rebase to new upstream release 6.9
parent
21bee694ac
commit
535d341e70
@ -1,7 +1,7 @@
|
||||
diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
|
||||
--- openssh-6.8p1/configure.ac.vendor 2015-03-18 11:17:56.670880303 +0100
|
||||
+++ openssh-6.8p1/configure.ac 2015-03-18 11:17:56.695880243 +0100
|
||||
@@ -4743,6 +4743,12 @@ AC_ARG_WITH([lastlog],
|
||||
diff -up openssh/configure.ac.vendor openssh/configure.ac
|
||||
--- openssh/configure.ac.vendor 2015-06-24 11:05:39.805679794 +0200
|
||||
+++ openssh/configure.ac 2015-06-24 11:05:39.835679719 +0200
|
||||
@@ -4751,6 +4751,12 @@ AC_ARG_WITH([lastlog],
|
||||
fi
|
||||
]
|
||||
)
|
||||
@ -14,7 +14,7 @@ diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
|
||||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -5005,6 +5011,7 @@ echo " Translate v4 in v6 hack
|
||||
@@ -5013,6 +5019,7 @@ echo " Translate v4 in v6 hack
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
@ -22,10 +22,10 @@ diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
|
||||
|
||||
echo ""
|
||||
|
||||
diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
|
||||
--- openssh-6.8p1/servconf.c.vendor 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/servconf.c 2015-03-18 11:19:16.279691126 +0100
|
||||
@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh/servconf.c.vendor openssh/servconf.c
|
||||
--- openssh/servconf.c.vendor 2015-06-23 02:34:47.000000000 +0200
|
||||
+++ openssh/servconf.c 2015-06-24 11:07:07.689460890 +0200
|
||||
@@ -147,6 +147,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
@ -33,7 +33,7 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -327,6 +328,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -335,6 +336,8 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
@ -42,7 +42,7 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
@@ -388,7 +391,7 @@ typedef enum {
|
||||
@@ -397,7 +400,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
|
||||
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
@ -50,8 +50,8 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
|
||||
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
@@ -504,6 +507,7 @@ static struct {
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
@@ -517,6 +520,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
@ -59,7 +59,7 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1320,6 +1324,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1372,6 +1376,10 @@ process_server_config_line(ServerOptions
|
||||
multistate_ptr = multistate_privsep;
|
||||
goto parse_multistate;
|
||||
|
||||
@ -70,18 +70,18 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
@@ -2145,6 +2153,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -2249,6 +2257,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||
diff -up openssh-6.8p1/servconf.h.vendor openssh-6.8p1/servconf.h
|
||||
--- openssh-6.8p1/servconf.h.vendor 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/servconf.h 2015-03-18 11:17:56.696880241 +0100
|
||||
@@ -151,6 +151,7 @@ typedef struct {
|
||||
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
|
||||
diff -up openssh/servconf.h.vendor openssh/servconf.h
|
||||
--- openssh/servconf.h.vendor 2015-06-23 02:34:47.000000000 +0200
|
||||
+++ openssh/servconf.h 2015-06-24 11:05:39.837679714 +0200
|
||||
@@ -154,6 +154,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
@ -137,10 +137,10 @@ diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
|
||||
StreamLocalBindMask
|
||||
Sets the octal file creation mode mask (umask) used when creating
|
||||
a Unix-domain socket file for local or remote port forwarding.
|
||||
diff -up openssh-6.8p1/sshd_config.5.vendor openssh-6.8p1/sshd_config.5
|
||||
--- openssh-6.8p1/sshd_config.5.vendor 2015-03-18 11:17:56.691880253 +0100
|
||||
+++ openssh-6.8p1/sshd_config.5 2015-03-18 11:17:56.697880239 +0100
|
||||
@@ -1276,6 +1276,13 @@ This option applies to protocol version
|
||||
diff -up openssh/sshd_config.5.vendor openssh/sshd_config.5
|
||||
--- openssh/sshd_config.5.vendor 2015-06-24 11:05:39.831679729 +0200
|
||||
+++ openssh/sshd_config.5 2015-06-24 11:05:39.837679714 +0200
|
||||
@@ -1344,6 +1344,13 @@ This option applies to protocol version
|
||||
.It Cm ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||
The minimum value is 512, and the default is 1024.
|
||||
|
@ -1,31 +1,12 @@
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index b7f3294..bc1e909 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -1550,7 +1550,7 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
break;
|
||||
|
||||
case sForceCommand:
|
||||
- if (cp == NULL)
|
||||
+ if (cp == NULL || *cp == '\0')
|
||||
fatal("%.200s line %d: Missing argument.", filename,
|
||||
linenum);
|
||||
len = strspn(cp, WHITESPACE);
|
||||
@@ -1595,7 +1595,7 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
break;
|
||||
|
||||
case sVersionAddendum:
|
||||
- if (cp == NULL)
|
||||
+ if (cp == NULL || *cp == '\0')
|
||||
fatal("%.200s line %d: Missing argument.", filename,
|
||||
linenum);
|
||||
len = strspn(cp, WHITESPACE);
|
||||
@@ -1630,6 +1630,8 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
diff -up openssh/servconf.c.servconf openssh/servconf.c
|
||||
--- openssh/servconf.c.servconf 2015-06-24 11:26:26.186527736 +0200
|
||||
+++ openssh/servconf.c 2015-06-24 11:26:39.847493075 +0200
|
||||
@@ -1815,6 +1815,8 @@ process_server_config_line(ServerOptions
|
||||
break;
|
||||
|
||||
case sAuthenticationMethods:
|
||||
+ if (cp == NULL || *cp == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||
if (*activep && options->num_auth_methods == 0) {
|
||||
if (options->num_auth_methods == 0) {
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_auth_methods >=
|
||||
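Review bot: The guard added to `case sAuthenticationMethods:` has no comment saying why an empty argument has to be fatal, and the reason is not obvious from the parsing loop that follows it. From the visible lines, an empty value would fall straight through the `strdelim` loop and leave `options->num_auth_methods` at 0, which sshd presumably treats as "no required-method list", so a blank directive would silently drop an intended multi-method policy instead of failing at startup. I would put `/* An empty list leaves num_auth_methods == 0 (no restriction); reject it. */` above the check. The case body continues outside the hunk.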
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-serv-krb5.c
|
||||
--- openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-03-18 13:04:21.505306818 +0100
|
||||
+++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 13:04:21.527306764 +0100
|
||||
diff -up openssh/gss-serv-krb5.c.GSSAPIEnablek5users openssh/gss-serv-krb5.c
|
||||
--- openssh/gss-serv-krb5.c.GSSAPIEnablek5users 2015-06-24 11:40:03.716448353 +0200
|
||||
+++ openssh/gss-serv-krb5.c 2015-06-24 11:40:03.739448295 +0200
|
||||
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
FILE *fp;
|
||||
char file[MAXPATHLEN];
|
||||
@ -18,10 +18,10 @@ diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-ser
|
||||
return ssh_krb5_kuserok(krb_context, principal, luser,
|
||||
k5login_exists);
|
||||
}
|
||||
diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
|
||||
--- openssh-6.8p1/servconf.c.GSSAPIEnablek5users 2015-03-18 13:04:21.516306791 +0100
|
||||
+++ openssh-6.8p1/servconf.c 2015-03-18 13:05:26.846146608 +0100
|
||||
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
|
||||
--- openssh/servconf.c.GSSAPIEnablek5users 2015-06-24 11:40:03.728448323 +0200
|
||||
+++ openssh/servconf.c 2015-06-24 11:40:03.740448292 +0200
|
||||
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
|
||||
options->version_addendum = NULL;
|
||||
options->fingerprint_hash = -1;
|
||||
options->use_kuserok = -1;
|
||||
@ -29,7 +29,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
@@ -348,6 +349,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -353,6 +354,8 @@ fill_default_server_options(ServerOption
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
if (options->use_kuserok == -1)
|
||||
options->use_kuserok = 1;
|
||||
@ -38,7 +38,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
use_privsep = PRIVSEP_NOSANDBOX;
|
||||
@@ -406,7 +409,7 @@ typedef enum {
|
||||
@@ -412,7 +415,7 @@ typedef enum {
|
||||
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
@ -47,7 +47,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
|
||||
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -484,6 +487,7 @@ static struct {
|
||||
@@ -490,12 +493,14 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
@ -55,7 +55,6 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -491,6 +495,7 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
@ -63,7 +62,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
|
||||
#endif
|
||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1623,6 +1628,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1663,6 +1668,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->use_kuserok;
|
||||
goto parse_flag;
|
||||
|
||||
@ -74,7 +73,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -1947,6 +1956,7 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -2018,6 +2027,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
M_CP_INTOPT(use_kuserok);
|
||||
@ -82,7 +81,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2207,6 +2217,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -2300,6 +2310,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
@ -90,10 +89,10 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h
|
||||
--- openssh-6.8p1/servconf.h.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
|
||||
+++ openssh-6.8p1/servconf.h 2015-03-18 13:04:21.528306762 +0100
|
||||
@@ -177,7 +177,8 @@ typedef struct {
|
||||
diff -up openssh/servconf.h.GSSAPIEnablek5users openssh/servconf.h
|
||||
--- openssh/servconf.h.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200
|
||||
+++ openssh/servconf.h 2015-06-24 11:40:03.740448292 +0200
|
||||
@@ -179,7 +179,8 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
@ -103,21 +102,10 @@ diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-6.8p1/sshd_config.GSSAPIEnablek5users openssh-6.8p1/sshd_config
|
||||
--- openssh-6.8p1/sshd_config.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
|
||||
+++ openssh-6.8p1/sshd_config 2015-03-18 13:04:21.528306762 +0100
|
||||
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials no
|
||||
#GSSAPIStrictAcceptorCheck yes
|
||||
#GSSAPIKeyExchange no
|
||||
+#GSSAPIEnablek5users no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_config.5
|
||||
--- openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
|
||||
+++ openssh-6.8p1/sshd_config.5 2015-03-18 13:04:21.528306762 +0100
|
||||
@@ -576,6 +576,12 @@ on logout.
|
||||
diff -up openssh/sshd_config.5.GSSAPIEnablek5users openssh/sshd_config.5
|
||||
--- openssh/sshd_config.5.GSSAPIEnablek5users 2015-06-24 11:40:03.741448290 +0200
|
||||
+++ openssh/sshd_config.5 2015-06-24 11:40:40.707354263 +0200
|
||||
@@ -628,6 +628,12 @@ on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
@ -128,5 +116,16 @@ diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_conf
|
||||
+The default is
|
||||
+.Dq no .
|
||||
.It Cm GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against. If
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against.
|
||||
diff -up openssh/sshd_config.GSSAPIEnablek5users openssh/sshd_config
|
||||
--- openssh/sshd_config.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200
|
||||
+++ openssh/sshd_config 2015-06-24 11:40:03.740448292 +0200
|
||||
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials no
|
||||
#GSSAPIStrictAcceptorCheck yes
|
||||
#GSSAPIKeyExchange no
|
||||
+#GSSAPIEnablek5users no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
|
@ -133,7 +133,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
+ break;
|
||||
+
|
||||
+ total += n;
|
||||
+ buf = xrealloc(buf, total + READ_CHUNK, 1);
|
||||
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
||||
+ } while(total < MAX_READ_SIZE);
|
||||
+ return buf;
|
||||
+}
|
||||
|
@ -163,7 +163,7 @@ index 413b845..54dd383 100644
|
||||
+ k5users_allowed_cmds[ncommands-1] =
|
||||
+ xstrdup(pw->pw_shell);
|
||||
+ k5users_allowed_cmds =
|
||||
+ xrealloc(k5users_allowed_cmds, ++ncommands,
|
||||
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
|
||||
+ sizeof(*k5users_allowed_cmds));
|
||||
+ break;
|
||||
+ }
|
||||
@ -176,7 +176,7 @@ index 413b845..54dd383 100644
|
||||
+ k5users_allowed_cmds[ncommands-1] =
|
||||
+ xstrdup(token);
|
||||
+ k5users_allowed_cmds =
|
||||
+ xrealloc(k5users_allowed_cmds, ++ncommands,
|
||||
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
|
||||
+ sizeof(*k5users_allowed_cmds));
|
||||
+ token = strtok(NULL, " \t\n");
|
||||
+ }
|
||||
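Review bot: Both `xreallocarray(k5users_allowed_cmds, ++ncommands, sizeof(*k5users_allowed_cmds))` calls grow the array by one slot after the store, and the new trailing slot is never initialised in the visible lines. If the code that consumes the list walks it to a NULL terminator rather than by `ncommands`, it would read an indeterminate pointer; that consumer is outside these hunks, so this needs checking against the full file. Writing `k5users_allowed_cmds[ncommands-1] = NULL;` right after each growth would make the list safe either way. This applies to the `pw->pw_shell` branch and to the `strtok` loop alike.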
|
File diff suppressed because it is too large
@ -1,6 +1,24 @@
|
||||
diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat
|
||||
--- openssh-6.8p1/HOWTO.ssh-keycat.keycat 2015-03-18 11:13:43.063482958 +0100
|
||||
+++ openssh-6.8p1/HOWTO.ssh-keycat 2015-03-18 11:13:43.063482958 +0100
|
||||
diff -up openssh/auth2-pubkey.c.keycat openssh/auth2-pubkey.c
|
||||
--- openssh/auth2-pubkey.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||
+++ openssh/auth2-pubkey.c 2015-06-24 11:04:23.989868638 +0200
|
||||
@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
execve(av[0], av, child_env);
|
||||
error("%s exec \"%s\": %s", tag, command, strerror(errno));
|
||||
_exit(127);
|
||||
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
|
||||
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
|
||||
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
|
||||
@@ -0,0 +1,12 @@
|
||||
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
||||
+of an user in any environment. This includes environments with
|
||||
@ -14,9 +32,9 @@ diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat
|
||||
+ PubkeyAuthentication yes
|
||||
+
|
||||
+
|
||||
diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in
|
||||
--- openssh-6.8p1/Makefile.in.keycat 2015-03-18 11:13:43.061482963 +0100
|
||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:14:22.480389291 +0100
|
||||
diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
||||
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
|
||||
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
|
||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
@ -52,27 +70,23 @@ diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
diff -up openssh-6.8p1/auth2-pubkey.c.keycat openssh-6.8p1/auth2-pubkey.c
|
||||
--- openssh-6.8p1/auth2-pubkey.c.keycat 2015-03-18 11:13:43.053482982 +0100
|
||||
+++ openssh-6.8p1/auth2-pubkey.c 2015-03-18 11:13:43.063482958 +0100
|
||||
@@ -623,6 +623,14 @@ user_key_command_allowed2(struct passwd
|
||||
_exit(1);
|
||||
}
|
||||
diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port-linux.h
|
||||
--- openssh/openbsd-compat/port-linux.h.keycat 2015-06-24 10:57:50.150849626 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.h 2015-06-24 10:57:50.160849601 +0200
|
||||
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
execl(options.authorized_keys_command,
|
||||
options.authorized_keys_command, user_pw->pw_name, NULL);
|
||||
+int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
+int sshd_selinux_setup_env_variables(void);
|
||||
#endif
|
||||
|
||||
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat 2015-03-18 11:13:43.057482972 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:13:43.063482958 +0100
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200
|
||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200
|
||||
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
|
||||
extern int inetd_flag;
|
||||
extern int rexeced_flag;
|
||||
@ -166,23 +180,9 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/ope
|
||||
return;
|
||||
|
||||
if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.keycat openssh-6.8p1/openbsd-compat/port-linux.h
|
||||
--- openssh-6.8p1/openbsd-compat/port-linux.h.keycat 2015-03-18 11:13:43.057482972 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 11:13:43.063482958 +0100
|
||||
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
+int sshd_selinux_setup_env_variables(void);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c
|
||||
--- openssh-6.8p1/platform.c.keycat 2015-03-18 11:13:43.055482977 +0100
|
||||
+++ openssh-6.8p1/platform.c 2015-03-18 11:13:43.063482958 +0100
|
||||
diff -up openssh/platform.c.keycat openssh/platform.c
|
||||
--- openssh/platform.c.keycat 2015-06-24 10:57:50.147849633 +0200
|
||||
+++ openssh/platform.c 2015-06-24 10:57:50.160849601 +0200
|
||||
@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p
|
||||
{
|
||||
#ifdef WITH_SELINUX
|
||||
@ -192,9 +192,9 @@ diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c
|
||||
#endif
|
||||
|
||||
#ifdef USE_SOLARIS_PROJECTS
|
||||
diff -up openssh-6.8p1/ssh-keycat.c.keycat openssh-6.8p1/ssh-keycat.c
|
||||
--- openssh-6.8p1/ssh-keycat.c.keycat 2015-03-18 11:13:43.064482956 +0100
|
||||
+++ openssh-6.8p1/ssh-keycat.c 2015-03-18 11:13:43.064482956 +0100
|
||||
diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
|
||||
--- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200
|
||||
+++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200
|
||||
@@ -0,0 +1,238 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
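Review bot: In the rebased auth2-pubkey.c hunk, `sshd_selinux_setup_env_variables()` now runs immediately before `execve(av[0], av, child_env)`, which hands the child an explicit environment array, whereas the previous version of the patch sat before an `execl()` that inherits the process environment. If the helper exports its values into the process environment (its body is not shown in this section), they would no longer reach the key-command child, and ssh-keycat would start without the SELinux settings this block exists to pass. It is worth confirming that the variables end up in `child_env`, or adding them to it before the exec. Separately, `strerror(errno)` in the error path is only meaningful if the helper sets errno on every failure return. `subprocess()` starts and ends outside the hunk.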
|
File diff suppressed because it is too large
@ -467,25 +467,3 @@ diff -up openssh-6.8p1/sshkey.c.coverity openssh-6.8p1/sshkey.c
|
||||
#include "match.h"
|
||||
|
||||
/* openssh private key file format */
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 6ff8f6f..2f2fcf8 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1548,6 +1548,7 @@ main(int ac, char **av)
|
||||
int keytype;
|
||||
Authctxt *authctxt;
|
||||
struct connection_info *connection_info = get_connection_info(0, 0);
|
||||
+ char *addr = NULL;
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
@@ -2261,7 +2262,8 @@ main(int ac, char **av)
|
||||
/* Log the connection. */
|
||||
verbose("Connection from %s port %d on %s port %d",
|
||||
remote_ip, remote_port,
|
||||
- get_local_ipaddr(sock_in), get_local_port());
|
||||
+ (addr = get_local_ipaddr(sock_in)), get_local_port());
|
||||
+ free(addr);
|
||||
|
||||
/*
|
||||
* We don't want to listen forever unless the other side
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
|
||||
--- openssh-6.8p1/configure.ac.tcp_wrappers 2015-03-18 13:05:57.365071779 +0100
|
||||
+++ openssh-6.8p1/configure.ac 2015-03-18 13:05:57.408071673 +0100
|
||||
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
|
||||
diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
|
||||
--- openssh/configure.ac.tcp_wrappers 2015-06-24 11:41:04.519293694 +0200
|
||||
+++ openssh/configure.ac 2015-06-24 11:41:04.556293600 +0200
|
||||
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
|
||||
]
|
||||
)
|
||||
|
||||
@ -64,7 +64,7 @@ diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
|
||||
# Check whether user wants to use ldns
|
||||
LDNS_MSG="no"
|
||||
AC_ARG_WITH(ldns,
|
||||
@@ -5026,6 +5082,7 @@ echo " KerberosV support
|
||||
@@ -5034,6 +5090,7 @@ echo " KerberosV support
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
@ -72,10 +72,10 @@ diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
|
||||
--- openssh-6.8p1/sshd.8.tcp_wrappers 2015-03-18 13:05:57.377071749 +0100
|
||||
+++ openssh-6.8p1/sshd.8 2015-03-18 13:05:57.408071673 +0100
|
||||
@@ -858,6 +858,12 @@ the user's home directory becomes access
|
||||
diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
|
||||
--- openssh/sshd.8.tcp_wrappers 2015-06-24 11:41:04.527293674 +0200
|
||||
+++ openssh/sshd.8 2015-06-24 11:41:04.556293600 +0200
|
||||
@@ -860,6 +860,12 @@ the user's home directory becomes access
|
||||
This file should be writable only by the user, and need not be
|
||||
readable by anyone else.
|
||||
.Pp
|
||||
@ -88,7 +88,7 @@ diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
|
||||
.It Pa /etc/hosts.equiv
|
||||
This file is for host-based authentication (see
|
||||
.Xr ssh 1 ) .
|
||||
@@ -981,6 +987,7 @@ IPv6 address can be used everywhere wher
|
||||
@@ -983,6 +989,7 @@ IPv6 address can be used everywhere wher
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
@ -96,9 +96,9 @@ diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
|
||||
.Xr login.conf 5 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd_config 5 ,
|
||||
diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
|
||||
--- openssh-6.8p1/sshd.c.tcp_wrappers 2015-03-18 13:05:57.402071688 +0100
|
||||
+++ openssh-6.8p1/sshd.c 2015-03-18 13:06:48.199947136 +0100
|
||||
diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
|
||||
--- openssh/sshd.c.tcp_wrappers 2015-06-24 11:41:04.549293618 +0200
|
||||
+++ openssh/sshd.c 2015-06-24 11:41:53.331169536 +0200
|
||||
@@ -125,6 +125,13 @@
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
@ -113,7 +113,7 @@ diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
|
||||
#ifndef O_NOCTTY
|
||||
#define O_NOCTTY 0
|
||||
#endif
|
||||
@@ -2150,6 +2157,24 @@ main(int ac, char **av)
|
||||
@@ -2158,6 +2165,24 @@ main(int ac, char **av)
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_connection_from(remote_ip, remote_port);
|
||||
#endif
|
||||
@ -137,4 +137,4 @@ diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
|
||||
+#endif /* LIBWRAP */
|
||||
|
||||
/* Log the connection. */
|
||||
verbose("Connection from %s port %d on %s port %d",
|
||||
laddr = get_local_ipaddr(sock_in);
|
||||
|
@ -1,63 +1,6 @@
|
||||
diff -up openssh-6.8p1/Makefile.in.fips openssh-6.8p1/Makefile.in
|
||||
--- openssh-6.8p1/Makefile.in.fips 2015-03-19 13:14:22.221212174 +0100
|
||||
+++ openssh-6.8p1/Makefile.in 2015-03-19 13:14:22.230212157 +0100
|
||||
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
||||
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
|
||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
||||
$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-6.8p1/cipher-ctr.c.fips openssh-6.8p1/cipher-ctr.c
|
||||
--- openssh-6.8p1/cipher-ctr.c.fips 2015-03-19 13:14:22.155212302 +0100
|
||||
+++ openssh-6.8p1/cipher-ctr.c 2015-03-19 13:14:22.230212157 +0100
|
||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
||||
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
||||
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
|
||||
+ EVP_CIPH_FLAG_FIPS;
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c
|
||||
--- openssh-6.8p1/cipher.c.fips 2015-03-19 13:14:22.224212169 +0100
|
||||
+++ openssh-6.8p1/cipher.c 2015-03-19 13:14:22.230212157 +0100
|
||||
diff -up openssh/cipher.c.fips openssh/cipher.c
|
||||
--- openssh/cipher.c.fips 2015-06-24 12:00:58.730242500 +0200
|
||||
+++ openssh/cipher.c 2015-06-24 12:00:58.737242482 +0200
|
||||
@@ -39,6 +39,8 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -130,10 +73,23 @@ diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c
|
||||
if (strcasecmp(c->name, name) == 0)
|
||||
return c->number;
|
||||
return -1;
|
||||
diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h
|
||||
--- openssh-6.8p1/dh.h.fips 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/dh.h 2015-03-19 13:14:22.230212157 +0100
|
||||
@@ -45,6 +45,7 @@ u_int dh_estimate(int);
|
||||
diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
|
||||
--- openssh/cipher-ctr.c.fips 2015-06-24 12:00:58.669242656 +0200
|
||||
+++ openssh/cipher-ctr.c 2015-06-24 12:00:58.736242484 +0200
|
||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
||||
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
||||
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
|
||||
+ EVP_CIPH_FLAG_FIPS;
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh/dh.h.fips openssh/dh.h
|
||||
--- openssh/dh.h.fips 2015-06-23 02:34:47.000000000 +0200
|
||||
+++ openssh/dh.h 2015-06-24 12:00:58.737242482 +0200
|
||||
@@ -46,6 +46,7 @@ u_int dh_estimate(int);
|
||||
|
||||
/* Min and max values from RFC4419. */
|
||||
#define DH_GRP_MIN 1024
|
||||
@ -141,9 +97,9 @@ diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
/*
|
||||
diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c
|
||||
--- openssh-6.8p1/entropy.c.fips 2015-03-19 13:14:22.147212317 +0100
|
||||
+++ openssh-6.8p1/entropy.c 2015-03-19 13:14:22.230212157 +0100
|
||||
diff -up openssh/entropy.c.fips openssh/entropy.c
|
||||
--- openssh/entropy.c.fips 2015-06-24 12:00:58.662242674 +0200
|
||||
+++ openssh/entropy.c 2015-06-24 12:00:58.737242482 +0200
|
||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
@ -154,9 +110,9 @@ diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1) {
|
||||
debug3("RNG is ready, skipping seeding");
|
||||
diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
|
||||
--- openssh-6.8p1/kex.c.fips 2015-03-19 13:14:22.165212282 +0100
|
||||
+++ openssh-6.8p1/kex.c 2015-03-19 13:14:22.230212157 +0100
|
||||
diff -up openssh/kex.c.fips openssh/kex.c
|
||||
--- openssh/kex.c.fips 2015-06-24 12:00:58.730242500 +0200
|
||||
+++ openssh/kex.c 2015-06-24 12:00:58.737242482 +0200
|
||||
@@ -35,6 +35,7 @@
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
@ -165,7 +121,7 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
|
||||
#endif
|
||||
|
||||
#include "ssh2.h"
|
||||
@@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = {
|
||||
@@ -108,6 +109,25 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, -1, -1, -1},
|
||||
};
|
||||
|
||||
@ -191,7 +147,7 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -134,7 +154,7 @@ kex_alg_by_name(const char *name)
|
||||
@@ -135,7 +155,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
@ -200,7 +156,7 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
#ifdef GSSAPI
|
||||
@@ -160,7 +180,10 @@ kex_names_valid(const char *names)
|
||||
@@ -161,7 +181,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
@ -212,54 +168,47 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
diff -up openssh-6.8p1/kexgexc.c.fips openssh-6.8p1/kexgexc.c
|
||||
--- openssh-6.8p1/kexgexc.c.fips 2015-03-19 13:14:22.196212223 +0100
|
||||
+++ openssh-6.8p1/kexgexc.c 2015-03-19 13:15:11.462117016 +0100
|
||||
@@ -28,6 +28,8 @@
|
||||
diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
|
||||
--- openssh/kexgexc.c.fips 2015-06-24 12:00:58.737242482 +0200
|
||||
+++ openssh/kexgexc.c 2015-06-24 12:02:26.996015709 +0200
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@@ -62,7 +64,7 @@ kexgex_client(struct ssh *ssh)
|
||||
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
|
||||
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
|
||||
- kex->min = DH_GRP_MIN;
|
||||
+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
|
||||
--- openssh/kexgexs.c.fips 2015-06-24 12:00:58.738242479 +0200
|
||||
+++ openssh/kexgexs.c 2015-06-24 13:48:23.735320199 +0200
|
||||
@@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int
|
||||
(r = sshpkt_get_end(ssh)) != 0)
|
||||
goto out;
|
||||
kex->nbits = nbits;
|
||||
- kex->min = min;
|
||||
+ kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
kex->max = max;
|
||||
- min = MAX(DH_GRP_MIN, min);
|
||||
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
|
||||
max = MIN(DH_GRP_MAX, max);
|
||||
- nbits = MAX(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
|
||||
nbits = MIN(DH_GRP_MAX, nbits);
|
||||
|
||||
/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
|
||||
diff -up openssh-6.8p1/kexgexs.c.fips openssh-6.8p1/kexgexs.c
|
||||
--- openssh-6.8p1/kexgexs.c.fips 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/kexgexs.c 2015-03-19 13:14:22.231212155 +0100
|
||||
@@ -87,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
- min = MAX(DH_GRP_MIN, min);
|
||||
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
|
||||
max = MIN(DH_GRP_MAX, max);
|
||||
- nbits = MAX(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
|
||||
nbits = MIN(DH_GRP_MAX, nbits);
|
||||
break;
|
||||
case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
|
||||
@@ -99,7 +99,7 @@ input_kex_dh_gex_request(int type, u_int
|
||||
goto out;
|
||||
kex->nbits = nbits;
|
||||
/* unused for old GEX */
|
||||
- kex->min = min = DH_GRP_MIN;
|
||||
+ kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
kex->max = max = DH_GRP_MAX;
|
||||
break;
|
||||
default:
|
||||
diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c
|
||||
--- openssh-6.8p1/mac.c.fips 2015-03-19 13:14:22.224212169 +0100
|
||||
+++ openssh-6.8p1/mac.c 2015-03-19 13:14:22.231212155 +0100
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
diff -up openssh/mac.c.fips openssh/mac.c
|
||||
--- openssh/mac.c.fips 2015-06-24 12:00:58.731242497 +0200
|
||||
+++ openssh/mac.c 2015-06-24 12:00:58.738242479 +0200
|
||||
@@ -27,6 +27,8 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -321,10 +270,54 @@ diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h
|
||||
--- openssh-6.8p1/myproposal.h.fips 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/myproposal.h 2015-03-19 13:14:22.231212155 +0100
|
||||
@@ -140,6 +140,28 @@
|
||||
diff -up openssh/Makefile.in.fips openssh/Makefile.in
|
||||
--- openssh/Makefile.in.fips 2015-06-24 12:00:58.731242497 +0200
|
||||
+++ openssh/Makefile.in 2015-06-24 12:00:58.736242484 +0200
|
||||
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
||||
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
|
||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
||||
$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh/myproposal.h.fips openssh/myproposal.h
|
||||
--- openssh/myproposal.h.fips 2015-06-23 02:34:47.000000000 +0200
|
||||
+++ openssh/myproposal.h 2015-06-24 12:00:58.738242479 +0200
|
||||
@@ -143,6 +143,28 @@
|
||||
"hmac-sha1-96," \
|
||||
"hmac-md5-96"
|
||||
|
||||
@ -353,9 +346,36 @@ diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h
|
||||
#else
|
||||
|
||||
#define KEX_SERVER_KEX \
|
||||
diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
|
||||
--- openssh-6.8p1/ssh.c.fips 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/ssh.c 2015-03-19 13:14:22.232212153 +0100
|
||||
diff -up openssh/servconf.c.fips openssh/servconf.c
|
||||
--- openssh/servconf.c.fips 2015-06-24 12:00:58.726242510 +0200
|
||||
+++ openssh/servconf.c 2015-06-24 13:49:40.164085648 +0200
|
||||
@@ -2319,8 +2319,10 @@ dump_config(ServerOptions *o)
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
||||
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
||||
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
|
||||
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
|
||||
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
|
||||
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
|
||||
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||
@@ -2335,8 +2337,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
|
||||
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
|
||||
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
||||
- dump_cfg_string(sKexAlgorithms,
|
||||
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
|
||||
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
|
||||
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
|
||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
||||
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
||||
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
|
||||
diff -up openssh/ssh.c.fips openssh/ssh.c
|
||||
--- openssh/ssh.c.fips 2015-06-23 02:34:47.000000000 +0200
|
||||
+++ openssh/ssh.c 2015-06-24 12:00:58.738242479 +0200
|
||||
@@ -75,6 +75,8 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
@ -365,7 +385,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -523,6 +525,14 @@ main(int ac, char **av)
|
||||
@@ -521,6 +523,14 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -380,7 +400,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
|
||||
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
@@ -600,6 +610,9 @@ main(int ac, char **av)
|
||||
@@ -598,6 +608,9 @@ main(int ac, char **av)
|
||||
"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
@ -390,7 +410,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
|
||||
options.protocol = SSH_PROTO_1;
|
||||
break;
|
||||
case '2':
|
||||
@@ -941,7 +954,6 @@ main(int ac, char **av)
|
||||
@@ -939,7 +952,6 @@ main(int ac, char **av)
|
||||
host_arg = xstrdup(host);
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
@ -398,7 +418,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
|
||||
@@ -1115,6 +1127,10 @@ main(int ac, char **av)
|
||||
@@ -1113,6 +1125,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
@ -409,7 +429,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
|
||||
if (options.user == NULL)
|
||||
options.user = xstrdup(pw->pw_name);
|
||||
|
||||
@@ -1192,6 +1208,12 @@ main(int ac, char **av)
|
||||
@@ -1190,6 +1206,12 @@ main(int ac, char **av)
|
||||
|
||||
timeout_ms = options.connection_timeout * 1000;
|
||||
|
||||
@ -422,9 +442,9 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
|
||||
/* Open a connection to the remote host. */
|
||||
if (ssh_connect(host, addrs, &hostaddr, options.port,
|
||||
options.address_family, options.connection_attempts,
|
||||
diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c
|
||||
--- openssh-6.8p1/sshconnect2.c.fips 2015-03-19 13:14:22.188212238 +0100
|
||||
+++ openssh-6.8p1/sshconnect2.c 2015-03-19 13:14:22.232212153 +0100
|
||||
diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
||||
--- openssh/sshconnect2.c.fips 2015-06-24 12:00:58.698242582 +0200
|
||||
+++ openssh/sshconnect2.c 2015-06-24 12:00:58.739242477 +0200
|
||||
@@ -46,6 +46,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
@ -510,9 +530,9 @@ diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c
|
||||
#ifdef GSSAPI
|
||||
/* If we've got GSSAPI algorithms, then we also support the
|
||||
* 'null' hostkey, as a last resort */
|
||||
diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
--- openssh-6.8p1/sshd.c.fips 2015-03-19 13:14:22.226212165 +0100
|
||||
+++ openssh-6.8p1/sshd.c 2015-03-19 13:14:22.232212153 +0100
|
||||
diff -up openssh/sshd.c.fips openssh/sshd.c
|
||||
--- openssh/sshd.c.fips 2015-06-24 12:00:58.734242489 +0200
|
||||
+++ openssh/sshd.c 2015-06-24 12:00:58.739242477 +0200
|
||||
@@ -66,6 +66,7 @@
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
@ -530,7 +550,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
@@ -1543,6 +1546,18 @@ main(int ac, char **av)
|
||||
@@ -1548,6 +1551,18 @@ main(int ac, char **av)
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
@ -549,7 +569,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
saved_argc = ac;
|
||||
rexec_argc = ac;
|
||||
@@ -1694,7 +1709,7 @@ main(int ac, char **av)
|
||||
@@ -1700,7 +1715,7 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
@ -558,7 +578,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
OpenSSL_add_all_algorithms();
|
||||
#endif
|
||||
|
||||
@@ -1890,6 +1905,10 @@ main(int ac, char **av)
|
||||
@@ -1901,6 +1916,10 @@ main(int ac, char **av)
|
||||
sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
|
||||
free(fp);
|
||||
}
|
||||
@ -569,7 +589,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -2058,6 +2077,10 @@ main(int ac, char **av)
|
||||
@@ -2069,6 +2088,10 @@ main(int ac, char **av)
|
||||
/* Reinitialize the log (because of the fork above). */
|
||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||
|
||||
@ -580,7 +600,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
if (chdir("/") == -1)
|
||||
@@ -2642,6 +2665,9 @@ do_ssh2_kex(void)
|
||||
@@ -2654,6 +2677,9 @@ do_ssh2_kex(void)
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
@ -590,7 +610,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -2651,6 +2677,9 @@ do_ssh2_kex(void)
|
||||
@@ -2663,6 +2689,9 @@ do_ssh2_kex(void)
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
@ -600,7 +620,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
}
|
||||
if (options.compression == COMP_NONE) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
@@ -2661,6 +2690,8 @@ do_ssh2_kex(void)
|
||||
@@ -2673,6 +2702,8 @@ do_ssh2_kex(void)
|
||||
}
|
||||
if (options.kex_algorithms != NULL)
|
||||
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
||||
@ -609,7 +629,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
|
||||
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
|
||||
myproposal[PROPOSAL_KEX_ALGS]);
|
||||
@@ -2687,10 +2718,14 @@ do_ssh2_kex(void)
|
||||
@@ -2699,10 +2730,14 @@ do_ssh2_kex(void)
|
||||
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
||||
orig = NULL;
|
||||
|
||||
@ -628,9 +648,9 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
|
||||
|
||||
if (gss && orig)
|
||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||
diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
|
||||
--- openssh-6.8p1/sshkey.c.fips 2015-03-19 13:14:22.227212163 +0100
|
||||
+++ openssh-6.8p1/sshkey.c 2015-03-19 13:14:22.233212151 +0100
|
||||
diff -up openssh/sshkey.c.fips openssh/sshkey.c
|
||||
--- openssh/sshkey.c.fips 2015-06-24 12:00:58.735242487 +0200
|
||||
+++ openssh/sshkey.c 2015-06-24 12:00:58.740242474 +0200
|
||||
@@ -35,6 +35,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
@ -639,7 +659,7 @@ diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
|
||||
#endif
|
||||
|
||||
#include "crypto_api.h"
|
||||
@@ -1562,6 +1563,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||
@@ -1586,6 +1587,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||
}
|
||||
if (!BN_set_word(f4, RSA_F4) ||
|
||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||
@ -648,30 +668,3 @@ diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-6.8p1/servconf.c.fips openssh-6.8p1/servconf.c
|
||||
--- openssh-6.8p1/servconf.c.fips 2015-03-19 13:14:22.210212196 +0100
|
||||
+++ openssh-6.8p1/servconf.c 2015-03-19 13:14:22.233212151 +0100
|
||||
@@ -2226,8 +2226,10 @@ dump_config(ServerOptions *o)
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
||||
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
||||
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
|
||||
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
|
||||
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
|
||||
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
|
||||
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||
@@ -2240,8 +2242,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
|
||||
dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
|
||||
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
||||
- dump_cfg_string(sKexAlgorithms,
|
||||
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
|
||||
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
|
||||
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
|
||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
||||
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
||||
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
|
||||
|
@ -1742,7 +1742,7 @@ diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
|
||||
+ len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
|
||||
+ (options.ssl == 0) ? "" : "s", options.host, options.port);
|
||||
+ options.uri[MAXURILEN - 1] = 0;
|
||||
+ options.uri = xrealloc (options.uri, len + 1, 1);
|
||||
+ options.uri = xreallocarray(options.uri, len + 1, 1);
|
||||
+ }
|
||||
+ if (options.binddn == NULL)
|
||||
+ options.binddn = "";
|
||||
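Review bot: The return value of `snprintf` goes straight into the resize on the changed line, `options.uri = xreallocarray(options.uri, len + 1, 1);`, without being compared to `MAXURILEN`. If host and port make the URI longer than the buffer, `len` is the untruncated length, so the string is silently cut at `MAXURILEN - 1` while the buffer is grown past it; a return of -1 would request a zero-sized allocation. A guard before the resize, for example `if (len < 0 || len >= MAXURILEN) fatal("LDAP URI too long");`, would turn a truncated directory-server URI into a hard error instead of a connection attempt to a different name. The declaration of `len` and the allocation of `options.uri` are outside the hunk, so their types are assumed here.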
|
@ -1,104 +1,14 @@
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 4065d0e..d59ad44 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
||||
i*86-*)
|
||||
seccomp_audit_arch=AUDIT_ARCH_I386
|
||||
;;
|
||||
- arm*-*)
|
||||
+ aarch64*-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
|
||||
+ ;;
|
||||
+ arm*-*)
|
||||
seccomp_audit_arch=AUDIT_ARCH_ARM
|
||||
- ;;
|
||||
+ ;;
|
||||
esac
|
||||
if test "x$seccomp_audit_arch" != "x" ; then
|
||||
AC_MSG_RESULT(["$seccomp_audit_arch"])
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index 095b04a..52f6810 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -43,6 +43,7 @@
|
||||
#include <sys/resource.h>
|
||||
#include <sys/prctl.h>
|
||||
|
||||
+#include <linux/net.h>
|
||||
#include <linux/audit.h>
|
||||
#include <linux/filter.h>
|
||||
#include <linux/seccomp.h>
|
||||
@@ -80,6 +81,17 @@
|
||||
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
||||
|
||||
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
|
||||
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
|
||||
+ /* load first syscall argument */ \
|
||||
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
+ offsetof(struct seccomp_data, args[(_arg_nr)])), \
|
||||
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
|
||||
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
|
||||
+ /* reload syscall number; all rules expect it in accumulator */ \
|
||||
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
||||
+ offsetof(struct seccomp_data, nr))
|
||||
+
|
||||
/* Syscall filtering set for preauth. */
|
||||
static const struct sock_filter preauth_insns[] = {
|
||||
/* Ensure the syscall arch convention is as expected. */
|
||||
@@ -90,8 +90,23 @@ static const struct sock_filter preauth_insns[] = {
|
||||
/* Load the syscall number for checking. */
|
||||
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
|
||||
offsetof(struct seccomp_data, nr)),
|
||||
- SC_DENY(open, EACCES),
|
||||
+#ifdef __NR_stat
|
||||
SC_DENY(stat, EACCES),
|
||||
+#endif
|
||||
+ SC_DENY(openat, EACCES),
|
||||
+#ifdef __NR_open
|
||||
+ SC_DENY(open, EACCES), /* not on AArch64 */
|
||||
+#endif
|
||||
+#ifdef __NR_fstat
|
||||
+ SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
|
||||
+#endif
|
||||
+#if defined(__NR_stat64) && defined(__NR_fstat64)
|
||||
+ SC_DENY(stat64, EACCES), /* ix86, arm */
|
||||
+ SC_DENY(fstat64, EACCES),
|
||||
+#endif
|
||||
+#ifdef __NR_newfstatat
|
||||
+ SC_DENY(newfstatat, EACCES), /* Aarch64 */
|
||||
+#endif
|
||||
SC_ALLOW(getpid),
|
||||
SC_ALLOW(gettimeofday),
|
||||
SC_ALLOW(clock_gettime),
|
||||
@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
|
||||
SC_ALLOW(shutdown),
|
||||
#endif
|
||||
SC_ALLOW(brk),
|
||||
+#ifdef __NR_poll /* not on AArch64 */
|
||||
SC_ALLOW(poll),
|
||||
+#endif
|
||||
diff -up openssh/configure.ac.seccomp openssh/configure.ac
|
||||
diff -up openssh/sandbox-seccomp-filter.c.seccomp openssh/sandbox-seccomp-filter.c
|
||||
--- openssh/sandbox-seccomp-filter.c.seccomp 2015-06-24 11:45:44.001581471 +0200
|
||||
+++ openssh/sandbox-seccomp-filter.c 2015-06-24 11:51:54.032635297 +0200
|
||||
@@ -165,6 +165,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR__newselect
|
||||
SC_ALLOW(_newselect),
|
||||
#else
|
||||
+#ifdef __NR_select /* not on AArch64 */
|
||||
SC_ALLOW(select),
|
||||
#endif
|
||||
+#ifdef __NR_pselect6 /* AArch64 */
|
||||
+ SC_ALLOW(pselect6),
|
||||
+#endif
|
||||
+#endif
|
||||
SC_ALLOW(madvise),
|
||||
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
|
||||
SC_ALLOW(mmap2),
|
||||
@@ -154,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#else
|
||||
SC_ALLOW(sigprocmask),
|
||||
#ifdef __NR_poll
|
||||
SC_ALLOW(poll),
|
||||
#endif
|
||||
+#ifdef __NR_socketcall
|
||||
+ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
|
||||
+#endif
|
||||
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
|
||||
};
|
||||
|
||||
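Review bot: The `#endif` lines that close the new `#ifdef __NR_select` and `#ifdef __NR_pselect6` guards in the sandbox-seccomp-filter.c hunk carry no comment saying which conditional they end, although both guards now nest inside the existing `#ifdef __NR__newselect ... #else` branch. In a pre-auth syscall allowlist a mis-paired `#endif` silently changes which syscalls are permitted, so I would annotate them, e.g. `#endif /* __NR_pselect6 */` and `#endif /* !__NR__newselect */`. As nested, `pselect6` appears to be allowed only on builds without `__NR__newselect`; if that is intended, a one-line comment above the block should say so. The rendering interleaves the old and new patch text, so this reading assumes the lines under `@@ -165,6 +165,9 @@` are the new side, and `preauth_insns[]` itself starts and ends outside the hunk.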
|
@ -1,11 +0,0 @@
|
||||
--- openssh-6.8p1/authfile.c.orig 2015-03-26 09:59:06.646924879 +0100
|
||||
+++ openssh-6.8p1/authfile.c 2015-03-26 09:59:19.310905998 +0100
|
||||
@@ -194,7 +194,7 @@
|
||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||
error("Permissions 0%3.3o for '%s' are too open.",
|
||||
(u_int)st.st_mode & 0777, filename);
|
||||
- error("It is recommended that your private key files are NOT accessible by others.");
|
||||
+ error("It is required that your private key files are NOT accessible by others.");
|
||||
error("This private key will be ignored.");
|
||||
return SSH_ERR_KEY_BAD_PERMISSIONS;
|
||||
}
|
@ -1,41 +1,7 @@
|
||||
diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c
|
||||
--- openssh-6.8p1/servconf.c.sshdt 2015-05-28 13:32:55.728821389 +0200
|
||||
+++ openssh-6.8p1/servconf.c 2015-05-28 13:34:01.937750270 +0200
|
||||
@@ -2118,6 +2118,8 @@ dump_cfg_strarray_oneline(ServerOpCodes
|
||||
{
|
||||
u_int i;
|
||||
|
||||
+ if (count <= 0)
|
||||
+ return;
|
||||
printf("%s", lookup_opcode_name(code));
|
||||
for (i = 0; i < count; i++)
|
||||
printf(" %s", vals[i]);
|
||||
@@ -2156,7 +2158,7 @@ dump_config(ServerOptions *o)
|
||||
|
||||
/* integer arguments */
|
||||
#ifdef USE_PAM
|
||||
- dump_cfg_int(sUsePAM, o->use_pam);
|
||||
+ dump_cfg_fmtint(sUsePAM, o->use_pam);
|
||||
#endif
|
||||
dump_cfg_int(sServerKeyBits, o->server_key_bits);
|
||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
||||
@@ -2166,6 +2168,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_int(sMaxSessions, o->max_sessions);
|
||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
|
||||
+ dump_cfg_int(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
|
||||
|
||||
/* formatted integer arguments */
|
||||
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
|
||||
@@ -2213,6 +2216,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
+ dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
|
||||
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
@@ -2224,14 +2228,15 @@ dump_config(ServerOptions *o)
|
||||
diff -up openssh/servconf.c.sshdt openssh/servconf.c
|
||||
--- openssh/servconf.c.sshdt 2015-06-24 11:42:29.041078704 +0200
|
||||
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
|
||||
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
||||
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
||||
@ -44,29 +10,10 @@ diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
|
||||
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
|
||||
dump_cfg_string(sAuthorizedPrincipalsFile,
|
||||
o->authorized_principals_file);
|
||||
- dump_cfg_string(sVersionAddendum, o->version_addendum);
|
||||
+ dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
|
||||
+ ? "none" : o->version_addendum);
|
||||
dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
|
||||
dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
|
||||
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
||||
@@ -2251,7 +2256,7 @@ dump_config(ServerOptions *o)
|
||||
o->authorized_keys_files);
|
||||
dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
|
||||
o->host_key_files);
|
||||
- dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
|
||||
+ dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
|
||||
o->host_cert_files);
|
||||
dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
|
||||
dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index cf02526..7fddf46 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -441,7 +441,11 @@ For full details of the options listed below, and their possible values, see
|
||||
diff -up openssh/ssh.1.sshdt openssh/ssh.1
|
||||
--- openssh/ssh.1.sshdt 2015-06-24 11:42:19.565102807 +0200
|
||||
+++ openssh/ssh.1 2015-06-24 11:42:29.042078701 +0200
|
||||
@@ -441,7 +441,11 @@ For full details of the options listed b
|
||||
.It GatewayPorts
|
||||
.It GlobalKnownHostsFile
|
||||
.It GSSAPIAuthentication
|
||||
|
13
openssh.spec
13
openssh.spec
@ -65,10 +65,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 6.8p1
|
||||
%define openssh_rel 9
|
||||
%define openssh_ver 6.9p1
|
||||
%define openssh_rel 1
|
||||
%define pam_ssh_agent_ver 0.9.3
|
||||
%define pam_ssh_agent_rel 5
|
||||
%define pam_ssh_agent_rel 6
|
||||
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
@ -218,8 +218,6 @@ Patch924: openssh-6.7p1-seccomp-aarch64.patch
|
||||
Patch925: openssh-6.7p1-ssh-copy-id-truncated-keys.patch
|
||||
# Add sftp option to force mode of created files (#1191055)
|
||||
Patch926: openssh-6.7p1-sftp-force-permission.patch
|
||||
# Upstream bug #1878 reintroduced in openssh6.7p1
|
||||
Patch927: openssh-6.8p1-880575.patch
|
||||
# Memory problems
|
||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2401
|
||||
Patch928: openssh-6.8p1-memory-problems.patch
|
||||
@ -316,7 +314,7 @@ Requires: openssh = %{version}-%{release}
|
||||
Summary: PAM module for authentication with ssh-agent
|
||||
Group: System Environment/Base
|
||||
Version: %{pam_ssh_agent_ver}
|
||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2
|
||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
|
||||
License: BSD
|
||||
|
||||
%description
|
||||
@ -433,7 +431,7 @@ popd
|
||||
%patch912 -p1 -b .utf8-banner
|
||||
%patch914 -p1 -b .servconf
|
||||
%patch916 -p1 -b .contexts
|
||||
%patch917 -p1 -b .cisco-dh
|
||||
#%patch917 -p1 -b .cisco-dh # investigate
|
||||
%patch918 -p1 -b .log-in-chroot
|
||||
%patch919 -p1 -b .scp
|
||||
%patch920 -p1 -b .config
|
||||
@ -444,7 +442,6 @@ popd
|
||||
%patch924 -p1 -b .seccomp
|
||||
%patch925 -p1 -b .newline
|
||||
%patch926 -p1 -b .sftp-force-mode
|
||||
%patch927 -p1 -b .bz880575
|
||||
%patch928 -p1 -b .memory
|
||||
|
||||
%patch200 -p1 -b .audit
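Review bot: In the %prep list, `#%patch917 -p1 -b .cisco-dh # investigate` switches off the cisco-dh patch without recording why or where the follow-up is tracked, so a later reader cannot tell whether the 6.9p1 build is meant to ship without it. rpm can still expand macros on comment lines, so the usual form is to escape the directive, `#%%patch917 -p1 -b .cisco-dh`. The reason belongs on its own comment line above it, e.g. `# cisco-dh disabled during the 6.9p1 rebase: <reason>, tracked in <BUG-ID>`. The same section also appears to drop `Patch927` and its `%patch927` line. A %changelog entry naming both the dropped and the disabled patch would let an auditor see which downstream fixes this build actually carries; the changelog is not visible in this part of the page.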
|
||||
|