replace TwoFactorAuth with RequiredAuthentications[12]

https://bugzilla.mindrot.org/show_bug.cgi?id=983
This commit is contained in:
Petr Lautrbach 2012-02-06 22:15:10 +01:00
parent 21699d5622
commit d9e6186c71
8 changed files with 1754 additions and 929 deletions


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-14 07:24:40.876512251 +0200
+++ openssh-5.9p1/auth2-pubkey.c 2011-09-14 07:24:43.318458515 +0200
--- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100
@@ -27,6 +27,7 @@
#include <sys/types.h>
@ -241,8 +241,8 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
--- openssh-5.9p1/configure.ac.akc 2011-09-14 07:24:42.863494886 +0200
+++ openssh-5.9p1/configure.ac 2011-09-14 07:24:43.441583848 +0200
--- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100
+++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
esac ]
)
@ -271,9 +271,9 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.akc 2011-09-14 07:24:29.402475399 +0200
+++ openssh-5.9p1/servconf.c 2011-09-14 07:56:27.158585590 +0200
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
--- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100
+++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100
@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
@ -282,7 +282,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
options->zero_knowledge_password_authentication = -1;
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
@@ -348,6 +350,7 @@ typedef enum {
@@ -329,6 +331,7 @@ typedef enum {
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
sKexAlgorithms, sIPQoS,
@ -290,9 +290,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -487,6 +490,13 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
@@ -455,6 +458,13 @@ static struct {
{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
@ -304,7 +304,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
{ NULL, sBadOption, 0 }
};
@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions
@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions
}
break;
@ -329,16 +329,16 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d
@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
M_CP_INTOPT(kbd_interactive_authentication);
M_CP_INTOPT(zero_knowledge_password_authentication);
M_CP_INTOPT(second_zero_knowledge_password_authentication);
M_CP_INTOPT(two_factor_authentication);
+ M_CP_STROPT(authorized_keys_command);
+ M_CP_STROPT(authorized_keys_command_runas);
M_CP_INTOPT(permit_root_login);
M_CP_INTOPT(permit_empty_passwd);
@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o)
@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
@ -348,9 +348,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.akc 2011-09-14 07:24:29.511480441 +0200
+++ openssh-5.9p1/servconf.h 2011-09-14 07:24:43.678459183 +0200
@@ -174,6 +174,8 @@ typedef struct {
--- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100
+++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100
@@ -169,6 +169,8 @@ typedef struct {
char *revoked_keys_file;
char *trusted_user_ca_keys;
char *authorized_principals_file;
@ -359,9 +359,22 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
} ServerOptions;
/*
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200
+++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100
@@ -49,6 +49,9 @@
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
+++ openssh-5.9p1/sshd_config.0 2011-09-14 07:24:43.791460201 +0200
+++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100
@@ -71,6 +71,23 @@ DESCRIPTION
See PATTERNS in ssh_config(5) for more information on patterns.
@ -397,29 +410,12 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
GSSAPIAuthentication, HostbasedAuthentication,
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.akc 2011-09-14 07:24:29.793520372 +0200
+++ openssh-5.9p1/sshd_config.5 2011-09-14 07:24:43.912583678 +0200
@@ -706,6 +706,8 @@ Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
@@ -718,6 +720,7 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
@@ -926,6 +929,20 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
--- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100
+++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100
@@ -151,6 +151,19 @@ See
in
.Xr ssh_config 5
for more information on patterns.
+.It Cm AuthorizedKeysCommand
+Specifies a program to be used for lookup of the user's
+public keys. The program will be invoked with its first
@ -433,20 +429,23 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
+.It Cm AuthorizedKeysCommandRunAs
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
+string (the default value) means the user being authorized is used.
+.Dq
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.akc 2011-09-14 07:24:29.620461608 +0200
+++ openssh-5.9p1/sshd_config 2011-09-14 07:24:44.034462546 +0200
@@ -49,6 +49,9 @@
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandRunAs nobody
+
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
.It Cm AuthorizedKeysFile
Specifies the file that contains the public keys that can be used
for user authentication.
@@ -706,6 +719,8 @@ Available keywords are
.Cm AllowAgentForwarding ,
.Cm AllowTcpForwarding ,
.Cm AuthorizedKeysFile ,
+.Cm AuthorizedKeysCommand ,
+.Cm AuthorizedKeysCommandRunAs ,
.Cm AuthorizedPrincipalsFile ,
.Cm Banner ,
.Cm ChrootDirectory ,
@@ -718,6 +733,7 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
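Review bot: The sample line `#AuthorizedKeysCommandRunAs nobody` in the sshd_config hunks disagrees with the sshd_config.5 text in the same patch, which states that the empty string is the default and means the command runs as the user being authorized. Commented-out entries in sshd_config conventionally show the compiled-in default, so an administrator reading the sample will assume `nobody` is what they get without opting in; either change the sample to the real default or add a comment above it such as `# default (empty) runs the command as the user being authenticated`. The bare `.Dq` line that follows `string (the default value) means the user being authorized is used.` has no argument and looks stranded; if it is on the new side of the patch it renders an empty quoted string in the manual page and should probably be removed or given its intended text.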


@ -1,6 +1,6 @@
diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p1/audit-bsm.c.audit4 2011-09-18 05:13:24.922458521 +0200
+++ openssh-5.9p1/audit-bsm.c 2011-09-18 05:13:26.808459314 +0200
--- openssh-5.9p1/audit-bsm.c.audit4 2012-02-06 17:15:01.574908126 +0100
+++ openssh-5.9p1/audit-bsm.c 2012-02-06 17:15:21.656095559 +0100
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
{
/* not implemented */
@ -12,9 +12,52 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
--- openssh-5.9p1/audit.c.audit4 2012-02-06 17:15:01.576787216 +0100
+++ openssh-5.9p1/audit.c 2012-02-06 17:15:21.690032906 +0100
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
}
+void
+audit_session_key_free(int ctos)
+{
+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
(unsigned)uid);
}
+
+/*
+ * This will be called on succesfull session key discard
+ */
+void
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit4 2012-02-06 17:15:01.576787216 +0100
+++ openssh-5.9p1/audit.h 2012-02-06 17:15:21.690876254 +0100
@@ -62,5 +62,7 @@ void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
+void audit_session_key_free(int ctos);
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
--- openssh-5.9p1/audit-linux.c.audit4 2011-09-18 05:13:25.041460630 +0200
+++ openssh-5.9p1/audit-linux.c 2011-09-18 05:13:26.897563551 +0200
--- openssh-5.9p1/audit-linux.c.audit4 2012-02-06 17:15:01.575908525 +0100
+++ openssh-5.9p1/audit-linux.c 2012-02-06 17:15:21.682001323 +0100
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
#endif
}
@ -65,52 +108,9 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
+}
+
#endif /* USE_LINUX_AUDIT */
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
--- openssh-5.9p1/audit.c.audit4 2011-09-18 05:13:25.151459504 +0200
+++ openssh-5.9p1/audit.c 2011-09-18 05:13:26.995548664 +0200
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
}
+void
+audit_session_key_free(int ctos)
+{
+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
(unsigned)uid);
}
+
+/*
+ * This will be called on succesfull session key discard
+ */
+void
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
+{
+ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
+}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit4 2011-09-18 05:13:25.247587021 +0200
+++ openssh-5.9p1/audit.h 2011-09-18 05:13:27.107531553 +0200
@@ -62,5 +62,7 @@ void audit_unsupported(int);
void audit_kex(int, char *, char *, char *);
void audit_unsupported_body(int);
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
+void audit_session_key_free(int ctos);
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
--- openssh-5.9p1/auditstub.c.audit4 2011-09-18 05:13:25.350459598 +0200
+++ openssh-5.9p1/auditstub.c 2011-09-18 05:13:27.209523920 +0200
--- openssh-5.9p1/auditstub.c.audit4 2012-02-06 17:15:01.576787216 +0100
+++ openssh-5.9p1/auditstub.c 2012-02-06 17:15:21.690876254 +0100
@@ -27,6 +27,8 @@
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
*/
@ -134,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
+{
+}
diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
--- openssh-5.9p1/kex.c.audit4 2011-09-18 05:13:25.656459960 +0200
+++ openssh-5.9p1/kex.c 2011-09-18 05:13:27.309500951 +0200
--- openssh-5.9p1/kex.c.audit4 2012-02-06 17:15:01.578907640 +0100
+++ openssh-5.9p1/kex.c 2012-02-06 17:15:21.691785656 +0100
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
fprintf(stderr, "\n");
}
@ -173,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
+
diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
--- openssh-5.9p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
+++ openssh-5.9p1/kex.h 2011-09-18 05:13:27.419492884 +0200
+++ openssh-5.9p1/kex.h 2012-02-06 17:15:21.691785656 +0100
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
void kexecdh_client(Kex *);
void kexecdh_server(Kex *);
@ -185,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
--- openssh-5.9p1/mac.c.audit4 2011-08-17 02:29:03.000000000 +0200
+++ openssh-5.9p1/mac.c 2011-09-18 05:13:27.545464964 +0200
+++ openssh-5.9p1/mac.c 2012-02-06 17:15:21.692918961 +0100
@@ -168,6 +168,20 @@ mac_clear(Mac *mac)
mac->umac_ctx = NULL;
}
@ -209,15 +209,15 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
int
diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
--- openssh-5.9p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
+++ openssh-5.9p1/mac.h 2011-09-18 05:13:27.675473027 +0200
+++ openssh-5.9p1/mac.h 2012-02-06 17:15:21.692918961 +0100
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
int mac_init(Mac *);
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.audit4 2011-09-18 05:13:25.778584691 +0200
+++ openssh-5.9p1/monitor.c 2011-09-18 05:15:22.786522699 +0200
--- openssh-5.9p1/monitor.c.audit4 2012-02-06 17:15:01.579896475 +0100
+++ openssh-5.9p1/monitor.c 2012-02-06 17:16:32.405783810 +0100
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
int mm_answer_audit_end_command(int, Buffer *);
int mm_answer_audit_unsupported_body(int, Buffer *);
@ -226,7 +226,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif
static int monitor_read_log(struct monitor *);
@@ -241,6 +242,7 @@ struct mon_table mon_dispatch_proto20[]
@@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -234,7 +234,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
@@ -280,6 +282,7 @@ struct mon_table mon_dispatch_postauth20
@@ -281,6 +283,7 @@ struct mon_table mon_dispatch_postauth20
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -242,7 +242,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif
{0, 0, NULL}
};
@@ -313,6 +316,7 @@ struct mon_table mon_dispatch_proto15[]
@@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[]
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -250,7 +250,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif
{0, 0, NULL}
};
@@ -327,6 +331,7 @@ struct mon_table mon_dispatch_postauth15
@@ -328,6 +332,7 @@ struct mon_table mon_dispatch_postauth15
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
@ -258,8 +258,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
#endif
{0, 0, NULL}
};
@@ -437,10 +442,6 @@ monitor_child_preauth(Authctxt *_authctx
}
@@ -451,10 +456,6 @@ monitor_child_preauth(Authctxt *_authctx
#endif
}
- /* Drain any buffered messages from the child */
@ -269,7 +269,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
if (!authctxt->valid)
fatal("%s: authenticated invalid user", __func__);
if (strcmp(auth_method, "unknown") == 0)
@@ -1927,11 +1928,13 @@ mm_get_keystate(struct monitor *pmonitor
@@ -1954,11 +1955,13 @@ mm_get_keystate(struct monitor *pmonitor
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@ -283,7 +283,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
xfree(blob);
/* Now get sequence numbers for the packets */
@@ -1977,6 +1980,21 @@ mm_get_keystate(struct monitor *pmonitor
@@ -2004,6 +2007,21 @@ mm_get_keystate(struct monitor *pmonitor
}
buffer_free(&m);
@ -305,7 +305,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
}
@@ -2421,4 +2439,22 @@ mm_answer_audit_kex_body(int sock, Buffe
@@ -2450,4 +2468,22 @@ mm_answer_audit_kex_body(int sock, Buffe
return 0;
}
@ -329,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
--- openssh-5.9p1/monitor.h.audit4 2011-09-18 05:13:25.887586033 +0200
+++ openssh-5.9p1/monitor.h 2011-09-18 05:13:27.934522919 +0200
--- openssh-5.9p1/monitor.h.audit4 2012-02-06 17:15:01.580908188 +0100
+++ openssh-5.9p1/monitor.h 2012-02-06 17:15:21.695033617 +0100
@@ -63,6 +63,7 @@ enum monitor_reqtype {
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -340,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.audit4 2011-09-18 05:13:26.013583317 +0200
+++ openssh-5.9p1/monitor_wrap.c 2011-09-18 05:13:28.049519981 +0200
--- openssh-5.9p1/monitor_wrap.c.audit4 2012-02-06 17:15:01.581802928 +0100
+++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:15:21.696033353 +0100
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
fatal("%s: conversion of newkeys failed", __func__);
@ -378,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
+}
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.audit4 2011-09-18 05:13:26.119474152 +0200
+++ openssh-5.9p1/monitor_wrap.h 2011-09-18 05:13:28.151521539 +0200
--- openssh-5.9p1/monitor_wrap.h.audit4 2012-02-06 17:15:01.582908343 +0100
+++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:15:21.696033353 +0100
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
void mm_audit_end_command(int, const char *);
void mm_audit_unsupported_body(int);
@ -389,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
struct Session;
diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
--- openssh-5.9p1/packet.c.audit4 2011-09-18 05:13:20.417548627 +0200
+++ openssh-5.9p1/packet.c 2011-09-18 05:13:28.278520968 +0200
--- openssh-5.9p1/packet.c.audit4 2012-02-06 17:15:01.545908387 +0100
+++ openssh-5.9p1/packet.c 2012-02-06 17:15:21.696886524 +0100
@@ -60,6 +60,7 @@
#include <signal.h>
@ -584,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
+
diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
--- openssh-5.9p1/packet.h.audit4 2011-05-15 00:43:13.000000000 +0200
+++ openssh-5.9p1/packet.h 2011-09-18 05:13:28.385521238 +0200
+++ openssh-5.9p1/packet.h 2012-02-06 17:15:21.697874825 +0100
@@ -124,4 +124,5 @@ void packet_restore_state(void);
void *packet_get_input(void);
void *packet_get_output(void);
@ -592,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.audit4 2011-09-18 05:13:22.842504192 +0200
+++ openssh-5.9p1/session.c 2011-09-18 05:13:28.511522576 +0200
--- openssh-5.9p1/session.c.audit4 2012-02-06 17:15:01.562908533 +0100
+++ openssh-5.9p1/session.c 2012-02-06 17:15:21.697874825 +0100
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
/* remove hostkey from the child's memory */
@ -605,8 +605,8 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
/* Force a password change */
if (s->authctxt->force_pwchange) {
diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.audit4 2011-09-18 05:13:26.617460032 +0200
+++ openssh-5.9p1/sshd.c 2011-09-18 05:13:28.621521065 +0200
--- openssh-5.9p1/sshd.c.audit4 2012-02-06 17:15:01.583866459 +0100
+++ openssh-5.9p1/sshd.c 2012-02-06 17:15:21.699033720 +0100
@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
}
}



@ -1,6 +1,6 @@
diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
--- openssh-5.9p0/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
+++ openssh-5.9p0/ssh_config 2011-09-05 14:48:16.386439023 +0200
diff -up openssh-5.9p1/ssh_config.redhat openssh-5.9p1/ssh_config
--- openssh-5.9p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
+++ openssh-5.9p1/ssh_config 2012-02-06 17:32:43.428032471 +0100
@@ -45,3 +45,14 @@
# PermitLocalCommand no
# VisualHostKey no
@ -16,37 +16,9 @@ diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
diff -up openssh-5.9p0/sshd_config.0.redhat openssh-5.9p0/sshd_config.0
--- openssh-5.9p0/sshd_config.0.redhat 2011-09-05 14:48:08.522441255 +0200
+++ openssh-5.9p0/sshd_config.0 2011-09-05 14:48:16.477443868 +0200
@@ -581,9 +581,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
- default is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-5.9p0/sshd_config.5.redhat openssh-5.9p0/sshd_config.5
--- openssh-5.9p0/sshd_config.5.redhat 2011-09-05 14:48:08.657564688 +0200
+++ openssh-5.9p0/sshd_config.5 2011-09-05 14:48:16.589501736 +0200
@@ -1029,7 +1029,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
--- openssh-5.9p0/sshd_config.redhat 2011-09-05 14:48:16.250626793 +0200
+++ openssh-5.9p0/sshd_config 2011-09-05 15:06:01.513443553 +0200
diff -up openssh-5.9p1/sshd_config.redhat openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.redhat 2012-02-06 17:32:43.427032448 +0100
+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:15.356783832 +0100
@@ -32,6 +32,7 @@
# Logging
# obsoletes QuietMode and FascistLogging
@ -77,15 +49,13 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -89,6 +94,7 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -89,11 +94,13 @@ AuthorizedKeysFile .ssh/authorized_keys
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
+UsePAM yes
#TwoFactorAuthentication no
#SecondPubkeyAuthentication yes
@@ -101,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
@ -93,7 +63,7 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
@@ -121,6 +128,12 @@ AuthorizedKeysFile .ssh/authorized_keys
@@ -114,6 +121,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
#Banner none
@ -106,3 +76,31 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
diff -up openssh-5.9p1/sshd_config.0.redhat openssh-5.9p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.redhat 2012-02-06 17:32:43.302970171 +0100
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:32:43.428032471 +0100
@@ -581,9 +581,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
- default is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-5.9p1/sshd_config.5.redhat openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.redhat 2012-02-06 17:32:43.303971959 +0100
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:32:43.429032398 +0100
@@ -1019,7 +1019,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
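Review bot: The sshd_config hunk whose header became `@@ -89,11 +94,13 @@` still carries `#TwoFactorAuthentication no` and `#SecondPubkeyAuthentication yes` directly under `UsePAM yes`; since this commit replaces TwoFactorAuth with RequiredAuthentications, those lines would document options the daemon no longer parses if they survive on the new side of the patch. The old/new side of these two lines is not recoverable from this rendering, so please confirm. If they are kept, replace them with the commented-out defaults of the new keywords that servconf.c now accepts (`requiredauthentications1` and `requiredauthentications2` appear in the option table elsewhere in this commit) so the sample configuration matches the parser.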


@ -0,0 +1,827 @@
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
--- openssh-5.9p1/auth.c.required-authentication 2012-02-06 17:03:51.034158031 +0100
+++ openssh-5.9p1/auth.c 2012-02-06 17:03:55.007830206 +0100
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
}
void
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
+auth_log(Authctxt *authctxt, int authenticated, const char *method,
+ const char *submethod, const char *info)
{
void (*authlog) (const char *fmt,...) = verbose;
char *authmsg;
@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
else
authmsg = authenticated ? "Accepted" : "Failed";
- authlog("%s %s for %s%.100s from %.200s port %d%s",
+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
authmsg,
method,
+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
authctxt->valid ? "" : "invalid user ",
authctxt->user,
get_remote_ipaddr(),
@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
* Check whether root logins are disallowed.
*/
int
-auth_root_allowed(char *method)
+auth_root_allowed(const char *method)
{
switch (options.permit_root_login) {
case PERMIT_YES:
@@ -694,3 +696,57 @@ fakepw(void)
return (&fake);
}
+
+int
+auth_method_in_list(const char *list, const char *method)
+{
+ char *cp;
+
+ cp = match_list(method, list, NULL);
+ if (cp != NULL) {
+ xfree(cp);
+ return 1;
+ }
+
+ return 0;
+}
+
+#define DELIM ","
+int
+auth_remove_from_list(char **list, const char *method)
+{
+ char *oldlist, *cp, *newlist = NULL;
+ u_int len = 0, ret = 0;
+
+ if (list == NULL || *list == NULL)
+ return (0);
+
+ oldlist = *list;
+ len = strlen(oldlist) + 1;
+ newlist = xmalloc(len);
+ memset(newlist, '\0', len);
+
+ /* Remove method from list, if present */
+ for (;;) {
+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
+ break;
+ if (*cp == '\0')
+ continue;
+ if (strcmp(cp, method) != 0) {
+ if (*newlist != '\0')
+ strlcat(newlist, DELIM, len);
+ strlcat(newlist, cp, len);
+ } else
+ ret++;
+ }
+
+ /* Return NULL instead of empty list */
+ if (*newlist == '\0') {
+ xfree(newlist);
+ newlist = NULL;
+ }
+ xfree(*list);
+ *list = newlist;
+
+ return (ret);
+}
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
+++ openssh-5.9p1/auth.h 2012-02-06 17:03:55.008839468 +0100
@@ -142,10 +142,11 @@ void disable_forwarding(void);
void do_authentication(Authctxt *);
void do_authentication2(Authctxt *);
-void auth_log(Authctxt *, int, char *, char *);
-void userauth_finish(Authctxt *, int, char *);
+void auth_log(Authctxt *, int, const char *, const char *, const char *);
+void userauth_finish(Authctxt *, int, const char *, const char *);
+int auth_root_allowed(const char *);
+
void userauth_send_banner(const char *);
-int auth_root_allowed(char *);
char *auth2_read_banner(void);
@@ -192,6 +193,11 @@ void auth_debug_send(void);
void auth_debug_reset(void);
struct passwd *fakepw(void);
+int auth_method_in_list(const char *, const char *);
+int auth_remove_from_list(char **, const char *);
+
+int auth1_check_required(const char *);
+int auth2_check_required(const char *);
int sys_auth_passwd(Authctxt *, const char *);
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.9p1/auth1.c 2012-02-06 17:03:55.055811924 +0100
@@ -98,6 +98,54 @@ static const struct AuthMethod1
return (NULL);
}
+static const struct AuthMethod1 *
+lookup_authmethod1_by_name(const char *name)
+{
+ int i;
+
+ for (i = 0; auth1_methods[i].name != NULL; i++)
+ if (strcmp(auth1_methods[i].name, name) == 0)
+ return (&(auth1_methods[i]));
+
+ return NULL;
+}
+
+#define DELIM ","
+int
+auth1_check_required(const char *list)
+{
+ char *orig_methods, *methods, *cp;
+ static const struct AuthMethod1 *m;
+ int ret = 0;
+
+ orig_methods = methods = xstrdup(list);
+ for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
+ if ((cp = strsep(&methods, DELIM)) == NULL)
+ break;
+ debug2("auth1_check_required: method \"%s\"", cp);
+ if (*cp == '\0') {
+ debug("auth1_check_required: empty method");
+ ret = -1;
+ }
+ if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
+ debug("auth1_check_required: unknown method "
+ "\"%s\"", cp);
+ ret = -1;
+ }
+ if (*(m->enabled) == 0) {
+ debug("auth1_check_required: method %s explicitly "
+ "disabled", cp);
+ ret = -1;
+ }
+ /* Activate method if it isn't already */
+ if (*(m->enabled) == -1)
+ *(m->enabled) = 1;
+ }
+ xfree(orig_methods);
+ return (ret);
+}
+
+
static char *
get_authname(int type)
{
@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt)
{
int authenticated = 0;
char info[1024];
+ const char *meth_name;
int prev = 0, type = 0;
const struct AuthMethod1 *meth;
@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt)
authctxt->valid ? "" : "invalid user ", authctxt->user);
/* If the user has no password, accept authentication immediately. */
- if (options.permit_empty_passwd && options.password_authentication &&
+ if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
#ifdef KRB5
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt)
if (options.use_pam && (PRIVSEP(do_pam_account())))
#endif
{
- auth_log(authctxt, 1, "without authentication", "");
+ auth_log(authctxt, 1, "without authentication", NULL, "");
return;
}
}
@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt)
/* Get a packet from the client. */
prev = type;
type = packet_read();
+ meth_name = get_authname(type);
/*
* If we started challenge-response authentication but the
@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt)
if (authctxt->failures >= options.max_authtries)
goto skip;
if ((meth = lookup_authmethod1(type)) == NULL) {
- logit("Unknown message during authentication: "
- "type %d", type);
+ logit("Unknown message during authentication: type %d",
+ type);
goto skip;
}
@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt)
goto skip;
}
+ /*
+ * Skip methods not in required list, until all the required
+ * ones are done
+ */
+ if (options.required_auth1 != NULL &&
+ !auth_method_in_list(options.required_auth1, meth_name)) {
+ debug("Skipping method \"%s\" until required "
+ "authentication completed", meth_name);
+ goto skip;
+ }
+
authenticated = meth->method(authctxt, info, sizeof(info));
if (authenticated == -1)
continue; /* "postponed" */
@@ -352,7 +413,29 @@ do_authloop(Authctxt *authctxt)
skip:
/* Log before sending the reply */
- auth_log(authctxt, authenticated, get_authname(type), info);
+ auth_log(authctxt, authenticated, meth_name, NULL, info);
+
+ /* Loop until the required authmethods are done */
+ if (authenticated && options.required_auth1 != NULL) {
+ if (auth_remove_from_list(&options.required_auth1,
+ meth_name) != 1)
+ fatal("INTERNAL ERROR: authenticated method "
+ "\"%s\" not in required list \"%s\"",
+ meth_name, options.required_auth1);
+ debug2("do_authloop: required list now: %s",
+ options.required_auth1 == NULL ?
+ "DONE" : options.required_auth1);
+ if (options.required_auth1 == NULL)
+ return;
+ authenticated = 0;
+ /*
+ * Disable method so client can't authenticate with it
+ * after the required authentications are complete.
+ */
+ *(meth->enabled) = 0;
+ packet_send_debug("Further authentication required");
+ goto send_fail;
+ }
if (client_user != NULL) {
xfree(client_user);
@@ -368,6 +451,7 @@ do_authloop(Authctxt *authctxt)
#endif
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
}
+ send_fail:
packet_start(SSH_SMSG_FAILURE);
packet_send();
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p1/auth2.c 2012-02-06 17:03:55.100896430 +0100
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
{
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
- char *user, *service, *method, *style = NULL;
+ char *user, *service, *method, *active_methods, *style = NULL;
int authenticated = 0;
if (authctxt == NULL)
@@ -277,22 +277,31 @@ input_userauth_request(int type, u_int32
authctxt->server_caused_failure = 0;
/* try to authenticate user */
- m = authmethod_lookup(method);
- if (m != NULL && authctxt->failures < options.max_authtries) {
- debug2("input_userauth_request: try method %s", method);
- authenticated = m->userauth(authctxt);
- }
- userauth_finish(authctxt, authenticated, method);
+ active_methods = authmethods_get();
+ if (strcmp(method, "none") == 0 ||
+ auth_method_in_list(active_methods, method)) {
+ m = authmethod_lookup(method);
+ if (m != NULL) {
+ debug2("input_userauth_request: try method %s", method);
+ authenticated = m->userauth(authctxt);
+ }
+ }
+ xfree(active_methods);
+ userauth_finish(authctxt, authenticated, method, NULL);
+
xfree(service);
xfree(user);
xfree(method);
}
void
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
+ const char *submethod)
{
char *methods;
+ Authmethod *m = NULL;
+ u_int partial = 0;
if (!authctxt->valid && authenticated)
fatal("INTERNAL ERROR: authenticated invalid user %s",
@@ -330,12 +339,42 @@ userauth_finish(Authctxt *authctxt, int
#endif /* _UNICOS */
/* Log before sending the reply */
- auth_log(authctxt, authenticated, method, " ssh2");
+ auth_log(authctxt, authenticated, method, submethod, " ssh2");
if (authctxt->postponed)
return;
- /* XXX todo: check if multiple auth methods are needed */
+ /* Handle RequiredAuthentications2: loop until required methods done */
+ if (authenticated && options.required_auth2 != NULL) {
+ if ((m = authmethod_lookup(method)) == NULL)
+ fatal("INTERNAL ERROR: authenticated method "
+ "\"%s\" unknown", method);
+ if (auth_remove_from_list(&options.required_auth2, method) != 1)
+ fatal("INTERNAL ERROR: authenticated method "
+ "\"%s\" not in required list \"%s\"",
+ method, options.required_auth2);
+ debug2("userauth_finish: required list now: %s",
+ options.required_auth2 == NULL ?
+ "DONE" : options.required_auth2);
+ /*
+ * if authenticated and no more required methods
+ * then declare success
+ */
+ if ( authenticated && options.required_auth2 == NULL ) {
+ debug2("userauth_finish: authenticated and no more required methods");
+ } else {
+ /*
+ * Disable method so client can't authenticate with it after
+ * the required authentications are complete.
+ */
+ if (m->enabled != NULL)
+ *(m->enabled) = 0;
+ authenticated = 0;
+ partial = 1;
+ goto send_fail;
+ }
+ }
+
if (authenticated == 1) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
@@ -345,7 +384,6 @@ userauth_finish(Authctxt *authctxt, int
/* now we can break out */
authctxt->success = 1;
} else {
-
/* Allow initial try of "none" auth without failure penalty */
if (!authctxt->server_caused_failure &&
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
@@ -356,10 +394,11 @@ userauth_finish(Authctxt *authctxt, int
#endif
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
}
+ send_fail:
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring(methods);
- packet_put_char(0); /* XXX partial success, unused */
+ packet_put_char(partial);
packet_send();
packet_write_wait();
xfree(methods);
@@ -373,6 +412,9 @@ authmethods_get(void)
char *list;
int i;
+ if (options.required_auth2 != NULL)
+ return xstrdup(options.required_auth2);
+
buffer_init(&b);
for (i = 0; authmethods[i] != NULL; i++) {
if (strcmp(authmethods[i]->name, "none") == 0)
@@ -407,3 +449,43 @@ authmethod_lookup(const char *name)
return NULL;
}
+#define DELIM ","
+
+int
+auth2_check_required(const char *list)
+{
+ char *orig_methods, *methods, *cp;
+ struct Authmethod *m;
+ int i, ret = 0;
+
+ orig_methods = methods = xstrdup(list);
+ for(;;) {
+ if ((cp = strsep(&methods, DELIM)) == NULL)
+ break;
+ debug2("auth2_check_required: method \"%s\"", cp);
+ if (*cp == '\0') {
+ debug("auth2_check_required: empty method");
+ ret = -1;
+ }
+ for (i = 0; authmethods[i] != NULL; i++)
+ if (strcmp(cp, authmethods[i]->name) == 0)
+ break;
+ if ((m = authmethods[i]) == NULL) {
+ debug("auth2_check_required: unknown method "
+ "\"%s\"", cp);
+ ret = -1;
+ break;
+ }
+ if (m->enabled == NULL || *(m->enabled) == 0) {
+ debug("auth2_check_required: method %s explicitly "
+ "disabled", cp);
+ ret = -1;
+ }
+ /* Activate method if it isn't already */
+ if (*(m->enabled) == -1)
+ *(m->enabled) = 1;
+ }
+ xfree(orig_methods);
+ return (ret);
+}
+
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:03:55.098862514 +0100
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
}
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
- userauth_finish(authctxt, 0, "gssapi-with-mic");
+ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
} else {
if (send_tok.length != 0) {
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type,
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
static void
@@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t ple
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
Authmethod method_gssapi = {
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
+++ openssh-5.9p1/auth2-chall.c 2012-02-06 17:03:55.098862514 +0100
@@ -341,8 +341,8 @@ input_userauth_info_response(int type, u
auth2_challenge_start(authctxt);
}
}
- userauth_finish(authctxt, authenticated, method);
- xfree(method);
+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
+ kbdintctxt->device?kbdintctxt->device->name:NULL);
}
void
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
+++ openssh-5.9p1/auth2-none.c 2012-02-06 17:03:55.099879104 +0100
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
packet_check_eom();
- if (options.permit_empty_passwd && options.password_authentication)
+ if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
return (PRIVSEP(auth_password(authctxt, "")));
return (0);
}
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.required-authentication 2012-02-06 17:03:51.020095446 +0100
+++ openssh-5.9p1/monitor.c 2012-02-06 17:03:55.101912924 +0100
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
static char *auth_method = "unknown";
+static char *auth_submethod = NULL;
static u_int session_id2_len = 0;
static u_char *session_id2 = NULL;
static pid_t monitor_child_pid;
@@ -352,7 +353,8 @@ void
monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
{
struct mon_table *ent;
- int authenticated = 0;
+ int no_increment, authenticated = 0;
+ char **req_auth;
debug3("preauth child monitor started");
@@ -367,12 +369,14 @@ monitor_child_preauth(Authctxt *_authctx
if (compat20) {
mon_dispatch = mon_dispatch_proto20;
+ req_auth = &options.required_auth2;
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
} else {
mon_dispatch = mon_dispatch_proto15;
+ req_auth = &options.required_auth1;
monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
}
@@ -380,6 +384,8 @@ monitor_child_preauth(Authctxt *_authctx
/* The first few requests do not require asynchronous access */
while (!authenticated) {
auth_method = "unknown";
+ auth_submethod = NULL;
+ no_increment = 1;
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
if (authenticated) {
if (!(ent->flags & MON_AUTHDECIDE))
@@ -401,11 +407,23 @@ monitor_child_preauth(Authctxt *_authctx
}
#endif
}
+ /* Loop until the required authmethods are done */
+ if (authenticated && *req_auth != NULL) {
+ if (auth_remove_from_list(req_auth, auth_method) != 1)
+ fatal("INTERNAL ERROR: authenticated method "
+ "\"%s\" not in required list \"%s\"",
+ auth_method, *req_auth);
+ debug2("monitor_child_preauth: required list now: %s",
+ *req_auth == NULL ? "DONE" : *req_auth);
+ if (*req_auth != NULL)
+ authenticated = 0;
+ no_increment = 1;
+ }
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
auth_log(authctxt, authenticated, auth_method,
- compat20 ? " ssh2" : "");
- if (!authenticated)
+ auth_submethod, compat20 ? " ssh2" : "");
+ if (!authenticated && !no_increment)
authctxt->failures++;
}
#ifdef JPAKE
@@ -862,6 +880,7 @@ mm_answer_authpassword(int sock, Buffer
auth_method = "none";
else
auth_method = "password";
+ auth_submethod = NULL;
/* Causes monitor loop to terminate if authenticated */
return (authenticated);
@@ -921,6 +940,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
auth_method = "bsdauth";
+ auth_submethod = NULL;
return (authok != 0);
}
@@ -970,6 +990,7 @@ mm_answer_skeyrespond(int sock, Buffer *
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
auth_method = "skey";
+ auth_submethod = NULL;
return (authok != 0);
}
@@ -1059,7 +1080,8 @@ mm_answer_pam_query(int sock, Buffer *m)
xfree(prompts);
if (echo_on != NULL)
xfree(echo_on);
- auth_method = "keyboard-interactive/pam";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
return (0);
}
@@ -1088,7 +1110,8 @@ mm_answer_pam_respond(int sock, Buffer *
buffer_clear(m);
buffer_put_int(m, ret);
mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
- auth_method = "keyboard-interactive/pam";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
if (ret == 0)
sshpam_authok = sshpam_ctxt;
return (0);
@@ -1102,7 +1125,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
(sshpam_device.free_ctx)(sshpam_ctxt);
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
- auth_method = "keyboard-interactive/pam";
+ auth_method = "keyboard-interactive";
+ auth_submethod = "pam";
return (sshpam_authok == sshpam_ctxt);
}
#endif
@@ -1138,6 +1162,7 @@ mm_answer_keyallowed(int sock, Buffer *m
allowed = options.pubkey_authentication &&
user_key_allowed(authctxt->pw, key);
auth_method = "publickey";
+ auth_submethod = NULL;
if (options.pubkey_authentication && allowed != 1)
auth_clear_options();
break;
@@ -1146,6 +1171,7 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_key_allowed(authctxt->pw,
cuser, chost, key);
auth_method = "hostbased";
+ auth_submethod = NULL;
break;
case MM_RSAHOSTKEY:
key->type = KEY_RSA1; /* XXX */
@@ -1155,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m
if (options.rhosts_rsa_authentication && allowed != 1)
auth_clear_options();
auth_method = "rsa";
+ auth_submethod = NULL;
break;
default:
fatal("%s: unknown key type %d", __func__, type);
@@ -1180,7 +1207,8 @@ mm_answer_keyallowed(int sock, Buffer *m
hostbased_chost = chost;
} else {
/* Log failed attempt */
- auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
+ auth_log(authctxt, 0, auth_method, auth_submethod,
+ compat20 ? " ssh2" : "");
xfree(blob);
xfree(cuser);
xfree(chost);
@@ -1356,6 +1384,7 @@ mm_answer_keyverify(int sock, Buffer *m)
xfree(data);
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
+ auth_submethod = NULL;
monitor_reset_key_state();
@@ -1545,6 +1574,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
debug3("%s entering", __func__);
auth_method = "rsa";
+ auth_submethod = NULL;
if (options.rsa_authentication && authctxt->valid) {
if ((client_n = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
@@ -1650,6 +1680,7 @@ mm_answer_rsa_response(int sock, Buffer
xfree(response);
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
+ auth_submethod = NULL;
/* reset state */
BN_clear_free(ssh1_challenge);
@@ -2099,6 +2130,7 @@ mm_answer_gss_userok(int sock, Buffer *m
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
auth_method = "gssapi-with-mic";
+ auth_submethod = NULL;
/* Monitor loop will terminate if authenticated */
return (authenticated);
@@ -2303,6 +2335,7 @@ mm_answer_jpake_check_confirm(int sock,
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
auth_method = "jpake-01@openssh.com";
+ auth_submethod = NULL;
return authenticated;
}
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.required-authentication 2012-02-06 17:03:51.024963230 +0100
+++ openssh-5.9p1/servconf.c 2012-02-06 17:03:55.102929716 +0100
@@ -42,6 +42,8 @@
#include "key.h"
#include "kex.h"
#include "mac.h"
+#include "hostfile.h"
+#include "auth.h"
#include "match.h"
#include "channels.h"
#include "groupaccess.h"
@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions
options->num_authkeys_files = 0;
options->num_accept_env = 0;
options->permit_tun = -1;
+ options->required_auth1 = NULL;
+ options->required_auth2 = NULL;
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
@@ -319,6 +323,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
+ sRequiredAuthentications1, sRequiredAuthentications2,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -447,6 +452,8 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
+ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ NULL, sBadOption, 0 }
};
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
options->max_startups = options->max_startups_begin;
break;
+
+ case sRequiredAuthentications1:
+ charptr = &options->required_auth1;
+ arg = strdelim(&cp);
+ if (auth1_check_required(arg) != 0)
+ fatal("%.200s line %d: Invalid required authentication "
+ "list", filename, linenum);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (*charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
+
+ case sRequiredAuthentications2:
+ charptr = &options->required_auth2;
+ arg = strdelim(&cp);
+ if (auth2_check_required(arg) != 0)
+ fatal("%.200s line %d: Invalid required authentication "
+ "list", filename, linenum);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (*charptr == NULL)
+ *charptr = xstrdup(arg);
+ break;
+
case sMaxAuthTries:
intptr = &options->max_authtries;
goto parse_int;
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
+++ openssh-5.9p1/servconf.h 2012-02-06 17:03:55.102929716 +0100
@@ -154,6 +154,9 @@ typedef struct {
u_int num_authkeys_files; /* Files containing public keys */
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
+ char *required_auth1; /* Required, but not sufficient */
+ char *required_auth2;
+
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:09:39.038871798 +0100
@@ -723,6 +723,8 @@ Available keywords are
.Cm PermitOpen ,
.Cm PermitRootLogin ,
.Cm PermitTunnel ,
+.Cm RequiredAuthentications1,
+.Cm RequiredAuthentications2,
.Cm PubkeyAuthentication ,
.Cm RhostsRSAAuthentication ,
.Cm RSAAuthentication ,
@@ -920,6 +937,21 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
+.It Cm RequiredAuthentications[12]
+ Requires two authentication methods to succeed before authorizing the connection.
+ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
+
+ RequiredAuthentications1 method[,method...]
+ RequiredAuthentications2 method[,method...]
+
+.Pp
+Example 1:
+
+ RequiredAuthentications2 password,hostbased
+
+Example 2:
+ RequiredAuthentications2 publickey,password
+
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.


@ -1,30 +1,6 @@
diff -up openssh-5.9p0/auth-pam.c.role openssh-5.9p0/auth-pam.c
--- openssh-5.9p0/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.9p0/auth-pam.c 2011-08-31 11:42:54.870087433 +0200
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-5.9p0/auth-pam.h.role openssh-5.9p0/auth-pam.h
--- openssh-5.9p0/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.9p0/auth-pam.h 2011-08-31 11:42:54.979086333 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
--- openssh-5.9p0/auth.h.role 2011-08-31 11:42:47.760024631 +0200
+++ openssh-5.9p0/auth.h 2011-08-31 11:42:55.090151027 +0200
diff -up openssh-5.9p1/auth.h.role openssh-5.9p1/auth.h
--- openssh-5.9p1/auth.h.role 2012-02-06 17:21:26.038970656 +0100
+++ openssh-5.9p1/auth.h 2012-02-06 17:21:59.477033401 +0100
@@ -59,6 +59,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
@ -35,10 +11,34 @@ diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
void *kbdintctxt;
void *jpake_ctx;
#ifdef BSD_AUTH
diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
--- openssh-5.9p0/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.9p0/auth1.c 2011-08-31 11:42:55.215033075 +0200
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
diff -up openssh-5.9p1/auth-pam.c.role openssh-5.9p1/auth-pam.c
--- openssh-5.9p1/auth-pam.c.role 2012-02-06 17:21:25.983793983 +0100
+++ openssh-5.9p1/auth-pam.c 2012-02-06 17:21:59.476038868 +0100
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-5.9p1/auth-pam.h.role openssh-5.9p1/auth-pam.h
--- openssh-5.9p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.9p1/auth-pam.h 2012-02-06 17:21:59.477033401 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-5.9p1/auth1.c.role openssh-5.9p1/auth1.c
--- openssh-5.9p1/auth1.c.role 2012-02-06 17:21:26.016845827 +0100
+++ openssh-5.9p1/auth1.c 2012-02-06 17:21:59.478033396 +0100
@@ -468,6 +468,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
@ -48,7 +48,7 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
@@ -476,11 +479,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen);
packet_check_eom();
@ -73,88 +73,13 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-5.9p0/auth2-gss.c.role openssh-5.9p0/auth2-gss.c
--- openssh-5.9p0/auth2-gss.c.role 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p0/auth2-gss.c 2011-08-31 11:42:55.313025576 +0200
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
xfree(mic.value);
authctxt->postponed = 0;
diff -up openssh-5.9p0/auth2-hostbased.c.role openssh-5.9p0/auth2-hostbased.c
--- openssh-5.9p0/auth2-hostbased.c.role 2011-08-31 11:42:47.863023264 +0200
+++ openssh-5.9p0/auth2-hostbased.c 2011-08-31 11:42:55.421024814 +0200
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.9p0/auth2-pubkey.c.role openssh-5.9p0/auth2-pubkey.c
--- openssh-5.9p0/auth2-pubkey.c.role 2011-08-31 11:42:47.978087418 +0200
+++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:42:55.551025263 +0200
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
--- openssh-5.9p0/auth2.c.role 2011-08-31 11:42:45.409026065 +0200
+++ openssh-5.9p0/auth2.c 2011-08-31 11:42:55.676024869 +0200
diff -up openssh-5.9p1/auth2.c.role openssh-5.9p1/auth2.c
--- openssh-5.9p1/auth2.c.role 2012-02-06 17:21:26.024976386 +0100
+++ openssh-5.9p1/auth2.c 2012-02-06 17:23:14.127811737 +0100
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
char *user, *service, *method, *active_methods, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
@ -190,9 +115,84 @@ diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
userauth_banner();
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
--- openssh-5.9p0/monitor.c.role 2011-08-31 11:42:53.301024819 +0200
+++ openssh-5.9p0/monitor.c 2011-08-31 11:42:55.796025812 +0200
diff -up openssh-5.9p1/auth2-gss.c.role openssh-5.9p1/auth2-gss.c
--- openssh-5.9p1/auth2-gss.c.role 2012-02-06 17:21:26.017853239 +0100
+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:21:59.479096211 +0100
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
xfree(mic.value);
authctxt->postponed = 0;
diff -up openssh-5.9p1/auth2-hostbased.c.role openssh-5.9p1/auth2-hostbased.c
--- openssh-5.9p1/auth2-hostbased.c.role 2012-02-06 17:21:26.038970656 +0100
+++ openssh-5.9p1/auth2-hostbased.c 2012-02-06 17:21:59.479096211 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.9p1/auth2-pubkey.c.role openssh-5.9p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.role 2012-02-06 17:21:26.039787441 +0100
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 17:21:59.480096032 +0100
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-5.9p1/monitor.c.role openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.role 2012-02-06 17:21:26.071220592 +0100
+++ openssh-5.9p1/monitor.c 2012-02-06 17:21:59.481783500 +0100
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
@ -203,7 +203,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[]
@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -213,7 +213,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -819,6 +825,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
@@ -833,6 +839,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -223,7 +223,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
#ifdef USE_PAM
@@ -862,6 +871,25 @@ mm_answer_authserv(int sock, Buffer *m)
@@ -876,6 +885,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
@ -249,7 +249,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
int
mm_answer_authpassword(int sock, Buffer *m)
{
@@ -1227,7 +1255,7 @@ static int
@@ -1252,7 +1280,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
@ -258,7 +258,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
u_int len;
int fail = 0;
@@ -1253,6 +1281,8 @@ monitor_valid_userblob(u_char *data, u_i
@@ -1278,6 +1306,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
@ -267,7 +267,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
@@ -1284,7 +1314,7 @@ monitor_valid_hostbasedblob(u_char *data
@@ -1309,7 +1339,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
@ -276,7 +276,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
u_int len;
int fail = 0;
@@ -1301,6 +1331,8 @@ monitor_valid_hostbasedblob(u_char *data
@@ -1326,6 +1356,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
@ -285,9 +285,9 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
--- openssh-5.9p0/monitor.h.role 2011-08-31 11:42:53.409025333 +0200
+++ openssh-5.9p0/monitor.h 2011-08-31 11:42:55.889024801 +0200
diff -up openssh-5.9p1/monitor.h.role openssh-5.9p1/monitor.h
--- openssh-5.9p1/monitor.h.role 2012-02-06 17:21:26.071852220 +0100
+++ openssh-5.9p1/monitor.h 2012-02-06 17:21:59.482846081 +0100
@@ -31,6 +31,9 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
@ -298,9 +298,9 @@ diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
--- openssh-5.9p0/monitor_wrap.c.role 2011-08-31 11:42:53.548024503 +0200
+++ openssh-5.9p0/monitor_wrap.c 2011-08-31 11:42:56.029024553 +0200
diff -up openssh-5.9p1/monitor_wrap.c.role openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.role 2012-02-06 17:21:26.071852220 +0100
+++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:21:59.483845610 +0100
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
@ -327,9 +327,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
--- openssh-5.9p0/monitor_wrap.h.role 2011-08-31 11:42:53.660025271 +0200
+++ openssh-5.9p0/monitor_wrap.h 2011-08-31 11:42:56.131025748 +0200
diff -up openssh-5.9p1/monitor_wrap.h.role openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.role 2012-02-06 17:21:26.073192915 +0100
+++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:21:59.483845610 +0100
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -340,9 +340,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-compat/Makefile.in
--- openssh-5.9p0/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
+++ openssh-5.9p0/openbsd-compat/Makefile.in 2011-08-31 11:48:02.404091479 +0200
diff -up openssh-5.9p1/openbsd-compat/Makefile.in.role openssh-5.9p1/openbsd-compat/Makefile.in
--- openssh-5.9p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
+++ openssh-5.9p1/openbsd-compat/Makefile.in 2012-02-06 17:21:59.484846191 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -352,9 +352,9 @@ diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-com
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-compat/port-linux.c
--- openssh-5.9p0/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:42:56.492087969 +0200
diff -up openssh-5.9p1/openbsd-compat/port-linux.c.role openssh-5.9p1/openbsd-compat/port-linux.c
--- openssh-5.9p1/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
+++ openssh-5.9p1/openbsd-compat/port-linux.c 2012-02-06 17:21:59.484846191 +0100
@@ -31,7 +31,11 @@
#include "log.h"
@ -532,9 +532,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-co
#endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST
diff -up openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role openssh-5.9p0/openbsd-compat/port-linux_part_2.c
--- openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role 2011-08-31 11:42:56.583047619 +0200
+++ openssh-5.9p0/openbsd-compat/port-linux_part_2.c 2011-08-31 11:42:56.586178005 +0200
diff -up openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role openssh-5.9p1/openbsd-compat/port-linux_part_2.c
--- openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role 2012-02-06 17:21:59.485846294 +0100
+++ openssh-5.9p1/openbsd-compat/port-linux_part_2.c 2012-02-06 17:21:59.485846294 +0100
@@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+


@ -1,7 +1,7 @@
diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
--- openssh-5.9p0/configure.ac.vendor 2011-09-03 20:24:29.899501572 +0200
+++ openssh-5.9p0/configure.ac 2011-09-03 20:24:39.153501595 +0200
@@ -4131,6 +4131,12 @@ AC_ARG_WITH([lastlog],
diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
--- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100
+++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100
@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
fi
]
)
@ -14,7 +14,7 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
@@ -4357,6 +4363,7 @@ echo " Translate v4 in v6 hack
@@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
echo ""
diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
--- openssh-5.9p0/servconf.c.vendor 2011-09-03 20:24:29.080500853 +0200
+++ openssh-5.9p0/servconf.c 2011-09-03 20:27:15.727564566 +0200
@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100
+++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100
@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
@ -33,7 +33,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
options->ip_qos_bulk = IPTOS_THROUGHPUT;
@ -42,16 +42,16 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
/* Turn privilege separation on by default */
if (use_privsep == -1)
@@ -338,7 +341,7 @@ typedef enum {
@@ -321,7 +324,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
sSecondPubkeyAuthentication, sSecondGssAuthentication,
sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
@@ -470,6 +473,7 @@ static struct {
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -436,6 +439,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
@ -59,7 +59,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1152,6 +1156,10 @@ process_server_config_line(ServerOptions
@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep;
goto parse_multistate;
@ -70,7 +70,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -1849,6 +1857,7 @@ dump_config(ServerOptions *o)
@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
@ -78,10 +78,10 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
--- openssh-5.9p0/servconf.h.vendor 2011-09-03 20:24:29.179632045 +0200
+++ openssh-5.9p0/servconf.h 2011-09-03 20:24:39.426502323 +0200
@@ -148,6 +148,7 @@ typedef struct {
diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100
+++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100
@@ -140,6 +140,7 @@ typedef struct {
int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */
@ -89,31 +89,20 @@ diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
int use_dns;
int client_alive_interval; /*
* poke the client this often to
diff -up openssh-5.9p0/sshd.c.vendor openssh-5.9p0/sshd.c
--- openssh-5.9p0/sshd.c.vendor 2011-09-03 20:24:35.987501565 +0200
+++ openssh-5.9p0/sshd.c 2011-09-03 20:24:39.542501643 +0200
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
minor = PROTOCOL_MINOR_1;
}
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
- SSH_VERSION, newline);
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
server_version_string = xstrdup(buf);
/* Send our protocol version identification. */
@@ -1627,7 +1627,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %.100s", SSH_RELEASE);
+ debug("sshd version %.100s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
/* Store privilege separation user for later use if required. */
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
--- openssh-5.9p0/sshd_config.0.vendor 2011-09-03 20:24:37.524438185 +0200
+++ openssh-5.9p0/sshd_config.0 2011-09-03 20:24:39.677508255 +0200
diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100
+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100
@@ -112,6 +112,7 @@ X11Forwarding yes
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
--- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100
@@ -556,6 +556,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024.
@ -126,10 +115,10 @@ diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
StrictModes
Specifies whether sshd(8) should check file modes and ownership
of the user's files and home directory before accepting login.
diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
--- openssh-5.9p0/sshd_config.5.vendor 2011-09-03 20:24:37.640442022 +0200
+++ openssh-5.9p0/sshd_config.5 2011-09-03 20:24:40.176544206 +0200
@@ -952,6 +952,14 @@ This option applies to protocol version
diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100
@@ -982,6 +982,14 @@ This option applies to protocol version
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.
@ -144,14 +133,25 @@ diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
.It Cm StrictModes
Specifies whether
.Xr sshd 8
diff -up openssh-5.9p0/sshd_config.vendor openssh-5.9p0/sshd_config
--- openssh-5.9p0/sshd_config.vendor 2011-09-03 20:24:37.770439735 +0200
+++ openssh-5.9p0/sshd_config 2011-09-03 20:24:40.278628002 +0200
@@ -120,6 +120,7 @@ X11Forwarding yes
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100
+++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
minor = PROTOCOL_MINOR_1;
}
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
- SSH_VERSION, newline);
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
server_version_string = xstrdup(buf);
/* Send our protocol version identification. */
@@ -1634,7 +1634,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %.100s", SSH_RELEASE);
+ debug("sshd version %.100s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
/* Store privilege separation user for later use if required. */
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
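Review bot: In the sshd.c hunk inside sshd_exchange_identification, whatever `SSH_VENDOR_PATCHLEVEL` expands to is sent verbatim as the softwareversion field of the `SSH-%d.%d-%.100s%s` identification string, and its definition is not visible in this patch; RFC 4253 §4.2 requires that field to be printable US-ASCII with no whitespace and no '-', so a value assembled from a package name-version-release would be split by strict peer parsers (the `%.100s` width only bounds length, not content). A comment beside the ternary would pin the contract, e.g. `/* SSH_VENDOR_PATCHLEVEL is sent as softwareversion: no whitespace or '-' (RFC 4253 4.2) */`. Because this string reaches unauthenticated peers before key exchange, the `#ShowPatchLevel no` default shipped in sshd_config is the right one, and if the sshd_config.5 text added by this patch (not visible here) does not already say that enabling it discloses the exact package build, it should. The same `(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : ...` ternary is repeated at the `debug("sshd version ...")` site in main(), where a small `static const char *sshd_version_string(void)` helper would keep the two sites from drifting. Both enclosing functions start and end outside the hunks.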


@ -116,7 +116,8 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=983
Patch104: openssh-5.9p1-2auth.patch
#Patch104: openssh-5.9p1-2auth.patch
Patch104: openssh-5.9p1-required-authentications.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-5.8p1-audit0.patch
@ -395,7 +396,7 @@ The module is most useful for su and sudo service stacks.
%patch101 -p1 -b .fingerprint
%patch102 -p1 -b .getaddrinfo
%patch103 -p1 -b .packet
%patch104 -p1 -b .2auth
%patch104 -p1 -b .required-authentication
%patch200 -p1 -b .audit0
%patch201 -p1 -b .audit1