another audit improovements
This commit is contained in:
parent
0e9e1c1344
commit
9cefae06b0
127
openssh-5.8p1-audit1a.patch
Normal file
127
openssh-5.8p1-audit1a.patch
Normal file
@ -0,0 +1,127 @@
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit1a 2011-02-21 18:14:37.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 18:17:33.000000000 +0100
|
||||
@@ -35,13 +35,20 @@
|
||||
|
||||
#include "log.h"
|
||||
#include "audit.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+#include "servconf.h"
|
||||
#include "canohost.h"
|
||||
|
||||
+extern ServerOptions options;
|
||||
+extern Authctxt *the_authctxt;
|
||||
+extern u_int utmp_len;
|
||||
const char* audit_username(void);
|
||||
|
||||
static void
|
||||
-linux_audit_user_login(int uid, const char *username,
|
||||
- const char *hostname, const char *ip, const char *ttyn, int success)
|
||||
+linux_audit_user_logxxx(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
|
||||
{
|
||||
int audit_fd, rc, saved_errno;
|
||||
|
||||
@@ -53,7 +60,7 @@ linux_audit_user_login(int uid, const ch
|
||||
else
|
||||
goto fatal_report; /* Must prevent login */
|
||||
}
|
||||
- rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
|
||||
+ rc = audit_log_acct_message(audit_fd, event,
|
||||
NULL, "login", username ? username : "(unknown)",
|
||||
username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||
saved_errno = errno;
|
||||
@@ -77,19 +84,19 @@ linux_audit_user_auth(int uid, const cha
|
||||
{
|
||||
int audit_fd, rc, saved_errno;
|
||||
static const char *event_name[] = {
|
||||
- "exceed maxtries",
|
||||
+ "maxtries exceeded",
|
||||
"root denied",
|
||||
"success",
|
||||
"none",
|
||||
- "pasword",
|
||||
- "chalenge-response",
|
||||
+ "password",
|
||||
+ "challenge-response",
|
||||
"pubkey",
|
||||
"hostbased",
|
||||
"gssapi",
|
||||
"invalid user",
|
||||
"nologin",
|
||||
- "connection close",
|
||||
- "connection abandon",
|
||||
+ "connection closed",
|
||||
+ "connection abandoned",
|
||||
"unknown"
|
||||
};
|
||||
|
||||
@@ -123,6 +130,8 @@ fatal_report:
|
||||
}
|
||||
}
|
||||
|
||||
+static int user_login_count = 0;
|
||||
+
|
||||
/* Below is the sshd audit API code */
|
||||
|
||||
void
|
||||
@@ -134,20 +143,31 @@ audit_connection_from(const char *host,
|
||||
void
|
||||
audit_run_command(const char *command)
|
||||
{
|
||||
- /* not implemented */
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_START);
|
||||
+ if (!user_login_count++)
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_LOGIN);
|
||||
}
|
||||
|
||||
void
|
||||
audit_session_open(struct logininfo *li)
|
||||
{
|
||||
- linux_audit_user_login(li->uid, NULL, li->hostname,
|
||||
- NULL, li->line, 1);
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_START);
|
||||
+ if (!user_login_count++)
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_LOGIN);
|
||||
}
|
||||
|
||||
void
|
||||
audit_session_close(struct logininfo *li)
|
||||
{
|
||||
- /* not implemented */
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_END);
|
||||
+ if (!--user_login_count)
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_LOGOUT);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -163,8 +183,8 @@ audit_event(ssh_audit_event_t event)
|
||||
case SSH_LOGIN_ROOT_DENIED:
|
||||
linux_audit_user_auth(-1, audit_username(), NULL,
|
||||
get_remote_ipaddr(), "sshd", 0, event);
|
||||
- linux_audit_user_login(-1, audit_username(), NULL,
|
||||
- get_remote_ipaddr(), "sshd", 0);
|
||||
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
|
||||
break;
|
||||
|
||||
case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
@@ -181,8 +201,8 @@ audit_event(ssh_audit_event_t event)
|
||||
case SSH_CONNECTION_CLOSE:
|
||||
case SSH_CONNECTION_ABANDON:
|
||||
case SSH_INVALID_USER:
|
||||
- linux_audit_user_login(-1, audit_username(), NULL,
|
||||
- get_remote_ipaddr(), "sshd", 0);
|
||||
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 0, AUDIT_USER_LOGIN);
|
||||
break;
|
||||
|
||||
default:
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit2 2011-01-17 11:15:29.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 18:21:20.000000000 +0100
|
||||
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
|
||||
/* not implemented */
|
||||
}
|
||||
@ -16,7 +16,7 @@ diff -up openssh-5.8p1/audit-bsm.c.audit2 openssh-5.8p1/audit-bsm.c
|
||||
{
|
||||
diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit2 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-21 18:21:21.000000000 +0100
|
||||
@@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||
return(event_lookup[i].name);
|
||||
}
|
||||
@ -71,7 +71,7 @@ diff -up openssh-5.8p1/audit.c.audit2 openssh-5.8p1/audit.c
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit2 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-21 18:21:21.000000000 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
# define _SSH_AUDIT_H
|
||||
|
||||
@ -89,18 +89,18 @@ diff -up openssh-5.8p1/audit.h.audit2 openssh-5.8p1/audit.h
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit2 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-16 23:31:08.000000000 +0100
|
||||
@@ -37,6 +37,8 @@
|
||||
#include "audit.h"
|
||||
--- openssh-5.8p1/audit-linux.c.audit2 2011-02-21 18:21:20.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 18:21:56.000000000 +0100
|
||||
@@ -41,6 +41,8 @@
|
||||
#include "servconf.h"
|
||||
#include "canohost.h"
|
||||
|
||||
+#define AUDIT_LOG_SIZE 128
|
||||
+
|
||||
const char* audit_username(void);
|
||||
|
||||
static void
|
||||
@@ -123,6 +125,37 @@ fatal_report:
|
||||
extern ServerOptions options;
|
||||
extern Authctxt *the_authctxt;
|
||||
extern u_int utmp_len;
|
||||
@@ -130,6 +132,37 @@ fatal_report:
|
||||
}
|
||||
}
|
||||
|
||||
@ -135,12 +135,12 @@ diff -up openssh-5.8p1/audit-linux.c.audit2 openssh-5.8p1/audit-linux.c
|
||||
+ return (rc >= 0) || ((rc == -EPERM) && (getuid() != 0));
|
||||
+}
|
||||
+
|
||||
/* Below is the sshd audit API code */
|
||||
static int user_login_count = 0;
|
||||
|
||||
void
|
||||
/* Below is the sshd audit API code */
|
||||
diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
|
||||
--- openssh-5.8p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
|
||||
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-21 18:21:21.000000000 +0100
|
||||
@@ -136,6 +136,18 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
@ -162,7 +162,7 @@ diff -up openssh-5.8p1/auth2-hostbased.c.audit2 openssh-5.8p1/auth2-hostbased.c
|
||||
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
|
||||
diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
|
||||
--- openssh-5.8p1/auth2-pubkey.c.audit2 2010-12-01 01:50:14.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-21 18:21:21.000000000 +0100
|
||||
@@ -177,6 +177,18 @@ done:
|
||||
return authenticated;
|
||||
}
|
||||
@ -184,7 +184,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.audit2 openssh-5.8p1/auth2-pubkey.c
|
||||
{
|
||||
diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
|
||||
--- openssh-5.8p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
|
||||
+++ openssh-5.8p1/auth.h 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/auth.h 2011-02-21 18:21:21.000000000 +0100
|
||||
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
|
||||
char *authorized_keys_file(struct passwd *);
|
||||
char *authorized_keys_file2(struct passwd *);
|
||||
@ -203,7 +203,7 @@ diff -up openssh-5.8p1/auth.h.audit2 openssh-5.8p1/auth.h
|
||||
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
|
||||
diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
|
||||
--- openssh-5.8p1/auth-rsa.c.audit2 2010-12-04 23:01:47.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-21 18:21:21.000000000 +0100
|
||||
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
{
|
||||
u_char buf[32], mdbuf[16];
|
||||
@ -242,7 +242,7 @@ diff -up openssh-5.8p1/auth-rsa.c.audit2 openssh-5.8p1/auth-rsa.c
|
||||
/*
|
||||
diff -up openssh-5.8p1/monitor.c.audit2 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit2 2010-09-10 03:23:34.000000000 +0200
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-16 23:29:26.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-21 18:21:21.000000000 +0100
|
||||
@@ -1235,7 +1235,17 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
if (!valid_data)
|
||||
fatal("%s: bad signature data blob", __func__);
|
||||
|
@ -1,6 +1,23 @@
|
||||
diff -up openssh-5.8p1/acss.c.audit2a openssh-5.8p1/acss.c
|
||||
diff -up openssh-5.8p1/acss.h.audit2a openssh-5.8p1/acss.h
|
||||
diff -up openssh-5.8p1/addrmatch.c.audit2a openssh-5.8p1/addrmatch.c
|
||||
diff -up openssh-5.8p1/atomicio.c.audit2a openssh-5.8p1/atomicio.c
|
||||
diff -up openssh-5.8p1/atomicio.h.audit2a openssh-5.8p1/atomicio.h
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit2a openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit2a 2011-02-21 16:17:09.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 16:20:57.000000000 +0100
|
||||
@@ -317,7 +317,7 @@ audit_session_close(struct logininfo *li
|
||||
}
|
||||
|
||||
int
|
||||
-audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
|
||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
diff -up openssh-5.8p1/audit.c.audit2a openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit2a 2011-02-17 15:05:55.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-17 15:06:13.000000000 +0100
|
||||
--- openssh-5.8p1/audit.c.audit2a 2011-02-21 16:17:09.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-21 16:23:39.000000000 +0100
|
||||
@@ -36,6 +36,7 @@
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
@ -9,3 +26,293 @@ diff -up openssh-5.8p1/audit.c.audit2a openssh-5.8p1/audit.c
|
||||
|
||||
/*
|
||||
* Care must be taken when using this since it WILL NOT be initialized when
|
||||
@@ -111,29 +112,18 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||
return(event_lookup[i].name);
|
||||
}
|
||||
|
||||
-int
|
||||
-audit_key(int type, int *rv, const Key *key)
|
||||
+void
|
||||
+audit_key(int host_user, int *rv, const Key *key)
|
||||
{
|
||||
char *fp;
|
||||
- unsigned size = 0;
|
||||
- const char *crypto_name[] = {
|
||||
- "ssh-rsa1",
|
||||
- "ssh-rsa",
|
||||
- "ssh-dsa",
|
||||
- "unknown" };
|
||||
+ const char *crypto_name;
|
||||
|
||||
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- switch(key->type) {
|
||||
- case KEY_RSA1:
|
||||
- case KEY_RSA:
|
||||
- size = RSA_size(key->rsa);
|
||||
- break;
|
||||
- case KEY_DSA:
|
||||
- size = DSA_size(key->dsa);
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
- if (audit_keyusage(0, crypto_name[key->type], size, fp, *rv) == 0)
|
||||
+ if (key->type == KEY_RSA1)
|
||||
+ crypto_name = "ssh-rsa1";
|
||||
+ else
|
||||
+ crypto_name = key_ssh_name(key);
|
||||
+ if (audit_keyusage(host_user, crypto_name, key_size(key), fp, *rv) == 0)
|
||||
*rv = 0;
|
||||
xfree(fp);
|
||||
}
|
||||
@@ -216,10 +206,10 @@ audit_run_command(const char *command)
|
||||
* Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
|
||||
*/
|
||||
int
|
||||
-audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
|
||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
||||
{
|
||||
debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
|
||||
- host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);
|
||||
+ host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, bits, fp, rv);
|
||||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit2a openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit2a 2011-02-21 16:17:09.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-21 16:24:27.000000000 +0100
|
||||
@@ -55,6 +55,6 @@ void audit_session_close(struct logininf
|
||||
void audit_run_command(const char *);
|
||||
ssh_audit_event_t audit_classify_auth(const char *);
|
||||
int audit_keyusage(int, const char *, unsigned, char *, int);
|
||||
-int audit_key(int, int *, const Key *);
|
||||
+void audit_key(int, int *, const Key *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit2a openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit2a 2011-02-21 16:17:09.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 16:21:19.000000000 +0100
|
||||
@@ -129,7 +129,7 @@ fatal_report:
|
||||
}
|
||||
|
||||
int
|
||||
-audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
|
||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
||||
{
|
||||
char buf[AUDIT_LOG_SIZE];
|
||||
int audit_fd, rc, saved_errno;
|
||||
@@ -148,7 +148,7 @@ audit_keyusage(int host_user, const char
|
||||
if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
|
||||
goto out;
|
||||
snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
|
||||
- type, 8 * len, fp, get_remote_port());
|
||||
+ type, bits, fp, get_remote_port());
|
||||
rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
||||
buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
|
||||
out:
|
||||
diff -up openssh-5.8p1/auth1.c.audit2a openssh-5.8p1/auth1.c
|
||||
diff -up openssh-5.8p1/auth2.c.audit2a openssh-5.8p1/auth2.c
|
||||
diff -up openssh-5.8p1/auth2-chall.c.audit2a openssh-5.8p1/auth2-chall.c
|
||||
diff -up openssh-5.8p1/auth2-gss.c.audit2a openssh-5.8p1/auth2-gss.c
|
||||
diff -up openssh-5.8p1/auth2-hostbased.c.audit2a openssh-5.8p1/auth2-hostbased.c
|
||||
diff -up openssh-5.8p1/auth2-jpake.c.audit2a openssh-5.8p1/auth2-jpake.c
|
||||
diff -up openssh-5.8p1/auth2-kbdint.c.audit2a openssh-5.8p1/auth2-kbdint.c
|
||||
diff -up openssh-5.8p1/auth2-none.c.audit2a openssh-5.8p1/auth2-none.c
|
||||
diff -up openssh-5.8p1/auth2-passwd.c.audit2a openssh-5.8p1/auth2-passwd.c
|
||||
diff -up openssh-5.8p1/auth2-pubkey.c.audit2a openssh-5.8p1/auth2-pubkey.c
|
||||
diff -up openssh-5.8p1/auth-bsdauth.c.audit2a openssh-5.8p1/auth-bsdauth.c
|
||||
diff -up openssh-5.8p1/auth.c.audit2a openssh-5.8p1/auth.c
|
||||
diff -up openssh-5.8p1/auth-chall.c.audit2a openssh-5.8p1/auth-chall.c
|
||||
diff -up openssh-5.8p1/authfd.c.audit2a openssh-5.8p1/authfd.c
|
||||
diff -up openssh-5.8p1/authfd.h.audit2a openssh-5.8p1/authfd.h
|
||||
diff -up openssh-5.8p1/authfile.c.audit2a openssh-5.8p1/authfile.c
|
||||
diff -up openssh-5.8p1/authfile.h.audit2a openssh-5.8p1/authfile.h
|
||||
diff -up openssh-5.8p1/auth.h.audit2a openssh-5.8p1/auth.h
|
||||
diff -up openssh-5.8p1/auth-krb5.c.audit2a openssh-5.8p1/auth-krb5.c
|
||||
diff -up openssh-5.8p1/auth-options.c.audit2a openssh-5.8p1/auth-options.c
|
||||
diff -up openssh-5.8p1/auth-options.h.audit2a openssh-5.8p1/auth-options.h
|
||||
diff -up openssh-5.8p1/auth-pam.c.audit2a openssh-5.8p1/auth-pam.c
|
||||
diff -up openssh-5.8p1/auth-pam.h.audit2a openssh-5.8p1/auth-pam.h
|
||||
diff -up openssh-5.8p1/auth-passwd.c.audit2a openssh-5.8p1/auth-passwd.c
|
||||
diff -up openssh-5.8p1/auth-rhosts.c.audit2a openssh-5.8p1/auth-rhosts.c
|
||||
diff -up openssh-5.8p1/auth-rh-rsa.c.audit2a openssh-5.8p1/auth-rh-rsa.c
|
||||
diff -up openssh-5.8p1/auth-rsa.c.audit2a openssh-5.8p1/auth-rsa.c
|
||||
--- openssh-5.8p1/auth-rsa.c.audit2a 2011-02-21 16:17:09.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-21 16:25:17.000000000 +0100
|
||||
@@ -120,7 +120,7 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
- if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) {
|
||||
+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
|
||||
debug("unsuccessful audit");
|
||||
rv = 0;
|
||||
}
|
||||
diff -up openssh-5.8p1/auth-shadow.c.audit2a openssh-5.8p1/auth-shadow.c
|
||||
diff -up openssh-5.8p1/auth-sia.c.audit2a openssh-5.8p1/auth-sia.c
|
||||
diff -up openssh-5.8p1/auth-sia.h.audit2a openssh-5.8p1/auth-sia.h
|
||||
diff -up openssh-5.8p1/auth-skey.c.audit2a openssh-5.8p1/auth-skey.c
|
||||
diff -up openssh-5.8p1/bufaux.c.audit2a openssh-5.8p1/bufaux.c
|
||||
diff -up openssh-5.8p1/bufbn.c.audit2a openssh-5.8p1/bufbn.c
|
||||
diff -up openssh-5.8p1/bufec.c.audit2a openssh-5.8p1/bufec.c
|
||||
diff -up openssh-5.8p1/buffer.c.audit2a openssh-5.8p1/buffer.c
|
||||
diff -up openssh-5.8p1/buffer.h.audit2a openssh-5.8p1/buffer.h
|
||||
diff -up openssh-5.8p1/canohost.c.audit2a openssh-5.8p1/canohost.c
|
||||
diff -up openssh-5.8p1/canohost.h.audit2a openssh-5.8p1/canohost.h
|
||||
diff -up openssh-5.8p1/channels.c.audit2a openssh-5.8p1/channels.c
|
||||
diff -up openssh-5.8p1/channels.h.audit2a openssh-5.8p1/channels.h
|
||||
diff -up openssh-5.8p1/cipher-3des1.c.audit2a openssh-5.8p1/cipher-3des1.c
|
||||
diff -up openssh-5.8p1/cipher-acss.c.audit2a openssh-5.8p1/cipher-acss.c
|
||||
diff -up openssh-5.8p1/cipher-aes.c.audit2a openssh-5.8p1/cipher-aes.c
|
||||
diff -up openssh-5.8p1/cipher-bf1.c.audit2a openssh-5.8p1/cipher-bf1.c
|
||||
diff -up openssh-5.8p1/cipher.c.audit2a openssh-5.8p1/cipher.c
|
||||
diff -up openssh-5.8p1/cipher-ctr.c.audit2a openssh-5.8p1/cipher-ctr.c
|
||||
diff -up openssh-5.8p1/cipher.h.audit2a openssh-5.8p1/cipher.h
|
||||
diff -up openssh-5.8p1/cleanup.c.audit2a openssh-5.8p1/cleanup.c
|
||||
diff -up openssh-5.8p1/clientloop.c.audit2a openssh-5.8p1/clientloop.c
|
||||
diff -up openssh-5.8p1/clientloop.h.audit2a openssh-5.8p1/clientloop.h
|
||||
diff -up openssh-5.8p1/compat.c.audit2a openssh-5.8p1/compat.c
|
||||
diff -up openssh-5.8p1/compat.h.audit2a openssh-5.8p1/compat.h
|
||||
diff -up openssh-5.8p1/compress.c.audit2a openssh-5.8p1/compress.c
|
||||
diff -up openssh-5.8p1/compress.h.audit2a openssh-5.8p1/compress.h
|
||||
diff -up openssh-5.8p1/crc32.c.audit2a openssh-5.8p1/crc32.c
|
||||
diff -up openssh-5.8p1/crc32.h.audit2a openssh-5.8p1/crc32.h
|
||||
diff -up openssh-5.8p1/deattack.c.audit2a openssh-5.8p1/deattack.c
|
||||
diff -up openssh-5.8p1/deattack.h.audit2a openssh-5.8p1/deattack.h
|
||||
diff -up openssh-5.8p1/defines.h.audit2a openssh-5.8p1/defines.h
|
||||
diff -up openssh-5.8p1/dh.c.audit2a openssh-5.8p1/dh.c
|
||||
diff -up openssh-5.8p1/dh.h.audit2a openssh-5.8p1/dh.h
|
||||
diff -up openssh-5.8p1/dispatch.c.audit2a openssh-5.8p1/dispatch.c
|
||||
diff -up openssh-5.8p1/dispatch.h.audit2a openssh-5.8p1/dispatch.h
|
||||
diff -up openssh-5.8p1/dns.c.audit2a openssh-5.8p1/dns.c
|
||||
diff -up openssh-5.8p1/dns.h.audit2a openssh-5.8p1/dns.h
|
||||
diff -up openssh-5.8p1/entropy.c.audit2a openssh-5.8p1/entropy.c
|
||||
diff -up openssh-5.8p1/entropy.h.audit2a openssh-5.8p1/entropy.h
|
||||
diff -up openssh-5.8p1/fatal.c.audit2a openssh-5.8p1/fatal.c
|
||||
diff -up openssh-5.8p1/groupaccess.c.audit2a openssh-5.8p1/groupaccess.c
|
||||
diff -up openssh-5.8p1/groupaccess.h.audit2a openssh-5.8p1/groupaccess.h
|
||||
diff -up openssh-5.8p1/gss-genr.c.audit2a openssh-5.8p1/gss-genr.c
|
||||
diff -up openssh-5.8p1/gss-serv.c.audit2a openssh-5.8p1/gss-serv.c
|
||||
diff -up openssh-5.8p1/gss-serv-krb5.c.audit2a openssh-5.8p1/gss-serv-krb5.c
|
||||
diff -up openssh-5.8p1/hostfile.c.audit2a openssh-5.8p1/hostfile.c
|
||||
diff -up openssh-5.8p1/hostfile.h.audit2a openssh-5.8p1/hostfile.h
|
||||
diff -up openssh-5.8p1/includes.h.audit2a openssh-5.8p1/includes.h
|
||||
diff -up openssh-5.8p1/jpake.c.audit2a openssh-5.8p1/jpake.c
|
||||
diff -up openssh-5.8p1/jpake.h.audit2a openssh-5.8p1/jpake.h
|
||||
diff -up openssh-5.8p1/kex.c.audit2a openssh-5.8p1/kex.c
|
||||
diff -up openssh-5.8p1/kexdh.c.audit2a openssh-5.8p1/kexdh.c
|
||||
diff -up openssh-5.8p1/kexdhc.c.audit2a openssh-5.8p1/kexdhc.c
|
||||
diff -up openssh-5.8p1/kexdhs.c.audit2a openssh-5.8p1/kexdhs.c
|
||||
diff -up openssh-5.8p1/kexecdh.c.audit2a openssh-5.8p1/kexecdh.c
|
||||
diff -up openssh-5.8p1/kexecdhc.c.audit2a openssh-5.8p1/kexecdhc.c
|
||||
diff -up openssh-5.8p1/kexecdhs.c.audit2a openssh-5.8p1/kexecdhs.c
|
||||
diff -up openssh-5.8p1/kexgex.c.audit2a openssh-5.8p1/kexgex.c
|
||||
diff -up openssh-5.8p1/kexgexc.c.audit2a openssh-5.8p1/kexgexc.c
|
||||
diff -up openssh-5.8p1/kexgexs.c.audit2a openssh-5.8p1/kexgexs.c
|
||||
diff -up openssh-5.8p1/kex.h.audit2a openssh-5.8p1/kex.h
|
||||
diff -up openssh-5.8p1/key.c.audit2a openssh-5.8p1/key.c
|
||||
diff -up openssh-5.8p1/key.h.audit2a openssh-5.8p1/key.h
|
||||
diff -up openssh-5.8p1/log.c.audit2a openssh-5.8p1/log.c
|
||||
diff -up openssh-5.8p1/log.h.audit2a openssh-5.8p1/log.h
|
||||
diff -up openssh-5.8p1/loginrec.c.audit2a openssh-5.8p1/loginrec.c
|
||||
diff -up openssh-5.8p1/loginrec.h.audit2a openssh-5.8p1/loginrec.h
|
||||
diff -up openssh-5.8p1/logintest.c.audit2a openssh-5.8p1/logintest.c
|
||||
diff -up openssh-5.8p1/mac.c.audit2a openssh-5.8p1/mac.c
|
||||
diff -up openssh-5.8p1/mac.h.audit2a openssh-5.8p1/mac.h
|
||||
diff -up openssh-5.8p1/match.c.audit2a openssh-5.8p1/match.c
|
||||
diff -up openssh-5.8p1/match.h.audit2a openssh-5.8p1/match.h
|
||||
diff -up openssh-5.8p1/md5crypt.c.audit2a openssh-5.8p1/md5crypt.c
|
||||
diff -up openssh-5.8p1/md5crypt.h.audit2a openssh-5.8p1/md5crypt.h
|
||||
diff -up openssh-5.8p1/md-sha256.c.audit2a openssh-5.8p1/md-sha256.c
|
||||
diff -up openssh-5.8p1/misc.c.audit2a openssh-5.8p1/misc.c
|
||||
diff -up openssh-5.8p1/misc.h.audit2a openssh-5.8p1/misc.h
|
||||
diff -up openssh-5.8p1/moduli.c.audit2a openssh-5.8p1/moduli.c
|
||||
diff -up openssh-5.8p1/monitor.c.audit2a openssh-5.8p1/monitor.c
|
||||
diff -up openssh-5.8p1/monitor_fdpass.c.audit2a openssh-5.8p1/monitor_fdpass.c
|
||||
diff -up openssh-5.8p1/monitor_fdpass.h.audit2a openssh-5.8p1/monitor_fdpass.h
|
||||
diff -up openssh-5.8p1/monitor.h.audit2a openssh-5.8p1/monitor.h
|
||||
diff -up openssh-5.8p1/monitor_mm.c.audit2a openssh-5.8p1/monitor_mm.c
|
||||
diff -up openssh-5.8p1/monitor_mm.h.audit2a openssh-5.8p1/monitor_mm.h
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit2a openssh-5.8p1/monitor_wrap.c
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit2a openssh-5.8p1/monitor_wrap.h
|
||||
diff -up openssh-5.8p1/msg.c.audit2a openssh-5.8p1/msg.c
|
||||
diff -up openssh-5.8p1/msg.h.audit2a openssh-5.8p1/msg.h
|
||||
diff -up openssh-5.8p1/mux.c.audit2a openssh-5.8p1/mux.c
|
||||
diff -up openssh-5.8p1/myproposal.h.audit2a openssh-5.8p1/myproposal.h
|
||||
diff -up openssh-5.8p1/nchan.c.audit2a openssh-5.8p1/nchan.c
|
||||
diff -up openssh-5.8p1/packet.c.audit2a openssh-5.8p1/packet.c
|
||||
diff -up openssh-5.8p1/packet.h.audit2a openssh-5.8p1/packet.h
|
||||
diff -up openssh-5.8p1/pathnames.h.audit2a openssh-5.8p1/pathnames.h
|
||||
diff -up openssh-5.8p1/pkcs11.h.audit2a openssh-5.8p1/pkcs11.h
|
||||
diff -up openssh-5.8p1/platform.c.audit2a openssh-5.8p1/platform.c
|
||||
diff -up openssh-5.8p1/platform.h.audit2a openssh-5.8p1/platform.h
|
||||
diff -up openssh-5.8p1/progressmeter.c.audit2a openssh-5.8p1/progressmeter.c
|
||||
diff -up openssh-5.8p1/progressmeter.h.audit2a openssh-5.8p1/progressmeter.h
|
||||
diff -up openssh-5.8p1/readconf.c.audit2a openssh-5.8p1/readconf.c
|
||||
diff -up openssh-5.8p1/readconf.h.audit2a openssh-5.8p1/readconf.h
|
||||
diff -up openssh-5.8p1/readpass.c.audit2a openssh-5.8p1/readpass.c
|
||||
diff -up openssh-5.8p1/rijndael.c.audit2a openssh-5.8p1/rijndael.c
|
||||
diff -up openssh-5.8p1/rijndael.h.audit2a openssh-5.8p1/rijndael.h
|
||||
diff -up openssh-5.8p1/roaming_client.c.audit2a openssh-5.8p1/roaming_client.c
|
||||
diff -up openssh-5.8p1/roaming_common.c.audit2a openssh-5.8p1/roaming_common.c
|
||||
diff -up openssh-5.8p1/roaming_dummy.c.audit2a openssh-5.8p1/roaming_dummy.c
|
||||
diff -up openssh-5.8p1/roaming.h.audit2a openssh-5.8p1/roaming.h
|
||||
diff -up openssh-5.8p1/roaming_serv.c.audit2a openssh-5.8p1/roaming_serv.c
|
||||
diff -up openssh-5.8p1/rsa.c.audit2a openssh-5.8p1/rsa.c
|
||||
diff -up openssh-5.8p1/rsa.h.audit2a openssh-5.8p1/rsa.h
|
||||
diff -up openssh-5.8p1/schnorr.c.audit2a openssh-5.8p1/schnorr.c
|
||||
diff -up openssh-5.8p1/schnorr.h.audit2a openssh-5.8p1/schnorr.h
|
||||
diff -up openssh-5.8p1/scp.c.audit2a openssh-5.8p1/scp.c
|
||||
diff -up openssh-5.8p1/servconf.c.audit2a openssh-5.8p1/servconf.c
|
||||
diff -up openssh-5.8p1/servconf.h.audit2a openssh-5.8p1/servconf.h
|
||||
diff -up openssh-5.8p1/serverloop.c.audit2a openssh-5.8p1/serverloop.c
|
||||
diff -up openssh-5.8p1/serverloop.h.audit2a openssh-5.8p1/serverloop.h
|
||||
diff -up openssh-5.8p1/session.c.audit2a openssh-5.8p1/session.c
|
||||
diff -up openssh-5.8p1/session.h.audit2a openssh-5.8p1/session.h
|
||||
diff -up openssh-5.8p1/sftp.c.audit2a openssh-5.8p1/sftp.c
|
||||
diff -up openssh-5.8p1/sftp-client.c.audit2a openssh-5.8p1/sftp-client.c
|
||||
diff -up openssh-5.8p1/sftp-client.h.audit2a openssh-5.8p1/sftp-client.h
|
||||
diff -up openssh-5.8p1/sftp-common.c.audit2a openssh-5.8p1/sftp-common.c
|
||||
diff -up openssh-5.8p1/sftp-common.h.audit2a openssh-5.8p1/sftp-common.h
|
||||
diff -up openssh-5.8p1/sftp-glob.c.audit2a openssh-5.8p1/sftp-glob.c
|
||||
diff -up openssh-5.8p1/sftp.h.audit2a openssh-5.8p1/sftp.h
|
||||
diff -up openssh-5.8p1/sftp-server.c.audit2a openssh-5.8p1/sftp-server.c
|
||||
diff -up openssh-5.8p1/sftp-server-main.c.audit2a openssh-5.8p1/sftp-server-main.c
|
||||
diff -up openssh-5.8p1/ssh1.h.audit2a openssh-5.8p1/ssh1.h
|
||||
diff -up openssh-5.8p1/ssh2.h.audit2a openssh-5.8p1/ssh2.h
|
||||
diff -up openssh-5.8p1/ssh-add.c.audit2a openssh-5.8p1/ssh-add.c
|
||||
diff -up openssh-5.8p1/ssh-agent.c.audit2a openssh-5.8p1/ssh-agent.c
|
||||
diff -up openssh-5.8p1/ssh.c.audit2a openssh-5.8p1/ssh.c
|
||||
diff -up openssh-5.8p1/sshconnect1.c.audit2a openssh-5.8p1/sshconnect1.c
|
||||
diff -up openssh-5.8p1/sshconnect2.c.audit2a openssh-5.8p1/sshconnect2.c
|
||||
diff -up openssh-5.8p1/sshconnect.c.audit2a openssh-5.8p1/sshconnect.c
|
||||
diff -up openssh-5.8p1/sshconnect.h.audit2a openssh-5.8p1/sshconnect.h
|
||||
diff -up openssh-5.8p1/sshd.c.audit2a openssh-5.8p1/sshd.c
|
||||
diff -up openssh-5.8p1/ssh-dss.c.audit2a openssh-5.8p1/ssh-dss.c
|
||||
diff -up openssh-5.8p1/ssh-ecdsa.c.audit2a openssh-5.8p1/ssh-ecdsa.c
|
||||
diff -up openssh-5.8p1/ssh-gss.h.audit2a openssh-5.8p1/ssh-gss.h
|
||||
diff -up openssh-5.8p1/ssh.h.audit2a openssh-5.8p1/ssh.h
|
||||
diff -up openssh-5.8p1/ssh-keygen.c.audit2a openssh-5.8p1/ssh-keygen.c
|
||||
diff -up openssh-5.8p1/ssh-keyscan.c.audit2a openssh-5.8p1/ssh-keyscan.c
|
||||
diff -up openssh-5.8p1/ssh-keysign.c.audit2a openssh-5.8p1/ssh-keysign.c
|
||||
diff -up openssh-5.8p1/sshlogin.c.audit2a openssh-5.8p1/sshlogin.c
|
||||
diff -up openssh-5.8p1/sshlogin.h.audit2a openssh-5.8p1/sshlogin.h
|
||||
diff -up openssh-5.8p1/ssh-pkcs11.c.audit2a openssh-5.8p1/ssh-pkcs11.c
|
||||
diff -up openssh-5.8p1/ssh-pkcs11-client.c.audit2a openssh-5.8p1/ssh-pkcs11-client.c
|
||||
diff -up openssh-5.8p1/ssh-pkcs11.h.audit2a openssh-5.8p1/ssh-pkcs11.h
|
||||
diff -up openssh-5.8p1/ssh-pkcs11-helper.c.audit2a openssh-5.8p1/ssh-pkcs11-helper.c
|
||||
diff -up openssh-5.8p1/sshpty.c.audit2a openssh-5.8p1/sshpty.c
|
||||
diff -up openssh-5.8p1/sshpty.h.audit2a openssh-5.8p1/sshpty.h
|
||||
diff -up openssh-5.8p1/ssh-rand-helper.c.audit2a openssh-5.8p1/ssh-rand-helper.c
|
||||
diff -up openssh-5.8p1/ssh-rsa.c.audit2a openssh-5.8p1/ssh-rsa.c
|
||||
diff -up openssh-5.8p1/sshtty.c.audit2a openssh-5.8p1/sshtty.c
|
||||
diff -up openssh-5.8p1/ttymodes.c.audit2a openssh-5.8p1/ttymodes.c
|
||||
diff -up openssh-5.8p1/ttymodes.h.audit2a openssh-5.8p1/ttymodes.h
|
||||
diff -up openssh-5.8p1/uidswap.c.audit2a openssh-5.8p1/uidswap.c
|
||||
diff -up openssh-5.8p1/uidswap.h.audit2a openssh-5.8p1/uidswap.h
|
||||
diff -up openssh-5.8p1/umac.c.audit2a openssh-5.8p1/umac.c
|
||||
diff -up openssh-5.8p1/umac.h.audit2a openssh-5.8p1/umac.h
|
||||
diff -up openssh-5.8p1/uuencode.c.audit2a openssh-5.8p1/uuencode.c
|
||||
diff -up openssh-5.8p1/uuencode.h.audit2a openssh-5.8p1/uuencode.h
|
||||
diff -up openssh-5.8p1/version.h.audit2a openssh-5.8p1/version.h
|
||||
diff -up openssh-5.8p1/xmalloc.c.audit2a openssh-5.8p1/xmalloc.c
|
||||
diff -up openssh-5.8p1/xmalloc.h.audit2a openssh-5.8p1/xmalloc.h
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit3 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-17 15:09:38.000000000 +0100
|
||||
--- openssh-5.8p1/audit-bsm.c.audit3 2011-02-21 18:28:25.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event)
|
||||
debug("%s: unhandled event %d", __func__, event);
|
||||
}
|
||||
@ -19,8 +19,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit3 openssh-5.8p1/audit-bsm.c
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit3 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-17 15:10:27.000000000 +0100
|
||||
--- openssh-5.8p1/audit.c.audit3 2011-02-21 18:28:25.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -36,6 +36,8 @@
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
@ -30,7 +30,7 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
||||
#include "xmalloc.h"
|
||||
|
||||
/*
|
||||
@@ -139,6 +141,18 @@ audit_key(int type, int *rv, const Key *
|
||||
@@ -128,6 +130,18 @@ audit_key(int host_user, int *rv, const
|
||||
xfree(fp);
|
||||
}
|
||||
|
||||
@ -49,9 +49,9 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
/*
|
||||
* Null implementations of audit functions.
|
||||
@@ -222,5 +236,24 @@ audit_keyusage(int host_user, const char
|
||||
@@ -211,5 +225,24 @@ audit_keyusage(int host_user, const char
|
||||
debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
|
||||
host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);
|
||||
host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, bits, fp, rv);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
@ -75,12 +75,12 @@ diff -up openssh-5.8p1/audit.c.audit3 openssh-5.8p1/audit.c
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit3 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-17 15:09:38.000000000 +0100
|
||||
--- openssh-5.8p1/audit.h.audit3 2011-02-21 18:28:25.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -56,5 +56,9 @@ void audit_run_command(const char *);
|
||||
ssh_audit_event_t audit_classify_auth(const char *);
|
||||
int audit_keyusage(int, const char *, unsigned, char *, int);
|
||||
int audit_key(int, int *, const Key *);
|
||||
void audit_key(int, int *, const Key *);
|
||||
+void audit_unsupported(int);
|
||||
+void audit_kex(int, char *, char *, char *);
|
||||
+void audit_unsupported_body(int);
|
||||
@ -88,18 +88,18 @@ diff -up openssh-5.8p1/audit.h.audit3 openssh-5.8p1/audit.h
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit3 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-17 15:09:38.000000000 +0100
|
||||
@@ -36,6 +36,8 @@
|
||||
#include "log.h"
|
||||
#include "audit.h"
|
||||
--- openssh-5.8p1/audit-linux.c.audit3 2011-02-21 18:28:25.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 18:28:59.000000000 +0100
|
||||
@@ -40,6 +40,8 @@
|
||||
#include "auth.h"
|
||||
#include "servconf.h"
|
||||
#include "canohost.h"
|
||||
+#include "packet.h"
|
||||
+#include "cipher.h"
|
||||
|
||||
#define AUDIT_LOG_SIZE 128
|
||||
|
||||
@@ -223,4 +225,54 @@ audit_event(ssh_audit_event_t event)
|
||||
@@ -243,4 +245,54 @@ audit_event(ssh_audit_event_t event)
|
||||
}
|
||||
}
|
||||
|
||||
@ -155,8 +155,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit3 openssh-5.8p1/audit-linux.c
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
|
||||
--- openssh-5.8p1/auditstub.c.audit3 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/auditstub.c 2011-02-17 15:09:38.000000000 +0100
|
||||
--- openssh-5.8p1/auditstub.c.audit3 2011-02-21 18:28:25.000000000 +0100
|
||||
+++ openssh-5.8p1/auditstub.c 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -0,0 +1,39 @@
|
||||
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
|
||||
+
|
||||
@ -199,7 +199,7 @@ diff -up openssh-5.8p1/auditstub.c.audit3 openssh-5.8p1/auditstub.c
|
||||
+
|
||||
diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
|
||||
--- openssh-5.8p1/cipher.c.audit3 2011-02-09 15:24:23.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.c 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.c 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
|
||||
extern const EVP_CIPHER *evp_aes_128_ctr(void);
|
||||
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
|
||||
@ -219,7 +219,7 @@ diff -up openssh-5.8p1/cipher.c.audit3 openssh-5.8p1/cipher.c
|
||||
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
|
||||
diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
|
||||
--- openssh-5.8p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.h 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.h 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -61,7 +61,16 @@
|
||||
typedef struct Cipher Cipher;
|
||||
typedef struct CipherContext CipherContext;
|
||||
@ -240,7 +240,7 @@ diff -up openssh-5.8p1/cipher.h.audit3 openssh-5.8p1/cipher.h
|
||||
EVP_CIPHER_CTX evp;
|
||||
diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
|
||||
--- openssh-5.8p1/kex.c.audit3 2010-09-24 14:11:14.000000000 +0200
|
||||
+++ openssh-5.8p1/kex.c 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.c 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -49,6 +49,7 @@
|
||||
#include "dispatch.h"
|
||||
#include "monitor.h"
|
||||
@ -305,7 +305,7 @@ diff -up openssh-5.8p1/kex.c.audit3 openssh-5.8p1/kex.c
|
||||
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||
diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
|
||||
--- openssh-5.8p1/Makefile.in.audit3 2011-02-04 01:42:13.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -76,7 +76,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
@ -316,8 +316,8 @@ diff -up openssh-5.8p1/Makefile.in.audit3 openssh-5.8p1/Makefile.in
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
|
||||
diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit3 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-17 15:09:38.000000000 +0100
|
||||
--- openssh-5.8p1/monitor.c.audit3 2011-02-21 18:28:25.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -89,6 +89,7 @@
|
||||
#include "ssh2.h"
|
||||
#include "jpake.h"
|
||||
@ -414,7 +414,7 @@ diff -up openssh-5.8p1/monitor.c.audit3 openssh-5.8p1/monitor.c
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -66,6 +66,8 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
|
||||
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
|
||||
@ -426,7 +426,7 @@ diff -up openssh-5.8p1/monitor.h.audit3 openssh-5.8p1/monitor.h
|
||||
struct mm_master;
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit3 2010-08-31 14:41:14.000000000 +0200
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -1412,3 +1412,38 @@ mm_jpake_check_confirm(const BIGNUM *k,
|
||||
return success;
|
||||
}
|
||||
@ -468,7 +468,7 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit3 openssh-5.8p1/monitor_wrap.c
|
||||
+#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit3 openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *);
|
||||
#include "audit.h"
|
||||
void mm_audit_event(ssh_audit_event_t);
|
||||
@ -480,7 +480,7 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit3 openssh-5.8p1/monitor_wrap.h
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/sshd.c.audit3 openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit3 2011-01-11 07:20:31.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-17 15:09:38.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-21 18:28:25.000000000 +0100
|
||||
@@ -118,6 +118,7 @@
|
||||
#endif
|
||||
#include "monitor_wrap.h"
|
||||
|
139
openssh-5.8p1-audit3a.patch
Normal file
139
openssh-5.8p1-audit3a.patch
Normal file
@ -0,0 +1,139 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit3a openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit3a 2011-02-21 18:29:45.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 18:29:45.000000000 +0100
|
||||
@@ -391,7 +391,7 @@ audit_unsupported_body(int what)
|
||||
}
|
||||
|
||||
void
|
||||
-audit_kex_body(int ctos, char *enc, char *mac, char *compress)
|
||||
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid)
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
diff -up openssh-5.8p1/audit.c.audit3a openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit3a 2011-02-21 18:29:45.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-21 18:29:45.000000000 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
+#include <unistd.h>
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
|
||||
@@ -139,7 +140,7 @@ audit_unsupported(int what)
|
||||
void
|
||||
audit_kex(int ctos, char *enc, char *mac, char *comp)
|
||||
{
|
||||
- PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
|
||||
+ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||
}
|
||||
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
@@ -239,10 +240,12 @@ audit_unsupported_body(int what)
|
||||
* This will be called on succesfull protocol negotiation.
|
||||
*/
|
||||
void
|
||||
-audit_kex_body(int ctos, char *enc, char *mac, char *compress)
|
||||
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
|
||||
+ uid_t uid)
|
||||
{
|
||||
- debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
|
||||
- geteuid(), ctos, enc, mac, compress);
|
||||
+ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
|
||||
+ (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
|
||||
+ (unsigned)uid);
|
||||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit3a openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit3a 2011-02-21 18:29:45.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-21 18:29:45.000000000 +0100
|
||||
@@ -59,6 +59,6 @@ void audit_key(int, int *, const Key *);
|
||||
void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
-void audit_kex_body(int, char *, char *, char *);
|
||||
+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit3a openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit3a 2011-02-21 18:29:45.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 18:29:45.000000000 +0100
|
||||
@@ -267,7 +267,8 @@ audit_unsupported_body(int what)
|
||||
}
|
||||
|
||||
void
|
||||
-audit_kex_body(int ctos, char *enc, char *mac, char *compress)
|
||||
+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
|
||||
+ uid_t uid)
|
||||
{
|
||||
#ifdef AUDIT_CRYPTO_SESSION
|
||||
char buf[AUDIT_LOG_SIZE];
|
||||
@@ -275,8 +276,9 @@ audit_kex_body(int ctos, char *enc, char
|
||||
const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
Cipher *cipher = cipher_by_name(enc);
|
||||
|
||||
- snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d rport=%d laddr=%s lport=%d",
|
||||
+ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
|
||||
direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
|
||||
+ (intmax_t)pid, (intmax_t)uid,
|
||||
get_remote_port(), get_local_ipaddr(packet_get_connection_in()), get_local_port());
|
||||
audit_fd = audit_open();
|
||||
if (audit_fd < 0) {
|
||||
diff -up openssh-5.8p1/monitor.c.audit3a openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit3a 2011-02-21 18:29:45.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-21 18:29:45.000000000 +0100
|
||||
@@ -2239,13 +2239,17 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
{
|
||||
int ctos, len;
|
||||
char *cipher, *mac, *compress;
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
|
||||
ctos = buffer_get_int(m);
|
||||
cipher = buffer_get_string(m, &len);
|
||||
mac = buffer_get_string(m, &len);
|
||||
compress = buffer_get_string(m, &len);
|
||||
+ pid = buffer_get_int64(m);
|
||||
+ uid = buffer_get_int64(m);
|
||||
|
||||
- audit_kex_body(ctos, cipher, mac, compress);
|
||||
+ audit_kex_body(ctos, cipher, mac, compress, pid, uid);
|
||||
|
||||
buffer_clear(m);
|
||||
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit3a openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit3a 2011-02-21 18:29:45.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-21 18:29:45.000000000 +0100
|
||||
@@ -1430,7 +1430,8 @@ mm_audit_unsupported_body(int what)
|
||||
}
|
||||
|
||||
void
|
||||
-mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress)
|
||||
+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
|
||||
+ uid_t uid)
|
||||
{
|
||||
Buffer m;
|
||||
|
||||
@@ -1439,6 +1440,8 @@ mm_audit_kex_body(int ctos, char *cipher
|
||||
buffer_put_cstring(&m, cipher);
|
||||
buffer_put_cstring(&m, mac);
|
||||
buffer_put_cstring(&m, compress);
|
||||
+ buffer_put_int64(&m, pid);
|
||||
+ buffer_put_int64(&m, uid);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, &m);
|
||||
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit3a openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit3a 2011-02-21 18:33:57.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-21 18:34:18.000000000 +0100
|
||||
@@ -75,7 +75,7 @@ void mm_sshpam_free_ctx(void *);
|
||||
void mm_audit_event(ssh_audit_event_t);
|
||||
void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
-void mm_audit_kex_body(int, char *, char *, char *);
|
||||
+void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
#endif
|
||||
|
||||
struct Session;
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-17 10:34:25.000000000 +0100
|
||||
--- openssh-5.8p1/audit-bsm.c.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -395,4 +395,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||
{
|
||||
/* not implemented */
|
||||
@ -13,10 +13,10 @@ diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-17 10:34:25.000000000 +0100
|
||||
@@ -152,6 +152,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp));
|
||||
--- openssh-5.8p1/audit.c.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||
}
|
||||
|
||||
+void
|
||||
@ -28,14 +28,15 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
/*
|
||||
* Null implementations of audit functions.
|
||||
@@ -254,5 +260,13 @@ audit_kex_body(int ctos, char *enc, char
|
||||
debug("audit procol negotiation euid %d direction %d cipher %s mac %s compresion %s",
|
||||
geteuid(), ctos, enc, mac, compress);
|
||||
@@ -247,5 +253,14 @@ audit_kex_body(int ctos, char *enc, char
|
||||
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
|
||||
(unsigned)uid);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * This will be called on succesfull session key discard
|
||||
+ */
|
||||
+void
|
||||
+audit_session_key_free_body(int ctos)
|
||||
+{
|
||||
+ debug("audit session key discard euid %d direction %d", geteuid(), ctos);
|
||||
@ -43,36 +44,37 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-17 10:34:25.000000000 +0100
|
||||
--- openssh-5.8p1/audit.h.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -60,5 +60,7 @@ void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *);
|
||||
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
+void audit_session_key_free(int ctos);
|
||||
+void audit_session_key_free_body(int ctos);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-17 10:34:25.000000000 +0100
|
||||
@@ -246,13 +246,14 @@ audit_unsupported_body(int what)
|
||||
--- openssh-5.8p1/audit-linux.c.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -266,6 +266,8 @@ audit_unsupported_body(int what)
|
||||
#endif
|
||||
}
|
||||
|
||||
+const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
+
|
||||
void
|
||||
audit_kex_body(int ctos, char *enc, char *mac, char *compress)
|
||||
{
|
||||
audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
|
||||
uid_t uid)
|
||||
@@ -273,7 +275,6 @@ audit_kex_body(int ctos, char *enc, char
|
||||
#ifdef AUDIT_CRYPTO_SESSION
|
||||
char buf[AUDIT_LOG_SIZE];
|
||||
int audit_fd, audit_ok;
|
||||
- const static char *direction[] = { "from-server", "from-client", "both" };
|
||||
Cipher *cipher = cipher_by_name(enc);
|
||||
|
||||
snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d rport=%d laddr=%s lport=%d",
|
||||
@@ -275,4 +276,29 @@ audit_kex_body(int ctos, char *enc, char
|
||||
snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
|
||||
@@ -297,4 +298,29 @@ audit_kex_body(int ctos, char *enc, char
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -103,8 +105,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
|
||||
--- openssh-5.8p1/auditstub.c.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/auditstub.c 2011-02-17 10:34:25.000000000 +0100
|
||||
--- openssh-5.8p1/auditstub.c.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/auditstub.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -37,3 +37,7 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
{
|
||||
}
|
||||
@ -114,8 +116,8 @@ diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
|
||||
+{
|
||||
+}
|
||||
diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
|
||||
--- openssh-5.8p1/kex.c.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.c 2011-02-17 10:34:25.000000000 +0100
|
||||
--- openssh-5.8p1/kex.c.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
@ -153,7 +155,7 @@ diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
|
||||
+
|
||||
diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
|
||||
--- openssh-5.8p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
||||
+++ openssh-5.8p1/kex.h 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.h 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
||||
void kexecdh_client(Kex *);
|
||||
void kexecdh_server(Kex *);
|
||||
@ -165,7 +167,7 @@ diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
|
||||
--- openssh-5.8p1/mac.c.audit4 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.8p1/mac.c 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/mac.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
@ -189,15 +191,15 @@ diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
|
||||
int
|
||||
diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h
|
||||
--- openssh-5.8p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
||||
+++ openssh-5.8p1/mac.h 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/mac.h 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
+void mac_destroy(Mac *);
|
||||
diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-17 10:34:25.000000000 +0100
|
||||
--- openssh-5.8p1/monitor.c.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -180,6 +180,7 @@ int mm_answer_audit_event(int, Buffer *)
|
||||
int mm_answer_audit_command(int, Buffer *);
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
@ -238,7 +240,7 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -2253,4 +2258,18 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
@@ -2257,4 +2262,18 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -258,8 +260,8 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-17 10:34:25.000000000 +0100
|
||||
--- openssh-5.8p1/monitor.h.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -68,6 +68,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
@ -269,9 +271,9 @@ diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-17 10:34:25.000000000 +0100
|
||||
@@ -1446,4 +1446,17 @@ mm_audit_kex_body(int ctos, char *cipher
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -1449,4 +1449,17 @@ mm_audit_kex_body(int ctos, char *cipher
|
||||
|
||||
buffer_free(&m);
|
||||
}
|
||||
@ -290,19 +292,19 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-17 10:34:25.000000000 +0100
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-21 18:39:26.000000000 +0100
|
||||
@@ -76,6 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
|
||||
void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *);
|
||||
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
+void mm_audit_session_key_free_body(int);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
||||
--- openssh-5.8p1/packet.c.audit4 2010-11-24 00:46:37.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.c 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -497,6 +497,7 @@ packet_close(void)
|
||||
}
|
||||
cipher_cleanup(&active_state->send_context);
|
||||
@ -397,7 +399,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
||||
+
|
||||
diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
|
||||
--- openssh-5.8p1/packet.h.audit4 2010-11-20 05:19:38.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.h 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.h 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -125,4 +125,5 @@ void packet_restore_state(void);
|
||||
void *packet_get_input(void);
|
||||
void *packet_get_output(void);
|
||||
@ -405,8 +407,8 @@ diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
|
||||
+void packet_destroy_all(void);
|
||||
#endif /* PACKET_H */
|
||||
diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit4 2011-02-17 10:34:25.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-17 10:34:25.000000000 +0100
|
||||
--- openssh-5.8p1/sshd.c.audit4 2011-02-21 18:38:45.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-21 18:38:45.000000000 +0100
|
||||
@@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||
return (0);
|
||||
}
|
||||
|
131
openssh-5.8p1-audit4a.patch
Normal file
131
openssh-5.8p1-audit4a.patch
Normal file
@ -0,0 +1,131 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit4a openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit4a 2011-02-21 18:42:14.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 18:42:14.000000000 +0100
|
||||
@@ -397,7 +397,7 @@ audit_kex_body(int ctos, char *enc, char
|
||||
}
|
||||
|
||||
void
|
||||
-audit_session_key_free_body(int ctos)
|
||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
diff -up openssh-5.8p1/audit.c.audit4a openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit4a 2011-02-21 18:42:14.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-21 18:42:14.000000000 +0100
|
||||
@@ -146,7 +146,7 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
void
|
||||
audit_session_key_free(int ctos)
|
||||
{
|
||||
- PRIVSEP(audit_session_key_free_body(ctos));
|
||||
+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
|
||||
}
|
||||
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
@@ -258,9 +258,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||
* This will be called on succesfull session key discard
|
||||
*/
|
||||
void
|
||||
-audit_session_key_free_body(int ctos)
|
||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
{
|
||||
- debug("audit session key discard euid %d direction %d", geteuid(), ctos);
|
||||
+ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
||||
+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
||||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit4a openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit4a 2011-02-21 18:42:14.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-21 18:42:14.000000000 +0100
|
||||
@@ -61,6 +61,6 @@ void audit_kex(int, char *, char *, char
|
||||
void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
void audit_session_key_free(int ctos);
|
||||
-void audit_session_key_free_body(int ctos);
|
||||
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit4a openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit4a 2011-02-21 18:42:14.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 18:42:14.000000000 +0100
|
||||
@@ -299,13 +299,14 @@ audit_kex_body(int ctos, char *enc, char
|
||||
}
|
||||
|
||||
void
|
||||
-audit_session_key_free_body(int ctos)
|
||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
{
|
||||
char buf[AUDIT_LOG_SIZE];
|
||||
int audit_fd, audit_ok;
|
||||
|
||||
- snprintf(buf, sizeof(buf), "op=destroy kind=session direction=%s rport=%d laddr=%s lport=%d",
|
||||
- direction[ctos], get_remote_port(),
|
||||
+ snprintf(buf, sizeof(buf), "op=destroy kind=session fp=? direction=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d",
|
||||
+ direction[ctos], (intmax_t)pid, (intmax_t)uid,
|
||||
+ get_remote_port(),
|
||||
get_local_ipaddr(packet_get_connection_in()),
|
||||
get_local_port());
|
||||
audit_fd = audit_open();
|
||||
diff -up openssh-5.8p1/monitor.c.audit4a openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit4a 2011-02-21 18:42:14.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-21 18:42:14.000000000 +0100
|
||||
@@ -2266,10 +2266,14 @@ int
|
||||
mm_answer_audit_session_key_free_body(int sock, Buffer *m)
|
||||
{
|
||||
int ctos;
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
|
||||
ctos = buffer_get_int(m);
|
||||
+ pid = buffer_get_int64(m);
|
||||
+ uid = buffer_get_int64(m);
|
||||
|
||||
- audit_session_key_free_body(ctos);
|
||||
+ audit_session_key_free_body(ctos, pid, uid);
|
||||
|
||||
buffer_clear(m);
|
||||
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit4a openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit4a 2011-02-21 18:42:14.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-21 18:42:14.000000000 +0100
|
||||
@@ -1451,12 +1451,14 @@ mm_audit_kex_body(int ctos, char *cipher
|
||||
}
|
||||
|
||||
void
|
||||
-mm_audit_session_key_free_body(int ctos)
|
||||
+mm_audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
{
|
||||
Buffer m;
|
||||
|
||||
buffer_init(&m);
|
||||
buffer_put_int(&m, ctos);
|
||||
+ buffer_put_int64(&m, pid);
|
||||
+ buffer_put_int64(&m, uid);
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, &m);
|
||||
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||
&m);
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit4a openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit4a 2011-02-21 18:42:14.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-21 18:42:14.000000000 +0100
|
||||
@@ -76,7 +76,7 @@ void mm_audit_event(ssh_audit_event_t);
|
||||
void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
-void mm_audit_session_key_free_body(int);
|
||||
+void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/sshd.c.audit4a openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit4a 2011-02-21 18:48:30.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-21 18:48:41.000000000 +0100
|
||||
@@ -693,7 +693,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
newkeys_destroy(current_keys[MODE_OUT]);
|
||||
newkeys_destroy(current_keys[MODE_IN]);
|
||||
packet_destroy_all();
|
||||
- audit_session_key_free_body(2);
|
||||
+ audit_session_key_free_body(2, getpid(), getuid());
|
||||
monitor_child_postauth(pmonitor);
|
||||
|
||||
/* NEVERREACHED */
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit5 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-17 10:36:14.000000000 +0100
|
||||
@@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos)
|
||||
--- openssh-5.8p1/audit-bsm.c.audit5 2011-02-21 18:54:03.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 18:54:03.000000000 +0100
|
||||
@@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos, pi
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
@ -13,11 +13,11 @@ diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit5 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-17 10:36:14.000000000 +0100
|
||||
@@ -268,5 +268,14 @@ audit_session_key_free_body(int ctos)
|
||||
{
|
||||
debug("audit session key discard euid %d direction %d", geteuid(), ctos);
|
||||
--- openssh-5.8p1/audit.c.audit5 2011-02-21 18:54:03.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-21 18:54:03.000000000 +0100
|
||||
@@ -263,5 +263,14 @@ audit_session_key_free_body(int ctos, pi
|
||||
debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
||||
(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
@ -31,19 +31,19 @@ diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit5 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-17 10:36:14.000000000 +0100
|
||||
--- openssh-5.8p1/audit.h.audit5 2011-02-21 18:54:03.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-21 18:54:03.000000000 +0100
|
||||
@@ -62,5 +62,6 @@ void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *);
|
||||
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
void audit_session_key_free(int ctos);
|
||||
void audit_session_key_free_body(int ctos);
|
||||
void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||
+void audit_destroy_sensitive_data(const char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit5 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-17 10:36:14.000000000 +0100
|
||||
@@ -301,4 +301,26 @@ audit_session_key_free_body(int ctos)
|
||||
--- openssh-5.8p1/audit-linux.c.audit5 2011-02-21 18:54:03.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 18:54:03.000000000 +0100
|
||||
@@ -324,4 +324,26 @@ audit_session_key_free_body(int ctos, pi
|
||||
error("cannot write into audit");
|
||||
}
|
||||
|
||||
@ -71,8 +71,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit5 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-17 10:36:14.000000000 +0100
|
||||
--- openssh-5.8p1/monitor.c.audit5 2011-02-21 18:54:03.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-21 18:54:03.000000000 +0100
|
||||
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
int mm_answer_audit_kex_body(int, Buffer *);
|
||||
@ -113,7 +113,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -2272,4 +2277,20 @@ mm_answer_audit_session_key_free_body(in
|
||||
@@ -2280,4 +2285,20 @@ mm_answer_audit_session_key_free_body(in
|
||||
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
||||
return 0;
|
||||
}
|
||||
@ -135,8 +135,8 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.audit5 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-17 10:36:14.000000000 +0100
|
||||
--- openssh-5.8p1/monitor.h.audit5 2011-02-21 18:54:03.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-21 18:54:03.000000000 +0100
|
||||
@@ -69,6 +69,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||
@ -146,9 +146,9 @@ diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-17 10:36:14.000000000 +0100
|
||||
@@ -1459,4 +1459,18 @@ mm_audit_session_key_free_body(int ctos)
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-21 18:54:03.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-21 18:54:03.000000000 +0100
|
||||
@@ -1464,4 +1464,18 @@ mm_audit_session_key_free_body(int ctos,
|
||||
&m);
|
||||
buffer_free(&m);
|
||||
}
|
||||
@ -168,19 +168,19 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-17 10:36:14.000000000 +0100
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-21 18:54:03.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-21 18:54:56.000000000 +0100
|
||||
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *);
|
||||
void mm_audit_session_key_free_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
||||
+void mm_audit_destroy_sensitive_data(const char *);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
|
||||
--- openssh-5.8p1/session.c.audit5 2010-12-01 02:02:59.000000000 +0100
|
||||
+++ openssh-5.8p1/session.c 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/session.c 2011-02-21 18:54:03.000000000 +0100
|
||||
@@ -132,7 +132,7 @@ extern int log_stderr;
|
||||
extern int debug_flag;
|
||||
extern u_int utmp_len;
|
||||
@ -200,8 +200,8 @@ diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit5 2011-02-17 10:36:14.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-17 10:36:14.000000000 +0100
|
||||
--- openssh-5.8p1/sshd.c.audit5 2011-02-21 18:54:03.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-21 18:54:03.000000000 +0100
|
||||
@@ -253,7 +253,7 @@ Buffer loginmsg;
|
||||
struct passwd *privsep_pw = NULL;
|
||||
|
||||
|
@ -1,24 +1,37 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit5a openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit5a 2011-02-17 14:23:22.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-17 14:24:05.000000000 +0100
|
||||
@@ -407,4 +407,10 @@ audit_destroy_sensitive_data(const char
|
||||
--- openssh-5.8p1/audit-bsm.c.audit5a 2011-02-21 19:11:32.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-21 19:11:32.000000000 +0100
|
||||
@@ -407,4 +407,16 @@ audit_destroy_sensitive_data(const char
|
||||
{
|
||||
/* not implemented */
|
||||
}
|
||||
+
|
||||
+void
|
||||
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_generate_ephemeral_server_key(const char *fp)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.8p1/audit.c.audit5a openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit5a 2011-02-17 13:27:01.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-17 14:18:58.000000000 +0100
|
||||
@@ -277,5 +277,14 @@ audit_destroy_sensitive_data(const char
|
||||
--- openssh-5.8p1/audit.c.audit5a 2011-02-21 19:11:32.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-21 19:11:32.000000000 +0100
|
||||
@@ -268,9 +268,19 @@ audit_session_key_free_body(int ctos, pi
|
||||
* This will be called on destroy private part of the server key
|
||||
*/
|
||||
void
|
||||
-audit_destroy_sensitive_data(const char *fp)
|
||||
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
||||
{
|
||||
debug("audit destroy sensitive data euid %d fingerprint %s", geteuid(), fp);
|
||||
}
|
||||
- debug("audit destroy sensitive data euid %d fingerprint %s", geteuid(), fp);
|
||||
+ debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
|
||||
+ geteuid(), fp, (long)pid, (unsigned)uid);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * This will be called on generation of the ephemeral server key
|
||||
@ -27,23 +40,61 @@ diff -up openssh-5.8p1/audit.c.audit5a openssh-5.8p1/audit.c
|
||||
+audit_generate_ephemeral_server_key(const char *)
|
||||
+{
|
||||
+ debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
|
||||
+}
|
||||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit5a openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit5a 2011-02-17 13:23:57.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-17 14:11:53.000000000 +0100
|
||||
@@ -63,5 +63,6 @@ void audit_kex_body(int, char *, char *,
|
||||
--- openssh-5.8p1/audit.h.audit5a 2011-02-21 19:11:32.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-21 19:11:32.000000000 +0100
|
||||
@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
|
||||
};
|
||||
typedef enum ssh_audit_event_type ssh_audit_event_t;
|
||||
|
||||
+int listening_for_clients(void);
|
||||
+
|
||||
void audit_connection_from(const char *, int);
|
||||
void audit_event(ssh_audit_event_t);
|
||||
void audit_session_open(struct logininfo *);
|
||||
@@ -62,6 +64,7 @@ void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
void audit_session_key_free(int ctos);
|
||||
void audit_session_key_free_body(int ctos);
|
||||
void audit_destroy_sensitive_data(const char *);
|
||||
void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||
-void audit_destroy_sensitive_data(const char *);
|
||||
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
+void audit_generate_ephemeral_server_key(const char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit5a openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit5a 2011-02-17 14:24:31.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-17 14:26:12.000000000 +0100
|
||||
@@ -323,4 +323,25 @@ audit_destroy_sensitive_data(const char
|
||||
--- openssh-5.8p1/audit-linux.c.audit5a 2011-02-21 19:11:32.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-21 19:11:32.000000000 +0100
|
||||
@@ -317,7 +317,9 @@ audit_session_key_free_body(int ctos, pi
|
||||
return;
|
||||
}
|
||||
audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
||||
- buf, NULL, get_remote_ipaddr(), NULL, 1);
|
||||
+ buf, NULL,
|
||||
+ listening_for_clients() ? NULL : get_remote_ipaddr(),
|
||||
+ NULL, 1);
|
||||
audit_close(audit_fd);
|
||||
/* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||
@@ -325,12 +327,13 @@ audit_session_key_free_body(int ctos, pi
|
||||
}
|
||||
|
||||
void
|
||||
-audit_destroy_sensitive_data(const char *fp)
|
||||
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
||||
{
|
||||
char buf[AUDIT_LOG_SIZE];
|
||||
int audit_fd, audit_ok;
|
||||
|
||||
- snprintf(buf, sizeof(buf), "op=destroy kind=server fp=%s direction=?", fp);
|
||||
+ snprintf(buf, sizeof(buf), "op=destroy kind=server fp=%s direction=? spid=%jd suid=%jd",
|
||||
+ fp, (intmax_t)pid, (intmax_t)uid);
|
||||
audit_fd = audit_open();
|
||||
if (audit_fd < 0) {
|
||||
if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
||||
@@ -346,4 +349,25 @@ audit_destroy_sensitive_data(const char
|
||||
error("cannot write into audit");
|
||||
}
|
||||
|
||||
@ -69,23 +120,232 @@ diff -up openssh-5.8p1/audit-linux.c.audit5a openssh-5.8p1/audit-linux.c
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.8p1/sshd.c.audit5a openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit5a 2011-02-17 13:23:27.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-17 14:11:33.000000000 +0100
|
||||
@@ -379,6 +379,16 @@ generate_ephemeral_server_key(void)
|
||||
sensitive_data.server_key = key_generate(KEY_RSA1,
|
||||
options.server_key_bits);
|
||||
verbose("RSA key generation complete.");
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ {
|
||||
+ char *fp;
|
||||
+
|
||||
+ fp = key_fingerprint(sensitive_data.server_key,
|
||||
+ FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ audit_generate_ephemeral_server_key(fp);
|
||||
+ xfree(fp);
|
||||
+ }
|
||||
+#endif
|
||||
diff -up openssh-5.8p1/key.c.audit5a openssh-5.8p1/key.c
|
||||
--- openssh-5.8p1/key.c.audit5a 2011-02-04 01:48:34.000000000 +0100
|
||||
+++ openssh-5.8p1/key.c 2011-02-21 19:15:28.000000000 +0100
|
||||
@@ -1769,6 +1769,30 @@ key_demote(const Key *k)
|
||||
}
|
||||
|
||||
arc4random_buf(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
|
||||
arc4random_stir();
|
||||
int
|
||||
+key_is_private(const Key *k)
|
||||
+{
|
||||
+ switch (k->type) {
|
||||
+ case KEY_RSA_CERT_V00:
|
||||
+ case KEY_RSA_CERT:
|
||||
+ case KEY_RSA1:
|
||||
+ case KEY_RSA:
|
||||
+ return k->rsa->d != NULL;
|
||||
+ case KEY_DSA_CERT_V00:
|
||||
+ case KEY_DSA_CERT:
|
||||
+ case KEY_DSA:
|
||||
+ return k->dsa->priv_key != NULL;
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ case KEY_ECDSA_CERT:
|
||||
+ case KEY_ECDSA:
|
||||
+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
|
||||
+#endif
|
||||
+ default:
|
||||
+ fatal("key_is_private: bad key type %d", k->type);
|
||||
+ return 1;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+int
|
||||
key_is_cert(const Key *k)
|
||||
{
|
||||
if (k == NULL)
|
||||
diff -up openssh-5.8p1/key.h.audit5a openssh-5.8p1/key.h
|
||||
--- openssh-5.8p1/key.h.audit5a 2010-11-05 00:19:49.000000000 +0100
|
||||
+++ openssh-5.8p1/key.h 2011-02-21 19:15:34.000000000 +0100
|
||||
@@ -106,6 +106,7 @@ Key *key_generate(int, u_int);
|
||||
Key *key_from_private(const Key *);
|
||||
int key_type_from_name(char *);
|
||||
int key_is_cert(const Key *);
|
||||
+int key_is_private(const Key *k);
|
||||
int key_type_plain(int);
|
||||
int key_to_certified(Key *, int);
|
||||
int key_drop_cert(Key *);
|
||||
diff -up openssh-5.8p1/monitor.c.audit5a openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit5a 2011-02-21 19:11:32.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-21 19:11:32.000000000 +0100
|
||||
@@ -2291,10 +2291,14 @@ mm_answer_audit_server_key_free(int sock
|
||||
{
|
||||
int len;
|
||||
char *fp;
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
|
||||
fp = buffer_get_string(m, &len);
|
||||
+ pid = buffer_get_int64(m);
|
||||
+ uid = buffer_get_int64(m);
|
||||
|
||||
- audit_destroy_sensitive_data(fp);
|
||||
+ audit_destroy_sensitive_data(fp, pid, uid);
|
||||
|
||||
buffer_clear(m);
|
||||
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit5a openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit5a 2011-02-21 19:11:32.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-21 19:11:32.000000000 +0100
|
||||
@@ -1466,12 +1466,14 @@ mm_audit_session_key_free_body(int ctos,
|
||||
}
|
||||
|
||||
void
|
||||
-mm_audit_destroy_sensitive_data(const char *fp)
|
||||
+mm_audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
||||
{
|
||||
Buffer m;
|
||||
|
||||
buffer_init(&m);
|
||||
buffer_put_cstring(&m, fp);
|
||||
+ buffer_put_int64(&m, pid);
|
||||
+ buffer_put_int64(&m, uid);
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
||||
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE,
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit5a openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit5a 2011-02-21 19:11:32.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-21 19:11:32.000000000 +0100
|
||||
@@ -77,7 +77,7 @@ void mm_audit_run_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
||||
-void mm_audit_destroy_sensitive_data(const char *);
|
||||
+void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/sshd.c.audit5a openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit5a 2011-02-21 19:11:32.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-21 19:11:32.000000000 +0100
|
||||
@@ -272,6 +272,15 @@ close_listen_socks(void)
|
||||
num_listen_socks = -1;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Is this process listening for clients (i.e. not specific to any specific
|
||||
+ * client connection?)
|
||||
+ */
|
||||
+int listening_for_clients(void)
|
||||
+{
|
||||
+ return num_listen_socks > 0;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
close_startup_pipes(void)
|
||||
{
|
||||
@@ -532,30 +541,47 @@ sshd_exchange_identification(int sock_in
|
||||
}
|
||||
}
|
||||
|
||||
-/* Destroy the host and server keys. They will no longer be needed. */
|
||||
+/*
|
||||
+ * Destroy the host and server keys. They will no longer be needed. Careful,
|
||||
+ * this can be called from cleanup_exit() - i.e. from just about anywhere.
|
||||
+ */
|
||||
void
|
||||
destroy_sensitive_data(int privsep)
|
||||
{
|
||||
int i;
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
|
||||
if (sensitive_data.server_key) {
|
||||
key_free(sensitive_data.server_key);
|
||||
sensitive_data.server_key = NULL;
|
||||
}
|
||||
+ pid = getpid();
|
||||
+ uid = getuid();
|
||||
for (i = 0; i < options.num_host_key_files; i++) {
|
||||
if (sensitive_data.host_keys[i]) {
|
||||
char *fp;
|
||||
|
||||
- fp = key_fingerprint(sensitive_data.host_keys[i],
|
||||
- FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ if (key_is_private(sensitive_data.host_keys[i]))
|
||||
+ fp = key_fingerprint(sensitive_data.host_keys[i],
|
||||
+ FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
|
||||
+ SSH_FP_HEX);
|
||||
+ else
|
||||
+ fp = NULL;
|
||||
key_free(sensitive_data.host_keys[i]);
|
||||
sensitive_data.host_keys[i] = NULL;
|
||||
- if (privsep)
|
||||
- PRIVSEP(audit_destroy_sensitive_data(fp));
|
||||
- else
|
||||
- audit_destroy_sensitive_data(fp);
|
||||
+ if (fp != NULL) {
|
||||
+ if (privsep)
|
||||
+ PRIVSEP(audit_destroy_sensitive_data(fp,
|
||||
+ pid, uid));
|
||||
+ else
|
||||
+ audit_destroy_sensitive_data(fp,
|
||||
+ pid, uid);
|
||||
+ xfree(fp);
|
||||
+ }
|
||||
}
|
||||
- if (sensitive_data.host_certificates[i]) {
|
||||
+ if (sensitive_data.host_certificates
|
||||
+ && sensitive_data.host_certificates[i]) {
|
||||
key_free(sensitive_data.host_certificates[i]);
|
||||
sensitive_data.host_certificates[i] = NULL;
|
||||
}
|
||||
@@ -569,6 +595,8 @@ void
|
||||
demote_sensitive_data(void)
|
||||
{
|
||||
Key *tmp;
|
||||
+ pid_t pid;
|
||||
+ uid_t uid;
|
||||
int i;
|
||||
|
||||
if (sensitive_data.server_key) {
|
||||
@@ -577,19 +605,27 @@ demote_sensitive_data(void)
|
||||
sensitive_data.server_key = tmp;
|
||||
}
|
||||
|
||||
+ pid = getpid();
|
||||
+ uid = getuid();
|
||||
for (i = 0; i < options.num_host_key_files; i++) {
|
||||
if (sensitive_data.host_keys[i]) {
|
||||
char *fp;
|
||||
|
||||
- fp = key_fingerprint(sensitive_data.host_keys[i],
|
||||
- FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ if (key_is_private(sensitive_data.host_keys[i]))
|
||||
+ fp = key_fingerprint(sensitive_data.host_keys[i],
|
||||
+ FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5,
|
||||
+ SSH_FP_HEX);
|
||||
+ else
|
||||
+ fp = NULL;
|
||||
tmp = key_demote(sensitive_data.host_keys[i]);
|
||||
key_free(sensitive_data.host_keys[i]);
|
||||
sensitive_data.host_keys[i] = tmp;
|
||||
if (tmp->type == KEY_RSA1)
|
||||
sensitive_data.ssh1_host_key = tmp;
|
||||
- audit_destroy_sensitive_data(fp);
|
||||
- xfree(fp);
|
||||
+ if (fp != NULL) {
|
||||
+ audit_destroy_sensitive_data(fp, pid, uid);
|
||||
+ xfree(fp);
|
||||
+ }
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
@@ -1134,6 +1170,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
+ destroy_sensitive_data(0);
|
||||
close_listen_socks();
|
||||
unlink(options.pid_file);
|
||||
exit(255);
|
||||
@@ -2370,6 +2407,9 @@ cleanup_exit(int i)
|
||||
{
|
||||
if (the_authctxt)
|
||||
do_cleanup(the_authctxt);
|
||||
+ if (sensitive_data.host_keys != NULL)
|
||||
+ destroy_sensitive_data(use_privsep && pmonitor != NULL &&
|
||||
+ !mm_is_monitor());
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
/* done after do_cleanup so it can cancel the PAM auth 'thread' */
|
||||
if (!use_privsep || mm_is_monitor())
|
||||
|
@ -1,18 +1,18 @@
|
||||
diff -up openssh-5.8p1/audit.c.fips openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-14 10:10:41.000000000 +0100
|
||||
@@ -124,7 +124,7 @@ audit_key(int type, int *rv, const Key *
|
||||
"ssh-dsa",
|
||||
"unknown" };
|
||||
--- openssh-5.8p1/audit.c.fips 2011-02-21 17:05:13.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-21 17:06:18.000000000 +0100
|
||||
@@ -121,7 +121,7 @@ audit_key(int host_user, int *rv, const
|
||||
char *fp;
|
||||
const char *crypto_name;
|
||||
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
switch(key->type) {
|
||||
case KEY_RSA1:
|
||||
case KEY_RSA:
|
||||
if (key->type == KEY_RSA1)
|
||||
crypto_name = "ssh-rsa1";
|
||||
else
|
||||
diff -up openssh-5.8p1/auth2-pubkey.c.fips openssh-5.8p1/auth2-pubkey.c
|
||||
--- openssh-5.8p1/auth2-pubkey.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-14 10:10:41.000000000 +0100
|
||||
--- openssh-5.8p1/auth2-pubkey.c.fips 2011-02-21 17:05:14.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -36,6 +36,7 @@
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
@ -32,7 +32,7 @@ diff -up openssh-5.8p1/auth2-pubkey.c.fips openssh-5.8p1/auth2-pubkey.c
|
||||
xfree(fp);
|
||||
diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
|
||||
--- openssh-5.8p1/authfile.c.fips 2010-12-01 02:03:39.000000000 +0100
|
||||
+++ openssh-5.8p1/authfile.c 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/authfile.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -145,8 +145,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
|
||||
/* Allocate space for the private part of the key in the buffer. */
|
||||
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
|
||||
@ -67,20 +67,20 @@ diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
|
||||
buffer_ptr(blob), buffer_len(blob));
|
||||
cipher_cleanup(&ciphercontext);
|
||||
diff -up openssh-5.8p1/auth-rsa.c.fips openssh-5.8p1/auth-rsa.c
|
||||
--- openssh-5.8p1/auth-rsa.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-14 10:10:41.000000000 +0100
|
||||
--- openssh-5.8p1/auth-rsa.c.fips 2011-02-21 17:05:13.000000000 +0100
|
||||
+++ openssh-5.8p1/auth-rsa.c 2011-02-21 17:07:33.000000000 +0100
|
||||
@@ -119,7 +119,7 @@ auth_rsa_verify_response(Key *key, BIGNU
|
||||
rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
|
||||
+ fp = key_fingerprint(key, FIPS_mode() ? SSH_FP_SHA1 : SSH_FP_MD5, SSH_FP_HEX);
|
||||
if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) {
|
||||
if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
|
||||
debug("unsuccessful audit");
|
||||
rv = 0;
|
||||
diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
|
||||
--- openssh-5.8p1/cipher.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.c 2011-02-14 10:10:41.000000000 +0100
|
||||
--- openssh-5.8p1/cipher.c.fips 2011-02-21 17:05:13.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -167,7 +167,7 @@ diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
|
||||
/*
|
||||
diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
|
||||
--- openssh-5.8p1/cipher-ctr.c.fips 2010-10-07 13:06:42.000000000 +0200
|
||||
+++ openssh-5.8p1/cipher-ctr.c 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher-ctr.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
@ -179,8 +179,8 @@ diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
|
||||
--- openssh-5.8p1/cipher.h.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.h 2011-02-14 10:10:41.000000000 +0100
|
||||
--- openssh-5.8p1/cipher.h.fips 2011-02-21 17:05:13.000000000 +0100
|
||||
+++ openssh-5.8p1/cipher.h 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -87,7 +87,7 @@ void cipher_init(CipherContext *, Ciphe
|
||||
const u_char *, u_int, int);
|
||||
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
|
||||
@ -191,8 +191,8 @@ diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
|
||||
u_int cipher_keylen(const Cipher *);
|
||||
u_int cipher_is_cbc(const Cipher *);
|
||||
diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
|
||||
--- openssh-5.8p1/mac.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/mac.c 2011-02-14 10:10:41.000000000 +0100
|
||||
--- openssh-5.8p1/mac.c.fips 2011-02-21 17:05:13.000000000 +0100
|
||||
+++ openssh-5.8p1/mac.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -243,8 +243,8 @@ diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
|
||||
for (i = 0; macs[i].name; i++) {
|
||||
if (strcmp(name, macs[i].name) == 0) {
|
||||
diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
|
||||
--- openssh-5.8p1/Makefile.in.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-14 10:10:41.000000000 +0100
|
||||
--- openssh-5.8p1/Makefile.in.fips 2011-02-21 17:05:14.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
@ -288,7 +288,7 @@ diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
|
||||
--- openssh-5.8p1/myproposal.h.fips 2011-01-13 12:00:22.000000000 +0100
|
||||
+++ openssh-5.8p1/myproposal.h 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/myproposal.h 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -81,7 +81,12 @@
|
||||
"hmac-sha1-96,hmac-md5-96"
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
@ -305,7 +305,7 @@ diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
|
||||
KEX_DEFAULT_KEX,
|
||||
diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbsd-compat/bsd-arc4random.c
|
||||
--- openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
|
||||
+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -39,6 +39,7 @@
|
||||
static int rc4_ready = 0;
|
||||
static RC4_KEY rc4;
|
||||
@ -349,7 +349,7 @@ diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbs
|
||||
#ifndef HAVE_ARC4RANDOM_BUF
|
||||
diff -up openssh-5.8p1/ssh-add.c.fips openssh-5.8p1/ssh-add.c
|
||||
--- openssh-5.8p1/ssh-add.c.fips 2010-11-11 04:17:02.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-add.c 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-add.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -42,6 +42,7 @@
|
||||
#include <sys/param.h>
|
||||
|
||||
@ -369,7 +369,7 @@ diff -up openssh-5.8p1/ssh-add.c.fips openssh-5.8p1/ssh-add.c
|
||||
key_size(key), fp, comment, key_type(key));
|
||||
diff -up openssh-5.8p1/ssh-agent.c.fips openssh-5.8p1/ssh-agent.c
|
||||
--- openssh-5.8p1/ssh-agent.c.fips 2010-12-01 01:50:35.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-agent.c 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-agent.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -51,6 +51,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -393,7 +393,7 @@ diff -up openssh-5.8p1/ssh-agent.c.fips openssh-5.8p1/ssh-agent.c
|
||||
|
||||
diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
|
||||
--- openssh-5.8p1/ssh.c.fips 2011-02-04 01:42:15.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh.c 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -73,6 +73,8 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -458,7 +458,7 @@ diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
|
||||
options.address_family, options.connection_attempts, &timeout_ms,
|
||||
diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
|
||||
--- openssh-5.8p1/sshconnect2.c.fips 2010-12-01 02:21:51.000000000 +0100
|
||||
+++ openssh-5.8p1/sshconnect2.c 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/sshconnect2.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
@ -504,7 +504,7 @@ diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
|
||||
/*
|
||||
diff -up openssh-5.8p1/sshconnect.c.fips openssh-5.8p1/sshconnect.c
|
||||
--- openssh-5.8p1/sshconnect.c.fips 2011-01-16 13:17:59.000000000 +0100
|
||||
+++ openssh-5.8p1/sshconnect.c 2011-02-14 10:18:14.000000000 +0100
|
||||
+++ openssh-5.8p1/sshconnect.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -41,6 +41,8 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
@ -617,8 +617,8 @@ diff -up openssh-5.8p1/sshconnect.c.fips openssh-5.8p1/sshconnect.c
|
||||
|
||||
xfree(fp);
|
||||
diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-14 10:10:41.000000000 +0100
|
||||
--- openssh-5.8p1/sshd.c.fips 2011-02-21 17:05:14.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -76,6 +76,8 @@
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/md5.h>
|
||||
@ -628,7 +628,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
@@ -1314,6 +1316,12 @@ main(int ac, char **av)
|
||||
@@ -1327,6 +1329,12 @@ main(int ac, char **av)
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -641,7 +641,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
|
||||
init_rng();
|
||||
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
@@ -1475,8 +1483,6 @@ main(int ac, char **av)
|
||||
@@ -1488,8 +1496,6 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
@ -650,7 +650,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
|
||||
/*
|
||||
* Force logging to stderr until we have loaded the private host
|
||||
* key (unless started from inetd)
|
||||
@@ -1595,6 +1601,10 @@ main(int ac, char **av)
|
||||
@@ -1608,6 +1614,10 @@ main(int ac, char **av)
|
||||
debug("private host key: #%d type %d %s", i, key->type,
|
||||
key_type(key));
|
||||
}
|
||||
@ -661,7 +661,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
|
||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -1759,6 +1769,10 @@ main(int ac, char **av)
|
||||
@@ -1772,6 +1782,10 @@ main(int ac, char **av)
|
||||
/* Initialize the random number generator. */
|
||||
arc4random_stir();
|
||||
|
||||
@ -672,7 +672,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
chdir("/");
|
||||
@@ -2305,6 +2319,9 @@ do_ssh2_kex(void)
|
||||
@@ -2315,6 +2329,9 @@ do_ssh2_kex(void)
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
@ -682,7 +682,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -2314,6 +2331,9 @@ do_ssh2_kex(void)
|
||||
@@ -2324,6 +2341,9 @@ do_ssh2_kex(void)
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
@ -693,8 +693,8 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
|
||||
if (options.compression == COMP_NONE) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
diff -up openssh-5.8p1/ssh-keygen.c.fips openssh-5.8p1/ssh-keygen.c
|
||||
--- openssh-5.8p1/ssh-keygen.c.fips 2011-02-14 10:10:41.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-keygen.c 2011-02-14 10:10:41.000000000 +0100
|
||||
--- openssh-5.8p1/ssh-keygen.c.fips 2011-02-21 17:05:14.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-keygen.c 2011-02-21 17:05:14.000000000 +0100
|
||||
@@ -21,6 +21,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
74
openssh-5.8p1-wIm.patch
Normal file
74
openssh-5.8p1-wIm.patch
Normal file
@ -0,0 +1,74 @@
|
||||
diff -up openssh-5.8p1/log.h.wIm openssh-5.8p1/log.h
|
||||
--- openssh-5.8p1/log.h.wIm 2008-06-13 02:22:54.000000000 +0200
|
||||
+++ openssh-5.8p1/log.h 2011-02-17 11:41:51.000000000 +0100
|
||||
@@ -63,6 +63,7 @@ void verbose(const char *, ...) __at
|
||||
void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
void debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
+void debug_wIm(const char *);
|
||||
|
||||
void do_log(LogLevel, const char *, va_list);
|
||||
void cleanup_exit(int) __attribute__((noreturn));
|
||||
diff -up openssh-5.8p1/Makefile.in.wIm openssh-5.8p1/Makefile.in
|
||||
--- openssh-5.8p1/Makefile.in.wIm 2011-02-04 01:42:13.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-17 11:44:05.000000000 +0100
|
||||
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
|
||||
- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
|
||||
+ readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
diff -up openssh-5.8p1/sshd.c.wIm openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.wIm 2011-01-11 07:20:31.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-17 11:41:51.000000000 +0100
|
||||
@@ -139,6 +139,9 @@ int deny_severity;
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
+/* trace of fork processes */
|
||||
+extern int whereIam;
|
||||
+
|
||||
/* Server configuration options. */
|
||||
ServerOptions options;
|
||||
|
||||
@@ -652,6 +655,7 @@ privsep_preauth(Authctxt *authctxt)
|
||||
} else {
|
||||
/* child */
|
||||
|
||||
+ whereIam = 1;
|
||||
close(pmonitor->m_sendfd);
|
||||
|
||||
/* Demote the child */
|
||||
@@ -693,6 +697,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
exit(0);
|
||||
}
|
||||
|
||||
+ whereIam = 2;
|
||||
close(pmonitor->m_sendfd);
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@@ -1302,6 +1307,8 @@ main(int ac, char **av)
|
||||
Key *key;
|
||||
Authctxt *authctxt;
|
||||
|
||||
+ whereIam = 0;
|
||||
+
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
diff -up openssh-5.8p1/whereIam.c.wIm openssh-5.8p1/whereIam.c
|
||||
--- openssh-5.8p1/whereIam.c.wIm 2011-02-17 11:41:51.000000000 +0100
|
||||
+++ openssh-5.8p1/whereIam.c 2011-02-17 11:41:51.000000000 +0100
|
||||
@@ -0,0 +1,9 @@
|
||||
+
|
||||
+int whereIam = -1;
|
||||
+
|
||||
+void debug_wIm(const char *txt)
|
||||
+{
|
||||
+ debug("%s: %s wIm = %d, euid=%d", txt, __func__, whereIam, geteuid());
|
||||
+}
|
||||
+
|
||||
+
|
11
openssh.spec
11
openssh.spec
@ -71,7 +71,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.8p1
|
||||
%define openssh_rel 4
|
||||
%define openssh_rel 5
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 30
|
||||
|
||||
@ -97,10 +97,13 @@ Patch100: openssh-5.8p1-wIm.patch
|
||||
Patch0: openssh-5.6p1-redhat.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch1: openssh-5.8p1-audit1.patch
|
||||
Patch101: openssh-5.8p1-audit1a.patch
|
||||
Patch2: openssh-5.8p1-audit2.patch
|
||||
Patch102: openssh-5.8p1-audit2a.patch
|
||||
Patch3: openssh-5.8p1-audit3.patch
|
||||
Patch103: openssh-5.8p1-audit3a.patch
|
||||
Patch4: openssh-5.8p1-audit4.patch
|
||||
Patch104: openssh-5.8p1-audit4a.patch
|
||||
Patch5: openssh-5.8p1-audit5.patch
|
||||
Patch105: openssh-5.8p1-audit5a.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640
|
||||
@ -287,10 +290,13 @@ The module is most useful for su and sudo service stacks.
|
||||
###%patch100 -p1 -b .wIm
|
||||
%patch0 -p1 -b .redhat
|
||||
%patch1 -p1 -b .audit1
|
||||
%patch101 -p1 -b .audit1a
|
||||
%patch2 -p1 -b .audit2
|
||||
%patch102 -p1 -b .audit2a
|
||||
%patch3 -p1 -b .audit3
|
||||
%patch103 -p1 -b .audit3a
|
||||
%patch4 -p1 -b .audit4
|
||||
%patch104 -p1 -b .audit4a
|
||||
%patch5 -p1 -b .audit5
|
||||
%patch105 -p1 -b .audit5a
|
||||
%patch9 -p1 -b .vendor
|
||||
@ -610,6 +616,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 21 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-5 + 0.9.2-30
|
||||
- another audit improovements
|
||||
|
||||
* Thu Feb 17 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-4 + 0.9.2-30
|
||||
- improve audit of server ket management
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user