From 1ddd0ee5d72d19ecaa8154aaccb53a8da9366880 Mon Sep 17 00:00:00 2001
From: Jan F
Date: Thu, 21 Apr 2011 17:22:18 +0200
Subject: [PATCH] the private keys may be 640 root:ssh_keys ssh_keysign is sgid

---
openssh-5.8p1-keyperm.patch | 25 +++++++++++++++++++++++++
openssh.spec | 19 ++++++++++++++-----
2 files changed, 39 insertions(+), 5 deletions(-)
create mode 100644 openssh-5.8p1-keyperm.patch

diff --git a/openssh-5.8p1-keyperm.patch b/openssh-5.8p1-keyperm.patch
new file mode 100644
index 0000000..6167c14
--- /dev/null
+++ b/openssh-5.8p1-keyperm.patch
@@ -0,0 +1,25 @@
+diff -up openssh-5.8p1/authfile.c.keyperm openssh-5.8p1/authfile.c
+--- openssh-5.8p1/authfile.c.keyperm 2010-12-01 02:03:39.000000000 +0100
++++ openssh-5.8p1/authfile.c 2011-04-21 16:43:36.859648916 +0200
+@@ -57,6 +57,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #include "xmalloc.h"
+ #include "cipher.h"
+@@ -600,6 +612,13 @@ key_perm_ok(int fd, const char *filename
+ #ifdef HAVE_CYGWIN
+ if (check_ntsec(filename))
+ #endif
++ if (st.st_mode & 040) {
++ struct group *gr;
++
++ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
++ st.st_mode &= ~040;
++ }
++
+ if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
diff --git a/openssh.spec b/openssh.spec
index c0fc843..7d67582 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.8p1 -%define openssh_rel 26 +%define openssh_rel 27 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 30
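Review bot: The new `if (st.st_mode & 040) { … }` block is inserted directly after the unbraced `if (check_ntsec(filename))` under `#ifdef HAVE_CYGWIN`, so on Cygwin builds that condition now controls the group-bit masking instead of the `if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0)` check it used to guard, which becomes unconditional. Placing the seven added lines above the `#ifdef HAVE_CYGWIN` line restores the original binding, and bracing the Cygwin `if` body would stop the next insertion from repeating this. The literal `"ssh_keys"` duplicates the group name the spec creates with `groupadd -r ssh_keys`; a single definition such as `#define SSH_KEYS_GROUP "ssh_keys"` (name constructed here) would keep the two from drifting apart. The added `#include` line is rendered without its header name on this page; `getgrnam()` and `struct group` are declared in `<grp.h>`. key_perm_ok() begins and ends outside this hunk.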
@@ -109,9 +109,9 @@ Patch2: openssh-5.8p1-audit2.patch
 Patch3: openssh-5.8p1-audit3.patch
 Patch4: openssh-5.8p1-audit4.patch
 Patch5: openssh-5.8p1-audit5.patch
-#?https://bugzilla.mindrot.org/show_bug.cgi?id=1889
+#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
 Patch6: openssh-5.8p1-packet.patch
-#?https://bugzilla.mindrot.org/show_bug.cgi?id=1890
+#https://bugzilla.mindrot.org/show_bug.cgi?id=1890
 Patch7: openssh-5.8p1-entropy.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
 Patch9: openssh-5.8p1-vendor.patch
@@ -145,9 +145,11 @@ Patch32: openssh-5.8p1-randclean.patch
 Patch34: openssh-5.8p1-kuserok.patch
 #http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
 Patch35: openssh-5.8p1-glob.patch
-#?https://bugzilla.mindrot.org/show_bug.cgi?id=1891
+#https://bugzilla.mindrot.org/show_bug.cgi?id=1891
 Patch36: openssh-5.8p1-pwchange.patch
 #?
+Patch37: openssh-5.8p1-keyperm.patch
+#?
 Patch50: openssh-5.8p1-fips.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1789
 Patch51: openssh-5.5p1-x11.patch
@@ -355,6 +357,7 @@ popd %patch34 -p1 -b .kuserok %patch35 -p1 -b .glob %patch36 -p1 -b .pwchange +%patch37 -p1 -b .keyperm %patch50 -p1 -b .fips %patch51 -p1 -b .x11
@@ -543,6 +546,9 @@ popd %clean rm -rf $RPM_BUILD_ROOT +%pre +getent group ssh_keys >/dev/null || groupadd -r ssh_keys || : + %pre server getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || : %if %{nologin}
@@ -577,7 +583,7 @@ fi
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/openssh
-%attr(4111,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(2111,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
 %attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
 %endif
 %if %{scard}
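Review bot: The new `%pre` ends in `|| :`, so a failing `groupadd -r ssh_keys` is silent and installation proceeds; the `%attr(2111,root,ssh_keys)` line in the later ssh-keysign hunk then names a group that does not exist, and rpm presumably falls back to root for that file, which would leave ssh-keysign setgid root instead of setgid ssh_keys. That is a riskier failure mode than the existing `%pre server` line it mirrors, because the fallback here changes the privilege of a setgid binary rather than plain file ownership. `groupadd` is provided by shadow-utils, so the main package needs `Requires(pre): shadow-utils` unless it is already declared in the part of the spec outside these hunks.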
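Review bot: Replacing setuid root (4111) with setgid ssh_keys (2111) on ssh-keysign reduces the binary's privilege, but nothing in this diff changes the group or mode of the host key files it reads; the commit title says they "may be 640 root:ssh_keys", yet the host-key `%files` entries and whatever generates keys at service start are outside the visible hunks, so on an upgraded system keys that remain 600 root:root presumably become unreadable to ssh-keysign and host-based authentication stops working without an obvious error. The upgrade path should chgrp the existing keys to ssh_keys (and key generation should create them that way), or the changelog entry should state the manual step. The ssh_keys group is created only in the main package's `%pre`, so it should be confirmed that this `%files` section belongs to a package that is, or is installed after, that package.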
@@ -661,6 +667,9 @@ fi %endif %changelog +* Thu Apr 21 2011 Jan F. Chadima - 5.8p1-27 + 0.9.2-30 +- the private keys may be 640 root:ssh_keys ssh_keysign is sgid + * Wed Apr 20 2011 Jan F. Chadima - 5.8p1-26 + 0.9.2-30 - improving sshd -> passwd transation