Rebase from openssh 8.5p1 to 8.6p1

Resolves: rhbz#1952957
This commit is contained in:
Dmitry Belyavskiy 2021-05-06 14:51:30 +02:00
parent dd942e6d52
commit 9dff9c0419
14 changed files with 2106 additions and 2119 deletions

2
.gitignore vendored
View File

@ -48,3 +48,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-8.5p1.tar.gz /openssh-8.5p1.tar.gz
/openssh-8.5p1.tar.gz.asc /openssh-8.5p1.tar.gz.asc
/gpgkey-736060BA.gpg /gpgkey-736060BA.gpg
/openssh-8.6p1.tar.gz
/openssh-8.6p1.tar.gz.asc

View File

@ -1,19 +1,18 @@
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100 --- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info 2021-04-19 13:57:11.720113536 +0200
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100 +++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c 2021-04-19 13:59:29.842163204 +0200
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi @@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
GTK_MESSAGE_ERROR, GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
GTK_BUTTONS_CLOSE, - "Could not grab %s. A malicious client may be eavesdropping "
- "Could not grab %s. " - "on your session.", what);
- "A malicious client may be eavesdropping " + "SSH password dialog could not grab the %s input.\n"
- "on your session.", what); + "This might be caused by application such as screensaver, "
+ "SSH password dialog could not grab the %s input.\n" + "however it could also mean that someone may be eavesdropping "
+ "This might be caused by application such as screensaver, " + "on your session.\n"
+ "however it could also mean that someone may be eavesdropping " + "Either close the application which grabs the %s or "
+ "on your session.\n" + "log out and log in again to prevent this from happening.", what, what);
+ "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_dialog_run(GTK_DIALOG(err)); gtk_dialog_run(GTK_DIALOG(err));

View File

@ -60,7 +60,7 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
if (prompt_type == PROMPT_ENTRY) { if (prompt_type == PROMPT_ENTRY) {
@@ -130,6 +145,22 @@ passphrase_dialog(char *message) @@ -130,6 +145,22 @@ passphrase_dialog(char *message)
g_signal_connect(G_OBJECT(entry), "key_press_event", g_signal_connect(G_OBJECT(entry), "key_press_event",
G_CALLBACK(check_none), dialog); G_CALLBACK(check_none), dialog);
} }
+ +
+ hbox = gtk_hbox_new(FALSE, 0); + hbox = gtk_hbox_new(FALSE, 0);

View File

@ -1,7 +1,7 @@
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100 +++ openssh-8.6p1/log.c 2021-05-06 11:32:25.179006811 +0200
@@ -250,6 +250,11 @@ debug3(const char *fmt,...) @@ -194,6 +194,11 @@ void
log_init(const char *av0, LogLevel level, SyslogFacility facility, log_init(const char *av0, LogLevel level, SyslogFacility facility,
int on_stderr) int on_stderr)
{ {
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT; struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif #endif
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl @@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
exit(1); exit(1);
} }
@ -26,21 +26,21 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
log_on_stderr = on_stderr; log_on_stderr = on_stderr;
if (on_stderr) if (on_stderr)
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/log.h.log-in-chroot 2021-05-06 11:32:25.179006811 +0200
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100 +++ openssh-8.6p1/log.h 2021-05-06 11:34:22.349925757 +0200
@@ -49,6 +49,7 @@ typedef enum { @@ -52,6 +52,7 @@ typedef enum {
const char *, void *); typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
void log_init(const char *, LogLevel, SyslogFacility, int); void log_init(const char *, LogLevel, SyslogFacility, int);
+void log_init_handler(const char *, LogLevel, SyslogFacility, int, int); +void log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
LogLevel log_level_get(void); LogLevel log_level_get(void);
int log_change_level(LogLevel); int log_change_level(LogLevel);
int log_is_on_stderr(void); int log_is_on_stderr(void);
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100 --- openssh-8.6p1/monitor.c.log-in-chroot 2021-05-06 11:32:25.153006607 +0200
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100 +++ openssh-8.6p1/monitor.c 2021-05-06 11:33:37.671575348 +0200
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx @@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
close(pmonitor->m_log_sendfd); close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -49,7 +49,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
authctxt = (Authctxt *)ssh->authctxt; authctxt = (Authctxt *)ssh->authctxt;
memset(authctxt, 0, sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt));
ssh->authctxt = authctxt; ssh->authctxt = authctxt;
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p @@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
close(pmonitor->m_recvfd); close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1; pmonitor->m_recvfd = -1;
@ -58,16 +58,16 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
monitor_set_child_handler(pmonitor->m_pid); monitor_set_child_handler(pmonitor->m_pid);
ssh_signal(SIGHUP, &monitor_child_handler); ssh_signal(SIGHUP, &monitor_child_handler);
ssh_signal(SIGTERM, &monitor_child_handler); ssh_signal(SIGTERM, &monitor_child_handler);
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito @@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
/* Log it */ /* Log it */
if (log_level_name(level) == NULL) if (log_level_name(level) == NULL)
fatal_f("invalid log level %u (corrupted message?)", level); fatal_f("invalid log level %u (corrupted message?)", level);
- sshlog(file, func, line, 0, level, NULL, "%s [preauth]", msg); - sshlogdirect(level, forced, "%s [preauth]", msg);
+ sshlog(file, func, line, 0, level, NULL, "%s [%s]", msg, pmonitor->m_state); + sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
sshbuf_free(logmsg); sshbuf_free(logmsg);
free(file); free(msg);
@@ -1719,13 +1723,28 @@ monitor_init(void) @@ -1868,13 +1872,28 @@ monitor_init(void)
mon = xcalloc(1, sizeof(*mon)); mon = xcalloc(1, sizeof(*mon));
monitor_openfds(mon, 1); monitor_openfds(mon, 1);
@ -98,10 +98,10 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
} }
#ifdef GSSAPI #ifdef GSSAPI
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
--- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100 --- openssh-8.6p1/monitor.h.log-in-chroot 2021-05-06 11:32:25.153006607 +0200
+++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100 +++ openssh-8.6p1/monitor.h 2021-05-06 11:32:25.180006819 +0200
@@ -83,10 +83,11 @@ struct monitor { @@ -80,10 +80,11 @@ struct monitor {
int m_log_sendfd; int m_log_sendfd;
struct kex **m_pkex; struct kex **m_pkex;
pid_t m_pid; pid_t m_pid;
@ -114,9 +114,9 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
struct Authctxt; struct Authctxt;
void monitor_child_preauth(struct ssh *, struct monitor *); void monitor_child_preauth(struct ssh *, struct monitor *);
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100 --- openssh-8.6p1/session.c.log-in-chroot 2021-05-06 11:32:25.166006709 +0200
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100 +++ openssh-8.6p1/session.c 2021-05-06 11:32:25.181006827 +0200
@@ -160,6 +160,7 @@ login_cap_t *lc; @@ -160,6 +160,7 @@ login_cap_t *lc;
static int is_child = 0; static int is_child = 0;
@ -125,7 +125,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
/* File containing userauth info, if ExposeAuthInfo set */ /* File containing userauth info, if ExposeAuthInfo set */
static char *auth_info_file = NULL; static char *auth_info_file = NULL;
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command) @@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
int ret; int ret;
const char *forced = NULL, *tty = NULL; const char *forced = NULL, *tty = NULL;
char session_type[1024]; char session_type[1024];
@ -133,7 +133,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
if (options.adm_forced_command) { if (options.adm_forced_command) {
original_command = command; original_command = command;
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command) @@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
tty += 5; tty += 5;
} }
@ -144,7 +144,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d", verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type, session_type,
tty == NULL ? "" : " on ", tty == NULL ? "" : " on ",
@@ -1486,14 +1492,6 @@ child_close_fds(void) @@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
/* Stop directing logs to a high-numbered fd before we close it */ /* Stop directing logs to a high-numbered fd before we close it */
log_redirect_stderr_to(NULL); log_redirect_stderr_to(NULL);
@ -159,7 +159,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
} }
/* /*
@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command @@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
exit(1); exit(1);
} }
@ -168,7 +168,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
do_rc_files(ssh, s, shell); do_rc_files(ssh, s, shell);
/* restore SIGPIPE for child */ /* restore SIGPIPE for child */
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command @@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -187,9 +187,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
fflush(NULL); fflush(NULL);
/* Get the last component of the shell name. */ /* Get the last component of the shell name. */
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp.h.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp.h 2021-05-06 11:32:25.181006827 +0200
@@ -97,5 +97,5 @@ @@ -97,5 +97,5 @@
struct passwd; struct passwd;
@ -197,10 +197,10 @@ diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
-int sftp_server_main(int, char **, struct passwd *); -int sftp_server_main(int, char **, struct passwd *);
+int sftp_server_main(int, char **, struct passwd *, int); +int sftp_server_main(int, char **, struct passwd *, int);
void sftp_server_cleanup_exit(int) __attribute__((noreturn)); void sftp_server_cleanup_exit(int) __attribute__((noreturn));
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp-server.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp-server.c 2021-05-06 11:32:25.181006827 +0200
@@ -1497,7 +1497,7 @@ sftp_server_usage(void) @@ -1644,7 +1644,7 @@ sftp_server_usage(void)
} }
int int
@ -209,7 +209,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
{ {
fd_set *rset, *wset; fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv, @@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname; extern char *__progname;
__progname = ssh_get_progname(argv[0]); __progname = ssh_get_progname(argv[0]);
@ -218,7 +218,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
pw = pwcopy(user_pw); pw = pwcopy(user_pw);
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv, @@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
} }
} }
@ -227,20 +227,20 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
/* /*
* On platforms where we can, avoid making /proc/self/{mem,maps} * On platforms where we can, avoid making /proc/self/{mem,maps}
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp-server-main.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp-server-main.c 2021-05-06 11:32:25.181006827 +0200
@@ -49,5 +49,5 @@ main(int argc, char **argv) @@ -50,5 +50,5 @@ main(int argc, char **argv)
return 1; return 1;
} }
- return (sftp_server_main(argc, argv, user_pw)); - return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0)); + return (sftp_server_main(argc, argv, user_pw, 0));
} }
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c
--- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100 --- openssh-8.6p1/sshd.c.log-in-chroot 2021-05-06 11:32:25.177006795 +0200
+++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100 +++ openssh-8.6p1/sshd.c 2021-05-06 11:32:25.182006834 +0200
@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt) @@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
} }
/* New socket pair */ /* New socket pair */
@ -249,7 +249,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
pmonitor->m_pid = fork(); pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1) if (pmonitor->m_pid == -1)
@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt) @@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1; pmonitor->m_sendfd = -1;

View File

@ -1,7 +1,7 @@
diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c diff -up openssh-8.6p1/audit-bsm.c.audit openssh-8.6p1/audit-bsm.c
--- openssh/audit-bsm.c.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/audit-bsm.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/audit-bsm.c 2019-04-03 17:02:20.713886041 +0200 +++ openssh-8.6p1/audit-bsm.c 2021-05-06 12:05:27.376464524 +0200
@@ -372,13 +372,26 @@ audit_connection_from(const char *host, @@ -373,13 +373,26 @@ audit_connection_from(const char *host,
#endif #endif
} }
@ -29,7 +29,7 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
audit_session_open(struct logininfo *li) audit_session_open(struct logininfo *li)
{ {
/* not implemented */ /* not implemented */
@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li @@ -391,6 +404,12 @@ audit_session_close(struct logininfo *li
/* not implemented */ /* not implemented */
} }
@ -42,7 +42,7 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
void void
audit_event(struct ssh *ssh, ssh_audit_event_t event) audit_event(struct ssh *ssh, ssh_audit_event_t event)
{ {
@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_e @@ -452,4 +471,28 @@ audit_event(struct ssh *ssh, ssh_audit_e
debug("%s: unhandled event %d", __func__, event); debug("%s: unhandled event %d", __func__, event);
} }
} }
@ -71,9 +71,9 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff -up openssh/audit.c.audit openssh/audit.c diff -up openssh-8.6p1/audit.c.audit openssh-8.6p1/audit.c
--- openssh/audit.c.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/audit.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/audit.c 2019-04-03 17:02:20.713886041 +0200 +++ openssh-8.6p1/audit.c 2021-05-06 12:05:27.376464524 +0200
@@ -34,6 +34,12 @@ @@ -34,6 +34,12 @@
#include "log.h" #include "log.h"
#include "hostfile.h" #include "hostfile.h"
@ -251,9 +251,9 @@ diff -up openssh/audit.c.audit openssh/audit.c
} }
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh/audit.h.audit openssh/audit.h diff -up openssh-8.6p1/audit.h.audit openssh-8.6p1/audit.h
--- openssh/audit.h.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/audit.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/audit.h 2019-04-03 17:02:20.713886041 +0200 +++ openssh-8.6p1/audit.h 2021-05-06 12:05:27.376464524 +0200
@@ -26,6 +26,7 @@ @@ -26,6 +26,7 @@
# define _SSH_AUDIT_H # define _SSH_AUDIT_H
@ -296,9 +296,9 @@ diff -up openssh/audit.h.audit openssh/audit.h
+void audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t); +void audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff -up openssh/audit-linux.c.audit openssh/audit-linux.c diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c
--- openssh/audit-linux.c.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/audit-linux.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/audit-linux.c 2019-04-03 17:02:20.713886041 +0200 +++ openssh-8.6p1/audit-linux.c 2021-05-06 12:05:27.377464532 +0200
@@ -33,27 +33,40 @@ @@ -33,27 +33,40 @@
#include "log.h" #include "log.h"
@ -669,9 +669,9 @@ diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
+ error("cannot write into audit"); + error("cannot write into audit");
+} +}
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff -up openssh/auditstub.c.audit openssh/auditstub.c diff -up openssh-8.6p1/auditstub.c.audit openssh-8.6p1/auditstub.c
--- openssh/auditstub.c.audit 2019-04-03 17:02:20.714886050 +0200 --- openssh-8.6p1/auditstub.c.audit 2021-05-06 12:05:27.377464532 +0200
+++ openssh/auditstub.c 2019-04-03 17:02:20.714886050 +0200 +++ openssh-8.6p1/auditstub.c 2021-05-06 12:05:27.377464532 +0200
@@ -0,0 +1,52 @@ @@ -0,0 +1,52 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+ +
@ -725,10 +725,10 @@ diff -up openssh/auditstub.c.audit openssh/auditstub.c
+audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid) +audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid)
+{ +{
+} +}
diff -up openssh/auth2.c.audit openssh/auth2.c diff -up openssh-8.6p1/auth2.c.audit openssh-8.6p1/auth2.c
--- openssh/auth2.c.audit 2019-04-03 17:02:20.651885453 +0200 --- openssh-8.6p1/auth2.c.audit 2021-05-06 12:05:27.305463975 +0200
+++ openssh/auth2.c 2019-04-03 17:02:20.714886050 +0200 +++ openssh-8.6p1/auth2.c 2021-05-06 12:05:27.377464532 +0200
@@ -303,9 +303,6 @@ input_userauth_request(int type, u_int32 @@ -298,9 +298,6 @@ input_userauth_request(int type, u_int32
} else { } else {
/* Invalid user, fake password information */ /* Invalid user, fake password information */
authctxt->pw = fakepw(); authctxt->pw = fakepw();
@ -738,9 +738,9 @@ diff -up openssh/auth2.c.audit openssh/auth2.c
} }
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) if (options.use_pam)
diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c diff -up openssh-8.6p1/auth2-hostbased.c.audit openssh-8.6p1/auth2-hostbased.c
--- openssh/auth2-hostbased.c.audit 2019-04-03 17:02:20.612885083 +0200 --- openssh-8.6p1/auth2-hostbased.c.audit 2021-05-06 12:05:27.283463805 +0200
+++ openssh/auth2-hostbased.c 2019-04-03 17:02:20.714886050 +0200 +++ openssh-8.6p1/auth2-hostbased.c 2021-05-06 12:05:27.377464532 +0200
@@ -158,7 +158,7 @@ userauth_hostbased(struct ssh *ssh) @@ -158,7 +158,7 @@ userauth_hostbased(struct ssh *ssh)
authenticated = 0; authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser, if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
@ -771,10 +771,10 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
/* return 1 if given hostkey is allowed */ /* return 1 if given hostkey is allowed */
int int
hostbased_key_allowed(struct ssh *ssh, struct passwd *pw, hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c
--- openssh/auth2-pubkey.c.audit 2019-04-03 17:02:20.691885832 +0200 --- openssh-8.6p1/auth2-pubkey.c.audit 2021-05-06 12:05:27.344464277 +0200
+++ openssh/auth2-pubkey.c 2019-04-03 17:02:20.714886050 +0200 +++ openssh-8.6p1/auth2-pubkey.c 2021-05-06 12:05:27.378464540 +0200
@@ -219,7 +219,7 @@ userauth_pubkey(struct ssh *ssh) @@ -213,7 +213,7 @@ userauth_pubkey(struct ssh *ssh)
/* test for correct signature */ /* test for correct signature */
authenticated = 0; authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) && if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@ -783,7 +783,7 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
sshbuf_ptr(b), sshbuf_len(b), sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL, (ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat, &sig_details)) == 0) { ssh->compat, &sig_details)) == 0) {
@@ -278,6 +278,20 @@ done: @@ -305,6 +305,20 @@ done:
return authenticated; return authenticated;
} }
@ -804,10 +804,10 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
static int static int
match_principals_option(const char *principal_list, struct sshkey_cert *cert) match_principals_option(const char *principal_list, struct sshkey_cert *cert)
{ {
diff -up openssh/auth.c.audit openssh/auth.c diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c
--- openssh/auth.c.audit 2019-04-03 17:02:20.691885832 +0200 --- openssh-8.6p1/auth.c.audit 2021-05-06 12:05:27.304463967 +0200
+++ openssh/auth.c 2019-04-03 17:02:20.714886050 +0200 +++ openssh-8.6p1/auth.c 2021-05-06 12:05:27.378464540 +0200
@@ -366,7 +366,7 @@ auth_log(struct ssh *ssh, int authentica @@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica
# endif # endif
#endif #endif
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@ -816,7 +816,7 @@ diff -up openssh/auth.c.audit openssh/auth.c
audit_event(ssh, audit_classify_auth(method)); audit_event(ssh, audit_classify_auth(method));
#endif #endif
} }
@@ -592,9 +592,6 @@ getpwnamallow(struct ssh *ssh, const cha @@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha
record_failed_login(ssh, user, record_failed_login(ssh, user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
#endif #endif
@ -826,10 +826,10 @@ diff -up openssh/auth.c.audit openssh/auth.c
return (NULL); return (NULL);
} }
if (!allowed_user(ssh, pw)) if (!allowed_user(ssh, pw))
diff -up openssh/auth.h.audit openssh/auth.h diff -up openssh-8.6p1/auth.h.audit openssh-8.6p1/auth.h
--- openssh/auth.h.audit 2019-04-03 17:02:20.692885842 +0200 --- openssh-8.6p1/auth.h.audit 2021-05-06 12:05:27.318464076 +0200
+++ openssh/auth.h 2019-04-03 17:02:20.714886050 +0200 +++ openssh-8.6p1/auth.h 2021-05-06 12:05:27.378464540 +0200
@@ -195,6 +195,8 @@ struct passwd * getpwnamallow(struct ssh @@ -193,6 +193,8 @@ struct passwd * getpwnamallow(struct ssh
char *expand_authorized_keys(const char *, struct passwd *pw); char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *); char *authorized_principals_file(struct passwd *);
@ -838,7 +838,7 @@ diff -up openssh/auth.h.audit openssh/auth.h
FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -214,6 +216,8 @@ struct sshkey *get_hostkey_private_by_ty @@ -212,6 +214,8 @@ struct sshkey *get_hostkey_private_by_ty
int get_hostkey_index(struct sshkey *, int, struct ssh *); int get_hostkey_index(struct sshkey *, int, struct ssh *);
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
u_char **, size_t *, const u_char *, size_t, const char *); u_char **, size_t *, const u_char *, size_t, const char *);
@ -847,10 +847,10 @@ diff -up openssh/auth.h.audit openssh/auth.h
/* Key / cert options linkage to auth layer */ /* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *); const struct sshauthopt *auth_options(struct ssh *);
diff -up openssh/cipher.c.audit openssh/cipher.c diff -up openssh-8.6p1/cipher.c.audit openssh-8.6p1/cipher.c
--- openssh/cipher.c.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/cipher.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/cipher.c 2019-04-03 17:02:20.714886050 +0200 +++ openssh-8.6p1/cipher.c 2021-05-06 12:05:27.378464540 +0200
@@ -61,25 +61,6 @@ struct sshcipher_ctx { @@ -64,25 +64,6 @@ struct sshcipher_ctx {
const struct sshcipher *cipher; const struct sshcipher *cipher;
}; };
@ -876,7 +876,7 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
static const struct sshcipher ciphers[] = { static const struct sshcipher ciphers[] = {
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
#ifndef OPENSSL_NO_DES #ifndef OPENSSL_NO_DES
@@ -410,7 +391,7 @@ cipher_get_length(struct sshcipher_ctx * @@ -422,7 +403,7 @@ cipher_get_length(struct sshcipher_ctx *
void void
cipher_free(struct sshcipher_ctx *cc) cipher_free(struct sshcipher_ctx *cc)
{ {
@ -885,10 +885,10 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
return; return;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
chachapoly_free(cc->cp_ctx); chachapoly_free(cc->cp_ctx);
diff -up openssh/cipher.h.audit openssh/cipher.h diff -up openssh-8.6p1/cipher.h.audit openssh-8.6p1/cipher.h
--- openssh/cipher.h.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/cipher.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/cipher.h 2019-04-03 17:02:20.714886050 +0200 +++ openssh-8.6p1/cipher.h 2021-05-06 12:05:27.378464540 +0200
@@ -45,7 +45,25 @@ @@ -47,7 +47,25 @@
#define CIPHER_ENCRYPT 1 #define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0 #define CIPHER_DECRYPT 0
@ -915,10 +915,10 @@ diff -up openssh/cipher.h.audit openssh/cipher.h
struct sshcipher_ctx; struct sshcipher_ctx;
const struct sshcipher *cipher_by_name(const char *); const struct sshcipher *cipher_by_name(const char *);
diff -up openssh/kex.c.audit openssh/kex.c diff -up openssh-8.6p1/kex.c.audit openssh-8.6p1/kex.c
--- openssh/kex.c.audit 2019-04-03 17:02:20.652885462 +0200 --- openssh-8.6p1/kex.c.audit 2021-05-06 12:05:27.368464462 +0200
+++ openssh/kex.c 2019-04-03 17:02:20.715886060 +0200 +++ openssh-8.6p1/kex.c 2021-05-06 12:05:27.379464547 +0200
@@ -60,6 +60,7 @@ @@ -65,6 +65,7 @@
#include "ssherr.h" #include "ssherr.h"
#include "sshbuf.h" #include "sshbuf.h"
#include "digest.h" #include "digest.h"
@ -926,7 +926,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
#ifdef GSSAPI #ifdef GSSAPI
#include "ssh-gss.h" #include "ssh-gss.h"
@@ -758,12 +759,16 @@ kex_start_rekex(struct ssh *ssh) @@ -816,12 +817,16 @@ kex_start_rekex(struct ssh *ssh)
} }
static int static int
@ -945,7 +945,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
if ((enc->cipher = cipher_by_name(name)) == NULL) { if ((enc->cipher = cipher_by_name(name)) == NULL) {
error_f("unsupported cipher %s", name); error_f("unsupported cipher %s", name);
free(name); free(name);
@@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma @@ -842,8 +847,12 @@ choose_mac(struct ssh *ssh, struct sshma
{ {
char *name = match_list(client, server, NULL); char *name = match_list(client, server, NULL);
@ -959,7 +959,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
if (mac_setup(mac, name) < 0) { if (mac_setup(mac, name) < 0) {
error_f("unsupported MAC %s", name); error_f("unsupported MAC %s", name);
free(name); free(name);
@@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma @@ -856,12 +865,16 @@ choose_mac(struct ssh *ssh, struct sshma
} }
static int static int
@ -978,7 +978,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
#ifdef WITH_ZLIB #ifdef WITH_ZLIB
if (strcmp(name, "zlib@openssh.com") == 0) { if (strcmp(name, "zlib@openssh.com") == 0) {
comp->type = COMP_DELAYED; comp->type = COMP_DELAYED;
@@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh) @@ -1002,7 +1015,7 @@ kex_choose_conf(struct ssh *ssh)
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC; nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC; nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC; ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
@ -987,7 +987,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
sprop[nenc])) != 0) { sprop[nenc])) != 0) {
kex->failed_choice = peer[nenc]; kex->failed_choice = peer[nenc];
peer[nenc] = NULL; peer[nenc] = NULL;
@@ -948,7 +961,7 @@ kex_choose_conf(struct ssh *ssh) @@ -1017,7 +1030,7 @@ kex_choose_conf(struct ssh *ssh)
peer[nmac] = NULL; peer[nmac] = NULL;
goto out; goto out;
} }
@ -996,7 +996,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
sprop[ncomp])) != 0) { sprop[ncomp])) != 0) {
kex->failed_choice = peer[ncomp]; kex->failed_choice = peer[ncomp];
peer[ncomp] = NULL; peer[ncomp] = NULL;
@@ -971,6 +984,10 @@ kex_choose_conf(struct ssh *ssh) @@ -1040,6 +1053,10 @@ kex_choose_conf(struct ssh *ssh)
dh_need = MAXIMUM(dh_need, newkeys->enc.block_size); dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len); dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
dh_need = MAXIMUM(dh_need, newkeys->mac.key_len); dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
@ -1007,7 +1007,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
} }
/* XXX need runden? */ /* XXX need runden? */
kex->we_need = need; kex->we_need = need;
@@ -1129,6 +1146,36 @@ dump_digest(const char *msg, const u_cha @@ -1297,6 +1314,36 @@ dump_digest(const char *msg, const u_cha
} }
#endif #endif
@ -1044,9 +1044,9 @@ diff -up openssh/kex.c.audit openssh/kex.c
/* /*
* Send a plaintext error message to the peer, suffixed by \r\n. * Send a plaintext error message to the peer, suffixed by \r\n.
* Only used during banner exchange, and there only for the server. * Only used during banner exchange, and there only for the server.
diff -up openssh/kex.h.audit openssh/kex.h diff -up openssh-8.6p1/kex.h.audit openssh-8.6p1/kex.h
--- openssh/kex.h.audit 2019-04-03 17:02:20.652885462 +0200 --- openssh-8.6p1/kex.h.audit 2021-05-06 12:05:27.306463983 +0200
+++ openssh/kex.h 2019-04-03 17:02:20.715886060 +0200 +++ openssh-8.6p1/kex.h 2021-05-06 12:05:27.379464547 +0200
@@ -226,6 +226,8 @@ int kexgss_client(struct ssh *); @@ -226,6 +226,8 @@ int kexgss_client(struct ssh *);
int kexgss_server(struct ssh *); int kexgss_server(struct ssh *);
#endif #endif
@ -1056,10 +1056,10 @@ diff -up openssh/kex.h.audit openssh/kex.h
int kex_dh_keypair(struct kex *); int kex_dh_keypair(struct kex *);
int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
struct sshbuf **); struct sshbuf **);
diff -up openssh/mac.c.audit openssh/mac.c diff -up openssh-8.6p1/mac.c.audit openssh-8.6p1/mac.c
--- openssh/mac.c.audit 2019-04-03 17:02:20.652885462 +0200 --- openssh-8.6p1/mac.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/mac.c 2019-04-03 17:02:20.715886060 +0200 +++ openssh-8.6p1/mac.c 2021-05-06 12:05:27.379464547 +0200
@@ -243,6 +243,20 @@ mac_clear(struct sshmac *mac) @@ -239,6 +239,20 @@ mac_clear(struct sshmac *mac)
mac->umac_ctx = NULL; mac->umac_ctx = NULL;
} }
@ -1080,9 +1080,9 @@ diff -up openssh/mac.c.audit openssh/mac.c
/* XXX copied from ciphers_valid */ /* XXX copied from ciphers_valid */
#define MAC_SEP "," #define MAC_SEP ","
int int
diff -up openssh/mac.h.audit openssh/mac.h diff -up openssh-8.6p1/mac.h.audit openssh-8.6p1/mac.h
--- openssh/mac.h.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/mac.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/mac.h 2019-04-03 17:02:20.715886060 +0200 +++ openssh-8.6p1/mac.h 2021-05-06 12:05:27.379464547 +0200
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3 @@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t, int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
const u_char *, size_t); const u_char *, size_t);
@ -1090,21 +1090,21 @@ diff -up openssh/mac.h.audit openssh/mac.h
+void mac_destroy(struct sshmac *); +void mac_destroy(struct sshmac *);
#endif /* SSHMAC_H */ #endif /* SSHMAC_H */
diff -up openssh/Makefile.in.audit openssh/Makefile.in diff -up openssh-8.6p1/Makefile.in.audit openssh-8.6p1/Makefile.in
--- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200 --- openssh-8.6p1/Makefile.in.audit 2021-05-06 12:05:27.352464339 +0200
+++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200 +++ openssh-8.6p1/Makefile.in 2021-05-06 12:05:27.380464555 +0200
@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -112,7 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexsntrup761x25519.o sntrup761.o kexgen.o \ kexsntrup761x25519.o sntrup761.o kexgen.o \
kexgssc.o \ kexgssc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
- sshbuf-io.o - sshbuf-io.o
+ sshbuf-io.o auditstub.o + sshbuf-io.o auditstub.o
SKOBJS= ssh-sk-client.o SKOBJS= ssh-sk-client.o
diff -up openssh/monitor.c.audit openssh/monitor.c diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
--- openssh/monitor.c.audit 2019-04-03 17:02:20.674885671 +0200 --- openssh-8.6p1/monitor.c.audit 2021-05-06 12:05:27.326464138 +0200
+++ openssh/monitor.c 2019-04-03 17:03:17.201421405 +0200 +++ openssh-8.6p1/monitor.c 2021-05-06 12:05:27.380464555 +0200
@@ -93,6 +93,7 @@ @@ -93,6 +93,7 @@
#include "compat.h" #include "compat.h"
#include "ssh2.h" #include "ssh2.h"
@ -1113,7 +1113,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
#include "match.h" #include "match.h"
#include "ssherr.h" #include "ssherr.h"
#include "sk-api.h" #include "sk-api.h"
@@ -107,6 +108,8 @@ extern u_char session_id[]; @@ -107,6 +108,8 @@ extern u_int utmp_len;
extern struct sshbuf *loginmsg; extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
@ -1157,7 +1157,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int @@ -1444,8 +1461,10 @@ mm_answer_keyverify(struct ssh *ssh, int
int r, ret, req_presence = 0, req_verify = 0, valid_data = 0; int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
int encoded_ret; int encoded_ret;
struct sshkey_sig_details *sig_details = NULL; struct sshkey_sig_details *sig_details = NULL;
@ -1169,7 +1169,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
(r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 || (r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
(r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 || (r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0) (r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int @@ -1454,6 +1473,8 @@ mm_answer_keyverify(struct ssh *ssh, int
if (hostbased_cuser == NULL || hostbased_chost == NULL || if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen)) !monitor_allowed_key(blob, bloblen))
fatal_f("bad key, not previously allowed"); fatal_f("bad key, not previously allowed");
@ -1178,7 +1178,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
/* Empty signature algorithm means NULL. */ /* Empty signature algorithm means NULL. */
if (*sigalg == '\0') { if (*sigalg == '\0') {
@@ -1470,27 +1491,30 @@ mm_answer_keyverify(struct ssh *ssh, int @@ -1469,14 +1490,19 @@ mm_answer_keyverify(struct ssh *ssh, int
case MM_USERKEY: case MM_USERKEY:
valid_data = monitor_valid_userblob(ssh, data, datalen); valid_data = monitor_valid_userblob(ssh, data, datalen);
auth_method = "publickey"; auth_method = "publickey";
@ -1198,11 +1198,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
break; break;
} }
if (!valid_data) if (!valid_data)
fatal_f("bad %s signature data blob", @@ -1488,8 +1514,6 @@ mm_answer_keyverify(struct ssh *ssh, int
key_blobtype == MM_USERKEY ? "userkey" :
(key_blobtype == MM_HOSTKEY ? "hostkey" : "unknown"));
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
SSH_FP_DEFAULT)) == NULL) SSH_FP_DEFAULT)) == NULL)
fatal_f("sshkey_fingerprint failed"); fatal_f("sshkey_fingerprint failed");
@ -1211,7 +1207,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
debug3_f("%s %p signature %s%s%s", auth_method, key, debug3_f("%s %p signature %s%s%s", auth_method, key,
(ret == 0) ? "verified" : "unverified", (ret == 0) ? "verified" : "unverified",
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session @@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
} }
static void static void
@ -1232,7 +1228,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
session_unused(s->self); session_unused(s->self);
} }
@@ -1609,7 +1639,7 @@ mm_answer_pty(struct ssh *ssh, int sock, @@ -1649,7 +1679,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
error: error:
if (s != NULL) if (s != NULL)
@ -1241,7 +1237,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
if ((r = sshbuf_put_u32(m, 0)) != 0) if ((r = sshbuf_put_u32(m, 0)) != 0)
fatal_fr(r, "assemble 0"); fatal_fr(r, "assemble 0");
mm_request_send(sock, MONITOR_ANS_PTY, m); mm_request_send(sock, MONITOR_ANS_PTY, m);
@@ -1628,7 +1658,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i @@ -1668,7 +1698,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0) if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
fatal_fr(r, "parse tty"); fatal_fr(r, "parse tty");
if ((s = session_by_tty(tty)) != NULL) if ((s = session_by_tty(tty)) != NULL)
@ -1250,7 +1246,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
sshbuf_reset(m); sshbuf_reset(m);
free(tty); free(tty);
return (0); return (0);
@@ -1650,6 +1680,8 @@ mm_answer_term(struct ssh *ssh, int sock @@ -1690,6 +1720,8 @@ mm_answer_term(struct ssh *ssh, int sock
sshpam_cleanup(); sshpam_cleanup();
#endif #endif
@ -1259,7 +1255,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
while (waitpid(pmonitor->m_pid, &status, 0) == -1) while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR) if (errno != EINTR)
exit(1); exit(1);
@@ -1696,12 +1728,47 @@ mm_answer_audit_command(struct ssh *ssh, @@ -1736,12 +1768,47 @@ mm_answer_audit_command(struct ssh *ssh,
{ {
char *cmd; char *cmd;
int r; int r;
@ -1308,7 +1304,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
free(cmd); free(cmd);
return (0); return (0);
} }
@@ -1767,6 +1834,7 @@ monitor_apply_keystate(struct ssh *ssh, @@ -1813,6 +1880,7 @@ monitor_apply_keystate(struct ssh *ssh,
void void
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor) mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
{ {
@ -1316,7 +1312,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
debug3_f("Waiting for new keys"); debug3_f("Waiting for new keys");
if ((child_state = sshbuf_new()) == NULL) if ((child_state = sshbuf_new()) == NULL)
@@ -1774,6 +1842,19 @@ mm_get_keystate(struct ssh *ssh, struct @@ -1820,6 +1888,19 @@ mm_get_keystate(struct ssh *ssh, struct
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
child_state); child_state);
debug3_f("GOT new keys"); debug3_f("GOT new keys");
@ -1336,7 +1332,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
} }
@@ -2066,3 +2147,102 @@ mm_answer_gss_updatecreds(struct ssh *ss @@ -2111,3 +2192,102 @@ mm_answer_gss_updatecreds(struct ssh *ss
#endif /* GSSAPI */ #endif /* GSSAPI */
@ -1439,9 +1435,9 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
+ return 0; + return 0;
+} +}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh/monitor.h.audit openssh/monitor.h diff -up openssh-8.6p1/monitor.h.audit openssh-8.6p1/monitor.h
--- openssh/monitor.h.audit 2019-04-03 17:02:20.674885671 +0200 --- openssh-8.6p1/monitor.h.audit 2021-05-06 12:05:27.326464138 +0200
+++ openssh/monitor.h 2019-04-03 17:02:20.715886060 +0200 +++ openssh-8.6p1/monitor.h 2021-05-06 12:05:27.380464555 +0200
@@ -65,7 +65,13 @@ enum monitor_reqtype { @@ -65,7 +65,13 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1457,10 +1453,10 @@ diff -up openssh/monitor.h.audit openssh/monitor.h
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c diff -up openssh-8.6p1/monitor_wrap.c.audit openssh-8.6p1/monitor_wrap.c
--- openssh/monitor_wrap.c.audit 2019-04-03 17:02:20.653885472 +0200 --- openssh-8.6p1/monitor_wrap.c.audit 2021-05-06 12:05:27.307463991 +0200
+++ openssh/monitor_wrap.c 2019-04-03 17:02:20.716886069 +0200 +++ openssh-8.6p1/monitor_wrap.c 2021-05-06 12:05:27.381464563 +0200
@@ -513,7 +513,7 @@ mm_key_allowed(enum mm_keytype type, con @@ -520,7 +520,7 @@ mm_key_allowed(enum mm_keytype type, con
*/ */
int int
@ -1469,7 +1465,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
const u_char *data, size_t datalen, const char *sigalg, u_int compat, const u_char *data, size_t datalen, const char *sigalg, u_int compat,
struct sshkey_sig_details **sig_detailsp) struct sshkey_sig_details **sig_detailsp)
{ {
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke @@ -536,7 +536,8 @@ mm_sshkey_verify(const struct sshkey *ke
*sig_detailsp = NULL; *sig_detailsp = NULL;
if ((m = sshbuf_new()) == NULL) if ((m = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed"); fatal_f("sshbuf_new failed");
@ -1479,7 +1475,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
(r = sshbuf_put_string(m, sig, siglen)) != 0 || (r = sshbuf_put_string(m, sig, siglen)) != 0 ||
(r = sshbuf_put_string(m, data, datalen)) != 0 || (r = sshbuf_put_string(m, data, datalen)) != 0 ||
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0) (r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
@@ -547,6 +548,22 @@ mm_sshkey_verify(const struct sshkey *ke @@ -569,6 +570,22 @@ mm_sshkey_verify(const struct sshkey *ke
return 0; return 0;
} }
@ -1502,7 +1498,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
void void
mm_send_keystate(struct ssh *ssh, struct monitor *monitor) mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
{ {
@@ -900,11 +915,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi @@ -921,11 +938,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi
sshbuf_free(m); sshbuf_free(m);
} }
@ -1517,7 +1513,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
debug3("%s entering command %s", __func__, command); debug3("%s entering command %s", __func__, command);
@@ -914,6 +930,30 @@ mm_audit_run_command(const char *command @@ -935,6 +953,30 @@ mm_audit_run_command(const char *command
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal("%s: buffer error: %s", __func__, ssh_err(r));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
@ -1548,7 +1544,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
sshbuf_free(m); sshbuf_free(m);
} }
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
@@ -1074,3 +1114,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc @@ -1095,3 +1137,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
} }
#endif /* GSSAPI */ #endif /* GSSAPI */
@ -1632,10 +1628,10 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
+ sshbuf_free(m); + sshbuf_free(m);
+} +}
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h diff -up openssh-8.6p1/monitor_wrap.h.audit openssh-8.6p1/monitor_wrap.h
--- openssh/monitor_wrap.h.audit 2019-04-03 17:02:20.653885472 +0200 --- openssh-8.6p1/monitor_wrap.h.audit 2021-05-06 12:05:27.307463991 +0200
+++ openssh/monitor_wrap.h 2019-04-03 17:02:20.716886069 +0200 +++ openssh-8.6p1/monitor_wrap.h 2021-05-06 12:05:27.381464563 +0200
@@ -57,7 +57,9 @@ int mm_user_key_allowed(struct ssh *, st @@ -61,7 +61,9 @@ int mm_user_key_allowed(struct ssh *, st
struct sshauthopt **); struct sshauthopt **);
int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *, int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
const char *, struct sshkey *); const char *, struct sshkey *);
@ -1646,7 +1642,7 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
#ifdef GSSAPI #ifdef GSSAPI
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *); @@ -86,7 +88,12 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
#include "audit.h" #include "audit.h"
void mm_audit_event(struct ssh *, ssh_audit_event_t); void mm_audit_event(struct ssh *, ssh_audit_event_t);
@ -1660,10 +1656,10 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
#endif #endif
struct Session; struct Session;
diff -up openssh/packet.c.audit openssh/packet.c diff -up openssh-8.6p1/packet.c.audit openssh-8.6p1/packet.c
--- openssh/packet.c.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/packet.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/packet.c 2019-04-03 17:02:20.716886069 +0200 +++ openssh-8.6p1/packet.c 2021-05-06 12:07:38.535478683 +0200
@@ -77,6 +77,7 @@ @@ -81,6 +81,7 @@
#endif #endif
#include "xmalloc.h" #include "xmalloc.h"
@ -1671,7 +1667,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
#include "compat.h" #include "compat.h"
#include "ssh2.h" #include "ssh2.h"
#include "cipher.h" #include "cipher.h"
@@ -510,6 +511,13 @@ ssh_packet_get_connection_out(struct ssh @@ -506,6 +507,13 @@ ssh_packet_get_connection_out(struct ssh
return ssh->state->connection_out; return ssh->state->connection_out;
} }
@ -1685,7 +1681,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
/* /*
* Returns the IP-address of the remote host as a string. The returned * Returns the IP-address of the remote host as a string. The returned
* string must not be freed. * string must not be freed.
@@ -587,22 +595,19 @@ ssh_packet_close_internal(struct ssh *ss @@ -583,22 +591,19 @@ ssh_packet_close_internal(struct ssh *ss
{ {
struct session_state *state = ssh->state; struct session_state *state = ssh->state;
u_int mode; u_int mode;
@ -1713,7 +1709,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
for (mode = 0; mode < MODE_MAX; mode++) { for (mode = 0; mode < MODE_MAX; mode++) {
kex_free_newkeys(state->newkeys[mode]); /* current keys */ kex_free_newkeys(state->newkeys[mode]); /* current keys */
state->newkeys[mode] = NULL; state->newkeys[mode] = NULL;
@@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss @@ -634,8 +639,18 @@ ssh_packet_close_internal(struct ssh *ss
#endif /* WITH_ZLIB */ #endif /* WITH_ZLIB */
cipher_free(state->send_context); cipher_free(state->send_context);
cipher_free(state->receive_context); cipher_free(state->receive_context);
@ -1732,15 +1728,15 @@ diff -up openssh/packet.c.audit openssh/packet.c
free(ssh->local_ipaddr); free(ssh->local_ipaddr);
ssh->local_ipaddr = NULL; ssh->local_ipaddr = NULL;
free(ssh->remote_ipaddr); free(ssh->remote_ipaddr);
@@ -864,6 +879,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod @@ -892,6 +907,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
(unsigned long long)state->p_send.bytes, (unsigned long long)state->p_send.bytes,
(unsigned long long)state->p_send.blocks); (unsigned long long)state->p_send.blocks);
kex_free_newkeys(state->newkeys[mode]); kex_free_newkeys(state->newkeys[mode]);
+ audit_session_key_free(ssh, mode); + audit_session_key_free(ssh, mode);
state->newkeys[mode] = NULL; state->newkeys[mode] = NULL;
} }
/* note that both bytes and the seqnr are not reset */ /* note that both bytes and the seqnr are not reset */
@@ -2167,6 +2183,72 @@ ssh_packet_get_output(struct ssh *ssh) @@ -2173,6 +2189,72 @@ ssh_packet_get_output(struct ssh *ssh)
return (void *)ssh->state->output; return (void *)ssh->state->output;
} }
@ -1813,18 +1809,18 @@ diff -up openssh/packet.c.audit openssh/packet.c
/* Reset after_authentication and reset compression in post-auth privsep */ /* Reset after_authentication and reset compression in post-auth privsep */
static int static int
ssh_packet_set_postauth(struct ssh *ssh) ssh_packet_set_postauth(struct ssh *ssh)
diff -up openssh/packet.h.audit openssh/packet.h diff -up openssh-8.6p1/packet.h.audit openssh-8.6p1/packet.h
--- openssh/packet.h.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/packet.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/packet.h 2019-04-03 17:02:20.716886069 +0200 +++ openssh-8.6p1/packet.h 2021-05-06 12:05:27.382464571 +0200
@@ -217,4 +217,5 @@ const u_char *sshpkt_ptr(struct ssh *, s @@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
# undef EC_POINT # undef EC_POINT
#endif #endif
+void packet_destroy_all(struct ssh *, int, int); +void packet_destroy_all(struct ssh *, int, int);
#endif /* PACKET_H */ #endif /* PACKET_H */
diff -up openssh/session.c.audit openssh/session.c diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c
--- openssh/session.c.audit 2019-04-03 17:02:20.712886031 +0200 --- openssh-8.6p1/session.c.audit 2021-05-06 12:05:27.340464246 +0200
+++ openssh/session.c 2019-04-03 17:02:20.716886069 +0200 +++ openssh-8.6p1/session.c 2021-05-06 12:05:27.383464578 +0200
@@ -136,7 +136,7 @@ extern char *__progname; @@ -136,7 +136,7 @@ extern char *__progname;
extern int debug_flag; extern int debug_flag;
extern u_int utmp_len; extern u_int utmp_len;
@ -1834,7 +1830,7 @@ diff -up openssh/session.c.audit openssh/session.c
extern struct sshbuf *loginmsg; extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; extern struct sshauthopt *auth_opts;
extern char *tun_fwd_ifnames; /* serverloop.c */ extern char *tun_fwd_ifnames; /* serverloop.c */
@@ -648,6 +648,14 @@ do_exec_pty(struct ssh *ssh, Session *s, @@ -644,6 +644,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
/* Parent. Close the slave side of the pseudo tty. */ /* Parent. Close the slave side of the pseudo tty. */
close(ttyfd); close(ttyfd);
@ -1849,7 +1845,7 @@ diff -up openssh/session.c.audit openssh/session.c
/* Enter interactive session. */ /* Enter interactive session. */
s->ptymaster = ptymaster; s->ptymaster = ptymaster;
ssh_packet_set_interactive(ssh, 1, ssh_packet_set_interactive(ssh, 1,
@@ -740,15 +748,19 @@ do_exec(struct ssh *ssh, Session *s, con @@ -736,15 +744,19 @@ do_exec(struct ssh *ssh, Session *s, con
s->self); s->self);
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
@ -1871,7 +1867,7 @@ diff -up openssh/session.c.audit openssh/session.c
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
ret = do_exec_pty(ssh, s, command); ret = do_exec_pty(ssh, s, command);
@@ -1556,8 +1568,11 @@ do_child(struct ssh *ssh, Session *s, co @@ -1550,8 +1562,11 @@ do_child(struct ssh *ssh, Session *s, co
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
/* remove hostkey from the child's memory */ /* remove hostkey from the child's memory */
@ -1884,7 +1880,7 @@ diff -up openssh/session.c.audit openssh/session.c
/* Force a password change */ /* Force a password change */
if (s->authctxt->force_pwchange) { if (s->authctxt->force_pwchange) {
@@ -1769,6 +1784,9 @@ session_unused(int id) @@ -1763,6 +1778,9 @@ session_unused(int id)
sessions[id].ttyfd = -1; sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1; sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL; sessions[id].x11_chanids = NULL;
@ -1894,7 +1890,7 @@ diff -up openssh/session.c.audit openssh/session.c
sessions[id].next_unused = sessions_first_unused; sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id; sessions_first_unused = id;
} }
@@ -1851,6 +1869,19 @@ session_open(Authctxt *authctxt, int cha @@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
} }
Session * Session *
@ -1914,7 +1910,7 @@ diff -up openssh/session.c.audit openssh/session.c
session_by_tty(char *tty) session_by_tty(char *tty)
{ {
int i; int i;
@@ -2461,6 +2492,32 @@ session_exit_message(struct ssh *ssh, Se @@ -2450,6 +2481,32 @@ session_exit_message(struct ssh *ssh, Se
chan_write_failed(ssh, c); chan_write_failed(ssh, c);
} }
@ -1947,7 +1943,7 @@ diff -up openssh/session.c.audit openssh/session.c
void void
session_close(struct ssh *ssh, Session *s) session_close(struct ssh *ssh, Session *s)
{ {
@@ -2474,6 +2531,10 @@ session_close(struct ssh *ssh, Session * @@ -2463,6 +2520,10 @@ session_close(struct ssh *ssh, Session *
if (s->ttyfd != -1) if (s->ttyfd != -1)
session_pty_cleanup(s); session_pty_cleanup(s);
@ -1958,7 +1954,7 @@ diff -up openssh/session.c.audit openssh/session.c
free(s->term); free(s->term);
free(s->display); free(s->display);
free(s->x11_chanids); free(s->x11_chanids);
@@ -2549,14 +2610,14 @@ session_close_by_channel(struct ssh *ssh @@ -2537,14 +2598,14 @@ session_close_by_channel(struct ssh *ssh
} }
void void
@ -1975,7 +1971,7 @@ diff -up openssh/session.c.audit openssh/session.c
else else
session_close(ssh, s); session_close(ssh, s);
} }
@@ -2683,6 +2744,15 @@ do_authenticated2(struct ssh *ssh, Authc @@ -2671,6 +2732,15 @@ do_authenticated2(struct ssh *ssh, Authc
server_loop2(ssh, authctxt); server_loop2(ssh, authctxt);
} }
@ -1991,7 +1987,7 @@ diff -up openssh/session.c.audit openssh/session.c
void void
do_cleanup(struct ssh *ssh, Authctxt *authctxt) do_cleanup(struct ssh *ssh, Authctxt *authctxt)
{ {
@@ -2746,7 +2816,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au @@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
* or if running in monitor. * or if running in monitor.
*/ */
if (!use_privsep || mm_is_monitor()) if (!use_privsep || mm_is_monitor())
@ -2000,9 +1996,9 @@ diff -up openssh/session.c.audit openssh/session.c
} }
/* Return a name for the remote host that fits inside utmp_size */ /* Return a name for the remote host that fits inside utmp_size */
diff -up openssh/session.h.audit openssh/session.h diff -up openssh-8.6p1/session.h.audit openssh-8.6p1/session.h
--- openssh/session.h.audit 2019-03-27 23:26:14.000000000 +0100 --- openssh-8.6p1/session.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh/session.h 2019-04-03 17:02:20.717886079 +0200 +++ openssh-8.6p1/session.h 2021-05-06 12:05:27.384464586 +0200
@@ -61,6 +61,12 @@ struct Session { @@ -61,6 +61,12 @@ struct Session {
char *name; char *name;
char *val; char *val;
@ -2030,9 +2026,9 @@ diff -up openssh/session.h.audit openssh/session.h
Session *session_by_tty(char *); Session *session_by_tty(char *);
void session_close(struct ssh *, Session *); void session_close(struct ssh *, Session *);
void do_setusercontext(struct passwd *); void do_setusercontext(struct passwd *);
diff -up openssh/sshd.c.audit openssh/sshd.c diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
--- openssh/sshd.c.audit 2019-04-03 17:02:20.692885842 +0200 --- openssh-8.6p1/sshd.c.audit 2021-05-06 12:05:27.346464292 +0200
+++ openssh/sshd.c 2019-04-03 17:02:20.717886079 +0200 +++ openssh-8.6p1/sshd.c 2021-05-06 12:05:27.385464594 +0200
@@ -122,6 +122,7 @@ @@ -122,6 +122,7 @@
#include "ssh-gss.h" #include "ssh-gss.h"
#endif #endif
@ -2041,7 +2037,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
#include "ssh-sandbox.h" #include "ssh-sandbox.h"
#include "auth-options.h" #include "auth-options.h"
#include "version.h" #include "version.h"
@@ -261,8 +262,8 @@ struct sshbuf *loginmsg; @@ -260,8 +261,8 @@ struct sshbuf *loginmsg;
struct passwd *privsep_pw = NULL; struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */ /* Prototypes for various functions defined later in this file. */
@ -2052,7 +2048,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
static void do_ssh2_kex(struct ssh *); static void do_ssh2_kex(struct ssh *);
static char *listener_proctitle; static char *listener_proctitle;
@@ -278,6 +279,15 @@ close_listen_socks(void) @@ -279,6 +280,15 @@ close_listen_socks(void)
num_listen_socks = -1; num_listen_socks = -1;
} }
@ -2068,7 +2064,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
static void static void
close_startup_pipes(void) close_startup_pipes(void)
{ {
@@ -380,18 +390,45 @@ grace_alarm_handler(int sig) @@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
ssh_remote_port(the_active_state)); ssh_remote_port(the_active_state));
} }
@ -2117,7 +2113,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
sshkey_free(sensitive_data.host_certificates[i]); sshkey_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL; sensitive_data.host_certificates[i] = NULL;
} }
@@ -400,20 +437,38 @@ destroy_sensitive_data(void) @@ -397,20 +434,38 @@ destroy_sensitive_data(void)
/* Demote private to public keys for network child */ /* Demote private to public keys for network child */
void void
@ -2157,7 +2153,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
} }
/* Certs do not need demotion */ /* Certs do not need demotion */
} }
@@ -442,7 +497,7 @@ reseed_prngs(void) @@ -438,7 +493,7 @@ reseed_prngs(void)
} }
static void static void
@ -2166,7 +2162,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
{ {
gid_t gidset[1]; gid_t gidset[1];
@@ -457,7 +512,7 @@ privsep_preauth_child(void) @@ -453,7 +508,7 @@ privsep_preauth_child(void)
reseed_prngs(); reseed_prngs();
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
@ -2175,7 +2171,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
sshd_selinux_change_privsep_preauth_context(); sshd_selinux_change_privsep_preauth_context();
@@ -496,7 +551,7 @@ privsep_preauth(struct ssh *ssh) @@ -492,7 +547,7 @@ privsep_preauth(struct ssh *ssh)
if (use_privsep == PRIVSEP_ON) if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init(pmonitor); box = ssh_sandbox_init(pmonitor);
@ -2184,7 +2180,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
if (pid == -1) { if (pid == -1) {
fatal("fork of unprivileged child failed"); fatal("fork of unprivileged child failed");
} else if (pid != 0) { } else if (pid != 0) {
@@ -542,7 +597,7 @@ privsep_preauth(struct ssh *ssh) @@ -537,7 +592,7 @@ privsep_preauth(struct ssh *ssh)
/* Arrange for logging to be sent to the monitor */ /* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor); set_log_handler(mm_log_handler, pmonitor);
@ -2193,7 +2189,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
if (box != NULL) if (box != NULL)
ssh_sandbox_child(box); ssh_sandbox_child(box);
@@ -594,7 +649,7 @@ privsep_postauth(struct ssh *ssh, Authct @@ -589,7 +644,7 @@ privsep_postauth(struct ssh *ssh, Authct
set_log_handler(mm_log_handler, pmonitor); set_log_handler(mm_log_handler, pmonitor);
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
@ -2202,7 +2198,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
reseed_prngs(); reseed_prngs();
@@ -1057,7 +1112,7 @@ server_listen(void) @@ -1143,7 +1198,7 @@ server_listen(void)
* from this function are in a forked subprocess. * from this function are in a forked subprocess.
*/ */
static void static void
@ -2211,7 +2207,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
{ {
fd_set *fdset; fd_set *fdset;
int i, j, ret, maxfd; int i, j, ret, maxfd;
@@ -1112,6 +1167,7 @@ server_accept_loop(int *sock_in, int *so @@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) { if (received_sigterm) {
logit("Received signal %d; terminating.", logit("Received signal %d; terminating.",
(int) received_sigterm); (int) received_sigterm);
@ -2219,7 +2215,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
close_listen_socks(); close_listen_socks();
if (options.pid_file != NULL) if (options.pid_file != NULL)
unlink(options.pid_file); unlink(options.pid_file);
@@ -1978,7 +2034,7 @@ main(int ac, char **av) @@ -2098,7 +2154,7 @@ main(int ac, char **av)
#endif #endif
/* Accept a connection and return in a forked child */ /* Accept a connection and return in a forked child */
@ -2228,7 +2224,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
&newsock, config_s); &newsock, config_s);
} }
@@ -2222,6 +2278,9 @@ main(int ac, char **av) @@ -2333,6 +2389,9 @@ main(int ac, char **av)
do_authenticated(ssh, authctxt); do_authenticated(ssh, authctxt);
/* The connection has been terminated. */ /* The connection has been terminated. */
@ -2238,7 +2234,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
ssh_packet_get_bytes(ssh, &ibytes, &obytes); ssh_packet_get_bytes(ssh, &ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes", verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes); (unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2401,6 +2460,15 @@ do_ssh2_kex(struct ssh *ssh) @@ -2513,6 +2572,15 @@ do_ssh2_kex(struct ssh *ssh)
void void
cleanup_exit(int i) cleanup_exit(int i)
{ {
@ -2254,7 +2250,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
if (the_active_state != NULL && the_authctxt != NULL) { if (the_active_state != NULL && the_authctxt != NULL) {
do_cleanup(the_active_state, the_authctxt); do_cleanup(the_active_state, the_authctxt);
if (use_privsep && privsep_is_preauth && if (use_privsep && privsep_is_preauth &&
@@ -2414,9 +2482,16 @@ cleanup_exit(int i) @@ -2525,9 +2593,16 @@ cleanup_exit(int i)
} }
} }
} }
@ -2272,10 +2268,10 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
audit_event(the_active_state, SSH_CONNECTION_ABANDON); audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif #endif
_exit(i); _exit(i);
diff -up openssh/sshkey.c.audit openssh/sshkey.c diff -up openssh-8.6p1/sshkey.c.audit openssh-8.6p1/sshkey.c
--- openssh/sshkey.c.audit 2019-04-03 17:02:20.657885510 +0200 --- openssh-8.6p1/sshkey.c.audit 2021-05-06 12:05:27.364464431 +0200
+++ openssh/sshkey.c 2019-04-03 17:02:20.718886088 +0200 +++ openssh-8.6p1/sshkey.c 2021-05-06 12:05:27.386464602 +0200
@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type) @@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type)
} }
int int
@ -2314,10 +2310,10 @@ diff -up openssh/sshkey.c.audit openssh/sshkey.c
sshkey_is_cert(const struct sshkey *k) sshkey_is_cert(const struct sshkey *k)
{ {
if (k == NULL) if (k == NULL)
diff -up openssh/sshkey.h.audit openssh/sshkey.h diff -up openssh-8.6p1/sshkey.h.audit openssh-8.6p1/sshkey.h
--- openssh/sshkey.h.audit 2019-04-03 17:02:20.657885510 +0200 --- openssh-8.6p1/sshkey.h.audit 2021-05-06 12:05:27.365464439 +0200
+++ openssh/sshkey.h 2019-04-03 17:02:20.718886088 +0200 +++ openssh-8.6p1/sshkey.h 2021-05-06 12:05:27.386464602 +0200
@@ -148,6 +148,7 @@ u_int sshkey_size(const struct sshkey @@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke
int sshkey_unshield_private(struct sshkey *); int sshkey_unshield_private(struct sshkey *);
int sshkey_type_from_name(const char *); int sshkey_type_from_name(const char *);

View File

@ -1,6 +1,6 @@
diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c
--- openssh-8.0p1/cipher-ctr.c.fips 2019-07-23 14:55:45.326525641 +0200 --- openssh-8.6p1/cipher-ctr.c.fips 2021-05-06 12:08:36.423926297 +0200
+++ openssh-8.0p1/cipher-ctr.c 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/cipher-ctr.c 2021-05-06 12:08:36.497926869 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void) @@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr; aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP #ifndef SSH_OLD_EVP
@ -11,10 +11,10 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/dh.c 2021-05-06 12:12:10.107634472 +0200
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max @@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
int best, bestcount, which, linenum; int best, bestcount, which, linenum;
struct dhgroup dhg; struct dhgroup dhg;
@ -24,10 +24,10 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+ return (dh_new_group_fallback(max)); + return (dh_new_group_fallback(max));
+ } + }
+ +
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) { if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
logit("WARNING: could not open %s (%s), using fixed modulus", logit("WARNING: could not open %s (%s), using fixed modulus",
_PATH_DH_MODULI, strerror(errno)); get_moduli_filename(), strerror(errno));
@@ -489,4 +495,38 @@ dh_estimate(int bits) @@ -502,4 +508,38 @@ dh_estimate(int bits)
return 8192; return 8192;
} }
@ -66,21 +66,21 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+} +}
+ +
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
--- openssh-8.0p1/dh.h.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/dh.h.fips 2021-05-06 12:08:36.498926877 +0200
+++ openssh-8.0p1/dh.h 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/dh.h 2021-05-06 12:11:28.393298005 +0200
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int); @@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
int dh_gen_key(DH *, int); int dh_gen_key(DH *, int);
int dh_pub_is_valid(const DH *, const BIGNUM *); int dh_pub_is_valid(const DH *, const BIGNUM *);
+int dh_is_known_group(const DH *); +int dh_is_known_group(const DH *);
u_int dh_estimate(int); u_int dh_estimate(int);
void dh_set_moduli_file(const char *);
diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
--- openssh-8.0p1/kex.c.fips 2019-07-23 14:55:45.395526340 +0200 --- openssh-8.6p1/kex.c.fips 2021-05-06 12:08:36.489926807 +0200
+++ openssh-8.0p1/kex.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/kex.c 2021-05-06 12:08:36.498926877 +0200
@@ -199,7 +199,10 @@ kex_names_valid(const char *names) @@ -203,7 +203,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) { if (kex_alg_by_name(p) == NULL) {
@ -92,9 +92,9 @@ diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
free(s); free(s);
return 0; return 0;
} }
diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
--- openssh-8.0p1/kexgexc.c.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/kexgexc.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/kexgexc.c 2021-05-06 12:08:36.498926877 +0200
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -103,7 +103,7 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
#include <sys/types.h> #include <sys/types.h>
#include <openssl/dh.h> #include <openssl/dh.h>
@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32 @@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32
r = SSH_ERR_ALLOC_FAIL; r = SSH_ERR_ALLOC_FAIL;
goto out; goto out;
} }
@ -114,10 +114,10 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
p = g = NULL; /* belong to kex->dh now */ p = g = NULL; /* belong to kex->dh now */
/* generate and send 'e', client DH public key */ /* generate and send 'e', client DH public key */
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/myproposal.h 2021-05-06 12:08:36.498926877 +0200
@@ -111,6 +111,20 @@ @@ -57,6 +57,20 @@
"rsa-sha2-256," \ "rsa-sha2-256," \
"ssh-rsa" "ssh-rsa"
@ -138,7 +138,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
#define KEX_SERVER_ENCRYPT \ #define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \ "chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr," \ "aes128-ctr,aes192-ctr,aes256-ctr," \
@@ -134,6 +142,27 @@ @@ -78,6 +92,27 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC #define KEX_CLIENT_MAC KEX_SERVER_MAC
@ -166,10 +166,10 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
/* Not a KEX value, but here so all the algorithm defaults are together */ /* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \ #define SSH_ALLOWED_CA_SIGALGS \
"ssh-ed25519," \ "ssh-ed25519," \
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200 --- openssh-8.6p1/readconf.c.fips 2021-05-06 12:08:36.428926336 +0200
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/readconf.c 2021-05-06 12:08:36.499926885 +0200
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options) @@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */ /* remove unsupported algos from default lists */
@ -191,10 +191,10 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
#define ASSEMBLE(what, defaults, all) \ #define ASSEMBLE(what, defaults, all) \
do { \ do { \
if ((r = kex_assemble_names(&options->what, \ if ((r = kex_assemble_names(&options->what, \
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200 --- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-05-06 12:08:36.463926606 +0200
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-05-06 12:08:36.499926885 +0200
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_ @@ -160,6 +160,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open #ifdef __NR_open
SC_DENY(__NR_open, EACCES), SC_DENY(__NR_open, EACCES),
#endif #endif
@ -204,10 +204,10 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco
#ifdef __NR_openat #ifdef __NR_openat
SC_DENY(__NR_openat, EACCES), SC_DENY(__NR_openat, EACCES),
#endif #endif
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200 --- openssh-8.6p1/servconf.c.fips 2021-05-06 12:08:36.455926545 +0200
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/servconf.c 2021-05-06 12:08:36.500926893 +0200
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o) @@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */ /* remove unsupported algos from default lists */
@ -229,10 +229,10 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
#define ASSEMBLE(what, defaults, all) \ #define ASSEMBLE(what, defaults, all) \
do { \ do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200 --- openssh-8.6p1/ssh.c.fips 2021-05-06 12:08:36.467926637 +0200
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/ssh.c 2021-05-06 12:08:36.500926893 +0200
@@ -76,6 +76,7 @@ @@ -77,6 +77,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#endif #endif
@ -240,21 +240,21 @@ diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -614,6 +626,10 @@ main(int ac, char **av) @@ -1516,6 +1517,10 @@ main(int ac, char **av)
dump_client_config(&options, host);
exit(0); exit(0);
} }
+
+ if (FIPS_mode()) { + if (FIPS_mode()) {
+ debug("FIPS mode initialized"); + debug("FIPS mode initialized");
+ } + }
+
/* Expand SecurityKeyProvider if it refers to an environment variable */ /* Expand SecurityKeyProvider if it refers to an environment variable */
if (options.sk_provider != NULL && *options.sk_provider == '$' && if (options.sk_provider != NULL && *options.sk_provider == '$' &&
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c strlen(options.sk_provider) > 1) {
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200 diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200 --- openssh-8.6p1/sshconnect2.c.fips 2021-05-06 12:08:36.485926777 +0200
@@ -44,6 +44,8 @@ +++ openssh-8.6p1/sshconnect2.c 2021-05-06 12:08:36.501926900 +0200
@@ -45,6 +45,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -263,7 +263,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st @@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
#if defined(GSSAPI) && defined(WITH_OPENSSL) #if defined(GSSAPI) && defined(WITH_OPENSSL)
if (options.gss_keyex) { if (options.gss_keyex) {
@ -279,24 +279,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
- * and can not use DNS on that socket */ - * and can not use DNS on that socket */
- if (strcmp(gss_host, "UNKNOWN") == 0) { - if (strcmp(gss_host, "UNKNOWN") == 0) {
- free(gss_host); - free(gss_host);
- gss_host = xstrdup(host);
- }
- } else {
- gss_host = xstrdup(host);
- }
-
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
-
- /* If we've got GSSAPI algorithms, then we also support the
- * 'null' hostkey, as a last resort */
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
- "%s,null", orig);
+ if (FIPS_mode()) { + if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode"); + logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0; + options.gss_keyex = 0;
@ -316,9 +298,24 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
+ gss_host = xstrdup(host); + gss_host = xstrdup(host);
+ } + }
+ } else { + } else {
+ gss_host = xstrdup(host); gss_host = xstrdup(host);
+ } }
+ - } else {
- gss_host = xstrdup(host);
- }
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
-
- /* If we've got GSSAPI algorithms, then we also support the
- * 'null' hostkey, as a last resort */
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
- "%s,null", orig);
+ gss = ssh_gssapi_client_mechanisms(gss_host, + gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms); + options.gss_client_identity, options.gss_kex_algorithms);
+ if (gss) { + if (gss) {
@ -335,9 +332,9 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
} }
} }
#endif #endif
diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.0p1/sshd.c.fips 2019-07-23 14:55:45.398526371 +0200 --- openssh-8.6p1/sshd.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ openssh-8.0p1/sshd.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/sshd.c 2021-05-06 12:13:56.501492639 +0200
@@ -66,6 +66,7 @@ @@ -66,6 +66,7 @@
#include <grp.h> #include <grp.h>
#include <pwd.h> #include <pwd.h>
@ -354,7 +351,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#endif #endif
@@ -1529,6 +1532,7 @@ main(int ac, char **av) @@ -1619,6 +1621,7 @@ main(int ac, char **av)
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -362,7 +359,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1992,6 +2007,10 @@ main(int ac, char **av) @@ -2110,6 +2113,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */ /* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -370,10 +367,10 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
+ debug("FIPS mode initialized"); + debug("FIPS mode initialized");
+ } + }
+ +
/* Chdir to the root directory so that the current disk can be /*
unmounted if desired. */ * Chdir to the root directory so that the current disk can be
if (chdir("/") == -1) * unmounted if desired.
@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh) @@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL; orig = NULL;
@ -392,9 +389,9 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
if (gss && orig) if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig); xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.0p1/sshkey.c.fips 2019-07-23 14:55:45.398526371 +0200 --- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200
+++ openssh-8.0p1/sshkey.c 2019-07-23 14:55:45.404526431 +0200 +++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200
@@ -34,6 +34,7 @@ @@ -34,6 +34,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -411,7 +408,7 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
#include "ssh-sk.h" #include "ssh-sk.h"
#ifdef WITH_XMSS #ifdef WITH_XMSS
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA @@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
} }
if (!BN_set_word(f4, RSA_F4) || if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) { !RSA_generate_key_ex(private, bits, f4, NULL)) {
@ -420,10 +417,10 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
ret = SSH_ERR_LIBCRYPTO_ERROR; ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out; goto out;
} }
diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200 --- openssh-8.6p1/ssh-keygen.c.fips 2021-05-06 12:08:36.467926637 +0200
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200 +++ openssh-8.6p1/ssh-keygen.c 2021-05-06 12:08:36.503926916 +0200
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na @@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
#endif #endif
} }
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -436,7 +433,7 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
switch (type) { switch (type) {
case KEY_DSA: case KEY_DSA:
if (*bitsp != 1024) if (*bitsp != 1024)
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1; first = 1;
printf("%s: generating new host keys: ", __progname); printf("%s: generating new host keys: ", __progname);
} }
@ -454,4 +451,4 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
- type = sshkey_type_from_name(key_types[i].key_type); - type = sshkey_type_from_name(key_types[i].key_type);
if ((fd = mkstemp(prv_tmp)) == -1) { if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your private key in %s: %s", error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno)); prv_tmp, strerror(errno));

View File

@ -1,7 +1,26 @@
diff --git a/auth-krb5.c b/auth-krb5.c diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h
index a5a81ed2..63f877f2 100644 --- openssh-8.6p1/auth.h.ccache_name 2021-05-06 11:15:36.345143341 +0200
--- a/auth-krb5.c +++ openssh-8.6p1/auth.h 2021-05-06 11:15:36.387143654 +0200
+++ b/auth-krb5.c @@ -83,6 +83,7 @@ struct Authctxt {
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -231,7 +232,7 @@ struct passwd *fakepw(void);
int sys_auth_passwd(struct ssh *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
#endif
#endif /* AUTH_H */
diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c
--- openssh-8.6p1/auth-krb5.c.ccache_name 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/auth-krb5.c 2021-05-06 11:28:40.195242317 +0200
@@ -51,6 +51,7 @@ @@ -51,6 +51,7 @@
#include <unistd.h> #include <unistd.h>
#include <string.h> #include <string.h>
@ -10,7 +29,7 @@ index a5a81ed2..63f877f2 100644
extern ServerOptions options; extern ServerOptions options;
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c
#endif #endif
krb5_error_code problem; krb5_error_code problem;
krb5_ccache ccache = NULL; krb5_ccache ccache = NULL;
@ -19,24 +38,18 @@ index a5a81ed2..63f877f2 100644
char *client, *platform_client; char *client, *platform_client;
const char *errmsg; const char *errmsg;
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -163,8 +164,8 @@ auth_krb5_password(Authctxt *authctxt, c
goto out; goto out;
} }
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); - problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
- &authctxt->krb5_fwd_ccache);
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx, + problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env); + &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
if (problem) if (problem)
goto out; goto out;
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -179,15 +180,14 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
&creds);
if (problem)
goto out; goto out;
#endif #endif
@ -57,7 +70,7 @@ index a5a81ed2..63f877f2 100644
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname); do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif #endif
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -223,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, c
void void
krb5_cleanup_proc(Authctxt *authctxt) krb5_cleanup_proc(Authctxt *authctxt)
{ {
@ -113,7 +126,7 @@ index a5a81ed2..63f877f2 100644
if (authctxt->krb5_user) { if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
authctxt->krb5_user = NULL; authctxt->krb5_user = NULL;
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt) @@ -238,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
} }
} }
@ -198,10 +211,7 @@ index a5a81ed2..63f877f2 100644
+ return -1; + return -1;
+} +}
+ +
krb5_error_code +krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) { +ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ profile_t p; + profile_t p;
+ int ret = 0; + int ret = 0;
@ -222,7 +232,10 @@ index a5a81ed2..63f877f2 100644
+ return ret; + return ret;
+} +}
+ +
+krb5_error_code krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) { +ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
+ int tmpfd, ret, oerrno, type_len; + int tmpfd, ret, oerrno, type_len;
+ char *ccname = NULL; + char *ccname = NULL;
@ -324,30 +337,41 @@ index a5a81ed2..63f877f2 100644
} }
#endif /* !HEIMDAL */ #endif /* !HEIMDAL */
#endif /* KRB5 */ #endif /* KRB5 */
diff --git a/auth.h b/auth.h diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c
index 29491df9..fdab5040 100644 --- openssh-8.6p1/gss-serv.c.ccache_name 2021-05-06 11:15:36.374143558 +0200
--- a/auth.h +++ openssh-8.6p1/gss-serv.c 2021-05-06 11:15:36.387143654 +0200
+++ b/auth.h @@ -413,13 +413,15 @@ ssh_gssapi_cleanup_creds(void)
@@ -82,6 +82,7 @@ struct Authctxt { }
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *); /* As user */
int sys_auth_passwd(struct ssh *, const char *); -void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
#if defined(KRB5) && !defined(HEIMDAL) /* This allows GSSAPI methods to do things to the child's environment based
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *); @@ -499,9 +501,7 @@ ssh_gssapi_rekey_creds(void) {
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *); char *envstr;
#endif #endif
#endif /* AUTH_H */ - if (gssapi_client.store.filename == NULL &&
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c - gssapi_client.store.envval == NULL &&
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100 - gssapi_client.store.envvar == NULL)
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100 + if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c
--- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-05-06 11:15:36.384143632 +0200
+++ openssh-8.6p1/gss-serv-krb5.c 2021-05-06 11:15:36.387143654 +0200
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
/* This writes out any forwarded credentials from the structure populated /* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */ * during userauth. Called after we have setuid to the user */
@ -450,7 +474,7 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
do_pam_putenv(client->store.envvar, client->store.envval); do_pam_putenv(client->store.envvar, client->store.envval);
#endif #endif
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -364,7 +354,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
client->store.data = krb_context; client->store.data = krb_context;
@ -459,43 +483,10 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
} }
int int
diff --git a/gss-serv.c b/gss-serv.c diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
index 6cae720e..16e55cbc 100644 --- openssh-8.6p1/servconf.c.ccache_name 2021-05-06 11:15:36.377143580 +0200
--- a/gss-serv.c +++ openssh-8.6p1/servconf.c 2021-05-06 11:15:36.388143662 +0200
+++ b/gss-serv.c @@ -136,6 +136,7 @@ initialize_server_options(ServerOptions
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
}
/* As user */
-void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
/* This allows GSSAPI methods to do things to the child's environment based
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
char *envstr;
#endif
- if (gssapi_client.store.filename == NULL &&
- gssapi_client.store.envval == NULL &&
- gssapi_client.store.envvar == NULL)
+ if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
options->kerberos_or_local_passwd = -1; options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
@ -503,7 +494,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
options->gss_authentication=-1; options->gss_authentication=-1;
options->gss_keyex = -1; options->gss_keyex = -1;
options->gss_cleanup_creds = -1; options->gss_cleanup_creds = -1;
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options) @@ -359,6 +360,8 @@ fill_default_server_options(ServerOption
options->kerberos_ticket_cleanup = 1; options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1) if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
@ -512,7 +503,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_keyex == -1) if (options->gss_keyex == -1)
@@ -447,7 +450,8 @@ typedef enum { @@ -506,7 +509,8 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -522,7 +513,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -526,11 +530,13 @@ static struct { @@ -593,11 +597,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -536,7 +527,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line, @@ -1573,6 +1579,10 @@ process_server_config_line_depth(ServerO
intptr = &options->kerberos_get_afs_token; intptr = &options->kerberos_get_afs_token;
goto parse_flag; goto parse_flag;
@ -547,7 +538,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
case sGssAuthentication: case sGssAuthentication:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o) @@ -2891,6 +2901,7 @@ dump_config(ServerOptions *o)
# ifdef USE_AFS # ifdef USE_AFS
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif # endif
@ -555,11 +546,10 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif #endif
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/servconf.h b/servconf.h diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h
index db8362c6..4fa42d64 100644 --- openssh-8.6p1/servconf.h.ccache_name 2021-05-06 11:15:36.377143580 +0200
--- a/servconf.h +++ openssh-8.6p1/servconf.h 2021-05-06 11:15:36.397143729 +0200
+++ b/servconf.h @@ -140,6 +140,8 @@ typedef struct {
@@ -123,6 +123,8 @@ typedef struct {
* file on logout. */ * file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
@ -568,11 +558,10 @@ index db8362c6..4fa42d64 100644
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */ int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff --git a/session.c b/session.c diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c
index 85df6a27..480a5ead 100644 --- openssh-8.6p1/session.c.ccache_name 2021-05-06 11:15:36.384143632 +0200
--- a/session.c +++ openssh-8.6p1/session.c 2021-05-06 11:15:36.397143729 +0200
+++ b/session.c @@ -1038,7 +1038,8 @@ do_setup_env(struct ssh *ssh, Session *s
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
/* Allow any GSSAPI methods that we've used to alter /* Allow any GSSAPI methods that we've used to alter
* the child's environment as they see fit * the child's environment as they see fit
*/ */
@ -582,7 +571,7 @@ index 85df6a27..480a5ead 100644
#endif #endif
/* Set basic environment. */ /* Set basic environment. */
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) @@ -1114,7 +1115,7 @@ do_setup_env(struct ssh *ssh, Session *s
} }
#endif #endif
#ifdef KRB5 #ifdef KRB5
@ -591,33 +580,10 @@ index 85df6a27..480a5ead 100644
child_set_env(&env, &envsize, "KRB5CCNAME", child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ccname); s->authctxt->krb5_ccname);
#endif #endif
diff --git a/ssh-gss.h b/ssh-gss.h diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c
index 6593e422..245178af 100644 --- openssh-8.6p1/sshd.c.ccache_name 2021-05-06 11:15:36.380143602 +0200
--- a/ssh-gss.h +++ openssh-8.6p1/sshd.c 2021-05-06 11:15:36.398143736 +0200
+++ b/ssh-gss.h @@ -2284,7 +2284,7 @@ main(int ac, char **av)
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);
diff --git a/sshd.c b/sshd.c
index edbe815c..89514e8a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
#ifdef GSSAPI #ifdef GSSAPI
if (options.gss_authentication) { if (options.gss_authentication) {
temporarily_use_uid(authctxt->pw); temporarily_use_uid(authctxt->pw);
@ -626,11 +592,10 @@ index edbe815c..89514e8a 100644
restore_uid(); restore_uid();
} }
#endif #endif
diff --git a/sshd_config.5 b/sshd_config.5 diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5
index c0683d4a..2349f477 100644 --- openssh-8.6p1/sshd_config.5.ccache_name 2021-05-06 11:15:36.380143602 +0200
--- a/sshd_config.5 +++ openssh-8.6p1/sshd_config.5 2021-05-06 11:15:36.398143736 +0200
+++ b/sshd_config.5 @@ -939,6 +939,14 @@ Specifies whether to automatically destr
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
file on logout. file on logout.
The default is The default is
.Cm yes . .Cm yes .
@ -645,3 +610,24 @@ index c0683d4a..2349f477 100644
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h
--- openssh-8.6p1/ssh-gss.h.ccache_name 2021-05-06 11:15:36.384143632 +0200
+++ openssh-8.6p1/ssh-gss.h 2021-05-06 11:15:36.398143736 +0200
@@ -114,7 +114,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -175,7 +175,7 @@ int ssh_gssapi_userok(char *name, struct
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);

View File

@ -1,7 +1,7 @@
diff --git a/sshd.c b/sshd.c diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- a/sshd.c --- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
+++ b/sshd.c +++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
@@ -1701,6 +1701,10 @@ main(int ac, char **av) @@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL); cfg, &includes, NULL);
@ -9,13 +9,13 @@ diff --git a/sshd.c b/sshd.c
+ if (! options.use_pam) + if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); + logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+ +
/* Fill in default values for those options not explicitly set. */ #ifdef WITH_OPENSSL
fill_default_server_options(&options); if (options.moduli_file != NULL)
dh_set_moduli_file(options.moduli_file);
diff --git a/sshd_config b/sshd_config diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
--- a/sshd_config --- openssh-8.6p1/sshd_config.log-usepam-no 2021-04-19 14:00:45.098735121 +0200
+++ b/sshd_config +++ openssh-8.6p1/sshd_config 2021-04-19 14:00:45.099735129 +0200
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no @@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.

View File

@ -1,7 +1,7 @@
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5 diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100 --- openssh-8.6p1/ssh_config.5.crypto-policies 2021-04-19 15:18:32.071920379 +0200
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100 +++ openssh-8.6p1/ssh_config.5 2021-04-19 15:21:18.400179265 +0200
@@ -359,14 +359,13 @@ or @@ -368,15 +368,13 @@ or
.Qq *.c.example.com .Qq *.c.example.com
domains. domains.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
@ -14,14 +14,15 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
by certificate authorities (CAs). by certificate authorities (CAs).
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
-.Pp -.Pp
.Xr ssh 1 .Xr ssh 1
will not accept host certificates signed using algorithms other than those will not accept host certificates signed using algorithms other than those
specified. specified.
@@ -424,20 +424,25 @@ If the option is set to @@ -436,20 +434,25 @@ If the option is set to
(the default), (the default),
the check will not be executed. the check will not be executed.
.It Cm Ciphers .It Cm Ciphers
@ -51,7 +52,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.Pp .Pp
The supported ciphers are: The supported ciphers are:
.Bd -literal -offset indent .Bd -literal -offset indent
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com @@ -465,13 +468,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.Ed .Ed
.Pp .Pp
@ -65,7 +66,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
.It Cm ClearAllForwardings .It Cm ClearAllForwardings
@@ -812,6 +810,11 @@ command line will be passed untouched to @@ -826,6 +822,11 @@ command line will be passed untouched to
The default is The default is
.Dq no . .Dq no .
.It Cm GSSAPIKexAlgorithms .It Cm GSSAPIKexAlgorithms
@ -77,7 +78,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
The list of key exchange algorithms that are offered for GSSAPI The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are key exchange. Possible values are
.Bd -literal -offset 3n .Bd -literal -offset 3n
@@ -824,10 +827,8 @@ gss-nistp256-sha256-, @@ -838,10 +839,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256- gss-curve25519-sha256-
.Ed .Ed
.Pp .Pp
@ -89,7 +90,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
@@ -1149,29 +1150,25 @@ it may be zero or more of: @@ -1169,29 +1168,25 @@ it may be zero or more of:
and and
.Cm pam . .Cm pam .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -128,7 +129,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q kex .
@@ -1231,37 +1228,33 @@ The default is INFO. @@ -1301,37 +1296,33 @@ function, and all code in the
file. file.
This option is intended for debugging and no overrides are enabled by default. This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs .It Cm MACs
@ -175,7 +176,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost .It Cm NoHostAuthenticationForLocalhost
@@ -1394,37 +1387,25 @@ instead of continuing to execute and pas @@ -1503,37 +1494,25 @@ instead of continuing to execute and pas
The default is The default is
.Cm no . .Cm no .
.It Cm PubkeyAcceptedAlgorithms .It Cm PubkeyAcceptedAlgorithms
@ -222,10 +223,10 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.Pp .Pp
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms . .Qq ssh -Q PubkeyAcceptedAlgorithms .
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5 diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100 --- openssh-8.6p1/sshd_config.5.crypto-policies 2021-04-19 15:18:32.062920311 +0200
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100 +++ openssh-8.6p1/sshd_config.5 2021-04-19 15:20:42.591908243 +0200
@@ -375,14 +375,13 @@ If the argument is @@ -373,15 +373,13 @@ If the argument is
then no banner is displayed. then no banner is displayed.
By default, no banner is displayed. By default, no banner is displayed.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
@ -238,14 +239,15 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
by certificate authorities (CAs). by certificate authorities (CAs).
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
-.Pp -.Pp
Certificates signed using other algorithms will not be accepted for Certificates signed using other algorithms will not be accepted for
public key or host-based authentication. public key or host-based authentication.
.It Cm ChallengeResponseAuthentication .It Cm ChallengeResponseAuthentication
@@ -446,20 +446,25 @@ The default is @@ -445,20 +443,25 @@ The default is
indicating not to indicating not to
.Xr chroot 2 . .Xr chroot 2 .
.It Cm Ciphers .It Cm Ciphers
@ -275,7 +277,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
.Pp .Pp
The supported ciphers are: The supported ciphers are:
.Pp .Pp
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com @@ -485,13 +488,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.El .El
.Pp .Pp
@ -289,7 +291,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
.It Cm ClientAliveCountMax .It Cm ClientAliveCountMax
@@ -681,21 +679,22 @@ For this to work @@ -680,21 +676,22 @@ For this to work
.Cm GSSAPIKeyExchange .Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client. needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms .It Cm GSSAPIKexAlgorithms
@ -322,7 +324,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
This option only applies to connections using GSSAPI. This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms .It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased Specifies the signature algorithms that will be accepted for hostbased
@@ -793,26 +793,13 @@ is specified, the location of the socket @@ -794,26 +791,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK .Ev SSH_AUTH_SOCK
environment variable. environment variable.
.It Cm HostKeyAlgorithms .It Cm HostKeyAlgorithms
@ -354,7 +356,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms . .Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts .It Cm IgnoreRhosts
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi @@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi
The default is The default is
.Cm yes . .Cm yes .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -384,7 +386,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The supported algorithms are: The supported algorithms are:
.Pp .Pp
.Bl -item -compact -offset indent .Bl -item -compact -offset indent
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521 @@ -1003,15 +992,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com sntrup761x25519-sha512@openssh.com
.El .El
.Pp .Pp
@ -400,7 +402,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms . .Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress .It Cm ListenAddress
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent. @@ -1097,21 +1077,26 @@ function, and all code in the
file. file.
This option is intended for debugging and no overrides are enabled by default. This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs .It Cm MACs
@ -431,7 +433,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
.Pp .Pp
The algorithms that contain The algorithms that contain
.Qq -etm .Qq -etm
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com @@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com umac-128-etm@openssh.com
.El .El
.Pp .Pp
@ -447,7 +449,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
.It Cm Match .It Cm Match
@@ -1480,37 +1460,25 @@ or equivalent.) @@ -1541,37 +1517,25 @@ or equivalent.)
The default is The default is
.Cm yes . .Cm yes .
.It Cm PubkeyAcceptedAlgorithms .It Cm PubkeyAcceptedAlgorithms

View File

@ -0,0 +1,12 @@
diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.strip-doseol 2021-03-18 17:41:34.472404994 +0100
+++ openssh-8.0p1/ssh-keygen.c 2021-03-18 17:41:55.255538761 +0100
@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
while (getline(&line, &linesize, f) != -1) {
lnum++;
cp = line;
- cp[strcspn(cp, "\n")] = '\0';
+ cp[strcspn(cp, "\r\n")] = '\0';
/* Trim leading space and comments */
cp = line + strspn(line, " \t");
if (*cp == '#' || *cp == '\0')

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,44 @@
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
goto auth_fail;
if (!do_pam_account()) {
- sshpam_err = PAM_ACCT_EXPIRED;
+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
+ * Backward compatibility for other errors. */
+ if (sshpam_err != PAM_PERM_DENIED
+ && sshpam_err != PAM_USER_UNKNOWN)
+ sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
}
if (sshpam_authctxt->force_pwchange) {
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
pam_strerror(sshpam_handle, sshpam_err))) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
/* XXX - can't do much about an error here */
- if (sshpam_err == PAM_ACCT_EXPIRED)
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
+ if (sshpam_err == PAM_PERM_DENIED
+ || sshpam_err == PAM_USER_UNKNOWN
+ || sshpam_err == PAM_ACCT_EXPIRED)
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
else if (sshpam_maxtries_reached)
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
else
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
plen++;
free(msg);
break;
+ case PAM_USER_UNKNOWN:
+ case PAM_PERM_DENIED:
case PAM_ACCT_EXPIRED:
+ sshpam_account_status = 0;
+ /* FALLTHROUGH */
case PAM_MAXTRIES:
- if (type == PAM_ACCT_EXPIRED)
- sshpam_account_status = 0;
if (type == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
/* FALLTHROUGH */

View File

@ -50,15 +50,15 @@
%{?static_openssl:%global static_libcrypto 1} %{?static_openssl:%global static_libcrypto 1}
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.5p1 %global openssh_ver 8.6p1
%global openssh_rel 3 %global openssh_rel 1
%global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 2 %global pam_ssh_agent_rel 3
Summary: An open source implementation of SSH protocol version 2 Summary: An open source implementation of SSH protocol version 2
Name: openssh Name: openssh
Version: %{openssh_ver} Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}.1 Release: %{openssh_rel}%{?dist}
URL: http://www.openssh.com/portable.html URL: http://www.openssh.com/portable.html
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/ #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -191,6 +191,10 @@ Patch965: openssh-8.2p1-visibility.patch
Patch966: openssh-8.2p1-x11-without-ipv6.patch Patch966: openssh-8.2p1-x11-without-ipv6.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213 # https://bugzilla.mindrot.org/show_bug.cgi?id=3213
Patch969: openssh-8.4p1-debian-compat.patch Patch969: openssh-8.4p1-debian-compat.patch
# ssh-keygen printing fingerprint issue with Windows keys (#1901518)
Patch974: openssh-8.0p1-keygen-strip-doseol.patch
# sshd provides PAM an incorrect error code (#1879503)
Patch975: openssh-8.0p1-preserve-pam-errors.patch
License: BSD License: BSD
Requires: /sbin/nologin Requires: /sbin/nologin
@ -262,7 +266,7 @@ Requires: openssh = %{version}-%{release}
%package -n pam_ssh_agent_auth %package -n pam_ssh_agent_auth
Summary: PAM module for authentication with ssh-agent Summary: PAM module for authentication with ssh-agent
Version: %{pam_ssh_agent_ver} Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1 Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
License: BSD License: BSD
%description %description
@ -366,6 +370,8 @@ popd
%patch965 -p1 -b .visibility %patch965 -p1 -b .visibility
%patch966 -p1 -b .x11-ipv6 %patch966 -p1 -b .x11-ipv6
%patch969 -p0 -b .debian %patch969 -p0 -b .debian
%patch974 -p1 -b .keygen-strip-doseol
%patch975 -p1 -b .preserve-pam-errors
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
@ -650,6 +656,9 @@ test -f %{sysconfig_anaconda} && \
%endif %endif
%changelog %changelog
* Thu May 06 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-1 + 0.10.4-3
- New upstream release (#1952957)
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 8.5p1-3.1 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 8.5p1-3.1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

View File

@ -1,4 +1,4 @@
SHA512 (openssh-8.5p1.tar.gz) = af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f SHA512 (openssh-8.6p1.tar.gz) = 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
SHA512 (openssh-8.5p1.tar.gz.asc) = 264a991c7207f2215875e2b472a649ede1a69f6486d25777bf522047c26ea77c2995d34b6917a993ea9a250b7dd5298a30f1975e20e471f079c9064ce283cec2 SHA512 (openssh-8.6p1.tar.gz.asc) = ea75d7fe350fd1761ee5490b222249e9b8915b2a02a1d41979195f15d239def387e4c6467362ab9515d517087750fa66bc368f5baa15c325502f725172631967
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21 SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21