4930e 100644
|
||||
if ((fp = fopen(file, "r")) == NULL) {
|
||||
int saved_errno = errno;
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 68fb9ef..904c869 100644
|
||||
index 179c20d..d17ed04 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->ip_qos_interactive = -1;
|
||||
@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
options->fingerprint_hash = -1;
|
||||
+ options->use_kuserok = -1;
|
||||
}
|
||||
|
||||
void
|
||||
@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->version_addendum = xstrdup("");
|
||||
if (options->show_patchlevel == -1)
|
||||
options->show_patchlevel = 0;
|
||||
@@ -328,6 +329,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ if (options->use_kuserok == -1)
|
||||
+ options->use_kuserok = 1;
|
||||
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
@@ -338,7 +341,7 @@ typedef enum {
|
||||
use_privsep = PRIVSEP_NOSANDBOX;
|
||||
@@ -353,7 +356,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
@ -204,7 +204,7 @@ index 68fb9ef..904c869 100644
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
@@ -410,11 +413,13 @@ static struct {
|
||||
@@ -427,11 +430,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
@ -218,7 +218,7 @@ index 68fb9ef..904c869 100644
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1526,6 +1531,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
@@ -1557,6 +1562,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
*activep = value;
|
||||
break;
|
||||
|
||||
@ -229,7 +229,7 @@ index 68fb9ef..904c869 100644
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -1811,6 +1820,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
@@ -1872,6 +1881,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
M_CP_INTOPT(max_authtries);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
@ -237,19 +237,19 @@ index 68fb9ef..904c869 100644
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2062,6 +2072,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
@@ -2130,6 +2140,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index 37cfa9b..5117dfa 100644
|
||||
index 397698b..cf2a505 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -173,6 +173,7 @@ typedef struct {
|
||||
@@ -175,6 +175,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
@ -258,7 +258,7 @@ index 37cfa9b..5117dfa 100644
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index adfd7b1..e772ed5 100644
|
||||
index f4796fc..0d9454d 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
|
||||
@ -270,10 +270,10 @@ index adfd7b1..e772ed5 100644
|
||||
# GSSAPI options
|
||||
GSSAPIAuthentication yes
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 1fb002d..e0e5fff 100644
|
||||
index 8ad79d9..eb4dd9e 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -697,6 +697,10 @@ Specifies whether to automatically destroy the user's ticket cache
|
||||
@@ -740,6 +740,10 @@ Specifies whether to automatically destroy the user's ticket cache
|
||||
file on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
@ -284,7 +284,7 @@ index 1fb002d..e0e5fff 100644
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
@@ -862,6 +866,7 @@ Available keywords are
|
||||
@@ -961,6 +965,7 @@ Available keywords are
|
||||
.Cm HostbasedUsesNameFromPacketOnly ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
|
@ -25,7 +25,7 @@ index a1a2b52..b109a5a 100644
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff --git a/auth.h b/auth.h
|
||||
index 124e597..4605588 100644
|
||||
index d081c94..847cffd 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -59,6 +59,9 @@ struct Authctxt {
|
||||
@ -39,10 +39,10 @@ index 124e597..4605588 100644
|
||||
char *info; /* Extra info for next auth_log */
|
||||
#ifdef BSD_AUTH
|
||||
diff --git a/auth1.c b/auth1.c
|
||||
index 0f870b3..df040bb 100644
|
||||
index 5038828..f0a98d2 100644
|
||||
--- a/auth1.c
|
||||
+++ b/auth1.c
|
||||
@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt)
|
||||
@@ -382,6 +382,9 @@ do_authentication(Authctxt *authctxt)
|
||||
{
|
||||
u_int ulen;
|
||||
char *user, *style = NULL;
|
||||
@ -52,7 +52,7 @@ index 0f870b3..df040bb 100644
|
||||
|
||||
/* Get the name of the user that we wish to log in as. */
|
||||
packet_read_expect(SSH_CMSG_USER);
|
||||
@@ -389,11 +392,24 @@ do_authentication(Authctxt *authctxt)
|
||||
@@ -390,11 +393,24 @@ do_authentication(Authctxt *authctxt)
|
||||
user = packet_get_cstring(&ulen);
|
||||
packet_check_eom();
|
||||
|
||||
@ -78,10 +78,10 @@ index 0f870b3..df040bb 100644
|
||||
/* Verify that the user is a valid user. */
|
||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||
diff --git a/auth2-gss.c b/auth2-gss.c
|
||||
index c28a705..4756dd7 100644
|
||||
index 447f896..4803e7e 100644
|
||||
--- a/auth2-gss.c
|
||||
+++ b/auth2-gss.c
|
||||
@@ -251,6 +251,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
@@ -252,6 +252,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
@ -89,7 +89,7 @@ index c28a705..4756dd7 100644
|
||||
Buffer b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -263,7 +264,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
@@ -264,7 +265,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
mic.value = packet_get_string(&len);
|
||||
mic.length = len;
|
||||
|
||||
@ -104,7 +104,7 @@ index c28a705..4756dd7 100644
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -275,6 +282,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
@@ -276,6 +283,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
@ -114,10 +114,10 @@ index c28a705..4756dd7 100644
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
|
||||
index eca0069..95d678e 100644
|
||||
index b7ae353..41f1a3f 100644
|
||||
--- a/auth2-hostbased.c
|
||||
+++ b/auth2-hostbased.c
|
||||
@@ -112,7 +112,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
@@ -113,7 +113,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
@ -135,7 +135,7 @@ index eca0069..95d678e 100644
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index 749b11a..c0ae0d4 100644
|
||||
index 3f4f789..12f5afd 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
@ -153,10 +153,10 @@ index 749b11a..c0ae0d4 100644
|
||||
free(userstyle);
|
||||
buffer_put_cstring(&b,
|
||||
diff --git a/auth2.c b/auth2.c
|
||||
index a5490c0..5f4f26f 100644
|
||||
index d9b440a..d6fbc93 100644
|
||||
--- a/auth2.c
|
||||
+++ b/auth2.c
|
||||
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user, *service, *method, *style = NULL;
|
||||
@ -166,7 +166,7 @@ index a5490c0..5f4f26f 100644
|
||||
int authenticated = 0;
|
||||
|
||||
if (authctxt == NULL)
|
||||
@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
@ -178,7 +178,7 @@ index a5490c0..5f4f26f 100644
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
@ -196,10 +196,10 @@ index a5490c0..5f4f26f 100644
|
||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
||||
packet_disconnect("no authentication methods enabled");
|
||||
diff --git a/misc.c b/misc.c
|
||||
index e4c8c32..f31cd91 100644
|
||||
index 94b05b0..651c21b 100644
|
||||
--- a/misc.c
|
||||
+++ b/misc.c
|
||||
@@ -430,6 +430,7 @@ char *
|
||||
@@ -431,6 +431,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
@ -207,7 +207,7 @@ index e4c8c32..f31cd91 100644
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -445,6 +446,13 @@ colon(char *cp)
|
||||
@@ -446,6 +447,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
@ -222,10 +222,10 @@ index e4c8c32..f31cd91 100644
|
||||
return NULL;
|
||||
}
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index 531c4f9..229fada 100644
|
||||
index dbe29f1..d3f87e1 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -145,6 +145,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
@ -235,7 +235,7 @@ index 531c4f9..229fada 100644
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -219,6 +222,9 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
@@ -227,6 +230,9 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -245,7 +245,7 @@ index 531c4f9..229fada 100644
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -805,6 +811,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
|
||||
@@ -824,6 +830,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
@ -255,7 +255,7 @@ index 531c4f9..229fada 100644
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
@@ -846,6 +855,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
@@ -865,6 +874,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -281,7 +281,7 @@ index 531c4f9..229fada 100644
|
||||
int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
@@ -1220,7 +1248,7 @@ static int
|
||||
@@ -1241,7 +1269,7 @@ static int
|
||||
monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
{
|
||||
Buffer b;
|
||||
@ -290,7 +290,7 @@ index 531c4f9..229fada 100644
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1246,6 +1274,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
@@ -1267,6 +1295,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_cstring(&b, NULL);
|
||||
@ -299,7 +299,7 @@ index 531c4f9..229fada 100644
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1281,7 +1311,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
|
||||
@@ -1302,7 +1332,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
|
||||
char *chost)
|
||||
{
|
||||
Buffer b;
|
||||
@ -308,7 +308,7 @@ index 531c4f9..229fada 100644
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1298,6 +1328,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
|
||||
@@ -1319,6 +1349,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_cstring(&b, NULL);
|
||||
@ -333,10 +333,10 @@ index 5bc41b5..20e2b4a 100644
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index 1a47e41..d1b6d99 100644
|
||||
index 45dc169..82f114c 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *style)
|
||||
@@ -342,6 +342,25 @@ mm_inform_authserv(char *service, char *style)
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
@ -377,12 +377,12 @@ index 18c2501..9d5e5ba 100644
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
||||
index 6ecfb93..b912dbe 100644
|
||||
index ab1a3e3..843225d 100644
|
||||
--- a/openbsd-compat/Makefile.in
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
@ -391,10 +391,10 @@ index 6ecfb93..b912dbe 100644
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
new file mode 100644
|
||||
index 0000000..c18524e
|
||||
index 0000000..6310717
|
||||
--- /dev/null
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -0,0 +1,414 @@
|
||||
@@ -0,0 +1,415 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||
@ -426,6 +426,7 @@ index 0000000..c18524e
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
@ -868,10 +869,10 @@ index e3d1004..8ef6cc4 100644
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff --git a/platform.c b/platform.c
|
||||
index 30fc609..0d39ab2 100644
|
||||
index ee313da..84c47fa 100644
|
||||
--- a/platform.c
|
||||
+++ b/platform.c
|
||||
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
|
||||
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
@ -881,10 +882,10 @@ index 30fc609..0d39ab2 100644
|
||||
}
|
||||
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 7523de9..07f9926 100644
|
||||
index 481d001..41b317b 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -2138,6 +2138,9 @@ main(int ac, char **av)
|
||||
@@ -2144,6 +2144,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,8 +1,8 @@
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 3bb7f00..294bef5 100644
|
||||
index 9311e16..1eb2b45 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -154,25 +154,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
@@ -164,25 +164,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
@ -34,7 +34,7 @@ index 3bb7f00..294bef5 100644
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -187,7 +187,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
@@ -197,7 +197,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
@ -43,77 +43,6 @@ index 3bb7f00..294bef5 100644
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff --git a/auth-rsa.c b/auth-rsa.c
|
||||
index f225b0b..8bafcd6 100644
|
||||
--- a/auth-rsa.c
|
||||
+++ b/auth-rsa.c
|
||||
@@ -244,7 +244,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
|
||||
"actual %d vs. announced %d.",
|
||||
file, linenum, BN_num_bits(key->rsa->n), bits);
|
||||
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
debug("matching key found: file %s, line %lu %s %s",
|
||||
file, linenum, key_type(key), fp);
|
||||
free(fp);
|
||||
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
|
||||
index 6d1c872..3808ec8 100644
|
||||
--- a/auth2-pubkey.c
|
||||
+++ b/auth2-pubkey.c
|
||||
@@ -214,8 +214,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
|
||||
}
|
||||
|
||||
if (key_is_cert(key)) {
|
||||
- fp = key_fingerprint(key->cert->signature_key,
|
||||
- SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
|
||||
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
|
||||
key_type(key), key->cert->key_id,
|
||||
(unsigned long long)key->cert->serial,
|
||||
@@ -223,7 +222,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
|
||||
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
||||
free(fp);
|
||||
} else {
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
|
||||
auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
|
||||
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
|
||||
free(fp);
|
||||
diff --git a/authfile.c b/authfile.c
|
||||
index ec4f4ff..2b3d650 100644
|
||||
--- a/authfile.c
|
||||
+++ b/authfile.c
|
||||
@@ -46,6 +46,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
/* compatibility with old or broken OpenSSL versions */
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
@@ -1068,7 +1069,7 @@ Key *
|
||||
key_parse_private(Buffer *buffer, const char *filename,
|
||||
const char *passphrase, char **commentp)
|
||||
{
|
||||
- Key *pub, *prv;
|
||||
+ Key *pub, *prv = NULL;
|
||||
|
||||
/* it's a SSH v1 key if the public key part is readable */
|
||||
pub = key_parse_public_rsa1(buffer, commentp);
|
||||
@@ -1080,9 +1081,10 @@ key_parse_private(Buffer *buffer, const char *filename,
|
||||
*commentp = xstrdup(filename);
|
||||
} else {
|
||||
key_free(pub);
|
||||
- /* key_parse_public_rsa1() has already loaded the comment */
|
||||
- prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
|
||||
- NULL);
|
||||
+ if (! FIPS_mode())
|
||||
+ /* key_parse_public_rsa1() has already loaded the comment */
|
||||
+ prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
|
||||
+ NULL);
|
||||
}
|
||||
return prv;
|
||||
}
|
||||
diff --git a/cipher-ctr.c b/cipher-ctr.c
|
||||
index 73e9c7c..40ee395 100644
|
||||
--- a/cipher-ctr.c
|
||||
@ -129,7 +58,7 @@ index 73e9c7c..40ee395 100644
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff --git a/cipher.c b/cipher.c
|
||||
index 226e56d..b19443c 100644
|
||||
index 9cc7cf8..5ebfa84 100644
|
||||
--- a/cipher.c
|
||||
+++ b/cipher.c
|
||||
@@ -39,6 +39,8 @@
|
||||
@ -141,11 +70,11 @@ index 226e56d..b19443c 100644
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
@@ -90,6 +92,25 @@ static const struct Cipher ciphers[] = {
|
||||
@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] = {
|
||||
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
+static const struct Cipher fips_ciphers[] = {
|
||||
+static const struct sshcipher fips_ciphers[] = {
|
||||
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
|
||||
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
|
||||
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
|
||||
@ -164,38 +93,39 @@ index 226e56d..b19443c 100644
|
||||
+#endif
|
||||
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
+};
|
||||
+
|
||||
/*--*/
|
||||
|
||||
/* Returns a list of supported ciphers separated by the specified char. */
|
||||
@@ -100,7 +121,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
@@ -109,7 +131,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
size_t nlen, rlen = 0;
|
||||
const Cipher *c;
|
||||
const struct sshcipher *c;
|
||||
|
||||
- for (c = ciphers; c->name != NULL; c++) {
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
|
||||
if (c->number != SSH_CIPHER_SSH2)
|
||||
continue;
|
||||
if (auth_only && c->auth_len == 0)
|
||||
@@ -180,7 +201,7 @@ const Cipher *
|
||||
@@ -193,7 +215,7 @@ const struct sshcipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const Cipher *c;
|
||||
const struct sshcipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -190,7 +211,7 @@ const Cipher *
|
||||
@@ -203,7 +225,7 @@ const struct sshcipher *
|
||||
cipher_by_number(int id)
|
||||
{
|
||||
const Cipher *c;
|
||||
const struct sshcipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (c->number == id)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -232,7 +253,7 @@ cipher_number(const char *name)
|
||||
const Cipher *c;
|
||||
@@ -244,7 +266,7 @@ cipher_number(const char *name)
|
||||
const struct sshcipher *c;
|
||||
if (name == NULL)
|
||||
return -1;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
@ -216,10 +146,10 @@ index 48f7b68..9ff39f4 100644
|
||||
|
||||
/*
|
||||
diff --git a/entropy.c b/entropy.c
|
||||
index b361a04..5616643 100644
|
||||
index d24e724..06b0095 100644
|
||||
--- a/entropy.c
|
||||
+++ b/entropy.c
|
||||
@@ -222,6 +222,9 @@ seed_rng(void)
|
||||
@@ -215,6 +215,9 @@ seed_rng(void)
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
|
||||
@ -230,18 +160,18 @@ index b361a04..5616643 100644
|
||||
if (RAND_status() == 1) {
|
||||
debug3("RNG is ready, skipping seeding");
|
||||
diff --git a/kex.c b/kex.c
|
||||
index bc3e53e..ede7b67 100644
|
||||
index e0cf3de..e11198f 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <string.h>
|
||||
@@ -35,6 +35,7 @@
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
+#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh2.h"
|
||||
@@ -103,6 +104,25 @@ static const struct kexalg kexalgs[] = {
|
||||
@@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, -1, -1, -1},
|
||||
};
|
||||
|
||||
@ -267,7 +197,7 @@ index bc3e53e..ede7b67 100644
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -126,7 +146,7 @@ kex_alg_by_name(const char *name)
|
||||
@@ -130,7 +150,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
@ -276,7 +206,7 @@ index bc3e53e..ede7b67 100644
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
#ifdef GSSAPI
|
||||
@@ -151,7 +171,10 @@ kex_names_valid(const char *names)
|
||||
@@ -155,7 +175,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
@ -313,7 +243,7 @@ index 2700b72..0820894 100644
|
||||
}
|
||||
#else /* OPENSSL_HAS_ECC */
|
||||
diff --git a/kexgexc.c b/kexgexc.c
|
||||
index 355b7ba..427e11f 100644
|
||||
index 0a91bdd..b75930b 100644
|
||||
--- a/kexgexc.c
|
||||
+++ b/kexgexc.c
|
||||
@@ -26,6 +26,8 @@
|
||||
@ -358,50 +288,8 @@ index 770ad28..9d4fc6d 100644
|
||||
omax = max = DH_GRP_MAX;
|
||||
break;
|
||||
default:
|
||||
diff --git a/key.c b/key.c
|
||||
index 62f3edb..a2050f6 100644
|
||||
--- a/key.c
|
||||
+++ b/key.c
|
||||
@@ -42,6 +42,7 @@
|
||||
#include "crypto_api.h"
|
||||
|
||||
#include <openssl/evp.h>
|
||||
+#include <openssl/fips.h>
|
||||
#include <openbsd-compat/openssl-compat.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
@@ -636,9 +637,13 @@ key_fingerprint_selection(void)
|
||||
char *env;
|
||||
|
||||
if (!rv_defined) {
|
||||
- env = getenv("SSH_FINGERPRINT_TYPE");
|
||||
- rv = (env && !strcmp (env, "sha")) ?
|
||||
- SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ if (FIPS_mode())
|
||||
+ rv = SSH_FP_SHA1;
|
||||
+ else {
|
||||
+ env = getenv("SSH_FINGERPRINT_TYPE");
|
||||
+ rv = (env && !strcmp (env, "sha")) ?
|
||||
+ SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ }
|
||||
rv_defined = 1;
|
||||
}
|
||||
return rv;
|
||||
@@ -1168,8 +1173,11 @@ rsa_generate_private_key(u_int bits)
|
||||
fatal("%s: BN_new failed", __func__);
|
||||
if (!BN_set_word(f4, RSA_F4))
|
||||
fatal("%s: BN_new failed", __func__);
|
||||
- if (!RSA_generate_key_ex(private, bits, f4, NULL))
|
||||
+ if (!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||
+ if (FIPS_mode())
|
||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
||||
fatal("%s: key generation failed.", __func__);
|
||||
+ }
|
||||
BN_free(f4);
|
||||
return private;
|
||||
}
|
||||
diff --git a/mac.c b/mac.c
|
||||
index 9388af4..cd7b034 100644
|
||||
index fd07bf2..fedfbb2 100644
|
||||
--- a/mac.c
|
||||
+++ b/mac.c
|
||||
@@ -27,6 +27,8 @@
|
||||
@ -466,26 +354,18 @@ index 9388af4..cd7b034 100644
|
||||
continue;
|
||||
if (mac != NULL) {
|
||||
diff --git a/myproposal.h b/myproposal.h
|
||||
index 3a0f5ae..4f35a44 100644
|
||||
index b35b2b8..a608d27 100644
|
||||
--- a/myproposal.h
|
||||
+++ b/myproposal.h
|
||||
@@ -88,6 +88,12 @@
|
||||
"diffie-hellman-group14-sha1," \
|
||||
"diffie-hellman-group1-sha1"
|
||||
@@ -140,6 +140,28 @@
|
||||
"hmac-sha1-96," \
|
||||
"hmac-md5-96"
|
||||
|
||||
+#define KEX_DEFAULT_KEX_FIPS \
|
||||
+ KEX_ECDH_METHODS \
|
||||
+ KEX_SHA256_METHODS \
|
||||
+ "diffie-hellman-group-exchange-sha1," \
|
||||
+ "diffie-hellman-group14-sha1"
|
||||
+
|
||||
#define KEX_DEFAULT_PK_ALG \
|
||||
HOSTKEY_ECDSA_CERT_METHODS \
|
||||
"ssh-ed25519-cert-v01@openssh.com," \
|
||||
@@ -133,6 +139,22 @@
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
#define KEX_DEFAULT_LANG ""
|
||||
|
||||
+#define KEX_FIPS_ENCRYPT \
|
||||
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||
+ "aes128-cbc,3des-cbc," \
|
||||
@ -502,59 +382,24 @@ index 3a0f5ae..4f35a44 100644
|
||||
+#define KEX_FIPS_MAC \
|
||||
+ "hmac-sha1"
|
||||
+#endif
|
||||
+
|
||||
#else
|
||||
|
||||
static char *myproposal[PROPOSAL_MAX] = {
|
||||
KEX_DEFAULT_KEX,
|
||||
diff --git a/ssh-keygen.c b/ssh-keygen.c
|
||||
index 66198e6..ccf22c8 100644
|
||||
--- a/ssh-keygen.c
|
||||
+++ b/ssh-keygen.c
|
||||
@@ -195,6 +195,12 @@ type_bits_valid(int type, u_int32_t *bitsp)
|
||||
fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
|
||||
exit(1);
|
||||
}
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (type == KEY_DSA)
|
||||
+ fatal("DSA keys are not allowed in FIPS mode");
|
||||
+ if (type == KEY_ED25519)
|
||||
+ fatal("ED25519 keys are not allowed in FIPS mode");
|
||||
+ }
|
||||
if (type == KEY_DSA && *bitsp != 1024)
|
||||
fatal("DSA keys must be 1024 bits");
|
||||
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
|
||||
@@ -746,7 +752,7 @@ do_download(struct passwd *pw)
|
||||
enum fp_type fptype;
|
||||
char *fp, *ra;
|
||||
|
||||
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
|
||||
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
|
||||
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
|
||||
|
||||
pkcs11_init(0);
|
||||
@@ -756,8 +762,7 @@ do_download(struct passwd *pw)
|
||||
for (i = 0; i < nkeys; i++) {
|
||||
if (print_fingerprint) {
|
||||
fp = key_fingerprint(keys[i], fptype, rep);
|
||||
- ra = key_fingerprint(keys[i], SSH_FP_MD5,
|
||||
- SSH_FP_RANDOMART);
|
||||
+ ra = key_selected_fingerprint(keys[i], SSH_FP_RANDOMART);
|
||||
printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
|
||||
fp, key_type(keys[i]));
|
||||
if (log_level >= SYSLOG_LEVEL_VERBOSE)
|
||||
#define KEX_SERVER_KEX \
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index 1e6cb90..ea9193f 100644
|
||||
index 26e9681..a0a7c29 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
@@ -73,6 +73,8 @@
|
||||
|
||||
@@ -75,6 +75,8 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
+#include <openssl/fips.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -427,6 +429,13 @@ main(int ac, char **av)
|
||||
@@ -433,6 +435,13 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -568,7 +413,7 @@ index 1e6cb90..ea9193f 100644
|
||||
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
@@ -504,6 +513,9 @@ main(int ac, char **av)
|
||||
@@ -510,6 +519,9 @@ main(int ac, char **av)
|
||||
"ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
@ -578,15 +423,15 @@ index 1e6cb90..ea9193f 100644
|
||||
options.protocol = SSH_PROTO_1;
|
||||
break;
|
||||
case '2':
|
||||
@@ -828,7 +840,6 @@ main(int ac, char **av)
|
||||
|
||||
@@ -841,7 +853,6 @@ main(int ac, char **av)
|
||||
host_arg = xstrdup(host);
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
- OpenSSL_add_all_algorithms();
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
|
||||
/* Initialize the command to execute on remote host. */
|
||||
@@ -973,6 +984,10 @@ main(int ac, char **av)
|
||||
@@ -997,6 +1008,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
@ -597,7 +442,7 @@ index 1e6cb90..ea9193f 100644
|
||||
if (options.user == NULL)
|
||||
options.user = xstrdup(pw->pw_name);
|
||||
|
||||
@@ -1020,6 +1035,12 @@ main(int ac, char **av)
|
||||
@@ -1069,6 +1084,12 @@ main(int ac, char **av)
|
||||
|
||||
timeout_ms = options.connection_timeout * 1000;
|
||||
|
||||
@ -611,10 +456,10 @@ index 1e6cb90..ea9193f 100644
|
||||
if (ssh_connect(host, addrs, &hostaddr, options.port,
|
||||
options.address_family, options.connection_attempts,
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index b00658b..6a1562c 100644
|
||||
index efe6158..5631f39 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -44,6 +44,8 @@
|
||||
@@ -46,6 +46,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
|
||||
@ -623,24 +468,13 @@ index b00658b..6a1562c 100644
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -168,20 +170,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
@@ -171,20 +173,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
|
||||
#ifdef GSSAPI
|
||||
if (options.gss_keyex) {
|
||||
- /* Add the GSSAPI mechanisms currently supported on this
|
||||
- * client to the key exchange algorithm proposal */
|
||||
- orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||
-
|
||||
- if (options.gss_trust_dns)
|
||||
- gss_host = (char *)get_canonical_hostname(1);
|
||||
- else
|
||||
- gss_host = host;
|
||||
-
|
||||
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
||||
- if (gss) {
|
||||
- debug("Offering GSSAPI proposal: %s", gss);
|
||||
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||
- "%s,%s", gss, orig);
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||
+ options.gss_keyex = 0;
|
||||
@ -648,12 +482,21 @@ index b00658b..6a1562c 100644
|
||||
+ /* Add the GSSAPI mechanisms currently supported on this
|
||||
+ * client to the key exchange algorithm proposal */
|
||||
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||
+
|
||||
|
||||
- if (options.gss_trust_dns)
|
||||
- gss_host = (char *)get_canonical_hostname(1);
|
||||
- else
|
||||
- gss_host = host;
|
||||
+ if (options.gss_trust_dns)
|
||||
+ gss_host = (char *)get_canonical_hostname(1);
|
||||
+ else
|
||||
+ gss_host = host;
|
||||
+
|
||||
|
||||
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
||||
- if (gss) {
|
||||
- debug("Offering GSSAPI proposal: %s", gss);
|
||||
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||
- "%s,%s", gss, orig);
|
||||
+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
||||
+ if (gss) {
|
||||
+ debug("Offering GSSAPI proposal: %s", gss);
|
||||
@ -663,7 +506,7 @@ index b00658b..6a1562c 100644
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@@ -193,6 +200,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
@ -674,7 +517,7 @@ index b00658b..6a1562c 100644
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -208,7 +219,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
@ -686,7 +529,7 @@ index b00658b..6a1562c 100644
|
||||
if (options.hostkeyalgorithms != NULL)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||
@@ -220,9 +235,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
|
||||
}
|
||||
if (options.kex_algorithms != NULL)
|
||||
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
||||
@ -700,19 +543,27 @@ index b00658b..6a1562c 100644
|
||||
/* If we've got GSSAPI algorithms, then we also support the
|
||||
* 'null' hostkey, as a last resort */
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index b561ec8..e977de3 100644
|
||||
index db23ce2..3ce59f0 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -75,6 +75,8 @@
|
||||
@@ -66,6 +66,7 @@
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
+#include <syslog.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@@ -76,6 +77,8 @@
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/rand.h>
|
||||
+#include <openssl/fips.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
@@ -1468,6 +1470,18 @@ main(int ac, char **av)
|
||||
@@ -1479,6 +1482,18 @@ main(int ac, char **av)
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
@ -731,16 +582,16 @@ index b561ec8..e977de3 100644
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
saved_argc = ac;
|
||||
rexec_argc = ac;
|
||||
@@ -1619,8 +1633,6 @@ main(int ac, char **av)
|
||||
@@ -1630,7 +1645,7 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
- OpenSSL_add_all_algorithms();
|
||||
-
|
||||
/* If requested, redirect the logs to the specified logfile. */
|
||||
if (logfile != NULL) {
|
||||
log_redirect_stderr_to(logfile);
|
||||
@@ -1798,6 +1810,10 @@ main(int ac, char **av)
|
||||
-#ifdef WITH_OPENSSL
|
||||
+#if 0 /* FIPS */
|
||||
OpenSSL_add_all_algorithms();
|
||||
#endif
|
||||
|
||||
@@ -1816,6 +1831,10 @@ main(int ac, char **av)
|
||||
debug("private host key: #%d type %d %s", i, keytype,
|
||||
key_type(key ? key : pubkey));
|
||||
}
|
||||
@ -751,7 +602,7 @@ index b561ec8..e977de3 100644
|
||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -1961,6 +1977,10 @@ main(int ac, char **av)
|
||||
@@ -1982,6 +2001,10 @@ main(int ac, char **av)
|
||||
/* Reinitialize the log (because of the fork above). */
|
||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||
|
||||
@ -762,7 +613,7 @@ index b561ec8..e977de3 100644
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
if (chdir("/") == -1)
|
||||
@@ -2530,6 +2550,9 @@ do_ssh2_kex(void)
|
||||
@@ -2541,6 +2564,9 @@ do_ssh2_kex(void)
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
@ -772,7 +623,7 @@ index b561ec8..e977de3 100644
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -2539,6 +2562,9 @@ do_ssh2_kex(void)
|
||||
@@ -2550,6 +2576,9 @@ do_ssh2_kex(void)
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
@ -782,7 +633,7 @@ index b561ec8..e977de3 100644
|
||||
}
|
||||
if (options.compression == COMP_NONE) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
@@ -2549,6 +2575,8 @@ do_ssh2_kex(void)
|
||||
@@ -2560,6 +2589,8 @@ do_ssh2_kex(void)
|
||||
}
|
||||
if (options.kex_algorithms != NULL)
|
||||
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
||||
@ -791,7 +642,7 @@ index b561ec8..e977de3 100644
|
||||
|
||||
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
|
||||
myproposal[PROPOSAL_KEX_ALGS]);
|
||||
@@ -2575,10 +2603,14 @@ do_ssh2_kex(void)
|
||||
@@ -2586,10 +2617,14 @@ do_ssh2_kex(void)
|
||||
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
||||
orig = NULL;
|
||||
|
||||
@ -810,3 +661,24 @@ index b561ec8..e977de3 100644
|
||||
|
||||
if (gss && orig)
|
||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||
diff --git a/sshkey.c b/sshkey.c
|
||||
index f078e11..5e3d97f 100644
|
||||
--- a/sshkey.c
|
||||
+++ b/sshkey.c
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/pem.h>
|
||||
+#include <openssl/fips.h>
|
||||
|
||||
#include "crypto_api.h"
|
||||
|
||||
@@ -1523,6 +1524,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
|
||||
}
|
||||
if (!BN_set_word(f4, RSA_F4) ||
|
||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||
+ if (FIPS_mode())
|
||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
@ -113,7 +113,7 @@ index 0000000..dd5f5cc
|
||||
+ Jan F. Chadima <jchadima@redhat.com>
|
||||
+
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 28a8ec4..411eadb 100644
|
||||
index 06be3d5..f02aa1e 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
|
||||
@ -125,7 +125,7 @@ index 28a8ec4..411eadb 100644
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@
|
||||
@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
|
||||
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||
EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
@ -134,9 +134,9 @@ index 28a8ec4..411eadb 100644
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
||||
|
||||
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
@@ -98,8 +101,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssherr.o \
|
||||
@@ -108,8 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
|
||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||
sandbox-seccomp-filter.o sandbox-capsicum.o
|
||||
|
||||
@ -147,7 +147,7 @@ index 28a8ec4..411eadb 100644
|
||||
MANTYPE = @MANTYPE@
|
||||
|
||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||
@@ -170,6 +173,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
|
||||
@@ -180,6 +183,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
@ -157,7 +157,7 @@ index 28a8ec4..411eadb 100644
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -273,6 +279,10 @@ install-files:
|
||||
@@ -295,6 +301,10 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
@ -168,7 +168,7 @@ index 28a8ec4..411eadb 100644
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
@@ -289,6 +299,10 @@ install-files:
|
||||
@@ -311,6 +321,10 @@ install-files:
|
||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -179,7 +179,7 @@ index 28a8ec4..411eadb 100644
|
||||
-rm -f $(DESTDIR)$(bindir)/slogin
|
||||
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
@@ -318,6 +332,13 @@ install-sysconf:
|
||||
@@ -340,6 +354,13 @@ install-sysconf:
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
fi
|
||||
@ -193,7 +193,7 @@ index 28a8ec4..411eadb 100644
|
||||
|
||||
host-key: ssh-keygen$(EXEEXT)
|
||||
@if [ -z "$(DESTDIR)" ] ; then \
|
||||
@@ -381,6 +402,8 @@ uninstall:
|
||||
@@ -403,6 +424,8 @@ uninstall:
|
||||
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
@ -202,19 +202,19 @@ index 28a8ec4..411eadb 100644
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
|
||||
@@ -392,6 +415,7 @@ uninstall:
|
||||
@@ -414,6 +437,7 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
|
||||
regress-prep:
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 7c6ce08..722a19e 100644
|
||||
index 67c4486..6553074 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1625,6 +1625,106 @@ if test "x$use_pie" != "xno"; then
|
||||
@@ -1569,6 +1569,106 @@ if test "x$use_pie" != "xno"; then
|
||||
fi
|
||||
fi
|
||||
|
||||
@ -1159,7 +1159,7 @@ index 0000000..665dca2
|
||||
+
|
||||
diff --git a/ldapconf.c b/ldapconf.c
|
||||
new file mode 100644
|
||||
index 0000000..525060a
|
||||
index 0000000..b49cae6
|
||||
--- /dev/null
|
||||
+++ b/ldapconf.c
|
||||
@@ -0,0 +1,722 @@
|
42
openssh.spec
42
openssh.spec
@ -63,10 +63,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 6.6.1p1
|
||||
%define openssh_rel 11.1
|
||||
%define openssh_ver 6.7p1
|
||||
%define openssh_rel 1
|
||||
%define pam_ssh_agent_ver 0.9.3
|
||||
%define pam_ssh_agent_rel 3
|
||||
%define pam_ssh_agent_rel 4
|
||||
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
@ -74,8 +74,7 @@ Version: %{openssh_ver}
|
||||
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#URL1: http://pamsshagentauth.sourceforge.net
|
||||
# Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
|
||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
Source2: sshd.pam
|
||||
Source3: sshd.init
|
||||
@ -103,10 +102,9 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
|
||||
Patch103: openssh-5.8p1-packet.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch200: openssh-6.6p1-audit.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
|
||||
# record pfs= field in CRYPTO_SESSION audit event
|
||||
Patch201: openssh-6.6.1p1-audit-pfs.patch
|
||||
Patch200: openssh-6.7p1-audit.patch
|
||||
|
||||
# --- pam_ssh-agent ---
|
||||
# make it build reusing the openssh sources
|
||||
@ -117,13 +115,15 @@ Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
|
||||
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
|
||||
# don't use xfree (#1024965)
|
||||
Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
|
||||
# use SSH_DIGEST_* for fingerprint hashes
|
||||
Patch304: pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
||||
Patch400: openssh-6.6p1-role-mls.patch
|
||||
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
|
||||
Patch404: openssh-6.6p1-privsep-selinux.patch
|
||||
|
||||
#?-- unwanted child :(
|
||||
Patch501: openssh-6.6p1-ldap.patch
|
||||
Patch501: openssh-6.7p1-ldap.patch
|
||||
#?
|
||||
Patch502: openssh-6.6p1-keycat.patch
|
||||
|
||||
@ -143,15 +143,11 @@ Patch608: openssh-6.1p1-askpass-ld.patch
|
||||
Patch609: openssh-5.5p1-x11.patch
|
||||
|
||||
#?
|
||||
Patch700: openssh-6.6p1-fips.patch
|
||||
#?
|
||||
# drop? Patch701: openssh-5.6p1-exit-deadlock.patch
|
||||
Patch700: openssh-6.7p1-fips.patch
|
||||
#?
|
||||
Patch702: openssh-5.1p1-askpass-progress.patch
|
||||
#?
|
||||
Patch703: openssh-4.3p2-askpass-grab-info.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=205842
|
||||
# drop? Patch704: openssh-5.9p1-edns.patch
|
||||
#?
|
||||
Patch705: openssh-5.1p1-scp-manpage.patch
|
||||
#?
|
||||
@ -361,7 +357,7 @@ remote ssh-agent instance.
|
||||
The module is most useful for su and sudo service stacks.
|
||||
|
||||
%prep
|
||||
%setup -q -a 4 -n openssh-6.6p1
|
||||
%setup -q -a 4
|
||||
#Do not enable by default
|
||||
%if 0
|
||||
%patch0 -p1 -b .wIm
|
||||
@ -377,6 +373,7 @@ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
%patch301 -p1 -b .psaa-seteuid
|
||||
%patch302 -p1 -b .psaa-visibility
|
||||
%patch303 -p1 -b .psaa-xfree
|
||||
%patch304 -p2 -b .psaa-fingerprint
|
||||
# Remove duplicate headers
|
||||
rm -f $(cat %{SOURCE5})
|
||||
popd
|
||||
@ -399,13 +396,8 @@ popd
|
||||
%patch607 -p1 -b .sigpipe
|
||||
%patch608 -p1 -b .askpass-ld
|
||||
%patch609 -p1 -b .x11
|
||||
#
|
||||
# drop? %patch701 -p1 -b .exit-deadlock
|
||||
%patch702 -p1 -b .progress
|
||||
%patch703 -p1 -b .grab-info
|
||||
# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842
|
||||
# probably not needed anymore %patch704 -p1 -b .edns
|
||||
# drop it %patch705 -p1 -b .manpage
|
||||
%patch706 -p1 -b .localdomain
|
||||
%patch707 -p1 -b .redhat
|
||||
%patch708 -p1 -b .entropy
|
||||
@ -422,15 +414,10 @@ popd
|
||||
%patch902 -p1 -b .ccache_name
|
||||
%patch905 -p1 -b .legacy-ssh-copy-id
|
||||
%patch906 -p1 -b .fromto-remote
|
||||
%patch907 -p1 -b .CLOCK_BOOTTIME
|
||||
%patch908 -p1 -b .CVE-2014-2653
|
||||
%patch909 -p1 -b .6.6.1
|
||||
%patch910 -p1 -b .NI_MAXHOST
|
||||
%patch911 -p1 -b .set_remote_ipaddr
|
||||
%patch912 -p1 -b .utf8-banner
|
||||
%patch913 -p1 -b .partial-success
|
||||
%patch914 -p1 -b .servconf
|
||||
%patch915 -p1 -b .SIGXFSZ
|
||||
%patch916 -p1 -b .contexts
|
||||
%patch917 -p1 -b .cisco-dh
|
||||
%patch918 -p1 -b .log-in-chroot
|
||||
@ -439,10 +426,10 @@ popd
|
||||
%patch802 -p1 -b .GSSAPIEnablek5users
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-fps
|
||||
%patch700 -p1 -b .fips
|
||||
|
||||
%patch100 -p1 -b .coverity
|
||||
# FIXME rebase 6.7p1
|
||||
# %patch100 -p1 -b .coverity
|
||||
|
||||
%if 0
|
||||
# Nothing here yet
|
||||
@ -751,6 +738,9 @@ getent passwd sshd >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jan 20 2015 Petr Lautrbach <plautrba@redhat.com> 6.7p1-1 + 0.9.3-4
|
||||
- new upstream release openssh-6.7p1
|
||||
|
||||
* Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-11.1 + 0.9.3-3
|
||||
- error message if scp when directory doesn't exist (#1142223)
|
||||
- parsing configuration file values (#1130733)
|
||||
|
64
pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch
Normal file
64
pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch
Normal file
@ -0,0 +1,64 @@
|
||||
diff --git a/pam_ssh_agent_auth-0.9.3/key.c b/pam_ssh_agent_auth-0.9.3/key.c
|
||||
index 9555e7e..c17aae6 100644
|
||||
--- a/pam_ssh_agent_auth-0.9.3/key.c
|
||||
+++ b/pam_ssh_agent_auth-0.9.3/key.c
|
||||
@@ -55,6 +55,7 @@
|
||||
#include "uuencode.h"
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
+#include "digest.h"
|
||||
|
||||
Key *
|
||||
key_new(int type)
|
||||
@@ -181,7 +182,7 @@ key_equal(const Key *a, const Key *b)
|
||||
}
|
||||
|
||||
u_char*
|
||||
-key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
|
||||
+key_fingerprint_raw(const Key *k, int dgst_type,
|
||||
u_int *dgst_raw_length)
|
||||
{
|
||||
const EVP_MD *md = NULL;
|
||||
@@ -194,10 +195,10 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
|
||||
*dgst_raw_length = 0;
|
||||
|
||||
switch (dgst_type) {
|
||||
- case SSH_FP_MD5:
|
||||
+ case SSH_DIGEST_MD5:
|
||||
md = EVP_md5();
|
||||
break;
|
||||
- case SSH_FP_SHA1:
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
md = EVP_sha1();
|
||||
break;
|
||||
default:
|
||||
@@ -302,7 +303,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
|
||||
}
|
||||
|
||||
char *
|
||||
-key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
|
||||
+key_fingerprint(const Key *k, int dgst_type, enum fp_rep dgst_rep)
|
||||
{
|
||||
char *retval = NULL;
|
||||
u_char *dgst_raw;
|
||||
diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
|
||||
index dddcba9..8ba6d87 100644
|
||||
--- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
|
||||
+++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
|
||||
@@ -43,6 +43,7 @@
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "compat.h"
|
||||
+#include "digest.h"
|
||||
#include "key.h"
|
||||
#include "pathnames.h"
|
||||
#include "misc.h"
|
||||
@@ -118,7 +119,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
|
||||
found_key = 1;
|
||||
logit("matching key found: file %s, line %lu",
|
||||
file, linenum);
|
||||
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
||||
logit("Found matching %s key: %s",
|
||||
key_type(found), fp);
|
||||
free(fp);
|
Loading…
Reference in New Issue
Block a user