diff --git a/openssh-6.3p1-increase-size-of-DF-groups.patch b/openssh-6.3p1-increase-size-of-DF-groups.patch
deleted file mode 100644
index 941aa72..0000000
--- a/openssh-6.3p1-increase-size-of-DF-groups.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-diff -U0 openssh-6.3p1/ChangeLog.df openssh-6.3p1/ChangeLog
---- openssh-6.3p1/ChangeLog.df 2013-10-23 22:38:03.476272461 +0200
-+++ openssh-6.3p1/ChangeLog 2013-10-23 22:39:46.051788366 +0200
-@@ -0,0 +1,8 @@
-+20131010
-+ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
-+ [dh.c dh.h]
-+ Increase the size of the Diffie-Hellman groups requested for a each
-+ symmetric key size. New values from NIST Special Publication 800-57 with
-+ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
-+ djm@.
-+
-diff -up openssh-6.3p1/dh.c.df openssh-6.3p1/dh.c
---- openssh-6.3p1/dh.c.df 2013-07-18 08:12:07.000000000 +0200
-+++ openssh-6.3p1/dh.c 2013-10-23 22:38:03.476272461 +0200
-@@ -1,4 +1,4 @@
--/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
-+/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */
- /*
- * Copyright (c) 2000 Niels Provos. All rights reserved.
- *
-@@ -352,17 +352,20 @@ dh_new_group14(void)
-
- /*
- * Estimates the group order for a Diffie-Hellman group that has an
-- * attack complexity approximately the same as O(2**bits). Estimate
-- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
-+ * attack complexity approximately the same as O(2**bits).
-+ * Values from NIST Special Publication 800-57: Recommendation for Key
-+ * Management Part 1 (rev 3) limited by the recommended maximum value
-+ * from RFC4419 section 3.
- */
-
- int
- dh_estimate(int bits)
- {
--
-+ if (bits <= 112)
-+ return 2048;
- if (bits <= 128)
-- return (1024); /* O(2**86) */
-+ return 3072;
- if (bits <= 192)
-- return (2048); /* O(2**116) */
-- return (4096); /* O(2**156) */
-+ return 7680;
-+ return 8192;
- }
-diff -up openssh-6.3p1/dh.h.df openssh-6.3p1/dh.h
---- openssh-6.3p1/dh.h.df 2008-06-29 14:47:04.000000000 +0200
-+++ openssh-6.3p1/dh.h 2013-10-23 22:38:03.476272461 +0200
-@@ -1,4 +1,4 @@
--/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
-+/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
-
- /*
- * Copyright (c) 2000 Niels Provos. All rights reserved.
-@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
-
- int dh_estimate(int);
-
-+/* Min and max values from RFC4419. */
- #define DH_GRP_MIN 1024
- #define DH_GRP_MAX 8192
-
diff --git a/openssh-6.4p1-ignore-bad-env-var.patch b/openssh-6.4p1-ignore-bad-env-var.patch
deleted file mode 100644
index 3bb49c2..0000000
--- a/openssh-6.4p1-ignore-bad-env-var.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
---- openssh-6.4p1/ChangeLog.bad-env-var 2014-03-19 21:37:36.270509907 +0100
-+++ openssh-6.4p1/ChangeLog 2014-03-19 21:37:36.276509878 +0100
-@@ -0,0 +1,7 @@
-+20140304
-+ - OpenBSD CVS Sync
-+ - djm@cvs.openbsd.org 2014/03/03 22:22:30
-+ [session.c]
-+ ignore enviornment variables with embedded '=' or '\0' characters;
-+ spotted by Jann Horn; ok deraadt@
-+
-diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
---- openssh-6.4p1/session.c.bad-env-var 2014-03-19 21:37:36.233510090 +0100
-+++ openssh-6.4p1/session.c 2014-03-19 21:37:36.277509873 +0100
-@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
- u_int envsize;
- u_int i, namelen;
-
-+ if (strchr(name, '=') != NULL) {
-+ error("Invalid environment variable \"%.100s\"", name);
-+ return;
-+ }
-+
- /*
- * If we're passed an uninitialized list, allocate a single null
- * entry before continuing.
-@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
- char *name, *val;
- u_int name_len, val_len, i;
-
-- name = packet_get_string(&name_len);
-- val = packet_get_string(&val_len);
-+ name = packet_get_cstring(&name_len);
-+ val = packet_get_cstring(&val_len);
- packet_check_eom();
-
- /* Don't set too many environment variables */
diff --git a/openssh-6.3p1-force_krb.patch b/openssh-6.6p1-force_krb.patch
similarity index 84%
rename from openssh-6.3p1-force_krb.patch
rename to openssh-6.6p1-force_krb.patch
index 695c0eb..a242394 100644
--- a/openssh-6.3p1-force_krb.patch
+++ b/openssh-6.6p1-force_krb.patch
@@ -1,6 +1,7 @@
-diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
---- openssh-6.3p1/gss-serv-krb5.c.force_krb 2013-10-11 18:58:51.553948159 +0200
-+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:40:49.972337025 +0200
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
+index 42de994..60de320 100644
+--- a/gss-serv-krb5.c
++++ b/gss-serv-krb5.c @@ -32,7 +32,9 @@ #include 
@@ -38,7 +39,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c static krb5_context krb_context = NULL; /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ -@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client +@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) krb5_principal princ; int retval; const char *errmsg; @@ -46,7 +47,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c if (ssh_gssapi_krb5_init() == 0) return 0; -@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client +@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) krb5_free_error_message(krb_context, errmsg); return 0; } @@ -70,7 +71,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c } else retval = 0; -@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client +@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) return retval; } 
@@ -206,19 +207,20 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c /* This writes out any forwarded credentials from the structure populated * during userauth. Called after we have setuid to the user */ -diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c ---- openssh-6.3p1/session.c.force_krb 2013-10-11 18:58:51.487948468 +0200 -+++ openssh-6.3p1/session.c 2013-10-11 18:58:51.563948112 +0200 -@@ -823,6 +823,29 @@ do_exec(Session *s, const char *command) - debug("Forced command (key option) '%.900s'", command); +diff --git a/session.c b/session.c +index b5dc144..ba4589b 100644 +--- a/session.c ++++ b/session.c +@@ -806,6 +806,29 @@ do_exec(Session *s, const char *command) + command = forced_command; + forced = "(key-option)"; } - +#ifdef GSSAPI +#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */ + else if (k5users_allowed_cmds) { + const char *match = command; + int allowed = 0, i = 0; -+ ++ + if (!match) + match = s->pw->pw_shell; + while (k5users_allowed_cmds[i]) { @@ -236,12 +238,13 @@ diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c +#endif +#endif + - #ifdef SSH_AUDIT_EVENTS - if (s->command != NULL || s->command_handle != -1) - fatal("do_exec: command already set"); -diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h ---- openssh-6.3p1/ssh-gss.h.force_krb 2013-10-11 18:58:51.558948136 +0200 -+++ openssh-6.3p1/ssh-gss.h 2013-10-11 18:58:51.563948112 +0200 + if (forced != NULL) { + if (IS_INTERNAL_SFTP(command)) { + s->is_subsystem = s->is_subsystem ? +diff --git a/ssh-gss.h b/ssh-gss.h +index 0374c88..509109a 100644 +--- a/ssh-gss.h ++++ b/ssh-gss.h @@ -49,6 +49,10 @@ # endif /* !HAVE_DECL_GSS_C_NT_... */ 
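Review bot: The ported `else if (k5users_allowed_cmds)` branch now sits between the key-option forced-command `if` and 6.6p1's new `if (forced != NULL) {` block, but nothing visible in it sets `forced`, so whatever that block does for forced commands (the `IS_INTERNAL_SFTP(command)` test is visible; any logging is presumed) does not apply when the k5users list substitutes or rejects the command. The loop body between `while (k5users_allowed_cmds[i]) {` and the closing `#endif`s lies outside these hunks (@@ -206 and @@ -236 are the head and tail of the same insertion), so please confirm there whether `forced` should be set on that path, e.g. `forced = "(k5users)";` when the list overrides the command. Because the branch is an `else if`, a command forced by a key option also skips the k5users check entirely; that precedence deserves a comment on the branch such as `/* key-option forced commands take precedence; k5users restrictions apply only otherwise */`.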
@@ -253,10 +256,11 @@ diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h #endif /* KRB5 */ /* draft-ietf-secsh-gsskeyex-06 */ -diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8 ---- openssh-6.3p1/sshd.8.force_krb 2013-10-11 18:58:51.537948234 +0200 -+++ openssh-6.3p1/sshd.8 2013-10-11 18:58:51.563948112 +0200 -@@ -326,6 +326,7 @@ Finally, the server and the client enter +diff --git a/sshd.8 b/sshd.8 +index 058d37a..5c4f15b 100644 +--- a/sshd.8 ++++ b/sshd.8 +@@ -327,6 +327,7 @@ Finally, the server and the client enter an authentication dialog. The client tries to authenticate itself using host-based authentication, public key authentication, @@ -264,7 +268,7 @@ diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8 challenge-response authentication, or password authentication. .Pp -@@ -797,6 +798,12 @@ This file is used in exactly the same wa +@@ -800,6 +801,12 @@ This file is used in exactly the same way as but allows host-based authentication without permitting login with rlogin/rsh. .Pp diff --git a/openssh-6.3p1-kuserok.patch b/openssh-6.6p1-kuserok.patch similarity index 67% rename from openssh-6.3p1-kuserok.patch rename to openssh-6.6p1-kuserok.patch index 60688db..d2d07b6 100644 --- a/openssh-6.3p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -1,7 +1,7 @@ -diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c ---- openssh-6.3p1/auth-krb5.c.kuserok 2013-10-11 21:41:42.889087613 +0200 -+++ openssh-6.3p1/auth-krb5.c 2013-10-11 21:41:42.905087537 +0200 -@@ -55,6 +55,20 @@ +diff -up openssh-6.6p1/auth-krb5.c.kuserok openssh-6.6p1/auth-krb5.c +--- openssh-6.6p1/auth-krb5.c.kuserok 2013-10-24 01:53:02.000000000 +0200 ++++ openssh-6.6p1/auth-krb5.c 2014-05-07 10:42:00.883534478 +0200 +@@ -54,6 +54,20 @@ extern ServerOptions options; 
@@ -22,18 +22,19 @@ diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c static int krb5_init(void *context) { -@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c +@@ -157,8 +171,7 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; -- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { -+ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) { +- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, +- authctxt->pw->pw_name)) { ++ if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) { problem = -1; goto out; } -diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c ---- openssh-6.3p1/gss-serv-krb5.c.kuserok 2013-10-11 21:41:42.901087556 +0200 -+++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:46:42.898673597 +0200 +diff -up openssh-6.6p1/gss-serv-krb5.c.kuserok openssh-6.6p1/gss-serv-krb5.c +--- openssh-6.6p1/gss-serv-krb5.c.kuserok 2014-05-07 10:35:30.792053846 +0200 ++++ openssh-6.6p1/gss-serv-krb5.c 2014-05-07 10:35:30.801053812 +0200 @@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr int); @@ -51,9 +52,9 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c retval = 1; logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", name, (char *)client->displayname.value); -diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c ---- openssh-6.3p1/servconf.c.kuserok 2013-10-11 21:41:42.896087580 +0200 -+++ openssh-6.3p1/servconf.c 2013-10-11 21:48:24.664194016 +0200 +diff -up openssh-6.6p1/servconf.c.kuserok openssh-6.6p1/servconf.c +--- openssh-6.6p1/servconf.c.kuserok 2014-05-07 10:35:30.783053881 +0200 ++++ openssh-6.6p1/servconf.c 2014-05-07 10:39:13.133189061 +0200 @@ -157,6 +157,7 @@ initialize_server_options(ServerOptions options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; 
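Review bot: The replacement line `if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) {` collapses the two-line call that upstream wraps (the removed lines keep `authctxt->pw->pw_name` on a continuation line) into one line well past 80 columns; it is only a style point, but it makes the patch noisier against the surrounding KNF layout. Keep upstream's wrap: `if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,` followed by `    authctxt->pw->pw_name)) {`. The enclosing `auth_krb5_password` body continues outside the hunk.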
@@ -62,16 +63,16 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c } void -@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption +@@ -312,6 +313,8 @@ fill_default_server_options(ServerOption options->version_addendum = xstrdup(""); if (options->show_patchlevel == -1) options->show_patchlevel = 0; + if (options->use_kuserok == -1) -+ options->use_kuserok = 1; ++ options->use_kuserok = 0; /* Turn privilege separation on by default */ if (use_privsep == -1) -@@ -336,7 +339,7 @@ typedef enum { +@@ -338,7 +341,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, @@ -80,7 +81,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, -@@ -409,11 +412,13 @@ static struct { +@@ -410,11 +413,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -94,7 +95,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions +@@ -1526,6 +1531,10 @@ process_server_config_line(ServerOptions *activep = value; break; @@ -105,7 +106,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d +@@ -1811,6 +1820,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); 
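Review bot: The default in `fill_default_server_options` flips from `options->use_kuserok = 1` to `options->use_kuserok = 0`, which changes Kerberos authorization behavior for every deployment that never set `KerberosUseKuserok`: per the sshd_config.5 text in the @@ -132 hunk, the `.k5login` file is then no longer consulted unless the option is enabled explicitly. The man page (@@ -132) and the sample sshd_config (@@ -154) are updated consistently, but nothing in the patch itself records why the default changed; a comment at the assignment, e.g. `options->use_kuserok = 0;	/* KerberosUseKuserok defaults to "no": .k5login is not consulted */`, would keep the intent next to the code. The sshd_config.5 entry could also say what the server accepts when the option is off rather than only that .k5login is "looked at"; hedged, since the `ssh_krb5_kuserok` implementation is outside this diff.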
@@ -113,7 +114,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); -@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o) +@@ -2062,6 +2072,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); @@ -121,10 +122,10 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h ---- openssh-6.3p1/servconf.h.kuserok 2013-10-11 21:41:42.896087580 +0200 -+++ openssh-6.3p1/servconf.h 2013-10-11 21:41:42.907087528 +0200 -@@ -174,6 +174,7 @@ typedef struct { +diff -up openssh-6.6p1/servconf.h.kuserok openssh-6.6p1/servconf.h +--- openssh-6.6p1/servconf.h.kuserok 2014-05-07 10:35:30.783053881 +0200 ++++ openssh-6.6p1/servconf.h 2014-05-07 10:35:30.802053808 +0200 +@@ -173,6 +173,7 @@ typedef struct { int num_permitted_opens; 
@@ -132,21 +133,21 @@ diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5 ---- openssh-6.3p1/sshd_config.5.kuserok 2013-10-11 21:41:42.898087571 +0200 -+++ openssh-6.3p1/sshd_config.5 2013-10-11 21:41:42.907087528 +0200 -@@ -675,6 +675,10 @@ Specifies whether to automatically destr +diff -up openssh-6.6p1/sshd_config.5.kuserok openssh-6.6p1/sshd_config.5 +--- openssh-6.6p1/sshd_config.5.kuserok 2014-05-07 10:35:30.786053870 +0200 ++++ openssh-6.6p1/sshd_config.5 2014-05-07 10:43:04.784285016 +0200 +@@ -697,6 +697,10 @@ Specifies whether to automatically destr file on logout. The default is .Dq yes . +.It Cm KerberosUseKuserok +Specifies whether to look at .k5login file for user's aliases. +The default is -+.Dq yes . ++.Dq no . .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -@@ -833,6 +837,7 @@ Available keywords are +@@ -862,6 +866,7 @@ Available keywords are .Cm HostbasedUsesNameFromPacketOnly , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , 
@@ -154,14 +155,14 @@ diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5 .Cm MaxAuthTries , .Cm MaxSessions , .Cm PasswordAuthentication , -diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config ---- openssh-6.3p1/sshd_config.kuserok 2013-10-11 21:41:42.898087571 +0200 -+++ openssh-6.3p1/sshd_config 2013-10-11 21:41:42.907087528 +0200 -@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no +diff -up openssh-6.6p1/sshd_config.kuserok openssh-6.6p1/sshd_config +--- openssh-6.6p1/sshd_config.kuserok 2014-05-07 10:35:30.803053804 +0200 ++++ openssh-6.6p1/sshd_config 2014-05-07 10:38:30.735354431 +0200 +@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no -+#KerberosUseKuserok yes ++#KerberosUseKuserok no # GSSAPI options - #GSSAPIAuthentication no + GSSAPIAuthentication yes