replace TwoFactorAuth with RequiredAuthentications[12]

https://bugzilla.mindrot.org/show_bug.cgi?id=983
This commit is contained in:
Petr Lautrbach 2012-02-06 22:15:10 +01:00
parent 21699d5622
commit d9e6186c71
8 changed files with 1754 additions and 929 deletions


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-14 07:24:40.876512251 +0200 --- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100
+++ openssh-5.9p1/auth2-pubkey.c 2011-09-14 07:24:43.318458515 +0200 +++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100
@@ -27,6 +27,7 @@ @@ -27,6 +27,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -136,7 +136,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
+ do { + do {
+ if ((cp = strrchr(progname, '/')) == NULL) + if ((cp = strrchr(progname, '/')) == NULL)
+ break; + break;
+ else + else
+ *cp = '\0'; + *cp = '\0';
+ +
+ debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname)); + debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
@ -241,8 +241,8 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
return 0; return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
--- openssh-5.9p1/configure.ac.akc 2011-09-14 07:24:42.863494886 +0200 --- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100
+++ openssh-5.9p1/configure.ac 2011-09-14 07:24:43.441583848 +0200 +++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit], @@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
esac ] esac ]
) )
@ -271,9 +271,9 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
echo " libedit support: $LIBEDIT_MSG" echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG" echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.akc 2011-09-14 07:24:29.402475399 +0200 --- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100
+++ openssh-5.9p1/servconf.c 2011-09-14 07:56:27.158585590 +0200 +++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions @@ -136,6 +136,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1; options->num_permitted_opens = -1;
options->adm_forced_command = NULL; options->adm_forced_command = NULL;
options->chroot_directory = NULL; options->chroot_directory = NULL;
@ -282,7 +282,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
options->zero_knowledge_password_authentication = -1; options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL; options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL; options->trusted_user_ca_keys = NULL;
@@ -348,6 +350,7 @@ typedef enum { @@ -329,6 +331,7 @@ typedef enum {
sZeroKnowledgePasswordAuthentication, sHostCertificate, sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS, sKexAlgorithms, sIPQoS,
@ -290,9 +290,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
sDeprecated, sUnsupported sDeprecated, sUnsupported
} ServerOpCodes; } ServerOpCodes;
@@ -487,6 +490,13 @@ static struct { @@ -455,6 +458,13 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL },
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND +#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
@ -304,7 +304,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
{ NULL, sBadOption, 0 } { NULL, sBadOption, 0 }
}; };
@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions @@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions
} }
break; break;
@ -329,16 +329,16 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
case sDeprecated: case sDeprecated:
logit("%s line %d: Deprecated option %s", logit("%s line %d: Deprecated option %s",
filename, linenum, arg); filename, linenum, arg);
@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d @@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
M_CP_INTOPT(kbd_interactive_authentication);
M_CP_INTOPT(zero_knowledge_password_authentication); M_CP_INTOPT(zero_knowledge_password_authentication);
M_CP_INTOPT(second_zero_knowledge_password_authentication);
M_CP_INTOPT(two_factor_authentication);
+ M_CP_STROPT(authorized_keys_command); + M_CP_STROPT(authorized_keys_command);
+ M_CP_STROPT(authorized_keys_command_runas); + M_CP_STROPT(authorized_keys_command_runas);
M_CP_INTOPT(permit_root_login); M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(permit_empty_passwd); M_CP_INTOPT(permit_empty_passwd);
@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o) @@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sRevokedKeys, o->revoked_keys_file); dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile, dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file); o->authorized_principals_file);
@ -348,9 +348,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
/* string arguments requiring a lookup */ /* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level)); dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.akc 2011-09-14 07:24:29.511480441 +0200 --- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100
+++ openssh-5.9p1/servconf.h 2011-09-14 07:24:43.678459183 +0200 +++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100
@@ -174,6 +174,8 @@ typedef struct { @@ -169,6 +169,8 @@ typedef struct {
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
char *authorized_principals_file; char *authorized_principals_file;
@ -359,9 +359,22 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
} ServerOptions; } ServerOptions;
/* /*
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200
+++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100
@@ -49,6 +49,9 @@
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0 diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200 --- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
+++ openssh-5.9p1/sshd_config.0 2011-09-14 07:24:43.791460201 +0200 +++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100
@@ -71,6 +71,23 @@ DESCRIPTION @@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns. See PATTERNS in ssh_config(5) for more information on patterns.
@ -370,8 +383,8 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
+ +
+ Specifies a program to be used for lookup of the user's + Specifies a program to be used for lookup of the user's
+ public keys. The program will be invoked with its first + public keys. The program will be invoked with its first
+ argument the name of the user being authorized, and should produce + argument the name of the user being authorized, and should produce
+ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS + on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
+ in sshd(8)). By default (or when set to the empty string) there is no + in sshd(8)). By default (or when set to the empty string) there is no
+ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully + AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
+ authorize the user, authorization falls through to the + authorize the user, authorization falls through to the
@ -397,34 +410,17 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
GSSAPIAuthentication, HostbasedAuthentication, GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5 diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.akc 2011-09-14 07:24:29.793520372 +0200 --- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100
+++ openssh-5.9p1/sshd_config.5 2011-09-14 07:24:43.912583678 +0200 +++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100
@@ -706,6 +706,8 @@ Available keywords are @@ -151,6 +151,19 @@ See
.Cm AllowAgentForwarding , in
.Cm AllowTcpForwarding , .Xr ssh_config 5
.Cm AuthorizedKeysFile , for more information on patterns.
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
@@ -718,6 +720,7 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
@@ -926,6 +929,20 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
+.It Cm AuthorizedKeysCommand +.It Cm AuthorizedKeysCommand
+Specifies a program to be used for lookup of the user's +Specifies a program to be used for lookup of the user's
+public keys. The program will be invoked with its first +public keys. The program will be invoked with its first
+argument the name of the user being authorized, and should produce +argument the name of the user being authorized, and should produce
+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS +on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
+in sshd(8)). By default (or when set to the empty string) there is no +in sshd(8)). By default (or when set to the empty string) there is no
+AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully +AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
+authorize the user, authorization falls through to the +authorize the user, authorization falls through to the
@ -433,20 +429,23 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
+.It Cm AuthorizedKeysCommandRunAs +.It Cm AuthorizedKeysCommandRunAs
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty +Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
+string (the default value) means the user being authorized is used. +string (the default value) means the user being authorized is used.
+.Dq .It Cm AuthorizedKeysFile
.It Cm RhostsRSAAuthentication Specifies the file that contains the public keys that can be used
Specifies whether rhosts or /etc/hosts.equiv authentication together for user authentication.
with successful RSA host authentication is allowed. @@ -706,6 +719,8 @@ Available keywords are
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config .Cm AllowAgentForwarding ,
--- openssh-5.9p1/sshd_config.akc 2011-09-14 07:24:29.620461608 +0200 .Cm AllowTcpForwarding ,
+++ openssh-5.9p1/sshd_config 2011-09-14 07:24:44.034462546 +0200 .Cm AuthorizedKeysFile ,
@@ -49,6 +49,9 @@ +.Cm AuthorizedKeysCommand ,
# but this is overridden so installations will only check .ssh/authorized_keys +.Cm AuthorizedKeysCommandRunAs ,
AuthorizedKeysFile .ssh/authorized_keys .Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
+#AuthorizedKeysCommand none .Cm ChrootDirectory ,
+#AuthorizedKeysCommandRunAs nobody @@ -718,6 +733,7 @@ Available keywords are
+ .Cm KerberosAuthentication ,
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts .Cm MaxAuthTries ,
#RhostsRSAAuthentication no .Cm MaxSessions ,
# similar for protocol version 2 +.Cm PubkeyAuthentication ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
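Review bot: The sample sshd_config and the manual page in this patch disagree on AuthorizedKeysCommandRunAs: the sshd_config.5 text states that the empty default means the command runs as the user being authorized, while the sshd_config example line `#AuthorizedKeysCommandRunAs nobody` reads as the default to an administrator who uncomments it. Either the sample should show the real default or the AuthorizedKeysCommandRunAs description should explain what a dedicated unprivileged account like the one in the sample changes. The auth2-pubkey.c context in this section walks each path component of the program (`checking component '%s'`), which looks like an ownership or permission check on the command's path; if so, the AuthorizedKeysCommand description should state the requirement the program and its parent directories must meet, since the text shown gives none and a rejected command would otherwise be hard to diagnose. The Match keyword list also inserts `.Cm AuthorizedKeysCommand` after `.Cm AuthorizedKeysFile` and `.Cm PubkeyAuthentication` before `.Cm PasswordAuthentication`, breaking that list's alphabetical order.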


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p1/audit-bsm.c.audit4 2011-09-18 05:13:24.922458521 +0200 --- openssh-5.9p1/audit-bsm.c.audit4 2012-02-06 17:15:01.574908126 +0100
+++ openssh-5.9p1/audit-bsm.c 2011-09-18 05:13:26.808459314 +0200 +++ openssh-5.9p1/audit-bsm.c 2012-02-06 17:15:21.656095559 +0100
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char @@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
{ {
/* not implemented */ /* not implemented */
@ -12,9 +12,52 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
+ /* not implemented */ + /* not implemented */
+} +}
#endif /* BSM */ #endif /* BSM */
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
--- openssh-5.9p1/audit.c.audit4 2012-02-06 17:15:01.576787216 +0100
+++ openssh-5.9p1/audit.c 2012-02-06 17:15:21.690032906 +0100
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
}
+void
+audit_session_key_free(int ctos)
+{
+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
(unsigned)uid);
}
+
+/*
+ * This will be called on succesfull session key discard
+ */
+void
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit4 2012-02-06 17:15:01.576787216 +0100
+++ openssh-5.9p1/audit.h 2012-02-06 17:15:21.690876254 +0100
@@ -62,5 +62,7 @@ void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
+void audit_session_key_free(int ctos);
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
--- openssh-5.9p1/audit-linux.c.audit4 2011-09-18 05:13:25.041460630 +0200 --- openssh-5.9p1/audit-linux.c.audit4 2012-02-06 17:15:01.575908525 +0100
+++ openssh-5.9p1/audit-linux.c 2011-09-18 05:13:26.897563551 +0200 +++ openssh-5.9p1/audit-linux.c 2012-02-06 17:15:21.682001323 +0100
@@ -294,6 +294,8 @@ audit_unsupported_body(int what) @@ -294,6 +294,8 @@ audit_unsupported_body(int what)
#endif #endif
} }
@ -65,52 +108,9 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
+} +}
+ +
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
--- openssh-5.9p1/audit.c.audit4 2011-09-18 05:13:25.151459504 +0200
+++ openssh-5.9p1/audit.c 2011-09-18 05:13:26.995548664 +0200
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
}
+void
+audit_session_key_free(int ctos)
+{
+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
(unsigned)uid);
}
+
+/*
+ * This will be called on succesfull session key discard
+ */
+void
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit4 2011-09-18 05:13:25.247587021 +0200
+++ openssh-5.9p1/audit.h 2011-09-18 05:13:27.107531553 +0200
@@ -62,5 +62,7 @@ void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
+void audit_session_key_free(int ctos);
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
--- openssh-5.9p1/auditstub.c.audit4 2011-09-18 05:13:25.350459598 +0200 --- openssh-5.9p1/auditstub.c.audit4 2012-02-06 17:15:01.576787216 +0100
+++ openssh-5.9p1/auditstub.c 2011-09-18 05:13:27.209523920 +0200 +++ openssh-5.9p1/auditstub.c 2012-02-06 17:15:21.690876254 +0100
@@ -27,6 +27,8 @@ @@ -27,6 +27,8 @@
* Red Hat author: Jan F. Chadima <jchadima@redhat.com> * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
*/ */
@ -134,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
+{ +{
+} +}
diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
--- openssh-5.9p1/kex.c.audit4 2011-09-18 05:13:25.656459960 +0200 --- openssh-5.9p1/kex.c.audit4 2012-02-06 17:15:01.578907640 +0100
+++ openssh-5.9p1/kex.c 2011-09-18 05:13:27.309500951 +0200 +++ openssh-5.9p1/kex.c 2012-02-06 17:15:21.691785656 +0100
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i @@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
fprintf(stderr, "\n"); fprintf(stderr, "\n");
} }
@ -173,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
+ +
diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
--- openssh-5.9p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200 --- openssh-5.9p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
+++ openssh-5.9p1/kex.h 2011-09-18 05:13:27.419492884 +0200 +++ openssh-5.9p1/kex.h 2012-02-06 17:15:21.691785656 +0100
@@ -156,6 +156,8 @@ void kexgex_server(Kex *); @@ -156,6 +156,8 @@ void kexgex_server(Kex *);
void kexecdh_client(Kex *); void kexecdh_client(Kex *);
void kexecdh_server(Kex *); void kexecdh_server(Kex *);
@ -185,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
--- openssh-5.9p1/mac.c.audit4 2011-08-17 02:29:03.000000000 +0200 --- openssh-5.9p1/mac.c.audit4 2011-08-17 02:29:03.000000000 +0200
+++ openssh-5.9p1/mac.c 2011-09-18 05:13:27.545464964 +0200 +++ openssh-5.9p1/mac.c 2012-02-06 17:15:21.692918961 +0100
@@ -168,6 +168,20 @@ mac_clear(Mac *mac) @@ -168,6 +168,20 @@ mac_clear(Mac *mac)
mac->umac_ctx = NULL; mac->umac_ctx = NULL;
} }
@ -209,16 +209,16 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
int int
diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
--- openssh-5.9p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200 --- openssh-5.9p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
+++ openssh-5.9p1/mac.h 2011-09-18 05:13:27.675473027 +0200 +++ openssh-5.9p1/mac.h 2012-02-06 17:15:21.692918961 +0100
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *); @@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
int mac_init(Mac *); int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int); u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *); void mac_clear(Mac *);
+void mac_destroy(Mac *); +void mac_destroy(Mac *);
diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.audit4 2011-09-18 05:13:25.778584691 +0200 --- openssh-5.9p1/monitor.c.audit4 2012-02-06 17:15:01.579896475 +0100
+++ openssh-5.9p1/monitor.c 2011-09-18 05:15:22.786522699 +0200 +++ openssh-5.9p1/monitor.c 2012-02-06 17:16:32.405783810 +0100
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer @@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
int mm_answer_audit_end_command(int, Buffer *); int mm_answer_audit_end_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *); int mm_answer_audit_unsupported_body(int, Buffer *);
int mm_answer_audit_kex_body(int, Buffer *); int mm_answer_audit_kex_body(int, Buffer *);
@ -226,7 +226,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif #endif
static int monitor_read_log(struct monitor *); static int monitor_read_log(struct monitor *);
@@ -241,6 +242,7 @@ struct mon_table mon_dispatch_proto20[] @@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -234,7 +234,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif #endif
#ifdef BSD_AUTH #ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -280,6 +282,7 @@ struct mon_table mon_dispatch_postauth20 @@ -281,6 +283,7 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command}, {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -242,7 +242,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -313,6 +316,7 @@ struct mon_table mon_dispatch_proto15[] @@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -250,7 +250,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -327,6 +331,7 @@ struct mon_table mon_dispatch_postauth15 @@ -328,6 +332,7 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command}, {MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body}, {MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body}, {MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -258,8 +258,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif #endif
{0, 0, NULL} {0, 0, NULL}
}; };
@@ -437,10 +442,6 @@ monitor_child_preauth(Authctxt *_authctx @@ -451,10 +456,6 @@ monitor_child_preauth(Authctxt *_authctx
} #endif
} }
- /* Drain any buffered messages from the child */ - /* Drain any buffered messages from the child */
@ -269,7 +269,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
if (!authctxt->valid) if (!authctxt->valid)
fatal("%s: authenticated invalid user", __func__); fatal("%s: authenticated invalid user", __func__);
if (strcmp(auth_method, "unknown") == 0) if (strcmp(auth_method, "unknown") == 0)
@@ -1927,11 +1928,13 @@ mm_get_keystate(struct monitor *pmonitor @@ -1954,11 +1955,13 @@ mm_get_keystate(struct monitor *pmonitor
blob = buffer_get_string(&m, &bloblen); blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@ -283,7 +283,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
xfree(blob); xfree(blob);
/* Now get sequence numbers for the packets */ /* Now get sequence numbers for the packets */
@@ -1977,6 +1980,21 @@ mm_get_keystate(struct monitor *pmonitor @@ -2004,6 +2007,21 @@ mm_get_keystate(struct monitor *pmonitor
} }
buffer_free(&m); buffer_free(&m);
@ -305,7 +305,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
} }
@@ -2421,4 +2439,22 @@ mm_answer_audit_kex_body(int sock, Buffe @@ -2450,4 +2468,22 @@ mm_answer_audit_kex_body(int sock, Buffe
return 0; return 0;
} }
@ -329,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
--- openssh-5.9p1/monitor.h.audit4 2011-09-18 05:13:25.887586033 +0200 --- openssh-5.9p1/monitor.h.audit4 2012-02-06 17:15:01.580908188 +0100
+++ openssh-5.9p1/monitor.h 2011-09-18 05:13:27.934522919 +0200 +++ openssh-5.9p1/monitor.h 2012-02-06 17:15:21.695033617 +0100
@@ -63,6 +63,7 @@ enum monitor_reqtype { @@ -63,6 +63,7 @@ enum monitor_reqtype {
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND, MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED, MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -340,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1, MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA, MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.audit4 2011-09-18 05:13:26.013583317 +0200 --- openssh-5.9p1/monitor_wrap.c.audit4 2012-02-06 17:15:01.581802928 +0100
+++ openssh-5.9p1/monitor_wrap.c 2011-09-18 05:13:28.049519981 +0200 +++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:15:21.696033353 +0100
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor @@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
fatal("%s: conversion of newkeys failed", __func__); fatal("%s: conversion of newkeys failed", __func__);
@ -378,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.audit4 2011-09-18 05:13:26.119474152 +0200 --- openssh-5.9p1/monitor_wrap.h.audit4 2012-02-06 17:15:01.582908343 +0100
+++ openssh-5.9p1/monitor_wrap.h 2011-09-18 05:13:28.151521539 +0200 +++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:15:21.696033353 +0100
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *); @@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
void mm_audit_end_command(int, const char *); void mm_audit_end_command(int, const char *);
void mm_audit_unsupported_body(int); void mm_audit_unsupported_body(int);
@ -389,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
struct Session; struct Session;
diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
--- openssh-5.9p1/packet.c.audit4 2011-09-18 05:13:20.417548627 +0200 --- openssh-5.9p1/packet.c.audit4 2012-02-06 17:15:01.545908387 +0100
+++ openssh-5.9p1/packet.c 2011-09-18 05:13:28.278520968 +0200 +++ openssh-5.9p1/packet.c 2012-02-06 17:15:21.696886524 +0100
@@ -60,6 +60,7 @@ @@ -60,6 +60,7 @@
#include <signal.h> #include <signal.h>
@ -584,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
+ +
diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
--- openssh-5.9p1/packet.h.audit4 2011-05-15 00:43:13.000000000 +0200 --- openssh-5.9p1/packet.h.audit4 2011-05-15 00:43:13.000000000 +0200
+++ openssh-5.9p1/packet.h 2011-09-18 05:13:28.385521238 +0200 +++ openssh-5.9p1/packet.h 2012-02-06 17:15:21.697874825 +0100
@@ -124,4 +124,5 @@ void packet_restore_state(void); @@ -124,4 +124,5 @@ void packet_restore_state(void);
void *packet_get_input(void); void *packet_get_input(void);
void *packet_get_output(void); void *packet_get_output(void);
@ -592,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
+void packet_destroy_all(int, int); +void packet_destroy_all(int, int);
#endif /* PACKET_H */ #endif /* PACKET_H */
diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.audit4 2011-09-18 05:13:22.842504192 +0200 --- openssh-5.9p1/session.c.audit4 2012-02-06 17:15:01.562908533 +0100
+++ openssh-5.9p1/session.c 2011-09-18 05:13:28.511522576 +0200 +++ openssh-5.9p1/session.c 2012-02-06 17:15:21.697874825 +0100
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command @@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
/* remove hostkey from the child's memory */ /* remove hostkey from the child's memory */
@ -605,8 +605,8 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
/* Force a password change */ /* Force a password change */
if (s->authctxt->force_pwchange) { if (s->authctxt->force_pwchange) {
diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.audit4 2011-09-18 05:13:26.617460032 +0200 --- openssh-5.9p1/sshd.c.audit4 2012-02-06 17:15:01.583866459 +0100
+++ openssh-5.9p1/sshd.c 2011-09-18 05:13:28.621521065 +0200 +++ openssh-5.9p1/sshd.c 2012-02-06 17:15:21.699033720 +0100
@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt) @@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
} }
} }



@ -1,6 +1,6 @@
diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config diff -up openssh-5.9p1/ssh_config.redhat openssh-5.9p1/ssh_config
--- openssh-5.9p0/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 --- openssh-5.9p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
+++ openssh-5.9p0/ssh_config 2011-09-05 14:48:16.386439023 +0200 +++ openssh-5.9p1/ssh_config 2012-02-06 17:32:43.428032471 +0100
@@ -45,3 +45,14 @@ @@ -45,3 +45,14 @@
# PermitLocalCommand no # PermitLocalCommand no
# VisualHostKey no # VisualHostKey no
@ -16,37 +16,9 @@ diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS + SendEnv XMODIFIERS
diff -up openssh-5.9p0/sshd_config.0.redhat openssh-5.9p0/sshd_config.0 diff -up openssh-5.9p1/sshd_config.redhat openssh-5.9p1/sshd_config
--- openssh-5.9p0/sshd_config.0.redhat 2011-09-05 14:48:08.522441255 +0200 --- openssh-5.9p1/sshd_config.redhat 2012-02-06 17:32:43.427032448 +0100
+++ openssh-5.9p0/sshd_config.0 2011-09-05 14:48:16.477443868 +0200 +++ openssh-5.9p1/sshd_config 2012-02-06 17:35:15.356783832 +0100
@@ -581,9 +581,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
- default is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-5.9p0/sshd_config.5.redhat openssh-5.9p0/sshd_config.5
--- openssh-5.9p0/sshd_config.5.redhat 2011-09-05 14:48:08.657564688 +0200
+++ openssh-5.9p0/sshd_config.5 2011-09-05 14:48:16.589501736 +0200
@@ -1029,7 +1029,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
--- openssh-5.9p0/sshd_config.redhat 2011-09-05 14:48:16.250626793 +0200
+++ openssh-5.9p0/sshd_config 2011-09-05 15:06:01.513443553 +0200
@@ -32,6 +32,7 @@ @@ -32,6 +32,7 @@
# Logging # Logging
# obsoletes QuietMode and FascistLogging # obsoletes QuietMode and FascistLogging
@ -77,15 +49,13 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
@@ -89,6 +94,7 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -89,11 +94,13 @@ AuthorizedKeysFile .ssh/authorized_keys
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
#UsePAM no #UsePAM no
+UsePAM yes +UsePAM yes
#TwoFactorAuthentication no #AllowAgentForwarding yes
#SecondPubkeyAuthentication yes
@@ -101,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#AllowTcpForwarding yes #AllowTcpForwarding yes
#GatewayPorts no #GatewayPorts no
#X11Forwarding no #X11Forwarding no
@ -93,7 +63,7 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
@@ -121,6 +128,12 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -114,6 +121,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path # no default banner path
#Banner none #Banner none
@ -106,3 +76,31 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
# override default of no subsystems # override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server Subsystem sftp /usr/libexec/sftp-server
diff -up openssh-5.9p1/sshd_config.0.redhat openssh-5.9p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.redhat 2012-02-06 17:32:43.302970171 +0100
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:32:43.428032471 +0100
@@ -581,9 +581,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
- default is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-5.9p1/sshd_config.5.redhat openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.redhat 2012-02-06 17:32:43.303971959 +0100
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:32:43.429032398 +0100
@@ -1019,7 +1019,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
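Review bot: The shipped sshd_config loses its commented `#TwoFactorAuthentication no` / `#SecondPubkeyAuthentication yes` sample lines (the hunk around `#UsePAM no` / `+UsePAM yes`) but gains no example for the replacement keywords, so an administrator reading the default file has no hint that the RequiredAuthentications options exist. A commented line such as `#RequiredAuthentications2 publickey,password` next to the other commented defaults would preserve the discoverability the removed lines provided. The rest of this section is manual-page and ssh_config wording and needs no change.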


@ -0,0 +1,827 @@
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
--- openssh-5.9p1/auth.c.required-authentication 2012-02-06 17:03:51.034158031 +0100
+++ openssh-5.9p1/auth.c 2012-02-06 17:03:55.007830206 +0100
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
}
void
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
+auth_log(Authctxt *authctxt, int authenticated, const char *method,
+ const char *submethod, const char *info)
{
void (*authlog) (const char *fmt,...) = verbose;
char *authmsg;
@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
else
authmsg = authenticated ? "Accepted" : "Failed";
- authlog("%s %s for %s%.100s from %.200s port %d%s",
+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
authmsg,
method,
+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
authctxt->valid ? "" : "invalid user ",
authctxt->user,
get_remote_ipaddr(),
@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
* Check whether root logins are disallowed.
*/
int
-auth_root_allowed(char *method)
+auth_root_allowed(const char *method)
{
switch (options.permit_root_login) {
case PERMIT_YES:
@@ -694,3 +696,57 @@ fakepw(void)
return (&fake);
}
+
+int
+auth_method_in_list(const char *list, const char *method)
+{
+ char *cp;
+
+ cp = match_list(method, list, NULL);
+ if (cp != NULL) {
+ xfree(cp);
+ return 1;
+ }
+
+ return 0;
+}
+
+#define DELIM ","
+int
+auth_remove_from_list(char **list, const char *method)
+{
+ char *oldlist, *cp, *newlist = NULL;
+ u_int len = 0, ret = 0;
+
+ if (list == NULL || *list == NULL)
+ return (0);
+
+ oldlist = *list;
+ len = strlen(oldlist) + 1;
+ newlist = xmalloc(len);
+ memset(newlist, '\0', len);
+
+ /* Remove method from list, if present */
+ for (;;) {
+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
+ break;
+ if (*cp == '\0')
+ continue;
+ if (strcmp(cp, method) != 0) {
+ if (*newlist != '\0')
+ strlcat(newlist, DELIM, len);
+ strlcat(newlist, cp, len);
+ } else
+ ret++;
+ }
+
+ /* Return NULL instead of empty list */
+ if (*newlist == '\0') {
+ xfree(newlist);
+ newlist = NULL;
+ }
+ xfree(*list);
+ *list = newlist;
+
+ return (ret);
+}
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
+++ openssh-5.9p1/auth.h 2012-02-06 17:03:55.008839468 +0100
@@ -142,10 +142,11 @@ void disable_forwarding(void);
void do_authentication(Authctxt *);
void do_authentication2(Authctxt *);
-void auth_log(Authctxt *, int, char *, char *);
-void userauth_finish(Authctxt *, int, char *);
+void auth_log(Authctxt *, int, const char *, const char *, const char *);
+void userauth_finish(Authctxt *, int, const char *, const char *);
+int auth_root_allowed(const char *);
+
void userauth_send_banner(const char *);
-int auth_root_allowed(char *);
char *auth2_read_banner(void);
@@ -192,6 +193,11 @@ void auth_debug_send(void);
void auth_debug_reset(void);
struct passwd *fakepw(void);
+int auth_method_in_list(const char *, const char *);
+int auth_remove_from_list(char **, const char *);
+
+int auth1_check_required(const char *);
+int auth2_check_required(const char *);
int sys_auth_passwd(Authctxt *, const char *);
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.9p1/auth1.c 2012-02-06 17:03:55.055811924 +0100
@@ -98,6 +98,54 @@ static const struct AuthMethod1
return (NULL);
}
+static const struct AuthMethod1 *
+lookup_authmethod1_by_name(const char *name)
+{
+ int i;
+
+ for (i = 0; auth1_methods[i].name != NULL; i++)
+ if (strcmp(auth1_methods[i].name, name) == 0)
+ return (&(auth1_methods[i]));
+
+ return NULL;
+}
+
+#define DELIM ","
+int
+auth1_check_required(const char *list)
+{
+ char *orig_methods, *methods, *cp;
+ static const struct AuthMethod1 *m;
+ int ret = 0;
+
+ orig_methods = methods = xstrdup(list);
+ for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
+ if ((cp = strsep(&methods, DELIM)) == NULL)
+ break;
+ debug2("auth1_check_required: method \"%s\"", cp);
+ if (*cp == '\0') {
+ debug("auth1_check_required: empty method");
+ ret = -1;
+ }
+ if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
+ debug("auth1_check_required: unknown method "
+ "\"%s\"", cp);
+ ret = -1;
+ }
+ if (*(m->enabled) == 0) {
+ debug("auth1_check_required: method %s explicitly "
+ "disabled", cp);
+ ret = -1;
+ }
+ /* Activate method if it isn't already */
+ if (*(m->enabled) == -1)
+ *(m->enabled) = 1;
+ }
+ xfree(orig_methods);
+ return (ret);
+}
+
+
static char *
get_authname(int type)
{
@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt)
{
int authenticated = 0;
char info[1024];
+ const char *meth_name;
int prev = 0, type = 0;
const struct AuthMethod1 *meth;
@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt)
authctxt->valid ? "" : "invalid user ", authctxt->user);
/* If the user has no password, accept authentication immediately. */
- if (options.permit_empty_passwd && options.password_authentication &&
+ if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
#ifdef KRB5
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt)
if (options.use_pam && (PRIVSEP(do_pam_account())))
#endif
{
- auth_log(authctxt, 1, "without authentication", "");
+ auth_log(authctxt, 1, "without authentication", NULL, "");
return;
}
}
@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt)
/* Get a packet from the client. */
prev = type;
type = packet_read();
+ meth_name = get_authname(type);
/*
* If we started challenge-response authentication but the
@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt)
if (authctxt->failures >= options.max_authtries)
goto skip;
if ((meth = lookup_authmethod1(type)) == NULL) {
- logit("Unknown message during authentication: "
- "type %d", type);
+ logit("Unknown message during authentication: type %d",
+ type);
goto skip;
}
@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt)
goto skip;
}
+ /*
+ * Skip methods not in required list, until all the required
+ * ones are done
+ */
+ if (options.required_auth1 != NULL &&
+ !auth_method_in_list(options.required_auth1, meth_name)) {
+ debug("Skipping method \"%s\" until required "
+ "authentication completed", meth_name);
+ goto skip;
+ }
+
authenticated = meth->method(authctxt, info, sizeof(info));
if (authenticated == -1)
continue; /* "postponed" */
@@ -352,7 +413,29 @@ do_authloop(Authctxt *authctxt)
skip:
/* Log before sending the reply */
- auth_log(authctxt, authenticated, get_authname(type), info);
+ auth_log(authctxt, authenticated, meth_name, NULL, info);
+
+ /* Loop until the required authmethods are done */
+ if (authenticated && options.required_auth1 != NULL) {
+ if (auth_remove_from_list(&options.required_auth1,
+ meth_name) != 1)
+ fatal("INTERNAL ERROR: authenticated method "
+ "\"%s\" not in required list \"%s\"",
+ meth_name, options.required_auth1);
+ debug2("do_authloop: required list now: %s",
+ options.required_auth1 == NULL ?
+ "DONE" : options.required_auth1);
+ if (options.required_auth1 == NULL)
+ return;
+ authenticated = 0;
+ /*
+ * Disable method so client can't authenticate with it
+ * after the required authentications are complete.
+ */
+ *(meth->enabled) = 0;
+ packet_send_debug("Further authentication required");
+ goto send_fail;
+ }
if (client_user != NULL) {
xfree(client_user);
@@ -368,6 +451,7 @@ do_authloop(Authctxt *authctxt)
#endif
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
}
+ send_fail:
packet_start(SSH_SMSG_FAILURE);
packet_send();
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p1/auth2.c 2012-02-06 17:03:55.100896430 +0100
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
{
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
- char *user, *service, *method, *style = NULL;
+ char *user, *service, *method, *active_methods, *style = NULL;
int authenticated = 0;
if (authctxt == NULL)
@@ -277,22 +277,31 @@ input_userauth_request(int type, u_int32
authctxt->server_caused_failure = 0;
/* try to authenticate user */
- m = authmethod_lookup(method);
- if (m != NULL && authctxt->failures < options.max_authtries) {
- debug2("input_userauth_request: try method %s", method);
- authenticated = m->userauth(authctxt);
- }
- userauth_finish(authctxt, authenticated, method);
+ active_methods = authmethods_get();
+ if (strcmp(method, "none") == 0 ||
+ auth_method_in_list(active_methods, method)) {
+ m = authmethod_lookup(method);
+ if (m != NULL) {
+ debug2("input_userauth_request: try method %s", method);
+ authenticated = m->userauth(authctxt);
+ }
+ }
+ xfree(active_methods);
+ userauth_finish(authctxt, authenticated, method, NULL);
+
xfree(service);
xfree(user);
xfree(method);
}
void
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
+ const char *submethod)
{
char *methods;
+ Authmethod *m = NULL;
+ u_int partial = 0;
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
@@ -330,12 +339,42 @@ userauth_finish(Authctxt *authctxt, int
#endif /* _UNICOS */
/* Log before sending the reply */
- auth_log(authctxt, authenticated, method, " ssh2");
+ auth_log(authctxt, authenticated, method, submethod, " ssh2");
if (authctxt->postponed)
return;
- /* XXX todo: check if multiple auth methods are needed */
+ /* Handle RequiredAuthentications2: loop until required methods done */
+ if (authenticated && options.required_auth2 != NULL) {
+ if ((m = authmethod_lookup(method)) == NULL)
+ fatal("INTERNAL ERROR: authenticated method "
+ "\"%s\" unknown", method);
+ if (auth_remove_from_list(&options.required_auth2, method) != 1)
+ fatal("INTERNAL ERROR: authenticated method "
+ "\"%s\" not in required list \"%s\"",
+ method, options.required_auth2);
+ debug2("userauth_finish: required list now: %s",
+ options.required_auth2 == NULL ?
+ "DONE" : options.required_auth2);
+ /*
+ * if authenticated and no more required methods
+ * then declare success
+ */
+ if ( authenticated && options.required_auth2 == NULL ) {
+ debug2("userauth_finish: authenticated and no more required methods");
+ } else {
+ /*
+ * Disable method so client can't authenticate with it after
+ * the required authentications are complete.
+ */
+ if (m->enabled != NULL)
+ *(m->enabled) = 0;
+ authenticated = 0;
+ partial = 1;
+ goto send_fail;
+ }
+ }
+
if (authenticated == 1) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -345,7 +384,6 @@ userauth_finish(Authctxt *authctxt, int
/* now we can break out */
authctxt->success = 1;
} else {
-
/* Allow initial try of "none" auth without failure penalty */
if (!authctxt->server_caused_failure &&
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
@@ -356,10 +394,11 @@ userauth_finish(Authctxt *authctxt, int
#endif
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
}
+ send_fail:
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring(methods);
- packet_put_char(0); /* XXX partial success, unused */
+ packet_put_char(partial);
packet_send();
packet_write_wait();
xfree(methods);
@@ -373,6 +412,9 @@ authmethods_get(void)
char *list;
int i;
+ if (options.required_auth2 != NULL)
+ return xstrdup(options.required_auth2);
+
buffer_init(&b);
for (i = 0; authmethods[i] != NULL; i++) {
if (strcmp(authmethods[i]->name, "none") == 0)
@@ -407,3 +449,43 @@ authmethod_lookup(const char *name)
return NULL;
}
+#define DELIM ","
+
+int
+auth2_check_required(const char *list)
+{
+ char *orig_methods, *methods, *cp;
+ struct Authmethod *m;
+ int i, ret = 0;
+
+ orig_methods = methods = xstrdup(list);
+ for(;;) {
+ if ((cp = strsep(&methods, DELIM)) == NULL)
+ break;
+ debug2("auth2_check_required: method \"%s\"", cp);
+ if (*cp == '\0') {
+ debug("auth2_check_required: empty method");
+ ret = -1;
+ }
+ for (i = 0; authmethods[i] != NULL; i++)
+ if (strcmp(cp, authmethods[i]->name) == 0)
+ break;
+ if ((m = authmethods[i]) == NULL) {
+ debug("auth2_check_required: unknown method "
+ "\"%s\"", cp);
+ ret = -1;
+ break;
+ }
+ if (m->enabled == NULL || *(m->enabled) == 0) {
+ debug("auth2_check_required: method %s explicitly "
+ "disabled", cp);
+ ret = -1;
+ }
+ /* Activate method if it isn't already */
+ if (*(m->enabled) == -1)
+ *(m->enabled) = 1;
+ }
+ xfree(orig_methods);
+ return (ret);
+}
+
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:03:55.098862514 +0100
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
}
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
- userauth_finish(authctxt, 0, "gssapi-with-mic");
+ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
} else {
if (send_tok.length != 0) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type,
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
static void
@@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t ple
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
Authmethod method_gssapi = {
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
+++ openssh-5.9p1/auth2-chall.c 2012-02-06 17:03:55.098862514 +0100
@@ -341,8 +341,8 @@ input_userauth_info_response(int type, u
auth2_challenge_start(authctxt);
}
}
- userauth_finish(authctxt, authenticated, method);
- xfree(method);
+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
+ kbdintctxt->device?kbdintctxt->device->name:NULL);
}
void
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
+++ openssh-5.9p1/auth2-none.c 2012-02-06 17:03:55.099879104 +0100
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
packet_check_eom();
- if (options.permit_empty_passwd && options.password_authentication)
+ if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
return (PRIVSEP(auth_password(authctxt, "")));
return (0);
}
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.required-authentication 2012-02-06 17:03:51.020095446 +0100
+++ openssh-5.9p1/monitor.c 2012-02-06 17:03:55.101912924 +0100
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
static char *auth_method = "unknown";
+static char *auth_submethod = NULL;
static u_int session_id2_len = 0;
static u_char *session_id2 = NULL;
static pid_t monitor_child_pid;
@@ -352,7 +353,8 @@ void
monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
{
struct mon_table *ent;
- int authenticated = 0;
+ int no_increment, authenticated = 0;
+ char **req_auth;
debug3("preauth child monitor started");
@@ -367,12 +369,14 @@ monitor_child_preauth(Authctxt *_authctx
if (compat20) {
mon_dispatch = mon_dispatch_proto20;
+ req_auth = &options.required_auth2;
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
} else {
mon_dispatch = mon_dispatch_proto15;
+ req_auth = &options.required_auth1;
monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
}
@@ -380,6 +384,8 @@ monitor_child_preauth(Authctxt *_authctx
/* The first few requests do not require asynchronous access */
while (!authenticated) {
auth_method = "unknown";
+ auth_submethod = NULL;
+ no_increment = 1;
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
if (authenticated) {
if (!(ent->flags & MON_AUTHDECIDE))
@@ -401,11 +407,23 @@ monitor_child_preauth(Authctxt *_authctx
}
#endif
}
+ /* Loop until the required authmethods are done */
+ if (authenticated && *req_auth != NULL) {
+ if (auth_remove_from_list(req_auth, auth_method) != 1)
+ fatal("INTERNAL ERROR: authenticated method "
+ "\"%s\" not in required list \"%s\"",
+ auth_method, *req_auth);
+ debug2("monitor_child_preauth: required list now: %s",
+ *req_auth == NULL ? "DONE" : *req_auth);
+ if (*req_auth != NULL)
+ authenticated = 0;
+ no_increment = 1;
+ }
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
auth_log(authctxt, authenticated, auth_method,
- compat20 ? " ssh2" : "");
- if (!authenticated)
+ auth_submethod, compat20 ? " ssh2" : "");
+ if (!authenticated && !no_increment)
authctxt->failures++;
}
#ifdef JPAKE
@@ -862,6 +880,7 @@ mm_answer_authpassword(int sock, Buffer
auth_method = "none";
else
auth_method = "password";
+ auth_submethod = NULL;
/* Causes monitor loop to terminate if authenticated */
return (authenticated);
@@ -921,6 +940,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
auth_method = "bsdauth";
+ auth_submethod = NULL;
return (authok != 0);
}
@@ -970,6 +990,7 @@ mm_answer_skeyrespond(int sock, Buffer *
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
auth_method = "skey";
+ auth_submethod = NULL;
return (authok != 0);
}
@@ -1059,7 +1080,8 @@ mm_answer_pam_query(int sock, Buffer *m)
xfree(prompts);
if (echo_on != NULL)
xfree(echo_on);
- auth_method = "keyboard-interactive/pam";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
return (0);
}
@@ -1088,7 +1110,8 @@ mm_answer_pam_respond(int sock, Buffer *
buffer_clear(m);
buffer_put_int(m, ret);
mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
- auth_method = "keyboard-interactive/pam";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
if (ret == 0)
sshpam_authok = sshpam_ctxt;
return (0);
@@ -1102,7 +1125,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
(sshpam_device.free_ctx)(sshpam_ctxt);
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
- auth_method = "keyboard-interactive/pam";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
return (sshpam_authok == sshpam_ctxt);
}
#endif
@@ -1138,6 +1162,7 @@ mm_answer_keyallowed(int sock, Buffer *m
allowed = options.pubkey_authentication &&
user_key_allowed(authctxt->pw, key);
auth_method = "publickey";
+ auth_submethod = NULL;
if (options.pubkey_authentication && allowed != 1)
auth_clear_options();
break;
@@ -1146,6 +1171,7 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
auth_method = "hostbased";
+ auth_submethod = NULL;
break;
case MM_RSAHOSTKEY:
key->type = KEY_RSA1; /* XXX */
@@ -1155,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m
if (options.rhosts_rsa_authentication && allowed != 1)
auth_clear_options();
auth_method = "rsa";
+ auth_submethod = NULL;
break;
default:
fatal("%s: unknown key type %d", __func__, type);
@@ -1180,7 +1207,8 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_chost = chost;
} else {
/* Log failed attempt */
- auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
+ auth_log(authctxt, 0, auth_method, auth_submethod,
+ compat20 ? " ssh2" : "");
xfree(blob);
xfree(cuser);
xfree(chost);
@@ -1356,6 +1384,7 @@ mm_answer_keyverify(int sock, Buffer *m)
xfree(data);
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
+ auth_submethod = NULL;
monitor_reset_key_state();
@@ -1545,6 +1574,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
debug3("%s entering", __func__);
auth_method = "rsa";
+ auth_submethod = NULL;
if (options.rsa_authentication && authctxt->valid) {
if ((client_n = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
@@ -1650,6 +1680,7 @@ mm_answer_rsa_response(int sock, Buffer
xfree(response);
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
+ auth_submethod = NULL;
/* reset state */
BN_clear_free(ssh1_challenge);
@@ -2099,6 +2130,7 @@ mm_answer_gss_userok(int sock, Buffer *m
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
auth_method = "gssapi-with-mic";
+ auth_submethod = NULL;
/* Monitor loop will terminate if authenticated */
return (authenticated);
@@ -2303,6 +2335,7 @@ mm_answer_jpake_check_confirm(int sock,
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
auth_method = "jpake-01@openssh.com";
+ auth_submethod = NULL;
return authenticated;
}
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.required-authentication 2012-02-06 17:03:51.024963230 +0100
+++ openssh-5.9p1/servconf.c 2012-02-06 17:03:55.102929716 +0100
@@ -42,6 +42,8 @@
#include "key.h"
#include "kex.h"
#include "mac.h"
+#include "hostfile.h"
+#include "auth.h"
#include "match.h"
#include "channels.h"
#include "groupaccess.h"
@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions
options->num_authkeys_files = 0;
options->num_accept_env = 0;
options->permit_tun = -1;
+ options->required_auth1 = NULL;
+ options->required_auth2 = NULL;
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
@@ -319,6 +323,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sRequiredAuthentications1, sRequiredAuthentications2,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -447,6 +452,8 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
+ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
options->max_startups = options->max_startups_begin;
break;
+
+ case sRequiredAuthentications1:
+ charptr = &options->required_auth1;
+ arg = strdelim(&cp);
+ if (auth1_check_required(arg) != 0)
+ fatal("%.200s line %d: Invalid required authentication "
+ "list", filename, linenum);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (*charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
+
+ case sRequiredAuthentications2:
+ charptr = &options->required_auth2;
+ arg = strdelim(&cp);
+ if (auth2_check_required(arg) != 0)
+ fatal("%.200s line %d: Invalid required authentication "
+ "list", filename, linenum);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (*charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
+
case sMaxAuthTries:
intptr = &options->max_authtries;
goto parse_int;
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
+++ openssh-5.9p1/servconf.h 2012-02-06 17:03:55.102929716 +0100
@@ -154,6 +154,9 @@ typedef struct {
u_int num_authkeys_files; /* Files containing public keys */
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
+ char *required_auth1; /* Required, but not sufficient */
+ char *required_auth2;
+
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:09:39.038871798 +0100
@@ -723,6 +723,8 @@ Available keywords are
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTunnel ,
+.Cm RequiredAuthentications1,
+.Cm RequiredAuthentications2,
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
@@ -920,6 +937,21 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
+.It Cm RequiredAuthentications[12]
+ Requires two authentication methods to succeed before authorizing the connection.
+ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
+
+ RequiredAuthentications1 method[,method...]
+ RequiredAuthentications2 method[,method...]
+
+.Pp
+Example 1:
+
+ RequiredAuthentications2 password,hostbased
+
+Example 2:
+ RequiredAuthentications2 publickey,password
+
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
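Review bot: The empty-password shortcut in auth1.c do_authloop repeats the same flag (`options.password_authentication && options.password_authentication &&`) instead of adding a RequiredAuthentications1 guard, so an account with an empty password is still accepted "without authentication" even when RequiredAuthentications1 is configured; auth2-none.c gets the analogous `options.required_auth2 == NULL` test, and this line should read `if (options.permit_empty_passwd && options.password_authentication && options.required_auth1 == NULL &&`. In monitor.c monitor_child_preauth, `no_increment` is assigned 1 at the top of every loop iteration and only ever assigned 1 afterwards, so `if (!authenticated && !no_increment) authctxt->failures++;` can never fire and the monitor-side failure count stops advancing; the loop-top assignment presumably should be `no_increment = 0;`. In servconf.c the new sRequiredAuthentications1/2 cases call auth1_check_required(arg)/auth2_check_required(arg) before the `!arg || *arg == '\0'` missing-argument check, so a bare keyword reaches xstrdup(NULL) instead of the intended fatal(); swap the two checks. auth1_check_required also keeps going after lookup_authmethod1_by_name returns NULL (and for an empty method name) and then dereferences m->enabled, unlike auth2_check_required which breaks; add `continue;` (or `break;`) after `ret = -1;` in those two branches. Separately, the sshd_config.5 text says "two authentication methods" while the code requires every listed method to succeed, and input_userauth_request drops the `authctxt->failures < options.max_authtries` gate that the removed line carried.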


@ -1,30 +1,6 @@
diff -up openssh-5.9p0/auth-pam.c.role openssh-5.9p0/auth-pam.c diff -up openssh-5.9p1/auth.h.role openssh-5.9p1/auth.h
--- openssh-5.9p0/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200 --- openssh-5.9p1/auth.h.role 2012-02-06 17:21:26.038970656 +0100
+++ openssh-5.9p0/auth-pam.c 2011-08-31 11:42:54.870087433 +0200 +++ openssh-5.9p1/auth.h 2012-02-06 17:21:59.477033401 +0100
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-5.9p0/auth-pam.h.role openssh-5.9p0/auth-pam.h
--- openssh-5.9p0/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.9p0/auth-pam.h 2011-08-31 11:42:54.979086333 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
--- openssh-5.9p0/auth.h.role 2011-08-31 11:42:47.760024631 +0200
+++ openssh-5.9p0/auth.h 2011-08-31 11:42:55.090151027 +0200
@@ -59,6 +59,9 @@ struct Authctxt { @@ -59,6 +59,9 @@ struct Authctxt {
char *service; char *service;
struct passwd *pw; /* set if 'valid' */ struct passwd *pw; /* set if 'valid' */
@ -35,10 +11,34 @@ diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
void *kbdintctxt; void *kbdintctxt;
void *jpake_ctx; void *jpake_ctx;
#ifdef BSD_AUTH #ifdef BSD_AUTH
diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c diff -up openssh-5.9p1/auth-pam.c.role openssh-5.9p1/auth-pam.c
--- openssh-5.9p0/auth1.c.role 2010-08-31 14:36:39.000000000 +0200 --- openssh-5.9p1/auth-pam.c.role 2012-02-06 17:21:25.983793983 +0100
+++ openssh-5.9p0/auth1.c 2011-08-31 11:42:55.215033075 +0200 +++ openssh-5.9p1/auth-pam.c 2012-02-06 17:21:59.476038868 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt) @@ -1074,7 +1074,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-5.9p1/auth-pam.h.role openssh-5.9p1/auth-pam.h
--- openssh-5.9p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.9p1/auth-pam.h 2012-02-06 17:21:59.477033401 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-5.9p1/auth1.c.role openssh-5.9p1/auth1.c
--- openssh-5.9p1/auth1.c.role 2012-02-06 17:21:26.016845827 +0100
+++ openssh-5.9p1/auth1.c 2012-02-06 17:21:59.478033396 +0100
@@ -468,6 +468,9 @@ do_authentication(Authctxt *authctxt)
{ {
u_int ulen; u_int ulen;
char *user, *style = NULL; char *user, *style = NULL;
@ -48,7 +48,7 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
/* Get the name of the user that we wish to log in as. */ /* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER); packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt) @@ -476,11 +479,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen); user = packet_get_cstring(&ulen);
packet_check_eom(); packet_check_eom();
@ -73,88 +73,13 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
/* Verify that the user is a valid user. */ /* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-5.9p0/auth2-gss.c.role openssh-5.9p0/auth2-gss.c diff -up openssh-5.9p1/auth2.c.role openssh-5.9p1/auth2.c
--- openssh-5.9p0/auth2-gss.c.role 2011-05-05 06:04:11.000000000 +0200 --- openssh-5.9p1/auth2.c.role 2012-02-06 17:21:26.024976386 +0100
+++ openssh-5.9p0/auth2-gss.c 2011-08-31 11:42:55.313025576 +0200 +++ openssh-5.9p1/auth2.c 2012-02-06 17:23:14.127811737 +0100
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
xfree(mic.value);
authctxt->postponed = 0;
diff -up openssh-5.9p0/auth2-hostbased.c.role openssh-5.9p0/auth2-hostbased.c
--- openssh-5.9p0/auth2-hostbased.c.role 2011-08-31 11:42:47.863023264 +0200
+++ openssh-5.9p0/auth2-hostbased.c 2011-08-31 11:42:55.421024814 +0200
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.9p0/auth2-pubkey.c.role openssh-5.9p0/auth2-pubkey.c
--- openssh-5.9p0/auth2-pubkey.c.role 2011-08-31 11:42:47.978087418 +0200
+++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:42:55.551025263 +0200
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
--- openssh-5.9p0/auth2.c.role 2011-08-31 11:42:45.409026065 +0200
+++ openssh-5.9p0/auth2.c 2011-08-31 11:42:55.676024869 +0200
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32 @@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
char *user, *service, *method, *style = NULL; char *user, *service, *method, *active_methods, *style = NULL;
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ char *role = NULL; + char *role = NULL;
+#endif +#endif
@ -190,9 +115,84 @@ diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
userauth_banner(); userauth_banner();
} else if (strcmp(user, authctxt->user) != 0 || } else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) { strcmp(service, authctxt->service) != 0) {
diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c diff -up openssh-5.9p1/auth2-gss.c.role openssh-5.9p1/auth2-gss.c
--- openssh-5.9p0/monitor.c.role 2011-08-31 11:42:53.301024819 +0200 --- openssh-5.9p1/auth2-gss.c.role 2012-02-06 17:21:26.017853239 +0100
+++ openssh-5.9p0/monitor.c 2011-08-31 11:42:55.796025812 +0200 +++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:21:59.479096211 +0100
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
xfree(mic.value);
authctxt->postponed = 0;
diff -up openssh-5.9p1/auth2-hostbased.c.role openssh-5.9p1/auth2-hostbased.c
--- openssh-5.9p1/auth2-hostbased.c.role 2012-02-06 17:21:26.038970656 +0100
+++ openssh-5.9p1/auth2-hostbased.c 2012-02-06 17:21:59.479096211 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.9p1/auth2-pubkey.c.role openssh-5.9p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.role 2012-02-06 17:21:26.039787441 +0100
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 17:21:59.480096032 +0100
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-5.9p1/monitor.c.role openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.role 2012-02-06 17:21:26.071220592 +0100
+++ openssh-5.9p1/monitor.c 2012-02-06 17:21:59.481783500 +0100
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *); @@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *);
@ -203,7 +203,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
int mm_answer_authpassword(int, Buffer *); int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *);
@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[] @@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -213,7 +213,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -819,6 +825,9 @@ mm_answer_pwnamallow(int sock, Buffer *m @@ -833,6 +839,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else { else {
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -223,7 +223,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
} }
#ifdef USE_PAM #ifdef USE_PAM
@@ -862,6 +871,25 @@ mm_answer_authserv(int sock, Buffer *m) @@ -876,6 +885,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0); return (0);
} }
@ -249,7 +249,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
int int
mm_answer_authpassword(int sock, Buffer *m) mm_answer_authpassword(int sock, Buffer *m)
{ {
@@ -1227,7 +1255,7 @@ static int @@ -1252,7 +1280,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen) monitor_valid_userblob(u_char *data, u_int datalen)
{ {
Buffer b; Buffer b;
@ -258,7 +258,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1253,6 +1281,8 @@ monitor_valid_userblob(u_char *data, u_i @@ -1278,6 +1306,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
p = buffer_get_string(&b, NULL); p = buffer_get_string(&b, NULL);
@ -267,7 +267,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
if (strcmp(authctxt->user, p) != 0) { if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s", logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p); authctxt->user, p);
@@ -1284,7 +1314,7 @@ monitor_valid_hostbasedblob(u_char *data @@ -1309,7 +1339,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost) char *chost)
{ {
Buffer b; Buffer b;
@ -276,7 +276,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1301,6 +1331,8 @@ monitor_valid_hostbasedblob(u_char *data @@ -1326,6 +1356,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
p = buffer_get_string(&b, NULL); p = buffer_get_string(&b, NULL);
@ -285,9 +285,9 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
if (strcmp(authctxt->user, p) != 0) { if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s", logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p); authctxt->user, p);
diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h diff -up openssh-5.9p1/monitor.h.role openssh-5.9p1/monitor.h
--- openssh-5.9p0/monitor.h.role 2011-08-31 11:42:53.409025333 +0200 --- openssh-5.9p1/monitor.h.role 2012-02-06 17:21:26.071852220 +0100
+++ openssh-5.9p0/monitor.h 2011-08-31 11:42:55.889024801 +0200 +++ openssh-5.9p1/monitor.h 2012-02-06 17:21:59.482846081 +0100
@@ -31,6 +31,9 @@ @@ -31,6 +31,9 @@
enum monitor_reqtype { enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
@ -298,9 +298,9 @@ diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c diff -up openssh-5.9p1/monitor_wrap.c.role openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p0/monitor_wrap.c.role 2011-08-31 11:42:53.548024503 +0200 --- openssh-5.9p1/monitor_wrap.c.role 2012-02-06 17:21:26.071852220 +0100
+++ openssh-5.9p0/monitor_wrap.c 2011-08-31 11:42:56.029024553 +0200 +++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:21:59.483845610 +0100
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char * @@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m); buffer_free(&m);
} }
@ -327,9 +327,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
/* Do the password authentication */ /* Do the password authentication */
int int
mm_auth_password(Authctxt *authctxt, char *password) mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h diff -up openssh-5.9p1/monitor_wrap.h.role openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p0/monitor_wrap.h.role 2011-08-31 11:42:53.660025271 +0200 --- openssh-5.9p1/monitor_wrap.h.role 2012-02-06 17:21:26.073192915 +0100
+++ openssh-5.9p0/monitor_wrap.h 2011-08-31 11:42:56.131025748 +0200 +++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:21:59.483845610 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void); @@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int); DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -340,9 +340,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *); struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void); char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *); int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-compat/Makefile.in diff -up openssh-5.9p1/openbsd-compat/Makefile.in.role openssh-5.9p1/openbsd-compat/Makefile.in
--- openssh-5.9p0/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200 --- openssh-5.9p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
+++ openssh-5.9p0/openbsd-compat/Makefile.in 2011-08-31 11:48:02.404091479 +0200 +++ openssh-5.9p1/openbsd-compat/Makefile.in 2012-02-06 17:21:59.484846191 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -352,9 +352,9 @@ diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-com
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-compat/port-linux.c diff -up openssh-5.9p1/openbsd-compat/port-linux.c.role openssh-5.9p1/openbsd-compat/port-linux.c
--- openssh-5.9p0/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200 --- openssh-5.9p1/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:42:56.492087969 +0200 +++ openssh-5.9p1/openbsd-compat/port-linux.c 2012-02-06 17:21:59.484846191 +0100
@@ -31,7 +31,11 @@ @@ -31,7 +31,11 @@
#include "log.h" #include "log.h"
@ -532,9 +532,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-co
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
diff -up openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role openssh-5.9p0/openbsd-compat/port-linux_part_2.c diff -up openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role openssh-5.9p1/openbsd-compat/port-linux_part_2.c
--- openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role 2011-08-31 11:42:56.583047619 +0200 --- openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role 2012-02-06 17:21:59.485846294 +0100
+++ openssh-5.9p0/openbsd-compat/port-linux_part_2.c 2011-08-31 11:42:56.586178005 +0200 +++ openssh-5.9p1/openbsd-compat/port-linux_part_2.c 2012-02-06 17:21:59.485846294 +0100
@@ -0,0 +1,75 @@ @@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+ +
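Review bot: The userauth blob reconstruction in the auth2-hostbased.c and auth2-pubkey.c hunks appends the role whenever `authctxt->role` is non-NULL, while the auth2-gss.c hunk only does so when the role is also non-empty (`authctxt->role && (strlen(authctxt->role) > 0)`), so an empty role would make the three methods build different user strings (`user/` versus `user`) for the signed or MIC'd data. If an empty role is reachable from the user/role split in auth2.c (that code is outside this section), the hostbased and pubkey branches should apply the same non-empty test, e.g. `if (authctxt->role && *authctxt->role != '\0') {`. These lines are carried unchanged by the rebase, so this is likely pre-existing rather than introduced here, and the monitor-side comparison in monitor_valid_userblob that would catch a mismatch is only partially visible in this section.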


@ -1,7 +1,7 @@
diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
--- openssh-5.9p0/configure.ac.vendor 2011-09-03 20:24:29.899501572 +0200 --- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100
+++ openssh-5.9p0/configure.ac 2011-09-03 20:24:39.153501595 +0200 +++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100
@@ -4131,6 +4131,12 @@ AC_ARG_WITH([lastlog], @@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
fi fi
] ]
) )
@ -14,7 +14,7 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
dnl lastlog, [uw]tmpx? detection dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the dnl NOTE: set the paths in the platform section to avoid the
@@ -4357,6 +4363,7 @@ echo " Translate v4 in v6 hack @@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG" echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG" echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE" echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
echo "" echo ""
diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
--- openssh-5.9p0/servconf.c.vendor 2011-09-03 20:24:29.080500853 +0200 --- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100
+++ openssh-5.9p0/servconf.c 2011-09-03 20:27:15.727564566 +0200 +++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100
@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions @@ -125,6 +125,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1; options->max_authtries = -1;
options->max_sessions = -1; options->max_sessions = -1;
options->banner = NULL; options->banner = NULL;
@ -33,7 +33,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
options->use_dns = -1; options->use_dns = -1;
options->client_alive_interval = -1; options->client_alive_interval = -1;
options->client_alive_count_max = -1; options->client_alive_count_max = -1;
@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption @@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
options->ip_qos_interactive = IPTOS_LOWDELAY; options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1) if (options->ip_qos_bulk == -1)
options->ip_qos_bulk = IPTOS_THROUGHPUT; options->ip_qos_bulk = IPTOS_THROUGHPUT;
@ -42,16 +42,16 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
@@ -338,7 +341,7 @@ typedef enum { @@ -321,7 +324,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions, sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication, - sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, + sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sSecondPubkeyAuthentication, sSecondGssAuthentication, sClientAliveCountMax, sAuthorizedKeysFile,
sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -470,6 +473,7 @@ static struct { @@ -436,6 +439,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL },
@ -59,7 +59,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL }, { "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1152,6 +1156,10 @@ process_server_config_line(ServerOptions @@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep; multistate_ptr = multistate_privsep;
goto parse_multistate; goto parse_multistate;
@ -70,7 +70,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
case sAllowUsers: case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') { while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS) if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1849,6 +1857,7 @@ dump_config(ServerOptions *o) @@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports); dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
@ -78,10 +78,10 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
--- openssh-5.9p0/servconf.h.vendor 2011-09-03 20:24:29.179632045 +0200 --- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100
+++ openssh-5.9p0/servconf.h 2011-09-03 20:24:39.426502323 +0200 +++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100
@@ -148,6 +148,7 @@ typedef struct { @@ -140,6 +140,7 @@ typedef struct {
int max_authtries; int max_authtries;
int max_sessions; int max_sessions;
char *banner; /* SSH-2 banner message */ char *banner; /* SSH-2 banner message */
@ -89,31 +89,20 @@ diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
int use_dns; int use_dns;
int client_alive_interval; /* int client_alive_interval; /*
* poke the client this often to * poke the client this often to
diff -up openssh-5.9p0/sshd.c.vendor openssh-5.9p0/sshd.c diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
--- openssh-5.9p0/sshd.c.vendor 2011-09-03 20:24:35.987501565 +0200 --- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100
+++ openssh-5.9p0/sshd.c 2011-09-03 20:24:39.542501643 +0200 +++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in @@ -112,6 +112,7 @@ X11Forwarding yes
minor = PROTOCOL_MINOR_1; #Compression delayed
} #ClientAliveInterval 0
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, #ClientAliveCountMax 3
- SSH_VERSION, newline); +#ShowPatchLevel no
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline); #UseDNS yes
server_version_string = xstrdup(buf); #PidFile /var/run/sshd.pid
#MaxStartups 10
/* Send our protocol version identification. */ diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
@@ -1627,7 +1627,8 @@ main(int ac, char **av) --- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100
exit(1); +++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100
}
- debug("sshd version %.100s", SSH_RELEASE);
+ debug("sshd version %.100s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
/* Store privilege separation user for later use if required. */
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
--- openssh-5.9p0/sshd_config.0.vendor 2011-09-03 20:24:37.524438185 +0200
+++ openssh-5.9p0/sshd_config.0 2011-09-03 20:24:39.677508255 +0200
@@ -556,6 +556,11 @@ DESCRIPTION @@ -556,6 +556,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1 Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024. server key. The minimum value is 512, and the default is 1024.
@ -126,10 +115,10 @@ diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
StrictModes StrictModes
Specifies whether sshd(8) should check file modes and ownership Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login. of the user's files and home directory before accepting login.
diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5 diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
--- openssh-5.9p0/sshd_config.5.vendor 2011-09-03 20:24:37.640442022 +0200 --- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100
+++ openssh-5.9p0/sshd_config.5 2011-09-03 20:24:40.176544206 +0200 +++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100
@@ -952,6 +952,14 @@ This option applies to protocol version @@ -982,6 +982,14 @@ This option applies to protocol version
.It Cm ServerKeyBits .It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key. Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024. The minimum value is 512, and the default is 1024.
@ -144,14 +133,25 @@ diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
.It Cm StrictModes .It Cm StrictModes
Specifies whether Specifies whether
.Xr sshd 8 .Xr sshd 8
diff -up openssh-5.9p0/sshd_config.vendor openssh-5.9p0/sshd_config diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
--- openssh-5.9p0/sshd_config.vendor 2011-09-03 20:24:37.770439735 +0200 --- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100
+++ openssh-5.9p0/sshd_config 2011-09-03 20:24:40.278628002 +0200 +++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100
@@ -120,6 +120,7 @@ X11Forwarding yes @@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
#Compression delayed minor = PROTOCOL_MINOR_1;
#ClientAliveInterval 0 }
#ClientAliveCountMax 3 snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
+#ShowPatchLevel no - SSH_VERSION, newline);
#UseDNS yes + (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
#PidFile /var/run/sshd.pid server_version_string = xstrdup(buf);
#MaxStartups 10
/* Send our protocol version identification. */
@@ -1634,7 +1634,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %.100s", SSH_RELEASE);
+ debug("sshd version %.100s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
/* Store privilege separation user for later use if required. */
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {


@ -116,7 +116,8 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889 #https://bugzilla.mindrot.org/show_bug.cgi?id=1889
Patch103: openssh-5.8p1-packet.patch Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=983 #https://bugzilla.mindrot.org/show_bug.cgi?id=983
Patch104: openssh-5.9p1-2auth.patch #Patch104: openssh-5.9p1-2auth.patch
Patch104: openssh-5.9p1-required-authentications.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-5.8p1-audit0.patch Patch200: openssh-5.8p1-audit0.patch
@ -395,7 +396,7 @@ The module is most useful for su and sudo service stacks.
%patch101 -p1 -b .fingerprint %patch101 -p1 -b .fingerprint
%patch102 -p1 -b .getaddrinfo %patch102 -p1 -b .getaddrinfo
%patch103 -p1 -b .packet %patch103 -p1 -b .packet
%patch104 -p1 -b .2auth %patch104 -p1 -b .required-authentication
%patch200 -p1 -b .audit0 %patch200 -p1 -b .audit0
%patch201 -p1 -b .audit1 %patch201 -p1 -b .audit1