replace TwoFactorAuth with RequiredAuthentications[12]
https://bugzilla.mindrot.org/show_bug.cgi?id=983
This commit is contained in:
parent
21699d5622
commit
d9e6186c71
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||
--- openssh-5.9p1/auth2-pubkey.c.akc 2011-09-14 07:24:40.876512251 +0200
|
||||
+++ openssh-5.9p1/auth2-pubkey.c 2011-09-14 07:24:43.318458515 +0200
|
||||
--- openssh-5.9p1/auth2-pubkey.c.akc 2012-02-06 20:47:36.641814218 +0100
|
||||
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 20:47:36.665095838 +0100
|
||||
@@ -27,6 +27,7 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
@ -241,8 +241,8 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
|
||||
return 0;
|
||||
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
|
||||
diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
||||
--- openssh-5.9p1/configure.ac.akc 2011-09-14 07:24:42.863494886 +0200
|
||||
+++ openssh-5.9p1/configure.ac 2011-09-14 07:24:43.441583848 +0200
|
||||
--- openssh-5.9p1/configure.ac.akc 2012-02-06 20:47:36.656046570 +0100
|
||||
+++ openssh-5.9p1/configure.ac 2012-02-06 20:47:36.666095176 +0100
|
||||
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
|
||||
esac ]
|
||||
)
|
||||
@ -271,9 +271,9 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.akc 2011-09-14 07:24:29.402475399 +0200
|
||||
+++ openssh-5.9p1/servconf.c 2011-09-14 07:56:27.158585590 +0200
|
||||
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
|
||||
--- openssh-5.9p1/servconf.c.akc 2012-02-06 20:47:36.573033521 +0100
|
||||
+++ openssh-5.9p1/servconf.c 2012-02-06 20:47:36.667106367 +0100
|
||||
@@ -136,6 +136,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
options->chroot_directory = NULL;
|
||||
@ -282,7 +282,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
options->zero_knowledge_password_authentication = -1;
|
||||
options->revoked_keys_file = NULL;
|
||||
options->trusted_user_ca_keys = NULL;
|
||||
@@ -348,6 +350,7 @@ typedef enum {
|
||||
@@ -329,6 +331,7 @@ typedef enum {
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
|
||||
sKexAlgorithms, sIPQoS,
|
||||
@ -290,9 +290,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -487,6 +490,13 @@ static struct {
|
||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||
@@ -455,6 +458,13 @@ static struct {
|
||||
{ "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
|
||||
{ "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
|
||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||
+#ifdef WITH_AUTHORIZED_KEYS_COMMAND
|
||||
+ { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
|
||||
@ -304,7 +304,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions
|
||||
@@ -1430,6 +1440,24 @@ process_server_config_line(ServerOptions
|
||||
}
|
||||
break;
|
||||
|
||||
@ -329,16 +329,16 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
case sDeprecated:
|
||||
logit("%s line %d: Deprecated option %s",
|
||||
filename, linenum, arg);
|
||||
@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d
|
||||
@@ -1534,6 +1562,8 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(hostbased_uses_name_from_packet_only);
|
||||
M_CP_INTOPT(kbd_interactive_authentication);
|
||||
M_CP_INTOPT(zero_knowledge_password_authentication);
|
||||
M_CP_INTOPT(second_zero_knowledge_password_authentication);
|
||||
M_CP_INTOPT(two_factor_authentication);
|
||||
+ M_CP_STROPT(authorized_keys_command);
|
||||
+ M_CP_STROPT(authorized_keys_command_runas);
|
||||
M_CP_INTOPT(permit_root_login);
|
||||
M_CP_INTOPT(permit_empty_passwd);
|
||||
|
||||
@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o)
|
||||
@@ -1793,6 +1823,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
|
||||
dump_cfg_string(sAuthorizedPrincipalsFile,
|
||||
o->authorized_principals_file);
|
||||
@ -348,9 +348,9 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
|
||||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
|
||||
--- openssh-5.9p1/servconf.h.akc 2011-09-14 07:24:29.511480441 +0200
|
||||
+++ openssh-5.9p1/servconf.h 2011-09-14 07:24:43.678459183 +0200
|
||||
@@ -174,6 +174,8 @@ typedef struct {
|
||||
--- openssh-5.9p1/servconf.h.akc 2012-02-06 20:47:36.574033734 +0100
|
||||
+++ openssh-5.9p1/servconf.h 2012-02-06 20:47:36.668096740 +0100
|
||||
@@ -169,6 +169,8 @@ typedef struct {
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
char *authorized_principals_file;
|
||||
@ -359,9 +359,22 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
|
||||
} ServerOptions;
|
||||
|
||||
/*
|
||||
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
|
||||
--- openssh-5.9p1/sshd_config.akc 2011-05-29 13:39:39.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd_config 2012-02-06 20:47:36.669067546 +0100
|
||||
@@ -49,6 +49,9 @@
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
+#AuthorizedKeysCommand none
|
||||
+#AuthorizedKeysCommandRunAs nobody
|
||||
+
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
||||
--- openssh-5.9p1/sshd_config.0.akc 2011-09-07 01:16:30.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd_config.0 2011-09-14 07:24:43.791460201 +0200
|
||||
+++ openssh-5.9p1/sshd_config.0 2012-02-06 20:47:36.669067546 +0100
|
||||
@@ -71,6 +71,23 @@ DESCRIPTION
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
@ -397,29 +410,12 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
|
||||
GSSAPIAuthentication, HostbasedAuthentication,
|
||||
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
||||
diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
|
||||
--- openssh-5.9p1/sshd_config.5.akc 2011-09-14 07:24:29.793520372 +0200
|
||||
+++ openssh-5.9p1/sshd_config.5 2011-09-14 07:24:43.912583678 +0200
|
||||
@@ -706,6 +706,8 @@ Available keywords are
|
||||
.Cm AllowAgentForwarding ,
|
||||
.Cm AllowTcpForwarding ,
|
||||
.Cm AuthorizedKeysFile ,
|
||||
+.Cm AuthorizedKeysCommand ,
|
||||
+.Cm AuthorizedKeysCommandRunAs ,
|
||||
.Cm AuthorizedPrincipalsFile ,
|
||||
.Cm Banner ,
|
||||
.Cm ChrootDirectory ,
|
||||
@@ -718,6 +720,7 @@ Available keywords are
|
||||
.Cm KerberosAuthentication ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
+.Cm PubkeyAuthentication ,
|
||||
.Cm PasswordAuthentication ,
|
||||
.Cm PermitEmptyPasswords ,
|
||||
.Cm PermitOpen ,
|
||||
@@ -926,6 +929,20 @@ Specifies a list of revoked public keys.
|
||||
Keys listed in this file will be refused for public key authentication.
|
||||
Note that if this file is not readable, then public key authentication will
|
||||
be refused for all users.
|
||||
--- openssh-5.9p1/sshd_config.5.akc 2012-02-06 20:47:36.574891218 +0100
|
||||
+++ openssh-5.9p1/sshd_config.5 2012-02-06 20:49:58.913878595 +0100
|
||||
@@ -151,6 +151,19 @@ See
|
||||
in
|
||||
.Xr ssh_config 5
|
||||
for more information on patterns.
|
||||
+.It Cm AuthorizedKeysCommand
|
||||
+Specifies a program to be used for lookup of the user's
|
||||
+public keys. The program will be invoked with its first
|
||||
@ -433,20 +429,23 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
|
||||
+.It Cm AuthorizedKeysCommandRunAs
|
||||
+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty
|
||||
+string (the default value) means the user being authorized is used.
|
||||
+.Dq
|
||||
.It Cm RhostsRSAAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||
with successful RSA host authentication is allowed.
|
||||
diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
|
||||
--- openssh-5.9p1/sshd_config.akc 2011-09-14 07:24:29.620461608 +0200
|
||||
+++ openssh-5.9p1/sshd_config 2011-09-14 07:24:44.034462546 +0200
|
||||
@@ -49,6 +49,9 @@
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
+#AuthorizedKeysCommand none
|
||||
+#AuthorizedKeysCommandRunAs nobody
|
||||
+
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
# similar for protocol version 2
|
||||
.It Cm AuthorizedKeysFile
|
||||
Specifies the file that contains the public keys that can be used
|
||||
for user authentication.
|
||||
@@ -706,6 +719,8 @@ Available keywords are
|
||||
.Cm AllowAgentForwarding ,
|
||||
.Cm AllowTcpForwarding ,
|
||||
.Cm AuthorizedKeysFile ,
|
||||
+.Cm AuthorizedKeysCommand ,
|
||||
+.Cm AuthorizedKeysCommandRunAs ,
|
||||
.Cm AuthorizedPrincipalsFile ,
|
||||
.Cm Banner ,
|
||||
.Cm ChrootDirectory ,
|
||||
@@ -718,6 +733,7 @@ Available keywords are
|
||||
.Cm KerberosAuthentication ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
+.Cm PubkeyAuthentication ,
|
||||
.Cm PasswordAuthentication ,
|
||||
.Cm PermitEmptyPasswords ,
|
||||
.Cm PermitOpen ,
|
||||
|
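Review bot: The sample `#AuthorizedKeysCommandRunAs nobody` in the refreshed sshd_config hunk (the copy dated 2012-02-06) disagrees with the sshd_config.5 hunk in the same section, which documents the default as the empty string, meaning the lookup program runs as the user being authorized. Commented-out entries in sshd_config conventionally show the built-in default, so an administrator reading the sample will assume `nobody` while one reading the man page will assume the target user; the man page should state the real default and add the caveat that the program runs before the client has authenticated, so a dedicated unprivileged account, rather than the target user or an account shared with other services such as `nobody`, is the safer choice. The stray `+.Dq` line that follows the RunAs description has no argument and renders as an empty pair of quotes, which looks like a leftover from wrapping the words "empty string"; either drop the line or write `.Dq empty string Pq the default value` in the sentence itself. The enclosing man-page section continues outside the hunk.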
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
|
||||
--- openssh-5.9p1/audit-bsm.c.audit4 2011-09-18 05:13:24.922458521 +0200
|
||||
+++ openssh-5.9p1/audit-bsm.c 2011-09-18 05:13:26.808459314 +0200
|
||||
--- openssh-5.9p1/audit-bsm.c.audit4 2012-02-06 17:15:01.574908126 +0100
|
||||
+++ openssh-5.9p1/audit-bsm.c 2012-02-06 17:15:21.656095559 +0100
|
||||
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||
{
|
||||
/* not implemented */
|
||||
@ -12,9 +12,52 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
|
||||
--- openssh-5.9p1/audit.c.audit4 2012-02-06 17:15:01.576787216 +0100
|
||||
+++ openssh-5.9p1/audit.c 2012-02-06 17:15:21.690032906 +0100
|
||||
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_session_key_free(int ctos)
|
||||
+{
|
||||
+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
|
||||
+}
|
||||
+
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
/*
|
||||
* Null implementations of audit functions.
|
||||
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
|
||||
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
|
||||
(unsigned)uid);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * This will be called on succesfull session key discard
|
||||
+ */
|
||||
+void
|
||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
||||
+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
|
||||
--- openssh-5.9p1/audit.h.audit4 2012-02-06 17:15:01.576787216 +0100
|
||||
+++ openssh-5.9p1/audit.h 2012-02-06 17:15:21.690876254 +0100
|
||||
@@ -62,5 +62,7 @@ void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
+void audit_session_key_free(int ctos);
|
||||
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
|
||||
--- openssh-5.9p1/audit-linux.c.audit4 2011-09-18 05:13:25.041460630 +0200
|
||||
+++ openssh-5.9p1/audit-linux.c 2011-09-18 05:13:26.897563551 +0200
|
||||
--- openssh-5.9p1/audit-linux.c.audit4 2012-02-06 17:15:01.575908525 +0100
|
||||
+++ openssh-5.9p1/audit-linux.c 2012-02-06 17:15:21.682001323 +0100
|
||||
@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
|
||||
#endif
|
||||
}
|
||||
@ -65,52 +108,9 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
|
||||
+}
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
|
||||
--- openssh-5.9p1/audit.c.audit4 2011-09-18 05:13:25.151459504 +0200
|
||||
+++ openssh-5.9p1/audit.c 2011-09-18 05:13:26.995548664 +0200
|
||||
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||
}
|
||||
|
||||
+void
|
||||
+audit_session_key_free(int ctos)
|
||||
+{
|
||||
+ PRIVSEP(audit_session_key_free_body(ctos, getpid(), getuid()));
|
||||
+}
|
||||
+
|
||||
# ifndef CUSTOM_SSH_AUDIT_EVENTS
|
||||
/*
|
||||
* Null implementations of audit functions.
|
||||
@@ -274,5 +280,15 @@ audit_kex_body(int ctos, char *enc, char
|
||||
(unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
|
||||
(unsigned)uid);
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * This will be called on succesfull session key discard
|
||||
+ */
|
||||
+void
|
||||
+audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+ debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
||||
+ (unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
||||
+}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
|
||||
--- openssh-5.9p1/audit.h.audit4 2011-09-18 05:13:25.247587021 +0200
|
||||
+++ openssh-5.9p1/audit.h 2011-09-18 05:13:27.107531553 +0200
|
||||
@@ -62,5 +62,7 @@ void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
+void audit_session_key_free(int ctos);
|
||||
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
|
||||
--- openssh-5.9p1/auditstub.c.audit4 2011-09-18 05:13:25.350459598 +0200
|
||||
+++ openssh-5.9p1/auditstub.c 2011-09-18 05:13:27.209523920 +0200
|
||||
--- openssh-5.9p1/auditstub.c.audit4 2012-02-06 17:15:01.576787216 +0100
|
||||
+++ openssh-5.9p1/auditstub.c 2012-02-06 17:15:21.690876254 +0100
|
||||
@@ -27,6 +27,8 @@
|
||||
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
|
||||
*/
|
||||
@ -134,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
|
||||
+{
|
||||
+}
|
||||
diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
|
||||
--- openssh-5.9p1/kex.c.audit4 2011-09-18 05:13:25.656459960 +0200
|
||||
+++ openssh-5.9p1/kex.c 2011-09-18 05:13:27.309500951 +0200
|
||||
--- openssh-5.9p1/kex.c.audit4 2012-02-06 17:15:01.578907640 +0100
|
||||
+++ openssh-5.9p1/kex.c 2012-02-06 17:15:21.691785656 +0100
|
||||
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
@ -173,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
|
||||
+
|
||||
diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
|
||||
--- openssh-5.9p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
||||
+++ openssh-5.9p1/kex.h 2011-09-18 05:13:27.419492884 +0200
|
||||
+++ openssh-5.9p1/kex.h 2012-02-06 17:15:21.691785656 +0100
|
||||
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
||||
void kexecdh_client(Kex *);
|
||||
void kexecdh_server(Kex *);
|
||||
@ -185,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
|
||||
--- openssh-5.9p1/mac.c.audit4 2011-08-17 02:29:03.000000000 +0200
|
||||
+++ openssh-5.9p1/mac.c 2011-09-18 05:13:27.545464964 +0200
|
||||
+++ openssh-5.9p1/mac.c 2012-02-06 17:15:21.692918961 +0100
|
||||
@@ -168,6 +168,20 @@ mac_clear(Mac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
@ -209,15 +209,15 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
|
||||
int
|
||||
diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
|
||||
--- openssh-5.9p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
||||
+++ openssh-5.9p1/mac.h 2011-09-18 05:13:27.675473027 +0200
|
||||
+++ openssh-5.9p1/mac.h 2012-02-06 17:15:21.692918961 +0100
|
||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
+void mac_destroy(Mac *);
|
||||
diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.audit4 2011-09-18 05:13:25.778584691 +0200
|
||||
+++ openssh-5.9p1/monitor.c 2011-09-18 05:15:22.786522699 +0200
|
||||
--- openssh-5.9p1/monitor.c.audit4 2012-02-06 17:15:01.579896475 +0100
|
||||
+++ openssh-5.9p1/monitor.c 2012-02-06 17:16:32.405783810 +0100
|
||||
@@ -189,6 +189,7 @@ int mm_answer_audit_command(int, Buffer
|
||||
int mm_answer_audit_end_command(int, Buffer *);
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
@ -226,7 +226,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
#endif
|
||||
|
||||
static int monitor_read_log(struct monitor *);
|
||||
@@ -241,6 +242,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -242,6 +243,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
@ -234,7 +234,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -280,6 +282,7 @@ struct mon_table mon_dispatch_postauth20
|
||||
@@ -281,6 +283,7 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
@ -242,7 +242,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -313,6 +316,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||
@@ -314,6 +317,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
@ -250,7 +250,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -327,6 +331,7 @@ struct mon_table mon_dispatch_postauth15
|
||||
@@ -328,6 +332,7 @@ struct mon_table mon_dispatch_postauth15
|
||||
{MONITOR_REQ_AUDIT_END_COMMAND, MON_PERMIT, mm_answer_audit_end_command},
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
@ -258,8 +258,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -437,10 +442,6 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
}
|
||||
@@ -451,10 +456,6 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
#endif
|
||||
}
|
||||
|
||||
- /* Drain any buffered messages from the child */
|
||||
@ -269,7 +269,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
if (!authctxt->valid)
|
||||
fatal("%s: authenticated invalid user", __func__);
|
||||
if (strcmp(auth_method, "unknown") == 0)
|
||||
@@ -1927,11 +1928,13 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
@@ -1954,11 +1955,13 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
|
||||
blob = buffer_get_string(&m, &bloblen);
|
||||
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
|
||||
@ -283,7 +283,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
xfree(blob);
|
||||
|
||||
/* Now get sequence numbers for the packets */
|
||||
@@ -1977,6 +1980,21 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
@@ -2004,6 +2007,21 @@ mm_get_keystate(struct monitor *pmonitor
|
||||
}
|
||||
|
||||
buffer_free(&m);
|
||||
@ -305,7 +305,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
}
|
||||
|
||||
|
||||
@@ -2421,4 +2439,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
@@ -2450,4 +2468,22 @@ mm_answer_audit_kex_body(int sock, Buffe
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -329,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
|
||||
--- openssh-5.9p1/monitor.h.audit4 2011-09-18 05:13:25.887586033 +0200
|
||||
+++ openssh-5.9p1/monitor.h 2011-09-18 05:13:27.934522919 +0200
|
||||
--- openssh-5.9p1/monitor.h.audit4 2012-02-06 17:15:01.580908188 +0100
|
||||
+++ openssh-5.9p1/monitor.h 2012-02-06 17:15:21.695033617 +0100
|
||||
@@ -63,6 +63,7 @@ enum monitor_reqtype {
|
||||
MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
@ -340,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
|
||||
MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
|
||||
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
||||
diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
|
||||
--- openssh-5.9p1/monitor_wrap.c.audit4 2011-09-18 05:13:26.013583317 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2011-09-18 05:13:28.049519981 +0200
|
||||
--- openssh-5.9p1/monitor_wrap.c.audit4 2012-02-06 17:15:01.581802928 +0100
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:15:21.696033353 +0100
|
||||
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
|
||||
fatal("%s: conversion of newkeys failed", __func__);
|
||||
|
||||
@ -378,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
|
||||
--- openssh-5.9p1/monitor_wrap.h.audit4 2011-09-18 05:13:26.119474152 +0200
|
||||
+++ openssh-5.9p1/monitor_wrap.h 2011-09-18 05:13:28.151521539 +0200
|
||||
--- openssh-5.9p1/monitor_wrap.h.audit4 2012-02-06 17:15:01.582908343 +0100
|
||||
+++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:15:21.696033353 +0100
|
||||
@@ -79,6 +79,7 @@ int mm_audit_run_command(const char *);
|
||||
void mm_audit_end_command(int, const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
@ -389,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
|
||||
--- openssh-5.9p1/packet.c.audit4 2011-09-18 05:13:20.417548627 +0200
|
||||
+++ openssh-5.9p1/packet.c 2011-09-18 05:13:28.278520968 +0200
|
||||
--- openssh-5.9p1/packet.c.audit4 2012-02-06 17:15:01.545908387 +0100
|
||||
+++ openssh-5.9p1/packet.c 2012-02-06 17:15:21.696886524 +0100
|
||||
@@ -60,6 +60,7 @@
|
||||
#include <signal.h>
|
||||
|
||||
@ -584,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
|
||||
+
|
||||
diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
|
||||
--- openssh-5.9p1/packet.h.audit4 2011-05-15 00:43:13.000000000 +0200
|
||||
+++ openssh-5.9p1/packet.h 2011-09-18 05:13:28.385521238 +0200
|
||||
+++ openssh-5.9p1/packet.h 2012-02-06 17:15:21.697874825 +0100
|
||||
@@ -124,4 +124,5 @@ void packet_restore_state(void);
|
||||
void *packet_get_input(void);
|
||||
void *packet_get_output(void);
|
||||
@ -592,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
|
||||
+void packet_destroy_all(int, int);
|
||||
#endif /* PACKET_H */
|
||||
diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
|
||||
--- openssh-5.9p1/session.c.audit4 2011-09-18 05:13:22.842504192 +0200
|
||||
+++ openssh-5.9p1/session.c 2011-09-18 05:13:28.511522576 +0200
|
||||
--- openssh-5.9p1/session.c.audit4 2012-02-06 17:15:01.562908533 +0100
|
||||
+++ openssh-5.9p1/session.c 2012-02-06 17:15:21.697874825 +0100
|
||||
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
@ -605,8 +605,8 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.audit4 2011-09-18 05:13:26.617460032 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-18 05:13:28.621521065 +0200
|
||||
--- openssh-5.9p1/sshd.c.audit4 2012-02-06 17:15:01.583866459 +0100
|
||||
+++ openssh-5.9p1/sshd.c 2012-02-06 17:15:21.699033720 +0100
|
||||
@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||
}
|
||||
}
|
||||
|
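Review bot: The new `audit_session_key_free` wrapper in the audit.c hunk forwards `getpid()` and `getuid()` through `PRIVSEP(...)`, so when privilege separation is in use the pid and uid placed in the audit record are whatever the unprivileged child sends over the monitor socket, not values the monitor established itself; this mirrors the existing `audit_kex_body` pattern rather than fixing it. The matching `mm_answer_audit_session_key_free_body` handler appears to be added to all four monitor dispatch tables next to the `MONITOR_REQ_AUDIT_KEX` entries (each table gains one line, though the added line itself is not shown), and its body lies in the `@@ -2421,4 +2439,22 @@` hunk of monitor.c whose added lines are also not visible here, so I cannot tell whether it validates those fields. If it does not, a compromised child could tag its audit events with an arbitrary uid; the handler should ignore the child-supplied pid and uid and use the monitor's own record of the child process and of the uid it runs as. The comment above the default `audit_session_key_free_body` should also read "This will be called on successful session key discard" rather than "succesfull".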
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
|
||||
--- openssh-5.9p0/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
|
||||
+++ openssh-5.9p0/ssh_config 2011-09-05 14:48:16.386439023 +0200
|
||||
diff -up openssh-5.9p1/ssh_config.redhat openssh-5.9p1/ssh_config
|
||||
--- openssh-5.9p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
|
||||
+++ openssh-5.9p1/ssh_config 2012-02-06 17:32:43.428032471 +0100
|
||||
@@ -45,3 +45,14 @@
|
||||
# PermitLocalCommand no
|
||||
# VisualHostKey no
|
||||
@ -16,37 +16,9 @@ diff -up openssh-5.9p0/ssh_config.redhat openssh-5.9p0/ssh_config
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
+ SendEnv XMODIFIERS
|
||||
diff -up openssh-5.9p0/sshd_config.0.redhat openssh-5.9p0/sshd_config.0
|
||||
--- openssh-5.9p0/sshd_config.0.redhat 2011-09-05 14:48:08.522441255 +0200
|
||||
+++ openssh-5.9p0/sshd_config.0 2011-09-05 14:48:16.477443868 +0200
|
||||
@@ -581,9 +581,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||
- default is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff -up openssh-5.9p0/sshd_config.5.redhat openssh-5.9p0/sshd_config.5
|
||||
--- openssh-5.9p0/sshd_config.5.redhat 2011-09-05 14:48:08.657564688 +0200
|
||||
+++ openssh-5.9p0/sshd_config.5 2011-09-05 14:48:16.589501736 +0200
|
||||
@@ -1029,7 +1029,7 @@ Note that this option applies to protoco
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
||||
diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
|
||||
--- openssh-5.9p0/sshd_config.redhat 2011-09-05 14:48:16.250626793 +0200
|
||||
+++ openssh-5.9p0/sshd_config 2011-09-05 15:06:01.513443553 +0200
|
||||
diff -up openssh-5.9p1/sshd_config.redhat openssh-5.9p1/sshd_config
|
||||
--- openssh-5.9p1/sshd_config.redhat 2012-02-06 17:32:43.427032448 +0100
|
||||
+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:15.356783832 +0100
|
||||
@@ -32,6 +32,7 @@
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
@ -77,15 +49,13 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
@@ -89,6 +94,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -89,11 +94,13 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#TwoFactorAuthentication no
|
||||
#SecondPubkeyAuthentication yes
|
||||
@@ -101,6 +107,7 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
#X11Forwarding no
|
||||
@ -93,7 +63,7 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PrintMotd yes
|
||||
@@ -121,6 +128,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
@@ -114,6 +121,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
@ -106,3 +76,31 @@ diff -up openssh-5.9p0/sshd_config.redhat openssh-5.9p0/sshd_config
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
diff -up openssh-5.9p1/sshd_config.0.redhat openssh-5.9p1/sshd_config.0
|
||||
--- openssh-5.9p1/sshd_config.0.redhat 2012-02-06 17:32:43.302970171 +0100
|
||||
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:32:43.428032471 +0100
|
||||
@@ -581,9 +581,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||
- default is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff -up openssh-5.9p1/sshd_config.5.redhat openssh-5.9p1/sshd_config.5
|
||||
--- openssh-5.9p1/sshd_config.5.redhat 2012-02-06 17:32:43.303971959 +0100
|
||||
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:32:43.429032398 +0100
|
||||
@@ -1019,7 +1019,7 @@ Note that this option applies to protoco
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
||||
|
827
openssh-5.9p1-required-authentications.patch
Normal file
@ -0,0 +1,827 @@
|
||||
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
|
||||
--- openssh-5.9p1/auth.c.required-authentication 2012-02-06 17:03:51.034158031 +0100
|
||||
+++ openssh-5.9p1/auth.c 2012-02-06 17:03:55.007830206 +0100
|
||||
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
|
||||
}
|
||||
|
||||
void
|
||||
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
||||
+auth_log(Authctxt *authctxt, int authenticated, const char *method,
|
||||
+ const char *submethod, const char *info)
|
||||
{
|
||||
void (*authlog) (const char *fmt,...) = verbose;
|
||||
char *authmsg;
|
||||
@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
|
||||
else
|
||||
authmsg = authenticated ? "Accepted" : "Failed";
|
||||
|
||||
- authlog("%s %s for %s%.100s from %.200s port %d%s",
|
||||
+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
|
||||
authmsg,
|
||||
method,
|
||||
+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
|
||||
authctxt->valid ? "" : "invalid user ",
|
||||
authctxt->user,
|
||||
get_remote_ipaddr(),
|
||||
@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
|
||||
* Check whether root logins are disallowed.
|
||||
*/
|
||||
int
|
||||
-auth_root_allowed(char *method)
|
||||
+auth_root_allowed(const char *method)
|
||||
{
|
||||
switch (options.permit_root_login) {
|
||||
case PERMIT_YES:
|
||||
@@ -694,3 +696,57 @@ fakepw(void)
|
||||
|
||||
return (&fake);
|
||||
}
|
||||
+
|
||||
+int
|
||||
+auth_method_in_list(const char *list, const char *method)
|
||||
+{
|
||||
+ char *cp;
|
||||
+
|
||||
+ cp = match_list(method, list, NULL);
|
||||
+ if (cp != NULL) {
|
||||
+ xfree(cp);
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#define DELIM ","
|
||||
+int
|
||||
+auth_remove_from_list(char **list, const char *method)
|
||||
+{
|
||||
+ char *oldlist, *cp, *newlist = NULL;
|
||||
+ u_int len = 0, ret = 0;
|
||||
+
|
||||
+ if (list == NULL || *list == NULL)
|
||||
+ return (0);
|
||||
+
|
||||
+ oldlist = *list;
|
||||
+ len = strlen(oldlist) + 1;
|
||||
+ newlist = xmalloc(len);
|
||||
+ memset(newlist, '\0', len);
|
||||
+
|
||||
+ /* Remove method from list, if present */
|
||||
+ for (;;) {
|
||||
+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
|
||||
+ break;
|
||||
+ if (*cp == '\0')
|
||||
+ continue;
|
||||
+ if (strcmp(cp, method) != 0) {
|
||||
+ if (*newlist != '\0')
|
||||
+ strlcat(newlist, DELIM, len);
|
||||
+ strlcat(newlist, cp, len);
|
||||
+ } else
|
||||
+ ret++;
|
||||
+ }
|
||||
+
|
||||
+ /* Return NULL instead of empty list */
|
||||
+ if (*newlist == '\0') {
|
||||
+ xfree(newlist);
|
||||
+ newlist = NULL;
|
||||
+ }
|
||||
+ xfree(*list);
|
||||
+ *list = newlist;
|
||||
+
|
||||
+ return (ret);
|
||||
+}
|
||||
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
|
||||
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
|
||||
+++ openssh-5.9p1/auth.h 2012-02-06 17:03:55.008839468 +0100
|
||||
@@ -142,10 +142,11 @@ void disable_forwarding(void);
|
||||
void do_authentication(Authctxt *);
|
||||
void do_authentication2(Authctxt *);
|
||||
|
||||
-void auth_log(Authctxt *, int, char *, char *);
|
||||
-void userauth_finish(Authctxt *, int, char *);
|
||||
+void auth_log(Authctxt *, int, const char *, const char *, const char *);
|
||||
+void userauth_finish(Authctxt *, int, const char *, const char *);
|
||||
+int auth_root_allowed(const char *);
|
||||
+
|
||||
void userauth_send_banner(const char *);
|
||||
-int auth_root_allowed(char *);
|
||||
|
||||
char *auth2_read_banner(void);
|
||||
|
||||
@@ -192,6 +193,11 @@ void auth_debug_send(void);
|
||||
void auth_debug_reset(void);
|
||||
|
||||
struct passwd *fakepw(void);
|
||||
+int auth_method_in_list(const char *, const char *);
|
||||
+int auth_remove_from_list(char **, const char *);
|
||||
+
|
||||
+int auth1_check_required(const char *);
|
||||
+int auth2_check_required(const char *);
|
||||
|
||||
int sys_auth_passwd(Authctxt *, const char *);
|
||||
|
||||
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
|
||||
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
|
||||
+++ openssh-5.9p1/auth1.c 2012-02-06 17:03:55.055811924 +0100
|
||||
@@ -98,6 +98,54 @@ static const struct AuthMethod1
|
||||
return (NULL);
|
||||
}
|
||||
|
||||
+static const struct AuthMethod1 *
|
||||
+lookup_authmethod1_by_name(const char *name)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; auth1_methods[i].name != NULL; i++)
|
||||
+ if (strcmp(auth1_methods[i].name, name) == 0)
|
||||
+ return (&(auth1_methods[i]));
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+#define DELIM ","
|
||||
+int
|
||||
+auth1_check_required(const char *list)
|
||||
+{
|
||||
+ char *orig_methods, *methods, *cp;
|
||||
+ static const struct AuthMethod1 *m;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ orig_methods = methods = xstrdup(list);
|
||||
+ for(;;) { /* XXX maybe: while ((cp = ...) != NULL) ? */
|
||||
+ if ((cp = strsep(&methods, DELIM)) == NULL)
|
||||
+ break;
|
||||
+ debug2("auth1_check_required: method \"%s\"", cp);
|
||||
+ if (*cp == '\0') {
|
||||
+ debug("auth1_check_required: empty method");
|
||||
+ ret = -1;
|
||||
+ }
|
||||
+ if ((m = lookup_authmethod1_by_name(cp)) == NULL) {
|
||||
+ debug("auth1_check_required: unknown method "
|
||||
+ "\"%s\"", cp);
|
||||
+ ret = -1;
|
||||
+ }
|
||||
+ if (*(m->enabled) == 0) {
|
||||
+ debug("auth1_check_required: method %s explicitly "
|
||||
+ "disabled", cp);
|
||||
+ ret = -1;
|
||||
+ }
|
||||
+ /* Activate method if it isn't already */
|
||||
+ if (*(m->enabled) == -1)
|
||||
+ *(m->enabled) = 1;
|
||||
+ }
|
||||
+ xfree(orig_methods);
|
||||
+ return (ret);
|
||||
+}
|
||||
+
|
||||
+
|
||||
static char *
|
||||
get_authname(int type)
|
||||
{
|
||||
@@ -237,6 +285,7 @@ do_authloop(Authctxt *authctxt)
|
||||
{
|
||||
int authenticated = 0;
|
||||
char info[1024];
|
||||
+ const char *meth_name;
|
||||
int prev = 0, type = 0;
|
||||
const struct AuthMethod1 *meth;
|
||||
|
||||
@@ -244,7 +293,7 @@ do_authloop(Authctxt *authctxt)
|
||||
authctxt->valid ? "" : "invalid user ", authctxt->user);
|
||||
|
||||
/* If the user has no password, accept authentication immediately. */
|
||||
- if (options.permit_empty_passwd && options.password_authentication &&
|
||||
+ if (options.permit_empty_passwd && options.password_authentication && options.password_authentication &&
|
||||
#ifdef KRB5
|
||||
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
|
||||
#endif
|
||||
@@ -253,7 +302,7 @@ do_authloop(Authctxt *authctxt)
|
||||
if (options.use_pam && (PRIVSEP(do_pam_account())))
|
||||
#endif
|
||||
{
|
||||
- auth_log(authctxt, 1, "without authentication", "");
|
||||
+ auth_log(authctxt, 1, "without authentication", NULL, "");
|
||||
return;
|
||||
}
|
||||
}
|
||||
@@ -272,6 +321,7 @@ do_authloop(Authctxt *authctxt)
|
||||
/* Get a packet from the client. */
|
||||
prev = type;
|
||||
type = packet_read();
|
||||
+ meth_name = get_authname(type);
|
||||
|
||||
/*
|
||||
* If we started challenge-response authentication but the
|
||||
@@ -287,8 +337,8 @@ do_authloop(Authctxt *authctxt)
|
||||
if (authctxt->failures >= options.max_authtries)
|
||||
goto skip;
|
||||
if ((meth = lookup_authmethod1(type)) == NULL) {
|
||||
- logit("Unknown message during authentication: "
|
||||
- "type %d", type);
|
||||
+ logit("Unknown message during authentication: type %d",
|
||||
+ type);
|
||||
goto skip;
|
||||
}
|
||||
|
||||
@@ -297,6 +347,17 @@ do_authloop(Authctxt *authctxt)
|
||||
goto skip;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Skip methods not in required list, until all the required
|
||||
+ * ones are done
|
||||
+ */
|
||||
+ if (options.required_auth1 != NULL &&
|
||||
+ !auth_method_in_list(options.required_auth1, meth_name)) {
|
||||
+ debug("Skipping method \"%s\" until required "
|
||||
+ "authentication completed", meth_name);
|
||||
+ goto skip;
|
||||
+ }
|
||||
+
|
||||
authenticated = meth->method(authctxt, info, sizeof(info));
|
||||
if (authenticated == -1)
|
||||
continue; /* "postponed" */
|
||||
@@ -352,7 +413,29 @@ do_authloop(Authctxt *authctxt)
|
||||
|
||||
skip:
|
||||
/* Log before sending the reply */
|
||||
- auth_log(authctxt, authenticated, get_authname(type), info);
|
||||
+ auth_log(authctxt, authenticated, meth_name, NULL, info);
|
||||
+
|
||||
+ /* Loop until the required authmethods are done */
|
||||
+ if (authenticated && options.required_auth1 != NULL) {
|
||||
+ if (auth_remove_from_list(&options.required_auth1,
|
||||
+ meth_name) != 1)
|
||||
+ fatal("INTERNAL ERROR: authenticated method "
|
||||
+ "\"%s\" not in required list \"%s\"",
|
||||
+ meth_name, options.required_auth1);
|
||||
+ debug2("do_authloop: required list now: %s",
|
||||
+ options.required_auth1 == NULL ?
|
||||
+ "DONE" : options.required_auth1);
|
||||
+ if (options.required_auth1 == NULL)
|
||||
+ return;
|
||||
+ authenticated = 0;
|
||||
+ /*
|
||||
+ * Disable method so client can't authenticate with it
|
||||
+ * after the required authentications are complete.
|
||||
+ */
|
||||
+ *(meth->enabled) = 0;
|
||||
+ packet_send_debug("Further authentication required");
|
||||
+ goto send_fail;
|
||||
+ }
|
||||
|
||||
if (client_user != NULL) {
|
||||
xfree(client_user);
|
||||
@@ -368,6 +451,7 @@ do_authloop(Authctxt *authctxt)
|
||||
#endif
|
||||
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||
}
|
||||
+ send_fail:
|
||||
|
||||
packet_start(SSH_SMSG_FAILURE);
|
||||
packet_send();
|
||||
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
|
||||
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
||||
+++ openssh-5.9p1/auth2.c 2012-02-06 17:03:55.100896430 +0100
|
||||
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
|
||||
{
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
- char *user, *service, *method, *style = NULL;
|
||||
+ char *user, *service, *method, *active_methods, *style = NULL;
|
||||
int authenticated = 0;
|
||||
|
||||
if (authctxt == NULL)
|
||||
@@ -277,22 +277,31 @@ input_userauth_request(int type, u_int32
|
||||
authctxt->server_caused_failure = 0;
|
||||
|
||||
/* try to authenticate user */
|
||||
- m = authmethod_lookup(method);
|
||||
- if (m != NULL && authctxt->failures < options.max_authtries) {
|
||||
- debug2("input_userauth_request: try method %s", method);
|
||||
- authenticated = m->userauth(authctxt);
|
||||
- }
|
||||
- userauth_finish(authctxt, authenticated, method);
|
||||
+ active_methods = authmethods_get();
|
||||
+ if (strcmp(method, "none") == 0 ||
|
||||
+ auth_method_in_list(active_methods, method)) {
|
||||
+ m = authmethod_lookup(method);
|
||||
+ if (m != NULL) {
|
||||
+ debug2("input_userauth_request: try method %s", method);
|
||||
+ authenticated = m->userauth(authctxt);
|
||||
+ }
|
||||
|
||||
+ }
|
||||
+ xfree(active_methods);
|
||||
+ userauth_finish(authctxt, authenticated, method, NULL);
|
||||
+
|
||||
xfree(service);
|
||||
xfree(user);
|
||||
xfree(method);
|
||||
}
|
||||
|
||||
void
|
||||
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
|
||||
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
|
||||
+ const char *submethod)
|
||||
{
|
||||
char *methods;
|
||||
+ Authmethod *m = NULL;
|
||||
+ u_int partial = 0;
|
||||
|
||||
if (!authctxt->valid && authenticated)
|
||||
fatal("INTERNAL ERROR: authenticated invalid user %s",
|
||||
@@ -330,12 +339,42 @@ userauth_finish(Authctxt *authctxt, int
|
||||
#endif /* _UNICOS */
|
||||
|
||||
/* Log before sending the reply */
|
||||
- auth_log(authctxt, authenticated, method, " ssh2");
|
||||
+ auth_log(authctxt, authenticated, method, submethod, " ssh2");
|
||||
|
||||
if (authctxt->postponed)
|
||||
return;
|
||||
|
||||
- /* XXX todo: check if multiple auth methods are needed */
|
||||
+ /* Handle RequiredAuthentications2: loop until required methods done */
|
||||
+ if (authenticated && options.required_auth2 != NULL) {
|
||||
+ if ((m = authmethod_lookup(method)) == NULL)
|
||||
+ fatal("INTERNAL ERROR: authenticated method "
|
||||
+ "\"%s\" unknown", method);
|
||||
+ if (auth_remove_from_list(&options.required_auth2, method) != 1)
|
||||
+ fatal("INTERNAL ERROR: authenticated method "
|
||||
+ "\"%s\" not in required list \"%s\"",
|
||||
+ method, options.required_auth2);
|
||||
+ debug2("userauth_finish: required list now: %s",
|
||||
+ options.required_auth2 == NULL ?
|
||||
+ "DONE" : options.required_auth2);
|
||||
+ /*
|
||||
+ * if authenticated and no more required methods
|
||||
+ * then declare success
|
||||
+ */
|
||||
+ if ( authenticated && options.required_auth2 == NULL ) {
|
||||
+ debug2("userauth_finish: authenticated and no more required methods");
|
||||
+ } else {
|
||||
+ /*
|
||||
+ * Disable method so client can't authenticate with it after
|
||||
+ * the required authentications are complete.
|
||||
+ */
|
||||
+ if (m->enabled != NULL)
|
||||
+ *(m->enabled) = 0;
|
||||
+ authenticated = 0;
|
||||
+ partial = 1;
|
||||
+ goto send_fail;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (authenticated == 1) {
|
||||
/* turn off userauth */
|
||||
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
|
||||
@@ -345,7 +384,6 @@ userauth_finish(Authctxt *authctxt, int
|
||||
/* now we can break out */
|
||||
authctxt->success = 1;
|
||||
} else {
|
||||
-
|
||||
/* Allow initial try of "none" auth without failure penalty */
|
||||
if (!authctxt->server_caused_failure &&
|
||||
(authctxt->attempt > 1 || strcmp(method, "none") != 0))
|
||||
@@ -356,10 +394,11 @@ userauth_finish(Authctxt *authctxt, int
|
||||
#endif
|
||||
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
|
||||
}
|
||||
+ send_fail:
|
||||
methods = authmethods_get();
|
||||
packet_start(SSH2_MSG_USERAUTH_FAILURE);
|
||||
packet_put_cstring(methods);
|
||||
- packet_put_char(0); /* XXX partial success, unused */
|
||||
+ packet_put_char(partial);
|
||||
packet_send();
|
||||
packet_write_wait();
|
||||
xfree(methods);
|
||||
@@ -373,6 +412,9 @@ authmethods_get(void)
|
||||
char *list;
|
||||
int i;
|
||||
|
||||
+ if (options.required_auth2 != NULL)
|
||||
+ return xstrdup(options.required_auth2);
|
||||
+
|
||||
buffer_init(&b);
|
||||
for (i = 0; authmethods[i] != NULL; i++) {
|
||||
if (strcmp(authmethods[i]->name, "none") == 0)
|
||||
@@ -407,3 +449,43 @@ authmethod_lookup(const char *name)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+#define DELIM ","
|
||||
+
|
||||
+int
|
||||
+auth2_check_required(const char *list)
|
||||
+{
|
||||
+ char *orig_methods, *methods, *cp;
|
||||
+ struct Authmethod *m;
|
||||
+ int i, ret = 0;
|
||||
+
|
||||
+ orig_methods = methods = xstrdup(list);
|
||||
+ for(;;) {
|
||||
+ if ((cp = strsep(&methods, DELIM)) == NULL)
|
||||
+ break;
|
||||
+ debug2("auth2_check_required: method \"%s\"", cp);
|
||||
+ if (*cp == '\0') {
|
||||
+ debug("auth2_check_required: empty method");
|
||||
+ ret = -1;
|
||||
+ }
|
||||
+ for (i = 0; authmethods[i] != NULL; i++)
|
||||
+ if (strcmp(cp, authmethods[i]->name) == 0)
|
||||
+ break;
|
||||
+ if ((m = authmethods[i]) == NULL) {
|
||||
+ debug("auth2_check_required: unknown method "
|
||||
+ "\"%s\"", cp);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (m->enabled == NULL || *(m->enabled) == 0) {
|
||||
+ debug("auth2_check_required: method %s explicitly "
|
||||
+ "disabled", cp);
|
||||
+ ret = -1;
|
||||
+ }
|
||||
+ /* Activate method if it isn't already */
|
||||
+ if (*(m->enabled) == -1)
|
||||
+ *(m->enabled) = 1;
|
||||
+ }
|
||||
+ xfree(orig_methods);
|
||||
+ return (ret);
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
|
||||
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
||||
+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:03:55.098862514 +0100
|
||||
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
|
||||
}
|
||||
authctxt->postponed = 0;
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
|
||||
- userauth_finish(authctxt, 0, "gssapi-with-mic");
|
||||
+ userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
|
||||
} else {
|
||||
if (send_tok.length != 0) {
|
||||
packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
|
||||
@@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type,
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
|
||||
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
|
||||
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
|
||||
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
|
||||
- userauth_finish(authctxt, authenticated, "gssapi-with-mic");
|
||||
+ userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
|
||||
}
|
||||
|
||||
Authmethod method_gssapi = {
|
||||
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
|
||||
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
|
||||
+++ openssh-5.9p1/auth2-chall.c 2012-02-06 17:03:55.098862514 +0100
|
||||
@@ -341,8 +341,8 @@ input_userauth_info_response(int type, u
|
||||
auth2_challenge_start(authctxt);
|
||||
}
|
||||
}
|
||||
- userauth_finish(authctxt, authenticated, method);
|
||||
- xfree(method);
|
||||
+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
|
||||
+ kbdintctxt->device?kbdintctxt->device->name:NULL);
|
||||
}
|
||||
|
||||
void
|
||||
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
|
||||
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
|
||||
+++ openssh-5.9p1/auth2-none.c 2012-02-06 17:03:55.099879104 +0100
|
||||
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
|
||||
{
|
||||
none_enabled = 0;
|
||||
packet_check_eom();
|
||||
- if (options.permit_empty_passwd && options.password_authentication)
|
||||
+ if (options.permit_empty_passwd && options.password_authentication && options.required_auth2 == NULL)
|
||||
return (PRIVSEP(auth_password(authctxt, "")));
|
||||
return (0);
|
||||
}
|
||||
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.required-authentication 2012-02-06 17:03:51.020095446 +0100
|
||||
+++ openssh-5.9p1/monitor.c 2012-02-06 17:03:55.101912924 +0100
|
||||
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
|
||||
static char *hostbased_cuser = NULL;
|
||||
static char *hostbased_chost = NULL;
|
||||
static char *auth_method = "unknown";
|
||||
+static char *auth_submethod = NULL;
|
||||
static u_int session_id2_len = 0;
|
||||
static u_char *session_id2 = NULL;
|
||||
static pid_t monitor_child_pid;
|
||||
@@ -352,7 +353,8 @@ void
|
||||
monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
|
||||
{
|
||||
struct mon_table *ent;
|
||||
- int authenticated = 0;
|
||||
+ int no_increment, authenticated = 0;
|
||||
+ char **req_auth;
|
||||
|
||||
debug3("preauth child monitor started");
|
||||
|
||||
@@ -367,12 +369,14 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
|
||||
if (compat20) {
|
||||
mon_dispatch = mon_dispatch_proto20;
|
||||
+ req_auth = &options.required_auth2;
|
||||
|
||||
/* Permit requests for moduli and signatures */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
|
||||
} else {
|
||||
mon_dispatch = mon_dispatch_proto15;
|
||||
+ req_auth = &options.required_auth1;
|
||||
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
|
||||
}
|
||||
@@ -380,6 +384,8 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
/* The first few requests do not require asynchronous access */
|
||||
while (!authenticated) {
|
||||
auth_method = "unknown";
|
||||
+ auth_submethod = NULL;
|
||||
+ no_increment = 1;
|
||||
authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
|
||||
if (authenticated) {
|
||||
if (!(ent->flags & MON_AUTHDECIDE))
|
||||
@@ -401,11 +407,23 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
}
|
||||
#endif
|
||||
}
|
||||
+ /* Loop until the required authmethods are done */
|
||||
+ if (authenticated && *req_auth != NULL) {
|
||||
+ if (auth_remove_from_list(req_auth, auth_method) != 1)
|
||||
+ fatal("INTERNAL ERROR: authenticated method "
|
||||
+ "\"%s\" not in required list \"%s\"",
|
||||
+ auth_method, *req_auth);
|
||||
+ debug2("monitor_child_preauth: required list now: %s",
|
||||
+ *req_auth == NULL ? "DONE" : *req_auth);
|
||||
+ if (*req_auth != NULL)
|
||||
+ authenticated = 0;
|
||||
+ no_increment = 1;
|
||||
+ }
|
||||
|
||||
if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
|
||||
auth_log(authctxt, authenticated, auth_method,
|
||||
- compat20 ? " ssh2" : "");
|
||||
- if (!authenticated)
|
||||
+ auth_submethod, compat20 ? " ssh2" : "");
|
||||
+ if (!authenticated && !no_increment)
|
||||
authctxt->failures++;
|
||||
}
|
||||
#ifdef JPAKE
|
||||
@@ -862,6 +880,7 @@ mm_answer_authpassword(int sock, Buffer
|
||||
auth_method = "none";
|
||||
else
|
||||
auth_method = "password";
|
||||
+ auth_submethod = NULL;
|
||||
|
||||
/* Causes monitor loop to terminate if authenticated */
|
||||
return (authenticated);
|
||||
@@ -921,6 +940,7 @@ mm_answer_bsdauthrespond(int sock, Buffe
|
||||
mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
|
||||
|
||||
auth_method = "bsdauth";
|
||||
+ auth_submethod = NULL;
|
||||
|
||||
return (authok != 0);
|
||||
}
|
||||
@@ -970,6 +990,7 @@ mm_answer_skeyrespond(int sock, Buffer *
|
||||
mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
|
||||
|
||||
auth_method = "skey";
|
||||
+ auth_submethod = NULL;
|
||||
|
||||
return (authok != 0);
|
||||
}
|
||||
@@ -1059,7 +1080,8 @@ mm_answer_pam_query(int sock, Buffer *m)
|
||||
xfree(prompts);
|
||||
if (echo_on != NULL)
|
||||
xfree(echo_on);
|
||||
- auth_method = "keyboard-interactive/pam";
|
||||
+ auth_method = "keyboard-interactive";
|
||||
+ auth_submethod = "pam";
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
|
||||
return (0);
|
||||
}
|
||||
@@ -1088,7 +1110,8 @@ mm_answer_pam_respond(int sock, Buffer *
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, ret);
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
|
||||
- auth_method = "keyboard-interactive/pam";
|
||||
+ auth_method = "keyboard-interactive";
|
||||
+ auth_submethod = "pam";
|
||||
if (ret == 0)
|
||||
sshpam_authok = sshpam_ctxt;
|
||||
return (0);
|
||||
@@ -1102,7 +1125,8 @@ mm_answer_pam_free_ctx(int sock, Buffer
|
||||
(sshpam_device.free_ctx)(sshpam_ctxt);
|
||||
buffer_clear(m);
|
||||
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
|
||||
- auth_method = "keyboard-interactive/pam";
|
||||
+ auth_method = "keyboard-interactive";
|
||||
+ auth_submethod = "pam";
|
||||
return (sshpam_authok == sshpam_ctxt);
|
||||
}
|
||||
#endif
|
||||
@@ -1138,6 +1162,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
allowed = options.pubkey_authentication &&
|
||||
user_key_allowed(authctxt->pw, key);
|
||||
auth_method = "publickey";
|
||||
+ auth_submethod = NULL;
|
||||
if (options.pubkey_authentication && allowed != 1)
|
||||
auth_clear_options();
|
||||
break;
|
||||
@@ -1146,6 +1171,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
hostbased_key_allowed(authctxt->pw,
|
||||
cuser, chost, key);
|
||||
auth_method = "hostbased";
|
||||
+ auth_submethod = NULL;
|
||||
break;
|
||||
case MM_RSAHOSTKEY:
|
||||
key->type = KEY_RSA1; /* XXX */
|
||||
@@ -1155,6 +1181,7 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
if (options.rhosts_rsa_authentication && allowed != 1)
|
||||
auth_clear_options();
|
||||
auth_method = "rsa";
|
||||
+ auth_submethod = NULL;
|
||||
break;
|
||||
default:
|
||||
fatal("%s: unknown key type %d", __func__, type);
|
||||
@@ -1180,7 +1207,8 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
hostbased_chost = chost;
|
||||
} else {
|
||||
/* Log failed attempt */
|
||||
- auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
|
||||
+ auth_log(authctxt, 0, auth_method, auth_submethod,
|
||||
+ compat20 ? " ssh2" : "");
|
||||
xfree(blob);
|
||||
xfree(cuser);
|
||||
xfree(chost);
|
||||
@@ -1356,6 +1384,7 @@ mm_answer_keyverify(int sock, Buffer *m)
|
||||
xfree(data);
|
||||
|
||||
auth_method = key_blobtype == MM_USERKEY ? "publickey" : "hostbased";
|
||||
+ auth_submethod = NULL;
|
||||
|
||||
monitor_reset_key_state();
|
||||
|
||||
@@ -1545,6 +1574,7 @@ mm_answer_rsa_keyallowed(int sock, Buffe
|
||||
debug3("%s entering", __func__);
|
||||
|
||||
auth_method = "rsa";
|
||||
+ auth_submethod = NULL;
|
||||
if (options.rsa_authentication && authctxt->valid) {
|
||||
if ((client_n = BN_new()) == NULL)
|
||||
fatal("%s: BN_new", __func__);
|
||||
@@ -1650,6 +1680,7 @@ mm_answer_rsa_response(int sock, Buffer
|
||||
xfree(response);
|
||||
|
||||
auth_method = key_blobtype == MM_RSAUSERKEY ? "rsa" : "rhosts-rsa";
|
||||
+ auth_submethod = NULL;
|
||||
|
||||
/* reset state */
|
||||
BN_clear_free(ssh1_challenge);
|
||||
@@ -2099,6 +2130,7 @@ mm_answer_gss_userok(int sock, Buffer *m
|
||||
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
||||
|
||||
auth_method = "gssapi-with-mic";
|
||||
+ auth_submethod = NULL;
|
||||
|
||||
/* Monitor loop will terminate if authenticated */
|
||||
return (authenticated);
|
||||
@@ -2303,6 +2335,7 @@ mm_answer_jpake_check_confirm(int sock,
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
|
||||
|
||||
auth_method = "jpake-01@openssh.com";
|
||||
+ auth_submethod = NULL;
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.required-authentication 2012-02-06 17:03:51.024963230 +0100
|
||||
+++ openssh-5.9p1/servconf.c 2012-02-06 17:03:55.102929716 +0100
|
||||
@@ -42,6 +42,8 @@
|
||||
#include "key.h"
|
||||
#include "kex.h"
|
||||
#include "mac.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
#include "match.h"
|
||||
#include "channels.h"
|
||||
#include "groupaccess.h"
|
||||
@@ -129,6 +131,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_authkeys_files = 0;
|
||||
options->num_accept_env = 0;
|
||||
options->permit_tun = -1;
|
||||
+ options->required_auth1 = NULL;
|
||||
+ options->required_auth2 = NULL;
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
options->chroot_directory = NULL;
|
||||
@@ -319,6 +323,7 @@ typedef enum {
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
+ sRequiredAuthentications1, sRequiredAuthentications2,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sZeroKnowledgePasswordAuthentication, sHostCertificate,
|
||||
@@ -447,6 +452,8 @@ static struct {
|
||||
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
||||
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|
||||
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
|
||||
+ { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL },
|
||||
+ { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL },
|
||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
|
||||
options->max_startups = options->max_startups_begin;
|
||||
break;
|
||||
|
||||
+
|
||||
+ case sRequiredAuthentications1:
|
||||
+ charptr = &options->required_auth1;
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (auth1_check_required(arg) != 0)
|
||||
+ fatal("%.200s line %d: Invalid required authentication "
|
||||
+ "list", filename, linenum);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.",
|
||||
+ filename, linenum);
|
||||
+ if (*charptr == NULL)
|
||||
+ *charptr = xstrdup(arg);
|
||||
+ break;
|
||||
+
|
||||
+ case sRequiredAuthentications2:
|
||||
+ charptr = &options->required_auth2;
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (auth2_check_required(arg) != 0)
|
||||
+ fatal("%.200s line %d: Invalid required authentication "
|
||||
+ "list", filename, linenum);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.",
|
||||
+ filename, linenum);
|
||||
+ if (*charptr == NULL)
|
||||
+ *charptr = xstrdup(arg);
|
||||
+ break;
|
||||
+
|
||||
case sMaxAuthTries:
|
||||
intptr = &options->max_authtries;
|
||||
goto parse_int;
|
||||
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
|
||||
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
|
||||
+++ openssh-5.9p1/servconf.h 2012-02-06 17:03:55.102929716 +0100
|
||||
@@ -154,6 +154,9 @@ typedef struct {
|
||||
u_int num_authkeys_files; /* Files containing public keys */
|
||||
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
||||
|
||||
+ char *required_auth1; /* Required, but not sufficient */
|
||||
+ char *required_auth2;
|
||||
+
|
||||
char *adm_forced_command;
|
||||
|
||||
int use_pam; /* Enable auth via PAM */
|
||||
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
|
||||
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:09:39.038871798 +0100
|
||||
@@ -723,6 +723,8 @@ Available keywords are
|
||||
.Cm PermitOpen ,
|
||||
.Cm PermitRootLogin ,
|
||||
.Cm PermitTunnel ,
|
||||
+.Cm RequiredAuthentications1,
|
||||
+.Cm RequiredAuthentications2,
|
||||
.Cm PubkeyAuthentication ,
|
||||
.Cm RhostsRSAAuthentication ,
|
||||
.Cm RSAAuthentication ,
|
||||
@@ -920,6 +937,21 @@ Specifies a list of revoked public keys.
|
||||
Keys listed in this file will be refused for public key authentication.
|
||||
Note that if this file is not readable, then public key authentication will
|
||||
be refused for all users.
|
||||
+.It Cm RequiredAuthentications[12]
|
||||
+ Requires two authentication methods to succeed before authorizing the connection.
|
||||
+ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
|
||||
+
|
||||
+ RequiredAuthentications1 method[,method...]
|
||||
+ RequiredAuthentications2 method[,method...]
|
||||
+
|
||||
+.Pp
|
||||
+Example 1:
|
||||
+
|
||||
+ RequiredAuthentications2 password,hostbased
|
||||
+
|
||||
+Example 2:
|
||||
+ RequiredAuthentications2 publickey,password
|
||||
+
|
||||
.It Cm RhostsRSAAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||
with successful RSA host authentication is allowed.
|
@ -1,30 +1,6 @@
|
||||
diff -up openssh-5.9p0/auth-pam.c.role openssh-5.9p0/auth-pam.c
|
||||
--- openssh-5.9p0/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
|
||||
+++ openssh-5.9p0/auth-pam.c 2011-08-31 11:42:54.870087433 +0200
|
||||
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
-do_pam_putenv(char *name, char *value)
|
||||
+do_pam_putenv(char *name, const char *value)
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh-5.9p0/auth-pam.h.role openssh-5.9p0/auth-pam.h
|
||||
--- openssh-5.9p0/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
|
||||
+++ openssh-5.9p0/auth-pam.h 2011-08-31 11:42:54.979086333 +0200
|
||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||
void do_pam_set_tty(const char *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
|
||||
--- openssh-5.9p0/auth.h.role 2011-08-31 11:42:47.760024631 +0200
|
||||
+++ openssh-5.9p0/auth.h 2011-08-31 11:42:55.090151027 +0200
|
||||
diff -up openssh-5.9p1/auth.h.role openssh-5.9p1/auth.h
|
||||
--- openssh-5.9p1/auth.h.role 2012-02-06 17:21:26.038970656 +0100
|
||||
+++ openssh-5.9p1/auth.h 2012-02-06 17:21:59.477033401 +0100
|
||||
@@ -59,6 +59,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
@ -35,10 +11,34 @@ diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
|
||||
void *kbdintctxt;
|
||||
void *jpake_ctx;
|
||||
#ifdef BSD_AUTH
|
||||
diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
|
||||
--- openssh-5.9p0/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
|
||||
+++ openssh-5.9p0/auth1.c 2011-08-31 11:42:55.215033075 +0200
|
||||
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
|
||||
diff -up openssh-5.9p1/auth-pam.c.role openssh-5.9p1/auth-pam.c
|
||||
--- openssh-5.9p1/auth-pam.c.role 2012-02-06 17:21:25.983793983 +0100
|
||||
+++ openssh-5.9p1/auth-pam.c 2012-02-06 17:21:59.476038868 +0100
|
||||
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
-do_pam_putenv(char *name, char *value)
|
||||
+do_pam_putenv(char *name, const char *value)
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh-5.9p1/auth-pam.h.role openssh-5.9p1/auth-pam.h
|
||||
--- openssh-5.9p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
|
||||
+++ openssh-5.9p1/auth-pam.h 2012-02-06 17:21:59.477033401 +0100
|
||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||
void do_pam_set_tty(const char *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-5.9p1/auth1.c.role openssh-5.9p1/auth1.c
|
||||
--- openssh-5.9p1/auth1.c.role 2012-02-06 17:21:26.016845827 +0100
|
||||
+++ openssh-5.9p1/auth1.c 2012-02-06 17:21:59.478033396 +0100
|
||||
@@ -468,6 +468,9 @@ do_authentication(Authctxt *authctxt)
|
||||
{
|
||||
u_int ulen;
|
||||
char *user, *style = NULL;
|
||||
@ -48,7 +48,7 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
|
||||
|
||||
/* Get the name of the user that we wish to log in as. */
|
||||
packet_read_expect(SSH_CMSG_USER);
|
||||
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
|
||||
@@ -476,11 +479,24 @@ do_authentication(Authctxt *authctxt)
|
||||
user = packet_get_cstring(&ulen);
|
||||
packet_check_eom();
|
||||
|
||||
@ -73,88 +73,13 @@ diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
|
||||
|
||||
/* Verify that the user is a valid user. */
|
||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||
diff -up openssh-5.9p0/auth2-gss.c.role openssh-5.9p0/auth2-gss.c
|
||||
--- openssh-5.9p0/auth2-gss.c.role 2011-05-05 06:04:11.000000000 +0200
|
||||
+++ openssh-5.9p0/auth2-gss.c 2011-08-31 11:42:55.313025576 +0200
|
||||
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
+ char *micuser;
|
||||
Buffer b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
mic.value = packet_get_string(&len);
|
||||
mic.length = len;
|
||||
|
||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ xfree(micuser);
|
||||
xfree(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh-5.9p0/auth2-hostbased.c.role openssh-5.9p0/auth2-hostbased.c
|
||||
--- openssh-5.9p0/auth2-hostbased.c.role 2011-08-31 11:42:47.863023264 +0200
|
||||
+++ openssh-5.9p0/auth2-hostbased.c 2011-08-31 11:42:55.421024814 +0200
|
||||
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b, service);
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff -up openssh-5.9p0/auth2-pubkey.c.role openssh-5.9p0/auth2-pubkey.c
|
||||
--- openssh-5.9p0/auth2-pubkey.c.role 2011-08-31 11:42:47.978087418 +0200
|
||||
+++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:42:55.551025263 +0200
|
||||
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b,
|
||||
datafellows & SSH_BUG_PKSERVICE ?
|
||||
"ssh-userauth" :
|
||||
diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
|
||||
--- openssh-5.9p0/auth2.c.role 2011-08-31 11:42:45.409026065 +0200
|
||||
+++ openssh-5.9p0/auth2.c 2011-08-31 11:42:55.676024869 +0200
|
||||
diff -up openssh-5.9p1/auth2.c.role openssh-5.9p1/auth2.c
|
||||
--- openssh-5.9p1/auth2.c.role 2012-02-06 17:21:26.024976386 +0100
|
||||
+++ openssh-5.9p1/auth2.c 2012-02-06 17:23:14.127811737 +0100
|
||||
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user, *service, *method, *style = NULL;
|
||||
char *user, *service, *method, *active_methods, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role = NULL;
|
||||
+#endif
|
||||
@ -190,9 +115,84 @@ diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
|
||||
userauth_banner();
|
||||
} else if (strcmp(user, authctxt->user) != 0 ||
|
||||
strcmp(service, authctxt->service) != 0) {
|
||||
diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
||||
--- openssh-5.9p0/monitor.c.role 2011-08-31 11:42:53.301024819 +0200
|
||||
+++ openssh-5.9p0/monitor.c 2011-08-31 11:42:55.796025812 +0200
|
||||
diff -up openssh-5.9p1/auth2-gss.c.role openssh-5.9p1/auth2-gss.c
|
||||
--- openssh-5.9p1/auth2-gss.c.role 2012-02-06 17:21:26.017853239 +0100
|
||||
+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:21:59.479096211 +0100
|
||||
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
+ char *micuser;
|
||||
Buffer b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
mic.value = packet_get_string(&len);
|
||||
mic.length = len;
|
||||
|
||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ xfree(micuser);
|
||||
xfree(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh-5.9p1/auth2-hostbased.c.role openssh-5.9p1/auth2-hostbased.c
|
||||
--- openssh-5.9p1/auth2-hostbased.c.role 2012-02-06 17:21:26.038970656 +0100
|
||||
+++ openssh-5.9p1/auth2-hostbased.c 2012-02-06 17:21:59.479096211 +0100
|
||||
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b, service);
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff -up openssh-5.9p1/auth2-pubkey.c.role openssh-5.9p1/auth2-pubkey.c
|
||||
--- openssh-5.9p1/auth2-pubkey.c.role 2012-02-06 17:21:26.039787441 +0100
|
||||
+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 17:21:59.480096032 +0100
|
||||
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b,
|
||||
datafellows & SSH_BUG_PKSERVICE ?
|
||||
"ssh-userauth" :
|
||||
diff -up openssh-5.9p1/monitor.c.role openssh-5.9p1/monitor.c
|
||||
--- openssh-5.9p1/monitor.c.role 2012-02-06 17:21:26.071220592 +0100
|
||||
+++ openssh-5.9p1/monitor.c 2012-02-06 17:21:59.481783500 +0100
|
||||
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
@ -203,7 +203,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -213,7 +213,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -819,6 +825,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
@@ -833,6 +839,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
@ -223,7 +223,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
@@ -862,6 +871,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
@@ -876,6 +885,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
@ -249,7 +249,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
||||
int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
@@ -1227,7 +1255,7 @@ static int
|
||||
@@ -1252,7 +1280,7 @@ static int
|
||||
monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
{
|
||||
Buffer b;
|
||||
@ -258,7 +258,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1253,6 +1281,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
@@ -1278,6 +1306,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_string(&b, NULL);
|
||||
@ -267,7 +267,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
||||
if (strcmp(authctxt->user, p) != 0) {
|
||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||
authctxt->user, p);
|
||||
@@ -1284,7 +1314,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
@@ -1309,7 +1339,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
char *chost)
|
||||
{
|
||||
Buffer b;
|
||||
@ -276,7 +276,7 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1301,6 +1331,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
@@ -1326,6 +1356,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
p = buffer_get_string(&b, NULL);
|
||||
@ -285,9 +285,9 @@ diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
|
||||
if (strcmp(authctxt->user, p) != 0) {
|
||||
logit("wrong user name passed to monitor: expected %s != %.100s",
|
||||
authctxt->user, p);
|
||||
diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
|
||||
--- openssh-5.9p0/monitor.h.role 2011-08-31 11:42:53.409025333 +0200
|
||||
+++ openssh-5.9p0/monitor.h 2011-08-31 11:42:55.889024801 +0200
|
||||
diff -up openssh-5.9p1/monitor.h.role openssh-5.9p1/monitor.h
|
||||
--- openssh-5.9p1/monitor.h.role 2012-02-06 17:21:26.071852220 +0100
|
||||
+++ openssh-5.9p1/monitor.h 2012-02-06 17:21:59.482846081 +0100
|
||||
@@ -31,6 +31,9 @@
|
||||
enum monitor_reqtype {
|
||||
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
||||
@ -298,9 +298,9 @@ diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
|
||||
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
||||
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
||||
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
||||
diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
|
||||
--- openssh-5.9p0/monitor_wrap.c.role 2011-08-31 11:42:53.548024503 +0200
|
||||
+++ openssh-5.9p0/monitor_wrap.c 2011-08-31 11:42:56.029024553 +0200
|
||||
diff -up openssh-5.9p1/monitor_wrap.c.role openssh-5.9p1/monitor_wrap.c
|
||||
--- openssh-5.9p1/monitor_wrap.c.role 2012-02-06 17:21:26.071852220 +0100
|
||||
+++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:21:59.483845610 +0100
|
||||
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
|
||||
buffer_free(&m);
|
||||
}
|
||||
@ -327,9 +327,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
|
||||
--- openssh-5.9p0/monitor_wrap.h.role 2011-08-31 11:42:53.660025271 +0200
|
||||
+++ openssh-5.9p0/monitor_wrap.h 2011-08-31 11:42:56.131025748 +0200
|
||||
diff -up openssh-5.9p1/monitor_wrap.h.role openssh-5.9p1/monitor_wrap.h
|
||||
--- openssh-5.9p1/monitor_wrap.h.role 2012-02-06 17:21:26.073192915 +0100
|
||||
+++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:21:59.483845610 +0100
|
||||
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||
@ -340,9 +340,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-compat/Makefile.in
|
||||
--- openssh-5.9p0/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
|
||||
+++ openssh-5.9p0/openbsd-compat/Makefile.in 2011-08-31 11:48:02.404091479 +0200
|
||||
diff -up openssh-5.9p1/openbsd-compat/Makefile.in.role openssh-5.9p1/openbsd-compat/Makefile.in
|
||||
--- openssh-5.9p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
|
||||
+++ openssh-5.9p1/openbsd-compat/Makefile.in 2012-02-06 17:21:59.484846191 +0100
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
|
||||
|
||||
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
|
||||
@ -352,9 +352,9 @@ diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-com
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-compat/port-linux.c
|
||||
--- openssh-5.9p0/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
|
||||
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:42:56.492087969 +0200
|
||||
diff -up openssh-5.9p1/openbsd-compat/port-linux.c.role openssh-5.9p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.9p1/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
|
||||
+++ openssh-5.9p1/openbsd-compat/port-linux.c 2012-02-06 17:21:59.484846191 +0100
|
||||
@@ -31,7 +31,11 @@
|
||||
|
||||
#include "log.h"
|
||||
@ -532,9 +532,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-co
|
||||
#endif /* WITH_SELINUX */
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role openssh-5.9p0/openbsd-compat/port-linux_part_2.c
|
||||
--- openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role 2011-08-31 11:42:56.583047619 +0200
|
||||
+++ openssh-5.9p0/openbsd-compat/port-linux_part_2.c 2011-08-31 11:42:56.586178005 +0200
|
||||
diff -up openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role openssh-5.9p1/openbsd-compat/port-linux_part_2.c
|
||||
--- openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role 2012-02-06 17:21:59.485846294 +0100
|
||||
+++ openssh-5.9p1/openbsd-compat/port-linux_part_2.c 2012-02-06 17:21:59.485846294 +0100
|
||||
@@ -0,0 +1,75 @@
|
||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||
+
|
||||
|
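Review bot: The user/role concatenation that rebuilds the signed blob is gated on `if (authctxt->role) {` in the auth2-hostbased.c and auth2-pubkey.c hunks, but on `authctxt->role && (strlen(authctxt->role) > 0)` in the auth2-gss.c hunk, so an empty role string yields `user/` for the first two methods and plain `user` for the GSSAPI MIC. Only one of these forms can match what the client actually signed (the split of the wire username happens in the auth2.c hunk, whose body is mostly collapsed in this view), so the three sites should share one condition, e.g. `if (authctxt->role && *authctxt->role != '\0') {`, or call a single helper that returns the wire-form name. The same lines appear in both the 5.9p0 and 5.9p1 copies in this section, so the rediff carries the inconsistency over rather than introducing it. The length handed to `buffer_put_int` is a `size_t` sum narrowed to `u_int`; a short comment stating why that cannot overflow here (or a bounds check) would make the reconstruction easier to audit, since a mismatch between this blob and the client's signed data is exactly what the monitor_valid_*blob checks later in the section rely on.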
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
|
||||
--- openssh-5.9p0/configure.ac.vendor 2011-09-03 20:24:29.899501572 +0200
|
||||
+++ openssh-5.9p0/configure.ac 2011-09-03 20:24:39.153501595 +0200
|
||||
@@ -4131,6 +4131,12 @@ AC_ARG_WITH([lastlog],
|
||||
diff -up openssh-5.9p1/configure.ac.vendor openssh-5.9p1/configure.ac
|
||||
--- openssh-5.9p1/configure.ac.vendor 2012-02-06 17:35:37.439855272 +0100
|
||||
+++ openssh-5.9p1/configure.ac 2012-02-06 17:35:37.510219862 +0100
|
||||
@@ -4135,6 +4135,12 @@ AC_ARG_WITH([lastlog],
|
||||
fi
|
||||
]
|
||||
)
|
||||
@ -14,7 +14,7 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
|
||||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -4357,6 +4363,7 @@ echo " Translate v4 in v6 hack
|
||||
@@ -4361,6 +4367,7 @@ echo " Translate v4 in v6 hack
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
@ -22,10 +22,10 @@ diff -up openssh-5.9p0/configure.ac.vendor openssh-5.9p0/configure.ac
|
||||
|
||||
echo ""
|
||||
|
||||
diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
||||
--- openssh-5.9p0/servconf.c.vendor 2011-09-03 20:24:29.080500853 +0200
|
||||
+++ openssh-5.9p0/servconf.c 2011-09-03 20:27:15.727564566 +0200
|
||||
@@ -130,6 +130,7 @@ initialize_server_options(ServerOptions
|
||||
diff -up openssh-5.9p1/servconf.c.vendor openssh-5.9p1/servconf.c
|
||||
--- openssh-5.9p1/servconf.c.vendor 2012-02-06 17:35:37.432972267 +0100
|
||||
+++ openssh-5.9p1/servconf.c 2012-02-06 17:37:58.806272833 +0100
|
||||
@@ -125,6 +125,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
@ -33,7 +33,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption
|
||||
@@ -283,6 +284,8 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||
if (options->ip_qos_bulk == -1)
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
@ -42,16 +42,16 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
||||
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
@@ -338,7 +341,7 @@ typedef enum {
|
||||
@@ -321,7 +324,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
|
||||
sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
- sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sTwoFactorAuthentication,
|
||||
sSecondPubkeyAuthentication, sSecondGssAuthentication,
|
||||
sSecondPasswordAuthentication, sSecondKbdInteractiveAuthentication,
|
||||
@@ -470,6 +473,7 @@ static struct {
|
||||
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
|
||||
sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
@@ -436,6 +439,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
@ -59,7 +59,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1152,6 +1156,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1092,6 +1096,10 @@ process_server_config_line(ServerOptions
|
||||
multistate_ptr = multistate_privsep;
|
||||
goto parse_multistate;
|
||||
|
||||
@ -70,7 +70,7 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
@@ -1849,6 +1857,7 @@ dump_config(ServerOptions *o)
|
||||
@@ -1807,6 +1815,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
|
||||
@ -78,10 +78,10 @@ diff -up openssh-5.9p0/servconf.c.vendor openssh-5.9p0/servconf.c
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
|
||||
--- openssh-5.9p0/servconf.h.vendor 2011-09-03 20:24:29.179632045 +0200
|
||||
+++ openssh-5.9p0/servconf.h 2011-09-03 20:24:39.426502323 +0200
|
||||
@@ -148,6 +148,7 @@ typedef struct {
|
||||
diff -up openssh-5.9p1/servconf.h.vendor openssh-5.9p1/servconf.h
|
||||
--- openssh-5.9p1/servconf.h.vendor 2012-02-06 17:35:37.434095467 +0100
|
||||
+++ openssh-5.9p1/servconf.h 2012-02-06 17:35:37.512225786 +0100
|
||||
@@ -140,6 +140,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
@ -89,31 +89,20 @@ diff -up openssh-5.9p0/servconf.h.vendor openssh-5.9p0/servconf.h
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-5.9p0/sshd.c.vendor openssh-5.9p0/sshd.c
|
||||
--- openssh-5.9p0/sshd.c.vendor 2011-09-03 20:24:35.987501565 +0200
|
||||
+++ openssh-5.9p0/sshd.c 2011-09-03 20:24:39.542501643 +0200
|
||||
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
|
||||
minor = PROTOCOL_MINOR_1;
|
||||
}
|
||||
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
|
||||
- SSH_VERSION, newline);
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
|
||||
server_version_string = xstrdup(buf);
|
||||
|
||||
/* Send our protocol version identification. */
|
||||
@@ -1627,7 +1627,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- debug("sshd version %.100s", SSH_RELEASE);
|
||||
+ debug("sshd version %.100s",
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
|
||||
|
||||
/* Store privilege separation user for later use if required. */
|
||||
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||||
diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
|
||||
--- openssh-5.9p0/sshd_config.0.vendor 2011-09-03 20:24:37.524438185 +0200
|
||||
+++ openssh-5.9p0/sshd_config.0 2011-09-03 20:24:39.677508255 +0200
|
||||
diff -up openssh-5.9p1/sshd_config.vendor openssh-5.9p1/sshd_config
|
||||
--- openssh-5.9p1/sshd_config.vendor 2012-02-06 17:35:37.499226201 +0100
|
||||
+++ openssh-5.9p1/sshd_config 2012-02-06 17:35:37.515220444 +0100
|
||||
@@ -112,6 +112,7 @@ X11Forwarding yes
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
+#ShowPatchLevel no
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10
|
||||
diff -up openssh-5.9p1/sshd_config.0.vendor openssh-5.9p1/sshd_config.0
|
||||
--- openssh-5.9p1/sshd_config.0.vendor 2012-02-06 17:35:37.500225787 +0100
|
||||
+++ openssh-5.9p1/sshd_config.0 2012-02-06 17:35:37.513225808 +0100
|
||||
@@ -556,6 +556,11 @@ DESCRIPTION
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The minimum value is 512, and the default is 1024.
|
||||
@ -126,10 +115,10 @@ diff -up openssh-5.9p0/sshd_config.0.vendor openssh-5.9p0/sshd_config.0
|
||||
StrictModes
|
||||
Specifies whether sshd(8) should check file modes and ownership
|
||||
of the user's files and home directory before accepting login.
|
||||
diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
|
||||
--- openssh-5.9p0/sshd_config.5.vendor 2011-09-03 20:24:37.640442022 +0200
|
||||
+++ openssh-5.9p0/sshd_config.5 2011-09-03 20:24:40.176544206 +0200
|
||||
@@ -952,6 +952,14 @@ This option applies to protocol version
|
||||
diff -up openssh-5.9p1/sshd_config.5.vendor openssh-5.9p1/sshd_config.5
|
||||
--- openssh-5.9p1/sshd_config.5.vendor 2012-02-06 17:35:37.500225787 +0100
|
||||
+++ openssh-5.9p1/sshd_config.5 2012-02-06 17:35:37.514220449 +0100
|
||||
@@ -982,6 +982,14 @@ This option applies to protocol version
|
||||
.It Cm ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||
The minimum value is 512, and the default is 1024.
|
||||
@ -144,14 +133,25 @@ diff -up openssh-5.9p0/sshd_config.5.vendor openssh-5.9p0/sshd_config.5
|
||||
.It Cm StrictModes
|
||||
Specifies whether
|
||||
.Xr sshd 8
|
||||
diff -up openssh-5.9p0/sshd_config.vendor openssh-5.9p0/sshd_config
|
||||
--- openssh-5.9p0/sshd_config.vendor 2011-09-03 20:24:37.770439735 +0200
|
||||
+++ openssh-5.9p0/sshd_config 2011-09-03 20:24:40.278628002 +0200
|
||||
@@ -120,6 +120,7 @@ X11Forwarding yes
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
+#ShowPatchLevel no
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10
|
||||
diff -up openssh-5.9p1/sshd.c.vendor openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.vendor 2012-02-06 17:35:37.485230832 +0100
|
||||
+++ openssh-5.9p1/sshd.c 2012-02-06 17:35:37.513225808 +0100
|
||||
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
|
||||
minor = PROTOCOL_MINOR_1;
|
||||
}
|
||||
snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
|
||||
- SSH_VERSION, newline);
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION, newline);
|
||||
server_version_string = xstrdup(buf);
|
||||
|
||||
/* Send our protocol version identification. */
|
||||
@@ -1634,7 +1634,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- debug("sshd version %.100s", SSH_RELEASE);
|
||||
+ debug("sshd version %.100s",
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
|
||||
|
||||
/* Store privilege separation user for later use if required. */
|
||||
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||||
|
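Review bot: The sshd_exchange_identification change puts `SSH_VENDOR_PATCHLEVEL` into the identification string every client receives before authentication, and the same ternary `(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : ...` is repeated in main() with `SSH_RELEASE`, without a comment explaining the disclosure trade-off or why `== 1` rather than a truthiness test is used. Comparing against exactly 1 means an unset value (presumably -1, like the neighbouring options in the initialize_server_options hunk) keeps the patch level hidden, which is the safe direction, but the `fill_default_server_options` hunk that sets the default is collapsed here so I could not confirm it. I would put `/* ShowPatchLevel: only an explicit "yes" (1) reveals the vendor patch level pre-auth; unset/no shows SSH_VERSION */` above the snprintf call, and consider folding both occurrences into one static helper so the banner and the debug log cannot drift apart.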
@ -116,7 +116,8 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
|
||||
Patch103: openssh-5.8p1-packet.patch
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=983
|
||||
Patch104: openssh-5.9p1-2auth.patch
|
||||
#Patch104: openssh-5.9p1-2auth.patch
|
||||
Patch104: openssh-5.9p1-required-authentications.patch
|
||||
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||
Patch200: openssh-5.8p1-audit0.patch
|
||||
@ -395,7 +396,7 @@ The module is most useful for su and sudo service stacks.
|
||||
%patch101 -p1 -b .fingerprint
|
||||
%patch102 -p1 -b .getaddrinfo
|
||||
%patch103 -p1 -b .packet
|
||||
%patch104 -p1 -b .2auth
|
||||
%patch104 -p1 -b .required-authentication
|
||||
|
||||
%patch200 -p1 -b .audit0
|
||||
%patch201 -p1 -b .audit1
|
||||
|