Fixes from RHEL 8.5.0

2021-04-22 17:02:11 +02:00 · 2021-04-22 17:02:11 +02:00 · df26987d52
commit df26987d52
parent f32b842272
3 changed files with 64 additions and 0 deletions
--- a/openssh-8.0p1-keygen-strip-doseol.patch
+++ b/openssh-8.0p1-keygen-strip-doseol.patch
@ -0,0 +1,12 @@
 diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
 --- openssh-8.0p1/ssh-keygen.c.strip-doseol	2021-03-18 17:41:34.472404994 +0100
 +++ openssh-8.0p1/ssh-keygen.c	2021-03-18 17:41:55.255538761 +0100
@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
 	while (getline(&line, &linesize, f) != -1) {
 		lnum++;
 		cp = line;
 -		cp[strcspn(cp, "\n")] = '\0';
 +		cp[strcspn(cp, "\r\n")] = '\0';
 		/* Trim leading space and comments */
 		cp = line + strspn(line, " \t");
 		if (*cp == '#' || *cp == '\0')
--- a/openssh-8.0p1-preserve-pam-errors.patch
+++ b/openssh-8.0p1-preserve-pam-errors.patch
@ -0,0 +1,44 @@
 diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
 --- openssh-8.0p1/auth-pam.c.preserve-pam-errors	2021-03-31 17:03:15.618592347 +0200
 +++ openssh-8.0p1/auth-pam.c	2021-03-31 17:06:58.115220014 +0200
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
 		goto auth_fail;
 	if (!do_pam_account()) {
 -		sshpam_err = PAM_ACCT_EXPIRED;
 +		/* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
 +		 * Backward compatibility for other errors. */
 +		if (sshpam_err != PAM_PERM_DENIED
 +			&& sshpam_err != PAM_USER_UNKNOWN)
 +			sshpam_err = PAM_ACCT_EXPIRED;
 		goto auth_fail;
 	}
 	if (sshpam_authctxt->force_pwchange) {
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
 	    pam_strerror(sshpam_handle, sshpam_err))) != 0)
 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
 	/* XXX - can't do much about an error here */
 -	if (sshpam_err == PAM_ACCT_EXPIRED)
 -		ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
 +	if (sshpam_err == PAM_PERM_DENIED
 +		|| sshpam_err == PAM_USER_UNKNOWN
 +		|| sshpam_err == PAM_ACCT_EXPIRED)
 +		ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
 	else if (sshpam_maxtries_reached)
 		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
 	else
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
 			plen++;
 			free(msg);
 			break;
 +		case PAM_USER_UNKNOWN:
 +		case PAM_PERM_DENIED:
 		case PAM_ACCT_EXPIRED:
 +			sshpam_account_status = 0;
 +			/* FALLTHROUGH */
 		case PAM_MAXTRIES:
 -			if (type == PAM_ACCT_EXPIRED)
 -				sshpam_account_status = 0;
 			if (type == PAM_MAXTRIES)
 				sshpam_set_maxtries_reached(1);
 			/* FALLTHROUGH */
--- a/openssh.spec
+++ b/openssh.spec
@ -191,6 +191,10 @@ Patch965: openssh-8.2p1-visibility.patch
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3213
 Patch969: openssh-8.4p1-debian-compat.patch
 # ssh-keygen printing fingerprint issue with Windows keys (#1901518)
 Patch974: openssh-8.0p1-keygen-strip-doseol.patch
 # sshd provides PAM an incorrect error code (#1879503)
 Patch975: openssh-8.0p1-preserve-pam-errors.patch
 License: BSD
 Requires: /sbin/nologin
@ -366,6 +370,8 @@ popd
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
 %patch969 -p0 -b .debian
 %patch974 -p1 -b .keygen-strip-doseol
 %patch975 -p1 -b .preserve-pam-errors
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@ -652,6 +658,8 @@ test -f %{sysconfig_anaconda} && \
 %changelog
 * Mon Apr 19 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-1
 - New upstream release (#1950819)
 - ssh-keygen printing fingerprint issue with Windows keys (#1901518)
 - sshd provides PAM an incorrect error code (#1879503)
 * Tue Mar 09 2021 Rex Dieter <rdieter@fedoraproject.org> - 8.5p1-2
 - ssh-agent.serivce is user unit (#1761817#27)