replace TwoFactorAuth with RequiredAuthentications[12]
https://bugzilla.mindrot.org/show_bug.cgi?id=983
This commit is contained in:
parent
21699d5622
commit
d9e6186c71
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||||
--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-14 07:24:40.876512251 +0200
|
--- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100
|
||||||
+++ openssh-5.9p1/auth2-pubkey.c 2011-09-14 07:24:43.318458515 +0200
|
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100
|
||||||
@@ -27,6 +27,7 @@
|
@@ -27,6 +27,7 @@
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -136,7 +136,7 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
|||||||
+ do {
|
+ do {
|
||||||
+ if ((cp = strrchr(progname, '/')) == NULL)
|
+ if ((cp = strrchr(progname, '/')) == NULL)
|
||||||
+ break;
|
+ break;
|
||||||
+ else
|
+ else
|
||||||
+ *cp = '\0';
|
+ *cp = '\0';
|
||||||
+
|
+
|
||||||
+ debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
|
+ debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname));
|
||||||
@ -241,8 +241,8 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
|||||||
return 0;
|
return 0;
|
||||||
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
|
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
|
||||||
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
||||||
--- openssh-5.9p1/configure.ac.akc 2011-09-14 07:24:42.863494886 +0200
|
--- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100
|
||||||
+++ openssh-5.9p1/configure.ac 2011-09-14 07:24:43.441583848 +0200
|
+++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100
|
||||||
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
|
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
|
||||||
esac ]
|
esac ]
|
||||||
)
|
)
|
||||||
@ -271,9 +271,9 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
|||||||
echo " libedit support: $LIBEDIT_MSG"
|
echo " libedit support: $LIBEDIT_MSG"
|
||||||
echo " Solaris process contract support: $SPC_MSG"
|
echo " Solaris process contract support: $SPC_MSG"
|
||||||
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||||
--- openssh-5.9p1/servconf.c.akc 2011-09-14 07:24:29.402475399 +0200
|
--- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100
|
||||||
+++ openssh-5.9p1/servconf.c 2011-09-14 07:56:27.158585590 +0200
|
+++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100
|
||||||
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
|
@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions
|
||||||
options->num_permitted_opens = -1;
|
options->num_permitted_opens = -1;
|
||||||
options->adm_forced_command = NULL;
|
options->adm_forced_command = NULL;
|
||||||
options->chroot_directory = NULL;
|
options->chroot_directory = NULL;
|
||||||
@ -282,7 +282,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
|||||||
options->zero_knowledge_password_authentication = -1;
|
options->zero_knowledge_password_authentication = -1;
|
||||||
options->revoked_keys_file = NULL;
|
options->revoked_keys_file = NULL;
|
||||||
options->trusted_user_ca_keys = NULL;
|
options->trusted_user_ca_keys = NULL;
|
||||||
@@ -348,6 +350,7 @@ typedef enum {
|
@@ -329,6 +331,7 @@ typedef enum {
|
||||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||||
sKexAlgorithms, sIPQoS,
|
sKexAlgorithms, sIPQoS,
|
||||||
@ -290,9 +290,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
|||||||
sDeprecated, sUnsupported
|
sDeprecated, sUnsupported
|
||||||
} ServerOpCodes;
|
} ServerOpCodes;
|
||||||
|
|
||||||
@@ -487,6 +490,13 @@ static struct {
|
@@ -455,6 +458,13 @@ static struct {
|
||||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
|
||||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
|
||||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||||
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
|
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
|
||||||
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||||
@ -304,7 +304,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
|||||||
{ NULL, sBadOption, 0 }
|
{ NULL, sBadOption, 0 }
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions
|
@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -329,16 +329,16 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
|||||||
case sDeprecated:
|
case sDeprecated:
|
||||||
logit("%s line %d: Deprecated option %s",
|
logit("%s line %d: Deprecated option %s",
|
||||||
filename, linenum, arg);
|
filename, linenum, arg);
|
||||||
@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d
|
@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d
|
||||||
|
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
|
||||||
|
M_CP_INTOPT(kbd_interactive_authentication);
|
||||||
M_CP_INTOPT(zero_knowledge_password_authentication);
|
M_CP_INTOPT(zero_knowledge_password_authentication);
|
||||||
M_CP_INTOPT(second_zero_knowledge_password_authentication);
|
|
||||||
M_CP_INTOPT(two_factor_authentication);
|
|
||||||
+ M_CP_STROPT(authorized_keys_command);
|
+ M_CP_STROPT(authorized_keys_command);
|
||||||
+ M_CP_STROPT(authorized_keys_command_runas);
|
+ M_CP_STROPT(authorized_keys_command_runas);
|
||||||
M_CP_INTOPT(permit_root_login);
|
M_CP_INTOPT(permit_root_login);
|
||||||
M_CP_INTOPT(permit_empty_passwd);
|
M_CP_INTOPT(permit_empty_passwd);
|
||||||
|
|
||||||
@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o)
|
@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
|
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
|
||||||
dump_cfg_string(sAuthorizedPrincipalsFile,
|
dump_cfg_string(sAuthorizedPrincipalsFile,
|
||||||
o->authorized_principals_file);
|
o->authorized_principals_file);
|
||||||
@ -348,9 +348,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
|||||||
/* string arguments requiring a lookup */
|
/* string arguments requiring a lookup */
|
||||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||||
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
|
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
|
||||||
--- openssh-5.9p1/servconf.h.akc 2011-09-14 07:24:29.511480441 +0200
|
--- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100
|
||||||
+++ openssh-5.9p1/servconf.h 2011-09-14 07:24:43.678459183 +0200
|
+++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100
|
||||||
@@ -174,6 +174,8 @@ typedef struct {
|
@@ -169,6 +169,8 @@ typedef struct {
|
||||||
char *revoked_keys_file;
|
char *revoked_keys_file;
|
||||||
char *trusted_user_ca_keys;
|
char *trusted_user_ca_keys;
|
||||||
char *authorized_principals_file;
|
char *authorized_principals_file;
|
||||||
@ -359,9 +359,22 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
|
|||||||
} ServerOptions;
|
} ServerOptions;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
|
||||||
|
--- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100
|
||||||
|
@@ -49,6 +49,9 @@
|
||||||
|
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||||
|
AuthorizedKeysFile .ssh/authorized_keys
|
||||||
|
|
||||||
|
+#AuthorizedKeysCommand none
|
||||||
|
+#AuthorizedKeysCommandRunAs nobody
|
||||||
|
+
|
||||||
|
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||||
|
#RhostsRSAAuthentication no
|
||||||
|
# similar for protocol version 2
|
||||||
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
||||||
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
|
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
|
||||||
+++ openssh-5.9p1/sshd_config.0 2011-09-14 07:24:43.791460201 +0200
|
+++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100
|
||||||
@@ -71,6 +71,23 @@ DESCRIPTION
|
@@ -71,6 +71,23 @@ DESCRIPTION
|
||||||
|
|
||||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||||
@ -370,8 +383,8 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
|||||||
+
|
+
|
||||||
+ Specifies a program to be used for lookup of the user's
|
+ Specifies a program to be used for lookup of the user's
|
||||||
+ public keys. The program will be invoked with its first
|
+ public keys. The program will be invoked with its first
|
||||||
+ argument the name of the user being authorized, and should produce
|
+ argument the name of the user being authorized, and should produce
|
||||||
+ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
|
+ on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
|
||||||
+ in sshd(8)). By default (or when set to the empty string) there is no
|
+ in sshd(8)). By default (or when set to the empty string) there is no
|
||||||
+ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
|
+ AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
|
||||||
+ authorize the user, authorization falls through to the
|
+ authorize the user, authorization falls through to the
|
||||||
@ -397,34 +410,17 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
|||||||
GSSAPIAuthentication, HostbasedAuthentication,
|
GSSAPIAuthentication, HostbasedAuthentication,
|
||||||
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
||||||
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
|
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
|
||||||
--- openssh-5.9p1/sshd_config.5.akc 2011-09-14 07:24:29.793520372 +0200
|
--- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100
|
||||||
+++ openssh-5.9p1/sshd_config.5 2011-09-14 07:24:43.912583678 +0200
|
+++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100
|
||||||
@@ -706,6 +706,8 @@ Available keywords are
|
@@ -151,6 +151,19 @@ See
|
||||||
.Cm AllowAgentForwarding ,
|
in
|
||||||
.Cm AllowTcpForwarding ,
|
.Xr ssh_config 5
|
||||||
.Cm AuthorizedKeysFile ,
|
for more information on patterns.
|
||||||
+.Cm AuthorizedKeysCommand ,
|
|
||||||
+.Cm AuthorizedKeysCommandRunAs ,
|
|
||||||
.Cm AuthorizedPrincipalsFile ,
|
|
||||||
.Cm Banner ,
|
|
||||||
.Cm ChrootDirectory ,
|
|
||||||
@@ -718,6 +720,7 @@ Available keywords are
|
|
||||||
.Cm KerberosAuthentication ,
|
|
||||||
.Cm MaxAuthTries ,
|
|
||||||
.Cm MaxSessions ,
|
|
||||||
+.Cm PubkeyAuthentication ,
|
|
||||||
.Cm PasswordAuthentication ,
|
|
||||||
.Cm PermitEmptyPasswords ,
|
|
||||||
.Cm PermitOpen ,
|
|
||||||
@@ -926,6 +929,20 @@ Specifies a list of revoked public keys.
|
|
||||||
Keys listed in this file will be refused for public key authentication.
|
|
||||||
Note that if this file is not readable, then public key authentication will
|
|
||||||
be refused for all users.
|
|
||||||
+.It Cm AuthorizedKeysCommand
|
+.It Cm AuthorizedKeysCommand
|
||||||
+Specifies a program to be used for lookup of the user's
|
+Specifies a program to be used for lookup of the user's
|
||||||
+public keys. The program will be invoked with its first
|
+public keys. The program will be invoked with its first
|
||||||
+argument the name of the user being authorized, and should produce
|
+argument the name of the user being authorized, and should produce
|
||||||
+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
|
+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS
|
||||||
+in sshd(8)). By default (or when set to the empty string) there is no
|
+in sshd(8)). By default (or when set to the empty string) there is no
|
||||||
+AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
|
+AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully
|
||||||
+authorize the user, authorization falls through to the
|
+authorize the user, authorization falls through to the
|
||||||
@ -433,20 +429,23 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
|
|||||||
+.It Cm AuthorizedKeysCommandRunAs
|
+.It Cm AuthorizedKeysCommandRunAs
|
||||||
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
|
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
|
||||||
+string (the default value) means the user being authorized is used.
|
+string (the default value) means the user being authorized is used.
|
||||||
+.Dq
|
.It Cm AuthorizedKeysFile
|
||||||
.It Cm RhostsRSAAuthentication
|
Specifies the file that contains the public keys that can be used
|
||||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
for user authentication.
|
||||||
with successful RSA host authentication is allowed.
|
@@ -706,6 +719,8 @@ Available keywords are
|
||||||
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
|
.Cm AllowAgentForwarding ,
|
||||||
--- openssh-5.9p1/sshd_config.akc 2011-09-14 07:24:29.620461608 +0200
|
.Cm AllowTcpForwarding ,
|
||||||
+++ openssh-5.9p1/sshd_config 2011-09-14 07:24:44.034462546 +0200
|
.Cm AuthorizedKeysFile ,
|
||||||
@@ -49,6 +49,9 @@
|
+.Cm AuthorizedKeysCommand ,
|
||||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
+.Cm AuthorizedKeysCommandRunAs ,
|
||||||
AuthorizedKeysFile .ssh/authorized_keys
|
.Cm AuthorizedPrincipalsFile ,
|
||||||
|
.Cm Banner ,
|
||||||
+#AuthorizedKeysCommand none
|
.Cm ChrootDirectory ,
|
||||||
+#AuthorizedKeysCommandRunAs nobody
|
@@ -718,6 +733,7 @@ Available keywords are
|
||||||
+
|
.Cm KerberosAuthentication ,
|
||||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
.Cm MaxAuthTries ,
|
||||||
#RhostsRSAAuthentication no
|
.Cm MaxSessions ,
|
||||||
# similar for protocol version 2
|
+.Cm PubkeyAuthentication ,
|
||||||
|
.Cm PasswordAuthentication ,
|
||||||
|
.Cm PermitEmptyPasswords ,
|
||||||
|
.Cm PermitOpen ,
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
|
diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
|
||||||
--- openssh-5.9p1/audit-bsm.c.audit4 2011-09-18 05:13:24.922458521 +0200
|
--- openssh-5.9p1/audit-bsm.c.audit4 2012-02-06 17:15:01.574908126 +0100
|
||||||
+++ openssh-5.9p1/audit-bsm.c 2011-09-18 05:13:26.808459314 +0200
|
+++ openssh-5.9p1/audit-bsm.c 2012-02-06 17:15:21.656095559 +0100
|
||||||
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
|
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||||
{
|
{
|
||||||
/* not implemented */
|
/* not implemented */
|
||||||
@ -12,9 +12,52 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
|
|||||||
+ /* not implemented */
|
+ /* not implemented */
|
||||||
+}
|
+}
|
||||||
#endif /* BSM */
|
#endif /* BSM */
|
||||||
|
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
|
||||||
|
--- openssh-5.9p1/audit.c.audit4 2012-02-06 17:15:01.576787216 +0100
|
||||||
|
+++ openssh-5.9p1/audit.c 2012-02-06 17:15:21.690032906 +0100
|
||||||
|
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||||
|
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||||
|
}
|
||||||
|
|
||||||
|
+void
|
||||||
|
+audit_session_key_free(int ctos)
|
||||||
|
+{
|
||||||
|
+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||||
|
/*
|
||||||
|
* Null implementations of audit functions.
|
||||||
|
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
|
||||||
|
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
|
||||||
|
(unsigned)uid);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * This will be called on succesfull session key discard
|
||||||
|
+ */
|
||||||
|
+void
|
||||||
|
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||||
|
+{
|
||||||
|
+ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
||||||
|
+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
||||||
|
+}
|
||||||
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
|
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
|
||||||
|
--- openssh-5.9p1/audit.h.audit4 2012-02-06 17:15:01.576787216 +0100
|
||||||
|
+++ openssh-5.9p1/audit.h 2012-02-06 17:15:21.690876254 +0100
|
||||||
|
@@ -62,5 +62,7 @@ void audit_unsupported(int);
|
||||||
|
void audit_kex(int, char *, char *, char *);
|
||||||
|
void audit_unsupported_body(int);
|
||||||
|
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||||
|
+void audit_session_key_free(int ctos);
|
||||||
|
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||||
|
|
||||||
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
|
diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
|
||||||
--- openssh-5.9p1/audit-linux.c.audit4 2011-09-18 05:13:25.041460630 +0200
|
--- openssh-5.9p1/audit-linux.c.audit4 2012-02-06 17:15:01.575908525 +0100
|
||||||
+++ openssh-5.9p1/audit-linux.c 2011-09-18 05:13:26.897563551 +0200
|
+++ openssh-5.9p1/audit-linux.c 2012-02-06 17:15:21.682001323 +0100
|
||||||
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
|
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@ -65,52 +108,9 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
#endif /* USE_LINUX_AUDIT */
|
#endif /* USE_LINUX_AUDIT */
|
||||||
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
|
|
||||||
--- openssh-5.9p1/audit.c.audit4 2011-09-18 05:13:25.151459504 +0200
|
|
||||||
+++ openssh-5.9p1/audit.c 2011-09-18 05:13:26.995548664 +0200
|
|
||||||
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
|
||||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
|
||||||
}
|
|
||||||
|
|
||||||
+void
|
|
||||||
+audit_session_key_free(int ctos)
|
|
||||||
+{
|
|
||||||
+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
|
||||||
/*
|
|
||||||
* Null implementations of audit functions.
|
|
||||||
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
|
|
||||||
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
|
|
||||||
(unsigned)uid);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * This will be called on succesfull session key discard
|
|
||||||
+ */
|
|
||||||
+void
|
|
||||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
|
||||||
+{
|
|
||||||
+ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
|
||||||
+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
|
||||||
+}
|
|
||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
|
||||||
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
|
|
||||||
--- openssh-5.9p1/audit.h.audit4 2011-09-18 05:13:25.247587021 +0200
|
|
||||||
+++ openssh-5.9p1/audit.h 2011-09-18 05:13:27.107531553 +0200
|
|
||||||
@@ -62,5 +62,7 @@ void audit_unsupported(int);
|
|
||||||
void audit_kex(int, char *, char *, char *);
|
|
||||||
void audit_unsupported_body(int);
|
|
||||||
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
|
||||||
+void audit_session_key_free(int ctos);
|
|
||||||
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
|
||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
|
||||||
diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
|
diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
|
||||||
--- openssh-5.9p1/auditstub.c.audit4 2011-09-18 05:13:25.350459598 +0200
|
--- openssh-5.9p1/auditstub.c.audit4 2012-02-06 17:15:01.576787216 +0100
|
||||||
+++ openssh-5.9p1/auditstub.c 2011-09-18 05:13:27.209523920 +0200
|
+++ openssh-5.9p1/auditstub.c 2012-02-06 17:15:21.690876254 +0100
|
||||||
@@ -27,6 +27,8 @@
|
@@ -27,6 +27,8 @@
|
||||||
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
|
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
|
||||||
*/
|
*/
|
||||||
@ -134,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
|
|||||||
+{
|
+{
|
||||||
+}
|
+}
|
||||||
diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
|
diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
|
||||||
--- openssh-5.9p1/kex.c.audit4 2011-09-18 05:13:25.656459960 +0200
|
--- openssh-5.9p1/kex.c.audit4 2012-02-06 17:15:01.578907640 +0100
|
||||||
+++ openssh-5.9p1/kex.c 2011-09-18 05:13:27.309500951 +0200
|
+++ openssh-5.9p1/kex.c 2012-02-06 17:15:21.691785656 +0100
|
||||||
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||||
fprintf(stderr, "\n");
|
fprintf(stderr, "\n");
|
||||||
}
|
}
|
||||||
@ -173,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
|
|||||||
+
|
+
|
||||||
diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
|
diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
|
||||||
--- openssh-5.9p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
--- openssh-5.9p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
||||||
+++ openssh-5.9p1/kex.h 2011-09-18 05:13:27.419492884 +0200
|
+++ openssh-5.9p1/kex.h 2012-02-06 17:15:21.691785656 +0100
|
||||||
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
||||||
void kexecdh_client(Kex *);
|
void kexecdh_client(Kex *);
|
||||||
void kexecdh_server(Kex *);
|
void kexecdh_server(Kex *);
|
||||||
@ -185,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
|
|||||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||||
diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
|
diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
|
||||||
--- openssh-5.9p1/mac.c.audit4 2011-08-17 02:29:03.000000000 +0200
|
--- openssh-5.9p1/mac.c.audit4 2011-08-17 02:29:03.000000000 +0200
|
||||||
+++ openssh-5.9p1/mac.c 2011-09-18 05:13:27.545464964 +0200
|
+++ openssh-5.9p1/mac.c 2012-02-06 17:15:21.692918961 +0100
|
||||||
@@ -168,6 +168,20 @@ mac_clear(Mac *mac)
|
@@ -168,6 +168,20 @@ mac_clear(Mac *mac)
|
||||||
mac->umac_ctx = NULL;
|
mac->umac_ctx = NULL;
|
||||||
}
|
}
|
||||||
@ -209,16 +209,16 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
|
|||||||
int
|
int
|
||||||
diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
|
diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
|
||||||
--- openssh-5.9p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
--- openssh-5.9p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
||||||
+++ openssh-5.9p1/mac.h 2011-09-18 05:13:27.675473027 +0200
|
+++ openssh-5.9p1/mac.h 2012-02-06 17:15:21.692918961 +0100
|
||||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||||
int mac_init(Mac *);
|
int mac_init(Mac *);
|
||||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||||
void mac_clear(Mac *);
|
void mac_clear(Mac *);
|
||||||
+void mac_destroy(Mac *);
|
+void mac_destroy(Mac *);
|
||||||
diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||||
--- openssh-5.9p1/monitor.c.audit4 2011-09-18 05:13:25.778584691 +0200
|
--- openssh-5.9p1/monitor.c.audit4 2012-02-06 17:15:01.579896475 +0100
|
||||||
+++ openssh-5.9p1/monitor.c 2011-09-18 05:15:22.786522699 +0200
|
+++ openssh-5.9p1/monitor.c 2012-02-06 17:16:32.405783810 +0100
|
||||||
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
|
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
|
||||||
int mm_answer_audit_end_command(int, Buffer *);
|
int mm_answer_audit_end_command(int, Buffer *);
|
||||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||||
int mm_answer_audit_kex_body(int, Buffer *);
|
int mm_answer_audit_kex_body(int, Buffer *);
|
||||||
@ -226,7 +226,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
static int monitor_read_log(struct monitor *);
|
static int monitor_read_log(struct monitor *);
|
||||||
@@ -241,6 +242,7 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -234,7 +234,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||||
@@ -280,6 +282,7 @@ struct mon_table mon_dispatch_postauth20
|
@@ -281,6 +283,7 @@ struct mon_table mon_dispatch_postauth20
|
||||||
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -242,7 +242,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -313,6 +316,7 @@ struct mon_table mon_dispatch_proto15[]
|
@@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -250,7 +250,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -327,6 +331,7 @@ struct mon_table mon_dispatch_postauth15
|
@@ -328,6 +332,7 @@ struct mon_table mon_dispatch_postauth15
|
||||||
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||||
@ -258,8 +258,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
|||||||
#endif
|
#endif
|
||||||
{0, 0, NULL}
|
{0, 0, NULL}
|
||||||
};
|
};
|
||||||
@@ -437,10 +442,6 @@ monitor_child_preauth(Authctxt *_authctx
|
@@ -451,10 +456,6 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
}
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
- /* Drain any buffered messages from the child */
|
- /* Drain any buffered messages from the child */
|
||||||
@ -269,7 +269,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
|||||||
if (!authctxt->valid)
|
if (!authctxt->valid)
|
||||||
fatal("%s: authenticated invalid user", __func__);
|
fatal("%s: authenticated invalid user", __func__);
|
||||||
if (strcmp(auth_method, "unknown") == 0)
|
if (strcmp(auth_method, "unknown") == 0)
|
||||||
@@ -1927,11 +1928,13 @@ mm_get_keystate(struct monitor *pmonitor
|
@@ -1954,11 +1955,13 @@ mm_get_keystate(struct monitor *pmonitor
|
||||||
|
|
||||||
blob = buffer_get_string(&m, &bloblen);
|
blob = buffer_get_string(&m, &bloblen);
|
||||||
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
|
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
|
||||||
@ -283,7 +283,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
|||||||
xfree(blob);
|
xfree(blob);
|
||||||
|
|
||||||
/* Now get sequence numbers for the packets */
|
/* Now get sequence numbers for the packets */
|
||||||
@@ -1977,6 +1980,21 @@ mm_get_keystate(struct monitor *pmonitor
|
@@ -2004,6 +2007,21 @@ mm_get_keystate(struct monitor *pmonitor
|
||||||
}
|
}
|
||||||
|
|
||||||
buffer_free(&m);
|
buffer_free(&m);
|
||||||
@ -305,7 +305,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -2421,4 +2439,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
@@ -2450,4 +2468,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -329,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
|||||||
+}
|
+}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
|
diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
|
||||||
--- openssh-5.9p1/monitor.h.audit4 2011-09-18 05:13:25.887586033 +0200
|
--- openssh-5.9p1/monitor.h.audit4 2012-02-06 17:15:01.580908188 +0100
|
||||||
+++ openssh-5.9p1/monitor.h 2011-09-18 05:13:27.934522919 +0200
|
+++ openssh-5.9p1/monitor.h 2012-02-06 17:15:21.695033617 +0100
|
||||||
@@ -63,6 +63,7 @@ enum monitor_reqtype {
|
@@ -63,6 +63,7 @@ enum monitor_reqtype {
|
||||||
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
|
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
|
||||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||||
@ -340,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
|
|||||||
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
|
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
|
||||||
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
||||||
diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
|
diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
|
||||||
--- openssh-5.9p1/monitor_wrap.c.audit4 2011-09-18 05:13:26.013583317 +0200
|
--- openssh-5.9p1/monitor_wrap.c.audit4 2012-02-06 17:15:01.581802928 +0100
|
||||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-18 05:13:28.049519981 +0200
|
+++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:15:21.696033353 +0100
|
||||||
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
|
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
|
||||||
fatal("%s: conversion of newkeys failed", __func__);
|
fatal("%s: conversion of newkeys failed", __func__);
|
||||||
|
|
||||||
@ -378,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
|
|||||||
+}
|
+}
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
|
diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
|
||||||
--- openssh-5.9p1/monitor_wrap.h.audit4 2011-09-18 05:13:26.119474152 +0200
|
--- openssh-5.9p1/monitor_wrap.h.audit4 2012-02-06 17:15:01.582908343 +0100
|
||||||
+++ openssh-5.9p1/monitor_wrap.h 2011-09-18 05:13:28.151521539 +0200
|
+++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:15:21.696033353 +0100
|
||||||
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
|
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
|
||||||
void mm_audit_end_command(int, const char *);
|
void mm_audit_end_command(int, const char *);
|
||||||
void mm_audit_unsupported_body(int);
|
void mm_audit_unsupported_body(int);
|
||||||
@ -389,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
|
|||||||
|
|
||||||
struct Session;
|
struct Session;
|
||||||
diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
|
diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
|
||||||
--- openssh-5.9p1/packet.c.audit4 2011-09-18 05:13:20.417548627 +0200
|
--- openssh-5.9p1/packet.c.audit4 2012-02-06 17:15:01.545908387 +0100
|
||||||
+++ openssh-5.9p1/packet.c 2011-09-18 05:13:28.278520968 +0200
|
+++ openssh-5.9p1/packet.c 2012-02-06 17:15:21.696886524 +0100
|
||||||
@@ -60,6 +60,7 @@
|
@@ -60,6 +60,7 @@
|
||||||
#include <signal.h>
|
#include <signal.h>
|
||||||
|
|
||||||
@ -584,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
|
|||||||
+
|
+
|
||||||
diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
|
diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
|
||||||
--- openssh-5.9p1/packet.h.audit4 2011-05-15 00:43:13.000000000 +0200
|
--- openssh-5.9p1/packet.h.audit4 2011-05-15 00:43:13.000000000 +0200
|
||||||
+++ openssh-5.9p1/packet.h 2011-09-18 05:13:28.385521238 +0200
|
+++ openssh-5.9p1/packet.h 2012-02-06 17:15:21.697874825 +0100
|
||||||
@@ -124,4 +124,5 @@ void packet_restore_state(void);
|
@@ -124,4 +124,5 @@ void packet_restore_state(void);
|
||||||
void *packet_get_input(void);
|
void *packet_get_input(void);
|
||||||
void *packet_get_output(void);
|
void *packet_get_output(void);
|
||||||
@ -592,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
|
|||||||
+void packet_destroy_all(int, int);
|
+void packet_destroy_all(int, int);
|
||||||
#endif /* PACKET_H */
|
#endif /* PACKET_H */
|
||||||
diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
|
diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
|
||||||
--- openssh-5.9p1/session.c.audit4 2011-09-18 05:13:22.842504192 +0200
|
--- openssh-5.9p1/session.c.audit4 2012-02-06 17:15:01.562908533 +0100
|
||||||
+++ openssh-5.9p1/session.c 2011-09-18 05:13:28.511522576 +0200
|
+++ openssh-5.9p1/session.c 2012-02-06 17:15:21.697874825 +0100
|
||||||
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
|
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
|
||||||
|
|
||||||
/* remove hostkey from the child's memory */
|
/* remove hostkey from the child's memory */
|
||||||
@ -605,8 +605,8 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
|
|||||||
/* Force a password change */
|
/* Force a password change */
|
||||||
if (s->authctxt->force_pwchange) {
|
if (s->authctxt->force_pwchange) {
|
||||||
diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
|
diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
|
||||||
--- openssh-5.9p1/sshd.c.audit4 2011-09-18 05:13:26.617460032 +0200
|
--- openssh-5.9p1/sshd.c.audit4 2012-02-06 17:15:01.583866459 +0100
|
||||||
+++ openssh-5.9p1/sshd.c 2011-09-18 05:13:28.621521065 +0200
|
+++ openssh-5.9p1/sshd.c 2012-02-06 17:15:21.699033720 +0100
|
||||||
@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
|
@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
|
diff -up openssh-5.9p1/ssh_config.redhat openssh-5.9p1/ssh_config
|
||||||
--- openssh-5.9p0/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
|
--- openssh-5.9p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
|
||||||
+++ openssh-5.9p0/ssh_config 2011-09-05 14:48:16.386439023 +0200
|
+++ openssh-5.9p1/ssh_config 2012-02-06 17:32:43.428032471 +0100
|
||||||
@@ -45,3 +45,14 @@
|
@@ -45,3 +45,14 @@
|
||||||
# PermitLocalCommand no
|
# PermitLocalCommand no
|
||||||
# VisualHostKey no
|
# VisualHostKey no
|
||||||
@ -16,37 +16,9 @@ diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
|
|||||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||||
+ SendEnv XMODIFIERS
|
+ SendEnv XMODIFIERS
|
||||||
diff -up openssh-5.9p0/sshd_config.0.redhat openssh-5.9p0/sshd_config.0
|
diff -up openssh-5.9p1/sshd_config.redhat openssh-5.9p1/sshd_config
|
||||||
--- openssh-5.9p0/sshd_config.0.redhat 2011-09-05 14:48:08.522441255 +0200
|
--- openssh-5.9p1/sshd_config.redhat 2012-02-06 17:32:43.427032448 +0100
|
||||||
+++ openssh-5.9p0/sshd_config.0 2011-09-05 14:48:16.477443868 +0200
|
+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:15.356783832 +0100
|
||||||
@@ -581,9 +581,9 @@ DESCRIPTION
|
|
||||||
|
|
||||||
SyslogFacility
|
|
||||||
Gives the facility code that is used when logging messages from
|
|
||||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
|
||||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
|
||||||
- default is AUTH.
|
|
||||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
|
||||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
|
||||||
+ The default is AUTH.
|
|
||||||
|
|
||||||
TCPKeepAlive
|
|
||||||
Specifies whether the system should send TCP keepalive messages
|
|
||||||
diff -up openssh-5.9p0/sshd_config.5.redhat openssh-5.9p0/sshd_config.5
|
|
||||||
--- openssh-5.9p0/sshd_config.5.redhat 2011-09-05 14:48:08.657564688 +0200
|
|
||||||
+++ openssh-5.9p0/sshd_config.5 2011-09-05 14:48:16.589501736 +0200
|
|
||||||
@@ -1029,7 +1029,7 @@ Note that this option applies to protoco
|
|
||||||
.It Cm SyslogFacility
|
|
||||||
Gives the facility code that is used when logging messages from
|
|
||||||
.Xr sshd 8 .
|
|
||||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
|
||||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
|
||||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
|
||||||
The default is AUTH.
|
|
||||||
.It Cm TCPKeepAlive
|
|
||||||
diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
|
|
||||||
--- openssh-5.9p0/sshd_config.redhat 2011-09-05 14:48:16.250626793 +0200
|
|
||||||
+++ openssh-5.9p0/sshd_config 2011-09-05 15:06:01.513443553 +0200
|
|
||||||
@@ -32,6 +32,7 @@
|
@@ -32,6 +32,7 @@
|
||||||
# Logging
|
# Logging
|
||||||
# obsoletes QuietMode and FascistLogging
|
# obsoletes QuietMode and FascistLogging
|
||||||
@ -77,15 +49,13 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
|
|||||||
|
|
||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
# and session processing. If this is enabled, PAM authentication will
|
||||||
@@ -89,6 +94,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
@@ -89,11 +94,13 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
#UsePAM no
|
#UsePAM no
|
||||||
+UsePAM yes
|
+UsePAM yes
|
||||||
|
|
||||||
#TwoFactorAuthentication no
|
#AllowAgentForwarding yes
|
||||||
#SecondPubkeyAuthentication yes
|
|
||||||
@@ -101,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
#AllowTcpForwarding yes
|
#AllowTcpForwarding yes
|
||||||
#GatewayPorts no
|
#GatewayPorts no
|
||||||
#X11Forwarding no
|
#X11Forwarding no
|
||||||
@ -93,7 +63,7 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
|
|||||||
#X11DisplayOffset 10
|
#X11DisplayOffset 10
|
||||||
#X11UseLocalhost yes
|
#X11UseLocalhost yes
|
||||||
#PrintMotd yes
|
#PrintMotd yes
|
||||||
@@ -121,6 +128,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
@@ -114,6 +121,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
# no default banner path
|
# no default banner path
|
||||||
#Banner none
|
#Banner none
|
||||||
|
|
||||||
@ -106,3 +76,31 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
|
|||||||
# override default of no subsystems
|
# override default of no subsystems
|
||||||
Subsystem sftp /usr/libexec/sftp-server
|
Subsystem sftp /usr/libexec/sftp-server
|
||||||
|
|
||||||
|
diff -up openssh-5.9p1/sshd_config.0.redhat openssh-5.9p1/sshd_config.0
|
||||||
|
--- openssh-5.9p1/sshd_config.0.redhat 2012-02-06 17:32:43.302970171 +0100
|
||||||
|
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:32:43.428032471 +0100
|
||||||
|
@@ -581,9 +581,9 @@ DESCRIPTION
|
||||||
|
|
||||||
|
SyslogFacility
|
||||||
|
Gives the facility code that is used when logging messages from
|
||||||
|
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||||
|
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||||
|
- default is AUTH.
|
||||||
|
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||||
|
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||||
|
+ The default is AUTH.
|
||||||
|
|
||||||
|
TCPKeepAlive
|
||||||
|
Specifies whether the system should send TCP keepalive messages
|
||||||
|
diff -up openssh-5.9p1/sshd_config.5.redhat openssh-5.9p1/sshd_config.5
|
||||||
|
--- openssh-5.9p1/sshd_config.5.redhat 2012-02-06 17:32:43.303971959 +0100
|
||||||
|
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:32:43.429032398 +0100
|
||||||
|
@@ -1019,7 +1019,7 @@ Note that this option applies to protoco
|
||||||
|
.It Cm SyslogFacility
|
||||||
|
Gives the facility code that is used when logging messages from
|
||||||
|
.Xr sshd 8 .
|
||||||
|
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||||
|
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||||
|
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||||
|
The default is AUTH.
|
||||||
|
.It Cm TCPKeepAlive
|
||||||
|
827
openssh-5.9p1-required-authentications.patch
Normal file
827
openssh-5.9p1-required-authentications.patch
Normal file
@ -0,0 +1,827 @@
|
|||||||
|
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
|
||||||
|
--- openssh-5.9p1/auth.c.required-authentication 2012-02-06 17:03:51.034158031 +0100
|
||||||
|
+++ openssh-5.9p1/auth.c 2012-02-06 17:03:55.007830206 +0100
|
||||||
|
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
||||||
|
+auth_log(Authctxt *authctxt, int authenticated, const char *method,
|
||||||
|
+ const char *submethod, const char *info)
|
||||||
|
{
|
||||||
|
void (*authlog) (const char *fmt,...) = verbose;
|
||||||
|
char *authmsg;
|
||||||
|
@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
|
||||||
|
else
|
||||||
|
authmsg = authenticated ? "Accepted" : "Failed";
|
||||||
|
|
||||||
|
- authlog("%s %s for %s%.100s from %.200s port %d%s",
|
||||||
|
+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
|
||||||
|
authmsg,
|
||||||
|
method,
|
||||||
|
+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
|
||||||
|
authctxt->valid ? "" : "invalid user ",
|
||||||
|
authctxt->user,
|
||||||
|
get_remote_ipaddr(),
|
||||||
|
@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
|
||||||
|
* Check whether root logins are disallowed.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
-auth_root_allowed(char *method)
|
||||||
|
+auth_root_allowed(const char *method)
|
||||||
|
{
|
||||||
|
switch (options.permit_root_login) {
|
||||||
|
case PERMIT_YES:
|
||||||
|
@@ -694,3 +696,57 @@ fakepw(void)
|
||||||
|
|
||||||
|
return (&fake);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+auth_method_in_list(const char *list, const char *method)
|
||||||
|
+{
|
||||||
|
+ char *cp;
|
||||||
|
+
|
||||||
|
+ cp = match_list(method, list, NULL);
|
||||||
|
+ if (cp != NULL) {
|
||||||
|
+ xfree(cp);
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define DELIM ","
|
||||||
|
+int
|
||||||
|
+auth_remove_from_list(char **list, const char *method)
|
||||||
|
+{
|
||||||
|
+ char *oldlist, *cp, *newlist = NULL;
|
||||||
|
+ u_int len = 0, ret = 0;
|
||||||
|
+
|
||||||
|
+ if (list == NULL || *list == NULL)
|
||||||
|
+ return (0);
|
||||||
|
+
|
||||||
|
+ oldlist = *list;
|
||||||
|
+ len = strlen(oldlist) + 1;
|
||||||
|
+ newlist = xmalloc(len);
|
||||||
|
+ memset(newlist, '\0', len);
|
||||||
|
+
|
||||||
|
+ /* Remove method from list, if present */
|
||||||
|
+ for (;;) {
|
||||||
|
+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
|
||||||
|
+ break;
|
||||||
|
+ if (*cp == '\0')
|
||||||
|
+ continue;
|
||||||
|
+ if (strcmp(cp, method) != 0) {
|
||||||
|
+ if (*newlist != '\0')
|
||||||
|
+ strlcat(newlist, DELIM, len);
|
||||||
|
+ strlcat(newlist, cp, len);
|
||||||
|
+ } else
|
||||||
|
+ ret++;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Return NULL instead of empty list */
|
||||||
|
+ if (*newlist == '\0') {
|
||||||
|
+ xfree(newlist);
|
||||||
|
+ newlist = NULL;
|
||||||
|
+ }
|
||||||
|
+ xfree(*list);
|
||||||
|
+ *list = newlist;
|
||||||
|
+
|
||||||
|
+ return (ret);
|
||||||
|
+}
|
||||||
|
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
|
||||||
|
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/auth.h 2012-02-06 17:03:55.008839468 +0100
|
||||||
|
@@ -142,10 +142,11 @@ void disable_forwarding(void);
|
||||||
|
void do_authentication(Authctxt *);
|
||||||
|
void do_authentication2(Authctxt *);
|
||||||
|
|
||||||
|
-void auth_log(Authctxt *, int, char *, char *);
|
||||||
|
-void userauth_finish(Authctxt *, int, char *);
|
||||||
|
+void auth_log(Authctxt *, int, const char *, const char *, const char *);
|
||||||
|
+void userauth_finish(Authctxt *, int, const char *, const char *);
|
||||||
|
+int auth_root_allowed(const char *);
|
||||||
|
+
|
||||||
|
void userauth_send_banner(const char *);
|
||||||
|
-int auth_root_allowed(char *);
|
||||||
|
|
||||||
|
char *auth2_read_banner(void);
|
||||||
|
|
||||||
|
@@ -192,6 +193,11 @@ void auth_debug_send(void);
|
||||||
|
void auth_debug_reset(void);
|
||||||
|
|
||||||
|
struct passwd *fakepw(void);
|
||||||
|
+int auth_method_in_list(const char *, const char *);
|
||||||
|
+int auth_remove_from_list(char **, const char *);
|
||||||
|
+
|
||||||
|
+int auth1_check_required(const char *);
|
||||||
|
+int auth2_check_required(const char *);
|
||||||
|
|
||||||
|
int sys_auth_passwd(Authctxt *, const char *);
|
||||||
|
|
||||||
|
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
|
||||||
|
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/auth1.c 2012-02-06 17:03:55.055811924 +0100
|
||||||
|
@@ -98,6 +98,54 @@ static const struct AuthMethod1
|
||||||
|
return (NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
+static const struct AuthMethod1 *
|
||||||
|
+lookup_authmethod1_by_name(const char *name)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; auth1_methods[i].name != NULL; i++)
|
||||||
|
+ if (strcmp(auth1_methods[i].name, name) == 0)
|
||||||
|
+ return (&(auth1_methods[i]));
|
||||||
|
+
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define DELIM ","
|
||||||
|
+int
|
||||||
|
+auth1_check_required(const char *list)
|
||||||
|
+{
|
||||||
|
+ char *orig_methods, *methods, *cp;
|
||||||
|
+ static const struct AuthMethod1 *m;
|
||||||
|
+ int ret = 0;
|
||||||
|
+
|
||||||
|
+ orig_methods = methods = xstrdup(list);
|
||||||
|
+ for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
|
||||||
|
+ if ((cp = strsep(&methods, DELIM)) == NULL)
|
||||||
|
+ break;
|
||||||
|
+ debug2("auth1_check_required: method \"%s\"", cp);
|
||||||
|
+ if (*cp == '\0') {
|
||||||
|
+ debug("auth1_check_required: empty method");
|
||||||
|
+ ret = -1;
|
||||||
|
+ }
|
||||||
|
+ if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
|
||||||
|
+ debug("auth1_check_required: unknown method "
|
||||||
|
+ "\"%s\"", cp);
|
||||||
|
+ ret = -1;
|
||||||
|
+ }
|
||||||
|
+ if (*(m->enabled) == 0) {
|
||||||
|
+ debug("auth1_check_required: method %s explicitly "
|
||||||
|
+ "disabled", cp);
|
||||||
|
+ ret = -1;
|
||||||
|
+ }
|
||||||
|
+ /* Activate method if it isn't already */
|
||||||
|
+ if (*(m->enabled) == -1)
|
||||||
|
+ *(m->enabled) = 1;
|
||||||
|
+ }
|
||||||
|
+ xfree(orig_methods);
|
||||||
|
+ return (ret);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
static char *
|
||||||
|
get_authname(int type)
|
||||||
|
{
|
||||||
|
@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt)
|
||||||
|
{
|
||||||
|
int authenticated = 0;
|
||||||
|
char info[1024];
|
||||||
|
+ const char *meth_name;
|
||||||
|
int prev = 0, type = 0;
|
||||||
|
const struct AuthMethod1 *meth;
|
||||||
|
|
||||||
|
@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt)
|
||||||
|
authctxt->valid ? "" : "invalid user ", authctxt->user);
|
||||||
|
|
||||||
|
/* If the user has no password, accept authentication immediately. */
|
||||||
|
- if (options.permit_empty_passwd && options.password_authentication &&
|
||||||
|
+ if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
|
||||||
|
#ifdef KRB5
|
||||||
|
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
|
||||||
|
#endif
|
||||||
|
@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt)
|
||||||
|
if (options.use_pam && (PRIVSEP(do_pam_account())))
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
- auth_log(authctxt, 1, "without authentication", "");
|
||||||
|
+ auth_log(authctxt, 1, "without authentication", NULL, "");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt)
|
||||||
|
/* Get a packet from the client. */
|
||||||
|
prev = type;
|
||||||
|
type = packet_read();
|
||||||
|
+ meth_name = get_authname(type);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If we started challenge-response authentication but the
|
||||||
|
@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt)
|
||||||
|
if (authctxt->failures >= options.max_authtries)
|
||||||
|
goto skip;
|
||||||
|
if ((meth = lookup_authmethod1(type)) == NULL) {
|
||||||
|
- logit("Unknown message during authentication: "
|
||||||
|
- "type %d", type);
|
||||||
|
+ logit("Unknown message during authentication: type %d",
|
||||||
|
+ type);
|
||||||
|
goto skip;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt)
|
||||||
|
goto skip;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Skip methods not in required list, until all the required
|
||||||
|
+ * ones are done
|
||||||
|
+ */
|
||||||
|
+ if (options.required_auth1 != NULL &&
|
||||||
|
+ !auth_method_in_list(options.required_auth1, meth_name)) {
|
||||||
|
+ debug("Skipping method \"%s\" until required "
|
||||||
|
+ "authentication completed", meth_name);
|
||||||
|
+ goto skip;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
authenticated = meth->method(authctxt, info, sizeof(info));
|
||||||
|
if (authenticated == -1)
|
||||||
|
continue; /* "postponed" */
|
||||||
|
@@ -352,7 +413,29 @@ do_authloop(Authctxt *authctxt)
|
||||||
|
|
||||||
|
skip:
|
||||||
|
/* Log before sending the reply */
|
||||||
|
- auth_log(authctxt, authenticated, get_authname(type), info);
|
||||||
|
+ auth_log(authctxt, authenticated, meth_name, NULL, info);
|
||||||
|
+
|
||||||
|
+ /* Loop until the required authmethods are done */
|
||||||
|
+ if (authenticated && options.required_auth1 != NULL) {
|
||||||
|
+ if (auth_remove_from_list(&options.required_auth1,
|
||||||
|
+ meth_name) != 1)
|
||||||
|
+ fatal("INTERNAL ERROR: authenticated method "
|
||||||
|
+ "\"%s\" not in required list \"%s\"",
|
||||||
|
+ meth_name, options.required_auth1);
|
||||||
|
+ debug2("do_authloop: required list now: %s",
|
||||||
|
+ options.required_auth1 == NULL ?
|
||||||
|
+ "DONE" : options.required_auth1);
|
||||||
|
+ if (options.required_auth1 == NULL)
|
||||||
|
+ return;
|
||||||
|
+ authenticated = 0;
|
||||||
|
+ /*
|
||||||
|
+ * Disable method so client can't authenticate with it
|
||||||
|
+ * after the required authentications are complete.
|
||||||
|
+ */
|
||||||
|
+ *(meth->enabled) = 0;
|
||||||
|
+ packet_send_debug("Further authentication required");
|
||||||
|
+ goto send_fail;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (client_user != NULL) {
|
||||||
|
xfree(client_user);
|
||||||
|
@@ -368,6 +451,7 @@ do_authloop(Authctxt *authctxt)
|
||||||
|
#endif
|
||||||
|
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||||
|
}
|
||||||
|
+ send_fail:
|
||||||
|
|
||||||
|
packet_start(SSH_SMSG_FAILURE);
|
||||||
|
packet_send();
|
||||||
|
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
|
||||||
|
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/auth2.c 2012-02-06 17:03:55.100896430 +0100
|
||||||
|
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
|
||||||
|
{
|
||||||
|
Authctxt *authctxt = ctxt;
|
||||||
|
Authmethod *m = NULL;
|
||||||
|
- char *user, *service, *method, *style = NULL;
|
||||||
|
+ char *user, *service, *method, *active_methods, *style = NULL;
|
||||||
|
int authenticated = 0;
|
||||||
|
|
||||||
|
if (authctxt == NULL)
|
||||||
|
@@ -277,22 +277,31 @@ input_userauth_request(int type, u_int32
|
||||||
|
authctxt->server_caused_failure = 0;
|
||||||
|
|
||||||
|
/* try to authenticate user */
|
||||||
|
- m = authmethod_lookup(method);
|
||||||
|
- if (m != NULL && authctxt->failures < options.max_authtries) {
|
||||||
|
- debug2("input_userauth_request: try method %s", method);
|
||||||
|
- authenticated = m->userauth(authctxt);
|
||||||
|
- }
|
||||||
|
- userauth_finish(authctxt, authenticated, method);
|
||||||
|
+ active_methods = authmethods_get();
|
||||||
|
+ if (strcmp(method, "none") == 0 ||
|
||||||
|
+ auth_method_in_list(active_methods, method)) {
|
||||||
|
+ m = authmethod_lookup(method);
|
||||||
|
+ if (m != NULL) {
|
||||||
|
+ debug2("input_userauth_request: try method %s", method);
|
||||||
|
+ authenticated = m->userauth(authctxt);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
+ }
|
||||||
|
+ xfree(active_methods);
|
||||||
|
+ userauth_finish(authctxt, authenticated, method, NULL);
|
||||||
|
+
|
||||||
|
xfree(service);
|
||||||
|
xfree(user);
|
||||||
|
xfree(method);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
|
||||||
|
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
|
||||||
|
+ const char *submethod)
|
||||||
|
{
|
||||||
|
char *methods;
|
||||||
|
+ Authmethod *m = NULL;
|
||||||
|
+ u_int partial = 0;
|
||||||
|
|
||||||
|
if (!authctxt->valid && authenticated)
|
||||||
|
fatal("INTERNAL ERROR: authenticated invalid user %s",
|
||||||
|
@@ -330,12 +339,42 @@ userauth_finish(Authctxt *authctxt, int
|
||||||
|
#endif /* _UNICOS */
|
||||||
|
|
||||||
|
/* Log before sending the reply */
|
||||||
|
- auth_log(authctxt, authenticated, method, " ssh2");
|
||||||
|
+ auth_log(authctxt, authenticated, method, submethod, " ssh2");
|
||||||
|
|
||||||
|
if (authctxt->postponed)
|
||||||
|
return;
|
||||||
|
|
||||||
|
- /* XXX todo: check if multiple auth methods are needed */
|
||||||
|
+ /* Handle RequiredAuthentications2: loop until required methods done */
|
||||||
|
+ if (authenticated && options.required_auth2 != NULL) {
|
||||||
|
+ if ((m = authmethod_lookup(method)) == NULL)
|
||||||
|
+ fatal("INTERNAL ERROR: authenticated method "
|
||||||
|
+ "\"%s\" unknown", method);
|
||||||
|
+ if (auth_remove_from_list(&options.required_auth2, method) != 1)
|
||||||
|
+ fatal("INTERNAL ERROR: authenticated method "
|
||||||
|
+ "\"%s\" not in required list \"%s\"",
|
||||||
|
+ method, options.required_auth2);
|
||||||
|
+ debug2("userauth_finish: required list now: %s",
|
||||||
|
+ options.required_auth2 == NULL ?
|
||||||
|
+ "DONE" : options.required_auth2);
|
||||||
|
+ /*
|
||||||
|
+ * if authenticated and no more required methods
|
||||||
|
+ * then declare success
|
||||||
|
+ */
|
||||||
|
+ if ( authenticated && options.required_auth2 == NULL ) {
|
||||||
|
+ debug2("userauth_finish: authenticated and no more required methods");
|
||||||
|
+ } else {
|
||||||
|
+ /*
|
||||||
|
+ * Disable method so client can't authenticate with it after
|
||||||
|
+ * the required authentications are complete.
|
||||||
|
+ */
|
||||||
|
+ if (m->enabled != NULL)
|
||||||
|
+ *(m->enabled) = 0;
|
||||||
|
+ authenticated = 0;
|
||||||
|
+ partial = 1;
|
||||||
|
+ goto send_fail;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (authenticated == 1) {
|
||||||
|
/* turn off userauth */
|
||||||
|
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
|
||||||
|
@@ -345,7 +384,6 @@ userauth_finish(Authctxt *authctxt, int
|
||||||
|
/* now we can break out */
|
||||||
|
authctxt->success = 1;
|
||||||
|
} else {
|
||||||
|
-
|
||||||
|
/* Allow initial try of "none" auth without failure penalty */
|
||||||
|
if (!authctxt->server_caused_failure &&
|
||||||
|
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
|
||||||
|
@@ -356,10 +394,11 @@ userauth_finish(Authctxt *authctxt, int
|
||||||
|
#endif
|
||||||
|
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||||
|
}
|
||||||
|
+ send_fail:
|
||||||
|
methods = authmethods_get();
|
||||||
|
packet_start(SSH2_MSG_USERAUTH_FAILURE);
|
||||||
|
packet_put_cstring(methods);
|
||||||
|
- packet_put_char(0); /* XXX partial success, unused */
|
||||||
|
+ packet_put_char(partial);
|
||||||
|
packet_send();
|
||||||
|
packet_write_wait();
|
||||||
|
xfree(methods);
|
||||||
|
@@ -373,6 +412,9 @@ authmethods_get(void)
|
||||||
|
char *list;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
+ if (options.required_auth2 != NULL)
|
||||||
|
+ return xstrdup(options.required_auth2);
|
||||||
|
+
|
||||||
|
buffer_init(&b);
|
||||||
|
for (i = 0; authmethods[i] != NULL; i++) {
|
||||||
|
if (strcmp(authmethods[i]->name, "none") == 0)
|
||||||
|
@@ -407,3 +449,43 @@ authmethod_lookup(const char *name)
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#define DELIM ","
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+auth2_check_required(const char *list)
|
||||||
|
+{
|
||||||
|
+ char *orig_methods, *methods, *cp;
|
||||||
|
+ struct Authmethod *m;
|
||||||
|
+ int i, ret = 0;
|
||||||
|
+
|
||||||
|
+ orig_methods = methods = xstrdup(list);
|
||||||
|
+ for(;;) {
|
||||||
|
+ if ((cp = strsep(&methods, DELIM)) == NULL)
|
||||||
|
+ break;
|
||||||
|
+ debug2("auth2_check_required: method \"%s\"", cp);
|
||||||
|
+ if (*cp == '\0') {
|
||||||
|
+ debug("auth2_check_required: empty method");
|
||||||
|
+ ret = -1;
|
||||||
|
+ }
|
||||||
|
+ for (i = 0; authmethods[i] != NULL; i++)
|
||||||
|
+ if (strcmp(cp, authmethods[i]->name) == 0)
|
||||||
|
+ break;
|
||||||
|
+ if ((m = authmethods[i]) == NULL) {
|
||||||
|
+ debug("auth2_check_required: unknown method "
|
||||||
|
+ "\"%s\"", cp);
|
||||||
|
+ ret = -1;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ if (m->enabled == NULL || *(m->enabled) == 0) {
|
||||||
|
+ debug("auth2_check_required: method %s explicitly "
|
||||||
|
+ "disabled", cp);
|
||||||
|
+ ret = -1;
|
||||||
|
+ }
|
||||||
|
+ /* Activate method if it isn't already */
|
||||||
|
+ if (*(m->enabled) == -1)
|
||||||
|
+ *(m->enabled) = 1;
|
||||||
|
+ }
|
||||||
|
+ xfree(orig_methods);
|
||||||
|
+ return (ret);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
|
||||||
|
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:03:55.098862514 +0100
|
||||||
|
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
|
||||||
|
}
|
||||||
|
authctxt->postponed = 0;
|
||||||
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
|
||||||
|
- userauth_finish(authctxt, 0, "gssapi-with-mic");
|
||||||
|
+ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
|
||||||
|
} else {
|
||||||
|
if (send_tok.length != 0) {
|
||||||
|
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
|
||||||
|
@@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type,
|
||||||
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
|
||||||
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
|
||||||
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
|
||||||
|
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
|
||||||
|
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
@@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
|
||||||
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
|
||||||
|
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
|
||||||
|
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
|
||||||
|
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
Authmethod method_gssapi = {
|
||||||
|
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
|
||||||
|
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
|
||||||
|
+++ openssh-5.9p1/auth2-chall.c 2012-02-06 17:03:55.098862514 +0100
|
||||||
|
@@ -341,8 +341,8 @@ input_userauth_info_response(int type, u
|
||||||
|
auth2_challenge_start(authctxt);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- userauth_finish(authctxt, authenticated, method);
|
||||||
|
- xfree(method);
|
||||||
|
+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
|
||||||
|
+ kbdintctxt->device?kbdintctxt->device->name:NULL);
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
|
||||||
|
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/auth2-none.c 2012-02-06 17:03:55.099879104 +0100
|
||||||
|
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
|
||||||
|
{
|
||||||
|
none_enabled = 0;
|
||||||
|
packet_check_eom();
|
||||||
|
- if (options.permit_empty_passwd && options.password_authentication)
|
||||||
|
+ if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
|
||||||
|
return (PRIVSEP(auth_password(authctxt, "")));
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||||
|
--- openssh-5.9p1/monitor.c.required-authentication 2012-02-06 17:03:51.020095446 +0100
|
||||||
|
+++ openssh-5.9p1/monitor.c 2012-02-06 17:03:55.101912924 +0100
|
||||||
|
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
|
||||||
|
static char *hostbased_cuser = NULL;
|
||||||
|
static char *hostbased_chost = NULL;
|
||||||
|
static char *auth_method = "unknown";
|
||||||
|
+static char *auth_submethod = NULL;
|
||||||
|
static u_int session_id2_len = 0;
|
||||||
|
static u_char *session_id2 = NULL;
|
||||||
|
static pid_t monitor_child_pid;
|
||||||
|
@@ -352,7 +353,8 @@ void
|
||||||
|
monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
|
||||||
|
{
|
||||||
|
struct mon_table *ent;
|
||||||
|
- int authenticated = 0;
|
||||||
|
+ int no_increment, authenticated = 0;
|
||||||
|
+ char **req_auth;
|
||||||
|
|
||||||
|
debug3("preauth child monitor started");
|
||||||
|
|
||||||
|
@@ -367,12 +369,14 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
|
|
||||||
|
if (compat20) {
|
||||||
|
mon_dispatch = mon_dispatch_proto20;
|
||||||
|
+ req_auth = &options.required_auth2;
|
||||||
|
|
||||||
|
/* Permit requests for moduli and signatures */
|
||||||
|
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||||
|
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||||
|
} else {
|
||||||
|
mon_dispatch = mon_dispatch_proto15;
|
||||||
|
+ req_auth = &options.required_auth1;
|
||||||
|
|
||||||
|
monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
|
||||||
|
}
|
||||||
|
@@ -380,6 +384,8 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
|
/* The first few requests do not require asynchronous access */
|
||||||
|
while (!authenticated) {
|
||||||
|
auth_method = "unknown";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
+ no_increment = 1;
|
||||||
|
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
|
||||||
|
if (authenticated) {
|
||||||
|
if (!(ent->flags & MON_AUTHDECIDE))
|
||||||
|
@@ -401,11 +407,23 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
+ /* Loop until the required authmethods are done */
|
||||||
|
+ if (authenticated && *req_auth != NULL) {
|
||||||
|
+ if (auth_remove_from_list(req_auth, auth_method) != 1)
|
||||||
|
+ fatal("INTERNAL ERROR: authenticated method "
|
||||||
|
+ "\"%s\" not in required list \"%s\"",
|
||||||
|
+ auth_method, *req_auth);
|
||||||
|
+ debug2("monitor_child_preauth: required list now: %s",
|
||||||
|
+ *req_auth == NULL ? "DONE" : *req_auth);
|
||||||
|
+ if (*req_auth != NULL)
|
||||||
|
+ authenticated = 0;
|
||||||
|
+ no_increment = 1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
|
||||||
|
auth_log(authctxt, authenticated, auth_method,
|
||||||
|
- compat20 ? " ssh2" : "");
|
||||||
|
- if (!authenticated)
|
||||||
|
+ auth_submethod, compat20 ? " ssh2" : "");
|
||||||
|
+ if (!authenticated && !no_increment)
|
||||||
|
authctxt->failures++;
|
||||||
|
}
|
||||||
|
#ifdef JPAKE
|
||||||
|
@@ -862,6 +880,7 @@ mm_answer_authpassword(int sock, Buffer
|
||||||
|
auth_method = "none";
|
||||||
|
else
|
||||||
|
auth_method = "password";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
|
||||||
|
/* Causes monitor loop to terminate if authenticated */
|
||||||
|
return (authenticated);
|
||||||
|
@@ -921,6 +940,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
|
||||||
|
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
|
||||||
|
|
||||||
|
auth_method = "bsdauth";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
|
||||||
|
return (authok != 0);
|
||||||
|
}
|
||||||
|
@@ -970,6 +990,7 @@ mm_answer_skeyrespond(int sock, Buffer *
|
||||||
|
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
|
||||||
|
|
||||||
|
auth_method = "skey";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
|
||||||
|
return (authok != 0);
|
||||||
|
}
|
||||||
|
@@ -1059,7 +1080,8 @@ mm_answer_pam_query(int sock, Buffer *m)
|
||||||
|
xfree(prompts);
|
||||||
|
if (echo_on != NULL)
|
||||||
|
xfree(echo_on);
|
||||||
|
- auth_method = "keyboard-interactive/pam";
|
||||||
|
+ auth_method = "keyboard-interactive";
|
||||||
|
+ auth_submethod = "pam";
|
||||||
|
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
@@ -1088,7 +1110,8 @@ mm_answer_pam_respond(int sock, Buffer *
|
||||||
|
buffer_clear(m);
|
||||||
|
buffer_put_int(m, ret);
|
||||||
|
mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
|
||||||
|
- auth_method = "keyboard-interactive/pam";
|
||||||
|
+ auth_method = "keyboard-interactive";
|
||||||
|
+ auth_submethod = "pam";
|
||||||
|
if (ret == 0)
|
||||||
|
sshpam_authok = sshpam_ctxt;
|
||||||
|
return (0);
|
||||||
|
@@ -1102,7 +1125,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
|
||||||
|
(sshpam_device.free_ctx)(sshpam_ctxt);
|
||||||
|
buffer_clear(m);
|
||||||
|
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
|
||||||
|
- auth_method = "keyboard-interactive/pam";
|
||||||
|
+ auth_method = "keyboard-interactive";
|
||||||
|
+ auth_submethod = "pam";
|
||||||
|
return (sshpam_authok == sshpam_ctxt);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
@@ -1138,6 +1162,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||||
|
allowed = options.pubkey_authentication &&
|
||||||
|
user_key_allowed(authctxt->pw, key);
|
||||||
|
auth_method = "publickey";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
if (options.pubkey_authentication && allowed != 1)
|
||||||
|
auth_clear_options();
|
||||||
|
break;
|
||||||
|
@@ -1146,6 +1171,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||||
|
hostbased_key_allowed(authctxt->pw,
|
||||||
|
cuser, chost, key);
|
||||||
|
auth_method = "hostbased";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
break;
|
||||||
|
case MM_RSAHOSTKEY:
|
||||||
|
key->type = KEY_RSA1; /* XXX */
|
||||||
|
@@ -1155,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||||
|
if (options.rhosts_rsa_authentication && allowed != 1)
|
||||||
|
auth_clear_options();
|
||||||
|
auth_method = "rsa";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
fatal("%s: unknown key type %d", __func__, type);
|
||||||
|
@@ -1180,7 +1207,8 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||||
|
hostbased_chost = chost;
|
||||||
|
} else {
|
||||||
|
/* Log failed attempt */
|
||||||
|
- auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
|
||||||
|
+ auth_log(authctxt, 0, auth_method, auth_submethod,
|
||||||
|
+ compat20 ? " ssh2" : "");
|
||||||
|
xfree(blob);
|
||||||
|
xfree(cuser);
|
||||||
|
xfree(chost);
|
||||||
|
@@ -1356,6 +1384,7 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||||
|
xfree(data);
|
||||||
|
|
||||||
|
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
|
||||||
|
monitor_reset_key_state();
|
||||||
|
|
||||||
|
@@ -1545,6 +1574,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
|
||||||
|
debug3("%s entering", __func__);
|
||||||
|
|
||||||
|
auth_method = "rsa";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
if (options.rsa_authentication && authctxt->valid) {
|
||||||
|
if ((client_n = BN_new()) == NULL)
|
||||||
|
fatal("%s: BN_new", __func__);
|
||||||
|
@@ -1650,6 +1680,7 @@ mm_answer_rsa_response(int sock, Buffer
|
||||||
|
xfree(response);
|
||||||
|
|
||||||
|
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
|
||||||
|
/* reset state */
|
||||||
|
BN_clear_free(ssh1_challenge);
|
||||||
|
@@ -2099,6 +2130,7 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||||
|
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
||||||
|
|
||||||
|
auth_method = "gssapi-with-mic";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
|
||||||
|
/* Monitor loop will terminate if authenticated */
|
||||||
|
return (authenticated);
|
||||||
|
@@ -2303,6 +2335,7 @@ mm_answer_jpake_check_confirm(int sock,
|
||||||
|
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
|
||||||
|
|
||||||
|
auth_method = "jpake-01@openssh.com";
|
||||||
|
+ auth_submethod = NULL;
|
||||||
|
return authenticated;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
|
||||||
|
--- openssh-5.9p1/servconf.c.required-authentication 2012-02-06 17:03:51.024963230 +0100
|
||||||
|
+++ openssh-5.9p1/servconf.c 2012-02-06 17:03:55.102929716 +0100
|
||||||
|
@@ -42,6 +42,8 @@
|
||||||
|
#include "key.h"
|
||||||
|
#include "kex.h"
|
||||||
|
#include "mac.h"
|
||||||
|
+#include "hostfile.h"
|
||||||
|
+#include "auth.h"
|
||||||
|
#include "match.h"
|
||||||
|
#include "channels.h"
|
||||||
|
#include "groupaccess.h"
|
||||||
|
@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions
|
||||||
|
options->num_authkeys_files = 0;
|
||||||
|
options->num_accept_env = 0;
|
||||||
|
options->permit_tun = -1;
|
||||||
|
+ options->required_auth1 = NULL;
|
||||||
|
+ options->required_auth2 = NULL;
|
||||||
|
options->num_permitted_opens = -1;
|
||||||
|
options->adm_forced_command = NULL;
|
||||||
|
options->chroot_directory = NULL;
|
||||||
|
@@ -319,6 +323,7 @@ typedef enum {
|
||||||
|
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||||
|
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
|
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||||
|
+ sRequiredAuthentications1, sRequiredAuthentications2,
|
||||||
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||||
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||||
|
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||||
|
@@ -447,6 +452,8 @@ static struct {
|
||||||
|
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
||||||
|
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||||
|
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||||
|
+ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
|
||||||
|
+ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
|
||||||
|
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||||
|
{ NULL, sBadOption, 0 }
|
||||||
|
};
|
||||||
|
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
|
||||||
|
options->max_startups = options->max_startups_begin;
|
||||||
|
break;
|
||||||
|
|
||||||
|
+
|
||||||
|
+ case sRequiredAuthentications1:
|
||||||
|
+ charptr = &options->required_auth1;
|
||||||
|
+ arg = strdelim(&cp);
|
||||||
|
+ if (auth1_check_required(arg) != 0)
|
||||||
|
+ fatal("%.200s line %d: Invalid required authentication "
|
||||||
|
+ "list", filename, linenum);
|
||||||
|
+ if (!arg || *arg == '\0')
|
||||||
|
+ fatal("%.200s line %d: Missing argument.",
|
||||||
|
+ filename, linenum);
|
||||||
|
+ if (*charptr == NULL)
|
||||||
|
+ *charptr = xstrdup(arg);
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ case sRequiredAuthentications2:
|
||||||
|
+ charptr = &options->required_auth2;
|
||||||
|
+ arg = strdelim(&cp);
|
||||||
|
+ if (auth2_check_required(arg) != 0)
|
||||||
|
+ fatal("%.200s line %d: Invalid required authentication "
|
||||||
|
+ "list", filename, linenum);
|
||||||
|
+ if (!arg || *arg == '\0')
|
||||||
|
+ fatal("%.200s line %d: Missing argument.",
|
||||||
|
+ filename, linenum);
|
||||||
|
+ if (*charptr == NULL)
|
||||||
|
+ *charptr = xstrdup(arg);
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
case sMaxAuthTries:
|
||||||
|
intptr = &options->max_authtries;
|
||||||
|
goto parse_int;
|
||||||
|
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
|
||||||
|
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/servconf.h 2012-02-06 17:03:55.102929716 +0100
|
||||||
|
@@ -154,6 +154,9 @@ typedef struct {
|
||||||
|
u_int num_authkeys_files; /* Files containing public keys */
|
||||||
|
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
||||||
|
|
||||||
|
+ char *required_auth1; /* Required, but not sufficient */
|
||||||
|
+ char *required_auth2;
|
||||||
|
+
|
||||||
|
char *adm_forced_command;
|
||||||
|
|
||||||
|
int use_pam; /* Enable auth via PAM */
|
||||||
|
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
|
||||||
|
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:09:39.038871798 +0100
|
||||||
|
@@ -723,6 +723,8 @@ Available keywords are
|
||||||
|
.Cm PermitOpen ,
|
||||||
|
.Cm PermitRootLogin ,
|
||||||
|
.Cm PermitTunnel ,
|
||||||
|
+.Cm RequiredAuthentications1,
|
||||||
|
+.Cm RequiredAuthentications2,
|
||||||
|
.Cm PubkeyAuthentication ,
|
||||||
|
.Cm RhostsRSAAuthentication ,
|
||||||
|
.Cm RSAAuthentication ,
|
||||||
|
@@ -920,6 +937,21 @@ Specifies a list of revoked public keys.
|
||||||
|
Keys listed in this file will be refused for public key authentication.
|
||||||
|
Note that if this file is not readable, then public key authentication will
|
||||||
|
be refused for all users.
|
||||||
|
+.It Cm RequiredAuthentications[12]
|
||||||
|
+ Requires two authentication methods to succeed before authorizing the connection.
|
||||||
|
+ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
|
||||||
|
+
|
||||||
|
+ RequiredAuthentications1 method[,method...]
|
||||||
|
+ RequiredAuthentications2 method[,method...]
|
||||||
|
+
|
||||||
|
+.Pp
|
||||||
|
+Example 1:
|
||||||
|
+
|
||||||
|
+ RequiredAuthentications2 password,hostbased
|
||||||
|
+
|
||||||
|
+Example 2:
|
||||||
|
+ RequiredAuthentications2 publickey,password
|
||||||
|
+
|
||||||
|
.It Cm RhostsRSAAuthentication
|
||||||
|
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||||
|
with successful RSA host authentication is allowed.
|
@ -1,30 +1,6 @@
|
|||||||
diff -up openssh-5.9p0/auth-pam.c.role openssh-5.9p0/auth-pam.c
|
diff -up openssh-5.9p1/auth.h.role openssh-5.9p1/auth.h
|
||||||
--- openssh-5.9p0/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
|
--- openssh-5.9p1/auth.h.role 2012-02-06 17:21:26.038970656 +0100
|
||||||
+++ openssh-5.9p0/auth-pam.c 2011-08-31 11:42:54.870087433 +0200
|
+++ openssh-5.9p1/auth.h 2012-02-06 17:21:59.477033401 +0100
|
||||||
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
|
|
||||||
* during the ssh authentication process.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
-do_pam_putenv(char *name, char *value)
|
|
||||||
+do_pam_putenv(char *name, const char *value)
|
|
||||||
{
|
|
||||||
int ret = 1;
|
|
||||||
#ifdef HAVE_PAM_PUTENV
|
|
||||||
diff -up openssh-5.9p0/auth-pam.h.role openssh-5.9p0/auth-pam.h
|
|
||||||
--- openssh-5.9p0/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
|
|
||||||
+++ openssh-5.9p0/auth-pam.h 2011-08-31 11:42:54.979086333 +0200
|
|
||||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
|
||||||
void do_pam_set_tty(const char *);
|
|
||||||
void do_pam_setcred(int );
|
|
||||||
void do_pam_chauthtok(void);
|
|
||||||
-int do_pam_putenv(char *, char *);
|
|
||||||
+int do_pam_putenv(char *, const char *);
|
|
||||||
char ** fetch_pam_environment(void);
|
|
||||||
char ** fetch_pam_child_environment(void);
|
|
||||||
void free_pam_environment(char **);
|
|
||||||
diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
|
|
||||||
--- openssh-5.9p0/auth.h.role 2011-08-31 11:42:47.760024631 +0200
|
|
||||||
+++ openssh-5.9p0/auth.h 2011-08-31 11:42:55.090151027 +0200
|
|
||||||
@@ -59,6 +59,9 @@ struct Authctxt {
|
@@ -59,6 +59,9 @@ struct Authctxt {
|
||||||
char *service;
|
char *service;
|
||||||
struct passwd *pw; /* set if 'valid' */
|
struct passwd *pw; /* set if 'valid' */
|
||||||
@ -35,10 +11,34 @@ diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
|
|||||||
void *kbdintctxt;
|
void *kbdintctxt;
|
||||||
void *jpake_ctx;
|
void *jpake_ctx;
|
||||||
#ifdef BSD_AUTH
|
#ifdef BSD_AUTH
|
||||||
diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
|
diff -up openssh-5.9p1/auth-pam.c.role openssh-5.9p1/auth-pam.c
|
||||||
--- openssh-5.9p0/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
|
--- openssh-5.9p1/auth-pam.c.role 2012-02-06 17:21:25.983793983 +0100
|
||||||
+++ openssh-5.9p0/auth1.c 2011-08-31 11:42:55.215033075 +0200
|
+++ openssh-5.9p1/auth-pam.c 2012-02-06 17:21:59.476038868 +0100
|
||||||
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
|
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
|
||||||
|
* during the ssh authentication process.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
-do_pam_putenv(char *name, char *value)
|
||||||
|
+do_pam_putenv(char *name, const char *value)
|
||||||
|
{
|
||||||
|
int ret = 1;
|
||||||
|
#ifdef HAVE_PAM_PUTENV
|
||||||
|
diff -up openssh-5.9p1/auth-pam.h.role openssh-5.9p1/auth-pam.h
|
||||||
|
--- openssh-5.9p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/auth-pam.h 2012-02-06 17:21:59.477033401 +0100
|
||||||
|
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||||
|
void do_pam_set_tty(const char *);
|
||||||
|
void do_pam_setcred(int );
|
||||||
|
void do_pam_chauthtok(void);
|
||||||
|
-int do_pam_putenv(char *, char *);
|
||||||
|
+int do_pam_putenv(char *, const char *);
|
||||||
|
char ** fetch_pam_environment(void);
|
||||||
|
char ** fetch_pam_child_environment(void);
|
||||||
|
void free_pam_environment(char **);
|
||||||
|
diff -up openssh-5.9p1/auth1.c.role openssh-5.9p1/auth1.c
|
||||||
|
--- openssh-5.9p1/auth1.c.role 2012-02-06 17:21:26.016845827 +0100
|
||||||
|
+++ openssh-5.9p1/auth1.c 2012-02-06 17:21:59.478033396 +0100
|
||||||
|
@@ -468,6 +468,9 @@ do_authentication(Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
u_int ulen;
|
u_int ulen;
|
||||||
char *user, *style = NULL;
|
char *user, *style = NULL;
|
||||||
@ -48,7 +48,7 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
|
|||||||
|
|
||||||
/* Get the name of the user that we wish to log in as. */
|
/* Get the name of the user that we wish to log in as. */
|
||||||
packet_read_expect(SSH_CMSG_USER);
|
packet_read_expect(SSH_CMSG_USER);
|
||||||
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
|
@@ -476,11 +479,24 @@ do_authentication(Authctxt *authctxt)
|
||||||
user = packet_get_cstring(&ulen);
|
user = packet_get_cstring(&ulen);
|
||||||
packet_check_eom();
|
packet_check_eom();
|
||||||
|
|
||||||
@ -73,88 +73,13 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
|
|||||||
|
|
||||||
/* Verify that the user is a valid user. */
|
/* Verify that the user is a valid user. */
|
||||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||||
diff -up openssh-5.9p0/auth2-gss.c.role openssh-5.9p0/auth2-gss.c
|
diff -up openssh-5.9p1/auth2.c.role openssh-5.9p1/auth2.c
|
||||||
--- openssh-5.9p0/auth2-gss.c.role 2011-05-05 06:04:11.000000000 +0200
|
--- openssh-5.9p1/auth2.c.role 2012-02-06 17:21:26.024976386 +0100
|
||||||
+++ openssh-5.9p0/auth2-gss.c 2011-08-31 11:42:55.313025576 +0200
|
+++ openssh-5.9p1/auth2.c 2012-02-06 17:23:14.127811737 +0100
|
||||||
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
|
||||||
Authctxt *authctxt = ctxt;
|
|
||||||
Gssctxt *gssctxt;
|
|
||||||
int authenticated = 0;
|
|
||||||
+ char *micuser;
|
|
||||||
Buffer b;
|
|
||||||
gss_buffer_desc mic, gssbuf;
|
|
||||||
u_int len;
|
|
||||||
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
|
||||||
mic.value = packet_get_string(&len);
|
|
||||||
mic.length = len;
|
|
||||||
|
|
||||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
|
||||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
|
||||||
+ else
|
|
||||||
+#endif
|
|
||||||
+ micuser = authctxt->user;
|
|
||||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
|
||||||
"gssapi-with-mic");
|
|
||||||
|
|
||||||
gssbuf.value = buffer_ptr(&b);
|
|
||||||
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
|
||||||
logit("GSSAPI MIC check failed");
|
|
||||||
|
|
||||||
buffer_free(&b);
|
|
||||||
+ if (micuser != authctxt->user)
|
|
||||||
+ xfree(micuser);
|
|
||||||
xfree(mic.value);
|
|
||||||
|
|
||||||
authctxt->postponed = 0;
|
|
||||||
diff -up openssh-5.9p0/auth2-hostbased.c.role openssh-5.9p0/auth2-hostbased.c
|
|
||||||
--- openssh-5.9p0/auth2-hostbased.c.role 2011-08-31 11:42:47.863023264 +0200
|
|
||||||
+++ openssh-5.9p0/auth2-hostbased.c 2011-08-31 11:42:55.421024814 +0200
|
|
||||||
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
|
||||||
buffer_put_string(&b, session_id2, session_id2_len);
|
|
||||||
/* reconstruct packet */
|
|
||||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
|
||||||
- buffer_put_cstring(&b, authctxt->user);
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+ if (authctxt->role) {
|
|
||||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
|
||||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
|
||||||
+ buffer_put_char(&b, '/');
|
|
||||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
|
||||||
+ } else
|
|
||||||
+#endif
|
|
||||||
+ buffer_put_cstring(&b, authctxt->user);
|
|
||||||
buffer_put_cstring(&b, service);
|
|
||||||
buffer_put_cstring(&b, "hostbased");
|
|
||||||
buffer_put_string(&b, pkalg, alen);
|
|
||||||
diff -up openssh-5.9p0/auth2-pubkey.c.role openssh-5.9p0/auth2-pubkey.c
|
|
||||||
--- openssh-5.9p0/auth2-pubkey.c.role 2011-08-31 11:42:47.978087418 +0200
|
|
||||||
+++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:42:55.551025263 +0200
|
|
||||||
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
|
|
||||||
}
|
|
||||||
/* reconstruct packet */
|
|
||||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
|
||||||
- buffer_put_cstring(&b, authctxt->user);
|
|
||||||
+#ifdef WITH_SELINUX
|
|
||||||
+ if (authctxt->role) {
|
|
||||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
|
||||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
|
||||||
+ buffer_put_char(&b, '/');
|
|
||||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
|
||||||
+ } else
|
|
||||||
+#endif
|
|
||||||
+ buffer_put_cstring(&b, authctxt->user);
|
|
||||||
buffer_put_cstring(&b,
|
|
||||||
datafellows & SSH_BUG_PKSERVICE ?
|
|
||||||
"ssh-userauth" :
|
|
||||||
diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
|
|
||||||
--- openssh-5.9p0/auth2.c.role 2011-08-31 11:42:45.409026065 +0200
|
|
||||||
+++ openssh-5.9p0/auth2.c 2011-08-31 11:42:55.676024869 +0200
|
|
||||||
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
|
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
|
||||||
Authctxt *authctxt = ctxt;
|
Authctxt *authctxt = ctxt;
|
||||||
Authmethod *m = NULL;
|
Authmethod *m = NULL;
|
||||||
char *user, *service, *method, *style = NULL;
|
char *user, *service, *method, *active_methods, *style = NULL;
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ char *role = NULL;
|
+ char *role = NULL;
|
||||||
+#endif
|
+#endif
|
||||||
@ -190,9 +115,84 @@ diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
|
|||||||
userauth_banner();
|
userauth_banner();
|
||||||
} else if (strcmp(user, authctxt->user) != 0 ||
|
} else if (strcmp(user, authctxt->user) != 0 ||
|
||||||
strcmp(service, authctxt->service) != 0) {
|
strcmp(service, authctxt->service) != 0) {
|
||||||
diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
diff -up openssh-5.9p1/auth2-gss.c.role openssh-5.9p1/auth2-gss.c
|
||||||
--- openssh-5.9p0/monitor.c.role 2011-08-31 11:42:53.301024819 +0200
|
--- openssh-5.9p1/auth2-gss.c.role 2012-02-06 17:21:26.017853239 +0100
|
||||||
+++ openssh-5.9p0/monitor.c 2011-08-31 11:42:55.796025812 +0200
|
+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:21:59.479096211 +0100
|
||||||
|
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
|
Authctxt *authctxt = ctxt;
|
||||||
|
Gssctxt *gssctxt;
|
||||||
|
int authenticated = 0;
|
||||||
|
+ char *micuser;
|
||||||
|
Buffer b;
|
||||||
|
gss_buffer_desc mic, gssbuf;
|
||||||
|
u_int len;
|
||||||
|
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
|
mic.value = packet_get_string(&len);
|
||||||
|
mic.length = len;
|
||||||
|
|
||||||
|
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
||||||
|
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||||
|
+ else
|
||||||
|
+#endif
|
||||||
|
+ micuser = authctxt->user;
|
||||||
|
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
||||||
|
"gssapi-with-mic");
|
||||||
|
|
||||||
|
gssbuf.value = buffer_ptr(&b);
|
||||||
|
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
|
logit("GSSAPI MIC check failed");
|
||||||
|
|
||||||
|
buffer_free(&b);
|
||||||
|
+ if (micuser != authctxt->user)
|
||||||
|
+ xfree(micuser);
|
||||||
|
xfree(mic.value);
|
||||||
|
|
||||||
|
authctxt->postponed = 0;
|
||||||
|
diff -up openssh-5.9p1/auth2-hostbased.c.role openssh-5.9p1/auth2-hostbased.c
|
||||||
|
--- openssh-5.9p1/auth2-hostbased.c.role 2012-02-06 17:21:26.038970656 +0100
|
||||||
|
+++ openssh-5.9p1/auth2-hostbased.c 2012-02-06 17:21:59.479096211 +0100
|
||||||
|
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||||
|
buffer_put_string(&b, session_id2, session_id2_len);
|
||||||
|
/* reconstruct packet */
|
||||||
|
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||||
|
- buffer_put_cstring(&b, authctxt->user);
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ if (authctxt->role) {
|
||||||
|
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||||
|
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||||
|
+ buffer_put_char(&b, '/');
|
||||||
|
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||||
|
+ } else
|
||||||
|
+#endif
|
||||||
|
+ buffer_put_cstring(&b, authctxt->user);
|
||||||
|
buffer_put_cstring(&b, service);
|
||||||
|
buffer_put_cstring(&b, "hostbased");
|
||||||
|
buffer_put_string(&b, pkalg, alen);
|
||||||
|
diff -up openssh-5.9p1/auth2-pubkey.c.role openssh-5.9p1/auth2-pubkey.c
|
||||||
|
--- openssh-5.9p1/auth2-pubkey.c.role 2012-02-06 17:21:26.039787441 +0100
|
||||||
|
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 17:21:59.480096032 +0100
|
||||||
|
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||||
|
}
|
||||||
|
/* reconstruct packet */
|
||||||
|
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||||
|
- buffer_put_cstring(&b, authctxt->user);
|
||||||
|
+#ifdef WITH_SELINUX
|
||||||
|
+ if (authctxt->role) {
|
||||||
|
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||||
|
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||||
|
+ buffer_put_char(&b, '/');
|
||||||
|
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||||
|
+ } else
|
||||||
|
+#endif
|
||||||
|
+ buffer_put_cstring(&b, authctxt->user);
|
||||||
|
buffer_put_cstring(&b,
|
||||||
|
datafellows & SSH_BUG_PKSERVICE ?
|
||||||
|
"ssh-userauth" :
|
||||||
|
diff -up openssh-5.9p1/monitor.c.role openssh-5.9p1/monitor.c
|
||||||
|
--- openssh-5.9p1/monitor.c.role 2012-02-06 17:21:26.071220592 +0100
|
||||||
|
+++ openssh-5.9p1/monitor.c 2012-02-06 17:21:59.481783500 +0100
|
||||||
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
|
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
|
||||||
int mm_answer_pwnamallow(int, Buffer *);
|
int mm_answer_pwnamallow(int, Buffer *);
|
||||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||||
@ -203,7 +203,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
|||||||
int mm_answer_authpassword(int, Buffer *);
|
int mm_answer_authpassword(int, Buffer *);
|
||||||
int mm_answer_bsdauthquery(int, Buffer *);
|
int mm_answer_bsdauthquery(int, Buffer *);
|
||||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||||
@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||||
@ -213,7 +213,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
|||||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -819,6 +825,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
@@ -833,6 +839,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||||
else {
|
else {
|
||||||
/* Allow service/style information on the auth context */
|
/* Allow service/style information on the auth context */
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||||
@ -223,7 +223,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
|||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||||
}
|
}
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -862,6 +871,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
@@ -876,6 +885,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -249,7 +249,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
|||||||
int
|
int
|
||||||
mm_answer_authpassword(int sock, Buffer *m)
|
mm_answer_authpassword(int sock, Buffer *m)
|
||||||
{
|
{
|
||||||
@@ -1227,7 +1255,7 @@ static int
|
@@ -1252,7 +1280,7 @@ static int
|
||||||
monitor_valid_userblob(u_char *data, u_int datalen)
|
monitor_valid_userblob(u_char *data, u_int datalen)
|
||||||
{
|
{
|
||||||
Buffer b;
|
Buffer b;
|
||||||
@ -258,7 +258,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
|||||||
u_int len;
|
u_int len;
|
||||||
int fail = 0;
|
int fail = 0;
|
||||||
|
|
||||||
@@ -1253,6 +1281,8 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1278,6 +1306,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||||
fail++;
|
fail++;
|
||||||
p = buffer_get_string(&b, NULL);
|
p = buffer_get_string(&b, NULL);
|
||||||
@ -267,7 +267,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
|||||||
if (strcmp(authctxt->user, p) != 0) {
|
if (strcmp(authctxt->user, p) != 0) {
|
||||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||||
authctxt->user, p);
|
authctxt->user, p);
|
||||||
@@ -1284,7 +1314,7 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1309,7 +1339,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||||
char *chost)
|
char *chost)
|
||||||
{
|
{
|
||||||
Buffer b;
|
Buffer b;
|
||||||
@ -276,7 +276,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
|||||||
u_int len;
|
u_int len;
|
||||||
int fail = 0;
|
int fail = 0;
|
||||||
|
|
||||||
@@ -1301,6 +1331,8 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1326,6 +1356,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||||
fail++;
|
fail++;
|
||||||
p = buffer_get_string(&b, NULL);
|
p = buffer_get_string(&b, NULL);
|
||||||
@ -285,9 +285,9 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
|||||||
if (strcmp(authctxt->user, p) != 0) {
|
if (strcmp(authctxt->user, p) != 0) {
|
||||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||||
authctxt->user, p);
|
authctxt->user, p);
|
||||||
diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
|
diff -up openssh-5.9p1/monitor.h.role openssh-5.9p1/monitor.h
|
||||||
--- openssh-5.9p0/monitor.h.role 2011-08-31 11:42:53.409025333 +0200
|
--- openssh-5.9p1/monitor.h.role 2012-02-06 17:21:26.071852220 +0100
|
||||||
+++ openssh-5.9p0/monitor.h 2011-08-31 11:42:55.889024801 +0200
|
+++ openssh-5.9p1/monitor.h 2012-02-06 17:21:59.482846081 +0100
|
||||||
@@ -31,6 +31,9 @@
|
@@ -31,6 +31,9 @@
|
||||||
enum monitor_reqtype {
|
enum monitor_reqtype {
|
||||||
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
||||||
@ -298,9 +298,9 @@ diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
|
|||||||
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
||||||
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
||||||
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
||||||
diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
|
diff -up openssh-5.9p1/monitor_wrap.c.role openssh-5.9p1/monitor_wrap.c
|
||||||
--- openssh-5.9p0/monitor_wrap.c.role 2011-08-31 11:42:53.548024503 +0200
|
--- openssh-5.9p1/monitor_wrap.c.role 2012-02-06 17:21:26.071852220 +0100
|
||||||
+++ openssh-5.9p0/monitor_wrap.c 2011-08-31 11:42:56.029024553 +0200
|
+++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:21:59.483845610 +0100
|
||||||
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
|
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
|
||||||
buffer_free(&m);
|
buffer_free(&m);
|
||||||
}
|
}
|
||||||
@ -327,9 +327,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
|
|||||||
/* Do the password authentication */
|
/* Do the password authentication */
|
||||||
int
|
int
|
||||||
mm_auth_password(Authctxt *authctxt, char *password)
|
mm_auth_password(Authctxt *authctxt, char *password)
|
||||||
diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
|
diff -up openssh-5.9p1/monitor_wrap.h.role openssh-5.9p1/monitor_wrap.h
|
||||||
--- openssh-5.9p0/monitor_wrap.h.role 2011-08-31 11:42:53.660025271 +0200
|
--- openssh-5.9p1/monitor_wrap.h.role 2012-02-06 17:21:26.073192915 +0100
|
||||||
+++ openssh-5.9p0/monitor_wrap.h 2011-08-31 11:42:56.131025748 +0200
|
+++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:21:59.483845610 +0100
|
||||||
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
||||||
DH *mm_choose_dh(int, int, int);
|
DH *mm_choose_dh(int, int, int);
|
||||||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||||
@ -340,9 +340,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
|
|||||||
struct passwd *mm_getpwnamallow(const char *);
|
struct passwd *mm_getpwnamallow(const char *);
|
||||||
char *mm_auth2_read_banner(void);
|
char *mm_auth2_read_banner(void);
|
||||||
int mm_auth_password(struct Authctxt *, char *);
|
int mm_auth_password(struct Authctxt *, char *);
|
||||||
diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-compat/Makefile.in
|
diff -up openssh-5.9p1/openbsd-compat/Makefile.in.role openssh-5.9p1/openbsd-compat/Makefile.in
|
||||||
--- openssh-5.9p0/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
|
--- openssh-5.9p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
|
||||||
+++ openssh-5.9p0/openbsd-compat/Makefile.in 2011-08-31 11:48:02.404091479 +0200
|
+++ openssh-5.9p1/openbsd-compat/Makefile.in 2012-02-06 17:21:59.484846191 +0100
|
||||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
|
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
|
||||||
|
|
||||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||||
@ -352,9 +352,9 @@ diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-com
|
|||||||
|
|
||||||
.c.o:
|
.c.o:
|
||||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||||
diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-compat/port-linux.c
|
diff -up openssh-5.9p1/openbsd-compat/port-linux.c.role openssh-5.9p1/openbsd-compat/port-linux.c
|
||||||
--- openssh-5.9p0/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
|
--- openssh-5.9p1/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
|
||||||
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:42:56.492087969 +0200
|
+++ openssh-5.9p1/openbsd-compat/port-linux.c 2012-02-06 17:21:59.484846191 +0100
|
||||||
@@ -31,7 +31,11 @@
|
@@ -31,7 +31,11 @@
|
||||||
|
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
@ -532,9 +532,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-co
|
|||||||
#endif /* WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
|
|
||||||
#ifdef LINUX_OOM_ADJUST
|
#ifdef LINUX_OOM_ADJUST
|
||||||
diff -up openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role openssh-5.9p0/openbsd-compat/port-linux_part_2.c
|
diff -up openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role openssh-5.9p1/openbsd-compat/port-linux_part_2.c
|
||||||
--- openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role 2011-08-31 11:42:56.583047619 +0200
|
--- openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role 2012-02-06 17:21:59.485846294 +0100
|
||||||
+++ openssh-5.9p0/openbsd-compat/port-linux_part_2.c 2011-08-31 11:42:56.586178005 +0200
|
+++ openssh-5.9p1/openbsd-compat/port-linux_part_2.c 2012-02-06 17:21:59.485846294 +0100
|
||||||
@@ -0,0 +1,75 @@
|
@@ -0,0 +1,75 @@
|
||||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||||
+
|
+
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
|
diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
|
||||||
--- openssh-5.9p0/configure.ac.vendor 2011-09-03 20:24:29.899501572 +0200
|
--- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100
|
||||||
+++ openssh-5.9p0/configure.ac 2011-09-03 20:24:39.153501595 +0200
|
+++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100
|
||||||
@@ -4131,6 +4131,12 @@ AC_ARG_WITH([lastlog],
|
@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
|
||||||
fi
|
fi
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
@ -14,7 +14,7 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
|
|||||||
|
|
||||||
dnl lastlog, [uw]tmpx? detection
|
dnl lastlog, [uw]tmpx? detection
|
||||||
dnl NOTE: set the paths in the platform section to avoid the
|
dnl NOTE: set the paths in the platform section to avoid the
|
||||||
@@ -4357,6 +4363,7 @@ echo " Translate v4 in v6 hack
|
@@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack
|
||||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||||
echo " Random number source: $RAND_MSG"
|
echo " Random number source: $RAND_MSG"
|
||||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||||
@ -22,10 +22,10 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
|
|||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
|
||||||
--- openssh-5.9p0/servconf.c.vendor 2011-09-03 20:24:29.080500853 +0200
|
--- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100
|
||||||
+++ openssh-5.9p0/servconf.c 2011-09-03 20:27:15.727564566 +0200
|
+++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100
|
||||||
@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
|
@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions
|
||||||
options->max_authtries = -1;
|
options->max_authtries = -1;
|
||||||
options->max_sessions = -1;
|
options->max_sessions = -1;
|
||||||
options->banner = NULL;
|
options->banner = NULL;
|
||||||
@ -33,7 +33,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
|||||||
options->use_dns = -1;
|
options->use_dns = -1;
|
||||||
options->client_alive_interval = -1;
|
options->client_alive_interval = -1;
|
||||||
options->client_alive_count_max = -1;
|
options->client_alive_count_max = -1;
|
||||||
@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
|
@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
|
||||||
options->ip_qos_interactive = IPTOS_LOWDELAY;
|
options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||||
if (options->ip_qos_bulk == -1)
|
if (options->ip_qos_bulk == -1)
|
||||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||||
@ -42,16 +42,16 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
|||||||
|
|
||||||
/* Turn privilege separation on by default */
|
/* Turn privilege separation on by default */
|
||||||
if (use_privsep == -1)
|
if (use_privsep == -1)
|
||||||
@@ -338,7 +341,7 @@ typedef enum {
|
@@ -321,7 +324,7 @@ typedef enum {
|
||||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||||||
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||||
- sBanner, sUseDNS, sHostbasedAuthentication,
|
- sBanner, sUseDNS, sHostbasedAuthentication,
|
||||||
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||||
sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
|
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||||
sSecondPubkeyAuthentication, sSecondGssAuthentication,
|
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
|
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||||
@@ -470,6 +473,7 @@ static struct {
|
@@ -436,6 +439,7 @@ static struct {
|
||||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||||
{ "banner", sBanner, SSHCFG_ALL },
|
{ "banner", sBanner, SSHCFG_ALL },
|
||||||
@ -59,7 +59,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
|||||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||||
@@ -1152,6 +1156,10 @@ process_server_config_line(ServerOptions
|
@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
|
||||||
multistate_ptr = multistate_privsep;
|
multistate_ptr = multistate_privsep;
|
||||||
goto parse_multistate;
|
goto parse_multistate;
|
||||||
|
|
||||||
@ -70,7 +70,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
|||||||
case sAllowUsers:
|
case sAllowUsers:
|
||||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||||
@@ -1849,6 +1857,7 @@ dump_config(ServerOptions *o)
|
@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||||
dump_cfg_fmtint(sCompression, o->compression);
|
dump_cfg_fmtint(sCompression, o->compression);
|
||||||
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
|
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
|
||||||
@ -78,10 +78,10 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
|||||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||||
diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
|
diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
|
||||||
--- openssh-5.9p0/servconf.h.vendor 2011-09-03 20:24:29.179632045 +0200
|
--- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100
|
||||||
+++ openssh-5.9p0/servconf.h 2011-09-03 20:24:39.426502323 +0200
|
+++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100
|
||||||
@@ -148,6 +148,7 @@ typedef struct {
|
@@ -140,6 +140,7 @@ typedef struct {
|
||||||
int max_authtries;
|
int max_authtries;
|
||||||
int max_sessions;
|
int max_sessions;
|
||||||
char *banner; /* SSH-2 banner message */
|
char *banner; /* SSH-2 banner message */
|
||||||
@ -89,31 +89,20 @@ diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
|
|||||||
int use_dns;
|
int use_dns;
|
||||||
int client_alive_interval; /*
|
int client_alive_interval; /*
|
||||||
* poke the client this often to
|
* poke the client this often to
|
||||||
diff -up openssh-5.9p0/sshd.c.vendor openssh-5.9p0/sshd.c
|
diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
|
||||||
--- openssh-5.9p0/sshd.c.vendor 2011-09-03 20:24:35.987501565 +0200
|
--- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100
|
||||||
+++ openssh-5.9p0/sshd.c 2011-09-03 20:24:39.542501643 +0200
|
+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100
|
||||||
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
|
@@ -112,6 +112,7 @@ X11Forwarding yes
|
||||||
minor = PROTOCOL_MINOR_1;
|
#Compression delayed
|
||||||
}
|
#ClientAliveInterval 0
|
||||||
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
|
#ClientAliveCountMax 3
|
||||||
- SSH_VERSION, newline);
|
+#ShowPatchLevel no
|
||||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
|
#UseDNS yes
|
||||||
server_version_string = xstrdup(buf);
|
#PidFile /var/run/sshd.pid
|
||||||
|
#MaxStartups 10
|
||||||
/* Send our protocol version identification. */
|
diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
|
||||||
@@ -1627,7 +1627,8 @@ main(int ac, char **av)
|
--- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100
|
||||||
exit(1);
|
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100
|
||||||
}
|
|
||||||
|
|
||||||
- debug("sshd version %.100s", SSH_RELEASE);
|
|
||||||
+ debug("sshd version %.100s",
|
|
||||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
|
|
||||||
|
|
||||||
/* Store privilege separation user for later use if required. */
|
|
||||||
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
|
||||||
diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
|
|
||||||
--- openssh-5.9p0/sshd_config.0.vendor 2011-09-03 20:24:37.524438185 +0200
|
|
||||||
+++ openssh-5.9p0/sshd_config.0 2011-09-03 20:24:39.677508255 +0200
|
|
||||||
@@ -556,6 +556,11 @@ DESCRIPTION
|
@@ -556,6 +556,11 @@ DESCRIPTION
|
||||||
Defines the number of bits in the ephemeral protocol version 1
|
Defines the number of bits in the ephemeral protocol version 1
|
||||||
server key. The minimum value is 512, and the default is 1024.
|
server key. The minimum value is 512, and the default is 1024.
|
||||||
@ -126,10 +115,10 @@ diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
|
|||||||
StrictModes
|
StrictModes
|
||||||
Specifies whether sshd(8) should check file modes and ownership
|
Specifies whether sshd(8) should check file modes and ownership
|
||||||
of the user's files and home directory before accepting login.
|
of the user's files and home directory before accepting login.
|
||||||
diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
|
diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
|
||||||
--- openssh-5.9p0/sshd_config.5.vendor 2011-09-03 20:24:37.640442022 +0200
|
--- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100
|
||||||
+++ openssh-5.9p0/sshd_config.5 2011-09-03 20:24:40.176544206 +0200
|
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100
|
||||||
@@ -952,6 +952,14 @@ This option applies to protocol version
|
@@ -982,6 +982,14 @@ This option applies to protocol version
|
||||||
.It Cm ServerKeyBits
|
.It Cm ServerKeyBits
|
||||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||||
The minimum value is 512, and the default is 1024.
|
The minimum value is 512, and the default is 1024.
|
||||||
@ -144,14 +133,25 @@ diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
|
|||||||
.It Cm StrictModes
|
.It Cm StrictModes
|
||||||
Specifies whether
|
Specifies whether
|
||||||
.Xr sshd 8
|
.Xr sshd 8
|
||||||
diff -up openssh-5.9p0/sshd_config.vendor openssh-5.9p0/sshd_config
|
diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
|
||||||
--- openssh-5.9p0/sshd_config.vendor 2011-09-03 20:24:37.770439735 +0200
|
--- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100
|
||||||
+++ openssh-5.9p0/sshd_config 2011-09-03 20:24:40.278628002 +0200
|
+++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100
|
||||||
@@ -120,6 +120,7 @@ X11Forwarding yes
|
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
|
||||||
#Compression delayed
|
minor = PROTOCOL_MINOR_1;
|
||||||
#ClientAliveInterval 0
|
}
|
||||||
#ClientAliveCountMax 3
|
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
|
||||||
+#ShowPatchLevel no
|
- SSH_VERSION, newline);
|
||||||
#UseDNS yes
|
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
|
||||||
#PidFile /var/run/sshd.pid
|
server_version_string = xstrdup(buf);
|
||||||
#MaxStartups 10
|
|
||||||
|
/* Send our protocol version identification. */
|
||||||
|
@@ -1634,7 +1634,8 @@ main(int ac, char **av)
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
- debug("sshd version %.100s", SSH_RELEASE);
|
||||||
|
+ debug("sshd version %.100s",
|
||||||
|
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
|
||||||
|
|
||||||
|
/* Store privilege separation user for later use if required. */
|
||||||
|
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||||||
|
@ -116,7 +116,8 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
|
|||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
|
||||||
Patch103: openssh-5.8p1-packet.patch
|
Patch103: openssh-5.8p1-packet.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=983
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=983
|
||||||
Patch104: openssh-5.9p1-2auth.patch
|
#Patch104: openssh-5.9p1-2auth.patch
|
||||||
|
Patch104: openssh-5.9p1-required-authentications.patch
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||||
Patch200: openssh-5.8p1-audit0.patch
|
Patch200: openssh-5.8p1-audit0.patch
|
||||||
@ -395,7 +396,7 @@ The module is most useful for su and sudo service stacks.
|
|||||||
%patch101 -p1 -b .fingerprint
|
%patch101 -p1 -b .fingerprint
|
||||||
%patch102 -p1 -b .getaddrinfo
|
%patch102 -p1 -b .getaddrinfo
|
||||||
%patch103 -p1 -b .packet
|
%patch103 -p1 -b .packet
|
||||||
%patch104 -p1 -b .2auth
|
%patch104 -p1 -b .required-authentication
|
||||||
|
|
||||||
%patch200 -p1 -b .audit0
|
%patch200 -p1 -b .audit0
|
||||||
%patch201 -p1 -b .audit1
|
%patch201 -p1 -b .audit1
|
||||||
|
Loading…
Reference in New Issue
Block a user