Hostbased ssh authentication fails if session ID contains a '/'

Resolves: rhbz#1963059

openssh-7.8p1-role-mls.patch

@@ -179,10 +179,10 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
  	}
  	return NULL;
  }
-diff -up openssh/monitor.c.role-mls openssh/monitor.c
---- openssh/monitor.c.role-mls	2018-08-20 07:57:29.000000000 +0200
-+++ openssh/monitor.c	2018-08-22 11:19:56.006844867 +0200
-@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *)
+diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
+--- openssh-8.6p1/monitor.c.role-mls	2021-04-16 05:55:25.000000000 +0200
++++ openssh-8.6p1/monitor.c	2021-05-21 14:21:56.719414087 +0200
+@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
  int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
  int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
  int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@@ -192,7 +192,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
  int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
  int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
  int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
-@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -202,7 +202,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -796,6 +802,9 @@ mm_answer_pwnamallow(int sock, struct ss
+@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
  
  	/* Allow service/style information on the auth context */
  	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -212,7 +212,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
  	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
  
  #ifdef USE_PAM
-@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb
+@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
  	return found;
  }
  
@@ -239,7 +239,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
  int
  mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
  {
-@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
  {
  	struct sshbuf *b;
  	const u_char *p;
@@ -248,7 +248,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
  	size_t len;
  	u_char type;
  	int r, fail = 0;
-@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
  		fail++;
  	if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
  		fatal_fr(r, "parse userstyle");
@@ -257,7 +257,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
  	xasprintf(&userstyle, "%s%s%s", authctxt->user,
  	    authctxt->style ? ":" : "",
  	    authctxt->style ? authctxt->style : "");
-@@ -1286,7 +1317,7 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
  {
  	struct sshbuf *b;
  	const u_char *p;
@@ -266,11 +266,11 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
  	size_t len;
  	int r, fail = 0;
  	u_char type;
-@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
  		fail++;
  	if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
  		fatal_fr(r, "parse userstyle");
-+	if ((s = strchr(p, '/')) != NULL)
++	if ((s = strchr(cp, '/')) != NULL)
 +		*s = '\0';
  	xasprintf(&userstyle, "%s%s%s", authctxt->user,
  	    authctxt->style ? ":" : "",

openssh.spec

@@ -659,6 +659,9 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Fri May 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-3
+- Hostbased ssh authentication fails if session ID contains a '/' (#1963059)
+
 * Mon May 10 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-2
 - restore the blocking mode on standard output (#1942901)