add missing patches and remove unused patches

This commit is contained in:
Petr Lautrbach 2014-06-04 10:26:18 +02:00
parent 3e1dd6c5fd
commit 7463b66c25
4 changed files with 65 additions and 162 deletions

View File

@ -1,65 +0,0 @@
diff -U0 openssh-6.3p1/ChangeLog.df openssh-6.3p1/ChangeLog
--- openssh-6.3p1/ChangeLog.df 2013-10-23 22:38:03.476272461 +0200
+++ openssh-6.3p1/ChangeLog 2013-10-23 22:39:46.051788366 +0200
@@ -0,0 +1,8 @@
+20131010
+ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
+ [dh.c dh.h]
+ Increase the size of the Diffie-Hellman groups requested for a each
+ symmetric key size. New values from NIST Special Publication 800-57 with
+ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
+ djm@.
+
diff -up openssh-6.3p1/dh.c.df openssh-6.3p1/dh.c
--- openssh-6.3p1/dh.c.df 2013-07-18 08:12:07.000000000 +0200
+++ openssh-6.3p1/dh.c 2013-10-23 22:38:03.476272461 +0200
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
+/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
*
@@ -352,17 +352,20 @@ dh_new_group14(void)
/*
* Estimates the group order for a Diffie-Hellman group that has an
- * attack complexity approximately the same as O(2**bits). Estimate
- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
+ * attack complexity approximately the same as O(2**bits).
+ * Values from NIST Special Publication 800-57: Recommendation for Key
+ * Management Part 1 (rev 3) limited by the recommended maximum value
+ * from RFC4419 section 3.
*/
int
dh_estimate(int bits)
{
-
+ if (bits <= 112)
+ return 2048;
if (bits <= 128)
- return (1024); /* O(2**86) */
+ return 3072;
if (bits <= 192)
- return (2048); /* O(2**116) */
- return (4096); /* O(2**156) */
+ return 7680;
+ return 8192;
}
diff -up openssh-6.3p1/dh.h.df openssh-6.3p1/dh.h
--- openssh-6.3p1/dh.h.df 2008-06-29 14:47:04.000000000 +0200
+++ openssh-6.3p1/dh.h 2013-10-23 22:38:03.476272461 +0200
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
+/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
/*
* Copyright (c) 2000 Niels Provos. All rights reserved.
@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
int dh_estimate(int);
+/* Min and max values from RFC4419. */
#define DH_GRP_MIN 1024
#define DH_GRP_MAX 8192

View File

@ -1,37 +0,0 @@
diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
--- openssh-6.4p1/ChangeLog.bad-env-var 2014-03-19 21:37:36.270509907 +0100
+++ openssh-6.4p1/ChangeLog 2014-03-19 21:37:36.276509878 +0100
@@ -0,0 +1,7 @@
+20140304
+ - OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2014/03/03 22:22:30
+ [session.c]
+ ignore enviornment variables with embedded '=' or '\0' characters;
+ spotted by Jann Horn; ok deraadt@
+
diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
--- openssh-6.4p1/session.c.bad-env-var 2014-03-19 21:37:36.233510090 +0100
+++ openssh-6.4p1/session.c 2014-03-19 21:37:36.277509873 +0100
@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
u_int envsize;
u_int i, namelen;
+ if (strchr(name, '=') != NULL) {
+ error("Invalid environment variable \"%.100s\"", name);
+ return;
+ }
+
/*
* If we're passed an uninitialized list, allocate a single null
* entry before continuing.
@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
char *name, *val;
u_int name_len, val_len, i;
- name = packet_get_string(&name_len);
- val = packet_get_string(&val_len);
+ name = packet_get_cstring(&name_len);
+ val = packet_get_cstring(&val_len);
packet_check_eom();
/* Don't set too many environment variables */

View File

@ -1,6 +1,7 @@
diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.3p1/gss-serv-krb5.c.force_krb 2013-10-11 18:58:51.553948159 +0200
+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:40:49.972337025 +0200
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 42de994..60de320 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -32,7 +32,9 @@
#include <sys/types.h>
@ -38,7 +39,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
static krb5_context krb_context = NULL;
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
krb5_principal princ;
int retval;
const char *errmsg;
@ -46,7 +47,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
if (ssh_gssapi_krb5_init() == 0)
return 0;
@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
krb5_free_error_message(krb_context, errmsg);
return 0;
}
@ -70,7 +71,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
} else
retval = 0;
@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
return retval;
}
@ -206,19 +207,20 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
--- openssh-6.3p1/session.c.force_krb 2013-10-11 18:58:51.487948468 +0200
+++ openssh-6.3p1/session.c 2013-10-11 18:58:51.563948112 +0200
@@ -823,6 +823,29 @@ do_exec(Session *s, const char *command)
debug("Forced command (key option) '%.900s'", command);
diff --git a/session.c b/session.c
index b5dc144..ba4589b 100644
--- a/session.c
+++ b/session.c
@@ -806,6 +806,29 @@ do_exec(Session *s, const char *command)
command = forced_command;
forced = "(key-option)";
}
+#ifdef GSSAPI
+#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
+ else if (k5users_allowed_cmds) {
+ const char *match = command;
+ int allowed = 0, i = 0;
+
+
+ if (!match)
+ match = s->pw->pw_shell;
+ while (k5users_allowed_cmds[i]) {
@ -236,12 +238,13 @@ diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
+#endif
+#endif
+
#ifdef SSH_AUDIT_EVENTS
if (s->command != NULL || s->command_handle != -1)
fatal("do_exec: command already set");
diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
--- openssh-6.3p1/ssh-gss.h.force_krb 2013-10-11 18:58:51.558948136 +0200
+++ openssh-6.3p1/ssh-gss.h 2013-10-11 18:58:51.563948112 +0200
if (forced != NULL) {
if (IS_INTERNAL_SFTP(command)) {
s->is_subsystem = s->is_subsystem ?
diff --git a/ssh-gss.h b/ssh-gss.h
index 0374c88..509109a 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -49,6 +49,10 @@
# endif /* !HAVE_DECL_GSS_C_NT_... */
@ -253,10 +256,11 @@ diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
#endif /* KRB5 */
/* draft-ietf-secsh-gsskeyex-06 */
diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
--- openssh-6.3p1/sshd.8.force_krb 2013-10-11 18:58:51.537948234 +0200
+++ openssh-6.3p1/sshd.8 2013-10-11 18:58:51.563948112 +0200
@@ -326,6 +326,7 @@ Finally, the server and the client enter
diff --git a/sshd.8 b/sshd.8
index 058d37a..5c4f15b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -327,6 +327,7 @@ Finally, the server and the client enter an authentication dialog.
The client tries to authenticate itself using
host-based authentication,
public key authentication,
@ -264,7 +268,7 @@ diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
challenge-response authentication,
or password authentication.
.Pp
@@ -797,6 +798,12 @@ This file is used in exactly the same wa
@@ -800,6 +801,12 @@ This file is used in exactly the same way as
but allows host-based authentication without permitting login with
rlogin/rsh.
.Pp

View File

@ -1,7 +1,7 @@
diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
--- openssh-6.3p1/auth-krb5.c.kuserok 2013-10-11 21:41:42.889087613 +0200
+++ openssh-6.3p1/auth-krb5.c 2013-10-11 21:41:42.905087537 +0200
@@ -55,6 +55,20 @@
diff -up openssh-6.6p1/auth-krb5.c.kuserok openssh-6.6p1/auth-krb5.c
--- openssh-6.6p1/auth-krb5.c.kuserok 2013-10-24 01:53:02.000000000 +0200
+++ openssh-6.6p1/auth-krb5.c 2014-05-07 10:42:00.883534478 +0200
@@ -54,6 +54,20 @@
extern ServerOptions options;
@ -22,18 +22,19 @@ diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
static int
krb5_init(void *context)
{
@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c
@@ -157,8 +171,7 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
- authctxt->pw->pw_name)) {
+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) {
problem = -1;
goto out;
}
diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.3p1/gss-serv-krb5.c.kuserok 2013-10-11 21:41:42.901087556 +0200
+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:46:42.898673597 +0200
diff -up openssh-6.6p1/gss-serv-krb5.c.kuserok openssh-6.6p1/gss-serv-krb5.c
--- openssh-6.6p1/gss-serv-krb5.c.kuserok 2014-05-07 10:35:30.792053846 +0200
+++ openssh-6.6p1/gss-serv-krb5.c 2014-05-07 10:35:30.801053812 +0200
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int);
@ -51,9 +52,9 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value);
diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
--- openssh-6.3p1/servconf.c.kuserok 2013-10-11 21:41:42.896087580 +0200
+++ openssh-6.3p1/servconf.c 2013-10-11 21:48:24.664194016 +0200
diff -up openssh-6.6p1/servconf.c.kuserok openssh-6.6p1/servconf.c
--- openssh-6.6p1/servconf.c.kuserok 2014-05-07 10:35:30.783053881 +0200
+++ openssh-6.6p1/servconf.c 2014-05-07 10:39:13.133189061 +0200
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
@ -62,16 +63,16 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
}
void
@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption
@@ -312,6 +313,8 @@ fill_default_server_options(ServerOption
options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1)
options->show_patchlevel = 0;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
+ options->use_kuserok = 0;
/* Turn privilege separation on by default */
if (use_privsep == -1)
@@ -336,7 +339,7 @@ typedef enum {
@@ -338,7 +341,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -80,7 +81,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -409,11 +412,13 @@ static struct {
@@ -410,11 +413,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@ -94,7 +95,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions
@@ -1526,6 +1531,10 @@ process_server_config_line(ServerOptions
*activep = value;
break;
@ -105,7 +106,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d
@@ -1811,6 +1820,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
@ -113,7 +114,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
@@ -2062,6 +2072,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -121,10 +122,10 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
--- openssh-6.3p1/servconf.h.kuserok 2013-10-11 21:41:42.896087580 +0200
+++ openssh-6.3p1/servconf.h 2013-10-11 21:41:42.907087528 +0200
@@ -174,6 +174,7 @@ typedef struct {
diff -up openssh-6.6p1/servconf.h.kuserok openssh-6.6p1/servconf.h
--- openssh-6.6p1/servconf.h.kuserok 2014-05-07 10:35:30.783053881 +0200
+++ openssh-6.6p1/servconf.h 2014-05-07 10:35:30.802053808 +0200
@@ -173,6 +173,7 @@ typedef struct {
int num_permitted_opens;
@ -132,21 +133,21 @@ diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
--- openssh-6.3p1/sshd_config.5.kuserok 2013-10-11 21:41:42.898087571 +0200
+++ openssh-6.3p1/sshd_config.5 2013-10-11 21:41:42.907087528 +0200
@@ -675,6 +675,10 @@ Specifies whether to automatically destr
diff -up openssh-6.6p1/sshd_config.5.kuserok openssh-6.6p1/sshd_config.5
--- openssh-6.6p1/sshd_config.5.kuserok 2014-05-07 10:35:30.786053870 +0200
+++ openssh-6.6p1/sshd_config.5 2014-05-07 10:43:04.784285016 +0200
@@ -697,6 +697,10 @@ Specifies whether to automatically destr
file on logout.
The default is
.Dq yes .
+.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases.
+The default is
+.Dq yes .
+.Dq no .
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
@@ -833,6 +837,7 @@ Available keywords are
@@ -862,6 +866,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
@ -154,14 +155,14 @@ diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
.Cm MaxAuthTries ,
.Cm MaxSessions ,
.Cm PasswordAuthentication ,
diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
--- openssh-6.3p1/sshd_config.kuserok 2013-10-11 21:41:42.898087571 +0200
+++ openssh-6.3p1/sshd_config 2013-10-11 21:41:42.907087528 +0200
@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
diff -up openssh-6.6p1/sshd_config.kuserok openssh-6.6p1/sshd_config
--- openssh-6.6p1/sshd_config.kuserok 2014-05-07 10:35:30.803053804 +0200
+++ openssh-6.6p1/sshd_config 2014-05-07 10:38:30.735354431 +0200
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+#KerberosUseKuserok no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes