diff --git a/.gitignore b/.gitignore index 9c83f33..a2916ba 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/gpgkey-736060BA.gpg -SOURCES/openssh-8.6p1.tar.gz +SOURCES/openssh-8.7p1.tar.gz SOURCES/pam_ssh_agent_auth-0.10.4.tar.gz diff --git a/.openssh.metadata b/.openssh.metadata index 7546aa6..5891957 100644 --- a/.openssh.metadata +++ b/.openssh.metadata @@ -1,3 +1,3 @@ dbb35b4e9ae3f72b930a82c6fd5e83e9dcd7b193 SOURCES/gpgkey-736060BA.gpg -8f9f0c94317baeb97747d6258f3997b4542762c0 SOURCES/openssh-8.6p1.tar.gz +8719032c1e47732c8fdb14adfb24b5e9e71de802 SOURCES/openssh-8.7p1.tar.gz 66dd8274346fd006ff40f525c082cfb701085b5f SOURCES/pam_ssh_agent_auth-0.10.4.tar.gz diff --git a/SOURCES/openssh-6.6p1-GSSAPIEnablek5users.patch b/SOURCES/openssh-6.6p1-GSSAPIEnablek5users.patch index 6ee2535..cccb3e0 100644 --- a/SOURCES/openssh-6.6p1-GSSAPIEnablek5users.patch +++ b/SOURCES/openssh-6.6p1-GSSAPIEnablek5users.patch @@ -28,7 +28,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c + options->enable_k5users = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; + options->permit_empty_passwd = -1; @@ -345,6 +346,8 @@ fill_default_server_options(ServerOption #endif if (options->use_kuserok == -1) @@ -72,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c + intptr = &options->enable_k5users; + goto parse_flag; + - case sPermitListen: - case sPermitOpen: - if (opcode == sPermitListen) { + case sMatch: + if (cmdline) + fatal("Match directive not supported as a command-line " @@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); diff --git a/SOURCES/openssh-6.6p1-kuserok.patch b/SOURCES/openssh-6.6p1-kuserok.patch index 407ff4c..1831f27 100644 --- a/SOURCES/openssh-6.6p1-kuserok.patch +++ b/SOURCES/openssh-6.6p1-kuserok.patch @@ -182,7 +182,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c + options->use_kuserok = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; + options->permit_empty_passwd = -1; @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption if (options->gss_kex_algorithms == NULL) options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX); @@ -193,9 +193,9 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -399,7 +402,7 @@ typedef enum { - sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, - sRhostsRSAAuthentication, sRSAAuthentication, - sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, + sPort, sHostKeyFile, sLoginGraceTime, + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, + sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, sKerberosUniqueCCache, + sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sChallengeResponseAuthentication, @@ -217,16 +217,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions - *inc_flags &= ~SSHCFG_MATCH_ONLY; - break; - + } + break; + + case sKerberosUseKuserok: + intptr = &options->use_kuserok; + goto parse_flag; + - case sPermitListen: - case sPermitOpen: - if (opcode == sPermitListen) { + case sMatch: + if (cmdline) + fatal("Match directive not supported as a command-line " @@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(client_alive_interval); M_CP_INTOPT(ip_qos_interactive); diff --git a/SOURCES/openssh-6.7p1-coverity.patch b/SOURCES/openssh-6.7p1-coverity.patch index 9051869..6852384 100644 --- a/SOURCES/openssh-6.7p1-coverity.patch +++ b/SOURCES/openssh-6.7p1-coverity.patch @@ -54,18 +54,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c --- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100 -@@ -409,8 +409,10 @@ sshauthopt_parse(const char *opts, const - errstr = "invalid environment string"; - goto fail; - } -- if ((cp = strdup(opt)) == NULL) -+ if ((cp = strdup(opt)) == NULL) { -+ free(opt); - goto alloc_fail; -+ } - cp[tmp - opt] = '\0'; /* truncate at '=' */ - if (!valid_env_name(cp)) { - free(cp); @@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char * return r; } @@ -133,13 +121,13 @@ diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c --- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100 @@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname - &hostkey_digest_len, hostkey)) { - error("Error calculating key fingerprint."); - freerrset(fingerprints); + &hostkey_digest, &hostkey_digest_len, hostkey)) { + error("Error calculating key fingerprint."); + freerrset(fingerprints); + free(dnskey_digest); - return -1; - } - } + return -1; + } + diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c --- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100 +++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100 @@ -301,6 +289,36 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open int i; if (sa == NULL) { +diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c +--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200 ++++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200 +@@ -113,13 +113,13 @@ pselect_notify_setup(void) + static void + pselect_notify_parent(void) + { +- if (notify_pipe[1] != -1) ++ if (notify_pipe[1] >= 0) + (void)write(notify_pipe[1], "", 1); + } + static void + pselect_notify_prepare(fd_set *readset) + { +- if (notify_pipe[0] != -1) ++ if (notify_pipe[0] >= 0) + FD_SET(notify_pipe[0], readset); + } + static void +@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset) + { + char c; + +- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) { +- while (read(notify_pipe[0], &c, 1) != -1) ++ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) { ++ while (read(notify_pipe[0], &c, 1) >= 0) + debug2_f("reading"); + FD_CLR(notify_pipe[0], readset); + } diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c --- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100 +++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100 @@ -309,33 +327,29 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c error("%.200s line %d: glob failed for %s.", filename, linenum, arg2); + free(arg2); - return -1; + goto out; } free(arg2); -diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c ---- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100 -+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100 -@@ -157,7 +157,7 @@ killchild(int signo) +diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c +--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200 ++++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200 +@@ -186,11 +186,11 @@ killchild(int signo) { if (do_cmd_pid > 1) { kill(do_cmd_pid, signo ? signo : SIGTERM); - waitpid(do_cmd_pid, NULL, 0); + (void) waitpid(do_cmd_pid, NULL, 0); } + if (do_cmd_pid2 > 1) { + kill(do_cmd_pid2, signo ? signo : SIGTERM); +- waitpid(do_cmd_pid2, NULL, 0); ++ (void) waitpid(do_cmd_pid2, NULL, 0); + } if (signo) diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c --- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100 -@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions - fatal("%s line %d: Missing subsystem name.", - filename, linenum); - if (!*activep) { -- arg = strdelim(&cp); -+ /*arg =*/ (void) strdelim(&cp); - break; - } - for (i = 0; i < options->num_subsystems; i++) @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions if (*activep && *charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); @@ -348,37 +362,10 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c } break; -diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c ---- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100 -+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100 -@@ -125,13 +125,13 @@ notify_setup(void) - static void - notify_parent(void) - { -- if (notify_pipe[1] != -1) -+ if (notify_pipe[1] >= 0) - (void)write(notify_pipe[1], "", 1); - } - static void - notify_prepare(fd_set *readset) - { -- if (notify_pipe[0] != -1) -+ if (notify_pipe[0] >= 0) - FD_SET(notify_pipe[0], readset); - } - static void -@@ -139,8 +139,8 @@ notify_done(fd_set *readset) - { - char c; - -- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) -- while (read(notify_pipe[0], &c, 1) != -1) -+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) -+ while (read(notify_pipe[0], &c, 1) >= 0) - debug2_f("reading"); - } - -@@ -518,7 +518,7 @@ server_request_tun(void) +diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c +--- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200 ++++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200 +@@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh) debug_f("invalid tun"); goto done; } @@ -434,6 +421,30 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c continue; } lname = ls_file(fname, g.gl_statv[i], 1, +diff --git a/sftp-client.c b/sftp-client.c +index 9de9afa20f..ea98d9f8d0 100644 +--- a/sftp-client.c ++++ b/sftp-client.c +@@ -2195,6 +2195,7 @@ handle_dest_replies(struct sftp_conn *to, const char *to_path, int synchronous, + (*nreqsp)--; + } + debug3_f("done: %u outstanding replies", *nreqsp); ++ sshbuf_free(msg); + } + + int +diff --git a/sftp-server.c b/sftp-server.c +index 18d1949112..6380c4dd23 100644 +--- a/sftp-server.c ++++ b/sftp-server.c +@@ -1553,6 +1553,7 @@ process_extended_expand(u_int32_t id) + npath = xstrdup(path + 2); + free(path); + xasprintf(&path, "%s/%s", cwd, npath); ++ free(npath); + } else { + /* ~user expansions */ + if (tilde_expand(path, pw->pw_uid, &npath) != 0) { diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c --- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100 diff --git a/SOURCES/openssh-7.6p1-audit.patch b/SOURCES/openssh-7.6p1-audit.patch index f37ac2b..fa40053 100644 --- a/SOURCES/openssh-7.6p1-audit.patch +++ b/SOURCES/openssh-7.6p1-audit.patch @@ -807,15 +807,6 @@ diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c --- openssh-8.6p1/auth.c.audit 2021-05-06 12:05:27.304463967 +0200 +++ openssh-8.6p1/auth.c 2021-05-06 12:05:27.378464540 +0200 -@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica - # endif - #endif - #ifdef SSH_AUDIT_EVENTS -- if (authenticated == 0 && !authctxt->postponed) -+ if (authenticated == 0 && !authctxt->postponed && !partial) - audit_event(ssh, audit_classify_auth(method)); - #endif - } @@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha record_failed_login(ssh, user, auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); @@ -1204,9 +1195,9 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c - ret = sshkey_verify(key, signature, signaturelen, data, datalen, - sigalg, ssh->compat, &sig_details); - debug3_f("%s %p signature %s%s%s", auth_method, key, - (ret == 0) ? "verified" : "unverified", - (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); + debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key), + (ret == 0) ? "verified" : "unverified", + (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); @@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session } @@ -2065,7 +2056,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c close_startup_pipes(void) { @@ -377,18 +387,45 @@ grace_alarm_handler(int sig) - ssh_remote_port(the_active_state)); + } } -/* Destroy the host and server keys. They will no longer be needed. */ diff --git a/SOURCES/openssh-7.7p1-gssapi-new-unique.patch b/SOURCES/openssh-7.7p1-gssapi-new-unique.patch index 151796b..b2d2209 100644 --- a/SOURCES/openssh-7.7p1-gssapi-new-unique.patch +++ b/SOURCES/openssh-7.7p1-gssapi-new-unique.patch @@ -504,15 +504,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c options->gss_authentication = 0; if (options->gss_keyex == -1) @@ -506,7 +509,8 @@ typedef enum { - sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, - sRhostsRSAAuthentication, sRSAAuthentication, - sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, + sPort, sHostKeyFile, sLoginGraceTime, + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, + sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, sChallengeResponseAuthentication, + sKerberosGetAFSToken, sKerberosUniqueCCache, + sChallengeResponseAuthentication, - sPasswordAuthentication, sKbdInteractiveAuthentication, - sListenAddress, sAddressFamily, - sPrintMotd, sPrintLastLog, sIgnoreRhosts, + sPasswordAuthentication, sKbdInteractiveAuthentication, + sListenAddress, sAddressFamily, + sPrintMotd, sPrintLastLog, sIgnoreRhosts, @@ -593,11 +597,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, diff --git a/SOURCES/openssh-7.7p1-redhat.patch b/SOURCES/openssh-7.7p1-redhat.patch index fcda6c6..85ebc82 100644 --- a/SOURCES/openssh-7.7p1-redhat.patch +++ b/SOURCES/openssh-7.7p1-redhat.patch @@ -15,7 +15,7 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat --- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100 +++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100 -@@ -0,0 +1,21 @@ +@@ -0,0 +1,15 @@ +# The options here are in the "Match final block" to be applied as the last +# options and could be potentially overwritten by the user configuration +Match final all @@ -29,12 +29,6 @@ diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat +# mode correctly we set this to yes. + ForwardX11Trusted yes + -+# Send locale-related environment variables -+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+ SendEnv XMODIFIERS -+ +# Uncomment this if you want to use .local domain +# Host *.local diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0 @@ -86,7 +80,7 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat --- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100 +++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100 -@@ -0,0 +1,28 @@ +@@ -0,0 +1,22 @@ +# This system is following system-wide crypto policy. The changes to +# crypto properties (Ciphers, MACs, ...) will not have any effect in +# this or following included files. To override some configuration option, @@ -109,9 +103,3 @@ diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat +# as it is more configurable and versatile than the built-in version. +PrintMotd no + -+# Accept locale-related environment variables -+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE -+AcceptEnv XMODIFIERS -+ diff --git a/SOURCES/openssh-7.8p1-UsePAM-warning.patch b/SOURCES/openssh-7.8p1-UsePAM-warning.patch index 519ee29..8560c9f 100644 --- a/SOURCES/openssh-7.8p1-UsePAM-warning.patch +++ b/SOURCES/openssh-7.8p1-UsePAM-warning.patch @@ -18,7 +18,7 @@ diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config @@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication - # and ChallengeResponseAuthentication to 'no'. + # and KbdInteractiveAuthentication to 'no'. +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# problems. #UsePAM no diff --git a/SOURCES/openssh-7.8p1-role-mls.patch b/SOURCES/openssh-7.8p1-role-mls.patch index 145eac0..48f9f10 100644 --- a/SOURCES/openssh-7.8p1-role-mls.patch +++ b/SOURCES/openssh-7.8p1-role-mls.patch @@ -337,7 +337,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make --- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200 @@ -92,7 +92,8 @@ PORTS= port-aix.o \ - port-linux.o \ + port-prngd.o \ port-solaris.o \ port-net.o \ - port-uw.o diff --git a/SOURCES/openssh-8.0p1-crypto-policies.patch b/SOURCES/openssh-8.0p1-crypto-policies.patch index 4baa024..762825e 100644 --- a/SOURCES/openssh-8.0p1-crypto-policies.patch +++ b/SOURCES/openssh-8.0p1-crypto-policies.patch @@ -1,7 +1,7 @@ -diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 ---- openssh-8.6p1/ssh_config.5.crypto-policies 2021-04-19 15:18:32.071920379 +0200 -+++ openssh-8.6p1/ssh_config.5 2021-04-19 15:21:18.400179265 +0200 -@@ -368,15 +368,13 @@ or +diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5 +--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200 ++++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200 +@@ -373,17 +373,13 @@ or .Qq *.c.example.com domains. .It Cm CASignatureAlgorithms @@ -14,15 +14,17 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 by certificate authorities (CAs). -The default is: -.Bd -literal -offset indent --ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +-ssh-ed25519,ecdsa-sha2-nistp256, +-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-sk-ssh-ed25519@openssh.com, +-sk-ecdsa-sha2-nistp256@openssh.com, -rsa-sha2-512,rsa-sha2-256 -.Ed -.Pp - .Xr ssh 1 - will not accept host certificates signed using algorithms other than those - specified. -@@ -436,20 +434,25 @@ If the option is set to + If the specified list begins with a + .Sq + + character, then the specified algorithms will be appended to the default set +@@ -445,20 +441,25 @@ If the option is set to (the default), the check will not be executed. .It Cm Ciphers @@ -52,7 +54,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 .Pp The supported ciphers are: .Bd -literal -offset indent -@@ -465,13 +468,6 @@ aes256-gcm@openssh.com +@@ -474,13 +475,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .Ed .Pp @@ -66,7 +68,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 The list of available ciphers may also be obtained using .Qq ssh -Q cipher . .It Cm ClearAllForwardings -@@ -826,6 +822,11 @@ command line will be passed untouched to +@@ -874,6 +868,11 @@ command line will be passed untouched to The default is .Dq no . .It Cm GSSAPIKexAlgorithms @@ -78,7 +80,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 The list of key exchange algorithms that are offered for GSSAPI key exchange. Possible values are .Bd -literal -offset 3n -@@ -838,10 +839,8 @@ gss-nistp256-sha256-, +@@ -886,10 +885,8 @@ gss-nistp256-sha256-, gss-curve25519-sha256- .Ed .Pp @@ -90,7 +92,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -@@ -1169,29 +1168,25 @@ it may be zero or more of: +@@ -1219,29 +1216,25 @@ it may be zero or more of: and .Cm pam . .It Cm KexAlgorithms @@ -129,7 +131,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 .Pp The list of available key exchange algorithms may also be obtained using .Qq ssh -Q kex . -@@ -1301,37 +1296,33 @@ function, and all code in the +@@ -1351,37 +1344,33 @@ function, and all code in the file. This option is intended for debugging and no overrides are enabled by default. .It Cm MACs @@ -176,7 +178,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm NoHostAuthenticationForLocalhost -@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas +@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas The default is .Cm no . .It Cm PubkeyAcceptedAlgorithms @@ -223,10 +225,10 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 .Pp The list of available signature algorithms may also be obtained using .Qq ssh -Q PubkeyAcceptedAlgorithms . -diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 ---- openssh-8.6p1/sshd_config.5.crypto-policies 2021-04-19 15:18:32.062920311 +0200 -+++ openssh-8.6p1/sshd_config.5 2021-04-19 15:20:42.591908243 +0200 -@@ -373,15 +373,13 @@ If the argument is +diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5 +--- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200 ++++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200 +@@ -373,17 +373,13 @@ If the argument is then no banner is displayed. By default, no banner is displayed. .It Cm CASignatureAlgorithms @@ -239,15 +241,17 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 by certificate authorities (CAs). -The default is: -.Bd -literal -offset indent --ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, +-ssh-ed25519,ecdsa-sha2-nistp256, +-ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-sk-ssh-ed25519@openssh.com, +-sk-ecdsa-sha2-nistp256@openssh.com, -rsa-sha2-512,rsa-sha2-256 -.Ed -.Pp - Certificates signed using other algorithms will not be accepted for - public key or host-based authentication. - .It Cm ChallengeResponseAuthentication -@@ -445,20 +443,25 @@ The default is + If the specified list begins with a + .Sq + + character, then the specified algorithms will be appended to the default set +@@ -450,20 +446,25 @@ The default is indicating not to .Xr chroot 2 . .It Cm Ciphers @@ -277,7 +281,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 .Pp The supported ciphers are: .Pp -@@ -485,13 +488,6 @@ aes256-gcm@openssh.com +@@ -490,13 +491,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .El .Pp @@ -291,7 +295,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The list of available ciphers may also be obtained using .Qq ssh -Q cipher . .It Cm ClientAliveCountMax -@@ -680,21 +676,22 @@ For this to work +@@ -685,21 +679,22 @@ For this to work .Cm GSSAPIKeyExchange needs to be enabled in the server and also used by the client. .It Cm GSSAPIKexAlgorithms @@ -324,7 +328,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 This option only applies to connections using GSSAPI. .It Cm HostbasedAcceptedAlgorithms Specifies the signature algorithms that will be accepted for hostbased -@@ -794,26 +791,13 @@ is specified, the location of the socket +@@ -799,26 +794,13 @@ is specified, the location of the socket .Ev SSH_AUTH_SOCK environment variable. .It Cm HostKeyAlgorithms @@ -356,7 +360,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The list of available signature algorithms may also be obtained using .Qq ssh -Q HostKeyAlgorithms . .It Cm IgnoreRhosts -@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi +@@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi The default is .Cm yes . .It Cm KexAlgorithms @@ -386,7 +390,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The supported algorithms are: .Pp .Bl -item -compact -offset indent -@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521 +@@ -1010,15 +997,6 @@ ecdh-sha2-nistp521 sntrup761x25519-sha512@openssh.com .El .Pp @@ -402,7 +406,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The list of available key exchange algorithms may also be obtained using .Qq ssh -Q KexAlgorithms . .It Cm ListenAddress -@@ -1097,21 +1077,26 @@ function, and all code in the +@@ -1104,21 +1082,26 @@ function, and all code in the file. This option is intended for debugging and no overrides are enabled by default. .It Cm MACs @@ -433,7 +437,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 .Pp The algorithms that contain .Qq -etm -@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com +@@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com umac-128-etm@openssh.com .El .Pp @@ -449,7 +453,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm Match -@@ -1541,37 +1517,25 @@ or equivalent.) +@@ -1548,37 +1522,25 @@ or equivalent.) The default is .Cm yes . .It Cm PubkeyAcceptedAlgorithms diff --git a/SOURCES/openssh-8.0p1-gssapi-keyex.patch b/SOURCES/openssh-8.0p1-gssapi-keyex.patch index 0eea429..64d8925 100644 --- a/SOURCES/openssh-8.0p1-gssapi-keyex.patch +++ b/SOURCES/openssh-8.0p1-gssapi-keyex.patch @@ -19,11 +19,10 @@ index e7549470..b68c1710 100644 loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ srclimit.o sftp-server.o sftp-common.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ -diff --git a/auth.c b/auth.c -index 086b8ebb..687c57b4 100644 ---- a/auth.c -+++ b/auth.c -@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) +diff -up a/auth.c.gsskex b/auth.c +--- a/auth.c.gsskex 2021-08-20 06:03:49.000000000 +0200 ++++ b/auth.c 2021-08-27 12:41:51.262788953 +0200 +@@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const case PERMIT_NO_PASSWD: if (strcmp(method, "publickey") == 0 || strcmp(method, "hostbased") == 0 || @@ -33,18 +32,15 @@ index 086b8ebb..687c57b4 100644 return 1; break; case PERMIT_FORCED_ONLY: -@@ -724,99 +725,6 @@ fakepw(void) - return (&fake); +@@ -730,97 +731,6 @@ fakepw(void) } --/* + /* - * Returns the remote DNS hostname as a string. The returned string must not - * be freed. NB. this will usually trigger a DNS query the first time it is - * called. - * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- * attacks on based on conflation of hostnames and IP addresses. - */ - -static char * @@ -130,9 +126,10 @@ index 086b8ebb..687c57b4 100644 - return xstrdup(name); -} - - /* +-/* * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this + * several times. diff --git a/auth2-gss.c b/auth2-gss.c index 9351e042..d6446c0c 100644 --- a/auth2-gss.c @@ -2933,10 +2930,9 @@ index 23ab096a..485590c1 100644 #endif #ifdef USE_PAM -diff --git a/readconf.c b/readconf.c -index f3cac6b3..da8022dd 100644 ---- a/readconf.c -+++ b/readconf.c +diff -up a/readconf.c.gsskex b/readconf.c +--- a/readconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200 ++++ b/readconf.c 2021-08-27 12:25:42.556421509 +0200 @@ -67,6 +67,7 @@ #include "uidswap.h" #include "myproposal.h" @@ -2945,7 +2941,7 @@ index f3cac6b3..da8022dd 100644 /* Format of the configuration file: -@@ -160,6 +161,8 @@ typedef enum { +@@ -161,6 +162,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -2954,7 +2950,7 @@ index f3cac6b3..da8022dd 100644 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -204,10 +207,22 @@ static struct { +@@ -206,10 +209,22 @@ static struct { /* Sometimes-unsupported options */ #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2977,7 +2973,7 @@ index f3cac6b3..da8022dd 100644 #endif #ifdef ENABLE_PKCS11 { "pkcs11provider", oPKCS11Provider }, -@@ -1029,10 +1044,42 @@ parse_time: +@@ -1113,10 +1128,42 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -3006,7 +3002,7 @@ index f3cac6b3..da8022dd 100644 + goto parse_flag; + + case oGssKexAlgorithms: -+ arg = strdelim(&s); ++ arg = argv_next(&ac, &av); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); @@ -3020,9 +3016,9 @@ index f3cac6b3..da8022dd 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1911,7 +1958,13 @@ initialize_options(Options * options) +@@ -2306,7 +2353,13 @@ initialize_options(Options * options) + options->fwd_opts.streamlocal_bind_unlink = -1; options->pubkey_authentication = -1; - options->challenge_response_authentication = -1; options->gss_authentication = -1; + options->gss_keyex = -1; options->gss_deleg_creds = -1; @@ -3034,8 +3030,8 @@ index f3cac6b3..da8022dd 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -2059,8 +2112,18 @@ fill_default_options(Options * options) - options->challenge_response_authentication = 1; +@@ -2463,8 +2516,18 @@ fill_default_options(Options * options) + options->pubkey_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; + if (options->gss_keyex == -1) @@ -3053,7 +3049,7 @@ index f3cac6b3..da8022dd 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host) +@@ -3246,7 +3309,14 @@ dump_client_config(Options *o, const cha dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); #ifdef GSSAPI dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); @@ -3068,13 +3064,12 @@ index f3cac6b3..da8022dd 100644 #endif /* GSSAPI */ dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); -diff --git a/readconf.h b/readconf.h -index feedb3d2..a8a8870d 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -41,7 +41,13 @@ typedef struct { - int challenge_response_authentication; - /* Try S/Key or TIS, authentication. */ +diff -up a/readconf.h.gsskex b/readconf.h +--- a/readconf.h.gsskex 2021-08-27 12:05:29.248142431 +0200 ++++ b/readconf.h 2021-08-27 12:22:19.270679852 +0200 +@@ -39,7 +39,13 @@ typedef struct { + int pubkey_authentication; /* Try ssh2 pubkey authentication. */ + int hostbased_authentication; /* ssh2's rhosts_rsa */ int gss_authentication; /* Try GSS authentication */ + int gss_keyex; /* Try GSS key exchange */ int gss_deleg_creds; /* Delegate GSS credentials */ @@ -3086,11 +3081,10 @@ index feedb3d2..a8a8870d 100644 int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/servconf.c b/servconf.c -index 70f5f73f..191575a1 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -69,6 +69,7 @@ +diff -up a/servconf.c.gsskex b/servconf.c +--- a/servconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200 ++++ b/servconf.c 2021-08-27 12:28:15.887735189 +0200 +@@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" @@ -3098,7 +3092,7 @@ index 70f5f73f..191575a1 100644 static void add_listen_addr(ServerOptions *, const char *, const char *, int); -@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options) +@@ -136,8 +137,11 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; @@ -3109,8 +3103,8 @@ index 70f5f73f..191575a1 100644 + options->gss_kex_algorithms = NULL; options->password_authentication = -1; options->kbd_interactive_authentication = -1; - options->challenge_response_authentication = -1; -@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options) + options->permit_empty_passwd = -1; +@@ -356,10 +360,18 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -3129,7 +3123,7 @@ index 70f5f73f..191575a1 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -531,6 +543,7 @@ typedef enum { +@@ -506,6 +518,7 @@ typedef enum { sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, @@ -3137,7 +3131,7 @@ index 70f5f73f..191575a1 100644 sAcceptEnv, sSetEnv, sPermitTunnel, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, -@@ -607,12 +620,22 @@ static struct { +@@ -587,12 +600,22 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -3159,8 +3153,8 @@ index 70f5f73f..191575a1 100644 + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, - { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, + { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */ +@@ -1576,6 +1599,10 @@ process_server_config_line_depth(ServerO intptr = &options->gss_authentication; goto parse_flag; @@ -3171,7 +3165,7 @@ index 70f5f73f..191575a1 100644 case sGssCleanupCreds: intptr = &options->gss_cleanup_creds; goto parse_flag; -@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, +@@ -1584,6 +1611,22 @@ process_server_config_line_depth(ServerO intptr = &options->gss_strict_acceptor; goto parse_flag; @@ -3180,7 +3174,7 @@ index 70f5f73f..191575a1 100644 + goto parse_flag; + + case sGssKexAlgorithms: -+ arg = strdelim(&cp); ++ arg = argv_next(&ac, &av); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", + filename, linenum); @@ -3194,7 +3188,7 @@ index 70f5f73f..191575a1 100644 case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o) +@@ -2892,6 +2935,10 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); diff --git a/SOURCES/openssh-8.0p1-pkcs11-uri.patch b/SOURCES/openssh-8.0p1-pkcs11-uri.patch index 000df67..d908981 100644 --- a/SOURCES/openssh-8.0p1-pkcs11-uri.patch +++ b/SOURCES/openssh-8.0p1-pkcs11-uri.patch @@ -120,10 +120,12 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in # These all need to be compiled -fPIC, so they are treated differently. SK_DUMMY_OBJS=\ regress/misc/sk-dummy/sk-dummy.lo \ -@@ -709,6 +724,7 @@ regress-unit-binaries: regress-prep $(RE +@@ -711,7 +726,8 @@ regress-unit-binaries: regress-prep $(RE + regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \ regress/unittests/sshkey/test_sshkey$(EXEEXT) \ regress/unittests/sshsig/test_sshsig$(EXEEXT) \ - regress/unittests/utf8/test_utf8$(EXEEXT) \ +- regress/unittests/utf8/test_utf8$(EXEEXT) ++ regress/unittests/utf8/test_utf8$(EXEEXT) \ + regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \ tests: file-tests t-exec interop-tests unit @@ -1379,8 +1381,8 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c CK_RV rv; CK_ULONG i; -- debug("pkcs11_provider_finalize: %p refcount %d valid %d", -- p, p->refcount, p->valid); +- debug_f("provider \"%s\" refcount %d valid %d", +- p->name, p->refcount, p->valid); - if (!p->valid) + debug_f("%p refcount %d valid %d", m, m->refcount, m->valid); + if (!m->valid) @@ -1423,9 +1425,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c +} + +/* -+ * finalize a provider shared libarary, it's no longer usable. ++ * finalize a provider shared library, it's no longer usable. + * however, there might still be keys referencing this provider, -+ * so the actuall freeing of memory is handled by pkcs11_provider_unref(). ++ * so the actual freeing of memory is handled by pkcs11_provider_unref(). + * this is called when a provider gets unregistered. + */ +static void @@ -1442,15 +1444,12 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c } /* -@@ -135,13 +178,11 @@ pkcs11_provider_finalize(struct pkcs11_p - static void - pkcs11_provider_unref(struct pkcs11_provider *p) +@@ -137,11 +180,9 @@ pkcs11_provider_unref(struct pkcs11_prov { -- debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount); -+ debug_f("%p refcount %d", p, p->refcount); + debug_f("provider \"%s\" refcount %d", p->name, p->refcount); if (--p->refcount <= 0) { - if (p->valid) -- error("pkcs11_provider_unref: %p still valid", p); +- error_f("provider \"%s\" still valid", p->name); free(p->name); - free(p->slotlist); - free(p->slotinfo); @@ -2123,16 +2122,16 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c + key_attr[nattr].ulValueLen = strlen(uri->object); + nattr++; + } -+ -+ session = p->module->slotinfo[slotidx].session; -+ f = p->module->function_list; - rv = f->C_FindObjectsInit(session, key_attr, 1); ++ session = p->module->slotinfo[slotidx].session; ++ f = p->module->function_list; ++ + rv = f->C_FindObjectsInit(session, key_attr, nattr); if (rv != CKR_OK) { error("C_FindObjectsInit failed: %lu", rv); goto fail; -@@ -1499,16 +1687,10 @@ pkcs11_ecdsa_generate_private_key(struct +@@ -1499,16 +1690,10 @@ pkcs11_ecdsa_generate_private_key(struct } #endif /* WITH_PKCS11_KEYGEN */ @@ -2237,17 +2236,17 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c error("C_GetInfo for provider %s failed: %lu", - provider_id, rv); + provider_module, rv); - goto fail; - } -- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); -- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); ++ goto fail; ++ } + rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID)); + if (uri->lib_manuf != NULL && + strcmp(uri->lib_manuf, m->info.manufacturerID)) { + debug_f("Skipping provider %s not matching library_manufacturer", + m->info.manufacturerID); -+ goto fail; -+ } + goto fail; + } +- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID)); +- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription)); + rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription)); debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d" " libraryDescription <%s> libraryVersion %d.%d", diff --git a/SOURCES/openssh-8.0p1-restore-nonblock.patch b/SOURCES/openssh-8.0p1-restore-nonblock.patch deleted file mode 100644 index dbdf7ed..0000000 --- a/SOURCES/openssh-8.0p1-restore-nonblock.patch +++ /dev/null @@ -1,320 +0,0 @@ -diff --git a/channels.c b/channels.c -index 32d1f617..0024f751 100644 ---- a/channels.c -+++ b/channels.c -@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, - #endif - - /* enable nonblocking mode */ -- if (nonblock) { -+ c->restore_block = 0; -+ if (nonblock == CHANNEL_NONBLOCK_STDIO) { -+ /* -+ * Special handling for stdio file descriptors: do not set -+ * non-blocking mode if they are TTYs. Otherwise prepare to -+ * restore their blocking state on exit to avoid interfering -+ * with other programs that follow. -+ */ -+ if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) { -+ c->restore_block |= CHANNEL_RESTORE_RFD; -+ set_nonblock(rfd); -+ } -+ if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) { -+ c->restore_block |= CHANNEL_RESTORE_WFD; -+ set_nonblock(wfd); -+ } -+ if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) { -+ c->restore_block |= CHANNEL_RESTORE_EFD; -+ set_nonblock(efd); -+ } -+ } else if (nonblock) { - if (rfd != -1) - set_nonblock(rfd); - if (wfd != -1) -@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *sc) - } - - int --channel_close_fd(struct ssh *ssh, int *fdp) -+channel_close_fd(struct ssh *ssh, Channel *c, int *fdp) - { - struct ssh_channels *sc = ssh->chanctxt; -- int ret = 0, fd = *fdp; -+ int ret, fd = *fdp; - -- if (fd != -1) { -- ret = close(fd); -- *fdp = -1; -- if (fd == sc->channel_max_fd) -- channel_find_maxfd(sc); -- } -+ if (fd == -1) -+ return 0; -+ -+ if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) || -+ (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) || -+ (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0)) -+ (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */ -+ -+ ret = close(fd); -+ *fdp = -1; -+ if (fd == sc->channel_max_fd) -+ channel_find_maxfd(sc); - return ret; - } - -@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Channel *c) - { - int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd; - -- channel_close_fd(ssh, &c->sock); -+ channel_close_fd(ssh, c, &c->sock); - if (rfd != sock) -- channel_close_fd(ssh, &c->rfd); -+ channel_close_fd(ssh, c, &c->rfd); - if (wfd != sock && wfd != rfd) -- channel_close_fd(ssh, &c->wfd); -+ channel_close_fd(ssh, c, &c->wfd); - if (efd != sock && efd != rfd && efd != wfd) -- channel_close_fd(ssh, &c->efd); -+ channel_close_fd(ssh, c, &c->efd); - } - - static void -@@ -702,7 +728,7 @@ channel_stop_listening(struct ssh *ssh) - case SSH_CHANNEL_X11_LISTENER: - case SSH_CHANNEL_UNIX_LISTENER: - case SSH_CHANNEL_RUNIX_LISTENER: -- channel_close_fd(ssh, &c->sock); -+ channel_close_fd(ssh, c, &c->sock); - channel_free(ssh, c); - break; - } -@@ -1491,7 +1517,8 @@ channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output) - - Channel * - channel_connect_stdio_fwd(struct ssh *ssh, -- const char *host_to_connect, u_short port_to_connect, int in, int out) -+ const char *host_to_connect, u_short port_to_connect, -+ int in, int out, int nonblock) - { - Channel *c; - -@@ -1499,7 +1526,7 @@ channel_connect_stdio_fwd(struct ssh *ssh, - - c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out, - -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, -- 0, "stdio-forward", /*nonblock*/0); -+ 0, "stdio-forward", nonblock); - - c->path = xstrdup(host_to_connect); - c->host_port = port_to_connect; -@@ -1649,7 +1676,7 @@ channel_post_x11_listener(struct ssh *ssh, Channel *c, - if (c->single_connection) { - oerrno = errno; - debug2("single_connection: closing X11 listener."); -- channel_close_fd(ssh, &c->sock); -+ channel_close_fd(ssh, c, &c->sock); - chan_mark_dead(ssh, c); - errno = oerrno; - } -@@ -2058,7 +2085,7 @@ channel_handle_efd_write(struct ssh *ssh, Channel *c, - return 1; - if (len <= 0) { - debug2("channel %d: closing write-efd %d", c->self, c->efd); -- channel_close_fd(ssh, &c->efd); -+ channel_close_fd(ssh, c, &c->efd); - } else { - if ((r = sshbuf_consume(c->extended, len)) != 0) - fatal_fr(r, "channel %i: consume", c->self); -@@ -2087,7 +2114,7 @@ channel_handle_efd_read(struct ssh *ssh, Channel *c, - return 1; - if (len <= 0) { - debug2("channel %d: closing read-efd %d", c->self, c->efd); -- channel_close_fd(ssh, &c->efd); -+ channel_close_fd(ssh, c, &c->efd); - } else if (c->extended_usage == CHAN_EXTENDED_IGNORE) - debug3("channel %d: discard efd", c->self); - else if ((r = sshbuf_put(c->extended, buf, len)) != 0) -diff --git a/channels.h b/channels.h -index 378d987c..6bf86b00 100644 ---- a/channels.h -+++ b/channels.h -@@ -63,6 +63,16 @@ - - #define CHANNEL_CANCEL_PORT_STATIC -1 - -+/* nonblocking flags for channel_new */ -+#define CHANNEL_NONBLOCK_LEAVE 0 /* don't modify non-blocking state */ -+#define CHANNEL_NONBLOCK_SET 1 /* set non-blocking state */ -+#define CHANNEL_NONBLOCK_STDIO 2 /* set non-blocking and restore on close */ -+ -+/* c->restore_block mask flags */ -+#define CHANNEL_RESTORE_RFD 0x01 -+#define CHANNEL_RESTORE_WFD 0x02 -+#define CHANNEL_RESTORE_EFD 0x04 -+ - /* TCP forwarding */ - #define FORWARD_DENY 0 - #define FORWARD_REMOTE (1) -@@ -139,6 +149,7 @@ struct Channel { - * to a matching pre-select handler. - * this way post-select handlers are not - * accidentally called if a FD gets reused */ -+ int restore_block; /* fd mask to restore blocking status */ - struct sshbuf *input; /* data read from socket, to be sent over - * encrypted connection */ - struct sshbuf *output; /* data received over encrypted connection for -@@ -266,7 +277,7 @@ void channel_register_filter(struct ssh *, int, channel_infilter_fn *, - void channel_register_status_confirm(struct ssh *, int, - channel_confirm_cb *, channel_confirm_abandon_cb *, void *); - void channel_cancel_cleanup(struct ssh *, int); --int channel_close_fd(struct ssh *, int *); -+int channel_close_fd(struct ssh *, Channel *, int *); - void channel_send_window_changes(struct ssh *); - - /* mux proxy support */ -@@ -313,7 +324,7 @@ Channel *channel_connect_to_port(struct ssh *, const char *, u_short, - char *, char *, int *, const char **); - Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *); - Channel *channel_connect_stdio_fwd(struct ssh *, const char*, -- u_short, int, int); -+ u_short, int, int, int); - Channel *channel_connect_by_listen_address(struct ssh *, const char *, - u_short, char *, char *); - Channel *channel_connect_by_listen_path(struct ssh *, const char *, -diff --git a/clientloop.c b/clientloop.c -index 219f0e90..bdd67686 100644 ---- a/clientloop.c -+++ b/clientloop.c -@@ -1405,14 +1405,6 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, - if (have_pty) - leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); - -- /* restore blocking io */ -- if (!isatty(fileno(stdin))) -- unset_nonblock(fileno(stdin)); -- if (!isatty(fileno(stdout))) -- unset_nonblock(fileno(stdout)); -- if (!isatty(fileno(stderr))) -- unset_nonblock(fileno(stderr)); -- - /* - * If there was no shell or command requested, there will be no remote - * exit status to be returned. In that case, clear error code if the -diff --git a/mux.c b/mux.c -index faf4ef1e..9454bfed 100644 ---- a/mux.c -+++ b/mux.c -@@ -452,14 +452,6 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid, - if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) - error_f("tcgetattr: %s", strerror(errno)); - -- /* enable nonblocking unless tty */ -- if (!isatty(new_fd[0])) -- set_nonblock(new_fd[0]); -- if (!isatty(new_fd[1])) -- set_nonblock(new_fd[1]); -- if (!isatty(new_fd[2])) -- set_nonblock(new_fd[2]); -- - window = CHAN_SES_WINDOW_DEFAULT; - packetmax = CHAN_SES_PACKET_DEFAULT; - if (cctx->want_tty) { -@@ -469,7 +461,7 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid, - - nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING, - new_fd[0], new_fd[1], new_fd[2], window, packetmax, -- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); -+ CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO); - - nc->ctl_chan = c->self; /* link session -> control channel */ - c->remote_id = nc->self; /* link control -> session channel */ -@@ -1025,13 +1017,8 @@ mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid, - } - } - -- /* enable nonblocking unless tty */ -- if (!isatty(new_fd[0])) -- set_nonblock(new_fd[0]); -- if (!isatty(new_fd[1])) -- set_nonblock(new_fd[1]); -- -- nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]); -+ nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1], -+ CHANNEL_NONBLOCK_STDIO); - free(chost); - - nc->ctl_chan = c->self; /* link session -> control channel */ -diff --git a/nchan.c b/nchan.c -index 4a4494b8..7ef3a350 100644 ---- a/nchan.c -+++ b/nchan.c -@@ -384,7 +384,7 @@ chan_shutdown_write(struct ssh *ssh, Channel *c) - c->istate, c->ostate, strerror(errno)); - } - } else { -- if (channel_close_fd(ssh, &c->wfd) < 0) { -+ if (channel_close_fd(ssh, c, &c->wfd) < 0) { - logit_f("channel %d: close() failed for " - "fd %d [i%d o%d]: %.100s", c->self, c->wfd, - c->istate, c->ostate, strerror(errno)); -@@ -412,7 +412,7 @@ chan_shutdown_read(struct ssh *ssh, Channel *c) - c->istate, c->ostate, strerror(errno)); - } - } else { -- if (channel_close_fd(ssh, &c->rfd) < 0) { -+ if (channel_close_fd(ssh, c, &c->rfd) < 0) { - logit_f("channel %d: close() failed for " - "fd %d [i%d o%d]: %.100s", c->self, c->rfd, - c->istate, c->ostate, strerror(errno)); -@@ -431,7 +431,7 @@ chan_shutdown_extended_read(struct ssh *ssh, Channel *c) - debug_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])", - c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd, - channel_format_extended_usage(c)); -- if (channel_close_fd(ssh, &c->efd) < 0) { -+ if (channel_close_fd(ssh, c, &c->efd) < 0) { - logit_f("channel %d: close() failed for " - "extended fd %d [i%d o%d]: %.100s", c->self, c->efd, - c->istate, c->ostate, strerror(errno)); -diff --git a/ssh.c b/ssh.c -index 696dc3bc..6243db76 100644 ---- a/ssh.c -+++ b/ssh.c -@@ -1876,9 +1876,10 @@ ssh_init_stdio_forwarding(struct ssh *ssh) - - if ((in = dup(STDIN_FILENO)) == -1 || - (out = dup(STDOUT_FILENO)) == -1) -- fatal("channel_connect_stdio_fwd: dup() in/out failed"); -+ fatal_f("dup() in/out failed"); - if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host, -- options.stdio_forward_port, in, out)) == NULL) -+ options.stdio_forward_port, in, out, -+ CHANNEL_NONBLOCK_STDIO)) == NULL) - fatal_f("channel_connect_stdio_fwd failed"); - channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0); - channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL); -@@ -2074,14 +2075,6 @@ ssh_session2_open(struct ssh *ssh) - if (in == -1 || out == -1 || err == -1) - fatal("dup() in/out/err failed"); - -- /* enable nonblocking unless tty */ -- if (!isatty(in)) -- set_nonblock(in); -- if (!isatty(out)) -- set_nonblock(out); -- if (!isatty(err)) -- set_nonblock(err); -- - window = CHAN_SES_WINDOW_DEFAULT; - packetmax = CHAN_SES_PACKET_DEFAULT; - if (tty_flag) { -@@ -2091,7 +2084,7 @@ ssh_session2_open(struct ssh *ssh) - c = channel_new(ssh, - "session", SSH_CHANNEL_OPENING, in, out, err, - window, packetmax, CHAN_EXTENDED_WRITE, -- "client-session", /*nonblock*/0); -+ "client-session", CHANNEL_NONBLOCK_STDIO); - - debug3_f("channel_new: %d", c->self); - diff --git a/SOURCES/openssh-8.4p1-debian-compat.patch b/SOURCES/openssh-8.4p1-debian-compat.patch deleted file mode 100644 index 1285979..0000000 --- a/SOURCES/openssh-8.4p1-debian-compat.patch +++ /dev/null @@ -1,57 +0,0 @@ ---- compat.h.orig 2020-10-05 10:09:02.953505129 -0700 -+++ compat.h 2020-10-05 10:10:17.587733113 -0700 -@@ -34,7 +34,7 @@ - - #define SSH_BUG_UTF8TTYMODE 0x00000001 - #define SSH_BUG_SIGTYPE 0x00000002 --/* #define unused 0x00000004 */ -+#define SSH_BUG_SIGTYPE74 0x00000004 - /* #define unused 0x00000008 */ - #define SSH_OLD_SESSIONID 0x00000010 - /* #define unused 0x00000020 */ ---- compat.c.orig 2020-10-05 10:25:02.088720562 -0700 -+++ compat.c 2020-10-05 10:13:11.637282492 -0700 -@@ -65,11 +65,12 @@ - { "OpenSSH_6.5*," - "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD| - SSH_BUG_SIGTYPE}, -+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE| -+ SSH_BUG_SIGTYPE74}, - { "OpenSSH_7.0*," - "OpenSSH_7.1*," - "OpenSSH_7.2*," - "OpenSSH_7.3*," -- "OpenSSH_7.4*," - "OpenSSH_7.5*," - "OpenSSH_7.6*," - "OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE}, ---- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700 -+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700 -@@ -1305,6 +1305,26 @@ - break; - } - free(oallowed); -+ /* -+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its -+ * support. For that release, check the local policy against the -+ * SHA2 signature types. -+ */ -+ if (alg == NULL && -+ (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) { -+ oallowed = allowed = xstrdup(options.pubkey_accepted_algos); -+ while ((cp = strsep(&allowed, ",")) != NULL) { -+ if (sshkey_type_from_name(cp) != key->type) -+ continue; -+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL); -+ if (tmp != NULL) -+ alg = xstrdup(cp); -+ free(tmp); -+ if (alg != NULL) -+ break; -+ } -+ free(oallowed); -+ } - return alg; - } - - diff --git a/SOURCES/openssh-8.6p1.tar.gz.asc b/SOURCES/openssh-8.6p1.tar.gz.asc deleted file mode 100644 index f7b48bc..0000000 --- a/SOURCES/openssh-8.6p1.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmB5CwgACgkQKj9BTnNg -YLp01RAArXrAALtwTnWDysxBKTxGAUmXsPQOeaBCPd3zND3n0si6iinwwatSbu4d -eYj/EOlzXydJkgMImoq6ErZrP2LyApe9RQDHfn/zEr+k5iflOK4su59TK6Dwuy86 -SPYsSNSBhABiVyH9HQelRyVLJfHwVU+DP/SaUemHGbeDLcczp5wh+mtXQPG7hMLi -yuZ1e9W4pO5HOXwoccS69amO0nhqpLb2qBYhenFjY4lZPmIf7UFkGsqIkYeAqHU4 -/uhM0anxo7y+ezc2YD6eZHLrOZcRj1eYxh9IHGZnDcW2+6twks4aVK1kU+HI7xqt -m9bhB+RTVKit0hvNjyhZP3XrDksgCQyyiWuXOe323ane42noH1NP6W075lmnC11Q -JGueXJ+/vGPq3aYiad2mSZoHS82VfK43cCwXY9psCmZOMuWgARy/rxOWUZa3FBV7 -bIS59Mr4hzjyODXArXc+z98Q3Y0qV8jT7xDHCfmsmivBjNcEWH2fX4KvyPHNogJP -C+4bA4WbOy9X6s3mKfQFgeLKA4MbeIhGTNFKl3Utyt7bl8dBzPU4nzBx5754e6Q2 -2vRuLsTfAAGWTNwu+XfS5wvhjPMLkXBH4IUxY8acUTxLYY4uPnPFS2ZqCC94Ysrr -Af4DzNuqm8lkiglggwRwRLopVCuAHfScyqETdTOA1kLsILWdn8Q= -=Jsrn ------END PGP SIGNATURE----- diff --git a/SOURCES/openssh-8.7p1-scp-kill-switch.patch b/SOURCES/openssh-8.7p1-scp-kill-switch.patch new file mode 100644 index 0000000..6710304 --- /dev/null +++ b/SOURCES/openssh-8.7p1-scp-kill-switch.patch @@ -0,0 +1,46 @@ +diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h +--- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200 ++++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200 +@@ -42,6 +42,7 @@ + #define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key" + #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key" + #define _PATH_DH_MODULI SSHDIR "/moduli" ++#define _PATH_SCP_KILL_SWITCH SSHDIR "/disable_scp" + + #ifndef _PATH_SSH_PROGRAM + #define _PATH_SSH_PROGRAM "/usr/bin/ssh" +diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1 +--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200 ++++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200 +@@ -278,6 +278,13 @@ to print debugging messages about their + This is helpful in + debugging connection, authentication, and configuration problems. + .El ++.Pp ++Usage of SCP protocol can be blocked by creating a world-readable ++.Ar /etc/ssh/disable_scp ++file. If this file exists, when SCP protocol is in use (either remotely or ++via the ++.Fl O ++option), the program will exit. + .Sh EXIT STATUS + .Ex -std scp + .Sh SEE ALSO +diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c +--- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200 ++++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200 +@@ -596,6 +596,14 @@ main(int argc, char **argv) + if (iamremote) + mode = MODE_SCP; + ++ if (mode == MODE_SCP) { ++ FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r"); ++ if (f != NULL) { ++ fclose(f); ++ fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH); ++ } ++ } ++ + if ((pwd = getpwuid(userid = getuid())) == NULL) + fatal("unknown user %u", (u_int) userid); + diff --git a/SOURCES/openssh-8.7p1-sftp-default-protocol.patch b/SOURCES/openssh-8.7p1-sftp-default-protocol.patch new file mode 100644 index 0000000..ec25944 --- /dev/null +++ b/SOURCES/openssh-8.7p1-sftp-default-protocol.patch @@ -0,0 +1,129 @@ +diff --git a/scp.1 b/scp.1 +index 68aac04b..a96e95ad 100644 +--- a/scp.1 ++++ b/scp.1 +@@ -8,9 +8,9 @@ + .\" + .\" Created: Sun May 7 00:14:37 1995 ylo + .\" +-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $ ++.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $ + .\" +-.Dd $Mdocdate: August 11 2021 $ ++.Dd $Mdocdate: September 8 2021 $ + .Dt SCP 1 + .Os + .Sh NAME +@@ -18,7 +18,7 @@ + .Nd OpenSSH secure file copy + .Sh SYNOPSIS + .Nm scp +-.Op Fl 346ABCOpqRrsTv ++.Op Fl 346ABCOpqRrTv + .Op Fl c Ar cipher + .Op Fl D Ar sftp_server_path + .Op Fl F Ar ssh_config +@@ -37,9 +37,6 @@ It uses + .Xr ssh 1 + for data transfer, and uses the same authentication and provides the + same security as a login session. +-The scp protocol requires execution of the remote user's shell to perform +-.Xr glob 3 +-pattern matching. + .Pp + .Nm + will ask for passwords or passphrases if they are needed for +@@ -79,7 +76,9 @@ The options are as follows: + Copies between two remote hosts are transferred through the local host. + Without this option the data is copied directly between the two remote + hosts. +-Note that, when using the legacy SCP protocol (the default), this option ++Note that, when using the legacy SCP protocol (via the ++.Fl O ++flag), this option + selects batch mode for the second host as + .Nm + cannot ask for passwords or passphrases for both hosts. +@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s. + .It Fl O + Use the legacy SCP protocol for file transfers instead of the SFTP protocol. + Forcing the use of the SCP protocol may be necessary for servers that do +-not implement SFTP or for backwards-compatibility for particular filename +-wildcard patterns. +-This mode is the default. ++not implement SFTP, for backwards-compatibility for particular filename ++wildcard patterns and for expanding paths with a ++.Sq ~ ++prefix for older SFTP servers. + .It Fl o Ar ssh_option + Can be used to pass options to + .Nm ssh +@@ -258,16 +258,6 @@ to use for the encrypted connection. + The program must understand + .Xr ssh 1 + options. +-.It Fl s +-Use the SFTP protocol for file transfers instead of the legacy SCP protocol. +-Using SFTP avoids invoking a shell on the remote side and provides +-more predictable filename handling, as the SCP protocol +-relied on the remote shell for expanding +-.Xr glob 3 +-wildcards. +-.Pp +-A near-future release of OpenSSH will make the SFTP protocol the default. +-This option will be deleted before the end of 2022. + .It Fl T + Disable strict filename checking. + By default when copying files from a remote host to a local directory +@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems. + .Xr ssh_config 5 , + .Xr sftp-server 8 , + .Xr sshd 8 ++.Sh CAVEATS ++The original scp protocol (selected by the ++.Fl O ++flag) requires execution of the remote user's shell to perform ++.Xr glob 3 ++pattern matching. ++This requires careful quoting of any characters that have special meaning to ++the remote shell, such as quote characters. + .Sh HISTORY + .Nm + is based on the rcp program in + .Bx + source code from the Regents of the University of California. ++.Pp ++Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds), ++.Nm ++has use the SFTP protocol for transfers by default. + .Sh AUTHORS + .An Timo Rinne Aq Mt tri@iki.fi + .An Tatu Ylonen Aq Mt ylo@cs.hut.fi +diff --git a/scp.c b/scp.c +index e039350c..c7cf7529 100644 +--- a/scp.c ++++ b/scp.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */ ++/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */ + /* + * scp - secure remote copy. This is basically patched BSD rcp which + * uses ssh to do the data transfer (instead of using rcmd). +@@ -448,7 +448,7 @@ main(int argc, char **argv) + const char *errstr; + extern char *optarg; + extern int optind; +- enum scp_mode_e mode = MODE_SCP; ++ enum scp_mode_e mode = MODE_SFTP; + char *sftp_direct = NULL; + + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ +@@ -1983,7 +1983,7 @@ void + usage(void) + { + (void) fprintf(stderr, +- "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n" ++ "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n" + " [-i identity_file] [-J destination] [-l limit]\n" + " [-o ssh_option] [-P port] [-S program] source ... target\n"); + exit(1); diff --git a/SOURCES/openssh-8.7p1-upstream-cve-2021-41617.patch b/SOURCES/openssh-8.7p1-upstream-cve-2021-41617.patch new file mode 100644 index 0000000..15d49f2 --- /dev/null +++ b/SOURCES/openssh-8.7p1-upstream-cve-2021-41617.patch @@ -0,0 +1,25 @@ +diff --git a/misc.c b/misc.c +index b8d1040d..0134d694 100644 +--- a/misc.c ++++ b/misc.c +@@ -56,6 +56,7 @@ + #ifdef HAVE_PATHS_H + # include + #include ++#include + #endif + #ifdef SSH_TUN_OPENBSD + #include +@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command, + } + closefrom(STDERR_FILENO + 1); + ++ if (geteuid() == 0 && ++ initgroups(pw->pw_name, pw->pw_gid) == -1) { ++ error("%s: initgroups(%s, %u): %s", tag, ++ pw->pw_name, (u_int)pw->pw_gid, strerror(errno)); ++ _exit(1); ++ } + if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) { + error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, + strerror(errno)); diff --git a/SOURCES/openssh-8.7p1.tar.gz.asc b/SOURCES/openssh-8.7p1.tar.gz.asc new file mode 100644 index 0000000..1bdc93b --- /dev/null +++ b/SOURCES/openssh-8.7p1.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmEfKn8ACgkQKj9BTnNg +YLo2qQ/9EHkk64DFIOZz9xmKdogiVvuYue9LE1ex52rgLhxkeAmXQ0Ta2VjK0S81 +9/oWJP5N+gcHLO01Og2bVuUPim/S1Op69a5hmFWaYvIlKCeCBONwE1O+n6IIhf+p +HUXkY9cFXOoSEHhQ1D+/f8axv7WtZ4ZtHlxejqcsjyyIDqG+i4kReiZJP0D06dUk +cv2U6YsQ9hTvXBTeUANCgLzH6DvEoyQyy7LOpaHsO1VKMlctslrVWdWRiAn7V934 +8TuhZB0NoHAGZIgFFCINSfFAxnqxPyZtLdTxSF5EwPXqdnwFfGk4nprLZA1vT2yT +HeZiXhx919L+trDVmCycqcSCj8vOlNWl9A8VaodTW01SG75D7b1f5XqLGmSP4ujf ++9UnYKVm0OAU8jpbGXd1D2REuXRspRU6NPNW/3MkO2I46sG+KHhD6OMipOaiY8p2 +WrCsryadBThUqSKAo/zdIAJgVVt23Y7ykIIkhxebaRBIS4v6fdXg4aIjHfOjlsDX +Mh2JFEbP93bKC0wCJWcR7NXFR4nN2ddTen1jLC+m+ABMae0AoMCFy7VW4FK33ZAJ ++Plovu62bBUXeVhXhLC76vdQo7geRpBs0RQV0gtj6HlZL5BReEKwApPEVce8K9F5 ++ZYbmF5ZQNMcdR9zZ+QV+ykv6y4SG1+rPI9/Ufo/ZZp5jRnsq+M= +=xI/+ +-----END PGP SIGNATURE----- diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index 8954cba..da665e7 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -50,15 +50,15 @@ %{?static_openssl:%global static_libcrypto 1} # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 8.6p1 -%global openssh_rel 7 +%global openssh_ver 8.7p1 +%global openssh_rel 4 %global pam_ssh_agent_ver 0.10.4 -%global pam_ssh_agent_rel 3 +%global pam_ssh_agent_rel 4 Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}.1 +Release: %{openssh_rel}%{?dist} URL: http://www.openssh.com/portable.html #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -189,14 +189,16 @@ Patch964: openssh-8.0p1-openssl-kdf.patch Patch965: openssh-8.2p1-visibility.patch # Do not break X11 without IPv6 Patch966: openssh-8.2p1-x11-without-ipv6.patch -# https://bugzilla.mindrot.org/show_bug.cgi?id=3213 -Patch969: openssh-8.4p1-debian-compat.patch # ssh-keygen printing fingerprint issue with Windows keys (#1901518) Patch974: openssh-8.0p1-keygen-strip-doseol.patch # sshd provides PAM an incorrect error code (#1879503) Patch975: openssh-8.0p1-preserve-pam-errors.patch -# ssh incorrectly restores the blocking mode on standard output (#1942901) -Patch976: openssh-8.0p1-restore-nonblock.patch +# Use SFTP protocol by default for scp command +Patch976: openssh-8.7p1-sftp-default-protocol.patch +# Implement kill switch for SCP protocol +Patch977: openssh-8.7p1-scp-kill-switch.patch +# CVE-2021-41617 +Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch License: BSD Requires: /sbin/nologin @@ -267,7 +269,7 @@ Requires: openssh = %{version}-%{release} %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2 +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist} License: BSD %description @@ -370,10 +372,11 @@ popd %patch964 -p1 -b .openssl-kdf %patch965 -p1 -b .visibility %patch966 -p1 -b .x11-ipv6 -%patch969 -p0 -b .debian %patch974 -p1 -b .keygen-strip-doseol %patch975 -p1 -b .preserve-pam-errors -%patch976 -p1 -b .restore-nonblock +%patch976 -p1 -b .sftp-by-default +%patch977 -p1 -b .kill-scp +%patch978 -p1 -b .cve-2021-41617 %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race @@ -658,6 +661,24 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Mon Oct 25 2021 Dmitry Belyavskiy - 8.7p1-4 +- Fix memory leaks introduced in OpenSSH 8.7 + Related: rhbz#2001002 + +* Tue Oct 19 2021 Dmitry Belyavskiy - 8.7p1-3 +- Disable locale forwarding in default configurations + Related: rhbz#2002734 + +* Fri Oct 01 2021 Dmitry Belyavskiy - 8.7p1-2 +- Upstream fix for CVE-2021-41617 + Related: rhbz#2008886 + +* Fri Sep 24 2021 Dmitry Belyavskiy - 8.7p1-1 + 0.10.4-4 +- New upstream release +- Switch to SFTP protocol in scp utility by default +- Enable SCP protocol kill switch + Related: rhbz#2001002 + * Mon Aug 09 2021 Mohan Boddu - 8.6p1-7.1 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688