diff --git a/openssh.spec b/openssh.spec index dda9063..8fa1699 100644 --- a/openssh.spec +++ b/openssh.spec @@ -118,6 +118,9 @@ Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch # use SSH_DIGEST_* for fingerprint hashes Patch304: pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch +# update to current version of agent structure +Patch305: pam_ssh_agent_auth-0.9.3-agent_structure.patch + #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) Patch400: openssh-6.6p1-role-mls.patch #https://bugzilla.redhat.com/show_bug.cgi?id=781634 @@ -382,6 +385,7 @@ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} %patch302 -p1 -b .psaa-visibility %patch303 -p1 -b .psaa-xfree %patch304 -p2 -b .psaa-fingerprint +%patch305 -p2 -b .psaa-agent # Remove duplicate headers rm -f $(cat %{SOURCE5}) popd diff --git a/pam_ssh_agent-rmheaders b/pam_ssh_agent-rmheaders index a0c1872..03ab05a 100644 --- a/pam_ssh_agent-rmheaders +++ b/pam_ssh_agent-rmheaders @@ -1,3 +1,4 @@ +authfd.h atomicio.h buffer.h cipher.h diff --git a/pam_ssh_agent_auth-0.9.3-agent_structure.patch b/pam_ssh_agent_auth-0.9.3-agent_structure.patch new file mode 100644 index 0000000..67ab394 --- /dev/null +++ b/pam_ssh_agent_auth-0.9.3-agent_structure.patch @@ -0,0 +1,90 @@ +diff --git a/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c b/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c +index 9555e7e..c17aae6 100644 +--- a/iterate_ssh_agent_keys.c 2015-05-27 14:09:13.591407306 +0200 ++++ b/iterate_ssh_agent_keys.c 2015-05-27 14:10:33.216267826 +0200 +@@ -37,6 +37,7 @@ + #include "buffer.h" + #include "key.h" + #include "authfd.h" ++#include "ssherr.h" + #include "ssh.h" + #include + #include +@@ -177,22 +177,28 @@ int + find_authorized_keys(uid_t uid) + { + Identity *id; +- Key *key; + AuthenticationConnection *ac; +- char *comment; + uint8_t retval = 0; ++ struct ssh_identitylist *idlist; ++ int r, i; + + OpenSSL_add_all_digests(); + session_id2 = session_id2_gen(); + + if ((ac = ssh_get_authentication_connection_for_uid(uid))) { + verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid); +- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) ++ if ((r = ssh_fetch_identitylist(ac->fd, 2, ++ &idlist)) != 0) { ++ if (r != SSH_ERR_AGENT_NO_IDENTITIES) ++ fprintf(stderr, "error fetching identities for " ++ "protocol %d: %s\n", 2, ssh_err(r)); ++ } ++ for (i = 0; i < idlist->nkeys; i++) + { +- if(key != NULL) { ++ if(idlist->keys[i] != NULL) { + id = xcalloc(1, sizeof(*id)); +- id->key = key; +- id->filename = comment; ++ id->key = idlist->keys[i]; ++ id->filename = idlist->comments[i]; + id->ac = ac; + if(userauth_pubkey_from_id(id)) { + retval = 1; +@@ -204,7 +211,10 @@ find_authorized_keys(uid_t uid) + break; + } + } ++ ssh_free_identitylist(idlist); ++ ssh_close_authentication_socket(ac->fd); ++ buffer_free(&ac->identities); ++ free(ac); +- ssh_close_authentication_connection(ac); + } + else { + verbose("No ssh-agent could be contacted"); +diff --git a/pam_ssh_agent_auth-0.9.3/identity.h b/pam_ssh_agent_auth-0.9.3/identity.h +index eb21320..c00da34 100644 +--- a/pam_ssh_agent_auth-0.9.3/identity.h ++++ b/pam_ssh_agent_auth-0.9.3/identity.h +@@ -14,6 +14,12 @@ + typedef struct identity Identity; + typedef struct idlist Idlist; + ++typedef struct { ++ int fd; ++ Buffer identities; ++ int howmany; ++} AuthenticationConnection; ++ + struct identity { + TAILQ_ENTRY(identity) next; + AuthenticationConnection *ac; /* set if agent supports key */ +diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c +index 323817a..93b928f 100644 +--- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c ++++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c +@@ -81,7 +81,7 @@ userauth_pubkey_from_id(Identity * id) + buffer_put_cstring(&b, pkalg); + buffer_put_string(&b, pkblob, blen); + +- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0) ++ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 1) != 0) + goto user_auth_clean_exit; + + /* test for correct signature */ +