8.4p1-1 + 0.10.4-1
parent
3783a5da43
commit
bd35168662
3
.gitignore
vendored
@ -42,3 +42,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-8.2p1.tar.gz.asc
|
||||
/openssh-8.3p1.tar.gz
|
||||
/openssh-8.3p1.tar.gz.asc
|
||||
/openssh-8.4p1.tar.gz
|
||||
/openssh-8.4p1.tar.gz.asc
|
||||
/pam_ssh_agent_auth-0.10.4.tar.gz
|
||||
|
@ -2,15 +2,15 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
|
||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
|
||||
@@ -53,6 +53,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <X11/Xlib.h>
|
||||
+#include <glib.h>
|
||||
#include <gtk/gtk.h>
|
||||
#include <gdk/gdkx.h>
|
||||
|
||||
#include <gdk/gdkkeysyms.h>
|
||||
@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static void
|
||||
@ -34,39 +34,44 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
|
||||
- GtkWidget *parent_window, *dialog, *entry;
|
||||
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
||||
GdkGrabStatus status;
|
||||
GdkColor fg, bg;
|
||||
int fg_set = 0, bg_set = 0;
|
||||
@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
|
||||
gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
|
||||
|
||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||
@@ -104,16 +116,37 @@ passphrase_dialog(char *message)
|
||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
||||
|
||||
if (prompt_type == PROMPT_ENTRY) {
|
||||
if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
|
||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
||||
+ FALSE, 0);
|
||||
+ gtk_widget_show(hbox);
|
||||
+
|
||||
entry = gtk_entry_new();
|
||||
if (fg_set)
|
||||
gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
|
||||
if (bg_set)
|
||||
gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
|
||||
gtk_box_pack_start(
|
||||
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
|
||||
- entry, FALSE, FALSE, 0);
|
||||
+ GTK_BOX(hbox), entry,
|
||||
+ TRUE, FALSE, 0);
|
||||
+ GTK_BOX(hbox), entry, TRUE, FALSE, 0);
|
||||
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||
gtk_widget_grab_focus(entry);
|
||||
gtk_widget_show(entry);
|
||||
/* Make <enter> close dialog */
|
||||
g_signal_connect(G_OBJECT(entry), "activate",
|
||||
G_CALLBACK(ok_dialog), dialog);
|
||||
if (prompt_type == PROMPT_ENTRY) {
|
||||
@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
|
||||
g_signal_connect(G_OBJECT(entry), "key_press_event",
|
||||
G_CALLBACK(check_none), dialog);
|
||||
}
|
||||
+
|
||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
||||
+ FALSE, 8);
|
||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
|
||||
+ hbox, FALSE, FALSE, 8);
|
||||
+ gtk_widget_show(hbox);
|
||||
+
|
||||
+ progress = gtk_progress_bar_new();
|
||||
+
|
||||
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
|
||||
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
|
||||
+ "Passphrase length hidden intentionally");
|
||||
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
|
||||
+ TRUE, 5);
|
||||
+ gtk_widget_show(progress);
|
||||
|
@ -145,9 +145,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||
session_type,
|
||||
tty == NULL ? "" : " on ",
|
||||
@@ -1486,14 +1492,6 @@ child_close_fds(void)
|
||||
* descriptors left by system functions. They will be closed later.
|
||||
*/
|
||||
endpwent();
|
||||
|
||||
/* Stop directing logs to a high-numbered fd before we close it */
|
||||
log_redirect_stderr_to(NULL);
|
||||
-
|
||||
- /*
|
||||
- * Close any extra open file descriptors so that we don't have them
|
||||
|
@ -44,8 +44,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
|
||||
K5LIBS=@K5LIBS@
|
||||
GSSLIBS=@GSSLIBS@
|
||||
SSHLIBS=@SSHLIBS@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
+KEYCATLIBS=@KEYCATLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
@ -466,16 +466,16 @@ index 3bbccfd..6481f1f 100644
|
||||
esac
|
||||
fi
|
||||
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST([SSHLIBS])
|
||||
AC_SUBST([SSHDLIBS])
|
||||
+AC_SUBST([KEYCATLIBS])
|
||||
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
@@ -5031,6 +5034,9 @@ fi
|
||||
if test ! -z "${SSHLIBS}"; then
|
||||
echo " +for ssh: ${SSHLIBS}"
|
||||
if test ! -z "${SSHDLIBS}"; then
|
||||
echo " +for sshd: ${SSHDLIBS}"
|
||||
fi
|
||||
+if test ! -z "${KEYCATLIBS}"; then
|
||||
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
||||
|
@ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
||||
*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
|
||||
*inc_flags &= ~SSHCFG_MATCH_ONLY;
|
||||
break;
|
||||
|
||||
+ case sKerberosUseKuserok:
|
||||
|
@ -2,8 +2,8 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
|
||||
--- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100
|
||||
+++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200
|
||||
@@ -38,6 +38,7 @@
|
||||
.Op Fl P Ar blacklisted_requests
|
||||
.Op Fl p Ar whitelisted_requests
|
||||
.Op Fl P Ar denied_requests
|
||||
.Op Fl p Ar allowed_requests
|
||||
.Op Fl u Ar umask
|
||||
+.Op Fl m Ar force_file_perms
|
||||
.Ek
|
||||
@ -67,9 +67,9 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
|
||||
@@ -1494,7 +1505,7 @@ sftp_server_usage(void)
|
||||
fprintf(stderr,
|
||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
||||
- "[-p whitelisted_requests] [-u umask]\n"
|
||||
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
|
||||
"[-l log_level]\n\t[-P denied_requests] "
|
||||
- "[-p allowed_requests] [-u umask]\n"
|
||||
+ "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
|
||||
" %s -Q protocol_feature\n",
|
||||
__progname, __progname);
|
||||
exit(1);
|
||||
|
@ -137,7 +137,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
}
|
||||
|
||||
@@ -1538,6 +1565,34 @@ child_close_fds(void)
|
||||
endpwent();
|
||||
log_redirect_stderr_to(NULL);
|
||||
}
|
||||
|
||||
+void
|
||||
|
@ -1158,8 +1158,8 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||
size_t signaturelen, datalen, bloblen;
|
||||
int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
|
||||
int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
|
||||
int encoded_ret;
|
||||
struct sshkey_sig_details *sig_details = NULL;
|
||||
+ int type = 0;
|
||||
|
||||
|
@ -173,20 +173,20 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||
/* remove unsupported algos from default lists */
|
||||
- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
|
||||
- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
|
||||
- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
|
||||
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
|
||||
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||
+ def_cipher = match_filter_whitelist((FIPS_mode() ?
|
||||
- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
|
||||
- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
|
||||
- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
|
||||
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
|
||||
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
|
||||
+ def_mac = match_filter_whitelist((FIPS_mode() ?
|
||||
+ def_mac = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
|
||||
+ def_kex = match_filter_whitelist((FIPS_mode() ?
|
||||
+ def_kex = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
|
||||
+ def_key = match_filter_whitelist((FIPS_mode() ?
|
||||
+ def_key = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||
+ def_sig = match_filter_whitelist((FIPS_mode() ?
|
||||
+ def_sig = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||
#define ASSEMBLE(what, defaults, all) \
|
||||
do { \
|
||||
@ -211,20 +211,20 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||
/* remove unsupported algos from default lists */
|
||||
- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
|
||||
- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
|
||||
- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
|
||||
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
|
||||
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||
+ def_cipher = match_filter_whitelist((FIPS_mode() ?
|
||||
- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
|
||||
- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
|
||||
- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
|
||||
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
|
||||
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
|
||||
+ def_mac = match_filter_whitelist((FIPS_mode() ?
|
||||
+ def_mac = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
|
||||
+ def_kex = match_filter_whitelist((FIPS_mode() ?
|
||||
+ def_kex = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
|
||||
+ def_key = match_filter_whitelist((FIPS_mode() ?
|
||||
+ def_key = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||
+ def_sig = match_filter_whitelist((FIPS_mode() ?
|
||||
+ def_sig = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||
#define ASSEMBLE(what, defaults, all) \
|
||||
do { \
|
||||
|
@ -2,9 +2,9 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config
|
||||
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
|
||||
@@ -43,3 +43,10 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
|
||||
+#
|
||||
+# This system is following system-wide crypto policy.
|
||||
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
|
||||
|
@ -154,20 +154,6 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh/configure.ac.role-mls openssh/configure.ac
|
||||
--- openssh/configure.ac.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/configure.ac 2018-08-22 11:14:56.820430957 +0200
|
||||
@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux],
|
||||
LIBS="$LIBS -lselinux"
|
||||
],
|
||||
AC_MSG_ERROR([SELinux support requires libselinux library]))
|
||||
- SSHLIBS="$SSHLIBS $LIBSELINUX"
|
||||
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
|
||||
- LIBS="$save_LIBS"
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST([SSHLIBS])
|
||||
diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
|
||||
@ -338,8 +324,8 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
||||
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
||||
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
|
||||
const u_char *, size_t, const char *, const char *, u_int compat);
|
||||
const u_char *, size_t, const char *, const char *,
|
||||
const char *, u_int compat);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+void mm_inform_authrole(char *);
|
||||
|
@ -1,31 +1,27 @@
|
||||
diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh-copy-id
|
||||
--- openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id 2018-10-17 02:01:20.000000000 +0200
|
||||
+++ openssh-7.9p1/contrib/ssh-copy-id 2019-01-23 20:49:30.513393667 +0100
|
||||
@@ -112,7 +112,8 @@ do
|
||||
usage
|
||||
}
|
||||
|
||||
- OPT= OPTARG=
|
||||
+ OPT=
|
||||
+ OPTARG=
|
||||
# implement something like getopt to avoid Solaris pain
|
||||
case "$1" in
|
||||
-i?*|-o?*|-p?*)
|
||||
@@ -261,7 +262,7 @@ populate_new_ids() {
|
||||
fi
|
||||
if [ -z "$NEW_IDS" ] ; then
|
||||
printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
|
||||
- printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
|
||||
+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2
|
||||
exit 0
|
||||
fi
|
||||
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
|
||||
@@ -296,7 +297,7 @@ case "$REMOTE_VERSION" in
|
||||
# in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
|
||||
# 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh.
|
||||
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
|
||||
- ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|
||||
+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|
||||
|| exit 1
|
||||
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
|
||||
;;
|
||||
From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 29 Sep 2020 10:02:45 +0000
|
||||
Subject: [PATCH] Fail hard on the first failed attempt to write the
|
||||
authorized_keys_file
|
||||
|
||||
---
|
||||
ssh-copy-id | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||
index 392f64f..e69a23f 100755
|
||||
--- a/contrib/ssh-copy-id
|
||||
+++ b/contrib/ssh-copy-id
|
||||
@@ -251,7 +251,7 @@ installkeys_sh() {
|
||||
cd;
|
||||
umask 077;
|
||||
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
||||
- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
|
||||
+ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
||||
cat >> ${AUTH_KEY_FILE} ||
|
||||
exit 1;
|
||||
if type restorecon >/dev/null 2>&1; then
|
||||
--
|
||||
GitLab
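Review bot: The changed line in installkeys_sh still expands `${AUTH_KEY_FILE}` unquoted in `tail -1c ${AUTH_KEY_FILE}` and in both `>> ${AUTH_KEY_FILE}` redirections, and tests the `tail` output unquoted, so a `-t` path containing whitespace is word-split by the remote shell, and a file whose last byte is a space or tab expands to no word, making `[ -z ]` true, so no newline is emitted and the new key is appended to that line instead of a fresh one; the added `|| exit 1` makes a failed write fatal but addresses neither. I would quote both, `{ [ -z "\`tail -1c "${AUTH_KEY_FILE}" 2>/dev/null\`" ] || echo >> "${AUTH_KEY_FILE}" || exit 1; } &&` and `cat >> "${AUTH_KEY_FILE}" ||`, which keeps the existing outcome for empty and newline-terminated files because trailing newlines are stripped from the substitution either way. This assumes the body of installkeys_sh is a locally expanded here-document, as the escaped backticks suggest, so literal double quotes survive to the remote `sh`; if it is a double-quoted string instead they need to be written as `\"`. installkeys_sh begins before the hunk and its restorecon branch continues after it.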
|
||||
|
||||
|
||||
|
@ -568,8 +568,8 @@ index 4e56e110..2690ebeb 100644
|
||||
|
||||
REGRESS_FAIL_EARLY?= yes
|
||||
SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion
|
||||
-SUBDIR+=authopt misc
|
||||
+SUBDIR+=authopt misc pkcs11
|
||||
-SUBDIR+=authopt misc sshsig
|
||||
+SUBDIR+=authopt misc sshsig pkcs11
|
||||
|
||||
.include <bsd.subdir.mk>
|
||||
diff --git a/regress/unittests/pkcs11/tests.c b/regress/unittests/pkcs11/tests.c
|
||||
@ -807,7 +807,7 @@ index 00000000..b637cb13
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+check_encode(char *source, size_t len, char *whitelist, char *expect)
|
||||
+check_encode(char *source, size_t len, char *allow_list, char *expect)
|
||||
+{
|
||||
+ char *buf = NULL;
|
||||
+ struct sshbuf *b;
|
||||
@ -816,7 +816,7 @@ index 00000000..b637cb13
|
||||
+ TEST_START(buf);
|
||||
+ free(buf);
|
||||
+
|
||||
+ b = percent_encode(source, len, whitelist);
|
||||
+ b = percent_encode(source, len, allow_list);
|
||||
+ ASSERT_STRING_EQ(sshbuf_ptr(b), expect);
|
||||
+ sshbuf_free(b);
|
||||
+ TEST_DONE();
|
||||
@ -841,14 +841,14 @@ index 00000000..b637cb13
|
||||
+static void
|
||||
+test_percent_encode(void)
|
||||
+{
|
||||
+ /* Without whitelist encodes everything (for CKA_ID) */
|
||||
+ /* Without allow list encodes everything (for CKA_ID) */
|
||||
+ check_encode("A*", 2, "", "%41%2A");
|
||||
+ check_encode("\x00", 1, "", "%00");
|
||||
+ check_encode("\x7F", 1, "", "%7F");
|
||||
+ check_encode("\x80", 1, "", "%80");
|
||||
+ check_encode("\xff", 1, "", "%FF");
|
||||
+
|
||||
+ /* Default whitelist encodes anything but safe letters */
|
||||
+ /* Default allow list encodes anything but safe letters */
|
||||
+ check_encode("test" "\x00" "0alpha", 11, PKCS11_URI_WHITELIST,
|
||||
+ "test%000alpha");
|
||||
+ check_encode(" ", 1, PKCS11_URI_WHITELIST,
|
||||
@ -920,9 +920,9 @@ index 8057eb1f..0c470e32 100644
|
||||
--- a/ssh-add.c
|
||||
+++ b/ssh-add.c
|
||||
@@ -67,6 +67,7 @@
|
||||
#include "ssherr.h"
|
||||
#include "digest.h"
|
||||
#include "ssh-sk.h"
|
||||
#include "sk-api.h"
|
||||
+#include "ssh-pkcs11-uri.h"
|
||||
|
||||
/* argv0 */
|
||||
@ -1045,9 +1045,9 @@ index 7eb6f0dc..27d8e4af 100644
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ free(module_path);
|
||||
+ if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
|
||||
+ if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
|
||||
+ verbose("refusing PKCS#11 provider \"%.100s\": "
|
||||
+ "not whitelisted", canonical_provider);
|
||||
+ "not allowed", canonical_provider);
|
||||
+ pkcs11_uri_cleanup(uri);
|
||||
+ return NULL;
|
||||
+ }
|
||||
@ -1085,9 +1085,9 @@ index 7eb6f0dc..27d8e4af 100644
|
||||
- provider, strerror(errno));
|
||||
- goto send;
|
||||
- }
|
||||
- if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
|
||||
- if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
|
||||
- verbose("refusing PKCS#11 add of \"%.100s\": "
|
||||
- "provider not whitelisted", canonical_provider);
|
||||
- "provider not allowed", canonical_provider);
|
||||
+
|
||||
+ sane_uri = sanitize_pkcs11_provider(provider);
|
||||
+ if (sane_uri == NULL)
|
||||
@ -1342,7 +1342,7 @@ index 00000000..e1a7b4e0
|
||||
+}
|
||||
+
|
||||
+struct sshbuf *
|
||||
+percent_encode(const char *data, size_t length, const char *whitelist)
|
||||
+percent_encode(const char *data, size_t length, const char *allow_list)
|
||||
+{
|
||||
+ struct sshbuf *b = NULL;
|
||||
+ char tmp[4], *cp;
|
||||
@ -1351,7 +1351,7 @@ index 00000000..e1a7b4e0
|
||||
+ if ((b = sshbuf_new()) == NULL)
|
||||
+ return NULL;
|
||||
+ for (i = 0; i < length; i++) {
|
||||
+ cp = strchr(whitelist, data[i]);
|
||||
+ cp = strchr(allow_list, data[i]);
|
||||
+ /* if c is specified as '\0' pointer to terminator is returned !! */
|
||||
+ if (cp != NULL && *cp != '\0') {
|
||||
+ if (sshbuf_put(b, &data[i], 1) != 0)
|
||||
@ -3115,7 +3115,7 @@ index 15aee569..976844cb 100644
|
||||
+ }
|
||||
+#endif /* ENABLE_PKCS11 */
|
||||
+ cp = tilde_expand_filename(name, getuid());
|
||||
filename = default_client_percent_expand(cp,
|
||||
filename = default_client_percent_dollar_expand(cp,
|
||||
pw->pw_dir, host, options.user, pw->pw_name);
|
||||
free(cp);
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
|
@ -1,227 +0,0 @@
|
||||
From 3caa40f40c7f97ecf46969e050e530338864033e Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Mon, 25 May 2020 15:46:51 +0200
|
||||
Subject: [PATCH 1/3] regress: Add more test cases
|
||||
|
||||
---
|
||||
regress/servcfginclude.sh | 36 +++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 35 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh
|
||||
index b25c8faa..b6a9a248 100644
|
||||
--- a/regress/servcfginclude.sh
|
||||
+++ b/regress/servcfginclude.sh
|
||||
@@ -146,9 +146,43 @@ Include
|
||||
_EOF
|
||||
|
||||
trace "disallow invalid with no argument"
|
||||
-${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
|
||||
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \
|
||||
-C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
|
||||
fail "sshd allowed Include with no argument"
|
||||
|
||||
+# Ensure the Include before any Match block works as expected (bug #3122)
|
||||
+cat > $OBJ/sshd_config.i << _EOF
|
||||
+Banner /xx
|
||||
+HostKey $OBJ/host.ssh-ed25519
|
||||
+Include $OBJ/sshd_config.i.2
|
||||
+Match host a
|
||||
+ Banner /aaaa
|
||||
+_EOF
|
||||
+cat > $OBJ/sshd_config.i.2 << _EOF
|
||||
+Match host a
|
||||
+ Banner /aa
|
||||
+_EOF
|
||||
+
|
||||
+trace "Include before match blocks"
|
||||
+trial a /aa "included file before match blocks is properly evaluated"
|
||||
+
|
||||
+# Port in included file is correctly interpretted (bug #3169)
|
||||
+cat > $OBJ/sshd_config.i << _EOF
|
||||
+Include $OBJ/sshd_config.i.2
|
||||
+Port 7722
|
||||
+_EOF
|
||||
+cat > $OBJ/sshd_config.i.2 << _EOF
|
||||
+HostKey $OBJ/host.ssh-ed25519
|
||||
+_EOF
|
||||
+
|
||||
+trace "Port after included files"
|
||||
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
|
||||
+ -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \
|
||||
+ fail "failed to parse Port after included files"
|
||||
+_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'`
|
||||
+if test "x7722" != "x$_port" ; then
|
||||
+ fail "The Port in included file was intertepretted wrongly. Expected 7722, got $_port"
|
||||
+fi
|
||||
+
|
||||
# cleanup
|
||||
rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
||||
From 924922fcb8f34fb4a156367de2ee33ad92a68a6a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Mon, 25 May 2020 16:56:39 +0200
|
||||
Subject: [PATCH 2/3] Do not call process_queued_listen_addrs() for every
|
||||
included file
|
||||
|
||||
Fixes #3169
|
||||
---
|
||||
servconf.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 5bb4b1f8..78a7d87d 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -74,7 +74,7 @@ static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
static void add_one_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
-void parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
+static void parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
struct sshbuf *conf, struct include_list *includes,
|
||||
struct connection_info *connectinfo, int flags, int *activep, int depth);
|
||||
|
||||
@@ -2580,7 +2580,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
#undef M_CP_STRARRAYOPT
|
||||
|
||||
#define SERVCONF_MAX_DEPTH 16
|
||||
-void
|
||||
+static void
|
||||
parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
struct sshbuf *conf, struct include_list *includes,
|
||||
struct connection_info *connectinfo, int flags, int *activep, int depth)
|
||||
@@ -2606,7 +2606,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
if (bad_options > 0)
|
||||
fatal("%s: terminating, %d bad configuration options",
|
||||
filename, bad_options);
|
||||
- process_queued_listen_addrs(options);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -2617,6 +2616,7 @@ parse_server_config(ServerOptions *options, const char *filename,
|
||||
int active = connectinfo ? 0 : 1;
|
||||
parse_server_config_depth(options, filename, conf, includes,
|
||||
connectinfo, 0, &active, 0);
|
||||
+ process_queued_listen_addrs(options);
|
||||
}
|
||||
|
||||
static const char *
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
||||
From 26d970b4fb373cb7bd99286e41dd095cd1eadbd0 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 26 May 2020 16:25:24 +0200
|
||||
Subject: [PATCH 3/3] servconf: Fix parsing of Match blocks in included files
|
||||
(#3122)
|
||||
|
||||
---
|
||||
servconf.c | 28 +++++++++++++++++++---------
|
||||
1 file changed, 19 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 78a7d87d..a8541514 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -554,6 +554,7 @@ typedef enum {
|
||||
#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
|
||||
#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
|
||||
#define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
|
||||
+#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
|
||||
|
||||
/* Textual representation of the tokens. */
|
||||
static struct {
|
||||
@@ -1265,7 +1266,7 @@ static const struct multistate multistate_tcpfwd[] = {
|
||||
static int
|
||||
process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
const char *filename, int linenum, int *activep,
|
||||
- struct connection_info *connectinfo, int inc_flags, int depth,
|
||||
+ struct connection_info *connectinfo, int *inc_flags, int depth,
|
||||
struct include_list *includes)
|
||||
{
|
||||
char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
|
||||
@@ -2012,7 +2013,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
parse_server_config_depth(options,
|
||||
item->filename, item->contents,
|
||||
includes, connectinfo,
|
||||
- (oactive ? 0 : SSHCFG_NEVERMATCH),
|
||||
+ (*inc_flags & SSHCFG_MATCH_ONLY
|
||||
+ ? SSHCFG_MATCH_ONLY : (oactive
|
||||
+ ? 0 : SSHCFG_NEVERMATCH)),
|
||||
activep, depth + 1);
|
||||
}
|
||||
found = 1;
|
||||
@@ -2060,7 +2063,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
parse_server_config_depth(options,
|
||||
item->filename, item->contents,
|
||||
includes, connectinfo,
|
||||
- (oactive ? 0 : SSHCFG_NEVERMATCH),
|
||||
+ (*inc_flags & SSHCFG_MATCH_ONLY
|
||||
+ ? SSHCFG_MATCH_ONLY : (oactive
|
||||
+ ? 0 : SSHCFG_NEVERMATCH)),
|
||||
activep, depth + 1);
|
||||
*activep = oactive;
|
||||
TAILQ_INSERT_TAIL(includes, item, entry);
|
||||
@@ -2078,11 +2083,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
if (cmdline)
|
||||
fatal("Match directive not supported as a command-line "
|
||||
"option");
|
||||
- value = match_cfg_line(&cp, linenum, connectinfo);
|
||||
+ value = match_cfg_line(&cp, linenum,
|
||||
+ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
|
||||
if (value < 0)
|
||||
fatal("%s line %d: Bad Match condition", filename,
|
||||
linenum);
|
||||
- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
|
||||
+ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
|
||||
+ /* The MATCH_ONLY is applicable only until the first match block */
|
||||
+ *inc_flags &= ~SSHCFG_MATCH_ONLY;
|
||||
break;
|
||||
|
||||
case sKerberosUseKuserok:
|
||||
@@ -2385,8 +2393,9 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
const char *filename, int linenum, int *activep,
|
||||
struct connection_info *connectinfo, struct include_list *includes)
|
||||
{
|
||||
+ int inc_flags = 0;
|
||||
return process_server_config_line_depth(options, line, filename,
|
||||
- linenum, activep, connectinfo, 0, 0, includes);
|
||||
+ linenum, activep, connectinfo, &inc_flags, 0, includes);
|
||||
}
|
||||
|
||||
|
||||
@@ -2591,14 +2600,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
|
||||
fatal("Too many recursive configuration includes");
|
||||
|
||||
- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
|
||||
+ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
|
||||
+ (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
|
||||
|
||||
if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
|
||||
fatal("%s: sshbuf_dup_string failed", __func__);
|
||||
linenum = 1;
|
||||
while ((cp = strsep(&cbuf, "\n")) != NULL) {
|
||||
if (process_server_config_line_depth(options, cp,
|
||||
- filename, linenum++, activep, connectinfo, flags,
|
||||
+ filename, linenum++, activep, connectinfo, &flags,
|
||||
depth, includes) != 0)
|
||||
bad_options++;
|
||||
}
|
||||
@@ -2615,7 +2625,7 @@ parse_server_config(ServerOptions *options, const char *filename,
|
||||
{
|
||||
int active = connectinfo ? 0 : 1;
|
||||
parse_server_config_depth(options, filename, conf, includes,
|
||||
- connectinfo, 0, &active, 0);
|
||||
+ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
|
||||
process_queued_listen_addrs(options);
|
||||
}
|
||||
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
BIN
openssh-SNAP-20200921.tar.gz
Normal file
16
openssh.spec
@ -50,15 +50,15 @@
|
||||
%{?static_openssl:%global static_libcrypto 1}
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 8.3p1
|
||||
%global openssh_rel 4
|
||||
%global openssh_ver 8.4p1
|
||||
%global openssh_rel 1
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 1
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
Version: %{openssh_ver}
|
||||
Release: %{openssh_rel}%{?dist}
|
||||
Release: %{openssh_rel}.1%{?dist}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
|
||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
@ -184,8 +184,7 @@ Patch951: openssh-8.0p1-pkcs11-uri.patch
|
||||
# Unbreak scp between two IPv6 hosts (#1620333)
|
||||
Patch953: openssh-7.8p1-scp-ipv6.patch
|
||||
# ssh-copy-id is unmaintained: Aggreagete patches
|
||||
# - do not return 0 if the write fails (full disk)
|
||||
# - shellcheck reports (upstream #2902)
|
||||
# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
|
||||
Patch958: openssh-7.9p1-ssh-copy-id.patch
|
||||
# Mention crypto-policies in manual pages (#1668325)
|
||||
Patch962: openssh-8.0p1-crypto-policies.patch
|
||||
@ -197,8 +196,6 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
|
||||
Patch965: openssh-8.2p1-visibility.patch
|
||||
# Do not break X11 without IPv6
|
||||
Patch966: openssh-8.2p1-x11-without-ipv6.patch
|
||||
# Unbreak sshd_config include corner cases (#3122)
|
||||
Patch967: openssh-8.3p1-sshd_include.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -219,7 +216,7 @@ BuildRequires: pam-devel
|
||||
BuildRequires: openssl-devel >= 0.9.8j
|
||||
BuildRequires: perl-podlators
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gcc make
|
||||
BuildRequires: p11-kit-devel
|
||||
BuildRequires: libfido2-devel
|
||||
Recommends: p11-kit
|
||||
@ -272,7 +269,7 @@ Requires: openssh = %{version}-%{release}
|
||||
%package -n pam_ssh_agent_auth
|
||||
Summary: PAM module for authentication with ssh-agent
|
||||
Version: %{pam_ssh_agent_ver}
|
||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1
|
||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2
|
||||
License: BSD
|
||||
|
||||
%description
|
||||
@ -382,7 +379,6 @@ popd
|
||||
%patch964 -p1 -b .openssl-kdf
|
||||
%patch965 -p1 -b .visibility
|
||||
%patch966 -p1 -b .x11-ipv6
|
||||
%patch967 -p1 -b .include
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
|
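Review bot: A binary openssh-SNAP-20200921.tar.gz is added to the repository in this commit ("Normal file"), yet nothing in the spec hunks shown refers to it: Source0 still resolves to openssh-%{version}.tar.gz, i.e. openssh-8.4p1.tar.gz, which is the artifact the sources file pins with a SHA512 and a detached .asc checked against DJM-GPG-KEY.gpg. A snapshot tarball checked into dist-git with no checksum or signature entry is an unverified artifact that a later Source line could silently pick up; if it is a leftover from testing the rebase it should be dropped, and if it is intended for use it needs a Source line plus a sources entry. The sources hunk also pins pam_ssh_agent_auth-0.10.4.tar.gz by hash only, with no .asc counterpart, unlike the openssh tarball; that may be all upstream offers, but it is worth noting in the changelog, which is outside this view.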
6
sources
@ -1,4 +1,4 @@
|
||||
SHA512 (openssh-8.3p1.tar.gz) = b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
|
||||
SHA512 (openssh-8.3p1.tar.gz.asc) = 569fa12b3671af15bd7cd54fc7b13d1d64f3e96eb28f6dc430082f7bec4595689c633d3d56c23faad45b73e4da666c3ec090de26bf54f49410ba9bb8b5363e75
|
||||
SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
|
||||
SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
|
||||
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
|
||||
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
||||
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
|
||||
|