From 5daee12df322764127da93bbe047a59f4da9394b Mon Sep 17 00:00:00 2001 From: Jan F Date: Fri, 5 Nov 2010 17:31:30 +0100 Subject: [PATCH] - add auditing the host based key ussage - repait X11 abstract layer socket (#648896) --- openssh-5.5p1-x11.patch | 26 ++++--- openssh-5.6p1-audit2.patch | 151 +++++++++++++++++++++++++------------ openssh-5.6p1-audit3.patch | 62 +++++++-------- openssh.spec | 10 ++- 4 files changed, 156 insertions(+), 93 deletions(-) diff --git a/openssh-5.5p1-x11.patch b/openssh-5.5p1-x11.patch index bcf0ced..cac5d5e 100644 --- a/openssh-5.5p1-x11.patch +++ b/openssh-5.5p1-x11.patch @@ -1,7 +1,7 @@ -diff -up openssh-5.5p1/channels.c.x11 openssh-5.5p1/channels.c ---- openssh-5.5p1/channels.c.x11 2010-06-30 15:22:45.000000000 +0200 -+++ openssh-5.5p1/channels.c 2010-06-30 15:27:42.000000000 +0200 -@@ -3332,7 +3332,7 @@ x11_create_display_inet(int x11_display_ +diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c +--- openssh-5.3p1/channels.c.bz595935 2010-08-12 14:19:28.000000000 +0200 ++++ openssh-5.3p1/channels.c 2010-08-12 14:33:51.000000000 +0200 +@@ -3185,7 +3185,7 @@ x11_create_display_inet(int x11_display_ } static int 
@@ -10,20 +10,25 @@ diff -up openssh-5.5p1/channels.c.x11 openssh-5.5p1/channels.c { int sock; struct sockaddr_un addr; -@@ -3342,7 +3342,11 @@ connect_local_xsocket_path(const char *p +@@ -3195,11 +3195,14 @@ connect_local_xsocket_path(const char *p error("socket: %.100s", strerror(errno)); memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); +- if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) + if (len <= 0) + return -1; + if (len > sizeof addr.sun_path) + len = sizeof addr.sun_path; -+ memcpy(addr.sun_path, pathname , len); - if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) ++ memcpy(addr.sun_path, pathname, len); ++ if (connect(sock, (struct sockaddr *)&addr, sizeof addr - (sizeof addr.sun_path - len) ) == 0) return sock; close(sock); -@@ -3354,8 +3358,18 @@ static int +- error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); + return -1; + } + +@@ -3207,8 +3210,21 @@ static int connect_local_xsocket(u_int dnr) { char buf[1024]; @@ -40,7 +45,10 @@ diff -up openssh-5.5p1/channels.c.x11 openssh-5.5p1/channels.c + if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0) + return ret; +#endif -+ return connect_local_xsocket_path(buf + 1, len); ++ if ((ret = connect_local_xsocket_path(buf + 1, len)) >= 0) ++ return ret; ++ error("connect %.100s: %.100s", buf + 1, strerror(errno)); ++ return -1; } int diff --git a/openssh-5.6p1-audit2.patch b/openssh-5.6p1-audit2.patch index e93dd8b..8b683cc 100644 --- a/openssh-5.6p1-audit2.patch +++ b/openssh-5.6p1-audit2.patch @@ -1,12 +1,12 @@ diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c ---- openssh-5.6p1/audit-bsm.c.audit2 2010-11-02 21:04:27.000000000 +0100 -+++ openssh-5.6p1/audit-bsm.c 2010-11-02 21:04:28.000000000 +0100 +--- openssh-5.6p1/audit-bsm.c.audit2 2010-11-05 15:41:17.000000000 +0100 ++++ openssh-5.6p1/audit-bsm.c 2010-11-05 15:45:28.000000000 +0100 
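Review bot: The early `return -1` that `connect_local_xsocket_path` now takes for `len <= 0` comes after socket() has already succeeded, so it leaks the descriptor, and the later failure path does `close(sock); return -1;` while the caller in `connect_local_xsocket` (the `@@ -40,7 +45,10 @@` hunk) formats `strerror(errno)` afterwards, which close() is allowed to clobber — the old code reported the error before closing. The same hunk silently clamps an over-long name (`len = sizeof addr.sun_path`) and connects to the truncated socket name, which for a UNIX socket means connecting to a different path than the one requested; refusing the name is safer, and both callers pass names bounded by `buf`, so nothing legitimate is rejected. The type of `len` is declared outside the hunk; the `len <= 0` guard only does what it looks like if it is signed. Moving the validation ahead of socket() and preserving errno across close() addresses all three:
```c
	int sock, saved_errno;
	struct sockaddr_un addr;

	/* Validate before socket() so an early return cannot leak a descriptor;
	 * refuse an over-long name rather than connecting to a truncated one. */
	if (len <= 0 || len > sizeof addr.sun_path)
		return -1;
	/* … unchanged: socket(), error(), memset(), sun_family … */
	memcpy(addr.sun_path, pathname, len);
	if (connect(sock, (struct sockaddr *)&addr, sizeof addr - (sizeof addr.sun_path - len)) == 0)
		return sock;
	saved_errno = errno;	/* close() may clobber the errno the caller reports */
	close(sock);
	errno = saved_errno;
	return -1;
```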
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li /* not implemented */ } +int -+audit_keyusage(const char *type, unsigned len, char *fp, int rv) ++audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv) +{ + /* not implemented */ +} @@ -15,9 +15,43 @@ diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c audit_event(ssh_audit_event_t event) { diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c ---- openssh-5.6p1/audit.c.audit2 2010-11-02 21:04:27.000000000 +0100 -+++ openssh-5.6p1/audit.c 2010-11-02 21:04:28.000000000 +0100 -@@ -182,5 +182,17 @@ audit_run_command(const char *command) +--- openssh-5.6p1/audit.c.audit2 2010-11-05 15:41:17.000000000 +0100 ++++ openssh-5.6p1/audit.c 2010-11-05 15:51:37.000000000 +0100 +@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev) + return(event_lookup[i].name); + } + ++int ++audit_key(int type, int *rv, const Key *key) ++{ ++ char *fp; ++ unsigned size = 0; ++ const char *crypto_name[] = { ++ "ssh-rsa1", ++ "ssh-rsa", ++ "ssh-dsa", ++ "unknown" }; ++ ++ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ switch(key->type) { ++ case KEY_RSA1: ++ case KEY_RSA: ++ size = RSA_size(key->rsa); ++ break; ++ case KEY_DSA: ++ size = DSA_size(key->dsa); ++ break; ++ } ++ ++ if (audit_keyusage(0, crypto_name[key->type], size, fp, *rv) == 0) ++ *rv = 0; ++ xfree(fp); ++} ++ + # ifndef CUSTOM_SSH_AUDIT_EVENTS + /* + * Null implementations of audit functions. +@@ -182,5 +209,17 @@ audit_run_command(const char *command) debug("audit run command euid %d user %s command '%.200s'", geteuid(), audit_username(), command); } 
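Review bot: The new `audit_key` in audit.c never uses its `type` parameter and calls `audit_keyusage(0, …)`, so every record produced through it — including the one from `hostkey_key_verify` in the auth2-hostbased.c hunk (`@@ -94,10 +137,32 @@`) — is labelled "pubkey", and the call sites are inconsistent with `audit_keyusage`'s `host_user ? "hostbased" : "pubkey"` convention: that hunk passes `audit_key(1, …)` for pubkey and `audit_key(0, …)` for hostbased, and the auth-rsa.c hunk (`@@ -175,7 +226,7 @@`) passes `audit_keyusage(1, "ssh-rsa1", …)` for the SSH1 user RSA check, so the audit trail would misattribute the authentication method. `crypto_name[key->type]` also indexes a four-entry table without a bound and the switch has no default; 5.6 already has certificate key types (and KEY_UNSPEC) with values past the table, so verifying a certificate key reads a garbage pointer that then reaches `%s` inside the privileged monitor (and the "ssh-dsa" entry does not match the ssh-dss wire name). The function is declared `int` in audit.h but falls off the end without returning. Pass `type` through, bound the lookup (or use `key_ssh_name(key)`, which already knows the certificate types), and return a value — or declare it void here and in audit.h:
```c
int
audit_key(int type, int *rv, const Key *key)
{
	char *fp;
	unsigned size = 0;
	const char *name = "unknown";
	/* … unchanged: crypto_name table … */

	/* Bound the lookup: key->type also takes certificate values not listed in the table. */
	if (key->type >= 0 && (size_t)key->type < sizeof crypto_name / sizeof crypto_name[0])
		name = crypto_name[key->type];
	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
	/* … unchanged: size switch … */
	/* Forward the caller's hostbased/pubkey flag instead of a constant 0. */
	if (audit_keyusage(type, name, size, fp, *rv) == 0)
		*rv = 0;
	xfree(fp);
	return *rv;
}
```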
@@ -28,26 +62,35 @@ diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c + * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key. + */ +int -+audit_keyusage(const char *type, unsigned len, char *fp, int rv) ++audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv) +{ -+ debug("audit key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", geteuid(), -+ audit_username(), type, len, fp, rv); ++ debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", ++ host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv); +} # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h ---- openssh-5.6p1/audit.h.audit2 2010-11-02 21:04:27.000000000 +0100 -+++ openssh-5.6p1/audit.h 2010-11-02 21:04:28.000000000 +0100 -@@ -53,5 +53,6 @@ void audit_session_open(struct logininfo +--- openssh-5.6p1/audit.h.audit2 2010-11-05 15:41:17.000000000 +0100 ++++ openssh-5.6p1/audit.h 2010-11-05 15:41:18.000000000 +0100 +@@ -28,6 +28,7 @@ + # define _SSH_AUDIT_H + + #include "loginrec.h" ++#include "key.h" + + enum ssh_audit_event_type { + SSH_LOGIN_EXCEED_MAXTRIES, +@@ -53,5 +54,7 @@ void audit_session_open(struct logininfo void audit_session_close(struct logininfo *); void audit_run_command(const char *); ssh_audit_event_t audit_classify_auth(const char *); -+int audit_keyusage(const char *, unsigned, char *, int); ++int audit_keyusage(int, const char *, unsigned, char *, int); ++int audit_key(int, int *, const Key *); #endif /* _SSH_AUDIT_H */ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c ---- openssh-5.6p1/audit-linux.c.audit2 2010-11-02 21:04:27.000000000 +0100 -+++ openssh-5.6p1/audit-linux.c 2010-11-02 21:04:28.000000000 +0100 +--- openssh-5.6p1/audit-linux.c.audit2 2010-11-05 15:41:17.000000000 +0100 ++++ openssh-5.6p1/audit-linux.c 
2010-11-05 15:41:18.000000000 +0100 @@ -37,6 +37,8 @@ #include "audit.h" #include "canohost.h" @@ -62,7 +105,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c } +int -+audit_keyusage(const char *type, unsigned len, char *fp, int rv) ++audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv) +{ + char buf[AUDIT_LOG_SIZE]; + int audit_fd, rc, saved_errno; @@ -75,12 +118,12 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c + else + return 0; /* Must prevent login */ + } -+ snprintf(buf, sizeof(buf), "pubkey_auth rport=%d", get_remote_port()); ++ snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "hostbased" : "pubkey", get_remote_port()); + rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, + buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv); + if (rc < 0) + goto out; -+ snprintf(buf, sizeof(buf), "pubkey_auth algo=%s size=%d fp=%s rport=%d", ++ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d", + type, 8 * len, fp, get_remote_port()); + rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, + buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv); 
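Review bot: The null `audit_keyusage` in audit.c (start of the `@@ -28,26 +62,35 @@` hunk) is declared `int` but has no return statement, and `audit_key` now treats a 0 result as "must prevent login" (`*rv = 0`), so in a build with SSH_AUDIT_EVENTS but without CUSTOM_SSH_AUDIT_EVENTS the authentication outcome depends on an indeterminate value — undefined behaviour that can either veto a valid key or hide an audit failure. Add a non-zero return after the debug(), e.g. `return 1;`, matching the convention that only 0 signals an audit failure. Separately, `key length %d` here and `size=%d` in the audit-linux.c hunk (`@@ -75,12 +118,12 @@`) format the `unsigned len` with `%d`; `%u` is the matching specifier.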
@@ -94,10 +137,32 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c /* Below is the sshd audit API code */ void +diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c +--- openssh-5.6p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200 ++++ openssh-5.6p1/auth2-hostbased.c 2010-11-05 15:41:18.000000000 +0100 +@@ -136,6 +136,18 @@ done: + return authenticated; + } + ++int ++hostkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen) ++{ ++ int rv; ++ ++ rv = key_verify(key, sig, slen, data, datalen); ++#ifdef SSH_AUDIT_EVENTS ++ audit_key(0, &rv, key); ++#endif ++ return rv; ++} ++ + /* return 1 if given hostkey is allowed */ + int + hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c --- openssh-5.6p1/auth2-pubkey.c.audit2 2010-07-02 05:35:19.000000000 +0200 -+++ openssh-5.6p1/auth2-pubkey.c 2010-11-02 21:04:28.000000000 +0100 -@@ -177,6 +177,40 @@ done: ++++ openssh-5.6p1/auth2-pubkey.c 2010-11-05 15:41:18.000000000 +0100 +@@ -177,6 +177,18 @@ done: return authenticated; } @@ -105,32 +170,10 @@ diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c +pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen) +{ + int rv; -+#ifdef SSH_AUDIT_EVENTS -+ char *fp; -+ unsigned size = 0; -+ const char *crypto_name[] = { -+ "ssh-rsa1", -+ "ssh-rsa", -+ "ssh-dsa", -+ "unknown" }; -+#endif + + rv = key_verify(key, sig, slen, data, datalen); +#ifdef SSH_AUDIT_EVENTS -+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ switch(key->type) { -+ case KEY_RSA1: -+ case KEY_RSA: -+ size = RSA_size(key->rsa); -+ break; -+ case KEY_DSA: -+ size = DSA_size(key->dsa); -+ break; -+ } -+ -+ if (audit_keyusage(crypto_name[key->type], size, fp, rv) == 0) -+ rv = 0; -+ xfree(fp); ++ audit_key(1, &rv, key); +#endif + return rv; +} 
@@ -139,19 +182,27 @@ diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c match_principals_option(const char *principal_list, struct KeyCert *cert) { diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h ---- openssh-5.6p1/auth.h.audit2 2010-11-02 21:06:05.000000000 +0100 -+++ openssh-5.6p1/auth.h 2010-11-02 21:07:32.000000000 +0100 +--- openssh-5.6p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200 ++++ openssh-5.6p1/auth.h 2010-11-05 15:41:18.000000000 +0100 @@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); char *authorized_principals_file(struct passwd *); -+int pubkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); ++int pubkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); +@@ -185,6 +186,7 @@ Key *get_hostkey_public_by_type(int); + Key *get_hostkey_private_by_type(int); + int get_hostkey_index(Key *); + int ssh1_session_key(BIGNUM *); ++int hostkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); + + /* debug messages during authentication */ + void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c --- openssh-5.6p1/auth-rsa.c.audit2 2010-07-16 05:58:37.000000000 +0200 -+++ openssh-5.6p1/auth-rsa.c 2010-11-02 21:04:28.000000000 +0100 ++++ openssh-5.6p1/auth-rsa.c 2010-11-05 15:41:18.000000000 +0100 @@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU { u_char buf[32], mdbuf[16]; 
@@ -175,7 +226,7 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c + +#ifdef SSH_AUDIT_EVENTS + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ if (audit_keyusage("ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) { ++ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) { + debug("unsuccessful audit"); + rv = 0; } @@ -190,7 +241,7 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c /* diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c --- openssh-5.6p1/monitor.c.audit2 2010-08-03 07:50:16.000000000 +0200 -+++ openssh-5.6p1/monitor.c 2010-11-02 21:04:28.000000000 +0100 ++++ openssh-5.6p1/monitor.c 2010-11-05 15:41:18.000000000 +0100 @@ -1235,7 +1235,19 @@ mm_answer_keyverify(int sock, Buffer *m) if (!valid_data) fatal("%s: bad signature data blob", __func__); @@ -201,7 +252,7 @@ diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c + verified = pubkey_key_verify(key, signature, signaturelen, data, datalen); + break; + case MM_HOSTKEY: -+ verified = key_verify(key, signature, signaturelen, data, datalen); ++ verified = hostkey_key_verify(key, signature, signaturelen, data, datalen); + valid_data = monitor_valid_hostbasedblob(data, datalen, + hostbased_cuser, hostbased_chost); + break; diff --git a/openssh-5.6p1-audit3.patch b/openssh-5.6p1-audit3.patch index 1f4cd35..61b5efb 100644 --- a/openssh-5.6p1-audit3.patch +++ b/openssh-5.6p1-audit3.patch @@ -1,6 +1,6 @@ diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c ---- openssh-5.6p1/audit-bsm.c.audit3 2010-11-03 08:59:55.000000000 +0100 -+++ openssh-5.6p1/audit-bsm.c 2010-11-03 08:59:56.000000000 +0100 +--- openssh-5.6p1/audit-bsm.c.audit3 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/audit-bsm.c 2010-11-05 15:54:35.000000000 +0100 @@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event) debug("%s: unhandled event %d", __func__, event); } 
@@ -19,8 +19,8 @@ diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c +} #endif /* BSM */ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c ---- openssh-5.6p1/audit.c.audit3 2010-11-03 08:59:56.000000000 +0100 -+++ openssh-5.6p1/audit.c 2010-11-03 08:59:56.000000000 +0100 +--- openssh-5.6p1/audit.c.audit3 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/audit.c 2010-11-05 15:56:19.000000000 +0100 @@ -36,6 +36,8 @@ #include "key.h" #include "hostfile.h" @@ -30,8 +30,8 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c /* * Care must be taken when using this since it WILL NOT be initialized when -@@ -111,6 +113,18 @@ audit_event_lookup(ssh_audit_event_t ev) - return(event_lookup[i].name); +@@ -138,6 +140,18 @@ audit_key(int type, int *rv, const Key * + xfree(fp); } +void @@ -49,9 +49,9 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c # ifndef CUSTOM_SSH_AUDIT_EVENTS /* * Null implementations of audit functions. -@@ -194,5 +208,24 @@ audit_keyusage(const char *type, unsigne - debug("audit key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", geteuid(), - audit_username(), type, len, fp, rv); +@@ -221,5 +235,24 @@ audit_keyusage(int host_user, const char + debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", + host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv); } + +/* @@ -61,7 +61,7 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c +audit_unsupported_body(int what) +{ + debug("audit unsupported protocol ieuid %d type %d", geteuid(), what); -+} ++ + +/* + * This will be called on succesfull protocol negotiation. 
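Review bot: The `@@ -61,7 +61,7 @@` hunk of audit3.patch replaces the `+}` that closes the null `audit_unsupported_body` in audit.c with an empty added line, so after this change the stub has no closing brace and audit.c no longer compiles when SSH_AUDIT_EVENTS is set without CUSTOM_SSH_AUDIT_EVENTS — unless the collapsed rendering of this page dropped the brace, which is worth checking against the actual file. The removed line should stay as `+}`. The rest of that function is outside the hunk.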
@@ -75,12 +75,12 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h ---- openssh-5.6p1/audit.h.audit3 2010-11-03 08:59:56.000000000 +0100 -+++ openssh-5.6p1/audit.h 2010-11-03 08:59:56.000000000 +0100 -@@ -54,5 +54,9 @@ void audit_session_close(struct logininf - void audit_run_command(const char *); +--- openssh-5.6p1/audit.h.audit3 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/audit.h 2010-11-05 15:54:35.000000000 +0100 +@@ -56,5 +56,9 @@ void audit_run_command(const char *); ssh_audit_event_t audit_classify_auth(const char *); - int audit_keyusage(const char *, unsigned, char *, int); + int audit_keyusage(int, const char *, unsigned, char *, int); + int audit_key(int, int *, const Key *); +void audit_unsupported(int); +void audit_kex(int, char *, char *, char *); +void audit_unsupported_body(int); @@ -88,8 +88,8 @@ diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h #endif /* _SSH_AUDIT_H */ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c ---- openssh-5.6p1/audit-linux.c.audit3 2010-11-03 08:59:56.000000000 +0100 -+++ openssh-5.6p1/audit-linux.c 2010-11-03 09:01:56.000000000 +0100 +--- openssh-5.6p1/audit-linux.c.audit3 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/audit-linux.c 2010-11-05 15:54:35.000000000 +0100 @@ -36,6 +36,8 @@ #include "log.h" #include "audit.h" @@ -99,7 +99,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c #define AUDIT_LOG_SIZE 128 -@@ -149,4 +150,53 @@ audit_event(ssh_audit_event_t event) +@@ -149,4 +151,53 @@ audit_event(ssh_audit_event_t event) } } 
@@ -154,8 +154,8 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c + #endif /* USE_LINUX_AUDIT */ diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c ---- openssh-5.6p1/auditstub.c.audit3 2010-11-03 08:59:56.000000000 +0100 -+++ openssh-5.6p1/auditstub.c 2010-11-03 08:59:56.000000000 +0100 +--- openssh-5.6p1/auditstub.c.audit3 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/auditstub.c 2010-11-05 15:54:35.000000000 +0100 @@ -0,0 +1,39 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + @@ -198,7 +198,7 @@ diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c + diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c --- openssh-5.6p1/cipher.c.audit3 2010-09-03 14:54:23.000000000 +0200 -+++ openssh-5.6p1/cipher.c 2010-11-03 08:59:56.000000000 +0100 ++++ openssh-5.6p1/cipher.c 2010-11-05 15:54:35.000000000 +0100 @@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX extern const EVP_CIPHER *evp_aes_128_ctr(void); extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); @@ -218,7 +218,7 @@ diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h --- openssh-5.6p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100 -+++ openssh-5.6p1/cipher.h 2010-11-03 08:59:56.000000000 +0100 ++++ openssh-5.6p1/cipher.h 2010-11-05 15:54:35.000000000 +0100 @@ -61,7 +61,16 @@ typedef struct Cipher Cipher; typedef struct CipherContext CipherContext; @@ -239,7 +239,7 @@ diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h EVP_CIPHER_CTX evp; diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c --- openssh-5.6p1/kex.c.audit3 2010-01-08 06:50:41.000000000 +0100 -+++ openssh-5.6p1/kex.c 2010-11-03 08:59:56.000000000 +0100 ++++ openssh-5.6p1/kex.c 2010-11-05 15:54:35.000000000 +0100 @@ -49,6 +49,7 @@ #include "dispatch.h" #include "monitor.h" 
@@ -303,8 +303,8 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in ---- openssh-5.6p1/Makefile.in.audit3 2010-11-03 08:59:55.000000000 +0100 -+++ openssh-5.6p1/Makefile.in 2010-11-03 08:59:56.000000000 +0100 +--- openssh-5.6p1/Makefile.in.audit3 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/Makefile.in 2010-11-05 15:54:35.000000000 +0100 @@ -74,7 +74,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ @@ -315,8 +315,8 @@ diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c ---- openssh-5.6p1/monitor.c.audit3 2010-11-03 08:59:56.000000000 +0100 -+++ openssh-5.6p1/monitor.c 2010-11-03 08:59:56.000000000 +0100 +--- openssh-5.6p1/monitor.c.audit3 2010-11-05 15:54:35.000000000 +0100 ++++ openssh-5.6p1/monitor.c 2010-11-05 15:54:35.000000000 +0100 @@ -89,6 +89,7 @@ #include "ssh2.h" #include "jpake.h" @@ -395,7 +395,7 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c +#endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h --- openssh-5.6p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100 -+++ openssh-5.6p1/monitor.h 2010-11-03 08:59:56.000000000 +0100 ++++ openssh-5.6p1/monitor.h 2010-11-05 15:54:35.000000000 +0100 @@ -66,6 +66,8 @@ enum monitor_reqtype { MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2, MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM, 
@@ -407,7 +407,7 @@ diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h struct mm_master; diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c --- openssh-5.6p1/monitor_wrap.c.audit3 2010-03-07 13:05:17.000000000 +0100 -+++ openssh-5.6p1/monitor_wrap.c 2010-11-03 08:59:56.000000000 +0100 ++++ openssh-5.6p1/monitor_wrap.c 2010-11-05 15:54:35.000000000 +0100 @@ -1411,3 +1411,38 @@ mm_jpake_check_confirm(const BIGNUM *k, return success; } @@ -449,7 +449,7 @@ diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c +#endif /* SSH_AUDIT_EVENTS */ diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h --- openssh-5.6p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100 -+++ openssh-5.6p1/monitor_wrap.h 2010-11-03 08:59:56.000000000 +0100 ++++ openssh-5.6p1/monitor_wrap.h 2010-11-05 15:54:35.000000000 +0100 @@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *); #include "audit.h" void mm_audit_event(ssh_audit_event_t); @@ -461,7 +461,7 @@ diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h struct Session; diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c --- openssh-5.6p1/sshd.c.audit3 2010-04-16 07:56:22.000000000 +0200 -+++ openssh-5.6p1/sshd.c 2010-11-03 08:59:56.000000000 +0100 ++++ openssh-5.6p1/sshd.c 2010-11-05 15:54:35.000000000 +0100 @@ -118,6 +118,7 @@ #endif #include "monitor_wrap.h" diff --git a/openssh.spec b/openssh.spec index 44a6bcb..815ca54 100644 --- a/openssh.spec +++ b/openssh.spec @@ -71,7 +71,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 5.6p1 -%define openssh_rel 15 +%define openssh_rel 16 %define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_rel 27 
@@ -99,7 +99,7 @@ Patch1: openssh-5.6p1-audit.patch Patch2: openssh-5.6p1-audit2.patch Patch3: openssh-5.6p1-audit3.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 -Patch4: openssh-5.2p1-vendor.patch +Patch5: openssh-5.2p1-vendor.patch Patch10: pam_ssh_agent_auth-0.9-build.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Patch12: openssh-5.4p1-selinux.patch @@ -272,7 +272,7 @@ The module is most useful for su and sudo service stacks. %patch1 -p1 -b .audit %patch2 -p1 -b .audit2 %patch3 -p1 -b .audit3 -%patch4 -p1 -b .vendor +%patch5 -p1 -b .vendor %if %{pam_ssh_agent} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} @@ -589,6 +589,10 @@ fi %endif %changelog +* Fri Nov 5 2010 Jan F. Chadima - 5.6p1-16 + 0.9.2-27 +- add auditing the host based key ussage +- repait X11 abstract layer socket (#648896) + * Wed Nov 3 2010 Jan F. Chadima - 5.6p1-15 + 0.9.2-27 - add auditing the kex result