Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssh.git#44aae310bd4e0f19369ea1c91ada03334f29c843
This commit is contained in:
parent
fa840d638a
commit
d029bb77ce
3
.gitignore
vendored
@ -45,3 +45,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
|||||||
/openssh-8.4p1.tar.gz
|
/openssh-8.4p1.tar.gz
|
||||||
/openssh-8.4p1.tar.gz.asc
|
/openssh-8.4p1.tar.gz.asc
|
||||||
/pam_ssh_agent_auth-0.10.4.tar.gz
|
/pam_ssh_agent_auth-0.10.4.tar.gz
|
||||||
|
/openssh-8.5p1.tar.gz
|
||||||
|
/openssh-8.5p1.tar.gz.asc
|
||||||
|
/gpgkey-736060BA.gpg
|
||||||
|
@ -2,14 +2,14 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
|||||||
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
|
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
|
||||||
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
|
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
|
||||||
void
|
log_init(const char *av0, LogLevel level, SyslogFacility facility,
|
||||||
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
|
int on_stderr)
|
||||||
{
|
{
|
||||||
+ log_init_handler(av0, level, facility, on_stderr, 1);
|
+ log_init_handler(av0, level, facility, on_stderr, 1);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+void
|
+void
|
||||||
+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
|
+log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
|
||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||||
#endif
|
#endif
|
||||||
@ -30,10 +30,10 @@ diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
|
|||||||
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
|
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
|
||||||
@@ -49,6 +49,7 @@ typedef enum {
|
@@ -49,6 +49,7 @@ typedef enum {
|
||||||
typedef void (log_handler_fn)(LogLevel, const char *, void *);
|
const char *, void *);
|
||||||
|
|
||||||
void log_init(char *, LogLevel, SyslogFacility, int);
|
void log_init(const char *, LogLevel, SyslogFacility, int);
|
||||||
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
|
+void log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
|
||||||
LogLevel log_level_get(void);
|
LogLevel log_level_get(void);
|
||||||
int log_change_level(LogLevel);
|
int log_change_level(LogLevel);
|
||||||
int log_is_on_stderr(void);
|
int log_is_on_stderr(void);
|
||||||
@ -59,14 +59,14 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
ssh_signal(SIGHUP, &monitor_child_handler);
|
ssh_signal(SIGHUP, &monitor_child_handler);
|
||||||
ssh_signal(SIGTERM, &monitor_child_handler);
|
ssh_signal(SIGTERM, &monitor_child_handler);
|
||||||
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
||||||
|
/* Log it */
|
||||||
if (log_level_name(level) == NULL)
|
if (log_level_name(level) == NULL)
|
||||||
fatal("%s: invalid log level %u (corrupted message?)",
|
fatal_f("invalid log level %u (corrupted message?)", level);
|
||||||
__func__, level);
|
- sshlog(file, func, line, 0, level, NULL, "%s [preauth]", msg);
|
||||||
- do_log2(level, "%s [preauth]", msg);
|
+ sshlog(file, func, line, 0, level, NULL, "%s [%s]", msg, pmonitor->m_state);
|
||||||
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
|
|
||||||
|
|
||||||
sshbuf_free(logmsg);
|
sshbuf_free(logmsg);
|
||||||
free(msg);
|
free(file);
|
||||||
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
||||||
mon = xcalloc(1, sizeof(*mon));
|
mon = xcalloc(1, sizeof(*mon));
|
||||||
monitor_openfds(mon, 1);
|
monitor_openfds(mon, 1);
|
||||||
@ -89,7 +89,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
|
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
|
||||||
+
|
+
|
||||||
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
|
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
|
||||||
+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
|
+ debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
|
||||||
+ do_logfds = 1;
|
+ do_logfds = 1;
|
||||||
+ }
|
+ }
|
||||||
+ free(dev_log_path);
|
+ free(dev_log_path);
|
||||||
|
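Review bot: The existence test at `if (stat(dev_log_path, &dev_log_stat) != 0)` accepts anything at <chroot>/dev/log, so a regular file or directory there disables the monitor-forwarding fallback even though syslog cannot deliver to it; adding the type check, `if (stat(dev_log_path, &dev_log_stat) != 0 || !S_ISSOCK(dev_log_stat.st_mode)) {`, keeps post-auth logging working in that case. The debug message also reports every stat() failure as "doesn't exist", which is misleading for EACCES or ENOTDIR; logging `strerror(errno)` with it would make the reason visible. The enclosing function starts before this hunk.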
@ -34,19 +34,19 @@ index 8f32464..18a2ca4 100644
|
|||||||
+
|
+
|
||||||
+ contexts_path = selinux_openssh_contexts_path();
|
+ contexts_path = selinux_openssh_contexts_path();
|
||||||
+ if (contexts_path == NULL) {
|
+ if (contexts_path == NULL) {
|
||||||
+ debug3("%s: Failed to get the path to SELinux context", __func__);
|
+ debug3_f("Failed to get the path to SELinux context");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
||||||
+ debug("%s: Failed to open SELinux context file", __func__);
|
+ debug_f("Failed to open SELinux context file");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
||||||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
||||||
+ logit("%s: SELinux context file needs to be owned by root"
|
+ logit_f("SELinux context file needs to be owned by root"
|
||||||
+ " and not writable by anyone else", __func__);
|
+ " and not writable by anyone else");
|
||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
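Review bot: The sanity check `sb.st_uid != 0 || (sb.st_mode & 022) != 0` does not require a regular file, so a root-owned directory or special file at the contexts path passes and is then parsed as configuration; adding `|| !S_ISREG(sb.st_mode)` to the same condition closes that gap. The two early failure paths log at different levels (`debug3_f` when the path lookup fails, `debug_f` when fopen fails), which looks accidental rather than deliberate; one level makes a broken SELinux setup easier to spot in the sshd log. The enclosing function starts before this hunk and continues after it.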
@ -70,7 +70,7 @@ index 8f32464..18a2ca4 100644
|
|||||||
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
||||||
+ arg = strdelim(&cp);
|
+ arg = strdelim(&cp);
|
||||||
+ if (!arg || *arg == '\0') {
|
+ if (!arg || *arg == '\0') {
|
||||||
+ debug("%s: privsep_preauth is empty", __func__);
|
+ debug_f("privsep_preauth is empty");
|
||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
@ -80,8 +80,8 @@ index 8f32464..18a2ca4 100644
|
|||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+
|
+
|
||||||
+ if (preauth_context == NULL) {
|
+ if (preauth_context == NULL) {
|
||||||
+ debug("%s: Unable to find 'privsep_preauth' option in"
|
+ debug_f("Unable to find 'privsep_preauth' option in"
|
||||||
+ " SELinux context file", __func__);
|
+ " SELinux context file");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -101,10 +101,11 @@ index 22ea8ef..1fc963d 100644
|
|||||||
if ((cx = index(cx + 1, ':')))
|
if ((cx = index(cx + 1, ':')))
|
||||||
strlcat(newctx, cx, newlen);
|
strlcat(newctx, cx, newlen);
|
||||||
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
||||||
+ debug("%s: setting context from '%s' to '%s'", __func__,
|
+ debug_f("setting context from '%s' to '%s'",
|
||||||
oldctx, newctx);
|
oldctx, newctx);
|
||||||
if (setcon(newctx) < 0)
|
if (setcon(newctx) < 0)
|
||||||
switchlog("%s: setcon %s from %s failed with %s", __func__,
|
do_log2(log_level, "%s: setcon %s from %s failed with %s",
|
||||||
|
__func__, newctx, oldctx, strerror(errno));
|
||||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||||
index cb51f99..8b7cda2 100644
|
index cb51f99..8b7cda2 100644
|
||||||
--- a/openbsd-compat/port-linux.h
|
--- a/openbsd-compat/port-linux.h
|
||||||
|
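Review bot: The result of `strlcat(newctx, cx, newlen)` is not checked, so a context that does not fit in newlen is silently truncated and then handed to setcon(), where the only diagnostic is the generic failure message; testing `if (strlcat(newctx, cx, newlen) >= newlen)` and logging the truncation before the setcon call gives an actionable error. This is pre-existing code that the commit only re-logs around, but it sits in the hunk. `index()` is the legacy BSD spelling of `strchr()`; the portable name would read more clearly. The enclosing function starts before this hunk.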
@ -39,8 +39,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -418,7 +421,7 @@ typedef enum {
|
@@ -418,7 +421,7 @@ typedef enum {
|
||||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
|
||||||
sHostKeyAlgorithms,
|
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
diff -up openssh/auth.c.keycat openssh/misc.c
|
diff -up openssh/misc.c.keycat openssh/misc.c
|
||||||
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||||
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200
|
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
|
||||||
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
|
@@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw
|
||||||
|
error("%s: dup2: %s", tag, strerror(errno));
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||||
+ error ("failed to copy environment: %s",
|
+ error ("failed to copy environment: %s",
|
||||||
@ -12,10 +12,9 @@ diff -up openssh/auth.c.keycat openssh/misc.c
|
|||||||
+ _exit(127);
|
+ _exit(127);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+
|
if (env != NULL)
|
||||||
execve(av[0], av, child_env);
|
execve(av[0], av, env);
|
||||||
error("%s exec \"%s\": %s", tag, command, strerror(errno));
|
else
|
||||||
_exit(127);
|
|
||||||
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
|
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
|
||||||
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
|
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
|
||||||
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
|
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
|
||||||
|
@ -193,7 +193,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -399,7 +402,7 @@ typedef enum {
|
@@ -399,7 +402,7 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||||
|
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
|||||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
||||||
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
||||||
debug3("%s: done", __func__);
|
debug3_f("done");
|
||||||
}
|
}
|
||||||
|
|
||||||
+void
|
+void
|
||||||
@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
|||||||
+ return;
|
+ return;
|
||||||
+
|
+
|
||||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||||
+ logit("%s: getexeccon failed with %s", __func__, strerror(errno));
|
+ logit_f("getexeccon failed with %s", strerror(errno));
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+ if (ctx != NULL) {
|
+ if (ctx != NULL) {
|
||||||
+ /* unset exec context before we will lose this capabililty */
|
+ /* unset exec context before we will lose this capabililty */
|
||||||
+ if (setexeccon(NULL) != 0)
|
+ if (setexeccon(NULL) != 0)
|
||||||
+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno));
|
+ fatal_f("setexeccon failed with %s", strerror(errno));
|
||||||
+ if (setcon(ctx) != 0)
|
+ if (setcon(ctx) != 0)
|
||||||
+ fatal("%s: setcon failed with %s", __func__, strerror(errno));
|
+ fatal_f("setcon failed with %s", strerror(errno));
|
||||||
+ freecon(ctx);
|
+ freecon(ctx);
|
||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
|
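Review bot: The comment `/* unset exec context before we will lose this capabililty */` misspells "capability" and is hard to parse; `/* clear the exec context while we still have the capability to do so */` says the same thing plainly. The cast in `getexeccon((security_context_t *)&ctx)` is only needed if ctx is not declared as `char *`, and its declaration is outside the hunk — if it already is a `char *`, the cast can be dropped. The enclosing function starts before this hunk.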
@ -34,7 +34,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
|||||||
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
||||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
||||||
error("%s: cannot allocate fds for pty", __func__);
|
error_f("cannot allocate fds for pty");
|
||||||
- if (tmp1 > 0)
|
- if (tmp1 > 0)
|
||||||
+ if (tmp1 >= 0)
|
+ if (tmp1 >= 0)
|
||||||
close(tmp1);
|
close(tmp1);
|
||||||
@ -120,11 +120,11 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
|||||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
||||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||||
debug2("%s: reading", __func__);
|
debug2_f("reading");
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
@@ -518,7 +518,7 @@ server_request_tun(void)
|
||||||
debug("%s: invalid tun", __func__);
|
debug_f("invalid tun");
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
- if (auth_opts->force_tun_device != -1) {
|
- if (auth_opts->force_tun_device != -1) {
|
||||||
|
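Review bot: The drain loop `while (read(notify_pipe[0], &c, 1) >= 0)` also continues on a return of 0, which read() gives at end-of-file once every writer of the pipe is gone, so in that situation the loop would spin logging "reading"; `while (read(notify_pipe[0], &c, 1) > 0)` stops on both EOF and error. The old `!= -1` form had the same property, so this is not a regression introduced by the commit, but the rewrite is the natural place to tighten it. The loop presumably relies on notify_pipe[0] being non-blocking, which is set outside the hunk — confirm. The enclosing function starts before this hunk.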
@ -13,33 +13,33 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+ int r, ret = 0;
|
+ int r, ret = 0;
|
||||||
+
|
+
|
||||||
+ debug3("%s: entering", __func__);
|
+ debug3_f("entering");
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ do {
|
+ do {
|
||||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||||
+ if (blen == 0) /* closed pipe */
|
+ if (blen == 0) /* closed pipe */
|
||||||
+ break;
|
+ break;
|
||||||
+ if (blen != sizeof(buf)) {
|
+ if (blen != sizeof(buf)) {
|
||||||
+ error("%s: Failed to read the buffer from child", __func__);
|
+ error_f("Failed to read the buffer from child");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ msg_len = get_u32(buf);
|
+ msg_len = get_u32(buf);
|
||||||
+ if (msg_len > 256 * 1024)
|
+ if (msg_len > 256 * 1024)
|
||||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
+ fatal_f("read: bad msg_len %d", msg_len);
|
||||||
+ sshbuf_reset(m);
|
+ sshbuf_reset(m);
|
||||||
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
+ error_f("Failed to read the the buffer content from the child");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to write the message to the monitor", __func__);
|
+ error_f("Failed to write the message to the monitor");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
|
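Review bot: `fatal_f("read: bad msg_len %d", msg_len)` formats msg_len with `%d`, but the value comes from `get_u32(buf)` and is compared as an unsigned length, so `%u` is the matching specifier: `fatal_f("read: bad msg_len %u", msg_len);` — this assumes msg_len is declared u_int, which is outside the hunk. The message `"Failed to read the the buffer content from the child"` has a doubled "the". A short header read (`blen != sizeof(buf)`) sets ret = -1 and breaks, while an oversized length is fatal; the reason malformed input from the child is recoverable in one case and fatal in the other deserves a one-line comment at the `if (msg_len > 256 * 1024)` check. The enclosing function starts before this hunk and continues after it.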
@ -49,7 +49,7 @@ index a7c0c5f..df8cc9a 100644
|
|||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+
|
+
|
||||||
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
||||||
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
|
+ debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
|
||||||
+ if (k5login_directory == NULL || ret != 0) {
|
+ if (k5login_directory == NULL || ret != 0) {
|
||||||
+ /* If not set, the library will look for k5login
|
+ /* If not set, the library will look for k5login
|
||||||
+ * files in the user's home directory, with the filename .k5login.
|
+ * files in the user's home directory, with the filename .k5login.
|
||||||
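Review bot: `debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret)` passes k5login_directory to `%s` before the `k5login_directory == NULL` test on the following line, so on the error path a NULL pointer reaches the format, which is undefined behaviour even where glibc happens to print "(null)"; `debug3_f("k5login_directory = %s (rv=%d)", k5login_directory != NULL ? k5login_directory : "(null)", ret);` or moving the debug after the check avoids it. The enclosing function starts before this hunk and continues after it.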
@ -64,7 +64,7 @@ index a7c0c5f..df8cc9a 100644
|
|||||||
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
||||||
+ pw->pw_name);
|
+ pw->pw_name);
|
||||||
+ }
|
+ }
|
||||||
+ debug("%s: Checking existence of file %s", __func__, file);
|
+ debug_f("Checking existence of file %s", file);
|
||||||
|
|
||||||
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
||||||
return access(file, F_OK) == 0;
|
return access(file, F_OK) == 0;
|
||||||
|
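Review bot: `k5login_directory[strlen(k5login_directory)-1]` indexes one byte before the string when k5login_directory is the empty string, because strlen() is 0 and the subtraction wraps to SIZE_MAX; the NULL/ret check in the preceding hunk does not exclude "". Guarding with `*k5login_directory != '\0' &&` ahead of the strlen, or treating "" like the unset case, removes the out-of-bounds read. Whether the Kerberos library can return an empty directory is not visible here — confirm. The enclosing function starts before this hunk.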
@ -943,7 +943,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
|
|||||||
return SSH_ERR_NO_CIPHER_ALG_MATCH;
|
return SSH_ERR_NO_CIPHER_ALG_MATCH;
|
||||||
+ }
|
+ }
|
||||||
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
if ((enc->cipher = cipher_by_name(name)) == NULL) {
|
||||||
error("%s: unsupported cipher %s", __func__, name);
|
error_f("unsupported cipher %s", name);
|
||||||
free(name);
|
free(name);
|
||||||
@@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
@@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||||
{
|
{
|
||||||
@ -957,7 +957,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
|
|||||||
return SSH_ERR_NO_MAC_ALG_MATCH;
|
return SSH_ERR_NO_MAC_ALG_MATCH;
|
||||||
+ }
|
+ }
|
||||||
if (mac_setup(mac, name) < 0) {
|
if (mac_setup(mac, name) < 0) {
|
||||||
error("%s: unsupported MAC %s", __func__, name);
|
error_f("unsupported MAC %s", name);
|
||||||
free(name);
|
free(name);
|
||||||
@@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma
|
@@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma
|
||||||
}
|
}
|
||||||
@ -1094,7 +1094,7 @@ diff -up openssh/Makefile.in.audit openssh/Makefile.in
|
|||||||
--- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200
|
--- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200
|
||||||
+++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200
|
+++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200
|
||||||
@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
||||||
kexgssc.o \
|
kexgssc.o \
|
||||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
- sshbuf-io.o
|
- sshbuf-io.o
|
||||||
@ -1172,15 +1172,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
|
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||||
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
|
||||||
!monitor_allowed_key(blob, bloblen))
|
!monitor_allowed_key(blob, bloblen))
|
||||||
fatal("%s: bad key, not previously allowed", __func__);
|
fatal_f("bad key, not previously allowed");
|
||||||
+ if (type != key_blobtype)
|
+ if (type != key_blobtype)
|
||||||
+ fatal("%s: bad key type", __func__);
|
+ fatal_f("bad key type");
|
||||||
|
|
||||||
/* Empty signature algorithm means NULL. */
|
/* Empty signature algorithm means NULL. */
|
||||||
if (*sigalg == '\0') {
|
if (*sigalg == '\0') {
|
||||||
@@ -1470,25 +1491,28 @@ mm_answer_keyverify(struct ssh *ssh, int
|
@@ -1470,27 +1491,30 @@ mm_answer_keyverify(struct ssh *ssh, int
|
||||||
case MM_USERKEY:
|
case MM_USERKEY:
|
||||||
valid_data = monitor_valid_userblob(data, datalen);
|
valid_data = monitor_valid_userblob(ssh, data, datalen);
|
||||||
auth_method = "publickey";
|
auth_method = "publickey";
|
||||||
+ ret = user_key_verify(ssh, key, signature, signaturelen, data,
|
+ ret = user_key_verify(ssh, key, signature, signaturelen, data,
|
||||||
+ datalen, sigalg, ssh->compat, &sig_details);
|
+ datalen, sigalg, ssh->compat, &sig_details);
|
||||||
@ -1198,15 +1198,17 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (!valid_data)
|
if (!valid_data)
|
||||||
fatal("%s: bad signature data blob", __func__);
|
fatal_f("bad %s signature data blob",
|
||||||
|
key_blobtype == MM_USERKEY ? "userkey" :
|
||||||
|
(key_blobtype == MM_HOSTKEY ? "hostkey" : "unknown"));
|
||||||
|
|
||||||
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||||
SSH_FP_DEFAULT)) == NULL)
|
SSH_FP_DEFAULT)) == NULL)
|
||||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
fatal_f("sshkey_fingerprint failed");
|
||||||
|
|
||||||
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
- ret = sshkey_verify(key, signature, signaturelen, data, datalen,
|
||||||
- sigalg, ssh->compat, &sig_details);
|
- sigalg, ssh->compat, &sig_details);
|
||||||
debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key,
|
debug3_f("%s %p signature %s%s%s", auth_method, key,
|
||||||
(ret == 0) ? "verified" : "unverified",
|
(ret == 0) ? "verified" : "unverified",
|
||||||
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
|
||||||
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
|
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
|
||||||
@ -1216,14 +1218,14 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
-mm_session_close(Session *s)
|
-mm_session_close(Session *s)
|
||||||
+mm_session_close(struct ssh *ssh, Session *s)
|
+mm_session_close(struct ssh *ssh, Session *s)
|
||||||
{
|
{
|
||||||
debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
|
debug3_f("session %d pid %ld", s->self, (long)s->pid);
|
||||||
if (s->ttyfd != -1) {
|
if (s->ttyfd != -1) {
|
||||||
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
|
debug3_f("tty %s ptyfd %d", s->tty, s->ptyfd);
|
||||||
session_pty_cleanup2(s);
|
session_pty_cleanup2(s);
|
||||||
}
|
}
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ if (s->command != NULL) {
|
+ if (s->command != NULL) {
|
||||||
+ debug3("%s: command %d", __func__, s->command_handle);
|
+ debug3_f("command %d", s->command_handle);
|
||||||
+ session_end_command2(ssh, s);
|
+ session_end_command2(ssh, s);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
@ -1237,11 +1239,11 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
- mm_session_close(s);
|
- mm_session_close(s);
|
||||||
+ mm_session_close(ssh, s);
|
+ mm_session_close(ssh, s);
|
||||||
if ((r = sshbuf_put_u32(m, 0)) != 0)
|
if ((r = sshbuf_put_u32(m, 0)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "assemble 0");
|
||||||
mm_request_send(sock, MONITOR_ANS_PTY, m);
|
mm_request_send(sock, MONITOR_ANS_PTY, m);
|
||||||
@@ -1628,7 +1658,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
|
@@ -1628,7 +1658,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
|
||||||
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse tty");
|
||||||
if ((s = session_by_tty(tty)) != NULL)
|
if ((s = session_by_tty(tty)) != NULL)
|
||||||
- mm_session_close(s);
|
- mm_session_close(s);
|
||||||
+ mm_session_close(ssh, s);
|
+ mm_session_close(ssh, s);
|
||||||
@ -1271,7 +1273,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
- audit_run_command(cmd);
|
- audit_run_command(cmd);
|
||||||
+ s = session_new();
|
+ s = session_new();
|
||||||
+ if (s == NULL)
|
+ if (s == NULL)
|
||||||
+ fatal("%s: error allocating a session", __func__);
|
+ fatal_f("error allocating a session");
|
||||||
+ s->command = cmd;
|
+ s->command = cmd;
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ s->command_handle = audit_run_command(ssh, cmd);
|
+ s->command_handle = audit_run_command(ssh, cmd);
|
||||||
@ -1293,15 +1295,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+ u_char *cmd = NULL;
|
+ u_char *cmd = NULL;
|
||||||
+ Session *s;
|
+ Session *s;
|
||||||
+
|
+
|
||||||
+ debug3("%s entering", __func__);
|
+ debug3_f("entering");
|
||||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
|
+ if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, &cmd, &len)) != 0)
|
+ (r = sshbuf_get_string(m, &cmd, &len)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ s = session_by_id(handle);
|
+ s = session_by_id(handle);
|
||||||
+ if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
|
+ if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
|
||||||
+ strcmp(s->command, cmd) != 0)
|
+ strcmp(s->command, cmd) != 0)
|
||||||
+ fatal("%s: invalid handle", __func__);
|
+ fatal_f("invalid handle");
|
||||||
+ mm_session_close(ssh, s);
|
+ mm_session_close(ssh, s);
|
||||||
free(cmd);
|
free(cmd);
|
||||||
return (0);
|
return (0);
|
||||||
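Review bot: `cmd` is read with `sshbuf_get_string`, which returns arbitrary bytes, and then compared with `strcmp(s->command, cmd)`, so an embedded NUL in the message would end the comparison early and a `u_char *` is passed where strcmp expects `const char *`; declaring `char *cmd = NULL;` and reading it with `(r = sshbuf_get_cstring(m, &cmd, &len)) != 0` rejects embedded NULs and matches the type (len then excludes the terminator). The message comes from the post-auth child over the monitor socket, so this is a robustness point rather than a privilege boundary — verify against the sender. The enclosing function starts before this hunk.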
@ -1311,13 +1313,13 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
{
|
{
|
||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
debug3("%s: Waiting for new keys", __func__);
|
debug3_f("Waiting for new keys");
|
||||||
|
|
||||||
if ((child_state = sshbuf_new()) == NULL)
|
if ((child_state = sshbuf_new()) == NULL)
|
||||||
@@ -1774,6 +1842,19 @@ mm_get_keystate(struct ssh *ssh, struct
|
@@ -1774,6 +1842,19 @@ mm_get_keystate(struct ssh *ssh, struct
|
||||||
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
|
||||||
child_state);
|
child_state);
|
||||||
debug3("%s: GOT new keys", __func__);
|
debug3_f("GOT new keys");
|
||||||
+
|
+
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ m = sshbuf_new();
|
+ m = sshbuf_new();
|
||||||
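Review bot: `struct sshbuf *m;` is declared unconditionally at the top of mm_get_keystate, but its only visible use, `m = sshbuf_new();`, is under `#ifdef SSH_AUDIT_EVENTS`, so builds without audit support get an unused-variable warning; wrapping the declaration in the same `#ifdef` fixes that. The `sshbuf_new()` result is also assigned without the `== NULL` check the rest of this patch uses (`fatal_f("sshbuf_new failed")`) — unless that check is on the line after the hunk, which is not visible here. The hunk ends inside the `#ifdef` block.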
@ -1345,7 +1347,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+ int what, r;
|
+ int what, r;
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &what)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &what)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ audit_unsupported_body(ssh, what);
|
+ audit_unsupported_body(ssh, what);
|
||||||
+
|
+
|
||||||
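Review bot: `what` is declared `int` but filled through `sshbuf_get_u32(m, &what)`, whose output parameter is a `u_int32_t *`, so the call passes a mismatched pointer type and relies on the two types sharing a representation; declaring `u_int what;` (and passing it to audit_unsupported_body as such) removes the mismatch. The same pattern may apply to `ctos` in the later hunks if it is declared int there, which is not visible. The enclosing function starts before this hunk.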
@ -1370,10 +1372,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+ (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
|
+ (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
|
+ (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ pid = (pid_t) tmp;
|
+ pid = (pid_t) tmp;
|
||||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ uid = (pid_t) tmp;
|
+ uid = (pid_t) tmp;
|
||||||
+
|
+
|
||||||
+ audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid);
|
+ audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid);
|
||||||
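Review bot: `uid = (pid_t) tmp;` casts the second u64 to pid_t even though it is stored in uid, while the parallel code in the following hunks writes `uid = (uid_t) tmp;`; on a platform where the two typedefs differ in width or signedness the value would be narrowed differently. Use `uid = (uid_t) tmp;` here for consistency with the other audit handlers. The enclosing function starts before this hunk.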
@ -1398,10 +1400,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
|
+ if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
|
||||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ pid = (pid_t) tmp;
|
+ pid = (pid_t) tmp;
|
||||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ uid = (uid_t) tmp;
|
+ uid = (uid_t) tmp;
|
||||||
+
|
+
|
||||||
+ audit_session_key_free_body(ssh, ctos, pid, uid);
|
+ audit_session_key_free_body(ssh, ctos, pid, uid);
|
||||||
@ -1423,10 +1425,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
|
|||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
|
+ if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
|
||||||
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ (r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ pid = (pid_t) tmp;
|
+ pid = (pid_t) tmp;
|
||||||
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
+ if ((r = sshbuf_get_u64(m, &tmp)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ uid = (uid_t) tmp;
|
+ uid = (uid_t) tmp;
|
||||||
+
|
+
|
||||||
+ audit_destroy_sensitive_data(ssh, fp, pid, uid);
|
+ audit_destroy_sensitive_data(ssh, fp, pid, uid);
|
||||||
@ -1470,7 +1472,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
|
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
|
||||||
*sig_detailsp = NULL;
|
*sig_detailsp = NULL;
|
||||||
if ((m = sshbuf_new()) == NULL)
|
if ((m = sshbuf_new()) == NULL)
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal_f("sshbuf_new failed");
|
||||||
- if ((r = sshkey_puts(key, m)) != 0 ||
|
- if ((r = sshkey_puts(key, m)) != 0 ||
|
||||||
+ if ((r = sshbuf_put_u32(m, type)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, type)) != 0 ||
|
||||||
+ (r = sshkey_puts(key, m)) != 0 ||
|
+ (r = sshkey_puts(key, m)) != 0 ||
|
||||||
@ -1522,7 +1524,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &handle)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &handle)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+
|
+
|
||||||
+ return (handle);
|
+ return (handle);
|
||||||
@ -1534,13 +1536,13 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ int r;
|
+ int r;
|
||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ debug3("%s entering command %s", __func__, command);
|
+ debug3_f("entering command %s", command);
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, handle)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, handle)) != 0 ||
|
||||||
+ (r = sshbuf_put_cstring(m, command)) != 0)
|
+ (r = sshbuf_put_cstring(m, command)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
|
||||||
sshbuf_free(m);
|
sshbuf_free(m);
|
||||||
@ -1558,9 +1560,9 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, what)) != 0)
|
+ if ((r = sshbuf_put_u32(m, what)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||||
@ -1577,7 +1579,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||||
+ (r = sshbuf_put_cstring(m, cipher)) != 0 ||
|
+ (r = sshbuf_put_cstring(m, cipher)) != 0 ||
|
||||||
+ (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
|
+ (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
|
||||||
@ -1585,7 +1587,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ (r = sshbuf_put_cstring(m, fps)) != 0 ||
|
+ (r = sshbuf_put_cstring(m, fps)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
|
||||||
@ -1601,11 +1603,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
|
||||||
@ -1620,11 +1622,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
|
+ if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
+ (r = sshbuf_put_u64(m, pid)) != 0 ||
|
||||||
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
+ (r = sshbuf_put_u64(m, uid)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
@ -1903,7 +1905,7 @@ diff -up openssh/session.c.audit openssh/session.c
|
|||||||
+ if (s->used)
|
+ if (s->used)
|
||||||
+ return s;
|
+ return s;
|
||||||
+ }
|
+ }
|
||||||
+ debug("%s: unknown id %d", __func__, id);
|
+ debug_f("unknown id %d", id);
|
||||||
+ session_dump();
|
+ session_dump();
|
||||||
+ return NULL;
|
+ return NULL;
|
||||||
+}
|
+}
|
||||||
@ -2115,7 +2117,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
|
|||||||
sshkey_free(sensitive_data.host_certificates[i]);
|
sshkey_free(sensitive_data.host_certificates[i]);
|
||||||
sensitive_data.host_certificates[i] = NULL;
|
sensitive_data.host_certificates[i] = NULL;
|
||||||
}
|
}
|
||||||
@@ -400,14 +437,26 @@ destroy_sensitive_data(void)
|
@@ -400,20 +437,38 @@ destroy_sensitive_data(void)
|
||||||
|
|
||||||
/* Demote private to public keys for network child */
|
/* Demote private to public keys for network child */
|
||||||
void
|
void
|
||||||
@ -2142,9 +2144,8 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
|
|||||||
+ fp = NULL;
|
+ fp = NULL;
|
||||||
if ((r = sshkey_from_private(
|
if ((r = sshkey_from_private(
|
||||||
sensitive_data.host_keys[i], &tmp)) != 0)
|
sensitive_data.host_keys[i], &tmp)) != 0)
|
||||||
fatal("could not demote host %s key: %s",
|
fatal_r(r, "could not demote host %s key",
|
||||||
@@ -415,6 +464,12 @@ demote_sensitive_data(void)
|
sshkey_type(sensitive_data.host_keys[i]));
|
||||||
ssh_err(r));
|
|
||||||
sshkey_free(sensitive_data.host_keys[i]);
|
sshkey_free(sensitive_data.host_keys[i]);
|
||||||
sensitive_data.host_keys[i] = tmp;
|
sensitive_data.host_keys[i] = tmp;
|
||||||
+ if (fp != NULL) {
|
+ if (fp != NULL) {
|
||||||
@ -2254,7 +2255,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
|
|||||||
do_cleanup(the_active_state, the_authctxt);
|
do_cleanup(the_active_state, the_authctxt);
|
||||||
if (use_privsep && privsep_is_preauth &&
|
if (use_privsep && privsep_is_preauth &&
|
||||||
@@ -2414,9 +2482,16 @@ cleanup_exit(int i)
|
@@ -2414,9 +2482,16 @@ cleanup_exit(int i)
|
||||||
pmonitor->m_pid, strerror(errno));
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
|
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
|
||||||
|
@ -2,9 +2,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
|||||||
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
||||||
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -72,6 +72,9 @@
|
@@ -72,6 +72,9 @@
|
||||||
|
|
||||||
|
/* import */
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
extern u_char *session_id2;
|
|
||||||
extern u_int session_id2_len;
|
|
||||||
+extern int inetd_flag;
|
+extern int inetd_flag;
|
||||||
+extern int rexeced_flag;
|
+extern int rexeced_flag;
|
||||||
+extern Authctxt *the_authctxt;
|
+extern Authctxt *the_authctxt;
|
||||||
@ -12,59 +12,59 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
|||||||
static char *
|
static char *
|
||||||
format_key(const struct sshkey *key)
|
format_key(const struct sshkey *key)
|
||||||
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
||||||
|
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
|
||||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
|
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||||
|
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
||||||
|
if ((pid = subprocess("AuthorizedKeysCommand", command,
|
||||||
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
|
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||||
|
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
diff -up openssh/auth.c.refactor openssh/auth.c
|
diff -up openssh/misc.c.refactor openssh/misc.c
|
||||||
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
--- openssh/misc.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
||||||
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/misc.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
||||||
*/
|
|
||||||
pid_t
|
pid_t
|
||||||
subprocess(const char *tag, struct passwd *pw, const char *command,
|
subprocess(const char *tag, const char *command,
|
||||||
- int ac, char **av, FILE **child, u_int flags)
|
int ac, char **av, FILE **child, u_int flags,
|
||||||
+ int ac, char **av, FILE **child, u_int flags, int inetd,
|
- struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
|
||||||
+ void *the_authctxt)
|
+ struct passwd *pw, privdrop_fn *drop_privs,
|
||||||
|
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
|
||||||
{
|
{
|
||||||
FILE *f = NULL;
|
FILE *f = NULL;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
||||||
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
- if (sshd_selinux_setup_env_variables() < 0) {
|
- if (sshd_selinux_setup_env_variables() < 0) {
|
||||||
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
||||||
error ("failed to copy environment: %s",
|
error ("failed to copy environment: %s",
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
_exit(127);
|
_exit(127);
|
||||||
diff -up openssh/auth.h.refactor openssh/auth.h
|
diff -up openssh/misc.h.refactor openssh/misc.h
|
||||||
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
--- openssh/misc.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
||||||
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/misc.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
||||||
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
|
#define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
|
||||||
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
|
#define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
|
||||||
pid_t subprocess(const char *, struct passwd *,
|
pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
|
||||||
- const char *, int, char **, FILE **, u_int flags);
|
- struct passwd *, privdrop_fn *, privrestore_fn *);
|
||||||
+ const char *, int, char **, FILE **, u_int flags, int, void *);
|
+ struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
|
||||||
|
|
||||||
int sys_auth_passwd(struct ssh *, const char *);
|
|
||||||
|
|
||||||
|
typedef struct arglist arglist;
|
||||||
|
struct arglist {
|
||||||
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
||||||
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@ -145,7 +145,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
char *role;
|
char *role;
|
||||||
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3_f("setting execution context");
|
||||||
|
|
||||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||||
@ -203,10 +203,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
||||||
switch (security_getenforce()) {
|
switch (security_getenforce()) {
|
||||||
case -1:
|
case -1:
|
||||||
fatal("%s: security_getenforce() failed", __func__);
|
fatal_f("security_getenforce() failed");
|
||||||
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3_f("setting execution context");
|
||||||
|
|
||||||
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
||||||
@ -269,3 +269,15 @@ diff -up openssh/sshd.c.refactor openssh/sshd.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (options.use_pam) {
|
if (options.use_pam) {
|
||||||
|
diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c
|
||||||
|
--- openssh/sshconnect.c.refactor 2021-02-24 00:12:03.065325046 +0100
|
||||||
|
+++ openssh/sshconnect.c 2021-02-24 00:12:12.126449544 +0100
|
||||||
|
@@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h
|
||||||
|
|
||||||
|
if ((pid = subprocess(tag, command, ac, av, &f,
|
||||||
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
|
||||||
|
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
|
||||||
|
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);
|
||||||
|
@ -165,7 +165,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
|||||||
+
|
+
|
||||||
/* Not a KEX value, but here so all the algorithm defaults are together */
|
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||||
#define SSH_ALLOWED_CA_SIGALGS \
|
#define SSH_ALLOWED_CA_SIGALGS \
|
||||||
"ecdsa-sha2-nistp256," \
|
"ssh-ed25519," \
|
||||||
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
||||||
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
|
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
|
||||||
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
|
||||||
@ -416,7 +416,7 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
|
|||||||
if (!BN_set_word(f4, RSA_F4) ||
|
if (!BN_set_word(f4, RSA_F4) ||
|
||||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||||
+ if (FIPS_mode())
|
+ if (FIPS_mode())
|
||||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
+ logit_f("the key length might be unsupported by FIPS mode approved key generation method");
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
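Review bot: The diagnostic emitted when RSA_generate_key_ex() fails under FIPS, `logit_f("the key length might be unsupported by FIPS mode approved key generation method")`, omits the size that was rejected even though it is in scope as `bits` on the line above; `logit_f("key length %u might be unsupported by FIPS mode approved key generation method", bits)` tells the operator what to change (the declaration of bits is outside this hunk, so confirm its type matches the specifier). The check is also reactive: it fires only after the libcrypto call has already failed, so a non-approved size is not rejected up front. If this package is later built against an OpenSSL that no longer provides `FIPS_mode()`, this gate needs the newer FIPS-state query; nothing in the rebase shows which OpenSSL is targeted. The enclosing key-generation function starts and ends outside the hunk, and the myproposal.h hunk is context-only.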
|
@ -151,7 +151,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ssh_krb5_expand_template(char **result, const char *template) {
|
+ssh_krb5_expand_template(char **result, const char *template) {
|
||||||
+ char *p_n, *p_o, *r, *tmp_template;
|
+ char *p_n, *p_o, *r, *tmp_template;
|
||||||
+
|
+
|
||||||
+ debug3("%s: called, template = %s", __func__, template);
|
+ debug3_f("called, template = %s", template);
|
||||||
+ if (template == NULL)
|
+ if (template == NULL)
|
||||||
+ return -1;
|
+ return -1;
|
||||||
+
|
+
|
||||||
@ -179,7 +179,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ } else {
|
+ } else {
|
||||||
+ p_o = strchr(p_n, '}') + 1;
|
+ p_o = strchr(p_n, '}') + 1;
|
||||||
+ *p_o = '\0';
|
+ *p_o = '\0';
|
||||||
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
|
+ debug_f("unsupported token %s in %s", p_n, template);
|
||||||
+ /* unknown token, fallback to the default */
|
+ /* unknown token, fallback to the default */
|
||||||
+ goto cleanup;
|
+ goto cleanup;
|
||||||
+ }
|
+ }
|
||||||
@ -207,7 +207,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+ char *value = NULL;
|
+ char *value = NULL;
|
||||||
+
|
+
|
||||||
+ debug3("%s: called", __func__);
|
+ debug3_f("called");
|
||||||
+ ret = krb5_get_profile(ctx, &p);
|
+ ret = krb5_get_profile(ctx, &p);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
+ return ret;
|
+ return ret;
|
||||||
@ -218,7 +218,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+
|
+
|
||||||
+ ret = ssh_krb5_expand_template(ccname, value);
|
+ ret = ssh_krb5_expand_template(ccname, value);
|
||||||
+
|
+
|
||||||
+ debug3("%s: returning with ccname = %s", __func__, *ccname);
|
+ debug3_f("returning with ccname = %s", *ccname);
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
@ -242,7 +242,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
- logit("mkstemp(): %.100s", strerror(oerrno));
|
- logit("mkstemp(): %.100s", strerror(oerrno));
|
||||||
- return oerrno;
|
- return oerrno;
|
||||||
- }
|
- }
|
||||||
+ debug3("%s: called", __func__);
|
+ debug3_f("called");
|
||||||
+ if (need_environment)
|
+ if (need_environment)
|
||||||
+ *need_environment = 0;
|
+ *need_environment = 0;
|
||||||
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
||||||
@ -283,7 +283,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
- close(tmpfd);
|
- close(tmpfd);
|
||||||
|
|
||||||
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
+ debug3("%s: setting default ccname to %s", __func__, ccname);
|
+ debug3_f("setting default ccname to %s", ccname);
|
||||||
+ /* set the default with already expanded user IDs */
|
+ /* set the default with already expanded user IDs */
|
||||||
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
@ -304,13 +304,13 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ * a primary cache for this collection, if it supports that (non-FILE)
|
+ * a primary cache for this collection, if it supports that (non-FILE)
|
||||||
+ */
|
+ */
|
||||||
+ if (krb5_cc_support_switch(ctx, type)) {
|
+ if (krb5_cc_support_switch(ctx, type)) {
|
||||||
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname);
|
+ debug3_f("calling cc_new_unique(%s)", ccname);
|
||||||
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
||||||
+ free(type);
|
+ free(type);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+
|
+
|
||||||
+ debug3("%s: calling cc_switch()", __func__);
|
+ debug3_f("calling cc_switch()");
|
||||||
+ return krb5_cc_switch(ctx, *ccache);
|
+ return krb5_cc_switch(ctx, *ccache);
|
||||||
+ } else {
|
+ } else {
|
||||||
+ /* Otherwise, we can not create a unique ccname here (either
|
+ /* Otherwise, we can not create a unique ccname here (either
|
||||||
@ -318,7 +318,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ * collections
|
+ * collections
|
||||||
+ */
|
+ */
|
||||||
+ free(type);
|
+ free(type);
|
||||||
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname);
|
+ debug3_f("calling cc_resolve(%s)", ccname);
|
||||||
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
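Review bot: In the unsupported-token branch of ssh_krb5_expand_template(), `p_o = strchr(p_n, '}') + 1;` followed by `*p_o = '\0';` dereferences NULL+1 when a `%{` token in the ccache template has no closing brace, crashing the process instead of falling back; replace the two lines with `if ((p_o = strchr(p_n, '}')) == NULL) goto cleanup;` and `*++p_o = '\0';` (cleanup appears to be the existing fallback path taken right after for unknown tokens). The template is read from the krb5 profile via krb5_get_profile(), so as far as the hunk shows this is an admin-configuration robustness issue rather than a remotely triggered one. Separately, ssh_krb5_get_cctemplate() logs `*ccname` with %s unconditionally after the expansion call even when that call returned non-zero; if callers do not initialise *ccname, log it only when `ret == 0`, or use `*ccname ? *ccname : "(null)"`. Both functions begin outside their hunks.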
@ -513,7 +513,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_keyex == -1)
|
if (options->gss_keyex == -1)
|
||||||
@@ -447,7 +450,8 @@ typedef enum {
|
@@ -447,7 +450,8 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
||||||
|
@ -52,7 +52,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
|||||||
gss_buffer_desc mic, gssbuf;
|
gss_buffer_desc mic, gssbuf;
|
||||||
const char *displayname;
|
const char *displayname;
|
||||||
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal_f("sshbuf_new failed");
|
||||||
mic.value = p;
|
mic.value = p;
|
||||||
mic.length = len;
|
mic.length = len;
|
||||||
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||||
@ -63,7 +63,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
|||||||
+#endif
|
+#endif
|
||||||
+ micuser = authctxt->user;
|
+ micuser = authctxt->user;
|
||||||
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
||||||
"gssapi-with-mic");
|
"gssapi-with-mic", ssh->kex->session_id);
|
||||||
|
|
||||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
@ -80,7 +80,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
|||||||
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||||
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
/* reconstruct packet */
|
/* reconstruct packet */
|
||||||
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
|
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
|
||||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ (authctxt->role
|
+ (authctxt->role
|
||||||
@ -224,8 +224,8 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
+ monitor_permit_authentications(1);
|
+ monitor_permit_authentications(1);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||||
+ debug3("%s: role=%s", __func__, authctxt->role);
|
+ debug3_f("role=%s", authctxt->role);
|
||||||
+
|
+
|
||||||
+ if (strlen(authctxt->role) == 0) {
|
+ if (strlen(authctxt->role) == 0) {
|
||||||
+ free(authctxt->role);
|
+ free(authctxt->role);
|
||||||
@ -251,7 +251,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse userstyle");
|
||||||
+ if ((s = strchr(cp, '/')) != NULL)
|
+ if ((s = strchr(cp, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
@ -269,7 +269,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse userstyle");
|
||||||
+ if ((s = strchr(p, '/')) != NULL)
|
+ if ((s = strchr(p, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
@ -305,12 +305,12 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
|||||||
+ int r;
|
+ int r;
|
||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ debug3("%s entering", __func__);
|
+ debug3_f("entering");
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
@ -357,7 +357,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
|||||||
-void
|
-void
|
||||||
-ssh_selinux_setup_exec_context(char *pwname)
|
-ssh_selinux_setup_exec_context(char *pwname)
|
||||||
-{
|
-{
|
||||||
- security_context_t user_ctx = NULL;
|
- char *user_ctx = NULL;
|
||||||
-
|
-
|
||||||
- if (!ssh_selinux_enabled())
|
- if (!ssh_selinux_enabled())
|
||||||
- return;
|
- return;
|
||||||
@ -393,7 +393,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
|||||||
|
|
||||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||||
+ if (getexeccon(&user_ctx) != 0) {
|
+ if (getexeccon(&user_ctx) != 0) {
|
||||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
+ error_f("getexeccon: %s", strerror(errno));
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -418,7 +418,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
|
|||||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -0,0 +1,425 @@
|
@@ -0,0 +1,421 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||||
@ -530,7 +530,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ access_vector_t bit;
|
+ access_vector_t bit;
|
||||||
+ security_class_t class;
|
+ security_class_t class;
|
||||||
+
|
+
|
||||||
+ debug("%s: src:%s dst:%s", __func__, src, dst);
|
+ debug_f("src:%s dst:%s", src, dst);
|
||||||
+ class = string_to_security_class("context");
|
+ class = string_to_security_class("context");
|
||||||
+ if (!class) {
|
+ if (!class) {
|
||||||
+ error("string_to_security_class failed to translate security class context");
|
+ error("string_to_security_class failed to translate security class context");
|
||||||
@ -692,7 +692,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ /* we actually don't change level */
|
+ /* we actually don't change level */
|
||||||
+ reqlvl = "";
|
+ reqlvl = "";
|
||||||
+
|
+
|
||||||
+ debug("%s: current connection level '%s'", __func__, reqlvl);
|
+ debug_f("current connection level '%s'", reqlvl);
|
||||||
+
|
+
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -720,8 +720,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0) {
|
+ if (r != 0) {
|
||||||
+ error("%s: Failed to get default SELinux security "
|
+ error_f("Failed to get default SELinux security "
|
||||||
+ "context for %s", __func__, pwname);
|
+ "context for %s", pwname);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+#ifdef HAVE_GETSEUSERBYNAME
|
+#ifdef HAVE_GETSEUSERBYNAME
|
||||||
@ -746,7 +746,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ char *use_current;
|
+ char *use_current;
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+
|
+
|
||||||
+ debug3("%s: setting execution context", __func__);
|
+ debug3_f("setting execution context");
|
||||||
+
|
+
|
||||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||||
+
|
+
|
||||||
@ -783,32 +783,30 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (sshd_selinux_setup_pam_variables()) {
|
+ if (sshd_selinux_setup_pam_variables()) {
|
||||||
+ switch (security_getenforce()) {
|
+ switch (security_getenforce()) {
|
||||||
+ case -1:
|
+ case -1:
|
||||||
+ fatal("%s: security_getenforce() failed", __func__);
|
+ fatal_f("security_getenforce() failed");
|
||||||
+ case 0:
|
+ case 0:
|
||||||
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
|
+ error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
|
||||||
+ __func__);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
|
+ fatal_f("SELinux PAM variable setup failure. Aborting connection.");
|
||||||
+ __func__);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ debug3("%s: setting execution context", __func__);
|
+ debug3_f("setting execution context");
|
||||||
+
|
+
|
||||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||||
+ if (r >= 0) {
|
+ if (r >= 0) {
|
||||||
+ r = setexeccon(user_ctx);
|
+ r = setexeccon(user_ctx);
|
||||||
+ if (r < 0) {
|
+ if (r < 0) {
|
||||||
+ error("%s: Failed to set SELinux execution context %s for %s",
|
+ error_f("Failed to set SELinux execution context %s for %s",
|
||||||
+ __func__, user_ctx, pwname);
|
+ user_ctx, pwname);
|
||||||
+ }
|
+ }
|
||||||
+#ifdef HAVE_SETKEYCREATECON
|
+#ifdef HAVE_SETKEYCREATECON
|
||||||
+ else if (setkeycreatecon(user_ctx) < 0) {
|
+ else if (setkeycreatecon(user_ctx) < 0) {
|
||||||
+ error("%s: Failed to set SELinux keyring creation context %s for %s",
|
+ error_f("Failed to set SELinux keyring creation context %s for %s",
|
||||||
+ __func__, user_ctx, pwname);
|
+ user_ctx, pwname);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+ }
|
+ }
|
||||||
@ -823,14 +821,12 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (r < 0) {
|
+ if (r < 0) {
|
||||||
+ switch (security_getenforce()) {
|
+ switch (security_getenforce()) {
|
||||||
+ case -1:
|
+ case -1:
|
||||||
+ fatal("%s: security_getenforce() failed", __func__);
|
+ fatal_f("security_getenforce() failed");
|
||||||
+ case 0:
|
+ case 0:
|
||||||
+ error("%s: SELinux failure. Continuing in permissive mode.",
|
+ error_f("ELinux failure. Continuing in permissive mode.");
|
||||||
+ __func__);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: SELinux failure. Aborting connection.",
|
+ fatal_f("SELinux failure. Aborting connection.");
|
||||||
+ __func__);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
||||||
@ -838,7 +834,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (default_ctx != NULL)
|
+ if (default_ctx != NULL)
|
||||||
+ freecon(default_ctx);
|
+ freecon(default_ctx);
|
||||||
+
|
+
|
||||||
+ debug3("%s: done", __func__);
|
+ debug3_f("done");
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
|
@ -1,27 +0,0 @@
|
|||||||
From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Tue, 29 Sep 2020 10:02:45 +0000
|
|
||||||
Subject: [PATCH] Fail hard on the first failed attempt to write the
|
|
||||||
authorized_keys_file
|
|
||||||
|
|
||||||
---
|
|
||||||
ssh-copy-id | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index 392f64f..e69a23f 100755
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -251,7 +251,7 @@ installkeys_sh() {
|
|
||||||
cd;
|
|
||||||
umask 077;
|
|
||||||
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
|
||||||
- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
|
|
||||||
+ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
|
||||||
cat >> ${AUTH_KEY_FILE} ||
|
|
||||||
exit 1;
|
|
||||||
if type restorecon >/dev/null 2>&1; then
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
||||||
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
||||||
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
||||||
@@ -359,17 +359,17 @@ or
|
@@ -359,14 +359,13 @@ or
|
||||||
.Qq *.c.example.com
|
.Qq *.c.example.com
|
||||||
domains.
|
domains.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
@ -14,19 +14,15 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
will not accept host certificates signed using algorithms other than those
|
will not accept host certificates signed using algorithms other than those
|
||||||
specified.
|
specified.
|
||||||
+.Pp
|
|
||||||
.It Cm CertificateFile
|
|
||||||
Specifies a file from which the user's certificate is read.
|
|
||||||
A corresponding private key must be provided separately in order
|
|
||||||
@@ -424,20 +424,25 @@ If the option is set to
|
@@ -424,20 +424,25 @@ If the option is set to
|
||||||
.Cm no ,
|
(the default),
|
||||||
the check will not be executed.
|
the check will not be executed.
|
||||||
.It Cm Ciphers
|
.It Cm Ciphers
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
@ -133,8 +129,8 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q kex .
|
.Qq ssh -Q kex .
|
||||||
@@ -1231,37 +1228,33 @@ The default is INFO.
|
@@ -1231,37 +1228,33 @@ The default is INFO.
|
||||||
DEBUG and DEBUG1 are equivalent.
|
file.
|
||||||
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
.It Cm MACs
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -179,56 +175,57 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
.It Cm NoHostAuthenticationForLocalhost
|
.It Cm NoHostAuthenticationForLocalhost
|
||||||
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
|
@@ -1394,37 +1387,25 @@ instead of continuing to execute and pas
|
||||||
The default is
|
The default is
|
||||||
.Cm no .
|
.Cm no .
|
||||||
.It Cm PubkeyAcceptedKeyTypes
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
Specifies the key types that will be used for public key authentication
|
Specifies the signature algorithms that will be used for public key
|
||||||
as a comma-separated list of patterns.
|
authentication as a comma-separated list of patterns.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq +
|
.Sq +
|
||||||
-character, then the key types after it will be appended to the default
|
-character, then the algorithms after it will be appended to the default
|
||||||
-instead of replacing it.
|
-instead of replacing it.
|
||||||
+character, then the key types after it will be appended to the built-in
|
+character, then the algorithms after it will be appended to the built-in
|
||||||
+openssh default instead of replacing it.
|
+openssh default instead of replacing it.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq -
|
.Sq -
|
||||||
character, then the specified key types (including wildcards) will be removed
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
-from the default set instead of replacing them.
|
-from the default set instead of replacing them.
|
||||||
+from the built-in openssh default set instead of replacing them.
|
+from the built-in openssh default set instead of replacing them.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified algorithms will be placed at the head of the
|
||||||
-default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
-rsa-sha2-256-cert-v01@openssh.com,
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+built-in openssh default set.
|
+built-in openssh default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
||||||
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
||||||
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
||||||
@@ -375,16 +375,16 @@ If the argument is
|
@@ -375,14 +375,13 @@ If the argument is
|
||||||
then no banner is displayed.
|
then no banner is displayed.
|
||||||
By default, no banner is displayed.
|
By default, no banner is displayed.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
@ -241,16 +238,13 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
Certificates signed using other algorithms will not be accepted for
|
Certificates signed using other algorithms will not be accepted for
|
||||||
public key or host-based authentication.
|
public key or host-based authentication.
|
||||||
+.Pp
|
|
||||||
.It Cm ChallengeResponseAuthentication
|
.It Cm ChallengeResponseAuthentication
|
||||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
|
||||||
PAM or through authentication styles supported in
|
|
||||||
@@ -446,20 +446,25 @@ The default is
|
@@ -446,20 +446,25 @@ The default is
|
||||||
indicating not to
|
indicating not to
|
||||||
.Xr chroot 2 .
|
.Xr chroot 2 .
|
||||||
@ -295,7 +289,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
.It Cm ClientAliveCountMax
|
.It Cm ClientAliveCountMax
|
||||||
@@ -681,22 +679,24 @@ For this to work
|
@@ -681,21 +679,22 @@ For this to work
|
||||||
.Cm GSSAPIKeyExchange
|
.Cm GSSAPIKeyExchange
|
||||||
needs to be enabled in the server and also used by the client.
|
needs to be enabled in the server and also used by the client.
|
||||||
.It Cm GSSAPIKexAlgorithms
|
.It Cm GSSAPIKexAlgorithms
|
||||||
@ -326,11 +320,9 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
This option only applies to connections using GSSAPI.
|
This option only applies to connections using GSSAPI.
|
||||||
+.Pp
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
Specifies the signature algorithms that will be accepted for hostbased
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
@@ -793,26 +793,13 @@ is specified, the location of the socket
|
||||||
as a list of comma-separated patterns.
|
|
||||||
@@ -793,25 +793,13 @@ is specified, the location of the socket
|
|
||||||
.Ev SSH_AUTH_SOCK
|
.Ev SSH_AUTH_SOCK
|
||||||
environment variable.
|
environment variable.
|
||||||
.It Cm HostKeyAlgorithms
|
.It Cm HostKeyAlgorithms
|
||||||
@ -339,26 +331,27 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
Specifies the host key algorithms
|
Specifies the host key signature algorithms
|
||||||
that the server offers.
|
that the server offers.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
-rsa-sha2-256-cert-v01@openssh.com,
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q HostKeyAlgorithms .
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
.It Cm IgnoreRhosts
|
.It Cm IgnoreRhosts
|
||||||
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
||||||
@ -392,7 +385,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
.Bl -item -compact -offset indent
|
.Bl -item -compact -offset indent
|
||||||
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
||||||
sntrup4591761x25519-sha512@tinyssh.org
|
sntrup761x25519-sha512@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
-The default is:
|
-The default is:
|
||||||
@ -408,8 +401,8 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
.Qq ssh -Q KexAlgorithms .
|
.Qq ssh -Q KexAlgorithms .
|
||||||
.It Cm ListenAddress
|
.It Cm ListenAddress
|
||||||
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
||||||
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
file.
|
||||||
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
.It Cm MACs
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -454,49 +447,50 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
.It Cm Match
|
.It Cm Match
|
||||||
@@ -1480,36 +1460,25 @@ or equivalent.)
|
@@ -1480,37 +1460,25 @@ or equivalent.)
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
.It Cm PubkeyAcceptedKeyTypes
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
Specifies the key types that will be accepted for public key authentication
|
Specifies the signature algorithms that will be accepted for public key
|
||||||
as a list of comma-separated patterns.
|
authentication as a list of comma-separated patterns.
|
||||||
Alternately if the specified list begins with a
|
Alternately if the specified list begins with a
|
||||||
.Sq +
|
.Sq +
|
||||||
-character, then the specified key types will be appended to the default set
|
-character, then the specified algorithms will be appended to the default set
|
||||||
-instead of replacing them.
|
-instead of replacing them.
|
||||||
+character, then the specified key types will be appended to the built-in
|
+character, then the specified algorithms will be appended to the built-in
|
||||||
+openssh default set instead of replacing them.
|
+openssh default set instead of replacing them.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq -
|
.Sq -
|
||||||
character, then the specified key types (including wildcards) will be removed
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
-from the default set instead of replacing them.
|
-from the default set instead of replacing them.
|
||||||
+from the built-in openssh default set instead of replacing them.
|
+from the built-in openssh default set instead of replacing them.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified algorithms will be placed at the head of the
|
||||||
-default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
-rsa-sha2-256-cert-v01@openssh.com,
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+built-in openssh default set.
|
+built-in openssh default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
|
@ -5,7 +5,7 @@ index e7549470..b68c1710 100644
|
|||||||
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||||
kexgexc.o kexgexs.o \
|
kexgexc.o kexgexs.o \
|
||||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
||||||
+ kexgssc.o \
|
+ kexgssc.o \
|
||||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
sshbuf-io.o
|
sshbuf-io.o
|
||||||
@ -17,7 +17,7 @@ index e7549470..b68c1710 100644
|
|||||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
||||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||||
sftp-server.o sftp-common.o \
|
srclimit.o sftp-server.o sftp-common.o \
|
||||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||||
diff --git a/auth.c b/auth.c
|
diff --git a/auth.c b/auth.c
|
||||||
index 086b8ebb..687c57b4 100644
|
index 086b8ebb..687c57b4 100644
|
||||||
@ -138,7 +138,7 @@ index 9351e042..d6446c0c 100644
|
|||||||
--- a/auth2-gss.c
|
--- a/auth2-gss.c
|
||||||
+++ b/auth2-gss.c
|
+++ b/auth2-gss.c
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
|
/* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
@ -165,19 +165,19 @@ index 9351e042..d6446c0c 100644
|
|||||||
+
|
+
|
||||||
+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
|
+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
|
||||||
+ (r = sshpkt_get_end(ssh)) != 0)
|
+ (r = sshpkt_get_end(ssh)) != 0)
|
||||||
+ fatal("%s: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "parsing");
|
||||||
+
|
+
|
||||||
+ if ((b = sshbuf_new()) == NULL)
|
+ if ((b = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ mic.value = p;
|
+ mic.value = p;
|
||||||
+ mic.length = len;
|
+ mic.length = len;
|
||||||
+
|
+
|
||||||
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||||
+ "gssapi-keyex");
|
+ "gssapi-keyex", ssh->kex->session_id);
|
||||||
+
|
+
|
||||||
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
|
+ fatal_f("sshbuf_mutable_ptr failed");
|
||||||
+ gssbuf.length = sshbuf_len(b);
|
+ gssbuf.length = sshbuf_len(b);
|
||||||
+
|
+
|
||||||
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
|
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
|
||||||
@ -197,7 +197,7 @@ index 9351e042..d6446c0c 100644
|
|||||||
* how to check local user kuserok and the like)
|
* how to check local user kuserok and the like)
|
||||||
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
|
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
|
||||||
if ((r = sshpkt_get_end(ssh)) != 0)
|
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||||
fatal("%s: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse packet");
|
||||||
|
|
||||||
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
||||||
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
||||||
@ -441,7 +441,7 @@ index d56257b4..763a63ff 100644
|
|||||||
--- a/gss-genr.c
|
--- a/gss-genr.c
|
||||||
+++ b/gss-genr.c
|
+++ b/gss-genr.c
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
|
/* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
||||||
@ -449,7 +449,7 @@ index d56257b4..763a63ff 100644
|
|||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
* modification, are permitted provided that the following conditions
|
* modification, are permitted provided that the following conditions
|
||||||
@@ -41,12 +41,36 @@
|
@@ -41,9 +41,33 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
@ -461,9 +461,6 @@ index d56257b4..763a63ff 100644
|
|||||||
|
|
||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
|
|
||||||
extern u_char *session_id2;
|
|
||||||
extern u_int session_id2_len;
|
|
||||||
|
|
||||||
+typedef struct {
|
+typedef struct {
|
||||||
+ char *encoded;
|
+ char *encoded;
|
||||||
+ gss_OID oid;
|
+ gss_OID oid;
|
||||||
@ -486,7 +483,7 @@ index d56257b4..763a63ff 100644
|
|||||||
/* sshbuf_get for gss_buffer_desc */
|
/* sshbuf_get for gss_buffer_desc */
|
||||||
int
|
int
|
||||||
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
||||||
@@ -62,6 +86,162 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
@@ -62,6 +86,159 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -548,7 +545,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+ (gss_supported->count + 1));
|
+ (gss_supported->count + 1));
|
||||||
+
|
+
|
||||||
+ if ((buf = sshbuf_new()) == NULL)
|
+ if ((buf = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ oidpos = 0;
|
+ oidpos = 0;
|
||||||
+ s = cp = xstrdup(kex);
|
+ s = cp = xstrdup(kex);
|
||||||
@ -565,8 +562,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+ gss_supported->elements[i].elements,
|
+ gss_supported->elements[i].elements,
|
||||||
+ gss_supported->elements[i].length)) != 0 ||
|
+ gss_supported->elements[i].length)) != 0 ||
|
||||||
+ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
|
+ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
|
||||||
+ fatal("%s: digest failed: %s", __func__,
|
+ fatal_fr(r, "digest failed");
|
||||||
+ ssh_err(r));
|
|
||||||
+ ssh_digest_free(md);
|
+ ssh_digest_free(md);
|
||||||
+ md = NULL;
|
+ md = NULL;
|
||||||
+
|
+
|
||||||
@ -581,12 +577,10 @@ index d56257b4..763a63ff 100644
|
|||||||
+ (p = strsep(&cp, ","))) {
|
+ (p = strsep(&cp, ","))) {
|
||||||
+ if (sshbuf_len(buf) != 0 &&
|
+ if (sshbuf_len(buf) != 0 &&
|
||||||
+ (r = sshbuf_put_u8(buf, ',')) != 0)
|
+ (r = sshbuf_put_u8(buf, ',')) != 0)
|
||||||
+ fatal("%s: sshbuf_put_u8 error: %s",
|
+ fatal_fr(r, "sshbuf_put_u8 error");
|
||||||
+ __func__, ssh_err(r));
|
|
||||||
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
|
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
|
||||||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
||||||
+ fatal("%s: sshbuf_put error: %s",
|
+ fatal_fr(r, "sshbuf_put error");
|
||||||
+ __func__, ssh_err(r));
|
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
||||||
@ -599,7 +593,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+ gss_enc2oid[oidpos].encoded = NULL;
|
+ gss_enc2oid[oidpos].encoded = NULL;
|
||||||
+
|
+
|
||||||
+ if ((mechs = sshbuf_dup_string(buf)) == NULL)
|
+ if ((mechs = sshbuf_dup_string(buf)) == NULL)
|
||||||
+ fatal("%s: sshbuf_dup_string failed", __func__);
|
+ fatal_f("sshbuf_dup_string failed");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(buf);
|
+ sshbuf_free(buf);
|
||||||
+
|
+
|
||||||
@ -721,7 +715,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+
|
+
|
||||||
void
|
void
|
||||||
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
||||||
const char *context)
|
const char *context, const struct sshbuf *session_id)
|
||||||
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1123,10 +1117,10 @@ index ab3a15f0..6ce56e92 100644
|
|||||||
+
|
+
|
||||||
+ if (gssapi_client.store.data != NULL) {
|
+ if (gssapi_client.store.data != NULL) {
|
||||||
+ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
|
+ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
|
||||||
+ debug("%s: krb5_cc_resolve(): %.100s", __func__,
|
+ debug_f("krb5_cc_resolve(): %.100s",
|
||||||
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
||||||
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
|
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
|
||||||
+ debug("%s: krb5_cc_destroy(): %.100s", __func__,
|
+ debug_f("krb5_cc_destroy(): %.100s",
|
||||||
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
||||||
+ } else {
|
+ } else {
|
||||||
+ krb5_free_context(gssapi_client.store.data);
|
+ krb5_free_context(gssapi_client.store.data);
|
||||||
@ -1375,7 +1369,7 @@ index ce85f043..574c7609 100644
|
|||||||
@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
|
@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
|
||||||
sshbuf_free(kex->server_version);
|
sshbuf_free(kex->server_version);
|
||||||
sshbuf_free(kex->client_pub);
|
sshbuf_free(kex->client_pub);
|
||||||
free(kex->session_id);
|
sshbuf_free(kex->session_id);
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
+ free(kex->gss_host);
|
+ free(kex->gss_host);
|
||||||
+#endif /* GSSAPI */
|
+#endif /* GSSAPI */
|
||||||
@ -1389,7 +1383,7 @@ index a5ae6ac0..fe714141 100644
|
|||||||
@@ -102,6 +102,15 @@ enum kex_exchange {
|
@@ -102,6 +102,15 @@ enum kex_exchange {
|
||||||
KEX_ECDH_SHA2,
|
KEX_ECDH_SHA2,
|
||||||
KEX_C25519_SHA256,
|
KEX_C25519_SHA256,
|
||||||
KEX_KEM_SNTRUP4591761X25519_SHA512,
|
KEX_KEM_SNTRUP761X25519_SHA512,
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
+ KEX_GSS_GRP1_SHA1,
|
+ KEX_GSS_GRP1_SHA1,
|
||||||
+ KEX_GSS_GRP14_SHA1,
|
+ KEX_GSS_GRP14_SHA1,
|
||||||
@ -1498,7 +1492,7 @@ new file mode 100644
|
|||||||
index 00000000..f6e1405e
|
index 00000000..f6e1405e
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/kexgssc.c
|
+++ b/kexgssc.c
|
||||||
@@ -0,0 +1,606 @@
|
@@ -0,0 +1,599 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -1597,7 +1591,7 @@ index 00000000..f6e1405e
|
|||||||
+ r = kex_c25519_keypair(kex);
|
+ r = kex_c25519_keypair(kex);
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0)
|
+ if (r != 0)
|
||||||
+ return r;
|
+ return r;
|
||||||
@ -1785,7 +1779,7 @@ index 00000000..f6e1405e
|
|||||||
+ server_blob,
|
+ server_blob,
|
||||||
+ shared_secret,
|
+ shared_secret,
|
||||||
+ hash, &hashlen)) != 0)
|
+ hash, &hashlen)) != 0)
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+
|
+
|
||||||
+ gssbuf.value = hash;
|
+ gssbuf.value = hash;
|
||||||
+ gssbuf.length = hashlen;
|
+ gssbuf.length = hashlen;
|
||||||
@ -2074,13 +2068,6 @@ index 00000000..f6e1405e
|
|||||||
+
|
+
|
||||||
+ gss_release_buffer(&min_status, &msg_tok);
|
+ gss_release_buffer(&min_status, &msg_tok);
|
||||||
+
|
+
|
||||||
+ /* save session id */
|
|
||||||
+ if (kex->session_id == NULL) {
|
|
||||||
+ kex->session_id_len = hashlen;
|
|
||||||
+ kex->session_id = xmalloc(kex->session_id_len);
|
|
||||||
+ memcpy(kex->session_id, hash, kex->session_id_len);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (kex->gss_deleg_creds)
|
+ if (kex->gss_deleg_creds)
|
||||||
+ ssh_gssapi_credentials_updated(ctxt);
|
+ ssh_gssapi_credentials_updated(ctxt);
|
||||||
+
|
+
|
||||||
@ -2202,12 +2189,12 @@ index 00000000..60bc02de
|
|||||||
+ free(mechs);
|
+ free(mechs);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ debug2("%s: Identifying %s", __func__, kex->name);
|
+ debug2_f("Identifying %s", kex->name);
|
||||||
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
||||||
+ if (oid == GSS_C_NO_OID)
|
+ if (oid == GSS_C_NO_OID)
|
||||||
+ fatal("Unknown gssapi mechanism");
|
+ fatal("Unknown gssapi mechanism");
|
||||||
+
|
+
|
||||||
+ debug2("%s: Acquiring credentials", __func__);
|
+ debug2_f("Acquiring credentials");
|
||||||
+
|
+
|
||||||
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
||||||
+ fatal("Unable to acquire credentials for the server");
|
+ fatal("Unable to acquire credentials for the server");
|
||||||
@ -2242,7 +2229,7 @@ index 00000000..60bc02de
|
|||||||
+ &shared_secret);
|
+ &shared_secret);
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0)
|
+ if (r != 0)
|
||||||
+ goto out;
|
+ goto out;
|
||||||
@ -2398,12 +2385,12 @@ index 00000000..60bc02de
|
|||||||
+ if ((mechs = ssh_gssapi_server_mechanisms()))
|
+ if ((mechs = ssh_gssapi_server_mechanisms()))
|
||||||
+ free(mechs);
|
+ free(mechs);
|
||||||
+
|
+
|
||||||
+ debug2("%s: Identifying %s", __func__, kex->name);
|
+ debug2_f("Identifying %s", kex->name);
|
||||||
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
||||||
+ if (oid == GSS_C_NO_OID)
|
+ if (oid == GSS_C_NO_OID)
|
||||||
+ fatal("Unknown gssapi mechanism");
|
+ fatal("Unknown gssapi mechanism");
|
||||||
+
|
+
|
||||||
+ debug2("%s: Acquiring credentials", __func__);
|
+ debug2_f("Acquiring credentials");
|
||||||
+
|
+
|
||||||
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
||||||
+ fatal("Unable to acquire credentials for the server");
|
+ fatal("Unable to acquire credentials for the server");
|
||||||
@ -2641,44 +2628,44 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
|
||||||
@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||||
# endif
|
# endif
|
||||||
+# ifdef GSSAPI
|
+# ifdef GSSAPI
|
||||||
+ if (options.gss_keyex) {
|
+ if (options.gss_keyex) {
|
||||||
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
|
+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
|
+ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
|
+ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
|
+ kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
|
||||||
+ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
|
+ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
|
||||||
+ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
|
+ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
|
||||||
+ }
|
+ }
|
||||||
+# endif
|
+# endif
|
||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||||
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
|
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||||
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
u_char *p;
|
u_char *p;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse");
|
||||||
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
OM_uint32 flags = 0; /* GSI needs this */
|
OM_uint32 flags = 0; /* GSI needs this */
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "ssh_gssapi_get_buffer_desc");
|
||||||
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||||
@ -2692,9 +2679,9 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
int r;
|
int r;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
||||||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
||||||
@ -2707,13 +2694,13 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
const char *displayname;
|
const char *displayname;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
||||||
+ if ((r = sshbuf_get_u32(m, &kex)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &kex)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ authenticated = authctxt->valid &&
|
+ authenticated = authctxt->valid &&
|
||||||
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
|
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
|
||||||
@ -2721,7 +2708,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
sshbuf_reset(m);
|
sshbuf_reset(m);
|
||||||
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
||||||
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
debug3("%s: sending result %d", __func__, authenticated);
|
debug3_f("sending result %d", authenticated);
|
||||||
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
||||||
|
|
||||||
- auth_method = "gssapi-with-mic";
|
- auth_method = "gssapi-with-mic";
|
||||||
@ -2733,7 +2720,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
|
|
||||||
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
||||||
auth2_record_info(authctxt, "%s", displayname);
|
auth2_record_info(authctxt, "%s", displayname);
|
||||||
@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1921,5 +1958,84 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
/* Monitor loop will terminate if authenticated */
|
/* Monitor loop will terminate if authenticated */
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
@ -2749,16 +2736,15 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+ int r;
|
+ int r;
|
||||||
+
|
+
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ data.value = p;
|
+ data.value = p;
|
||||||
+ data.length = len;
|
+ data.length = len;
|
||||||
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
|
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
|
||||||
+ if (data.length != 20 && data.length != 32 && data.length != 64)
|
+ if (data.length != 20 && data.length != 32 && data.length != 64)
|
||||||
+ fatal("%s: data length incorrect: %d", __func__,
|
+ fatal_f("data length incorrect: %d", (int) data.length);
|
||||||
+ (int) data.length);
|
|
||||||
+
|
+
|
||||||
+ /* Save the session ID on the first time around */
|
+ /* Save the session ID on the first time around */
|
||||||
+ if (session_id2_len == 0) {
|
+ if (session_id2_len == 0) {
|
||||||
@ -2774,7 +2760,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+
|
+
|
||||||
+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
|
||||||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
|
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
|
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
|
||||||
+
|
+
|
||||||
@ -2795,12 +2781,12 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+ int r, ok;
|
+ int r, ok;
|
||||||
+
|
+
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
|
+ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
|
+ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
|
+ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ ok = ssh_gssapi_update_creds(&store);
|
+ ok = ssh_gssapi_update_creds(&store);
|
||||||
+
|
+
|
||||||
@ -2810,7 +2796,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+
|
+
|
||||||
+ sshbuf_reset(m);
|
+ sshbuf_reset(m);
|
||||||
+ if ((r = sshbuf_put_u32(m, ok)) != 0)
|
+ if ((r = sshbuf_put_u32(m, ok)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
|
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
|
||||||
+
|
+
|
||||||
@ -2847,14 +2833,14 @@ index 001a8fa1..6edb509a 100644
|
|||||||
int r, authenticated = 0;
|
int r, authenticated = 0;
|
||||||
|
|
||||||
if ((m = sshbuf_new()) == NULL)
|
if ((m = sshbuf_new()) == NULL)
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, kex)) != 0)
|
+ if ((r = sshbuf_put_u32(m, kex)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
|
|
||||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
|
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
|
||||||
mm_request_receive_expect(pmonitor->m_recvfd,
|
mm_request_receive_expect(pmonitor->m_recvfd,
|
||||||
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
|
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
|
||||||
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
|
debug3_f("user %sauthenticated", authenticated ? "" : "not ");
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
@ -2866,16 +2852,16 @@ index 001a8fa1..6edb509a 100644
|
|||||||
+ int r;
|
+ int r;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
|
+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
|
+ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
|
||||||
+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
|
+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+
|
+
|
||||||
@ -2889,7 +2875,7 @@ index 001a8fa1..6edb509a 100644
|
|||||||
+ int r, ok;
|
+ int r, ok;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_put_cstring(m,
|
+ if ((r = sshbuf_put_cstring(m,
|
||||||
+ store->filename ? store->filename : "")) != 0 ||
|
+ store->filename ? store->filename : "")) != 0 ||
|
||||||
@ -2897,13 +2883,13 @@ index 001a8fa1..6edb509a 100644
|
|||||||
+ store->envvar ? store->envvar : "")) != 0 ||
|
+ store->envvar ? store->envvar : "")) != 0 ||
|
||||||
+ (r = sshbuf_put_cstring(m,
|
+ (r = sshbuf_put_cstring(m,
|
||||||
+ store->envval ? store->envval : "")) != 0)
|
+ store->envval ? store->envval : "")) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &ok)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &ok)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+
|
+
|
||||||
@ -3124,7 +3110,7 @@ index 70f5f73f..191575a1 100644
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -531,6 +543,7 @@ typedef enum {
|
@@ -531,6 +543,7 @@ typedef enum {
|
||||||
sHostKeyAlgorithms,
|
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
||||||
@ -3246,7 +3232,7 @@ index 36180d07..70dd3665 100644
|
|||||||
--- a/ssh-gss.h
|
--- a/ssh-gss.h
|
||||||
+++ b/ssh-gss.h
|
+++ b/ssh-gss.h
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,6 +1,6 @@
|
||||||
/* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
|
/* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
@ -3332,7 +3318,7 @@ index 36180d07..70dd3665 100644
|
|||||||
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
|
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
|
||||||
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||||
void ssh_gssapi_buildmic(struct sshbuf *, const char *,
|
void ssh_gssapi_buildmic(struct sshbuf *, const char *,
|
||||||
const char *, const char *);
|
const char *, const char *, const struct sshbuf *);
|
||||||
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
|
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
|
||||||
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
|
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
|
||||||
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
|
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
|
||||||
@ -3382,7 +3368,7 @@ index 60de6087..db5c65bc 100644
|
|||||||
+.It GSSAPITrustDns
|
+.It GSSAPITrustDns
|
||||||
.It HashKnownHosts
|
.It HashKnownHosts
|
||||||
.It Host
|
.It Host
|
||||||
.It HostbasedAuthentication
|
.It HostbasedAcceptedAlgorithms
|
||||||
@@ -579,6 +585,8 @@ flag),
|
@@ -579,6 +585,8 @@ flag),
|
||||||
(supported message integrity codes),
|
(supported message integrity codes),
|
||||||
.Ar kex
|
.Ar kex
|
||||||
@ -3526,9 +3512,9 @@ index af00fb30..03bc87eb 100644
|
|||||||
+
|
+
|
||||||
xxx_host = host;
|
xxx_host = host;
|
||||||
xxx_hostaddr = hostaddr;
|
xxx_hostaddr = hostaddr;
|
||||||
|
xxx_conn_info = cinfo;
|
||||||
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
|
||||||
}
|
}
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3588,7 +3574,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+# endif
|
+# endif
|
||||||
+#endif /* WITH_OPENSSL */
|
+#endif /* WITH_OPENSSL */
|
||||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||||
ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client;
|
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||||
ssh->kex->verify_host_key=&verify_host_key_callback;
|
ssh->kex->verify_host_key=&verify_host_key_callback;
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3604,7 +3590,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
|
|
||||||
/* remove ext-info from the KEX proposals for rekeying */
|
/* remove ext-info from the KEX proposals for rekeying */
|
||||||
myproposal[PROPOSAL_KEX_ALGS] =
|
myproposal[PROPOSAL_KEX_ALGS] =
|
||||||
compat_kex_proposal(options.kex_algorithms);
|
compat_kex_proposal(ssh, options.kex_algorithms);
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ /* repair myproposal after it was crumpled by the */
|
+ /* repair myproposal after it was crumpled by the */
|
||||||
+ /* ext-info removal above */
|
+ /* ext-info removal above */
|
||||||
@ -3616,7 +3602,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
|
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
|
||||||
fatal("kex_prop2buf: %s", ssh_err(r));
|
fatal_r(r, "kex_prop2buf");
|
||||||
|
|
||||||
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
||||||
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
|
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
|
||||||
@ -3714,13 +3700,13 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if ((b = sshbuf_new()) == NULL)
|
+ if ((b = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
|
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
|
||||||
+ "gssapi-keyex");
|
+ "gssapi-keyex", ssh->kex->session_id);
|
||||||
+
|
+
|
||||||
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
|
+ fatal_f("sshbuf_mutable_ptr failed");
|
||||||
+ gssbuf.length = sshbuf_len(b);
|
+ gssbuf.length = sshbuf_len(b);
|
||||||
+
|
+
|
||||||
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
|
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
|
||||||
@ -3734,7 +3720,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
|
+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
|
||||||
+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
|
+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
|
||||||
+ (r = sshpkt_send(ssh)) != 0)
|
+ (r = sshpkt_send(ssh)) != 0)
|
||||||
+ fatal("%s: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "parsing");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(b);
|
+ sshbuf_free(b);
|
||||||
+ gss_release_buffer(&ms, &mic);
|
+ gss_release_buffer(&ms, &mic);
|
||||||
@ -3751,11 +3737,11 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
|
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
|
||||||
}
|
}
|
||||||
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
debug3_f("sent %u hostkeys", nkeys);
|
||||||
if (nkeys == 0)
|
if (nkeys == 0)
|
||||||
- fatal("%s: no hostkeys", __func__);
|
- fatal_f("no hostkeys");
|
||||||
- if ((r = sshpkt_send(ssh)) != 0)
|
- if ((r = sshpkt_send(ssh)) != 0)
|
||||||
+ debug3("%s: no hostkeys", __func__);
|
+ debug3_f("no hostkeys");
|
||||||
+ else if ((r = sshpkt_send(ssh)) != 0)
|
+ else if ((r = sshpkt_send(ssh)) != 0)
|
||||||
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
||||||
sshbuf_free(buf);
|
sshbuf_free(buf);
|
||||||
@ -3772,7 +3758,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
}
|
}
|
||||||
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||||
list_hostkey_types());
|
ssh, list_hostkey_types());
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ {
|
+ {
|
||||||
@ -3818,7 +3804,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+
|
+
|
||||||
/* start key exchange */
|
/* start key exchange */
|
||||||
if ((r = kex_setup(ssh, myproposal)) != 0)
|
if ((r = kex_setup(ssh, myproposal)) != 0)
|
||||||
fatal("kex_setup: %s", ssh_err(r));
|
fatal_r(r, "kex_setup");
|
||||||
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||||
@ -3837,7 +3823,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+# endif
|
+# endif
|
||||||
+#endif /* WITH_OPENSSL */
|
+#endif /* WITH_OPENSSL */
|
||||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||||
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
|
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||||
diff --git a/sshd_config b/sshd_config
|
diff --git a/sshd_config b/sshd_config
|
||||||
index 19b7c91a..2c48105f 100644
|
index 19b7c91a..2c48105f 100644
|
||||||
@ -3898,9 +3884,9 @@ index 70ccea44..f6b41a2f 100644
|
|||||||
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
+This option only applies to connections using GSSAPI.
|
+This option only applies to connections using GSSAPI.
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the signature algorithms that will be accepted for hostbased
|
||||||
as a list of comma-separated patterns.
|
authentication as a list of comma-separated patterns.
|
||||||
diff --git a/sshkey.c b/sshkey.c
|
diff --git a/sshkey.c b/sshkey.c
|
||||||
index 57995ee6..fd5b7724 100644
|
index 57995ee6..fd5b7724 100644
|
||||||
--- a/sshkey.c
|
--- a/sshkey.c
|
||||||
|
@ -96,7 +96,7 @@ index b6f041f4..1fbce2bb 100644
|
|||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||||
+ kex->session_id, kex->session_id_len);
|
+ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
|
||||||
+ if (r != 1) {
|
+ if (r != 1) {
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
|
@ -57,26 +57,26 @@ index e7549470..4511f82a 100644
|
|||||||
rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
|
rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
|
||||||
+ rm -f regress/unittests/pkcs11/*.o
|
+ rm -f regress/unittests/pkcs11/*.o
|
||||||
+ rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)
|
+ rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)
|
||||||
rm -f regress/misc/kexfuzz/*.o
|
|
||||||
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
|
||||||
rm -f regress/misc/sk-dummy/*.o
|
rm -f regress/misc/sk-dummy/*.o
|
||||||
|
rm -f regress/misc/sk-dummy/*.lo
|
||||||
|
rm -f regress/misc/sk-dummy/sk-dummy.so
|
||||||
@@ -322,6 +324,8 @@ distclean: regressclean
|
@@ -322,6 +324,8 @@ distclean: regressclean
|
||||||
rm -f regress/unittests/match/test_match
|
rm -f regress/unittests/match/test_match
|
||||||
rm -f regress/unittests/utf8/*.o
|
rm -f regress/unittests/utf8/*.o
|
||||||
rm -f regress/unittests/utf8/test_utf8
|
rm -f regress/unittests/utf8/test_utf8
|
||||||
+ rm -f regress/unittests/pkcs11/*.o
|
+ rm -f regress/unittests/pkcs11/*.o
|
||||||
+ rm -f regress/unittests/pkcs11/test_pkcs11
|
+ rm -f regress/unittests/pkcs11/test_pkcs11
|
||||||
rm -f regress/misc/kexfuzz/*.o
|
|
||||||
rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
|
||||||
(cd openbsd-compat && $(MAKE) distclean)
|
(cd openbsd-compat && $(MAKE) distclean)
|
||||||
|
if test -d pkg ; then \
|
||||||
|
rm -fr pkg ; \
|
||||||
@@ -490,6 +494,7 @@ regress-prep:
|
@@ -490,6 +494,7 @@ regress-prep:
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/kex
|
$(MKDIR_P) `pwd`/regress/unittests/kex
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/match
|
$(MKDIR_P) `pwd`/regress/unittests/match
|
||||||
$(MKDIR_P) `pwd`/regress/unittests/utf8
|
$(MKDIR_P) `pwd`/regress/unittests/utf8
|
||||||
+ $(MKDIR_P) `pwd`/regress/unittests/pkcs11
|
+ $(MKDIR_P) `pwd`/regress/unittests/pkcs11
|
||||||
$(MKDIR_P) `pwd`/regress/misc/kexfuzz
|
|
||||||
$(MKDIR_P) `pwd`/regress/misc/sk-dummy
|
$(MKDIR_P) `pwd`/regress/misc/sk-dummy
|
||||||
[ -f `pwd`/regress/Makefile ] || \
|
[ -f `pwd`/regress/Makefile ] || \
|
||||||
|
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
|
||||||
@@ -617,6 +622,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \
|
@@ -617,6 +622,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \
|
||||||
regress/unittests/test_helper/libtest_helper.a \
|
regress/unittests/test_helper/libtest_helper.a \
|
||||||
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||||
@ -91,17 +91,17 @@ index e7549470..4511f82a 100644
|
|||||||
+ regress/unittests/test_helper/libtest_helper.a \
|
+ regress/unittests/test_helper/libtest_helper.a \
|
||||||
+ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
+ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||||
+
|
+
|
||||||
MISC_KEX_FUZZ_OBJS=\
|
# These all need to be compiled -fPIC, so they are treated differently.
|
||||||
regress/misc/kexfuzz/kexfuzz.o \
|
SK_DUMMY_OBJS=\
|
||||||
$(SKOBJS)
|
regress/misc/sk-dummy/sk-dummy.lo \
|
||||||
@@ -655,6 +670,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
|
@@ -655,6 +670,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
|
||||||
regress/unittests/kex/test_kex$(EXEEXT) \
|
regress/unittests/kex/test_kex$(EXEEXT) \
|
||||||
regress/unittests/match/test_match$(EXEEXT) \
|
regress/unittests/match/test_match$(EXEEXT) \
|
||||||
regress/unittests/utf8/test_utf8$(EXEEXT) \
|
regress/unittests/utf8/test_utf8$(EXEEXT) \
|
||||||
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
|
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
|
||||||
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
|
|
||||||
|
|
||||||
tests: file-tests t-exec interop-tests unit
|
tests: file-tests t-exec interop-tests unit
|
||||||
|
echo all tests passed
|
||||||
diff --git a/configure.ac b/configure.ac
|
diff --git a/configure.ac b/configure.ac
|
||||||
index b689db4b..98d3ce4f 100644
|
index b689db4b..98d3ce4f 100644
|
||||||
--- a/configure.ac
|
--- a/configure.ac
|
||||||
@ -1075,10 +1075,10 @@ index 7eb6f0dc..27d8e4af 100644
|
|||||||
+ char *provider = NULL, *pin = NULL, *sane_uri = NULL;
|
+ char *provider = NULL, *pin = NULL, *sane_uri = NULL;
|
||||||
char **comments = NULL;
|
char **comments = NULL;
|
||||||
int r, i, count = 0, success = 0, confirm = 0;
|
int r, i, count = 0, success = 0, confirm = 0;
|
||||||
u_int seconds;
|
u_int seconds = 0;
|
||||||
@@ -681,33 +743,28 @@ process_add_smartcard_key(SocketEntry *e)
|
@@ -681,33 +743,28 @@ process_add_smartcard_key(SocketEntry *e)
|
||||||
goto send;
|
error_f("failed to parse constraints");
|
||||||
}
|
goto send;
|
||||||
}
|
}
|
||||||
- if (realpath(provider, canonical_provider) == NULL) {
|
- if (realpath(provider, canonical_provider) == NULL) {
|
||||||
- verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
|
- verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
|
||||||
@ -1093,13 +1093,13 @@ index 7eb6f0dc..27d8e4af 100644
|
|||||||
+ if (sane_uri == NULL)
|
+ if (sane_uri == NULL)
|
||||||
goto send;
|
goto send;
|
||||||
- }
|
- }
|
||||||
- debug("%s: add %.100s", __func__, canonical_provider);
|
- debug_f("add %.100s", canonical_provider);
|
||||||
+
|
+
|
||||||
if (lifetime && !death)
|
if (lifetime && !death)
|
||||||
death = monotime() + lifetime;
|
death = monotime() + lifetime;
|
||||||
|
|
||||||
- count = pkcs11_add_provider(canonical_provider, pin, &keys, &comments);
|
- count = pkcs11_add_provider(canonical_provider, pin, &keys, &comments);
|
||||||
+ debug("%s: add %.100s", __func__, sane_uri);
|
+ debug_f("add %.100s", sane_uri);
|
||||||
+ count = pkcs11_add_provider(sane_uri, pin, &keys, &comments);
|
+ count = pkcs11_add_provider(sane_uri, pin, &keys, &comments);
|
||||||
for (i = 0; i < count; i++) {
|
for (i = 0; i < count; i++) {
|
||||||
k = keys[i];
|
k = keys[i];
|
||||||
@ -1147,8 +1147,8 @@ index 7eb6f0dc..27d8e4af 100644
|
|||||||
goto send;
|
goto send;
|
||||||
- }
|
- }
|
||||||
|
|
||||||
- debug("%s: remove %.100s", __func__, canonical_provider);
|
- debug_f("remove %.100s", canonical_provider);
|
||||||
+ debug("%s: remove %.100s", __func__, sane_uri);
|
+ debug_f("remove %.100s", sane_uri);
|
||||||
for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) {
|
for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) {
|
||||||
nxt = TAILQ_NEXT(id, next);
|
nxt = TAILQ_NEXT(id, next);
|
||||||
/* Skip file--based keys */
|
/* Skip file--based keys */
|
||||||
@ -1165,7 +1165,7 @@ index 7eb6f0dc..27d8e4af 100644
|
|||||||
+ if (pkcs11_del_provider(sane_uri) == 0)
|
+ if (pkcs11_del_provider(sane_uri) == 0)
|
||||||
success = 1;
|
success = 1;
|
||||||
else
|
else
|
||||||
error("%s: pkcs11_del_provider failed", __func__);
|
error_f("pkcs11_del_provider failed");
|
||||||
send:
|
send:
|
||||||
free(provider);
|
free(provider);
|
||||||
+ free(sane_uri);
|
+ free(sane_uri);
|
||||||
@ -1198,7 +1198,7 @@ index 8a0ffef5..ead8a562 100644
|
|||||||
u_int nkeys, i;
|
u_int nkeys, i;
|
||||||
struct sshbuf *msg;
|
struct sshbuf *msg;
|
||||||
|
|
||||||
+ debug("%s: called, name = %s", __func__, name);
|
+ debug_f("called, name = %s", name);
|
||||||
+
|
+
|
||||||
if (fd < 0 && pkcs11_start_helper() < 0)
|
if (fd < 0 && pkcs11_start_helper() < 0)
|
||||||
return (-1);
|
return (-1);
|
||||||
@ -1207,7 +1207,7 @@ index 8a0ffef5..ead8a562 100644
|
|||||||
*keysp = xcalloc(nkeys, sizeof(struct sshkey *));
|
*keysp = xcalloc(nkeys, sizeof(struct sshkey *));
|
||||||
if (labelsp)
|
if (labelsp)
|
||||||
*labelsp = xcalloc(nkeys, sizeof(char *));
|
*labelsp = xcalloc(nkeys, sizeof(char *));
|
||||||
+ debug("%s: nkeys = %u", __func__, nkeys);
|
+ debug_f("nkeys = %u", nkeys);
|
||||||
for (i = 0; i < nkeys; i++) {
|
for (i = 0; i < nkeys; i++) {
|
||||||
/* XXX clean up properly instead of fatal() */
|
/* XXX clean up properly instead of fatal() */
|
||||||
if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 ||
|
if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 ||
|
||||||
@ -1216,7 +1216,7 @@ new file mode 100644
|
|||||||
index 00000000..e1a7b4e0
|
index 00000000..e1a7b4e0
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/ssh-pkcs11-uri.c
|
+++ b/ssh-pkcs11-uri.c
|
||||||
@@ -0,0 +1,425 @@
|
@@ -0,0 +1,419 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2017 Red Hat
|
+ * Copyright (c) 2017 Red Hat
|
||||||
+ *
|
+ *
|
||||||
@ -1493,13 +1493,12 @@ index 00000000..e1a7b4e0
|
|||||||
+ size_t scheme_len = strlen(PKCS11_URI_SCHEME);
|
+ size_t scheme_len = strlen(PKCS11_URI_SCHEME);
|
||||||
+ if (strlen(uri) < scheme_len || /* empty URI matches everything */
|
+ if (strlen(uri) < scheme_len || /* empty URI matches everything */
|
||||||
+ strncmp(uri, PKCS11_URI_SCHEME, scheme_len) != 0) {
|
+ strncmp(uri, PKCS11_URI_SCHEME, scheme_len) != 0) {
|
||||||
+ error("%s: The '%s' does not look like PKCS#11 URI",
|
+ error_f("The '%s' does not look like PKCS#11 URI", uri);
|
||||||
+ __func__, uri);
|
|
||||||
+ return -1;
|
+ return -1;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (pkcs11 == NULL) {
|
+ if (pkcs11 == NULL) {
|
||||||
+ error("%s: Bad arguments. The pkcs11 can't be null", __func__);
|
+ error_f("Bad arguments. The pkcs11 can't be null");
|
||||||
+ return -1;
|
+ return -1;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -1510,7 +1509,7 @@ index 00000000..e1a7b4e0
|
|||||||
+ /* everything before ? */
|
+ /* everything before ? */
|
||||||
+ tok = strtok_r(str1, "?", &saveptr1);
|
+ tok = strtok_r(str1, "?", &saveptr1);
|
||||||
+ if (tok == NULL) {
|
+ if (tok == NULL) {
|
||||||
+ error("%s: pk11-path expected, got EOF", __func__);
|
+ error_f("pk11-path expected, got EOF");
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
@ -1536,35 +1535,32 @@ index 00000000..e1a7b4e0
|
|||||||
+ case pId:
|
+ case pId:
|
||||||
+ /* CKA_ID */
|
+ /* CKA_ID */
|
||||||
+ if (pkcs11->id != NULL) {
|
+ if (pkcs11->id != NULL) {
|
||||||
+ verbose("%s: The id already set in the PKCS#11 URI",
|
+ verbose_f("The id already set in the PKCS#11 URI");
|
||||||
+ __func__);
|
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ len = percent_decode(arg, &pkcs11->id);
|
+ len = percent_decode(arg, &pkcs11->id);
|
||||||
+ if (len <= 0) {
|
+ if (len <= 0) {
|
||||||
+ verbose("%s: Failed to percent-decode CKA_ID: %s",
|
+ verbose_f("Failed to percent-decode CKA_ID: %s", arg);
|
||||||
+ __func__, arg);
|
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ } else
|
+ } else
|
||||||
+ pkcs11->id_len = len;
|
+ pkcs11->id_len = len;
|
||||||
+ debug3("%s: Setting CKA_ID = %s from PKCS#11 URI",
|
+ debug3_f("Setting CKA_ID = %s from PKCS#11 URI", arg);
|
||||||
+ __func__, arg);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ case pToken:
|
+ case pToken:
|
||||||
+ /* CK_TOKEN_INFO -> label */
|
+ /* CK_TOKEN_INFO -> label */
|
||||||
+ charptr = &pkcs11->token;
|
+ charptr = &pkcs11->token;
|
||||||
+ parse_string:
|
+ parse_string:
|
||||||
+ if (*charptr != NULL) {
|
+ if (*charptr != NULL) {
|
||||||
+ verbose("%s: The %s already set in the PKCS#11 URI",
|
+ verbose_f("The %s already set in the PKCS#11 URI",
|
||||||
+ keywords[opcode].name, __func__);
|
+ keywords[opcode].name);
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ percent_decode(arg, charptr);
|
+ percent_decode(arg, charptr);
|
||||||
+ debug3("%s: Setting %s = %s from PKCS#11 URI",
|
+ debug3_f("Setting %s = %s from PKCS#11 URI",
|
||||||
+ __func__, keywords[opcode].name, *charptr);
|
+ keywords[opcode].name, *charptr);
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
+ case pObject:
|
+ case pObject:
|
||||||
@ -1584,8 +1580,7 @@ index 00000000..e1a7b4e0
|
|||||||
+
|
+
|
||||||
+ default:
|
+ default:
|
||||||
+ /* Unrecognized attribute in the URI path SHOULD be error */
|
+ /* Unrecognized attribute in the URI path SHOULD be error */
|
||||||
+ verbose("%s: Unknown part of path in PKCS#11 URI: %s",
|
+ verbose_f("Unknown part of path in PKCS#11 URI: %s", tok);
|
||||||
+ __func__, tok);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -1608,32 +1603,31 @@ index 00000000..e1a7b4e0
|
|||||||
+ case pModulePath:
|
+ case pModulePath:
|
||||||
+ /* module-path is PKCS11Provider */
|
+ /* module-path is PKCS11Provider */
|
||||||
+ if (pkcs11->module_path != NULL) {
|
+ if (pkcs11->module_path != NULL) {
|
||||||
+ verbose("%s: Multiple module-path attributes are"
|
+ verbose_f("Multiple module-path attributes are"
|
||||||
+ "not supported the PKCS#11 URI", __func__);
|
+ "not supported the PKCS#11 URI");
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ percent_decode(arg, &pkcs11->module_path);
|
+ percent_decode(arg, &pkcs11->module_path);
|
||||||
+ debug3("%s: Setting PKCS11Provider = %s from PKCS#11 URI",
|
+ debug3_f("Setting PKCS11Provider = %s from PKCS#11 URI",
|
||||||
+ __func__, pkcs11->module_path);
|
+ pkcs11->module_path);
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
+ case pPinValue:
|
+ case pPinValue:
|
||||||
+ /* pin-value */
|
+ /* pin-value */
|
||||||
+ if (pkcs11->pin != NULL) {
|
+ if (pkcs11->pin != NULL) {
|
||||||
+ verbose("%s: Multiple pin-value attributes are"
|
+ verbose_f("Multiple pin-value attributes are"
|
||||||
+ "not supported the PKCS#11 URI", __func__);
|
+ "not supported the PKCS#11 URI");
|
||||||
+ rv = -1;
|
+ rv = -1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ percent_decode(arg, &pkcs11->pin);
|
+ percent_decode(arg, &pkcs11->pin);
|
||||||
+ debug3("%s: Setting PIN from PKCS#11 URI", __func__);
|
+ debug3_f("Setting PIN from PKCS#11 URI");
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
+ default:
|
+ default:
|
||||||
+ /* Unrecognized attribute in the URI query SHOULD be ignored */
|
+ /* Unrecognized attribute in the URI query SHOULD be ignored */
|
||||||
+ verbose("%s: Unknown part of query in PKCS#11 URI: %s",
|
+ verbose_f("Unknown part of query in PKCS#11 URI: %s", tok);
|
||||||
+ __func__, tok);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+out:
|
+out:
|
||||||
@ -1727,7 +1721,7 @@ index a302c79c..879fe917 100644
|
|||||||
};
|
};
|
||||||
|
|
||||||
int pkcs11_interactive = 0;
|
int pkcs11_interactive = 0;
|
||||||
@@ -106,26 +114,63 @@ pkcs11_init(int interactive)
|
@@ -106,26 +114,61 @@ pkcs11_init(int interactive)
|
||||||
* this is called when a provider gets unregistered.
|
* this is called when a provider gets unregistered.
|
||||||
*/
|
*/
|
||||||
static void
|
static void
|
||||||
@ -1740,8 +1734,7 @@ index a302c79c..879fe917 100644
|
|||||||
- debug("pkcs11_provider_finalize: %p refcount %d valid %d",
|
- debug("pkcs11_provider_finalize: %p refcount %d valid %d",
|
||||||
- p, p->refcount, p->valid);
|
- p, p->refcount, p->valid);
|
||||||
- if (!p->valid)
|
- if (!p->valid)
|
||||||
+ debug("%s: %p refcount %d valid %d", __func__,
|
+ debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);
|
||||||
+ m, m->refcount, m->valid);
|
|
||||||
+ if (!m->valid)
|
+ if (!m->valid)
|
||||||
return;
|
return;
|
||||||
- for (i = 0; i < p->nslots; i++) {
|
- for (i = 0; i < p->nslots; i++) {
|
||||||
@ -1769,11 +1762,11 @@ index a302c79c..879fe917 100644
|
|||||||
+static void
|
+static void
|
||||||
+pkcs11_module_unref(struct pkcs11_module *m)
|
+pkcs11_module_unref(struct pkcs11_module *m)
|
||||||
+{
|
+{
|
||||||
+ debug("%s: %p refcount %d", __func__, m, m->refcount);
|
+ debug_f("%p refcount %d", m, m->refcount);
|
||||||
+ if (--m->refcount <= 0) {
|
+ if (--m->refcount <= 0) {
|
||||||
+ pkcs11_module_finalize(m);
|
+ pkcs11_module_finalize(m);
|
||||||
+ if (m->valid)
|
+ if (m->valid)
|
||||||
+ error("%s: %p still valid", __func__, m);
|
+ error_f("%p still valid", m);
|
||||||
+ free(m->slotlist);
|
+ free(m->slotlist);
|
||||||
+ free(m->slotinfo);
|
+ free(m->slotinfo);
|
||||||
+ free(m->module_path);
|
+ free(m->module_path);
|
||||||
@ -1790,8 +1783,7 @@ index a302c79c..879fe917 100644
|
|||||||
+static void
|
+static void
|
||||||
+pkcs11_provider_finalize(struct pkcs11_provider *p)
|
+pkcs11_provider_finalize(struct pkcs11_provider *p)
|
||||||
+{
|
+{
|
||||||
+ debug("%s: %p refcount %d valid %d", __func__,
|
+ debug_f("%p refcount %d valid %d", p, p->refcount, p->valid);
|
||||||
+ p, p->refcount, p->valid);
|
|
||||||
+ if (!p->valid)
|
+ if (!p->valid)
|
||||||
+ return;
|
+ return;
|
||||||
+ pkcs11_module_unref(p->module);
|
+ pkcs11_module_unref(p->module);
|
||||||
@ -1807,7 +1799,7 @@ index a302c79c..879fe917 100644
|
|||||||
pkcs11_provider_unref(struct pkcs11_provider *p)
|
pkcs11_provider_unref(struct pkcs11_provider *p)
|
||||||
{
|
{
|
||||||
- debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount);
|
- debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount);
|
||||||
+ debug("%s: %p refcount %d", __func__, p, p->refcount);
|
+ debug_f("%p refcount %d", p, p->refcount);
|
||||||
if (--p->refcount <= 0) {
|
if (--p->refcount <= 0) {
|
||||||
- if (p->valid)
|
- if (p->valid)
|
||||||
- error("pkcs11_provider_unref: %p still valid", p);
|
- error("pkcs11_provider_unref: %p still valid", p);
|
||||||
@ -1853,7 +1845,7 @@ index a302c79c..879fe917 100644
|
|||||||
+ int rv;
|
+ int rv;
|
||||||
+ struct pkcs11_uri *uri;
|
+ struct pkcs11_uri *uri;
|
||||||
+
|
+
|
||||||
+ debug("%s: called, provider_id = %s", __func__, provider_id);
|
+ debug_f("called, provider_id = %s", provider_id);
|
||||||
+
|
+
|
||||||
+ uri = pkcs11_uri_init();
|
+ uri = pkcs11_uri_init();
|
||||||
+ if (uri == NULL)
|
+ if (uri == NULL)
|
||||||
@ -1881,7 +1873,7 @@ index a302c79c..879fe917 100644
|
|||||||
+ char *provider_uri = pkcs11_uri_get(uri);
|
+ char *provider_uri = pkcs11_uri_get(uri);
|
||||||
|
|
||||||
- if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
|
- if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
|
||||||
+ debug3("%s(%s): called", __func__, provider_uri);
|
+ debug3_f("called with provider %s", provider_uri);
|
||||||
+
|
+
|
||||||
+ if ((p = pkcs11_provider_lookup(provider_uri)) != NULL) {
|
+ if ((p = pkcs11_provider_lookup(provider_uri)) != NULL) {
|
||||||
TAILQ_REMOVE(&pkcs11_providers, p, next);
|
TAILQ_REMOVE(&pkcs11_providers, p, next);
|
||||||
@ -1977,7 +1969,7 @@ index a302c79c..879fe917 100644
|
|||||||
si->token.label);
|
si->token.label);
|
||||||
- if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) {
|
- if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) {
|
||||||
+ if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL) {
|
+ if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL) {
|
||||||
debug("%s: no pin specified", __func__);
|
debug_f("no pin specified");
|
||||||
return (-1); /* bail out */
|
return (-1); /* bail out */
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2296,7 +2288,7 @@ index a302c79c..879fe917 100644
|
|||||||
error("BN_bin2bn failed");
|
error("BN_bin2bn failed");
|
||||||
goto fail;
|
goto fail;
|
||||||
@@ -871,7 +1032,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
@@ -871,7 +1032,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
|
||||||
fatal("%s: set key", __func__);
|
fatal_f("set key");
|
||||||
rsa_n = rsa_e = NULL; /* transferred */
|
rsa_n = rsa_e = NULL; /* transferred */
|
||||||
|
|
||||||
- if (pkcs11_rsa_wrap(p, slotidx, &key_attr[0], rsa))
|
- if (pkcs11_rsa_wrap(p, slotidx, &key_attr[0], rsa))
|
||||||
@ -2508,7 +2500,7 @@ index a302c79c..879fe917 100644
|
|||||||
int ret = -1;
|
int ret = -1;
|
||||||
struct pkcs11_provider *p = NULL;
|
struct pkcs11_provider *p = NULL;
|
||||||
void *handle = NULL;
|
void *handle = NULL;
|
||||||
@@ -1484,167 +1670,303 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
@@ -1484,164 +1670,298 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
||||||
CK_FUNCTION_LIST *f = NULL;
|
CK_FUNCTION_LIST *f = NULL;
|
||||||
CK_TOKEN_INFO *token;
|
CK_TOKEN_INFO *token;
|
||||||
CK_ULONG i;
|
CK_ULONG i;
|
||||||
@ -2522,7 +2514,7 @@ index a302c79c..879fe917 100644
|
|||||||
+#ifdef PKCS11_DEFAULT_PROVIDER
|
+#ifdef PKCS11_DEFAULT_PROVIDER
|
||||||
+ provider_module = strdup(PKCS11_DEFAULT_PROVIDER);
|
+ provider_module = strdup(PKCS11_DEFAULT_PROVIDER);
|
||||||
+#else
|
+#else
|
||||||
+ error("%s: No module path provided", __func__);
|
+ error_f("No module path provided");
|
||||||
goto fail;
|
goto fail;
|
||||||
- *providerp = NULL;
|
- *providerp = NULL;
|
||||||
-
|
-
|
||||||
@ -2536,16 +2528,14 @@ index a302c79c..879fe917 100644
|
|||||||
+ }
|
+ }
|
||||||
|
|
||||||
- if (pkcs11_provider_lookup(provider_id) != NULL) {
|
- if (pkcs11_provider_lookup(provider_id) != NULL) {
|
||||||
- debug("%s: provider already registered: %s",
|
- debug_f("provider already registered: %s", provider_id);
|
||||||
- __func__, provider_id);
|
|
||||||
- goto fail;
|
- goto fail;
|
||||||
+ p = xcalloc(1, sizeof(*p));
|
+ p = xcalloc(1, sizeof(*p));
|
||||||
+ p->name = pkcs11_uri_get(uri);
|
+ p->name = pkcs11_uri_get(uri);
|
||||||
+
|
+
|
||||||
+ if ((m = pkcs11_provider_lookup_module(provider_module)) != NULL
|
+ if ((m = pkcs11_provider_lookup_module(provider_module)) != NULL
|
||||||
+ && m->valid) {
|
+ && m->valid) {
|
||||||
+ debug("%s: provider module already initialized: %s",
|
+ debug_f("provider module already initialized: %s", provider_module);
|
||||||
+ __func__, provider_module);
|
|
||||||
+ free(provider_module);
|
+ free(provider_module);
|
||||||
+ /* Skip the initialization of PKCS#11 module */
|
+ /* Skip the initialization of PKCS#11 module */
|
||||||
+ m->refcount++;
|
+ m->refcount++;
|
||||||
@ -2605,8 +2595,8 @@ index a302c79c..879fe917 100644
|
|||||||
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
|
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
|
||||||
+ if (uri->lib_manuf != NULL &&
|
+ if (uri->lib_manuf != NULL &&
|
||||||
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) {
|
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) {
|
||||||
+ debug("%s: Skipping provider %s not matching library_manufacturer",
|
+ debug_f("Skipping provider %s not matching library_manufacturer",
|
||||||
+ __func__, m->info.manufacturerID);
|
+ m->info.manufacturerID);
|
||||||
+ goto fail;
|
+ goto fail;
|
||||||
+ }
|
+ }
|
||||||
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
|
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
|
||||||
@ -2634,9 +2624,8 @@ index a302c79c..879fe917 100644
|
|||||||
}
|
}
|
||||||
- if (p->nslots == 0) {
|
- if (p->nslots == 0) {
|
||||||
+ if (m->nslots == 0) {
|
+ if (m->nslots == 0) {
|
||||||
debug("%s: provider %s returned no slots", __func__,
|
- debug_f("provider %s returned no slots", provider_id);
|
||||||
- provider_id);
|
+ debug_f("provider %s returned no slots", provider_module);
|
||||||
+ provider_module);
|
|
||||||
ret = -SSH_PKCS11_ERR_NO_SLOTS;
|
ret = -SSH_PKCS11_ERR_NO_SLOTS;
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
@ -2663,8 +2652,8 @@ index a302c79c..879fe917 100644
|
|||||||
+ if ((rv = f->C_GetTokenInfo(m->slotlist[i], token))
|
+ if ((rv = f->C_GetTokenInfo(m->slotlist[i], token))
|
||||||
!= CKR_OK) {
|
!= CKR_OK) {
|
||||||
error("C_GetTokenInfo for provider %s slot %lu "
|
error("C_GetTokenInfo for provider %s slot %lu "
|
||||||
- "failed: %lu", provider_id, (unsigned long)i, rv);
|
- "failed: %lu", provider_id, (u_long)i, rv);
|
||||||
+ "failed: %lu", provider_module, (unsigned long)i, rv);
|
+ "failed: %lu", provider_module, (u_long)i, rv);
|
||||||
+ token->flags = 0;
|
+ token->flags = 0;
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@ -2735,25 +2724,23 @@ index a302c79c..879fe917 100644
|
|||||||
+ for (i = 0; i < p->module->nslots; i++) {
|
+ for (i = 0; i < p->module->nslots; i++) {
|
||||||
+ token = &p->module->slotinfo[i].token;
|
+ token = &p->module->slotinfo[i].token;
|
||||||
if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) {
|
if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) {
|
||||||
debug2("%s: ignoring uninitialised token in "
|
debug2_f("ignoring uninitialised token in "
|
||||||
"provider %s slot %lu", __func__,
|
- "provider %s slot %lu", provider_id, (u_long)i);
|
||||||
- provider_id, (unsigned long)i);
|
+ "provider %s slot %lu", provider_uri, (u_long)i);
|
||||||
+ provider_uri, (unsigned long)i);
|
|
||||||
+ continue;
|
+ continue;
|
||||||
+ }
|
+ }
|
||||||
+ if (uri->token != NULL &&
|
+ if (uri->token != NULL &&
|
||||||
+ strcmp(token->label, uri->token) != 0) {
|
+ strcmp(token->label, uri->token) != 0) {
|
||||||
+ debug2("%s: ignoring token not matching label (%s) "
|
+ debug2_f("ignoring token not matching label (%s) "
|
||||||
+ "specified by PKCS#11 URI in slot %lu", __func__,
|
+ "specified by PKCS#11 URI in slot %lu",
|
||||||
+ token->label, (unsigned long)i);
|
+ token->label, (unsigned long)i);
|
||||||
+ continue;
|
+ continue;
|
||||||
+ }
|
+ }
|
||||||
+ if (uri->manuf != NULL &&
|
+ if (uri->manuf != NULL &&
|
||||||
+ strcmp(token->manufacturerID, uri->manuf) != 0) {
|
+ strcmp(token->manufacturerID, uri->manuf) != 0) {
|
||||||
+ debug2("%s: ignoring token not matching requrested "
|
+ debug2_f("ignoring token not matching requrested "
|
||||||
+ "manufacturerID (%s) specified by PKCS#11 URI in "
|
+ "manufacturerID (%s) specified by PKCS#11 URI in "
|
||||||
+ "slot %lu", __func__,
|
+ "slot %lu", token->manufacturerID, (unsigned long)i);
|
||||||
+ token->manufacturerID, (unsigned long)i);
|
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
- rmspace(token->label, sizeof(token->label));
|
- rmspace(token->label, sizeof(token->label));
|
||||||
@ -2789,8 +2776,7 @@ index a302c79c..879fe917 100644
|
|||||||
* expose keys.
|
* expose keys.
|
||||||
*/
|
*/
|
||||||
- if (pkcs11_login_slot(p, &p->slotinfo[i],
|
- if (pkcs11_login_slot(p, &p->slotinfo[i],
|
||||||
+ debug3("%s: Trying to login as there were no keys found",
|
+ debug3_f("Trying to login as there were no keys found");
|
||||||
+ __func__);
|
|
||||||
+ if (pkcs11_login_slot(p, &p->module->slotinfo[i],
|
+ if (pkcs11_login_slot(p, &p->module->slotinfo[i],
|
||||||
CKU_USER) < 0) {
|
CKU_USER) < 0) {
|
||||||
error("login failed");
|
error("login failed");
|
||||||
@ -2802,8 +2788,8 @@ index a302c79c..879fe917 100644
|
|||||||
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
|
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
|
||||||
+ }
|
+ }
|
||||||
+ if (nkeys == 0 && uri->object != NULL) {
|
+ if (nkeys == 0 && uri->object != NULL) {
|
||||||
+ debug3("%s: No keys found. Retrying without label (%s) ",
|
+ debug3_f("No keys found. Retrying without label (%s) ",
|
||||||
+ __func__, uri->object);
|
+ uri->object);
|
||||||
+ /* Try once more without the label filter */
|
+ /* Try once more without the label filter */
|
||||||
+ char *label = uri->object;
|
+ char *label = uri->object;
|
||||||
+ uri->object = NULL; /* XXX clone uri? */
|
+ uri->object = NULL; /* XXX clone uri? */
|
||||||
@ -2852,7 +2838,7 @@ index a302c79c..879fe917 100644
|
|||||||
+ struct pkcs11_uri *uri = NULL;
|
+ struct pkcs11_uri *uri = NULL;
|
||||||
+ int r;
|
+ int r;
|
||||||
+
|
+
|
||||||
+ debug("%s: called, provider_id = %s", __func__, provider_id);
|
+ debug_f("called, provider_id = %s", provider_id);
|
||||||
+
|
+
|
||||||
+ uri = pkcs11_uri_init();
|
+ uri = pkcs11_uri_init();
|
||||||
+ if (uri == NULL)
|
+ if (uri == NULL)
|
||||||
@ -2878,12 +2864,11 @@ index a302c79c..879fe917 100644
|
|||||||
+pkcs11_add_provider_by_uri(struct pkcs11_uri *uri, char *pin,
|
+pkcs11_add_provider_by_uri(struct pkcs11_uri *uri, char *pin,
|
||||||
+ struct sshkey ***keyp, char ***labelsp)
|
+ struct sshkey ***keyp, char ***labelsp)
|
||||||
{
|
{
|
||||||
- struct pkcs11_provider *p = NULL;
|
struct pkcs11_provider *p = NULL;
|
||||||
int nkeys;
|
int nkeys;
|
||||||
+ struct pkcs11_provider *p = NULL;
|
|
||||||
+ char *provider_uri = pkcs11_uri_get(uri);
|
+ char *provider_uri = pkcs11_uri_get(uri);
|
||||||
+
|
+
|
||||||
+ debug("%s: called, provider_uri = %s", __func__, provider_uri);
|
+ debug_f("called, provider_uri = %s", provider_uri);
|
||||||
|
|
||||||
- nkeys = pkcs11_register_provider(provider_id, pin, keyp, labelsp,
|
- nkeys = pkcs11_register_provider(provider_id, pin, keyp, labelsp,
|
||||||
- &p, CKU_USER);
|
- &p, CKU_USER);
|
||||||
@ -2892,11 +2877,11 @@ index a302c79c..879fe917 100644
|
|||||||
/* no keys found or some other error, de-register provider */
|
/* no keys found or some other error, de-register provider */
|
||||||
if (nkeys <= 0 && p != NULL) {
|
if (nkeys <= 0 && p != NULL) {
|
||||||
@@ -1652,7 +1974,37 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp,
|
@@ -1652,7 +1974,37 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp,
|
||||||
|
pkcs11_provider_unref(p);
|
||||||
}
|
}
|
||||||
if (nkeys == 0)
|
if (nkeys == 0)
|
||||||
debug("%s: provider %s returned no keys", __func__,
|
- debug_f("provider %s returned no keys", provider_id);
|
||||||
- provider_id);
|
+ debug_f("provider %s returned no keys", provider_uri);
|
||||||
+ provider_uri);
|
|
||||||
+
|
+
|
||||||
+ free(provider_uri);
|
+ free(provider_uri);
|
||||||
+ return nkeys;
|
+ return nkeys;
|
||||||
@ -2930,26 +2915,6 @@ index a302c79c..879fe917 100644
|
|||||||
|
|
||||||
return (nkeys);
|
return (nkeys);
|
||||||
}
|
}
|
||||||
@@ -1674,7 +2026,7 @@ pkcs11_gakp(char *provider_id, char *pin, unsigned int slotidx, char *label,
|
|
||||||
|
|
||||||
if ((p = pkcs11_provider_lookup(provider_id)) != NULL)
|
|
||||||
debug("%s: provider \"%s\" available", __func__, provider_id);
|
|
||||||
- else if ((ret = pkcs11_register_provider(provider_id, pin, NULL, NULL,
|
|
||||||
+ else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL,
|
|
||||||
&p, CKU_SO)) < 0) {
|
|
||||||
debug("%s: could not register provider %s", __func__,
|
|
||||||
provider_id);
|
|
||||||
@@ -1746,8 +2098,8 @@ pkcs11_destroy_keypair(char *provider_id, char *pin, unsigned long slotidx,
|
|
||||||
|
|
||||||
if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
|
|
||||||
debug("%s: using provider \"%s\"", __func__, provider_id);
|
|
||||||
- } else if (pkcs11_register_provider(provider_id, pin, NULL, NULL, &p,
|
|
||||||
- CKU_SO) < 0) {
|
|
||||||
+ } else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL,
|
|
||||||
+ &p, CKU_SO)) < 0) {
|
|
||||||
debug("%s: could not register provider %s", __func__,
|
|
||||||
provider_id);
|
|
||||||
goto out;
|
|
||||||
diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
|
diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
|
||||||
index 81f1d7c5..feaf74de 100644
|
index 81f1d7c5..feaf74de 100644
|
||||||
--- a/ssh-pkcs11.h
|
--- a/ssh-pkcs11.h
|
||||||
@ -2995,7 +2960,7 @@ index 15aee569..976844cb 100644
|
|||||||
+ pkcs11_terminate();
|
+ pkcs11_terminate();
|
||||||
|
|
||||||
skip_connect:
|
skip_connect:
|
||||||
exit_status = ssh_session2(ssh, pw);
|
exit_status = ssh_session2(ssh, cinfo);
|
||||||
@@ -2076,6 +2085,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
|
@@ -2076,6 +2085,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
|
||||||
options.escape_char : SSH_ESCAPECHAR_NONE, id);
|
options.escape_char : SSH_ESCAPECHAR_NONE, id);
|
||||||
}
|
}
|
||||||
@ -3041,7 +3006,7 @@ index 15aee569..976844cb 100644
|
|||||||
+
|
+
|
||||||
/* Loads all IdentityFile and CertificateFile keys */
|
/* Loads all IdentityFile and CertificateFile keys */
|
||||||
static void
|
static void
|
||||||
load_public_identity_files(struct passwd *pw)
|
load_public_identity_files(const struct ssh_conn_info *cinfo)
|
||||||
@@ -2090,11 +2138,6 @@ load_public_identity_files(struct passwd *pw)
|
@@ -2090,11 +2138,6 @@ load_public_identity_files(struct passwd *pw)
|
||||||
char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
|
char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
|
||||||
struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
|
struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
|
||||||
@ -3117,9 +3082,9 @@ index 15aee569..976844cb 100644
|
|||||||
+ }
|
+ }
|
||||||
+#endif /* ENABLE_PKCS11 */
|
+#endif /* ENABLE_PKCS11 */
|
||||||
+ cp = tilde_expand_filename(name, getuid());
|
+ cp = tilde_expand_filename(name, getuid());
|
||||||
filename = default_client_percent_dollar_expand(cp,
|
filename = default_client_percent_dollar_expand(cp, cinfo);
|
||||||
pw->pw_dir, host, options.user, pw->pw_name);
|
|
||||||
free(cp);
|
free(cp);
|
||||||
|
check_load(sshkey_load_public(filename, &public, NULL),
|
||||||
diff --git a/ssh_config.5 b/ssh_config.5
|
diff --git a/ssh_config.5 b/ssh_config.5
|
||||||
index 06a32d31..4b2763bd 100644
|
index 06a32d31..4b2763bd 100644
|
||||||
--- a/ssh_config.5
|
--- a/ssh_config.5
|
||||||
|
@ -7,8 +7,8 @@ diff --git a/channels.c b/channels.c
|
|||||||
if (x11_use_localhost)
|
if (x11_use_localhost)
|
||||||
set_reuseaddr(sock);
|
set_reuseaddr(sock);
|
||||||
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||||
debug2("%s: bind port %d: %.100s", __func__,
|
debug2_f("bind port %d: %.100s", port,
|
||||||
port, strerror(errno));
|
strerror(errno));
|
||||||
close(sock);
|
close(sock);
|
||||||
+
|
+
|
||||||
+ /* do not remove successfully opened
|
+ /* do not remove successfully opened
|
||||||
|
@ -37,8 +37,8 @@
|
|||||||
+ * SHA2 signature types.
|
+ * SHA2 signature types.
|
||||||
+ */
|
+ */
|
||||||
+ if (alg == NULL &&
|
+ if (alg == NULL &&
|
||||||
+ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
|
+ (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) {
|
||||||
+ oallowed = allowed = xstrdup(options.pubkey_key_types);
|
+ oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
|
||||||
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
||||||
+ if (sshkey_type_from_name(cp) != key->type)
|
+ if (sshkey_type_from_name(cp) != key->type)
|
||||||
+ continue;
|
+ continue;
|
||||||
|
@ -1,14 +0,0 @@
|
|||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index e0768c06..5065ae7e 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
#ifdef __NR_pselect6
|
|
||||||
SC_ALLOW(__NR_pselect6),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_pselect6_time64
|
|
||||||
+ SC_ALLOW(__NR_pselect6_time64),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR_read
|
|
||||||
SC_ALLOW(__NR_read),
|
|
||||||
#endif
|
|
@ -1,130 +0,0 @@
|
|||||||
From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Oleg <Fallmay@users.noreply.github.com>
|
|
||||||
Date: Thu, 1 Oct 2020 12:09:08 +0300
|
|
||||||
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
|
|
||||||
|
|
||||||
---
|
|
||||||
contrib/ssh-copy-id | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index 392f64f94..a76907717 100644
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -247,7 +247,7 @@ installkeys_sh() {
|
|
||||||
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
|
|
||||||
# the cat adds the keys we're getting via STDIN
|
|
||||||
# and if available restorecon is used to restore the SELinux context
|
|
||||||
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
|
|
||||||
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
|
||||||
cd;
|
|
||||||
umask 077;
|
|
||||||
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
|
||||||
@@ -258,6 +258,7 @@ installkeys_sh() {
|
|
||||||
restorecon -F .ssh ${AUTH_KEY_FILE};
|
|
||||||
fi
|
|
||||||
EOF
|
|
||||||
+ )
|
|
||||||
|
|
||||||
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
|
|
||||||
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
|
|
||||||
|
|
||||||
From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
|
|
||||||
From: Philip Hands <phil@hands.com>
|
|
||||||
Date: Sat, 3 Oct 2020 00:20:07 +0200
|
|
||||||
Subject: [PATCH] un-nest $() to make ksh cheerful
|
|
||||||
|
|
||||||
---
|
|
||||||
ssh-copy-id | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Philip Hands <phil@hands.com>
|
|
||||||
Date: Fri, 2 Oct 2020 21:30:10 +0200
|
|
||||||
Subject: [PATCH] ksh doesn't grok 'local'
|
|
||||||
|
|
||||||
and AFAICT it's not actually doing anything useful in the code, so let's
|
|
||||||
see how things go without it.
|
|
||||||
---
|
|
||||||
ssh-copy-id | 11 +++++------
|
|
||||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index a769077..11c9463 100755
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -76,7 +76,7 @@ quote() {
|
|
||||||
}
|
|
||||||
|
|
||||||
use_id_file() {
|
|
||||||
- local L_ID_FILE="$1"
|
|
||||||
+ L_ID_FILE="$1"
|
|
||||||
|
|
||||||
if [ -z "$L_ID_FILE" ] ; then
|
|
||||||
printf '%s: ERROR: no ID file found\n' "$0"
|
|
||||||
@@ -94,7 +94,7 @@ use_id_file() {
|
|
||||||
# check that the files are readable
|
|
||||||
for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
|
|
||||||
ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
|
|
||||||
- local L_PRIVMSG=""
|
|
||||||
+ L_PRIVMSG=""
|
|
||||||
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
|
|
||||||
printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
|
|
||||||
exit 1
|
|
||||||
@@ -169,7 +169,7 @@ fi
|
|
||||||
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
|
|
||||||
# and has the side effect of setting $NEW_IDS
|
|
||||||
populate_new_ids() {
|
|
||||||
- local L_SUCCESS="$1"
|
|
||||||
+ L_SUCCESS="$1"
|
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
if [ "$FORCED" ] ; then
|
|
||||||
@@ -181,13 +181,12 @@ populate_new_ids() {
|
|
||||||
eval set -- "$SSH_OPTS"
|
|
||||||
|
|
||||||
umask 0177
|
|
||||||
- local L_TMP_ID_FILE
|
|
||||||
L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
|
|
||||||
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
|
|
||||||
printf '%s: ERROR: mktemp failed\n' "$0" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
- local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
|
||||||
+ L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
|
||||||
# shellcheck disable=SC2064
|
|
||||||
trap "$L_CLEANUP" EXIT TERM INT QUIT
|
|
||||||
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
|
|
||||||
@@ -237,7 +236,7 @@ populate_new_ids() {
|
|
||||||
# produce a one-liner to add the keys to remote authorized_keys file
|
|
||||||
# optionally takes an alternative path for authorized_keys
|
|
||||||
installkeys_sh() {
|
|
||||||
- local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
|
||||||
+ AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
|
||||||
|
|
||||||
# In setting INSTALLKEYS_SH:
|
|
||||||
# the tr puts it all on one line (to placate tcsh)
|
|
||||||
--
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index 11c9463..ee3f637 100755
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -237,6 +237,7 @@ populate_new_ids() {
|
|
||||||
# optionally takes an alternative path for authorized_keys
|
|
||||||
installkeys_sh() {
|
|
||||||
AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
|
||||||
+ AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
|
|
||||||
|
|
||||||
# In setting INSTALLKEYS_SH:
|
|
||||||
# the tr puts it all on one line (to placate tcsh)
|
|
||||||
@@ -249,7 +250,7 @@ installkeys_sh() {
|
|
||||||
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
|
||||||
cd;
|
|
||||||
umask 077;
|
|
||||||
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
|
||||||
+ mkdir -p "${AUTH_KEY_DIR}" &&
|
|
||||||
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
|
||||||
cat >> ${AUTH_KEY_FILE} ||
|
|
||||||
exit 1;
|
|
||||||
--
|
|
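--- a/openssh.spec
+++ b/openssh.spec
@@ -50,21 +50,21 @@
 %{?static_openssl:%global static_libcrypto 1}
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.4p1
-%global openssh_rel 5
+%global openssh_ver 8.5p1
+%global openssh_rel 2
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 1
+%global pam_ssh_agent_rel 2
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.1
+Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2: sshd.pam
-Source3: DJM-GPG-KEY.gpg
+Source3: gpgkey-736060BA.gpg
 Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
 Source5: pam_ssh_agent-rmheaders
 Source6: ssh-keycat.pam
@@ -75,6 +75,7 @@ Source11: sshd.service
 Source12: sshd-keygen@.service
 Source13: sshd-keygen
 Source15: sshd-keygen.target
+Source16: ssh-agent.service
 
 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
 Patch100: openssh-6.7p1-coverity.patch
@@ -178,9 +179,6 @@ Patch950: openssh-7.5p1-sandbox.patch
 Patch951: openssh-8.0p1-pkcs11-uri.patch
 # Unbreak scp between two IPv6 hosts (#1620333)
 Patch953: openssh-7.8p1-scp-ipv6.patch
-# ssh-copy-id is unmaintained: Aggreagete patches
-# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
-Patch958: openssh-7.9p1-ssh-copy-id.patch
 # Mention crypto-policies in manual pages (#1668325)
 Patch962: openssh-8.0p1-crypto-policies.patch
 # Use OpenSSL high-level API to produce and verify signatures (#1707485)
@@ -191,9 +189,6 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
 Patch965: openssh-8.2p1-visibility.patch
 # Do not break X11 without IPv6
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
-Patch967: openssh-8.4p1-ssh-copy-id.patch
-# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
-Patch968: openssh-8.4p1-sandbox-seccomp.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3213
 Patch969: openssh-8.4p1-debian-compat.patch
 
@@ -216,6 +211,7 @@ BuildRequires: pam-devel
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
 BuildRequires: systemd-devel
+BuildRequires: systemd-rpm-macros
 BuildRequires: gcc make
 BuildRequires: p11-kit-devel
 BuildRequires: libfido2-devel
@@ -266,7 +262,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.3
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
 License: BSD
 
 %description
@@ -364,14 +360,11 @@ popd
 %patch950 -p1 -b .sandbox
 %patch951 -p1 -b .pkcs11-uri
 %patch953 -p1 -b .scp-ipv6
-%patch958 -p1 -b .ssh-copy-id
 %patch962 -p1 -b .crypto-policies
 %patch963 -p1 -b .openssl-evp
 %patch964 -p1 -b .openssl-kdf
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
-%patch967 -p1 -b .ssh-copy-id
-%patch968 -p1 -b .seccomp
 %patch969 -p0 -b .debian
 
 %patch200 -p1 -b .audit
@@ -517,6 +510,8 @@ install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
 install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
 install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
 install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
+install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
+install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
 install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
@@ -573,6 +568,12 @@ test -f %{sysconfig_anaconda} && \
 %postun server
 %systemd_postun_with_restart sshd.service
 
+%post clients
+%systemd_user_post ssh-agent.service
+
+%preun clients
+%systemd_user_preun ssh-agent.service
+
 %files
 %license LICENCE
 %doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
@@ -607,6 +608,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
 %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
 %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
+%attr(0644,root,root) %{_userunitdir}/ssh-agent.service
 
 %files server
 %dir %attr(0711,root,root) %{_datadir}/empty.sshd
@@ -648,6 +650,16 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Tue Mar 09 2021 Rex Dieter <rdieter@fedoraproject.org> - 8.5p1-2
+- ssh-agent.serivce is user unit (#1761817#27)
+
+* Wed Mar 03 2021 Jakub Jelen <jjelen@redhat.com> - 8.5p1-1 + 0.10.4-2
+- New upstream release (#1934336)
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8.4p1-5.2
+- Rebuilt for updated systemd-rpm-macros
+See https://pagure.io/fesco/issue/2583.
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 8.4p1-5.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 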
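Review bot: Dropping Patch968 (`Patch968: openssh-8.4p1-sandbox-seccomp.patch` in the patch list and `%patch968 -p1 -b .seccomp` in %prep) removes the `SC_ALLOW(__NR_pselect6_time64)` entry that the deleted patch file added to the pre-auth seccomp filter, and neither the spec nor the 8.5p1-1 changelog entry records that 8.5p1 carries that allowance upstream. If it does not, the privsep child would presumably be killed by the filter wherever libc routes pselect to the time64 syscall, which surfaces only as pre-auth connection drops; the same unrecorded assumption applies to Patch967 (ssh-copy-id). A line in the 8.5p1-1 changelog entry or a comment next to the version bump, e.g. `# bz#3232 (pselect6_time64 in the seccomp filter) and the ssh-copy-id fixes are upstream as of 8.5p1`, would record that the check was made. The 8.5p1-2 changelog line also misspells `ssh-agent.service` as `ssh-agent.serivce`.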
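--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
-SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
+SHA512 (openssh-8.5p1.tar.gz) = af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
+SHA512 (openssh-8.5p1.tar.gz.asc) = 264a991c7207f2215875e2b472a649ede1a69f6486d25777bf522047c26ea77c2995d34b6917a993ea9a250b7dd5298a30f1975e20e471f079c9064ce283cec2
 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
-SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
+SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21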
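Review bot: The signing key is replaced in the same change as the artefacts it vouches for — `SHA512 (gpgkey-736060BA.gpg) = df44f3fd…` takes over from `DJM-GPG-KEY.gpg` alongside the new tarball and its `.asc` — so the build-time signature check (presumably the %prep gpgverify step, which is outside this chunk) can only confirm that the 8.5p1 tarball matches whatever key this commit adds, not that the key is the upstream release key. The commit message should state how the new key's fingerprint was verified (the release announcement, or a chain from the previously trusted key) so that a reviewer can repeat the check out of band; the hash line itself is fine as written.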
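--- /dev/null
+++ b/ssh-agent.service
@@ -0,0 +1,14 @@
+# Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
+# set in environment, handled for example in plasma via
+# /etc/xdg/plasma-workspace/env/ssh-agent.sh
+[Unit]
+ConditionEnvironment=!SSH_AGENT_PID
+Description=OpenSSH key agent
+Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
+
+[Service]
+Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
+ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
+PassEnvironment=SSH_AGENT_PID
+SuccessExitStatus=2
+Type=forking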