add missing patches and remove unused patches

2014-06-04 10:26:18 +02:00 · 2014-06-04 10:26:18 +02:00 · 7463b66c25
commit 7463b66c25
parent 3e1dd6c5fd
4 changed files with 65 additions and 162 deletions
--- a/openssh-6.3p1-increase-size-of-DF-groups.patch
+++ b/openssh-6.3p1-increase-size-of-DF-groups.patch
@ -1,65 +0,0 @@
 diff -U0 openssh-6.3p1/ChangeLog.df openssh-6.3p1/ChangeLog
 --- openssh-6.3p1/ChangeLog.df	2013-10-23 22:38:03.476272461 +0200
 +++ openssh-6.3p1/ChangeLog	2013-10-23 22:39:46.051788366 +0200
@@ -0,0 +1,8 @@
 +20131010
 + - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
 +   [dh.c dh.h]
 +   Increase the size of the Diffie-Hellman groups requested for a each
 +   symmetric key size.  New values from NIST Special Publication 800-57 with
 +   the upper limit specified by RFC4419.  Pointed out by Peter Backes, ok
 +   djm@.
 +
 diff -up openssh-6.3p1/dh.c.df openssh-6.3p1/dh.c
 --- openssh-6.3p1/dh.c.df	2013-07-18 08:12:07.000000000 +0200
 +++ openssh-6.3p1/dh.c	2013-10-23 22:38:03.476272461 +0200
@@ -1,4 +1,4 @@
 -/* $OpenBSD: dh.c,v 1.51 2013/07/02 12:31:43 markus Exp $ */
 +/* $OpenBSD: dh.c,v 1.52 2013/10/08 11:42:13 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  *
@@ -352,17 +352,20 @@ dh_new_group14(void)
 /*
  * Estimates the group order for a Diffie-Hellman group that has an
 - * attack complexity approximately the same as O(2**bits).  Estimate
 - * with:  O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
 + * attack complexity approximately the same as O(2**bits).
 + * Values from NIST Special Publication 800-57: Recommendation for Key
 + * Management Part 1 (rev 3) limited by the recommended maximum value
 + * from RFC4419 section 3.
  */
 int
 dh_estimate(int bits)
 {
 -
 +	if (bits <= 112)
 +		return 2048;
 	if (bits <= 128)
 -		return (1024);	/* O(2**86) */
 +		return 3072;
 	if (bits <= 192)
 -		return (2048);	/* O(2**116) */
 -	return (4096);		/* O(2**156) */
 +		return 7680;
 +	return 8192;
 }
 diff -up openssh-6.3p1/dh.h.df openssh-6.3p1/dh.h
 --- openssh-6.3p1/dh.h.df	2008-06-29 14:47:04.000000000 +0200
 +++ openssh-6.3p1/dh.h	2013-10-23 22:38:03.476272461 +0200
@@ -1,4 +1,4 @@
 -/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
 +/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
@@ -43,6 +43,7 @@ int	 dh_pub_is_valid(DH *, BIGNUM *);
 int	 dh_estimate(int);
 +/* Min and max values from RFC4419. */
 #define DH_GRP_MIN	1024
 #define DH_GRP_MAX	8192
--- a/openssh-6.4p1-ignore-bad-env-var.patch
+++ b/openssh-6.4p1-ignore-bad-env-var.patch
@ -1,37 +0,0 @@
 diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
 --- openssh-6.4p1/ChangeLog.bad-env-var	2014-03-19 21:37:36.270509907 +0100
 +++ openssh-6.4p1/ChangeLog	2014-03-19 21:37:36.276509878 +0100
@@ -0,0 +1,7 @@
 +20140304
 + - OpenBSD CVS Sync
 +   - djm@cvs.openbsd.org 2014/03/03 22:22:30
 +     [session.c]
 +     ignore enviornment variables with embedded '=' or '\0' characters;
 +     spotted by Jann Horn; ok deraadt@
 +
 diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
 --- openssh-6.4p1/session.c.bad-env-var	2014-03-19 21:37:36.233510090 +0100
 +++ openssh-6.4p1/session.c	2014-03-19 21:37:36.277509873 +0100
@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
 	u_int envsize;
 	u_int i, namelen;
 +	if (strchr(name, '=') != NULL) {
 +		error("Invalid environment variable \"%.100s\"", name);
 +		return;
 +	}
 +
 	/*
 	 * If we're passed an uninitialized list, allocate a single null
 	 * entry before continuing.
@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
 	char *name, *val;
 	u_int name_len, val_len, i;
 -	name = packet_get_string(&name_len);
 -	val = packet_get_string(&val_len);
 +	name = packet_get_cstring(&name_len);
 +	val = packet_get_cstring(&val_len);
 	packet_check_eom();
 	/* Don't set too many environment variables */
--- a/openssh-6.6p1-force_krb.patch
+++ b/openssh-6.6p1-force_krb.patch
@ -1,6 +1,7 @@
-diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
+diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
--- openssh-6.3p1/gss-serv-krb5.c.force_krb	2013-10-11 18:58:51.553948159 +0200
+index 42de994..60de320 100644
-+++ openssh-6.3p1/gss-serv-krb5.c	2013-10-11 21:40:49.972337025 +0200
+--- a/gss-serv-krb5.c
 +++ b/gss-serv-krb5.c
@@ -32,7 +32,9 @@
 #include <sys/types.h>
@ -38,7 +39,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
 static krb5_context krb_context = NULL;
 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 	krb5_principal princ;
 	int retval;
 	const char *errmsg;
@ -46,7 +47,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
 	if (ssh_gssapi_krb5_init() == 0)
 		return 0;
-@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 		krb5_free_error_message(krb_context, errmsg);
 		return 0;
 	}
@ -70,7 +71,7 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
 	} else
 		retval = 0;
-@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 	return retval;
 }
@ -206,19 +207,20 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
 /* This writes out any forwarded credentials from the structure populated
  * during userauth. Called after we have setuid to the user */
-diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
+diff --git a/session.c b/session.c
--- openssh-6.3p1/session.c.force_krb	2013-10-11 18:58:51.487948468 +0200
+index b5dc144..ba4589b 100644
-+++ openssh-6.3p1/session.c	2013-10-11 18:58:51.563948112 +0200
+--- a/session.c
-@@ -823,6 +823,29 @@ do_exec(Session *s, const char *command)
+++ b/session.c
- 		debug("Forced command (key option) '%.900s'", command);
+@@ -806,6 +806,29 @@ do_exec(Session *s, const char *command)
 		command = forced_command;
 		forced = "(key-option)";
 	}
 +#ifdef GSSAPI
 +#ifdef KRB5 /* k5users_allowed_cmds only available w/ GSSAPI+KRB5 */
 +	else if (k5users_allowed_cmds) {
 +		const char *match = command;
 +		int allowed = 0, i = 0;
-+ 
+
 +		if (!match)
 +			match = s->pw->pw_shell;
 +		while (k5users_allowed_cmds[i]) {
@ -236,12 +238,13 @@ diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
 +#endif
 +#endif
 +
- #ifdef SSH_AUDIT_EVENTS
+ 	if (forced != NULL) {
- 	if (s->command != NULL || s->command_handle != -1)
+ 		if (IS_INTERNAL_SFTP(command)) {
- 		fatal("do_exec: command already set");
+ 			s->is_subsystem = s->is_subsystem ?
-diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
+diff --git a/ssh-gss.h b/ssh-gss.h
--- openssh-6.3p1/ssh-gss.h.force_krb	2013-10-11 18:58:51.558948136 +0200
+index 0374c88..509109a 100644
-+++ openssh-6.3p1/ssh-gss.h	2013-10-11 18:58:51.563948112 +0200
+--- a/ssh-gss.h
 +++ b/ssh-gss.h
@@ -49,6 +49,10 @@
 #  endif /* !HAVE_DECL_GSS_C_NT_... */
@ -253,10 +256,11 @@ diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
 #endif /* KRB5 */
 /* draft-ietf-secsh-gsskeyex-06 */
-diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
+diff --git a/sshd.8 b/sshd.8
--- openssh-6.3p1/sshd.8.force_krb	2013-10-11 18:58:51.537948234 +0200
+index 058d37a..5c4f15b 100644
-+++ openssh-6.3p1/sshd.8	2013-10-11 18:58:51.563948112 +0200
+--- a/sshd.8
-@@ -326,6 +326,7 @@ Finally, the server and the client enter
+++ b/sshd.8
@@ -327,6 +327,7 @@ Finally, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
 host-based authentication,
 public key authentication,
@ -264,7 +268,7 @@ diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
 challenge-response authentication,
 or password authentication.
 .Pp
-@@ -797,6 +798,12 @@ This file is used in exactly the same wa
+@@ -800,6 +801,12 @@ This file is used in exactly the same way as
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@ -1,7 +1,7 @@
-diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
+diff -up openssh-6.6p1/auth-krb5.c.kuserok openssh-6.6p1/auth-krb5.c
--- openssh-6.3p1/auth-krb5.c.kuserok	2013-10-11 21:41:42.889087613 +0200
+--- openssh-6.6p1/auth-krb5.c.kuserok	2013-10-24 01:53:02.000000000 +0200
-+++ openssh-6.3p1/auth-krb5.c	2013-10-11 21:41:42.905087537 +0200
+++ openssh-6.6p1/auth-krb5.c	2014-05-07 10:42:00.883534478 +0200
-@@ -55,6 +55,20 @@
+@@ -54,6 +54,20 @@
 extern ServerOptions	 options;
@ -22,18 +22,19 @@ diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
 static int
 krb5_init(void *context)
 {
-@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -157,8 +171,7 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-+	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
+-	    authctxt->pw->pw_name)) {
 +	if (!ssh_krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) {
 		problem = -1;
 		goto out;
 	}
-diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
+diff -up openssh-6.6p1/gss-serv-krb5.c.kuserok openssh-6.6p1/gss-serv-krb5.c
--- openssh-6.3p1/gss-serv-krb5.c.kuserok	2013-10-11 21:41:42.901087556 +0200
+--- openssh-6.6p1/gss-serv-krb5.c.kuserok	2014-05-07 10:35:30.792053846 +0200
-+++ openssh-6.3p1/gss-serv-krb5.c	2013-10-11 21:46:42.898673597 +0200
+++ openssh-6.6p1/gss-serv-krb5.c	2014-05-07 10:35:30.801053812 +0200
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
     int);
@ -51,9 +52,9 @@ diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
 		retval = 1;
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
 		    name, (char *)client->displayname.value);
-diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
+diff -up openssh-6.6p1/servconf.c.kuserok openssh-6.6p1/servconf.c
--- openssh-6.3p1/servconf.c.kuserok	2013-10-11 21:41:42.896087580 +0200
+--- openssh-6.6p1/servconf.c.kuserok	2014-05-07 10:35:30.783053881 +0200
-+++ openssh-6.3p1/servconf.c	2013-10-11 21:48:24.664194016 +0200
+++ openssh-6.6p1/servconf.c	2014-05-07 10:39:13.133189061 +0200
@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
@ -62,16 +63,16 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
 }
 void
-@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption
+@@ -312,6 +313,8 @@ fill_default_server_options(ServerOption
 		options->version_addendum = xstrdup("");
 	if (options->show_patchlevel == -1)
 		options->show_patchlevel = 0;
 +	if (options->use_kuserok == -1)
-+		options->use_kuserok = 1;
+		options->use_kuserok = 0;
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
-@@ -336,7 +339,7 @@ typedef enum {
+@@ -338,7 +341,7 @@ typedef enum {
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -80,7 +81,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
-@@ -409,11 +412,13 @@ static struct {
+@@ -410,11 +413,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
@ -94,7 +95,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions
+@@ -1526,6 +1531,10 @@ process_server_config_line(ServerOptions
 		*activep = value;
 		break;
@ -105,7 +106,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1811,6 +1820,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
@ -113,7 +114,7 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
-@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
+@@ -2062,6 +2072,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -121,10 +122,10 @@ diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
+diff -up openssh-6.6p1/servconf.h.kuserok openssh-6.6p1/servconf.h
--- openssh-6.3p1/servconf.h.kuserok	2013-10-11 21:41:42.896087580 +0200
+--- openssh-6.6p1/servconf.h.kuserok	2014-05-07 10:35:30.783053881 +0200
-+++ openssh-6.3p1/servconf.h	2013-10-11 21:41:42.907087528 +0200
+++ openssh-6.6p1/servconf.h	2014-05-07 10:35:30.802053808 +0200
-@@ -174,6 +174,7 @@ typedef struct {
+@@ -173,6 +173,7 @@ typedef struct {
 	int	num_permitted_opens;
@ -132,21 +133,21 @@ diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
+diff -up openssh-6.6p1/sshd_config.5.kuserok openssh-6.6p1/sshd_config.5
--- openssh-6.3p1/sshd_config.5.kuserok	2013-10-11 21:41:42.898087571 +0200
+--- openssh-6.6p1/sshd_config.5.kuserok	2014-05-07 10:35:30.786053870 +0200
-+++ openssh-6.3p1/sshd_config.5	2013-10-11 21:41:42.907087528 +0200
+++ openssh-6.6p1/sshd_config.5	2014-05-07 10:43:04.784285016 +0200
-@@ -675,6 +675,10 @@ Specifies whether to automatically destr
+@@ -697,6 +697,10 @@ Specifies whether to automatically destr
 file on logout.
 The default is
 .Dq yes .
 +.It Cm KerberosUseKuserok
 +Specifies whether to look at .k5login file for user's aliases.
 +The default is
-+.Dq yes .
+.Dq no .
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-@@ -833,6 +837,7 @@ Available keywords are
+@@ -862,6 +866,7 @@ Available keywords are
 .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
@ -154,14 +155,14 @@ diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
-diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
+diff -up openssh-6.6p1/sshd_config.kuserok openssh-6.6p1/sshd_config
--- openssh-6.3p1/sshd_config.kuserok	2013-10-11 21:41:42.898087571 +0200
+--- openssh-6.6p1/sshd_config.kuserok	2014-05-07 10:35:30.803053804 +0200
-+++ openssh-6.3p1/sshd_config	2013-10-11 21:41:42.907087528 +0200
+++ openssh-6.6p1/sshd_config	2014-05-07 10:38:30.735354431 +0200
-@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
+@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
-+#KerberosUseKuserok yes
+#KerberosUseKuserok no
 # GSSAPI options
- #GSSAPIAuthentication no
+ GSSAPIAuthentication yes