rebase to openssh-6.0p1

6.0p1-1 + 0.9.3-2
Petr Lautrbach 2012-08-06 21:32:10 +02:00
parent 90e11f338c
commit 65ba94ef1a
9 changed files with 1936 additions and 996 deletions

1
.gitignore vendored

@ -6,3 +6,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-5.8p2-noacss.tar.bz2
/openssh-5.9p1-noacss.tar.bz2
/pam_ssh_agent_auth-0.9.3.tar.bz2
/openssh-6.0p1-noacss.tar.bz2


@ -1,7 +1,7 @@
diff -up openssh-5.9p0/audit-bsm.c.audit1 openssh-5.9p0/audit-bsm.c
--- openssh-5.9p0/audit-bsm.c.audit1 2011-01-17 11:15:29.000000000 +0100
+++ openssh-5.9p0/audit-bsm.c 2011-08-30 10:46:57.704148875 +0200
@@ -298,10 +298,23 @@ audit_connection_from(const char *host,
diff -up openssh-6.0p1/audit-bsm.c.audit1 openssh-6.0p1/audit-bsm.c
--- openssh-6.0p1/audit-bsm.c.audit1 2012-02-24 00:40:43.000000000 +0100
+++ openssh-6.0p1/audit-bsm.c 2012-08-06 20:33:24.416382804 +0200
@@ -375,10 +375,23 @@ audit_connection_from(const char *host,
#endif
}
@ -26,9 +26,78 @@ diff -up openssh-5.9p0/audit-bsm.c.audit1 openssh-5.9p0/audit-bsm.c
}
void
diff -up openssh-5.9p0/audit-linux.c.audit1 openssh-5.9p0/audit-linux.c
--- openssh-5.9p0/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.9p0/audit-linux.c 2011-08-30 10:46:58.059024733 +0200
diff -up openssh-6.0p1/audit.c.audit1 openssh-6.0p1/audit.c
--- openssh-6.0p1/audit.c.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-6.0p1/audit.c 2012-08-06 20:33:24.417382801 +0200
@@ -140,6 +140,17 @@ audit_event(ssh_audit_event_t event)
}
/*
+ * Called when a child process has called, or will soon call,
+ * audit_session_open.
+ */
+void
+audit_count_session_open(void)
+{
+ debug("audit count session open euid %d user %s", geteuid(),
+ audit_username());
+}
+
+/*
* Called when a user session is started. Argument is the tty allocated to
* the session, or NULL if no tty was allocated.
*
@@ -174,13 +185,29 @@ audit_session_close(struct logininfo *li
/*
* This will be called when a user runs a non-interactive command. Note that
* it may be called multiple times for a single connection since SSH2 allows
- * multiple sessions within a single connection.
+ * multiple sessions within a single connection. Returns a "handle" for
+ * audit_end_command.
*/
-void
+int
audit_run_command(const char *command)
{
debug("audit run command euid %d user %s command '%.200s'", geteuid(),
audit_username(), command);
+ return 0;
+}
+
+/*
+ * This will be called when the non-interactive command finishes. Note that
+ * it may be called multiple times for a single connection since SSH2 allows
+ * multiple sessions within a single connection. "handle" should come from
+ * the corresponding audit_run_command.
+ */
+void
+audit_end_command(int handle, const char *command)
+{
+ debug("audit end nopty exec euid %d user %s command '%.200s'", geteuid(),
+ audit_username(), command);
}
+
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.0p1/audit.h.audit1 openssh-6.0p1/audit.h
--- openssh-6.0p1/audit.h.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-6.0p1/audit.h 2012-08-06 20:33:24.417382801 +0200
@@ -49,9 +49,11 @@ typedef enum ssh_audit_event_type ssh_au
void audit_connection_from(const char *, int);
void audit_event(ssh_audit_event_t);
+void audit_count_session_open(void);
void audit_session_open(struct logininfo *);
void audit_session_close(struct logininfo *);
-void audit_run_command(const char *);
+int audit_run_command(const char *);
+void audit_end_command(int, const char *);
ssh_audit_event_t audit_classify_auth(const char *);
#endif /* _SSH_AUDIT_H */
diff -up openssh-6.0p1/audit-linux.c.audit1 openssh-6.0p1/audit-linux.c
--- openssh-6.0p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-6.0p1/audit-linux.c 2012-08-06 20:33:24.416382804 +0200
@@ -35,13 +35,20 @@
#include "log.h"
@ -244,78 +313,9 @@ diff -up openssh-5.9p0/audit-linux.c.audit1 openssh-5.9p0/audit-linux.c
break;
default:
diff -up openssh-5.9p0/audit.c.audit1 openssh-5.9p0/audit.c
--- openssh-5.9p0/audit.c.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.9p0/audit.c 2011-08-30 10:46:57.822025769 +0200
@@ -140,6 +140,17 @@ audit_event(ssh_audit_event_t event)
}
/*
+ * Called when a child process has called, or will soon call,
+ * audit_session_open.
+ */
+void
+audit_count_session_open(void)
+{
+ debug("audit count session open euid %d user %s", geteuid(),
+ audit_username());
+}
+
+/*
* Called when a user session is started. Argument is the tty allocated to
* the session, or NULL if no tty was allocated.
*
@@ -174,13 +185,29 @@ audit_session_close(struct logininfo *li
/*
* This will be called when a user runs a non-interactive command. Note that
* it may be called multiple times for a single connection since SSH2 allows
- * multiple sessions within a single connection.
+ * multiple sessions within a single connection. Returns a "handle" for
+ * audit_end_command.
*/
-void
+int
audit_run_command(const char *command)
{
debug("audit run command euid %d user %s command '%.200s'", geteuid(),
audit_username(), command);
+ return 0;
+}
+
+/*
+ * This will be called when the non-interactive command finishes. Note that
+ * it may be called multiple times for a single connection since SSH2 allows
+ * multiple sessions within a single connection. "handle" should come from
+ * the corresponding audit_run_command.
+ */
+void
+audit_end_command(int handle, const char *command)
+{
+ debug("audit end nopty exec euid %d user %s command '%.200s'", geteuid(),
+ audit_username(), command);
}
+
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p0/audit.h.audit1 openssh-5.9p0/audit.h
--- openssh-5.9p0/audit.h.audit1 2011-01-17 11:15:30.000000000 +0100
+++ openssh-5.9p0/audit.h 2011-08-30 10:46:57.952035525 +0200
@@ -49,9 +49,11 @@ typedef enum ssh_audit_event_type ssh_au
void audit_connection_from(const char *, int);
void audit_event(ssh_audit_event_t);
+void audit_count_session_open(void);
void audit_session_open(struct logininfo *);
void audit_session_close(struct logininfo *);
-void audit_run_command(const char *);
+int audit_run_command(const char *);
+void audit_end_command(int, const char *);
ssh_audit_event_t audit_classify_auth(const char *);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.9p0/monitor.c.audit1 openssh-5.9p0/monitor.c
--- openssh-5.9p0/monitor.c.audit1 2011-08-05 22:15:18.000000000 +0200
+++ openssh-5.9p0/monitor.c 2011-08-30 10:50:47.074038891 +0200
diff -up openssh-6.0p1/monitor.c.audit1 openssh-6.0p1/monitor.c
--- openssh-6.0p1/monitor.c.audit1 2012-08-06 20:33:24.410382828 +0200
+++ openssh-6.0p1/monitor.c 2012-08-06 20:33:24.418382797 +0200
@@ -185,6 +185,7 @@ int mm_answer_gss_checkmic(int, Buffer *
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *);
@ -324,7 +324,7 @@ diff -up openssh-5.9p0/monitor.c.audit1 openssh-5.9p0/monitor.c
#endif
static int monitor_read_log(struct monitor *);
@@ -271,6 +272,7 @@ struct mon_table mon_dispatch_postauth20
@@ -272,6 +273,7 @@ struct mon_table mon_dispatch_postauth20
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@ -332,7 +332,7 @@ diff -up openssh-5.9p0/monitor.c.audit1 openssh-5.9p0/monitor.c
#endif
{0, 0, NULL}
};
@@ -313,6 +315,7 @@ struct mon_table mon_dispatch_postauth15
@@ -314,6 +316,7 @@ struct mon_table mon_dispatch_postauth15
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
@ -340,7 +340,7 @@ diff -up openssh-5.9p0/monitor.c.audit1 openssh-5.9p0/monitor.c
#endif
{0, 0, NULL}
};
@@ -1398,6 +1401,12 @@ mm_session_close(Session *s)
@@ -1427,6 +1430,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s);
}
@ -353,7 +353,7 @@ diff -up openssh-5.9p0/monitor.c.audit1 openssh-5.9p0/monitor.c
session_unused(s->self);
}
@@ -1720,11 +1729,44 @@ mm_answer_audit_command(int socket, Buff
@@ -1751,11 +1760,44 @@ mm_answer_audit_command(int socket, Buff
{
u_int len;
char *cmd;
@ -399,9 +399,9 @@ diff -up openssh-5.9p0/monitor.c.audit1 openssh-5.9p0/monitor.c
xfree(cmd);
return (0);
}
diff -up openssh-5.9p0/monitor.h.audit1 openssh-5.9p0/monitor.h
--- openssh-5.9p0/monitor.h.audit1 2011-06-20 06:42:23.000000000 +0200
+++ openssh-5.9p0/monitor.h 2011-08-30 10:46:58.392112520 +0200
diff -up openssh-6.0p1/monitor.h.audit1 openssh-6.0p1/monitor.h
--- openssh-6.0p1/monitor.h.audit1 2011-06-20 06:42:23.000000000 +0200
+++ openssh-6.0p1/monitor.h 2012-08-06 20:33:24.418382797 +0200
@@ -60,6 +60,7 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
@ -410,9 +410,9 @@ diff -up openssh-5.9p0/monitor.h.audit1 openssh-5.9p0/monitor.h
MONITOR_REQ_TERM,
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
diff -up openssh-5.9p0/monitor_wrap.c.audit1 openssh-5.9p0/monitor_wrap.c
--- openssh-5.9p0/monitor_wrap.c.audit1 2011-06-20 06:42:23.000000000 +0200
+++ openssh-5.9p0/monitor_wrap.c 2011-08-30 10:46:58.505031574 +0200
diff -up openssh-6.0p1/monitor_wrap.c.audit1 openssh-6.0p1/monitor_wrap.c
--- openssh-6.0p1/monitor_wrap.c.audit1 2012-08-06 20:33:24.384382930 +0200
+++ openssh-6.0p1/monitor_wrap.c 2012-08-06 20:33:24.419382793 +0200
@@ -1188,10 +1188,11 @@ mm_audit_event(ssh_audit_event_t event)
buffer_free(&m);
}
@ -453,9 +453,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.audit1 openssh-5.9p0/monitor_wrap.c
buffer_free(&m);
}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p0/monitor_wrap.h.audit1 openssh-5.9p0/monitor_wrap.h
--- openssh-5.9p0/monitor_wrap.h.audit1 2011-06-20 06:42:23.000000000 +0200
+++ openssh-5.9p0/monitor_wrap.h 2011-08-30 10:46:58.616212835 +0200
diff -up openssh-6.0p1/monitor_wrap.h.audit1 openssh-6.0p1/monitor_wrap.h
--- openssh-6.0p1/monitor_wrap.h.audit1 2011-06-20 06:42:23.000000000 +0200
+++ openssh-6.0p1/monitor_wrap.h 2012-08-06 20:33:24.419382793 +0200
@@ -74,7 +74,8 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
#include "audit.h"
@ -466,9 +466,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.audit1 openssh-5.9p0/monitor_wrap.h
#endif
struct Session;
diff -up openssh-5.9p0/session.c.audit1 openssh-5.9p0/session.c
--- openssh-5.9p0/session.c.audit1 2011-05-20 03:23:10.000000000 +0200
+++ openssh-5.9p0/session.c 2011-08-30 10:46:58.756024849 +0200
diff -up openssh-6.0p1/session.c.audit1 openssh-6.0p1/session.c
--- openssh-6.0p1/session.c.audit1 2011-11-04 00:55:24.000000000 +0100
+++ openssh-6.0p1/session.c 2012-08-06 20:33:24.420382789 +0200
@@ -742,6 +742,14 @@ do_exec_pty(Session *s, const char *comm
/* Parent. Close the slave side of the pseudo tty. */
close(ttyfd);
@ -599,9 +599,9 @@ diff -up openssh-5.9p0/session.c.audit1 openssh-5.9p0/session.c
- session_destroy_all(session_pty_cleanup2);
+ session_destroy_all(do_cleanup_one_session);
}
diff -up openssh-5.9p0/session.h.audit1 openssh-5.9p0/session.h
--- openssh-5.9p0/session.h.audit1 2008-05-19 07:34:50.000000000 +0200
+++ openssh-5.9p0/session.h 2011-08-30 10:46:58.884024597 +0200
diff -up openssh-6.0p1/session.h.audit1 openssh-6.0p1/session.h
--- openssh-6.0p1/session.h.audit1 2008-05-19 07:34:50.000000000 +0200
+++ openssh-6.0p1/session.h 2012-08-06 20:33:24.420382789 +0200
@@ -60,6 +60,12 @@ struct Session {
char *name;
char *val;
@ -626,11 +626,11 @@ diff -up openssh-5.9p0/session.h.audit1 openssh-5.9p0/session.h
Session *session_by_tty(char *);
void session_close(Session *);
void do_setusercontext(struct passwd *);
diff -up openssh-5.9p0/sshd.c.audit1 openssh-5.9p0/sshd.c
--- openssh-5.9p0/sshd.c.audit1 2011-06-23 11:45:51.000000000 +0200
+++ openssh-5.9p0/sshd.c 2011-08-30 10:46:59.009025421 +0200
@@ -2364,7 +2364,8 @@ cleanup_exit(int i)
do_cleanup(the_authctxt);
diff -up openssh-6.0p1/sshd.c.audit1 openssh-6.0p1/sshd.c
--- openssh-6.0p1/sshd.c.audit1 2012-08-06 20:33:24.392382898 +0200
+++ openssh-6.0p1/sshd.c 2012-08-06 20:33:24.421382785 +0200
@@ -2381,7 +2381,8 @@ cleanup_exit(int i)
}
#ifdef SSH_AUDIT_EVENTS
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
- if (!use_privsep || mm_is_monitor())
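Review bot: The debug stubs this patch adds to audit.c (`audit_count_session_open`, `audit_run_command`, `audit_end_command`) print `geteuid()` with `%d`, but uid_t is typically unsigned, so the specifier does not match and a large uid would be logged as a negative number. The session-key stub further down this page already uses `%u` with `(unsigned)geteuid()`, so I would write `debug("audit end nopty exec euid %u user %s command '%.200s'", (unsigned)geteuid(), audit_username(), command);` and the same in the other two; the audit5 stubs in audit.c repeat the `%d`. Separately, `audit_run_command` always returns 0 and `audit_end_command` never reads `handle`, which deserves a one-line comment such as `/* generic backend: handle is always 0 and is not used to pair start/end */` so that real backends are not modelled on it.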


@ -1,7 +1,7 @@
diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p1/audit-bsm.c.audit4 2012-07-27 14:27:56.149474798 +0200
+++ openssh-5.9p1/audit-bsm.c 2012-07-27 14:27:56.164474882 +0200
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
diff -up openssh-6.0p1/audit-bsm.c.audit4 openssh-6.0p1/audit-bsm.c
--- openssh-6.0p1/audit-bsm.c.audit4 2012-08-06 20:35:56.306789054 +0200
+++ openssh-6.0p1/audit-bsm.c 2012-08-06 20:35:56.314789022 +0200
@@ -485,4 +485,10 @@ audit_kex_body(int ctos, char *enc, char
{
/* not implemented */
}
@ -12,9 +12,9 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
--- openssh-5.9p1/audit.c.audit4 2012-07-27 14:27:56.150474804 +0200
+++ openssh-5.9p1/audit.c 2012-07-27 14:27:56.165474888 +0200
diff -up openssh-6.0p1/audit.c.audit4 openssh-6.0p1/audit.c
--- openssh-6.0p1/audit.c.audit4 2012-08-06 20:35:56.307789050 +0200
+++ openssh-6.0p1/audit.c 2012-08-06 20:35:56.315789018 +0200
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
}
@ -44,9 +44,9 @@ diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit4 2012-07-27 14:27:56.151474810 +0200
+++ openssh-5.9p1/audit.h 2012-07-27 14:27:56.165474888 +0200
diff -up openssh-6.0p1/audit.h.audit4 openssh-6.0p1/audit.h
--- openssh-6.0p1/audit.h.audit4 2012-08-06 20:35:56.308789046 +0200
+++ openssh-6.0p1/audit.h 2012-08-06 20:35:56.315789018 +0200
@@ -62,5 +62,7 @@ void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
void audit_unsupported_body(int);
@ -55,9 +55,9 @@ diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
--- openssh-5.9p1/audit-linux.c.audit4 2012-07-27 14:27:56.149474798 +0200
+++ openssh-5.9p1/audit-linux.c 2012-07-27 14:27:56.166474894 +0200
diff -up openssh-6.0p1/audit-linux.c.audit4 openssh-6.0p1/audit-linux.c
--- openssh-6.0p1/audit-linux.c.audit4 2012-08-06 20:35:56.307789050 +0200
+++ openssh-6.0p1/audit-linux.c 2012-08-06 20:35:56.315789018 +0200
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
#endif
}
@ -108,9 +108,9 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
+}
+
#endif /* USE_LINUX_AUDIT */
diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
--- openssh-5.9p1/auditstub.c.audit4 2012-07-27 14:27:56.151474810 +0200
+++ openssh-5.9p1/auditstub.c 2012-07-27 14:27:56.166474894 +0200
diff -up openssh-6.0p1/auditstub.c.audit4 openssh-6.0p1/auditstub.c
--- openssh-6.0p1/auditstub.c.audit4 2012-08-06 20:35:56.308789046 +0200
+++ openssh-6.0p1/auditstub.c 2012-08-06 20:35:56.316789015 +0200
@@ -27,6 +27,8 @@
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
*/
@ -133,9 +133,9 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+}
diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
--- openssh-5.9p1/kex.c.audit4 2012-07-27 14:27:56.153474822 +0200
+++ openssh-5.9p1/kex.c 2012-07-27 14:27:56.167474900 +0200
diff -up openssh-6.0p1/kex.c.audit4 openssh-6.0p1/kex.c
--- openssh-6.0p1/kex.c.audit4 2012-08-06 20:35:56.309789042 +0200
+++ openssh-6.0p1/kex.c 2012-08-06 20:35:56.317789011 +0200
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
fprintf(stderr, "\n");
}
@ -171,9 +171,9 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
+ memset(&newkeys->comp, 0, sizeof(newkeys->comp));
+}
+
diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
--- openssh-5.9p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
+++ openssh-5.9p1/kex.h 2012-07-27 14:27:56.168474905 +0200
diff -up openssh-6.0p1/kex.h.audit4 openssh-6.0p1/kex.h
--- openssh-6.0p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
+++ openssh-6.0p1/kex.h 2012-08-06 20:35:56.317789011 +0200
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
void kexecdh_client(Kex *);
void kexecdh_server(Kex *);
@ -183,10 +183,10 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
--- openssh-5.9p1/mac.c.audit4 2011-08-17 02:29:03.000000000 +0200
+++ openssh-5.9p1/mac.c 2012-07-27 14:27:56.168474905 +0200
@@ -168,6 +168,20 @@ mac_clear(Mac *mac)
diff -up openssh-6.0p1/mac.c.audit4 openssh-6.0p1/mac.c
--- openssh-6.0p1/mac.c.audit4 2012-01-17 04:03:38.000000000 +0100
+++ openssh-6.0p1/mac.c 2012-08-06 20:35:56.318789007 +0200
@@ -171,6 +171,20 @@ mac_clear(Mac *mac)
mac->umac_ctx = NULL;
}
@ -207,17 +207,17 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
--- openssh-5.9p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
+++ openssh-5.9p1/mac.h 2012-07-27 14:27:56.169474910 +0200
diff -up openssh-6.0p1/mac.h.audit4 openssh-6.0p1/mac.h
--- openssh-6.0p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
+++ openssh-6.0p1/mac.h 2012-08-06 20:35:56.318789007 +0200
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.audit4 2012-07-27 14:27:56.154474827 +0200
+++ openssh-5.9p1/monitor.c 2012-07-27 14:31:20.311655098 +0200
diff -up openssh-6.0p1/monitor.c.audit4 openssh-6.0p1/monitor.c
--- openssh-6.0p1/monitor.c.audit4 2012-08-06 20:35:56.310789038 +0200
+++ openssh-6.0p1/monitor.c 2012-08-06 20:35:56.319789003 +0200
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
int mm_answer_audit_end_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *);
@ -269,7 +269,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
if (!authctxt->valid)
fatal("%s: authenticated invalid user", __func__);
if (strcmp(auth_method, "unknown") == 0)
@@ -1952,11 +1953,13 @@ mm_get_keystate(struct monitor *pmonitor
@@ -1953,11 +1954,13 @@ mm_get_keystate(struct monitor *pmonitor
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@ -283,7 +283,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
xfree(blob);
/* Now get sequence numbers for the packets */
@@ -2002,6 +2005,21 @@ mm_get_keystate(struct monitor *pmonitor
@@ -2003,6 +2006,21 @@ mm_get_keystate(struct monitor *pmonitor
}
buffer_free(&m);
@ -305,7 +305,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
}
@@ -2448,4 +2466,22 @@ mm_answer_audit_kex_body(int sock, Buffe
@@ -2449,4 +2467,22 @@ mm_answer_audit_kex_body(int sock, Buffe
return 0;
}
@ -328,9 +328,9 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
--- openssh-5.9p1/monitor.h.audit4 2012-07-27 14:27:56.155474832 +0200
+++ openssh-5.9p1/monitor.h 2012-07-27 14:27:56.171474920 +0200
diff -up openssh-6.0p1/monitor.h.audit4 openssh-6.0p1/monitor.h
--- openssh-6.0p1/monitor.h.audit4 2012-08-06 20:35:56.310789038 +0200
+++ openssh-6.0p1/monitor.h 2012-08-06 20:35:56.319789003 +0200
@@ -63,6 +63,7 @@ enum monitor_reqtype {
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -339,9 +339,9 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
MONITOR_REQ_TERM,
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.audit4 2012-07-27 14:27:56.156474837 +0200
+++ openssh-5.9p1/monitor_wrap.c 2012-07-27 14:27:56.172474926 +0200
diff -up openssh-6.0p1/monitor_wrap.c.audit4 openssh-6.0p1/monitor_wrap.c
--- openssh-6.0p1/monitor_wrap.c.audit4 2012-08-06 20:35:56.311789034 +0200
+++ openssh-6.0p1/monitor_wrap.c 2012-08-06 20:35:56.320788999 +0200
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
fatal("%s: conversion of newkeys failed", __func__);
@ -377,9 +377,9 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.audit4 2012-07-27 14:27:56.157474843 +0200
+++ openssh-5.9p1/monitor_wrap.h 2012-07-27 14:27:56.173474932 +0200
diff -up openssh-6.0p1/monitor_wrap.h.audit4 openssh-6.0p1/monitor_wrap.h
--- openssh-6.0p1/monitor_wrap.h.audit4 2012-08-06 20:35:56.311789034 +0200
+++ openssh-6.0p1/monitor_wrap.h 2012-08-06 20:35:56.320788999 +0200
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
void mm_audit_end_command(int, const char *);
void mm_audit_unsupported_body(int);
@ -388,9 +388,9 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
#endif
struct Session;
diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
--- openssh-5.9p1/packet.c.audit4 2012-07-27 14:27:56.099474520 +0200
+++ openssh-5.9p1/packet.c 2012-07-27 14:27:56.174474938 +0200
diff -up openssh-6.0p1/packet.c.audit4 openssh-6.0p1/packet.c
--- openssh-6.0p1/packet.c.audit4 2012-08-06 20:35:56.282789147 +0200
+++ openssh-6.0p1/packet.c 2012-08-06 20:35:56.321788995 +0200
@@ -60,6 +60,7 @@
#include <signal.h>
@ -399,7 +399,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
#include "buffer.h"
#include "packet.h"
#include "crc32.h"
@@ -472,6 +473,13 @@ packet_get_connection_out(void)
@@ -470,6 +471,13 @@ packet_get_connection_out(void)
return active_state->connection_out;
}
@ -413,7 +413,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
/* Closes the connection and clears and frees internal data structures. */
void
@@ -480,13 +488,6 @@ packet_close(void)
@@ -478,13 +486,6 @@ packet_close(void)
if (!active_state->initialized)
return;
active_state->initialized = 0;
@ -427,7 +427,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
buffer_free(&active_state->input);
buffer_free(&active_state->output);
buffer_free(&active_state->outgoing_packet);
@@ -495,8 +496,18 @@ packet_close(void)
@@ -493,8 +494,18 @@ packet_close(void)
buffer_free(&active_state->compression_buffer);
buffer_compress_uninit();
}
@ -448,7 +448,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
}
/* Sets remote side protocol flags. */
@@ -731,6 +742,23 @@ packet_send1(void)
@@ -729,6 +740,23 @@ packet_send1(void)
*/
}
@ -472,7 +472,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
void
set_newkeys(int mode)
{
@@ -756,18 +784,9 @@ set_newkeys(int mode)
@@ -754,18 +782,9 @@ set_newkeys(int mode)
}
if (active_state->newkeys[mode] != NULL) {
debug("set_newkeys: rekeying");
@ -493,7 +493,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
}
active_state->newkeys[mode] = kex_get_newkeys(mode);
if (active_state->newkeys[mode] == NULL)
@@ -1927,6 +1946,47 @@ packet_get_newkeys(int mode)
@@ -1921,6 +1940,47 @@ packet_get_newkeys(int mode)
return (void *)active_state->newkeys[mode];
}
@ -541,7 +541,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
/*
* Save the state for the real connection, and use a separate state when
* resuming a suspended connection.
@@ -1934,18 +1994,12 @@ packet_get_newkeys(int mode)
@@ -1928,18 +1988,12 @@ packet_get_newkeys(int mode)
void
packet_backup_state(void)
{
@ -561,7 +561,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
}
/*
@@ -1962,9 +2016,7 @@ packet_restore_state(void)
@@ -1956,9 +2010,7 @@ packet_restore_state(void)
backup_state = active_state;
active_state = tmp;
active_state->connection_in = backup_state->connection_in;
@ -571,7 +571,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
len = buffer_len(&backup_state->input);
if (len > 0) {
buf = buffer_ptr(&backup_state->input);
@@ -1972,4 +2024,10 @@ packet_restore_state(void)
@@ -1966,4 +2018,10 @@ packet_restore_state(void)
buffer_clear(&backup_state->input);
add_recv_bytes(len);
}
@ -582,18 +582,18 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
+ backup_state = NULL;
}
+
diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
--- openssh-5.9p1/packet.h.audit4 2011-05-15 00:43:13.000000000 +0200
+++ openssh-5.9p1/packet.h 2012-07-27 14:27:56.175474944 +0200
@@ -124,4 +124,5 @@ void packet_restore_state(void);
diff -up openssh-6.0p1/packet.h.audit4 openssh-6.0p1/packet.h
--- openssh-6.0p1/packet.h.audit4 2012-02-10 22:19:21.000000000 +0100
+++ openssh-6.0p1/packet.h 2012-08-06 20:35:56.321788995 +0200
@@ -123,4 +123,5 @@ void packet_restore_state(void);
void *packet_get_input(void);
void *packet_get_output(void);
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.audit4 2012-07-27 14:27:56.130474693 +0200
+++ openssh-5.9p1/session.c 2012-07-27 14:27:56.176474950 +0200
diff -up openssh-6.0p1/session.c.audit4 openssh-6.0p1/session.c
--- openssh-6.0p1/session.c.audit4 2012-08-06 20:35:56.296789093 +0200
+++ openssh-6.0p1/session.c 2012-08-06 20:35:56.322788991 +0200
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
/* remove hostkey from the child's memory */
@ -604,10 +604,10 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
/* Force a password change */
if (s->authctxt->force_pwchange) {
diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.audit4 2012-07-27 14:27:56.159474855 +0200
+++ openssh-5.9p1/sshd.c 2012-07-27 14:27:56.178474961 +0200
@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
diff -up openssh-6.0p1/sshd.c.audit4 openssh-6.0p1/sshd.c
--- openssh-6.0p1/sshd.c.audit4 2012-08-06 20:35:56.312789030 +0200
+++ openssh-6.0p1/sshd.c 2012-08-06 20:35:56.323788987 +0200
@@ -690,6 +690,8 @@ privsep_preauth(Authctxt *authctxt)
}
}
@ -616,7 +616,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
static void
privsep_postauth(Authctxt *authctxt)
{
@@ -710,6 +712,10 @@ privsep_postauth(Authctxt *authctxt)
@@ -714,6 +716,10 @@ privsep_postauth(Authctxt *authctxt)
else if (pmonitor->m_pid != 0) {
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
buffer_clear(&loginmsg);
@ -627,7 +627,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
monitor_child_postauth(pmonitor);
/* NEVERREACHED */
@@ -2001,6 +2007,7 @@ main(int ac, char **av)
@@ -2005,6 +2011,7 @@ main(int ac, char **av)
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
@ -635,7 +635,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
exit(0);
}
@@ -2053,6 +2060,8 @@ main(int ac, char **av)
@@ -2057,6 +2064,8 @@ main(int ac, char **av)
do_authenticated(authctxt);
/* The connection has been terminated. */
@ -644,7 +644,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",
@@ -2370,8 +2379,20 @@ do_ssh2_kex(void)
@@ -2374,6 +2383,16 @@ do_ssh2_kex(void)
void
cleanup_exit(int i)
{
@ -658,8 +658,13 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
+ _exit(i);
+ in_cleanup = 1;
+
if (the_authctxt)
if (the_authctxt) {
do_cleanup(the_authctxt);
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
@@ -2384,6 +2403,8 @@ cleanup_exit(int i)
pmonitor->m_pid, strerror(errno));
}
}
+ is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();
+ packet_destroy_all(1, is_privsep_child);
#ifdef SSH_AUDIT_EVENTS
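Review bot: The function added at the end of kex.c finishes with a plain `memset(&newkeys->comp, 0, sizeof(newkeys->comp));`, and the rest of its body is collapsed on this page, so what follows is hedged. If the cipher and MAC key fields are cleared the same way and the caller frees the structure straight afterwards, an optimising compiler may drop those stores as dead, leaving key material in freed memory even though the session-key-free audit event has been recorded. I would route the wipes through a helper the compiler cannot elide (`explicit_bzero` where the platform provides it, otherwise a call to `memset` through a volatile function pointer) and say so in a comment, e.g. `/* wipe must survive dead-store elimination; the caller frees this memory */`. The same check is worth making in `mac_destroy` in mac.c, whose body is also not shown here.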


@ -1,7 +1,7 @@
diff -up openssh-5.9p1/audit-bsm.c.audit5 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p1/audit-bsm.c.audit5 2011-09-13 22:07:31.262575526 +0200
+++ openssh-5.9p1/audit-bsm.c 2011-09-13 22:07:33.268491813 +0200
@@ -414,4 +414,22 @@ audit_session_key_free_body(int ctos, pi
diff -up openssh-6.0p1/audit-bsm.c.audit5 openssh-6.0p1/audit-bsm.c
--- openssh-6.0p1/audit-bsm.c.audit5 2012-08-06 20:37:50.036345216 +0200
+++ openssh-6.0p1/audit-bsm.c 2012-08-06 20:37:50.046345177 +0200
@@ -491,4 +491,22 @@ audit_session_key_free_body(int ctos, pi
{
/* not implemented */
}
@ -24,10 +24,58 @@ diff -up openssh-5.9p1/audit-bsm.c.audit5 openssh-5.9p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff -up openssh-5.9p1/audit-linux.c.audit5 openssh-5.9p1/audit-linux.c
--- openssh-5.9p1/audit-linux.c.audit5 2011-09-13 22:07:31.400584308 +0200
+++ openssh-5.9p1/audit-linux.c 2011-09-13 22:07:33.357460348 +0200
@@ -350,4 +350,50 @@ audit_session_key_free_body(int ctos, pi
diff -up openssh-6.0p1/audit.c.audit5 openssh-6.0p1/audit.c
--- openssh-6.0p1/audit.c.audit5 2012-08-06 20:37:50.036345216 +0200
+++ openssh-6.0p1/audit.c 2012-08-06 20:37:50.047345173 +0200
@@ -290,5 +290,24 @@ audit_session_key_free_body(int ctos, pi
debug("audit session key discard euid %u direction %d from pid %ld uid %u",
(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
}
+
+/*
+ * This will be called on destroy private part of the server key
+ */
+void
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
+{
+ debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
+ geteuid(), fp, (long)pid, (unsigned)uid);
+}
+
+/*
+ * This will be called on generation of the ephemeral server key
+ */
+void
+audit_generate_ephemeral_server_key(const char *)
+{
+ debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-6.0p1/audit.h.audit5 openssh-6.0p1/audit.h
--- openssh-6.0p1/audit.h.audit5 2012-08-06 20:37:50.037345212 +0200
+++ openssh-6.0p1/audit.h 2012-08-06 20:37:50.047345173 +0200
@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
};
typedef enum ssh_audit_event_type ssh_audit_event_t;
+int listening_for_clients(void);
+
void audit_connection_from(const char *, int);
void audit_event(ssh_audit_event_t);
void audit_count_session_open(void);
@@ -64,5 +66,7 @@ void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
void audit_session_key_free(int ctos);
void audit_session_key_free_body(int ctos, pid_t, uid_t);
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
+void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */
diff -up openssh-6.0p1/audit-linux.c.audit5 openssh-6.0p1/audit-linux.c
--- openssh-6.0p1/audit-linux.c.audit5 2012-08-06 20:37:50.037345212 +0200
+++ openssh-6.0p1/audit-linux.c 2012-08-06 20:37:50.046345177 +0200
@@ -356,4 +356,50 @@ audit_session_key_free_body(int ctos, pi
error("cannot write into audit");
}
@ -78,58 +126,10 @@ diff -up openssh-5.9p1/audit-linux.c.audit5 openssh-5.9p1/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff -up openssh-5.9p1/audit.c.audit5 openssh-5.9p1/audit.c
--- openssh-5.9p1/audit.c.audit5 2011-09-13 22:07:31.495458797 +0200
+++ openssh-5.9p1/audit.c 2011-09-13 22:07:33.478458341 +0200
@@ -290,5 +290,24 @@ audit_session_key_free_body(int ctos, pi
debug("audit session key discard euid %u direction %d from pid %ld uid %u",
(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
}
+
+/*
+ * This will be called on destroy private part of the server key
+ */
+void
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
+{
+ debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
+ geteuid(), fp, (long)pid, (unsigned)uid);
+}
+
+/*
+ * This will be called on generation of the ephemeral server key
+ */
+void
+audit_generate_ephemeral_server_key(const char *)
+{
+ debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/audit.h.audit5 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit5 2011-09-13 22:07:31.616459125 +0200
+++ openssh-5.9p1/audit.h 2011-09-13 22:07:33.612458074 +0200
@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
};
typedef enum ssh_audit_event_type ssh_audit_event_t;
+int listening_for_clients(void);
+
void audit_connection_from(const char *, int);
void audit_event(ssh_audit_event_t);
void audit_count_session_open(void);
@@ -64,5 +66,7 @@ void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
void audit_session_key_free(int ctos);
void audit_session_key_free_body(int ctos, pid_t, uid_t);
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
+void audit_generate_ephemeral_server_key(const char *);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.9p1/key.c.audit5 openssh-5.9p1/key.c
--- openssh-5.9p1/key.c.audit5 2011-09-13 22:07:23.054490740 +0200
+++ openssh-5.9p1/key.c 2011-09-13 22:07:33.721583661 +0200
@@ -1799,6 +1799,30 @@ key_demote(const Key *k)
diff -up openssh-6.0p1/key.c.audit5 openssh-6.0p1/key.c
--- openssh-6.0p1/key.c.audit5 2012-08-06 20:37:49.992345388 +0200
+++ openssh-6.0p1/key.c 2012-08-06 20:37:50.048345169 +0200
@@ -1794,6 +1794,30 @@ key_demote(const Key *k)
}
int
@ -160,9 +160,9 @@ diff -up openssh-5.9p1/key.c.audit5 openssh-5.9p1/key.c
key_is_cert(const Key *k)
{
if (k == NULL)
diff -up openssh-5.9p1/key.h.audit5 openssh-5.9p1/key.h
--- openssh-5.9p1/key.h.audit5 2011-09-13 22:07:23.160459285 +0200
+++ openssh-5.9p1/key.h 2011-09-13 22:07:33.847459341 +0200
diff -up openssh-6.0p1/key.h.audit5 openssh-6.0p1/key.h
--- openssh-6.0p1/key.h.audit5 2012-08-06 20:37:49.993345384 +0200
+++ openssh-6.0p1/key.h 2012-08-06 20:37:50.049345165 +0200
@@ -109,6 +109,7 @@ Key *key_generate(int, u_int);
Key *key_from_private(const Key *);
int key_type_from_name(char *);
@ -171,9 +171,9 @@ diff -up openssh-5.9p1/key.h.audit5 openssh-5.9p1/key.h
int key_type_plain(int);
int key_to_certified(Key *, int);
int key_drop_cert(Key *);
diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.audit5 2011-09-13 22:07:32.285495537 +0200
+++ openssh-5.9p1/monitor.c 2011-09-13 22:10:04.148554239 +0200
diff -up openssh-6.0p1/monitor.c.audit5 openssh-6.0p1/monitor.c
--- openssh-6.0p1/monitor.c.audit5 2012-08-06 20:37:50.040345200 +0200
+++ openssh-6.0p1/monitor.c 2012-08-06 20:37:50.049345165 +0200
@@ -114,6 +114,8 @@ extern Buffer auth_debug;
extern int auth_debug_init;
extern Buffer loginmsg;
@ -183,7 +183,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
/* State exported from the child */
struct {
@@ -191,6 +193,7 @@ int mm_answer_audit_end_command(int, Buf
@@ -190,6 +192,7 @@ int mm_answer_audit_end_command(int, Buf
int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *);
int mm_answer_audit_session_key_free_body(int, Buffer *);
@ -199,7 +199,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -285,6 +289,7 @@ struct mon_table mon_dispatch_postauth20
@@ -284,6 +288,7 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
@ -207,7 +207,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
#endif
{0, 0, NULL}
};
@@ -319,6 +324,7 @@ struct mon_table mon_dispatch_proto15[]
@@ -318,6 +323,7 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
@ -215,7 +215,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
#endif
{0, 0, NULL}
};
@@ -334,6 +340,7 @@ struct mon_table mon_dispatch_postauth15
@@ -333,6 +339,7 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
@ -223,7 +223,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
#endif
{0, 0, NULL}
};
@@ -1716,6 +1723,8 @@ mm_answer_term(int sock, Buffer *req)
@@ -1744,6 +1751,8 @@ mm_answer_term(int sock, Buffer *req)
sshpam_cleanup();
#endif
@ -232,7 +232,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
@@ -2470,4 +2479,25 @@ mm_answer_audit_session_key_free_body(in
@@ -2485,4 +2494,25 @@ mm_answer_audit_session_key_free_body(in
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
return 0;
}
@ -258,9 +258,9 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
+ return 0;
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor.h.audit5 openssh-5.9p1/monitor.h
--- openssh-5.9p1/monitor.h.audit5 2011-09-13 22:07:32.385522626 +0200
+++ openssh-5.9p1/monitor.h 2011-09-13 22:07:34.098459356 +0200
diff -up openssh-6.0p1/monitor.h.audit5 openssh-6.0p1/monitor.h
--- openssh-6.0p1/monitor.h.audit5 2012-08-06 20:37:50.040345200 +0200
+++ openssh-6.0p1/monitor.h 2012-08-06 20:37:50.050345161 +0200
@@ -64,6 +64,7 @@ enum monitor_reqtype {
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
@ -269,10 +269,10 @@ diff -up openssh-5.9p1/monitor.h.audit5 openssh-5.9p1/monitor.h
MONITOR_REQ_TERM,
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
diff -up openssh-5.9p1/monitor_wrap.c.audit5 openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.audit5 2011-09-13 22:07:32.510521163 +0200
+++ openssh-5.9p1/monitor_wrap.c 2011-09-13 22:07:34.610458275 +0200
@@ -1559,4 +1559,20 @@ mm_audit_session_key_free_body(int ctos,
diff -up openssh-6.0p1/monitor_wrap.c.audit5 openssh-6.0p1/monitor_wrap.c
--- openssh-6.0p1/monitor_wrap.c.audit5 2012-08-06 20:37:50.041345196 +0200
+++ openssh-6.0p1/monitor_wrap.c 2012-08-06 20:37:50.050345161 +0200
@@ -1539,4 +1539,20 @@ mm_audit_session_key_free_body(int ctos,
&m);
buffer_free(&m);
}
@ -293,10 +293,10 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit5 openssh-5.9p1/monitor_wrap.c
+ buffer_free(&m);
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor_wrap.h.audit5 openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.audit5 2011-09-13 22:07:32.607520810 +0200
+++ openssh-5.9p1/monitor_wrap.h 2011-09-13 22:07:34.716458214 +0200
@@ -81,6 +81,7 @@ void mm_audit_end_command(int, const cha
diff -up openssh-6.0p1/monitor_wrap.h.audit5 openssh-6.0p1/monitor_wrap.h
--- openssh-6.0p1/monitor_wrap.h.audit5 2012-08-06 20:37:50.041345196 +0200
+++ openssh-6.0p1/monitor_wrap.h 2012-08-06 20:37:50.051345157 +0200
@@ -80,6 +80,7 @@ void mm_audit_end_command(int, const cha
void mm_audit_unsupported_body(int);
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
void mm_audit_session_key_free_body(int, pid_t, uid_t);
@ -304,9 +304,9 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit5 openssh-5.9p1/monitor_wrap.h
#endif
struct Session;
diff -up openssh-5.9p1/session.c.audit5 openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.audit5 2011-09-13 22:07:32.973544819 +0200
+++ openssh-5.9p1/session.c 2011-09-13 22:07:34.849585578 +0200
diff -up openssh-6.0p1/session.c.audit5 openssh-6.0p1/session.c
--- openssh-6.0p1/session.c.audit5 2012-08-06 20:37:50.043345189 +0200
+++ openssh-6.0p1/session.c 2012-08-06 20:37:50.052345153 +0200
@@ -136,7 +136,7 @@ extern int log_stderr;
extern int debug_flag;
extern u_int utmp_len;
@ -325,10 +325,10 @@ diff -up openssh-5.9p1/session.c.audit5 openssh-5.9p1/session.c
/* Don't audit this - both us and the parent would be talking to the
monitor over a single socket, with no synchronization. */
packet_destroy_all(0, 1);
diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.audit5 2011-09-13 22:07:33.106516378 +0200
+++ openssh-5.9p1/sshd.c 2011-09-13 22:07:34.989470331 +0200
@@ -254,7 +254,7 @@ Buffer loginmsg;
diff -up openssh-6.0p1/sshd.c.audit5 openssh-6.0p1/sshd.c
--- openssh-6.0p1/sshd.c.audit5 2012-08-06 20:37:50.044345185 +0200
+++ openssh-6.0p1/sshd.c 2012-08-06 20:37:50.053345149 +0200
@@ -255,7 +255,7 @@ Buffer loginmsg;
struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */
@ -337,7 +337,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
void demote_sensitive_data(void);
static void do_ssh1_kex(void);
@@ -273,6 +273,15 @@ close_listen_socks(void)
@@ -274,6 +274,15 @@ close_listen_socks(void)
num_listen_socks = -1;
}
@ -353,7 +353,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
static void
close_startup_pipes(void)
{
@@ -533,22 +542,47 @@ sshd_exchange_identification(int sock_in
@@ -534,22 +543,47 @@ sshd_exchange_identification(int sock_in
}
}
@ -404,7 +404,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
key_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL;
}
@@ -562,6 +596,8 @@ void
@@ -563,6 +597,8 @@ void
demote_sensitive_data(void)
{
Key *tmp;
@ -413,7 +413,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
int i;
if (sensitive_data.server_key) {
@@ -570,13 +606,27 @@ demote_sensitive_data(void)
@@ -571,13 +607,27 @@ demote_sensitive_data(void)
sensitive_data.server_key = tmp;
}
@ -441,7 +441,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
}
/* Certs do not need demotion */
}
@@ -1145,6 +1195,7 @@ server_accept_loop(int *sock_in, int *so
@@ -1149,6 +1199,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",
(int) received_sigterm);
@ -449,7 +449,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
close_listen_socks();
unlink(options.pid_file);
exit(received_sigterm == SIGTERM ? 0 : 255);
@@ -2050,7 +2101,7 @@ main(int ac, char **av)
@@ -2054,7 +2105,7 @@ main(int ac, char **av)
privsep_postauth(authctxt);
/* the monitor process [priv] will not return */
if (!compat20)
@ -458,7 +458,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
}
packet_set_timeout(options.client_alive_interval,
@@ -2061,6 +2112,7 @@ main(int ac, char **av)
@@ -2065,6 +2116,7 @@ main(int ac, char **av)
/* The connection has been terminated. */
packet_destroy_all(1, 1);
@ -466,7 +466,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
@@ -2289,7 +2341,7 @@ do_ssh1_kex(void)
@@ -2293,7 +2345,7 @@ do_ssh1_kex(void)
session_id[i] = session_key[i] ^ session_key[i + 16];
}
/* Destroy the private and public keys. No longer. */
@ -475,9 +475,9 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
if (use_privsep)
mm_ssh1_session_id(session_id);
@@ -2392,6 +2444,8 @@ cleanup_exit(int i)
if (the_authctxt)
do_cleanup(the_authctxt);
@@ -2404,6 +2456,8 @@ cleanup_exit(int i)
}
}
is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();
+ if (sensitive_data.host_keys != NULL)
+ destroy_sensitive_data(is_privsep_child);


@ -1,7 +1,7 @@
diff -up openssh-5.9p0/entropy.c.entropy openssh-5.9p0/entropy.c
--- openssh-5.9p0/entropy.c.entropy 2011-08-31 13:20:59.660150441 +0200
+++ openssh-5.9p0/entropy.c 2011-08-31 13:21:05.072024970 +0200
@@ -232,6 +232,9 @@ seed_rng(void)
diff -up openssh-6.0p1/entropy.c.entropy openssh-6.0p1/entropy.c
--- openssh-6.0p1/entropy.c.entropy 2012-08-06 20:51:59.131033413 +0200
+++ openssh-6.0p1/entropy.c 2012-08-06 20:51:59.171033257 +0200
@@ -237,6 +237,9 @@ seed_rng(void)
memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */
@ -11,21 +11,21 @@ diff -up openssh-5.9p0/entropy.c.entropy openssh-5.9p0/entropy.c
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
diff -up openssh-5.9p0/openbsd-compat/Makefile.in.entropy openssh-5.9p0/openbsd-compat/Makefile.in
--- openssh-5.9p0/openbsd-compat/Makefile.in.entropy 2011-08-31 13:20:54.000000000 +0200
+++ openssh-5.9p0/openbsd-compat/Makefile.in 2011-08-31 13:44:25.138151565 +0200
diff -up openssh-6.0p1/openbsd-compat/Makefile.in.entropy openssh-6.0p1/openbsd-compat/Makefile.in
--- openssh-6.0p1/openbsd-compat/Makefile.in.entropy 2012-08-06 20:51:59.100033534 +0200
+++ openssh-6.0p1/openbsd-compat/Makefile.in 2012-08-06 20:51:59.171033257 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-5.9p0/openbsd-compat/port-linux-prng.c.entropy openssh-5.9p0/openbsd-compat/port-linux-prng.c
--- openssh-5.9p0/openbsd-compat/port-linux-prng.c.entropy 2011-08-31 13:21:05.382024083 +0200
+++ openssh-5.9p0/openbsd-compat/port-linux-prng.c 2011-08-31 13:21:05.386024776 +0200
diff -up openssh-6.0p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.0p1/openbsd-compat/port-linux-prng.c
--- openssh-6.0p1/openbsd-compat/port-linux-prng.c.entropy 2012-08-06 20:51:59.171033257 +0200
+++ openssh-6.0p1/openbsd-compat/port-linux-prng.c 2012-08-06 20:51:59.171033257 +0200
@@ -0,0 +1,59 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
@ -86,10 +86,37 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux-prng.c.entropy openssh-5.9p0/op
+ fatal ("EOF reading %s", random);
+ }
+}
diff -up openssh-5.9p0/ssh-add.1.entropy openssh-5.9p0/ssh-add.1
--- openssh-5.9p0/ssh-add.1.entropy 2010-11-05 00:20:14.000000000 +0100
+++ openssh-5.9p0/ssh-add.1 2011-08-31 13:21:05.597122030 +0200
@@ -158,6 +158,20 @@ Identifies the path of a
diff -up openssh-6.0p1/ssh.1.entropy openssh-6.0p1/ssh.1
--- openssh-6.0p1/ssh.1.entropy 2012-08-06 20:51:59.139033382 +0200
+++ openssh-6.0p1/ssh.1 2012-08-06 20:51:59.174033245 +0200
@@ -1269,6 +1269,23 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
diff -up openssh-6.0p1/ssh-add.1.entropy openssh-6.0p1/ssh-add.1
--- openssh-6.0p1/ssh-add.1.entropy 2011-10-18 07:06:33.000000000 +0200
+++ openssh-6.0p1/ssh-add.1 2012-08-06 20:51:59.172033253 +0200
@@ -161,6 +161,20 @@ Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
.El
@ -110,9 +137,9 @@ diff -up openssh-5.9p0/ssh-add.1.entropy openssh-5.9p0/ssh-add.1
.Sh FILES
.Bl -tag -width Ds
.It Pa ~/.ssh/identity
diff -up openssh-5.9p0/ssh-agent.1.entropy openssh-5.9p0/ssh-agent.1
--- openssh-5.9p0/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
+++ openssh-5.9p0/ssh-agent.1 2011-08-31 13:21:05.735150196 +0200
diff -up openssh-6.0p1/ssh-agent.1.entropy openssh-6.0p1/ssh-agent.1
--- openssh-6.0p1/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
+++ openssh-6.0p1/ssh-agent.1 2012-08-06 20:51:59.172033253 +0200
@@ -198,6 +198,24 @@ sockets used to contain the connection t
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
@ -138,10 +165,38 @@ diff -up openssh-5.9p0/ssh-agent.1.entropy openssh-5.9p0/ssh-agent.1
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff -up openssh-5.9p0/ssh-keygen.1.entropy openssh-5.9p0/ssh-keygen.1
--- openssh-5.9p0/ssh-keygen.1.entropy 2011-08-31 13:20:59.200212619 +0200
+++ openssh-5.9p0/ssh-keygen.1 2011-08-31 13:21:06.077150115 +0200
@@ -669,6 +669,24 @@ Contains Diffie-Hellman groups used for
diff -up openssh-6.0p1/sshd.8.entropy openssh-6.0p1/sshd.8
--- openssh-6.0p1/sshd.8.entropy 2012-08-06 20:51:59.139033382 +0200
+++ openssh-6.0p1/sshd.8 2012-08-06 20:51:59.174033245 +0200
@@ -943,6 +943,24 @@ concurrently for different ports, this c
started last).
The content of this file is not sensitive; it can be world-readable.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh IPV6
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
.Sh SEE ALSO
diff -up openssh-6.0p1/ssh-keygen.1.entropy openssh-6.0p1/ssh-keygen.1
--- openssh-6.0p1/ssh-keygen.1.entropy 2011-10-18 07:05:21.000000000 +0200
+++ openssh-6.0p1/ssh-keygen.1 2012-08-06 20:51:59.173033249 +0200
@@ -675,6 +675,24 @@ Contains Diffie-Hellman groups used for
The file format is described in
.Xr moduli 5 .
.El
@ -166,9 +221,9 @@ diff -up openssh-5.9p0/ssh-keygen.1.entropy openssh-5.9p0/ssh-keygen.1
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff -up openssh-5.9p0/ssh-keysign.8.entropy openssh-5.9p0/ssh-keysign.8
--- openssh-5.9p0/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
+++ openssh-5.9p0/ssh-keysign.8 2011-08-31 13:21:06.207024356 +0200
diff -up openssh-6.0p1/ssh-keysign.8.entropy openssh-6.0p1/ssh-keysign.8
--- openssh-6.0p1/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
+++ openssh-6.0p1/ssh-keysign.8 2012-08-06 20:51:59.173033249 +0200
@@ -78,6 +78,24 @@ must be set-uid root if host-based authe
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
@ -194,58 +249,3 @@ diff -up openssh-5.9p0/ssh-keysign.8.entropy openssh-5.9p0/ssh-keysign.8
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
diff -up openssh-5.9p0/ssh.1.entropy openssh-5.9p0/ssh.1
--- openssh-5.9p0/ssh.1.entropy 2011-08-31 13:21:00.835103535 +0200
+++ openssh-5.9p0/ssh.1 2011-08-31 13:21:05.482032754 +0200
@@ -1255,6 +1255,23 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
diff -up openssh-5.9p0/sshd.8.entropy openssh-5.9p0/sshd.8
--- openssh-5.9p0/sshd.8.entropy 2011-08-31 13:21:00.000000000 +0200
+++ openssh-5.9p0/sshd.8 2011-08-31 13:46:27.341025537 +0200
@@ -940,6 +940,24 @@ concurrently for different ports, this c
started last).
The content of this file is not sensitive; it can be world-readable.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh IPV6
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
.Sh SEE ALSO
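Review bot: In the sshd.8 part of this patch the new ENVIRONMENT entry is written `.It Pa SSH_USE_STRONG_RNG`, which marks the variable as a path, and a `.Pp` sits between `.Bl` and the first `.It`. The ssh.1 part uses `.It Ev SSH_USE_STRONG_RNG` with no `.Pp`. I would drop the `.Pp` line and change the entry to `.It Ev SSH_USE_STRONG_RNG` so both pages mark up the variable the same way. The text "Minimum is 6 bytes" also does not say what a value between 1 and 5 does. The body of port-linux-prng.c is elided on this page, so I cannot tell whether such a value is raised to 6 or rejected, and the man page should state which. The ssh-add.1, ssh-agent.1, ssh-keygen.1 and ssh-keysign.8 entries are elided here as well and may need the same check.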


@ -0,0 +1,934 @@
diff -up openssh-6.0p1/auth.h.role-mls openssh-6.0p1/auth.h
--- openssh-6.0p1/auth.h.role-mls 2012-06-24 16:57:17.540262700 +0200
+++ openssh-6.0p1/auth.h 2012-06-24 16:49:35.802071204 +0200
@@ -59,6 +59,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
void *jpake_ctx;
#ifdef BSD_AUTH
diff -up openssh-6.0p1/auth-pam.c.role-mls openssh-6.0p1/auth-pam.c
--- openssh-6.0p1/auth-pam.c.role-mls 2012-06-24 16:57:17.532262382 +0200
+++ openssh-6.0p1/auth-pam.c 2012-06-24 16:49:35.803071166 +0200
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-6.0p1/auth-pam.h.role-mls openssh-6.0p1/auth-pam.h
--- openssh-6.0p1/auth-pam.h.role-mls 2012-06-24 16:57:17.515261702 +0200
+++ openssh-6.0p1/auth-pam.h 2012-06-24 16:49:35.804071128 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-6.0p1/auth1.c.role-mls openssh-6.0p1/auth1.c
--- openssh-6.0p1/auth1.c.role-mls 2012-06-24 16:57:17.505261305 +0200
+++ openssh-6.0p1/auth1.c 2012-06-24 16:49:35.805071090 +0200
@@ -468,6 +468,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role=NULL;
+#endif
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -476,11 +479,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen);
packet_check_eom();
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
+#ifdef WITH_SELINUX
+ else
+ if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
+#endif
authctxt->user = user;
authctxt->style = style;
+#ifdef WITH_SELINUX
+ authctxt->role = role;
+#endif
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-6.0p1/auth2.c.role-mls openssh-6.0p1/auth2.c
--- openssh-6.0p1/auth2.c.role-mls 2012-06-24 16:57:17.507261384 +0200
+++ openssh-6.0p1/auth2.c 2012-06-24 16:49:35.806071052 +0200
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
char *user, *service, *method, *active_methods, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
int authenticated = 0;
if (authctxt == NULL)
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -249,8 +257,15 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+ if (use_privsep) {
mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+#endif
+ }
userauth_banner();
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
diff -up openssh-6.0p1/auth2-gss.c.role-mls openssh-6.0p1/auth2-gss.c
--- openssh-6.0p1/auth2-gss.c.role-mls 2012-06-24 16:57:17.522261982 +0200
+++ openssh-6.0p1/auth2-gss.c 2012-06-24 16:49:35.806071052 +0200
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
xfree(mic.value);
authctxt->postponed = 0;
diff -up openssh-6.0p1/auth2-hostbased.c.role-mls openssh-6.0p1/auth2-hostbased.c
--- openssh-6.0p1/auth2-hostbased.c.role-mls 2012-06-24 16:57:17.535262501 +0200
+++ openssh-6.0p1/auth2-hostbased.c 2012-06-24 16:49:35.807071014 +0200
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-6.0p1/auth2-pubkey.c.role-mls openssh-6.0p1/auth2-pubkey.c
--- openssh-6.0p1/auth2-pubkey.c.role-mls 2012-06-24 16:57:17.517261782 +0200
+++ openssh-6.0p1/auth2-pubkey.c 2012-06-24 16:49:35.807071014 +0200
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-6.0p1/misc.c.role-mls openssh-6.0p1/misc.c
--- openssh-6.0p1/misc.c.role-mls 2012-06-24 17:02:27.116348979 +0200
+++ openssh-6.0p1/misc.c 2012-06-24 16:58:09.631883672 +0200
@@ -427,6 +427,7 @@ char *
colon(char *cp)
{
int flag = 0;
+ int start = 1;
if (*cp == ':') /* Leading colon is part of file name. */
return NULL;
@@ -442,6 +443,13 @@ colon(char *cp)
return (cp);
if (*cp == '/')
return NULL;
+ if (start) {
+ /* Slash on beginning or after dots only denotes file name. */
+ if (*cp == '/')
+ return (0);
+ if (*cp != '.')
+ start = 0;
+ }
}
return NULL;
}
diff -up openssh-6.0p1/monitor.c.role-mls openssh-6.0p1/monitor.c
--- openssh-6.0p1/monitor.c.role-mls 2012-06-24 16:57:17.510261504 +0200
+++ openssh-6.0p1/monitor.c 2012-06-24 16:49:35.809070938 +0200
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -835,6 +841,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
#ifdef USE_PAM
@@ -878,6 +887,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+ monitor_permit_authentications(1);
+
+ authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+#endif
+
int
mm_answer_authpassword(int sock, Buffer *m)
{
@@ -1254,7 +1282,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
- char *p;
+ char *p, *r;
u_int len;
int fail = 0;
@@ -1280,6 +1308,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
@@ -1311,7 +1341,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
- char *p;
+ char *p, *r;
u_int len;
int fail = 0;
@@ -1328,6 +1358,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
diff -up openssh-6.0p1/monitor.h.role-mls openssh-6.0p1/monitor.h
--- openssh-6.0p1/monitor.h.role-mls 2012-06-24 16:57:17.520261902 +0200
+++ openssh-6.0p1/monitor.h 2012-06-24 16:49:35.809070938 +0200
@@ -31,6 +31,9 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+#ifdef WITH_SELINUX
+ MONITOR_REQ_AUTHROLE,
+#endif
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-6.0p1/monitor_wrap.c.role-mls openssh-6.0p1/monitor_wrap.c
--- openssh-6.0p1/monitor_wrap.c.role-mls 2012-06-24 16:57:17.537262580 +0200
+++ openssh-6.0p1/monitor_wrap.c 2012-06-24 16:49:35.810070900 +0200
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
+/* Inform the privileged process about role */
+
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, role ? role : "");
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+}
+#endif
+
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-6.0p1/monitor_wrap.h.role-mls openssh-6.0p1/monitor_wrap.h
--- openssh-6.0p1/monitor_wrap.h.role-mls 2012-06-24 16:57:17.513261623 +0200
+++ openssh-6.0p1/monitor_wrap.h 2012-06-24 16:49:35.811070862 +0200
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-6.0p1/openbsd-compat/Makefile.in.role-mls openssh-6.0p1/openbsd-compat/Makefile.in
--- openssh-6.0p1/openbsd-compat/Makefile.in.role-mls 2012-06-24 16:57:17.525262102 +0200
+++ openssh-6.0p1/openbsd-compat/Makefile.in 2012-06-24 16:51:38.087889399 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-6.0p1/openbsd-compat/port-linux.c.role-mls openssh-6.0p1/openbsd-compat/port-linux.c
--- openssh-6.0p1/openbsd-compat/port-linux.c.role-mls 2012-06-24 16:57:17.527262182 +0200
+++ openssh-6.0p1/openbsd-compat/port-linux.c 2012-06-24 17:00:55.621978528 +0200
@@ -31,68 +31,271 @@
#include "log.h"
#include "xmalloc.h"
+#include "servconf.h"
#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
+#include <selinux/context.h>
#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+#include <selinux/av_permissions.h>
+
+#ifdef HAVE_LINUX_AUDIT
+#include <libaudit.h>
+#include <unistd.h>
+#endif
#ifndef SSH_SELINUX_UNCONFINED_TYPE
# define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
#endif
-/* Wrapper around is_selinux_enabled() to log its return value once only */
-int
-ssh_selinux_enabled(void)
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern int inetd_flag;
+extern int rexeced_flag;
+
+/* Send audit message */
+static int
+send_audit_message(int success, security_context_t default_context,
+ security_context_t selected_context)
+{
+ int rc=0;
+#ifdef HAVE_LINUX_AUDIT
+ char *msg = NULL;
+ int audit_fd = audit_open();
+ security_context_t default_raw=NULL;
+ security_context_t selected_raw=NULL;
+ rc = -1;
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT)
+ return 0; /* No audit support in kernel */
+ error("Error connecting to audit system.");
+ return rc;
+ }
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+ error("Error translating default context.");
+ default_raw = NULL;
+ }
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+ error("Error translating selected context.");
+ selected_raw = NULL;
+ }
+ if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
+ default_raw ? default_raw : (default_context ? default_context: "?"),
+ selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
+ error("Error allocating memory.");
+ goto out;
+ }
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, NULL, success) <= 0) {
+ error("Error sending audit message.");
+ goto out;
+ }
+ rc = 0;
+ out:
+ free(msg);
+ freecon(default_raw);
+ freecon(selected_raw);
+ close(audit_fd);
+#endif
+ return rc;
+}
+
+static int
+mls_range_allowed(security_context_t src, security_context_t dst)
{
- static int enabled = -1;
+ struct av_decision avd;
+ int retval;
+ unsigned int bit = CONTEXT__CONTAINS;
+
+ debug("%s: src:%s dst:%s", __func__, src, dst);
+ retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
+ if (retval || ((bit & avd.allowed) != bit))
+ return 0;
+
+ return 1;
+}
+
+static int
+get_user_context(const char *sename, const char *role, const char *lvl,
+ security_context_t *sc) {
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
+ /* User may have requested a level completely outside of his
+ allowed range. We get a context just for auditing as the
+ range check below will certainly fail for default context. */
+#endif
+ if (get_default_context(sename, NULL, sc) != 0) {
+ *sc = NULL;
+ return -1;
+ }
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ }
+#endif
+ if (role != NULL && role[0]) {
+ context_t con;
+ char *type=NULL;
+ if (get_default_type(role, &type) != 0) {
+ error("get_default_type: failed to get default type for '%s'",
+ role);
+ goto out;
+ }
+ con = context_new(*sc);
+ if (!con) {
+ goto out;
+ }
+ context_role_set(con, role);
+ context_type_set(con, type);
+ freecon(*sc);
+ *sc = strdup(context_str(con));
+ context_free(con);
+ if (!*sc)
+ return -1;
+ }
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ if (lvl != NULL && lvl[0]) {
+ /* verify that the requested range is obtained */
+ context_t con;
+ security_context_t obtained_raw;
+ security_context_t requested_raw;
+ con = context_new(*sc);
+ if (!con) {
+ goto out;
+ }
+ context_range_set(con, lvl);
+ if (selinux_trans_to_raw_context(*sc, &obtained_raw) < 0) {
+ context_free(con);
+ goto out;
+ }
+ if (selinux_trans_to_raw_context(context_str(con), &requested_raw) < 0) {
+ freecon(obtained_raw);
+ context_free(con);
+ goto out;
+ }
- if (enabled == -1) {
- enabled = (is_selinux_enabled() == 1);
- debug("SELinux support %s", enabled ? "enabled" : "disabled");
+ debug("get_user_context: obtained context '%s' requested context '%s'",
+ obtained_raw, requested_raw);
+ if (strcmp(obtained_raw, requested_raw)) {
+ /* set the context to the real requested one but fail */
+ freecon(requested_raw);
+ freecon(obtained_raw);
+ freecon(*sc);
+ *sc = strdup(context_str(con));
+ context_free(con);
+ return -1;
+ }
+ freecon(requested_raw);
+ freecon(obtained_raw);
+ context_free(con);
}
+#endif
+ return 0;
+ out:
+ freecon(*sc);
+ *sc = NULL;
+ return -1;
+}
- return (enabled);
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
+ *role = NULL;
+ *level = NULL;
+ if (the_authctxt) {
+ if (the_authctxt->role != NULL) {
+ char *slash;
+ *role = xstrdup(the_authctxt->role);
+ if ((slash = strchr(*role, '/')) != NULL) {
+ *slash = '\0';
+ *level = slash + 1;
+ }
+ }
+ }
}
/* Return the default security context for the given username */
static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname,
+ security_context_t *default_sc, security_context_t *user_sc)
{
- security_context_t sc = NULL;
- char *sename = NULL, *lvl = NULL;
- int r;
+ char *sename, *lvl;
+ char *role;
+ const char *reqlvl;
+ int r = 0;
+ context_t con = NULL;
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
#ifdef HAVE_GETSEUSERBYNAME
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
- return NULL;
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+ sename = NULL;
+ lvl = NULL;
+ }
#else
sename = pwname;
- lvl = NULL;
+ lvl = "";
#endif
+ if (r == 0) {
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ r = get_default_context_with_level(sename, lvl, NULL, default_sc);
#else
- r = get_default_context(sename, NULL, &sc);
+ r = get_default_context(sename, NULL, default_sc);
#endif
+ }
+
+ if (r == 0) {
+ /* If launched from xinetd, we must use current level */
+ if (inetd_flag && !rexeced_flag) {
+ security_context_t sshdsc=NULL;
+
+ if (getcon_raw(&sshdsc) < 0)
+ fatal("failed to allocate security context");
+
+ if ((con=context_new(sshdsc)) == NULL)
+ fatal("failed to allocate selinux context");
+ reqlvl = context_range_get(con);
+ freecon(sshdsc);
+ if (reqlvl !=NULL && lvl != NULL && strcmp(reqlvl, lvl) == 0)
+ /* we actually don't change level */
+ reqlvl = "";
+
+ debug("%s: current connection level '%s'", __func__, reqlvl);
- if (r != 0) {
- switch (security_getenforce()) {
- case -1:
- fatal("%s: ssh_selinux_getctxbyname: "
- "security_getenforce() failed", __func__);
- case 0:
- error("%s: Failed to get default SELinux security "
- "context for %s", __func__, pwname);
- sc = NULL;
- break;
- default:
- fatal("%s: Failed to get default SELinux security "
- "context for %s (in enforcing mode)",
- __func__, pwname);
}
+
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
+ r = get_user_context(sename, role, reqlvl, user_sc);
+
+ if (r == 0 && reqlvl != NULL && reqlvl[0]) {
+ security_context_t default_level_sc = *default_sc;
+ if (role != NULL && role[0]) {
+ if (get_user_context(sename, role, lvl, &default_level_sc) < 0)
+ default_level_sc = *default_sc;
+ }
+ /* verify that the requested range is contained in the user range */
+ if (mls_range_allowed(default_level_sc, *user_sc)) {
+ logit("permit MLS level %s (user range %s)", reqlvl, lvl);
+ } else {
+ r = -1;
+ error("deny MLS level %s (user range %s)", reqlvl, lvl);
+ }
+ if (default_level_sc != *default_sc)
+ freecon(default_level_sc);
+ }
+ } else {
+ *user_sc = *default_sc;
+ }
+ }
+ if (r != 0) {
+ error("%s: Failed to get default SELinux security "
+ "context for %s", __func__, pwname);
}
#ifdef HAVE_GETSEUSERBYNAME
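Review bot: In `send_audit_message` the last `asprintf` argument tests the wrong variable: `selected_context ? selected_raw : ...` should test `selected_raw`, as the line above it does for `default_raw`. When `selinux_trans_to_raw_context` fails for the selected context, `selected_raw` is reset to NULL and that NULL is then passed to `%s`, so the AUDIT_USER_ROLE_CHANGE message is built from an invalid argument instead of falling back to the untranslated context. The argument should read `selected_raw ? selected_raw : (selected_context ? selected_context : "?")`.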
@@ -102,7 +305,42 @@ ssh_selinux_getctxbyname(char *pwname)
xfree(lvl);
#endif
- return sc;
+ if (role != NULL)
+ xfree(role);
+ if (con)
+ context_free(con);
+
+ return (r);
+}
+
+/* Setup environment variables for pam_selinux */
+static int
+ssh_selinux_setup_pam_variables(void)
+{
+ const char *reqlvl;
+ char *role;
+ char *use_current;
+ int rv;
+
+ debug3("%s: setting execution context", __func__);
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
+
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+
+ if (inetd_flag && !rexeced_flag) {
+ use_current = "1";
+ } else {
+ use_current = "";
+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+ }
+
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+ if (role != NULL)
+ xfree(role);
+
+ return rv;
}
/* Set the execution context to the default for the specified user */
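Review bot: `ssh_selinux_getctxbyname` now ends in `return (r);` with `int r`, but its return type is still `security_context_t`: the `static security_context_t` line is left as unchanged context in the previous hunk, where only the parameter list was replaced. The caller in the next hunk stores the result in an `int`, so the status code makes a round trip through a pointer type and only works by conversion accident, with compiler warnings. The context line above the function name should become `static int`. The function starts in the previous hunk.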
@@ -110,28 +348,71 @@ void
ssh_selinux_setup_exec_context(char *pwname)
{
security_context_t user_ctx = NULL;
+ int r = 0;
+ security_context_t default_ctx = NULL;
if (!ssh_selinux_enabled())
return;
+ if (options.use_pam) {
+ /* do not compute context, just setup environment for pam_selinux */
+ if (ssh_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal("%s: security_getenforce() failed", __func__);
+ case 0:
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
+ __func__);
+ break;
+ default:
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
+ __func__);
+ }
+ }
+ return;
+ }
+
debug3("%s: setting execution context", __func__);
- user_ctx = ssh_selinux_getctxbyname(pwname);
- if (setexeccon(user_ctx) != 0) {
+ r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ if (r >= 0) {
+ r = setexeccon(user_ctx);
+ if (r < 0) {
+ error("%s: Failed to set SELinux execution context %s for %s",
+ __func__, user_ctx, pwname);
+ }
+#ifdef HAVE_SETKEYCREATECON
+ else if (setkeycreatecon(user_ctx) < 0) {
+ error("%s: Failed to set SELinux keyring creation context %s for %s",
+ __func__, user_ctx, pwname);
+ }
+#endif
+ }
+ if (user_ctx == NULL) {
+ user_ctx = default_ctx;
+ }
+ if (r < 0 || user_ctx != default_ctx) {
+ /* audit just the case when user changed a role or there was
+ a failure */
+ send_audit_message(r >= 0, default_ctx, user_ctx);
+ }
+ if (r < 0) {
switch (security_getenforce()) {
case -1:
fatal("%s: security_getenforce() failed", __func__);
case 0:
- error("%s: Failed to set SELinux execution "
- "context for %s", __func__, pwname);
+ error("%s: SELinux failure. Continuing in permissive mode.",
+ __func__);
break;
default:
- fatal("%s: Failed to set SELinux execution context "
- "for %s (in enforcing mode)", __func__, pwname);
+ fatal("%s: SELinux failure. Aborting connection.",
+ __func__);
}
}
- if (user_ctx != NULL)
+ if (user_ctx != NULL && user_ctx != default_ctx)
freecon(user_ctx);
+ if (default_ctx != NULL)
+ freecon(default_ctx);
debug3("%s: done", __func__);
}
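Review bot: A failing `setkeycreatecon(user_ctx)` is only logged: `r` keeps the 0 returned by `setexeccon`, so any audit record sent afterwards reports success and the `security_getenforce()` switch is skipped even in enforcing mode. If a session is not meant to continue with keyring entries created under a different context, record the failure in that branch, e.g. add `r = -1;` after the `error(...)` call inside the `else if (setkeycreatecon(user_ctx) < 0)` block. The return value of `send_audit_message` is ignored as well, so a role change that could not be audited goes unnoticed by the caller.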
@@ -149,7 +430,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) < 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno));
+ goto out;
+ }
/* XXX: should these calls fatal() upon failure in enforcing mode? */
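Review bot: `getexeccon()` can return success and still leave `user_ctx` NULL when no exec context has been set, and the added check only covers the negative return. That state is reachable on the permissive-mode path of `ssh_selinux_setup_exec_context`, which logs the failure and continues without a successful `setexeccon`. Handling it explicitly would avoid handing a NULL context to the labelling calls that follow, e.g. `if (user_ctx == NULL) { debug3("%s: no exec context set", __func__); goto out; }`. The `out` label and the rest of `ssh_selinux_setup_pty` lie outside the hunk, so how they treat a NULL context cannot be confirmed from here.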
@@ -221,21 +505,6 @@ ssh_selinux_change_context(const char *n
xfree(newctx);
}
-void
-ssh_selinux_setfscreatecon(const char *path)
-{
- security_context_t context;
-
- if (!ssh_selinux_enabled())
- return;
- if (path == NULL) {
- setfscreatecon(NULL);
- return;
- }
- if (matchpathcon(path, 0700, &context) == 0)
- setfscreatecon(context);
-}
-
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
diff -up openssh-6.0p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.0p1/openbsd-compat/port-linux_part_2.c
--- openssh-6.0p1/openbsd-compat/port-linux_part_2.c.role-mls 2012-06-24 16:57:17.530262302 +0200
+++ openssh-6.0p1/openbsd-compat/port-linux_part_2.c 2012-06-24 16:49:35.813070786 +0200
@@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+
+#include "includes.h"
+
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+int
+ssh_selinux_enabled(void)
+{
+ static int enabled = -1;
+
+ if (enabled == -1) {
+ enabled = (is_selinux_enabled() == 1);
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
+ }
+
+ return (enabled);
+}
+
+void
+ssh_selinux_setfscreatecon(const char *path)
+{
+ security_context_t context;
+
+ if (!ssh_selinux_enabled())
+ return;
+ if (path == NULL) {
+ setfscreatecon(NULL);
+ return;
+ }
+ if (matchpathcon(path, 0700, &context) == 0)
+ setfscreatecon(context);
+}
+
+#endif /* WITH_SELINUX */
+
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
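Review bot: `ssh_selinux_setfscreatecon` never releases the context that `matchpathcon` allocates, and it ignores the result of `setfscreatecon`. Each successful lookup leaks one context string, and a failure to set the creation context is silent, so the file is presumably created with the default label. The last statement could become `if (matchpathcon(path, 0700, &context) == 0) { if (setfscreatecon(context) != 0) debug("%s: setfscreatecon failed", __func__); freecon(context); }`. The function is moved unchanged from port-linux.c, so the behaviour predates this commit, but the new file is a natural place to correct it.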
diff -up openssh-6.0p1/sshd.c.role-mls openssh-6.0p1/sshd.c
--- openssh-6.0p1/sshd.c.role-mls 2012-06-24 17:02:56.543257378 +0200
+++ openssh-6.0p1/sshd.c 2012-06-24 16:58:09.634883844 +0200
@@ -2090,6 +2090,9 @@ main(int ac, char **av)
restore_uid();
}
#endif
+#ifdef WITH_SELINUX
+ ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
+#endif
#ifdef USE_PAM
if (options.use_pam) {
do_pam_setcred(1);
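Review bot: The new `ssh_selinux_setup_exec_context()` call has no comment explaining its position, and the position looks load-bearing. With `options.use_pam` set, the function only exports the SELINUX_* variables through `do_pam_putenv` and returns, so it presumably has to run before the PAM calls in the block that follows. A comment above the call would record that, e.g. `/* must precede PAM setup: with UsePAM this only exports SELINUX_* variables for pam_selinux */`. The body of `main` continues on both sides of the hunk.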


@ -74,10 +74,10 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.9p1
%define openssh_rel 26
%define openssh_ver 6.0p1
%define openssh_rel 1
%define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 1
%define pam_ssh_agent_rel 2
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
@ -123,15 +123,15 @@ Patch104: openssh-5.9p1-required-authentications.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-5.8p1-audit0.patch
# -"-
Patch201: openssh-5.9p1-audit1.patch
Patch201: openssh-6.0p1-audit1.patch
# -"-
Patch202: openssh-5.9p1-audit2.patch
# -"-
Patch203: openssh-5.9p1-audit3.patch
# -"-
Patch204: openssh-5.9p1-audit4.patch
Patch204: openssh-6.0p1-audit4.patch
# -"-
Patch205: openssh-5.9p1-audit5.patch
Patch205: openssh-6.0p1-audit5.patch
# --- pam_ssh-agent ---
# make it build reusing the openssh sources
@ -140,27 +140,24 @@ Patch300: pam_ssh_agent_auth-0.9.3-build.patch
Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
# explicitly make pam callbacks visible
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-5.9p1-role.patch
#?
Patch401: openssh-5.9p1-mls.patch
Patch400: openssh-6.0p1-role-mls.patch
#?
Patch402: openssh-5.9p1-sftp-chroot.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1940
Patch403: openssh-5.9p1-sesandbox.patch
#Patch403: openssh-5.9p1-sesandbox.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
Patch404: openssh-5.9p1-privsep-selinux.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1663
Patch500: openssh-5.9p1-akc.patch
#?-- unwanted child :(
Patch501: openssh-5.9p1-ldap.patch
Patch501: openssh-6.0p1-ldap.patch
#?
Patch502: openssh-5.9p1-keycat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1668
Patch600: openssh-5.9p1-keygen.patch
#Patch600: openssh-5.9p1-keygen.patch
#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-5.2p1-allow-ip-opts.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1701
@ -197,7 +194,7 @@ Patch706: openssh-5.8p1-localdomain.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-5.9p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
Patch708: openssh-5.9p1-entropy.patch
Patch708: openssh-6.0p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
Patch709: openssh-5.9p1-vendor.patch
#?
@ -424,10 +421,9 @@ popd
%endif
%if %{WITH_SELINUX}
%patch400 -p1 -b .role
%patch401 -p1 -b .mls
%patch400 -p1 -b .role-mls
%patch402 -p1 -b .sftp-chroot
%patch403 -p1 -b .sesandbox
#%patch403 -p1 -b .sesandbox
%patch404 -p1 -b .privsep-selinux
%endif
@ -437,7 +433,7 @@ popd
%endif
%patch502 -p1 -b .keycat
%patch600 -p1 -b .keygen
#%patch600 -p1 -b .keygen
%patch601 -p1 -b .ip-opts
%patch602 -p1 -b .randclean
%patch603 -p1 -b .glob
@ -542,10 +538,11 @@ fi
%endif
%if %{WITH_SELINUX}
--with-selinux --with-audit=linux \
%if 1
--with-sandbox=selinux \
%if 0
#seccomp_filter cannot be build right now
--with-sandbox=seccomp_filter \
%else
--with-sandbox=no \
--with-sandbox=rlimit \
%endif
%endif
%if %{kerberos5}
@ -807,6 +804,9 @@ fi
%endif
%changelog
* Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 6.0p1-1 + 0.9.3-2
- new upstream release
* Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-26 + 0.9.3-1
- change SELinux context also for root user (#827109)
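Review bot: The new changelog entry says only `- new upstream release`, but this section also appears to change the privilege-separation sandbox for SELinux builds and to disable two patches. The +/- markers are lost in this rendering, so the reading is inferred: `--with-sandbox=selinux` seems to give way to `--with-sandbox=rlimit` with `seccomp_filter` kept under `%if 0`, and Patch403 (sesandbox) and Patch600 (keygen) are commented out. Changelog lines such as `- build with rlimit sandbox, SELinux sandbox patch disabled` and `- keygen patch disabled` would make the change in sandbox mode visible to anyone auditing the package history.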

View File

@ -1,2 +1,2 @@
085cfbb262f1b8b875aadea6fba60b1b openssh-5.9p1-noacss.tar.bz2
a7223e1a501bdd60a183bed87b6ce485 openssh-6.0p1-noacss.tar.bz2
9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2