OpenSSH 8.8p1 rebase

Related: rhbz#2007967
This commit is contained in:
Dmitry Belyavskiy 2021-11-29 14:37:28 +01:00
parent c5e4c28ae1
commit 7b76af5292
10 changed files with 48 additions and 122 deletions

2
.gitignore vendored
View File

@ -52,3 +52,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-8.6p1.tar.gz.asc
/openssh-8.7p1.tar.gz
/openssh-8.7p1.tar.gz.asc
/openssh-8.8p1.tar.gz
/openssh-8.8p1.tar.gz.asc

View File

@ -196,11 +196,11 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
- sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -478,12 +481,14 @@ static struct {
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif

View File

@ -110,8 +110,8 @@ diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
options->x11_use_localhost = 1;
if (options->xauth_location == NULL)
@@ -419,7 +422,7 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, sPasswordAuthentication,
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,

View File

@ -117,9 +117,9 @@ diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
--- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200
@@ -57,6 +57,20 @@
"rsa-sha2-256," \
"ssh-rsa"
@@ -57,6 +57,19 @@
"rsa-sha2-512," \
"rsa-sha2-256"
+#define KEX_FIPS_PK_ALG \
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
@ -132,8 +132,7 @@ diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
+ "ecdsa-sha2-nistp384," \
+ "ecdsa-sha2-nistp521," \
+ "rsa-sha2-512," \
+ "rsa-sha2-256," \
+ "ssh-rsa"
+ "rsa-sha2-256,"
+
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \

View File

@ -503,16 +503,15 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
if (options->gss_authentication == -1)
options->gss_authentication = 0;
if (options->gss_keyex == -1)
@@ -506,7 +509,8 @@ typedef enum {
@@ -506,7 +509,7 @@ typedef enum {
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
- sKerberosGetAFSToken, sPasswordAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sPasswordAuthentication,
sKbdInteractiveAuthentication, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -593,11 +597,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },

View File

@ -2,8 +2,8 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
--- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200
+++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200
@@ -373,17 +373,13 @@ or
.Qq *.c.example.com
domains.
causes no CNAMEs to be considered for canonicalization.
This is the default behaviour.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
@ -105,18 +105,18 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified methods will be appended to the default set
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified methods will be placed at the head of the
character, then the specified algorithms will be placed at the head of the
-default set.
-The default is:
-.Bd -literal -offset indent
@ -178,7 +178,7 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
@@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
@@ -1553,36 +1542,25 @@ instead of continuing to execute and pas
The default is
.Cm no .
.It Cm PubkeyAcceptedAlgorithms
@ -214,12 +214,11 @@ diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-rsa-sha2-512,rsa-sha2-256
-.Ed
+built-in openssh default set.
.Pp
@ -373,18 +372,18 @@ diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
Multiple algorithms must be comma-separated.
Alternately if the specified list begins with a
.Sq +
-character, then the specified methods will be appended to the default set
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified methods will be placed at the head of the
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
The supported algorithms are:

View File

@ -2,18 +2,6 @@ diff --git a/scp.1 b/scp.1
index 68aac04b..a96e95ad 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
+.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
.\"
-.Dd $Mdocdate: August 11 2021 $
+.Dd $Mdocdate: September 8 2021 $
.Dt SCP 1
.Os
.Sh NAME
@@ -18,7 +18,7 @@
.Nd OpenSSH secure file copy
.Sh SYNOPSIS
@ -23,55 +11,31 @@ index 68aac04b..a96e95ad 100644
.Op Fl c Ar cipher
.Op Fl D Ar sftp_server_path
.Op Fl F Ar ssh_config
@@ -37,9 +37,6 @@ It uses
.Xr ssh 1
for data transfer, and uses the same authentication and provides the
same security as a login session.
-The scp protocol requires execution of the remote user's shell to perform
-.Xr glob 3
-pattern matching.
.Pp
.Nm
will ask for passwords or passphrases if they are needed for
@@ -79,7 +76,9 @@ The options are as follows:
Copies between two remote hosts are transferred through the local host.
Without this option the data is copied directly between the two remote
hosts.
-Note that, when using the legacy SCP protocol (the default), this option
+Note that, when using the legacy SCP protocol (via the
-Note that, when using the original SCP protocol (the default), this option
+Note that, when using the original SCP protocol (via the
+.Fl O
+flag), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
.It Fl O
Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
Forcing the use of the SCP protocol may be necessary for servers that do
-not implement SFTP or for backwards-compatibility for particular filename
-wildcard patterns.
@@ -146,7 +145,6 @@ Limits the used bandwidth, specified in Kbit/s.
wildcard patterns and for expanding paths with a
.Sq ~
prefix for older SFTP servers.
-This mode is the default.
+not implement SFTP, for backwards-compatibility for particular filename
+wildcard patterns and for expanding paths with a
+.Sq ~
+prefix for older SFTP servers.
.It Fl o Ar ssh_option
Can be used to pass options to
.Nm ssh
@@ -258,16 +258,6 @@ to use for the encrypted connection.
@@ -258,8 +258,6 @@ to use for the encrypted connection.
The program must understand
.Xr ssh 1
options.
-.It Fl s
-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
-Using SFTP avoids invoking a shell on the remote side and provides
-more predictable filename handling, as the SCP protocol
-relied on the remote shell for expanding
-.Xr glob 3
-wildcards.
-.Pp
-A near-future release of OpenSSH will make the SFTP protocol the default.
-This option will be deleted before the end of 2022.
-Use the SFTP protocol for transfers rather than the original scp protocol.
.It Fl T
Disable strict filename checking.
By default when copying files from a remote host to a local directory
@ -103,12 +67,6 @@ diff --git a/scp.c b/scp.c
index e039350c..c7cf7529 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
+/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
/*
* scp - secure remote copy. This is basically patched BSD rcp which
* uses ssh to do the data transfer (instead of using rcmd).
@@ -448,7 +448,7 @@ main(int argc, char **argv)
const char *errstr;
extern char *optarg;

View File

@ -1,31 +0,0 @@
diff --git a/misc.c b/misc.c
index b8d1040d..0134d694 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.169 2021/08/09 23:47:44 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -56,6 +56,7 @@
#ifdef HAVE_PATHS_H
# include <paths.h>
#include <pwd.h>
+#include <grp.h>
#endif
#ifdef SSH_TUN_OPENBSD
#include <net/if.h>
@@ -2695,6 +2696,12 @@ subprocess(const char *tag, const char *command,
}
closefrom(STDERR_FILENO + 1);
+ if (geteuid() == 0 &&
+ initgroups(pw->pw_name, pw->pw_gid) == -1) {
+ error("%s: initgroups(%s, %u): %s", tag,
+ pw->pw_name, (u_int)pw->pw_gid, strerror(errno));
+ _exit(1);
+ }
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) == -1) {
error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid,
strerror(errno));

View File

@ -50,10 +50,10 @@
%{?static_openssl:%global static_libcrypto 1}
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.7p1
%global openssh_rel 3
%global openssh_ver 8.8p1
%global openssh_rel 1
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 4
%global pam_ssh_agent_rel 5
Summary: An open source implementation of SSH protocol version 2
Name: openssh
@ -197,8 +197,6 @@ Patch975: openssh-8.0p1-preserve-pam-errors.patch
Patch976: openssh-8.7p1-sftp-default-protocol.patch
# Implement kill switch for SCP protocol
Patch977: openssh-8.7p1-scp-kill-switch.patch
# CVE-2021-41617
Patch978: openssh-8.7p1-upstream-cve-2021-41617.patch
License: BSD
Requires: /sbin/nologin
@ -377,7 +375,6 @@ popd
%patch975 -p1 -b .preserve-pam-errors
%patch976 -p1 -b .sftp-by-default
%patch977 -p1 -b .kill-scp
%patch978 -p1 -b .cve-2021-41617
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race
@ -663,6 +660,9 @@ test -f %{sysconfig_anaconda} && \
%endif
%changelog
* Mon Nov 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.8p1-1 + 0.10.4-5
- New upstream release (#2007967)
* Wed Sep 29 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-3
- CVE-2021-41617 fix (#2008292)

View File

@ -1,4 +1,4 @@
SHA512 (openssh-8.7p1.tar.gz) = 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2
SHA512 (openssh-8.7p1.tar.gz.asc) = 08b4bda855ca3ef202c271f1c0e3486082b93d1009a794d020e7ba223978bc87bf34b1fbccaae3379a47639bd849935fdaaf63bdb781d0a44625066ccf00fbfc
SHA512 (openssh-8.8p1.tar.gz) = d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
SHA512 (openssh-8.8p1.tar.gz.asc) = 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21