From 394f1022a004189394f45ee93fbff3ce0b41677d Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich
Date: Thu, 12 Mar 2026 12:46:12 +0100
Subject: [PATCH] First property value in config should win
Only the first value of MaxStartups, PerSourceNetBlockSize and IPQoS in sshd_config should count when defined multiple times
Resolves: RHEL-150365
Signed-off-by: Zoltan Fridrich
---
 openssh-9.9p1-first-match-wins.patch | 106 +++++++++++++++++++++++++++
 openssh.spec | 10 +++
 2 files changed, 116 insertions(+)
 create mode 100644 openssh-9.9p1-first-match-wins.patch
diff --git a/openssh-9.9p1-first-match-wins.patch b/openssh-9.9p1-first-match-wins.patch
new file mode 100644
index 0000000..7d76437
--- /dev/null
+++ b/openssh-9.9p1-first-match-wins.patch
@@ -0,0 +1,106 @@
+diff --color -ruNp a/regress/cfgparse.sh b/regress/cfgparse.sh
+--- a/regress/cfgparse.sh 2024-09-20 00:20:48.000000000 +0200
++++ b/regress/cfgparse.sh 2026-03-05 17:30:54.959690744 +0100
+@@ -51,7 +51,7 @@ listenaddress ::1
+ EOD
+
+ ($SUDO ${SSHD} -T -f $OBJ/sshd_config.1 | \
+- grep 'listenaddress ' >$OBJ/sshd_config.2 &&
++ grep '^listenaddress ' >$OBJ/sshd_config.2 &&
+ diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \
+ fail "listenaddress order 1"
+ # test 2: listenaddress first
+@@ -67,9 +67,22 @@ listenaddress ::1
+ EOD
+
+ ($SUDO ${SSHD} -T -f $OBJ/sshd_config.1 | \
+- grep 'listenaddress ' >$OBJ/sshd_config.2 &&
++ grep '^listenaddress ' >$OBJ/sshd_config.2 &&
+ diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \
+ fail "listenaddress order 2"
+
++# Check idempotence of MaxStartups
++verbose "maxstartups idempotent"
++echo "maxstartups 1:2:3" > $OBJ/sshd_config.0
++cat > $OBJ/sshd_config.1 <$OBJ/sshd_config.2 &&
++ diff $OBJ/sshd_config.0 $OBJ/sshd_config.2) || \
++ fail "maxstartups idempotence"
++
+ # cleanup
+ rm -f $OBJ/sshd_config.[012]
+diff --color -ruNp a/servconf.c b/servconf.c
+--- a/servconf.c 2026-03-05 16:15:49.035275297 +0100
++++ b/servconf.c 2026-03-05 17:13:29.915897329 +0100
+@@ -1366,7 +1366,7 @@ process_server_config_line_depth(ServerO
+ struct include_list *includes)
+ {
+ char *str, ***chararrayptr, **charptr, *arg, *arg2, *p, *keyword;
+- int cmdline = 0, *intptr, value, value2, n, port, oactive, r;
++ int cmdline = 0, *intptr, value, value2, value3, n, port, oactive, r;
+ int ca_only = 0, found = 0;
+ SyslogFacility *log_facility_ptr;
+ LogLevel *log_level_ptr;
+@@ -2095,25 +2095,27 @@ process_server_config_line_depth(ServerO
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: %s missing argument.",
+ filename, linenum, keyword);
++ /* begin:rate:max */
+ if ((n = sscanf(arg, "%d:%d:%d",
+- &options->max_startups_begin,
+- &options->max_startups_rate,
+- &options->max_startups)) == 3) {
+- if (options->max_startups_begin >
+- options->max_startups ||
+- options->max_startups_rate > 100 ||
+- options->max_startups_rate < 1)
++ &value, &value2, &value3)) == 3) {
++ if (value > value3 || value2 > 100 || value2 < 1)
+ fatal("%s line %d: Invalid %s spec.",
+ filename, linenum, keyword);
+- } else if (n != 1)
++ } else if (n == 1) {
++ value3 = value;
++ value = value2 = -1;
++ } else {
+ fatal("%s line %d: Invalid %s spec.",
+ filename, linenum, keyword);
+- else
+- options->max_startups = options->max_startups_begin;
+- if (options->max_startups <= 0 ||
+- options->max_startups_begin <= 0)
++ }
++ if (value3 <= 0 || (value2 != -1 && value <= 0))
+ fatal("%s line %d: Invalid %s spec.",
+ filename, linenum, keyword);
++ if (*activep && options->max_startups == -1) {
++ options->max_startups_begin = value;
++ options->max_startups_rate = value2;
++ options->max_startups = value3;
++ }
+ break;
+
+ case sPerSourceNetBlockSize:
+@@ -2133,7 +2135,7 @@ process_server_config_line_depth(ServerO
+ if (n != 1 && n != 2)
+ fatal("%s line %d: Invalid %s spec.",
+ filename, linenum, keyword);
+- if (*activep) {
++ if (*activep && options->per_source_masklen_ipv4 == -1) {
+ options->per_source_masklen_ipv4 = value;
+ options->per_source_masklen_ipv6 = value2;
+ }
+@@ -2621,7 +2623,7 @@ process_server_config_line_depth(ServerO
+ else if ((value2 = parse_ipqos(arg)) == -1)
+ fatal("%s line %d: Bad %s value: %s",
+ filename, linenum, keyword, arg);
+- if (*activep) {
++ if (*activep && options->ip_qos_interactive == -1) {
+ options->ip_qos_interactive = value;
+ options->ip_qos_bulk = value2;
+ }
diff --git a/openssh.spec b/openssh.spec
index babf0ad..4e73516 100644
--- a/openssh.spec
+++ b/openssh.spec
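Review bot: In the new sMaxStartups branch the single-value form (`n == 1`) now stores `-1` into `max_startups_begin` and `max_startups_rate` instead of the old `begin == max == value`, so the meaning of `MaxStartups N` is now decided by the defaults code, which this patch does not touch. If the 9.9p1 `fill_default_server_options` still fills `max_startups_begin` with a fixed 10 and `max_startups_rate` with 30 independently of `max_startups`, then a value such as `MaxStartups 5` would end up with begin (10) above max (5) and the limit would not take effect below 10 unauthenticated connections, a combination the three-field validation rejects; it is worth confirming that the defaults change from the upstream series cited in the spec is already in the base or is folded into this patch. The added regress case only checks the three-field `1:2:3` form (its heredoc body is not visible in this rendering), so a repeated single-value `MaxStartups` is not exercised; a second case with a single value (e.g. `maxstartups 5`) and the expected `sshd -T` line would pin that behaviour. `process_server_config_line_depth` starts and ends outside the hunk.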
@@ -228,6 +228,12 @@ Patch1033: openssh-9.9p1-reject-null-char-in-url-string.patch
 Patch1034: openssh-9.9p1-sshd-no-delegate-credentials.patch
 Patch1035: openssh-10.0-mlkem-nist-fips.patch
 Patch1036: openssh-9.9p1-gssapi-s4u.patch
+# upstream 683d0abe596b069a896f1688f86256f1beeb0cdc
+# upstream 9313233a735733821dfd170b70782fb7da492962
+# upstream 2b0f4a72bd87bef7cc9f0a1889cfc98545cbb158
+# upstream 19f7cb39eecb4b8f768f37e8294dc3a9142e022b
+# upstream 97b32fa2af25c16aec4de85c5cbb63fd038b4dfa
+Patch1037: openssh-9.9p1-first-match-wins.patch
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -428,6 +434,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1034 -p1 -b .sshd-nogsscreds
 %patch -P 1035 -p1 -b .mlkem-nist-fips
 %patch -P 1036 -p1 -b .gssapi-s4u
+%patch -P 1037 -p1 -b .first-match-wins
 %patch -P 100 -p1 -b .coverity
@@ -711,6 +718,9 @@ test -f %{sysconfig_anaconda} && \
 * Thu Mar 12 2026 Zoltan Fridrich - 9.9p1-22
 - Remove recommendation of p11-kit
   Resolves: RHEL-139070
+- Only the first value of MaxStartups, PerSourceNetBlockSize and IPQoS
+  in sshd_config should count when defined multiple times
+  Resolves: RHEL-150365
 * Wed Mar 11 2026 Dmitry Belyavskiy - 9.9p1-21
 - Implement obtaining Kerberos tickets on behalf of user on SSH authentication