rebase to new upstream release 6.9

This commit is contained in:
Jakub Jelen 2015-06-24 14:11:59 +02:00
parent 21bee694ac
commit 535d341e70
16 changed files with 1404 additions and 1680 deletions


@ -1,7 +1,7 @@
diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac diff -up openssh/configure.ac.vendor openssh/configure.ac
--- openssh-6.8p1/configure.ac.vendor 2015-03-18 11:17:56.670880303 +0100 --- openssh/configure.ac.vendor 2015-06-24 11:05:39.805679794 +0200
+++ openssh-6.8p1/configure.ac 2015-03-18 11:17:56.695880243 +0100 +++ openssh/configure.ac 2015-06-24 11:05:39.835679719 +0200
@@ -4743,6 +4743,12 @@ AC_ARG_WITH([lastlog], @@ -4751,6 +4751,12 @@ AC_ARG_WITH([lastlog],
fi fi
] ]
) )
@ -14,7 +14,7 @@ diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
dnl lastlog, [uw]tmpx? detection dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the dnl NOTE: set the paths in the platform section to avoid the
@@ -5005,6 +5011,7 @@ echo " Translate v4 in v6 hack @@ -5013,6 +5019,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE" echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
echo "" echo ""
diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c diff -up openssh/servconf.c.vendor openssh/servconf.c
--- openssh-6.8p1/servconf.c.vendor 2015-03-17 06:49:20.000000000 +0100 --- openssh/servconf.c.vendor 2015-06-23 02:34:47.000000000 +0200
+++ openssh-6.8p1/servconf.c 2015-03-18 11:19:16.279691126 +0100 +++ openssh/servconf.c 2015-06-24 11:07:07.689460890 +0200
@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions @@ -147,6 +147,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1; options->max_authtries = -1;
options->max_sessions = -1; options->max_sessions = -1;
options->banner = NULL; options->banner = NULL;
@ -33,7 +33,7 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
options->use_dns = -1; options->use_dns = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
options->client_alive_count_max = -1; options->client_alive_count_max = -1;
@@ -327,6 +328,8 @@ fill_default_server_options(ServerOption @@ -335,6 +336,8 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT; options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL) if (options->version_addendum == NULL)
options->version_addendum = xstrdup(""); options->version_addendum = xstrdup("");
@ -42,7 +42,7 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177; options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1) if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -388,7 +391,7 @@ typedef enum { @@ -397,7 +400,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -50,8 +50,8 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, + sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -504,6 +507,7 @@ static struct { @@ -517,6 +520,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL },
@ -59,7 +59,7 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1320,6 +1324,10 @@ process_server_config_line(ServerOptions @@ -1372,6 +1376,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep; multistate_ptr = multistate_privsep;
goto parse_multistate; goto parse_multistate;
@ -70,18 +70,18 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
case sAllowUsers: case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') { while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS) if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -2145,6 +2153,7 @@ dump_config(ServerOptions *o) @@ -2249,6 +2257,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel); + dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
diff -up openssh-6.8p1/servconf.h.vendor openssh-6.8p1/servconf.h diff -up openssh/servconf.h.vendor openssh/servconf.h
--- openssh-6.8p1/servconf.h.vendor 2015-03-17 06:49:20.000000000 +0100 --- openssh/servconf.h.vendor 2015-06-23 02:34:47.000000000 +0200
+++ openssh-6.8p1/servconf.h 2015-03-18 11:17:56.696880241 +0100 +++ openssh/servconf.h 2015-06-24 11:05:39.837679714 +0200
@@ -151,6 +151,7 @@ typedef struct { @@ -154,6 +154,7 @@ typedef struct {
int max_authtries; int max_authtries;
int max_sessions; int max_sessions;
char *banner; /* SSH-2 banner message */ char *banner; /* SSH-2 banner message */
@ -137,10 +137,10 @@ diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
StreamLocalBindMask StreamLocalBindMask
Sets the octal file creation mode mask (umask) used when creating Sets the octal file creation mode mask (umask) used when creating
a Unix-domain socket file for local or remote port forwarding. a Unix-domain socket file for local or remote port forwarding.
diff -up openssh-6.8p1/sshd_config.5.vendor openssh-6.8p1/sshd_config.5 diff -up openssh/sshd_config.5.vendor openssh/sshd_config.5
--- openssh-6.8p1/sshd_config.5.vendor 2015-03-18 11:17:56.691880253 +0100 --- openssh/sshd_config.5.vendor 2015-06-24 11:05:39.831679729 +0200
+++ openssh-6.8p1/sshd_config.5 2015-03-18 11:17:56.697880239 +0100 +++ openssh/sshd_config.5 2015-06-24 11:05:39.837679714 +0200
@@ -1276,6 +1276,13 @@ This option applies to protocol version @@ -1344,6 +1344,13 @@ This option applies to protocol version
.It Cm ServerKeyBits .It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024. The minimum value is 512, and the default is 1024.


@ -1,31 +1,12 @@
diff --git a/servconf.c b/servconf.c diff -up openssh/servconf.c.servconf openssh/servconf.c
index b7f3294..bc1e909 100644 --- openssh/servconf.c.servconf 2015-06-24 11:26:26.186527736 +0200
--- a/servconf.c +++ openssh/servconf.c 2015-06-24 11:26:39.847493075 +0200
+++ b/servconf.c @@ -1815,6 +1815,8 @@ process_server_config_line(ServerOptions
@@ -1550,7 +1550,7 @@ process_server_config_line(ServerOptions *options, char *line,
break;
case sForceCommand:
- if (cp == NULL)
+ if (cp == NULL || *cp == '\0')
fatal("%.200s line %d: Missing argument.", filename,
linenum);
len = strspn(cp, WHITESPACE);
@@ -1595,7 +1595,7 @@ process_server_config_line(ServerOptions *options, char *line,
break;
case sVersionAddendum:
- if (cp == NULL)
+ if (cp == NULL || *cp == '\0')
fatal("%.200s line %d: Missing argument.", filename,
linenum);
len = strspn(cp, WHITESPACE);
@@ -1630,6 +1630,8 @@ process_server_config_line(ServerOptions *options, char *line,
break; break;
case sAuthenticationMethods: case sAuthenticationMethods:
+ if (cp == NULL || *cp == '\0') + if (cp == NULL || *cp == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum); + fatal("%.200s line %d: Missing argument.", filename, linenum);
if (*activep && options->num_auth_methods == 0) { if (options->num_auth_methods == 0) {
while ((arg = strdelim(&cp)) && *arg != '\0') { while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_auth_methods >= if (options->num_auth_methods >=
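Review bot: The rebased patch keeps only the sAuthenticationMethods hunk and drops the `*cp == '\0'` checks for sForceCommand and sVersionAddendum that the previous version of this patch carried (old side of this section). That is only right if upstream 6.9 already rejects an empty argument for those two keywords; if it does not, an empty `ForceCommand` or `VersionAddendum` line would again pass the bare `cp == NULL` test and be accepted silently instead of hitting the "Missing argument" fatal. Worth confirming against the 6.9 servconf.c, and a one-line note in the patch header recording why the two hunks went away would save the next rebase the same question. The surviving check sits before the `if (options->num_auth_methods == 0)` guard, so a repeated empty keyword still fails consistently. process_server_config_line() starts and ends outside the hunk.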


@ -1,6 +1,6 @@
diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-serv-krb5.c diff -up openssh/gss-serv-krb5.c.GSSAPIEnablek5users openssh/gss-serv-krb5.c
--- openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-03-18 13:04:21.505306818 +0100 --- openssh/gss-serv-krb5.c.GSSAPIEnablek5users 2015-06-24 11:40:03.716448353 +0200
+++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 13:04:21.527306764 +0100 +++ openssh/gss-serv-krb5.c 2015-06-24 11:40:03.739448295 +0200
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
FILE *fp; FILE *fp;
char file[MAXPATHLEN]; char file[MAXPATHLEN];
@ -18,10 +18,10 @@ diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-ser
return ssh_krb5_kuserok(krb_context, principal, luser, return ssh_krb5_kuserok(krb_context, principal, luser,
k5login_exists); k5login_exists);
} }
diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
--- openssh-6.8p1/servconf.c.GSSAPIEnablek5users 2015-03-18 13:04:21.516306791 +0100 --- openssh/servconf.c.GSSAPIEnablek5users 2015-06-24 11:40:03.728448323 +0200
+++ openssh-6.8p1/servconf.c 2015-03-18 13:05:26.846146608 +0100 +++ openssh/servconf.c 2015-06-24 11:40:03.740448292 +0200
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions @@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
options->version_addendum = NULL; options->version_addendum = NULL;
options->fingerprint_hash = -1; options->fingerprint_hash = -1;
options->use_kuserok = -1; options->use_kuserok = -1;
@ -29,7 +29,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
} }
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -348,6 +349,8 @@ fill_default_server_options(ServerOption @@ -353,6 +354,8 @@ fill_default_server_options(ServerOption
options->fingerprint_hash = SSH_FP_HASH_DEFAULT; options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->use_kuserok == -1) if (options->use_kuserok == -1)
options->use_kuserok = 1; options->use_kuserok = 1;
@ -38,7 +38,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX; use_privsep = PRIVSEP_NOSANDBOX;
@@ -406,7 +409,7 @@ typedef enum { @@ -412,7 +415,7 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@ -47,7 +47,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -484,6 +487,7 @@ static struct { @@ -490,12 +493,14 @@ static struct {
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@ -55,7 +55,6 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
#else #else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
@@ -491,6 +495,7 @@ static struct {
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
@ -63,7 +62,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
#endif #endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1623,6 +1628,10 @@ process_server_config_line(ServerOptions @@ -1663,6 +1668,10 @@ process_server_config_line(ServerOptions
intptr = &options->use_kuserok; intptr = &options->use_kuserok;
goto parse_flag; goto parse_flag;
@ -74,7 +73,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -1947,6 +1956,7 @@ copy_set_server_options(ServerOptions *d @@ -2018,6 +2027,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(use_kuserok); M_CP_INTOPT(use_kuserok);
@ -82,7 +81,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
@@ -2207,6 +2217,7 @@ dump_config(ServerOptions *o) @@ -2300,6 +2310,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
@ -90,10 +89,10 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h diff -up openssh/servconf.h.GSSAPIEnablek5users openssh/servconf.h
--- openssh-6.8p1/servconf.h.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100 --- openssh/servconf.h.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200
+++ openssh-6.8p1/servconf.h 2015-03-18 13:04:21.528306762 +0100 +++ openssh/servconf.h 2015-06-24 11:40:03.740448292 +0200
@@ -177,7 +177,8 @@ typedef struct { @@ -179,7 +179,8 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -103,21 +102,10 @@ diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h
char *chroot_directory; char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff -up openssh-6.8p1/sshd_config.GSSAPIEnablek5users openssh-6.8p1/sshd_config diff -up openssh/sshd_config.5.GSSAPIEnablek5users openssh/sshd_config.5
--- openssh-6.8p1/sshd_config.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100 --- openssh/sshd_config.5.GSSAPIEnablek5users 2015-06-24 11:40:03.741448290 +0200
+++ openssh-6.8p1/sshd_config 2015-03-18 13:04:21.528306762 +0100 +++ openssh/sshd_config.5 2015-06-24 11:40:40.707354263 +0200
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes @@ -628,6 +628,12 @@ on logout.
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_config.5
--- openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
+++ openssh-6.8p1/sshd_config.5 2015-03-18 13:04:21.528306762 +0100
@@ -576,6 +576,12 @@ on logout.
The default is The default is
.Dq yes . .Dq yes .
Note that this option applies to protocol version 2 only. Note that this option applies to protocol version 2 only.
@ -128,5 +116,16 @@ diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_conf
+The default is +The default is
+.Dq no . +.Dq no .
.It Cm GSSAPIStrictAcceptorCheck .It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against. If a client authenticates against.
diff -up openssh/sshd_config.GSSAPIEnablek5users openssh/sshd_config
--- openssh/sshd_config.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200
+++ openssh/sshd_config 2015-06-24 11:40:03.740448292 +0200
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will


@ -133,7 +133,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+ break; + break;
+ +
+ total += n; + total += n;
+ buf = xrealloc(buf, total + READ_CHUNK, 1); + buf = xreallocarray(buf, total + READ_CHUNK, 1);
+ } while(total < MAX_READ_SIZE); + } while(total < MAX_READ_SIZE);
+ return buf; + return buf;
+} +}
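Review bot: `xreallocarray(buf, total + READ_CHUNK, 1)` on the fourth line of the hunk gains no overflow protection over the old `xrealloc` call, because the only arithmetic is the addition done by the caller and a multiplication by 1 cannot overflow. Since the loop is bounded by `MAX_READ_SIZE` this is harmless, but the switch reads as if it were a safety fix; a comment such as `/* total is bounded by MAX_READ_SIZE, so total + READ_CHUNK cannot overflow */` on that line would state the invariant the code actually relies on. The opening of the read loop and the size of each read are outside the hunk, so whether `total` can end up as much as one chunk past `MAX_READ_SIZE` cannot be checked here.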


@ -163,7 +163,7 @@ index 413b845..54dd383 100644
+ k5users_allowed_cmds[ncommands-1] = + k5users_allowed_cmds[ncommands-1] =
+ xstrdup(pw->pw_shell); + xstrdup(pw->pw_shell);
+ k5users_allowed_cmds = + k5users_allowed_cmds =
+ xrealloc(k5users_allowed_cmds, ++ncommands, + xreallocarray(k5users_allowed_cmds, ++ncommands,
+ sizeof(*k5users_allowed_cmds)); + sizeof(*k5users_allowed_cmds));
+ break; + break;
+ } + }
@ -176,7 +176,7 @@ index 413b845..54dd383 100644
+ k5users_allowed_cmds[ncommands-1] = + k5users_allowed_cmds[ncommands-1] =
+ xstrdup(token); + xstrdup(token);
+ k5users_allowed_cmds = + k5users_allowed_cmds =
+ xrealloc(k5users_allowed_cmds, ++ncommands, + xreallocarray(k5users_allowed_cmds, ++ncommands,
+ sizeof(*k5users_allowed_cmds)); + sizeof(*k5users_allowed_cmds));
+ token = strtok(NULL, " \t\n"); + token = strtok(NULL, " \t\n");
+ } + }
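Review bot: `xreallocarray(k5users_allowed_cmds, ++ncommands, sizeof(*k5users_allowed_cmds))` on the fourth line of the hunk buries the count update inside the call argument, so the reader has to work out that `ncommands-1` on the preceding line is the slot just filled and that the array is always grown one entry past it (presumably for a terminating entry, but that store is outside the hunk); the same pattern appears in the second hunk of this section (the `token` branch). Writing the increment on its own line, `ncommands++;` followed by `k5users_allowed_cmds = xreallocarray(k5users_allowed_cmds, ncommands, sizeof(*k5users_allowed_cmds));`, keeps the behaviour and makes the grow-by-one intent visible. The `strtok` on the last line keeps static state; `strtok_r` would be the reentrant choice, though that line is untouched by this rebase. The enclosing function starts and ends outside the hunk.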



@ -1,6 +1,24 @@
diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat diff -up openssh/auth2-pubkey.c.keycat openssh/auth2-pubkey.c
--- openssh-6.8p1/HOWTO.ssh-keycat.keycat 2015-03-18 11:13:43.063482958 +0100 --- openssh/auth2-pubkey.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh-6.8p1/HOWTO.ssh-keycat 2015-03-18 11:13:43.063482958 +0100 +++ openssh/auth2-pubkey.c 2015-06-24 11:04:23.989868638 +0200
@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw
_exit(1);
}
+#ifdef WITH_SELINUX
+ if (sshd_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
+
execve(av[0], av, child_env);
error("%s exec \"%s\": %s", tag, command, strerror(errno));
_exit(127);
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
@@ -0,0 +1,12 @@ @@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with +of an user in any environment. This includes environments with
@ -14,9 +32,9 @@ diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat
+ PubkeyAuthentication yes + PubkeyAuthentication yes
+ +
+ +
diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in diff -up openssh/Makefile.in.keycat openssh/Makefile.in
--- openssh-6.8p1/Makefile.in.keycat 2015-03-18 11:13:43.061482963 +0100 --- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:14:22.480389291 +0100 +++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -52,27 +70,23 @@ diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/auth2-pubkey.c.keycat openssh-6.8p1/auth2-pubkey.c diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port-linux.h
--- openssh-6.8p1/auth2-pubkey.c.keycat 2015-03-18 11:13:43.053482982 +0100 --- openssh/openbsd-compat/port-linux.h.keycat 2015-06-24 10:57:50.150849626 +0200
+++ openssh-6.8p1/auth2-pubkey.c 2015-03-18 11:13:43.063482958 +0100 +++ openssh/openbsd-compat/port-linux.h 2015-06-24 10:57:50.160849601 +0200
@@ -623,6 +623,14 @@ user_key_command_allowed2(struct passwd @@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
_exit(1); void ssh_selinux_change_context(const char *);
} void ssh_selinux_setfscreatecon(const char *);
+#ifdef WITH_SELINUX +int sshd_selinux_enabled(void);
+ if (sshd_selinux_setup_env_variables() < 0) { void sshd_selinux_copy_context(void);
+ error ("failed to copy environment: %s", void sshd_selinux_setup_exec_context(char *);
+ strerror(errno)); +int sshd_selinux_setup_env_variables(void);
+ _exit(127); #endif
+ }
+#endif
+
execl(options.authorized_keys_command,
options.authorized_keys_command, user_pw->pw_name, NULL);
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/openbsd-compat/port-linux-sshd.c #ifdef LINUX_OOM_ADJUST
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat 2015-03-18 11:13:43.057482972 +0100 diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/port-linux-sshd.c
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:13:43.063482958 +0100 --- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt; @@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
extern int inetd_flag; extern int inetd_flag;
extern int rexeced_flag; extern int rexeced_flag;
@ -166,23 +180,9 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/ope
return; return;
if (getexeccon((security_context_t *)&ctx) != 0) { if (getexeccon((security_context_t *)&ctx) != 0) {
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.keycat openssh-6.8p1/openbsd-compat/port-linux.h diff -up openssh/platform.c.keycat openssh/platform.c
--- openssh-6.8p1/openbsd-compat/port-linux.h.keycat 2015-03-18 11:13:43.057482972 +0100 --- openssh/platform.c.keycat 2015-06-24 10:57:50.147849633 +0200
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 11:13:43.063482958 +0100 +++ openssh/platform.c 2015-06-24 10:57:50.160849601 +0200
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
+int sshd_selinux_setup_env_variables(void);
#endif
#ifdef LINUX_OOM_ADJUST
diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c
--- openssh-6.8p1/platform.c.keycat 2015-03-18 11:13:43.055482977 +0100
+++ openssh-6.8p1/platform.c 2015-03-18 11:13:43.063482958 +0100
@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p @@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p
{ {
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
@ -192,9 +192,9 @@ diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c
#endif #endif
#ifdef USE_SOLARIS_PROJECTS #ifdef USE_SOLARIS_PROJECTS
diff -up openssh-6.8p1/ssh-keycat.c.keycat openssh-6.8p1/ssh-keycat.c diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
--- openssh-6.8p1/ssh-keycat.c.keycat 2015-03-18 11:13:43.064482956 +0100 --- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200
+++ openssh-6.8p1/ssh-keycat.c 2015-03-18 11:13:43.064482956 +0100 +++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200
@@ -0,0 +1,238 @@ @@ -0,0 +1,238 @@
+/* +/*
+ * Redistribution and use in source and binary forms, with or without + * Redistribution and use in source and binary forms, with or without
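Review bot: In the auth2-pubkey.c hunk (subprocess(), first file of this section) the new failure branch reports `strerror(errno)` after `sshd_selinux_setup_env_variables()` returns negative, but nothing in the hunk shows that the helper sets errno on failure; if it does not, the log line will print a stale or "Success" errno next to the real cause. Either have the helper log its own cause or drop the `%s`: `error("failed to copy environment");`. The call is also written `error ("failed to copy environment: %s",` with a space before the parenthesis, unlike `error("%s exec \"%s\": %s", ...)` two lines below; `error("failed to copy environment: %s",` matches the file. Exiting with 127 before `execve` is consistent with the exec-failure path that follows. subprocess() itself starts and ends outside the hunk.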



@ -467,25 +467,3 @@ diff -up openssh-6.8p1/sshkey.c.coverity openssh-6.8p1/sshkey.c
#include "match.h" #include "match.h"
/* openssh private key file format */ /* openssh private key file format */
diff --git a/sshd.c b/sshd.c
index 6ff8f6f..2f2fcf8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1548,6 +1548,7 @@ main(int ac, char **av)
int keytype;
Authctxt *authctxt;
struct connection_info *connection_info = get_connection_info(0, 0);
+ char *addr = NULL;
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
@@ -2261,7 +2262,8 @@ main(int ac, char **av)
/* Log the connection. */
verbose("Connection from %s port %d on %s port %d",
remote_ip, remote_port,
- get_local_ipaddr(sock_in), get_local_port());
+ (addr = get_local_ipaddr(sock_in)), get_local_port());
+ free(addr);
/*
* We don't want to listen forever unless the other side


@ -1,7 +1,7 @@
diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
--- openssh-6.8p1/configure.ac.tcp_wrappers 2015-03-18 13:05:57.365071779 +0100 --- openssh/configure.ac.tcp_wrappers 2015-06-24 11:41:04.519293694 +0200
+++ openssh-6.8p1/configure.ac 2015-03-18 13:05:57.408071673 +0100 +++ openssh/configure.ac 2015-06-24 11:41:04.556293600 +0200
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey], @@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
] ]
) )
@ -64,7 +64,7 @@ diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
# Check whether user wants to use ldns # Check whether user wants to use ldns
LDNS_MSG="no" LDNS_MSG="no"
AC_ARG_WITH(ldns, AC_ARG_WITH(ldns,
@@ -5026,6 +5082,7 @@ echo " KerberosV support @@ -5034,6 +5090,7 @@ echo " KerberosV support
echo " SELinux support: $SELINUX_MSG" echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
@ -72,10 +72,10 @@ diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
echo " MD5 password support: $MD5_MSG" echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG" echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG" echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8 diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
--- openssh-6.8p1/sshd.8.tcp_wrappers 2015-03-18 13:05:57.377071749 +0100 --- openssh/sshd.8.tcp_wrappers 2015-06-24 11:41:04.527293674 +0200
+++ openssh-6.8p1/sshd.8 2015-03-18 13:05:57.408071673 +0100 +++ openssh/sshd.8 2015-06-24 11:41:04.556293600 +0200
@@ -858,6 +858,12 @@ the user's home directory becomes access @@ -860,6 +860,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be This file should be writable only by the user, and need not be
readable by anyone else. readable by anyone else.
.Pp .Pp
@ -88,7 +88,7 @@ diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
.It Pa /etc/hosts.equiv .It Pa /etc/hosts.equiv
This file is for host-based authentication (see This file is for host-based authentication (see
.Xr ssh 1 ) . .Xr ssh 1 ) .
@@ -981,6 +987,7 @@ IPv6 address can be used everywhere wher @@ -983,6 +989,7 @@ IPv6 address can be used everywhere wher
.Xr ssh-keygen 1 , .Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 , .Xr ssh-keyscan 1 ,
.Xr chroot 2 , .Xr chroot 2 ,
@ -96,9 +96,9 @@ diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
.Xr login.conf 5 , .Xr login.conf 5 ,
.Xr moduli 5 , .Xr moduli 5 ,
.Xr sshd_config 5 , .Xr sshd_config 5 ,
diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
--- openssh-6.8p1/sshd.c.tcp_wrappers 2015-03-18 13:05:57.402071688 +0100 --- openssh/sshd.c.tcp_wrappers 2015-06-24 11:41:04.549293618 +0200
+++ openssh-6.8p1/sshd.c 2015-03-18 13:06:48.199947136 +0100 +++ openssh/sshd.c 2015-06-24 11:41:53.331169536 +0200
@@ -125,6 +125,13 @@ @@ -125,6 +125,13 @@
#include "version.h" #include "version.h"
#include "ssherr.h" #include "ssherr.h"
@ -113,7 +113,7 @@ diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
#ifndef O_NOCTTY #ifndef O_NOCTTY
#define O_NOCTTY 0 #define O_NOCTTY 0
#endif #endif
@@ -2150,6 +2157,24 @@ main(int ac, char **av) @@ -2158,6 +2165,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port); audit_connection_from(remote_ip, remote_port);
#endif #endif
@ -137,4 +137,4 @@ diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
+#endif /* LIBWRAP */ +#endif /* LIBWRAP */
/* Log the connection. */ /* Log the connection. */
verbose("Connection from %s port %d on %s port %d", laddr = get_local_ipaddr(sock_in);


@ -1,63 +1,6 @@
diff -up openssh-6.8p1/Makefile.in.fips openssh-6.8p1/Makefile.in diff -up openssh/cipher.c.fips openssh/cipher.c
--- openssh-6.8p1/Makefile.in.fips 2015-03-19 13:14:22.221212174 +0100 --- openssh/cipher.c.fips 2015-06-24 12:00:58.730242500 +0200
+++ openssh-6.8p1/Makefile.in 2015-03-19 13:14:22.230212157 +0100 +++ openssh/cipher.c 2015-06-24 12:00:58.737242482 +0200
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-6.8p1/cipher-ctr.c.fips openssh-6.8p1/cipher-ctr.c
--- openssh-6.8p1/cipher-ctr.c.fips 2015-03-19 13:14:22.155212302 +0100
+++ openssh-6.8p1/cipher-ctr.c 2015-03-19 13:14:22.230212157 +0100
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c
--- openssh-6.8p1/cipher.c.fips 2015-03-19 13:14:22.224212169 +0100
+++ openssh-6.8p1/cipher.c 2015-03-19 13:14:22.230212157 +0100
@@ -39,6 +39,8 @@ @@ -39,6 +39,8 @@
#include <sys/types.h> #include <sys/types.h>
@ -130,10 +73,23 @@ diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c
if (strcasecmp(c->name, name) == 0) if (strcasecmp(c->name, name) == 0)
return c->number; return c->number;
return -1; return -1;
diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
--- openssh-6.8p1/dh.h.fips 2015-03-17 06:49:20.000000000 +0100 --- openssh/cipher-ctr.c.fips 2015-06-24 12:00:58.669242656 +0200
+++ openssh-6.8p1/dh.h 2015-03-19 13:14:22.230212157 +0100 +++ openssh/cipher-ctr.c 2015-06-24 12:00:58.736242484 +0200
@@ -45,6 +45,7 @@ u_int dh_estimate(int); @@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh/dh.h.fips openssh/dh.h
--- openssh/dh.h.fips 2015-06-23 02:34:47.000000000 +0200
+++ openssh/dh.h 2015-06-24 12:00:58.737242482 +0200
@@ -46,6 +46,7 @@ u_int dh_estimate(int);
/* Min and max values from RFC4419. */ /* Min and max values from RFC4419. */
#define DH_GRP_MIN 1024 #define DH_GRP_MIN 1024
@ -141,9 +97,9 @@ diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h
#define DH_GRP_MAX 8192 #define DH_GRP_MAX 8192
/* /*
diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c diff -up openssh/entropy.c.fips openssh/entropy.c
--- openssh-6.8p1/entropy.c.fips 2015-03-19 13:14:22.147212317 +0100 --- openssh/entropy.c.fips 2015-06-24 12:00:58.662242674 +0200
+++ openssh-6.8p1/entropy.c 2015-03-19 13:14:22.230212157 +0100 +++ openssh/entropy.c 2015-06-24 12:00:58.737242482 +0200
@@ -217,6 +217,9 @@ seed_rng(void) @@ -217,6 +217,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you " fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@ -154,9 +110,9 @@ diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c
#ifndef OPENSSL_PRNG_ONLY #ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) { if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding"); debug3("RNG is ready, skipping seeding");
diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c diff -up openssh/kex.c.fips openssh/kex.c
--- openssh-6.8p1/kex.c.fips 2015-03-19 13:14:22.165212282 +0100 --- openssh/kex.c.fips 2015-06-24 12:00:58.730242500 +0200
+++ openssh-6.8p1/kex.c 2015-03-19 13:14:22.230212157 +0100 +++ openssh/kex.c 2015-06-24 12:00:58.737242482 +0200
@@ -35,6 +35,7 @@ @@ -35,6 +35,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -165,7 +121,7 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
#endif #endif
#include "ssh2.h" #include "ssh2.h"
@@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = { @@ -108,6 +109,25 @@ static const struct kexalg kexalgs[] = {
{ NULL, -1, -1, -1}, { NULL, -1, -1, -1},
}; };
@ -191,7 +147,7 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
char * char *
kex_alg_list(char sep) kex_alg_list(char sep)
{ {
@@ -134,7 +154,7 @@ kex_alg_by_name(const char *name) @@ -135,7 +155,7 @@ kex_alg_by_name(const char *name)
{ {
const struct kexalg *k; const struct kexalg *k;
@ -200,7 +156,7 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
if (strcmp(k->name, name) == 0) if (strcmp(k->name, name) == 0)
return k; return k;
#ifdef GSSAPI #ifdef GSSAPI
@@ -160,7 +180,10 @@ kex_names_valid(const char *names) @@ -161,7 +181,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) { if (kex_alg_by_name(p) == NULL) {
@ -212,54 +168,47 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
free(s); free(s);
return 0; return 0;
} }
diff -up openssh-6.8p1/kexgexc.c.fips openssh-6.8p1/kexgexc.c diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
--- openssh-6.8p1/kexgexc.c.fips 2015-03-19 13:14:22.196212223 +0100 --- openssh/kexgexc.c.fips 2015-06-24 12:00:58.737242482 +0200
+++ openssh-6.8p1/kexgexc.c 2015-03-19 13:15:11.462117016 +0100 +++ openssh/kexgexc.c 2015-06-24 12:02:26.996015709 +0200
@@ -28,6 +28,8 @@ @@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
+#include <openssl/fips.h> +#include <openssl/fips.h>
+ #include <sys/param.h>
#include <sys/types.h> #include <sys/types.h>
#include <openssl/dh.h> @@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
@@ -62,7 +64,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8); nbits = dh_estimate(kex->dh_need * 8);
- kex->min = DH_GRP_MIN; - kex->min = DH_GRP_MIN;
+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; + kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = DH_GRP_MAX; kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
--- openssh/kexgexs.c.fips 2015-06-24 12:00:58.738242479 +0200
+++ openssh/kexgexs.c 2015-06-24 13:48:23.735320199 +0200
@@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int
(r = sshpkt_get_end(ssh)) != 0)
goto out;
kex->nbits = nbits;
- kex->min = min;
+ kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = max;
- min = MAX(DH_GRP_MIN, min);
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
max = MIN(DH_GRP_MAX, max);
- nbits = MAX(DH_GRP_MIN, nbits);
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
nbits = MIN(DH_GRP_MAX, nbits);
/* Servers with MAX4096DH need a preferred size (nbits) <= 4096. if (kex->max < kex->min || kex->nbits < kex->min ||
diff -up openssh-6.8p1/kexgexs.c.fips openssh-6.8p1/kexgexs.c diff -up openssh/mac.c.fips openssh/mac.c
--- openssh-6.8p1/kexgexs.c.fips 2015-03-17 06:49:20.000000000 +0100 --- openssh/mac.c.fips 2015-06-24 12:00:58.731242497 +0200
+++ openssh-6.8p1/kexgexs.c 2015-03-19 13:14:22.231212155 +0100 +++ openssh/mac.c 2015-06-24 12:00:58.738242479 +0200
@@ -87,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits;
kex->min = min;
kex->max = max;
- min = MAX(DH_GRP_MIN, min);
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
max = MIN(DH_GRP_MAX, max);
- nbits = MAX(DH_GRP_MIN, nbits);
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
nbits = MIN(DH_GRP_MAX, nbits);
break;
case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
@@ -99,7 +99,7 @@ input_kex_dh_gex_request(int type, u_int
goto out;
kex->nbits = nbits;
/* unused for old GEX */
- kex->min = min = DH_GRP_MIN;
+ kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = max = DH_GRP_MAX;
break;
default:
diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c
--- openssh-6.8p1/mac.c.fips 2015-03-19 13:14:22.224212169 +0100
+++ openssh-6.8p1/mac.c 2015-03-19 13:14:22.231212155 +0100
@@ -27,6 +27,8 @@ @@ -27,6 +27,8 @@
#include <sys/types.h> #include <sys/types.h>
@ -321,10 +270,54 @@ diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c
if (strcmp(name, m->name) != 0) if (strcmp(name, m->name) != 0)
continue; continue;
if (mac != NULL) if (mac != NULL)
diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h diff -up openssh/Makefile.in.fips openssh/Makefile.in
--- openssh-6.8p1/myproposal.h.fips 2015-03-17 06:49:20.000000000 +0100 --- openssh/Makefile.in.fips 2015-06-24 12:00:58.731242497 +0200
+++ openssh-6.8p1/myproposal.h 2015-03-19 13:14:22.231212155 +0100 +++ openssh/Makefile.in 2015-06-24 12:00:58.736242484 +0200
@@ -140,6 +140,28 @@ @@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh/myproposal.h.fips openssh/myproposal.h
--- openssh/myproposal.h.fips 2015-06-23 02:34:47.000000000 +0200
+++ openssh/myproposal.h 2015-06-24 12:00:58.738242479 +0200
@@ -143,6 +143,28 @@
"hmac-sha1-96," \ "hmac-sha1-96," \
"hmac-md5-96" "hmac-md5-96"
@ -353,9 +346,36 @@ diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h
#else #else
#define KEX_SERVER_KEX \ #define KEX_SERVER_KEX \
diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c diff -up openssh/servconf.c.fips openssh/servconf.c
--- openssh-6.8p1/ssh.c.fips 2015-03-17 06:49:20.000000000 +0100 --- openssh/servconf.c.fips 2015-06-24 12:00:58.726242510 +0200
+++ openssh-6.8p1/ssh.c 2015-03-19 13:14:22.232212153 +0100 +++ openssh/servconf.c 2015-06-24 13:49:40.164085648 +0200
@@ -2319,8 +2319,10 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2335,8 +2337,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- dump_cfg_string(sKexAlgorithms,
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
diff -up openssh/ssh.c.fips openssh/ssh.c
--- openssh/ssh.c.fips 2015-06-23 02:34:47.000000000 +0200
+++ openssh/ssh.c 2015-06-24 12:00:58.738242479 +0200
@@ -75,6 +75,8 @@ @@ -75,6 +75,8 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -365,7 +385,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -523,6 +525,14 @@ main(int ac, char **av) @@ -521,6 +523,14 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -380,7 +400,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
#ifndef HAVE_SETPROCTITLE #ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */ /* Prepare for later setproctitle emulation */
@@ -600,6 +610,9 @@ main(int ac, char **av) @@ -598,6 +608,9 @@ main(int ac, char **av)
"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) { switch (opt) {
case '1': case '1':
@ -390,7 +410,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
options.protocol = SSH_PROTO_1; options.protocol = SSH_PROTO_1;
break; break;
case '2': case '2':
@@ -941,7 +954,6 @@ main(int ac, char **av) @@ -939,7 +952,6 @@ main(int ac, char **av)
host_arg = xstrdup(host); host_arg = xstrdup(host);
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -398,7 +418,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
ERR_load_crypto_strings(); ERR_load_crypto_strings();
#endif #endif
@@ -1115,6 +1127,10 @@ main(int ac, char **av) @@ -1113,6 +1125,10 @@ main(int ac, char **av)
seed_rng(); seed_rng();
@ -409,7 +429,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
if (options.user == NULL) if (options.user == NULL)
options.user = xstrdup(pw->pw_name); options.user = xstrdup(pw->pw_name);
@@ -1192,6 +1208,12 @@ main(int ac, char **av) @@ -1190,6 +1206,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000; timeout_ms = options.connection_timeout * 1000;
@ -422,9 +442,9 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
/* Open a connection to the remote host. */ /* Open a connection to the remote host. */
if (ssh_connect(host, addrs, &hostaddr, options.port, if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts, options.address_family, options.connection_attempts,
diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
--- openssh-6.8p1/sshconnect2.c.fips 2015-03-19 13:14:22.188212238 +0100 --- openssh/sshconnect2.c.fips 2015-06-24 12:00:58.698242582 +0200
+++ openssh-6.8p1/sshconnect2.c 2015-03-19 13:14:22.232212153 +0100 +++ openssh/sshconnect2.c 2015-06-24 12:00:58.739242477 +0200
@@ -46,6 +46,8 @@ @@ -46,6 +46,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -510,9 +530,9 @@ diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c
#ifdef GSSAPI #ifdef GSSAPI
/* If we've got GSSAPI algorithms, then we also support the /* If we've got GSSAPI algorithms, then we also support the
* 'null' hostkey, as a last resort */ * 'null' hostkey, as a last resort */
diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c diff -up openssh/sshd.c.fips openssh/sshd.c
--- openssh-6.8p1/sshd.c.fips 2015-03-19 13:14:22.226212165 +0100 --- openssh/sshd.c.fips 2015-06-24 12:00:58.734242489 +0200
+++ openssh-6.8p1/sshd.c 2015-03-19 13:14:22.232212153 +0100 +++ openssh/sshd.c 2015-06-24 12:00:58.739242477 +0200
@@ -66,6 +66,7 @@ @@ -66,6 +66,7 @@
#include <grp.h> #include <grp.h>
#include <pwd.h> #include <pwd.h>
@ -530,7 +550,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#endif #endif
@@ -1543,6 +1546,18 @@ main(int ac, char **av) @@ -1548,6 +1551,18 @@ main(int ac, char **av)
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -549,7 +569,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1694,7 +1709,7 @@ main(int ac, char **av) @@ -1700,7 +1715,7 @@ main(int ac, char **av)
else else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -558,7 +578,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
#endif #endif
@@ -1890,6 +1905,10 @@ main(int ac, char **av) @@ -1901,6 +1916,10 @@ main(int ac, char **av)
sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp); sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
free(fp); free(fp);
} }
@ -569,7 +589,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
@@ -2058,6 +2077,10 @@ main(int ac, char **av) @@ -2069,6 +2088,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */ /* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -580,7 +600,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
/* Chdir to the root directory so that the current disk can be /* Chdir to the root directory so that the current disk can be
unmounted if desired. */ unmounted if desired. */
if (chdir("/") == -1) if (chdir("/") == -1)
@@ -2642,6 +2665,9 @@ do_ssh2_kex(void) @@ -2654,6 +2677,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) { if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -590,7 +610,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
} }
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2651,6 +2677,9 @@ do_ssh2_kex(void) @@ -2663,6 +2689,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) { if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -600,7 +620,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
} }
if (options.compression == COMP_NONE) { if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_CTOS] =
@@ -2661,6 +2690,8 @@ do_ssh2_kex(void) @@ -2673,6 +2702,8 @@ do_ssh2_kex(void)
} }
if (options.kex_algorithms != NULL) if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -609,7 +629,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
myproposal[PROPOSAL_KEX_ALGS]); myproposal[PROPOSAL_KEX_ALGS]);
@@ -2687,10 +2718,14 @@ do_ssh2_kex(void) @@ -2699,10 +2730,14 @@ do_ssh2_kex(void)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL; orig = NULL;
@ -628,9 +648,9 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
if (gss && orig) if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig); xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c diff -up openssh/sshkey.c.fips openssh/sshkey.c
--- openssh-6.8p1/sshkey.c.fips 2015-03-19 13:14:22.227212163 +0100 --- openssh/sshkey.c.fips 2015-06-24 12:00:58.735242487 +0200
+++ openssh-6.8p1/sshkey.c 2015-03-19 13:14:22.233212151 +0100 +++ openssh/sshkey.c 2015-06-24 12:00:58.740242474 +0200
@@ -35,6 +35,7 @@ @@ -35,6 +35,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -639,7 +659,7 @@ diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
#endif #endif
#include "crypto_api.h" #include "crypto_api.h"
@@ -1562,6 +1563,8 @@ rsa_generate_private_key(u_int bits, RSA @@ -1586,6 +1587,8 @@ rsa_generate_private_key(u_int bits, RSA
} }
if (!BN_set_word(f4, RSA_F4) || if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) { !RSA_generate_key_ex(private, bits, f4, NULL)) {
@ -648,30 +668,3 @@ diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
ret = SSH_ERR_LIBCRYPTO_ERROR; ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out; goto out;
} }
diff -up openssh-6.8p1/servconf.c.fips openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.fips 2015-03-19 13:14:22.210212196 +0100
+++ openssh-6.8p1/servconf.c 2015-03-19 13:14:22.233212151 +0100
@@ -2226,8 +2226,10 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2240,8 +2242,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- dump_cfg_string(sKexAlgorithms,
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
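Review bot: In the kexgexs.c hunk, the new line `kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;` discards the minimum the client just supplied through sshpkt_get_u32 and replaces it with a constant, so the following `min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);` becomes a no-op and the range check `if (kex->max < kex->min || kex->nbits < kex->min ||` below compares against the constant rather than the peer's request. This looks like the `kex->min = min = ...` line from the 6.8 SSH2_MSG_KEX_DH_GEX_REQUEST_OLD branch (still visible on the old side) carried into the surviving REQUEST branch during the rebase; if kex->min also feeds the exchange hash, as it does upstream, a client proposing any other minimum would fail key exchange, and in non-FIPS mode the server silently pins min to DH_GRP_MIN for every client. Restoring upstream's `kex->min = min;` keeps the FIPS floor, because the MAX() on the next line already applies it. input_kex_dh_gex_request continues outside the hunk.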


@ -1742,7 +1742,7 @@ diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
+ len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d", + len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
+ (options.ssl == 0) ? "" : "s", options.host, options.port); + (options.ssl == 0) ? "" : "s", options.host, options.port);
+ options.uri[MAXURILEN - 1] = 0; + options.uri[MAXURILEN - 1] = 0;
+ options.uri = xrealloc (options.uri, len + 1, 1); + options.uri = xreallocarray(options.uri, len + 1, 1);
+ } + }
+ if (options.binddn == NULL) + if (options.binddn == NULL)
+ options.binddn = ""; + options.binddn = "";
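Review bot: `len` from the snprintf two lines above is used unchecked as the allocation size in `options.uri = xreallocarray(options.uri, len + 1, 1);`: a negative return (encoding error) turns the request into zero bytes, and a return of MAXURILEN or more means the URI was truncated while the buffer is grown to the untruncated length, so the `options.uri[MAXURILEN - 1] = 0;` write hides a truncated URI rather than reporting it. Before the realloc, `if (len < 0 || len >= MAXURILEN) fatal("LDAP URI too long");` makes both cases explicit. The enclosing function starts and ends outside the hunk.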


@ -1,104 +1,14 @@
diff --git a/configure.ac b/configure.ac diff -up openssh/configure.ac.seccomp openssh/configure.ac
index 4065d0e..d59ad44 100644 diff -up openssh/sandbox-seccomp-filter.c.seccomp openssh/sandbox-seccomp-filter.c
--- a/configure.ac --- openssh/sandbox-seccomp-filter.c.seccomp 2015-06-24 11:45:44.001581471 +0200
+++ b/configure.ac +++ openssh/sandbox-seccomp-filter.c 2015-06-24 11:51:54.032635297 +0200
@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) @@ -165,6 +165,9 @@ static const struct sock_filter preauth_
i*86-*)
seccomp_audit_arch=AUDIT_ARCH_I386
;;
- arm*-*)
+ aarch64*-*)
+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
+ ;;
+ arm*-*)
seccomp_audit_arch=AUDIT_ARCH_ARM
- ;;
+ ;;
esac
if test "x$seccomp_audit_arch" != "x" ; then
AC_MSG_RESULT(["$seccomp_audit_arch"])
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 095b04a..52f6810 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
#include <sys/resource.h>
#include <sys/prctl.h>
+#include <linux/net.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
@@ -80,6 +81,17 @@
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+ /* load first syscall argument */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, args[(_arg_nr)])), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+ /* reload syscall number; all rules expect it in accumulator */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, nr))
+
/* Syscall filtering set for preauth. */
static const struct sock_filter preauth_insns[] = {
/* Ensure the syscall arch convention is as expected. */
@@ -90,8 +90,23 @@ static const struct sock_filter preauth_insns[] = {
/* Load the syscall number for checking. */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
offsetof(struct seccomp_data, nr)),
- SC_DENY(open, EACCES),
+#ifdef __NR_stat
SC_DENY(stat, EACCES),
+#endif
+ SC_DENY(openat, EACCES),
+#ifdef __NR_open
+ SC_DENY(open, EACCES), /* not on AArch64 */
+#endif
+#ifdef __NR_fstat
+ SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
+#endif
+#if defined(__NR_stat64) && defined(__NR_fstat64)
+ SC_DENY(stat64, EACCES), /* ix86, arm */
+ SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_newfstatat
+ SC_DENY(newfstatat, EACCES), /* Aarch64 */
+#endif
SC_ALLOW(getpid),
SC_ALLOW(gettimeofday),
SC_ALLOW(clock_gettime),
@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW(shutdown),
#endif
SC_ALLOW(brk),
+#ifdef __NR_poll /* not on AArch64 */
SC_ALLOW(poll),
+#endif
#ifdef __NR__newselect #ifdef __NR__newselect
SC_ALLOW(_newselect), SC_ALLOW(_newselect),
#else
+#ifdef __NR_select /* not on AArch64 */
SC_ALLOW(select),
#endif #endif
+#ifdef __NR_pselect6 /* AArch64 */ +#ifdef __NR_pselect6 /* AArch64 */
+ SC_ALLOW(pselect6), + SC_ALLOW(pselect6),
+#endif +#endif
+#endif #ifdef __NR_poll
SC_ALLOW(madvise), SC_ALLOW(poll),
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
SC_ALLOW(mmap2),
@@ -154,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
#else
SC_ALLOW(sigprocmask),
#endif #endif
+#ifdef __NR_socketcall
+ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
};
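Review bot: The rewritten patch opens with `diff -up openssh/configure.ac.seccomp openssh/configure.ac` and then goes straight to the sandbox-seccomp-filter.c header, so the configure.ac entry has no `---`/`+++`/`@@` body; either the AArch64 audit-arch case from the old version was meant to survive or the stray header should be deleted so patch(1) does not trip over it. Presumably upstream 6.9 now carries the configure.ac change and the stat/openat/socketcall filtering itself, which is why only the pselect6 allow remains, but that should be verified against the 6.9 sources and recorded in a one-line comment at the top of the patch file. The `/* AArch64 */` comment on the new `#ifdef __NR_pselect6` also understates the effect: because the block sits outside the `__NR__newselect` conditional, any architecture that defines __NR_pselect6 now admits it preauth, so `/* AArch64 has no select(); other arches define this too */` would be more accurate. The preauth_insns array starts outside the hunk.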


@ -1,11 +0,0 @@
--- openssh-6.8p1/authfile.c.orig 2015-03-26 09:59:06.646924879 +0100
+++ openssh-6.8p1/authfile.c 2015-03-26 09:59:19.310905998 +0100
@@ -194,7 +194,7 @@
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("Permissions 0%3.3o for '%s' are too open.",
(u_int)st.st_mode & 0777, filename);
- error("It is recommended that your private key files are NOT accessible by others.");
+ error("It is required that your private key files are NOT accessible by others.");
error("This private key will be ignored.");
return SSH_ERR_KEY_BAD_PERMISSIONS;
}


@ -1,41 +1,7 @@
diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c diff -up openssh/servconf.c.sshdt openssh/servconf.c
--- openssh-6.8p1/servconf.c.sshdt 2015-05-28 13:32:55.728821389 +0200 --- openssh/servconf.c.sshdt 2015-06-24 11:42:29.041078704 +0200
+++ openssh-6.8p1/servconf.c 2015-05-28 13:34:01.937750270 +0200 +++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
@@ -2118,6 +2118,8 @@ dump_cfg_strarray_oneline(ServerOpCodes @@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
{
u_int i;
+ if (count <= 0)
+ return;
printf("%s", lookup_opcode_name(code));
for (i = 0; i < count; i++)
printf(" %s", vals[i]);
@@ -2156,7 +2158,7 @@ dump_config(ServerOptions *o)
/* integer arguments */
#ifdef USE_PAM
- dump_cfg_int(sUsePAM, o->use_pam);
+ dump_cfg_fmtint(sUsePAM, o->use_pam);
#endif
dump_cfg_int(sServerKeyBits, o->server_key_bits);
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
@@ -2166,6 +2168,7 @@ dump_config(ServerOptions *o)
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
+ dump_cfg_int(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
/* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
@@ -2213,6 +2216,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@@ -2224,14 +2228,15 @@ dump_config(ServerOptions *o)
dump_cfg_string(sXAuthLocation, o->xauth_location); dump_cfg_string(sXAuthLocation, o->xauth_location);
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
@ -44,29 +10,10 @@ diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c
dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory); dump_cfg_string(sChrootDirectory, o->chroot_directory);
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
dump_cfg_string(sRevokedKeys, o->revoked_keys_file); diff -up openssh/ssh.1.sshdt openssh/ssh.1
dump_cfg_string(sAuthorizedPrincipalsFile, --- openssh/ssh.1.sshdt 2015-06-24 11:42:19.565102807 +0200
o->authorized_principals_file); +++ openssh/ssh.1 2015-06-24 11:42:29.042078701 +0200
- dump_cfg_string(sVersionAddendum, o->version_addendum); @@ -441,7 +441,11 @@ For full details of the options listed b
+ dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
+ ? "none" : o->version_addendum);
dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
@@ -2251,7 +2256,7 @@ dump_config(ServerOptions *o)
o->authorized_keys_files);
dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
o->host_key_files);
- dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
+ dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
o->host_cert_files);
dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
diff --git a/ssh.1 b/ssh.1
index cf02526..7fddf46 100644
--- a/ssh.1
+++ b/ssh.1
@@ -441,7 +441,11 @@ For full details of the options listed below, and their possible values, see
.It GatewayPorts .It GatewayPorts
.It GlobalKnownHostsFile .It GlobalKnownHostsFile
.It GSSAPIAuthentication .It GSSAPIAuthentication


@ -65,10 +65,10 @@
%endif %endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 6.8p1 %define openssh_ver 6.9p1
%define openssh_rel 9 %define openssh_rel 1
%define pam_ssh_agent_ver 0.9.3 %define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 5 %define pam_ssh_agent_rel 6
Summary: An open source implementation of SSH protocol versions 1 and 2 Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh Name: openssh
@ -218,8 +218,6 @@ Patch924: openssh-6.7p1-seccomp-aarch64.patch
Patch925: openssh-6.7p1-ssh-copy-id-truncated-keys.patch Patch925: openssh-6.7p1-ssh-copy-id-truncated-keys.patch
# Add sftp option to force mode of created files (#1191055) # Add sftp option to force mode of created files (#1191055)
Patch926: openssh-6.7p1-sftp-force-permission.patch Patch926: openssh-6.7p1-sftp-force-permission.patch
# Upstream bug #1878 reintroduced in openssh6.7p1
Patch927: openssh-6.8p1-880575.patch
# Memory problems # Memory problems
# https://bugzilla.mindrot.org/show_bug.cgi?id=2401 # https://bugzilla.mindrot.org/show_bug.cgi?id=2401
Patch928: openssh-6.8p1-memory-problems.patch Patch928: openssh-6.8p1-memory-problems.patch
@ -316,7 +314,7 @@ Requires: openssh = %{version}-%{release}
Summary: PAM module for authentication with ssh-agent Summary: PAM module for authentication with ssh-agent
Group: System Environment/Base Group: System Environment/Base
Version: %{pam_ssh_agent_ver} Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2 Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
License: BSD License: BSD
%description %description
@ -433,7 +431,7 @@ popd
%patch912 -p1 -b .utf8-banner %patch912 -p1 -b .utf8-banner
%patch914 -p1 -b .servconf %patch914 -p1 -b .servconf
%patch916 -p1 -b .contexts %patch916 -p1 -b .contexts
%patch917 -p1 -b .cisco-dh #%patch917 -p1 -b .cisco-dh # investigate
%patch918 -p1 -b .log-in-chroot %patch918 -p1 -b .log-in-chroot
%patch919 -p1 -b .scp %patch919 -p1 -b .scp
%patch920 -p1 -b .config %patch920 -p1 -b .config
@ -444,7 +442,6 @@ popd
%patch924 -p1 -b .seccomp %patch924 -p1 -b .seccomp
%patch925 -p1 -b .newline %patch925 -p1 -b .newline
%patch926 -p1 -b .sftp-force-mode %patch926 -p1 -b .sftp-force-mode
%patch927 -p1 -b .bz880575
%patch928 -p1 -b .memory %patch928 -p1 -b .memory
%patch200 -p1 -b .audit %patch200 -p1 -b .audit