6.7p1-1 + 0.9.3-4

This commit is contained in:
Petr Lautrbach 2015-01-20 13:18:45 +01:00
parent b457c98bec
commit 1900351913
24 changed files with 1608 additions and 2056 deletions

.gitignore vendored

@ -13,3 +13,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-6.3p1.tar.gz /openssh-6.3p1.tar.gz
/openssh-6.4p1.tar.gz /openssh-6.4p1.tar.gz
/openssh-6.6p1.tar.gz /openssh-6.6p1.tar.gz
/openssh-6.7p1.tar.gz


@ -1,14 +0,0 @@
diff -up openssh-5.6p1/channels.c.exit-deadlock openssh-5.6p1/channels.c
--- openssh-5.6p1/channels.c.exit-deadlock 2010-08-05 15:09:48.000000000 +0200
+++ openssh-5.6p1/channels.c 2010-08-23 12:41:43.000000000 +0200
@@ -1647,6 +1647,10 @@ channel_handle_wfd(Channel *c, fd_set *r
u_int dlen, olen = 0;
int len;
+ if(c->wfd != -1 && buffer_len(&c->output) > 0 && c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+ debug("channel %d: forcing write", c->self);
+ FD_SET(c->wfd, writeset);
+ }
/* Send buffered output data to the socket. */
if (c->wfd != -1 &&
FD_ISSET(c->wfd, writeset) &&


@ -1,72 +0,0 @@
diff -up openssh-5.9p1/dns.c.edns openssh-5.9p1/dns.c
--- openssh-5.9p1/dns.c.edns 2010-08-31 14:41:14.000000000 +0200
+++ openssh-5.9p1/dns.c 2011-09-09 08:05:27.782440497 +0200
@@ -177,6 +177,7 @@ verify_host_key_dns(const char *hostname
{
u_int counter;
int result;
+ unsigned int rrset_flags = 0;
struct rrsetinfo *fingerprints = NULL;
u_int8_t hostkey_algorithm;
@@ -200,8 +201,19 @@ verify_host_key_dns(const char *hostname
return -1;
}
+ /*
+ * Original getrrsetbyname function, found on OpenBSD for example,
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
+ * DNS response is set by "options edns0" in resolv.conf.
+ *
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+ */
+#ifndef HAVE_GETRRSETBYNAME
+ rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.c
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.c.edns 2009-07-13 03:38:23.000000000 +0200
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.c 2011-09-09 15:03:39.930500801 +0200
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, uns
goto fail;
}
- /* don't allow flags yet, unimplemented */
- if (flags) {
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
+ if ((flags & ~RRSET_FORCE_EDNS0) != 0) {
result = ERRSET_INVAL;
goto fail;
}
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, uns
#endif /* DEBUG */
#ifdef RES_USE_DNSSEC
- /* turn on DNSSEC if EDNS0 is configured */
- if (_resp->options & RES_USE_EDNS0)
- _resp->options |= RES_USE_DNSSEC;
+ /* turn on DNSSEC if required */
+ if (flags & RRSET_FORCE_EDNS0)
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
#endif /* RES_USE_DNSEC */
/* make query */
diff -up openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns openssh-5.9p1/openbsd-compat/getrrsetbyname.h
--- openssh-5.9p1/openbsd-compat/getrrsetbyname.h.edns 2007-10-26 08:26:50.000000000 +0200
+++ openssh-5.9p1/openbsd-compat/getrrsetbyname.h 2011-09-09 08:05:27.965438689 +0200
@@ -72,6 +72,9 @@
#ifndef RRSET_VALIDATED
# define RRSET_VALIDATED 1
#endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0 0x0001
+#endif
/*
* Return codes for getrrsetbyname()


@ -1,7 +1,8 @@
diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac diff --git a/configure.ac b/configure.ac
--- openssh-6.2p1/configure.ac.vendor 2013-03-25 19:34:01.277495179 +0100 index 6553074..8dedb95 100644
+++ openssh-6.2p1/configure.ac 2013-03-25 19:34:01.377495818 +0100 --- a/configure.ac
@@ -4420,6 +4420,12 @@ AC_ARG_WITH([lastlog], +++ b/configure.ac
@@ -4676,6 +4676,12 @@ AC_ARG_WITH([lastlog],
fi fi
] ]
) )
@ -14,7 +15,7 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
dnl lastlog, [uw]tmpx? detection dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the dnl NOTE: set the paths in the platform section to avoid the
@@ -4681,6 +4687,7 @@ echo " Translate v4 in v6 hack @@ -4938,6 +4944,7 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE" echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +23,11 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
echo "" echo ""
diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c diff --git a/servconf.c b/servconf.c
--- openssh-6.2p1/servconf.c.vendor 2013-03-25 19:34:01.197494668 +0100 index e3ebaac..c8a3f28 100644
+++ openssh-6.2p1/servconf.c 2013-03-25 19:34:01.379495831 +0100 --- a/servconf.c
@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions +++ b/servconf.c
@@ -141,6 +141,7 @@ initialize_server_options(ServerOptions *options)
options->max_authtries = -1; options->max_authtries = -1;
options->max_sessions = -1; options->max_sessions = -1;
options->banner = NULL; options->banner = NULL;
@ -33,17 +35,16 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
options->use_dns = -1; options->use_dns = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
options->client_alive_count_max = -1; options->client_alive_count_max = -1;
@@ -287,6 +288,9 @@ fill_default_server_options(ServerOption @@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
options->ip_qos_bulk = IPTOS_THROUGHPUT; options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL) if (options->version_addendum == NULL)
options->version_addendum = xstrdup(""); options->version_addendum = xstrdup("");
+ if (options->show_patchlevel == -1) + if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0; + options->show_patchlevel = 0;
+ if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
/* Turn privilege separation on by default */ options->fwd_opts.streamlocal_bind_mask = 0177;
if (use_privsep == -1) if (options->fwd_opts.streamlocal_bind_unlink == -1)
use_privsep = PRIVSEP_NOSANDBOX; @@ -353,7 +356,7 @@ typedef enum {
@@ -324,7 +328,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions, sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -52,7 +53,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -439,6 +443,7 @@ static struct { @@ -467,6 +470,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL },
@ -60,7 +61,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1163,6 +1168,10 @@ process_server_config_line(ServerOptions @@ -1263,6 +1267,10 @@ process_server_config_line(ServerOptions *options, char *line,
multistate_ptr = multistate_privsep; multistate_ptr = multistate_privsep;
goto parse_multistate; goto parse_multistate;
@ -71,18 +72,19 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
case sAllowUsers: case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') { while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS) if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1950,6 +1959,7 @@ dump_config(ServerOptions *o) @@ -2081,6 +2089,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel); + dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h diff --git a/servconf.h b/servconf.h
--- openssh-6.2p1/servconf.h.vendor 2013-01-09 05:56:45.000000000 +0100 index 49b228b..21719e2 100644
+++ openssh-6.2p1/servconf.h 2013-03-25 19:34:01.379495831 +0100 --- a/servconf.h
@@ -147,6 +147,7 @@ typedef struct { +++ b/servconf.h
@@ -149,6 +149,7 @@ typedef struct {
int max_authtries; int max_authtries;
int max_sessions; int max_sessions;
char *banner; /* SSH-2 banner message */ char *banner; /* SSH-2 banner message */
@ -90,10 +92,34 @@ diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
int use_dns; int use_dns;
int client_alive_interval; /* int client_alive_interval; /*
* poke the client this often to * poke the client this often to
diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config diff --git a/sshd.c b/sshd.c
--- openssh-6.2p1/sshd_config.vendor 2013-03-25 19:34:01.380495837 +0100 index afe9afa..193b206 100644
+++ openssh-6.2p1/sshd_config 2013-03-25 19:44:43.471296362 +0100 --- a/sshd.c
@@ -118,6 +118,7 @@ UsePrivilegeSeparation sandbox # Defaul +++ b/sshd.c
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
}
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_VERSION,
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -1677,7 +1677,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %s, %s", SSH_VERSION,
+ debug("sshd version %s, %s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
#ifdef WITH_OPENSSL
SSLeay_version(SSLEAY_VERSION)
#else
diff --git a/sshd_config b/sshd_config
index 3092ac6..da3db5d 100644
--- a/sshd_config
+++ b/sshd_config
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
#Compression delayed #Compression delayed
#ClientAliveInterval 0 #ClientAliveInterval 0
#ClientAliveCountMax 3 #ClientAliveCountMax 3
@ -101,10 +127,11 @@ diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config
#UseDNS yes #UseDNS yes
#PidFile /var/run/sshd.pid #PidFile /var/run/sshd.pid
#MaxStartups 10:30:100 #MaxStartups 10:30:100
diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0 diff --git a/sshd_config.0 b/sshd_config.0
--- openssh-6.2p1/sshd_config.0.vendor 2013-03-25 19:34:01.361495716 +0100 index 43867d3..a3898c3 100644
+++ openssh-6.2p1/sshd_config.0 2013-03-25 19:34:01.381495844 +0100 --- a/sshd_config.0
@@ -595,6 +595,11 @@ DESCRIPTION +++ b/sshd_config.0
@@ -700,6 +700,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1 Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024. server key. The minimum value is 512, and the default is 1024.
@ -113,13 +140,14 @@ diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0
+ the binary in the server identification string. The patch level + the binary in the server identification string. The patch level
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^]. + is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
+ +
StrictModes StreamLocalBindMask
Specifies whether sshd(8) should check file modes and ownership Sets the octal file creation mode mask (umask) used when creating
of the user's files and home directory before accepting login. a Unix-domain socket file for local or remote port forwarding.
diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5 diff --git a/sshd_config.5 b/sshd_config.5
--- openssh-6.2p1/sshd_config.5.vendor 2013-03-25 19:34:01.362495722 +0100 index 89a0cf2..cccb310 100644
+++ openssh-6.2p1/sshd_config.5 2013-03-25 19:34:01.382495850 +0100 --- a/sshd_config.5
@@ -1019,6 +1019,14 @@ This option applies to protocol version +++ b/sshd_config.5
@@ -1200,6 +1200,13 @@ This option applies to protocol version 1 only.
.It Cm ServerKeyBits .It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024. The minimum value is 512, and the default is 1024.
@ -130,29 +158,6 @@ diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
+The patch level is set at compile-time. +The patch level is set at compile-time.
+The default is +The default is
+.Dq no . +.Dq no .
+This option applies to protocol version 1 only. .It Cm StreamLocalBindMask
.It Cm StrictModes Sets the octal file creation mode mask
Specifies whether .Pq umask
.Xr sshd 8
diff -up openssh-6.2p1/sshd.c.vendor openssh-6.2p1/sshd.c
--- openssh-6.2p1/sshd.c.vendor 2013-03-25 19:34:01.332495531 +0100
+++ openssh-6.2p1/sshd.c 2013-03-25 19:44:11.864112092 +0100
@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in
}
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_VERSION,
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -1675,7 +1675,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %s, %s", SSH_VERSION,
+ debug("sshd version %s, %s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
SSLeay_version(SSLEAY_VERSION));
/* Store privilege separation user for later use if required. */
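Review bot: The selector `(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION` is now spelled out twice in the new side of the sshd.c hunks, once in the xasprintf() in sshd_exchange_identification and once in the debug() in main; a single file-scope helper such as `static const char *sshd_version_string(void) { return options.show_patchlevel == 1 ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION; }` keeps the banner and the log line from drifting apart on the next rebase. The `%.100s` width in the identification format is what bounds whatever SSH_VENDOR_PATCHLEVEL expands to, and since that string is sent to every peer before authentication a short comment on the xasprintf line saying so would help the next maintainer keep the bound. Both sshd_exchange_identification and main start and end outside the hunks.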


@ -1,212 +0,0 @@
diff --git a/audit-bsm.c b/audit-bsm.c
index 5160869..c7a1b47 100644
--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -481,7 +481,7 @@ audit_unsupported_body(int what)
}
void
-audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid)
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid, uid_t uid)
{
/* not implemented */
}
diff --git a/audit-linux.c b/audit-linux.c
index 6954fc1..6686f6a 100644
--- a/audit-linux.c
+++ b/audit-linux.c
@@ -297,7 +297,7 @@ audit_unsupported_body(int what)
const static char *direction[] = { "from-server", "from-client", "both" };
void
-audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid,
uid_t uid)
{
#ifdef AUDIT_CRYPTO_SESSION
@@ -306,8 +306,8 @@ audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
Cipher *cipher = cipher_by_name(enc);
char *s;
- snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
- direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac,
+ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s pfs=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
+ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac, pfs,
(intmax_t)pid, (intmax_t)uid,
get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
free(s);
diff --git a/audit.c b/audit.c
index 13c6849..5b49434 100644
--- a/audit.c
+++ b/audit.c
@@ -135,9 +135,9 @@ audit_unsupported(int what)
}
void
-audit_kex(int ctos, char *enc, char *mac, char *comp)
+audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs)
{
- PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
+ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, pfs, getpid(), getuid()));
}
void
@@ -270,11 +270,11 @@ audit_unsupported_body(int what)
* This will be called on succesfull protocol negotiation.
*/
void
-audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid,
uid_t uid)
{
- debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
- (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
+ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s pfs %s from pid %ld uid %u",
+ (unsigned)geteuid(), ctos, enc, mac, compress, pfs, (long)pid,
(unsigned)uid);
}
diff --git a/audit.h b/audit.h
index a2dc3ff..903df66 100644
--- a/audit.h
+++ b/audit.h
@@ -61,9 +61,9 @@ ssh_audit_event_t audit_classify_auth(const char *);
int audit_keyusage(int, const char *, unsigned, char *, int);
void audit_key(int, int *, const Key *);
void audit_unsupported(int);
-void audit_kex(int, char *, char *, char *);
+void audit_kex(int, char *, char *, char *, char *);
void audit_unsupported_body(int);
-void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
+void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
void audit_session_key_free(int ctos);
void audit_session_key_free_body(int ctos, pid_t, uid_t);
void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
diff --git a/auditstub.c b/auditstub.c
index 45817e0..116f460 100644
--- a/auditstub.c
+++ b/auditstub.c
@@ -35,7 +35,7 @@ audit_unsupported(int n)
}
void
-audit_kex(int ctos, char *enc, char *mac, char *comp)
+audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs)
{
}
diff --git a/kex.c b/kex.c
index ede7b67..eb5f333 100644
--- a/kex.c
+++ b/kex.c
@@ -553,13 +553,12 @@ kex_choose_conf(Kex *kex)
newkeys->enc.name,
authlen == 0 ? newkeys->mac.name : "<implicit>",
newkeys->comp.name);
-#ifdef SSH_AUDIT_EVENTS
- audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name);
-#endif
}
+
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
+
need = dh_need = 0;
for (mode = 0; mode < MODE_MAX; mode++) {
newkeys = kex->newkeys[mode];
@@ -571,11 +570,16 @@ kex_choose_conf(Kex *kex)
dh_need = MAX(dh_need, newkeys->enc.block_size);
dh_need = MAX(dh_need, newkeys->enc.iv_len);
dh_need = MAX(dh_need, newkeys->mac.key_len);
+ debug("kex: %s need=%d dh_need=%d", kex->name, need, dh_need);
+#ifdef SSH_AUDIT_EVENTS
+ audit_kex(mode, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name, kex->name);
+#endif
}
/* XXX need runden? */
kex->we_need = need;
kex->dh_need = dh_need;
+
/* ignore the next message if the proposals do not match */
if (first_kex_follows && !proposals_match(my, peer) &&
!(datafellows & SSH_BUG_FIRSTKEX)) {
diff --git a/monitor.c b/monitor.c
index 70b9b4c..81bc9c1 100644
--- a/monitor.c
+++ b/monitor.c
@@ -2396,7 +2396,7 @@ int
mm_answer_audit_kex_body(int sock, Buffer *m)
{
int ctos, len;
- char *cipher, *mac, *compress;
+ char *cipher, *mac, *compress, *pfs;
pid_t pid;
uid_t uid;
@@ -2404,14 +2404,16 @@ mm_answer_audit_kex_body(int sock, Buffer *m)
cipher = buffer_get_string(m, &len);
mac = buffer_get_string(m, &len);
compress = buffer_get_string(m, &len);
+ pfs = buffer_get_string(m, &len);
pid = buffer_get_int64(m);
uid = buffer_get_int64(m);
- audit_kex_body(ctos, cipher, mac, compress, pid, uid);
+ audit_kex_body(ctos, cipher, mac, compress, pfs, pid, uid);
free(cipher);
free(mac);
free(compress);
+ free(pfs);
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 93f6535..69b29d8 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1408,7 +1408,7 @@ mm_audit_unsupported_body(int what)
}
void
-mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, char *fps, pid_t pid,
uid_t uid)
{
Buffer m;
@@ -1418,6 +1418,7 @@ mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
buffer_put_cstring(&m, cipher);
buffer_put_cstring(&m, (mac ? mac : ""));
buffer_put_cstring(&m, compress);
+ buffer_put_cstring(&m, fps);
buffer_put_int64(&m, pid);
buffer_put_int64(&m, uid);
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 4cf0c78..e43109f 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -83,7 +83,7 @@ void mm_audit_event(ssh_audit_event_t);
int mm_audit_run_command(const char *);
void mm_audit_end_command(int, const char *);
void mm_audit_unsupported_body(int);
-void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
+void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
void mm_audit_session_key_free_body(int, pid_t, uid_t);
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
#endif
diff --git a/sshd.c b/sshd.c
index ee94825..41a94a7 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2430,7 +2430,7 @@ do_ssh1_kex(void)
packet_disconnect("IP Spoofing check bytes do not match.");
#ifdef SSH_AUDIT_EVENTS
- audit_kex(2, cipher_name(cipher_type), "crc", "none");
+ audit_kex(2, cipher_name(cipher_type), "crc", "none", "none");
#endif
debug("Encryption type: %.200s", cipher_name(cipher_type));


@ -40,10 +40,10 @@ index ae7df25..30c3310 100644
int log_is_on_stderr(void); int log_is_on_stderr(void);
void log_redirect_stderr_to(const char *); void log_redirect_stderr_to(const char *);
diff --git a/monitor.c b/monitor.c diff --git a/monitor.c b/monitor.c
index 7461fae..da2f766 100644 index 7ebc76e..d97e640 100644
--- a/monitor.c --- a/monitor.c
+++ b/monitor.c +++ b/monitor.c
@@ -364,6 +364,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) @@ -378,6 +378,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
close(pmonitor->m_log_sendfd); close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -52,7 +52,7 @@ index 7461fae..da2f766 100644
authctxt = _authctxt; authctxt = _authctxt;
memset(authctxt, 0, sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt));
@@ -472,6 +474,8 @@ monitor_child_postauth(struct monitor *pmonitor) @@ -486,6 +488,8 @@ monitor_child_postauth(struct monitor *pmonitor)
close(pmonitor->m_recvfd); close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1; pmonitor->m_recvfd = -1;
@ -61,7 +61,7 @@ index 7461fae..da2f766 100644
monitor_set_child_handler(pmonitor->m_pid); monitor_set_child_handler(pmonitor->m_pid);
signal(SIGHUP, &monitor_child_handler); signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler); signal(SIGTERM, &monitor_child_handler);
@@ -552,7 +556,7 @@ monitor_read_log(struct monitor *pmonitor) @@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonitor)
if (log_level_name(level) == NULL) if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)", fatal("%s: invalid log level %u (corrupted message?)",
__func__, level); __func__, level);
@ -70,7 +70,7 @@ index 7461fae..da2f766 100644
buffer_free(&logmsg); buffer_free(&logmsg);
free(msg); free(msg);
@@ -2083,13 +2087,28 @@ monitor_init(void) @@ -2107,13 +2111,28 @@ monitor_init(void)
mm_init_compression(mon->m_zlib); mm_init_compression(mon->m_zlib);
} }
@ -119,7 +119,7 @@ index ff79fbb..00c2028 100644
struct Authctxt; struct Authctxt;
diff --git a/session.c b/session.c diff --git a/session.c b/session.c
index e4add93..bc4a8dd 100644 index 9c94d8e..40a681e 100644
--- a/session.c --- a/session.c
+++ b/session.c +++ b/session.c
@@ -160,6 +160,8 @@ login_cap_t *lc; @@ -160,6 +160,8 @@ login_cap_t *lc;
@ -131,7 +131,7 @@ index e4add93..bc4a8dd 100644
/* Name and directory of socket for authentication agent forwarding. */ /* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL; static char *auth_sock_name = NULL;
static char *auth_sock_dir = NULL; static char *auth_sock_dir = NULL;
@@ -523,8 +525,8 @@ do_exec_no_pty(Session *s, const char *command) @@ -505,8 +507,8 @@ do_exec_no_pty(Session *s, const char *command)
is_child = 1; is_child = 1;
/* Child. Reinitialize the log since the pid has changed. */ /* Child. Reinitialize the log since the pid has changed. */
@ -142,7 +142,7 @@ index e4add93..bc4a8dd 100644
/* /*
* Create a new session and process group since the 4.4BSD * Create a new session and process group since the 4.4BSD
@@ -692,8 +694,8 @@ do_exec_pty(Session *s, const char *command) @@ -674,8 +676,8 @@ do_exec_pty(Session *s, const char *command)
close(ptymaster); close(ptymaster);
/* Child. Reinitialize the log because the pid has changed. */ /* Child. Reinitialize the log because the pid has changed. */
@ -153,7 +153,7 @@ index e4add93..bc4a8dd 100644
/* Close the master side of the pseudo tty. */ /* Close the master side of the pseudo tty. */
close(ptyfd); close(ptyfd);
@@ -797,6 +799,7 @@ do_exec(Session *s, const char *command) @@ -779,6 +781,7 @@ do_exec(Session *s, const char *command)
int ret; int ret;
const char *forced = NULL; const char *forced = NULL;
char session_type[1024], *tty = NULL; char session_type[1024], *tty = NULL;
@ -161,7 +161,7 @@ index e4add93..bc4a8dd 100644
if (options.adm_forced_command) { if (options.adm_forced_command) {
original_command = command; original_command = command;
@@ -854,6 +857,10 @@ do_exec(Session *s, const char *command) @@ -836,6 +839,10 @@ do_exec(Session *s, const char *command)
tty += 5; tty += 5;
} }
@ -172,7 +172,7 @@ index e4add93..bc4a8dd 100644
verbose("Starting session: %s%s%s for %s from %.200s port %d", verbose("Starting session: %s%s%s for %s from %.200s port %d",
session_type, session_type,
tty == NULL ? "" : " on ", tty == NULL ? "" : " on ",
@@ -1681,14 +1688,6 @@ child_close_fds(void) @@ -1677,14 +1684,6 @@ child_close_fds(void)
* descriptors left by system functions. They will be closed later. * descriptors left by system functions. They will be closed later.
*/ */
endpwent(); endpwent();
@ -187,7 +187,7 @@ index e4add93..bc4a8dd 100644
} }
/* /*
@@ -1834,8 +1833,6 @@ do_child(Session *s, const char *command) @@ -1830,8 +1829,6 @@ do_child(Session *s, const char *command)
exit(1); exit(1);
} }
@ -196,7 +196,7 @@ index e4add93..bc4a8dd 100644
if (!options.use_login) if (!options.use_login)
do_rc_files(s, shell); do_rc_files(s, shell);
@@ -1859,9 +1856,17 @@ do_child(Session *s, const char *command) @@ -1855,9 +1852,17 @@ do_child(Session *s, const char *command)
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -227,10 +227,10 @@ index 7e644ab..e162b7a 100644
+ return (sftp_server_main(argc, argv, user_pw, 0)); + return (sftp_server_main(argc, argv, user_pw, 0));
} }
diff --git a/sftp-server.c b/sftp-server.c diff --git a/sftp-server.c b/sftp-server.c
index b8eb59c..a0e644c 100644 index 0177130..8fa7fc7 100644
--- a/sftp-server.c --- a/sftp-server.c
+++ b/sftp-server.c +++ b/sftp-server.c
@@ -1437,7 +1437,7 @@ sftp_server_usage(void) @@ -1440,7 +1440,7 @@ sftp_server_usage(void)
} }
int int
@ -239,7 +239,7 @@ index b8eb59c..a0e644c 100644
{ {
fd_set *rset, *wset; fd_set *rset, *wset;
int i, in, out, max, ch, skipargs = 0, log_stderr = 0; int i, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1450,7 +1450,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) @@ -1453,7 +1453,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
extern char *__progname; extern char *__progname;
__progname = ssh_get_progname(argv[0]); __progname = ssh_get_progname(argv[0]);
@ -248,15 +248,15 @@ index b8eb59c..a0e644c 100644
pw = pwcopy(user_pw); pw = pwcopy(user_pw);
@@ -1521,7 +1521,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) @@ -1524,7 +1524,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
} }
} }
- log_init(__progname, log_level, log_facility, log_stderr); - log_init(__progname, log_level, log_facility, log_stderr);
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); + log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
if ((cp = getenv("SSH_CONNECTION")) != NULL) { #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
client_addr = xstrdup(cp); /*
diff --git a/sftp.h b/sftp.h diff --git a/sftp.h b/sftp.h
index 2bde8bb..ddf1a39 100644 index 2bde8bb..ddf1a39 100644
--- a/sftp.h --- a/sftp.h
@ -269,10 +269,10 @@ index 2bde8bb..ddf1a39 100644
+int sftp_server_main(int, char **, struct passwd *, int); +int sftp_server_main(int, char **, struct passwd *, int);
void sftp_server_cleanup_exit(int) __attribute__((noreturn)); void sftp_server_cleanup_exit(int) __attribute__((noreturn));
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index 3eee75a..9c00bcb 100644 index 39b9c08..ca55d7f 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -745,7 +745,7 @@ privsep_postauth(Authctxt *authctxt) @@ -737,7 +737,7 @@ privsep_postauth(Authctxt *authctxt)
} }
/* New socket pair */ /* New socket pair */
@ -281,7 +281,7 @@ index 3eee75a..9c00bcb 100644
pmonitor->m_pid = fork(); pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1) if (pmonitor->m_pid == -1)
@@ -763,6 +763,11 @@ privsep_postauth(Authctxt *authctxt) @@ -755,6 +755,11 @@ privsep_postauth(Authctxt *authctxt)
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1; pmonitor->m_sendfd = -1;


@ -1,16 +1,16 @@
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
index 0077dd7..e3f2ced 100644 index 8f32464..18a2ca4 100644
--- a/openbsd-compat/port-linux-sshd.c --- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c +++ b/openbsd-compat/port-linux-sshd.c
@@ -31,6 +31,7 @@ @@ -32,6 +32,7 @@
#include "xmalloc.h" #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
#include "servconf.h" #include "servconf.h"
#include "port-linux.h" #include "port-linux.h"
+#include "misc.h" +#include "misc.h"
#include "key.h" #include "key.h"
#include "hostfile.h" #include "hostfile.h"
#include "auth.h" #include "auth.h"
@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname) @@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
void void
sshd_selinux_copy_context(void) sshd_selinux_copy_context(void)
{ {
@ -19,7 +19,7 @@ index 0077dd7..e3f2ced 100644
if (!sshd_selinux_enabled()) if (!sshd_selinux_enabled())
return; return;
@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void) @@ -461,6 +462,58 @@ sshd_selinux_copy_context(void)
} }
} }
@ -104,10 +104,10 @@ index cb51f99..8b7cda2 100644
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index 512c7ed..3eee75a 100644 index 2871fe9..39b9c08 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -637,7 +637,7 @@ privsep_preauth_child(void) @@ -629,7 +629,7 @@ privsep_preauth_child(void)
demote_sensitive_data(); demote_sensitive_data();
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
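Review bot: The `+#include "misc.h"` the patch adds to openbsd-compat/port-linux-sshd.c is redundant on the rebased side: the new context line three lines above it already reads `#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */`, so the rebased file includes misc.h twice. It is harmless only as long as misc.h keeps its include guard, so the added line should be dropped from the patch rather than carried forward. The enclosing include block is cut at the hunk boundary, so I cannot see whether any other header in the file depends on the second include's position.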


@ -1,5 +1,5 @@
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 0a4930e..a7c0c5f 100644 index 961c564..0fcfd7b 100644
--- a/gss-serv-krb5.c --- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c +++ b/gss-serv-krb5.c
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name, @@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
@ -20,27 +20,27 @@ index 0a4930e..a7c0c5f 100644
k5login_exists); k5login_exists);
} }
diff --git a/servconf.c b/servconf.c diff --git a/servconf.c b/servconf.c
index d482e79..ad5869b 100644 index e4164b1..87a311b 100644
--- a/servconf.c --- a/servconf.c
+++ b/servconf.c +++ b/servconf.c
@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options) @@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_bulk = -1;
options->version_addendum = NULL; options->version_addendum = NULL;
options->fingerprint_hash = -1;
options->use_kuserok = -1; options->use_kuserok = -1;
+ options->enable_k5users = -1; + options->enable_k5users = -1;
} }
void void
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options) @@ -331,6 +332,8 @@ fill_default_server_options(ServerOptions *options)
options->show_patchlevel = 0; options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->use_kuserok == -1) if (options->use_kuserok == -1)
options->use_kuserok = 1; options->use_kuserok = 1;
+ if (options->enable_k5users == -1) + if (options->enable_k5users == -1)
+ options->enable_k5users = 0; + options->enable_k5users = 0;
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
@@ -356,7 +359,7 @@ typedef enum { use_privsep = PRIVSEP_NOSANDBOX;
@@ -371,7 +374,7 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveCountMax, sAuthorizedKeysFile,
@ -49,7 +49,7 @@ index d482e79..ad5869b 100644
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -430,6 +433,7 @@ static struct { @@ -447,6 +450,7 @@ static struct {
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@ -57,7 +57,7 @@ index d482e79..ad5869b 100644
#else #else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
@@ -437,6 +441,7 @@ static struct { @@ -454,6 +458,7 @@ static struct {
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
@ -65,7 +65,7 @@ index d482e79..ad5869b 100644
#endif #endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1536,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line, @@ -1566,6 +1571,10 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->use_kuserok; intptr = &options->use_kuserok;
goto parse_flag; goto parse_flag;
@ -76,7 +76,7 @@ index d482e79..ad5869b 100644
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -1824,6 +1833,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) @@ -1884,6 +1893,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(use_kuserok); M_CP_INTOPT(use_kuserok);
@ -84,19 +84,19 @@ index d482e79..ad5869b 100644
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
@@ -2076,6 +2086,7 @@ dump_config(ServerOptions *o) @@ -2143,6 +2153,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users); + dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h diff --git a/servconf.h b/servconf.h
index 5117dfa..d63cb71 100644 index cf2a505..070a8ed 100644
--- a/servconf.h --- a/servconf.h
+++ b/servconf.h +++ b/servconf.h
@@ -173,7 +173,8 @@ typedef struct { @@ -175,7 +175,8 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -107,7 +107,7 @@ index 5117dfa..d63cb71 100644
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index 43671f6..6ab00ed 100644 index 0d9454d..e731de1 100644
--- a/sshd_config --- a/sshd_config
+++ b/sshd_config +++ b/sshd_config
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes @@ -94,6 +94,7 @@ GSSAPIAuthentication yes
@ -119,10 +119,10 @@ index 43671f6..6ab00ed 100644
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5 diff --git a/sshd_config.5 b/sshd_config.5
index e0e5fff..aa9525d 100644 index eb4dd9e..ce1229b 100644
--- a/sshd_config.5 --- a/sshd_config.5
+++ b/sshd_config.5 +++ b/sshd_config.5
@@ -505,6 +505,12 @@ on logout. @@ -548,6 +548,12 @@ on logout.
The default is The default is
.Dq yes . .Dq yes .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.


@ -1,5 +1,5 @@
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index 4ab6717..581b121 100644 index b225217..bbc3034 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign @@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@ -10,16 +10,16 @@ index 4ab6717..581b121 100644
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ @@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@ MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ LIBOPENSSH_OBJS=\
canohost.o channels.o cipher.o cipher-aes.o \ ssherr.o \
@@ -180,6 +181,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o @@ -190,6 +191,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
@ -29,7 +29,7 @@ index 4ab6717..581b121 100644
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -288,6 +292,7 @@ install-files: @@ -310,6 +314,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)


@ -1,8 +1,8 @@
diff --git a/entropy.c b/entropy.c diff --git a/entropy.c b/entropy.c
index 2d483b3..b361a04 100644 index 1e9d52a..d24e724 100644
--- a/entropy.c --- a/entropy.c
+++ b/entropy.c +++ b/entropy.c
@@ -234,6 +234,9 @@ seed_rng(void) @@ -227,6 +227,9 @@ seed_rng(void)
memset(buf, '\0', sizeof(buf)); memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */ #endif /* OPENSSL_PRNG_ONLY */
@ -13,12 +13,12 @@ index 2d483b3..b361a04 100644
fatal("PRNG is not seeded"); fatal("PRNG is not seeded");
} }
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index b912dbe..9206337 100644 index 843225d..041bbab 100644
--- a/openbsd-compat/Makefile.in --- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
@ -27,7 +27,7 @@ index b912dbe..9206337 100644
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
new file mode 100644 new file mode 100644
index 0000000..92a617c index 0000000..da84bf2
--- /dev/null --- /dev/null
+++ b/openbsd-compat/port-linux-prng.c +++ b/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,59 @@ @@ -0,0 +1,59 @@
@ -63,6 +63,7 @@ index 0000000..92a617c
+ +
+#include "log.h" +#include "log.h"
+#include "xmalloc.h" +#include "xmalloc.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h" +#include "servconf.h"
+#include "port-linux.h" +#include "port-linux.h"
+#include "key.h" +#include "key.h"
@ -72,10 +73,9 @@ index 0000000..92a617c
+void +void
+linux_seed(void) +linux_seed(void)
+{ +{
+ int len;
+ char *env = getenv("SSH_USE_STRONG_RNG"); + char *env = getenv("SSH_USE_STRONG_RNG");
+ char *random = "/dev/random"; + char *random = "/dev/random";
+ size_t ienv, randlen = 14; + size_t len, ienv, randlen = 14;
+ +
+ if (!env || !strcmp(env, "0")) + if (!env || !strcmp(env, "0"))
+ random = "/dev/urandom"; + random = "/dev/urandom";
@ -91,7 +91,7 @@ index 0000000..92a617c
+ } + }
+} +}
diff --git a/ssh-add.0 b/ssh-add.0 diff --git a/ssh-add.0 b/ssh-add.0
index ba43fee..0b2629a 100644 index f16165a..17d22cf 100644
--- a/ssh-add.0 --- a/ssh-add.0
+++ b/ssh-add.0 +++ b/ssh-add.0
@@ -82,6 +82,16 @@ ENVIRONMENT @@ -82,6 +82,16 @@ ENVIRONMENT
@ -112,10 +112,10 @@ index ba43fee..0b2629a 100644
~/.ssh/identity ~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of Contains the protocol version 1 RSA authentication identity of
diff --git a/ssh-add.1 b/ssh-add.1 diff --git a/ssh-add.1 b/ssh-add.1
index 4812448..16305bf 100644 index 04d1840..db883a4 100644
--- a/ssh-add.1 --- a/ssh-add.1
+++ b/ssh-add.1 +++ b/ssh-add.1
@@ -161,6 +161,20 @@ to make this work.) @@ -170,6 +170,20 @@ to make this work.)
Identifies the path of a Identifies the path of a
.Ux Ns -domain .Ux Ns -domain
socket used to communicate with the agent. socket used to communicate with the agent.
@ -137,10 +137,10 @@ index 4812448..16305bf 100644
.Sh FILES .Sh FILES
.Bl -tag -width Ds .Bl -tag -width Ds
diff --git a/ssh-agent.1 b/ssh-agent.1 diff --git a/ssh-agent.1 b/ssh-agent.1
index 281ecbd..1a9a635 100644 index d7e791b..7332f0d 100644
--- a/ssh-agent.1 --- a/ssh-agent.1
+++ b/ssh-agent.1 +++ b/ssh-agent.1
@@ -201,6 +201,24 @@ sockets used to contain the connection to the authentication agent. @@ -189,6 +189,24 @@ sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner. These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits. The sockets should get automatically removed when the agent exits.
.El .El
@ -166,10 +166,10 @@ index 281ecbd..1a9a635 100644
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-add 1 , .Xr ssh-add 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1 diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 12e00d4..1b51a4a 100644 index 276dacc..a09d9b1 100644
--- a/ssh-keygen.1 --- a/ssh-keygen.1
+++ b/ssh-keygen.1 +++ b/ssh-keygen.1
@@ -832,6 +832,24 @@ Contains Diffie-Hellman groups used for DH-GEX. @@ -841,6 +841,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in The file format is described in
.Xr moduli 5 . .Xr moduli 5 .
.El .El
@ -224,10 +224,10 @@ index 69d0829..02d79f8 100644
.Xr ssh 1 , .Xr ssh 1 ,
.Xr ssh-keygen 1 , .Xr ssh-keygen 1 ,
diff --git a/ssh.1 b/ssh.1 diff --git a/ssh.1 b/ssh.1
index 929904b..f65e42f 100644 index 4a476c2..410a04a 100644
--- a/ssh.1 --- a/ssh.1
+++ b/ssh.1 +++ b/ssh.1
@@ -1309,6 +1309,23 @@ For more information, see the @@ -1299,6 +1299,23 @@ For more information, see the
.Cm PermitUserEnvironment .Cm PermitUserEnvironment
option in option in
.Xr sshd_config 5 . .Xr sshd_config 5 .
@ -252,10 +252,10 @@ index 929904b..f65e42f 100644
.Bl -tag -width Ds -compact .Bl -tag -width Ds -compact
.It Pa ~/.rhosts .It Pa ~/.rhosts
diff --git a/sshd.8 b/sshd.8 diff --git a/sshd.8 b/sshd.8
index c2c237f..058d37a 100644 index cb866b5..adcaaf9 100644
--- a/sshd.8 --- a/sshd.8
+++ b/sshd.8 +++ b/sshd.8
@@ -951,6 +951,24 @@ concurrently for different ports, this contains the process ID of the one @@ -945,6 +945,24 @@ concurrently for different ports, this contains the process ID of the one
started last). started last).
The content of this file is not sensitive; it can be world-readable. The content of this file is not sensitive; it can be world-readable.
.El .El
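Review bot: In the linux_seed hunk of the new port-linux-prng.c the rebase changes `len` from `int` to `size_t` (`+ size_t len, ienv, randlen = 14;`), but every line that assigns or tests `len` lies outside the visible part of the hunk, and the rest of linux_seed's body is likewise not shown. If `len` receives a value that reports failure as -1 (a `read()`-style return), the unsigned type turns that into a huge count and any `len < 0` check becomes dead code; if it only ever holds `strlen()` results the change is correct — please confirm against the hidden lines. Separately, `char *random = "/dev/random";` points a writable pointer at a string literal; `const char *random = "/dev/random";` states that the buffer is never written through and lets the compiler reject an accidental write.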


@ -1,415 +0,0 @@
diff --git a/auth.c b/auth.c
index 9a36f1d..420a85b 100644
--- a/auth.c
+++ b/auth.c
@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
case 1:
revoked:
/* Key revoked */
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
error("WARNING: authentication attempt with a revoked "
- "%s key %s ", key_type(key), key_fp);
+ "%s key %s%s ", key_type(key),
+ key_fingerprint_prefix(), key_fp);
free(key_fp);
return 1;
}
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 488008f..eca0069 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -206,16 +206,18 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
if (host_status == HOST_OK) {
if (key_is_cert(key)) {
- fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(key->cert->signature_key,
+ SSH_FP_HEX);
verbose("Accepted certificate ID \"%s\" signed by "
- "%s CA %s from %s@%s", key->cert->key_id,
- key_type(key->cert->signature_key), fp,
+ "%s CA %s%s from %s@%s", key->cert->key_id,
+ key_type(key->cert->signature_key),
+ key_fingerprint_prefix(), fp,
cuser, lookup);
} else {
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- verbose("Accepted %s public key %s from %s@%s",
- key_type(key), fp, cuser, lookup);
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ verbose("Accepted %s public key %s%s from %s@%s",
+ key_type(key), key_fingerprint_prefix(),
+ fp, cuser, lookup);
}
free(fp);
}
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 0fd27bb..749b11a 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -365,10 +365,10 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
continue;
if (!key_is_cert_authority)
continue;
- fp = key_fingerprint(found, SSH_FP_MD5,
- SSH_FP_HEX);
- debug("matching CA found: file %s, line %lu, %s %s",
- file, linenum, key_type(found), fp);
+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
+ debug("matching CA found: file %s, line %lu, %s %s%s",
+ file, linenum, key_type(found),
+ key_fingerprint_prefix(), fp);
/*
* If the user has specified a list of principals as
* a key option, then prefer that list to matching
@@ -406,9 +406,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
if (key_is_cert_authority)
continue;
found_key = 1;
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
- debug("matching key found: file %s, line %lu %s %s",
- file, linenum, key_type(found), fp);
+ fp = key_selected_fingerprint(found, SSH_FP_HEX);
+ verbose("Found matching %s key: %s%s",
+ key_type(found), key_fingerprint_prefix(), fp);
free(fp);
break;
}
@@ -431,13 +431,13 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0;
- ca_fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
if (key_in_file(key->cert->signature_key,
options.trusted_user_ca_keys, 1) != 1) {
- debug2("%s: CA %s %s is not listed in %s", __func__,
- key_type(key->cert->signature_key), ca_fp,
+ debug2("%s: CA %s%s %s is not listed in %s", __func__,
+ key_type(key->cert->signature_key),
+ key_fingerprint_prefix(), ca_fp,
options.trusted_user_ca_keys);
goto out;
}
diff --git a/key.c b/key.c
index 168e1b7..eb98ea8 100644
--- a/key.c
+++ b/key.c
@@ -628,6 +628,34 @@ key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
return retval;
}
+enum fp_type
+key_fingerprint_selection(void)
+{
+ static enum fp_type rv;
+ static char rv_defined = 0;
+ char *env;
+
+ if (!rv_defined) {
+ env = getenv("SSH_FINGERPRINT_TYPE");
+ rv = (env && !strcmp (env, "sha")) ?
+ SSH_FP_SHA1 : SSH_FP_MD5;
+ rv_defined = 1;
+ }
+ return rv;
+}
+
+char *
+key_selected_fingerprint(Key *k, enum fp_rep dgst_rep)
+{
+ return key_fingerprint(k, key_fingerprint_selection(), dgst_rep);
+}
+
+char *
+key_fingerprint_prefix(void)
+{
+ return key_fingerprint_selection() == SSH_FP_SHA1 ? "sha1:" : "";
+}
+
/*
* Reads a multiple-precision integer in decimal from the buffer, and advances
* the pointer. The integer must already be initialized. This function is
diff --git a/key.h b/key.h
index d8ad13d..0e3eea5 100644
--- a/key.h
+++ b/key.h
@@ -104,6 +104,9 @@ int key_equal_public(const Key *, const Key *);
int key_equal(const Key *, const Key *);
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
+enum fp_type key_fingerprint_selection(void);
+char *key_selected_fingerprint(Key *, enum fp_rep);
+char *key_fingerprint_prefix(void);
const char *key_type(const Key *);
const char *key_cert_type(const Key *);
int key_write(const Key *, FILE *);
diff --git a/ssh-add.c b/ssh-add.c
index 3421452..691949f 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -330,10 +330,10 @@ list_identities(AuthenticationConnection *ac, int do_fp)
key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1;
if (do_fp) {
- fp = key_fingerprint(key, SSH_FP_MD5,
- SSH_FP_HEX);
- printf("%d %s %s (%s)\n",
- key_size(key), fp, comment, key_type(key));
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ printf("%d %s%s %s (%s)\n",
+ key_size(key), key_fingerprint_prefix(),
+ fp, comment, key_type(key));
free(fp);
} else {
if (!key_write(key, stdout))
diff --git a/ssh-agent.c b/ssh-agent.c
index ba24612..117fdde 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -198,9 +198,9 @@ confirm_key(Identity *id)
char *p;
int ret = -1;
- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
- id->comment, p))
+ p = key_selected_fingerprint(id->key, SSH_FP_HEX);
+ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
+ id->comment, key_fingerprint_prefix(), p))
ret = 0;
free(p);
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 2a316bc..482dc1c 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -783,13 +783,14 @@ do_fingerprint(struct passwd *pw)
{
FILE *f;
Key *public;
- char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
+ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx;
int i, skip = 0, num = 0, invalid = 1;
enum fp_rep rep;
enum fp_type fptype;
struct stat st;
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity)
@@ -801,8 +802,8 @@ do_fingerprint(struct passwd *pw)
public = key_load_public(identity_file, &comment);
if (public != NULL) {
fp = key_fingerprint(public, fptype, rep);
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
- printf("%u %s %s (%s)\n", key_size(public), fp, comment,
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment,
key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
@@ -867,8 +868,8 @@ do_fingerprint(struct passwd *pw)
}
comment = *cp ? cp : comment;
fp = key_fingerprint(public, fptype, rep);
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
- printf("%u %s %s (%s)\n", key_size(public), fp,
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp,
comment ? comment : "no comment", key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
@@ -986,13 +987,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
if (print_fingerprint) {
enum fp_rep rep;
enum fp_type fptype;
- char *fp, *ra;
+ char *fp, *ra, *pfx;
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
+ pfx = print_bubblebabble ? "" : key_fingerprint_prefix();
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+
fp = key_fingerprint(public, fptype, rep);
- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
- printf("%u %s %s (%s)\n", key_size(public), fp, name,
+ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
+ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name,
key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
@@ -1878,16 +1881,17 @@ do_show_cert(struct passwd *pw)
fatal("%s is not a certificate", identity_file);
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- ca_fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
printf("%s:\n", identity_file);
printf(" Type: %s %s certificate\n", key_ssh_name(key),
key_cert_type(key));
- printf(" Public key: %s %s\n", key_type(key), key_fp);
- printf(" Signing CA: %s %s\n",
- key_type(key->cert->signature_key), ca_fp);
+ printf(" Public key: %s %s%s\n", key_type(key),
+ key_fingerprint_prefix(), key_fp);
+ printf(" Signing CA: %s %s%s\n",
+ key_type(key->cert->signature_key),
+ key_fingerprint_prefix(), ca_fp);
printf(" Key ID: \"%s\"\n", key->cert->key_id);
if (!v00) {
printf(" Serial: %llu\n",
@@ -2686,13 +2690,12 @@ passphrase_again:
fclose(f);
if (!quiet) {
- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
- char *ra = key_fingerprint(public, SSH_FP_MD5,
- SSH_FP_RANDOMART);
+ char *fp = key_selected_fingerprint(public, SSH_FP_HEX);
+ char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART);
printf("Your public key has been saved in %s.\n",
identity_file);
printf("The key fingerprint is:\n");
- printf("%s %s\n", fp, comment);
+ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
printf("The key's randomart image is:\n");
printf("%s\n", ra);
free(ra);
diff --git a/sshconnect.c b/sshconnect.c
index 573d7a8..394cca8 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -914,10 +914,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
"key for IP address '%.128s' to the list "
"of known hosts.", type, ip);
} else if (options.visual_host_key) {
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(host_key, SSH_FP_MD5,
- SSH_FP_RANDOMART);
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
+ logit("Host key fingerprint is %s%s\n%s\n",
+ key_fingerprint_prefix(), fp, ra);
free(ra);
free(fp);
}
@@ -955,9 +955,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(host_key, SSH_FP_MD5,
- SSH_FP_RANDOMART);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
if (matching_host_key_dns)
@@ -972,10 +971,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
- "%s key fingerprint is %s.%s%s\n%s"
+ "%s key fingerprint is %s%s.%s%s\n%s"
"Are you sure you want to continue connecting "
"(yes/no)? ",
- host, ip, msg1, type, fp,
+ host, ip, msg1, type,
+ key_fingerprint_prefix(), fp,
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
@@ -1220,8 +1220,9 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
int flags = 0;
char *fp;
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- debug("Server host key: %s %s", key_type(host_key), fp);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ debug("Server host key: %s %s%s", key_type(host_key),
+ key_fingerprint_prefix(), fp);
free(fp);
/* XXX certs are not yet supported for DNS */
@@ -1327,14 +1328,15 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
continue;
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue;
- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
logit("WARNING: %s key found for host %s\n"
"in %s:%lu\n"
- "%s key fingerprint %s.",
+ "%s key fingerprint %s%s.",
key_type(found->key),
found->host, found->file, found->line,
- key_type(found->key), fp);
+ key_type(found->key),
+ key_fingerprint_prefix(), fp);
if (options.visual_host_key)
logit("%s", ra);
free(ra);
@@ -1349,7 +1351,7 @@ warn_changed_key(Key *host_key)
{
char *fp;
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1357,8 +1359,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
- key_type(host_key), fp);
+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
+ key_type(host_key),key_fingerprint_prefix(), fp);
error("Please contact your system administrator.");
free(fp);
diff --git a/sshconnect2.c b/sshconnect2.c
index 7f4ff41..adbbfc7 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -577,8 +577,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
key->type, pktype);
goto done;
}
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- debug2("input_userauth_pk_ok: fp %s", fp);
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ debug2("input_userauth_pk_ok: fp %s%s",
+ key_fingerprint_prefix(), fp);
free(fp);
/*
@@ -986,8 +987,9 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
int have_sig = 1;
char *fp;
- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
+ key_fingerprint_prefix(), fp);
free(fp);
if (key_to_blob(id->key, &blob, &bloblen) == 0) {


@ -1,5 +1,5 @@
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 42de994..60de320 100644 index 413b845..54dd383 100644
--- a/gss-serv-krb5.c --- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c +++ b/gss-serv-krb5.c
@@ -32,7 +32,9 @@ @@ -32,7 +32,9 @@
@ -12,12 +12,7 @@ index 42de994..60de320 100644
#include "xmalloc.h" #include "xmalloc.h"
#include "key.h" #include "key.h"
@@ -40,10 +42,12 @@ @@ -45,6 +47,7 @@
#include "auth.h"
#include "log.h"
#include "servconf.h"
+#include "misc.h"
#include "buffer.h" #include "buffer.h"
#include "ssh-gss.h" #include "ssh-gss.h"
@ -25,7 +20,7 @@ index 42de994..60de320 100644
extern ServerOptions options; extern ServerOptions options;
#ifdef HEIMDAL #ifdef HEIMDAL
@@ -55,6 +59,13 @@ extern ServerOptions options; @@ -56,6 +59,13 @@ extern ServerOptions options;
# include <gssapi/gssapi_krb5.h> # include <gssapi/gssapi_krb5.h>
#endif #endif
@ -39,7 +34,7 @@ index 42de994..60de320 100644
static krb5_context krb_context = NULL; static krb5_context krb_context = NULL;
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */ /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) @@ -88,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
krb5_principal princ; krb5_principal princ;
int retval; int retval;
const char *errmsg; const char *errmsg;
@ -47,7 +42,7 @@ index 42de994..60de320 100644
if (ssh_gssapi_krb5_init() == 0) if (ssh_gssapi_krb5_init() == 0)
return 0; return 0;
@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) @@ -99,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
krb5_free_error_message(krb_context, errmsg); krb5_free_error_message(krb_context, errmsg);
return 0; return 0;
} }
@ -71,7 +66,7 @@ index 42de994..60de320 100644
} else } else
retval = 0; retval = 0;
@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) @@ -110,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
return retval; return retval;
} }
@ -208,10 +203,10 @@ index 42de994..60de320 100644
/* This writes out any forwarded credentials from the structure populated /* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */ * during userauth. Called after we have setuid to the user */
diff --git a/session.c b/session.c diff --git a/session.c b/session.c
index b5dc144..ba4589b 100644 index 28659ec..9c94d8e 100644
--- a/session.c --- a/session.c
+++ b/session.c +++ b/session.c
@@ -806,6 +806,29 @@ do_exec(Session *s, const char *command) @@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
command = forced_command; command = forced_command;
forced = "(key-option)"; forced = "(key-option)";
} }
@ -257,10 +252,10 @@ index 0374c88..509109a 100644
/* draft-ietf-secsh-gsskeyex-06 */ /* draft-ietf-secsh-gsskeyex-06 */
diff --git a/sshd.8 b/sshd.8 diff --git a/sshd.8 b/sshd.8
index 058d37a..5c4f15b 100644 index adcaaf9..824163b 100644
--- a/sshd.8 --- a/sshd.8
+++ b/sshd.8 +++ b/sshd.8
@@ -327,6 +327,7 @@ Finally, the server and the client enter an authentication dialog. @@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog.
The client tries to authenticate itself using The client tries to authenticate itself using
host-based authentication, host-based authentication,
public key authentication, public key authentication,
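Review bot: The rebased gss-serv-krb5.c hunk places the new `#include "misc.h"` after `#include "servconf.h"`, while the kexgsss.c part of the same series documents the dependency the other way round (`/* servconf.h needs misc.h for struct ForwardOptions */`). If the include was added here for that reason it is ordered too late to satisfy it; if it is only needed for a symbol used in the new userok code, that is not stated anywhere and the next rebase is likely to "fix" the order. I would move it to `#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */` directly before `#include "servconf.h"`, matching kexgsss.c. Only fragments of the ssh_gssapi_krb5_userok hunks are visible in this view, so confirm against the full patch which symbols from misc.h are actually used.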


@ -1,8 +1,8 @@
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index 581b121..2ad26ff 100644 index bbc3034..c9891e0 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ @@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@ -10,7 +10,7 @@ index 581b121..2ad26ff 100644
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \ ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
@@ -96,7 +97,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ @@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
kexc25519s.o auth-krb5.o \ kexc25519s.o auth-krb5.o \
@ -20,10 +20,10 @@ index 581b121..2ad26ff 100644
sftp-server.o sftp-common.o \ sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \ roaming_common.o roaming_serv.o \
diff --git a/auth2-gss.c b/auth2-gss.c diff --git a/auth2-gss.c b/auth2-gss.c
index 4756dd7..ad65059 100644 index 4803e7e..222e3e0 100644
--- a/auth2-gss.c --- a/auth2-gss.c
+++ b/auth2-gss.c +++ b/auth2-gss.c
@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); @@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_errtok(int, u_int32_t, void *); static void input_gssapi_errtok(int, u_int32_t, void *);
@ -64,7 +64,7 @@ index 4756dd7..ad65059 100644
/* /*
* We only support those mechanisms that we know about (ie ones that we know * We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like) * how to check local user kuserok and the like)
@@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) @@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
packet_check_eom(); packet_check_eom();
@ -74,7 +74,7 @@ index 4756dd7..ad65059 100644
authctxt->postponed = 0; authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -277,7 +312,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) @@ -278,7 +313,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
gssbuf.length = buffer_len(&b); gssbuf.length = buffer_len(&b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@ -84,7 +84,7 @@ index 4756dd7..ad65059 100644
else else
logit("GSSAPI MIC check failed"); logit("GSSAPI MIC check failed");
@@ -294,6 +330,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) @@ -295,6 +331,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
} }
@ -98,10 +98,10 @@ index 4756dd7..ad65059 100644
"gssapi-with-mic", "gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
diff --git a/auth2.c b/auth2.c diff --git a/auth2.c b/auth2.c
index 5f4f26f..0f52b68 100644 index d6fbc93..124d02b 100644
--- a/auth2.c --- a/auth2.c
+++ b/auth2.c +++ b/auth2.c
@@ -69,6 +69,7 @@ extern Authmethod method_passwd; @@ -70,6 +70,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint; extern Authmethod method_kbdint;
extern Authmethod method_hostbased; extern Authmethod method_hostbased;
#ifdef GSSAPI #ifdef GSSAPI
@ -109,7 +109,7 @@ index 5f4f26f..0f52b68 100644
extern Authmethod method_gssapi; extern Authmethod method_gssapi;
#endif #endif
@@ -76,6 +77,7 @@ Authmethod *authmethods[] = { @@ -77,6 +78,7 @@ Authmethod *authmethods[] = {
&method_none, &method_none,
&method_pubkey, &method_pubkey,
#ifdef GSSAPI #ifdef GSSAPI
@ -118,7 +118,7 @@ index 5f4f26f..0f52b68 100644
#endif #endif
&method_passwd, &method_passwd,
diff --git a/clientloop.c b/clientloop.c diff --git a/clientloop.c b/clientloop.c
index 59ad3a2..9c60108 100644 index 397c965..20ce0b5 100644
--- a/clientloop.c --- a/clientloop.c
+++ b/clientloop.c +++ b/clientloop.c
@@ -111,6 +111,10 @@ @@ -111,6 +111,10 @@
@ -132,7 +132,7 @@ index 59ad3a2..9c60108 100644
/* import options */ /* import options */
extern Options options; extern Options options;
@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) @@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
/* Do channel operations unless rekeying in progress. */ /* Do channel operations unless rekeying in progress. */
if (!rekeying) { if (!rekeying) {
channel_after_select(readset, writeset); channel_after_select(readset, writeset);
@ -149,7 +149,7 @@ index 59ad3a2..9c60108 100644
debug("need rekeying"); debug("need rekeying");
xxx_kex->done = 0; xxx_kex->done = 0;
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index 74e77db..9bde04e 100644 index 8dedb95..2c4adac 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@ -526,10 +526,10 @@ index b39281b..a3a2289 100644
+ +
#endif /* GSSAPI */ #endif /* GSSAPI */
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 759fa10..42de994 100644 index 795992d..413b845 100644
--- a/gss-serv-krb5.c --- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c +++ b/gss-serv-krb5.c
@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) @@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
krb5_error_code problem; krb5_error_code problem;
krb5_principal princ; krb5_principal princ;
OM_uint32 maj_status, min_status; OM_uint32 maj_status, min_status;
@ -538,7 +538,7 @@ index 759fa10..42de994 100644
const char *errmsg; const char *errmsg;
if (client->creds == NULL) { if (client->creds == NULL) {
@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) @@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
return; return;
} }
@ -569,7 +569,7 @@ index 759fa10..42de994 100644
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) if (options.use_pam)
@@ -193,9 +208,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) @@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
krb5_cc_close(krb_context, ccache); krb5_cc_close(krb_context, ccache);
@ -646,7 +646,7 @@ index 759fa10..42de994 100644
ssh_gssapi_mech gssapi_kerberos_mech = { ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==", "toWM5Slw5Ew8Mqkay+al2g==",
"Kerberos", "Kerberos",
@@ -203,7 +285,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { @@ -204,7 +286,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
NULL, NULL,
&ssh_gssapi_krb5_userok, &ssh_gssapi_krb5_userok,
NULL, NULL,
@ -657,7 +657,7 @@ index 759fa10..42de994 100644
#endif /* KRB5 */ #endif /* KRB5 */
diff --git a/gss-serv.c b/gss-serv.c diff --git a/gss-serv.c b/gss-serv.c
index e61b37b..14f540e 100644 index 5c59924..2289e8e 100644
--- a/gss-serv.c --- a/gss-serv.c
+++ b/gss-serv.c +++ b/gss-serv.c
@@ -45,15 +45,20 @@ @@ -45,15 +45,20 @@
@ -684,7 +684,7 @@ index e61b37b..14f540e 100644
#ifdef KRB5 #ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech; extern ssh_gssapi_mech gssapi_kerberos_mech;
@@ -100,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) @@ -100,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
char lname[MAXHOSTNAMELEN]; char lname[NI_MAXHOST];
gss_OID_set oidset; gss_OID_set oidset;
- gss_create_empty_oid_set(&status, &oidset); - gss_create_empty_oid_set(&status, &oidset);
@ -693,40 +693,40 @@ index e61b37b..14f540e 100644
+ gss_create_empty_oid_set(&status, &oidset); + gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset); + gss_add_oid_set_member(&status, ctx->oid, &oidset);
- if (gethostname(lname, MAXHOSTNAMELEN)) { - if (gethostname(lname, sizeof(lname))) {
- gss_release_oid_set(&status, &oidset); - gss_release_oid_set(&status, &oidset);
- return (-1); - return (-1);
- } - }
+ if (gethostname(lname, MAXHOSTNAMELEN)) { + if (gethostname(lname, sizeof(lname))) {
+ gss_release_oid_set(&status, &oidset); + gss_release_oid_set(&status, &oidset);
+ return (-1); + return (-1);
+ } + }
+ +
+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { + if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+ gss_release_oid_set(&status, &oidset); + gss_release_oid_set(&status, &oidset);
+ return (ctx->major); + return (ctx->major);
+ } + }
+ +
+ if ((ctx->major = gss_acquire_cred(&ctx->minor, + if ((ctx->major = gss_acquire_cred(&ctx->minor,
+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, + ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+ NULL, NULL)))
+ ssh_gssapi_error(ctx); + ssh_gssapi_error(ctx);
- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { - if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset); gss_release_oid_set(&status, &oidset);
return (ctx->major); return (ctx->major);
+ } else { - }
+ ctx->name = GSS_C_NO_NAME;
+ ctx->creds = GSS_C_NO_CREDENTIAL;
}
- -
- if ((ctx->major = gss_acquire_cred(&ctx->minor, - if ((ctx->major = gss_acquire_cred(&ctx->minor,
- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) - ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
- ssh_gssapi_error(ctx); - ssh_gssapi_error(ctx);
- + } else {
+ ctx->name = GSS_C_NO_NAME;
+ ctx->creds = GSS_C_NO_CREDENTIAL;
+ return GSS_S_COMPLETE;
+ }
- gss_release_oid_set(&status, &oidset); - gss_release_oid_set(&status, &oidset);
- return (ctx->major); - return (ctx->major);
+ return GSS_S_COMPLETE;
} }
/* Privileged */ /* Privileged */
@ -796,8 +796,7 @@ index e61b37b..14f540e 100644
+ +
+ ctx->major = gss_compare_name(&ctx->minor, client->name, + ctx->major = gss_compare_name(&ctx->minor, client->name,
+ new_name, &equal); + new_name, &equal);
+
- gss_buffer_desc ename;
+ if (GSS_ERROR(ctx->major)) { + if (GSS_ERROR(ctx->major)) {
+ ssh_gssapi_error(ctx); + ssh_gssapi_error(ctx);
+ return (ctx->major); + return (ctx->major);
@ -809,7 +808,8 @@ index e61b37b..14f540e 100644
+ } + }
+ +
+ debug("Marking rekeyed credentials for export"); + debug("Marking rekeyed credentials for export");
+
- gss_buffer_desc ename;
+ gss_release_name(&ctx->minor, &client->name); + gss_release_name(&ctx->minor, &client->name);
+ gss_release_cred(&ctx->minor, &client->creds); + gss_release_cred(&ctx->minor, &client->creds);
+ client->name = new_name; + client->name = new_name;
@ -991,10 +991,10 @@ index e61b37b..14f540e 100644
#endif #endif
diff --git a/kex.c b/kex.c diff --git a/kex.c b/kex.c
index 74e2b86..bce2ab8 100644 index a173e70..4563920 100644
--- a/kex.c --- a/kex.c
+++ b/kex.c +++ b/kex.c
@@ -51,6 +51,10 @@ @@ -53,6 +53,10 @@
#include "roaming.h" #include "roaming.h"
#include "digest.h" #include "digest.h"
@ -1005,10 +1005,10 @@ index 74e2b86..bce2ab8 100644
#if OPENSSL_VERSION_NUMBER >= 0x00907000L #if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256) # if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256 # define evp_ssh_sha256 EVP_sha256
@@ -90,6 +94,11 @@ static const struct kexalg kexalgs[] = { @@ -94,6 +98,11 @@ static const struct kexalg kexalgs[] = {
#ifdef HAVE_EVP_SHA256 #ifdef HAVE_EVP_SHA256
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif #endif /* HAVE_EVP_SHA256 */
+#ifdef GSSAPI +#ifdef GSSAPI
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
@ -1017,7 +1017,7 @@ index 74e2b86..bce2ab8 100644
{ NULL, -1, -1, -1}, { NULL, -1, -1, -1},
}; };
@@ -119,6 +128,12 @@ kex_alg_by_name(const char *name) @@ -123,6 +132,12 @@ kex_alg_by_name(const char *name)
for (k = kexalgs; k->name != NULL; k++) { for (k = kexalgs; k->name != NULL; k++) {
if (strcmp(k->name, name) == 0) if (strcmp(k->name, name) == 0)
return k; return k;
@ -1031,7 +1031,7 @@ index 74e2b86..bce2ab8 100644
return NULL; return NULL;
} }
diff --git a/kex.h b/kex.h diff --git a/kex.h b/kex.h
index c85680e..313bb51 100644 index 4c40ec8..1c76c08 100644
--- a/kex.h --- a/kex.h
+++ b/kex.h +++ b/kex.h
@@ -76,6 +76,11 @@ enum kex_exchange { @@ -76,6 +76,11 @@ enum kex_exchange {
@ -1412,10 +1412,10 @@ index 0000000..e90b567
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff --git a/kexgsss.c b/kexgsss.c diff --git a/kexgsss.c b/kexgsss.c
new file mode 100644 new file mode 100644
index 0000000..6d7518c index 0000000..b880998
--- /dev/null --- /dev/null
+++ b/kexgsss.c +++ b/kexgsss.c
@@ -0,0 +1,288 @@ @@ -0,0 +1,289 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ * + *
@ -1460,6 +1460,7 @@ index 0000000..6d7518c
+#include "dh.h" +#include "dh.h"
+#include "ssh-gss.h" +#include "ssh-gss.h"
+#include "monitor_wrap.h" +#include "monitor_wrap.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h" +#include "servconf.h"
+ +
+extern ServerOptions options; +extern ServerOptions options;
@ -1704,35 +1705,11 @@ index 0000000..6d7518c
+ ssh_gssapi_rekey_creds(); + ssh_gssapi_rekey_creds();
+} +}
+#endif /* GSSAPI */ +#endif /* GSSAPI */
diff --git a/key.c b/key.c
index eb98ea8..900b9e3 100644
--- a/key.c
+++ b/key.c
@@ -1013,6 +1013,7 @@ static const struct keytype keytypes[] = {
KEY_DSA_CERT_V00, 0, 1 },
{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
KEY_ED25519_CERT, 0, 1 },
+ { "null", "null", KEY_NULL, 0, 0 },
{ NULL, NULL, -1, -1, 0 }
};
diff --git a/key.h b/key.h
index 0e3eea5..d51ed81 100644
--- a/key.h
+++ b/key.h
@@ -46,6 +46,7 @@ enum types {
KEY_ED25519_CERT,
KEY_RSA_CERT_V00,
KEY_DSA_CERT_V00,
+ KEY_NULL,
KEY_UNSPEC
};
enum fp_type {
diff --git a/monitor.c b/monitor.c diff --git a/monitor.c b/monitor.c
index 229fada..aa70945 100644 index d3f87e1..7ebc76e 100644
--- a/monitor.c --- a/monitor.c
+++ b/monitor.c +++ b/monitor.c
@@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); @@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *);
@ -1741,7 +1718,7 @@ index 229fada..aa70945 100644
#endif #endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@@ -253,11 +255,18 @@ struct mon_table mon_dispatch_proto20[] = { @@ -261,11 +263,18 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@ -1757,10 +1734,10 @@ index 229fada..aa70945 100644
+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, + {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif +#endif
#ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli}, {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
{MONITOR_REQ_SIGN, 0, mm_answer_sign}, #endif
{MONITOR_REQ_PTY, 0, mm_answer_pty}, @@ -380,6 +389,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
@@ -366,6 +375,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
/* Permit requests for moduli and signatures */ /* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@ -1771,7 +1748,7 @@ index 229fada..aa70945 100644
} else { } else {
mon_dispatch = mon_dispatch_proto15; mon_dispatch = mon_dispatch_proto15;
@@ -471,6 +484,10 @@ monitor_child_postauth(struct monitor *pmonitor) @@ -488,6 +501,10 @@ monitor_child_postauth(struct monitor *pmonitor)
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@ -1782,9 +1759,9 @@ index 229fada..aa70945 100644
} else { } else {
mon_dispatch = mon_dispatch_postauth15; mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1866,6 +1883,13 @@ mm_get_kex(Buffer *m) @@ -1893,6 +1910,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
@ -1796,7 +1773,7 @@ index 229fada..aa70945 100644
kex->server = 1; kex->server = 1;
kex->hostkey_type = buffer_get_int(m); kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m); kex->kex_type = buffer_get_int(m);
@@ -2073,6 +2097,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) @@ -2100,6 +2124,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
OM_uint32 major; OM_uint32 major;
u_int len; u_int len;
@ -1806,7 +1783,7 @@ index 229fada..aa70945 100644
goid.elements = buffer_get_string(m, &len); goid.elements = buffer_get_string(m, &len);
goid.length = len; goid.length = len;
@@ -2100,6 +2127,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) @@ -2127,6 +2154,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
OM_uint32 flags = 0; /* GSI needs this */ OM_uint32 flags = 0; /* GSI needs this */
u_int len; u_int len;
@ -1816,7 +1793,7 @@ index 229fada..aa70945 100644
in.value = buffer_get_string(m, &len); in.value = buffer_get_string(m, &len);
in.length = len; in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -2117,6 +2147,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) @@ -2144,6 +2174,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1824,7 +1801,7 @@ index 229fada..aa70945 100644
} }
return (0); return (0);
} }
@@ -2128,6 +2159,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) @@ -2155,6 +2186,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
OM_uint32 ret; OM_uint32 ret;
u_int len; u_int len;
@ -1834,7 +1811,7 @@ index 229fada..aa70945 100644
gssbuf.value = buffer_get_string(m, &len); gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len; gssbuf.length = len;
mic.value = buffer_get_string(m, &len); mic.value = buffer_get_string(m, &len);
@@ -2154,7 +2188,11 @@ mm_answer_gss_userok(int sock, Buffer *m) @@ -2181,7 +2215,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
{ {
int authenticated; int authenticated;
@ -1847,7 +1824,7 @@ index 229fada..aa70945 100644
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, authenticated); buffer_put_int(m, authenticated);
@@ -2167,5 +2205,73 @@ mm_answer_gss_userok(int sock, Buffer *m) @@ -2194,5 +2232,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
} }
@ -1935,10 +1912,10 @@ index 20e2b4a..ff79fbb 100644
MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff --git a/monitor_wrap.c b/monitor_wrap.c diff --git a/monitor_wrap.c b/monitor_wrap.c
index d1b6d99..d1e1caa 100644 index 82f114c..7e991e6 100644
--- a/monitor_wrap.c --- a/monitor_wrap.c
+++ b/monitor_wrap.c +++ b/monitor_wrap.c
@@ -1290,7 +1290,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) @@ -1300,7 +1300,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
} }
int int
@ -1947,7 +1924,7 @@ index d1b6d99..d1e1caa 100644
{ {
Buffer m; Buffer m;
int authenticated = 0; int authenticated = 0;
@@ -1307,5 +1307,50 @@ mm_ssh_gssapi_userok(char *user) @@ -1317,5 +1317,50 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated); return (authenticated);
} }
@ -2015,10 +1992,10 @@ index 9d5e5ba..93929e0 100644
#ifdef USE_PAM #ifdef USE_PAM
diff --git a/readconf.c b/readconf.c diff --git a/readconf.c b/readconf.c
index dc884c9..7613ff2 100644 index 3f5c58b..1c07766 100644
--- a/readconf.c --- a/readconf.c
+++ b/readconf.c +++ b/readconf.c
@@ -141,6 +141,8 @@ typedef enum { @@ -143,6 +143,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds, oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -2027,7 +2004,7 @@ index dc884c9..7613ff2 100644
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist, oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts, oHashKnownHosts,
@@ -183,10 +185,19 @@ static struct { @@ -187,10 +189,19 @@ static struct {
{ "afstokenpassing", oUnsupported }, { "afstokenpassing", oUnsupported },
#if defined(GSSAPI) #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
@ -2047,7 +2024,7 @@ index dc884c9..7613ff2 100644
#endif #endif
{ "fallbacktorsh", oDeprecated }, { "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated }, { "usersh", oDeprecated },
@@ -841,10 +852,30 @@ parse_time: @@ -868,10 +879,30 @@ parse_time:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2078,7 +2055,7 @@ index dc884c9..7613ff2 100644
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
goto parse_flag; goto parse_flag;
@@ -1497,7 +1528,12 @@ initialize_options(Options * options) @@ -1553,7 +1584,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
options->gss_authentication = -1; options->gss_authentication = -1;
@ -2091,7 +2068,7 @@ index dc884c9..7613ff2 100644
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -1616,8 +1652,14 @@ fill_default_options(Options * options) @@ -1677,8 +1713,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1; options->challenge_response_authentication = 1;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2107,10 +2084,10 @@ index dc884c9..7613ff2 100644
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h diff --git a/readconf.h b/readconf.h
index 75e3f8f..5cc97f0 100644 index a028306..1dbe509 100644
--- a/readconf.h --- a/readconf.h
+++ b/readconf.h +++ b/readconf.h
@@ -54,7 +54,12 @@ typedef struct { @@ -45,7 +45,12 @@ typedef struct {
int challenge_response_authentication; int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */ /* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */ int gss_authentication; /* Try GSS authentication */
@ -2150,10 +2127,10 @@ index b093a91..4c8da00 100644
type_has_legacy() { type_has_legacy() {
case $1 in case $1 in
diff --git a/regress/kextype.sh b/regress/kextype.sh diff --git a/regress/kextype.sh b/regress/kextype.sh
index 8c2ac09..a2a87ca 100644 index 6f952f4..bcb609b 100644
--- a/regress/kextype.sh --- a/regress/kextype.sh
+++ b/regress/kextype.sh +++ b/regress/kextype.sh
@@ -9,6 +9,9 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak @@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
tries="1 2 3 4" tries="1 2 3 4"
for k in `${SSH} -Q kex`; do for k in `${SSH} -Q kex`; do
@ -2164,10 +2141,10 @@ index 8c2ac09..a2a87ca 100644
for i in $tries; do for i in $tries; do
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
diff --git a/regress/rekey.sh b/regress/rekey.sh diff --git a/regress/rekey.sh b/regress/rekey.sh
index cf9401e..31fb0f7 100644 index fd452b0..1148197 100644
--- a/regress/rekey.sh --- a/regress/rekey.sh
+++ b/regress/rekey.sh +++ b/regress/rekey.sh
@@ -30,6 +30,9 @@ increase_datafile_size 300 @@ -38,6 +38,9 @@ increase_datafile_size 300
opts="" opts=""
for i in `${SSH} -Q kex`; do for i in `${SSH} -Q kex`; do
@ -2177,7 +2154,7 @@ index cf9401e..31fb0f7 100644
opts="$opts KexAlgorithms=$i" opts="$opts KexAlgorithms=$i"
done done
for i in `${SSH} -Q cipher`; do for i in `${SSH} -Q cipher`; do
@@ -48,6 +51,9 @@ done @@ -56,6 +59,9 @@ done
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
for c in `${SSH} -Q cipher-auth`; do for c in `${SSH} -Q cipher-auth`; do
for kex in `${SSH} -Q kex`; do for kex in `${SSH} -Q kex`; do
@ -2185,13 +2162,13 @@ index cf9401e..31fb0f7 100644
+ continue + continue
+ fi + fi
verbose "client rekey $c $kex" verbose "client rekey $c $kex"
ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
done done
diff --git a/servconf.c b/servconf.c diff --git a/servconf.c b/servconf.c
index f763317..68fb9ef 100644 index c8a3f28..179c20d 100644
--- a/servconf.c --- a/servconf.c
+++ b/servconf.c +++ b/servconf.c
@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options) @@ -110,7 +110,10 @@ initialize_server_options(ServerOptions *options)
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
options->gss_authentication=-1; options->gss_authentication=-1;
@ -2202,7 +2179,7 @@ index f763317..68fb9ef 100644
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->challenge_response_authentication = -1;
@@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options) @@ -253,8 +256,14 @@ fill_default_server_options(ServerOptions *options)
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -2217,7 +2194,7 @@ index f763317..68fb9ef 100644
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -344,7 +353,8 @@ typedef enum { @@ -359,7 +368,8 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveCountMax, sAuthorizedKeysFile,
@ -2227,7 +2204,7 @@ index f763317..68fb9ef 100644
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate, sHostCertificate,
@@ -411,10 +421,20 @@ static struct { @@ -428,10 +438,20 @@ static struct {
#ifdef GSSAPI #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -2248,7 +2225,7 @@ index f763317..68fb9ef 100644
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
@@ -1091,10 +1111,22 @@ process_server_config_line(ServerOptions *options, char *line, @@ -1113,10 +1133,22 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -2271,7 +2248,7 @@ index f763317..68fb9ef 100644
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;
@@ -2005,6 +2037,9 @@ dump_config(ServerOptions *o) @@ -2070,6 +2102,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@ -2282,10 +2259,10 @@ index f763317..68fb9ef 100644
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication, dump_cfg_fmtint(sKbdInteractiveAuthentication,
diff --git a/servconf.h b/servconf.h diff --git a/servconf.h b/servconf.h
index 4572066..37cfa9b 100644 index 21719e2..397698b 100644
--- a/servconf.h --- a/servconf.h
+++ b/servconf.h +++ b/servconf.h
@@ -112,7 +112,10 @@ typedef struct { @@ -113,7 +113,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
@ -2398,7 +2375,7 @@ index a99d7f0..0374c88 100644
#endif /* _SSH_GSS_H */ #endif /* _SSH_GSS_H */
diff --git a/ssh_config b/ssh_config diff --git a/ssh_config b/ssh_config
index 6d1abaf..b0d343b 100644 index 3f83c40..4a0fb82 100644
--- a/ssh_config --- a/ssh_config
+++ b/ssh_config +++ b/ssh_config
@@ -26,6 +26,8 @@ @@ -26,6 +26,8 @@
@ -2411,10 +2388,10 @@ index 6d1abaf..b0d343b 100644
# CheckHostIP yes # CheckHostIP yes
# AddressFamily any # AddressFamily any
diff --git a/ssh_config.5 b/ssh_config.5 diff --git a/ssh_config.5 b/ssh_config.5
index b580392..e7accd6 100644 index f9ede7a..e6649ac 100644
--- a/ssh_config.5 --- a/ssh_config.5
+++ b/ssh_config.5 +++ b/ssh_config.5
@@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed. @@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
@ -2460,11 +2437,11 @@ index b580392..e7accd6 100644
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c diff --git a/sshconnect2.c b/sshconnect2.c
index adbbfc7..cadf234 100644 index 4724b66..703f8e4 100644
--- a/sshconnect2.c --- a/sshconnect2.c
+++ b/sshconnect2.c +++ b/sshconnect2.c
@@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) @@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
{ char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
Kex *kex; Kex *kex;
+#ifdef GSSAPI +#ifdef GSSAPI
@ -2498,9 +2475,9 @@ index adbbfc7..cadf234 100644
if (options.ciphers == (char *)-1) { if (options.ciphers == (char *)-1) {
logit("No valid ciphers for protocol version 2 given, using defaults."); logit("No valid ciphers for protocol version 2 given, using defaults.");
options.ciphers = NULL; options.ciphers = NULL;
@@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) @@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; myproposal[PROPOSAL_KEX_ALGS]);
+#ifdef GSSAPI +#ifdef GSSAPI
+ /* If we've got GSSAPI algorithms, then we also support the + /* If we've got GSSAPI algorithms, then we also support the
@ -2516,9 +2493,9 @@ index adbbfc7..cadf234 100644
if (options.rekey_limit || options.rekey_interval) if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit, packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval); (time_t)options.rekey_interval);
@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) @@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
kex->kex[KEX_ECDH_SHA2] = kexecdh_client; kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_client; kex->kex[KEX_C25519_SHA256] = kexc25519_client;
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
@ -2547,7 +2524,7 @@ index adbbfc7..cadf234 100644
xxx_kex = kex; xxx_kex = kex;
dispatch_run(DISPATCH_BLOCK, &kex->done, kex); dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
@@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *); @@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
void input_gssapi_hash(int type, u_int32_t, void *); void input_gssapi_hash(int type, u_int32_t, void *);
void input_gssapi_error(int, u_int32_t, void *); void input_gssapi_error(int, u_int32_t, void *);
void input_gssapi_errtok(int, u_int32_t, void *); void input_gssapi_errtok(int, u_int32_t, void *);
@ -2555,7 +2532,7 @@ index adbbfc7..cadf234 100644
#endif #endif
void userauth(Authctxt *, char *); void userauth(Authctxt *, char *);
@@ -316,6 +373,11 @@ static char *authmethods_get(void); @@ -321,6 +378,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = { Authmethod authmethods[] = {
#ifdef GSSAPI #ifdef GSSAPI
@ -2567,7 +2544,7 @@ index adbbfc7..cadf234 100644
{"gssapi-with-mic", {"gssapi-with-mic",
userauth_gssapi, userauth_gssapi,
NULL, NULL,
@@ -613,19 +675,31 @@ userauth_gssapi(Authctxt *authctxt) @@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0; static u_int mech = 0;
OM_uint32 min; OM_uint32 min;
int ok = 0; int ok = 0;
@ -2601,7 +2578,7 @@ index adbbfc7..cadf234 100644
ok = 1; /* Mechanism works */ ok = 1; /* Mechanism works */
} else { } else {
mech++; mech++;
@@ -722,8 +796,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) @@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
{ {
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
@ -2612,7 +2589,7 @@ index adbbfc7..cadf234 100644
if (authctxt == NULL) if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context"); fatal("input_gssapi_response: no authentication context");
@@ -832,6 +906,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) @@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
free(msg); free(msg);
free(lang); free(lang);
} }
@ -2662,21 +2639,10 @@ index adbbfc7..cadf234 100644
int int
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index 24ab272..e4e406e 100644 index f7b8aba..2871fe9 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -122,6 +122,10 @@ @@ -1761,10 +1761,13 @@ main(int ac, char **av)
#include "ssh-sandbox.h"
#include "version.h"
+#ifdef USE_SECURITY_SESSION_API
+#include <Security/AuthSession.h>
+#endif
+
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
@@ -1744,10 +1748,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
} }
@ -2690,7 +2656,7 @@ index 24ab272..e4e406e 100644
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting."); logit("sshd: no hostkeys available -- exiting.");
exit(1); exit(1);
@@ -2488,6 +2495,48 @@ do_ssh2_kex(void) @@ -2501,6 +2504,49 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types()); list_hostkey_types());
@ -2735,13 +2701,14 @@ index 24ab272..e4e406e 100644
+ fatal("No supported key exchange algorithms"); + fatal("No supported key exchange algorithms");
+ } + }
+#endif +#endif
+
+ +
/* start key exchange */ /* start key exchange */
kex = kex_setup(myproposal); kex = kex_setup(myproposal);
kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; #ifdef WITH_OPENSSL
@@ -2496,6 +2545,13 @@ do_ssh2_kex(void) @@ -2511,6 +2557,13 @@ do_ssh2_kex(void)
kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
kex->kex[KEX_ECDH_SHA2] = kexecdh_server; kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server; kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI +#ifdef GSSAPI
+ if (options.gss_keyex) { + if (options.gss_keyex) {
@ -2754,7 +2721,7 @@ index 24ab272..e4e406e 100644
kex->client_version_string=client_version_string; kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string; kex->server_version_string=server_version_string;
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index c1b7c03..adfd7b1 100644 index 7061f75..f4796fc 100644
--- a/sshd_config --- a/sshd_config
+++ b/sshd_config +++ b/sshd_config
@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no @@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
@ -2767,10 +2734,10 @@ index c1b7c03..adfd7b1 100644
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5 diff --git a/sshd_config.5 b/sshd_config.5
index 95b5f8c..1fb002d 100644 index cccb310..8ad79d9 100644
--- a/sshd_config.5 --- a/sshd_config.5
+++ b/sshd_config.5 +++ b/sshd_config.5
@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. @@ -536,12 +536,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
The default is The default is
.Dq no . .Dq no .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.


@ -17,7 +17,7 @@ index 0000000..630ec62
+ +
+ +
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index 411eadb..4ab6717 100644 index f02aa1e..b225217 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
@ -28,16 +28,16 @@ index 411eadb..4ab6717 100644
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -64,7 +65,7 @@ EXEEXT=@EXEEXT@ @@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@ MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ LIBOPENSSH_OBJS=\
canohost.o channels.o cipher.o cipher-aes.o \ ssherr.o \
@@ -176,6 +177,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11 @@ -186,6 +187,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
@ -47,7 +47,7 @@ index 411eadb..4ab6717 100644
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -283,6 +287,7 @@ install-files: @@ -305,6 +309,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi fi
@ -56,10 +56,10 @@ index 411eadb..4ab6717 100644
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff --git a/auth2-pubkey.c b/auth2-pubkey.c diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index c0ae0d4..cb0f931 100644 index 12f5afd..269e642 100644
--- a/auth2-pubkey.c --- a/auth2-pubkey.c
+++ b/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -600,6 +600,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) @@ -602,6 +602,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
_exit(1); _exit(1);
} }
@ -75,10 +75,10 @@ index c0ae0d4..cb0f931 100644
options.authorized_keys_command, user_pw->pw_name, NULL); options.authorized_keys_command, user_pw->pw_name, NULL);
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
index d04f4ed..0077dd7 100644 index 265bd3a..8f32464 100644
--- a/openbsd-compat/port-linux-sshd.c --- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c +++ b/openbsd-compat/port-linux-sshd.c
@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt; @@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
extern int inetd_flag; extern int inetd_flag;
extern int rexeced_flag; extern int rexeced_flag;
@ -99,7 +99,7 @@ index d04f4ed..0077dd7 100644
/* Send audit message */ /* Send audit message */
static int static int
sshd_selinux_send_audit_message(int success, security_context_t default_context, sshd_selinux_send_audit_message(int success, security_context_t default_context,
@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname, @@ -308,7 +322,7 @@ sshd_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */ /* Setup environment variables for pam_selinux */
static int static int
@ -108,7 +108,7 @@ index d04f4ed..0077dd7 100644
{ {
const char *reqlvl; const char *reqlvl;
char *role; char *role;
@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void) @@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl); ssh_selinux_get_role_level(&role, &reqlvl);
@ -128,7 +128,7 @@ index d04f4ed..0077dd7 100644
if (role != NULL) if (role != NULL)
free(role); free(role);
@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void) @@ -336,6 +350,24 @@ sshd_selinux_setup_pam_variables(void)
return rv; return rv;
} }
@ -153,7 +153,7 @@ index d04f4ed..0077dd7 100644
/* Set the execution context to the default for the specified user */ /* Set the execution context to the default for the specified user */
void void
sshd_selinux_setup_exec_context(char *pwname) sshd_selinux_setup_exec_context(char *pwname)
@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pwname) @@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pwname)
int r = 0; int r = 0;
security_context_t default_ctx = NULL; security_context_t default_ctx = NULL;
@ -162,7 +162,7 @@ index d04f4ed..0077dd7 100644
return; return;
if (options.use_pam) { if (options.use_pam) {
@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void) @@ -415,7 +447,7 @@ sshd_selinux_copy_context(void)
{ {
security_context_t *ctx; security_context_t *ctx;
@ -187,10 +187,10 @@ index b18893c..cb51f99 100644
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
diff --git a/platform.c b/platform.c diff --git a/platform.c b/platform.c
index 0d39ab2..0dae387 100644 index 84c47fa..6d876cb 100644
--- a/platform.c --- a/platform.c
+++ b/platform.c +++ b/platform.c
@@ -102,7 +102,7 @@ platform_setusercontext(struct passwd *pw) @@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *pw)
{ {
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
/* Cache selinux status for later use */ /* Cache selinux status for later use */
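Review bot: The eight lines this patch inserts into user_key_command_allowed2 between the child's `_exit(1); }` and the execl of `options.authorized_keys_command` are collapsed in this view, so their failure handling cannot be checked here; because that code runs in the forked child, every error path in the block must end in `_exit()` like the surrounding code, never `return` or `fatal()`, otherwise a failed setup would let the child continue into sshd's post-fork logic instead of dying before exec. The rebase itself only moves the hunk from line 600 to 602, so the added lines are presumably unchanged from the 6.6 patch, but that is exactly when a stale assumption about what runs before exec goes unnoticed. A one-line comment above the block, e.g. `/* forked child, pre-exec: on any failure _exit(), never return into sshd */`, would make the contract explicit for the next rebase. user_key_command_allowed2 starts and ends outside the hunk.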


@ -1,15 +1,16 @@
diff -up openssh-6.6p1/authfile.c.keyperm openssh-6.6p1/authfile.c diff --git a/authfile.c b/authfile.c
--- openssh-6.6p1/authfile.c.keyperm 2014-02-04 01:20:15.000000000 +0100 index e93d867..4fc5b3d 100644
+++ openssh-6.6p1/authfile.c 2014-05-05 15:20:43.075246776 +0200 --- a/authfile.c
@@ -54,6 +54,7 @@ +++ b/authfile.c
@@ -32,6 +32,7 @@
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
+#include <grp.h> +#include <grp.h>
#include <stdarg.h>
#include <stdio.h> #include <stdio.h>
#include <stdarg.h>
#include <stdlib.h> #include <stdlib.h>
@@ -979,6 +980,13 @@ key_perm_ok(int fd, const char *filename @@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename)
#ifdef HAVE_CYGWIN #ifdef HAVE_CYGWIN
if (check_ntsec(filename)) if (check_ntsec(filename))
#endif #endif
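Review bot: The seven lines this patch adds to sshkey_perm_ok after the `#ifdef HAVE_CYGWIN` block are outside this view, and the new `#include <grp.h>` is the only visible hint at what they do — presumably a group lookup that lets a private key be readable by a designated group. If so, the relaxed branch must still reject the group-write bit and all world bits (keep failing on the `027` mask) and must treat a failed or NULL group lookup as "not allowed" rather than as a pass, since a relaxation at this point applies to every private key that callers route through sshkey_perm_ok, not just the keys the packager has in mind. The rest of the rebase is mechanical (hunk retargeted from key_perm_ok to sshkey_perm_ok, include reordered), which is when such a condition is most easily left unreviewed. A comment at the top of the added block naming the trusted group and why it is trusted would document the intent; sshkey_perm_ok starts before the hunk and ends after it.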


@ -1,8 +1,8 @@
diff --git a/auth-krb5.c b/auth-krb5.c diff --git a/auth-krb5.c b/auth-krb5.c
index 6c62bdf..11c8562 100644 index 0089b18..8480261 100644
--- a/auth-krb5.c --- a/auth-krb5.c
+++ b/auth-krb5.c +++ b/auth-krb5.c
@@ -54,6 +54,21 @@ @@ -55,6 +55,21 @@
extern ServerOptions options; extern ServerOptions options;
@ -24,7 +24,7 @@ index 6c62bdf..11c8562 100644
static int static int
krb5_init(void *context) krb5_init(void *context)
{ {
@@ -157,8 +172,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem) if (problem)
goto out; goto out;
@ -37,7 +37,7 @@ index 6c62bdf..11c8562 100644
goto out; goto out;
} }
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 60de320..0a4930e 100644 index 54dd383..961c564 100644
--- a/gss-serv-krb5.c --- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c +++ b/gss-serv-krb5.c
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *, @@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
@ -175,27 +175,27 @@ index 60de320..0a4930e 100644
if ((fp = fopen(file, "r")) == NULL) { if ((fp = fopen(file, "r")) == NULL) {
int saved_errno = errno; int saved_errno = errno;
diff --git a/servconf.c b/servconf.c diff --git a/servconf.c b/servconf.c
index 68fb9ef..904c869 100644 index 179c20d..d17ed04 100644
--- a/servconf.c --- a/servconf.c
+++ b/servconf.c +++ b/servconf.c
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options) @@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1; options->ip_qos_bulk = -1;
options->version_addendum = NULL; options->version_addendum = NULL;
options->fingerprint_hash = -1;
+ options->use_kuserok = -1; + options->use_kuserok = -1;
} }
void void
@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options) @@ -328,6 +329,8 @@ fill_default_server_options(ServerOptions *options)
options->version_addendum = xstrdup(""); options->fwd_opts.streamlocal_bind_unlink = 0;
if (options->show_patchlevel == -1) if (options->fingerprint_hash == -1)
options->show_patchlevel = 0; options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->use_kuserok == -1) + if (options->use_kuserok == -1)
+ options->use_kuserok = 1; + options->use_kuserok = 1;
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
@@ -338,7 +341,7 @@ typedef enum { use_privsep = PRIVSEP_NOSANDBOX;
@@ -353,7 +356,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -204,7 +204,7 @@ index 68fb9ef..904c869 100644
sKerberosTgtPassing, sChallengeResponseAuthentication, sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
@@ -410,11 +413,13 @@ static struct { @@ -427,11 +430,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -218,7 +218,7 @@ index 68fb9ef..904c869 100644
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1526,6 +1531,10 @@ process_server_config_line(ServerOptions *options, char *line, @@ -1557,6 +1562,10 @@ process_server_config_line(ServerOptions *options, char *line,
*activep = value; *activep = value;
break; break;
@ -229,7 +229,7 @@ index 68fb9ef..904c869 100644
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -1811,6 +1820,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) @@ -1872,6 +1881,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(max_authtries); M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
@ -237,19 +237,19 @@ index 68fb9ef..904c869 100644
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
@@ -2062,6 +2072,7 @@ dump_config(ServerOptions *o) @@ -2130,6 +2140,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h diff --git a/servconf.h b/servconf.h
index 37cfa9b..5117dfa 100644 index 397698b..cf2a505 100644
--- a/servconf.h --- a/servconf.h
+++ b/servconf.h +++ b/servconf.h
@@ -173,6 +173,7 @@ typedef struct { @@ -175,6 +175,7 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -258,7 +258,7 @@ index 37cfa9b..5117dfa 100644
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index adfd7b1..e772ed5 100644 index f4796fc..0d9454d 100644
--- a/sshd_config --- a/sshd_config
+++ b/sshd_config +++ b/sshd_config
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no @@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
@ -270,10 +270,10 @@ index adfd7b1..e772ed5 100644
# GSSAPI options # GSSAPI options
GSSAPIAuthentication yes GSSAPIAuthentication yes
diff --git a/sshd_config.5 b/sshd_config.5 diff --git a/sshd_config.5 b/sshd_config.5
index 1fb002d..e0e5fff 100644 index 8ad79d9..eb4dd9e 100644
--- a/sshd_config.5 --- a/sshd_config.5
+++ b/sshd_config.5 +++ b/sshd_config.5
@@ -697,6 +697,10 @@ Specifies whether to automatically destroy the user's ticket cache @@ -740,6 +740,10 @@ Specifies whether to automatically destroy the user's ticket cache
file on logout. file on logout.
The default is The default is
.Dq yes . .Dq yes .
@ -284,7 +284,7 @@ index 1fb002d..e0e5fff 100644
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
@@ -862,6 +866,7 @@ Available keywords are @@ -961,6 +965,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly , .Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
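Review bot: `options->use_kuserok` now defaults to 1 in fill_default_server_options (re-anchored after `fingerprint_hash`), so the check the option gates — presumably the krb5_kuserok() call in auth_krb5_password, whose changed lines are collapsed here — stays on unless an administrator turns it off; that is the right default, but the one-line field added to servconf.h after `num_permitted_opens` should carry the trailing comment its neighbours use, e.g. `int use_kuserok; /* If true, consult krb5_kuserok() for Kerberos logins */`, because setting it to no removes an authorization check rather than adding one. The sshd_config.5 hunk appears to add the keyword to the Match list, which requires the keyword-table entry to be SSHCFG_ALL and an `M_CP_INTOPT(use_kuserok)` line in copy_set_server_options; both hunks are in this diff but their added lines are collapsed, so please confirm they agree. The `dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok)` line in dump_config is a useful addition, as it lets `sshd -T` show the effective value.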


@ -25,7 +25,7 @@ index a1a2b52..b109a5a 100644
char ** fetch_pam_child_environment(void); char ** fetch_pam_child_environment(void);
void free_pam_environment(char **); void free_pam_environment(char **);
diff --git a/auth.h b/auth.h diff --git a/auth.h b/auth.h
index 124e597..4605588 100644 index d081c94..847cffd 100644
--- a/auth.h --- a/auth.h
+++ b/auth.h +++ b/auth.h
@@ -59,6 +59,9 @@ struct Authctxt { @@ -59,6 +59,9 @@ struct Authctxt {
@ -39,10 +39,10 @@ index 124e597..4605588 100644
char *info; /* Extra info for next auth_log */ char *info; /* Extra info for next auth_log */
#ifdef BSD_AUTH #ifdef BSD_AUTH
diff --git a/auth1.c b/auth1.c diff --git a/auth1.c b/auth1.c
index 0f870b3..df040bb 100644 index 5038828..f0a98d2 100644
--- a/auth1.c --- a/auth1.c
+++ b/auth1.c +++ b/auth1.c
@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt) @@ -382,6 +382,9 @@ do_authentication(Authctxt *authctxt)
{ {
u_int ulen; u_int ulen;
char *user, *style = NULL; char *user, *style = NULL;
@ -52,7 +52,7 @@ index 0f870b3..df040bb 100644
/* Get the name of the user that we wish to log in as. */ /* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER); packet_read_expect(SSH_CMSG_USER);
@@ -389,11 +392,24 @@ do_authentication(Authctxt *authctxt) @@ -390,11 +393,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen); user = packet_get_cstring(&ulen);
packet_check_eom(); packet_check_eom();
@ -78,10 +78,10 @@ index 0f870b3..df040bb 100644
/* Verify that the user is a valid user. */ /* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff --git a/auth2-gss.c b/auth2-gss.c diff --git a/auth2-gss.c b/auth2-gss.c
index c28a705..4756dd7 100644 index 447f896..4803e7e 100644
--- a/auth2-gss.c --- a/auth2-gss.c
+++ b/auth2-gss.c +++ b/auth2-gss.c
@@ -251,6 +251,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) @@ -252,6 +252,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
int authenticated = 0; int authenticated = 0;
@ -89,7 +89,7 @@ index c28a705..4756dd7 100644
Buffer b; Buffer b;
gss_buffer_desc mic, gssbuf; gss_buffer_desc mic, gssbuf;
u_int len; u_int len;
@@ -263,7 +264,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) @@ -264,7 +265,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
mic.value = packet_get_string(&len); mic.value = packet_get_string(&len);
mic.length = len; mic.length = len;
@ -104,7 +104,7 @@ index c28a705..4756dd7 100644
"gssapi-with-mic"); "gssapi-with-mic");
gssbuf.value = buffer_ptr(&b); gssbuf.value = buffer_ptr(&b);
@@ -275,6 +282,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) @@ -276,6 +283,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
logit("GSSAPI MIC check failed"); logit("GSSAPI MIC check failed");
buffer_free(&b); buffer_free(&b);
@ -114,10 +114,10 @@ index c28a705..4756dd7 100644
authctxt->postponed = 0; authctxt->postponed = 0;
diff --git a/auth2-hostbased.c b/auth2-hostbased.c diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index eca0069..95d678e 100644 index b7ae353..41f1a3f 100644
--- a/auth2-hostbased.c --- a/auth2-hostbased.c
+++ b/auth2-hostbased.c +++ b/auth2-hostbased.c
@@ -112,7 +112,15 @@ userauth_hostbased(Authctxt *authctxt) @@ -113,7 +113,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len); buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */ /* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@ -135,7 +135,7 @@ index eca0069..95d678e 100644
buffer_put_cstring(&b, "hostbased"); buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen); buffer_put_string(&b, pkalg, alen);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 749b11a..c0ae0d4 100644 index 3f4f789..12f5afd 100644
--- a/auth2-pubkey.c --- a/auth2-pubkey.c
+++ b/auth2-pubkey.c +++ b/auth2-pubkey.c
@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt) @@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt)
@ -153,10 +153,10 @@ index 749b11a..c0ae0d4 100644
free(userstyle); free(userstyle);
buffer_put_cstring(&b, buffer_put_cstring(&b,
diff --git a/auth2.c b/auth2.c diff --git a/auth2.c b/auth2.c
index a5490c0..5f4f26f 100644 index d9b440a..d6fbc93 100644
--- a/auth2.c --- a/auth2.c
+++ b/auth2.c +++ b/auth2.c
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) @@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
char *user, *service, *method, *style = NULL; char *user, *service, *method, *style = NULL;
@ -166,7 +166,7 @@ index a5490c0..5f4f26f 100644
int authenticated = 0; int authenticated = 0;
if (authctxt == NULL) if (authctxt == NULL)
@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) @@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
debug("userauth-request for user %s service %s method %s", user, service, method); debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -178,7 +178,7 @@ index a5490c0..5f4f26f 100644
if ((style = strchr(user, ':')) != NULL) if ((style = strchr(user, ':')) != NULL)
*style++ = 0; *style++ = 0;
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) @@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
use_privsep ? " [net]" : ""); use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service); authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL; authctxt->style = style ? xstrdup(style) : NULL;
@ -196,10 +196,10 @@ index a5490c0..5f4f26f 100644
if (auth2_setup_methods_lists(authctxt) != 0) if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled"); packet_disconnect("no authentication methods enabled");
diff --git a/misc.c b/misc.c diff --git a/misc.c b/misc.c
index e4c8c32..f31cd91 100644 index 94b05b0..651c21b 100644
--- a/misc.c --- a/misc.c
+++ b/misc.c +++ b/misc.c
@@ -430,6 +430,7 @@ char * @@ -431,6 +431,7 @@ char *
colon(char *cp) colon(char *cp)
{ {
int flag = 0; int flag = 0;
@ -207,7 +207,7 @@ index e4c8c32..f31cd91 100644
if (*cp == ':') /* Leading colon is part of file name. */ if (*cp == ':') /* Leading colon is part of file name. */
return NULL; return NULL;
@@ -445,6 +446,13 @@ colon(char *cp) @@ -446,6 +447,13 @@ colon(char *cp)
return (cp); return (cp);
if (*cp == '/') if (*cp == '/')
return NULL; return NULL;
@ -222,10 +222,10 @@ index e4c8c32..f31cd91 100644
return NULL; return NULL;
} }
diff --git a/monitor.c b/monitor.c diff --git a/monitor.c b/monitor.c
index 531c4f9..229fada 100644 index dbe29f1..d3f87e1 100644
--- a/monitor.c --- a/monitor.c
+++ b/monitor.c +++ b/monitor.c
@@ -145,6 +145,9 @@ int mm_answer_sign(int, Buffer *); @@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *); int mm_answer_authserv(int, Buffer *);
@ -235,7 +235,7 @@ index 531c4f9..229fada 100644
int mm_answer_authpassword(int, Buffer *); int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *);
@@ -219,6 +222,9 @@ struct mon_table mon_dispatch_proto20[] = { @@ -227,6 +230,9 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -245,7 +245,7 @@ index 531c4f9..229fada 100644
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -805,6 +811,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) @@ -824,6 +830,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
else { else {
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -255,7 +255,7 @@ index 531c4f9..229fada 100644
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
} }
#ifdef USE_PAM #ifdef USE_PAM
@@ -846,6 +855,25 @@ mm_answer_authserv(int sock, Buffer *m) @@ -865,6 +874,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0); return (0);
} }
@ -281,7 +281,7 @@ index 531c4f9..229fada 100644
int int
mm_answer_authpassword(int sock, Buffer *m) mm_answer_authpassword(int sock, Buffer *m)
{ {
@@ -1220,7 +1248,7 @@ static int @@ -1241,7 +1269,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen) monitor_valid_userblob(u_char *data, u_int datalen)
{ {
Buffer b; Buffer b;
@ -290,7 +290,7 @@ index 531c4f9..229fada 100644
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1246,6 +1274,8 @@ monitor_valid_userblob(u_char *data, u_int datalen) @@ -1267,6 +1295,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
p = buffer_get_cstring(&b, NULL); p = buffer_get_cstring(&b, NULL);
@ -299,7 +299,7 @@ index 531c4f9..229fada 100644
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : ""); authctxt->style ? authctxt->style : "");
@@ -1281,7 +1311,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, @@ -1302,7 +1332,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
char *chost) char *chost)
{ {
Buffer b; Buffer b;
@ -308,7 +308,7 @@ index 531c4f9..229fada 100644
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1298,6 +1328,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, @@ -1319,6 +1349,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
p = buffer_get_cstring(&b, NULL); p = buffer_get_cstring(&b, NULL);
@ -333,10 +333,10 @@ index 5bc41b5..20e2b4a 100644
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
diff --git a/monitor_wrap.c b/monitor_wrap.c diff --git a/monitor_wrap.c b/monitor_wrap.c
index 1a47e41..d1b6d99 100644 index 45dc169..82f114c 100644
--- a/monitor_wrap.c --- a/monitor_wrap.c
+++ b/monitor_wrap.c +++ b/monitor_wrap.c
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *style) @@ -342,6 +342,25 @@ mm_inform_authserv(char *service, char *style)
buffer_free(&m); buffer_free(&m);
} }
@ -377,12 +377,12 @@ index 18c2501..9d5e5ba 100644
char *mm_auth2_read_banner(void); char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *); int mm_auth_password(struct Authctxt *, char *);
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 6ecfb93..b912dbe 100644 index ab1a3e3..843225d 100644
--- a/openbsd-compat/Makefile.in --- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o -PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
@ -391,10 +391,10 @@ index 6ecfb93..b912dbe 100644
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
new file mode 100644 new file mode 100644
index 0000000..c18524e index 0000000..6310717
--- /dev/null --- /dev/null
+++ b/openbsd-compat/port-linux-sshd.c +++ b/openbsd-compat/port-linux-sshd.c
@@ -0,0 +1,414 @@ @@ -0,0 +1,415 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -426,6 +426,7 @@ index 0000000..c18524e
+ +
+#include "log.h" +#include "log.h"
+#include "xmalloc.h" +#include "xmalloc.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h" +#include "servconf.h"
+#include "port-linux.h" +#include "port-linux.h"
+#include "key.h" +#include "key.h"
@ -868,10 +869,10 @@ index e3d1004..8ef6cc4 100644
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
diff --git a/platform.c b/platform.c diff --git a/platform.c b/platform.c
index 30fc609..0d39ab2 100644 index ee313da..84c47fa 100644
--- a/platform.c --- a/platform.c
+++ b/platform.c +++ b/platform.c
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) @@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
} }
#endif /* HAVE_SETPCRED */ #endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
@ -881,10 +882,10 @@ index 30fc609..0d39ab2 100644
} }
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index 7523de9..07f9926 100644 index 481d001..41b317b 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -2138,6 +2138,9 @@ main(int ac, char **av) @@ -2144,6 +2144,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
#endif #endif


@ -1,8 +1,8 @@
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index 3bb7f00..294bef5 100644 index 9311e16..1eb2b45 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -154,25 +154,25 @@ libssh.a: $(LIBSSH_OBJS) @@ -164,25 +164,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@ $(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -34,7 +34,7 @@ index 3bb7f00..294bef5 100644
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -187,7 +187,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o @@ -197,7 +197,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@ -43,77 +43,6 @@ index 3bb7f00..294bef5 100644
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff --git a/auth-rsa.c b/auth-rsa.c
index f225b0b..8bafcd6 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -244,7 +244,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
"actual %d vs. announced %d.",
file, linenum, BN_num_bits(key->rsa->n), bits);
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(key), fp);
free(fp);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 6d1c872..3808ec8 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -214,8 +214,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
}
if (key_is_cert(key)) {
- fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
key_type(key), key->cert->key_id,
(unsigned long long)key->cert->serial,
@@ -223,7 +222,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
} else {
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
diff --git a/authfile.c b/authfile.c
index ec4f4ff..2b3d650 100644
--- a/authfile.c
+++ b/authfile.c
@@ -46,6 +46,7 @@
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
+#include <openssl/fips.h>
/* compatibility with old or broken OpenSSL versions */
#include "openbsd-compat/openssl-compat.h"
@@ -1068,7 +1069,7 @@ Key *
key_parse_private(Buffer *buffer, const char *filename,
const char *passphrase, char **commentp)
{
- Key *pub, *prv;
+ Key *pub, *prv = NULL;
/* it's a SSH v1 key if the public key part is readable */
pub = key_parse_public_rsa1(buffer, commentp);
@@ -1080,9 +1081,10 @@ key_parse_private(Buffer *buffer, const char *filename,
*commentp = xstrdup(filename);
} else {
key_free(pub);
- /* key_parse_public_rsa1() has already loaded the comment */
- prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
- NULL);
+ if (! FIPS_mode())
+ /* key_parse_public_rsa1() has already loaded the comment */
+ prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
+ NULL);
}
return prv;
}
diff --git a/cipher-ctr.c b/cipher-ctr.c diff --git a/cipher-ctr.c b/cipher-ctr.c
index 73e9c7c..40ee395 100644 index 73e9c7c..40ee395 100644
--- a/cipher-ctr.c --- a/cipher-ctr.c
@ -129,7 +58,7 @@ index 73e9c7c..40ee395 100644
return (&aes_ctr); return (&aes_ctr);
} }
diff --git a/cipher.c b/cipher.c diff --git a/cipher.c b/cipher.c
index 226e56d..b19443c 100644 index 9cc7cf8..5ebfa84 100644
--- a/cipher.c --- a/cipher.c
+++ b/cipher.c +++ b/cipher.c
@@ -39,6 +39,8 @@ @@ -39,6 +39,8 @@
@ -141,11 +70,11 @@ index 226e56d..b19443c 100644
#include <string.h> #include <string.h>
#include <stdarg.h> #include <stdarg.h>
#include <stdio.h> #include <stdio.h>
@@ -90,6 +92,25 @@ static const struct Cipher ciphers[] = { @@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] = {
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
}; };
+static const struct Cipher fips_ciphers[] = { +static const struct sshcipher fips_ciphers[] = {
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
@ -164,38 +93,39 @@ index 226e56d..b19443c 100644
+#endif +#endif
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+}; +};
+
/*--*/ /*--*/
/* Returns a list of supported ciphers separated by the specified char. */ /* Returns a comma-separated list of supported ciphers. */
@@ -100,7 +121,7 @@ cipher_alg_list(char sep, int auth_only) @@ -109,7 +131,7 @@ cipher_alg_list(char sep, int auth_only)
size_t nlen, rlen = 0; size_t nlen, rlen = 0;
const Cipher *c; const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++) { - for (c = ciphers; c->name != NULL; c++) {
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) { + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2) if (c->number != SSH_CIPHER_SSH2)
continue; continue;
if (auth_only && c->auth_len == 0) if (auth_only && c->auth_len == 0)
@@ -180,7 +201,7 @@ const Cipher * @@ -193,7 +215,7 @@ const struct sshcipher *
cipher_by_name(const char *name) cipher_by_name(const char *name)
{ {
const Cipher *c; const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++) - for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcmp(c->name, name) == 0) if (strcmp(c->name, name) == 0)
return c; return c;
return NULL; return NULL;
@@ -190,7 +211,7 @@ const Cipher * @@ -203,7 +225,7 @@ const struct sshcipher *
cipher_by_number(int id) cipher_by_number(int id)
{ {
const Cipher *c; const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++) - for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (c->number == id) if (c->number == id)
return c; return c;
return NULL; return NULL;
@@ -232,7 +253,7 @@ cipher_number(const char *name) @@ -244,7 +266,7 @@ cipher_number(const char *name)
const Cipher *c; const struct sshcipher *c;
if (name == NULL) if (name == NULL)
return -1; return -1;
- for (c = ciphers; c->name != NULL; c++) - for (c = ciphers; c->name != NULL; c++)
@ -216,10 +146,10 @@ index 48f7b68..9ff39f4 100644
/* /*
diff --git a/entropy.c b/entropy.c diff --git a/entropy.c b/entropy.c
index b361a04..5616643 100644 index d24e724..06b0095 100644
--- a/entropy.c --- a/entropy.c
+++ b/entropy.c +++ b/entropy.c
@@ -222,6 +222,9 @@ seed_rng(void) @@ -215,6 +215,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you " fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@ -230,18 +160,18 @@ index b361a04..5616643 100644
if (RAND_status() == 1) { if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding"); debug3("RNG is ready, skipping seeding");
diff --git a/kex.c b/kex.c diff --git a/kex.c b/kex.c
index bc3e53e..ede7b67 100644 index e0cf3de..e11198f 100644
--- a/kex.c --- a/kex.c
+++ b/kex.c +++ b/kex.c
@@ -34,6 +34,7 @@ @@ -35,6 +35,7 @@
#include <string.h>
#ifdef WITH_OPENSSL
#include <openssl/crypto.h> #include <openssl/crypto.h>
+#include <openssl/fips.h> +#include <openssl/fips.h>
#endif
#include "xmalloc.h" #include "xmalloc.h"
#include "ssh2.h" @@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = {
@@ -103,6 +104,25 @@ static const struct kexalg kexalgs[] = {
{ NULL, -1, -1, -1}, { NULL, -1, -1, -1},
}; };
@ -267,7 +197,7 @@ index bc3e53e..ede7b67 100644
char * char *
kex_alg_list(char sep) kex_alg_list(char sep)
{ {
@@ -126,7 +146,7 @@ kex_alg_by_name(const char *name) @@ -130,7 +150,7 @@ kex_alg_by_name(const char *name)
{ {
const struct kexalg *k; const struct kexalg *k;
@ -276,7 +206,7 @@ index bc3e53e..ede7b67 100644
if (strcmp(k->name, name) == 0) if (strcmp(k->name, name) == 0)
return k; return k;
#ifdef GSSAPI #ifdef GSSAPI
@@ -151,7 +171,10 @@ kex_names_valid(const char *names) @@ -155,7 +175,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) { if (kex_alg_by_name(p) == NULL) {
@ -313,7 +243,7 @@ index 2700b72..0820894 100644
} }
#else /* OPENSSL_HAS_ECC */ #else /* OPENSSL_HAS_ECC */
diff --git a/kexgexc.c b/kexgexc.c diff --git a/kexgexc.c b/kexgexc.c
index 355b7ba..427e11f 100644 index 0a91bdd..b75930b 100644
--- a/kexgexc.c --- a/kexgexc.c
+++ b/kexgexc.c +++ b/kexgexc.c
@@ -26,6 +26,8 @@ @@ -26,6 +26,8 @@
@ -358,50 +288,8 @@ index 770ad28..9d4fc6d 100644
omax = max = DH_GRP_MAX; omax = max = DH_GRP_MAX;
break; break;
default: default:
diff --git a/key.c b/key.c
index 62f3edb..a2050f6 100644
--- a/key.c
+++ b/key.c
@@ -42,6 +42,7 @@
#include "crypto_api.h"
#include <openssl/evp.h>
+#include <openssl/fips.h>
#include <openbsd-compat/openssl-compat.h>
#include <stdarg.h>
@@ -636,9 +637,13 @@ key_fingerprint_selection(void)
char *env;
if (!rv_defined) {
- env = getenv("SSH_FINGERPRINT_TYPE");
- rv = (env && !strcmp (env, "sha")) ?
- SSH_FP_SHA1 : SSH_FP_MD5;
+ if (FIPS_mode())
+ rv = SSH_FP_SHA1;
+ else {
+ env = getenv("SSH_FINGERPRINT_TYPE");
+ rv = (env && !strcmp (env, "sha")) ?
+ SSH_FP_SHA1 : SSH_FP_MD5;
+ }
rv_defined = 1;
}
return rv;
@@ -1168,8 +1173,11 @@ rsa_generate_private_key(u_int bits)
fatal("%s: BN_new failed", __func__);
if (!BN_set_word(f4, RSA_F4))
fatal("%s: BN_new failed", __func__);
- if (!RSA_generate_key_ex(private, bits, f4, NULL))
+ if (!RSA_generate_key_ex(private, bits, f4, NULL)) {
+ if (FIPS_mode())
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
fatal("%s: key generation failed.", __func__);
+ }
BN_free(f4);
return private;
}
diff --git a/mac.c b/mac.c diff --git a/mac.c b/mac.c
index 9388af4..cd7b034 100644 index fd07bf2..fedfbb2 100644
--- a/mac.c --- a/mac.c
+++ b/mac.c +++ b/mac.c
@@ -27,6 +27,8 @@ @@ -27,6 +27,8 @@
@ -466,26 +354,18 @@ index 9388af4..cd7b034 100644
continue; continue;
if (mac != NULL) { if (mac != NULL) {
diff --git a/myproposal.h b/myproposal.h diff --git a/myproposal.h b/myproposal.h
index 3a0f5ae..4f35a44 100644 index b35b2b8..a608d27 100644
--- a/myproposal.h --- a/myproposal.h
+++ b/myproposal.h +++ b/myproposal.h
@@ -88,6 +88,12 @@ @@ -140,6 +140,28 @@
"diffie-hellman-group14-sha1," \ "hmac-sha1-96," \
"diffie-hellman-group1-sha1" "hmac-md5-96"
+#define KEX_DEFAULT_KEX_FIPS \ +#define KEX_DEFAULT_KEX_FIPS \
+ KEX_ECDH_METHODS \ + KEX_ECDH_METHODS \
+ KEX_SHA256_METHODS \ + KEX_SHA256_METHODS \
+ "diffie-hellman-group-exchange-sha1," \ + "diffie-hellman-group-exchange-sha1," \
+ "diffie-hellman-group14-sha1" + "diffie-hellman-group14-sha1"
+
#define KEX_DEFAULT_PK_ALG \
HOSTKEY_ECDSA_CERT_METHODS \
"ssh-ed25519-cert-v01@openssh.com," \
@@ -133,6 +139,22 @@
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG ""
+#define KEX_FIPS_ENCRYPT \ +#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \ + "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \ + "aes128-cbc,3des-cbc," \
@ -502,59 +382,24 @@ index 3a0f5ae..4f35a44 100644
+#define KEX_FIPS_MAC \ +#define KEX_FIPS_MAC \
+ "hmac-sha1" + "hmac-sha1"
+#endif +#endif
+
#else
static char *myproposal[PROPOSAL_MAX] = { #define KEX_SERVER_KEX \
KEX_DEFAULT_KEX,
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 66198e6..ccf22c8 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -195,6 +195,12 @@ type_bits_valid(int type, u_int32_t *bitsp)
fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
exit(1);
}
+ if (FIPS_mode()) {
+ if (type == KEY_DSA)
+ fatal("DSA keys are not allowed in FIPS mode");
+ if (type == KEY_ED25519)
+ fatal("ED25519 keys are not allowed in FIPS mode");
+ }
if (type == KEY_DSA && *bitsp != 1024)
fatal("DSA keys must be 1024 bits");
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
@@ -746,7 +752,7 @@ do_download(struct passwd *pw)
enum fp_type fptype;
char *fp, *ra;
- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
pkcs11_init(0);
@@ -756,8 +762,7 @@ do_download(struct passwd *pw)
for (i = 0; i < nkeys; i++) {
if (print_fingerprint) {
fp = key_fingerprint(keys[i], fptype, rep);
- ra = key_fingerprint(keys[i], SSH_FP_MD5,
- SSH_FP_RANDOMART);
+ ra = key_selected_fingerprint(keys[i], SSH_FP_RANDOMART);
printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
fp, key_type(keys[i]));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
diff --git a/ssh.c b/ssh.c diff --git a/ssh.c b/ssh.c
index 1e6cb90..ea9193f 100644 index 26e9681..a0a7c29 100644
--- a/ssh.c --- a/ssh.c
+++ b/ssh.c +++ b/ssh.c
@@ -73,6 +73,8 @@ @@ -75,6 +75,8 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#endif
+#include <openssl/fips.h> +#include <openssl/fips.h>
+#include <fipscheck.h> +#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -427,6 +429,13 @@ main(int ac, char **av) @@ -433,6 +435,13 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -568,7 +413,7 @@ index 1e6cb90..ea9193f 100644
#ifndef HAVE_SETPROCTITLE #ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */ /* Prepare for later setproctitle emulation */
@@ -504,6 +513,9 @@ main(int ac, char **av) @@ -510,6 +519,9 @@ main(int ac, char **av)
"ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) { switch (opt) {
case '1': case '1':
@ -578,15 +423,15 @@ index 1e6cb90..ea9193f 100644
options.protocol = SSH_PROTO_1; options.protocol = SSH_PROTO_1;
break; break;
case '2': case '2':
@@ -828,7 +840,6 @@ main(int ac, char **av) @@ -841,7 +853,6 @@ main(int ac, char **av)
host_arg = xstrdup(host); host_arg = xstrdup(host);
#ifdef WITH_OPENSSL
- OpenSSL_add_all_algorithms(); - OpenSSL_add_all_algorithms();
ERR_load_crypto_strings(); ERR_load_crypto_strings();
#endif
/* Initialize the command to execute on remote host. */ @@ -997,6 +1008,10 @@ main(int ac, char **av)
@@ -973,6 +984,10 @@ main(int ac, char **av)
seed_rng(); seed_rng();
@ -597,7 +442,7 @@ index 1e6cb90..ea9193f 100644
if (options.user == NULL) if (options.user == NULL)
options.user = xstrdup(pw->pw_name); options.user = xstrdup(pw->pw_name);
@@ -1020,6 +1035,12 @@ main(int ac, char **av) @@ -1069,6 +1084,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000; timeout_ms = options.connection_timeout * 1000;
@ -611,10 +456,10 @@ index 1e6cb90..ea9193f 100644
if (ssh_connect(host, addrs, &hostaddr, options.port, if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts, options.address_family, options.connection_attempts,
diff --git a/sshconnect2.c b/sshconnect2.c diff --git a/sshconnect2.c b/sshconnect2.c
index b00658b..6a1562c 100644 index efe6158..5631f39 100644
--- a/sshconnect2.c --- a/sshconnect2.c
+++ b/sshconnect2.c +++ b/sshconnect2.c
@@ -44,6 +44,8 @@ @@ -46,6 +46,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -623,24 +468,13 @@ index b00658b..6a1562c 100644
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@@ -168,20 +170,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) @@ -171,20 +173,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
#ifdef GSSAPI #ifdef GSSAPI
if (options.gss_keyex) { if (options.gss_keyex) {
- /* Add the GSSAPI mechanisms currently supported on this - /* Add the GSSAPI mechanisms currently supported on this
- * client to the key exchange algorithm proposal */ - * client to the key exchange algorithm proposal */
- orig = myproposal[PROPOSAL_KEX_ALGS]; - orig = myproposal[PROPOSAL_KEX_ALGS];
-
- if (options.gss_trust_dns)
- gss_host = (char *)get_canonical_hostname(1);
- else
- gss_host = host;
-
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
+ if (FIPS_mode()) { + if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode"); + logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0; + options.gss_keyex = 0;
@ -648,12 +482,21 @@ index b00658b..6a1562c 100644
+ /* Add the GSSAPI mechanisms currently supported on this + /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */ + * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS]; + orig = myproposal[PROPOSAL_KEX_ALGS];
+
- if (options.gss_trust_dns)
- gss_host = (char *)get_canonical_hostname(1);
- else
- gss_host = host;
+ if (options.gss_trust_dns) + if (options.gss_trust_dns)
+ gss_host = (char *)get_canonical_hostname(1); + gss_host = (char *)get_canonical_hostname(1);
+ else + else
+ gss_host = host; + gss_host = host;
+
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); + gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
+ if (gss) { + if (gss) {
+ debug("Offering GSSAPI proposal: %s", gss); + debug("Offering GSSAPI proposal: %s", gss);
@ -663,7 +506,7 @@ index b00658b..6a1562c 100644
} }
} }
#endif #endif
@@ -193,6 +200,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) @@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
if (options.ciphers != NULL) { if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -674,7 +517,7 @@ index b00658b..6a1562c 100644
} }
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -208,7 +219,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) @@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
if (options.macs != NULL) { if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -686,7 +529,7 @@ index b00658b..6a1562c 100644
if (options.hostkeyalgorithms != NULL) if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(options.hostkeyalgorithms); compat_pkalg_proposal(options.hostkeyalgorithms);
@@ -220,9 +235,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) @@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
} }
if (options.kex_algorithms != NULL) if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -700,19 +543,27 @@ index b00658b..6a1562c 100644
/* If we've got GSSAPI algorithms, then we also support the /* If we've got GSSAPI algorithms, then we also support the
* 'null' hostkey, as a last resort */ * 'null' hostkey, as a last resort */
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index b561ec8..e977de3 100644 index db23ce2..3ce59f0 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -75,6 +75,8 @@ @@ -66,6 +66,7 @@
#include <grp.h>
#include <pwd.h>
#include <signal.h>
+#include <syslog.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
@@ -76,6 +77,8 @@
#include <openssl/dh.h> #include <openssl/dh.h>
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/rand.h> #include <openssl/rand.h>
+#include <openssl/fips.h> +#include <openssl/fips.h>
+#include <fipscheck.h> +#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#endif
#ifdef HAVE_SECUREWARE @@ -1479,6 +1482,18 @@ main(int ac, char **av)
@@ -1468,6 +1470,18 @@ main(int ac, char **av)
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -731,16 +582,16 @@ index b561ec8..e977de3 100644
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1619,8 +1633,6 @@ main(int ac, char **av) @@ -1630,7 +1645,7 @@ main(int ac, char **av)
else else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
- OpenSSL_add_all_algorithms(); -#ifdef WITH_OPENSSL
- +#if 0 /* FIPS */
/* If requested, redirect the logs to the specified logfile. */ OpenSSL_add_all_algorithms();
if (logfile != NULL) { #endif
log_redirect_stderr_to(logfile);
@@ -1798,6 +1810,10 @@ main(int ac, char **av) @@ -1816,6 +1831,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, keytype, debug("private host key: #%d type %d %s", i, keytype,
key_type(key ? key : pubkey)); key_type(key ? key : pubkey));
} }
@ -751,7 +602,7 @@ index b561ec8..e977de3 100644
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
@@ -1961,6 +1977,10 @@ main(int ac, char **av) @@ -1982,6 +2001,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */ /* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -762,7 +613,7 @@ index b561ec8..e977de3 100644
/* Chdir to the root directory so that the current disk can be /* Chdir to the root directory so that the current disk can be
unmounted if desired. */ unmounted if desired. */
if (chdir("/") == -1) if (chdir("/") == -1)
@@ -2530,6 +2550,9 @@ do_ssh2_kex(void) @@ -2541,6 +2564,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) { if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -772,7 +623,7 @@ index b561ec8..e977de3 100644
} }
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2539,6 +2562,9 @@ do_ssh2_kex(void) @@ -2550,6 +2576,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) { if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -782,7 +633,7 @@ index b561ec8..e977de3 100644
} }
if (options.compression == COMP_NONE) { if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_CTOS] =
@@ -2549,6 +2575,8 @@ do_ssh2_kex(void) @@ -2560,6 +2589,8 @@ do_ssh2_kex(void)
} }
if (options.kex_algorithms != NULL) if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -791,7 +642,7 @@ index b561ec8..e977de3 100644
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
myproposal[PROPOSAL_KEX_ALGS]); myproposal[PROPOSAL_KEX_ALGS]);
@@ -2575,10 +2603,14 @@ do_ssh2_kex(void) @@ -2586,10 +2617,14 @@ do_ssh2_kex(void)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL; orig = NULL;
@ -810,3 +661,24 @@ index b561ec8..e977de3 100644
if (gss && orig) if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig); xasprintf(&newstr, "%s,%s", gss, orig);
diff --git a/sshkey.c b/sshkey.c
index f078e11..5e3d97f 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -34,6 +34,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+#include <openssl/fips.h>
#include "crypto_api.h"
@@ -1523,6 +1524,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
+ if (FIPS_mode())
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}


@ -113,7 +113,7 @@ index 0000000..dd5f5cc
+ Jan F. Chadima <jchadima@redhat.com> + Jan F. Chadima <jchadima@redhat.com>
+ +
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index 28a8ec4..411eadb 100644 index 06be3d5..f02aa1e 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh @@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
@ -125,7 +125,7 @@ index 28a8ec4..411eadb 100644
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@ @@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@ MANFMT=@MANFMT@
@ -134,9 +134,9 @@ index 28a8ec4..411eadb 100644
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ LIBOPENSSH_OBJS=\
canohost.o channels.o cipher.o cipher-aes.o \ ssherr.o \
@@ -98,8 +101,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ @@ -108,8 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-seccomp-filter.o sandbox-capsicum.o
@ -147,7 +147,7 @@ index 28a8ec4..411eadb 100644
MANTYPE = @MANTYPE@ MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out CONFIGFILES=sshd_config.out ssh_config.out moduli.out
@@ -170,6 +173,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco @@ -180,6 +183,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@ -157,7 +157,7 @@ index 28a8ec4..411eadb 100644
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -273,6 +279,10 @@ install-files: @@ -295,6 +301,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -168,7 +168,7 @@ index 28a8ec4..411eadb 100644
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
@@ -289,6 +299,10 @@ install-files: @@ -311,6 +321,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@ -179,7 +179,7 @@ index 28a8ec4..411eadb 100644
-rm -f $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(bindir)/slogin
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
@@ -318,6 +332,13 @@ install-sysconf: @@ -340,6 +354,13 @@ install-sysconf:
else \ else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi fi
@ -193,7 +193,7 @@ index 28a8ec4..411eadb 100644
host-key: ssh-keygen$(EXEEXT) host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \ @if [ -z "$(DESTDIR)" ] ; then \
@@ -381,6 +402,8 @@ uninstall: @@ -403,6 +424,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@ -202,19 +202,19 @@ index 28a8ec4..411eadb 100644
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
@@ -392,6 +415,7 @@ uninstall: @@ -414,6 +437,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c regress-prep:
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index 7c6ce08..722a19e 100644 index 67c4486..6553074 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -1625,6 +1625,106 @@ if test "x$use_pie" != "xno"; then @@ -1569,6 +1569,106 @@ if test "x$use_pie" != "xno"; then
fi fi
fi fi
@ -1159,7 +1159,7 @@ index 0000000..665dca2
+ +
diff --git a/ldapconf.c b/ldapconf.c diff --git a/ldapconf.c b/ldapconf.c
new file mode 100644 new file mode 100644
index 0000000..525060a index 0000000..b49cae6
--- /dev/null --- /dev/null
+++ b/ldapconf.c +++ b/ldapconf.c
@@ -0,0 +1,722 @@ @@ -0,0 +1,722 @@


@ -63,10 +63,10 @@
%endif %endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 6.6.1p1 %define openssh_ver 6.7p1
%define openssh_rel 11.1 %define openssh_rel 1
%define pam_ssh_agent_ver 0.9.3 %define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 3 %define pam_ssh_agent_rel 4
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
@ -74,8 +74,7 @@ Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}%{?rescue_rel} Release: %{openssh_rel}%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#URL1: http://pamsshagentauth.sourceforge.net #URL1: http://pamsshagentauth.sourceforge.net
# Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam Source2: sshd.pam
Source3: sshd.init Source3: sshd.init
@ -103,10 +102,9 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
Patch103: openssh-5.8p1-packet.patch Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-6.6p1-audit.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248 # https://bugzilla.redhat.com/show_bug.cgi?id=1171248
# record pfs= field in CRYPTO_SESSION audit event # record pfs= field in CRYPTO_SESSION audit event
Patch201: openssh-6.6.1p1-audit-pfs.patch Patch200: openssh-6.7p1-audit.patch
# --- pam_ssh-agent --- # --- pam_ssh-agent ---
# make it build reusing the openssh sources # make it build reusing the openssh sources
@ -117,13 +115,15 @@ Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
# don't use xfree (#1024965) # don't use xfree (#1024965)
Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
# use SSH_DIGEST_* for fingerprint hashes
Patch304: pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-6.6p1-role-mls.patch Patch400: openssh-6.6p1-role-mls.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634 #https://bugzilla.redhat.com/show_bug.cgi?id=781634
Patch404: openssh-6.6p1-privsep-selinux.patch Patch404: openssh-6.6p1-privsep-selinux.patch
#?-- unwanted child :( #?-- unwanted child :(
Patch501: openssh-6.6p1-ldap.patch Patch501: openssh-6.7p1-ldap.patch
#? #?
Patch502: openssh-6.6p1-keycat.patch Patch502: openssh-6.6p1-keycat.patch
@ -143,15 +143,11 @@ Patch608: openssh-6.1p1-askpass-ld.patch
Patch609: openssh-5.5p1-x11.patch Patch609: openssh-5.5p1-x11.patch
#? #?
Patch700: openssh-6.6p1-fips.patch Patch700: openssh-6.7p1-fips.patch
#?
# drop? Patch701: openssh-5.6p1-exit-deadlock.patch
#? #?
Patch702: openssh-5.1p1-askpass-progress.patch Patch702: openssh-5.1p1-askpass-progress.patch
#? #?
Patch703: openssh-4.3p2-askpass-grab-info.patch Patch703: openssh-4.3p2-askpass-grab-info.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=205842
# drop? Patch704: openssh-5.9p1-edns.patch
#? #?
Patch705: openssh-5.1p1-scp-manpage.patch Patch705: openssh-5.1p1-scp-manpage.patch
#? #?
@ -361,7 +357,7 @@ remote ssh-agent instance.
The module is most useful for su and sudo service stacks. The module is most useful for su and sudo service stacks.
%prep %prep
%setup -q -a 4 -n openssh-6.6p1 %setup -q -a 4
#Do not enable by default #Do not enable by default
%if 0 %if 0
%patch0 -p1 -b .wIm %patch0 -p1 -b .wIm
@ -377,6 +373,7 @@ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
%patch301 -p1 -b .psaa-seteuid %patch301 -p1 -b .psaa-seteuid
%patch302 -p1 -b .psaa-visibility %patch302 -p1 -b .psaa-visibility
%patch303 -p1 -b .psaa-xfree %patch303 -p1 -b .psaa-xfree
%patch304 -p2 -b .psaa-fingerprint
# Remove duplicate headers # Remove duplicate headers
rm -f $(cat %{SOURCE5}) rm -f $(cat %{SOURCE5})
popd popd
@ -399,13 +396,8 @@ popd
%patch607 -p1 -b .sigpipe %patch607 -p1 -b .sigpipe
%patch608 -p1 -b .askpass-ld %patch608 -p1 -b .askpass-ld
%patch609 -p1 -b .x11 %patch609 -p1 -b .x11
#
# drop? %patch701 -p1 -b .exit-deadlock
%patch702 -p1 -b .progress %patch702 -p1 -b .progress
%patch703 -p1 -b .grab-info %patch703 -p1 -b .grab-info
# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842
# probably not needed anymore %patch704 -p1 -b .edns
# drop it %patch705 -p1 -b .manpage
%patch706 -p1 -b .localdomain %patch706 -p1 -b .localdomain
%patch707 -p1 -b .redhat %patch707 -p1 -b .redhat
%patch708 -p1 -b .entropy %patch708 -p1 -b .entropy
@ -422,15 +414,10 @@ popd
%patch902 -p1 -b .ccache_name %patch902 -p1 -b .ccache_name
%patch905 -p1 -b .legacy-ssh-copy-id %patch905 -p1 -b .legacy-ssh-copy-id
%patch906 -p1 -b .fromto-remote %patch906 -p1 -b .fromto-remote
%patch907 -p1 -b .CLOCK_BOOTTIME
%patch908 -p1 -b .CVE-2014-2653
%patch909 -p1 -b .6.6.1
%patch910 -p1 -b .NI_MAXHOST
%patch911 -p1 -b .set_remote_ipaddr %patch911 -p1 -b .set_remote_ipaddr
%patch912 -p1 -b .utf8-banner %patch912 -p1 -b .utf8-banner
%patch913 -p1 -b .partial-success %patch913 -p1 -b .partial-success
%patch914 -p1 -b .servconf %patch914 -p1 -b .servconf
%patch915 -p1 -b .SIGXFSZ
%patch916 -p1 -b .contexts %patch916 -p1 -b .contexts
%patch917 -p1 -b .cisco-dh %patch917 -p1 -b .cisco-dh
%patch918 -p1 -b .log-in-chroot %patch918 -p1 -b .log-in-chroot
@ -439,10 +426,10 @@ popd
%patch802 -p1 -b .GSSAPIEnablek5users %patch802 -p1 -b .GSSAPIEnablek5users
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-fps
%patch700 -p1 -b .fips %patch700 -p1 -b .fips
%patch100 -p1 -b .coverity # FIXME rebase 6.7p1
# %patch100 -p1 -b .coverity
%if 0 %if 0
# Nothing here yet # Nothing here yet
@ -751,6 +738,9 @@ getent passwd sshd >/dev/null || \
%endif %endif
%changelog %changelog
* Tue Jan 20 2015 Petr Lautrbach <plautrba@redhat.com> 6.7p1-1 + 0.9.3-4
- new upstream release openssh-6.7p1
* Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-11.1 + 0.9.3-3 * Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-11.1 + 0.9.3-3
- error message if scp when directory doesn't exist (#1142223) - error message if scp when directory doesn't exist (#1142223)
- parsing configuration file values (#1130733) - parsing configuration file values (#1130733)
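Review bot: Source0 now tracks `%{version}`, but the detached-signature line `#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc` stays commented out, so the only integrity check on the new 6.7p1 tarball is the md5 recorded in the `sources` file; for an upstream import I would verify the `.asc` against the OpenSSH release key before committing that checksum, and ideally uncomment Source1 and check it in `%prep` if the build tooling here permits. The patch list also drops 907/908/909/910/915 (including `.CVE-2014-2653`) and turns `%patch100 -p1 -b .coverity` into a comment guarded only by `# FIXME rebase 6.7p1`; the dropped ones are presumably merged upstream, but nothing on this page confirms it. The changelog entry says only `- new upstream release openssh-6.7p1`, so I would add a line per change, e.g. `- drop patches merged upstream (CLOCK_BOOTTIME, CVE-2014-2653, NI_MAXHOST, SIGXFSZ)` and `- coverity patch temporarily disabled, needs rebase`, so that the temporarily lost Coverity fixes are tracked rather than forgotten.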


@ -0,0 +1,64 @@
diff --git a/pam_ssh_agent_auth-0.9.3/key.c b/pam_ssh_agent_auth-0.9.3/key.c
index 9555e7e..c17aae6 100644
--- a/pam_ssh_agent_auth-0.9.3/key.c
+++ b/pam_ssh_agent_auth-0.9.3/key.c
@@ -55,6 +55,7 @@
#include "uuencode.h"
#include "buffer.h"
#include "log.h"
+#include "digest.h"
Key *
key_new(int type)
@@ -181,7 +182,7 @@ key_equal(const Key *a, const Key *b)
}
u_char*
-key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+key_fingerprint_raw(const Key *k, int dgst_type,
u_int *dgst_raw_length)
{
const EVP_MD *md = NULL;
@@ -194,10 +195,10 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
*dgst_raw_length = 0;
switch (dgst_type) {
- case SSH_FP_MD5:
+ case SSH_DIGEST_MD5:
md = EVP_md5();
break;
- case SSH_FP_SHA1:
+ case SSH_DIGEST_SHA1:
md = EVP_sha1();
break;
default:
@@ -302,7 +303,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
}
char *
-key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
+key_fingerprint(const Key *k, int dgst_type, enum fp_rep dgst_rep)
{
char *retval = NULL;
u_char *dgst_raw;
diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
index dddcba9..8ba6d87 100644
--- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
+++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
@@ -43,6 +43,7 @@
#include "buffer.h"
#include "log.h"
#include "compat.h"
+#include "digest.h"
#include "key.h"
#include "pathnames.h"
#include "misc.h"
@@ -118,7 +119,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
found_key = 1;
logit("matching key found: file %s, line %lu",
file, linenum);
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
logit("Found matching %s key: %s",
key_type(found), fp);
free(fp);
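Review bot: Widening `dgst_type` from `enum fp_type` to `int` in key_fingerprint_raw removes the compiler's unhandled-enum-value warning on the `switch (dgst_type)`, so any SSH_DIGEST_* constant other than MD5 and SHA1 now silently lands in `default:`, whose body lies outside this hunk and should be checked to still return an error rather than a zero-length digest. A comment above the switch such as `/* only SSH_DIGEST_MD5 and SSH_DIGEST_SHA1 are mapped here; other SSH_DIGEST_* values fall through to the error path */` would make that narrowing explicit. Since `digest.h` is now included in key.c, the direct EVP_md5()/EVP_sha1() dispatch could be replaced by passing the constant straight to ssh_digest_memory(), which would keep the PAM module's digest selection in step with openssh's own, including in the FIPS build this same commit touches; that is an inference from the include, not something the hunk shows. The fingerprint in pam_user_key_allowed2 is only logged, so the choice of MD5 there is a display matter, not an authentication weakness.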


@ -1,2 +1,2 @@
9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2 9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2
3e9800e6bca1fbac0eea4d41baa7f239 openssh-6.6p1.tar.gz 3246aa79317b1d23cae783a3bf8275d6 openssh-6.7p1.tar.gz