rpms/openssh
7
0
Fork 1
Code Issues Pull Requests Releases Activity

rebase patches to openssh-7.6p1 and make it build

Browse Source
This commit is contained in:
Jakub Jelen 2017-09-26 14:04:45 +02:00
parent 9e46aafab9
commit 5b55d0951d
23 changed files with 1501 additions and 2782 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
openssh-6.6.1p1-log-in-chroot.patch
View File

@ -34,7 +34,7 @@ diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
void log_init(char *, LogLevel, SyslogFacility, int);
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
void log_change_level(LogLevel);
int log_change_level(LogLevel);
int log_is_on_stderr(void);
void log_redirect_stderr_to(const char *);
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
@ -123,30 +123,8 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
static int in_chroot = 0;
+static int have_dev_log = 1;
/* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL;
@@ -365,8 +366,8 @@ do_exec_no_pty(Session *s, const char *c
is_child = 1;
/* Child. Reinitialize the log since the pid has changed. */
- log_init(__progname, options.log_level,
- options.log_facility, log_stderr);
+ log_init_handler(__progname, options.log_level,
+ options.log_facility, log_stderr, have_dev_log);
/*
* Create a new session and process group since the 4.4BSD
@@ -523,8 +524,8 @@ do_exec_pty(Session *s, const char *comm
close(ptymaster);
/* Child. Reinitialize the log because the pid has changed. */
- log_init(__progname, options.log_level,
- options.log_facility, log_stderr);
+ log_init_handler(__progname, options.log_level,
+ options.log_facility, log_stderr, have_dev_log);
/* Close the master side of the pseudo tty. */
close(ptyfd);
/* File containing userauth info, if ExposeAuthInfo set */
static char *auth_info_file = NULL;
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
int ret;
const char *forced = NULL, *tty = NULL;

46
openssh-6.6p1-GSSAPIEnablek5users.patch
View File

@ -22,22 +22,22 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->gss_strict_acceptor = -1;
options->gss_store_rekey = -1;
options->use_kuserok = -1;
+ options->enable_k5users = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
options->disable_forwarding = 0;
options->gss_store_rekey = 0;
if (options->use_kuserok == -1)
options->use_kuserok = 1;
+ if (options->enable_k5users == -1)
+ options->enable_k5users = 0;
assemble_algorithms(options);
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -418,7 +421,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms,
@ -80,28 +80,26 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ M_CP_INTOPT(enable_k5users);
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
M_CP_INTOPT(log_level);
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
@@ -174,7 +174,8 @@ typedef struct {
int num_permitted_opens;
- int use_kuserok;
+ int use_kuserok;
@@ -174,6 +174,7 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int use_kuserok;
+ int enable_k5users;
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100

2
openssh-6.6p1-ctr-cavstest.patch
View File

@ -20,7 +20,7 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
ssh_api.o \
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(SSHLIBS)
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)

22
openssh-6.6p1-entropy.patch
View File

@ -16,7 +16,7 @@ diff -up openssh-7.4p1/openbsd-compat/Makefile.in.entropy openssh-7.4p1/openbsd-
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 18:35:15.890769493 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
@ -123,26 +123,6 @@ diff -up openssh-7.4p1/ssh.1.entropy openssh-7.4p1/ssh.1
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
diff -up openssh-7.4p1/ssh-add.0.entropy openssh-7.4p1/ssh-add.0
--- openssh-7.4p1/ssh-add.0.entropy 2016-12-19 06:21:21.000000000 +0100
+++ openssh-7.4p1/ssh-add.0 2016-12-23 18:34:27.770753571 +0100
@@ -88,6 +88,16 @@ ENVIRONMENT
Identifies the path of a UNIX-domain socket used to communicate
with the agent.
+ SSH_USE_STRONG_RNG
+ The reseeding of the OpenSSL random generator is usually done
+ from /dev/urandom. If the SSH_USE_STRONG_RNG environment vari-
+ able is set to value other than 0 the OpenSSL random generator is
+ reseeded from /dev/random. The number of bytes read is defined
+ by the SSH_USE_STRONG_RNG value. Minimum is 14 bytes. This set-
+ ting is not recommended on the computers without the hardware
+ random generator because insufficient entropy causes the connec-
+ tion to be blocked until enough entropy is available.
+
FILES
~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
diff -up openssh-7.4p1/ssh-add.1.entropy openssh-7.4p1/ssh-add.1
--- openssh-7.4p1/ssh-add.1.entropy 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-add.1 2016-12-23 18:34:27.770753571 +0100

8
openssh-6.6p1-keycat.patch
View File

@ -1,6 +1,6 @@
diff -up openssh/auth2-pubkey.c.keycat openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/auth2-pubkey.c 2015-06-24 11:04:23.989868638 +0200
diff -up openssh/misc.c.keycat openssh/misc.c
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw
_exit(1);
}
@ -65,7 +65,7 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(SSHLIBS)
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)

58
openssh-6.6p1-kuserok.patch
View File

@ -175,23 +175,23 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100
@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions
options->version_addendum = NULL;
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions
options->gss_cleanup_creds = -1;
options->gss_strict_acceptor = -1;
options->gss_store_rekey = -1;
+ options->use_kuserok = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -342,6 +343,8 @@ fill_default_server_options(ServerOption
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->disable_forwarding == -1)
options->disable_forwarding = 0;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
options->gss_strict_acceptor = 1;
if (options->gss_store_rekey == -1)
options->gss_store_rekey = 0;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
assemble_algorithms(options);
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -399,7 +402,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
@ -233,26 +233,26 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
+ M_CP_INTOPT(use_kuserok);
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
M_CP_INTOPT(log_level);
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
# ifdef USE_AFS
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
@@ -174,6 +174,7 @@ typedef struct {
int num_permitted_opens;
@@ -118,6 +118,7 @@ typedef struct {
* file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
+ int use_kuserok;
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
@ -272,9 +272,9 @@ diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok ,
.Cm LogLevel ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
--- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100
+++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100

2
openssh-6.6p1-privsep-selinux.patch
View File

@ -107,7 +107,7 @@ diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
+#endif
+
/* Demote the child */
if (getuid() == 0 || geteuid() == 0) {
if (privsep_chroot) {
/* Change our root directory */
@@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt)
{

68
openssh-6.6p1-role-mls.patch
View File

@ -2,7 +2,7 @@ diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
--- openssh-7.4p1/auth2.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2.c 2016-12-23 12:19:58.587459379 +0100
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt;
Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
@ -44,7 +44,7 @@ diff -up openssh-7.4p1/auth2-gss.c.role-mls openssh-7.4p1/auth2-gss.c
--- openssh-7.4p1/auth2-gss.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 12:19:58.586459382 +0100
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Authctxt *authctxt = ssh->authctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
@ -74,34 +74,35 @@ diff -up openssh-7.4p1/auth2-gss.c.role-mls openssh-7.4p1/auth2-gss.c
+ free(micuser);
free(mic.value);
authctxt->postponed = 0;
if ((!use_privsep || mm_is_monitor()) &&
diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.c
--- openssh-7.4p1/auth2-hostbased.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 12:19:58.586459382 +0100
@@ -121,7 +121,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
@@ -121,7 +121,16 @@ userauth_hostbased(Authctxt *authctxt)
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
- (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+ (authctxt->role
+ ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
+ (r = sshbuf_put(b, authctxt->user, strlen(authctxt->user))) != 0 ||
+ (r = sshbuf_put_u8(b, '/') != 0) ||
+ (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
+ : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
+#else
+ (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
(r = sshbuf_put_cstring(b, service)) != 0 ||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
--- openssh-7.4p1/auth2-pubkey.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 12:19:58.587459379 +0100
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
__func__, ssh_err(r));
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
@ -113,9 +114,9 @@ diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
+#else
+ "", "");
+#endif
buffer_put_cstring(&b, userstyle);
free(userstyle);
buffer_put_cstring(&b,
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
(r = sshbuf_put_cstring(b, ssh->compat & SSH_BUG_PKSERVICE ?
diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
--- openssh-7.4p1/auth.h.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth.h 2016-12-23 12:19:43.478510375 +0100
@ -126,9 +127,9 @@ diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
char *info; /* Extra info for next auth_log */
#ifdef BSD_AUTH
/* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c
--- openssh-7.4p1/auth-pam.c.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/auth-pam.c 2016-12-23 12:19:43.477510378 +0100
@ -320,8 +321,8 @@ diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
--- openssh-7.4p1/monitor_wrap.h.role-mls 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 12:19:58.588459376 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int,
const char *);
void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
@ -334,7 +335,7 @@ diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 12:24:06.042643938 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
@ -863,3 +864,16 @@ diff -up openssh-7.4p1/sshd.c.role-mls openssh-7.4p1/sshd.c
#ifdef USE_PAM
if (options.use_pam) {
do_pam_setcred(1);
--- openssh/configure.ac.role-mls 2017-09-27 12:54:52.926425979 +0200
+++ openssh/configure.ac 2017-09-27 12:57:06.854224956 +0200
@@ -4158,10 +4158,7 @@
LIBS="$LIBS -lselinux"
],
AC_MSG_ERROR([SELinux support requires libselinux library]))
- SSHLIBS="$SSHLIBS $LIBSELINUX"
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
- LIBS="$save_LIBS"
fi ]
)
AC_SUBST([SSHLIBS])

2
openssh-6.8p1-memory-problems.patch
View File

@ -21,4 +21,4 @@ diff -up openssh-7.4p1/servconf.c.memory openssh-7.4p1/servconf.c
+ dst->n[dst->num_n] = src->n[dst->num_n]; \
} \
} while(0)
#define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \

10
openssh-7.0p1-gssKexAlgorithms.patch
View File

@ -245,9 +245,9 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
options->gss_strict_acceptor = -1;
options->gss_store_rekey = -1;
+ options->gss_kex_algorithms = NULL;
options->use_kuserok = -1;
options->enable_k5users = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -288,6 +290,10 @@ fill_default_server_options(ServerOption
options->gss_strict_acceptor = 1;
if (options->gss_store_rekey == -1)
@ -256,9 +256,9 @@ diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
+ if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
if (options->use_kuserok == -1)
options->use_kuserok = 1;
if (options->enable_k5users == -1)
@@ -427,7 +431,7 @@ typedef enum {
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,

95
openssh-7.0p1-show-more-fingerprints.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
--- openssh-7.4p1/clientloop.c.fingerprint 2016-12-23 15:38:50.520432387 +0100
+++ openssh-7.4p1/clientloop.c 2016-12-23 15:38:50.564432394 +0100
@@ -2279,7 +2279,7 @@ update_known_hosts(struct hostkeys_updat
diff -up openssh/clientloop.c.fingerprint openssh/clientloop.c
--- openssh/clientloop.c.fingerprint 2017-09-26 15:21:22.582477729 +0200
+++ openssh/clientloop.c 2017-09-26 15:21:22.620477932 +0200
@@ -1854,7 +1854,7 @@ update_known_hosts(struct hostkeys_updat
if (ctx->keys_seen[i] != 2)
continue;
if ((fp = sshkey_fingerprint(ctx->keys[i],
@ -10,7 +10,7 @@ diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Learned new hostkey: %s %s",
sshkey_type(ctx->keys[i]), fp);
@@ -2287,7 +2287,7 @@ update_known_hosts(struct hostkeys_updat
@@ -1862,7 +1862,7 @@ update_known_hosts(struct hostkeys_updat
}
for (i = 0; i < ctx->nold; i++) {
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
@ -19,7 +19,7 @@ diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
sshkey_type(ctx->old_keys[i]), fp);
@@ -2330,7 +2330,7 @@ update_known_hosts(struct hostkeys_updat
@@ -1905,7 +1905,7 @@ update_known_hosts(struct hostkeys_updat
(r = hostfile_replace_entries(options.user_hostfiles[0],
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
options.hash_known_hosts, 0,
@ -28,7 +28,7 @@ diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
error("%s: hostfile_replace_entries failed: %s",
__func__, ssh_err(r));
}
@@ -2443,7 +2443,7 @@ client_input_hostkeys(void)
@@ -2038,7 +2038,7 @@ client_input_hostkeys(void)
error("%s: parse key: %s", __func__, ssh_err(r));
goto out;
}
@ -37,10 +37,10 @@ diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
SSH_FP_DEFAULT);
debug3("%s: received %s key %s", __func__,
sshkey_type(key), fp);
diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
--- openssh-7.4p1/readconf.c.fingerprint 2016-12-23 15:38:50.559432393 +0100
+++ openssh-7.4p1/readconf.c 2016-12-23 15:38:50.565432394 +0100
@@ -1668,16 +1668,18 @@ parse_keytypes:
diff -up openssh/readconf.c.fingerprint openssh/readconf.c
--- openssh/readconf.c.fingerprint 2017-09-26 15:21:22.618477921 +0200
+++ openssh/readconf.c 2017-09-26 15:21:22.621477937 +0200
@@ -1681,16 +1681,18 @@ parse_keytypes:
goto parse_string;
case oFingerprintHash:
@ -69,7 +69,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
break;
case oUpdateHostkeys:
@@ -1905,7 +1907,7 @@ initialize_options(Options * options)
@@ -1917,7 +1919,7 @@ initialize_options(Options * options)
options->canonicalize_fallback_local = -1;
options->canonicalize_hostname = -1;
options->revoked_host_keys = NULL;
@ -78,7 +78,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
options->update_hostkeys = -1;
options->hostbased_key_types = NULL;
options->pubkey_key_types = NULL;
@@ -2102,8 +2104,10 @@ fill_default_options(Options * options)
@@ -2096,8 +2098,10 @@ fill_default_options(Options * options)
options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
@ -91,7 +91,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
@@ -2489,6 +2493,17 @@ dump_cfg_strarray(OpCodes code, u_int co
@@ -2474,6 +2478,17 @@ dump_cfg_strarray(OpCodes code, u_int co
}
static void
@ -109,7 +109,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
{
u_int i;
@@ -2564,7 +2579,6 @@ dump_client_config(Options *o, const cha
@@ -2549,7 +2564,6 @@ dump_client_config(Options *o, const cha
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
@ -117,7 +117,7 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
dump_cfg_fmtint(oForwardX11, o->forward_x11);
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
@@ -2634,6 +2648,7 @@ dump_client_config(Options *o, const cha
@@ -2618,6 +2632,7 @@ dump_client_config(Options *o, const cha
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
@ -125,9 +125,9 @@ diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
/* Special cases */
diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
--- openssh-7.4p1/readconf.h.fingerprint 2016-12-23 15:38:50.559432393 +0100
+++ openssh-7.4p1/readconf.h 2016-12-23 15:38:50.565432394 +0100
diff -up openssh/readconf.h.fingerprint openssh/readconf.h
--- openssh/readconf.h.fingerprint 2017-09-26 15:21:22.618477921 +0200
+++ openssh/readconf.h 2017-09-26 15:21:22.621477937 +0200
@@ -21,6 +21,7 @@
#define MAX_SEND_ENV 256
#define SSH_MAX_HOSTS_FILES 32
@ -136,7 +136,7 @@ diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
struct allowed_cname {
@@ -162,7 +163,8 @@ typedef struct {
@@ -157,7 +158,8 @@ typedef struct {
char *revoked_host_keys;
@ -146,10 +146,10 @@ diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5
--- openssh-7.4p1/ssh_config.5.fingerprint 2016-12-23 15:38:50.565432394 +0100
+++ openssh-7.4p1/ssh_config.5 2016-12-23 15:40:03.754444166 +0100
@@ -652,12 +652,13 @@ or
diff -up openssh/ssh_config.5.fingerprint openssh/ssh_config.5
--- openssh/ssh_config.5.fingerprint 2017-09-26 15:21:22.618477921 +0200
+++ openssh/ssh_config.5 2017-09-26 15:21:22.621477937 +0200
@@ -624,12 +624,13 @@ or
.Cm no
(the default).
.It Cm FingerprintHash
@ -166,10 +166,10 @@ diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
--- openssh-7.4p1/sshconnect2.c.fingerprint 2016-12-23 15:38:50.561432394 +0100
+++ openssh-7.4p1/sshconnect2.c 2016-12-23 15:38:50.566432394 +0100
@@ -677,7 +677,7 @@ input_userauth_pk_ok(int type, u_int32_t
diff -up openssh/sshconnect2.c.fingerprint openssh/sshconnect2.c
--- openssh/sshconnect2.c.fingerprint 2017-09-26 15:21:22.619477926 +0200
+++ openssh/sshconnect2.c 2017-09-26 15:21:50.677628003 +0200
@@ -679,7 +679,7 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype);
goto done;
}
@ -178,7 +178,7 @@ diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
SSH_FP_DEFAULT)) == NULL)
goto done;
debug2("input_userauth_pk_ok: fp %s", fp);
@@ -1172,7 +1172,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
@@ -1198,7 +1198,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
int matched, ret = -1, have_sig = 1;
char *fp;
@ -187,7 +187,16 @@ diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
SSH_FP_DEFAULT)) == NULL)
return 0;
debug3("%s: %s %s", __func__, key_type(id->key), fp);
@@ -1864,7 +1864,7 @@ userauth_hostbased(Authctxt *authctxt)
@@ -1620,7 +1620,7 @@ userauth_pubkey(Authctxt *authctxt)
if (id->key != NULL) {
if (try_identity(id)) {
if ((fp = sshkey_fingerprint(id->key,
- options.fingerprint_hash,
+ options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed",
__func__);
@@ -1914,7 +1914,7 @@ userauth_hostbased(Authctxt *authctxt)
goto out;
}
@ -196,10 +205,10 @@ diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed", __func__);
goto out;
diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
--- openssh-7.4p1/sshconnect.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sshconnect.c 2016-12-23 15:38:50.566432394 +0100
@@ -922,9 +922,9 @@ check_host_key(char *hostname, struct so
diff -up openssh/sshconnect.c.fingerprint openssh/sshconnect.c
--- openssh/sshconnect.c.fingerprint 2017-09-25 01:48:10.000000000 +0200
+++ openssh/sshconnect.c 2017-09-26 15:21:22.622477943 +0200
@@ -861,9 +861,9 @@ check_host_key(char *hostname, struct so
"of known hosts.", type, ip);
} else if (options.visual_host_key) {
fp = sshkey_fingerprint(host_key,
@ -211,7 +220,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
logit("Host key fingerprint is %s\n%s", fp, ra);
@@ -966,12 +966,6 @@ check_host_key(char *hostname, struct so
@@ -907,12 +907,6 @@ check_host_key(char *hostname, struct so
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
@ -224,7 +233,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
msg2[0] = '\0';
if (options.verify_host_key_dns) {
if (matching_host_key_dns)
@@ -985,16 +979,28 @@ check_host_key(char *hostname, struct so
@@ -926,16 +920,28 @@ check_host_key(char *hostname, struct so
}
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
@ -262,7 +271,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
if (!confirm(msg))
goto fail;
hostkey_trusted = 1; /* user explicitly confirmed */
@@ -1244,7 +1250,7 @@ verify_host_key(char *host, struct socka
@@ -1192,7 +1198,7 @@ verify_host_key(char *host, struct socka
struct sshkey *plain = NULL;
if ((fp = sshkey_fingerprint(host_key,
@ -271,7 +280,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
error("%s: fingerprint host key: %s", __func__, ssh_err(r));
r = -1;
goto out;
@@ -1252,7 +1258,7 @@ verify_host_key(char *host, struct socka
@@ -1200,7 +1206,7 @@ verify_host_key(char *host, struct socka
if (sshkey_is_cert(host_key)) {
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
@ -280,7 +289,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
error("%s: fingerprint CA key: %s",
__func__, ssh_err(r));
r = -1;
@@ -1432,9 +1438,9 @@ show_other_keys(struct hostkeys *hostkey
@@ -1369,9 +1375,9 @@ show_other_keys(struct hostkeys *hostkey
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue;
fp = sshkey_fingerprint(found->key,
@ -292,7 +301,7 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
logit("WARNING: %s key found for host %s\n"
@@ -1457,7 +1463,7 @@ warn_changed_key(Key *host_key)
@@ -1394,7 +1400,7 @@ warn_changed_key(struct sshkey *host_key
{
char *fp;
@ -301,9 +310,9 @@ diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
SSH_FP_DEFAULT);
if (fp == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
diff -up openssh-7.4p1/ssh-keysign.c.fingerprint openssh-7.4p1/ssh-keysign.c
--- openssh-7.4p1/ssh-keysign.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-keysign.c 2016-12-23 15:38:50.566432394 +0100
diff -up openssh/ssh-keysign.c.fingerprint openssh/ssh-keysign.c
--- openssh/ssh-keysign.c.fingerprint 2017-09-25 01:48:10.000000000 +0200
+++ openssh/ssh-keysign.c 2017-09-26 15:21:22.622477943 +0200
@@ -285,7 +285,7 @@ main(int argc, char **argv)
}
}

12
openssh-7.1p2-audit-race-condition.patch
View File

@ -92,7 +92,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
+ child_destory_sensitive_data();
+
/* Do processing for the child (exec command etc). */
do_child(s, command);
do_child(ssh, s, command);
/* NOTREACHED */
@@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
/* Close the extra descriptor for the pseudo tty. */
@ -112,7 +112,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
+ fatal("pipe: %s", strerror(errno));
#endif
if (s->ttyfd != -1)
ret = do_exec_pty(s, command);
ret = do_exec_pty(ssh, s, command);
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
*/
buffer_clear(&loginmsg);
@ -134,7 +134,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
return ret;
}
@@ -1538,6 +1565,33 @@ child_close_fds(void)
@@ -1538,6 +1565,34 @@ child_close_fds(void)
endpwent();
}
@ -157,23 +157,25 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
+ * which we can't do using one-way pipe.
+ */
+ packet_destroy_all(0, 1);
+ /* XXX this will clean the rest but should not audit anymore */
+ /* packet_clear_keys(); */
+
+#ifdef SSH_AUDIT_EVENTS
+ /* Notify parent that we are done */
+ close(pparent);
+#endif
+
+}
+
/*
* Performs common processing for the child, such as setting up the
* environment, closing extra file descriptors, setting the user and group
@@ -1554,12 +1608,6 @@ do_child(Session *s, const char *command
@@ -1554,13 +1608,6 @@ do_child(Session *s, const char *command
struct passwd *pw = s->pw;
int r = 0;
- /* remove hostkey from the child's memory */
- destroy_sensitive_data(1);
- packet_clear_keys();
- /* Don't audit this - both us and the parent would be talking to the
- monitor over a single socket, with no synchronization. */
- packet_destroy_all(0, 1);

84
openssh-7.2p1-fips.patch
View File

@ -10,22 +10,29 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
#include <string.h>
#include <stdarg.h>
#include <stdio.h>
@@ -116,6 +118,20 @@ static const struct sshcipher ciphers[]
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
@@ -116,6 +118,27 @@ static const struct sshcipher ciphers[]
{ NULL, 0, 0, 0, 0, 0, NULL }
};
+static const struct sshcipher fips_ciphers[] = {
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+#ifdef WITH_OPENSSL
+ { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
+ { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
+ { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
+ { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
+ { "rijndael-cbc@lysator.liu.se",
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+ 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
+ { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
+#else
+ { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL },
+#endif
+ { "none", 8, 0, 0, 0, CFLAG_NONE, NULL },
+
+ { NULL, 0, 0, 0, 0, 0, NULL }
+};
+
/*--*/
@ -37,7 +44,7 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
- for (c = ciphers; c->name != NULL; c++) {
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2)
if ((c->flags & CFLAG_INTERNAL) != 0)
continue;
if (auth_only && c->auth_len == 0)
@@ -222,7 +238,7 @@ const struct sshcipher *
@ -49,24 +56,6 @@ diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
if (strcmp(c->name, name) == 0)
return c;
return NULL;
@@ -232,7 +248,7 @@ const struct sshcipher *
cipher_by_number(int id)
{
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (c->number == id)
return c;
return NULL;
@@ -273,7 +289,7 @@ cipher_number(const char *name)
const struct sshcipher *c;
if (name == NULL)
return -1;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
diff -up openssh-7.5p1/cipher-ctr.c.fips openssh-7.5p1/cipher-ctr.c
--- openssh-7.5p1/cipher-ctr.c.fips 2017-06-30 12:06:36.386713974 +0200
+++ openssh-7.5p1/cipher-ctr.c 2017-06-30 12:06:36.465713761 +0200
@ -394,7 +383,7 @@ diff -up openssh-7.5p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.fips op
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
+ SSH_FP_HEX);
logit("Found matching %s key: %s",
key_type(found), fp);
sshkey_type(found), fp);
free(fp);
diff -up openssh-7.5p1/readconf.c.fips openssh-7.5p1/readconf.c
--- openssh-7.5p1/readconf.c.fips 2017-06-30 12:06:36.468713753 +0200
@ -492,16 +481,6 @@ diff -up openssh-7.5p1/ssh.c.fips openssh-7.5p1/ssh.c
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
@@ -609,6 +619,9 @@ main(int ac, char **av)
"ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (FIPS_mode()) {
+ fatal("Protocol 1 not allowed in the FIPS mode.");
+ }
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -964,7 +977,6 @@ main(int ac, char **av)
host_arg = xstrdup(host);
@ -521,19 +500,6 @@ diff -up openssh-7.5p1/ssh.c.fips openssh-7.5p1/ssh.c
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
@@ -1263,6 +1279,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
+ if (FIPS_mode()) {
+ options.protocol &= SSH_PROTO_2;
+ if (options.protocol == 0)
+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode.");
+ }
+
/* Open a connection to the remote host. */
if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts,
diff -up openssh-7.5p1/sshconnect2.c.fips openssh-7.5p1/sshconnect2.c
--- openssh-7.5p1/sshconnect2.c.fips 2017-06-30 12:06:36.439713831 +0200
+++ openssh-7.5p1/sshconnect2.c 2017-06-30 12:06:36.469713750 +0200
@ -707,9 +673,9 @@ diff -up openssh-7.5p1/sshkey.c.fips openssh-7.5p1/sshkey.c
#include "crypto_api.h"
@@ -58,6 +59,7 @@
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "match.h"
#include "xmalloc.h"
+#include "log.h"
/* openssh private key file format */
@ -736,6 +702,6 @@ diff -up openssh-7.5p1/ssh-keygen.c.fips openssh-7.5p1/ssh-keygen.c
+ if (type == KEY_ED25519)
+ fatal("ED25519 keys are not allowed in FIPS mode");
+ }
if (type == KEY_DSA && *bitsp != 1024)
fatal("DSA keys must be 1024 bits");
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)
switch (type) {
case KEY_DSA:
if (*bitsp != 1024)

775
openssh-7.2p1-gsskex.patch
View File

File diff suppressed because it is too large Load Diff

517
openssh-7.2p2-expose-pam.patch
View File

@ -1,517 +0,0 @@
diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
--- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100
+++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
{
struct ssh *ssh = active_state; /* XXX */
char *methods;
+ char *prev_auth_details;
int partial = 0;
if (!authctxt->valid && authenticated)
@@ -340,6 +341,18 @@ userauth_finish(Authctxt *authctxt, int
if (authctxt->postponed)
return;
+ if (authenticated || partial) {
+ prev_auth_details = authctxt->auth_details;
+ xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+ prev_auth_details ? prev_auth_details : "",
+ prev_auth_details ? ", " : "", method,
+ authctxt->last_details ? ": " : "",
+ authctxt->last_details ? authctxt->last_details : "");
+ free(prev_auth_details);
+ }
+ free(authctxt->last_details);
+ authctxt->last_details = NULL;
+
#ifdef USE_PAM
if (options.use_pam && authenticated) {
if (!PRIVSEP(do_pam_account())) {
diff -up openssh-7.4p1/auth2-gss.c.expose-pam openssh-7.4p1/auth2-gss.c
--- openssh-7.4p1/auth2-gss.c.expose-pam 2016-12-23 15:40:26.769447868 +0100
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 15:40:26.818447876 +0100
@@ -276,6 +276,9 @@ input_gssapi_exchange_complete(int type,
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
authctxt->pw));
+ if (authenticated)
+ authctxt->last_details = ssh_gssapi_get_displayname();
+
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
@@ -322,6 +325,9 @@ input_gssapi_mic(int type, u_int32_t ple
else
logit("GSSAPI MIC check failed");
+ if (authenticated)
+ authctxt->last_details = ssh_gssapi_get_displayname();
+
buffer_free(&b);
if (micuser != authctxt->user)
free(micuser);
diff -up openssh-7.4p1/auth2-hostbased.c.expose-pam openssh-7.4p1/auth2-hostbased.c
--- openssh-7.4p1/auth2-hostbased.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 15:40:26.818447876 +0100
@@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt)
{
Buffer b;
Key *key = NULL;
- char *pkalg, *cuser, *chost, *service;
+ char *pkalg, *cuser, *chost, *service, *pubkey;
u_char *pkblob, *sig;
u_int alen, blen, slen;
int pktype;
@@ -140,15 +140,21 @@ userauth_hostbased(Authctxt *authctxt)
buffer_dump(&b);
#endif
- pubkey_auth_info(authctxt, key,
- "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt,
+ "%s, client user \"%.100s\", client host \"%.100s\"",
+ pubkey, cuser, chost);
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b))) == 1)
+ buffer_len(&b))) == 1) {
authenticated = 1;
+ authctxt->last_details = pubkey;
+ } else {
+ free(pubkey);
+ }
buffer_free(&b);
done:
diff -up openssh-7.4p1/auth2-pubkey.c.expose-pam openssh-7.4p1/auth2-pubkey.c
--- openssh-7.4p1/auth2-pubkey.c.expose-pam 2016-12-23 15:40:26.746447864 +0100
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 15:40:26.819447876 +0100
@@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt)
{
Buffer b;
Key *key = NULL;
- char *pkalg, *userstyle, *fp = NULL;
+ char *pkalg, *userstyle, *pubkey, *fp = NULL;
u_char *pkblob, *sig;
u_int alen, blen, slen;
int have_sig, pktype;
@@ -177,7 +177,8 @@ userauth_pubkey(Authctxt *authctxt)
#ifdef DEBUG_PK
buffer_dump(&b);
#endif
- pubkey_auth_info(authctxt, key, NULL);
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt, "%s", pubkey);
/* test for correct signature */
authenticated = 0;
@@ -185,9 +186,12 @@ userauth_pubkey(Authctxt *authctxt)
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
buffer_len(&b))) == 1) {
authenticated = 1;
+ authctxt->last_details = pubkey;
/* Record the successful key to prevent reuse */
auth2_record_userkey(authctxt, key);
key = NULL; /* Don't free below */
+ } else {
+ free(pubkey);
}
buffer_free(&b);
free(sig);
@@ -228,7 +232,7 @@ done:
void
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
{
- char *fp, *extra;
+ char *extra, *pubkey;
va_list ap;
int i;
@@ -238,27 +242,13 @@ pubkey_auth_info(Authctxt *authctxt, con
i = vasprintf(&extra, fmt, ap);
va_end(ap);
if (i < 0 || extra == NULL)
- fatal("%s: vasprintf failed", __func__);
+ fatal("%s: vasprintf failed", __func__);
}
- if (key_is_cert(key)) {
- fp = sshkey_fingerprint(key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
- auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
- key_type(key), key->cert->key_id,
- (unsigned long long)key->cert->serial,
- key_type(key->cert->signature_key),
- fp == NULL ? "(null)" : fp,
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
- } else {
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
- SSH_FP_DEFAULT);
- auth_info(authctxt, "%s %s%s%s", key_type(key),
- fp == NULL ? "(null)" : fp,
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
- }
+ pubkey = sshkey_format_oneline(key, options.fingerprint_hash);
+ auth_info(authctxt, "%s%s%s", pubkey, extra == NULL ? "" : ", ",
+ extra == NULL ? "" : extra);
+ free(pubkey);
free(extra);
}
diff -up openssh-7.4p1/auth.h.expose-pam openssh-7.4p1/auth.h
--- openssh-7.4p1/auth.h.expose-pam 2016-12-23 15:40:26.782447870 +0100
+++ openssh-7.4p1/auth.h 2016-12-23 15:40:26.819447876 +0100
@@ -84,6 +84,9 @@ struct Authctxt {
struct sshkey **prev_userkeys;
u_int nprev_userkeys;
+
+ char *last_details;
+ char *auth_details;
};
/*
* Every authentication method has to handle authentication requests for
diff -up openssh-7.4p1/auth-pam.c.expose-pam openssh-7.4p1/auth-pam.c
--- openssh-7.4p1/auth-pam.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
+++ openssh-7.4p1/auth-pam.c 2016-12-23 15:40:26.819447876 +0100
@@ -688,6 +688,11 @@ sshpam_init_ctx(Authctxt *authctxt)
return (NULL);
}
+ /* Notify PAM about any already successful auth methods */
+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMONLY &&
+ authctxt->auth_details)
+ do_pam_putenv("SSH_USER_AUTH", authctxt->auth_details);
+
ctxt = xcalloc(1, sizeof *ctxt);
/* Start the authentication thread */
diff -up openssh-7.4p1/gss-serv.c.expose-pam openssh-7.4p1/gss-serv.c
--- openssh-7.4p1/gss-serv.c.expose-pam 2016-12-23 15:40:26.808447874 +0100
+++ openssh-7.4p1/gss-serv.c 2016-12-23 15:40:26.819447876 +0100
@@ -441,6 +441,16 @@ ssh_gssapi_do_child(char ***envp, u_int
}
/* Privileged */
+char*
+ssh_gssapi_get_displayname(void)
+{
+ if (gssapi_client.displayname.length != 0 &&
+ gssapi_client.displayname.value != NULL)
+ return strdup((char *)gssapi_client.displayname.value);
+ return NULL;
+}
+
+/* Privileged */
int
ssh_gssapi_userok(char *user, struct passwd *pw)
{
diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100
@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
struct ssh *ssh = active_state; /* XXX */
struct mon_table *ent;
int authenticated = 0, partial = 0;
+ char *prev_auth_details;
debug3("preauth child monitor started");
@@ -330,6 +331,18 @@ monitor_child_preauth(Authctxt *_authctx
auth_submethod = NULL;
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
+ if (authenticated) {
+ prev_auth_details = authctxt->auth_details;
+ xasprintf(&authctxt->auth_details, "%s%s%s%s%s",
+ prev_auth_details ? prev_auth_details : "",
+ prev_auth_details ? ", " : "", auth_method,
+ authctxt->last_details ? ": " : "",
+ authctxt->last_details ? authctxt->last_details : "");
+ free(prev_auth_details);
+ }
+ free(authctxt->last_details);
+ authctxt->last_details = NULL;
+
/* Special handling for multiple required authentications */
if (options.num_auth_methods != 0) {
if (authenticated &&
@@ -1417,6 +1430,10 @@ mm_answer_keyverify(int sock, Buffer *m)
debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified");
+ if (verified == 1)
+ authctxt->last_details = sshkey_format_oneline(key,
+ options.fingerprint_hash);
+
/* If auth was successful then record key to ensure it isn't reused */
if (verified == 1 && key_blobtype == MM_USERKEY)
auth2_record_userkey(authctxt, key);
@@ -1860,6 +1877,9 @@ mm_answer_gss_userok(int sock, Buffer *m
auth_method = "gssapi-with-mic";
+ if (authenticated)
+ authctxt->last_details = ssh_gssapi_get_displayname();
+
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
diff -up openssh-7.4p1/servconf.c.expose-pam openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:44:04.691482920 +0100
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
options->disable_forwarding = -1;
options->use_kuserok = -1;
options->enable_k5users = -1;
+ options->expose_auth_methods = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -354,6 +355,8 @@ fill_default_server_options(ServerOption
options->use_kuserok = 1;
if (options->enable_k5users == -1)
options->enable_k5users = 0;
+ if (options->expose_auth_methods == -1)
+ options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
assemble_algorithms(options);
@@ -439,6 +442,7 @@ typedef enum {
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
+ sExposeAuthenticationMethods,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -595,6 +599,7 @@ static struct {
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+ { "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -984,6 +989,12 @@ static const struct multistate multistat
{ "local", FORWARD_LOCAL },
{ NULL, -1 }
};
+static const struct multistate multistate_exposeauthmeth[] = {
+ { "never", EXPOSE_AUTHMETH_NEVER },
+ { "pam-only", EXPOSE_AUTHMETH_PAMONLY },
+ { "pam-and-env", EXPOSE_AUTHMETH_PAMENV },
+ { NULL, -1}
+};
int
process_server_config_line(ServerOptions *options, char *line,
@@ -1902,6 +1913,11 @@ process_server_config_line(ServerOptions
options->fingerprint_hash = value;
break;
+ case sExposeAuthenticationMethods:
+ intptr = &options->expose_auth_methods;
+ multistate_ptr = multistate_exposeauthmeth;
+ goto parse_multistate;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
@@ -2060,6 +2076,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(enable_k5users);
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
+ M_CP_INTOPT(expose_auth_methods);
/*
* The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -2176,6 +2193,8 @@ fmt_intarg(ServerOpCodes code, int val)
return fmt_multistate_int(val, multistate_tcpfwd);
case sFingerprintHash:
return ssh_digest_alg_name(val);
+ case sExposeAuthenticationMethods:
+ return fmt_multistate_int(val, multistate_exposeauthmeth);
default:
switch (val) {
case 0:
@@ -2356,6 +2375,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
+ dump_cfg_fmtint(sExposeAuthenticationMethods, o->expose_auth_methods);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-7.4p1/servconf.h.expose-pam openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:40:26.821447876 +0100
@@ -48,6 +48,11 @@
#define FORWARD_LOCAL (1<<1)
#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
+/* Expose AuthenticationMethods */
+#define EXPOSE_AUTHMETH_NEVER 0
+#define EXPOSE_AUTHMETH_PAMONLY 1
+#define EXPOSE_AUTHMETH_PAMENV 2
+
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
@@ -195,6 +200,8 @@ typedef struct {
char *auth_methods[MAX_AUTH_METHODS];
int fingerprint_hash;
+
+ int expose_auth_methods; /* EXPOSE_AUTHMETH_* above */
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff -up openssh-7.4p1/session.c.expose-pam openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
+++ openssh-7.4p1/session.c 2016-12-23 15:40:26.821447876 +0100
@@ -997,6 +997,12 @@ copy_environment(char **source, char ***
}
*var_val++ = '\0';
+ if (options.expose_auth_methods < EXPOSE_AUTHMETH_PAMENV &&
+ strcmp(var_name, "SSH_USER_AUTH") == 0) {
+ free(var_name);
+ continue;
+ }
+
debug3("Copy environment: %s=%s", var_name, var_val);
child_set_env(env, envsize, var_name, var_val);
@@ -1173,6 +1179,11 @@ do_setup_env(Session *s, const char *she
}
#endif /* USE_PAM */
+ if (options.expose_auth_methods >= EXPOSE_AUTHMETH_PAMENV &&
+ s->authctxt->auth_details)
+ child_set_env(&env, &envsize, "SSH_USER_AUTH",
+ s->authctxt->auth_details);
+
if (auth_sock_name != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_sock_name);
@@ -2561,6 +2572,9 @@ do_cleanup(Authctxt *authctxt)
if (authctxt == NULL)
return;
+ free(authctxt->auth_details);
+ authctxt->auth_details = NULL;
+
#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
diff -up openssh-7.4p1/ssh.1.expose-pam openssh-7.4p1/ssh.1
--- openssh-7.4p1/ssh.1.expose-pam 2016-12-23 15:40:26.810447875 +0100
+++ openssh-7.4p1/ssh.1 2016-12-23 15:40:26.822447877 +0100
@@ -1421,6 +1421,10 @@ server IP address, and server port numbe
This variable contains the original command line if a forced command
is executed.
It can be used to extract the original arguments.
+.It Ev SSH_USER_AUTH
+This variable contains, for SSH2 only, a comma-separated list of authentication
+methods that were successfuly used to authenticate. When possible, these
+methods are extended with detailed information on the credential used.
.It Ev SSH_TTY
This is set to the name of the tty (path to the device) associated
with the current shell or command.
diff -up openssh-7.4p1/sshd_config.5.expose-pam openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.expose-pam 2016-12-23 15:40:26.822447877 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:45:22.411495421 +0100
@@ -570,6 +570,21 @@ Disables all forwarding features, includ
TCP and StreamLocal.
This option overrides all other forwarding-related options and may
simplify restricted configurations.
+.It Cm ExposeAuthenticationMethods
+When using SSH2, this option controls the exposure of the list of
+successful authentication methods to PAM during the authentication
+and to the shell environment via the
+.Cm SSH_USER_AUTH
+variable. See the description of this variable for more details.
+Valid options are:
+.Cm never
+(Do not expose successful authentication methods),
+.Cm pam-only
+(Only expose them to PAM during authentication, not afterwards),
+.Cm pam-and-env
+(Expose them to PAM and keep them in the shell environment).
+The default is
+.Cm never .
.It Cm FingerprintHash
Specifies the hash algorithm used when logging key fingerprints.
Valid options are:
diff -up openssh-7.4p1/ssh-gss.h.expose-pam openssh-7.4p1/ssh-gss.h
--- openssh-7.4p1/ssh-gss.h.expose-pam 2016-12-23 15:40:26.811447875 +0100
+++ openssh-7.4p1/ssh-gss.h 2016-12-23 15:40:26.823447877 +0100
@@ -159,6 +159,7 @@ int ssh_gssapi_server_check_mech(Gssctxt
const char *);
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
int ssh_gssapi_userok(char *name, struct passwd *);
+char* ssh_gssapi_get_displayname(void);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
diff -up openssh-7.4p1/sshkey.c.expose-pam openssh-7.4p1/sshkey.c
--- openssh-7.4p1/sshkey.c.expose-pam 2016-12-23 15:40:26.777447869 +0100
+++ openssh-7.4p1/sshkey.c 2016-12-23 15:40:26.823447877 +0100
@@ -57,6 +57,7 @@
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "match.h"
+#include "xmalloc.h"
/* openssh private key file format */
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
@@ -1191,6 +1192,30 @@ sshkey_fingerprint(const struct sshkey *
return retval;
}
+char *
+sshkey_format_oneline(const struct sshkey *key, int dgst_alg)
+{
+ char *fp, *result;
+
+ if (sshkey_is_cert(key)) {
+ fp = sshkey_fingerprint(key->cert->signature_key, dgst_alg,
+ SSH_FP_DEFAULT);
+ xasprintf(&result, "%s ID %s (serial %llu) CA %s %s",
+ sshkey_type(key), key->cert->key_id,
+ (unsigned long long)key->cert->serial,
+ sshkey_type(key->cert->signature_key),
+ fp == NULL ? "(null)" : fp);
+ free(fp);
+ } else {
+ fp = sshkey_fingerprint(key, dgst_alg, SSH_FP_DEFAULT);
+ xasprintf(&result, "%s %s", sshkey_type(key),
+ fp == NULL ? "(null)" : fp);
+ free(fp);
+ }
+
+ return result;
+}
+
#ifdef WITH_SSH1
/*
* Reads a multiple-precision integer in decimal from the buffer, and advances
diff -up openssh-7.4p1/sshkey.h.expose-pam openssh-7.4p1/sshkey.h
--- openssh-7.4p1/sshkey.h.expose-pam 2016-12-23 15:40:26.777447869 +0100
+++ openssh-7.4p1/sshkey.h 2016-12-23 15:40:26.823447877 +0100
@@ -124,6 +124,7 @@ char *sshkey_fingerprint(const struct s
int, enum sshkey_fp_rep);
int sshkey_fingerprint_raw(const struct sshkey *k,
int, u_char **retp, size_t *lenp);
+char *sshkey_format_oneline(const struct sshkey *k, int dgst_alg);
const char *sshkey_type(const struct sshkey *);
const char *sshkey_cert_type(const struct sshkey *);
int sshkey_write(const struct sshkey *, FILE *);

1513
openssh-7.3p1-openssl-1.1.0.patch
View File

File diff suppressed because it is too large Load Diff

41
openssh-7.3p1-x11-max-displays.patch
View File

@ -2,26 +2,25 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
#define FWD_PERMIT_ANY_HOST "*"
/* -- X11 forwarding */
-/* Maximum number of fake X11 displays to try. */
-#define MAX_DISPLAYS 1000
+/* Minimum port number for X11 forwarding */
+#define X11_PORT_MIN 6000
/* Saved X11 local (client) display. */
static char *x11_saved_display = NULL;
@@ -4228,7 +4228,8 @@ channel_send_window_changes(void)
/*
* Data structure for storing which hosts are permitted for forward requests.
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
*/
int
x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
- int single_connection, u_int *display_numberp, int **chanids)
+ int x11_max_displays, int single_connection, u_int *display_numberp,
+ int **chanids)
x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
- int x11_use_localhost, int single_connection,
+ int x11_use_localhost, int x11_max_displays, int single_connection,
u_int *display_numberp, int **chanids)
{
Channel *nc = NULL;
int display_number, sock;
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
if (chanids == NULL)
return -1;
@ -38,7 +37,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
+ if (port < X11_PORT_MIN) /* overflow */
+ break;
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
if (num_socks > 0)
@ -51,7 +50,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
}
@@ -4441,7 +4447,7 @@ x11_connect_display(void)
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_socktype = SOCK_STREAM;
- snprintf(strport, sizeof strport, "%u", 6000 + display_number);
+ snprintf(strport, sizeof strport, "%u", X11_PORT_MIN + display_number);
@ -71,8 +70,8 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
}
freeaddrinfo(aitop);
if (!ai) {
- error("connect %.100s port %u: %.100s", buf, 6000 + display_number,
- strerror(errno));
- error("connect %.100s port %u: %.100s", buf,
- 6000 + display_number, strerror(errno));
+ error("connect %.100s port %u: %.100s", buf,
+ X11_PORT_MIN + display_number, strerror(errno));
return -1;
@ -83,13 +82,13 @@ diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
void channel_set_x11_refuse_time(u_int);
int x11_connect_display(void);
-int x11_create_display_inet(int, int, int, u_int *, int **);
+int x11_create_display_inet(int, int, int, int, u_int *, int **);
int x11_input_open(int, u_int32_t, void *);
void x11_request_forwarding_with_spoofing(int, const char *, const char *,
const char *, int);
void channel_set_x11_refuse_time(struct ssh *, u_int);
int x11_connect_display(struct ssh *);
-int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
+int x11_create_display_inet(struct ssh *, int, int, int, int, u_int *, int **);
void x11_request_forwarding_with_spoofing(struct ssh *, int,
const char *, const char *, const char *, int);
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100
@ -179,7 +178,7 @@ diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
return 0;
}
if (x11_create_display_inet(options.x11_display_offset,
if (x11_create_display_inet(ssh, options.x11_display_offset,
- options.x11_use_localhost, s->single_connection,
- &s->display_number, &s->x11_chanids) == -1) {
+ options.x11_use_localhost, options.x11_max_displays,

6
openssh-7.5p1-gss-environment.patch
View File

@ -62,8 +62,8 @@ index 954a0dd..0819483 100644
char *krb5_ccname;
+ int krb5_set_env;
#endif
Buffer *loginmsg;
void *methoddata;
struct sshbuf *loginmsg;
@@ -220,7 +221,7 @@ int sys_auth_passwd(Authctxt *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
@ -240,9 +240,9 @@ index 6f2b0ac..73ef2c2 100644
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);
int ssh_gssapi_oid_table_ok();
diff --git a/sshd.c b/sshd.c
index ce2e374..3c4e13e 100644
--- a/sshd.c

25
openssh-7.5p1-sandbox.patch
View File

@ -1,28 +1,3 @@
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 3a1aedce72c2..a8d472a63ccb 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -50,6 +50,9 @@
#include <elf.h>
#include <asm/unistd.h>
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif
#include <errno.h>
#include <signal.h>
@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = {
* x86-64 syscall under some circumstances, e.g.
* https://bugs.debian.org/849923
*/
- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT);
+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
#endif
/* Default deny */
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the

605
openssh-7.2p1-audit.patch → openssh-7.6p1-audit.patch
View File

File diff suppressed because it is too large Load Diff

253
openssh-7.6p1-cleanup-selinux.patch Normal file
View File

@ -0,0 +1,253 @@
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.refactor 2017-09-27 13:10:19.556830609 +0200
+++ openssh/auth2-pubkey.c 2017-09-27 13:10:19.677831274 +0200
@@ -72,6 +72,9 @@
extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
+extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt;
static int
userauth_pubkey(struct ssh *ssh)
@@ -432,7 +435,8 @@ match_principals_command(struct passwd *
if ((pid = subprocess("AuthorizedPrincipalsCommand", pw, command,
ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out;
uid_swapped = 1;
@@ -762,7 +766,8 @@ user_key_command_allowed2(struct passwd
if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out;
uid_swapped = 1;
diff -up openssh/misc.c.refactor openssh/misc.c
--- openssh/misc.c.refactor 2017-09-27 13:10:19.640831071 +0200
+++ openssh/misc.c 2017-09-27 13:10:19.678831279 +0200
@@ -1435,7 +1435,8 @@ argv_assemble(int argc, char **argv)
*/
pid_t
subprocess(const char *tag, struct passwd *pw, const char *command,
- int ac, char **av, FILE **child, u_int flags)
+ int ac, char **av, FILE **child, u_int flags, int inetd,
+ void *the_authctxt)
{
FILE *f = NULL;
struct stat st;
@@ -1551,7 +1552,7 @@ subprocess(const char *tag, struct passw
}
#ifdef WITH_SELINUX
- if (sshd_selinux_setup_env_variables() < 0) {
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
error ("failed to copy environment: %s",
strerror(errno));
_exit(127);
diff -up openssh/misc.h.refactor openssh/misc.h
--- openssh/misc.h.refactor 2017-09-25 01:48:10.000000000 +0200
+++ openssh/misc.h 2017-09-27 13:10:19.678831279 +0200
@@ -144,7 +144,7 @@ int exited_cleanly(pid_t, const char *,
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
pid_t subprocess(const char *, struct passwd *,
- const char *, int, char **, FILE **, u_int flags);
+ const char *, int, char **, FILE **, u_int flags, int, void *);
struct stat;
int safe_path(const char *, struct stat *, const char *, uid_t,
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.refactor 2017-09-27 13:10:19.634831038 +0200
+++ openssh/openbsd-compat/port-linux.h 2017-09-27 13:10:54.954025248 +0200
@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
-void sshd_selinux_setup_exec_context(char *);
-int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
+int sshd_selinux_setup_env_variables(int inetd, void *);
void sshd_selinux_change_privsep_preauth_context(void);
#endif
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2017-09-27 13:10:19.634831038 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2017-09-27 13:12:06.811420371 +0200
@@ -48,11 +48,6 @@
#include <unistd.h>
#endif
-extern ServerOptions options;
-extern Authctxt *the_authctxt;
-extern int inetd_flag;
-extern int rexeced_flag;
-
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
sshd_selinux_enabled(void)
@@ -222,7 +217,8 @@ get_user_context(const char *sename, con
}
static void
-ssh_selinux_get_role_level(char **role, const char **level)
+ssh_selinux_get_role_level(char **role, const char **level,
+ Authctxt *the_authctxt)
{
*role = NULL;
*level = NULL;
@@ -240,8 +236,8 @@ ssh_selinux_get_role_level(char **role,
/* Return the default security context for the given username */
static int
-sshd_selinux_getctxbyname(char *pwname,
- security_context_t *default_sc, security_context_t *user_sc)
+sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
+ security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
{
char *sename, *lvl;
char *role;
@@ -249,7 +245,7 @@ sshd_selinux_getctxbyname(char *pwname,
int r = 0;
context_t con = NULL;
- ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
#ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -271,7 +267,7 @@ sshd_selinux_getctxbyname(char *pwname,
if (r == 0) {
/* If launched from xinetd, we must use current level */
- if (inetd_flag && !rexeced_flag) {
+ if (inetd) {
security_context_t sshdsc=NULL;
if (getcon_raw(&sshdsc) < 0)
@@ -332,7 +328,8 @@ sshd_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */
static int
-sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
+ Authctxt *the_authctxt)
{
const char *reqlvl;
char *role;
@@ -341,11 +338,11 @@ sshd_selinux_setup_variables(int(*set_it
debug3("%s: setting execution context", __func__);
- ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
- if (inetd_flag && !rexeced_flag) {
+ if (inetd) {
use_current = "1";
} else {
use_current = "";
@@ -361,9 +358,10 @@ sshd_selinux_setup_variables(int(*set_it
}
static int
-sshd_selinux_setup_pam_variables(void)
+sshd_selinux_setup_pam_variables(int inetd,
+ int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
{
- return sshd_selinux_setup_variables(do_pam_putenv);
+ return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
}
static int
@@ -373,25 +371,28 @@ do_setenv(char *name, const char *value)
}
int
-sshd_selinux_setup_env_variables(void)
+sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
{
- return sshd_selinux_setup_variables(do_setenv);
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
+ return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
}
/* Set the execution context to the default for the specified user */
void
-sshd_selinux_setup_exec_context(char *pwname)
+sshd_selinux_setup_exec_context(char *pwname, int inetd,
+ int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
{
security_context_t user_ctx = NULL;
int r = 0;
security_context_t default_ctx = NULL;
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
if (!sshd_selinux_enabled())
return;
- if (options.use_pam) {
+ if (use_pam) {
/* do not compute context, just setup environment for pam_selinux */
- if (sshd_selinux_setup_pam_variables()) {
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
switch (security_getenforce()) {
case -1:
fatal("%s: security_getenforce() failed", __func__);
@@ -409,7 +410,7 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: setting execution context", __func__);
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
if (r >= 0) {
r = setexeccon(user_ctx);
if (r < 0) {
diff -up openssh/platform.c.refactor openssh/platform.c
--- openssh/platform.c.refactor 2017-09-27 13:10:19.574830708 +0200
+++ openssh/platform.c 2017-09-27 13:11:45.475303050 +0200
@@ -33,6 +33,9 @@
extern int use_privsep;
extern ServerOptions options;
+extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt;
void
platform_pre_listen(void)
@@ -184,7 +187,9 @@ platform_setusercontext_post_groups(stru
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(pw->pw_name);
+ sshd_selinux_setup_exec_context(pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
}
diff -up openssh/sshd.c.refactor openssh/sshd.c
--- openssh/sshd.c.refactor 2017-09-27 13:10:19.674831257 +0200
+++ openssh/sshd.c 2017-09-27 13:12:01.635391909 +0200
@@ -2135,7 +2135,9 @@ main(int ac, char **av)
}
#endif
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
#ifdef USE_PAM
if (options.use_pam) {

21
openssh.spec
View File

@ -65,10 +65,10 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 7.5p1
%global openssh_rel 6
%global openssh_ver 7.6p1
%global openssh_rel 1
%global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 2
%global pam_ssh_agent_rel 3
Summary: An open source implementation of SSH protocol version 2
Name: openssh
@ -107,7 +107,7 @@ Patch104: openssh-7.3p1-openssl-1.1.0.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
# record pfs= field in CRYPTO_SESSION audit event
Patch200: openssh-7.2p1-audit.patch
Patch200: openssh-7.6p1-audit.patch
# Audit race condition in forked child (#1310684)
Patch201: openssh-7.1p2-audit-race-condition.patch
@ -223,15 +223,14 @@ Patch932: openssh-7.0p1-gssKexAlgorithms.patch
Patch933: openssh-7.0p1-show-more-fingerprints.patch
# make s390 use /dev/ crypto devices -- ignore closefrom
Patch939: openssh-7.2p2-s390-closefrom.patch
# expose more information to PAM
# https://github.com/openssh/openssh-portable/pull/47
Patch940: openssh-7.2p2-expose-pam.patch
# Move MAX_DISPLAYS to a configuration option (#1341302)
Patch944: openssh-7.3p1-x11-max-displays.patch
# Help systemd to track the running service
Patch948: openssh-7.4p1-systemd.patch
# Fix typo in sandbox code; missing header for s390
Patch949: openssh-7.5p1-sandbox.patch
# Pass inetd flags for SELinux down to openbsd compat level
Patch949: openssh-7.6p1-cleanup-selinux.patch
# Sandbox adjustments for s390 and audit
Patch950: openssh-7.5p1-sandbox.patch
License: BSD
@ -451,11 +450,11 @@ popd
%patch932 -p1 -b .gsskexalg
%patch933 -p1 -b .fingerprint
%patch939 -p1 -b .s390-dev
%patch940 -p1 -b .expose-pam
%patch944 -p1 -b .x11max
%patch948 -p1 -b .systemd
%patch949 -p1 -b .sandbox
%patch807 -p1 -b .gsskex-ec
%patch949 -p1 -b .refactor
%patch950 -p1 -b .sandbox
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race

90
pam_ssh_agent_auth-0.9.3-agent_structure.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent 2014-03-31 19:35:16.000000000 +0200
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h 2016-01-22 15:47:15.999919059 +0100
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/identity.h
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2017-09-27 14:25:49.421739027 +0200
@@ -38,6 +38,12 @@
typedef struct identity Identity;
typedef struct idlist Idlist;
@ -14,9 +14,9 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent openssh-7
struct identity {
TAILQ_ENTRY(identity) next;
AuthenticationConnection *ac; /* set if agent supports key */
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent 2016-01-22 15:47:15.998919060 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:53:38.427768239 +0100
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
@@ -39,6 +39,7 @@
#include "buffer.h"
#include "key.h"
@ -25,7 +25,7 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-a
#include <stdio.h>
#include <openssl/evp.h>
#include "ssh2.h"
@@ -285,36 +286,44 @@ pamsshagentauth_find_authorized_keys(con
@@ -291,36 +292,43 @@ pamsshagentauth_find_authorized_keys(con
{
Buffer session_id2 = { 0 };
Identity *id;
@ -44,8 +44,7 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-a
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
+ if ((r = ssh_fetch_identitylist(ac->fd, 2,
+ &idlist)) != 0) {
+ if ((r = ssh_fetch_identitylist(ac->fd, &idlist)) != 0) {
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
+ fprintf(stderr, "error fetching identities for "
+ "protocol %d: %s\n", 2, ssh_err(r));
@ -79,10 +78,60 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-a
}
else {
verbose("No ssh-agent could be contacted");
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent 2016-01-22 15:47:15.995919061 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c 2016-01-22 16:06:20.611464261 +0100
@@ -55,10 +55,11 @@ extern uint8_t session_id_len;
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent 2017-09-27 14:26:04.277820716 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-09-27 14:26:34.426986497 +0200
@@ -70,7 +70,7 @@ pamsshagentauth_check_authkeys_file(FILE
char *fp;
found_key = 0;
- found = key_new(key->type);
+ found = sshkey_new(key->type);
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
char *cp = NULL; /* *key_options = NULL; */
@@ -80,7 +80,7 @@ pamsshagentauth_check_authkeys_file(FILE
if(!*cp || *cp == '\n' || *cp == '#')
continue;
- if(key_read(found, &cp) != 1) {
+ if(sshkey_read(found, &cp) != 0) {
/* no key? check if there are options for this key */
int quoted = 0;
@@ -94,24 +94,24 @@ pamsshagentauth_check_authkeys_file(FILE
}
/* Skip remaining whitespace. */
for(; *cp == ' ' || *cp == '\t'; cp++);
- if(key_read(found, &cp) != 1) {
+ if(sshkey_read(found, &cp) != 0) {
verbose("user_key_allowed: advance: '%s'", cp);
/* still no key? advance to next line */
continue;
}
}
- if(key_equal(found, key)) {
+ if(sshkey_equal(found, key)) {
found_key = 1;
logit("matching key found: file/command %s, line %lu", file,
linenum);
fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
logit("Found matching %s key: %s",
- key_type(found), fp);
+ sshkey_type(found), fp);
free(fp);
break;
}
}
- key_free(found);
+ sshkey_free(found);
if(!found_key)
verbose("key not found");
return found_key;
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
@@ -57,10 +57,11 @@ extern uint8_t session_id_len;
int
userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
{
@ -96,25 +145,12 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-
int authenticated = 0;
pkalg = (char *) key_ssh_name(id->key);
@@ -82,7 +83,7 @@ userauth_pubkey_from_id(const char *ruse
@@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen);
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
goto user_auth_clean_exit;
/* test for correct signature */
diff --git a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
--- a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
+++ b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
@@ -85,7 +85,7 @@ userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen);
- if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
goto user_auth_clean_exit;
/* test for correct signature */