Rebasing to OpenSSH 8.7p1

Resolves: rhbz#2001002
Dmitry Belyavskiy 2021-09-24 16:19:18 +02:00
parent 62d88b35f1
commit f9e5ded9dd
12 changed files with 176 additions and 578 deletions


@ -28,7 +28,7 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ options->enable_k5users = -1; + options->enable_k5users = -1;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->permit_empty_passwd = -1;
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption @@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
#endif #endif
if (options->use_kuserok == -1) if (options->use_kuserok == -1)
@ -72,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
+ intptr = &options->enable_k5users; + intptr = &options->enable_k5users;
+ goto parse_flag; + goto parse_flag;
+ +
case sPermitListen: case sMatch:
case sPermitOpen: if (cmdline)
if (opcode == sPermitListen) { fatal("Match directive not supported as a command-line "
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d @@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);


@ -182,7 +182,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
+ options->use_kuserok = -1; + options->use_kuserok = -1;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->permit_empty_passwd = -1;
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
if (options->gss_kex_algorithms == NULL) if (options->gss_kex_algorithms == NULL)
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX); options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
@ -193,8 +193,8 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -399,7 +402,7 @@ typedef enum { @@ -399,7 +402,7 @@ typedef enum {
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sKerberosUniqueCCache, - sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok, + sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
@ -217,16 +217,16 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
*inc_flags &= ~SSHCFG_MATCH_ONLY; }
break; break;
+ case sKerberosUseKuserok: + case sKerberosUseKuserok:
+ intptr = &options->use_kuserok; + intptr = &options->use_kuserok;
+ goto parse_flag; + goto parse_flag;
+ +
case sPermitListen: case sMatch:
case sPermitOpen: if (cmdline)
if (opcode == sPermitListen) { fatal("Match directive not supported as a command-line "
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d @@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(client_alive_interval); M_CP_INTOPT(client_alive_interval);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);


@ -54,18 +54,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100 --- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100 +++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
@@ -409,8 +409,10 @@ sshauthopt_parse(const char *opts, const
errstr = "invalid environment string";
goto fail;
}
- if ((cp = strdup(opt)) == NULL)
+ if ((cp = strdup(opt)) == NULL) {
+ free(opt);
goto alloc_fail;
+ }
cp[tmp - opt] = '\0'; /* truncate at '=' */
if (!valid_env_name(cp)) {
free(cp);
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char * @@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
return r; return r;
} }
@ -133,13 +121,13 @@ diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100 --- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100 +++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname @@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
&hostkey_digest_len, hostkey)) { &hostkey_digest, &hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint."); error("Error calculating key fingerprint.");
freerrset(fingerprints); freerrset(fingerprints);
+ free(dnskey_digest); + free(dnskey_digest);
return -1; return -1;
} }
}
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100 --- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100 +++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
@ -301,6 +289,36 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
int i; int i;
if (sa == NULL) { if (sa == NULL) {
diff -up openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity openssh-8.7p1/openbsd-compat/bsd-pselect.c
--- openssh-8.7p1/openbsd-compat/bsd-pselect.c.coverity 2021-08-30 16:36:11.357288009 +0200
+++ openssh-8.7p1/openbsd-compat/bsd-pselect.c 2021-08-30 16:37:21.791897976 +0200
@@ -113,13 +113,13 @@ pselect_notify_setup(void)
static void
pselect_notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
pselect_notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -127,8 +127,8 @@ pselect_notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) {
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) {
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2_f("reading");
FD_CLR(notify_pipe[0], readset);
}
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100 --- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100 +++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
@ -309,33 +327,29 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
error("%.200s line %d: glob failed for %s.", error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2); filename, linenum, arg2);
+ free(arg2); + free(arg2);
return -1; goto out;
} }
free(arg2); free(arg2);
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100 --- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100 +++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
@@ -157,7 +157,7 @@ killchild(int signo) @@ -186,11 +186,11 @@ killchild(int signo)
{ {
if (do_cmd_pid > 1) { if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM); kill(do_cmd_pid, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid, NULL, 0); - waitpid(do_cmd_pid, NULL, 0);
+ (void) waitpid(do_cmd_pid, NULL, 0); + (void) waitpid(do_cmd_pid, NULL, 0);
} }
if (do_cmd_pid2 > 1) {
kill(do_cmd_pid2, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid2, NULL, 0);
+ (void) waitpid(do_cmd_pid2, NULL, 0);
}
if (signo) if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100 --- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.",
filename, linenum);
if (!*activep) {
- arg = strdelim(&cp);
+ /*arg =*/ (void) strdelim(&cp);
break;
}
for (i = 0; i < options->num_subsystems; i++)
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) { if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid()); *charptr = tilde_expand_filename(arg, getuid());
@ -348,37 +362,10 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
} }
break; break;
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.7p1/serverloop.c.coverity 2021-08-20 06:03:49.000000000 +0200
+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100 +++ openssh-8.7p1/serverloop.c 2021-08-30 16:28:22.416226981 +0200
@@ -125,13 +125,13 @@ notify_setup(void) @@ -547,7 +547,7 @@ server_request_tun(struct ssh *ssh)
static void
notify_parent(void)
{
- if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0)
(void)write(notify_pipe[1], "", 1);
}
static void
notify_prepare(fd_set *readset)
{
- if (notify_pipe[0] != -1)
+ if (notify_pipe[0] >= 0)
FD_SET(notify_pipe[0], readset);
}
static void
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
{
char c;
- if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
- while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
+ while (read(notify_pipe[0], &c, 1) >= 0)
debug2_f("reading");
}
@@ -518,7 +518,7 @@ server_request_tun(void)
debug_f("invalid tun"); debug_f("invalid tun");
goto done; goto done;
} }
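Review bot: The drain loop added in the new bsd-pselect.c hunk, `while (read(notify_pipe[0], &c, 1) >= 0)`, still treats a zero-byte return as "keep reading", so it terminates only when read() fails with -1; should the write end of the pipe ever be closed, the loop would spin on EOF. Since the hunk's purpose appears to be satisfying Coverity's negative-fd pattern rather than changing behaviour, `while (read(notify_pipe[0], &c, 1) > 0)` achieves both: the checker accepts it and the loop also stops on EOF, not just on error. Whether the pipe is non-blocking is presumably established in pselect_notify_setup, which is outside the hunk, so that part is inferred. The equivalent serverloop.c loop this commit removes from the patch had the same shape, so the tighter condition is only needed in the bsd-pselect.c hunk.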


@ -807,15 +807,6 @@ diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c
diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c
--- openssh-8.6p1/auth.c.audit 2021-05-06 12:05:27.304463967 +0200 --- openssh-8.6p1/auth.c.audit 2021-05-06 12:05:27.304463967 +0200
+++ openssh-8.6p1/auth.c 2021-05-06 12:05:27.378464540 +0200 +++ openssh-8.6p1/auth.c 2021-05-06 12:05:27.378464540 +0200
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica
# endif
#endif
#ifdef SSH_AUDIT_EVENTS
- if (authenticated == 0 && !authctxt->postponed)
+ if (authenticated == 0 && !authctxt->postponed && !partial)
audit_event(ssh, audit_classify_auth(method));
#endif
}
@@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha @@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha
record_failed_login(ssh, user, record_failed_login(ssh, user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
@ -1204,7 +1195,7 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
- ret = sshkey_verify(key, signature, signaturelen, data, datalen, - ret = sshkey_verify(key, signature, signaturelen, data, datalen,
- sigalg, ssh->compat, &sig_details); - sigalg, ssh->compat, &sig_details);
debug3_f("%s %p signature %s%s%s", auth_method, key, debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key),
(ret == 0) ? "verified" : "unverified", (ret == 0) ? "verified" : "unverified",
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
@@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session @@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
@ -2065,7 +2056,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
close_startup_pipes(void) close_startup_pipes(void)
{ {
@@ -377,18 +387,45 @@ grace_alarm_handler(int sig) @@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
ssh_remote_port(the_active_state)); }
} }
-/* Destroy the host and server keys. They will no longer be needed. */ -/* Destroy the host and server keys. They will no longer be needed. */
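Review bot: The auth.c hunk dropped from the audit patch carried the `&& !partial` guard on `audit_event(ssh, audit_classify_auth(method))` in auth_log; without it, a successful partial step of a multi-method authentication (authenticated == 0 with partial set) is audited as an authentication failure, unless the same guard now lives in a hunk this page does not show. Worth confirming against the rebased auth.c; if the guard was meant to stay, the one-line condition `if (authenticated == 0 && !authctxt->postponed && !partial)` belongs back in the patch. auth_log's body continues outside the hunk.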


@ -504,8 +504,8 @@ diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_keyex == -1) if (options->gss_keyex == -1)
@@ -506,7 +509,8 @@ typedef enum { @@ -506,7 +509,8 @@ typedef enum {
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sChallengeResponseAuthentication, - sKerberosGetAFSToken, sChallengeResponseAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache, + sKerberosGetAFSToken, sKerberosUniqueCCache,


@ -18,7 +18,7 @@ diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
@@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and KbdInteractiveAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems. +# problems.
#UsePAM no #UsePAM no


@ -337,7 +337,7 @@ diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Make
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200 --- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
@@ -92,7 +92,8 @@ PORTS= port-aix.o \ @@ -92,7 +92,8 @@ PORTS= port-aix.o \
port-linux.o \ port-prngd.o \
port-solaris.o \ port-solaris.o \
port-net.o \ port-net.o \
- port-uw.o - port-uw.o


@ -1,7 +1,7 @@
diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5 diff -up openssh-8.7p1/ssh_config.5.crypto-policies openssh-8.7p1/ssh_config.5
--- openssh-8.6p1/ssh_config.5.crypto-policies 2021-04-19 15:18:32.071920379 +0200 --- openssh-8.7p1/ssh_config.5.crypto-policies 2021-08-30 13:29:00.174292872 +0200
+++ openssh-8.6p1/ssh_config.5 2021-04-19 15:21:18.400179265 +0200 +++ openssh-8.7p1/ssh_config.5 2021-08-30 13:31:32.009548808 +0200
@@ -368,15 +368,13 @@ or @@ -373,17 +373,13 @@ or
.Qq *.c.example.com .Qq *.c.example.com
domains. domains.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
@ -14,15 +14,17 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
by certificate authorities (CAs). by certificate authorities (CAs).
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ecdsa-sha2-nistp256,
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, -ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256 -rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
-.Pp -.Pp
.Xr ssh 1 If the specified list begins with a
will not accept host certificates signed using algorithms other than those .Sq +
specified. character, then the specified algorithms will be appended to the default set
@@ -436,20 +434,25 @@ If the option is set to @@ -445,20 +441,25 @@ If the option is set to
(the default), (the default),
the check will not be executed. the check will not be executed.
.It Cm Ciphers .It Cm Ciphers
@ -52,7 +54,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
.Pp .Pp
The supported ciphers are: The supported ciphers are:
.Bd -literal -offset indent .Bd -literal -offset indent
@@ -465,13 +468,6 @@ aes256-gcm@openssh.com @@ -474,13 +475,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.Ed .Ed
.Pp .Pp
@ -66,7 +68,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
.It Cm ClearAllForwardings .It Cm ClearAllForwardings
@@ -826,6 +822,11 @@ command line will be passed untouched to @@ -874,6 +868,11 @@ command line will be passed untouched to
The default is The default is
.Dq no . .Dq no .
.It Cm GSSAPIKexAlgorithms .It Cm GSSAPIKexAlgorithms
@ -78,7 +80,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
The list of key exchange algorithms that are offered for GSSAPI The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are key exchange. Possible values are
.Bd -literal -offset 3n .Bd -literal -offset 3n
@@ -838,10 +839,8 @@ gss-nistp256-sha256-, @@ -886,10 +885,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256- gss-curve25519-sha256-
.Ed .Ed
.Pp .Pp
@ -90,7 +92,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
@@ -1169,29 +1168,25 @@ it may be zero or more of: @@ -1219,29 +1216,25 @@ it may be zero or more of:
and and
.Cm pam . .Cm pam .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -129,7 +131,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q kex .
@@ -1301,37 +1296,33 @@ function, and all code in the @@ -1351,37 +1344,33 @@ function, and all code in the
file. file.
This option is intended for debugging and no overrides are enabled by default. This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs .It Cm MACs
@ -176,7 +178,7 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost .It Cm NoHostAuthenticationForLocalhost
@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas @@ -1553,37 +1542,25 @@ instead of continuing to execute and pas
The default is The default is
.Cm no . .Cm no .
.It Cm PubkeyAcceptedAlgorithms .It Cm PubkeyAcceptedAlgorithms
@ -223,10 +225,10 @@ diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
.Pp .Pp
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms . .Qq ssh -Q PubkeyAcceptedAlgorithms .
diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5 diff -up openssh-8.7p1/sshd_config.5.crypto-policies openssh-8.7p1/sshd_config.5
--- openssh-8.6p1/sshd_config.5.crypto-policies 2021-04-19 15:18:32.062920311 +0200 --- openssh-8.7p1/sshd_config.5.crypto-policies 2021-08-30 13:29:00.157292731 +0200
+++ openssh-8.6p1/sshd_config.5 2021-04-19 15:20:42.591908243 +0200 +++ openssh-8.7p1/sshd_config.5 2021-08-30 13:32:16.263918533 +0200
@@ -373,15 +373,13 @@ If the argument is @@ -373,17 +373,13 @@ If the argument is
then no banner is displayed. then no banner is displayed.
By default, no banner is displayed. By default, no banner is displayed.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
@ -239,15 +241,17 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
by certificate authorities (CAs). by certificate authorities (CAs).
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ecdsa-sha2-nistp256,
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com, -ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256 -rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
-.Pp -.Pp
Certificates signed using other algorithms will not be accepted for If the specified list begins with a
public key or host-based authentication. .Sq +
.It Cm ChallengeResponseAuthentication character, then the specified algorithms will be appended to the default set
@@ -445,20 +443,25 @@ The default is @@ -450,20 +446,25 @@ The default is
indicating not to indicating not to
.Xr chroot 2 . .Xr chroot 2 .
.It Cm Ciphers .It Cm Ciphers
@ -277,7 +281,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
.Pp .Pp
The supported ciphers are: The supported ciphers are:
.Pp .Pp
@@ -485,13 +488,6 @@ aes256-gcm@openssh.com @@ -490,13 +491,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.El .El
.Pp .Pp
@ -291,7 +295,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
.It Cm ClientAliveCountMax .It Cm ClientAliveCountMax
@@ -680,21 +676,22 @@ For this to work @@ -685,21 +679,22 @@ For this to work
.Cm GSSAPIKeyExchange .Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client. needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms .It Cm GSSAPIKexAlgorithms
@ -324,7 +328,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
This option only applies to connections using GSSAPI. This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms .It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased Specifies the signature algorithms that will be accepted for hostbased
@@ -794,26 +791,13 @@ is specified, the location of the socket @@ -799,26 +794,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK .Ev SSH_AUTH_SOCK
environment variable. environment variable.
.It Cm HostKeyAlgorithms .It Cm HostKeyAlgorithms
@ -356,7 +360,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The list of available signature algorithms may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms . .Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts .It Cm IgnoreRhosts
@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi @@ -965,20 +947,25 @@ Specifies whether to look at .k5login fi
The default is The default is
.Cm yes . .Cm yes .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -386,7 +390,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The supported algorithms are: The supported algorithms are:
.Pp .Pp
.Bl -item -compact -offset indent .Bl -item -compact -offset indent
@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521 @@ -1010,15 +997,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com sntrup761x25519-sha512@openssh.com
.El .El
.Pp .Pp
@ -402,7 +406,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms . .Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress .It Cm ListenAddress
@@ -1097,21 +1077,26 @@ function, and all code in the @@ -1104,21 +1082,26 @@ function, and all code in the
file. file.
This option is intended for debugging and no overrides are enabled by default. This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs .It Cm MACs
@ -433,7 +437,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
.Pp .Pp
The algorithms that contain The algorithms that contain
.Qq -etm .Qq -etm
@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com @@ -1161,15 +1144,6 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com umac-128-etm@openssh.com
.El .El
.Pp .Pp
@ -449,7 +453,7 @@ diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
.It Cm Match .It Cm Match
@@ -1541,37 +1517,25 @@ or equivalent.) @@ -1548,37 +1522,25 @@ or equivalent.)
The default is The default is
.Cm yes . .Cm yes .
.It Cm PubkeyAcceptedAlgorithms .It Cm PubkeyAcceptedAlgorithms


@ -19,11 +19,10 @@ index e7549470..b68c1710 100644
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
srclimit.o sftp-server.o sftp-common.o \ srclimit.o sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff --git a/auth.c b/auth.c diff -up a/auth.c.gsskex b/auth.c
index 086b8ebb..687c57b4 100644 --- a/auth.c.gsskex 2021-08-20 06:03:49.000000000 +0200
--- a/auth.c +++ b/auth.c 2021-08-27 12:41:51.262788953 +0200
+++ b/auth.c @@ -402,7 +402,8 @@ auth_root_allowed(struct ssh *ssh, const
@@ -400,7 +400,8 @@ auth_root_allowed(struct ssh *ssh, const char *method)
case PERMIT_NO_PASSWD: case PERMIT_NO_PASSWD:
if (strcmp(method, "publickey") == 0 || if (strcmp(method, "publickey") == 0 ||
strcmp(method, "hostbased") == 0 || strcmp(method, "hostbased") == 0 ||
@ -33,18 +32,15 @@ index 086b8ebb..687c57b4 100644
return 1; return 1;
break; break;
case PERMIT_FORCED_ONLY: case PERMIT_FORCED_ONLY:
@@ -724,99 +725,6 @@ fakepw(void) @@ -730,97 +731,6 @@ fakepw(void)
return (&fake);
} }
-/* /*
- * Returns the remote DNS hostname as a string. The returned string must not - * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is - * be freed. NB. this will usually trigger a DNS query the first time it is
- * called. - * called.
- * This function does additional checks on the hostname to mitigate some - * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication. - * attacks on based on conflation of hostnames and IP addresses.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */ - */
- -
-static char * -static char *
@ -130,9 +126,10 @@ index 086b8ebb..687c57b4 100644
- return xstrdup(name); - return xstrdup(name);
-} -}
- -
/* -/*
* Return the canonical name of the host in the other side of the current * Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this * connection. The host name is cached, so it is efficient to call this
* several times.
diff --git a/auth2-gss.c b/auth2-gss.c diff --git a/auth2-gss.c b/auth2-gss.c
index 9351e042..d6446c0c 100644 index 9351e042..d6446c0c 100644
--- a/auth2-gss.c --- a/auth2-gss.c
@ -2933,10 +2930,9 @@ index 23ab096a..485590c1 100644
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
diff --git a/readconf.c b/readconf.c diff -up a/readconf.c.gsskex b/readconf.c
index f3cac6b3..da8022dd 100644 --- a/readconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
--- a/readconf.c +++ b/readconf.c 2021-08-27 12:25:42.556421509 +0200
+++ b/readconf.c
@@ -67,6 +67,7 @@ @@ -67,6 +67,7 @@
#include "uidswap.h" #include "uidswap.h"
#include "myproposal.h" #include "myproposal.h"
@ -2945,7 +2941,7 @@ index f3cac6b3..da8022dd 100644
/* Format of the configuration file: /* Format of the configuration file:
@@ -160,6 +161,8 @@ typedef enum { @@ -161,6 +162,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost, oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds, oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -2954,7 +2950,7 @@ index f3cac6b3..da8022dd 100644
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts, oHashKnownHosts,
@@ -204,10 +207,22 @@ static struct { @@ -206,10 +209,22 @@ static struct {
/* Sometimes-unsupported options */ /* Sometimes-unsupported options */
#if defined(GSSAPI) #if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
@ -2977,7 +2973,7 @@ index f3cac6b3..da8022dd 100644
#endif #endif
#ifdef ENABLE_PKCS11 #ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider }, { "pkcs11provider", oPKCS11Provider },
@@ -1029,10 +1044,42 @@ parse_time: @@ -1113,10 +1128,42 @@ parse_time:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -3006,7 +3002,7 @@ index f3cac6b3..da8022dd 100644
+ goto parse_flag; + goto parse_flag;
+ +
+ case oGssKexAlgorithms: + case oGssKexAlgorithms:
+ arg = strdelim(&s); + arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0') + if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", + fatal("%.200s line %d: Missing argument.",
+ filename, linenum); + filename, linenum);
@ -3020,9 +3016,9 @@ index f3cac6b3..da8022dd 100644
case oBatchMode: case oBatchMode:
intptr = &options->batch_mode; intptr = &options->batch_mode;
goto parse_flag; goto parse_flag;
@@ -1911,7 +1958,13 @@ initialize_options(Options * options) @@ -2306,7 +2353,13 @@ initialize_options(Options * options)
options->fwd_opts.streamlocal_bind_unlink = -1;
options->pubkey_authentication = -1; options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1; options->gss_authentication = -1;
+ options->gss_keyex = -1; + options->gss_keyex = -1;
options->gss_deleg_creds = -1; options->gss_deleg_creds = -1;
@ -3034,8 +3030,8 @@ index f3cac6b3..da8022dd 100644
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL; options->kbd_interactive_devices = NULL;
@@ -2059,8 +2112,18 @@ fill_default_options(Options * options) @@ -2463,8 +2516,18 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1; options->pubkey_authentication = 1;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
+ if (options->gss_keyex == -1) + if (options->gss_keyex == -1)
@ -3053,7 +3049,7 @@ index f3cac6b3..da8022dd 100644
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -2702,7 +2765,14 @@ dump_client_config(Options *o, const char *host) @@ -3246,7 +3309,14 @@ dump_client_config(Options *o, const cha
dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports);
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); dump_cfg_fmtint(oGssAuthentication, o->gss_authentication);
@ -3068,13 +3064,12 @@ index f3cac6b3..da8022dd 100644
#endif /* GSSAPI */ #endif /* GSSAPI */
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts); dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication); dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
diff --git a/readconf.h b/readconf.h diff -up a/readconf.h.gsskex b/readconf.h
index feedb3d2..a8a8870d 100644 --- a/readconf.h.gsskex 2021-08-27 12:05:29.248142431 +0200
--- a/readconf.h +++ b/readconf.h 2021-08-27 12:22:19.270679852 +0200
+++ b/readconf.h @@ -39,7 +39,13 @@ typedef struct {
@@ -41,7 +41,13 @@ typedef struct { int pubkey_authentication; /* Try ssh2 pubkey authentication. */
int challenge_response_authentication; int hostbased_authentication; /* ssh2's rhosts_rsa */
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */ int gss_authentication; /* Try GSS authentication */
+ int gss_keyex; /* Try GSS key exchange */ + int gss_keyex; /* Try GSS key exchange */
int gss_deleg_creds; /* Delegate GSS credentials */ int gss_deleg_creds; /* Delegate GSS credentials */
@ -3086,11 +3081,10 @@ index feedb3d2..a8a8870d 100644
int password_authentication; /* Try password int password_authentication; /* Try password
* authentication. */ * authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/servconf.c b/servconf.c diff -up a/servconf.c.gsskex b/servconf.c
index 70f5f73f..191575a1 100644 --- a/servconf.c.gsskex 2021-08-20 06:03:49.000000000 +0200
--- a/servconf.c +++ b/servconf.c 2021-08-27 12:28:15.887735189 +0200
+++ b/servconf.c @@ -70,6 +70,7 @@
@@ -69,6 +69,7 @@
#include "auth.h" #include "auth.h"
#include "myproposal.h" #include "myproposal.h"
#include "digest.h" #include "digest.h"
@ -3098,7 +3092,7 @@ index 70f5f73f..191575a1 100644
static void add_listen_addr(ServerOptions *, const char *, static void add_listen_addr(ServerOptions *, const char *,
const char *, int); const char *, int);
@@ -133,8 +134,11 @@ initialize_server_options(ServerOptions *options) @@ -136,8 +137,11 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
options->gss_authentication=-1; options->gss_authentication=-1;
@ -3109,8 +3103,8 @@ index 70f5f73f..191575a1 100644
+ options->gss_kex_algorithms = NULL; + options->gss_kex_algorithms = NULL;
options->password_authentication = -1; options->password_authentication = -1;
options->kbd_interactive_authentication = -1; options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1; options->permit_empty_passwd = -1;
@@ -375,10 +379,18 @@ fill_default_server_options(ServerOptions *options) @@ -356,10 +360,18 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
@ -3129,7 +3123,7 @@ index 70f5f73f..191575a1 100644
if (options->password_authentication == -1) if (options->password_authentication == -1)
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -531,6 +543,7 @@ typedef enum { @@ -506,6 +518,7 @@ typedef enum {
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@ -3137,7 +3131,7 @@ index 70f5f73f..191575a1 100644
sAcceptEnv, sSetEnv, sPermitTunnel, sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding, sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -607,12 +620,22 @@ static struct { @@ -587,12 +600,22 @@ static struct {
#ifdef GSSAPI #ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -3159,8 +3153,8 @@ index 70f5f73f..191575a1 100644
+ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, { "challengeresponseauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, /* alias */
@@ -1548,6 +1571,10 @@ process_server_config_line_depth(ServerOptions *options, char *line, @@ -1576,6 +1599,10 @@ process_server_config_line_depth(ServerO
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@ -3171,7 +3165,7 @@ index 70f5f73f..191575a1 100644
case sGssCleanupCreds: case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds; intptr = &options->gss_cleanup_creds;
goto parse_flag; goto parse_flag;
@@ -1556,6 +1583,22 @@ process_server_config_line_depth(ServerOptions *options, char *line, @@ -1584,6 +1611,22 @@ process_server_config_line_depth(ServerO
intptr = &options->gss_strict_acceptor; intptr = &options->gss_strict_acceptor;
goto parse_flag; goto parse_flag;
@ -3180,7 +3174,7 @@ index 70f5f73f..191575a1 100644
+ goto parse_flag; + goto parse_flag;
+ +
+ case sGssKexAlgorithms: + case sGssKexAlgorithms:
+ arg = strdelim(&cp); + arg = argv_next(&ac, &av);
+ if (!arg || *arg == '\0') + if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.", + fatal("%.200s line %d: Missing argument.",
+ filename, linenum); + filename, linenum);
@ -3194,7 +3188,7 @@ index 70f5f73f..191575a1 100644
case sPasswordAuthentication: case sPasswordAuthentication:
intptr = &options->password_authentication; intptr = &options->password_authentication;
goto parse_flag; goto parse_flag;
@@ -2777,6 +2820,10 @@ dump_config(ServerOptions *o) @@ -2892,6 +2935,10 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);


@ -120,10 +120,12 @@ diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in
# These all need to be compiled -fPIC, so they are treated differently. # These all need to be compiled -fPIC, so they are treated differently.
SK_DUMMY_OBJS=\ SK_DUMMY_OBJS=\
regress/misc/sk-dummy/sk-dummy.lo \ regress/misc/sk-dummy/sk-dummy.lo \
@@ -709,6 +724,7 @@ regress-unit-binaries: regress-prep $(RE @@ -711,7 +726,8 @@ regress-unit-binaries: regress-prep $(RE
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
regress/unittests/sshkey/test_sshkey$(EXEEXT) \ regress/unittests/sshkey/test_sshkey$(EXEEXT) \
regress/unittests/sshsig/test_sshsig$(EXEEXT) \ regress/unittests/sshsig/test_sshsig$(EXEEXT) \
regress/unittests/utf8/test_utf8$(EXEEXT) \ - regress/unittests/utf8/test_utf8$(EXEEXT)
+ regress/unittests/utf8/test_utf8$(EXEEXT) \
+ regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \ + regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
tests: file-tests t-exec interop-tests unit tests: file-tests t-exec interop-tests unit
@ -1379,8 +1381,8 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
CK_RV rv; CK_RV rv;
CK_ULONG i; CK_ULONG i;
- debug("pkcs11_provider_finalize: %p refcount %d valid %d", - debug_f("provider \"%s\" refcount %d valid %d",
- p, p->refcount, p->valid); - p->name, p->refcount, p->valid);
- if (!p->valid) - if (!p->valid)
+ debug_f("%p refcount %d valid %d", m, m->refcount, m->valid); + debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);
+ if (!m->valid) + if (!m->valid)
@ -1423,9 +1425,9 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
+} +}
+ +
+/* +/*
+ * finalize a provider shared libarary, it's no longer usable. + * finalize a provider shared library, it's no longer usable.
+ * however, there might still be keys referencing this provider, + * however, there might still be keys referencing this provider,
+ * so the actuall freeing of memory is handled by pkcs11_provider_unref(). + * so the actual freeing of memory is handled by pkcs11_provider_unref().
+ * this is called when a provider gets unregistered. + * this is called when a provider gets unregistered.
+ */ + */
+static void +static void
@ -1442,15 +1444,12 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
} }
/* /*
@@ -135,13 +178,11 @@ pkcs11_provider_finalize(struct pkcs11_p @@ -137,11 +180,9 @@ pkcs11_provider_unref(struct pkcs11_prov
static void
pkcs11_provider_unref(struct pkcs11_provider *p)
{ {
- debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount); debug_f("provider \"%s\" refcount %d", p->name, p->refcount);
+ debug_f("%p refcount %d", p, p->refcount);
if (--p->refcount <= 0) { if (--p->refcount <= 0) {
- if (p->valid) - if (p->valid)
- error("pkcs11_provider_unref: %p still valid", p); - error_f("provider \"%s\" still valid", p->name);
free(p->name); free(p->name);
- free(p->slotlist); - free(p->slotlist);
- free(p->slotinfo); - free(p->slotinfo);
@ -2123,16 +2122,16 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
+ key_attr[nattr].ulValueLen = strlen(uri->object); + key_attr[nattr].ulValueLen = strlen(uri->object);
+ nattr++; + nattr++;
+ } + }
+
+ session = p->module->slotinfo[slotidx].session;
+ f = p->module->function_list;
- rv = f->C_FindObjectsInit(session, key_attr, 1); - rv = f->C_FindObjectsInit(session, key_attr, 1);
+ session = p->module->slotinfo[slotidx].session;
+ f = p->module->function_list;
+
+ rv = f->C_FindObjectsInit(session, key_attr, nattr); + rv = f->C_FindObjectsInit(session, key_attr, nattr);
if (rv != CKR_OK) { if (rv != CKR_OK) {
error("C_FindObjectsInit failed: %lu", rv); error("C_FindObjectsInit failed: %lu", rv);
goto fail; goto fail;
@@ -1499,16 +1687,10 @@ pkcs11_ecdsa_generate_private_key(struct @@ -1499,16 +1690,10 @@ pkcs11_ecdsa_generate_private_key(struct
} }
#endif /* WITH_PKCS11_KEYGEN */ #endif /* WITH_PKCS11_KEYGEN */
@ -2237,17 +2236,17 @@ diff -up openssh-8.6p1/ssh-pkcs11.c.pkcs11-uri openssh-8.6p1/ssh-pkcs11.c
error("C_GetInfo for provider %s failed: %lu", error("C_GetInfo for provider %s failed: %lu",
- provider_id, rv); - provider_id, rv);
+ provider_module, rv); + provider_module, rv);
goto fail; + goto fail;
} + }
- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
+ rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID)); + rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
+ if (uri->lib_manuf != NULL && + if (uri->lib_manuf != NULL &&
+ strcmp(uri->lib_manuf, m->info.manufacturerID)) { + strcmp(uri->lib_manuf, m->info.manufacturerID)) {
+ debug_f("Skipping provider %s not matching library_manufacturer", + debug_f("Skipping provider %s not matching library_manufacturer",
+ m->info.manufacturerID); + m->info.manufacturerID);
+ goto fail; goto fail;
+ } }
- rmspace(p->info.manufacturerID, sizeof(p->info.manufacturerID));
- rmspace(p->info.libraryDescription, sizeof(p->info.libraryDescription));
+ rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription)); + rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d" debug("provider %s: manufacturerID <%s> cryptokiVersion %d.%d"
" libraryDescription <%s> libraryVersion %d.%d", " libraryDescription <%s> libraryVersion %d.%d",
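Review bot: The finalize trace `debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);` still logs a raw heap pointer, even though the upstream 8.7 line it replaces (`debug_f("provider \"%s\" refcount %d valid %d", p->name, p->refcount, p->valid);`) had moved to the provider's name, and the rebased pkcs11_provider_unref hunk below it now keeps upstream's name-based message rather than the old `%p` form; printing `%p` discloses heap layout in debug output for no diagnostic gain and is now inconsistent between the two functions. If the module struct carries an identifying string (the provider path, presumably), I would log that instead, e.g. `debug_f("module \"%s\" refcount %d valid %d", m-><module-name-field>, m->refcount, m->valid);` — the field name is not visible in this hunk, so confirm against the struct definition. Separately, the unref hunk drops upstream's `error_f("provider \"%s\" still valid", p->name);` check when the refcount reaches zero; if validity tracking has moved to the module object that is fine, otherwise the diagnostic for freeing a provider that was never finalized is lost. Both enclosing functions start or end outside this hunk.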


@ -1,320 +0,0 @@
diff --git a/channels.c b/channels.c
index 32d1f617..0024f751 100644
--- a/channels.c
+++ b/channels.c
@@ -333,7 +333,27 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
#endif
/* enable nonblocking mode */
- if (nonblock) {
+ c->restore_block = 0;
+ if (nonblock == CHANNEL_NONBLOCK_STDIO) {
+ /*
+ * Special handling for stdio file descriptors: do not set
+ * non-blocking mode if they are TTYs. Otherwise prepare to
+ * restore their blocking state on exit to avoid interfering
+ * with other programs that follow.
+ */
+ if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
+ c->restore_block |= CHANNEL_RESTORE_RFD;
+ set_nonblock(rfd);
+ }
+ if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
+ c->restore_block |= CHANNEL_RESTORE_WFD;
+ set_nonblock(wfd);
+ }
+ if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
+ c->restore_block |= CHANNEL_RESTORE_EFD;
+ set_nonblock(efd);
+ }
+ } else if (nonblock) {
if (rfd != -1)
set_nonblock(rfd);
if (wfd != -1)
@@ -422,17 +442,23 @@ channel_find_maxfd(struct ssh_channels *sc)
}
int
-channel_close_fd(struct ssh *ssh, int *fdp)
+channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
{
struct ssh_channels *sc = ssh->chanctxt;
- int ret = 0, fd = *fdp;
+ int ret, fd = *fdp;
- if (fd != -1) {
- ret = close(fd);
- *fdp = -1;
- if (fd == sc->channel_max_fd)
- channel_find_maxfd(sc);
- }
+ if (fd == -1)
+ return 0;
+
+ if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
+ (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
+ (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
+ (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
+
+ ret = close(fd);
+ *fdp = -1;
+ if (fd == sc->channel_max_fd)
+ channel_find_maxfd(sc);
return ret;
}
@@ -442,13 +468,13 @@ channel_close_fds(struct ssh *ssh, Channel *c)
{
int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
- channel_close_fd(ssh, &c->sock);
+ channel_close_fd(ssh, c, &c->sock);
if (rfd != sock)
- channel_close_fd(ssh, &c->rfd);
+ channel_close_fd(ssh, c, &c->rfd);
if (wfd != sock && wfd != rfd)
- channel_close_fd(ssh, &c->wfd);
+ channel_close_fd(ssh, c, &c->wfd);
if (efd != sock && efd != rfd && efd != wfd)
- channel_close_fd(ssh, &c->efd);
+ channel_close_fd(ssh, c, &c->efd);
}
static void
@@ -702,7 +728,7 @@ channel_stop_listening(struct ssh *ssh)
case SSH_CHANNEL_X11_LISTENER:
case SSH_CHANNEL_UNIX_LISTENER:
case SSH_CHANNEL_RUNIX_LISTENER:
- channel_close_fd(ssh, &c->sock);
+ channel_close_fd(ssh, c, &c->sock);
channel_free(ssh, c);
break;
}
@@ -1491,7 +1517,8 @@ channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
Channel *
channel_connect_stdio_fwd(struct ssh *ssh,
- const char *host_to_connect, u_short port_to_connect, int in, int out)
+ const char *host_to_connect, u_short port_to_connect,
+ int in, int out, int nonblock)
{
Channel *c;
@@ -1499,7 +1526,7 @@ channel_connect_stdio_fwd(struct ssh *ssh,
c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
-1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, "stdio-forward", /*nonblock*/0);
+ 0, "stdio-forward", nonblock);
c->path = xstrdup(host_to_connect);
c->host_port = port_to_connect;
@@ -1649,7 +1676,7 @@ channel_post_x11_listener(struct ssh *ssh, Channel *c,
if (c->single_connection) {
oerrno = errno;
debug2("single_connection: closing X11 listener.");
- channel_close_fd(ssh, &c->sock);
+ channel_close_fd(ssh, c, &c->sock);
chan_mark_dead(ssh, c);
errno = oerrno;
}
@@ -2058,7 +2085,7 @@ channel_handle_efd_write(struct ssh *ssh, Channel *c,
return 1;
if (len <= 0) {
debug2("channel %d: closing write-efd %d", c->self, c->efd);
- channel_close_fd(ssh, &c->efd);
+ channel_close_fd(ssh, c, &c->efd);
} else {
if ((r = sshbuf_consume(c->extended, len)) != 0)
fatal_fr(r, "channel %i: consume", c->self);
@@ -2087,7 +2114,7 @@ channel_handle_efd_read(struct ssh *ssh, Channel *c,
return 1;
if (len <= 0) {
debug2("channel %d: closing read-efd %d", c->self, c->efd);
- channel_close_fd(ssh, &c->efd);
+ channel_close_fd(ssh, c, &c->efd);
} else if (c->extended_usage == CHAN_EXTENDED_IGNORE)
debug3("channel %d: discard efd", c->self);
else if ((r = sshbuf_put(c->extended, buf, len)) != 0)
diff --git a/channels.h b/channels.h
index 378d987c..6bf86b00 100644
--- a/channels.h
+++ b/channels.h
@@ -63,6 +63,16 @@
#define CHANNEL_CANCEL_PORT_STATIC -1
+/* nonblocking flags for channel_new */
+#define CHANNEL_NONBLOCK_LEAVE 0 /* don't modify non-blocking state */
+#define CHANNEL_NONBLOCK_SET 1 /* set non-blocking state */
+#define CHANNEL_NONBLOCK_STDIO 2 /* set non-blocking and restore on close */
+
+/* c->restore_block mask flags */
+#define CHANNEL_RESTORE_RFD 0x01
+#define CHANNEL_RESTORE_WFD 0x02
+#define CHANNEL_RESTORE_EFD 0x04
+
/* TCP forwarding */
#define FORWARD_DENY 0
#define FORWARD_REMOTE (1)
@@ -139,6 +149,7 @@ struct Channel {
* to a matching pre-select handler.
* this way post-select handlers are not
* accidentally called if a FD gets reused */
+ int restore_block; /* fd mask to restore blocking status */
struct sshbuf *input; /* data read from socket, to be sent over
* encrypted connection */
struct sshbuf *output; /* data received over encrypted connection for
@@ -266,7 +277,7 @@ void channel_register_filter(struct ssh *, int, channel_infilter_fn *,
void channel_register_status_confirm(struct ssh *, int,
channel_confirm_cb *, channel_confirm_abandon_cb *, void *);
void channel_cancel_cleanup(struct ssh *, int);
-int channel_close_fd(struct ssh *, int *);
+int channel_close_fd(struct ssh *, Channel *, int *);
void channel_send_window_changes(struct ssh *);
/* mux proxy support */
@@ -313,7 +324,7 @@ Channel *channel_connect_to_port(struct ssh *, const char *, u_short,
char *, char *, int *, const char **);
Channel *channel_connect_to_path(struct ssh *, const char *, char *, char *);
Channel *channel_connect_stdio_fwd(struct ssh *, const char*,
- u_short, int, int);
+ u_short, int, int, int);
Channel *channel_connect_by_listen_address(struct ssh *, const char *,
u_short, char *, char *);
Channel *channel_connect_by_listen_path(struct ssh *, const char *,
diff --git a/clientloop.c b/clientloop.c
index 219f0e90..bdd67686 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1405,14 +1405,6 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg,
if (have_pty)
leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
- /* restore blocking io */
- if (!isatty(fileno(stdin)))
- unset_nonblock(fileno(stdin));
- if (!isatty(fileno(stdout)))
- unset_nonblock(fileno(stdout));
- if (!isatty(fileno(stderr)))
- unset_nonblock(fileno(stderr));
-
/*
* If there was no shell or command requested, there will be no remote
* exit status to be returned. In that case, clear error code if the
diff --git a/mux.c b/mux.c
index faf4ef1e..9454bfed 100644
--- a/mux.c
+++ b/mux.c
@@ -452,14 +452,6 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid,
if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
error_f("tcgetattr: %s", strerror(errno));
- /* enable nonblocking unless tty */
- if (!isatty(new_fd[0]))
- set_nonblock(new_fd[0]);
- if (!isatty(new_fd[1]))
- set_nonblock(new_fd[1]);
- if (!isatty(new_fd[2]))
- set_nonblock(new_fd[2]);
-
window = CHAN_SES_WINDOW_DEFAULT;
packetmax = CHAN_SES_PACKET_DEFAULT;
if (cctx->want_tty) {
@@ -469,7 +461,7 @@ mux_master_process_new_session(struct ssh *ssh, u_int rid,
nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
new_fd[0], new_fd[1], new_fd[2], window, packetmax,
- CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
+ CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
nc->ctl_chan = c->self; /* link session -> control channel */
c->remote_id = nc->self; /* link control -> session channel */
@@ -1025,13 +1017,8 @@ mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid,
}
}
- /* enable nonblocking unless tty */
- if (!isatty(new_fd[0]))
- set_nonblock(new_fd[0]);
- if (!isatty(new_fd[1]))
- set_nonblock(new_fd[1]);
-
- nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]);
+ nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
+ CHANNEL_NONBLOCK_STDIO);
free(chost);
nc->ctl_chan = c->self; /* link session -> control channel */
diff --git a/nchan.c b/nchan.c
index 4a4494b8..7ef3a350 100644
--- a/nchan.c
+++ b/nchan.c
@@ -384,7 +384,7 @@ chan_shutdown_write(struct ssh *ssh, Channel *c)
c->istate, c->ostate, strerror(errno));
}
} else {
- if (channel_close_fd(ssh, &c->wfd) < 0) {
+ if (channel_close_fd(ssh, c, &c->wfd) < 0) {
logit_f("channel %d: close() failed for "
"fd %d [i%d o%d]: %.100s", c->self, c->wfd,
c->istate, c->ostate, strerror(errno));
@@ -412,7 +412,7 @@ chan_shutdown_read(struct ssh *ssh, Channel *c)
c->istate, c->ostate, strerror(errno));
}
} else {
- if (channel_close_fd(ssh, &c->rfd) < 0) {
+ if (channel_close_fd(ssh, c, &c->rfd) < 0) {
logit_f("channel %d: close() failed for "
"fd %d [i%d o%d]: %.100s", c->self, c->rfd,
c->istate, c->ostate, strerror(errno));
@@ -431,7 +431,7 @@ chan_shutdown_extended_read(struct ssh *ssh, Channel *c)
debug_f("channel %d: (i%d o%d sock %d wfd %d efd %d [%s])",
c->self, c->istate, c->ostate, c->sock, c->rfd, c->efd,
channel_format_extended_usage(c));
- if (channel_close_fd(ssh, &c->efd) < 0) {
+ if (channel_close_fd(ssh, c, &c->efd) < 0) {
logit_f("channel %d: close() failed for "
"extended fd %d [i%d o%d]: %.100s", c->self, c->efd,
c->istate, c->ostate, strerror(errno));
diff --git a/ssh.c b/ssh.c
index 696dc3bc..6243db76 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1876,9 +1876,10 @@ ssh_init_stdio_forwarding(struct ssh *ssh)
if ((in = dup(STDIN_FILENO)) == -1 ||
(out = dup(STDOUT_FILENO)) == -1)
- fatal("channel_connect_stdio_fwd: dup() in/out failed");
+ fatal_f("dup() in/out failed");
if ((c = channel_connect_stdio_fwd(ssh, options.stdio_forward_host,
- options.stdio_forward_port, in, out)) == NULL)
+ options.stdio_forward_port, in, out,
+ CHANNEL_NONBLOCK_STDIO)) == NULL)
fatal_f("channel_connect_stdio_fwd failed");
channel_register_cleanup(ssh, c->self, client_cleanup_stdio_fwd, 0);
channel_register_open_confirm(ssh, c->self, ssh_stdio_confirm, NULL);
@@ -2074,14 +2075,6 @@ ssh_session2_open(struct ssh *ssh)
if (in == -1 || out == -1 || err == -1)
fatal("dup() in/out/err failed");
- /* enable nonblocking unless tty */
- if (!isatty(in))
- set_nonblock(in);
- if (!isatty(out))
- set_nonblock(out);
- if (!isatty(err))
- set_nonblock(err);
-
window = CHAN_SES_WINDOW_DEFAULT;
packetmax = CHAN_SES_PACKET_DEFAULT;
if (tty_flag) {
@@ -2091,7 +2084,7 @@ ssh_session2_open(struct ssh *ssh)
c = channel_new(ssh,
"session", SSH_CHANNEL_OPENING, in, out, err,
window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
+ "client-session", CHANNEL_NONBLOCK_STDIO);
debug3_f("channel_new: %d", c->self);


@ -1,57 +0,0 @@
--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
+++ compat.h 2020-10-05 10:10:17.587733113 -0700
@@ -34,7 +34,7 @@
#define SSH_BUG_UTF8TTYMODE 0x00000001
#define SSH_BUG_SIGTYPE 0x00000002
-/* #define unused 0x00000004 */
+#define SSH_BUG_SIGTYPE74 0x00000004
/* #define unused 0x00000008 */
#define SSH_OLD_SESSIONID 0x00000010
/* #define unused 0x00000020 */
--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
+++ compat.c 2020-10-05 10:13:11.637282492 -0700
@@ -65,11 +65,12 @@
{ "OpenSSH_6.5*,"
"OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
SSH_BUG_SIGTYPE},
+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
+ SSH_BUG_SIGTYPE74},
{ "OpenSSH_7.0*,"
"OpenSSH_7.1*,"
"OpenSSH_7.2*,"
"OpenSSH_7.3*,"
- "OpenSSH_7.4*,"
"OpenSSH_7.5*,"
"OpenSSH_7.6*,"
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
@@ -1305,6 +1305,26 @@
break;
}
free(oallowed);
+ /*
+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
+ * support. For that release, check the local policy against the
+ * SHA2 signature types.
+ */
+ if (alg == NULL &&
+ (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) {
+ oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
+ while ((cp = strsep(&allowed, ",")) != NULL) {
+ if (sshkey_type_from_name(cp) != key->type)
+ continue;
+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
+ if (tmp != NULL)
+ alg = xstrdup(cp);
+ free(tmp);
+ if (alg != NULL)
+ break;
+ }
+ free(oallowed);
+ }
return alg;
}