openssh-8.5p1-1 + 0.10.4-2
This commit is contained in:
parent
6e1851c5ba
commit
25c16c68f5
3
.gitignore
vendored
3
.gitignore
vendored
@ -45,3 +45,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
|||||||
/openssh-8.4p1.tar.gz
|
/openssh-8.4p1.tar.gz
|
||||||
/openssh-8.4p1.tar.gz.asc
|
/openssh-8.4p1.tar.gz.asc
|
||||||
/pam_ssh_agent_auth-0.10.4.tar.gz
|
/pam_ssh_agent_auth-0.10.4.tar.gz
|
||||||
|
/openssh-8.5p1.tar.gz
|
||||||
|
/openssh-8.5p1.tar.gz.asc
|
||||||
|
/gpgkey-736060BA.gpg
|
||||||
|
@ -2,14 +2,14 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
|||||||
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
|
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
|
||||||
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
|
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
|
||||||
void
|
log_init(const char *av0, LogLevel level, SyslogFacility facility,
|
||||||
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
|
int on_stderr)
|
||||||
{
|
{
|
||||||
+ log_init_handler(av0, level, facility, on_stderr, 1);
|
+ log_init_handler(av0, level, facility, on_stderr, 1);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+void
|
+void
|
||||||
+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
|
+log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
|
||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||||
#endif
|
#endif
|
||||||
@ -30,10 +30,10 @@ diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
|
|||||||
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
|
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
|
||||||
@@ -49,6 +49,7 @@ typedef enum {
|
@@ -49,6 +49,7 @@ typedef enum {
|
||||||
typedef void (log_handler_fn)(LogLevel, const char *, void *);
|
const char *, void *);
|
||||||
|
|
||||||
void log_init(char *, LogLevel, SyslogFacility, int);
|
void log_init(const char *, LogLevel, SyslogFacility, int);
|
||||||
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
|
+void log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
|
||||||
LogLevel log_level_get(void);
|
LogLevel log_level_get(void);
|
||||||
int log_change_level(LogLevel);
|
int log_change_level(LogLevel);
|
||||||
int log_is_on_stderr(void);
|
int log_is_on_stderr(void);
|
||||||
@ -59,14 +59,14 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
ssh_signal(SIGHUP, &monitor_child_handler);
|
ssh_signal(SIGHUP, &monitor_child_handler);
|
||||||
ssh_signal(SIGTERM, &monitor_child_handler);
|
ssh_signal(SIGTERM, &monitor_child_handler);
|
||||||
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
||||||
|
/* Log it */
|
||||||
if (log_level_name(level) == NULL)
|
if (log_level_name(level) == NULL)
|
||||||
fatal("%s: invalid log level %u (corrupted message?)",
|
fatal_f("invalid log level %u (corrupted message?)", level);
|
||||||
__func__, level);
|
- sshlog(file, func, line, 0, level, NULL, "%s [preauth]", msg);
|
||||||
- do_log2(level, "%s [preauth]", msg);
|
+ sshlog(file, func, line, 0, level, NULL, "%s [%s]", msg, pmonitor->m_state);
|
||||||
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
|
|
||||||
|
|
||||||
sshbuf_free(logmsg);
|
sshbuf_free(logmsg);
|
||||||
free(msg);
|
free(file);
|
||||||
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
||||||
mon = xcalloc(1, sizeof(*mon));
|
mon = xcalloc(1, sizeof(*mon));
|
||||||
monitor_openfds(mon, 1);
|
monitor_openfds(mon, 1);
|
||||||
@ -89,7 +89,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
|
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
|
||||||
+
|
+
|
||||||
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
|
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
|
||||||
+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
|
+ debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
|
||||||
+ do_logfds = 1;
|
+ do_logfds = 1;
|
||||||
+ }
|
+ }
|
||||||
+ free(dev_log_path);
|
+ free(dev_log_path);
|
||||||
|
@ -34,19 +34,19 @@ index 8f32464..18a2ca4 100644
|
|||||||
+
|
+
|
||||||
+ contexts_path = selinux_openssh_contexts_path();
|
+ contexts_path = selinux_openssh_contexts_path();
|
||||||
+ if (contexts_path == NULL) {
|
+ if (contexts_path == NULL) {
|
||||||
+ debug3("%s: Failed to get the path to SELinux context", __func__);
|
+ debug3_f("Failed to get the path to SELinux context");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
||||||
+ debug("%s: Failed to open SELinux context file", __func__);
|
+ debug_f("Failed to open SELinux context file");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
||||||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
||||||
+ logit("%s: SELinux context file needs to be owned by root"
|
+ logit_f("SELinux context file needs to be owned by root"
|
||||||
+ " and not writable by anyone else", __func__);
|
+ " and not writable by anyone else");
|
||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
@ -70,7 +70,7 @@ index 8f32464..18a2ca4 100644
|
|||||||
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
||||||
+ arg = strdelim(&cp);
|
+ arg = strdelim(&cp);
|
||||||
+ if (!arg || *arg == '\0') {
|
+ if (!arg || *arg == '\0') {
|
||||||
+ debug("%s: privsep_preauth is empty", __func__);
|
+ debug_f("privsep_preauth is empty");
|
||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
@ -80,8 +80,8 @@ index 8f32464..18a2ca4 100644
|
|||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+
|
+
|
||||||
+ if (preauth_context == NULL) {
|
+ if (preauth_context == NULL) {
|
||||||
+ debug("%s: Unable to find 'privsep_preauth' option in"
|
+ debug_f("Unable to find 'privsep_preauth' option in"
|
||||||
+ " SELinux context file", __func__);
|
+ " SELinux context file");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -101,10 +101,11 @@ index 22ea8ef..1fc963d 100644
|
|||||||
if ((cx = index(cx + 1, ':')))
|
if ((cx = index(cx + 1, ':')))
|
||||||
strlcat(newctx, cx, newlen);
|
strlcat(newctx, cx, newlen);
|
||||||
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
||||||
+ debug("%s: setting context from '%s' to '%s'", __func__,
|
+ debug_f("setting context from '%s' to '%s'",
|
||||||
oldctx, newctx);
|
oldctx, newctx);
|
||||||
if (setcon(newctx) < 0)
|
if (setcon(newctx) < 0)
|
||||||
switchlog("%s: setcon %s from %s failed with %s", __func__,
|
do_log2(log_level, "%s: setcon %s from %s failed with %s",
|
||||||
|
__func__, newctx, oldctx, strerror(errno));
|
||||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||||
index cb51f99..8b7cda2 100644
|
index cb51f99..8b7cda2 100644
|
||||||
--- a/openbsd-compat/port-linux.h
|
--- a/openbsd-compat/port-linux.h
|
||||||
|
@ -39,8 +39,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -418,7 +421,7 @@ typedef enum {
|
@@ -418,7 +421,7 @@ typedef enum {
|
||||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
|
||||||
sHostKeyAlgorithms,
|
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
diff -up openssh/auth.c.keycat openssh/misc.c
|
diff -up openssh/misc.c.keycat openssh/misc.c
|
||||||
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||||
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200
|
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
|
||||||
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
|
@@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw
|
||||||
|
error("%s: dup2: %s", tag, strerror(errno));
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||||
+ error ("failed to copy environment: %s",
|
+ error ("failed to copy environment: %s",
|
||||||
@ -12,10 +12,9 @@ diff -up openssh/auth.c.keycat openssh/misc.c
|
|||||||
+ _exit(127);
|
+ _exit(127);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+
|
if (env != NULL)
|
||||||
execve(av[0], av, child_env);
|
execve(av[0], av, env);
|
||||||
error("%s exec \"%s\": %s", tag, command, strerror(errno));
|
else
|
||||||
_exit(127);
|
|
||||||
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
|
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
|
||||||
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
|
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
|
||||||
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
|
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
|
||||||
|
@ -193,7 +193,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -399,7 +402,7 @@ typedef enum {
|
@@ -399,7 +402,7 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||||
|
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
|||||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
||||||
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
||||||
debug3("%s: done", __func__);
|
debug3_f("done");
|
||||||
}
|
}
|
||||||
|
|
||||||
+void
|
+void
|
||||||
@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
|||||||
+ return;
|
+ return;
|
||||||
+
|
+
|
||||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||||
+ logit("%s: getexeccon failed with %s", __func__, strerror(errno));
|
+ logit_f("getexeccon failed with %s", strerror(errno));
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+ if (ctx != NULL) {
|
+ if (ctx != NULL) {
|
||||||
+ /* unset exec context before we will lose this capabililty */
|
+ /* unset exec context before we will lose this capabililty */
|
||||||
+ if (setexeccon(NULL) != 0)
|
+ if (setexeccon(NULL) != 0)
|
||||||
+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno));
|
+ fatal_f("setexeccon failed with %s", strerror(errno));
|
||||||
+ if (setcon(ctx) != 0)
|
+ if (setcon(ctx) != 0)
|
||||||
+ fatal("%s: setcon failed with %s", __func__, strerror(errno));
|
+ fatal_f("setcon failed with %s", strerror(errno));
|
||||||
+ freecon(ctx);
|
+ freecon(ctx);
|
||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
|
@ -34,7 +34,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
|||||||
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
||||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
||||||
error("%s: cannot allocate fds for pty", __func__);
|
error_f("cannot allocate fds for pty");
|
||||||
- if (tmp1 > 0)
|
- if (tmp1 > 0)
|
||||||
+ if (tmp1 >= 0)
|
+ if (tmp1 >= 0)
|
||||||
close(tmp1);
|
close(tmp1);
|
||||||
@ -120,11 +120,11 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
|||||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
||||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||||
debug2("%s: reading", __func__);
|
debug2_f("reading");
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
@@ -518,7 +518,7 @@ server_request_tun(void)
|
||||||
debug("%s: invalid tun", __func__);
|
debug_f("invalid tun");
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
- if (auth_opts->force_tun_device != -1) {
|
- if (auth_opts->force_tun_device != -1) {
|
||||||
|
@ -13,33 +13,33 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+ int r, ret = 0;
|
+ int r, ret = 0;
|
||||||
+
|
+
|
||||||
+ debug3("%s: entering", __func__);
|
+ debug3_f("entering");
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ do {
|
+ do {
|
||||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||||
+ if (blen == 0) /* closed pipe */
|
+ if (blen == 0) /* closed pipe */
|
||||||
+ break;
|
+ break;
|
||||||
+ if (blen != sizeof(buf)) {
|
+ if (blen != sizeof(buf)) {
|
||||||
+ error("%s: Failed to read the buffer from child", __func__);
|
+ error_f("Failed to read the buffer from child");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ msg_len = get_u32(buf);
|
+ msg_len = get_u32(buf);
|
||||||
+ if (msg_len > 256 * 1024)
|
+ if (msg_len > 256 * 1024)
|
||||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
+ fatal_f("read: bad msg_len %d", msg_len);
|
||||||
+ sshbuf_reset(m);
|
+ sshbuf_reset(m);
|
||||||
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
+ error_f("Failed to read the the buffer content from the child");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to write the message to the monitor", __func__);
|
+ error_f("Failed to write the message to the monitor");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
|
@ -49,7 +49,7 @@ index a7c0c5f..df8cc9a 100644
|
|||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+
|
+
|
||||||
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
||||||
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
|
+ debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
|
||||||
+ if (k5login_directory == NULL || ret != 0) {
|
+ if (k5login_directory == NULL || ret != 0) {
|
||||||
+ /* If not set, the library will look for k5login
|
+ /* If not set, the library will look for k5login
|
||||||
+ * files in the user's home directory, with the filename .k5login.
|
+ * files in the user's home directory, with the filename .k5login.
|
||||||
@ -64,7 +64,7 @@ index a7c0c5f..df8cc9a 100644
|
|||||||
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
||||||
+ pw->pw_name);
|
+ pw->pw_name);
|
||||||
+ }
|
+ }
|
||||||
+ debug("%s: Checking existence of file %s", __func__, file);
|
+ debug_f("Checking existence of file %s", file);
|
||||||
|
|
||||||
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
||||||
return access(file, F_OK) == 0;
|
return access(file, F_OK) == 0;
|
||||||
|
@ -943,7 +943,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
|
|||||||
return SSH_ERR_NO_CIPHER_ALG_MATCH;
|
return SSH_ERR_NO_CIPHER_ALG_MATCH;
|
||||||
+ }
|
+ }
|
||||||
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
||||||
error("%s: unsupported cipher %s", __func__, name);
|
error_f("unsupported cipher %s", name);
|
||||||
free(name);
|
free(name);
|
||||||
@@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
@@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||||
{
|
{
|
||||||
@ -957,7 +957,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
|
|||||||
return SSH_ERR_NO_MAC_ALG_MATCH;
|
return SSH_ERR_NO_MAC_ALG_MATCH;
|
||||||
+ }
|
+ }
|
||||||
if (mac_setup(mac, name) < 0) {
|
if (mac_setup(mac, name) < 0) {
|
||||||
error("%s: unsupported MAC %s", __func__, name);
|
error_f("unsupported MAC %s", name);
|
||||||
free(name);
|
free(name);
|
||||||
@@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma
|
@@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||||
}
|
}
|
||||||
@ -1094,7 +1094,7 @@ diff -up openssh/Makefile.in.audit openssh/Makefile.in
|
|||||||
--- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200
|
--- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200
|
||||||
+++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200
|
+++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200
|
||||||
@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
||||||
kexgssc.o \
|
kexgssc.o \
|
||||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
- sshbuf-io.o
|
- sshbuf-io.o
|
||||||
@ -1172,15 +1172,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
|
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||||
!monitor_allowed_key(blob, bloblen))
|
!monitor_allowed_key(blob, bloblen))
|
||||||
fatal("%s: bad key, not previously allowed", __func__);
|
fatal_f("bad key, not previously allowed");
|
||||||
+ if (type != key_blobtype)
|
+ if (type != key_blobtype)
|
||||||
+ fatal("%s: bad key type", __func__);
|
+ fatal_f("bad key type");
|
||||||
|
|
||||||
/* Empty signature algorithm means NULL. */
|
/* Empty signature algorithm means NULL. */
|
||||||
if (*sigalg == '\0') {
|
if (*sigalg == '\0') {
|
||||||
@@ -1470,25 +1491,28 @@ mm_answer_keyverify(struct ssh *ssh, int
|
@@ -1470,27 +1491,30 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||||
case MM_USERKEY:
|
case MM_USERKEY:
|
||||||
valid_data = monitor_valid_userblob(data, datalen);
|
valid_data = monitor_valid_userblob(ssh, data, datalen);
|
||||||
auth_method = "publickey";
|
auth_method = "publickey";
|
||||||
+ ret = user_key_verify(ssh, key, signature, signaturelen, data,
|
+ ret = user_key_verify(ssh, key, signature, signaturelen, data,
|
||||||
+ datalen, sigalg, ssh->compat, &sig_details);
|
+ datalen, sigalg, ssh->compat, &sig_details);
|
||||||
@ -1198,15 +1198,17 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (!valid_data)
|
if (!valid_data)
|
||||||
fatal("%s: bad signature data blob", __func__);
|
fatal_f("bad %s signature data blob",
|
||||||
|
key_blobtype == MM_USERKEY ? "userkey" :
|
||||||
|
(key_blobtype == MM_HOSTKEY ? "hostkey" : "unknown"));
|
||||||
|
|
||||||
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||||
SSH_FP_DEFAULT)) == NULL)
|
SSH_FP_DEFAULT)) == NULL)
|
||||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
fatal_f("sshkey_fingerprint failed");
|
||||||
|
|
||||||
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
||||||
- sigalg, ssh->compat, &sig_details);
|
- sigalg, ssh->compat, &sig_details);
|
||||||
debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key,
|
debug3_f("%s %p signature %s%s%s", auth_method, key,
|
||||||
(ret == 0) ? "verified" : "unverified",
|
(ret == 0) ? "verified" : "unverified",
|
||||||
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
||||||
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
|
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
|
||||||
@ -1216,14 +1218,14 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
-mm_session_close(Session *s)
|
-mm_session_close(Session *s)
|
||||||
+mm_session_close(struct ssh *ssh, Session *s)
|
+mm_session_close(struct ssh *ssh, Session *s)
|
||||||
{
|
{
|
||||||
debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
|
debug3_f("session %d pid %ld", s->self, (long)s->pid);
|
||||||
if (s->ttyfd != -1) {
|
if (s->ttyfd != -1) {
|
||||||
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
|
debug3_f("tty %s ptyfd %d", s->tty, s->ptyfd);
|
||||||
session_pty_cleanup2(s);
|
session_pty_cleanup2(s);
|
||||||
}
|
}
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ if (s->command != NULL) {
|
+ if (s->command != NULL) {
|
||||||
+ debug3("%s: command %d", __func__, s->command_handle);
|
+ debug3_f("command %d", s->command_handle);
|
||||||
+ session_end_command2(ssh, s);
|
+ session_end_command2(ssh, s);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
@ -1237,11 +1239,11 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
- mm_session_close(s);
|
- mm_session_close(s);
|
||||||
+ mm_session_close(ssh, s);
|
+ mm_session_close(ssh, s);
|
||||||
if ((r = sshbuf_put_u32(m, 0)) != 0)
|
if ((r = sshbuf_put_u32(m, 0)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "assemble 0");
|
||||||
mm_request_send(sock, MONITOR_ANS_PTY, m);
|
mm_request_send(sock, MONITOR_ANS_PTY, m);
|
||||||
@@ -1628,7 +1658,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
|
@@ -1628,7 +1658,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
|
||||||
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse tty");
|
||||||
if ((s = session_by_tty(tty)) != NULL)
|
if ((s = session_by_tty(tty)) != NULL)
|
||||||
- mm_session_close(s);
|
- mm_session_close(s);
|
||||||
+ mm_session_close(ssh, s);
|
+ mm_session_close(ssh, s);
|
||||||
@ -1271,7 +1273,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
- audit_run_command(cmd);
|
- audit_run_command(cmd);
|
||||||
+ s = session_new();
|
+ s = session_new();
|
||||||
+ if (s == NULL)
|
+ if (s == NULL)
|
||||||
+ fatal("%s: error allocating a session", __func__);
|
+ fatal_f("error allocating a session");
|
||||||
+ s->command = cmd;
|
+ s->command = cmd;
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ s->command_handle = audit_run_command(ssh, cmd);
|
+ s->command_handle = audit_run_command(ssh, cmd);
|
||||||
@ -1293,15 +1295,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+ u_char *cmd = NULL;
|
+ u_char *cmd = NULL;
|
||||||
+ Session *s;
|
+ Session *s;
|
||||||
+
|
+
|
||||||
+ debug3("%s entering", __func__);
|
+ debug3_f("entering");
|
||||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
|
+ if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, &cmd, &len)) != 0)
|
+ (r = sshbuf_get_string(m, &cmd, &len)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ s = session_by_id(handle);
|
+ s = session_by_id(handle);
|
||||||
+ if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
|
+ if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
|
||||||
+ strcmp(s->command, cmd) != 0)
|
+ strcmp(s->command, cmd) != 0)
|
||||||
+ fatal("%s: invalid handle", __func__);
|
+ fatal_f("invalid handle");
|
||||||
+ mm_session_close(ssh, s);
|
+ mm_session_close(ssh, s);
|
||||||
free(cmd);
|
free(cmd);
|
||||||
return (0);
|
return (0);
|
||||||
@ -1311,13 +1313,13 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
{
|
{
|
||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
debug3("%s: Waiting for new keys", __func__);
|
debug3_f("Waiting for new keys");
|
||||||
|
|
||||||
if ((child_state = sshbuf_new()) == NULL)
|
if ((child_state = sshbuf_new()) == NULL)
|
||||||
@@ -1774,6 +1842,19 @@ mm_get_keystate(struct ssh *ssh, struct
|
@@ -1774,6 +1842,19 @@ mm_get_keystate(struct ssh *ssh, struct
|
||||||
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
||||||
child_state);
|
child_state);
|
||||||
debug3("%s: GOT new keys", __func__);
|
debug3_f("GOT new keys");
|
||||||
+
|
+
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ m = sshbuf_new();
|
+ m = sshbuf_new();
|
||||||
@ -1345,7 +1347,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+ int what, r;
|
+ int what, r;
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &what)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &what)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ audit_unsupported_body(ssh, what);
|
+ audit_unsupported_body(ssh, what);
|
||||||
+
|
+
|
||||||
@ -1370,10 +1372,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+ (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
|
+ (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
|
+ (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ pid = (pid_t) tmp;
|
+ pid = (pid_t) tmp;
|
||||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ uid = (pid_t) tmp;
|
+ uid = (pid_t) tmp;
|
||||||
+
|
+
|
||||||
+ audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid);
|
+ audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid);
|
||||||
@ -1398,10 +1400,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
|
+ if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
|
||||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ pid = (pid_t) tmp;
|
+ pid = (pid_t) tmp;
|
||||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ uid = (uid_t) tmp;
|
+ uid = (uid_t) tmp;
|
||||||
+
|
+
|
||||||
+ audit_session_key_free_body(ssh, ctos, pid, uid);
|
+ audit_session_key_free_body(ssh, ctos, pid, uid);
|
||||||
@ -1423,10 +1425,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
|
+ if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
|
||||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ pid = (pid_t) tmp;
|
+ pid = (pid_t) tmp;
|
||||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ uid = (uid_t) tmp;
|
+ uid = (uid_t) tmp;
|
||||||
+
|
+
|
||||||
+ audit_destroy_sensitive_data(ssh, fp, pid, uid);
|
+ audit_destroy_sensitive_data(ssh, fp, pid, uid);
|
||||||
@ -1470,7 +1472,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
|
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||||
*sig_detailsp = NULL;
|
*sig_detailsp = NULL;
|
||||||
if ((m = sshbuf_new()) == NULL)
|
if ((m = sshbuf_new()) == NULL)
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal_f("sshbuf_new failed");
|
||||||
- if ((r = sshkey_puts(key, m)) != 0 ||
|
- if ((r = sshkey_puts(key, m)) != 0 ||
|
||||||
+ if ((r = sshbuf_put_u32(m, type)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, type)) != 0 ||
|
||||||
+ (r = sshkey_puts(key, m)) != 0 ||
|
+ (r = sshkey_puts(key, m)) != 0 ||
|
||||||
@ -1522,7 +1524,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &handle)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+
|
+
|
||||||
+ return (handle);
|
+ return (handle);
|
||||||
@ -1534,13 +1536,13 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ int r;
|
+ int r;
|
||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ debug3("%s entering command %s", __func__, command);
|
+ debug3_f("entering command %s", command);
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, handle)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, handle)) != 0 ||
|
||||||
+ (r = sshbuf_put_cstring(m, command)) != 0)
|
+ (r = sshbuf_put_cstring(m, command)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
|
||||||
sshbuf_free(m);
|
sshbuf_free(m);
|
||||||
@ -1558,9 +1560,9 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, what)) != 0)
|
+ if ((r = sshbuf_put_u32(m, what)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||||
@ -1577,7 +1579,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||||
+ (r = sshbuf_put_cstring(m, cipher)) != 0 ||
|
+ (r = sshbuf_put_cstring(m, cipher)) != 0 ||
|
||||||
+ (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
|
+ (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
|
||||||
@ -1585,7 +1587,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ (r = sshbuf_put_cstring(m, fps)) != 0 ||
|
+ (r = sshbuf_put_cstring(m, fps)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
|
||||||
@ -1601,11 +1603,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||||
@ -1620,11 +1622,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
|
+ if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
@ -1903,7 +1905,7 @@ diff -up openssh/session.c.audit openssh/session.c
|
|||||||
+ if (s->used)
|
+ if (s->used)
|
||||||
+ return s;
|
+ return s;
|
||||||
+ }
|
+ }
|
||||||
+ debug("%s: unknown id %d", __func__, id);
|
+ debug_f("unknown id %d", id);
|
||||||
+ session_dump();
|
+ session_dump();
|
||||||
+ return NULL;
|
+ return NULL;
|
||||||
+}
|
+}
|
||||||
@ -2115,7 +2117,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
|
|||||||
sshkey_free(sensitive_data.host_certificates[i]);
|
sshkey_free(sensitive_data.host_certificates[i]);
|
||||||
sensitive_data.host_certificates[i] = NULL;
|
sensitive_data.host_certificates[i] = NULL;
|
||||||
}
|
}
|
||||||
@@ -400,14 +437,26 @@ destroy_sensitive_data(void)
|
@@ -400,20 +437,38 @@ destroy_sensitive_data(void)
|
||||||
|
|
||||||
/* Demote private to public keys for network child */
|
/* Demote private to public keys for network child */
|
||||||
void
|
void
|
||||||
@ -2142,9 +2144,8 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
|
|||||||
+ fp = NULL;
|
+ fp = NULL;
|
||||||
if ((r = sshkey_from_private(
|
if ((r = sshkey_from_private(
|
||||||
sensitive_data.host_keys[i], &tmp)) != 0)
|
sensitive_data.host_keys[i], &tmp)) != 0)
|
||||||
fatal("could not demote host %s key: %s",
|
fatal_r(r, "could not demote host %s key",
|
||||||
@@ -415,6 +464,12 @@ demote_sensitive_data(void)
|
sshkey_type(sensitive_data.host_keys[i]));
|
||||||
ssh_err(r));
|
|
||||||
sshkey_free(sensitive_data.host_keys[i]);
|
sshkey_free(sensitive_data.host_keys[i]);
|
||||||
sensitive_data.host_keys[i] = tmp;
|
sensitive_data.host_keys[i] = tmp;
|
||||||
+ if (fp != NULL) {
|
+ if (fp != NULL) {
|
||||||
@ -2254,7 +2255,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
|
|||||||
do_cleanup(the_active_state, the_authctxt);
|
do_cleanup(the_active_state, the_authctxt);
|
||||||
if (use_privsep && privsep_is_preauth &&
|
if (use_privsep && privsep_is_preauth &&
|
||||||
@@ -2414,9 +2482,16 @@ cleanup_exit(int i)
|
@@ -2414,9 +2482,16 @@ cleanup_exit(int i)
|
||||||
pmonitor->m_pid, strerror(errno));
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
|
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
|
||||||
|
@ -2,9 +2,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
|||||||
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
||||||
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -72,6 +72,9 @@
|
@@ -72,6 +72,9 @@
|
||||||
|
|
||||||
|
/* import */
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
extern u_char *session_id2;
|
|
||||||
extern u_int session_id2_len;
|
|
||||||
+extern int inetd_flag;
|
+extern int inetd_flag;
|
||||||
+extern int rexeced_flag;
|
+extern int rexeced_flag;
|
||||||
+extern Authctxt *the_authctxt;
|
+extern Authctxt *the_authctxt;
|
||||||
@ -12,59 +12,59 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
|||||||
static char *
|
static char *
|
||||||
format_key(const struct sshkey *key)
|
format_key(const struct sshkey *key)
|
||||||
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
||||||
|
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
|
||||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
|
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||||
|
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
||||||
|
if ((pid = subprocess("AuthorizedKeysCommand", command,
|
||||||
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
|
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||||
|
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
diff -up openssh/auth.c.refactor openssh/auth.c
|
diff -up openssh/misc.c.refactor openssh/misc.c
|
||||||
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
--- openssh/misc.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
||||||
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/misc.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
||||||
*/
|
|
||||||
pid_t
|
pid_t
|
||||||
subprocess(const char *tag, struct passwd *pw, const char *command,
|
subprocess(const char *tag, const char *command,
|
||||||
- int ac, char **av, FILE **child, u_int flags)
|
int ac, char **av, FILE **child, u_int flags,
|
||||||
+ int ac, char **av, FILE **child, u_int flags, int inetd,
|
- struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
|
||||||
+ void *the_authctxt)
|
+ struct passwd *pw, privdrop_fn *drop_privs,
|
||||||
|
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
|
||||||
{
|
{
|
||||||
FILE *f = NULL;
|
FILE *f = NULL;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
||||||
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
- if (sshd_selinux_setup_env_variables() < 0) {
|
- if (sshd_selinux_setup_env_variables() < 0) {
|
||||||
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
||||||
error ("failed to copy environment: %s",
|
error ("failed to copy environment: %s",
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
_exit(127);
|
_exit(127);
|
||||||
diff -up openssh/auth.h.refactor openssh/auth.h
|
diff -up openssh/misc.h.refactor openssh/misc.h
|
||||||
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
--- openssh/misc.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
||||||
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/misc.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
||||||
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
|
#define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
|
||||||
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
|
#define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
|
||||||
pid_t subprocess(const char *, struct passwd *,
|
pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
|
||||||
- const char *, int, char **, FILE **, u_int flags);
|
- struct passwd *, privdrop_fn *, privrestore_fn *);
|
||||||
+ const char *, int, char **, FILE **, u_int flags, int, void *);
|
+ struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
|
||||||
|
|
||||||
int sys_auth_passwd(struct ssh *, const char *);
|
|
||||||
|
|
||||||
|
typedef struct arglist arglist;
|
||||||
|
struct arglist {
|
||||||
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
||||||
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@ -145,7 +145,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
char *role;
|
char *role;
|
||||||
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3_f("setting execution context");
|
||||||
|
|
||||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||||
@ -203,10 +203,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
||||||
switch (security_getenforce()) {
|
switch (security_getenforce()) {
|
||||||
case -1:
|
case -1:
|
||||||
fatal("%s: security_getenforce() failed", __func__);
|
fatal_f("security_getenforce() failed");
|
||||||
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3_f("setting execution context");
|
||||||
|
|
||||||
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
||||||
@ -269,3 +269,15 @@ diff -up openssh/sshd.c.refactor openssh/sshd.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (options.use_pam) {
|
if (options.use_pam) {
|
||||||
|
diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c
|
||||||
|
--- openssh/sshconnect.c.refactor 2021-02-24 00:12:03.065325046 +0100
|
||||||
|
+++ openssh/sshconnect.c 2021-02-24 00:12:12.126449544 +0100
|
||||||
|
@@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h
|
||||||
|
|
||||||
|
if ((pid = subprocess(tag, command, ac, av, &f,
|
||||||
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
|
||||||
|
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
|
||||||
|
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);
|
||||||
|
@ -165,7 +165,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
|||||||
+
|
+
|
||||||
/* Not a KEX value, but here so all the algorithm defaults are together */
|
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||||
#define SSH_ALLOWED_CA_SIGALGS \
|
#define SSH_ALLOWED_CA_SIGALGS \
|
||||||
"ecdsa-sha2-nistp256," \
|
"ssh-ed25519," \
|
||||||
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
||||||
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
|
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
|
||||||
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
|
||||||
@ -416,7 +416,7 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
|
|||||||
if (!BN_set_word(f4, RSA_F4) ||
|
if (!BN_set_word(f4, RSA_F4) ||
|
||||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||||
+ if (FIPS_mode())
|
+ if (FIPS_mode())
|
||||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
+ logit_f("the key length might be unsupported by FIPS mode approved key generation method");
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
@ -151,7 +151,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ssh_krb5_expand_template(char **result, const char *template) {
|
+ssh_krb5_expand_template(char **result, const char *template) {
|
||||||
+ char *p_n, *p_o, *r, *tmp_template;
|
+ char *p_n, *p_o, *r, *tmp_template;
|
||||||
+
|
+
|
||||||
+ debug3("%s: called, template = %s", __func__, template);
|
+ debug3_f("called, template = %s", template);
|
||||||
+ if (template == NULL)
|
+ if (template == NULL)
|
||||||
+ return -1;
|
+ return -1;
|
||||||
+
|
+
|
||||||
@ -179,7 +179,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ } else {
|
+ } else {
|
||||||
+ p_o = strchr(p_n, '}') + 1;
|
+ p_o = strchr(p_n, '}') + 1;
|
||||||
+ *p_o = '\0';
|
+ *p_o = '\0';
|
||||||
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
|
+ debug_f("unsupported token %s in %s", p_n, template);
|
||||||
+ /* unknown token, fallback to the default */
|
+ /* unknown token, fallback to the default */
|
||||||
+ goto cleanup;
|
+ goto cleanup;
|
||||||
+ }
|
+ }
|
||||||
@ -207,7 +207,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+ char *value = NULL;
|
+ char *value = NULL;
|
||||||
+
|
+
|
||||||
+ debug3("%s: called", __func__);
|
+ debug3_f("called");
|
||||||
+ ret = krb5_get_profile(ctx, &p);
|
+ ret = krb5_get_profile(ctx, &p);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
+ return ret;
|
+ return ret;
|
||||||
@ -218,7 +218,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+
|
+
|
||||||
+ ret = ssh_krb5_expand_template(ccname, value);
|
+ ret = ssh_krb5_expand_template(ccname, value);
|
||||||
+
|
+
|
||||||
+ debug3("%s: returning with ccname = %s", __func__, *ccname);
|
+ debug3_f("returning with ccname = %s", *ccname);
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
@ -242,7 +242,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
- logit("mkstemp(): %.100s", strerror(oerrno));
|
- logit("mkstemp(): %.100s", strerror(oerrno));
|
||||||
- return oerrno;
|
- return oerrno;
|
||||||
- }
|
- }
|
||||||
+ debug3("%s: called", __func__);
|
+ debug3_f("called");
|
||||||
+ if (need_environment)
|
+ if (need_environment)
|
||||||
+ *need_environment = 0;
|
+ *need_environment = 0;
|
||||||
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
||||||
@ -283,7 +283,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
- close(tmpfd);
|
- close(tmpfd);
|
||||||
|
|
||||||
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
+ debug3("%s: setting default ccname to %s", __func__, ccname);
|
+ debug3_f("setting default ccname to %s", ccname);
|
||||||
+ /* set the default with already expanded user IDs */
|
+ /* set the default with already expanded user IDs */
|
||||||
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
@ -304,13 +304,13 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ * a primary cache for this collection, if it supports that (non-FILE)
|
+ * a primary cache for this collection, if it supports that (non-FILE)
|
||||||
+ */
|
+ */
|
||||||
+ if (krb5_cc_support_switch(ctx, type)) {
|
+ if (krb5_cc_support_switch(ctx, type)) {
|
||||||
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname);
|
+ debug3_f("calling cc_new_unique(%s)", ccname);
|
||||||
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
||||||
+ free(type);
|
+ free(type);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+
|
+
|
||||||
+ debug3("%s: calling cc_switch()", __func__);
|
+ debug3_f("calling cc_switch()");
|
||||||
+ return krb5_cc_switch(ctx, *ccache);
|
+ return krb5_cc_switch(ctx, *ccache);
|
||||||
+ } else {
|
+ } else {
|
||||||
+ /* Otherwise, we can not create a unique ccname here (either
|
+ /* Otherwise, we can not create a unique ccname here (either
|
||||||
@ -318,7 +318,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ * collections
|
+ * collections
|
||||||
+ */
|
+ */
|
||||||
+ free(type);
|
+ free(type);
|
||||||
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname);
|
+ debug3_f("calling cc_resolve(%s)", ccname);
|
||||||
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
@ -513,7 +513,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_keyex == -1)
|
if (options->gss_keyex == -1)
|
||||||
@@ -447,7 +450,8 @@ typedef enum {
|
@@ -447,7 +450,8 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
||||||
|
@ -52,7 +52,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
|||||||
gss_buffer_desc mic, gssbuf;
|
gss_buffer_desc mic, gssbuf;
|
||||||
const char *displayname;
|
const char *displayname;
|
||||||
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal_f("sshbuf_new failed");
|
||||||
mic.value = p;
|
mic.value = p;
|
||||||
mic.length = len;
|
mic.length = len;
|
||||||
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||||
@ -63,7 +63,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
|||||||
+#endif
|
+#endif
|
||||||
+ micuser = authctxt->user;
|
+ micuser = authctxt->user;
|
||||||
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
||||||
"gssapi-with-mic");
|
"gssapi-with-mic", ssh->kex->session_id);
|
||||||
|
|
||||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
@ -80,7 +80,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
|||||||
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||||
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
/* reconstruct packet */
|
/* reconstruct packet */
|
||||||
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
|
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
|
||||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ (authctxt->role
|
+ (authctxt->role
|
||||||
@ -224,8 +224,8 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
+ monitor_permit_authentications(1);
|
+ monitor_permit_authentications(1);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||||
+ debug3("%s: role=%s", __func__, authctxt->role);
|
+ debug3_f("role=%s", authctxt->role);
|
||||||
+
|
+
|
||||||
+ if (strlen(authctxt->role) == 0) {
|
+ if (strlen(authctxt->role) == 0) {
|
||||||
+ free(authctxt->role);
|
+ free(authctxt->role);
|
||||||
@ -251,7 +251,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse userstyle");
|
||||||
+ if ((s = strchr(cp, '/')) != NULL)
|
+ if ((s = strchr(cp, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
@ -269,7 +269,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse userstyle");
|
||||||
+ if ((s = strchr(p, '/')) != NULL)
|
+ if ((s = strchr(p, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
@ -305,12 +305,12 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
|||||||
+ int r;
|
+ int r;
|
||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ debug3("%s entering", __func__);
|
+ debug3_f("entering");
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
@ -357,7 +357,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
|||||||
-void
|
-void
|
||||||
-ssh_selinux_setup_exec_context(char *pwname)
|
-ssh_selinux_setup_exec_context(char *pwname)
|
||||||
-{
|
-{
|
||||||
- security_context_t user_ctx = NULL;
|
- char *user_ctx = NULL;
|
||||||
-
|
-
|
||||||
- if (!ssh_selinux_enabled())
|
- if (!ssh_selinux_enabled())
|
||||||
- return;
|
- return;
|
||||||
@ -393,7 +393,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
|||||||
|
|
||||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||||
+ if (getexeccon(&user_ctx) != 0) {
|
+ if (getexeccon(&user_ctx) != 0) {
|
||||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
+ error_f("getexeccon: %s", strerror(errno));
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -418,7 +418,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
|
|||||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -0,0 +1,425 @@
|
@@ -0,0 +1,421 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||||
@ -530,7 +530,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ access_vector_t bit;
|
+ access_vector_t bit;
|
||||||
+ security_class_t class;
|
+ security_class_t class;
|
||||||
+
|
+
|
||||||
+ debug("%s: src:%s dst:%s", __func__, src, dst);
|
+ debug_f("src:%s dst:%s", src, dst);
|
||||||
+ class = string_to_security_class("context");
|
+ class = string_to_security_class("context");
|
||||||
+ if (!class) {
|
+ if (!class) {
|
||||||
+ error("string_to_security_class failed to translate security class context");
|
+ error("string_to_security_class failed to translate security class context");
|
||||||
@ -692,7 +692,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ /* we actually don't change level */
|
+ /* we actually don't change level */
|
||||||
+ reqlvl = "";
|
+ reqlvl = "";
|
||||||
+
|
+
|
||||||
+ debug("%s: current connection level '%s'", __func__, reqlvl);
|
+ debug_f("current connection level '%s'", reqlvl);
|
||||||
+
|
+
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -720,8 +720,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0) {
|
+ if (r != 0) {
|
||||||
+ error("%s: Failed to get default SELinux security "
|
+ error_f("Failed to get default SELinux security "
|
||||||
+ "context for %s", __func__, pwname);
|
+ "context for %s", pwname);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+#ifdef HAVE_GETSEUSERBYNAME
|
+#ifdef HAVE_GETSEUSERBYNAME
|
||||||
@ -746,7 +746,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ char *use_current;
|
+ char *use_current;
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+
|
+
|
||||||
+ debug3("%s: setting execution context", __func__);
|
+ debug3_f("setting execution context");
|
||||||
+
|
+
|
||||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||||
+
|
+
|
||||||
@ -783,32 +783,30 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (sshd_selinux_setup_pam_variables()) {
|
+ if (sshd_selinux_setup_pam_variables()) {
|
||||||
+ switch (security_getenforce()) {
|
+ switch (security_getenforce()) {
|
||||||
+ case -1:
|
+ case -1:
|
||||||
+ fatal("%s: security_getenforce() failed", __func__);
|
+ fatal_f("security_getenforce() failed");
|
||||||
+ case 0:
|
+ case 0:
|
||||||
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
|
+ error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
|
||||||
+ __func__);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
|
+ fatal_f("SELinux PAM variable setup failure. Aborting connection.");
|
||||||
+ __func__);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ debug3("%s: setting execution context", __func__);
|
+ debug3_f("setting execution context");
|
||||||
+
|
+
|
||||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||||
+ if (r >= 0) {
|
+ if (r >= 0) {
|
||||||
+ r = setexeccon(user_ctx);
|
+ r = setexeccon(user_ctx);
|
||||||
+ if (r < 0) {
|
+ if (r < 0) {
|
||||||
+ error("%s: Failed to set SELinux execution context %s for %s",
|
+ error_f("Failed to set SELinux execution context %s for %s",
|
||||||
+ __func__, user_ctx, pwname);
|
+ user_ctx, pwname);
|
||||||
+ }
|
+ }
|
||||||
+#ifdef HAVE_SETKEYCREATECON
|
+#ifdef HAVE_SETKEYCREATECON
|
||||||
+ else if (setkeycreatecon(user_ctx) < 0) {
|
+ else if (setkeycreatecon(user_ctx) < 0) {
|
||||||
+ error("%s: Failed to set SELinux keyring creation context %s for %s",
|
+ error_f("Failed to set SELinux keyring creation context %s for %s",
|
||||||
+ __func__, user_ctx, pwname);
|
+ user_ctx, pwname);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+ }
|
+ }
|
||||||
@ -823,14 +821,12 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (r < 0) {
|
+ if (r < 0) {
|
||||||
+ switch (security_getenforce()) {
|
+ switch (security_getenforce()) {
|
||||||
+ case -1:
|
+ case -1:
|
||||||
+ fatal("%s: security_getenforce() failed", __func__);
|
+ fatal_f("security_getenforce() failed");
|
||||||
+ case 0:
|
+ case 0:
|
||||||
+ error("%s: SELinux failure. Continuing in permissive mode.",
|
+ error_f("ELinux failure. Continuing in permissive mode.");
|
||||||
+ __func__);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: SELinux failure. Aborting connection.",
|
+ fatal_f("SELinux failure. Aborting connection.");
|
||||||
+ __func__);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
||||||
@ -838,7 +834,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (default_ctx != NULL)
|
+ if (default_ctx != NULL)
|
||||||
+ freecon(default_ctx);
|
+ freecon(default_ctx);
|
||||||
+
|
+
|
||||||
+ debug3("%s: done", __func__);
|
+ debug3_f("done");
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
|
@ -1,27 +0,0 @@
|
|||||||
From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Tue, 29 Sep 2020 10:02:45 +0000
|
|
||||||
Subject: [PATCH] Fail hard on the first failed attempt to write the
|
|
||||||
authorized_keys_file
|
|
||||||
|
|
||||||
---
|
|
||||||
ssh-copy-id | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index 392f64f..e69a23f 100755
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -251,7 +251,7 @@ installkeys_sh() {
|
|
||||||
cd;
|
|
||||||
umask 077;
|
|
||||||
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
|
||||||
- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
|
|
||||||
+ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
|
||||||
cat >> ${AUTH_KEY_FILE} ||
|
|
||||||
exit 1;
|
|
||||||
if type restorecon >/dev/null 2>&1; then
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
||||||
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
||||||
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
||||||
@@ -359,17 +359,17 @@ or
|
@@ -359,14 +359,13 @@ or
|
||||||
.Qq *.c.example.com
|
.Qq *.c.example.com
|
||||||
domains.
|
domains.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
@ -14,19 +14,15 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
will not accept host certificates signed using algorithms other than those
|
will not accept host certificates signed using algorithms other than those
|
||||||
specified.
|
specified.
|
||||||
+.Pp
|
|
||||||
.It Cm CertificateFile
|
|
||||||
Specifies a file from which the user's certificate is read.
|
|
||||||
A corresponding private key must be provided separately in order
|
|
||||||
@@ -424,20 +424,25 @@ If the option is set to
|
@@ -424,20 +424,25 @@ If the option is set to
|
||||||
.Cm no ,
|
(the default),
|
||||||
the check will not be executed.
|
the check will not be executed.
|
||||||
.It Cm Ciphers
|
.It Cm Ciphers
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
@ -133,8 +129,8 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q kex .
|
.Qq ssh -Q kex .
|
||||||
@@ -1231,37 +1228,33 @@ The default is INFO.
|
@@ -1231,37 +1228,33 @@ The default is INFO.
|
||||||
DEBUG and DEBUG1 are equivalent.
|
file.
|
||||||
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
.It Cm MACs
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -179,56 +175,57 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
.It Cm NoHostAuthenticationForLocalhost
|
.It Cm NoHostAuthenticationForLocalhost
|
||||||
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
|
@@ -1394,37 +1387,25 @@ instead of continuing to execute and pas
|
||||||
The default is
|
The default is
|
||||||
.Cm no .
|
.Cm no .
|
||||||
.It Cm PubkeyAcceptedKeyTypes
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
Specifies the key types that will be used for public key authentication
|
Specifies the signature algorithms that will be used for public key
|
||||||
as a comma-separated list of patterns.
|
authentication as a comma-separated list of patterns.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq +
|
.Sq +
|
||||||
-character, then the key types after it will be appended to the default
|
-character, then the algorithms after it will be appended to the default
|
||||||
-instead of replacing it.
|
-instead of replacing it.
|
||||||
+character, then the key types after it will be appended to the built-in
|
+character, then the algorithms after it will be appended to the built-in
|
||||||
+openssh default instead of replacing it.
|
+openssh default instead of replacing it.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq -
|
.Sq -
|
||||||
character, then the specified key types (including wildcards) will be removed
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
-from the default set instead of replacing them.
|
-from the default set instead of replacing them.
|
||||||
+from the built-in openssh default set instead of replacing them.
|
+from the built-in openssh default set instead of replacing them.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified algorithms will be placed at the head of the
|
||||||
-default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
-rsa-sha2-256-cert-v01@openssh.com,
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+built-in openssh default set.
|
+built-in openssh default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
||||||
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
||||||
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
||||||
@@ -375,16 +375,16 @@ If the argument is
|
@@ -375,14 +375,13 @@ If the argument is
|
||||||
then no banner is displayed.
|
then no banner is displayed.
|
||||||
By default, no banner is displayed.
|
By default, no banner is displayed.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
@ -241,16 +238,13 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
Certificates signed using other algorithms will not be accepted for
|
Certificates signed using other algorithms will not be accepted for
|
||||||
public key or host-based authentication.
|
public key or host-based authentication.
|
||||||
+.Pp
|
|
||||||
.It Cm ChallengeResponseAuthentication
|
.It Cm ChallengeResponseAuthentication
|
||||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
|
||||||
PAM or through authentication styles supported in
|
|
||||||
@@ -446,20 +446,25 @@ The default is
|
@@ -446,20 +446,25 @@ The default is
|
||||||
indicating not to
|
indicating not to
|
||||||
.Xr chroot 2 .
|
.Xr chroot 2 .
|
||||||
@ -295,7 +289,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
.It Cm ClientAliveCountMax
|
.It Cm ClientAliveCountMax
|
||||||
@@ -681,22 +679,24 @@ For this to work
|
@@ -681,21 +679,22 @@ For this to work
|
||||||
.Cm GSSAPIKeyExchange
|
.Cm GSSAPIKeyExchange
|
||||||
needs to be enabled in the server and also used by the client.
|
needs to be enabled in the server and also used by the client.
|
||||||
.It Cm GSSAPIKexAlgorithms
|
.It Cm GSSAPIKexAlgorithms
|
||||||
@ -326,11 +320,9 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
This option only applies to connections using GSSAPI.
|
This option only applies to connections using GSSAPI.
|
||||||
+.Pp
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
Specifies the signature algorithms that will be accepted for hostbased
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
@@ -793,26 +793,13 @@ is specified, the location of the socket
|
||||||
as a list of comma-separated patterns.
|
|
||||||
@@ -793,25 +793,13 @@ is specified, the location of the socket
|
|
||||||
.Ev SSH_AUTH_SOCK
|
.Ev SSH_AUTH_SOCK
|
||||||
environment variable.
|
environment variable.
|
||||||
.It Cm HostKeyAlgorithms
|
.It Cm HostKeyAlgorithms
|
||||||
@ -339,26 +331,27 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
Specifies the host key algorithms
|
Specifies the host key signature algorithms
|
||||||
that the server offers.
|
that the server offers.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
-rsa-sha2-256-cert-v01@openssh.com,
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q HostKeyAlgorithms .
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
.It Cm IgnoreRhosts
|
.It Cm IgnoreRhosts
|
||||||
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
||||||
@ -392,7 +385,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
.Bl -item -compact -offset indent
|
.Bl -item -compact -offset indent
|
||||||
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
||||||
sntrup4591761x25519-sha512@tinyssh.org
|
sntrup761x25519-sha512@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
-The default is:
|
-The default is:
|
||||||
@ -408,8 +401,8 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
.Qq ssh -Q KexAlgorithms .
|
.Qq ssh -Q KexAlgorithms .
|
||||||
.It Cm ListenAddress
|
.It Cm ListenAddress
|
||||||
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
||||||
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
file.
|
||||||
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
.It Cm MACs
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -454,49 +447,50 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
.It Cm Match
|
.It Cm Match
|
||||||
@@ -1480,36 +1460,25 @@ or equivalent.)
|
@@ -1480,37 +1460,25 @@ or equivalent.)
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
.It Cm PubkeyAcceptedKeyTypes
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
Specifies the key types that will be accepted for public key authentication
|
Specifies the signature algorithms that will be accepted for public key
|
||||||
as a list of comma-separated patterns.
|
authentication as a list of comma-separated patterns.
|
||||||
Alternately if the specified list begins with a
|
Alternately if the specified list begins with a
|
||||||
.Sq +
|
.Sq +
|
||||||
-character, then the specified key types will be appended to the default set
|
-character, then the specified algorithms will be appended to the default set
|
||||||
-instead of replacing them.
|
-instead of replacing them.
|
||||||
+character, then the specified key types will be appended to the built-in
|
+character, then the specified algorithms will be appended to the built-in
|
||||||
+openssh default set instead of replacing them.
|
+openssh default set instead of replacing them.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq -
|
.Sq -
|
||||||
character, then the specified key types (including wildcards) will be removed
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
-from the default set instead of replacing them.
|
-from the default set instead of replacing them.
|
||||||
+from the built-in openssh default set instead of replacing them.
|
+from the built-in openssh default set instead of replacing them.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified algorithms will be placed at the head of the
|
||||||
-default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
-rsa-sha2-256-cert-v01@openssh.com,
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+built-in openssh default set.
|
+built-in openssh default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
|
@ -5,7 +5,7 @@ index e7549470..b68c1710 100644
|
|||||||
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||||
kexgexc.o kexgexs.o \
|
kexgexc.o kexgexs.o \
|
||||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
||||||
+ kexgssc.o \
|
+ kexgssc.o \
|
||||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
sshbuf-io.o
|
sshbuf-io.o
|
||||||
@ -17,7 +17,7 @@ index e7549470..b68c1710 100644
|
|||||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
||||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||||
sftp-server.o sftp-common.o \
|
srclimit.o sftp-server.o sftp-common.o \
|
||||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||||
diff --git a/auth.c b/auth.c
|
diff --git a/auth.c b/auth.c
|
||||||
index 086b8ebb..687c57b4 100644
|
index 086b8ebb..687c57b4 100644
|
||||||
@ -138,7 +138,7 @@ index 9351e042..d6446c0c 100644
|
|||||||
--- a/auth2-gss.c
|
--- a/auth2-gss.c
|
||||||
+++ b/auth2-gss.c
|
+++ b/auth2-gss.c
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
|
/* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
@ -165,19 +165,19 @@ index 9351e042..d6446c0c 100644
|
|||||||
+
|
+
|
||||||
+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
|
+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
|
||||||
+ (r = sshpkt_get_end(ssh)) != 0)
|
+ (r = sshpkt_get_end(ssh)) != 0)
|
||||||
+ fatal("%s: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "parsing");
|
||||||
+
|
+
|
||||||
+ if ((b = sshbuf_new()) == NULL)
|
+ if ((b = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ mic.value = p;
|
+ mic.value = p;
|
||||||
+ mic.length = len;
|
+ mic.length = len;
|
||||||
+
|
+
|
||||||
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||||
+ "gssapi-keyex");
|
+ "gssapi-keyex", ssh->kex->session_id);
|
||||||
+
|
+
|
||||||
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
|
+ fatal_f("sshbuf_mutable_ptr failed");
|
||||||
+ gssbuf.length = sshbuf_len(b);
|
+ gssbuf.length = sshbuf_len(b);
|
||||||
+
|
+
|
||||||
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
|
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
|
||||||
@ -197,7 +197,7 @@ index 9351e042..d6446c0c 100644
|
|||||||
* how to check local user kuserok and the like)
|
* how to check local user kuserok and the like)
|
||||||
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
|
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
|
||||||
if ((r = sshpkt_get_end(ssh)) != 0)
|
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||||
fatal("%s: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse packet");
|
||||||
|
|
||||||
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
||||||
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
||||||
@ -441,7 +441,7 @@ index d56257b4..763a63ff 100644
|
|||||||
--- a/gss-genr.c
|
--- a/gss-genr.c
|
||||||
+++ b/gss-genr.c
|
+++ b/gss-genr.c
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
|
/* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
||||||
@ -449,7 +449,7 @@ index d56257b4..763a63ff 100644
|
|||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
* modification, are permitted provided that the following conditions
|
* modification, are permitted provided that the following conditions
|
||||||
@@ -41,12 +41,36 @@
|
@@ -41,9 +41,33 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
@ -461,9 +461,6 @@ index d56257b4..763a63ff 100644
|
|||||||
|
|
||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
|
|
||||||
extern u_char *session_id2;
|
|
||||||
extern u_int session_id2_len;
|
|
||||||
|
|
||||||
+typedef struct {
|
+typedef struct {
|
||||||
+ char *encoded;
|
+ char *encoded;
|
||||||
+ gss_OID oid;
|
+ gss_OID oid;
|
||||||
@ -486,7 +483,7 @@ index d56257b4..763a63ff 100644
|
|||||||
/* sshbuf_get for gss_buffer_desc */
|
/* sshbuf_get for gss_buffer_desc */
|
||||||
int
|
int
|
||||||
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
||||||
@@ -62,6 +86,162 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
@@ -62,6 +86,159 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -548,7 +545,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+ (gss_supported->count + 1));
|
+ (gss_supported->count + 1));
|
||||||
+
|
+
|
||||||
+ if ((buf = sshbuf_new()) == NULL)
|
+ if ((buf = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ oidpos = 0;
|
+ oidpos = 0;
|
||||||
+ s = cp = xstrdup(kex);
|
+ s = cp = xstrdup(kex);
|
||||||
@ -565,8 +562,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+ gss_supported->elements[i].elements,
|
+ gss_supported->elements[i].elements,
|
||||||
+ gss_supported->elements[i].length)) != 0 ||
|
+ gss_supported->elements[i].length)) != 0 ||
|
||||||
+ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
|
+ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
|
||||||
+ fatal("%s: digest failed: %s", __func__,
|
+ fatal_fr(r, "digest failed");
|
||||||
+ ssh_err(r));
|
|
||||||
+ ssh_digest_free(md);
|
+ ssh_digest_free(md);
|
||||||
+ md = NULL;
|
+ md = NULL;
|
||||||
+
|
+
|
||||||
@ -581,12 +577,10 @@ index d56257b4..763a63ff 100644
|
|||||||
+ (p = strsep(&cp, ","))) {
|
+ (p = strsep(&cp, ","))) {
|
||||||
+ if (sshbuf_len(buf) != 0 &&
|
+ if (sshbuf_len(buf) != 0 &&
|
||||||
+ (r = sshbuf_put_u8(buf, ',')) != 0)
|
+ (r = sshbuf_put_u8(buf, ',')) != 0)
|
||||||
+ fatal("%s: sshbuf_put_u8 error: %s",
|
+ fatal_fr(r, "sshbuf_put_u8 error");
|
||||||
+ __func__, ssh_err(r));
|
|
||||||
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
|
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
|
||||||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
||||||
+ fatal("%s: sshbuf_put error: %s",
|
+ fatal_fr(r, "sshbuf_put error");
|
||||||
+ __func__, ssh_err(r));
|
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
||||||
@ -599,7 +593,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+ gss_enc2oid[oidpos].encoded = NULL;
|
+ gss_enc2oid[oidpos].encoded = NULL;
|
||||||
+
|
+
|
||||||
+ if ((mechs = sshbuf_dup_string(buf)) == NULL)
|
+ if ((mechs = sshbuf_dup_string(buf)) == NULL)
|
||||||
+ fatal("%s: sshbuf_dup_string failed", __func__);
|
+ fatal_f("sshbuf_dup_string failed");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(buf);
|
+ sshbuf_free(buf);
|
||||||
+
|
+
|
||||||
@ -721,7 +715,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+
|
+
|
||||||
void
|
void
|
||||||
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
||||||
const char *context)
|
const char *context, const struct sshbuf *session_id)
|
||||||
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1123,10 +1117,10 @@ index ab3a15f0..6ce56e92 100644
|
|||||||
+
|
+
|
||||||
+ if (gssapi_client.store.data != NULL) {
|
+ if (gssapi_client.store.data != NULL) {
|
||||||
+ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
|
+ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
|
||||||
+ debug("%s: krb5_cc_resolve(): %.100s", __func__,
|
+ debug_f("krb5_cc_resolve(): %.100s",
|
||||||
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
||||||
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
|
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
|
||||||
+ debug("%s: krb5_cc_destroy(): %.100s", __func__,
|
+ debug_f("krb5_cc_destroy(): %.100s",
|
||||||
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
||||||
+ } else {
|
+ } else {
|
||||||
+ krb5_free_context(gssapi_client.store.data);
|
+ krb5_free_context(gssapi_client.store.data);
|
||||||
@ -1375,7 +1369,7 @@ index ce85f043..574c7609 100644
|
|||||||
@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
|
@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
|
||||||
sshbuf_free(kex->server_version);
|
sshbuf_free(kex->server_version);
|
||||||
sshbuf_free(kex->client_pub);
|
sshbuf_free(kex->client_pub);
|
||||||
free(kex->session_id);
|
sshbuf_free(kex->session_id);
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
+ free(kex->gss_host);
|
+ free(kex->gss_host);
|
||||||
+#endif /* GSSAPI */
|
+#endif /* GSSAPI */
|
||||||
@ -1389,7 +1383,7 @@ index a5ae6ac0..fe714141 100644
|
|||||||
@@ -102,6 +102,15 @@ enum kex_exchange {
|
@@ -102,6 +102,15 @@ enum kex_exchange {
|
||||||
KEX_ECDH_SHA2,
|
KEX_ECDH_SHA2,
|
||||||
KEX_C25519_SHA256,
|
KEX_C25519_SHA256,
|
||||||
KEX_KEM_SNTRUP4591761X25519_SHA512,
|
KEX_KEM_SNTRUP761X25519_SHA512,
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
+ KEX_GSS_GRP1_SHA1,
|
+ KEX_GSS_GRP1_SHA1,
|
||||||
+ KEX_GSS_GRP14_SHA1,
|
+ KEX_GSS_GRP14_SHA1,
|
||||||
@ -1498,7 +1492,7 @@ new file mode 100644
|
|||||||
index 00000000..f6e1405e
|
index 00000000..f6e1405e
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/kexgssc.c
|
+++ b/kexgssc.c
|
||||||
@@ -0,0 +1,606 @@
|
@@ -0,0 +1,599 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -1597,7 +1591,7 @@ index 00000000..f6e1405e
|
|||||||
+ r = kex_c25519_keypair(kex);
|
+ r = kex_c25519_keypair(kex);
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0)
|
+ if (r != 0)
|
||||||
+ return r;
|
+ return r;
|
||||||
@ -1785,7 +1779,7 @@ index 00000000..f6e1405e
|
|||||||
+ server_blob,
|
+ server_blob,
|
||||||
+ shared_secret,
|
+ shared_secret,
|
||||||
+ hash, &hashlen)) != 0)
|
+ hash, &hashlen)) != 0)
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+
|
+
|
||||||
+ gssbuf.value = hash;
|
+ gssbuf.value = hash;
|
||||||
+ gssbuf.length = hashlen;
|
+ gssbuf.length = hashlen;
|
||||||
@ -2074,13 +2068,6 @@ index 00000000..f6e1405e
|
|||||||
+
|
+
|
||||||
+ gss_release_buffer(&min_status, &msg_tok);
|
+ gss_release_buffer(&min_status, &msg_tok);
|
||||||
+
|
+
|
||||||
+ /* save session id */
|
|
||||||
+ if (kex->session_id == NULL) {
|
|
||||||
+ kex->session_id_len = hashlen;
|
|
||||||
+ kex->session_id = xmalloc(kex->session_id_len);
|
|
||||||
+ memcpy(kex->session_id, hash, kex->session_id_len);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (kex->gss_deleg_creds)
|
+ if (kex->gss_deleg_creds)
|
||||||
+ ssh_gssapi_credentials_updated(ctxt);
|
+ ssh_gssapi_credentials_updated(ctxt);
|
||||||
+
|
+
|
||||||
@ -2202,12 +2189,12 @@ index 00000000..60bc02de
|
|||||||
+ free(mechs);
|
+ free(mechs);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ debug2("%s: Identifying %s", __func__, kex->name);
|
+ debug2_f("Identifying %s", kex->name);
|
||||||
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
||||||
+ if (oid == GSS_C_NO_OID)
|
+ if (oid == GSS_C_NO_OID)
|
||||||
+ fatal("Unknown gssapi mechanism");
|
+ fatal("Unknown gssapi mechanism");
|
||||||
+
|
+
|
||||||
+ debug2("%s: Acquiring credentials", __func__);
|
+ debug2_f("Acquiring credentials");
|
||||||
+
|
+
|
||||||
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
||||||
+ fatal("Unable to acquire credentials for the server");
|
+ fatal("Unable to acquire credentials for the server");
|
||||||
@ -2242,7 +2229,7 @@ index 00000000..60bc02de
|
|||||||
+ &shared_secret);
|
+ &shared_secret);
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0)
|
+ if (r != 0)
|
||||||
+ goto out;
|
+ goto out;
|
||||||
@ -2398,12 +2385,12 @@ index 00000000..60bc02de
|
|||||||
+ if ((mechs = ssh_gssapi_server_mechanisms()))
|
+ if ((mechs = ssh_gssapi_server_mechanisms()))
|
||||||
+ free(mechs);
|
+ free(mechs);
|
||||||
+
|
+
|
||||||
+ debug2("%s: Identifying %s", __func__, kex->name);
|
+ debug2_f("Identifying %s", kex->name);
|
||||||
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
||||||
+ if (oid == GSS_C_NO_OID)
|
+ if (oid == GSS_C_NO_OID)
|
||||||
+ fatal("Unknown gssapi mechanism");
|
+ fatal("Unknown gssapi mechanism");
|
||||||
+
|
+
|
||||||
+ debug2("%s: Acquiring credentials", __func__);
|
+ debug2_f("Acquiring credentials");
|
||||||
+
|
+
|
||||||
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
||||||
+ fatal("Unable to acquire credentials for the server");
|
+ fatal("Unable to acquire credentials for the server");
|
||||||
@ -2641,44 +2628,44 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
||||||
@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||||
# endif
|
# endif
|
||||||
+# ifdef GSSAPI
|
+# ifdef GSSAPI
|
||||||
+ if (options.gss_keyex) {
|
+ if (options.gss_keyex) {
|
||||||
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
|
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
|
+ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
|
+ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
|
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
|
||||||
+ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
|
+ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
|
+ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
|
||||||
+ }
|
+ }
|
||||||
+# endif
|
+# endif
|
||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||||
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
|
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||||
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
u_char *p;
|
u_char *p;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse");
|
||||||
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
OM_uint32 flags = 0; /* GSI needs this */
|
OM_uint32 flags = 0; /* GSI needs this */
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "ssh_gssapi_get_buffer_desc");
|
||||||
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||||
@ -2692,9 +2679,9 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
int r;
|
int r;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
||||||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
||||||
@ -2707,13 +2694,13 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
const char *displayname;
|
const char *displayname;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
||||||
+ if ((r = sshbuf_get_u32(m, &kex)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &kex)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ authenticated = authctxt->valid &&
|
+ authenticated = authctxt->valid &&
|
||||||
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
|
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
|
||||||
@ -2721,7 +2708,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
sshbuf_reset(m);
|
sshbuf_reset(m);
|
||||||
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
||||||
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
debug3("%s: sending result %d", __func__, authenticated);
|
debug3_f("sending result %d", authenticated);
|
||||||
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
||||||
|
|
||||||
- auth_method = "gssapi-with-mic";
|
- auth_method = "gssapi-with-mic";
|
||||||
@ -2733,7 +2720,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
|
|
||||||
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
||||||
auth2_record_info(authctxt, "%s", displayname);
|
auth2_record_info(authctxt, "%s", displayname);
|
||||||
@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1921,5 +1958,84 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
/* Monitor loop will terminate if authenticated */
|
/* Monitor loop will terminate if authenticated */
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
@ -2749,16 +2736,15 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+ int r;
|
+ int r;
|
||||||
+
|
+
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ data.value = p;
|
+ data.value = p;
|
||||||
+ data.length = len;
|
+ data.length = len;
|
||||||
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
|
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
|
||||||
+ if (data.length != 20 && data.length != 32 && data.length != 64)
|
+ if (data.length != 20 && data.length != 32 && data.length != 64)
|
||||||
+ fatal("%s: data length incorrect: %d", __func__,
|
+ fatal_f("data length incorrect: %d", (int) data.length);
|
||||||
+ (int) data.length);
|
|
||||||
+
|
+
|
||||||
+ /* Save the session ID on the first time around */
|
+ /* Save the session ID on the first time around */
|
||||||
+ if (session_id2_len == 0) {
|
+ if (session_id2_len == 0) {
|
||||||
@ -2774,7 +2760,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+
|
+
|
||||||
+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
|
||||||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
|
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
|
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
|
||||||
+
|
+
|
||||||
@ -2795,12 +2781,12 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+ int r, ok;
|
+ int r, ok;
|
||||||
+
|
+
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
|
+ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
|
+ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
|
+ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ ok = ssh_gssapi_update_creds(&store);
|
+ ok = ssh_gssapi_update_creds(&store);
|
||||||
+
|
+
|
||||||
@ -2810,7 +2796,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+
|
+
|
||||||
+ sshbuf_reset(m);
|
+ sshbuf_reset(m);
|
||||||
+ if ((r = sshbuf_put_u32(m, ok)) != 0)
|
+ if ((r = sshbuf_put_u32(m, ok)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
|
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
|
||||||
+
|
+
|
||||||
@ -2847,14 +2833,14 @@ index 001a8fa1..6edb509a 100644
|
|||||||
int r, authenticated = 0;
|
int r, authenticated = 0;
|
||||||
|
|
||||||
if ((m = sshbuf_new()) == NULL)
|
if ((m = sshbuf_new()) == NULL)
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, kex)) != 0)
|
+ if ((r = sshbuf_put_u32(m, kex)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
|
|
||||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
|
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
|
||||||
mm_request_receive_expect(pmonitor->m_recvfd,
|
mm_request_receive_expect(pmonitor->m_recvfd,
|
||||||
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
|
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
|
||||||
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
|
debug3_f("user %sauthenticated", authenticated ? "" : "not ");
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
@ -2866,16 +2852,16 @@ index 001a8fa1..6edb509a 100644
|
|||||||
+ int r;
|
+ int r;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
|
+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
|
+ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
|
||||||
+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
|
+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+
|
+
|
||||||
@ -2889,7 +2875,7 @@ index 001a8fa1..6edb509a 100644
|
|||||||
+ int r, ok;
|
+ int r, ok;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_put_cstring(m,
|
+ if ((r = sshbuf_put_cstring(m,
|
||||||
+ store->filename ? store->filename : "")) != 0 ||
|
+ store->filename ? store->filename : "")) != 0 ||
|
||||||
@ -2897,13 +2883,13 @@ index 001a8fa1..6edb509a 100644
|
|||||||
+ store->envvar ? store->envvar : "")) != 0 ||
|
+ store->envvar ? store->envvar : "")) != 0 ||
|
||||||
+ (r = sshbuf_put_cstring(m,
|
+ (r = sshbuf_put_cstring(m,
|
||||||
+ store->envval ? store->envval : "")) != 0)
|
+ store->envval ? store->envval : "")) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &ok)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &ok)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+
|
+
|
||||||
@ -3124,7 +3110,7 @@ index 70f5f73f..191575a1 100644
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -531,6 +543,7 @@ typedef enum {
|
@@ -531,6 +543,7 @@ typedef enum {
|
||||||
sHostKeyAlgorithms,
|
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
||||||
@ -3246,7 +3232,7 @@ index 36180d07..70dd3665 100644
|
|||||||
--- a/ssh-gss.h
|
--- a/ssh-gss.h
|
||||||
+++ b/ssh-gss.h
|
+++ b/ssh-gss.h
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,6 +1,6 @@
|
||||||
/* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
|
/* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
@ -3332,7 +3318,7 @@ index 36180d07..70dd3665 100644
|
|||||||
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
|
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
|
||||||
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||||
void ssh_gssapi_buildmic(struct sshbuf *, const char *,
|
void ssh_gssapi_buildmic(struct sshbuf *, const char *,
|
||||||
const char *, const char *);
|
const char *, const char *, const struct sshbuf *);
|
||||||
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
|
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
|
||||||
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
|
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
|
||||||
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
|
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
|
||||||
@ -3382,7 +3368,7 @@ index 60de6087..db5c65bc 100644
|
|||||||
+.It GSSAPITrustDns
|
+.It GSSAPITrustDns
|
||||||
.It HashKnownHosts
|
.It HashKnownHosts
|
||||||
.It Host
|
.It Host
|
||||||
.It HostbasedAuthentication
|
.It HostbasedAcceptedAlgorithms
|
||||||
@@ -579,6 +585,8 @@ flag),
|
@@ -579,6 +585,8 @@ flag),
|
||||||
(supported message integrity codes),
|
(supported message integrity codes),
|
||||||
.Ar kex
|
.Ar kex
|
||||||
@ -3526,9 +3512,9 @@ index af00fb30..03bc87eb 100644
|
|||||||
+
|
+
|
||||||
xxx_host = host;
|
xxx_host = host;
|
||||||
xxx_hostaddr = hostaddr;
|
xxx_hostaddr = hostaddr;
|
||||||
|
xxx_conn_info = cinfo;
|
||||||
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
|
||||||
}
|
}
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3588,7 +3574,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+# endif
|
+# endif
|
||||||
+#endif /* WITH_OPENSSL */
|
+#endif /* WITH_OPENSSL */
|
||||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||||
ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client;
|
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||||
ssh->kex->verify_host_key=&verify_host_key_callback;
|
ssh->kex->verify_host_key=&verify_host_key_callback;
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3604,7 +3590,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
|
|
||||||
/* remove ext-info from the KEX proposals for rekeying */
|
/* remove ext-info from the KEX proposals for rekeying */
|
||||||
myproposal[PROPOSAL_KEX_ALGS] =
|
myproposal[PROPOSAL_KEX_ALGS] =
|
||||||
compat_kex_proposal(options.kex_algorithms);
|
compat_kex_proposal(ssh, options.kex_algorithms);
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ /* repair myproposal after it was crumpled by the */
|
+ /* repair myproposal after it was crumpled by the */
|
||||||
+ /* ext-info removal above */
|
+ /* ext-info removal above */
|
||||||
@ -3616,7 +3602,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
|
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
|
||||||
fatal("kex_prop2buf: %s", ssh_err(r));
|
fatal_r(r, "kex_prop2buf");
|
||||||
|
|
||||||
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
||||||
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
|
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
|
||||||
@ -3714,13 +3700,13 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if ((b = sshbuf_new()) == NULL)
|
+ if ((b = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
|
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
|
||||||
+ "gssapi-keyex");
|
+ "gssapi-keyex", ssh->kex->session_id);
|
||||||
+
|
+
|
||||||
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
|
+ fatal_f("sshbuf_mutable_ptr failed");
|
||||||
+ gssbuf.length = sshbuf_len(b);
|
+ gssbuf.length = sshbuf_len(b);
|
||||||
+
|
+
|
||||||
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
|
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
|
||||||
@ -3734,7 +3720,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
|
+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
|
||||||
+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
|
+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
|
||||||
+ (r = sshpkt_send(ssh)) != 0)
|
+ (r = sshpkt_send(ssh)) != 0)
|
||||||
+ fatal("%s: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "parsing");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(b);
|
+ sshbuf_free(b);
|
||||||
+ gss_release_buffer(&ms, &mic);
|
+ gss_release_buffer(&ms, &mic);
|
||||||
@ -3751,11 +3737,11 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
|
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
|
||||||
}
|
}
|
||||||
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
debug3_f("sent %u hostkeys", nkeys);
|
||||||
if (nkeys == 0)
|
if (nkeys == 0)
|
||||||
- fatal("%s: no hostkeys", __func__);
|
- fatal_f("no hostkeys");
|
||||||
- if ((r = sshpkt_send(ssh)) != 0)
|
- if ((r = sshpkt_send(ssh)) != 0)
|
||||||
+ debug3("%s: no hostkeys", __func__);
|
+ debug3_f("no hostkeys");
|
||||||
+ else if ((r = sshpkt_send(ssh)) != 0)
|
+ else if ((r = sshpkt_send(ssh)) != 0)
|
||||||
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
||||||
sshbuf_free(buf);
|
sshbuf_free(buf);
|
||||||
@ -3772,7 +3758,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
}
|
}
|
||||||
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||||
list_hostkey_types());
|
ssh, list_hostkey_types());
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ {
|
+ {
|
||||||
@ -3818,7 +3804,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+
|
+
|
||||||
/* start key exchange */
|
/* start key exchange */
|
||||||
if ((r = kex_setup(ssh, myproposal)) != 0)
|
if ((r = kex_setup(ssh, myproposal)) != 0)
|
||||||
fatal("kex_setup: %s", ssh_err(r));
|
fatal_r(r, "kex_setup");
|
||||||
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||||
@ -3837,7 +3823,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+# endif
|
+# endif
|
||||||
+#endif /* WITH_OPENSSL */
|
+#endif /* WITH_OPENSSL */
|
||||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||||
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
|
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||||
diff --git a/sshd_config b/sshd_config
|
diff --git a/sshd_config b/sshd_config
|
||||||
index 19b7c91a..2c48105f 100644
|
index 19b7c91a..2c48105f 100644
|
||||||
@ -3898,9 +3884,9 @@ index 70ccea44..f6b41a2f 100644
|
|||||||
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
+This option only applies to connections using GSSAPI.
|
+This option only applies to connections using GSSAPI.
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the signature algorithms that will be accepted for hostbased
|
||||||
as a list of comma-separated patterns.
|
authentication as a list of comma-separated patterns.
|
||||||
diff --git a/sshkey.c b/sshkey.c
|
diff --git a/sshkey.c b/sshkey.c
|
||||||
index 57995ee6..fd5b7724 100644
|
index 57995ee6..fd5b7724 100644
|
||||||
--- a/sshkey.c
|
--- a/sshkey.c
|
||||||
|
@ -96,7 +96,7 @@ index b6f041f4..1fbce2bb 100644
|
|||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||||
+ kex->session_id, kex->session_id_len);
|
+ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
|
||||||
+ if (r != 1) {
|
+ if (r != 1) {
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
|
@ -57,26 +57,26 @@ index e7549470..4511f82a 100644
|
|||||||
rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
|
rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
|
||||||
+ rm -f regress/unittests/pkcs11/*.o
|
+ rm -f regress/unittests/pkcs11/*.o
|
||||||
+ rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)
|
+ rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)
|
||||||
rm -f regress/misc/kexfuzz/*.o
|
|
||||||
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
|
||||||
rm -f regress/misc/sk-dummy/*.o
|
rm -f regress/misc/sk-dummy/*.o
|
||||||
|
rm -f regress/misc/sk-dummy/*.lo
|
||||||
|
rm -f regress/misc/sk-dummy/sk-dummy.so
|
||||||
@@ -322,6 +324,8 @@ distclean: regressclean
|
@@ -322,6 +324,8 @@ distclean: regressclean
|
||||||
rm -f regress/unittests/match/test_match
|
rm -f regress/unittests/match/test_match
|
||||||
rm -f regress/unittests/utf8/*.o
|
rm -f regress/unittests/utf8/*.o
|
||||||
rm -f regress/unittests/utf8/test_utf8
|
rm -f regress/unittests/utf8/test_utf8
|
||||||
+ rm -f regress/unittests/pkcs11/*.o
|
+ rm -f regress/unittests/pkcs11/*.o
|
||||||
+ rm -f regress/unittests/pkcs11/test_pkcs11
|
+ rm -f regress/unittests/pkcs11/test_pkcs11
|
||||||
rm -f regress/misc/kexfuzz/*.o
|
|
||||||
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
|
||||||
(cd openbsd-compat && $(MAKE) distclean)
|
(cd openbsd-compat && $(MAKE) distclean)
|
||||||
|
if test -d pkg ; then \
|
||||||
|
rm -fr pkg ; \
|
||||||
@@ -490,6 +494,7 @@ regress-prep:
|
@@ -490,6 +494,7 @@ regress-prep:
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/kex
|
$(MKDIR_P) `pwd`/regress/unittests/kex
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/match
|
$(MKDIR_P) `pwd`/regress/unittests/match
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/utf8
|
$(MKDIR_P) `pwd`/regress/unittests/utf8
|
||||||
+ $(MKDIR_P) `pwd`/regress/unittests/pkcs11
|
+ $(MKDIR_P) `pwd`/regress/unittests/pkcs11
|
||||||
$(MKDIR_P) `pwd`/regress/misc/kexfuzz
|
|
||||||
$(MKDIR_P) `pwd`/regress/misc/sk-dummy
|
$(MKDIR_P) `pwd`/regress/misc/sk-dummy
|
||||||
[ -f `pwd`/regress/Makefile ] || \
|
[ -f `pwd`/regress/Makefile ] || \
|
||||||
|
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
|
||||||
@@ -617,6 +622,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \
|
@@ -617,6 +622,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \
|
||||||
regress/unittests/test_helper/libtest_helper.a \
|
regress/unittests/test_helper/libtest_helper.a \
|
||||||
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||||
@ -91,17 +91,17 @@ index e7549470..4511f82a 100644
|
|||||||
+ regress/unittests/test_helper/libtest_helper.a \
|
+ regress/unittests/test_helper/libtest_helper.a \
|
||||||
+ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
+ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||||
+
|
+
|
||||||
MISC_KEX_FUZZ_OBJS=\
|
# These all need to be compiled -fPIC, so they are treated differently.
|
||||||
regress/misc/kexfuzz/kexfuzz.o \
|
SK_DUMMY_OBJS=\
|
||||||
$(SKOBJS)
|
regress/misc/sk-dummy/sk-dummy.lo \
|
||||||
@@ -655,6 +670,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
|
@@ -655,6 +670,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
|
||||||
regress/unittests/kex/test_kex$(EXEEXT) \
|
regress/unittests/kex/test_kex$(EXEEXT) \
|
||||||
regress/unittests/match/test_match$(EXEEXT) \
|
regress/unittests/match/test_match$(EXEEXT) \
|
||||||
regress/unittests/utf8/test_utf8$(EXEEXT) \
|
regress/unittests/utf8/test_utf8$(EXEEXT) \
|
||||||
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
|
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
|
||||||
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
|
||||||
|
|
||||||
tests: file-tests t-exec interop-tests unit
|
tests: file-tests t-exec interop-tests unit
|
||||||
|
echo all tests passed
|
||||||
diff --git a/configure.ac b/configure.ac
|
diff --git a/configure.ac b/configure.ac
|
||||||
index b689db4b..98d3ce4f 100644
|
index b689db4b..98d3ce4f 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
@ -1075,10 +1075,10 @@ index 7eb6f0dc..27d8e4af 100644
|
|||||||
+ char *provider = NULL, *pin = NULL, *sane_uri = NULL;
|
+ char *provider = NULL, *pin = NULL, *sane_uri = NULL;
|
||||||
char **comments = NULL;
|
char **comments = NULL;
|
||||||
int r, i, count = 0, success = 0, confirm = 0;
|
int r, i, count = 0, success = 0, confirm = 0;
|
||||||
u_int seconds;
|
u_int seconds = 0;
|
||||||
@@ -681,33 +743,28 @@ process_add_smartcard_key(SocketEntry *e)
|
@@ -681,33 +743,28 @@ process_add_smartcard_key(SocketEntry *e)
|
||||||
goto send;
|
error_f("failed to parse constraints");
|
||||||
}
|
goto send;
|
||||||
}
|
}
|
||||||
- if (realpath(provider, canonical_provider) == NULL) {
|
- if (realpath(provider, canonical_provider) == NULL) {
|
||||||
- verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
|
- verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
|
||||||
@ -1093,13 +1093,13 @@ index 7eb6f0dc..27d8e4af 100644
|
|||||||
+ if (sane_uri == NULL)
|
+ if (sane_uri == NULL)
|
||||||
goto send;
|
goto send;
|
||||||
- }
|
- }
|
||||||
- debug("%s: add %.100s", __func__, canonical_provider);
|
- debug_f("add %.100s", canonical_provider);
|
||||||
+
|
+
|
||||||
if (lifetime && !death)
|
if (lifetime && !death)
|
||||||
death = monotime() + lifetime;
|
death = monotime() + lifetime;
|
||||||
|
|
||||||
- count = pkcs11_add_provider(canonical_provider, pin, &keys, &comments);
|
- count = pkcs11_add_provider(canonical_provider, pin, &keys, &comments);
|
||||||
+ debug("%s: add %.100s", __func__, sane_uri);
|
+ debug_f("add %.100s", sane_uri);
|
||||||
+ count = pkcs11_add_provider(sane_uri, pin, &keys, &comments);
|
+ count = pkcs11_add_provider(sane_uri, pin, &keys, &comments);
|
||||||
for (i = 0; i < count; i++) {
|
for (i = 0; i < count; i++) {
|
||||||
k = keys[i];
|
k = keys[i];
|
||||||
@ -1147,8 +1147,8 @@ index 7eb6f0dc..27d8e4af 100644
|
|||||||
goto send;
|
goto send;
|
||||||
- }
|
- }
|
||||||
|
|
||||||
- debug("%s: remove %.100s", __func__, canonical_provider);
|
- debug_f("remove %.100s", canonical_provider);
|
||||||
+ debug("%s: remove %.100s", __func__, sane_uri);
|
+ debug_f("remove %.100s", sane_uri);
|
||||||
for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) {
|
for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) {
|
||||||
nxt = TAILQ_NEXT(id, next);
|
nxt = TAILQ_NEXT(id, next);
|
||||||
/* Skip file--based keys */
|
/* Skip file--based keys */
|
||||||
@ -1165,7 +1165,7 @@ index 7eb6f0dc..27d8e4af 100644
|
|||||||
+ if (pkcs11_del_provider(sane_uri) == 0)
|
+ if (pkcs11_del_provider(sane_uri) == 0)
|
||||||
success = 1;
|
success = 1;
|
||||||
else
|
else
|
||||||
error("%s: pkcs11_del_provider failed", __func__);
|
error_f("pkcs11_del_provider failed");
|
||||||
send:
|
send:
|
||||||
free(provider);
|
free(provider);
|
||||||
+ free(sane_uri);
|
+ free(sane_uri);
|
||||||
@ -1198,7 +1198,7 @@ index 8a0ffef5..ead8a562 100644
|
|||||||
u_int nkeys, i;
|
u_int nkeys, i;
|
||||||
struct sshbuf *msg;
|
struct sshbuf *msg;
|
||||||
|
|
||||||
+ debug("%s: called, name = %s", __func__, name);
|
+ debug_f("called, name = %s", name);
|
||||||
+
|
+
|
||||||
if (fd < 0 && pkcs11_start_helper() < 0)
|
if (fd < 0 && pkcs11_start_helper() < 0)
|
||||||
return (-1);
|
return (-1);
|
||||||
@ -1207,7 +1207,7 @@ index 8a0ffef5..ead8a562 100644
|
|||||||
*keysp = xcalloc(nkeys, sizeof(struct sshkey *));
|
*keysp = xcalloc(nkeys, sizeof(struct sshkey *));
|
||||||
if (labelsp)
|
if (labelsp)
|
||||||
*labelsp = xcalloc(nkeys, sizeof(char *));
|
*labelsp = xcalloc(nkeys, sizeof(char *));
|
||||||
+ debug("%s: nkeys = %u", __func__, nkeys);
|
+ debug_f("nkeys = %u", nkeys);
|
||||||
for (i = 0; i < nkeys; i++) {
|
for (i = 0; i < nkeys; i++) {
|
||||||
/* XXX clean up properly instead of fatal() */
|
/* XXX clean up properly instead of fatal() */
|
||||||
if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 ||
|
if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 ||
|
||||||
@ -1216,7 +1216,7 @@ new file mode 100644
|
|||||||
index 00000000..e1a7b4e0
|
index 00000000..e1a7b4e0
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/ssh-pkcs11-uri.c
|
+++ b/ssh-pkcs11-uri.c
|
||||||
@@ -0,0 +1,425 @@
|
@@ -0,0 +1,419 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2017 Red Hat
|
+ * Copyright (c) 2017 Red Hat
|
||||||
+ *
|
+ *
|
||||||
@ -1493,13 +1493,12 @@ index 00000000..e1a7b4e0
|
|||||||
+ size_t scheme_len = strlen(PKCS11_URI_SCHEME);
|
+ size_t scheme_len = strlen(PKCS11_URI_SCHEME);
|
||||||
+ if (strlen(uri) < scheme_len || /* empty URI matches everything */
|
+ if (strlen(uri) < scheme_len || /* empty URI matches everything */
|
||||||
+ strncmp(uri, PKCS11_URI_SCHEME, scheme_len) != 0) {
|
+ strncmp(uri, PKCS11_URI_SCHEME, scheme_len) != 0) {
|
||||||
+ error("%s: The '%s' does not look like PKCS#11 URI",
|
+ error_f("The '%s' does not look like PKCS#11 URI", uri);
|
||||||
+ __func__, uri);
|
|
||||||
+ return -1;
|
+ return -1;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (pkcs11 == NULL) {
|
+ if (pkcs11 == NULL) {
|
||||||
+ error("%s: Bad arguments. The pkcs11 can't be null", __func__);
|
+ error_f("Bad arguments. The pkcs11 can't be null");
|
||||||
+ return -1;
|
+ return -1;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -1510,7 +1509,7 @@ index 00000000..e1a7b4e0
|
|||||||
+ /* everything before ? */
|
+ /* everything before ? */
|
||||||
+ tok = strtok_r(str1, "?", &saveptr1);
|
+ tok = strtok_r(str1, "?", &saveptr1);
|
||||||
+ if (tok == NULL) {
|
+ if (tok == NULL) {
|
||||||
+ error("%s: pk11-path expected, got EOF", __func__);
|
+ error_f("pk11-path expected, got EOF");
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
@ -1536,35 +1535,32 @@ index 00000000..e1a7b4e0
|
|||||||
+ case pId:
|
+ case pId:
|
||||||
+ /* CKA_ID */
|
+ /* CKA_ID */
|
||||||
+ if (pkcs11->id != NULL) {
|
+ if (pkcs11->id != NULL) {
|
||||||
+ verbose("%s: The id already set in the PKCS#11 URI",
|
+ verbose_f("The id already set in the PKCS#11 URI");
|
||||||
+ __func__);
|
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ len = percent_decode(arg, &pkcs11->id);
|
+ len = percent_decode(arg, &pkcs11->id);
|
||||||
+ if (len <= 0) {
|
+ if (len <= 0) {
|
||||||
+ verbose("%s: Failed to percent-decode CKA_ID: %s",
|
+ verbose_f("Failed to percent-decode CKA_ID: %s", arg);
|
||||||
+ __func__, arg);
|
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ } else
|
+ } else
|
||||||
+ pkcs11->id_len = len;
|
+ pkcs11->id_len = len;
|
||||||
+ debug3("%s: Setting CKA_ID = %s from PKCS#11 URI",
|
+ debug3_f("Setting CKA_ID = %s from PKCS#11 URI", arg);
|
||||||
+ __func__, arg);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ case pToken:
|
+ case pToken:
|
||||||
+ /* CK_TOKEN_INFO -> label */
|
+ /* CK_TOKEN_INFO -> label */
|
||||||
+ charptr = &pkcs11->token;
|
+ charptr = &pkcs11->token;
|
||||||
+ parse_string:
|
+ parse_string:
|
||||||
+ if (*charptr != NULL) {
|
+ if (*charptr != NULL) {
|
||||||
+ verbose("%s: The %s already set in the PKCS#11 URI",
|
+ verbose_f("The %s already set in the PKCS#11 URI",
|
||||||
+ keywords[opcode].name, __func__);
|
+ keywords[opcode].name);
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ percent_decode(arg, charptr);
|
+ percent_decode(arg, charptr);
|
||||||
+ debug3("%s: Setting %s = %s from PKCS#11 URI",
|
+ debug3_f("Setting %s = %s from PKCS#11 URI",
|
||||||
+ __func__, keywords[opcode].name, *charptr);
|
+ keywords[opcode].name, *charptr);
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
+ case pObject:
|
+ case pObject:
|
||||||
@ -1584,8 +1580,7 @@ index 00000000..e1a7b4e0
|
|||||||
+
|
+
|
||||||
+ default:
|
+ default:
|
||||||
+ /* Unrecognized attribute in the URI path SHOULD be error */
|
+ /* Unrecognized attribute in the URI path SHOULD be error */
|
||||||
+ verbose("%s: Unknown part of path in PKCS#11 URI: %s",
|
+ verbose_f("Unknown part of path in PKCS#11 URI: %s", tok);
|
||||||
+ __func__, tok);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -1608,32 +1603,31 @@ index 00000000..e1a7b4e0
|
|||||||
+ case pModulePath:
|
+ case pModulePath:
|
||||||
+ /* module-path is PKCS11Provider */
|
+ /* module-path is PKCS11Provider */
|
||||||
+ if (pkcs11->module_path != NULL) {
|
+ if (pkcs11->module_path != NULL) {
|
||||||
+ verbose("%s: Multiple module-path attributes are"
|
+ verbose_f("Multiple module-path attributes are"
|
||||||
+ "not supported the PKCS#11 URI", __func__);
|
+ "not supported the PKCS#11 URI");
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ percent_decode(arg, &pkcs11->module_path);
|
+ percent_decode(arg, &pkcs11->module_path);
|
||||||
+ debug3("%s: Setting PKCS11Provider = %s from PKCS#11 URI",
|
+ debug3_f("Setting PKCS11Provider = %s from PKCS#11 URI",
|
||||||
+ __func__, pkcs11->module_path);
|
+ pkcs11->module_path);
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
+ case pPinValue:
|
+ case pPinValue:
|
||||||
+ /* pin-value */
|
+ /* pin-value */
|
||||||
+ if (pkcs11->pin != NULL) {
|
+ if (pkcs11->pin != NULL) {
|
||||||
+ verbose("%s: Multiple pin-value attributes are"
|
+ verbose_f("Multiple pin-value attributes are"
|
||||||
+ "not supported the PKCS#11 URI", __func__);
|
+ "not supported the PKCS#11 URI");
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ percent_decode(arg, &pkcs11->pin);
|
+ percent_decode(arg, &pkcs11->pin);
|
||||||
+ debug3("%s: Setting PIN from PKCS#11 URI", __func__);
|
+ debug3_f("Setting PIN from PKCS#11 URI");
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
+ default:
|
+ default:
|
||||||
+ /* Unrecognized attribute in the URI query SHOULD be ignored */
|
+ /* Unrecognized attribute in the URI query SHOULD be ignored */
|
||||||
+ verbose("%s: Unknown part of query in PKCS#11 URI: %s",
|
+ verbose_f("Unknown part of query in PKCS#11 URI: %s", tok);
|
||||||
+ __func__, tok);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+out:
|
+out:
|
||||||
@ -1727,7 +1721,7 @@ index a302c79c..879fe917 100644
|
|||||||
};
|
};
|
||||||
|
|
||||||
int pkcs11_interactive = 0;
|
int pkcs11_interactive = 0;
|
||||||
@@ -106,26 +114,63 @@ pkcs11_init(int interactive)
|
@@ -106,26 +114,61 @@ pkcs11_init(int interactive)
|
||||||
* this is called when a provider gets unregistered.
|
* this is called when a provider gets unregistered.
|
||||||
*/
|
*/
|
||||||
static void
|
static void
|
||||||
@ -1740,8 +1734,7 @@ index a302c79c..879fe917 100644
|
|||||||
- debug("pkcs11_provider_finalize: %p refcount %d valid %d",
|
- debug("pkcs11_provider_finalize: %p refcount %d valid %d",
|
||||||
- p, p->refcount, p->valid);
|
- p, p->refcount, p->valid);
|
||||||
- if (!p->valid)
|
- if (!p->valid)
|
||||||
+ debug("%s: %p refcount %d valid %d", __func__,
|
+ debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);
|
||||||
+ m, m->refcount, m->valid);
|
|
||||||
+ if (!m->valid)
|
+ if (!m->valid)
|
||||||
return;
|
return;
|
||||||
- for (i = 0; i < p->nslots; i++) {
|
- for (i = 0; i < p->nslots; i++) {
|
||||||
@ -1769,11 +1762,11 @@ index a302c79c..879fe917 100644
|
|||||||
+static void
|
+static void
|
||||||
+pkcs11_module_unref(struct pkcs11_module *m)
|
+pkcs11_module_unref(struct pkcs11_module *m)
|
||||||
+{
|
+{
|
||||||
+ debug("%s: %p refcount %d", __func__, m, m->refcount);
|
+ debug_f("%p refcount %d", m, m->refcount);
|
||||||
+ if (--m->refcount <= 0) {
|
+ if (--m->refcount <= 0) {
|
||||||
+ pkcs11_module_finalize(m);
|
+ pkcs11_module_finalize(m);
|
||||||
+ if (m->valid)
|
+ if (m->valid)
|
||||||
+ error("%s: %p still valid", __func__, m);
|
+ error_f("%p still valid", m);
|
||||||
+ free(m->slotlist);
|
+ free(m->slotlist);
|
||||||
+ free(m->slotinfo);
|
+ free(m->slotinfo);
|
||||||
+ free(m->module_path);
|
+ free(m->module_path);
|
||||||
@ -1790,8 +1783,7 @@ index a302c79c..879fe917 100644
|
|||||||
+static void
|
+static void
|
||||||
+pkcs11_provider_finalize(struct pkcs11_provider *p)
|
+pkcs11_provider_finalize(struct pkcs11_provider *p)
|
||||||
+{
|
+{
|
||||||
+ debug("%s: %p refcount %d valid %d", __func__,
|
+ debug_f("%p refcount %d valid %d", p, p->refcount, p->valid);
|
||||||
+ p, p->refcount, p->valid);
|
|
||||||
+ if (!p->valid)
|
+ if (!p->valid)
|
||||||
+ return;
|
+ return;
|
||||||
+ pkcs11_module_unref(p->module);
|
+ pkcs11_module_unref(p->module);
|
||||||
@ -1807,7 +1799,7 @@ index a302c79c..879fe917 100644
|
|||||||
pkcs11_provider_unref(struct pkcs11_provider *p)
|
pkcs11_provider_unref(struct pkcs11_provider *p)
|
||||||
{
|
{
|
||||||
- debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount);
|
- debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount);
|
||||||
+ debug("%s: %p refcount %d", __func__, p, p->refcount);
|
+ debug_f("%p refcount %d", p, p->refcount);
|
||||||
if (--p->refcount <= 0) {
|
if (--p->refcount <= 0) {
|
||||||
- if (p->valid)
|
- if (p->valid)
|
||||||
- error("pkcs11_provider_unref: %p still valid", p);
|
- error("pkcs11_provider_unref: %p still valid", p);
|
||||||
@ -1853,7 +1845,7 @@ index a302c79c..879fe917 100644
|
|||||||
+ int rv;
|
+ int rv;
|
||||||
+ struct pkcs11_uri *uri;
|
+ struct pkcs11_uri *uri;
|
||||||
+
|
+
|
||||||
+ debug("%s: called, provider_id = %s", __func__, provider_id);
|
+ debug_f("called, provider_id = %s", provider_id);
|
||||||
+
|
+
|
||||||
+ uri = pkcs11_uri_init();
|
+ uri = pkcs11_uri_init();
|
||||||
+ if (uri == NULL)
|
+ if (uri == NULL)
|
||||||
@ -1881,7 +1873,7 @@ index a302c79c..879fe917 100644
|
|||||||
+ char *provider_uri = pkcs11_uri_get(uri);
|
+ char *provider_uri = pkcs11_uri_get(uri);
|
||||||
|
|
||||||
- if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
|
- if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
|
||||||
+ debug3("%s(%s): called", __func__, provider_uri);
|
+ debug3_f("called with provider %s", provider_uri);
|
||||||
+
|
+
|
||||||
+ if ((p = pkcs11_provider_lookup(provider_uri)) != NULL) {
|
+ if ((p = pkcs11_provider_lookup(provider_uri)) != NULL) {
|
||||||
TAILQ_REMOVE(&pkcs11_providers, p, next);
|
TAILQ_REMOVE(&pkcs11_providers, p, next);
|
||||||
@ -1977,7 +1969,7 @@ index a302c79c..879fe917 100644
|
|||||||
si->token.label);
|
si->token.label);
|
||||||
- if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) {
|
- if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) {
|
||||||
+ if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL) {
|
+ if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL) {
|
||||||
debug("%s: no pin specified", __func__);
|
debug_f("no pin specified");
|
||||||
return (-1); /* bail out */
|
return (-1); /* bail out */
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2296,7 +2288,7 @@ index a302c79c..879fe917 100644
|
|||||||
error("BN_bin2bn failed");
|
error("BN_bin2bn failed");
|
||||||
goto fail;
|
goto fail;
|
||||||
@@ -871,7 +1032,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
@@ -871,7 +1032,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||||
fatal("%s: set key", __func__);
|
fatal_f("set key");
|
||||||
rsa_n = rsa_e = NULL; /* transferred */
|
rsa_n = rsa_e = NULL; /* transferred */
|
||||||
|
|
||||||
- if (pkcs11_rsa_wrap(p, slotidx, &key_attr[0], rsa))
|
- if (pkcs11_rsa_wrap(p, slotidx, &key_attr[0], rsa))
|
||||||
@ -2508,7 +2500,7 @@ index a302c79c..879fe917 100644
|
|||||||
int ret = -1;
|
int ret = -1;
|
||||||
struct pkcs11_provider *p = NULL;
|
struct pkcs11_provider *p = NULL;
|
||||||
void *handle = NULL;
|
void *handle = NULL;
|
||||||
@@ -1484,167 +1670,303 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
@@ -1484,164 +1670,298 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
||||||
CK_FUNCTION_LIST *f = NULL;
|
CK_FUNCTION_LIST *f = NULL;
|
||||||
CK_TOKEN_INFO *token;
|
CK_TOKEN_INFO *token;
|
||||||
CK_ULONG i;
|
CK_ULONG i;
|
||||||
@ -2522,7 +2514,7 @@ index a302c79c..879fe917 100644
|
|||||||
+#ifdef PKCS11_DEFAULT_PROVIDER
|
+#ifdef PKCS11_DEFAULT_PROVIDER
|
||||||
+ provider_module = strdup(PKCS11_DEFAULT_PROVIDER);
|
+ provider_module = strdup(PKCS11_DEFAULT_PROVIDER);
|
||||||
+#else
|
+#else
|
||||||
+ error("%s: No module path provided", __func__);
|
+ error_f("No module path provided");
|
||||||
goto fail;
|
goto fail;
|
||||||
- *providerp = NULL;
|
- *providerp = NULL;
|
||||||
-
|
-
|
||||||
@ -2536,16 +2528,14 @@ index a302c79c..879fe917 100644
|
|||||||
+ }
|
+ }
|
||||||
|
|
||||||
- if (pkcs11_provider_lookup(provider_id) != NULL) {
|
- if (pkcs11_provider_lookup(provider_id) != NULL) {
|
||||||
- debug("%s: provider already registered: %s",
|
- debug_f("provider already registered: %s", provider_id);
|
||||||
- __func__, provider_id);
|
|
||||||
- goto fail;
|
- goto fail;
|
||||||
+ p = xcalloc(1, sizeof(*p));
|
+ p = xcalloc(1, sizeof(*p));
|
||||||
+ p->name = pkcs11_uri_get(uri);
|
+ p->name = pkcs11_uri_get(uri);
|
||||||
+
|
+
|
||||||
+ if ((m = pkcs11_provider_lookup_module(provider_module)) != NULL
|
+ if ((m = pkcs11_provider_lookup_module(provider_module)) != NULL
|
||||||
+ && m->valid) {
|
+ && m->valid) {
|
||||||
+ debug("%s: provider module already initialized: %s",
|
+ debug_f("provider module already initialized: %s", provider_module);
|
||||||
+ __func__, provider_module);
|
|
||||||
+ free(provider_module);
|
+ free(provider_module);
|
||||||
+ /* Skip the initialization of PKCS#11 module */
|
+ /* Skip the initialization of PKCS#11 module */
|
||||||
+ m->refcount++;
|
+ m->refcount++;
|
||||||
@ -2605,8 +2595,8 @@ index a302c79c..879fe917 100644
|
|||||||
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
|
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
|
||||||
+ if (uri->lib_manuf != NULL &&
|
+ if (uri->lib_manuf != NULL &&
|
||||||
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) {
|
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) {
|
||||||
+ debug("%s: Skipping provider %s not matching library_manufacturer",
|
+ debug_f("Skipping provider %s not matching library_manufacturer",
|
||||||
+ __func__, m->info.manufacturerID);
|
+ m->info.manufacturerID);
|
||||||
+ goto fail;
|
+ goto fail;
|
||||||
+ }
|
+ }
|
||||||
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
|
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
|
||||||
@ -2634,9 +2624,8 @@ index a302c79c..879fe917 100644
|
|||||||
}
|
}
|
||||||
- if (p->nslots == 0) {
|
- if (p->nslots == 0) {
|
||||||
+ if (m->nslots == 0) {
|
+ if (m->nslots == 0) {
|
||||||
debug("%s: provider %s returned no slots", __func__,
|
- debug_f("provider %s returned no slots", provider_id);
|
||||||
- provider_id);
|
+ debug_f("provider %s returned no slots", provider_module);
|
||||||
+ provider_module);
|
|
||||||
ret = -SSH_PKCS11_ERR_NO_SLOTS;
|
ret = -SSH_PKCS11_ERR_NO_SLOTS;
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
@ -2663,8 +2652,8 @@ index a302c79c..879fe917 100644
|
|||||||
+ if ((rv = f->C_GetTokenInfo(m->slotlist[i], token))
|
+ if ((rv = f->C_GetTokenInfo(m->slotlist[i], token))
|
||||||
!= CKR_OK) {
|
!= CKR_OK) {
|
||||||
error("C_GetTokenInfo for provider %s slot %lu "
|
error("C_GetTokenInfo for provider %s slot %lu "
|
||||||
- "failed: %lu", provider_id, (unsigned long)i, rv);
|
- "failed: %lu", provider_id, (u_long)i, rv);
|
||||||
+ "failed: %lu", provider_module, (unsigned long)i, rv);
|
+ "failed: %lu", provider_module, (u_long)i, rv);
|
||||||
+ token->flags = 0;
|
+ token->flags = 0;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@ -2735,25 +2724,23 @@ index a302c79c..879fe917 100644
|
|||||||
+ for (i = 0; i < p->module->nslots; i++) {
|
+ for (i = 0; i < p->module->nslots; i++) {
|
||||||
+ token = &p->module->slotinfo[i].token;
|
+ token = &p->module->slotinfo[i].token;
|
||||||
if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) {
|
if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) {
|
||||||
debug2("%s: ignoring uninitialised token in "
|
debug2_f("ignoring uninitialised token in "
|
||||||
"provider %s slot %lu", __func__,
|
- "provider %s slot %lu", provider_id, (u_long)i);
|
||||||
- provider_id, (unsigned long)i);
|
+ "provider %s slot %lu", provider_uri, (u_long)i);
|
||||||
+ provider_uri, (unsigned long)i);
|
|
||||||
+ continue;
|
+ continue;
|
||||||
+ }
|
+ }
|
||||||
+ if (uri->token != NULL &&
|
+ if (uri->token != NULL &&
|
||||||
+ strcmp(token->label, uri->token) != 0) {
|
+ strcmp(token->label, uri->token) != 0) {
|
||||||
+ debug2("%s: ignoring token not matching label (%s) "
|
+ debug2_f("ignoring token not matching label (%s) "
|
||||||
+ "specified by PKCS#11 URI in slot %lu", __func__,
|
+ "specified by PKCS#11 URI in slot %lu",
|
||||||
+ token->label, (unsigned long)i);
|
+ token->label, (unsigned long)i);
|
||||||
+ continue;
|
+ continue;
|
||||||
+ }
|
+ }
|
||||||
+ if (uri->manuf != NULL &&
|
+ if (uri->manuf != NULL &&
|
||||||
+ strcmp(token->manufacturerID, uri->manuf) != 0) {
|
+ strcmp(token->manufacturerID, uri->manuf) != 0) {
|
||||||
+ debug2("%s: ignoring token not matching requrested "
|
+ debug2_f("ignoring token not matching requrested "
|
||||||
+ "manufacturerID (%s) specified by PKCS#11 URI in "
|
+ "manufacturerID (%s) specified by PKCS#11 URI in "
|
||||||
+ "slot %lu", __func__,
|
+ "slot %lu", token->manufacturerID, (unsigned long)i);
|
||||||
+ token->manufacturerID, (unsigned long)i);
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
- rmspace(token->label, sizeof(token->label));
|
- rmspace(token->label, sizeof(token->label));
|
||||||
@ -2789,8 +2776,7 @@ index a302c79c..879fe917 100644
|
|||||||
* expose keys.
|
* expose keys.
|
||||||
*/
|
*/
|
||||||
- if (pkcs11_login_slot(p, &p->slotinfo[i],
|
- if (pkcs11_login_slot(p, &p->slotinfo[i],
|
||||||
+ debug3("%s: Trying to login as there were no keys found",
|
+ debug3_f("Trying to login as there were no keys found");
|
||||||
+ __func__);
|
|
||||||
+ if (pkcs11_login_slot(p, &p->module->slotinfo[i],
|
+ if (pkcs11_login_slot(p, &p->module->slotinfo[i],
|
||||||
CKU_USER) < 0) {
|
CKU_USER) < 0) {
|
||||||
error("login failed");
|
error("login failed");
|
||||||
@ -2802,8 +2788,8 @@ index a302c79c..879fe917 100644
|
|||||||
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
|
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
|
||||||
+ }
|
+ }
|
||||||
+ if (nkeys == 0 && uri->object != NULL) {
|
+ if (nkeys == 0 && uri->object != NULL) {
|
||||||
+ debug3("%s: No keys found. Retrying without label (%s) ",
|
+ debug3_f("No keys found. Retrying without label (%s) ",
|
||||||
+ __func__, uri->object);
|
+ uri->object);
|
||||||
+ /* Try once more without the label filter */
|
+ /* Try once more without the label filter */
|
||||||
+ char *label = uri->object;
|
+ char *label = uri->object;
|
||||||
+ uri->object = NULL; /* XXX clone uri? */
|
+ uri->object = NULL; /* XXX clone uri? */
|
||||||
@ -2852,7 +2838,7 @@ index a302c79c..879fe917 100644
|
|||||||
+ struct pkcs11_uri *uri = NULL;
|
+ struct pkcs11_uri *uri = NULL;
|
||||||
+ int r;
|
+ int r;
|
||||||
+
|
+
|
||||||
+ debug("%s: called, provider_id = %s", __func__, provider_id);
|
+ debug_f("called, provider_id = %s", provider_id);
|
||||||
+
|
+
|
||||||
+ uri = pkcs11_uri_init();
|
+ uri = pkcs11_uri_init();
|
||||||
+ if (uri == NULL)
|
+ if (uri == NULL)
|
||||||
@ -2878,12 +2864,11 @@ index a302c79c..879fe917 100644
|
|||||||
+pkcs11_add_provider_by_uri(struct pkcs11_uri *uri, char *pin,
|
+pkcs11_add_provider_by_uri(struct pkcs11_uri *uri, char *pin,
|
||||||
+ struct sshkey ***keyp, char ***labelsp)
|
+ struct sshkey ***keyp, char ***labelsp)
|
||||||
{
|
{
|
||||||
- struct pkcs11_provider *p = NULL;
|
struct pkcs11_provider *p = NULL;
|
||||||
int nkeys;
|
int nkeys;
|
||||||
+ struct pkcs11_provider *p = NULL;
|
|
||||||
+ char *provider_uri = pkcs11_uri_get(uri);
|
+ char *provider_uri = pkcs11_uri_get(uri);
|
||||||
+
|
+
|
||||||
+ debug("%s: called, provider_uri = %s", __func__, provider_uri);
|
+ debug_f("called, provider_uri = %s", provider_uri);
|
||||||
|
|
||||||
- nkeys = pkcs11_register_provider(provider_id, pin, keyp, labelsp,
|
- nkeys = pkcs11_register_provider(provider_id, pin, keyp, labelsp,
|
||||||
- &p, CKU_USER);
|
- &p, CKU_USER);
|
||||||
@ -2892,11 +2877,11 @@ index a302c79c..879fe917 100644
|
|||||||
/* no keys found or some other error, de-register provider */
|
/* no keys found or some other error, de-register provider */
|
||||||
if (nkeys <= 0 && p != NULL) {
|
if (nkeys <= 0 && p != NULL) {
|
||||||
@@ -1652,7 +1974,37 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp,
|
@@ -1652,7 +1974,37 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp,
|
||||||
|
pkcs11_provider_unref(p);
|
||||||
}
|
}
|
||||||
if (nkeys == 0)
|
if (nkeys == 0)
|
||||||
debug("%s: provider %s returned no keys", __func__,
|
- debug_f("provider %s returned no keys", provider_id);
|
||||||
- provider_id);
|
+ debug_f("provider %s returned no keys", provider_uri);
|
||||||
+ provider_uri);
|
|
||||||
+
|
+
|
||||||
+ free(provider_uri);
|
+ free(provider_uri);
|
||||||
+ return nkeys;
|
+ return nkeys;
|
||||||
@ -2930,26 +2915,6 @@ index a302c79c..879fe917 100644
|
|||||||
|
|
||||||
return (nkeys);
|
return (nkeys);
|
||||||
}
|
}
|
||||||
@@ -1674,7 +2026,7 @@ pkcs11_gakp(char *provider_id, char *pin, unsigned int slotidx, char *label,
|
|
||||||
|
|
||||||
if ((p = pkcs11_provider_lookup(provider_id)) != NULL)
|
|
||||||
debug("%s: provider \"%s\" available", __func__, provider_id);
|
|
||||||
- else if ((ret = pkcs11_register_provider(provider_id, pin, NULL, NULL,
|
|
||||||
+ else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL,
|
|
||||||
&p, CKU_SO)) < 0) {
|
|
||||||
debug("%s: could not register provider %s", __func__,
|
|
||||||
provider_id);
|
|
||||||
@@ -1746,8 +2098,8 @@ pkcs11_destroy_keypair(char *provider_id, char *pin, unsigned long slotidx,
|
|
||||||
|
|
||||||
if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
|
|
||||||
debug("%s: using provider \"%s\"", __func__, provider_id);
|
|
||||||
- } else if (pkcs11_register_provider(provider_id, pin, NULL, NULL, &p,
|
|
||||||
- CKU_SO) < 0) {
|
|
||||||
+ } else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL,
|
|
||||||
+ &p, CKU_SO)) < 0) {
|
|
||||||
debug("%s: could not register provider %s", __func__,
|
|
||||||
provider_id);
|
|
||||||
goto out;
|
|
||||||
diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
|
diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
|
||||||
index 81f1d7c5..feaf74de 100644
|
index 81f1d7c5..feaf74de 100644
|
||||||
--- a/ssh-pkcs11.h
|
--- a/ssh-pkcs11.h
|
||||||
@ -2995,7 +2960,7 @@ index 15aee569..976844cb 100644
|
|||||||
+ pkcs11_terminate();
|
+ pkcs11_terminate();
|
||||||
|
|
||||||
skip_connect:
|
skip_connect:
|
||||||
exit_status = ssh_session2(ssh, pw);
|
exit_status = ssh_session2(ssh, cinfo);
|
||||||
@@ -2076,6 +2085,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
|
@@ -2076,6 +2085,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
|
||||||
options.escape_char : SSH_ESCAPECHAR_NONE, id);
|
options.escape_char : SSH_ESCAPECHAR_NONE, id);
|
||||||
}
|
}
|
||||||
@ -3041,7 +3006,7 @@ index 15aee569..976844cb 100644
|
|||||||
+
|
+
|
||||||
/* Loads all IdentityFile and CertificateFile keys */
|
/* Loads all IdentityFile and CertificateFile keys */
|
||||||
static void
|
static void
|
||||||
load_public_identity_files(struct passwd *pw)
|
load_public_identity_files(const struct ssh_conn_info *cinfo)
|
||||||
@@ -2090,11 +2138,6 @@ load_public_identity_files(struct passwd *pw)
|
@@ -2090,11 +2138,6 @@ load_public_identity_files(struct passwd *pw)
|
||||||
char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
|
char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
|
||||||
struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
|
struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
|
||||||
@ -3117,9 +3082,9 @@ index 15aee569..976844cb 100644
|
|||||||
+ }
|
+ }
|
||||||
+#endif /* ENABLE_PKCS11 */
|
+#endif /* ENABLE_PKCS11 */
|
||||||
+ cp = tilde_expand_filename(name, getuid());
|
+ cp = tilde_expand_filename(name, getuid());
|
||||||
filename = default_client_percent_dollar_expand(cp,
|
filename = default_client_percent_dollar_expand(cp, cinfo);
|
||||||
pw->pw_dir, host, options.user, pw->pw_name);
|
|
||||||
free(cp);
|
free(cp);
|
||||||
|
check_load(sshkey_load_public(filename, &public, NULL),
|
||||||
diff --git a/ssh_config.5 b/ssh_config.5
|
diff --git a/ssh_config.5 b/ssh_config.5
|
||||||
index 06a32d31..4b2763bd 100644
|
index 06a32d31..4b2763bd 100644
|
||||||
--- a/ssh_config.5
|
--- a/ssh_config.5
|
||||||
|
@ -7,8 +7,8 @@ diff --git a/channels.c b/channels.c
|
|||||||
if (x11_use_localhost)
|
if (x11_use_localhost)
|
||||||
set_reuseaddr(sock);
|
set_reuseaddr(sock);
|
||||||
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||||
debug2("%s: bind port %d: %.100s", __func__,
|
debug2_f("bind port %d: %.100s", port,
|
||||||
port, strerror(errno));
|
strerror(errno));
|
||||||
close(sock);
|
close(sock);
|
||||||
+
|
+
|
||||||
+ /* do not remove successfully opened
|
+ /* do not remove successfully opened
|
||||||
|
@ -37,8 +37,8 @@
|
|||||||
+ * SHA2 signature types.
|
+ * SHA2 signature types.
|
||||||
+ */
|
+ */
|
||||||
+ if (alg == NULL &&
|
+ if (alg == NULL &&
|
||||||
+ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
|
+ (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) {
|
||||||
+ oallowed = allowed = xstrdup(options.pubkey_key_types);
|
+ oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
|
||||||
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
||||||
+ if (sshkey_type_from_name(cp) != key->type)
|
+ if (sshkey_type_from_name(cp) != key->type)
|
||||||
+ continue;
|
+ continue;
|
||||||
|
@ -1,14 +0,0 @@
|
|||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index e0768c06..5065ae7e 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
#ifdef __NR_pselect6
|
|
||||||
SC_ALLOW(__NR_pselect6),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_pselect6_time64
|
|
||||||
+ SC_ALLOW(__NR_pselect6_time64),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR_read
|
|
||||||
SC_ALLOW(__NR_read),
|
|
||||||
#endif
|
|
@ -1,130 +0,0 @@
|
|||||||
From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Oleg <Fallmay@users.noreply.github.com>
|
|
||||||
Date: Thu, 1 Oct 2020 12:09:08 +0300
|
|
||||||
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
|
|
||||||
|
|
||||||
---
|
|
||||||
contrib/ssh-copy-id | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index 392f64f94..a76907717 100644
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -247,7 +247,7 @@ installkeys_sh() {
|
|
||||||
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
|
|
||||||
# the cat adds the keys we're getting via STDIN
|
|
||||||
# and if available restorecon is used to restore the SELinux context
|
|
||||||
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
|
|
||||||
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
|
||||||
cd;
|
|
||||||
umask 077;
|
|
||||||
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
|
||||||
@@ -258,6 +258,7 @@ installkeys_sh() {
|
|
||||||
restorecon -F .ssh ${AUTH_KEY_FILE};
|
|
||||||
fi
|
|
||||||
EOF
|
|
||||||
+ )
|
|
||||||
|
|
||||||
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
|
|
||||||
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
|
|
||||||
|
|
||||||
From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
|
|
||||||
From: Philip Hands <phil@hands.com>
|
|
||||||
Date: Sat, 3 Oct 2020 00:20:07 +0200
|
|
||||||
Subject: [PATCH] un-nest $() to make ksh cheerful
|
|
||||||
|
|
||||||
---
|
|
||||||
ssh-copy-id | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Philip Hands <phil@hands.com>
|
|
||||||
Date: Fri, 2 Oct 2020 21:30:10 +0200
|
|
||||||
Subject: [PATCH] ksh doesn't grok 'local'
|
|
||||||
|
|
||||||
and AFAICT it's not actually doing anything useful in the code, so let's
|
|
||||||
see how things go without it.
|
|
||||||
---
|
|
||||||
ssh-copy-id | 11 +++++------
|
|
||||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index a769077..11c9463 100755
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -76,7 +76,7 @@ quote() {
|
|
||||||
}
|
|
||||||
|
|
||||||
use_id_file() {
|
|
||||||
- local L_ID_FILE="$1"
|
|
||||||
+ L_ID_FILE="$1"
|
|
||||||
|
|
||||||
if [ -z "$L_ID_FILE" ] ; then
|
|
||||||
printf '%s: ERROR: no ID file found\n' "$0"
|
|
||||||
@@ -94,7 +94,7 @@ use_id_file() {
|
|
||||||
# check that the files are readable
|
|
||||||
for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
|
|
||||||
ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
|
|
||||||
- local L_PRIVMSG=""
|
|
||||||
+ L_PRIVMSG=""
|
|
||||||
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
|
|
||||||
printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
|
|
||||||
exit 1
|
|
||||||
@@ -169,7 +169,7 @@ fi
|
|
||||||
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
|
|
||||||
# and has the side effect of setting $NEW_IDS
|
|
||||||
populate_new_ids() {
|
|
||||||
- local L_SUCCESS="$1"
|
|
||||||
+ L_SUCCESS="$1"
|
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
if [ "$FORCED" ] ; then
|
|
||||||
@@ -181,13 +181,12 @@ populate_new_ids() {
|
|
||||||
eval set -- "$SSH_OPTS"
|
|
||||||
|
|
||||||
umask 0177
|
|
||||||
- local L_TMP_ID_FILE
|
|
||||||
L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
|
|
||||||
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
|
|
||||||
printf '%s: ERROR: mktemp failed\n' "$0" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
- local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
|
||||||
+ L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
|
||||||
# shellcheck disable=SC2064
|
|
||||||
trap "$L_CLEANUP" EXIT TERM INT QUIT
|
|
||||||
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
|
|
||||||
@@ -237,7 +236,7 @@ populate_new_ids() {
|
|
||||||
# produce a one-liner to add the keys to remote authorized_keys file
|
|
||||||
# optionally takes an alternative path for authorized_keys
|
|
||||||
installkeys_sh() {
|
|
||||||
- local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
|
||||||
+ AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
|
||||||
|
|
||||||
# In setting INSTALLKEYS_SH:
|
|
||||||
# the tr puts it all on one line (to placate tcsh)
|
|
||||||
--
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index 11c9463..ee3f637 100755
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -237,6 +237,7 @@ populate_new_ids() {
|
|
||||||
# optionally takes an alternative path for authorized_keys
|
|
||||||
installkeys_sh() {
|
|
||||||
AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
|
||||||
+ AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
|
|
||||||
|
|
||||||
# In setting INSTALLKEYS_SH:
|
|
||||||
# the tr puts it all on one line (to placate tcsh)
|
|
||||||
@@ -249,7 +250,7 @@ installkeys_sh() {
|
|
||||||
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
|
||||||
cd;
|
|
||||||
umask 077;
|
|
||||||
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
|
||||||
+ mkdir -p "${AUTH_KEY_DIR}" &&
|
|
||||||
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
|
||||||
cat >> ${AUTH_KEY_FILE} ||
|
|
||||||
exit 1;
|
|
||||||
--
|
|
24
openssh.spec
24
openssh.spec
@ -50,21 +50,21 @@
|
|||||||
%{?static_openssl:%global static_libcrypto 1}
|
%{?static_openssl:%global static_libcrypto 1}
|
||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 8.4p1
|
%global openssh_ver 8.5p1
|
||||||
%global openssh_rel 5
|
%global openssh_rel 1
|
||||||
%global pam_ssh_agent_ver 0.10.4
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 1
|
%global pam_ssh_agent_rel 2
|
||||||
|
|
||||||
Summary: An open source implementation of SSH protocol version 2
|
Summary: An open source implementation of SSH protocol version 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: %{openssh_ver}
|
Version: %{openssh_ver}
|
||||||
Release: %{openssh_rel}%{?dist}.2
|
Release: %{openssh_rel}%{?dist}
|
||||||
URL: http://www.openssh.com/portable.html
|
URL: http://www.openssh.com/portable.html
|
||||||
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
|
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
|
||||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||||
Source2: sshd.pam
|
Source2: sshd.pam
|
||||||
Source3: DJM-GPG-KEY.gpg
|
Source3: gpgkey-736060BA.gpg
|
||||||
Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
|
Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
|
||||||
Source5: pam_ssh_agent-rmheaders
|
Source5: pam_ssh_agent-rmheaders
|
||||||
Source6: ssh-keycat.pam
|
Source6: ssh-keycat.pam
|
||||||
@ -178,9 +178,6 @@ Patch950: openssh-7.5p1-sandbox.patch
|
|||||||
Patch951: openssh-8.0p1-pkcs11-uri.patch
|
Patch951: openssh-8.0p1-pkcs11-uri.patch
|
||||||
# Unbreak scp between two IPv6 hosts (#1620333)
|
# Unbreak scp between two IPv6 hosts (#1620333)
|
||||||
Patch953: openssh-7.8p1-scp-ipv6.patch
|
Patch953: openssh-7.8p1-scp-ipv6.patch
|
||||||
# ssh-copy-id is unmaintained: Aggreagete patches
|
|
||||||
# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
|
|
||||||
Patch958: openssh-7.9p1-ssh-copy-id.patch
|
|
||||||
# Mention crypto-policies in manual pages (#1668325)
|
# Mention crypto-policies in manual pages (#1668325)
|
||||||
Patch962: openssh-8.0p1-crypto-policies.patch
|
Patch962: openssh-8.0p1-crypto-policies.patch
|
||||||
# Use OpenSSL high-level API to produce and verify signatures (#1707485)
|
# Use OpenSSL high-level API to produce and verify signatures (#1707485)
|
||||||
@ -191,9 +188,6 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
|
|||||||
Patch965: openssh-8.2p1-visibility.patch
|
Patch965: openssh-8.2p1-visibility.patch
|
||||||
# Do not break X11 without IPv6
|
# Do not break X11 without IPv6
|
||||||
Patch966: openssh-8.2p1-x11-without-ipv6.patch
|
Patch966: openssh-8.2p1-x11-without-ipv6.patch
|
||||||
Patch967: openssh-8.4p1-ssh-copy-id.patch
|
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
|
|
||||||
Patch968: openssh-8.4p1-sandbox-seccomp.patch
|
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
|
||||||
Patch969: openssh-8.4p1-debian-compat.patch
|
Patch969: openssh-8.4p1-debian-compat.patch
|
||||||
|
|
||||||
@ -266,7 +260,7 @@ Requires: openssh = %{version}-%{release}
|
|||||||
%package -n pam_ssh_agent_auth
|
%package -n pam_ssh_agent_auth
|
||||||
Summary: PAM module for authentication with ssh-agent
|
Summary: PAM module for authentication with ssh-agent
|
||||||
Version: %{pam_ssh_agent_ver}
|
Version: %{pam_ssh_agent_ver}
|
||||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.4
|
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -364,14 +358,11 @@ popd
|
|||||||
%patch950 -p1 -b .sandbox
|
%patch950 -p1 -b .sandbox
|
||||||
%patch951 -p1 -b .pkcs11-uri
|
%patch951 -p1 -b .pkcs11-uri
|
||||||
%patch953 -p1 -b .scp-ipv6
|
%patch953 -p1 -b .scp-ipv6
|
||||||
%patch958 -p1 -b .ssh-copy-id
|
|
||||||
%patch962 -p1 -b .crypto-policies
|
%patch962 -p1 -b .crypto-policies
|
||||||
%patch963 -p1 -b .openssl-evp
|
%patch963 -p1 -b .openssl-evp
|
||||||
%patch964 -p1 -b .openssl-kdf
|
%patch964 -p1 -b .openssl-kdf
|
||||||
%patch965 -p1 -b .visibility
|
%patch965 -p1 -b .visibility
|
||||||
%patch966 -p1 -b .x11-ipv6
|
%patch966 -p1 -b .x11-ipv6
|
||||||
%patch967 -p1 -b .ssh-copy-id
|
|
||||||
%patch968 -p1 -b .seccomp
|
|
||||||
%patch969 -p0 -b .debian
|
%patch969 -p0 -b .debian
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
@ -648,6 +639,9 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 03 2021 Jakub Jelen <jjelen@redhat.com> - 8.5p1-1 + 0.10.4-2
|
||||||
|
- New upstream release (#1934336)
|
||||||
|
|
||||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8.4p1-5.2
|
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8.4p1-5.2
|
||||||
- Rebuilt for updated systemd-rpm-macros
|
- Rebuilt for updated systemd-rpm-macros
|
||||||
See https://pagure.io/fesco/issue/2583.
|
See https://pagure.io/fesco/issue/2583.
|
||||||
|
6
sources
6
sources
@ -1,4 +1,4 @@
|
|||||||
SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
|
SHA512 (openssh-8.5p1.tar.gz) = af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
|
||||||
SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
|
SHA512 (openssh-8.5p1.tar.gz.asc) = 264a991c7207f2215875e2b472a649ede1a69f6486d25777bf522047c26ea77c2995d34b6917a993ea9a250b7dd5298a30f1975e20e471f079c9064ce283cec2
|
||||||
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
|
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
|
||||||
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21
|
||||||
|
Loading…
Reference in New Issue
Block a user