From fcef7f6231a8dba8483489a93f1be27fabedbcb6 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Tue, 9 Apr 2013 23:22:42 +0200 Subject: [PATCH] keep track of which IndentityFile options were manually supplied and which were default options, and don't warn if the latter are missing. (mindrot#2084) --- openssh-6.2p1-track-IdentifyFile.patch | 235 +++++++++++++++++++++++++ openssh.spec | 3 + 2 files changed, 238 insertions(+) create mode 100644 openssh-6.2p1-track-IdentifyFile.patch diff --git a/openssh-6.2p1-track-IdentifyFile.patch b/openssh-6.2p1-track-IdentifyFile.patch new file mode 100644 index 0000000..3124781 --- /dev/null +++ b/openssh-6.2p1-track-IdentifyFile.patch @@ -0,0 +1,235 @@ +diff --git a/readconf.c b/readconf.c +index 99c04a9..375ca32 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: readconf.c,v 1.194 2011/09/23 07:45:05 markus Exp $ */ ++/* $OpenBSD: readconf.c,v 1.196 2013/02/22 04:45:08 dtucker Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -337,6 +337,26 @@ clear_forwardings(Options *options) + options->tun_open = SSH_TUNMODE_NO; + } + ++void ++add_identity_file(Options *options, const char *dir, const char *filename, ++ int userprovided) ++{ ++ char *path; ++ ++ if (options->num_identity_files >= SSH_MAX_IDENTITY_FILES) ++ fatal("Too many identity files specified (max %d)", ++ SSH_MAX_IDENTITY_FILES); ++ ++ if (dir == NULL) /* no dir, filename is absolute */ ++ path = xstrdup(filename); ++ else ++ (void)xasprintf(&path, "%.100s%.100s", dir, filename); ++ ++ options->identity_file_userprovided[options->num_identity_files] = ++ userprovided; ++ options->identity_files[options->num_identity_files++] = path; ++} ++ + /* + * Returns the number of the token pointed to by cp or oBadOption. + */ +@@ -364,7 +384,7 @@ parse_token(const char *cp, const char *filename, int linenum) + int + process_config_line(Options *options, const char *host, + char *line, const char *filename, int linenum, +- int *activep) ++ int *activep, int userconfig) + { + char *s, **charptr, *endofnumber, *keyword, *arg, *arg2; + char **cpptr, fwdarg[256]; +@@ -617,9 +637,7 @@ parse_yesnoask: + if (*intptr >= SSH_MAX_IDENTITY_FILES) + fatal("%.200s line %d: Too many identity files specified (max %d).", + filename, linenum, SSH_MAX_IDENTITY_FILES); +- charptr = &options->identity_files[*intptr]; +- *charptr = xstrdup(arg); +- *intptr = *intptr + 1; ++ add_identity_file(options, NULL, arg, userconfig); + } + break; + +@@ -1106,7 +1124,7 @@ parse_int: + + int + read_config_file(const char *filename, const char *host, Options *options, +- int checkperm) ++ int flags) + { + FILE *f; + char line[1024]; +@@ -1116,7 +1134,7 @@ read_config_file(const char *filename, const char *host, Options *options, + if ((f = fopen(filename, "r")) == NULL) + return 0; + +- if (checkperm) { ++ if (flags & SSHCONF_CHECKPERM) { + struct stat sb; + + if (fstat(fileno(f), &sb) == -1) +@@ -1137,7 +1155,8 @@ read_config_file(const char *filename, const char *host, Options *options, + while (fgets(line, sizeof(line), f)) { + /* Update line number counter. */ + linenum++; +- if (process_config_line(options, host, line, filename, linenum, &active) != 0) ++ if (process_config_line(options, host, line, filename, linenum, ++ &active, flags & SSHCONF_USERCONF) != 0) + bad_options++; + } + fclose(f); +@@ -1322,30 +1341,17 @@ fill_default_options(Options * options) + options->protocol = SSH_PROTO_2; + if (options->num_identity_files == 0) { + if (options->protocol & SSH_PROTO_1) { +- len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1; +- options->identity_files[options->num_identity_files] = +- xmalloc(len); +- snprintf(options->identity_files[options->num_identity_files++], +- len, "~/%.100s", _PATH_SSH_CLIENT_IDENTITY); ++ add_identity_file(options, "~/", ++ _PATH_SSH_CLIENT_IDENTITY, 0); + } + if (options->protocol & SSH_PROTO_2) { +- len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1; +- options->identity_files[options->num_identity_files] = +- xmalloc(len); +- snprintf(options->identity_files[options->num_identity_files++], +- len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA); +- +- len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1; +- options->identity_files[options->num_identity_files] = +- xmalloc(len); +- snprintf(options->identity_files[options->num_identity_files++], +- len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA); ++ add_identity_file(options, "~/", ++ _PATH_SSH_CLIENT_ID_RSA, 0); ++ add_identity_file(options, "~/", ++ _PATH_SSH_CLIENT_ID_DSA, 0); + #ifdef OPENSSL_HAS_ECC +- len = 2 + strlen(_PATH_SSH_CLIENT_ID_ECDSA) + 1; +- options->identity_files[options->num_identity_files] = +- xmalloc(len); +- snprintf(options->identity_files[options->num_identity_files++], +- len, "~/%.100s", _PATH_SSH_CLIENT_ID_ECDSA); ++ add_identity_file(options, "~/", ++ _PATH_SSH_CLIENT_ID_ECDSA, 0); + #endif + } + } +diff --git a/readconf.h b/readconf.h +index 41f1bef..0835cb6 100644 +--- a/readconf.h ++++ b/readconf.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: readconf.h,v 1.91 2011/09/23 07:45:05 markus Exp $ */ ++/* $OpenBSD: readconf.h,v 1.93 2013/02/22 04:45:09 dtucker Exp $ */ + + /* + * Author: Tatu Ylonen +@@ -101,6 +101,7 @@ typedef struct { + + int num_identity_files; /* Number of files for RSA/DSA identities. */ + char *identity_files[SSH_MAX_IDENTITY_FILES]; ++ int identity_file_userprovided[SSH_MAX_IDENTITY_FILES]; + Key *identity_keys[SSH_MAX_IDENTITY_FILES]; + + /* Local TCP/IP forward requests. */ +@@ -153,15 +154,20 @@ typedef struct { + #define REQUEST_TTY_YES 2 + #define REQUEST_TTY_FORCE 3 + ++#define SSHCONF_CHECKPERM 1 /* check permissions on config file */ ++#define SSHCONF_USERCONF 2 /* user provided config file not system */ ++ + void initialize_options(Options *); + void fill_default_options(Options *); + int read_config_file(const char *, const char *, Options *, int); + int parse_forward(Forward *, const char *, int, int); + + int +-process_config_line(Options *, const char *, char *, const char *, int, int *); ++process_config_line(Options *, const char *, char *, const char *, int, int *, ++ int); + + void add_local_forward(Options *, const Forward *); + void add_remote_forward(Options *, const Forward *); ++void add_identity_file(Options *, const char *, const char *, int); + + #endif /* READCONF_H */ +diff --git a/ssh.c b/ssh.c +index 21b3fc7..606d449 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh.c,v 1.370 2012/07/06 01:47:38 djm Exp $ */ ++/* $OpenBSD: ssh.c,v 1.372 2013/02/22 04:45:09 dtucker Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -414,12 +414,7 @@ main(int ac, char **av) + strerror(errno)); + break; + } +- if (options.num_identity_files >= +- SSH_MAX_IDENTITY_FILES) +- fatal("Too many identity files specified " +- "(max %d)", SSH_MAX_IDENTITY_FILES); +- options.identity_files[options.num_identity_files++] = +- xstrdup(optarg); ++ add_identity_file(&options, NULL, optarg, 1); + break; + case 'I': + #ifdef ENABLE_PKCS11 +@@ -593,7 +588,8 @@ main(int ac, char **av) + dummy = 1; + line = xstrdup(optarg); + if (process_config_line(&options, host ? host : "", +- line, "command-line", 0, &dummy) != 0) ++ line, "command-line", 0, &dummy, SSHCONF_USERCONF) ++ != 0) + exit(255); + xfree(line); + break; +@@ -686,14 +682,15 @@ main(int ac, char **av) + * file if the user specifies a config file on the command line. + */ + if (config != NULL) { +- if (!read_config_file(config, host, &options, 0)) ++ if (!read_config_file(config, host, &options, SSHCONF_USERCONF)) + fatal("Can't open user config file %.100s: " + "%.100s", config, strerror(errno)); + } else { + r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, + _PATH_SSH_USER_CONFFILE); + if (r > 0 && (size_t)r < sizeof(buf)) +- (void)read_config_file(buf, host, &options, 1); ++ (void)read_config_file(buf, host, &options, ++ SSHCONF_CHECKPERM|SSHCONF_USERCONF); + + /* Read systemwide configuration file after user config. */ + (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, +diff --git a/sshconnect2.c b/sshconnect2.c +index 350abb5..a8b6276 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshconnect2.c,v 1.191 2013/02/15 00:21:01 dtucker Exp $ */ ++/* $OpenBSD: sshconnect2.c,v 1.192 2013/02/17 23:16:57 dtucker Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2008 Damien Miller. All rights reserved. +@@ -1515,7 +1515,7 @@ pubkey_prepare(Authctxt *authctxt) + id = xcalloc(1, sizeof(*id)); + id->key = key; + id->filename = xstrdup(options.identity_files[i]); +- id->userprovided = 1; ++ id->userprovided = options.identity_file_userprovided[i]; + TAILQ_INSERT_TAIL(&files, id, next); + } + /* Prefer PKCS11 keys that are explicitly listed */ diff --git a/openssh.spec b/openssh.spec index c8e0ca8..e7fd647 100644 --- a/openssh.spec +++ b/openssh.spec @@ -216,6 +216,8 @@ Patch904: openssh-6.1p1-change-max-startups.patch # build regress/modpipe tests with $(CFLAGS), based on # http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-March/031167.html Patch905: openssh-6.2p1-modpipe-cflags.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=2084 +Patch906: openssh-6.2p1-track-IdentifyFile.patch #--- #https://bugzilla.mindrot.org/show_bug.cgi?id=1604 @@ -465,6 +467,7 @@ popd # %patch903 -p1 -b .required-authentication # %patch904 -p1 -b .max-startups %patch905 -p1 -b .modpipe-cflags +%patch906 -p1 -b .identityfile %if 0 # Nothing here yet