rebase to openssh-7.4p1-1
* Drop unaccepted (unapplying) coverity patches * Drop server support for SSH1 (server) * Workaround #2641 for systemd * UseLogin is gone * Drop upstream commit 28652bca * Tighten seccomp filter (cache credentials before entering sandbox) (#1395288)
This commit is contained in:
parent
4189cebf7a
commit
6cf9b8e61b
1
.gitignore
vendored
1
.gitignore
vendored
@ -23,3 +23,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-7.2p1.tar.gz
|
||||
/openssh-7.2p2.tar.gz
|
||||
/openssh-7.3p1.tar.gz
|
||||
/openssh-7.4p1.tar.gz
|
||||
|
@ -1,7 +1,8 @@
|
||||
--- openssh-4.3p2/contrib/gnome-ssh-askpass2.c.grab-info 2006-07-17 15:10:11.000000000 +0200
|
||||
+++ openssh-4.3p2/contrib/gnome-ssh-askpass2.c 2006-07-17 15:25:04.000000000 +0200
|
||||
@@ -65,9 +65,12 @@
|
||||
err = gtk_message_dialog_new(NULL, 0,
|
||||
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
|
||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
|
||||
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
|
||||
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
|
||||
GTK_MESSAGE_ERROR,
|
||||
GTK_BUTTONS_CLOSE,
|
||||
- "Could not grab %s. "
|
||||
@ -14,5 +15,5 @@
|
||||
+ "Either close the application which grabs the %s or "
|
||||
+ "log out and log in again to prevent this from happening.", what, what);
|
||||
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
||||
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
|
||||
TRUE);
|
||||
|
||||
gtk_dialog_run(GTK_DIALOG(err));
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c
|
||||
--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress 2008-07-23 19:05:26.000000000 +0200
|
||||
+++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c 2008-07-23 19:05:26.000000000 +0200
|
||||
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
|
||||
@@ -53,6 +53,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
@ -9,7 +9,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
|
||||
#include <gtk/gtk.h>
|
||||
#include <gdk/gdkx.h>
|
||||
|
||||
@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||
@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
}
|
||||
|
||||
@ -30,12 +30,12 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
|
||||
const char *failed;
|
||||
char *passphrase, *local;
|
||||
int result, grab_tries, grab_server, grab_pointer;
|
||||
- GtkWidget *dialog, *entry;
|
||||
+ GtkWidget *dialog, *entry, *progress, *hbox;
|
||||
- GtkWidget *parent_window, *dialog, *entry;
|
||||
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
||||
GdkGrabStatus status;
|
||||
|
||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||
@@ -102,13 +114,31 @@ passphrase_dialog(char *message)
|
||||
@@ -104,14 +116,32 @@ passphrase_dialog(char *message)
|
||||
"%s",
|
||||
message);
|
||||
|
||||
@ -45,9 +45,11 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
|
||||
+ gtk_widget_show(hbox);
|
||||
+
|
||||
entry = gtk_entry_new();
|
||||
- gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
|
||||
+ gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE,
|
||||
FALSE, 0);
|
||||
gtk_box_pack_start(
|
||||
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
|
||||
- FALSE, FALSE, 0);
|
||||
+ GTK_BOX(hbox), entry,
|
||||
+ TRUE, FALSE, 0);
|
||||
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||
gtk_widget_grab_focus(entry);
|
||||
@ -68,7 +70,7 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
|
||||
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
|
||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
||||
@@ -119,6 +149,8 @@ passphrase_dialog(char *message)
|
||||
@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
|
||||
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
g_signal_connect(G_OBJECT(entry), "activate",
|
||||
G_CALLBACK(ok_dialog), dialog);
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
|
||||
--- openssh-7.0p1/configure.ac.vendor 2015-08-12 11:14:54.102628399 +0200
|
||||
+++ openssh-7.0p1/configure.ac 2015-08-12 11:14:54.129628356 +0200
|
||||
@@ -4776,6 +4776,12 @@ AC_ARG_WITH([lastlog],
|
||||
diff -up openssh-7.4p1/configure.ac.vendor openssh-7.4p1/configure.ac
|
||||
--- openssh-7.4p1/configure.ac.vendor 2016-12-23 13:34:51.681253844 +0100
|
||||
+++ openssh-7.4p1/configure.ac 2016-12-23 13:34:51.694253847 +0100
|
||||
@@ -4930,6 +4930,12 @@ AC_ARG_WITH([lastlog],
|
||||
fi
|
||||
]
|
||||
)
|
||||
@ -14,7 +14,7 @@ diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
|
||||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -5038,6 +5044,7 @@ echo " Translate v4 in v6 hack
|
||||
@@ -5194,6 +5200,7 @@ echo " Translate v4 in v6 hack
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
@ -22,10 +22,10 @@ diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
|
||||
|
||||
echo ""
|
||||
|
||||
diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
|
||||
--- openssh-7.0p1/servconf.c.vendor 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/servconf.c 2015-08-12 11:15:33.201565712 +0200
|
||||
@@ -149,6 +149,7 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.vendor 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 13:36:07.555268628 +0100
|
||||
@@ -143,6 +143,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
@ -33,7 +33,7 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -335,6 +336,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -325,6 +326,8 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
@ -42,8 +42,8 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
@@ -407,7 +410,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
@@ -402,7 +405,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
|
||||
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
- sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
@ -51,7 +51,7 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
@@ -529,6 +532,7 @@ static struct {
|
||||
@@ -528,6 +531,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
@ -59,7 +59,7 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1389,6 +1393,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
|
||||
multistate_ptr = multistate_privsep;
|
||||
goto parse_multistate;
|
||||
|
||||
@ -70,18 +70,18 @@ diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
@@ -2266,6 +2274,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||
@@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
|
||||
diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h
|
||||
--- openssh-7.0p1/servconf.h.vendor 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/servconf.h 2015-08-12 11:14:54.130628355 +0200
|
||||
@@ -155,6 +155,7 @@ typedef struct {
|
||||
diff -up openssh-7.4p1/servconf.h.vendor openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.vendor 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 13:34:51.694253847 +0100
|
||||
@@ -149,6 +149,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
@ -89,12 +89,12 @@ diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0
|
||||
--- openssh-7.0p1/sshd_config.0.vendor 2015-08-12 11:14:54.125628363 +0200
|
||||
+++ openssh-7.0p1/sshd_config.0 2015-08-12 11:14:54.130628355 +0200
|
||||
@@ -841,6 +841,11 @@ DESCRIPTION
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The default and minimum value is 1024.
|
||||
diff -up openssh-7.4p1/sshd_config.0.vendor openssh-7.4p1/sshd_config.0
|
||||
--- openssh-7.4p1/sshd_config.0.vendor 2016-12-23 13:34:51.695253847 +0100
|
||||
+++ openssh-7.4p1/sshd_config.0 2016-12-23 13:36:53.146277511 +0100
|
||||
@@ -792,6 +792,11 @@ DESCRIPTION
|
||||
ssh-keygen(1). For more information on KRLs, see the KEY
|
||||
REVOCATION LISTS section in ssh-keygen(1).
|
||||
|
||||
+ ShowPatchLevel
|
||||
+ Specifies whether sshd will display the specific patch level of
|
||||
@ -104,13 +104,13 @@ diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0
|
||||
StreamLocalBindMask
|
||||
Sets the octal file creation mode mask (umask) used when creating
|
||||
a Unix-domain socket file for local or remote port forwarding.
|
||||
diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5
|
||||
--- openssh-7.0p1/sshd_config.5.vendor 2015-08-12 11:14:54.125628363 +0200
|
||||
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:14:54.131628353 +0200
|
||||
@@ -1411,6 +1411,13 @@ This option applies to protocol version
|
||||
.It Cm ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||
The default and minimum value is 1024.
|
||||
diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.vendor 2016-12-23 13:34:51.695253847 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:37:17.482282253 +0100
|
||||
@@ -1334,6 +1334,13 @@ an OpenSSH Key Revocation List (KRL) as
|
||||
.Xr ssh-keygen 1 .
|
||||
For more information on KRLs, see the KEY REVOCATION LISTS section in
|
||||
.Xr ssh-keygen 1 .
|
||||
+.It Cm ShowPatchLevel
|
||||
+Specifies whether
|
||||
+.Nm sshd
|
||||
@ -121,10 +121,10 @@ diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5
|
||||
.It Cm StreamLocalBindMask
|
||||
Sets the octal file creation mode mask
|
||||
.Pq umask
|
||||
diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config
|
||||
--- openssh-7.0p1/sshd_config.vendor 2015-08-12 11:14:54.125628363 +0200
|
||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:14:54.131628353 +0200
|
||||
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul
|
||||
diff -up openssh-7.4p1/sshd_config.vendor openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.vendor 2016-12-23 13:34:51.690253846 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2016-12-23 13:34:51.695253847 +0100
|
||||
@@ -105,6 +105,7 @@ X11Forwarding yes
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
@ -132,19 +132,20 @@ diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config
|
||||
#UseDNS no
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
diff -up openssh-7.0p1/sshd.c.vendor openssh-7.0p1/sshd.c
|
||||
--- openssh-7.0p1/sshd.c.vendor 2015-08-12 11:14:54.100628403 +0200
|
||||
+++ openssh-7.0p1/sshd.c 2015-08-12 11:14:54.131628353 +0200
|
||||
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in
|
||||
}
|
||||
diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.vendor 2016-12-23 13:34:51.682253844 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 13:38:32.434296856 +0100
|
||||
@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
|
||||
char remote_version[256]; /* Must be at least as big as buf. */
|
||||
|
||||
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
|
||||
- major, minor, SSH_VERSION,
|
||||
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
||||
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
*options.version_addendum == '\0' ? "" : " ",
|
||||
options.version_addendum, newline);
|
||||
|
||||
@@ -1749,7 +1749,8 @@ main(int ac, char **av)
|
||||
@@ -1650,7 +1651,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
|
||||
--- openssh-6.8p1/log.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/log.c 2015-03-18 12:59:29.694022313 +0100
|
||||
@@ -241,6 +241,11 @@ debug3(const char *fmt,...)
|
||||
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
||||
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
|
||||
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
|
||||
void
|
||||
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
|
||||
{
|
||||
@ -13,7 +13,7 @@ diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||
#endif
|
||||
@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, Sysl
|
||||
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -26,9 +26,9 @@ diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
|
||||
|
||||
log_on_stderr = on_stderr;
|
||||
if (on_stderr)
|
||||
diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h
|
||||
--- openssh-6.8p1/log.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/log.h 2015-03-18 12:59:29.694022313 +0100
|
||||
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
|
||||
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
|
||||
@@ -49,6 +49,7 @@ typedef enum {
|
||||
typedef void (log_handler_fn)(LogLevel, const char *, void *);
|
||||
|
||||
@ -37,10 +37,10 @@ diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h
|
||||
void log_change_level(LogLevel);
|
||||
int log_is_on_stderr(void);
|
||||
void log_redirect_stderr_to(const char *);
|
||||
diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
|
||||
--- openssh-6.8p1/monitor.c.log-in-chroot 2015-03-18 12:59:29.669022374 +0100
|
||||
+++ openssh-6.8p1/monitor.c 2015-03-18 13:01:52.894671198 +0100
|
||||
@@ -357,6 +357,8 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
|
||||
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
close(pmonitor->m_log_sendfd);
|
||||
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
|
||||
|
||||
@ -49,7 +49,7 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
|
||||
authctxt = _authctxt;
|
||||
memset(authctxt, 0, sizeof(*authctxt));
|
||||
|
||||
@@ -465,6 +467,8 @@ monitor_child_postauth(struct monitor *p
|
||||
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
|
||||
close(pmonitor->m_recvfd);
|
||||
pmonitor->m_recvfd = -1;
|
||||
|
||||
@ -58,7 +58,7 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
|
||||
monitor_set_child_handler(pmonitor->m_pid);
|
||||
signal(SIGHUP, &monitor_child_handler);
|
||||
signal(SIGTERM, &monitor_child_handler);
|
||||
@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonito
|
||||
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
||||
if (log_level_name(level) == NULL)
|
||||
fatal("%s: invalid log level %u (corrupted message?)",
|
||||
__func__, level);
|
||||
@ -67,9 +67,9 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
|
||||
|
||||
buffer_free(&logmsg);
|
||||
free(msg);
|
||||
@@ -1998,13 +2002,28 @@ monitor_init(void)
|
||||
(ssh_packet_comp_free_func *)mm_zfree);
|
||||
}
|
||||
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
||||
mon = xcalloc(1, sizeof(*mon));
|
||||
monitor_openfds(mon, 1);
|
||||
|
||||
+ mon->m_state = "";
|
||||
+
|
||||
@ -98,11 +98,11 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
|
||||
}
|
||||
|
||||
#ifdef GSSAPI
|
||||
diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
|
||||
--- openssh-6.8p1/monitor.h.log-in-chroot 2015-03-18 12:59:29.695022310 +0100
|
||||
+++ openssh-6.8p1/monitor.h 2015-03-18 13:02:56.926514197 +0100
|
||||
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
|
||||
--- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100
|
||||
+++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100
|
||||
@@ -83,10 +83,11 @@ struct monitor {
|
||||
struct mm_master *m_zlib;
|
||||
int m_log_sendfd;
|
||||
struct kex **m_pkex;
|
||||
pid_t m_pid;
|
||||
+ char *m_state;
|
||||
@ -111,13 +111,13 @@ diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
|
||||
struct monitor *monitor_init(void);
|
||||
-void monitor_reinit(struct monitor *);
|
||||
+void monitor_reinit(struct monitor *, const char *);
|
||||
void monitor_sync(struct monitor *);
|
||||
|
||||
struct Authctxt;
|
||||
diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
--- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100
|
||||
+++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100
|
||||
@@ -161,6 +161,7 @@ login_cap_t *lc;
|
||||
void monitor_child_preauth(struct Authctxt *, struct monitor *);
|
||||
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100
|
||||
@@ -160,6 +160,7 @@ login_cap_t *lc;
|
||||
|
||||
static int is_child = 0;
|
||||
static int in_chroot = 0;
|
||||
@ -125,7 +125,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
|
||||
/* Name and directory of socket for authentication agent forwarding. */
|
||||
static char *auth_sock_name = NULL;
|
||||
@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
@@ -365,8 +366,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
is_child = 1;
|
||||
|
||||
/* Child. Reinitialize the log since the pid has changed. */
|
||||
@ -136,7 +136,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
|
||||
/*
|
||||
* Create a new session and process group since the 4.4BSD
|
||||
@@ -675,8 +677,8 @@ do_exec_pty(Session *s, const char *comm
|
||||
@@ -523,8 +524,8 @@ do_exec_pty(Session *s, const char *comm
|
||||
close(ptymaster);
|
||||
|
||||
/* Child. Reinitialize the log because the pid has changed. */
|
||||
@ -147,7 +147,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
/* Close the master side of the pseudo tty. */
|
||||
close(ptyfd);
|
||||
|
||||
@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command)
|
||||
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
|
||||
int ret;
|
||||
const char *forced = NULL, *tty = NULL;
|
||||
char session_type[1024];
|
||||
@ -155,7 +155,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
|
||||
if (options.adm_forced_command) {
|
||||
original_command = command;
|
||||
@@ -837,6 +840,10 @@ do_exec(Session *s, const char *command)
|
||||
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
|
||||
tty += 5;
|
||||
}
|
||||
|
||||
@ -166,7 +166,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
||||
session_type,
|
||||
tty == NULL ? "" : " on ",
|
||||
@@ -1678,14 +1685,6 @@ child_close_fds(void)
|
||||
@@ -1486,14 +1492,6 @@ child_close_fds(void)
|
||||
* descriptors left by system functions. They will be closed later.
|
||||
*/
|
||||
endpwent();
|
||||
@ -181,16 +181,16 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1831,8 +1830,6 @@ do_child(Session *s, const char *command
|
||||
@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- closefrom(STDERR_FILENO + 1);
|
||||
-
|
||||
if (!options.use_login)
|
||||
do_rc_files(s, shell);
|
||||
|
||||
@@ -1856,9 +1853,17 @@ do_child(Session *s, const char *command
|
||||
/* restore SIGPIPE for child */
|
||||
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
@ -208,21 +208,21 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
+
|
||||
fflush(NULL);
|
||||
|
||||
if (options.use_login) {
|
||||
diff -up openssh-6.8p1/sftp-server-main.c.log-in-chroot openssh-6.8p1/sftp-server-main.c
|
||||
--- openssh-6.8p1/sftp-server-main.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp-server-main.c 2015-03-18 12:59:29.696022308 +0100
|
||||
@@ -47,5 +47,5 @@ main(int argc, char **argv)
|
||||
return 1;
|
||||
}
|
||||
/* Get the last component of the shell name. */
|
||||
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
|
||||
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100
|
||||
@@ -97,5 +97,5 @@
|
||||
|
||||
- return (sftp_server_main(argc, argv, user_pw));
|
||||
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
||||
}
|
||||
diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
|
||||
--- openssh-6.8p1/sftp-server.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp-server.c 2015-03-18 13:03:52.510377911 +0100
|
||||
@@ -1502,7 +1502,7 @@ sftp_server_usage(void)
|
||||
struct passwd;
|
||||
|
||||
-int sftp_server_main(int, char **, struct passwd *);
|
||||
+int sftp_server_main(int, char **, struct passwd *, int);
|
||||
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
||||
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
||||
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100
|
||||
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
|
||||
}
|
||||
|
||||
int
|
||||
@ -231,7 +231,7 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
|
||||
{
|
||||
fd_set *rset, *wset;
|
||||
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
||||
@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv,
|
||||
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
|
||||
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
@ -240,7 +240,7 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
|
||||
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
@@ -1586,7 +1586,7 @@ sftp_server_main(int argc, char **argv,
|
||||
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
|
||||
}
|
||||
}
|
||||
|
||||
@ -249,20 +249,20 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
|
||||
|
||||
/*
|
||||
* On platforms where we can, avoid making /proc/self/{mem,maps}
|
||||
diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h
|
||||
--- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100
|
||||
@@ -97,5 +97,5 @@
|
||||
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
|
||||
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100
|
||||
@@ -49,5 +49,5 @@ main(int argc, char **argv)
|
||||
return 1;
|
||||
}
|
||||
|
||||
struct passwd;
|
||||
|
||||
-int sftp_server_main(int, char **, struct passwd *);
|
||||
+int sftp_server_main(int, char **, struct passwd *, int);
|
||||
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
||||
diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
|
||||
--- openssh-6.8p1/sshd.c.log-in-chroot 2015-03-18 12:59:29.691022320 +0100
|
||||
+++ openssh-6.8p1/sshd.c 2015-03-18 12:59:29.697022305 +0100
|
||||
@@ -744,7 +744,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
- return (sftp_server_main(argc, argv, user_pw));
|
||||
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
||||
}
|
||||
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100
|
||||
@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
}
|
||||
|
||||
/* New socket pair */
|
||||
@ -271,7 +271,7 @@ diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
|
||||
|
||||
pmonitor->m_pid = fork();
|
||||
if (pmonitor->m_pid == -1)
|
||||
@@ -762,6 +762,11 @@ privsep_postauth(Authctxt *authctxt)
|
||||
@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
|
||||
|
||||
close(pmonitor->m_sendfd);
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-serv-krb5.c
|
||||
--- openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200
|
||||
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:27:44.047407912 +0200
|
||||
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
|
||||
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
|
||||
+++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 15:18:40.628216102 +0100
|
||||
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
FILE *fp;
|
||||
char file[MAXPATHLEN];
|
||||
char line[BUFSIZ] = "";
|
||||
@ -9,7 +9,7 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-ser
|
||||
struct stat st;
|
||||
struct passwd *pw = the_authctxt->pw;
|
||||
int found_principal = 0;
|
||||
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
@@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
|
||||
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
/* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
@ -18,27 +18,27 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-ser
|
||||
return ssh_krb5_kuserok(krb_context, principal, luser,
|
||||
k5login_exists);
|
||||
}
|
||||
diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
|
||||
--- openssh-7.0p1/servconf.c.GSSAPIEnablek5users 2015-08-12 11:27:44.036407930 +0200
|
||||
+++ openssh-7.0p1/servconf.c 2015-08-12 11:28:49.087306430 +0200
|
||||
@@ -173,6 +173,7 @@ initialize_server_options(ServerOptions
|
||||
options->version_addendum = NULL;
|
||||
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100
|
||||
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
|
||||
options->fingerprint_hash = -1;
|
||||
options->disable_forwarding = -1;
|
||||
options->use_kuserok = -1;
|
||||
+ options->enable_k5users = -1;
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
@@ -351,6 +352,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ if (options->enable_k5users == -1)
|
||||
+ options->enable_k5users = 0;
|
||||
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
|
||||
options->disable_forwarding = 0;
|
||||
if (options->use_kuserok == -1)
|
||||
options->use_kuserok = 1;
|
||||
+ if (options->enable_k5users == -1)
|
||||
+ options->enable_k5users = 0;
|
||||
|
||||
@@ -423,7 +426,7 @@ typedef enum {
|
||||
assemble_algorithms(options);
|
||||
|
||||
@@ -418,7 +421,7 @@ typedef enum {
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
@ -47,7 +47,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
|
||||
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -502,12 +505,14 @@ static struct {
|
||||
@@ -497,12 +500,14 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
@ -62,7 +62,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
|
||||
#endif
|
||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1680,6 +1685,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->use_kuserok;
|
||||
goto parse_flag;
|
||||
|
||||
@ -73,7 +73,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -2035,6 +2044,7 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
M_CP_INTOPT(use_kuserok);
|
||||
@ -81,7 +81,7 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2317,6 +2327,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
@ -89,10 +89,10 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h
|
||||
--- openssh-7.0p1/servconf.h.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200
|
||||
+++ openssh-7.0p1/servconf.h 2015-08-12 11:27:44.048407911 +0200
|
||||
@@ -180,7 +180,8 @@ typedef struct {
|
||||
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
|
||||
@@ -174,7 +174,8 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
@ -102,26 +102,26 @@ diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_config.5
|
||||
--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200
|
||||
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200
|
||||
@@ -633,6 +633,12 @@ on logout.
|
||||
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100
|
||||
@@ -628,6 +628,12 @@ Specifies whether to automatically destr
|
||||
on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.Cm yes .
|
||||
+.It Cm GSSAPIEnablek5users
|
||||
+Specifies whether to look at .k5users file for GSSAPI authentication
|
||||
+access control. Further details are described in
|
||||
+.Xr ksu 1 .
|
||||
+The default is
|
||||
+.Dq no .
|
||||
.It Cm GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against.
|
||||
diff -up openssh-7.0p1/sshd_config.GSSAPIEnablek5users openssh-7.0p1/sshd_config
|
||||
--- openssh-7.0p1/sshd_config.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200
|
||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:27:44.048407911 +0200
|
||||
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
|
||||
+.Cm no .
|
||||
.It Cm GSSAPIKeyExchange
|
||||
Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
|
||||
doesn't rely on ssh keys to verify host identity.
|
||||
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
|
||||
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials no
|
||||
#GSSAPIStrictAcceptorCheck yes
|
||||
#GSSAPIKeyExchange no
|
||||
|
@ -142,7 +142,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
+{
|
||||
+
|
||||
+ const struct sshcipher *c;
|
||||
+ struct sshcipher_ctx cc;
|
||||
+ struct sshcipher_ctx *cc;
|
||||
+ char *algo = "aes128-ctr";
|
||||
+ char *hexkey = NULL;
|
||||
+ char *hexiv = "00000000000000000000000000000000";
|
||||
@ -232,11 +232,11 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
|
||||
+ cipher_crypt(cc, 0, outdata, data, datalen, 0, 0);
|
||||
+
|
||||
+ free(data);
|
||||
+
|
||||
+ cipher_cleanup(&cc);
|
||||
+ cipher_free(cc);
|
||||
+
|
||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
||||
+ printf("%02X", (unsigned char)*p);
|
||||
|
@ -1,8 +1,7 @@
|
||||
diff --git a/entropy.c b/entropy.c
|
||||
index 1e9d52a..d24e724 100644
|
||||
--- a/entropy.c
|
||||
+++ b/entropy.c
|
||||
@@ -227,6 +227,9 @@ seed_rng(void)
|
||||
diff -up openssh-7.4p1/entropy.c.entropy openssh-7.4p1/entropy.c
|
||||
--- openssh-7.4p1/entropy.c.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/entropy.c 2016-12-23 18:34:27.769753570 +0100
|
||||
@@ -229,6 +229,9 @@ seed_rng(void)
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
@ -12,24 +11,31 @@ index 1e9d52a..d24e724 100644
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
||||
index 843225d..041bbab 100644
|
||||
--- a/openbsd-compat/Makefile.in
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
|
||||
diff -up openssh-7.4p1/openbsd-compat/Makefile.in.entropy openssh-7.4p1/openbsd-compat/Makefile.in
|
||||
--- openssh-7.4p1/openbsd-compat/Makefile.in.entropy 2016-12-23 18:34:53.715762155 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 18:35:15.890769493 +0100
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
index 0000000..da84bf2
|
||||
--- /dev/null
|
||||
+++ b/openbsd-compat/port-linux-prng.c
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.entropy openssh-7.4p1/openbsd-compat/port-linux.h
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.entropy 2016-12-23 18:34:27.747753563 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:34:27.769753570 +0100
|
||||
@@ -34,4 +34,6 @@ void oom_adjust_restore(void);
|
||||
void oom_adjust_setup(void);
|
||||
#endif
|
||||
|
||||
+void linux_seed(void);
|
||||
+
|
||||
#endif /* ! _PORT_LINUX_H */
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy openssh-7.4p1/openbsd-compat/port-linux-prng.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy 2016-12-23 18:34:27.769753570 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux-prng.c 2016-12-23 18:34:27.769753570 +0100
|
||||
@@ -0,0 +1,59 @@
|
||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||
+
|
||||
@ -90,11 +96,37 @@ index 0000000..da84bf2
|
||||
+ fatal ("EOF reading %s", random);
|
||||
+ }
|
||||
+}
|
||||
diff --git a/ssh-add.0 b/ssh-add.0
|
||||
index f16165a..17d22cf 100644
|
||||
--- a/ssh-add.0
|
||||
+++ b/ssh-add.0
|
||||
@@ -82,6 +82,16 @@ ENVIRONMENT
|
||||
diff -up openssh-7.4p1/ssh.1.entropy openssh-7.4p1/ssh.1
|
||||
--- openssh-7.4p1/ssh.1.entropy 2016-12-23 18:34:27.754753565 +0100
|
||||
+++ openssh-7.4p1/ssh.1 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -1441,6 +1441,23 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
diff -up openssh-7.4p1/ssh-add.0.entropy openssh-7.4p1/ssh-add.0
|
||||
--- openssh-7.4p1/ssh-add.0.entropy 2016-12-19 06:21:21.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-add.0 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -88,6 +88,16 @@ ENVIRONMENT
|
||||
Identifies the path of a UNIX-domain socket used to communicate
|
||||
with the agent.
|
||||
|
||||
@ -111,11 +143,10 @@ index f16165a..17d22cf 100644
|
||||
FILES
|
||||
~/.ssh/identity
|
||||
Contains the protocol version 1 RSA authentication identity of
|
||||
diff --git a/ssh-add.1 b/ssh-add.1
|
||||
index 04d1840..db883a4 100644
|
||||
--- a/ssh-add.1
|
||||
+++ b/ssh-add.1
|
||||
@@ -170,6 +170,20 @@ to make this work.)
|
||||
diff -up openssh-7.4p1/ssh-add.1.entropy openssh-7.4p1/ssh-add.1
|
||||
--- openssh-7.4p1/ssh-add.1.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-add.1 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -171,6 +171,20 @@ to make this work.)
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
@ -136,11 +167,10 @@ index 04d1840..db883a4 100644
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
||||
index d7e791b..7332f0d 100644
|
||||
--- a/ssh-agent.1
|
||||
+++ b/ssh-agent.1
|
||||
@@ -189,6 +189,24 @@ sockets used to contain the connection to the authentication agent.
|
||||
diff -up openssh-7.4p1/ssh-agent.1.entropy openssh-7.4p1/ssh-agent.1
|
||||
--- openssh-7.4p1/ssh-agent.1.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-agent.1 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -214,6 +214,24 @@ sockets used to contain the connection t
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
@ -165,97 +195,10 @@ index d7e791b..7332f0d 100644
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||||
index 276dacc..a09d9b1 100644
|
||||
--- a/ssh-keygen.1
|
||||
+++ b/ssh-keygen.1
|
||||
@@ -841,6 +841,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff --git a/ssh-keysign.8 b/ssh-keysign.8
|
||||
index 69d0829..02d79f8 100644
|
||||
--- a/ssh-keysign.8
|
||||
+++ b/ssh-keysign.8
|
||||
@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used.
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index 4a476c2..410a04a 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -1299,6 +1299,23 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index cb866b5..adcaaf9 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -945,6 +945,24 @@ concurrently for different ports, this contains the process ID of the one
|
||||
diff -up openssh-7.4p1/sshd.8.entropy openssh-7.4p1/sshd.8
|
||||
--- openssh-7.4p1/sshd.8.entropy 2016-12-23 18:34:27.755753566 +0100
|
||||
+++ openssh-7.4p1/sshd.8 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -920,6 +920,24 @@ concurrently for different ports, this c
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
@ -280,13 +223,59 @@ index cb866b5..adcaaf9 100644
|
||||
.Sh IPV6
|
||||
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
||||
.Sh SEE ALSO
|
||||
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbsd-compat/port-linux.h
|
||||
--- openssh-6.8p1/openbsd-compat/port-linux.h.coverity 2015-03-18 17:21:51.861264906 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 17:21:51.897264831 +0100
|
||||
@@ -37,4 +37,6 @@ void oom_adjust_restore(void);
|
||||
void oom_adjust_setup(void);
|
||||
#endif
|
||||
|
||||
+void linux_seed(void);
|
||||
+
|
||||
#endif /* ! _PORT_LINUX_H */
|
||||
diff -up openssh-7.4p1/ssh-keygen.1.entropy openssh-7.4p1/ssh-keygen.1
|
||||
--- openssh-7.4p1/ssh-keygen.1.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-keygen.1 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -848,6 +848,24 @@ Contains Diffie-Hellman groups used for
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff -up openssh-7.4p1/ssh-keysign.8.entropy openssh-7.4p1/ssh-keysign.8
|
||||
--- openssh-7.4p1/ssh-keysign.8.entropy 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-keysign.8 2016-12-23 18:34:27.770753571 +0100
|
||||
@@ -80,6 +80,24 @@ must be set-uid root if host-based authe
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
|
||||
--- openssh-7.0p1/auth-krb5.c.kuserok 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/auth-krb5.c 2015-08-12 11:26:21.874536127 +0200
|
||||
@@ -55,6 +55,21 @@
|
||||
diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
|
||||
--- openssh-7.4p1/auth-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
|
||||
+++ openssh-7.4p1/auth-krb5.c 2016-12-23 14:36:07.644465936 +0100
|
||||
@@ -56,6 +56,21 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
@ -23,7 +23,7 @@ diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
|
||||
static int
|
||||
krb5_init(void *context)
|
||||
{
|
||||
@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
@@ -160,8 +175,9 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
@ -35,9 +35,9 @@ diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
|
||||
problem = -1;
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
|
||||
--- openssh-7.0p1/gss-serv-krb5.c.kuserok 2015-08-12 11:26:21.868536137 +0200
|
||||
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:26:21.875536126 +0200
|
||||
diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
|
||||
--- openssh-7.4p1/gss-serv-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
|
||||
+++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 14:36:07.644465936 +0100
|
||||
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
|
||||
int);
|
||||
|
||||
@ -160,7 +160,7 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
|
||||
retval = 1;
|
||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
name, (char *)client->displayname.value);
|
||||
@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
@@ -190,9 +289,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
/* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
if (!k5login_exists && (access(file, F_OK) == -1)) {
|
||||
@ -172,28 +172,28 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
|
||||
}
|
||||
if ((fp = fopen(file, "r")) == NULL) {
|
||||
int saved_errno = errno;
|
||||
diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
|
||||
--- openssh-7.0p1/servconf.c.kuserok 2015-08-12 11:26:21.865536141 +0200
|
||||
+++ openssh-7.0p1/servconf.c 2015-08-12 11:27:14.126454598 +0200
|
||||
@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions
|
||||
options->ip_qos_bulk = -1;
|
||||
diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100
|
||||
@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions
|
||||
options->version_addendum = NULL;
|
||||
options->fingerprint_hash = -1;
|
||||
options->disable_forwarding = -1;
|
||||
+ options->use_kuserok = -1;
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
@@ -350,6 +351,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
@@ -342,6 +343,8 @@ fill_default_server_options(ServerOption
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
if (options->disable_forwarding == -1)
|
||||
options->disable_forwarding = 0;
|
||||
+ if (options->use_kuserok == -1)
|
||||
+ options->use_kuserok = 1;
|
||||
|
||||
assemble_algorithms(options);
|
||||
|
||||
@@ -404,7 +407,7 @@ typedef enum {
|
||||
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
@@ -399,7 +402,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken,
|
||||
@ -201,7 +201,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
@@ -483,11 +486,13 @@ static struct {
|
||||
@@ -478,11 +481,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
@ -215,7 +215,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1671,6 +1676,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
||||
*activep = value;
|
||||
break;
|
||||
|
||||
@ -226,15 +226,15 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
|
||||
case sPermitOpen:
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -2023,6 +2032,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(max_authtries);
|
||||
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(client_alive_interval);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
+ M_CP_INTOPT(use_kuserok);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
|
||||
@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
@ -242,10 +242,10 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h
|
||||
--- openssh-7.0p1/servconf.h.kuserok 2015-08-12 11:26:21.865536141 +0200
|
||||
+++ openssh-7.0p1/servconf.h 2015-08-12 11:26:21.876536124 +0200
|
||||
@@ -180,6 +180,7 @@ typedef struct {
|
||||
diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
|
||||
@@ -174,6 +174,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
@ -253,21 +253,21 @@ diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5
|
||||
--- openssh-7.0p1/sshd_config.5.kuserok 2015-08-12 11:26:21.867536138 +0200
|
||||
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:26:21.877536123 +0200
|
||||
@@ -872,6 +872,10 @@ Specifies whether to automatically destr
|
||||
diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
|
||||
@@ -850,6 +850,10 @@ Specifies whether to automatically destr
|
||||
file on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.Cm yes .
|
||||
+.It Cm KerberosUseKuserok
|
||||
+Specifies whether to look at .k5login file for user's aliases.
|
||||
+The default is
|
||||
+.Dq yes .
|
||||
+.Cm yes .
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
@@ -1116,6 +1120,7 @@ Available keywords are
|
||||
@@ -1078,6 +1082,7 @@ Available keywords are
|
||||
.Cm IPQoS ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
@ -275,10 +275,10 @@ diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
.Cm PasswordAuthentication ,
|
||||
diff -up openssh-7.0p1/sshd_config.kuserok openssh-7.0p1/sshd_config
|
||||
--- openssh-7.0p1/sshd_config.kuserok 2015-08-12 11:26:21.867536138 +0200
|
||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:26:21.876536124 +0200
|
||||
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
|
||||
diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100
|
||||
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
|
@ -1,8 +1,18 @@
|
||||
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
index c18524e..d04f4ed 100644
|
||||
--- a/openbsd-compat/port-linux-sshd.c
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -409,6 +409,28 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux.h
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux 2016-12-23 18:58:52.972122201 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:58:52.974122201 +0100
|
||||
@@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
||||
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
|
||||
@ -31,23 +41,19 @@ index c18524e..d04f4ed 100644
|
||||
#endif
|
||||
#endif
|
||||
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index 8ef6cc4..b18893c 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.privsep-selinux 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 18:58:52.974122201 +0100
|
||||
@@ -1331,7 +1331,7 @@ do_setusercontext(struct passwd *pw)
|
||||
|
||||
+void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
platform_setusercontext(pw);
|
||||
|
||||
diff --git a/session.c b/session.c
|
||||
index 2bcf818..b5dc144 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
|
||||
- if (platform_privileged_uidswap()) {
|
||||
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||
@@ -1361,6 +1361,9 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
@ -57,7 +63,7 @@ index 2bcf818..b5dc144 100644
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
@@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw)
|
||||
@@ -1396,6 +1399,11 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
@ -69,7 +75,7 @@ index 2bcf818..b5dc144 100644
|
||||
} else if (options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
fatal("server lacks privileges to chroot to ChrootDirectory");
|
||||
@@ -1588,9 +1588,6 @@ do_pwchange(Session *s)
|
||||
@@ -1413,9 +1421,6 @@ do_pwchange(Session *s)
|
||||
if (s->ttyfd != -1) {
|
||||
fprintf(stderr,
|
||||
"You must change your password now and login again!\n");
|
||||
@ -79,7 +85,7 @@ index 2bcf818..b5dc144 100644
|
||||
#ifdef PASSWD_NEEDS_USERNAME
|
||||
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
|
||||
(char *)NULL);
|
||||
@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command)
|
||||
@@ -1625,9 +1630,6 @@ do_child(Session *s, const char *command
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
@ -89,11 +95,10 @@ index 2bcf818..b5dc144 100644
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 07f9926..a97f8b7 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -632,6 +632,10 @@ privsep_preauth_child(void)
|
||||
diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 18:59:13.808124269 +0100
|
||||
@@ -540,6 +540,10 @@ privsep_preauth_child(void)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data();
|
||||
|
||||
@ -104,26 +109,13 @@ index 07f9926..a97f8b7 100644
|
||||
/* Demote the child */
|
||||
if (getuid() == 0 || geteuid() == 0) {
|
||||
/* Change our root directory */
|
||||
@@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt)
|
||||
|
||||
@@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt)
|
||||
{
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
if (1) {
|
||||
+#elif defined(WITH_SELINUX)
|
||||
+ if (options.use_login) {
|
||||
+ if (0) {
|
||||
+ /* even root user can be confined by SELinux */
|
||||
#else
|
||||
if (authctxt->pw->pw_uid == 0 || options.use_login) {
|
||||
if (authctxt->pw->pw_uid == 0) {
|
||||
#endif
|
||||
diff --git a/session.c b/session.c
|
||||
index 684f867..09048bc 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1538,7 +1538,7 @@ do_setusercontext(struct passwd *pw)
|
||||
|
||||
platform_setusercontext(pw);
|
||||
|
||||
- if (platform_privileged_uidswap()) {
|
||||
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||
|
@ -1,8 +1,7 @@
|
||||
diff --git a/ssh_config b/ssh_config
|
||||
index 49a4f6c..3f83c40 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -46,3 +46,7 @@
|
||||
diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config
|
||||
--- openssh-7.4p1/ssh_config.redhat 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh_config 2016-12-23 13:32:00.045220402 +0100
|
||||
@@ -48,3 +48,7 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
@ -10,9 +9,9 @@ index 49a4f6c..3f83c40 100644
|
||||
+# To modify the system-wide ssh configuration, create a *.conf file under
|
||||
+# /etc/ssh/ssh_config.d/ which will be automatically included below
|
||||
+Include /etc/ssh/ssh_config.d/*.conf
|
||||
diff --git a/ssh_config_redhat b/ssh_config_redhat
|
||||
--- /dev/null
|
||||
+++ b/ssh_config_redhat
|
||||
diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat
|
||||
--- openssh-7.4p1/ssh_config_redhat.redhat 2016-12-23 13:32:00.045220402 +0100
|
||||
+++ openssh-7.4p1/ssh_config_redhat 2016-12-23 13:32:00.045220402 +0100
|
||||
@@ -0,0 +1,20 @@
|
||||
+# Follow system-wide Crypto Poliicy, if defined:
|
||||
+Include /etc/crypto-policies/back-ends/openssh.txt
|
||||
@ -34,11 +33,38 @@ diff --git a/ssh_config_redhat b/ssh_config_redhat
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
+ SendEnv XMODIFIERS
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index c735429..e68ddee 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -10,6 +10,10 @@
|
||||
diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0
|
||||
--- openssh-7.4p1/sshd_config.0.redhat 2016-12-19 06:21:22.000000000 +0100
|
||||
+++ openssh-7.4p1/sshd_config.0 2016-12-23 13:32:00.045220402 +0100
|
||||
@@ -837,9 +837,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||
- default is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.redhat 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:32:00.046220403 +0100
|
||||
@@ -1393,7 +1393,7 @@ By default no subsystems are defined.
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
||||
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100
|
||||
@@ -10,21 +10,26 @@
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
|
||||
@ -49,10 +75,8 @@ index c735429..e68ddee 100644
|
||||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
@@ -21,10 +25,10 @@
|
||||
# HostKey for protocol version 1
|
||||
#HostKey /etc/ssh/ssh_host_key
|
||||
# HostKeys for protocol version 2
|
||||
#ListenAddress ::
|
||||
|
||||
-#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
+HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
@ -61,9 +85,8 @@ index c735429..e68ddee 100644
|
||||
+HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
+HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
#KeyRegenerationInterval 1h
|
||||
@@ -36,6 +40,7 @@
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
# Logging
|
||||
#SyslogFacility AUTH
|
||||
@ -71,7 +94,7 @@ index c735429..e68ddee 100644
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
@@ -71,9 +76,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -57,9 +62,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
@ -83,7 +106,7 @@ index c735429..e68ddee 100644
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
@@ -82,8 +89,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -68,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#KerberosGetAFSToken no
|
||||
|
||||
# GSSAPI options
|
||||
@ -94,7 +117,7 @@ index c735429..e68ddee 100644
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
@@ -94,12 +101,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -80,12 +87,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
@ -109,7 +132,7 @@ index c735429..e68ddee 100644
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox # Default for new installations.
|
||||
@@ -108,6 +115,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
@ -122,33 +145,3 @@ index c735429..e68ddee 100644
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
diff --git a/sshd_config.0 b/sshd_config.0
|
||||
index 413c260..87e7ee7 100644
|
||||
--- a/sshd_config.0
|
||||
+++ b/sshd_config.0
|
||||
@@ -675,9 +675,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||
- default is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index ce71efe..12465c2 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only.
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
||||
|
@ -1,157 +1,6 @@
|
||||
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
|
||||
--- openssh/auth-pam.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/auth-pam.c 2016-07-26 12:37:48.793593333 +0200
|
||||
@@ -1095,7 +1095,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
-do_pam_putenv(char *name, char *value)
|
||||
+do_pam_putenv(char *name, const char *value)
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
||||
--- openssh/auth-pam.h.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/auth-pam.h 2016-07-26 12:37:48.793593333 +0200
|
||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||
void do_pam_set_tty(const char *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh/auth.h.role-mls openssh/auth.h
|
||||
--- openssh/auth.h.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/auth.h 2016-07-26 12:37:48.793593333 +0200
|
||||
@@ -62,6 +62,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role;
|
||||
+#endif
|
||||
void *kbdintctxt;
|
||||
char *info; /* Extra info for next auth_log */
|
||||
#ifdef BSD_AUTH
|
||||
diff -up openssh/auth1.c.role-mls openssh/auth1.c
|
||||
--- openssh/auth1.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/auth1.c 2016-07-26 12:37:48.793593333 +0200
|
||||
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
|
||||
{
|
||||
u_int ulen;
|
||||
char *user, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role=NULL;
|
||||
+#endif
|
||||
|
||||
/* Get the name of the user that we wish to log in as. */
|
||||
packet_read_expect(SSH_CMSG_USER);
|
||||
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
|
||||
user = packet_get_cstring(&ulen);
|
||||
packet_check_eom();
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if ((role = strchr(user, '/')) != NULL)
|
||||
+ *role++ = '\0';
|
||||
+#endif
|
||||
+
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = '\0';
|
||||
+#ifdef WITH_SELINUX
|
||||
+ else
|
||||
+ if (role && (style = strchr(role, ':')) != NULL)
|
||||
+ *style++ = '\0';
|
||||
+#endif
|
||||
|
||||
authctxt->user = user;
|
||||
authctxt->style = style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role;
|
||||
+#endif
|
||||
|
||||
/* Verify that the user is a valid user. */
|
||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||
--- openssh/auth2-gss.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/auth2-gss.c 2016-07-26 12:37:48.794593332 +0200
|
||||
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
+ char *micuser;
|
||||
Buffer b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
mic.value = packet_get_string(&len);
|
||||
mic.length = len;
|
||||
|
||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ free(micuser);
|
||||
free(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
||||
--- openssh/auth2-hostbased.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/auth2-hostbased.c 2016-07-26 12:37:48.794593332 +0200
|
||||
@@ -121,7 +121,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b, service);
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
||||
--- openssh/auth2-pubkey.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/auth2-pubkey.c 2016-07-26 12:37:48.794593332 +0200
|
||||
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
- authctxt->style ? authctxt->style : "");
|
||||
+ authctxt->style ? authctxt->style : "",
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role ? "/" : "",
|
||||
+ authctxt->role ? authctxt->role : "");
|
||||
+#else
|
||||
+ "", "");
|
||||
+#endif
|
||||
buffer_put_cstring(&b, userstyle);
|
||||
free(userstyle);
|
||||
buffer_put_cstring(&b,
|
||||
diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
--- openssh/auth2.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/auth2.c 2016-07-26 12:37:48.794593332 +0200
|
||||
diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
|
||||
--- openssh-7.4p1/auth2.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth2.c 2016-12-23 12:19:58.587459379 +0100
|
||||
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
@ -191,9 +40,122 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
userauth_banner();
|
||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
||||
packet_disconnect("no authentication methods enabled");
|
||||
diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
--- openssh/misc.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/misc.c 2016-07-26 12:37:48.794593332 +0200
|
||||
diff -up openssh-7.4p1/auth2-gss.c.role-mls openssh-7.4p1/auth2-gss.c
|
||||
--- openssh-7.4p1/auth2-gss.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 12:19:58.586459382 +0100
|
||||
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
+ char *micuser;
|
||||
Buffer b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
mic.value = packet_get_string(&len);
|
||||
mic.length = len;
|
||||
|
||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ free(micuser);
|
||||
free(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.c
|
||||
--- openssh-7.4p1/auth2-hostbased.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 12:19:58.586459382 +0100
|
||||
@@ -121,7 +121,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b, service);
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
|
||||
--- openssh-7.4p1/auth2-pubkey.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 12:19:58.587459379 +0100
|
||||
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
- authctxt->style ? authctxt->style : "");
|
||||
+ authctxt->style ? authctxt->style : "",
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role ? "/" : "",
|
||||
+ authctxt->role ? authctxt->role : "");
|
||||
+#else
|
||||
+ "", "");
|
||||
+#endif
|
||||
buffer_put_cstring(&b, userstyle);
|
||||
free(userstyle);
|
||||
buffer_put_cstring(&b,
|
||||
diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
|
||||
--- openssh-7.4p1/auth.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth.h 2016-12-23 12:19:43.478510375 +0100
|
||||
@@ -62,6 +62,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role;
|
||||
+#endif
|
||||
void *kbdintctxt;
|
||||
char *info; /* Extra info for next auth_log */
|
||||
#ifdef BSD_AUTH
|
||||
diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c
|
||||
--- openssh-7.4p1/auth-pam.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth-pam.c 2016-12-23 12:19:43.477510378 +0100
|
||||
@@ -1087,7 +1087,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
-do_pam_putenv(char *name, char *value)
|
||||
+do_pam_putenv(char *name, const char *value)
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh-7.4p1/auth-pam.h.role-mls openssh-7.4p1/auth-pam.h
|
||||
--- openssh-7.4p1/auth-pam.h.role-mls 2016-12-23 12:19:43.478510375 +0100
|
||||
+++ openssh-7.4p1/auth-pam.h 2016-12-23 12:21:44.698101234 +0100
|
||||
@@ -31,7 +31,7 @@ u_int do_pam_account(void);
|
||||
void do_pam_session(void);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-7.4p1/misc.c.role-mls openssh-7.4p1/misc.c
|
||||
--- openssh-7.4p1/misc.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/misc.c 2016-12-23 12:19:58.587459379 +0100
|
||||
@@ -432,6 +432,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
@ -216,10 +178,10 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
--- openssh/monitor.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/monitor.c 2016-07-26 12:44:19.363379490 +0200
|
||||
@@ -128,6 +128,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 12:23:03.503835248 +0100
|
||||
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
@ -229,7 +191,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -207,6 +210,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -202,6 +205,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -239,17 +201,17 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -863,6 +869,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
else {
|
||||
@@ -769,6 +775,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
|
||||
+#endif
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -904,6 +913,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
@@ -810,6 +819,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -275,7 +237,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
@@ -1300,7 +1328,7 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
@@ -1208,7 +1236,7 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
{
|
||||
Buffer b;
|
||||
u_char *p;
|
||||
@ -284,7 +246,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1326,6 +1354,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
@@ -1234,6 +1262,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
cp = buffer_get_cstring(&b, NULL);
|
||||
@ -293,7 +255,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1361,7 +1391,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
@@ -1269,7 +1299,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
char *chost)
|
||||
{
|
||||
Buffer b;
|
||||
@ -302,7 +264,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1378,6 +1408,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
@@ -1286,6 +1316,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_cstring(&b, NULL);
|
||||
@ -311,9 +273,9 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||
--- openssh/monitor.h.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/monitor.h 2016-07-26 12:37:48.795593331 +0200
|
||||
diff -up openssh-7.4p1/monitor.h.role-mls openssh-7.4p1/monitor.h
|
||||
--- openssh-7.4p1/monitor.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/monitor.h 2016-12-23 12:19:58.588459376 +0100
|
||||
@@ -57,6 +57,10 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||
MONITOR_REQ_TERM = 50,
|
||||
@ -325,10 +287,10 @@ diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||
--- openssh/monitor_wrap.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/monitor_wrap.c 2016-07-26 12:37:48.795593331 +0200
|
||||
@@ -346,6 +346,25 @@ mm_inform_authserv(char *service, char *
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.role-mls openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 12:19:58.588459376 +0100
|
||||
@@ -345,6 +345,25 @@ mm_inform_authserv(char *service, char *
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
@ -354,9 +316,9 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||
--- openssh/monitor_wrap.h.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/monitor_wrap.h 2016-07-26 12:37:48.795593331 +0200
|
||||
diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
|
||||
--- openssh-7.4p1/monitor_wrap.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 12:19:58.588459376 +0100
|
||||
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
|
||||
@ -367,21 +329,90 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
|
||||
--- openssh/openbsd-compat/Makefile.in.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/openbsd-compat/Makefile.in 2016-07-26 12:37:48.795593331 +0200
|
||||
diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd-compat/Makefile.in
|
||||
--- openssh-7.4p1/openbsd-compat/Makefile.in.role-mls 2016-12-23 12:19:58.588459376 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 12:24:06.042643938 +0100
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2016-07-26 12:37:48.796593331 +0200
|
||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2016-07-26 12:37:48.796593331 +0200
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.c.role-mls openssh-7.4p1/openbsd-compat/port-linux.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.c 2016-12-23 12:19:58.590459369 +0100
|
||||
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
-/* Set the execution context to the default for the specified user */
|
||||
-void
|
||||
-ssh_selinux_setup_exec_context(char *pwname)
|
||||
-{
|
||||
- security_context_t user_ctx = NULL;
|
||||
-
|
||||
- if (!ssh_selinux_enabled())
|
||||
- return;
|
||||
-
|
||||
- debug3("%s: setting execution context", __func__);
|
||||
-
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
- if (setexeccon(user_ctx) != 0) {
|
||||
- switch (security_getenforce()) {
|
||||
- case -1:
|
||||
- fatal("%s: security_getenforce() failed", __func__);
|
||||
- case 0:
|
||||
- error("%s: Failed to set SELinux execution "
|
||||
- "context for %s", __func__, pwname);
|
||||
- break;
|
||||
- default:
|
||||
- fatal("%s: Failed to set SELinux execution context "
|
||||
- "for %s (in enforcing mode)", __func__, pwname);
|
||||
- }
|
||||
- }
|
||||
- if (user_ctx != NULL)
|
||||
- freecon(user_ctx);
|
||||
-
|
||||
- debug3("%s: done", __func__);
|
||||
-}
|
||||
-
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ if (getexeccon(&user_ctx) != 0) {
|
||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.role-mls openssh-7.4p1/openbsd-compat/port-linux.h
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 12:19:58.591459365 +0100
|
||||
@@ -20,9 +20,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
-void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
+
|
||||
+void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-7.4p1/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls 2016-12-23 12:19:58.590459369 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 12:19:58.590459369 +0100
|
||||
@@ -0,0 +1,424 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
@ -807,79 +838,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
||||
--- openssh/openbsd-compat/port-linux.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.c 2016-07-26 12:37:48.796593331 +0200
|
||||
@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
-/* Set the execution context to the default for the specified user */
|
||||
-void
|
||||
-ssh_selinux_setup_exec_context(char *pwname)
|
||||
-{
|
||||
- security_context_t user_ctx = NULL;
|
||||
-
|
||||
- if (!ssh_selinux_enabled())
|
||||
- return;
|
||||
-
|
||||
- debug3("%s: setting execution context", __func__);
|
||||
-
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
- if (setexeccon(user_ctx) != 0) {
|
||||
- switch (security_getenforce()) {
|
||||
- case -1:
|
||||
- fatal("%s: security_getenforce() failed", __func__);
|
||||
- case 0:
|
||||
- error("%s: Failed to set SELinux execution "
|
||||
- "context for %s", __func__, pwname);
|
||||
- break;
|
||||
- default:
|
||||
- fatal("%s: Failed to set SELinux execution context "
|
||||
- "for %s (in enforcing mode)", __func__, pwname);
|
||||
- }
|
||||
- }
|
||||
- if (user_ctx != NULL)
|
||||
- freecon(user_ctx);
|
||||
-
|
||||
- debug3("%s: done", __func__);
|
||||
-}
|
||||
-
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
@@ -147,7 +116,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ if (getexeccon(&user_ctx) != 0) {
|
||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
|
||||
--- openssh/openbsd-compat/port-linux.h.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.h 2016-07-26 12:37:48.796593331 +0200
|
||||
@@ -22,9 +22,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
-void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
+
|
||||
+void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||
--- openssh/platform.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/platform.c 2016-07-26 12:37:48.796593331 +0200
|
||||
@@ -186,7 +186,7 @@ platform_setusercontext_post_groups(stru
|
||||
diff -up openssh-7.4p1/platform.c.role-mls openssh-7.4p1/platform.c
|
||||
--- openssh-7.4p1/platform.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/platform.c 2016-12-23 12:19:58.591459365 +0100
|
||||
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
@ -888,10 +850,10 @@ diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||
#endif
|
||||
}
|
||||
|
||||
diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||
--- openssh/sshd.c.role-mls 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/sshd.c 2016-07-26 12:37:48.796593331 +0200
|
||||
@@ -2295,6 +2295,9 @@ main(int ac, char **av)
|
||||
diff -up openssh-7.4p1/sshd.c.role-mls openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 12:19:58.591459365 +0100
|
||||
@@ -2053,6 +2053,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
|
@ -1,22 +1,7 @@
|
||||
diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
|
||||
--- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100
|
||||
+++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100
|
||||
@@ -243,11 +243,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
channel_max_fd = MAX(channel_max_fd, wfd);
|
||||
channel_max_fd = MAX(channel_max_fd, efd);
|
||||
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
fcntl(rfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (wfd != -1 && wfd != rfd)
|
||||
+ if (wfd >= 0 && wfd != rfd)
|
||||
fcntl(wfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (efd != -1 && efd != rfd && efd != wfd)
|
||||
+ if (efd >= 0 && efd != rfd && efd != wfd)
|
||||
fcntl(efd, F_SETFD, FD_CLOEXEC);
|
||||
|
||||
c->rfd = rfd;
|
||||
@@ -265,11 +265,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
|
||||
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
|
||||
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
|
||||
@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
|
||||
/* enable nonblocking mode */
|
||||
if (nonblock) {
|
||||
@ -31,10 +16,10 @@ diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
|
||||
set_nonblock(efd);
|
||||
}
|
||||
}
|
||||
diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
|
||||
--- openssh-6.8p1/monitor.c.coverity 2015-03-18 17:21:51.887264852 +0100
|
||||
+++ openssh-6.8p1/monitor.c 2015-03-18 17:21:51.897264831 +0100
|
||||
@@ -444,7 +444,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
|
||||
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
mm_get_keystate(pmonitor);
|
||||
|
||||
/* Drain any buffered messages from the child */
|
||||
@ -43,10 +28,10 @@ diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
|
||||
;
|
||||
|
||||
close(pmonitor->m_sendfd);
|
||||
diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
|
||||
--- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100
|
||||
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100
|
||||
@@ -533,10 +533,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
|
||||
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
||||
error("%s: cannot allocate fds for pty", __func__);
|
||||
@ -60,9 +45,9 @@ diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
|
||||
return 0;
|
||||
}
|
||||
close(tmp1);
|
||||
diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-6.8p1/openbsd-compat/bindresvport.c.coverity 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/bindresvport.c 2015-03-18 17:21:51.897264831 +0100
|
||||
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
|
||||
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
||||
struct sockaddr_in6 *in6;
|
||||
u_int16_t *portp;
|
||||
@ -72,10 +57,10 @@ diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/open
|
||||
int i;
|
||||
|
||||
if (sa == NULL) {
|
||||
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
|
||||
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
|
||||
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100
|
||||
@@ -156,7 +156,7 @@ killchild(int signo)
|
||||
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
|
||||
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
|
||||
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
|
||||
@@ -157,7 +157,7 @@ killchild(int signo)
|
||||
{
|
||||
if (do_cmd_pid > 1) {
|
||||
kill(do_cmd_pid, signo ? signo : SIGTERM);
|
||||
@ -84,10 +69,10 @@ diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
|
||||
}
|
||||
|
||||
if (signo)
|
||||
diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
|
||||
--- openssh-6.8p1/servconf.c.coverity 2015-03-18 17:21:51.893264839 +0100
|
||||
+++ openssh-6.8p1/servconf.c 2015-03-18 17:21:58.281251460 +0100
|
||||
@@ -1475,7 +1475,7 @@ process_server_config_line(ServerOptions
|
||||
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
|
||||
@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
|
||||
fatal("%s line %d: Missing subsystem name.",
|
||||
filename, linenum);
|
||||
if (!*activep) {
|
||||
@ -96,7 +81,7 @@ diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
|
||||
break;
|
||||
}
|
||||
for (i = 0; i < options->num_subsystems; i++)
|
||||
@@ -1566,8 +1566,9 @@ process_server_config_line(ServerOptions
|
||||
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
|
||||
if (*activep && *charptr == NULL) {
|
||||
*charptr = tilde_expand_filename(arg, getuid());
|
||||
/* increase optional counter */
|
||||
@ -108,10 +93,10 @@ diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
|
||||
}
|
||||
break;
|
||||
|
||||
diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
|
||||
--- openssh-6.8p1/serverloop.c.coverity 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/serverloop.c 2015-03-18 17:28:45.616436080 +0100
|
||||
@@ -147,13 +147,13 @@ notify_setup(void)
|
||||
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
||||
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100
|
||||
@@ -125,13 +125,13 @@ notify_setup(void)
|
||||
static void
|
||||
notify_parent(void)
|
||||
{
|
||||
@ -127,7 +112,7 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
|
||||
FD_SET(notify_pipe[0], readset);
|
||||
}
|
||||
static void
|
||||
@@ -161,8 +161,8 @@ notify_done(fd_set *readset)
|
||||
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
|
||||
{
|
||||
char c;
|
||||
|
||||
@ -138,80 +123,7 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
|
||||
debug2("notify_done: reading");
|
||||
}
|
||||
|
||||
@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **rea
|
||||
* If we have buffered data, try to write some of that data
|
||||
* to the program.
|
||||
*/
|
||||
- if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
|
||||
+ if (fdin >= 0 && buffer_len(&stdin_buffer) > 0)
|
||||
FD_SET(fdin, *writesetp);
|
||||
}
|
||||
notify_prepare(*readsetp);
|
||||
@@ -477,7 +477,7 @@ process_output(fd_set *writeset)
|
||||
int len;
|
||||
|
||||
/* Write buffered data to program stdin. */
|
||||
- if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
|
||||
+ if (!compat20 && fdin >= 0 && FD_ISSET(fdin, writeset)) {
|
||||
data = buffer_ptr(&stdin_buffer);
|
||||
dlen = buffer_len(&stdin_buffer);
|
||||
len = write(fdin, data, dlen);
|
||||
@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
set_nonblock(fdin);
|
||||
set_nonblock(fdout);
|
||||
/* we don't have stderr for interactive terminal sessions, see below */
|
||||
- if (fderr != -1)
|
||||
+ if (fderr >= 0)
|
||||
set_nonblock(fderr);
|
||||
|
||||
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
|
||||
@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
max_fd = MAX(connection_in, connection_out);
|
||||
max_fd = MAX(max_fd, fdin);
|
||||
max_fd = MAX(max_fd, fdout);
|
||||
- if (fderr != -1)
|
||||
+ if (fderr >= 0)
|
||||
max_fd = MAX(max_fd, fderr);
|
||||
#endif
|
||||
|
||||
@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
* If we have received eof, and there is no more pending
|
||||
* input data, cause a real eof by closing fdin.
|
||||
*/
|
||||
- if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
|
||||
+ if (stdin_eof && fdin >= 0 && buffer_len(&stdin_buffer) == 0) {
|
||||
if (fdin != fdout)
|
||||
close(fdin);
|
||||
else
|
||||
@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
buffer_free(&stderr_buffer);
|
||||
|
||||
/* Close the file descriptors. */
|
||||
- if (fdout != -1)
|
||||
+ if (fdout >= 0)
|
||||
close(fdout);
|
||||
fdout = -1;
|
||||
fdout_eof = 1;
|
||||
- if (fderr != -1)
|
||||
+ if (fderr >= 0)
|
||||
close(fderr);
|
||||
fderr = -1;
|
||||
fderr_eof = 1;
|
||||
- if (fdin != -1)
|
||||
+ if (fdin >= 0)
|
||||
close(fdin);
|
||||
fdin = -1;
|
||||
|
||||
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int
|
||||
|
||||
debug("Window change received.");
|
||||
packet_check_eom();
|
||||
- if (fdin != -1)
|
||||
+ if (fdin >= 0)
|
||||
pty_change_window_size(fdin, row, col, xpixel, ypixel);
|
||||
return 0;
|
||||
}
|
||||
@@ -1043,7 +1043,7 @@ server_request_tun(void)
|
||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
||||
}
|
||||
|
||||
tun = packet_get_int();
|
||||
@ -220,10 +132,10 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
|
||||
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
|
||||
goto done;
|
||||
tun = forced_tun_device;
|
||||
diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
|
||||
--- openssh-6.8p1/sftp.c.coverity 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp.c 2015-03-18 17:21:58.283251456 +0100
|
||||
@@ -223,7 +223,7 @@ killchild(int signo)
|
||||
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
||||
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
||||
@@ -224,7 +224,7 @@ killchild(int signo)
|
||||
{
|
||||
if (sshpid > 1) {
|
||||
kill(sshpid, SIGTERM);
|
||||
@ -232,10 +144,10 @@ diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
|
||||
}
|
||||
|
||||
_exit(1);
|
||||
diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
|
||||
--- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100
|
||||
@@ -1166,8 +1166,8 @@ main(int ac, char **av)
|
||||
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
||||
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
||||
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
/* drop */
|
||||
@ -246,10 +158,10 @@ diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
|
||||
|
||||
platform_disable_tracing(0); /* strict=no */
|
||||
|
||||
diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
|
||||
--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100
|
||||
+++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100
|
||||
@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
|
||||
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
|
||||
privsep_preauth_child();
|
||||
setproctitle("%s", "[net]");
|
||||
@ -261,7 +173,7 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1518,6 +1520,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (num_listen_socks < 0)
|
||||
break;
|
||||
}
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
|
||||
--- openssh/configure.ac.tcp_wrappers 2015-06-24 11:41:04.519293694 +0200
|
||||
+++ openssh/configure.ac 2015-06-24 11:41:04.556293600 +0200
|
||||
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
|
||||
diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
|
||||
--- openssh-7.4p1/configure.ac.tcp_wrappers 2016-12-23 15:36:38.745411192 +0100
|
||||
+++ openssh-7.4p1/configure.ac 2016-12-23 15:36:38.777411197 +0100
|
||||
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
|
||||
]
|
||||
)
|
||||
|
||||
@ -64,7 +64,7 @@ diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
|
||||
# Check whether user wants to use ldns
|
||||
LDNS_MSG="no"
|
||||
AC_ARG_WITH(ldns,
|
||||
@@ -5034,6 +5090,7 @@ echo " KerberosV support
|
||||
@@ -5214,6 +5270,7 @@ echo " KerberosV support
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
@ -72,10 +72,10 @@ diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
|
||||
--- openssh/sshd.8.tcp_wrappers 2015-06-24 11:41:04.527293674 +0200
|
||||
+++ openssh/sshd.8 2015-06-24 11:41:04.556293600 +0200
|
||||
@@ -860,6 +860,12 @@ the user's home directory becomes access
|
||||
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
|
||||
--- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
|
||||
+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100
|
||||
@@ -836,6 +836,12 @@ the user's home directory becomes access
|
||||
This file should be writable only by the user, and need not be
|
||||
readable by anyone else.
|
||||
.Pp
|
||||
@ -88,7 +88,7 @@ diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
|
||||
.It Pa /etc/hosts.equiv
|
||||
This file is for host-based authentication (see
|
||||
.Xr ssh 1 ) .
|
||||
@@ -983,6 +989,7 @@ IPv6 address can be used everywhere wher
|
||||
@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
@ -96,10 +96,10 @@ diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
|
||||
.Xr login.conf 5 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd_config 5 ,
|
||||
diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
|
||||
--- openssh/sshd.c.tcp_wrappers 2015-06-24 11:41:04.549293618 +0200
|
||||
+++ openssh/sshd.c 2015-06-24 11:41:53.331169536 +0200
|
||||
@@ -125,6 +125,13 @@
|
||||
diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.tcp_wrappers 2016-12-23 15:36:38.772411196 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 15:37:15.032417028 +0100
|
||||
@@ -123,6 +123,13 @@
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
@ -110,10 +110,10 @@ diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
|
||||
+int deny_severity;
|
||||
+#endif /* LIBWRAP */
|
||||
+
|
||||
#ifndef O_NOCTTY
|
||||
#define O_NOCTTY 0
|
||||
#endif
|
||||
@@ -2158,6 +2165,24 @@ main(int ac, char **av)
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
@@ -2012,6 +2019,24 @@ main(int ac, char **av)
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_connection_from(remote_ip, remote_port);
|
||||
#endif
|
||||
|
@ -1,8 +1,7 @@
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index ad5869b..0255ed3 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -1910,6 +1910,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
diff -up openssh-7.4p1/servconf.c.memory openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.memory 2016-12-23 15:37:48.181422360 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:38:30.189429116 +0100
|
||||
@@ -2006,6 +2006,8 @@ copy_set_server_options(ServerOptions *d
|
||||
dst->n = src->n; \
|
||||
} while (0)
|
||||
|
||||
@ -10,8 +9,8 @@ index ad5869b..0255ed3 100644
|
||||
+
|
||||
M_CP_INTOPT(password_authentication);
|
||||
M_CP_INTOPT(gss_authentication);
|
||||
M_CP_INTOPT(rsa_authentication);
|
||||
@@ -1947,8 +1949,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
M_CP_INTOPT(pubkey_authentication);
|
||||
@@ -2058,8 +2060,10 @@ copy_set_server_options(ServerOptions *d
|
||||
} while(0)
|
||||
#define M_CP_STRARRAYOPT(n, num_n) do {\
|
||||
if (src->num_n != 0) { \
|
||||
|
@ -1,23 +1,7 @@
|
||||
From e1d58c44bd911e5ee4dddb6205e16eb9a03cc736 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Fri, 7 Aug 2015 10:18:54 +0200
|
||||
Subject: [PATCH] Possibility tu specify more fingerprint algorithms on client
|
||||
side for smother transition
|
||||
|
||||
---
|
||||
clientloop.c | 8 ++++----
|
||||
readconf.c | 43 +++++++++++++++++++++++++++++--------------
|
||||
readconf.h | 4 +++-
|
||||
ssh_config.5 | 4 ++--
|
||||
sshconnect.c | 48 +++++++++++++++++++++++++++---------------------
|
||||
sshconnect2.c | 6 +++---
|
||||
6 files changed, 68 insertions(+), 45 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index 87ceb3d..4553114 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -2194,7 +2194,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||
diff -up openssh-7.4p1/clientloop.c.fingerprint openssh-7.4p1/clientloop.c
|
||||
--- openssh-7.4p1/clientloop.c.fingerprint 2016-12-23 15:38:50.520432387 +0100
|
||||
+++ openssh-7.4p1/clientloop.c 2016-12-23 15:38:50.564432394 +0100
|
||||
@@ -2279,7 +2279,7 @@ update_known_hosts(struct hostkeys_updat
|
||||
if (ctx->keys_seen[i] != 2)
|
||||
continue;
|
||||
if ((fp = sshkey_fingerprint(ctx->keys[i],
|
||||
@ -26,7 +10,7 @@ index 87ceb3d..4553114 100644
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
do_log2(loglevel, "Learned new hostkey: %s %s",
|
||||
sshkey_type(ctx->keys[i]), fp);
|
||||
@@ -2202,7 +2202,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||
@@ -2287,7 +2287,7 @@ update_known_hosts(struct hostkeys_updat
|
||||
}
|
||||
for (i = 0; i < ctx->nold; i++) {
|
||||
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
|
||||
@ -35,7 +19,7 @@ index 87ceb3d..4553114 100644
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
|
||||
sshkey_type(ctx->old_keys[i]), fp);
|
||||
@@ -2245,7 +2245,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||
@@ -2330,7 +2330,7 @@ update_known_hosts(struct hostkeys_updat
|
||||
(r = hostfile_replace_entries(options.user_hostfiles[0],
|
||||
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
|
||||
options.hash_known_hosts, 0,
|
||||
@ -44,7 +28,7 @@ index 87ceb3d..4553114 100644
|
||||
error("%s: hostfile_replace_entries failed: %s",
|
||||
__func__, ssh_err(r));
|
||||
}
|
||||
@@ -2358,7 +2358,7 @@ client_input_hostkeys(void)
|
||||
@@ -2443,7 +2443,7 @@ client_input_hostkeys(void)
|
||||
error("%s: parse key: %s", __func__, ssh_err(r));
|
||||
goto out;
|
||||
}
|
||||
@ -53,11 +37,10 @@ index 87ceb3d..4553114 100644
|
||||
SSH_FP_DEFAULT);
|
||||
debug3("%s: received %s key %s", __func__,
|
||||
sshkey_type(key), fp);
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 1d03bdf..6af4c62 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -1471,16 +1471,18 @@ parse_keytypes:
|
||||
diff -up openssh-7.4p1/readconf.c.fingerprint openssh-7.4p1/readconf.c
|
||||
--- openssh-7.4p1/readconf.c.fingerprint 2016-12-23 15:38:50.559432393 +0100
|
||||
+++ openssh-7.4p1/readconf.c 2016-12-23 15:38:50.565432394 +0100
|
||||
@@ -1668,16 +1668,18 @@ parse_keytypes:
|
||||
goto parse_string;
|
||||
|
||||
case oFingerprintHash:
|
||||
@ -86,7 +69,7 @@ index 1d03bdf..6af4c62 100644
|
||||
break;
|
||||
|
||||
case oUpdateHostkeys:
|
||||
@@ -1673,7 +1675,7 @@ initialize_options(Options * options)
|
||||
@@ -1905,7 +1907,7 @@ initialize_options(Options * options)
|
||||
options->canonicalize_fallback_local = -1;
|
||||
options->canonicalize_hostname = -1;
|
||||
options->revoked_host_keys = NULL;
|
||||
@ -95,7 +78,7 @@ index 1d03bdf..6af4c62 100644
|
||||
options->update_hostkeys = -1;
|
||||
options->hostbased_key_types = NULL;
|
||||
options->pubkey_key_types = NULL;
|
||||
@@ -1851,8 +1853,10 @@ fill_default_options(Options * options)
|
||||
@@ -2102,8 +2104,10 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_fallback_local = 1;
|
||||
if (options->canonicalize_hostname == -1)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
@ -108,7 +91,7 @@ index 1d03bdf..6af4c62 100644
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
||||
@@ -2189,6 +2193,17 @@ dump_cfg_strarray(OpCodes code, u_int count, char **vals)
|
||||
@@ -2489,6 +2493,17 @@ dump_cfg_strarray(OpCodes code, u_int co
|
||||
}
|
||||
|
||||
static void
|
||||
@ -126,7 +109,7 @@ index 1d03bdf..6af4c62 100644
|
||||
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
|
||||
{
|
||||
u_int i;
|
||||
@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host)
|
||||
@@ -2564,7 +2579,6 @@ dump_client_config(Options *o, const cha
|
||||
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
|
||||
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
|
||||
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
|
||||
@ -134,7 +117,7 @@ index 1d03bdf..6af4c62 100644
|
||||
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
|
||||
dump_cfg_fmtint(oForwardX11, o->forward_x11);
|
||||
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
|
||||
@@ -2328,6 +2342,7 @@ dump_client_config(Options *o, const char *host)
|
||||
@@ -2634,6 +2648,7 @@ dump_client_config(Options *o, const cha
|
||||
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
|
||||
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
|
||||
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
|
||||
@ -142,10 +125,9 @@ index 1d03bdf..6af4c62 100644
|
||||
|
||||
/* Special cases */
|
||||
|
||||
diff --git a/readconf.h b/readconf.h
|
||||
index bb2d552..d817f92 100644
|
||||
--- a/readconf.h
|
||||
+++ b/readconf.h
|
||||
diff -up openssh-7.4p1/readconf.h.fingerprint openssh-7.4p1/readconf.h
|
||||
--- openssh-7.4p1/readconf.h.fingerprint 2016-12-23 15:38:50.559432393 +0100
|
||||
+++ openssh-7.4p1/readconf.h 2016-12-23 15:38:50.565432394 +0100
|
||||
@@ -21,6 +21,7 @@
|
||||
#define MAX_SEND_ENV 256
|
||||
#define SSH_MAX_HOSTS_FILES 32
|
||||
@ -154,7 +136,7 @@ index bb2d552..d817f92 100644
|
||||
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
|
||||
|
||||
struct allowed_cname {
|
||||
@@ -146,7 +147,8 @@ typedef struct {
|
||||
@@ -162,7 +163,8 @@ typedef struct {
|
||||
|
||||
char *revoked_host_keys;
|
||||
|
||||
@ -164,31 +146,60 @@ index bb2d552..d817f92 100644
|
||||
|
||||
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
|
||||
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index 5b0975f..e8e6458 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -647,13 +647,13 @@ or
|
||||
The default is
|
||||
.Dq no .
|
||||
diff -up openssh-7.4p1/ssh_config.5.fingerprint openssh-7.4p1/ssh_config.5
|
||||
--- openssh-7.4p1/ssh_config.5.fingerprint 2016-12-23 15:38:50.565432394 +0100
|
||||
+++ openssh-7.4p1/ssh_config.5 2016-12-23 15:40:03.754444166 +0100
|
||||
@@ -652,12 +652,13 @@ or
|
||||
.Cm no
|
||||
(the default).
|
||||
.It Cm FingerprintHash
|
||||
-Specifies the hash algorithm used when displaying key fingerprints.
|
||||
+Specifies the hash algorithms used when displaying key fingerprints.
|
||||
Valid options are:
|
||||
.Dq md5
|
||||
.Cm md5
|
||||
and
|
||||
.Dq sha256 .
|
||||
The default is
|
||||
-.Dq sha256 .
|
||||
+.Dq "sha256 md5".
|
||||
-.Cm sha256
|
||||
-(the default).
|
||||
+.Cm sha256 .
|
||||
+The default is
|
||||
+.Cm "sha256 md5".
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index f41960c..e12932f 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -920,9 +920,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
diff -up openssh-7.4p1/sshconnect2.c.fingerprint openssh-7.4p1/sshconnect2.c
|
||||
--- openssh-7.4p1/sshconnect2.c.fingerprint 2016-12-23 15:38:50.561432394 +0100
|
||||
+++ openssh-7.4p1/sshconnect2.c 2016-12-23 15:38:50.566432394 +0100
|
||||
@@ -677,7 +677,7 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
goto done;
|
||||
debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
@@ -1172,7 +1172,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
|
||||
int matched, ret = -1, have_sig = 1;
|
||||
char *fp;
|
||||
|
||||
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
return 0;
|
||||
debug3("%s: %s %s", __func__, key_type(id->key), fp);
|
||||
@@ -1864,7 +1864,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: sshkey_fingerprint failed", __func__);
|
||||
goto out;
|
||||
diff -up openssh-7.4p1/sshconnect.c.fingerprint openssh-7.4p1/sshconnect.c
|
||||
--- openssh-7.4p1/sshconnect.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshconnect.c 2016-12-23 15:38:50.566432394 +0100
|
||||
@@ -922,9 +922,9 @@ check_host_key(char *hostname, struct so
|
||||
"of known hosts.", type, ip);
|
||||
} else if (options.visual_host_key) {
|
||||
fp = sshkey_fingerprint(host_key,
|
||||
@ -200,7 +211,7 @@ index f41960c..e12932f 100644
|
||||
if (fp == NULL || ra == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
logit("Host key fingerprint is %s\n%s", fp, ra);
|
||||
@@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
@@ -966,12 +966,6 @@ check_host_key(char *hostname, struct so
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
@ -213,14 +224,14 @@ index f41960c..e12932f 100644
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
if (matching_host_key_dns)
|
||||
@@ -983,16 +977,28 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
@@ -985,16 +979,28 @@ check_host_key(char *hostname, struct so
|
||||
}
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
- "established%s\n"
|
||||
- "%s key fingerprint is %s.%s%s\n%s"
|
||||
+ "established%s\n", host, ip, msg1);
|
||||
+ for (i = 0; i < options.num_fingerprint_hash; i++) {
|
||||
+ for (i = 0; i < (u_int) options.num_fingerprint_hash; i++) {
|
||||
+ fp = sshkey_fingerprint(host_key,
|
||||
+ options.fingerprint_hash[i], SSH_FP_DEFAULT);
|
||||
+ ra = sshkey_fingerprint(host_key,
|
||||
@ -251,7 +262,7 @@ index f41960c..e12932f 100644
|
||||
if (!confirm(msg))
|
||||
goto fail;
|
||||
hostkey_trusted = 1; /* user explicitly confirmed */
|
||||
@@ -1241,7 +1247,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||
@@ -1244,7 +1250,7 @@ verify_host_key(char *host, struct socka
|
||||
struct sshkey *plain = NULL;
|
||||
|
||||
if ((fp = sshkey_fingerprint(host_key,
|
||||
@ -260,7 +271,16 @@ index f41960c..e12932f 100644
|
||||
error("%s: fingerprint host key: %s", __func__, ssh_err(r));
|
||||
r = -1;
|
||||
goto out;
|
||||
@@ -1405,9 +1411,9 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
|
||||
@@ -1252,7 +1258,7 @@ verify_host_key(char *host, struct socka
|
||||
|
||||
if (sshkey_is_cert(host_key)) {
|
||||
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: fingerprint CA key: %s",
|
||||
__func__, ssh_err(r));
|
||||
r = -1;
|
||||
@@ -1432,9 +1438,9 @@ show_other_keys(struct hostkeys *hostkey
|
||||
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
||||
continue;
|
||||
fp = sshkey_fingerprint(found->key,
|
||||
@ -272,7 +292,7 @@ index f41960c..e12932f 100644
|
||||
if (fp == NULL || ra == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
logit("WARNING: %s key found for host %s\n"
|
||||
@@ -1430,7 +1436,7 @@ warn_changed_key(Key *host_key)
|
||||
@@ -1457,7 +1463,7 @@ warn_changed_key(Key *host_key)
|
||||
{
|
||||
char *fp;
|
||||
|
||||
@ -281,42 +301,10 @@ index f41960c..e12932f 100644
|
||||
SSH_FP_DEFAULT);
|
||||
if (fp == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index 7751031..82ed92e 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -589,7 +589,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
goto done;
|
||||
debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
@@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
|
||||
int matched, ret = -1, have_sig = 1;
|
||||
char *fp;
|
||||
|
||||
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
return 0;
|
||||
debug3("%s: %s %s", __func__, key_type(id->key), fp);
|
||||
@@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: sshkey_fingerprint failed", __func__);
|
||||
goto out;
|
||||
diff --git a/ssh-keysign.c b/ssh-keysign.c
|
||||
index 1dca3e2..23bff7d 100644
|
||||
--- a/ssh-keysign.c
|
||||
+++ b/ssh-keysign.c
|
||||
@@ -275,7 +275,7 @@ main(int argc, char **argv)
|
||||
diff -up openssh-7.4p1/ssh-keysign.c.fingerprint openssh-7.4p1/ssh-keysign.c
|
||||
--- openssh-7.4p1/ssh-keysign.c.fingerprint 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-keysign.c 2016-12-23 15:38:50.566432394 +0100
|
||||
@@ -285,7 +285,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
if (!found) {
|
||||
@ -325,21 +313,3 @@ index 1dca3e2..23bff7d 100644
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __progname);
|
||||
fatal("no matching hostkey found for key %s %s",
|
||||
|
||||
--
|
||||
2.1.0
|
||||
|
||||
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index de7ace6..f16e606 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -1262,7 +1262,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||
|
||||
if (sshkey_is_cert(host_key)) {
|
||||
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: fingerprint CA key: %s",
|
||||
__func__, ssh_err(r));
|
||||
r = -1;
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
|
||||
--- openssh-7.1p1/ssh_config.5.gss-docs 2015-12-10 15:28:47.451966457 +0100
|
||||
+++ openssh-7.1p1/ssh_config.5 2015-12-10 15:30:28.070738047 +0100
|
||||
@@ -773,15 +773,26 @@ Note that this option applies to protoco
|
||||
diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
|
||||
--- openssh-7.4p1/ssh_config.5.gss-docs 2016-12-23 14:28:34.051714486 +0100
|
||||
+++ openssh-7.4p1/ssh_config.5 2016-12-23 14:34:24.568522417 +0100
|
||||
@@ -765,10 +765,19 @@ The default is
|
||||
If set to
|
||||
.Dq yes
|
||||
then renewal of the client's GSSAPI credentials will force the rekeying of the
|
||||
@ -19,6 +19,11 @@ diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
|
||||
+For this to work
|
||||
+.Cm GSSAPIKeyExchange
|
||||
+needs to be enabled in the server and also used by the client.
|
||||
.It Cm GSSAPIServerIdentity
|
||||
If set, specifies the GSSAPI server identity that ssh should expect when
|
||||
connecting to the server. The default is unset, which means that the
|
||||
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
|
||||
hostname.
|
||||
.It Cm GSSAPITrustDns
|
||||
Set to
|
||||
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
||||
@ -31,10 +36,10 @@ diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
|
||||
command line will be passed untouched to the GSSAPI library.
|
||||
The default is
|
||||
.Dq no .
|
||||
diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5
|
||||
--- openssh-7.1p1/sshd_config.5.gss-docs 2015-12-10 15:28:47.453966452 +0100
|
||||
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:28:47.461966434 +0100
|
||||
@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede
|
||||
diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.gss-docs 2016-12-23 14:28:34.043714490 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 14:28:34.051714486 +0100
|
||||
@@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
|
||||
successful connection rekeying. This option can be used to accepted renewed
|
||||
or updated credentials from a compatible client. The default is
|
||||
.Dq no .
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-7.3p1/monitor_wrap.c.audit-race openssh-7.3p1/monitor_wrap.c
|
||||
--- openssh-7.3p1/monitor_wrap.c.audit-race 2016-12-15 14:27:22.376603747 +0100
|
||||
+++ openssh-7.3p1/monitor_wrap.c 2016-12-15 14:27:22.381603742 +0100
|
||||
@@ -1256,4 +1256,48 @@ mm_audit_destroy_sensitive_data(const ch
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100
|
||||
@@ -1107,4 +1107,48 @@ mm_audit_destroy_sensitive_data(const ch
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
||||
buffer_free(&m);
|
||||
}
|
||||
@ -50,10 +50,10 @@ diff -up openssh-7.3p1/monitor_wrap.c.audit-race openssh-7.3p1/monitor_wrap.c
|
||||
+ pmonitor->m_recvfd = fd;
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-7.3p1/monitor_wrap.h.audit-race openssh-7.3p1/monitor_wrap.h
|
||||
--- openssh-7.3p1/monitor_wrap.h.audit-race 2016-12-15 14:27:22.376603747 +0100
|
||||
+++ openssh-7.3p1/monitor_wrap.h 2016-12-15 14:27:22.381603742 +0100
|
||||
@@ -88,6 +88,8 @@ void mm_audit_unsupported_body(int);
|
||||
diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
|
||||
--- openssh-7.4p1/monitor_wrap.h.audit-race 2016-12-23 16:35:52.694685771 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 16:35:52.698685772 +0100
|
||||
@@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
|
||||
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
||||
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
@ -62,10 +62,10 @@ diff -up openssh-7.3p1/monitor_wrap.h.audit-race openssh-7.3p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
|
||||
--- openssh-7.3p1/session.c.audit-race 2016-12-15 14:27:22.378603745 +0100
|
||||
+++ openssh-7.3p1/session.c 2016-12-15 14:27:22.382603741 +0100
|
||||
@@ -164,6 +164,10 @@ static Session *sessions = NULL;
|
||||
diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.audit-race 2016-12-23 16:35:52.695685771 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 16:37:26.339730596 +0100
|
||||
@@ -162,6 +162,10 @@ static Session *sessions = NULL;
|
||||
login_cap_t *lc;
|
||||
#endif
|
||||
|
||||
@ -76,8 +76,8 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
|
||||
static int is_child = 0;
|
||||
static int in_chroot = 0;
|
||||
static int have_dev_log = 1;
|
||||
@@ -457,6 +457,8 @@ do_authenticated1(Authctxt *authctxt)
|
||||
}
|
||||
@@ -289,6 +293,8 @@ xauth_valid_string(const char *s)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+void child_destory_sensitive_data();
|
||||
@ -85,7 +85,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
|
||||
#define USE_PIPES 1
|
||||
/*
|
||||
* This is called to fork and execute a command when we have no tty. This
|
||||
@@ -588,6 +592,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
cray_init_job(s->pw); /* set up cray jid and tmpdir */
|
||||
#endif
|
||||
|
||||
@ -94,7 +94,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
|
||||
/* Do processing for the child (exec command etc). */
|
||||
do_child(s, command);
|
||||
/* NOTREACHED */
|
||||
@@ -722,6 +728,9 @@ do_exec_pty(Session *s, const char *comm
|
||||
@@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
|
||||
/* Close the extra descriptor for the pseudo tty. */
|
||||
close(ttyfd);
|
||||
|
||||
@ -102,9 +102,9 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
|
||||
+ child_destory_sensitive_data();
|
||||
+
|
||||
/* record login, etc. similar to login(1) */
|
||||
#ifndef HAVE_OSF_SIA
|
||||
if (!(options.use_login && command == NULL)) {
|
||||
@@ -903,6 +912,8 @@ do_exec(Session *s, const char *command)
|
||||
#ifdef _UNICOS
|
||||
cray_init_job(s->pw); /* set up cray jid and tmpdir */
|
||||
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
|
||||
}
|
||||
if (s->command != NULL && s->ptyfd == -1)
|
||||
s->command_handle = PRIVSEP(audit_run_command(s->command));
|
||||
@ -113,7 +113,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(s, command);
|
||||
@@ -918,6 +929,20 @@ do_exec(Session *s, const char *command)
|
||||
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
|
||||
*/
|
||||
buffer_clear(&loginmsg);
|
||||
|
||||
@ -134,7 +134,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -1751,6 +1776,33 @@ child_close_fds(void)
|
||||
@@ -1538,6 +1565,33 @@ child_close_fds(void)
|
||||
endpwent();
|
||||
}
|
||||
|
||||
@ -168,7 +168,7 @@ diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c
|
||||
/*
|
||||
* Performs common processing for the child, such as setting up the
|
||||
* environment, closing extra file descriptors, setting the user and group
|
||||
@@ -1768,12 +1820,6 @@ do_child(Session *s, const char *command
|
||||
@@ -1554,12 +1608,6 @@ do_child(Session *s, const char *command
|
||||
struct passwd *pw = s->pw;
|
||||
int r = 0;
|
||||
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,6 +1,6 @@
|
||||
diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
|
||||
--- openssh-7.2p1/cipher.c.fips 2016-02-12 18:53:56.083665235 +0100
|
||||
+++ openssh-7.2p1/cipher.c 2016-02-12 18:53:56.090665235 +0100
|
||||
diff -up openssh-7.4p1/cipher.c.fips openssh-7.4p1/cipher.c
|
||||
--- openssh-7.4p1/cipher.c.fips 2016-12-23 16:37:49.290741582 +0100
|
||||
+++ openssh-7.4p1/cipher.c 2016-12-23 16:37:49.300741586 +0100
|
||||
@@ -39,6 +39,8 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -10,7 +10,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[]
|
||||
@@ -116,6 +118,20 @@ static const struct sshcipher ciphers[]
|
||||
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
@ -25,19 +25,13 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
|
||||
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
|
||||
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
|
||||
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
|
||||
+#ifdef OPENSSL_HAVE_EVPGCM
|
||||
+ { "aes128-gcm@openssh.com",
|
||||
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
|
||||
+ { "aes256-gcm@openssh.com",
|
||||
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
|
||||
+#endif
|
||||
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
+};
|
||||
+
|
||||
/*--*/
|
||||
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
@@ -109,7 +131,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
@@ -126,7 +142,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct sshcipher *c;
|
||||
|
||||
@ -46,7 +40,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
|
||||
if (c->number != SSH_CIPHER_SSH2)
|
||||
continue;
|
||||
if (auth_only && c->auth_len == 0)
|
||||
@@ -193,7 +215,7 @@ const struct sshcipher *
|
||||
@@ -222,7 +238,7 @@ const struct sshcipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
@ -55,7 +49,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -203,7 +225,7 @@ const struct sshcipher *
|
||||
@@ -232,7 +248,7 @@ const struct sshcipher *
|
||||
cipher_by_number(int id)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
@ -64,7 +58,7 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
|
||||
if (c->number == id)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -244,7 +266,7 @@ cipher_number(const char *name)
|
||||
@@ -273,7 +289,7 @@ cipher_number(const char *name)
|
||||
const struct sshcipher *c;
|
||||
if (name == NULL)
|
||||
return -1;
|
||||
@ -73,9 +67,9 @@ diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
|
||||
if (strcasecmp(c->name, name) == 0)
|
||||
return c->number;
|
||||
return -1;
|
||||
diff -up openssh-7.2p1/cipher-ctr.c.fips openssh-7.2p1/cipher-ctr.c
|
||||
--- openssh-7.2p1/cipher-ctr.c.fips 2016-02-12 18:53:56.013665228 +0100
|
||||
+++ openssh-7.2p1/cipher-ctr.c 2016-02-12 18:53:56.090665235 +0100
|
||||
diff -up openssh-7.4p1/cipher-ctr.c.fips openssh-7.4p1/cipher-ctr.c
|
||||
--- openssh-7.4p1/cipher-ctr.c.fips 2016-12-23 16:37:49.225741551 +0100
|
||||
+++ openssh-7.4p1/cipher-ctr.c 2016-12-23 16:37:49.297741585 +0100
|
||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
@ -86,10 +80,10 @@ diff -up openssh-7.2p1/cipher-ctr.c.fips openssh-7.2p1/cipher-ctr.c
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-7.2p1/dh.h.fips openssh-7.2p1/dh.h
|
||||
--- openssh-7.2p1/dh.h.fips 2016-02-12 18:53:56.090665235 +0100
|
||||
+++ openssh-7.2p1/dh.h 2016-02-12 18:54:48.425670204 +0100
|
||||
@@ -49,6 +49,7 @@ u_int dh_estimate(int);
|
||||
diff -up openssh-7.4p1/dh.h.fips openssh-7.4p1/dh.h
|
||||
--- openssh-7.4p1/dh.h.fips 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/dh.h 2016-12-23 16:37:49.297741585 +0100
|
||||
@@ -51,6 +51,7 @@ u_int dh_estimate(int);
|
||||
* Miniumum increased in light of DH precomputation attacks.
|
||||
*/
|
||||
#define DH_GRP_MIN 2048
|
||||
@ -97,9 +91,9 @@ diff -up openssh-7.2p1/dh.h.fips openssh-7.2p1/dh.h
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
/*
|
||||
diff -up openssh-7.2p1/entropy.c.fips openssh-7.2p1/entropy.c
|
||||
--- openssh-7.2p1/entropy.c.fips 2016-02-12 18:53:56.005665227 +0100
|
||||
+++ openssh-7.2p1/entropy.c 2016-02-12 18:53:56.091665235 +0100
|
||||
diff -up openssh-7.4p1/entropy.c.fips openssh-7.4p1/entropy.c
|
||||
--- openssh-7.4p1/entropy.c.fips 2016-12-23 16:37:49.219741548 +0100
|
||||
+++ openssh-7.4p1/entropy.c 2016-12-23 16:37:49.297741585 +0100
|
||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
@ -110,9 +104,9 @@ diff -up openssh-7.2p1/entropy.c.fips openssh-7.2p1/entropy.c
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1) {
|
||||
debug3("RNG is ready, skipping seeding");
|
||||
diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
|
||||
--- openssh-7.2p1/kex.c.fips 2016-02-12 18:53:56.084665234 +0100
|
||||
+++ openssh-7.2p1/kex.c 2016-02-12 18:53:56.091665235 +0100
|
||||
diff -up openssh-7.4p1/kex.c.fips openssh-7.4p1/kex.c
|
||||
--- openssh-7.4p1/kex.c.fips 2016-12-23 16:37:49.290741582 +0100
|
||||
+++ openssh-7.4p1/kex.c 2016-12-23 16:37:49.300741586 +0100
|
||||
@@ -35,6 +35,7 @@
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
@ -121,13 +115,11 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
|
||||
#endif
|
||||
|
||||
#include "ssh2.h"
|
||||
@@ -121,6 +122,25 @@ static const struct kexalg kexalgs[] = {
|
||||
@@ -125,6 +126,23 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, -1, -1, -1},
|
||||
};
|
||||
|
||||
+static const struct kexalg kexalgs_fips[] = {
|
||||
+ { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
+#endif
|
||||
@ -147,7 +139,7 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -148,7 +168,7 @@ kex_alg_by_name(const char *name)
|
||||
@@ -152,7 +170,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
@ -156,7 +148,7 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
#ifdef GSSAPI
|
||||
@@ -174,7 +194,10 @@ kex_names_valid(const char *names)
|
||||
@@ -178,7 +196,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
@ -168,17 +160,17 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
diff -up openssh-7.2p1/kexgexc.c.fips openssh-7.2p1/kexgexc.c
|
||||
--- openssh-7.2p1/kexgexc.c.fips 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/kexgexc.c 2016-02-12 18:53:56.091665235 +0100
|
||||
diff -up openssh-7.4p1/kexgexc.c.fips openssh-7.4p1/kexgexc.c
|
||||
--- openssh-7.4p1/kexgexc.c.fips 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/kexgexc.c 2016-12-23 16:38:38.727763540 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
|
||||
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
@ -188,24 +180,24 @@ diff -up openssh-7.2p1/kexgexc.c.fips openssh-7.2p1/kexgexc.c
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
diff -up openssh-7.2p1/kexgexs.c.fips openssh-7.2p1/kexgexs.c
|
||||
--- openssh-7.2p1/kexgexs.c.fips 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/kexgexs.c 2016-02-12 18:53:56.091665235 +0100
|
||||
diff -up openssh-7.4p1/kexgexs.c.fips openssh-7.4p1/kexgexs.c
|
||||
--- openssh-7.4p1/kexgexs.c.fips 2016-12-23 16:37:49.297741585 +0100
|
||||
+++ openssh-7.4p1/kexgexs.c 2016-12-23 16:39:35.009776626 +0100
|
||||
@@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
- min = MAX(DH_GRP_MIN, min);
|
||||
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
|
||||
max = MIN(DH_GRP_MAX, max);
|
||||
- nbits = MAX(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
|
||||
nbits = MIN(DH_GRP_MAX, nbits);
|
||||
- min = MAXIMUM(DH_GRP_MIN, min);
|
||||
+ min = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
|
||||
max = MINIMUM(DH_GRP_MAX, max);
|
||||
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
|
||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
||||
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
|
||||
--- openssh-7.2p1/mac.c.fips 2016-02-12 18:53:56.084665234 +0100
|
||||
+++ openssh-7.2p1/mac.c 2016-02-12 18:53:56.091665235 +0100
|
||||
diff -up openssh-7.4p1/mac.c.fips openssh-7.4p1/mac.c
|
||||
--- openssh-7.4p1/mac.c.fips 2016-12-23 16:37:49.291741582 +0100
|
||||
+++ openssh-7.4p1/mac.c 2016-12-23 16:37:49.298741585 +0100
|
||||
@@ -27,6 +27,8 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -224,7 +216,7 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
|
||||
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
|
||||
@@ -85,6 +87,24 @@ static const struct macalg macs[] = {
|
||||
@@ -89,6 +91,24 @@ static const struct macalg macs[] = {
|
||||
{ NULL, 0, 0, 0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
@ -249,7 +241,7 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
|
||||
/* Returns a list of supported MACs separated by the specified char. */
|
||||
char *
|
||||
mac_alg_list(char sep)
|
||||
@@ -93,7 +113,7 @@ mac_alg_list(char sep)
|
||||
@@ -97,7 +117,7 @@ mac_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct macalg *m;
|
||||
|
||||
@ -258,7 +250,7 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(m->name);
|
||||
@@ -132,7 +152,7 @@ mac_setup(struct sshmac *mac, char *name
|
||||
@@ -136,7 +156,7 @@ mac_setup(struct sshmac *mac, char *name
|
||||
{
|
||||
const struct macalg *m;
|
||||
|
||||
@ -267,10 +259,10 @@ diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
|
||||
--- openssh-7.2p1/Makefile.in.fips 2016-02-12 18:53:56.085665235 +0100
|
||||
+++ openssh-7.2p1/Makefile.in 2016-02-12 18:53:56.092665235 +0100
|
||||
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
diff -up openssh-7.4p1/Makefile.in.fips openssh-7.4p1/Makefile.in
|
||||
--- openssh-7.4p1/Makefile.in.fips 2016-12-23 16:37:49.291741582 +0100
|
||||
+++ openssh-7.4p1/Makefile.in 2016-12-23 16:37:49.298741585 +0100
|
||||
@@ -169,25 +169,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
@ -302,7 +294,7 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
||||
@@ -205,7 +205,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
||||
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
@ -311,18 +303,16 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-7.2p1/myproposal.h.fips openssh-7.2p1/myproposal.h
|
||||
--- openssh-7.2p1/myproposal.h.fips 2016-02-12 18:53:56.092665235 +0100
|
||||
+++ openssh-7.2p1/myproposal.h 2016-02-12 18:55:42.137675304 +0100
|
||||
@@ -129,6 +129,28 @@
|
||||
diff -up openssh-7.4p1/myproposal.h.fips openssh-7.4p1/myproposal.h
|
||||
--- openssh-7.4p1/myproposal.h.fips 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/myproposal.h 2016-12-23 16:37:49.300741586 +0100
|
||||
@@ -138,6 +138,26 @@
|
||||
|
||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
||||
|
||||
+#define KEX_DEFAULT_KEX_FIPS \
|
||||
+ KEX_ECDH_METHODS \
|
||||
+ KEX_SHA2_METHODS \
|
||||
+ "diffie-hellman-group-exchange-sha1," \
|
||||
+ "diffie-hellman-group14-sha1"
|
||||
+ KEX_SHA2_METHODS
|
||||
+#define KEX_FIPS_ENCRYPT \
|
||||
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||
+ "aes128-cbc,3des-cbc," \
|
||||
@ -343,10 +333,31 @@ diff -up openssh-7.2p1/myproposal.h.fips openssh-7.2p1/myproposal.h
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
#define KEX_SERVER_KEX \
|
||||
diff -up openssh-7.2p1/readconf.c.fips openssh-7.2p1/readconf.c
|
||||
--- openssh-7.2p1/readconf.c.fips 2016-02-12 18:53:56.073665234 +0100
|
||||
+++ openssh-7.2p1/readconf.c 2016-02-12 18:53:56.092665235 +0100
|
||||
@@ -1969,9 +1969,12 @@ fill_default_options(Options * options)
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.fips openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c.fips 2016-12-23 16:37:49.185741531 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c 2016-12-23 16:37:49.300741586 +0100
|
||||
@@ -55,6 +55,7 @@
|
||||
#include "secure_filename.h"
|
||||
#include "uidswap.h"
|
||||
#include <unistd.h>
|
||||
+#include <openssl/crypto.h>
|
||||
|
||||
#include "identity.h"
|
||||
|
||||
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||
found_key = 1;
|
||||
logit("matching key found: file/command %s, line %lu", file,
|
||||
linenum);
|
||||
- fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
||||
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
|
||||
+ SSH_FP_HEX);
|
||||
logit("Found matching %s key: %s",
|
||||
key_type(found), fp);
|
||||
free(fp);
|
||||
diff -up openssh-7.4p1/readconf.c.fips openssh-7.4p1/readconf.c
|
||||
--- openssh-7.4p1/readconf.c.fips 2016-12-23 16:37:49.274741574 +0100
|
||||
+++ openssh-7.4p1/readconf.c 2016-12-23 16:37:49.298741585 +0100
|
||||
@@ -2110,9 +2110,12 @@ fill_default_options(Options * options)
|
||||
}
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
@ -362,10 +373,23 @@ diff -up openssh-7.2p1/readconf.c.fips openssh-7.2p1/readconf.c
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
&options->hostbased_key_types) != 0 ||
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
|
||||
--- openssh-7.2p1/servconf.c.fips 2016-02-12 18:53:56.068665233 +0100
|
||||
+++ openssh-7.2p1/servconf.c 2016-02-12 18:56:52.185681954 +0100
|
||||
@@ -188,9 +188,12 @@ option_clear_or_none(const char *o)
|
||||
diff -up openssh-7.4p1/sandbox-seccomp-filter.c.fips openssh-7.4p1/sandbox-seccomp-filter.c
|
||||
--- openssh-7.4p1/sandbox-seccomp-filter.c.fips 2016-12-23 16:37:49.292741583 +0100
|
||||
+++ openssh-7.4p1/sandbox-seccomp-filter.c 2016-12-23 16:37:49.300741586 +0100
|
||||
@@ -118,6 +118,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_open
|
||||
SC_DENY(open, EACCES),
|
||||
#endif
|
||||
+#ifdef __NR_socket
|
||||
+ SC_DENY(socket, EACCES),
|
||||
+#endif
|
||||
#ifdef __NR_openat
|
||||
SC_DENY(openat, EACCES),
|
||||
#endif
|
||||
diff -up openssh-7.4p1/servconf.c.fips openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.fips 2016-12-23 16:37:49.285741579 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 16:37:49.299741586 +0100
|
||||
@@ -185,9 +185,12 @@ option_clear_or_none(const char *o)
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
@ -381,7 +405,7 @@ diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
&o->hostkeyalgorithms) != 0 ||
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
@@ -2376,8 +2379,10 @@ dump_config(ServerOptions *o)
|
||||
@@ -2390,8 +2393,10 @@ dump_config(ServerOptions *o)
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||
@ -394,7 +418,7 @@ diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
|
||||
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||
@@ -2392,8 +2397,8 @@ dump_config(ServerOptions *o)
|
||||
@@ -2406,8 +2411,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
|
||||
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
|
||||
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
||||
@ -405,10 +429,10 @@ diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
|
||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
||||
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
||||
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
|
||||
diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
|
||||
--- openssh-7.2p1/ssh.c.fips 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/ssh.c 2016-02-12 18:53:56.093665236 +0100
|
||||
@@ -75,6 +75,8 @@
|
||||
diff -up openssh-7.4p1/ssh.c.fips openssh-7.4p1/ssh.c
|
||||
--- openssh-7.4p1/ssh.c.fips 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh.c 2016-12-23 16:37:49.299741586 +0100
|
||||
@@ -76,6 +76,8 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
@ -417,7 +441,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -531,6 +533,14 @@ main(int ac, char **av)
|
||||
@@ -530,6 +532,14 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -432,7 +456,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
|
||||
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
@@ -608,6 +618,9 @@ main(int ac, char **av)
|
||||
@@ -609,6 +619,9 @@ main(int ac, char **av)
|
||||
"ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
@ -442,7 +466,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
|
||||
options.protocol = SSH_PROTO_1;
|
||||
break;
|
||||
case '2':
|
||||
@@ -952,7 +965,6 @@ main(int ac, char **av)
|
||||
@@ -964,7 +977,6 @@ main(int ac, char **av)
|
||||
host_arg = xstrdup(host);
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
@ -450,7 +474,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
|
||||
@@ -1126,6 +1138,10 @@ main(int ac, char **av)
|
||||
@@ -1175,6 +1187,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
@ -461,7 +485,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
|
||||
if (options.user == NULL)
|
||||
options.user = xstrdup(pw->pw_name);
|
||||
|
||||
@@ -1206,6 +1222,12 @@ main(int ac, char **av)
|
||||
@@ -1263,6 +1279,12 @@ main(int ac, char **av)
|
||||
|
||||
timeout_ms = options.connection_timeout * 1000;
|
||||
|
||||
@ -474,9 +498,9 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
|
||||
/* Open a connection to the remote host. */
|
||||
if (ssh_connect(host, addrs, &hostaddr, options.port,
|
||||
options.address_family, options.connection_attempts,
|
||||
diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
|
||||
--- openssh-7.2p1/sshconnect2.c.fips 2016-02-12 18:53:56.074665234 +0100
|
||||
+++ openssh-7.2p1/sshconnect2.c 2016-02-12 18:53:56.094665236 +0100
|
||||
diff -up openssh-7.4p1/sshconnect2.c.fips openssh-7.4p1/sshconnect2.c
|
||||
--- openssh-7.4p1/sshconnect2.c.fips 2016-12-23 16:37:49.275741574 +0100
|
||||
+++ openssh-7.4p1/sshconnect2.c 2016-12-23 16:37:49.299741586 +0100
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
@ -486,7 +510,7 @@ diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -171,21 +173,26 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
@@ -172,21 +174,26 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
|
||||
#ifdef GSSAPI
|
||||
if (options.gss_keyex) {
|
||||
@ -528,9 +552,9 @@ diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
|
||||
}
|
||||
}
|
||||
#endif
|
||||
diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
|
||||
--- openssh-7.2p1/sshd.c.fips 2016-02-12 18:53:56.088665235 +0100
|
||||
+++ openssh-7.2p1/sshd.c 2016-02-12 18:53:56.094665236 +0100
|
||||
diff -up openssh-7.4p1/sshd.c.fips openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.fips 2016-12-23 16:37:49.293741583 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 16:37:49.299741586 +0100
|
||||
@@ -66,6 +66,7 @@
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
@ -548,7 +572,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
@@ -1555,6 +1558,18 @@ main(int ac, char **av)
|
||||
@@ -1475,6 +1478,18 @@ main(int ac, char **av)
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
@ -567,7 +591,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
saved_argc = ac;
|
||||
rexec_argc = ac;
|
||||
@@ -1707,7 +1722,7 @@ main(int ac, char **av)
|
||||
@@ -1623,7 +1638,7 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
@ -576,18 +600,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
|
||||
OpenSSL_add_all_algorithms();
|
||||
#endif
|
||||
|
||||
@@ -1906,6 +1921,10 @@ main(int ac, char **av)
|
||||
sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
|
||||
free(fp);
|
||||
}
|
||||
+ if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
|
||||
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
|
||||
+ options.protocol &= ~SSH_PROTO_1;
|
||||
+ }
|
||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -2074,6 +2093,10 @@ main(int ac, char **av)
|
||||
@@ -1937,6 +1952,10 @@ main(int ac, char **av)
|
||||
/* Reinitialize the log (because of the fork above). */
|
||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||
|
||||
@ -598,7 +611,7 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
if (chdir("/") == -1)
|
||||
@@ -2695,10 +2718,14 @@ do_ssh2_kex(void)
|
||||
@@ -2309,10 +2328,14 @@ do_ssh2_kex(void)
|
||||
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
||||
orig = NULL;
|
||||
|
||||
@ -617,10 +630,10 @@ diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
|
||||
|
||||
if (gss && orig)
|
||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||
diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
|
||||
--- openssh-7.2p1/sshkey.c.fips 2016-02-12 18:53:56.089665235 +0100
|
||||
+++ openssh-7.2p1/sshkey.c 2016-02-12 18:53:56.095665236 +0100
|
||||
@@ -35,6 +35,7 @@
|
||||
diff -up openssh-7.4p1/sshkey.c.fips openssh-7.4p1/sshkey.c
|
||||
--- openssh-7.4p1/sshkey.c.fips 2016-12-23 16:37:49.293741583 +0100
|
||||
+++ openssh-7.4p1/sshkey.c 2016-12-23 16:37:49.300741586 +0100
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/pem.h>
|
||||
@ -628,7 +641,7 @@ diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
|
||||
#endif
|
||||
|
||||
#include "crypto_api.h"
|
||||
@@ -58,6 +58,7 @@
|
||||
@@ -56,6 +57,7 @@
|
||||
#include "digest.h"
|
||||
#define SSHKEY_INTERNAL
|
||||
#include "sshkey.h"
|
||||
@ -636,7 +649,7 @@ diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
|
||||
#include "match.h"
|
||||
#include "xmalloc.h"
|
||||
|
||||
@@ -1554,6 +1555,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||
@@ -1580,6 +1582,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||
}
|
||||
if (!BN_set_word(f4, RSA_F4) ||
|
||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||
@ -645,85 +658,3 @@ diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
|
||||
index 688b1b1..a3c1541 100644
|
||||
--- a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
|
||||
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
|
||||
@@ -55,6 +55,7 @@
|
||||
#include "secure_filename.h"
|
||||
#include "uidswap.h"
|
||||
#include <unistd.h>
|
||||
+#include <openssl/crypto.h>
|
||||
|
||||
#include "identity.h"
|
||||
|
||||
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
|
||||
found_key = 1;
|
||||
logit("matching key found: file/command %s, line %lu", file,
|
||||
linenum);
|
||||
- fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
||||
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
|
||||
+ SSH_FP_HEX);
|
||||
logit("Found matching %s key: %s",
|
||||
key_type(found), fp);
|
||||
free(fp);
|
||||
diff --git a/cipher.c b/cipher.c
|
||||
index f282907..51bbffb 100644
|
||||
--- a/cipher.c
|
||||
+++ b/cipher.c
|
||||
@@ -112,12 +112,6 @@ static const struct sshcipher fips_ciphers[] = {
|
||||
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
|
||||
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
|
||||
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
|
||||
-#ifdef OPENSSL_HAVE_EVPGCM
|
||||
- { "aes128-gcm@openssh.com",
|
||||
- SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
|
||||
- { "aes256-gcm@openssh.com",
|
||||
- SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
|
||||
-#endif
|
||||
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
diff --git a/kex.c b/kex.c
|
||||
index f07a636..4ce5843 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -123,8 +123,6 @@ static const struct kexalg kexalgs[] = {
|
||||
};
|
||||
|
||||
static const struct kexalg kexalgs_fips[] = {
|
||||
- { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
- { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
{ KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
#endif
|
||||
diff --git a/myproposal.h b/myproposal.h
|
||||
index 7efe312..bcf2ae1 100644
|
||||
--- a/myproposal.h
|
||||
+++ b/myproposal.h
|
||||
@@ -131,9 +131,7 @@
|
||||
|
||||
#define KEX_DEFAULT_KEX_FIPS \
|
||||
KEX_ECDH_METHODS \
|
||||
- KEX_SHA2_METHODS \
|
||||
- "diffie-hellman-group-exchange-sha1," \
|
||||
- "diffie-hellman-group14-sha1"
|
||||
+ KEX_SHA2_METHODS
|
||||
#define KEX_FIPS_ENCRYPT \
|
||||
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||
"aes128-cbc,3des-cbc," \
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index a3975eb..5224084 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -112,6 +112,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_open
|
||||
SC_DENY(open, EACCES),
|
||||
#endif
|
||||
+#ifdef __NR_socket
|
||||
+ SC_DENY(socket, EACCES),
|
||||
+#endif
|
||||
#ifdef __NR_openat
|
||||
SC_DENY(openat, EACCES),
|
||||
#endif
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-7.2p1/auth2.c.gsskex openssh-7.2p1/auth2.c
|
||||
--- openssh-7.2p1/auth2.c.gsskex 2016-02-19 10:01:04.829969345 +0100
|
||||
+++ openssh-7.2p1/auth2.c 2016-02-19 10:01:04.865969325 +0100
|
||||
diff -up openssh-7.4p1/auth2.c.gsskex openssh-7.4p1/auth2.c
|
||||
--- openssh-7.4p1/auth2.c.gsskex 2016-12-23 13:38:53.685300997 +0100
|
||||
+++ openssh-7.4p1/auth2.c 2016-12-23 13:38:53.725301005 +0100
|
||||
@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
|
||||
extern Authmethod method_kbdint;
|
||||
extern Authmethod method_hostbased;
|
||||
@ -17,9 +17,9 @@ diff -up openssh-7.2p1/auth2.c.gsskex openssh-7.2p1/auth2.c
|
||||
&method_gssapi,
|
||||
#endif
|
||||
&method_passwd,
|
||||
diff -up openssh-7.2p1/auth2-gss.c.gsskex openssh-7.2p1/auth2-gss.c
|
||||
--- openssh-7.2p1/auth2-gss.c.gsskex 2016-02-19 10:01:04.829969345 +0100
|
||||
+++ openssh-7.2p1/auth2-gss.c 2016-02-19 10:01:04.865969325 +0100
|
||||
diff -up openssh-7.4p1/auth2-gss.c.gsskex openssh-7.4p1/auth2-gss.c
|
||||
--- openssh-7.4p1/auth2-gss.c.gsskex 2016-12-23 13:38:53.685300997 +0100
|
||||
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 13:38:53.725301005 +0100
|
||||
@@ -31,6 +31,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -102,21 +102,10 @@ diff -up openssh-7.2p1/auth2-gss.c.gsskex openssh-7.2p1/auth2-gss.c
|
||||
Authmethod method_gssapi = {
|
||||
"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
diff -up openssh-7.2p1/auth.c.gsskex openssh-7.2p1/auth.c
|
||||
--- openssh-7.2p1/auth.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/auth.c 2016-02-19 10:01:04.866969324 +0100
|
||||
@@ -354,6 +354,7 @@ auth_root_allowed(const char *method)
|
||||
case PERMIT_NO_PASSWD:
|
||||
if (strcmp(method, "publickey") == 0 ||
|
||||
strcmp(method, "hostbased") == 0 ||
|
||||
+ strcmp(method, "gssapi-keyex") == 0 ||
|
||||
strcmp(method, "gssapi-with-mic") == 0)
|
||||
return 1;
|
||||
break;
|
||||
diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
|
||||
--- openssh-7.2p1/clientloop.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/clientloop.c 2016-02-19 10:01:04.866969324 +0100
|
||||
@@ -114,6 +114,10 @@
|
||||
diff -up openssh-7.4p1/clientloop.c.gsskex openssh-7.4p1/clientloop.c
|
||||
--- openssh-7.4p1/clientloop.c.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/clientloop.c 2016-12-23 13:38:53.725301005 +0100
|
||||
@@ -113,6 +113,10 @@
|
||||
#include "ssherr.h"
|
||||
#include "hostfile.h"
|
||||
|
||||
@ -127,7 +116,7 @@ diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
|
||||
/* import options */
|
||||
extern Options options;
|
||||
|
||||
@@ -1662,9 +1666,18 @@ client_loop(int have_pty, int escape_cha
|
||||
@@ -1664,9 +1668,18 @@ client_loop(int have_pty, int escape_cha
|
||||
break;
|
||||
|
||||
/* Do channel operations unless rekeying in progress. */
|
||||
@ -137,7 +126,7 @@ diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
|
||||
|
||||
+#ifdef GSSAPI
|
||||
+ if (options.gss_renewal_rekey &&
|
||||
+ ssh_gssapi_credentials_updated(GSS_C_NO_CONTEXT)) {
|
||||
+ ssh_gssapi_credentials_updated(NULL)) {
|
||||
+ debug("credentials updated - forcing rekey");
|
||||
+ need_rekeying = 1;
|
||||
+ }
|
||||
@ -147,10 +136,10 @@ diff -up openssh-7.2p1/clientloop.c.gsskex openssh-7.2p1/clientloop.c
|
||||
/* Buffer input from the connection. */
|
||||
client_process_net_input(readset);
|
||||
|
||||
diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac
|
||||
--- openssh-7.2p1/configure.ac.gsskex 2016-02-19 10:01:04.857969329 +0100
|
||||
+++ openssh-7.2p1/configure.ac 2016-02-19 10:01:04.867969323 +0100
|
||||
@@ -632,6 +632,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
diff -up openssh-7.4p1/configure.ac.gsskex openssh-7.4p1/configure.ac
|
||||
--- openssh-7.4p1/configure.ac.gsskex 2016-12-23 13:38:53.716301003 +0100
|
||||
+++ openssh-7.4p1/configure.ac 2016-12-23 13:38:53.726301005 +0100
|
||||
@@ -623,6 +623,30 @@ main() { if (NSVersionOfRunTimeLibrary("
|
||||
[Use tunnel device compatibility to OpenBSD])
|
||||
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
|
||||
[Prepend the address family to IP tunnel traffic])
|
||||
@ -181,10 +170,10 @@ diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac
|
||||
m4_pattern_allow([AU_IPv])
|
||||
AC_CHECK_DECL([AU_IPv4], [],
|
||||
AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
|
||||
diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
|
||||
--- openssh-7.2p1/gss-genr.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/gss-genr.c 2016-02-19 10:01:04.867969323 +0100
|
||||
@@ -41,12 +41,167 @@
|
||||
diff -up openssh-7.4p1/gss-genr.c.gsskex openssh-7.4p1/gss-genr.c
|
||||
--- openssh-7.4p1/gss-genr.c.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/gss-genr.c 2016-12-23 13:38:53.726301005 +0100
|
||||
@@ -40,12 +40,167 @@
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "ssh2.h"
|
||||
@ -352,7 +341,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
|
||||
/* Check that the OID in a data stream matches that in the context */
|
||||
int
|
||||
ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
|
||||
@@ -199,7 +354,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
|
||||
@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
|
||||
}
|
||||
|
||||
ctx->major = gss_init_sec_context(&ctx->minor,
|
||||
@ -361,7 +350,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
|
||||
GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
|
||||
0, NULL, recv_tok, NULL, send_tok, flags, NULL);
|
||||
|
||||
@@ -229,8 +384,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
|
||||
@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
|
||||
}
|
||||
|
||||
OM_uint32
|
||||
@ -404,7 +393,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
|
||||
if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
|
||||
GSS_C_QOP_DEFAULT, buffer, hash)))
|
||||
ssh_gssapi_error(ctx);
|
||||
@@ -238,6 +427,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
|
||||
@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
|
||||
return (ctx->major);
|
||||
}
|
||||
|
||||
@ -424,7 +413,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
|
||||
void
|
||||
ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
|
||||
const char *context)
|
||||
@@ -251,11 +453,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
|
||||
@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
|
||||
}
|
||||
|
||||
int
|
||||
@ -442,7 +431,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
|
||||
|
||||
/* RFC 4462 says we MUST NOT do SPNEGO */
|
||||
if (oid->length == spnego_oid.length &&
|
||||
@@ -265,6 +472,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
ssh_gssapi_build_ctx(ctx);
|
||||
ssh_gssapi_set_oid(*ctx, oid);
|
||||
major = ssh_gssapi_import_name(*ctx, host);
|
||||
@ -453,7 +442,7 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
|
||||
if (!GSS_ERROR(major)) {
|
||||
major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token,
|
||||
NULL);
|
||||
@@ -274,10 +485,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
|
||||
GSS_C_NO_BUFFER);
|
||||
}
|
||||
|
||||
@ -521,9 +510,9 @@ diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
|
||||
+}
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
|
||||
--- openssh-7.2p1/gss-serv.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/gss-serv.c 2016-02-19 10:01:04.867969323 +0100
|
||||
diff -up openssh-7.4p1/gss-serv.c.gsskex openssh-7.4p1/gss-serv.c
|
||||
--- openssh-7.4p1/gss-serv.c.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/gss-serv.c 2016-12-23 13:38:53.727301005 +0100
|
||||
@@ -45,17 +45,19 @@
|
||||
#include "session.h"
|
||||
#include "misc.h"
|
||||
@ -536,9 +525,10 @@ diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
|
||||
extern ServerOptions options;
|
||||
|
||||
static ssh_gssapi_client gssapi_client =
|
||||
{ GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
|
||||
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
|
||||
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}};
|
||||
+ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, {NULL, NULL, NULL}, 0, 0};
|
||||
+ { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, GSS_C_NO_CREDENTIAL,
|
||||
+ GSS_C_NO_NAME, NULL, {NULL, NULL, NULL, NULL, NULL}, 0, 0};
|
||||
|
||||
ssh_gssapi_mech gssapi_null_mech =
|
||||
- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL};
|
||||
@ -805,9 +795,9 @@ diff -up openssh-7.2p1/gss-serv.c.gsskex openssh-7.2p1/gss-serv.c
|
||||
}
|
||||
|
||||
#endif
|
||||
diff -up openssh-7.2p1/gss-serv-krb5.c.gsskex openssh-7.2p1/gss-serv-krb5.c
|
||||
--- openssh-7.2p1/gss-serv-krb5.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/gss-serv-krb5.c 2016-02-19 10:01:04.867969323 +0100
|
||||
diff -up openssh-7.4p1/gss-serv-krb5.c.gsskex openssh-7.4p1/gss-serv-krb5.c
|
||||
--- openssh-7.4p1/gss-serv-krb5.c.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 13:38:53.727301005 +0100
|
||||
@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
krb5_error_code problem;
|
||||
krb5_principal princ;
|
||||
@ -935,9 +925,9 @@ diff -up openssh-7.2p1/gss-serv-krb5.c.gsskex openssh-7.2p1/gss-serv-krb5.c
|
||||
};
|
||||
|
||||
#endif /* KRB5 */
|
||||
diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
|
||||
--- openssh-7.2p1/kex.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/kex.c 2016-02-19 10:01:04.868969323 +0100
|
||||
diff -up openssh-7.4p1/kex.c.gsskex openssh-7.4p1/kex.c
|
||||
--- openssh-7.4p1/kex.c.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/kex.c 2016-12-23 13:39:56.064313151 +0100
|
||||
@@ -54,6 +54,10 @@
|
||||
#include "sshbuf.h"
|
||||
#include "digest.h"
|
||||
@ -949,9 +939,9 @@ diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
|
||||
# if defined(HAVE_EVP_SHA256)
|
||||
# define evp_ssh_sha256 EVP_sha256
|
||||
@@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = {
|
||||
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
|
||||
@@ -111,6 +115,11 @@ static const struct kexalg kexalgs[] = {
|
||||
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
||||
+#ifdef GSSAPI
|
||||
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
@ -961,7 +951,7 @@ diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
|
||||
{ NULL, -1, -1, -1},
|
||||
};
|
||||
|
||||
@@ -140,6 +149,12 @@ kex_alg_by_name(const char *name)
|
||||
@@ -144,6 +153,12 @@ kex_alg_by_name(const char *name)
|
||||
for (k = kexalgs; k->name != NULL; k++) {
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
@ -974,9 +964,9 @@ diff -up openssh-7.2p1/kex.c.gsskex openssh-7.2p1/kex.c
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff -up openssh-7.2p1/kexgssc.c.gsskex openssh-7.2p1/kexgssc.c
|
||||
--- openssh-7.2p1/kexgssc.c.gsskex 2016-02-19 10:01:04.868969323 +0100
|
||||
+++ openssh-7.2p1/kexgssc.c 2016-02-19 10:01:04.868969323 +0100
|
||||
diff -up openssh-7.4p1/kexgssc.c.gsskex openssh-7.4p1/kexgssc.c
|
||||
--- openssh-7.4p1/kexgssc.c.gsskex 2016-12-23 13:38:53.727301005 +0100
|
||||
+++ openssh-7.4p1/kexgssc.c 2016-12-23 13:38:53.727301005 +0100
|
||||
@@ -0,0 +1,338 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1316,9 +1306,9 @@ diff -up openssh-7.2p1/kexgssc.c.gsskex openssh-7.2p1/kexgssc.c
|
||||
+}
|
||||
+
|
||||
+#endif /* GSSAPI */
|
||||
diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
|
||||
--- openssh-7.2p1/kexgsss.c.gsskex 2016-02-19 10:01:04.868969323 +0100
|
||||
+++ openssh-7.2p1/kexgsss.c 2016-02-19 10:01:04.868969323 +0100
|
||||
diff -up openssh-7.4p1/kexgsss.c.gsskex openssh-7.4p1/kexgsss.c
|
||||
--- openssh-7.4p1/kexgsss.c.gsskex 2016-12-23 13:38:53.728301005 +0100
|
||||
+++ openssh-7.4p1/kexgsss.c 2016-12-23 13:38:53.728301005 +0100
|
||||
@@ -0,0 +1,297 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||
@ -1617,10 +1607,10 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
|
||||
+ return 0;
|
||||
+}
|
||||
+#endif /* GSSAPI */
|
||||
diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
|
||||
--- openssh-7.2p1/kex.h.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/kex.h 2016-02-19 10:01:04.868969323 +0100
|
||||
@@ -92,6 +92,11 @@ enum kex_exchange {
|
||||
diff -up openssh-7.4p1/kex.h.gsskex openssh-7.4p1/kex.h
|
||||
--- openssh-7.4p1/kex.h.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/kex.h 2016-12-23 13:38:53.728301005 +0100
|
||||
@@ -99,6 +99,11 @@ enum kex_exchange {
|
||||
KEX_DH_GEX_SHA256,
|
||||
KEX_ECDH_SHA2,
|
||||
KEX_C25519_SHA256,
|
||||
@ -1632,7 +1622,7 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
|
||||
KEX_MAX
|
||||
};
|
||||
|
||||
@@ -140,6 +145,12 @@ struct kex {
|
||||
@@ -147,6 +152,12 @@ struct kex {
|
||||
u_int flags;
|
||||
int hash_alg;
|
||||
int ec_nid;
|
||||
@ -1645,7 +1635,7 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
|
||||
char *client_version_string;
|
||||
char *server_version_string;
|
||||
char *failed_choice;
|
||||
@@ -189,6 +200,10 @@ int kexecdh_client(struct ssh *);
|
||||
@@ -196,6 +207,10 @@ int kexecdh_client(struct ssh *);
|
||||
int kexecdh_server(struct ssh *);
|
||||
int kexc25519_client(struct ssh *);
|
||||
int kexc25519_server(struct ssh *);
|
||||
@ -1656,10 +1646,10 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
|
||||
|
||||
int kex_dh_hash(int, const char *, const char *,
|
||||
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
|
||||
diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
|
||||
--- openssh/Makefile.in.gsskex 2016-07-25 14:11:42.978324182 +0200
|
||||
+++ openssh/Makefile.in 2016-07-25 14:14:15.560289050 +0200
|
||||
@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
diff -up openssh-7.4p1/Makefile.in.gsskex openssh-7.4p1/Makefile.in
|
||||
--- openssh-7.4p1/Makefile.in.gsskex 2016-12-23 13:38:53.723301004 +0100
|
||||
+++ openssh-7.4p1/Makefile.in 2016-12-23 13:40:32.226320197 +0100
|
||||
@@ -91,6 +91,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
|
||||
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
@ -1667,19 +1657,19 @@ diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
ssh-pkcs11.o smult_curve25519_ref.o \
|
||||
poly1305.o chacha.o cipher-chachapoly.o \
|
||||
@@ -111,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
@@ -112,7 +113,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
|
||||
auth2-none.o auth2-passwd.o auth2-pubkey.o \
|
||||
monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
|
||||
monitor.o monitor_wrap.o auth-krb5.o \
|
||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||
sftp-server.o sftp-common.o \
|
||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||
diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
|
||||
--- openssh-7.2p1/monitor.c.gsskex 2016-02-19 10:01:04.830969345 +0100
|
||||
+++ openssh-7.2p1/monitor.c 2016-02-19 10:01:04.869969322 +0100
|
||||
@@ -159,6 +159,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
|
||||
diff -up openssh-7.4p1/monitor.c.gsskex openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.gsskex 2016-12-23 13:38:53.687300997 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 13:45:49.347381091 +0100
|
||||
@@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
|
||||
int mm_answer_gss_accept_ctx(int, Buffer *);
|
||||
int mm_answer_gss_userok(int, Buffer *);
|
||||
int mm_answer_gss_checkmic(int, Buffer *);
|
||||
@ -1688,10 +1678,10 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
|
||||
#endif
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
@@ -239,11 +241,18 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
|
||||
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
|
||||
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
|
||||
@@ -236,11 +238,18 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx},
|
||||
{MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok},
|
||||
{MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic},
|
||||
+ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
@ -1707,7 +1697,7 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
|
||||
#ifdef WITH_OPENSSL
|
||||
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
|
||||
#endif
|
||||
@@ -358,6 +367,10 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
@@ -307,6 +316,10 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
/* Permit requests for moduli and signatures */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||
@ -1715,10 +1705,10 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
|
||||
+ /* and for the GSSAPI key exchange */
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
|
||||
+#endif
|
||||
} else {
|
||||
mon_dispatch = mon_dispatch_proto15;
|
||||
|
||||
@@ -466,6 +479,10 @@ monitor_child_postauth(struct monitor *p
|
||||
/* The first few requests do not require asynchronous access */
|
||||
while (!authenticated) {
|
||||
@@ -406,6 +419,10 @@ monitor_child_postauth(struct monitor *p
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||
@ -1726,10 +1716,10 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
|
||||
+ /* and for the GSSAPI key exchange */
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1);
|
||||
+#endif
|
||||
} else {
|
||||
mon_dispatch = mon_dispatch_postauth15;
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
|
||||
@@ -1893,6 +1910,13 @@ monitor_apply_keystate(struct monitor *p
|
||||
|
||||
if (!no_pty_flag) {
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
||||
@@ -1633,6 +1650,13 @@ monitor_apply_keystate(struct monitor *p
|
||||
# endif
|
||||
#endif /* WITH_OPENSSL */
|
||||
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
||||
@ -1743,27 +1733,25 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
|
||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||
kex->load_host_private_key=&get_hostkey_private_by_type;
|
||||
kex->host_key_index=&get_hostkey_index;
|
||||
@@ -1992,6 +2016,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
||||
@@ -1712,7 +1736,7 @@ mm_answer_gss_setup_ctx(int sock, Buffer
|
||||
OM_uint32 major;
|
||||
u_int len;
|
||||
|
||||
- if (!options.gss_authentication)
|
||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
|
||||
+
|
||||
goid.elements = buffer_get_string(m, &len);
|
||||
goid.length = len;
|
||||
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||
|
||||
@@ -2019,6 +2046,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
goid.elements = buffer_get_string(m, &len);
|
||||
@@ -1742,7 +1766,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
OM_uint32 flags = 0; /* GSI needs this */
|
||||
u_int len;
|
||||
|
||||
- if (!options.gss_authentication)
|
||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
|
||||
+
|
||||
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||
|
||||
in.value = buffer_get_string(m, &len);
|
||||
in.length = len;
|
||||
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
|
||||
@@ -2036,6 +2066,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
@@ -1762,6 +1786,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
|
||||
@ -1771,30 +1759,30 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
@@ -2047,6 +2078,9 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||
@@ -1773,7 +1798,7 @@ mm_answer_gss_checkmic(int sock, Buffer
|
||||
OM_uint32 ret;
|
||||
u_int len;
|
||||
|
||||
- if (!options.gss_authentication)
|
||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
|
||||
+
|
||||
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||
|
||||
gssbuf.value = buffer_get_string(m, &len);
|
||||
gssbuf.length = len;
|
||||
mic.value = buffer_get_string(m, &len);
|
||||
@@ -2073,7 +2107,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -1802,10 +1827,11 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
{
|
||||
int authenticated;
|
||||
|
||||
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
||||
- if (!options.gss_authentication)
|
||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||
+ fatal("In GSSAPI monitor when GSSAPI is disabled");
|
||||
+
|
||||
fatal("%s: GSSAPI authentication not enabled", __func__);
|
||||
|
||||
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
||||
+ authenticated = authctxt->valid &&
|
||||
+ ssh_gssapi_userok(authctxt->user, authctxt->pw);
|
||||
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, authenticated);
|
||||
@@ -2086,5 +2124,73 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -1818,5 +1844,73 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
}
|
||||
@ -1868,9 +1856,9 @@ diff -up openssh-7.2p1/monitor.c.gsskex openssh-7.2p1/monitor.c
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
|
||||
diff -up openssh-7.2p1/monitor.h.gsskex openssh-7.2p1/monitor.h
|
||||
--- openssh-7.2p1/monitor.h.gsskex 2016-02-19 10:01:04.830969345 +0100
|
||||
+++ openssh-7.2p1/monitor.h 2016-02-19 10:01:04.869969322 +0100
|
||||
diff -up openssh-7.4p1/monitor.h.gsskex openssh-7.4p1/monitor.h
|
||||
--- openssh-7.4p1/monitor.h.gsskex 2016-12-23 13:38:53.687300997 +0100
|
||||
+++ openssh-7.4p1/monitor.h 2016-12-23 13:38:53.729301005 +0100
|
||||
@@ -60,6 +60,8 @@ enum monitor_reqtype {
|
||||
#ifdef WITH_SELINUX
|
||||
MONITOR_REQ_AUTHROLE = 80,
|
||||
@ -1880,10 +1868,10 @@ diff -up openssh-7.2p1/monitor.h.gsskex openssh-7.2p1/monitor.h
|
||||
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
|
||||
--- openssh-7.2p1/monitor_wrap.c.gsskex 2016-02-19 10:01:04.830969345 +0100
|
||||
+++ openssh-7.2p1/monitor_wrap.c 2016-02-19 10:01:04.869969322 +0100
|
||||
@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.gsskex openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.gsskex 2016-12-23 13:38:53.687300997 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 13:38:53.729301005 +0100
|
||||
@@ -943,7 +943,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
|
||||
}
|
||||
|
||||
int
|
||||
@ -1892,7 +1880,7 @@ diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
|
||||
{
|
||||
Buffer m;
|
||||
int authenticated = 0;
|
||||
@@ -1104,5 +1104,50 @@ mm_ssh_gssapi_userok(char *user)
|
||||
@@ -960,5 +960,50 @@ mm_ssh_gssapi_userok(char *user)
|
||||
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
|
||||
return (authenticated);
|
||||
}
|
||||
@ -1943,10 +1931,10 @@ diff -up openssh-7.2p1/monitor_wrap.c.gsskex openssh-7.2p1/monitor_wrap.c
|
||||
+
|
||||
#endif /* GSSAPI */
|
||||
|
||||
diff -up openssh-7.2p1/monitor_wrap.h.gsskex openssh-7.2p1/monitor_wrap.h
|
||||
--- openssh-7.2p1/monitor_wrap.h.gsskex 2016-02-19 10:01:04.830969345 +0100
|
||||
+++ openssh-7.2p1/monitor_wrap.h 2016-02-19 10:01:04.869969322 +0100
|
||||
@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
|
||||
diff -up openssh-7.4p1/monitor_wrap.h.gsskex openssh-7.4p1/monitor_wrap.h
|
||||
--- openssh-7.4p1/monitor_wrap.h.gsskex 2016-12-23 13:38:53.687300997 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 13:38:53.729301005 +0100
|
||||
@@ -58,8 +58,10 @@ int mm_key_verify(Key *, u_char *, u_int
|
||||
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
|
||||
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
|
||||
@ -1958,10 +1946,10 @@ diff -up openssh-7.2p1/monitor_wrap.h.gsskex openssh-7.2p1/monitor_wrap.h
|
||||
#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
|
||||
--- openssh-7.2p1/readconf.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/readconf.c 2016-02-19 10:01:04.870969322 +0100
|
||||
@@ -148,6 +148,8 @@ typedef enum {
|
||||
diff -up openssh-7.4p1/readconf.c.gsskex openssh-7.4p1/readconf.c
|
||||
--- openssh-7.4p1/readconf.c.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/readconf.c 2016-12-23 13:38:53.730301005 +0100
|
||||
@@ -160,6 +160,8 @@ typedef enum {
|
||||
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
@ -1970,7 +1958,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -193,10 +195,19 @@ static struct {
|
||||
@@ -205,10 +207,19 @@ static struct {
|
||||
{ "afstokenpassing", oUnsupported },
|
||||
#if defined(GSSAPI)
|
||||
{ "gssapiauthentication", oGssAuthentication },
|
||||
@ -1990,7 +1978,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
|
||||
#endif
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
@@ -926,10 +937,30 @@ parse_time:
|
||||
@@ -961,10 +972,30 @@ parse_time:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2021,7 +2009,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -1648,7 +1679,12 @@ initialize_options(Options * options)
|
||||
@@ -1776,7 +1807,12 @@ initialize_options(Options * options)
|
||||
options->pubkey_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
options->gss_authentication = -1;
|
||||
@ -2034,7 +2022,7 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -1777,8 +1813,14 @@ fill_default_options(Options * options)
|
||||
@@ -1920,8 +1956,14 @@ fill_default_options(Options * options)
|
||||
options->challenge_response_authentication = 1;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2049,9 +2037,9 @@ diff -up openssh-7.2p1/readconf.c.gsskex openssh-7.2p1/readconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
|
||||
--- openssh-7.2p1/readconf.h.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/readconf.h 2016-02-19 10:01:04.870969322 +0100
|
||||
diff -up openssh-7.4p1/readconf.h.gsskex openssh-7.4p1/readconf.h
|
||||
--- openssh-7.4p1/readconf.h.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/readconf.h 2016-12-23 13:38:53.730301005 +0100
|
||||
@@ -45,7 +45,12 @@ typedef struct {
|
||||
int challenge_response_authentication;
|
||||
/* Try S/Key or TIS, authentication. */
|
||||
@ -2065,9 +2053,9 @@ diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
|
||||
--- openssh/regress/cert-hostkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200
|
||||
+++ openssh/regress/cert-hostkey.sh 2016-07-25 14:15:17.784274722 +0200
|
||||
diff -up openssh-7.4p1/regress/cert-hostkey.sh.gsskex openssh-7.4p1/regress/cert-hostkey.sh
|
||||
--- openssh-7.4p1/regress/cert-hostkey.sh.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/regress/cert-hostkey.sh 2016-12-23 13:38:53.731301006 +0100
|
||||
@@ -59,7 +59,7 @@ touch $OBJ/host_revoked_plain
|
||||
touch $OBJ/host_revoked_cert
|
||||
cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
|
||||
@ -2077,9 +2065,9 @@ diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
|
||||
|
||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||
diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
|
||||
--- openssh/regress/cert-userkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200
|
||||
+++ openssh/regress/cert-userkey.sh 2016-07-25 14:15:36.769270354 +0200
|
||||
diff -up openssh-7.4p1/regress/cert-userkey.sh.gsskex openssh-7.4p1/regress/cert-userkey.sh
|
||||
--- openssh-7.4p1/regress/cert-userkey.sh.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/regress/cert-userkey.sh 2016-12-23 13:38:53.731301006 +0100
|
||||
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
||||
@ -2089,9 +2077,9 @@ diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
|
||||
|
||||
if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
|
||||
PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
|
||||
diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
|
||||
--- openssh/regress/kextype.sh.gsskex 2016-07-24 13:50:13.000000000 +0200
|
||||
+++ openssh/regress/kextype.sh 2016-07-25 14:11:42.987324180 +0200
|
||||
diff -up openssh-7.4p1/regress/kextype.sh.gsskex openssh-7.4p1/regress/kextype.sh
|
||||
--- openssh-7.4p1/regress/kextype.sh.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/regress/kextype.sh 2016-12-23 13:38:53.731301006 +0100
|
||||
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
|
||||
|
||||
tries="1 2 3 4"
|
||||
@ -2102,9 +2090,9 @@ diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
|
||||
verbose "kex $k"
|
||||
for i in $tries; do
|
||||
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
|
||||
diff -up openssh-7.2p1/regress/rekey.sh.gsskex openssh-7.2p1/regress/rekey.sh
|
||||
--- openssh-7.2p1/regress/rekey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/regress/rekey.sh 2016-02-19 10:01:04.870969322 +0100
|
||||
diff -up openssh-7.4p1/regress/rekey.sh.gsskex openssh-7.4p1/regress/rekey.sh
|
||||
--- openssh-7.4p1/regress/rekey.sh.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/regress/rekey.sh 2016-12-23 13:38:53.731301006 +0100
|
||||
@@ -38,6 +38,9 @@ increase_datafile_size 300
|
||||
|
||||
opts=""
|
||||
@ -2125,10 +2113,10 @@ diff -up openssh-7.2p1/regress/rekey.sh.gsskex openssh-7.2p1/regress/rekey.sh
|
||||
verbose "client rekey $c $kex"
|
||||
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
|
||||
done
|
||||
diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
|
||||
--- openssh-7.2p1/servconf.c.gsskex 2016-02-19 10:01:04.857969329 +0100
|
||||
+++ openssh-7.2p1/servconf.c 2016-02-19 10:01:04.870969322 +0100
|
||||
@@ -117,8 +117,10 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-7.4p1/servconf.c.gsskex openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.gsskex 2016-12-23 13:38:53.717301003 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 13:38:53.732301006 +0100
|
||||
@@ -113,8 +113,10 @@ initialize_server_options(ServerOptions
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
options->gss_authentication=-1;
|
||||
@ -2139,7 +2127,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -288,10 +290,14 @@ fill_default_server_options(ServerOption
|
||||
@@ -268,10 +270,14 @@ fill_default_server_options(ServerOption
|
||||
options->kerberos_get_afs_token = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
@ -2154,7 +2142,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -422,7 +428,7 @@ typedef enum {
|
||||
@@ -410,7 +416,7 @@ typedef enum {
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
@ -2163,7 +2151,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sHostCertificate,
|
||||
@@ -496,11 +502,17 @@ static struct {
|
||||
@@ -484,11 +490,17 @@ static struct {
|
||||
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
@ -2181,7 +2169,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
|
||||
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
|
||||
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
|
||||
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
|
||||
@@ -1246,6 +1258,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1211,6 +1223,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2192,7 +2180,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
|
||||
case sGssCleanupCreds:
|
||||
intptr = &options->gss_cleanup_creds;
|
||||
goto parse_flag;
|
||||
@@ -1254,6 +1270,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1219,6 +1235,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_strict_acceptor;
|
||||
goto parse_flag;
|
||||
|
||||
@ -2203,7 +2191,7 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2274,6 +2294,9 @@ dump_config(ServerOptions *o)
|
||||
@@ -2257,6 +2277,9 @@ dump_config(ServerOptions *o)
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
|
||||
@ -2213,10 +2201,10 @@ diff -up openssh-7.2p1/servconf.c.gsskex openssh-7.2p1/servconf.c
|
||||
#endif
|
||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
diff -up openssh-7.2p1/servconf.h.gsskex openssh-7.2p1/servconf.h
|
||||
--- openssh-7.2p1/servconf.h.gsskex 2016-02-19 10:01:04.857969329 +0100
|
||||
+++ openssh-7.2p1/servconf.h 2016-02-19 10:01:04.871969321 +0100
|
||||
@@ -118,8 +118,10 @@ typedef struct {
|
||||
diff -up openssh-7.4p1/servconf.h.gsskex openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.gsskex 2016-12-23 13:38:53.717301003 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 13:38:53.732301006 +0100
|
||||
@@ -112,8 +112,10 @@ typedef struct {
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
@ -2227,31 +2215,26 @@ diff -up openssh-7.2p1/servconf.h.gsskex openssh-7.2p1/servconf.h
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
|
||||
--- openssh-7.2p1/ssh_config.5.gsskex 2016-02-19 10:01:04.871969321 +0100
|
||||
+++ openssh-7.2p1/ssh_config.5 2016-02-19 10:05:58.630146245 +0100
|
||||
@@ -824,10 +824,40 @@ The default is
|
||||
diff -up openssh-7.4p1/ssh_config.5.gsskex openssh-7.4p1/ssh_config.5
|
||||
--- openssh-7.4p1/ssh_config.5.gsskex 2016-12-23 13:38:53.732301006 +0100
|
||||
+++ openssh-7.4p1/ssh_config.5 2016-12-23 13:48:00.502331870 +0100
|
||||
@@ -748,10 +748,40 @@ The default is
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is
|
||||
.Dq no .
|
||||
.Cm no .
|
||||
+.It Cm GSSAPIClientIdentity
|
||||
+If set, specifies the GSSAPI client identity that ssh should use when
|
||||
+connecting to the server. The default is unset, which means that the default
|
||||
+identity will be used.
|
||||
.It Cm GSSAPIDelegateCredentials
|
||||
Forward (delegate) credentials to the server.
|
||||
The default is
|
||||
.Cm no .
|
||||
+.It Cm GSSAPIKeyExchange
|
||||
+Specifies whether key exchange based on GSSAPI may be used. When using
|
||||
+GSSAPI key exchange the server need not have a host key.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
+.It Cm GSSAPIClientIdentity
|
||||
+If set, specifies the GSSAPI client identity that ssh should use when
|
||||
+connecting to the server. The default is unset, which means that the default
|
||||
+identity will be used.
|
||||
+.It Cm GSSAPIServerIdentity
|
||||
+If set, specifies the GSSAPI server identity that ssh should expect when
|
||||
+connecting to the server. The default is unset, which means that the
|
||||
+expected GSSAPI server identity will be determined from the target
|
||||
+hostname.
|
||||
.It Cm GSSAPIDelegateCredentials
|
||||
Forward (delegate) credentials to the server.
|
||||
The default is
|
||||
.Dq no .
|
||||
+.It Cm GSSAPIRenewalForcesRekey
|
||||
+If set to
|
||||
+.Dq yes
|
||||
@ -2260,6 +2243,11 @@ diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
|
||||
+credentials to a session on the server.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
+.It Cm GSSAPIServerIdentity
|
||||
+If set, specifies the GSSAPI server identity that ssh should expect when
|
||||
+connecting to the server. The default is unset, which means that the
|
||||
+expected GSSAPI server identity will be determined from the target
|
||||
+hostname.
|
||||
+.It Cm GSSAPITrustDns
|
||||
+Set to
|
||||
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
||||
@ -2271,9 +2259,9 @@ diff -up openssh-7.2p1/ssh_config.5.gsskex openssh-7.2p1/ssh_config.5
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff -up openssh-7.2p1/ssh_config.gsskex openssh-7.2p1/ssh_config
|
||||
--- openssh-7.2p1/ssh_config.gsskex 2016-02-19 10:01:04.852969332 +0100
|
||||
+++ openssh-7.2p1/ssh_config 2016-02-19 10:01:04.871969321 +0100
|
||||
diff -up openssh-7.4p1/ssh_config.gsskex openssh-7.4p1/ssh_config
|
||||
--- openssh-7.4p1/ssh_config.gsskex 2016-12-23 13:38:53.708301001 +0100
|
||||
+++ openssh-7.4p1/ssh_config 2016-12-23 13:38:53.733301006 +0100
|
||||
@@ -26,6 +26,8 @@
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
@ -2283,10 +2271,10 @@ diff -up openssh-7.2p1/ssh_config.gsskex openssh-7.2p1/ssh_config
|
||||
# BatchMode no
|
||||
# CheckHostIP yes
|
||||
# AddressFamily any
|
||||
diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
|
||||
--- openssh-7.2p1/sshconnect2.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/sshconnect2.c 2016-02-19 10:01:04.872969321 +0100
|
||||
@@ -161,9 +161,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
diff -up openssh-7.4p1/sshconnect2.c.gsskex openssh-7.4p1/sshconnect2.c
|
||||
--- openssh-7.4p1/sshconnect2.c.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshconnect2.c 2016-12-23 13:38:53.733301006 +0100
|
||||
@@ -162,9 +162,34 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
struct kex *kex;
|
||||
int r;
|
||||
|
||||
@ -2321,7 +2309,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
|
||||
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
|
||||
fatal("%s: kex_names_cat", __func__);
|
||||
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
|
||||
@@ -195,6 +220,17 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
@@ -192,6 +217,17 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
order_hostkeyalgs(host, hostaddr, port));
|
||||
}
|
||||
|
||||
@ -2379,7 +2367,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
|
||||
#endif
|
||||
|
||||
void userauth(Authctxt *, char *);
|
||||
@@ -326,6 +383,11 @@ static char *authmethods_get(void);
|
||||
@@ -327,6 +384,11 @@ static char *authmethods_get(void);
|
||||
|
||||
Authmethod authmethods[] = {
|
||||
#ifdef GSSAPI
|
||||
@ -2391,7 +2379,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
|
||||
{"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
NULL,
|
||||
@@ -656,19 +718,31 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
@@ -652,19 +714,31 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int ok = 0;
|
||||
@ -2425,7 +2413,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
|
||||
ok = 1; /* Mechanism works */
|
||||
} else {
|
||||
mech++;
|
||||
@@ -765,8 +839,8 @@ input_gssapi_response(int type, u_int32_
|
||||
@@ -761,8 +835,8 @@ input_gssapi_response(int type, u_int32_
|
||||
{
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
@ -2436,7 +2424,7 @@ diff -up openssh-7.2p1/sshconnect2.c.gsskex openssh-7.2p1/sshconnect2.c
|
||||
|
||||
if (authctxt == NULL)
|
||||
fatal("input_gssapi_response: no authentication context");
|
||||
@@ -879,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p
|
||||
@@ -875,6 +949,48 @@ input_gssapi_error(int type, u_int32_t p
|
||||
free(lang);
|
||||
return 0;
|
||||
}
|
||||
@ -2509,21 +2497,17 @@ diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
|
||||
sshbuf_free(buf);
|
||||
}
|
||||
|
||||
@@ -1845,10 +1846,13 @@ main(int ac, char **av)
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -1739,7 +1740,8 @@ main(int ac, char **av)
|
||||
key ? "private" : "agent", i, sshkey_ssh_name(pubkey), fp);
|
||||
free(fp);
|
||||
}
|
||||
+#ifndef GSSAPI
|
||||
- if (!sensitive_data.have_ssh2_key) {
|
||||
+ /* The GSSAPI key exchange can run without a host key */
|
||||
if ((options.protocol & SSH_PROTO_2) && !sensitive_data.have_ssh2_key) {
|
||||
logit("Disabling protocol version 2. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_2;
|
||||
}
|
||||
+#endif
|
||||
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
|
||||
+ if (!sensitive_data.have_ssh2_key && !options.gss_keyex) {
|
||||
logit("sshd: no hostkeys available -- exiting.");
|
||||
exit(1);
|
||||
@@ -2586,6 +2590,48 @@ do_ssh2_kex(void)
|
||||
}
|
||||
@@ -2196,6 +2198,48 @@ do_ssh2_kex(void)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||
list_hostkey_types());
|
||||
|
||||
@ -2572,7 +2556,7 @@ diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
|
||||
/* start key exchange */
|
||||
if ((r = kex_setup(active_state, myproposal)) != 0)
|
||||
fatal("kex_setup: %s", ssh_err(r));
|
||||
@@ -2600,6 +2646,13 @@ do_ssh2_kex(void)
|
||||
@@ -2213,6 +2257,13 @@ do_ssh2_kex(void)
|
||||
# endif
|
||||
#endif
|
||||
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
|
||||
@ -2586,25 +2570,25 @@ diff -up openssh-7.2p1/sshd.c.gsskex openssh-7.2p1/sshd.c
|
||||
kex->server = 1;
|
||||
kex->client_version_string=client_version_string;
|
||||
kex->server_version_string=server_version_string;
|
||||
diff -up openssh-7.2p1/sshd_config.5.gsskex openssh-7.2p1/sshd_config.5
|
||||
--- openssh-7.2p1/sshd_config.5.gsskex 2016-02-19 10:01:04.858969329 +0100
|
||||
+++ openssh-7.2p1/sshd_config.5 2016-02-19 10:06:26.651172355 +0100
|
||||
@@ -623,6 +623,11 @@ The default is
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
diff -up openssh-7.4p1/sshd_config.5.gsskex openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.gsskex 2016-12-23 13:38:53.734301006 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:48:57.825310358 +0100
|
||||
@@ -628,6 +628,11 @@ Specifies whether to automatically destr
|
||||
on logout.
|
||||
The default is
|
||||
.Dq no .
|
||||
.Cm yes .
|
||||
+.It Cm GSSAPIKeyExchange
|
||||
+Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
|
||||
+doesn't rely on ssh keys to verify host identity.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
.It Cm GSSAPICleanupCredentials
|
||||
Specifies whether to automatically destroy the user's credentials cache
|
||||
on logout.
|
||||
@@ -643,6 +648,11 @@ machine's default store.
|
||||
.It Cm GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against.
|
||||
@@ -642,6 +647,11 @@ machine's default store.
|
||||
This facility is provided to assist with operation on multi homed machines.
|
||||
The default is
|
||||
.Dq yes .
|
||||
.Cm yes .
|
||||
+.It Cm GSSAPIStoreCredentialsOnRekey
|
||||
+Controls whether the user's GSSAPI credentials should be updated following a
|
||||
+successful connection rekeying. This option can be used to accepted renewed
|
||||
@ -2613,10 +2597,10 @@ diff -up openssh-7.2p1/sshd_config.5.gsskex openssh-7.2p1/sshd_config.5
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a comma-separated pattern list.
|
||||
diff -up openssh-7.2p1/sshd_config.gsskex openssh-7.2p1/sshd_config
|
||||
--- openssh-7.2p1/sshd_config.gsskex 2016-02-19 10:01:04.860969328 +0100
|
||||
+++ openssh-7.2p1/sshd_config 2016-02-19 10:01:04.873969320 +0100
|
||||
@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
|
||||
diff -up openssh-7.4p1/sshd_config.gsskex openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.gsskex 2016-12-23 13:38:53.719301003 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2016-12-23 13:38:53.734301006 +0100
|
||||
@@ -77,6 +77,8 @@ ChallengeResponseAuthentication no
|
||||
# GSSAPI options
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials no
|
||||
@ -2625,9 +2609,9 @@ diff -up openssh-7.2p1/sshd_config.gsskex openssh-7.2p1/sshd_config
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
diff -up openssh-7.2p1/ssh-gss.h.gsskex openssh-7.2p1/ssh-gss.h
|
||||
--- openssh-7.2p1/ssh-gss.h.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/ssh-gss.h 2016-02-19 10:01:04.873969320 +0100
|
||||
diff -up openssh-7.4p1/ssh-gss.h.gsskex openssh-7.4p1/ssh-gss.h
|
||||
--- openssh-7.4p1/ssh-gss.h.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-gss.h 2016-12-23 13:38:53.734301006 +0100
|
||||
@@ -1,6 +1,6 @@
|
||||
/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
|
||||
/*
|
||||
@ -2727,10 +2711,10 @@ diff -up openssh-7.2p1/ssh-gss.h.gsskex openssh-7.2p1/ssh-gss.h
|
||||
#endif /* GSSAPI */
|
||||
|
||||
#endif /* _SSH_GSS_H */
|
||||
diff -up openssh-7.2p1/sshkey.c.gsskex openssh-7.2p1/sshkey.c
|
||||
--- openssh-7.2p1/sshkey.c.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/sshkey.c 2016-02-19 10:01:04.874969320 +0100
|
||||
@@ -115,6 +115,7 @@ static const struct keytype keytypes[] =
|
||||
diff -up openssh-7.4p1/sshkey.c.gsskex openssh-7.4p1/sshkey.c
|
||||
--- openssh-7.4p1/sshkey.c.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshkey.c 2016-12-23 13:38:53.735301006 +0100
|
||||
@@ -114,6 +114,7 @@ static const struct keytype keytypes[] =
|
||||
# endif /* OPENSSL_HAS_NISTP521 */
|
||||
# endif /* OPENSSL_HAS_ECC */
|
||||
#endif /* WITH_OPENSSL */
|
||||
@ -2738,9 +2722,9 @@ diff -up openssh-7.2p1/sshkey.c.gsskex openssh-7.2p1/sshkey.c
|
||||
{ NULL, NULL, -1, -1, 0, 0 }
|
||||
};
|
||||
|
||||
diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
|
||||
--- openssh-7.2p1/sshkey.h.gsskex 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/sshkey.h 2016-02-19 10:01:04.874969320 +0100
|
||||
diff -up openssh-7.4p1/sshkey.h.gsskex openssh-7.4p1/sshkey.h
|
||||
--- openssh-7.4p1/sshkey.h.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sshkey.h 2016-12-23 13:38:53.735301006 +0100
|
||||
@@ -62,6 +62,7 @@ enum sshkey_types {
|
||||
KEY_DSA_CERT,
|
||||
KEY_ECDSA_CERT,
|
||||
@ -2749,11 +2733,18 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
|
||||
KEY_UNSPEC
|
||||
};
|
||||
|
||||
diff --git a/auth.c b/auth.c
|
||||
index e0f7639..a5a346e 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -784,99 +784,6 @@ fakepw(void)
|
||||
diff -up openssh-7.4p1/auth.c.gsskex openssh-7.4p1/auth.c
|
||||
--- openssh-7.4p1/auth.c.gsskex 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/auth.c 2016-12-23 13:38:53.735301006 +0100
|
||||
@@ -372,6 +372,7 @@ auth_root_allowed(const char *method)
|
||||
case PERMIT_NO_PASSWD:
|
||||
if (strcmp(method, "publickey") == 0 ||
|
||||
strcmp(method, "hostbased") == 0 ||
|
||||
+ strcmp(method, "gssapi-keyex") == 0 ||
|
||||
strcmp(method, "gssapi-with-mic") == 0)
|
||||
return 1;
|
||||
break;
|
||||
@@ -795,99 +796,6 @@ fakepw(void)
|
||||
}
|
||||
|
||||
/*
|
||||
@ -2853,11 +2844,10 @@ index e0f7639..a5a346e 100644
|
||||
* Return the canonical name of the host in the other side of the current
|
||||
* connection. The host name is cached, so it is efficient to call this
|
||||
* several times.
|
||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 80729b3..93a1b04 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -32,6 +32,8 @@
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.c.gsskex openssh-7.4p1/openbsd-compat/port-linux.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.c.gsskex 2016-12-23 13:38:53.688300997 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.c 2016-12-23 13:38:53.735301006 +0100
|
||||
@@ -30,6 +30,8 @@
|
||||
#include "log.h"
|
||||
#include "xmalloc.h"
|
||||
#include "port-linux.h"
|
||||
@ -2866,7 +2856,7 @@ index 80729b3..93a1b04 100644
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
@@ -286,4 +288,121 @@ oom_adjust_restore(void)
|
||||
@@ -279,4 +281,121 @@ oom_adjust_restore(void)
|
||||
return;
|
||||
}
|
||||
#endif /* LINUX_OOM_ADJUST */
|
||||
@ -2988,11 +2978,10 @@ index 80729b3..93a1b04 100644
|
||||
+ }
|
||||
+}
|
||||
#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index e2ca8a1..6c5ac3f 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -18,6 +18,7 @@
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.gsskex openssh-7.4p1/openbsd-compat/port-linux.h
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.gsskex 2016-12-23 13:38:53.712301002 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 13:38:53.735301006 +0100
|
||||
@@ -16,6 +16,7 @@
|
||||
|
||||
#ifndef _PORT_LINUX_H
|
||||
#define _PORT_LINUX_H
|
||||
@ -3000,7 +2989,7 @@ index e2ca8a1..6c5ac3f 100644
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
@@ -39,4 +40,8 @@ void oom_adjust_setup(void);
|
||||
@@ -36,4 +37,8 @@ void oom_adjust_setup(void);
|
||||
|
||||
void linux_seed(void);
|
||||
|
||||
@ -3009,18 +2998,3 @@ index e2ca8a1..6c5ac3f 100644
|
||||
+
|
||||
+
|
||||
#endif /* ! _PORT_LINUX_H */
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index 3e6f982..4c2653f 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -213,6 +213,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_write
|
||||
SC_ALLOW(write),
|
||||
#endif
|
||||
+#ifdef __NR_futex
|
||||
+ SC_ALLOW(futex), /* for GSSAPI Kex */
|
||||
+#endif
|
||||
#ifdef __NR_socketcall
|
||||
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
|
||||
#endif
|
||||
|
@ -1,14 +1,10 @@
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1701,6 +1701,14 @@ main(int ac, char **av)
|
||||
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
&cfg, NULL);
|
||||
|
||||
+ /* 'UseLogin yes' is not supported in Fedora */
|
||||
+ if (options.use_login == 1)
|
||||
+ logit("WARNING: 'UseLogin yes' is not supported in Fedora and may cause several problems.");
|
||||
+
|
||||
+ /* 'UsePAM no' is not supported in Fedora */
|
||||
+ if (! options.use_pam)
|
||||
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
|
||||
@ -28,12 +24,3 @@ diff --git a/sshd_config b/sshd_config
|
||||
UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
@@ -113,6 +115,8 @@ X11Forwarding yes
|
||||
#PrintMotd yes
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
+# WARNING: 'UseLogin yes' is not supported in Fedora and may cause several
|
||||
+# problems.
|
||||
#UseLogin no
|
||||
#UsePrivilegeSeparation sandbox
|
||||
#PermitUserEnvironment no
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-7.2p2/auth2.c.expose-pam openssh-7.2p2/auth2.c
|
||||
--- openssh-7.2p2/auth2.c.expose-pam 2016-07-18 12:30:12.064783302 +0200
|
||||
+++ openssh-7.2p2/auth2.c 2016-07-18 12:30:12.124783255 +0200
|
||||
diff -up openssh-7.4p1/auth2.c.expose-pam openssh-7.4p1/auth2.c
|
||||
--- openssh-7.4p1/auth2.c.expose-pam 2016-12-23 15:40:26.768447868 +0100
|
||||
+++ openssh-7.4p1/auth2.c 2016-12-23 15:40:26.818447876 +0100
|
||||
@@ -310,6 +310,7 @@ userauth_finish(Authctxt *authctxt, int
|
||||
const char *submethod)
|
||||
{
|
||||
@ -28,9 +28,9 @@ diff -up openssh-7.2p2/auth2.c.expose-pam openssh-7.2p2/auth2.c
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam && authenticated) {
|
||||
if (!PRIVSEP(do_pam_account())) {
|
||||
diff -up openssh-7.2p2/auth2-gss.c.expose-pam openssh-7.2p2/auth2-gss.c
|
||||
--- openssh-7.2p2/auth2-gss.c.expose-pam 2016-07-18 12:30:12.123783256 +0200
|
||||
+++ openssh-7.2p2/auth2-gss.c 2016-07-18 12:32:08.034692086 +0200
|
||||
diff -up openssh-7.4p1/auth2-gss.c.expose-pam openssh-7.4p1/auth2-gss.c
|
||||
--- openssh-7.4p1/auth2-gss.c.expose-pam 2016-12-23 15:40:26.769447868 +0100
|
||||
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 15:40:26.818447876 +0100
|
||||
@@ -276,6 +276,9 @@ input_gssapi_exchange_complete(int type,
|
||||
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
||||
authctxt->pw));
|
||||
@ -51,9 +51,9 @@ diff -up openssh-7.2p2/auth2-gss.c.expose-pam openssh-7.2p2/auth2-gss.c
|
||||
buffer_free(&b);
|
||||
if (micuser != authctxt->user)
|
||||
free(micuser);
|
||||
diff -up openssh-7.2p2/auth2-hostbased.c.expose-pam openssh-7.2p2/auth2-hostbased.c
|
||||
--- openssh-7.2p2/auth2-hostbased.c.expose-pam 2016-07-18 12:30:12.027783331 +0200
|
||||
+++ openssh-7.2p2/auth2-hostbased.c 2016-07-18 12:30:12.124783255 +0200
|
||||
diff -up openssh-7.4p1/auth2-hostbased.c.expose-pam openssh-7.4p1/auth2-hostbased.c
|
||||
--- openssh-7.4p1/auth2-hostbased.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
|
||||
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 15:40:26.818447876 +0100
|
||||
@@ -60,7 +60,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
{
|
||||
Buffer b;
|
||||
@ -88,9 +88,9 @@ diff -up openssh-7.2p2/auth2-hostbased.c.expose-pam openssh-7.2p2/auth2-hostbase
|
||||
|
||||
buffer_free(&b);
|
||||
done:
|
||||
diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
|
||||
--- openssh-7.2p2/auth2-pubkey.c.expose-pam 2016-07-18 12:30:12.039783322 +0200
|
||||
+++ openssh-7.2p2/auth2-pubkey.c 2016-07-18 12:30:12.124783255 +0200
|
||||
diff -up openssh-7.4p1/auth2-pubkey.c.expose-pam openssh-7.4p1/auth2-pubkey.c
|
||||
--- openssh-7.4p1/auth2-pubkey.c.expose-pam 2016-12-23 15:40:26.746447864 +0100
|
||||
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 15:40:26.819447876 +0100
|
||||
@@ -79,7 +79,7 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
{
|
||||
Buffer b;
|
||||
@ -100,7 +100,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
|
||||
u_char *pkblob, *sig;
|
||||
u_int alen, blen, slen;
|
||||
int have_sig, pktype;
|
||||
@@ -173,7 +173,8 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
@@ -177,7 +177,8 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
#ifdef DEBUG_PK
|
||||
buffer_dump(&b);
|
||||
#endif
|
||||
@ -110,7 +110,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
|
||||
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
@@ -181,9 +182,12 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
@@ -185,9 +186,12 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
|
||||
buffer_len(&b))) == 1) {
|
||||
authenticated = 1;
|
||||
@ -123,7 +123,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
|
||||
}
|
||||
buffer_free(&b);
|
||||
free(sig);
|
||||
@@ -224,7 +228,7 @@ done:
|
||||
@@ -228,7 +232,7 @@ done:
|
||||
void
|
||||
pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
|
||||
{
|
||||
@ -132,7 +132,7 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
|
||||
va_list ap;
|
||||
int i;
|
||||
|
||||
@@ -234,27 +238,13 @@ pubkey_auth_info(Authctxt *authctxt, con
|
||||
@@ -238,27 +242,13 @@ pubkey_auth_info(Authctxt *authctxt, con
|
||||
i = vasprintf(&extra, fmt, ap);
|
||||
va_end(ap);
|
||||
if (i < 0 || extra == NULL)
|
||||
@ -165,9 +165,9 @@ diff -up openssh-7.2p2/auth2-pubkey.c.expose-pam openssh-7.2p2/auth2-pubkey.c
|
||||
free(extra);
|
||||
}
|
||||
|
||||
diff -up openssh-7.2p2/auth.h.expose-pam openssh-7.2p2/auth.h
|
||||
--- openssh-7.2p2/auth.h.expose-pam 2016-07-18 12:30:12.077783292 +0200
|
||||
+++ openssh-7.2p2/auth.h 2016-07-18 12:30:12.123783256 +0200
|
||||
diff -up openssh-7.4p1/auth.h.expose-pam openssh-7.4p1/auth.h
|
||||
--- openssh-7.4p1/auth.h.expose-pam 2016-12-23 15:40:26.782447870 +0100
|
||||
+++ openssh-7.4p1/auth.h 2016-12-23 15:40:26.819447876 +0100
|
||||
@@ -84,6 +84,9 @@ struct Authctxt {
|
||||
|
||||
struct sshkey **prev_userkeys;
|
||||
@ -178,10 +178,10 @@ diff -up openssh-7.2p2/auth.h.expose-pam openssh-7.2p2/auth.h
|
||||
};
|
||||
/*
|
||||
* Every authentication method has to handle authentication requests for
|
||||
diff -up openssh-7.2p2/auth-pam.c.expose-pam openssh-7.2p2/auth-pam.c
|
||||
--- openssh-7.2p2/auth-pam.c.expose-pam 2016-07-18 12:30:12.026783332 +0200
|
||||
+++ openssh-7.2p2/auth-pam.c 2016-07-18 12:30:12.123783256 +0200
|
||||
@@ -689,6 +689,11 @@ sshpam_init_ctx(Authctxt *authctxt)
|
||||
diff -up openssh-7.4p1/auth-pam.c.expose-pam openssh-7.4p1/auth-pam.c
|
||||
--- openssh-7.4p1/auth-pam.c.expose-pam 2016-12-23 15:40:26.731447862 +0100
|
||||
+++ openssh-7.4p1/auth-pam.c 2016-12-23 15:40:26.819447876 +0100
|
||||
@@ -688,6 +688,11 @@ sshpam_init_ctx(Authctxt *authctxt)
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
@ -193,9 +193,9 @@ diff -up openssh-7.2p2/auth-pam.c.expose-pam openssh-7.2p2/auth-pam.c
|
||||
ctxt = xcalloc(1, sizeof *ctxt);
|
||||
|
||||
/* Start the authentication thread */
|
||||
diff -up openssh-7.2p2/gss-serv.c.expose-pam openssh-7.2p2/gss-serv.c
|
||||
--- openssh-7.2p2/gss-serv.c.expose-pam 2016-07-18 12:30:12.124783255 +0200
|
||||
+++ openssh-7.2p2/gss-serv.c 2016-07-18 12:33:08.835644264 +0200
|
||||
diff -up openssh-7.4p1/gss-serv.c.expose-pam openssh-7.4p1/gss-serv.c
|
||||
--- openssh-7.4p1/gss-serv.c.expose-pam 2016-12-23 15:40:26.808447874 +0100
|
||||
+++ openssh-7.4p1/gss-serv.c 2016-12-23 15:40:26.819447876 +0100
|
||||
@@ -441,6 +441,16 @@ ssh_gssapi_do_child(char ***envp, u_int
|
||||
}
|
||||
|
||||
@ -213,10 +213,10 @@ diff -up openssh-7.2p2/gss-serv.c.expose-pam openssh-7.2p2/gss-serv.c
|
||||
int
|
||||
ssh_gssapi_userok(char *user, struct passwd *pw)
|
||||
{
|
||||
diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
|
||||
--- openssh-7.2p2/monitor.c.expose-pam 2016-07-18 12:30:12.093783279 +0200
|
||||
+++ openssh-7.2p2/monitor.c 2016-07-18 12:30:12.124783255 +0200
|
||||
@@ -349,6 +349,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
diff -up openssh-7.4p1/monitor.c.expose-pam openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:41:16.473455863 +0100
|
||||
@@ -300,6 +300,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
{
|
||||
struct mon_table *ent;
|
||||
int authenticated = 0, partial = 0;
|
||||
@ -224,7 +224,7 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
|
||||
|
||||
debug3("preauth child monitor started");
|
||||
|
||||
@@ -386,6 +387,18 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
@@ -330,6 +331,18 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
auth_submethod = NULL;
|
||||
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
|
||||
|
||||
@ -242,8 +242,8 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
|
||||
+
|
||||
/* Special handling for multiple required authentications */
|
||||
if (options.num_auth_methods != 0) {
|
||||
if (!compat20)
|
||||
@@ -1498,6 +1511,10 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
if (authenticated &&
|
||||
@@ -1417,6 +1430,10 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
debug3("%s: key %p signature %s",
|
||||
__func__, key, (verified == 1) ? "verified" : "unverified");
|
||||
|
||||
@ -254,7 +254,7 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
|
||||
/* If auth was successful then record key to ensure it isn't reused */
|
||||
if (verified == 1 && key_blobtype == MM_USERKEY)
|
||||
auth2_record_userkey(authctxt, key);
|
||||
@@ -2140,6 +2157,9 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
@@ -1860,6 +1877,9 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
|
||||
auth_method = "gssapi-with-mic";
|
||||
|
||||
@ -264,43 +264,43 @@ diff -up openssh-7.2p2/monitor.c.expose-pam openssh-7.2p2/monitor.c
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
}
|
||||
diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
|
||||
--- openssh-7.2p2/servconf.c.expose-pam 2016-07-18 12:30:12.112783264 +0200
|
||||
+++ openssh-7.2p2/servconf.c 2016-07-18 12:34:38.170574004 +0200
|
||||
@@ -176,6 +176,7 @@ initialize_server_options(ServerOptions
|
||||
options->fingerprint_hash = -1;
|
||||
diff -up openssh-7.4p1/servconf.c.expose-pam openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.expose-pam 2016-12-23 15:40:26.810447875 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:44:04.691482920 +0100
|
||||
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
|
||||
options->disable_forwarding = -1;
|
||||
options->use_kuserok = -1;
|
||||
options->enable_k5users = -1;
|
||||
+ options->expose_auth_methods = -1;
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
@@ -374,6 +375,8 @@ fill_default_server_options(ServerOption
|
||||
options->enable_k5users = 0;
|
||||
if (options->use_kuserok == -1)
|
||||
@@ -354,6 +355,8 @@ fill_default_server_options(ServerOption
|
||||
options->use_kuserok = 1;
|
||||
if (options->enable_k5users == -1)
|
||||
options->enable_k5users = 0;
|
||||
+ if (options->expose_auth_methods == -1)
|
||||
+ options->expose_auth_methods = EXPOSE_AUTHMETH_NEVER;
|
||||
|
||||
assemble_algorithms(options);
|
||||
|
||||
@@ -451,6 +454,7 @@ typedef enum {
|
||||
@@ -439,6 +442,7 @@ typedef enum {
|
||||
sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
|
||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||
+ sExposeAuthenticationMethods,
|
||||
sDeprecated, sUnsupported
|
||||
sDeprecated, sIgnore, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -606,6 +610,7 @@ static struct {
|
||||
{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
|
||||
@@ -595,6 +599,7 @@ static struct {
|
||||
{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
|
||||
{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
|
||||
{ "disableforwarding", sDisableForwarding, SSHCFG_ALL },
|
||||
+ { "exposeauthenticationmethods", sExposeAuthenticationMethods, SSHCFG_ALL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -994,6 +999,12 @@ static const struct multistate multistat
|
||||
@@ -984,6 +989,12 @@ static const struct multistate multistat
|
||||
{ "local", FORWARD_LOCAL },
|
||||
{ NULL, -1 }
|
||||
};
|
||||
@ -313,7 +313,7 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
|
||||
|
||||
int
|
||||
process_server_config_line(ServerOptions *options, char *line,
|
||||
@@ -1918,6 +1929,11 @@ process_server_config_line(ServerOptions
|
||||
@@ -1902,6 +1913,11 @@ process_server_config_line(ServerOptions
|
||||
options->fingerprint_hash = value;
|
||||
break;
|
||||
|
||||
@ -323,9 +323,9 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
|
||||
+ goto parse_multistate;
|
||||
+
|
||||
case sDeprecated:
|
||||
logit("%s line %d: Deprecated option %s",
|
||||
filename, linenum, arg);
|
||||
@@ -2076,6 +2092,7 @@ copy_set_server_options(ServerOptions *d
|
||||
case sIgnore:
|
||||
case sUnsupported:
|
||||
@@ -2060,6 +2076,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(enable_k5users);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
@ -333,16 +333,16 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
|
||||
|
||||
/*
|
||||
* The bind_mask is a mode_t that may be unsigned, so we can't use
|
||||
@@ -2181,6 +2198,8 @@ fmt_intarg(ServerOpCodes code, int val)
|
||||
@@ -2176,6 +2193,8 @@ fmt_intarg(ServerOpCodes code, int val)
|
||||
return fmt_multistate_int(val, multistate_tcpfwd);
|
||||
case sFingerprintHash:
|
||||
return ssh_digest_alg_name(val);
|
||||
+ case sExposeAuthenticationMethods:
|
||||
+ return fmt_multistate_int(val, multistate_exposeauthmeth);
|
||||
case sProtocol:
|
||||
default:
|
||||
switch (val) {
|
||||
case SSH_PROTO_1:
|
||||
@@ -2374,6 +2393,7 @@ dump_config(ServerOptions *o)
|
||||
case 0:
|
||||
@@ -2356,6 +2375,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
||||
@ -350,9 +350,9 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-7.2p2/servconf.h.expose-pam openssh-7.2p2/servconf.h
|
||||
--- openssh-7.2p2/servconf.h.expose-pam 2016-07-18 12:30:12.112783264 +0200
|
||||
+++ openssh-7.2p2/servconf.h 2016-07-18 12:30:12.125783254 +0200
|
||||
diff -up openssh-7.4p1/servconf.h.expose-pam openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.expose-pam 2016-12-23 15:40:26.810447875 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 15:40:26.821447876 +0100
|
||||
@@ -48,6 +48,11 @@
|
||||
#define FORWARD_LOCAL (1<<1)
|
||||
#define FORWARD_ALLOW (FORWARD_REMOTE|FORWARD_LOCAL)
|
||||
@ -365,7 +365,7 @@ diff -up openssh-7.2p2/servconf.h.expose-pam openssh-7.2p2/servconf.h
|
||||
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
|
||||
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
|
||||
|
||||
@@ -201,6 +206,8 @@ typedef struct {
|
||||
@@ -195,6 +200,8 @@ typedef struct {
|
||||
char *auth_methods[MAX_AUTH_METHODS];
|
||||
|
||||
int fingerprint_hash;
|
||||
@ -374,10 +374,10 @@ diff -up openssh-7.2p2/servconf.h.expose-pam openssh-7.2p2/servconf.h
|
||||
} ServerOptions;
|
||||
|
||||
/* Information about the incoming connection as used by Match */
|
||||
diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
|
||||
--- openssh-7.2p2/session.c.expose-pam 2016-07-18 12:30:12.120783258 +0200
|
||||
+++ openssh-7.2p2/session.c 2016-07-18 12:30:12.125783254 +0200
|
||||
@@ -1180,6 +1180,12 @@ copy_environment(char **source, char ***
|
||||
diff -up openssh-7.4p1/session.c.expose-pam openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.expose-pam 2016-12-23 15:40:26.794447872 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 15:40:26.821447876 +0100
|
||||
@@ -997,6 +997,12 @@ copy_environment(char **source, char ***
|
||||
}
|
||||
*var_val++ = '\0';
|
||||
|
||||
@ -390,7 +390,7 @@ diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
|
||||
debug3("Copy environment: %s=%s", var_name, var_val);
|
||||
child_set_env(env, envsize, var_name, var_val);
|
||||
|
||||
@@ -1359,6 +1365,11 @@ do_setup_env(Session *s, const char *she
|
||||
@@ -1173,6 +1179,11 @@ do_setup_env(Session *s, const char *she
|
||||
}
|
||||
#endif /* USE_PAM */
|
||||
|
||||
@ -402,7 +402,7 @@ diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
|
||||
if (auth_sock_name != NULL)
|
||||
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
|
||||
auth_sock_name);
|
||||
@@ -2798,6 +2809,9 @@ do_cleanup(Authctxt *authctxt)
|
||||
@@ -2561,6 +2572,9 @@ do_cleanup(Authctxt *authctxt)
|
||||
if (authctxt == NULL)
|
||||
return;
|
||||
|
||||
@ -412,10 +412,10 @@ diff -up openssh-7.2p2/session.c.expose-pam openssh-7.2p2/session.c
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
sshpam_cleanup();
|
||||
diff -up openssh-7.2p2/ssh.1.expose-pam openssh-7.2p2/ssh.1
|
||||
--- openssh-7.2p2/ssh.1.expose-pam 2016-07-18 12:30:12.112783264 +0200
|
||||
+++ openssh-7.2p2/ssh.1 2016-07-18 12:30:12.126783253 +0200
|
||||
@@ -1396,6 +1396,10 @@ server IP address, and server port numbe
|
||||
diff -up openssh-7.4p1/ssh.1.expose-pam openssh-7.4p1/ssh.1
|
||||
--- openssh-7.4p1/ssh.1.expose-pam 2016-12-23 15:40:26.810447875 +0100
|
||||
+++ openssh-7.4p1/ssh.1 2016-12-23 15:40:26.822447877 +0100
|
||||
@@ -1421,6 +1421,10 @@ server IP address, and server port numbe
|
||||
This variable contains the original command line if a forced command
|
||||
is executed.
|
||||
It can be used to extract the original arguments.
|
||||
@ -426,13 +426,13 @@ diff -up openssh-7.2p2/ssh.1.expose-pam openssh-7.2p2/ssh.1
|
||||
.It Ev SSH_TTY
|
||||
This is set to the name of the tty (path to the device) associated
|
||||
with the current shell or command.
|
||||
diff -up openssh-7.2p2/sshd_config.5.expose-pam openssh-7.2p2/sshd_config.5
|
||||
--- openssh-7.2p2/sshd_config.5.expose-pam 2016-07-18 12:30:12.113783263 +0200
|
||||
+++ openssh-7.2p2/sshd_config.5 2016-07-18 12:30:12.126783253 +0200
|
||||
@@ -570,6 +570,21 @@ and finally
|
||||
See PATTERNS in
|
||||
.Xr ssh_config 5
|
||||
for more information on patterns.
|
||||
diff -up openssh-7.4p1/sshd_config.5.expose-pam openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.expose-pam 2016-12-23 15:40:26.822447877 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:45:22.411495421 +0100
|
||||
@@ -570,6 +570,21 @@ Disables all forwarding features, includ
|
||||
TCP and StreamLocal.
|
||||
This option overrides all other forwarding-related options and may
|
||||
simplify restricted configurations.
|
||||
+.It Cm ExposeAuthenticationMethods
|
||||
+When using SSH2, this option controls the exposure of the list of
|
||||
+successful authentication methods to PAM during the authentication
|
||||
@ -440,20 +440,20 @@ diff -up openssh-7.2p2/sshd_config.5.expose-pam openssh-7.2p2/sshd_config.5
|
||||
+.Cm SSH_USER_AUTH
|
||||
+variable. See the description of this variable for more details.
|
||||
+Valid options are:
|
||||
+.Dq never
|
||||
+.Cm never
|
||||
+(Do not expose successful authentication methods),
|
||||
+.Dq pam-only
|
||||
+.Cm pam-only
|
||||
+(Only expose them to PAM during authentication, not afterwards),
|
||||
+.Dq pam-and-env
|
||||
+.Cm pam-and-env
|
||||
+(Expose them to PAM and keep them in the shell environment).
|
||||
+The default is
|
||||
+.Dq never .
|
||||
+.Cm never .
|
||||
.It Cm FingerprintHash
|
||||
Specifies the hash algorithm used when logging key fingerprints.
|
||||
Valid options are:
|
||||
diff -up openssh-7.2p2/ssh-gss.h.expose-pam openssh-7.2p2/ssh-gss.h
|
||||
--- openssh-7.2p2/ssh-gss.h.expose-pam 2016-07-18 12:30:12.125783254 +0200
|
||||
+++ openssh-7.2p2/ssh-gss.h 2016-07-18 12:35:01.906555328 +0200
|
||||
diff -up openssh-7.4p1/ssh-gss.h.expose-pam openssh-7.4p1/ssh-gss.h
|
||||
--- openssh-7.4p1/ssh-gss.h.expose-pam 2016-12-23 15:40:26.811447875 +0100
|
||||
+++ openssh-7.4p1/ssh-gss.h 2016-12-23 15:40:26.823447877 +0100
|
||||
@@ -159,6 +159,7 @@ int ssh_gssapi_server_check_mech(Gssctxt
|
||||
const char *);
|
||||
OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
|
||||
@ -462,10 +462,10 @@ diff -up openssh-7.2p2/ssh-gss.h.expose-pam openssh-7.2p2/ssh-gss.h
|
||||
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||
void ssh_gssapi_do_child(char ***, u_int *);
|
||||
void ssh_gssapi_cleanup_creds(void);
|
||||
diff -up openssh-7.2p2/sshkey.c.expose-pam openssh-7.2p2/sshkey.c
|
||||
--- openssh-7.2p2/sshkey.c.expose-pam 2016-07-18 12:30:12.071783296 +0200
|
||||
+++ openssh-7.2p2/sshkey.c 2016-07-18 12:30:12.126783253 +0200
|
||||
@@ -58,6 +58,7 @@
|
||||
diff -up openssh-7.4p1/sshkey.c.expose-pam openssh-7.4p1/sshkey.c
|
||||
--- openssh-7.4p1/sshkey.c.expose-pam 2016-12-23 15:40:26.777447869 +0100
|
||||
+++ openssh-7.4p1/sshkey.c 2016-12-23 15:40:26.823447877 +0100
|
||||
@@ -57,6 +57,7 @@
|
||||
#define SSHKEY_INTERNAL
|
||||
#include "sshkey.h"
|
||||
#include "match.h"
|
||||
@ -473,7 +473,7 @@ diff -up openssh-7.2p2/sshkey.c.expose-pam openssh-7.2p2/sshkey.c
|
||||
|
||||
/* openssh private key file format */
|
||||
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
|
||||
@@ -1190,6 +1191,30 @@ sshkey_fingerprint(const struct sshkey *
|
||||
@@ -1191,6 +1192,30 @@ sshkey_fingerprint(const struct sshkey *
|
||||
return retval;
|
||||
}
|
||||
|
||||
@ -504,9 +504,9 @@ diff -up openssh-7.2p2/sshkey.c.expose-pam openssh-7.2p2/sshkey.c
|
||||
#ifdef WITH_SSH1
|
||||
/*
|
||||
* Reads a multiple-precision integer in decimal from the buffer, and advances
|
||||
diff -up openssh-7.2p2/sshkey.h.expose-pam openssh-7.2p2/sshkey.h
|
||||
--- openssh-7.2p2/sshkey.h.expose-pam 2016-07-18 12:30:12.071783296 +0200
|
||||
+++ openssh-7.2p2/sshkey.h 2016-07-18 12:30:12.127783252 +0200
|
||||
diff -up openssh-7.4p1/sshkey.h.expose-pam openssh-7.4p1/sshkey.h
|
||||
--- openssh-7.4p1/sshkey.h.expose-pam 2016-12-23 15:40:26.777447869 +0100
|
||||
+++ openssh-7.4p1/sshkey.h 2016-12-23 15:40:26.823447877 +0100
|
||||
@@ -124,6 +124,7 @@ char *sshkey_fingerprint(const struct s
|
||||
int, enum sshkey_fp_rep);
|
||||
int sshkey_fingerprint_raw(const struct sshkey *k,
|
||||
|
@ -1,48 +0,0 @@
|
||||
From 28652bca29046f62c7045e933e6b931de1d16737 Mon Sep 17 00:00:00 2001
|
||||
From: "markus@openbsd.org" <markus@openbsd.org>
|
||||
Date: Mon, 19 Sep 2016 19:02:19 +0000
|
||||
Subject: upstream commit
|
||||
|
||||
move inbound NEWKEYS handling to kex layer; otherwise
|
||||
early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed
|
||||
with & ok djm@
|
||||
|
||||
Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
|
||||
---
|
||||
kex.c | 4 +++-
|
||||
packet.c | 6 ++----
|
||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/kex.c b/kex.c
|
||||
index f4c130f..8800d40 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -425,6 +425,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
|
||||
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||
return r;
|
||||
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
|
||||
+ return r;
|
||||
kex->done = 1;
|
||||
sshbuf_reset(kex->peer);
|
||||
/* sshbuf_reset(kex->my); */
|
||||
diff --git a/packet.c b/packet.c
|
||||
index 711091d..fb316ac 100644
|
||||
--- a/packet.c
|
||||
+++ b/packet.c
|
||||
@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
return r;
|
||||
return SSH_ERR_PROTOCOL_ERROR;
|
||||
}
|
||||
- if (*typep == SSH2_MSG_NEWKEYS)
|
||||
- r = ssh_set_newkeys(ssh, MODE_IN);
|
||||
- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
|
||||
+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
|
||||
r = ssh_packet_enable_delayed_compress(ssh);
|
||||
else
|
||||
r = 0;
|
||||
--
|
||||
cgit v0.12
|
||||
|
||||
0
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,7 @@
|
||||
diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
|
||||
--- openssh-6.6p1/channels.c.x11max 2016-06-27 16:28:49.803631684 +0200
|
||||
+++ openssh-6.6p1/channels.c 2016-06-27 16:28:49.814631678 +0200
|
||||
@@ -138,8 +138,8 @@ static int all_opens_permitted = 0;
|
||||
diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
|
||||
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
|
||||
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
|
||||
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
|
||||
|
||||
/* -- X11 forwarding */
|
||||
|
||||
@ -12,7 +12,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
|
||||
|
||||
/* Saved X11 local (client) display. */
|
||||
static char *x11_saved_display = NULL;
|
||||
@@ -3445,7 +3445,8 @@ channel_send_window_changes(void)
|
||||
@@ -4228,7 +4228,8 @@ channel_send_window_changes(void)
|
||||
*/
|
||||
int
|
||||
x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
|
||||
@ -22,7 +22,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
|
||||
{
|
||||
Channel *nc = NULL;
|
||||
int display_number, sock;
|
||||
@@ -3457,10 +3458,15 @@ x11_create_display_inet(int x11_display_
|
||||
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
|
||||
if (chanids == NULL)
|
||||
return -1;
|
||||
|
||||
@ -40,7 +40,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
|
||||
@@ -3512,7 +3518,7 @@ x11_create_display_inet(int x11_display_
|
||||
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
|
||||
if (num_socks > 0)
|
||||
break;
|
||||
}
|
||||
@ -49,7 +49,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
|
||||
error("Failed to allocate internet-domain X11 display socket.");
|
||||
return -1;
|
||||
}
|
||||
@@ -3658,7 +3664,7 @@ x11_connect_display(void)
|
||||
@@ -4441,7 +4447,7 @@ x11_connect_display(void)
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
@ -58,7 +58,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
|
||||
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
|
||||
error("%.100s: unknown host. (%s)", buf,
|
||||
ssh_gai_strerror(gaierr));
|
||||
@@ -3674,7 +3680,7 @@ x11_connect_display(void)
|
||||
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
|
||||
/* Connect it to the display. */
|
||||
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
||||
debug2("connect %.100s port %u: %.100s", buf,
|
||||
@ -67,7 +67,7 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
|
||||
close(sock);
|
||||
continue;
|
||||
}
|
||||
@@ -3683,8 +3689,8 @@ x11_connect_display(void)
|
||||
@@ -4466,8 +4472,8 @@ x11_connect_display(void)
|
||||
}
|
||||
freeaddrinfo(aitop);
|
||||
if (!ai) {
|
||||
@ -78,10 +78,10 @@ diff -up openssh-6.6p1/channels.c.x11max openssh-6.6p1/channels.c
|
||||
return -1;
|
||||
}
|
||||
set_nodelay(sock);
|
||||
diff -up openssh-6.6p1/channels.h.x11max openssh-6.6p1/channels.h
|
||||
--- openssh-6.6p1/channels.h.x11max 2016-06-27 16:28:49.814631678 +0200
|
||||
+++ openssh-6.6p1/channels.h 2016-06-27 16:31:18.925557840 +0200
|
||||
@@ -281,7 +281,7 @@ int permitopen_port(const char *);
|
||||
diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
|
||||
--- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
|
||||
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
|
||||
|
||||
void channel_set_x11_refuse_time(u_int);
|
||||
int x11_connect_display(void);
|
||||
@ -90,10 +90,10 @@ diff -up openssh-6.6p1/channels.h.x11max openssh-6.6p1/channels.h
|
||||
int x11_input_open(int, u_int32_t, void *);
|
||||
void x11_request_forwarding_with_spoofing(int, const char *, const char *,
|
||||
const char *, int);
|
||||
diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
|
||||
--- openssh-6.6p1/servconf.c.x11max 2016-06-27 16:28:49.808631681 +0200
|
||||
+++ openssh-6.6p1/servconf.c 2016-06-27 16:30:46.941573678 +0200
|
||||
@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100
|
||||
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions
|
||||
options->print_lastlog = -1;
|
||||
options->x11_forwarding = -1;
|
||||
options->x11_display_offset = -1;
|
||||
@ -101,7 +101,7 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
|
||||
options->x11_use_localhost = -1;
|
||||
options->permit_tty = -1;
|
||||
options->permit_user_rc = -1;
|
||||
@@ -219,6 +220,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -243,6 +244,8 @@ fill_default_server_options(ServerOption
|
||||
options->x11_forwarding = 0;
|
||||
if (options->x11_display_offset == -1)
|
||||
options->x11_display_offset = 10;
|
||||
@ -110,16 +110,16 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
|
||||
if (options->x11_use_localhost == -1)
|
||||
options->x11_use_localhost = 1;
|
||||
if (options->xauth_location == NULL)
|
||||
@@ -364,7 +367,7 @@ typedef enum {
|
||||
@@ -419,7 +422,7 @@ typedef enum {
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
|
||||
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
||||
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
|
||||
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
|
||||
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
@@ -476,6 +479,7 @@ static struct {
|
||||
@@ -540,6 +543,7 @@ static struct {
|
||||
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
|
||||
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
|
||||
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
|
||||
@ -127,9 +127,9 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
|
||||
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
|
||||
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
|
||||
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
|
||||
@@ -1202,6 +1206,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->x11_display_offset;
|
||||
goto parse_int;
|
||||
@@ -1316,6 +1320,10 @@ process_server_config_line(ServerOptions
|
||||
*intptr = value;
|
||||
break;
|
||||
|
||||
+ case sX11MaxDisplays:
|
||||
+ intptr = &options->x11_max_displays;
|
||||
@ -138,7 +138,7 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
|
||||
case sX11UseLocalhost:
|
||||
intptr = &options->x11_use_localhost;
|
||||
goto parse_flag;
|
||||
@@ -1889,6 +1897,7 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -2063,6 +2071,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
|
||||
M_CP_INTOPT(x11_display_offset);
|
||||
M_CP_INTOPT(x11_forwarding);
|
||||
@ -146,17 +146,17 @@ diff -up openssh-6.6p1/servconf.c.x11max openssh-6.6p1/servconf.c
|
||||
M_CP_INTOPT(x11_use_localhost);
|
||||
M_CP_INTOPT(permit_tty);
|
||||
M_CP_INTOPT(permit_user_rc);
|
||||
@@ -2106,6 +2115,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -2315,6 +2324,7 @@ dump_config(ServerOptions *o)
|
||||
#endif
|
||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
||||
dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
|
||||
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
||||
+ dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
|
||||
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
||||
dump_cfg_int(sMaxSessions, o->max_sessions);
|
||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||
diff -up openssh-6.6p1/servconf.h.x11max openssh-6.6p1/servconf.h
|
||||
--- openssh-6.6p1/servconf.h.x11max 2016-06-27 16:28:49.809631681 +0200
|
||||
+++ openssh-6.6p1/servconf.h 2016-06-27 16:28:49.815631678 +0200
|
||||
diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100
|
||||
@@ -55,6 +55,7 @@
|
||||
|
||||
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
|
||||
@ -173,10 +173,10 @@ diff -up openssh-6.6p1/servconf.h.x11max openssh-6.6p1/servconf.h
|
||||
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
|
||||
char *xauth_location; /* Location of xauth program */
|
||||
int permit_tty; /* If false, deny pty allocation */
|
||||
diff -up openssh-6.6p1/session.c.x11max openssh-6.6p1/session.c
|
||||
--- openssh-6.6p1/session.c.x11max 2016-06-27 16:28:49.809631681 +0200
|
||||
+++ openssh-6.6p1/session.c 2016-06-27 16:28:49.815631678 +0200
|
||||
@@ -2741,8 +2741,9 @@ session_setup_x11fwd(Session *s)
|
||||
diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100
|
||||
@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
|
||||
return 0;
|
||||
}
|
||||
if (x11_create_display_inet(options.x11_display_offset,
|
||||
@ -188,10 +188,10 @@ diff -up openssh-6.6p1/session.c.x11max openssh-6.6p1/session.c
|
||||
debug("x11_create_display_inet failed.");
|
||||
return 0;
|
||||
}
|
||||
diff -up openssh-6.6p1/sshd_config.5.x11max openssh-6.6p1/sshd_config.5
|
||||
--- openssh-6.6p1/sshd_config.5.x11max 2016-06-27 16:28:49.809631681 +0200
|
||||
+++ openssh-6.6p1/sshd_config.5 2016-06-27 16:32:01.253536879 +0200
|
||||
@@ -930,6 +930,7 @@ Available keywords are
|
||||
diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100
|
||||
@@ -1133,6 +1133,7 @@ Available keywords are
|
||||
.Cm StreamLocalBindUnlink ,
|
||||
.Cm TrustedUserCAKeys ,
|
||||
.Cm X11DisplayOffset ,
|
||||
@ -199,7 +199,7 @@ diff -up openssh-6.6p1/sshd_config.5.x11max openssh-6.6p1/sshd_config.5
|
||||
.Cm X11Forwarding
|
||||
and
|
||||
.Cm X11UseLocalHost .
|
||||
@@ -1339,6 +1340,12 @@ Specifies the first display number avail
|
||||
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
|
||||
X11 forwarding.
|
||||
This prevents sshd from interfering with real X11 servers.
|
||||
The default is 10.
|
||||
|
12
openssh-7.4p1-daemon.patch
Normal file
12
openssh-7.4p1-daemon.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up openssh-7.4p1/sshd.c.daemon openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.daemon 2017-01-02 15:32:56.618447579 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2017-01-02 15:33:07.606442751 +0100
|
||||
@@ -1943,7 +1943,7 @@ main(int ac, char **av)
|
||||
* terminal, and fork. The original process exits.
|
||||
*/
|
||||
already_daemon = daemonized();
|
||||
- if (!(debug_flag || inetd_flag || no_daemon_flag || already_daemon)) {
|
||||
+ if (!(debug_flag || inetd_flag || no_daemon_flag /*|| already_daemon*/)) {
|
||||
|
||||
if (daemon(0, 0) < 0)
|
||||
fatal("daemon() failed: %.200s", strerror(errno));
|
12
openssh.spec
12
openssh.spec
@ -65,10 +65,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 7.3p1
|
||||
%global openssh_rel 7
|
||||
%global openssh_ver 7.4p1
|
||||
%global openssh_rel 1
|
||||
%global pam_ssh_agent_ver 0.10.2
|
||||
%global pam_ssh_agent_rel 4
|
||||
%global pam_ssh_agent_rel 5
|
||||
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
@ -223,10 +223,10 @@ Patch939: openssh-7.2p2-s390-closefrom.patch
|
||||
Patch940: openssh-7.2p2-expose-pam.patch
|
||||
# Rework SELinux context handling with chroot (#1357860)
|
||||
Patch942: openssh-7.2p2-chroot-capabilities.patch
|
||||
# Null dereference in newkeys code (#1380297)
|
||||
Patch943: openssh-7.3p1-null-deref.patch
|
||||
# Move MAX_DISPLAYS to a configuration option (#1341302)
|
||||
Patch944: openssh-7.3p1-x11-max-displays.patch
|
||||
# Temporary workaround for upstream (#2641)
|
||||
Patch945: openssh-7.4p1-daemon.patch
|
||||
|
||||
|
||||
License: BSD
|
||||
@ -459,8 +459,8 @@ popd
|
||||
%patch939 -p1 -b .s390-dev
|
||||
%patch940 -p1 -b .expose-pam
|
||||
%patch942 -p1 -b .chroot-cap
|
||||
%patch943 -p1 -b .deref
|
||||
%patch944 -p1 -b .x11max
|
||||
%patch945 -p1 -b .daemon
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
a212baca7ce11d596bd8dcb222859ace pam_ssh_agent_auth-0.10.2.tar.bz2
|
||||
dfadd9f035d38ce5d58a3bf130b86d08 openssh-7.3p1.tar.gz
|
||||
SHA512 (openssh-7.4p1.tar.gz) = 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292
|
||||
SHA512 (pam_ssh_agent_auth-0.10.2.tar.bz2) = b4b9bc4486d873f236f7c54874c996e24f344f889dfda3beadb12b97cbb89078028a103a4a7175cd919fb0a12fd5bcefef50420510ae5eff9252e494e0124b38
|
||||
|
Loading…
Reference in New Issue
Block a user