From 9591af3b1d38463b34bc3f103eccb5d7515d6638 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Fri, 15 Jul 2022 16:52:19 +0200
Subject: [PATCH] FIX pam_ssh_agent_auth auth for RSA keys
Related: rhbz#2070113
---
 openssh.spec | 11 +++++++++--
 pam_ssh_agent_auth-0.10.4-rsasha2.patch | 19 +++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 pam_ssh_agent_auth-0.10.4-rsasha2.patch
diff --git a/openssh.spec b/openssh.spec
index 490fef1..7a0ba8f 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,9 +51,9 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 18
+%global openssh_rel 19
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 4
+%global pam_ssh_agent_rel 5
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -102,6 +102,8 @@ Patch306: pam_ssh_agent_auth-0.10.2-compat.patch
 # Fix NULL dereference from getpwuid() return value
 # https://sourceforge.net/p/pamsshagentauth/bugs/22/
 Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2070113
+Patch308: pam_ssh_agent_auth-0.10.4-rsasha2.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
 Patch400: openssh-7.8p1-role-mls.patch
@@ -377,6 +379,7 @@ pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 %patch306 -p2 -b .psaa-compat
 %patch305 -p2 -b .psaa-agent
 %patch307 -p2 -b .psaa-deref
+%patch308 -p2 -b .rsasha2
 # Remove duplicate headers and library files
 rm -f $(cat %{SOURCE5})
 popd
@@ -725,6 +728,10 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
+* Fri Jul 15 2022 Dmitry Belyavskiy - 8.7p1-19 + 0.10.4-5
+- FIX pam_ssh_agent_auth auth for RSA keys
+ Related: rhbz#2070113
+
 * Thu Jul 14 2022 Zoltan Fridrich - 8.7p1-18
 - Fix new coverity issues
 Related: rhbz#2068423
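Review bot: The new `Patch308` entry carries only a Bugzilla URL, while the `Patch307` entry just above it also states what the patch does. Because this patch changes which signature algorithm is requested from the agent, a one-line description would help anyone auditing the patch list; suggest adding `# Request rsa-sha2-256 signatures from the agent for RSA keys` above the URL. The backup suffix in the `%patch308 -p2 -b .rsasha2` hunk also drops the `.psaa-` prefix that its three neighbours use; `.psaa-rsasha2` would keep the pam_ssh_agent_auth patches grouped.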
diff --git a/pam_ssh_agent_auth-0.10.4-rsasha2.patch b/pam_ssh_agent_auth-0.10.4-rsasha2.patch
new file mode 100644
index 0000000..c8815bb
--- /dev/null
+++ b/pam_ssh_agent_auth-0.10.4-rsasha2.patch
@@ -0,0 +1,19 @@
+diff -up openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.rsasha2 openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c
+--- openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.rsasha2 2022-07-15 15:08:12.865585410 +0200
++++ openssh-8.7p1/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c 2022-07-15 15:16:25.164282372 +0200
+@@ -87,8 +87,13 @@ userauth_pubkey_from_id(const char *ruse
+ (r = sshbuf_put_string(b, pkblob, blen)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+- if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
+- goto user_auth_clean_exit;
++ if (sshkey_type_plain(id->key->type) == KEY_RSA
++ && ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), "rsa-sha2-256", 0) == 0) {
++ /* Do nothing */
++ } else {
++ if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
++ goto user_auth_clean_exit;
++ }
+
+ /* test for correct signature */
+ if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0, NULL) == 0)
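Review bot: For an RSA key the `else` branch retries `ssh_agent_sign(...)` with a NULL algorithm whenever the `"rsa-sha2-256"` request fails for any reason, and the `sshkey_verify(...)` call that follows also passes NULL, so nothing in this hunk pins the accepted signature to SHA-2. In OpenSSH a NULL algorithm for an RSA key normally means the SHA-1 `ssh-rsa` scheme, so the retry is a silent downgrade; whether that signature can still verify depends on the build's crypto policy, which is not visible here. I would keep the requested algorithm in one local, pass it to `sshkey_verify`, and log when the fallback is taken so the downgrade shows up in the auth log. That also removes the empty `/* Do nothing */` branch. The body of userauth_pubkey_from_id starts and ends outside the hunk.

```c
/* … unchanged: challenge buffer construction … */
const char *sig_alg =
    sshkey_type_plain(id->key->type) == KEY_RSA ? "rsa-sha2-256" : NULL;

if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen,
    sshbuf_ptr(b), sshbuf_len(b), sig_alg, 0) != 0) {
	if (sig_alg == NULL)
		goto user_auth_clean_exit;
	/* Agent did not return an rsa-sha2-256 signature: record the downgrade. */
	verbose("%s: rsa-sha2-256 signing failed, retrying with default algorithm", __func__);
	sig_alg = NULL;
	if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen,
	    sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
		goto user_auth_clean_exit;
}

/* test for correct signature, bound to the algorithm that was requested */
if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), sig_alg, 0, NULL) == 0)
```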