improove ssk-keycat
This commit is contained in:
Jan F
parent
04fc86e945
commit
1499a28f37
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit1 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit1 2011-01-17 11:15:29.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -305,6 +305,12 @@ audit_run_command(const char *command)
|
||||
}
|
||||
|
||||
@ -16,7 +16,7 @@ diff -up openssh-5.8p1/audit-bsm.c.audit1 openssh-5.8p1/audit-bsm.c
|
||||
/* not implemented */
|
||||
diff -up openssh-5.8p1/audit.c.audit1 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit1 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -182,5 +182,18 @@ audit_run_command(const char *command)
|
||||
debug("audit run command euid %d user %s command '%.200s'", geteuid(),
|
||||
audit_username(), command);
|
||||
@ -38,7 +38,7 @@ diff -up openssh-5.8p1/audit.c.audit1 openssh-5.8p1/audit.c
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit1 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit1 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -52,6 +52,7 @@ void audit_event(ssh_audit_event_t);
|
||||
void audit_session_open(struct logininfo *);
|
||||
void audit_session_close(struct logininfo *);
|
||||
@ -49,7 +49,7 @@ diff -up openssh-5.8p1/audit.h.audit1 openssh-5.8p1/audit.h
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit1 2011-01-17 11:15:30.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -35,13 +35,20 @@
|
||||
|
||||
#include "log.h"
|
||||
@ -179,7 +179,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||
+{
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_END);
|
||||
+ if (!--user_login_count)
|
||||
+ if (user_login_count && !--user_login_count)
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
|
||||
}
|
||||
@ -203,7 +203,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||
- /* not implemented */
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_END);
|
||||
+ if (!--user_login_count)
|
||||
+ if (user_login_count && !--user_login_count)
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_LOGOUT);
|
||||
}
|
||||
@ -259,7 +259,7 @@ diff -up openssh-5.8p1/audit-linux.c.audit1 openssh-5.8p1/audit-linux.c
|
||||
default:
|
||||
diff -up openssh-5.8p1/monitor.c.audit1 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit1 2010-09-10 03:23:34.000000000 +0200
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -177,6 +177,7 @@ int mm_answer_gss_checkmic(int, Buffer *
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
int mm_answer_audit_event(int, Buffer *);
|
||||
@ -307,7 +307,7 @@ diff -up openssh-5.8p1/monitor.c.audit1 openssh-5.8p1/monitor.c
|
||||
void
|
||||
diff -up openssh-5.8p1/monitor.h.audit1 openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.audit1 2008-11-05 06:20:46.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -60,6 +60,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
|
||||
MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
|
||||
@ -318,7 +318,7 @@ diff -up openssh-5.8p1/monitor.h.audit1 openssh-5.8p1/monitor.h
|
||||
MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit1 openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit1 2010-08-31 14:41:14.000000000 +0200
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -1163,6 +1163,20 @@ mm_audit_run_command(const char *command
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
|
||||
buffer_free(&m);
|
||||
@ -342,7 +342,7 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit1 openssh-5.8p1/monitor_wrap.c
|
||||
#ifdef GSSAPI
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit1 openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit1 2009-03-05 14:58:22.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -74,6 +74,7 @@ void mm_sshpam_free_ctx(void *);
|
||||
#include "audit.h"
|
||||
void mm_audit_event(ssh_audit_event_t);
|
||||
@ -353,7 +353,7 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit1 openssh-5.8p1/monitor_wrap.h
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/session.c.audit1 openssh-5.8p1/session.c
|
||||
--- openssh-5.8p1/session.c.audit1 2010-12-01 02:02:59.000000000 +0100
|
||||
+++ openssh-5.8p1/session.c 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/session.c 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -809,14 +809,16 @@ do_exec(Session *s, const char *command)
|
||||
}
|
||||
|
||||
@ -388,7 +388,7 @@ diff -up openssh-5.8p1/session.c.audit1 openssh-5.8p1/session.c
|
||||
if (s->display)
|
||||
diff -up openssh-5.8p1/session.h.audit1 openssh-5.8p1/session.h
|
||||
--- openssh-5.8p1/session.h.audit1 2008-05-19 07:34:50.000000000 +0200
|
||||
+++ openssh-5.8p1/session.h 2011-02-24 13:49:49.000000000 +0100
|
||||
+++ openssh-5.8p1/session.h 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -60,6 +60,11 @@ struct Session {
|
||||
char *name;
|
||||
char *val;
|
||||
@ -402,8 +402,8 @@ diff -up openssh-5.8p1/session.h.audit1 openssh-5.8p1/session.h
|
||||
|
||||
void do_authenticated(Authctxt *);
|
||||
diff -up openssh-5.8p1/sshd.c.audit1 openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit1 2011-02-24 13:50:29.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-24 13:50:47.000000000 +0100
|
||||
--- openssh-5.8p1/sshd.c.audit1 2011-01-11 07:20:31.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-28 22:39:02.000000000 +0100
|
||||
@@ -2342,7 +2342,8 @@ cleanup_exit(int i)
|
||||
do_cleanup(the_authctxt);
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
|
||||
@ -1,21 +0,0 @@
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit1a openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit1a 2011-02-28 14:45:40.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-28 14:46:50.000000000 +0100
|
||||
@@ -155,7 +155,7 @@ audit_end_command(const char *command)
|
||||
{
|
||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||
NULL, "ssh", 1, AUDIT_USER_END);
|
||||
- if (!--user_login_count)
|
||||
+ if (user_login_count && !--user_login_count)
|
||||
linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, get_remote_name_or_ip(utmp_len, options.use_dns),
|
||||
NULL, "ssh", 1, AUDIT_USER_LOGOUT);
|
||||
}
|
||||
@@ -175,7 +175,7 @@ audit_session_close(struct logininfo *li
|
||||
{
|
||||
linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
NULL, li->line, 1, AUDIT_USER_END);
|
||||
- if (!--user_login_count)
|
||||
+ if (user_login_count && !--user_login_count)
|
||||
linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
NULL, li->line, 1, AUDIT_USER_LOGOUT);
|
||||
}
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/audit-bsm.c.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-28 23:07:12.000000000 +0100
|
||||
@@ -401,4 +401,10 @@ audit_kex_body(int ctos, char *enc, char
|
||||
{
|
||||
/* not implemented */
|
||||
@ -13,8 +13,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit4 openssh-5.8p1/audit-bsm.c
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/audit.c.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-28 23:07:12.000000000 +0100
|
||||
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
|
||||
PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
|
||||
}
|
||||
@ -45,8 +45,8 @@ diff -up openssh-5.8p1/audit.c.audit4 openssh-5.8p1/audit.c
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/audit.h.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-28 23:07:12.000000000 +0100
|
||||
@@ -61,5 +61,7 @@ void audit_unsupported(int);
|
||||
void audit_kex(int, char *, char *, char *);
|
||||
void audit_unsupported_body(int);
|
||||
@ -56,8 +56,8 @@ diff -up openssh-5.8p1/audit.h.audit4 openssh-5.8p1/audit.h
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/audit-linux.c.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-28 23:07:12.000000000 +0100
|
||||
@@ -285,6 +285,8 @@ audit_unsupported_body(int what)
|
||||
#endif
|
||||
}
|
||||
@ -107,8 +107,8 @@ diff -up openssh-5.8p1/audit-linux.c.audit4 openssh-5.8p1/audit-linux.c
|
||||
+
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
|
||||
--- openssh-5.8p1/auditstub.c.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/auditstub.c 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/auditstub.c.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/auditstub.c 2011-02-28 23:07:12.000000000 +0100
|
||||
@@ -27,6 +27,8 @@
|
||||
* Red Hat author: Jan F. Chadima <jchadima@redhat.com>
|
||||
*/
|
||||
@ -132,8 +132,8 @@ diff -up openssh-5.8p1/auditstub.c.audit4 openssh-5.8p1/auditstub.c
|
||||
+{
|
||||
+}
|
||||
diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
|
||||
--- openssh-5.8p1/kex.c.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.c 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/kex.c.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.c 2011-02-28 23:07:12.000000000 +0100
|
||||
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
@ -171,7 +171,7 @@ diff -up openssh-5.8p1/kex.c.audit4 openssh-5.8p1/kex.c
|
||||
+
|
||||
diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
|
||||
--- openssh-5.8p1/kex.h.audit4 2010-09-24 14:11:14.000000000 +0200
|
||||
+++ openssh-5.8p1/kex.h 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/kex.h 2011-02-28 23:07:12.000000000 +0100
|
||||
@@ -156,6 +156,8 @@ void kexgex_server(Kex *);
|
||||
void kexecdh_client(Kex *);
|
||||
void kexecdh_server(Kex *);
|
||||
@ -183,7 +183,7 @@ diff -up openssh-5.8p1/kex.h.audit4 openssh-5.8p1/kex.h
|
||||
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
|
||||
diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
|
||||
--- openssh-5.8p1/mac.c.audit4 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.8p1/mac.c 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/mac.c 2011-02-28 23:07:12.000000000 +0100
|
||||
@@ -162,6 +162,20 @@ mac_clear(Mac *mac)
|
||||
mac->umac_ctx = NULL;
|
||||
}
|
||||
@ -207,15 +207,15 @@ diff -up openssh-5.8p1/mac.c.audit4 openssh-5.8p1/mac.c
|
||||
int
|
||||
diff -up openssh-5.8p1/mac.h.audit4 openssh-5.8p1/mac.h
|
||||
--- openssh-5.8p1/mac.h.audit4 2007-06-11 06:01:42.000000000 +0200
|
||||
+++ openssh-5.8p1/mac.h 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/mac.h 2011-02-28 23:07:13.000000000 +0100
|
||||
@@ -28,3 +28,4 @@ int mac_setup(Mac *, char *);
|
||||
int mac_init(Mac *);
|
||||
u_char *mac_compute(Mac *, u_int32_t, u_char *, int);
|
||||
void mac_clear(Mac *);
|
||||
+void mac_destroy(Mac *);
|
||||
diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/monitor.c.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-28 23:07:13.000000000 +0100
|
||||
@@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer
|
||||
int mm_answer_audit_end_command(int, Buffer *);
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
@ -311,8 +311,8 @@ diff -up openssh-5.8p1/monitor.c.audit4 openssh-5.8p1/monitor.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/monitor.h.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-28 23:07:13.000000000 +0100
|
||||
@@ -69,6 +69,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
@ -322,8 +322,8 @@ diff -up openssh-5.8p1/monitor.h.audit4 openssh-5.8p1/monitor.h
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-28 23:07:13.000000000 +0100
|
||||
@@ -601,12 +601,14 @@ mm_send_keystate(struct monitor *monitor
|
||||
fatal("%s: conversion of newkeys failed", __func__);
|
||||
|
||||
@ -360,8 +360,8 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit4 openssh-5.8p1/monitor_wrap.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-28 23:07:13.000000000 +0100
|
||||
@@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
|
||||
void mm_audit_end_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
@ -372,7 +372,7 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit4 openssh-5.8p1/monitor_wrap.h
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
||||
--- openssh-5.8p1/packet.c.audit4 2010-11-24 00:46:37.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.c 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.c 2011-02-28 23:07:13.000000000 +0100
|
||||
@@ -60,6 +60,7 @@
|
||||
#include <signal.h>
|
||||
|
||||
@ -532,7 +532,7 @@ diff -up openssh-5.8p1/packet.c.audit4 openssh-5.8p1/packet.c
|
||||
+
|
||||
diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
|
||||
--- openssh-5.8p1/packet.h.audit4 2010-11-20 05:19:38.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.h 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/packet.h 2011-02-28 23:07:13.000000000 +0100
|
||||
@@ -125,4 +125,5 @@ void packet_restore_state(void);
|
||||
void *packet_get_input(void);
|
||||
void *packet_get_output(void);
|
||||
@ -540,8 +540,8 @@ diff -up openssh-5.8p1/packet.h.audit4 openssh-5.8p1/packet.h
|
||||
+void packet_destroy_all(int, int);
|
||||
#endif /* PACKET_H */
|
||||
diff -up openssh-5.8p1/session.c.audit4 openssh-5.8p1/session.c
|
||||
--- openssh-5.8p1/session.c.audit4 2011-02-24 13:54:01.000000000 +0100
|
||||
+++ openssh-5.8p1/session.c 2011-02-24 13:54:02.000000000 +0100
|
||||
--- openssh-5.8p1/session.c.audit4 2011-02-28 23:07:11.000000000 +0100
|
||||
+++ openssh-5.8p1/session.c 2011-02-28 23:07:13.000000000 +0100
|
||||
@@ -1617,6 +1617,9 @@ do_child(Session *s, const char *command
|
||||
|
||||
/* remove hostkey from the child's memory */
|
||||
@ -553,8 +553,8 @@ diff -up openssh-5.8p1/session.c.audit4 openssh-5.8p1/session.c
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit4 2011-02-24 13:54:02.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-24 13:55:09.000000000 +0100
|
||||
--- openssh-5.8p1/sshd.c.audit4 2011-02-28 23:07:12.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-28 23:07:13.000000000 +0100
|
||||
@@ -663,6 +663,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||
return (0);
|
||||
}
|
||||
@ -564,17 +564,18 @@ diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
|
||||
static void
|
||||
privsep_postauth(Authctxt *authctxt)
|
||||
{
|
||||
@@ -688,6 +690,9 @@ privsep_postauth(Authctxt *authctxt)
|
||||
@@ -688,6 +690,10 @@ privsep_postauth(Authctxt *authctxt)
|
||||
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
|
||||
close(pmonitor->m_recvfd);
|
||||
buffer_clear(&loginmsg);
|
||||
+ newkeys_destroy(current_keys[MODE_OUT]);
|
||||
+ newkeys_destroy(current_keys[MODE_IN]);
|
||||
+ packet_destroy_all(1, 0);
|
||||
+ audit_session_key_free_body(2, getpid(), getuid());
|
||||
+ packet_destroy_all(0, 0);
|
||||
monitor_child_postauth(pmonitor);
|
||||
|
||||
/* NEVERREACHED */
|
||||
@@ -1974,6 +1979,7 @@ main(int ac, char **av)
|
||||
@@ -1974,6 +1980,7 @@ main(int ac, char **av)
|
||||
*/
|
||||
if (use_privsep) {
|
||||
mm_send_keystate(pmonitor);
|
||||
@ -582,7 +583,7 @@ diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -2026,6 +2032,8 @@ main(int ac, char **av)
|
||||
@@ -2026,6 +2033,8 @@ main(int ac, char **av)
|
||||
do_authenticated(authctxt);
|
||||
|
||||
/* The connection has been terminated. */
|
||||
@ -591,7 +592,7 @@ diff -up openssh-5.8p1/sshd.c.audit4 openssh-5.8p1/sshd.c
|
||||
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
|
||||
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
|
||||
verbose("Transferred: sent %llu, received %llu bytes",
|
||||
@@ -2345,6 +2353,7 @@ cleanup_exit(int i)
|
||||
@@ -2345,6 +2354,7 @@ cleanup_exit(int i)
|
||||
{
|
||||
if (the_authctxt)
|
||||
do_cleanup(the_authctxt);
|
||||
|
||||
@ -1,13 +0,0 @@
|
||||
diff -ur openssh/sshd.c openssh-5.8p1/sshd.c
|
||||
--- openssh/sshd.c 2011-02-23 16:23:05.720096223 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-23 17:04:24.206612620 +0100
|
||||
@@ -748,7 +748,8 @@
|
||||
buffer_clear(&loginmsg);
|
||||
newkeys_destroy(current_keys[MODE_OUT]);
|
||||
newkeys_destroy(current_keys[MODE_IN]);
|
||||
- packet_destroy_all(1, 0);
|
||||
+ audit_session_key_free_body(2, getpid(), getuid());
|
||||
+ packet_destroy_all(0, 0);
|
||||
monitor_child_postauth(pmonitor);
|
||||
|
||||
/* NEVERREACHED */
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
|
||||
--- openssh-5.8p1/audit-bsm.c.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-24 13:39:32.000000000 +0100
|
||||
--- openssh-5.8p1/audit-bsm.c.audit5 2011-02-28 23:17:12.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-bsm.c 2011-02-28 23:17:13.000000000 +0100
|
||||
@@ -407,4 +407,22 @@ audit_session_key_free_body(int ctos, pi
|
||||
{
|
||||
/* not implemented */
|
||||
@ -25,8 +25,8 @@ diff -up openssh-5.8p1/audit-bsm.c.audit5 openssh-5.8p1/audit-bsm.c
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
|
||||
--- openssh-5.8p1/audit.c.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-24 13:39:32.000000000 +0100
|
||||
--- openssh-5.8p1/audit.c.audit5 2011-02-28 23:17:12.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.c 2011-02-28 23:17:13.000000000 +0100
|
||||
@@ -276,5 +276,24 @@ audit_session_key_free_body(int ctos, pi
|
||||
debug("audit session key discard euid %u direction %d from pid %ld uid %u",
|
||||
(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
|
||||
@ -53,8 +53,8 @@ diff -up openssh-5.8p1/audit.c.audit5 openssh-5.8p1/audit.c
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
|
||||
--- openssh-5.8p1/audit.h.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-24 13:39:32.000000000 +0100
|
||||
--- openssh-5.8p1/audit.h.audit5 2011-02-28 23:17:12.000000000 +0100
|
||||
+++ openssh-5.8p1/audit.h 2011-02-28 23:17:13.000000000 +0100
|
||||
@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
|
||||
};
|
||||
typedef enum ssh_audit_event_type ssh_audit_event_t;
|
||||
@ -73,8 +73,8 @@ diff -up openssh-5.8p1/audit.h.audit5 openssh-5.8p1/audit.h
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
|
||||
--- openssh-5.8p1/audit-linux.c.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-24 13:39:32.000000000 +0100
|
||||
--- openssh-5.8p1/audit-linux.c.audit5 2011-02-28 23:17:12.000000000 +0100
|
||||
+++ openssh-5.8p1/audit-linux.c 2011-02-28 23:17:13.000000000 +0100
|
||||
@@ -343,4 +343,50 @@ audit_session_key_free_body(int ctos, pi
|
||||
error("cannot write into audit");
|
||||
}
|
||||
@ -127,9 +127,9 @@ diff -up openssh-5.8p1/audit-linux.c.audit5 openssh-5.8p1/audit-linux.c
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
|
||||
--- openssh-5.8p1/key.c.audit5 2011-02-24 13:39:31.000000000 +0100
|
||||
+++ openssh-5.8p1/key.c 2011-02-24 13:39:32.000000000 +0100
|
||||
@@ -1795,6 +1795,30 @@ key_demote(const Key *k)
|
||||
--- openssh-5.8p1/key.c.audit5 2011-02-28 23:17:10.000000000 +0100
|
||||
+++ openssh-5.8p1/key.c 2011-02-28 23:17:13.000000000 +0100
|
||||
@@ -1797,6 +1797,30 @@ key_demote(const Key *k)
|
||||
}
|
||||
|
||||
int
|
||||
@ -161,8 +161,8 @@ diff -up openssh-5.8p1/key.c.audit5 openssh-5.8p1/key.c
|
||||
{
|
||||
if (k == NULL)
|
||||
diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
|
||||
--- openssh-5.8p1/key.h.audit5 2011-02-24 13:39:31.000000000 +0100
|
||||
+++ openssh-5.8p1/key.h 2011-02-24 13:39:32.000000000 +0100
|
||||
--- openssh-5.8p1/key.h.audit5 2011-02-28 23:17:10.000000000 +0100
|
||||
+++ openssh-5.8p1/key.h 2011-02-28 23:17:13.000000000 +0100
|
||||
@@ -109,6 +109,7 @@ Key *key_generate(int, u_int);
|
||||
Key *key_from_private(const Key *);
|
||||
int key_type_from_name(char *);
|
||||
@ -172,9 +172,18 @@ diff -up openssh-5.8p1/key.h.audit5 openssh-5.8p1/key.h
|
||||
int key_to_certified(Key *, int);
|
||||
int key_drop_cert(Key *);
|
||||
diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
--- openssh-5.8p1/monitor.c.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-24 13:39:32.000000000 +0100
|
||||
@@ -182,6 +182,7 @@ int mm_answer_audit_end_command(int, Buf
|
||||
--- openssh-5.8p1/monitor.c.audit5 2011-02-28 23:17:13.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-28 23:17:14.000000000 +0100
|
||||
@@ -106,6 +106,8 @@ extern Buffer auth_debug;
|
||||
extern int auth_debug_init;
|
||||
extern Buffer loginmsg;
|
||||
|
||||
+extern void destroy_sensitive_data(int);
|
||||
+
|
||||
/* State exported from the child */
|
||||
|
||||
struct {
|
||||
@@ -182,6 +184,7 @@ int mm_answer_audit_end_command(int, Buf
|
||||
int mm_answer_audit_unsupported_body(int, Buffer *);
|
||||
int mm_answer_audit_kex_body(int, Buffer *);
|
||||
int mm_answer_audit_session_key_free_body(int, Buffer *);
|
||||
@ -182,7 +191,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
#endif
|
||||
|
||||
static Authctxt *authctxt;
|
||||
@@ -233,6 +234,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||
@@ -233,6 +236,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
@ -190,7 +199,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
#endif
|
||||
#ifdef BSD_AUTH
|
||||
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
|
||||
@@ -273,6 +275,7 @@ struct mon_table mon_dispatch_postauth20
|
||||
@@ -273,6 +277,7 @@ struct mon_table mon_dispatch_postauth20
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
@ -198,7 +207,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -307,6 +310,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||
@@ -307,6 +312,7 @@ struct mon_table mon_dispatch_proto15[]
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
@ -206,7 +215,7 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -322,6 +326,7 @@ struct mon_table mon_dispatch_postauth15
|
||||
@@ -322,6 +328,7 @@ struct mon_table mon_dispatch_postauth15
|
||||
{MONITOR_REQ_AUDIT_UNSUPPORTED, MON_PERMIT, mm_answer_audit_unsupported_body},
|
||||
{MONITOR_REQ_AUDIT_KEX, MON_PERMIT, mm_answer_audit_kex_body},
|
||||
{MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
|
||||
@ -214,7 +223,16 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
#endif
|
||||
{0, 0, NULL}
|
||||
};
|
||||
@@ -2309,4 +2314,24 @@ mm_answer_audit_session_key_free_body(in
|
||||
@@ -1597,6 +1604,8 @@ mm_answer_term(int sock, Buffer *req)
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
+ destroy_sensitive_data(0);
|
||||
+
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
@@ -2309,4 +2318,24 @@ mm_answer_audit_session_key_free_body(in
|
||||
mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
|
||||
return 0;
|
||||
}
|
||||
@ -240,8 +258,8 @@ diff -up openssh-5.8p1/monitor.c.audit5 openssh-5.8p1/monitor.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
|
||||
--- openssh-5.8p1/monitor.h.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-24 13:39:32.000000000 +0100
|
||||
--- openssh-5.8p1/monitor.h.audit5 2011-02-28 23:17:13.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor.h 2011-02-28 23:17:14.000000000 +0100
|
||||
@@ -70,6 +70,7 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
|
||||
MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
|
||||
@ -251,8 +269,8 @@ diff -up openssh-5.8p1/monitor.h.audit5 openssh-5.8p1/monitor.h
|
||||
|
||||
struct mm_master;
|
||||
diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-24 13:39:32.000000000 +0100
|
||||
--- openssh-5.8p1/monitor_wrap.c.audit5 2011-02-28 23:17:13.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.c 2011-02-28 23:17:14.000000000 +0100
|
||||
@@ -1480,4 +1480,20 @@ mm_audit_session_key_free_body(int ctos,
|
||||
&m);
|
||||
buffer_free(&m);
|
||||
@ -275,8 +293,8 @@ diff -up openssh-5.8p1/monitor_wrap.c.audit5 openssh-5.8p1/monitor_wrap.c
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-24 13:39:32.000000000 +0100
|
||||
--- openssh-5.8p1/monitor_wrap.h.audit5 2011-02-28 23:17:13.000000000 +0100
|
||||
+++ openssh-5.8p1/monitor_wrap.h 2011-02-28 23:17:14.000000000 +0100
|
||||
@@ -78,6 +78,7 @@ void mm_audit_end_command(const char *);
|
||||
void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
|
||||
@ -286,8 +304,8 @@ diff -up openssh-5.8p1/monitor_wrap.h.audit5 openssh-5.8p1/monitor_wrap.h
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
|
||||
--- openssh-5.8p1/session.c.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/session.c 2011-02-24 13:43:35.000000000 +0100
|
||||
--- openssh-5.8p1/session.c.audit5 2011-02-28 23:17:13.000000000 +0100
|
||||
+++ openssh-5.8p1/session.c 2011-02-28 23:17:14.000000000 +0100
|
||||
@@ -132,7 +132,7 @@ extern int log_stderr;
|
||||
extern int debug_flag;
|
||||
extern u_int utmp_len;
|
||||
@ -307,8 +325,8 @@ diff -up openssh-5.8p1/session.c.audit5 openssh-5.8p1/session.c
|
||||
monitor over a single socket, with no synchronization. */
|
||||
packet_destroy_all(0, 1);
|
||||
diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
||||
--- openssh-5.8p1/sshd.c.audit5 2011-02-24 13:39:32.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-24 13:43:08.000000000 +0100
|
||||
--- openssh-5.8p1/sshd.c.audit5 2011-02-28 23:17:13.000000000 +0100
|
||||
+++ openssh-5.8p1/sshd.c 2011-02-28 23:17:14.000000000 +0100
|
||||
@@ -253,7 +253,7 @@ Buffer loginmsg;
|
||||
struct passwd *privsep_pw = NULL;
|
||||
|
||||
@ -422,7 +440,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
@@ -1119,6 +1169,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
@@ -1120,6 +1170,7 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (received_sigterm) {
|
||||
logit("Received signal %d; terminating.",
|
||||
(int) received_sigterm);
|
||||
@ -430,7 +448,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
||||
close_listen_socks();
|
||||
unlink(options.pid_file);
|
||||
exit(255);
|
||||
@@ -2022,7 +2073,7 @@ main(int ac, char **av)
|
||||
@@ -2023,7 +2074,7 @@ main(int ac, char **av)
|
||||
privsep_postauth(authctxt);
|
||||
/* the monitor process [priv] will not return */
|
||||
if (!compat20)
|
||||
@ -439,7 +457,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
||||
}
|
||||
|
||||
packet_set_timeout(options.client_alive_interval,
|
||||
@@ -2261,7 +2312,7 @@ do_ssh1_kex(void)
|
||||
@@ -2262,7 +2313,7 @@ do_ssh1_kex(void)
|
||||
session_id[i] = session_key[i] ^ session_key[i + 16];
|
||||
}
|
||||
/* Destroy the private and public keys. No longer. */
|
||||
@ -448,7 +466,7 @@ diff -up openssh-5.8p1/sshd.c.audit5 openssh-5.8p1/sshd.c
|
||||
|
||||
if (use_privsep)
|
||||
mm_ssh1_session_id(session_id);
|
||||
@@ -2351,8 +2402,22 @@ do_ssh2_kex(void)
|
||||
@@ -2352,8 +2403,22 @@ do_ssh2_kex(void)
|
||||
void
|
||||
cleanup_exit(int i)
|
||||
{
|
||||
|
||||
@ -1,21 +0,0 @@
|
||||
diff -ur openssh/monitor.c openssh-5.8p1/monitor.c
|
||||
--- openssh/monitor.c 2011-02-23 14:22:42.007937852 +0100
|
||||
+++ openssh-5.8p1/monitor.c 2011-02-23 19:26:01.491710679 +0100
|
||||
@@ -106,6 +106,8 @@
|
||||
extern int auth_debug_init;
|
||||
extern Buffer loginmsg;
|
||||
|
||||
+extern void destroy_sensitive_data(int);
|
||||
+
|
||||
/* State exported from the child */
|
||||
|
||||
struct {
|
||||
@@ -1651,6 +1653,8 @@
|
||||
sshpam_cleanup();
|
||||
#endif
|
||||
|
||||
+ destroy_sensitive_data(0);
|
||||
+
|
||||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
132
openssh-5.8p1-keycat2.patch
Normal file
132
openssh-5.8p1-keycat2.patch
Normal file
@ -0,0 +1,132 @@
|
||||
diff -up openssh-5.8p1/auth2-pubkey.c.keycat2 openssh-5.8p1/auth2-pubkey.c
|
||||
--- openssh-5.8p1/auth2-pubkey.c.keycat2 2011-03-01 06:57:03.000000000 +0100
|
||||
+++ openssh-5.8p1/auth2-pubkey.c 2011-03-01 07:25:04.000000000 +0100
|
||||
@@ -579,6 +579,14 @@ user_key_via_command_allowed2(struct pas
|
||||
close(i);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (ssh_selinux_setup_env_variables() < 0) {
|
||||
+ error ("failed to copy environment: %s",
|
||||
+ strerror(errno));
|
||||
+ _exit(127);
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL);
|
||||
|
||||
/* if we got here, it didn't work */
|
||||
diff -up openssh-5.8p1/openbsd-compat/port-linux.c.keycat2 openssh-5.8p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.8p1/openbsd-compat/port-linux.c.keycat2 2011-03-01 07:00:32.000000000 +0100
|
||||
+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-03-01 07:23:13.000000000 +0100
|
||||
@@ -309,7 +309,7 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
-ssh_selinux_setup_pam_variables(void)
|
||||
+ssh_selinux_setup_variables(int(*set_it)(const char *, const char *))
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -320,16 +320,16 @@ ssh_selinux_setup_pam_variables(void)
|
||||
|
||||
ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
|
||||
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
if (inetd_flag && !rexeced_flag) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
use_current = "";
|
||||
- rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
||||
+ rv = rv || set_it("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
|
||||
}
|
||||
|
||||
- rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
|
||||
+ rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
|
||||
|
||||
if (role != NULL)
|
||||
xfree(role);
|
||||
@@ -337,6 +337,24 @@ ssh_selinux_setup_pam_variables(void)
|
||||
return rv;
|
||||
}
|
||||
|
||||
+static int
|
||||
+ssh_selinux_setup_pam_variables(void)
|
||||
+{
|
||||
+ return ssh_selinux_setup_variables(do_pam_putenv);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+do_setenv(char *name, char *value)
|
||||
+{
|
||||
+ return setenv(name, value, 1);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+ssh_selinux_setup_env_variables(void)
|
||||
+{
|
||||
+ return ssh_selinux_setup_variables(do_setenv);
|
||||
+}
|
||||
+
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
diff -up openssh-5.8p1/ssh-keycat.c.keycat2 openssh-5.8p1/ssh-keycat.c
|
||||
--- openssh-5.8p1/ssh-keycat.c.keycat2 2011-03-01 06:56:02.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-keycat.c 2011-03-01 06:56:02.000000000 +0100
|
||||
@@ -65,6 +65,7 @@
|
||||
#define ERR_FDOPEN 10
|
||||
#define ERR_STAT 11
|
||||
#define ERR_WRITE 12
|
||||
+#define ERR_PAM_PUTENV 13
|
||||
#define BUFLEN 4096
|
||||
|
||||
/* Just ignore the messages in the conversation function */
|
||||
@@ -166,6 +167,34 @@ fail:
|
||||
return rv;
|
||||
}
|
||||
|
||||
+static const char *env_names[] = { "SELINUX_ROLE_REQUESTED",
|
||||
+ "SELINUX_LEVEL_REQUESTED",
|
||||
+ "SELINUX_USE_CURRENT_RANGE"
|
||||
+};
|
||||
+
|
||||
+extern char **environ;
|
||||
+
|
||||
+int
|
||||
+set_pam_environment(pam_handle_t *pamh)
|
||||
+{
|
||||
+ int i;
|
||||
+ size_t j;
|
||||
+
|
||||
+ for (j = 0; j < sizeof(env_names)/sizeof(env_names[0]); ++j) {
|
||||
+ int len = strlen(env_names[j]);
|
||||
+
|
||||
+ for (i = 0; environ[i] != NULL; ++i) {
|
||||
+ if (strncmp(env_names[j], environ[i], len) == 0 &&
|
||||
+ environ[i][len] == '=') {
|
||||
+ if (pam_putenv(pamh, environ[i]) != PAM_SUCCESS)
|
||||
+ return ERR_PAM_PUTENV;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
int
|
||||
main(int argc, char *argv[])
|
||||
{
|
||||
@@ -183,6 +212,10 @@ main(int argc, char *argv[])
|
||||
return ERR_PAM_START;
|
||||
}
|
||||
|
||||
+ ev = set_pam_environment(pamh);
|
||||
+ if (ev != 0)
|
||||
+ goto finish;
|
||||
+
|
||||
retval = pam_open_session(pamh, PAM_SILENT);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
ev = ERR_OPEN_SESSION;
|
||||
@ -1,7 +1,7 @@
|
||||
diff -up openssh-5.6p1/configure.ac.ldap openssh-5.6p1/configure.ac
|
||||
--- openssh-5.6p1/configure.ac.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/configure.ac 2010-10-20 09:21:04.000000000 +0200
|
||||
@@ -1366,6 +1366,106 @@ AC_ARG_WITH(authorized-keys-command,
|
||||
diff -up openssh-5.8p1/configure.ac.ldap openssh-5.8p1/configure.ac
|
||||
--- openssh-5.8p1/configure.ac.ldap 2011-02-28 23:21:05.000000000 +0100
|
||||
+++ openssh-5.8p1/configure.ac 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -1434,6 +1434,106 @@ AC_ARG_WITH(authorized-keys-command,
|
||||
]
|
||||
)
|
||||
|
||||
@ -108,9 +108,27 @@ diff -up openssh-5.6p1/configure.ac.ldap openssh-5.6p1/configure.ac
|
||||
dnl Checks for library functions. Please keep in alphabetical order
|
||||
AC_CHECK_FUNCS( \
|
||||
arc4random \
|
||||
diff -up openssh-5.6p1/ldapbody.c.ldap openssh-5.6p1/ldapbody.c
|
||||
--- openssh-5.6p1/ldapbody.c.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldapbody.c 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
|
||||
--- openssh-5.8p1/HOWTO.ldap-keys.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/HOWTO.ldap-keys 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,14 @@
|
||||
+
|
||||
+1) configure LDAP server
|
||||
+2) add appropriate schema
|
||||
+3) insert users into LDAP
|
||||
+4) on the ssh side set in sshd_config
|
||||
+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
|
||||
+AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
|
||||
+5) do not forget to set
|
||||
+PubkeyAuthentication yes
|
||||
+
|
||||
+
|
||||
+To debug the ssh-ldap-helper is possible to set
|
||||
+the necessary flags in the ssh-ldap-wrapper.
|
||||
+
|
||||
diff -up openssh-5.8p1/ldapbody.c.ldap openssh-5.8p1/ldapbody.c
|
||||
--- openssh-5.8p1/ldapbody.c.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldapbody.c 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,494 @@
|
||||
+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -606,9 +624,9 @@ diff -up openssh-5.6p1/ldapbody.c.ldap openssh-5.6p1/ldapbody.c
|
||||
+ return;
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.6p1/ldapbody.h.ldap openssh-5.6p1/ldapbody.h
|
||||
--- openssh-5.6p1/ldapbody.h.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldapbody.h 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ldapbody.h.ldap openssh-5.8p1/ldapbody.h
|
||||
--- openssh-5.8p1/ldapbody.h.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldapbody.h 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,37 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -647,9 +665,9 @@ diff -up openssh-5.6p1/ldapbody.h.ldap openssh-5.6p1/ldapbody.h
|
||||
+
|
||||
+#endif /* LDAPBODY_H */
|
||||
+
|
||||
diff -up openssh-5.6p1/ldapconf.c.ldap openssh-5.6p1/ldapconf.c
|
||||
--- openssh-5.6p1/ldapconf.c.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldapconf.c 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ldapconf.c.ldap openssh-5.8p1/ldapconf.c
|
||||
--- openssh-5.8p1/ldapconf.c.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldapconf.c 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,682 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1333,9 +1351,9 @@ diff -up openssh-5.6p1/ldapconf.c.ldap openssh-5.6p1/ldapconf.c
|
||||
+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
|
||||
+}
|
||||
+
|
||||
diff -up openssh-5.6p1/ldapconf.h.ldap openssh-5.6p1/ldapconf.h
|
||||
--- openssh-5.6p1/ldapconf.h.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldapconf.h 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ldapconf.h.ldap openssh-5.8p1/ldapconf.h
|
||||
--- openssh-5.8p1/ldapconf.h.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldapconf.h 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,71 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1408,9 +1426,9 @@ diff -up openssh-5.6p1/ldapconf.h.ldap openssh-5.6p1/ldapconf.h
|
||||
+void dump_config(void);
|
||||
+
|
||||
+#endif /* LDAPCONF_H */
|
||||
diff -up openssh-5.6p1/ldap.conf.ldap openssh-5.6p1/ldap.conf
|
||||
--- openssh-5.6p1/ldap.conf.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldap.conf 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ldap.conf.ldap openssh-5.8p1/ldap.conf
|
||||
--- openssh-5.8p1/ldap.conf.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldap.conf 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,88 @@
|
||||
+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
|
||||
+#
|
||||
@ -1500,9 +1518,9 @@ diff -up openssh-5.6p1/ldap.conf.ldap openssh-5.6p1/ldap.conf
|
||||
+#tls_cert
|
||||
+#tls_key
|
||||
+
|
||||
diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c
|
||||
--- openssh-5.6p1/ldap-helper.c.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldap-helper.c 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ldap-helper.c.ldap openssh-5.8p1/ldap-helper.c
|
||||
--- openssh-5.8p1/ldap-helper.c.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldap-helper.c 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,154 @@
|
||||
+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1557,7 +1575,7 @@ diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c
|
||||
+ fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
|
||||
+ fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
|
||||
+ fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
|
||||
+ fprintf(stderr, " -w Warn on unknown commands int the config file.\n");
|
||||
+ fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
|
||||
+ exit(1);
|
||||
+}
|
||||
+
|
||||
@ -1658,9 +1676,9 @@ diff -up openssh-5.6p1/ldap-helper.c.ldap openssh-5.6p1/ldap-helper.c
|
||||
+void *buffer_get_string(Buffer *b, u_int *l) {}
|
||||
+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
|
||||
+
|
||||
diff -up openssh-5.6p1/ldap-helper.h.ldap openssh-5.6p1/ldap-helper.h
|
||||
--- openssh-5.6p1/ldap-helper.h.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldap-helper.h 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ldap-helper.h.ldap openssh-5.8p1/ldap-helper.h
|
||||
--- openssh-5.8p1/ldap-helper.h.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldap-helper.h 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,32 @@
|
||||
+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1694,9 +1712,9 @@ diff -up openssh-5.6p1/ldap-helper.h.ldap openssh-5.6p1/ldap-helper.h
|
||||
+extern int config_warning_config_file;
|
||||
+
|
||||
+#endif /* LDAP_HELPER_H */
|
||||
diff -up openssh-5.6p1/ldapincludes.h.ldap openssh-5.6p1/ldapincludes.h
|
||||
--- openssh-5.6p1/ldapincludes.h.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldapincludes.h 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ldapincludes.h.ldap openssh-5.8p1/ldapincludes.h
|
||||
--- openssh-5.8p1/ldapincludes.h.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldapincludes.h 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1739,9 +1757,9 @@ diff -up openssh-5.6p1/ldapincludes.h.ldap openssh-5.6p1/ldapincludes.h
|
||||
+#endif
|
||||
+
|
||||
+#endif /* LDAPINCLUDES_H */
|
||||
diff -up openssh-5.6p1/ldapmisc.c.ldap openssh-5.6p1/ldapmisc.c
|
||||
--- openssh-5.6p1/ldapmisc.c.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldapmisc.c 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ldapmisc.c.ldap openssh-5.8p1/ldapmisc.c
|
||||
--- openssh-5.8p1/ldapmisc.c.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldapmisc.c 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,79 @@
|
||||
+
|
||||
+#include "ldapincludes.h"
|
||||
@ -1822,9 +1840,9 @@ diff -up openssh-5.6p1/ldapmisc.c.ldap openssh-5.6p1/ldapmisc.c
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
diff -up openssh-5.6p1/ldapmisc.h.ldap openssh-5.6p1/ldapmisc.h
|
||||
--- openssh-5.6p1/ldapmisc.h.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ldapmisc.h 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ldapmisc.h.ldap openssh-5.8p1/ldapmisc.h
|
||||
--- openssh-5.8p1/ldapmisc.h.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ldapmisc.h 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,35 @@
|
||||
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
@ -1861,9 +1879,9 @@ diff -up openssh-5.6p1/ldapmisc.h.ldap openssh-5.6p1/ldapmisc.h
|
||||
+
|
||||
+#endif /* LDAPMISC_H */
|
||||
+
|
||||
diff -up openssh-5.6p1/lpk-user-example.txt.ldap openssh-5.6p1/lpk-user-example.txt
|
||||
--- openssh-5.6p1/lpk-user-example.txt.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/lpk-user-example.txt 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/lpk-user-example.txt.ldap openssh-5.8p1/lpk-user-example.txt
|
||||
--- openssh-5.8p1/lpk-user-example.txt.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/lpk-user-example.txt 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,117 @@
|
||||
+
|
||||
+Post to ML -> User Made Quick Install Doc.
|
||||
@ -1982,18 +2000,19 @@ diff -up openssh-5.6p1/lpk-user-example.txt.ldap openssh-5.6p1/lpk-user-example.
|
||||
+puTTY). Login should succeed.
|
||||
+
|
||||
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in
|
||||
--- openssh-5.6p1/Makefile.in.ldap 2010-10-20 09:21:03.000000000 +0200
|
||||
+++ openssh-5.6p1/Makefile.in 2010-10-20 10:36:39.000000000 +0200
|
||||
@@ -26,6 +26,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
|
||||
diff -up openssh-5.8p1/Makefile.in.ldap openssh-5.8p1/Makefile.in
|
||||
--- openssh-5.8p1/Makefile.in.ldap 2011-02-28 23:21:03.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -26,6 +26,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
RAND_HELPER=$(libexecdir)/ssh-rand-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -61,8 +62,9 @@ EXEEXT=@EXEEXT@
|
||||
@@ -63,8 +65,9 @@ MANFMT=@MANFMT@
|
||||
|
||||
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
|
||||
INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@
|
||||
@ -2004,7 +2023,7 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in
|
||||
|
||||
LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
|
||||
@@ -94,8 +96,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
@@ -96,8 +99,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
|
||||
sftp-server.o sftp-common.o \
|
||||
roaming_common.o roaming_serv.o
|
||||
|
||||
@ -2015,7 +2034,7 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in
|
||||
MANTYPE = @MANTYPE@
|
||||
|
||||
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
|
||||
@@ -163,6 +165,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
|
||||
@@ -166,6 +169,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
@ -2025,17 +2044,18 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -267,6 +272,9 @@ install-files:
|
||||
@@ -270,6 +276,10 @@ install-files:
|
||||
fi
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
||||
+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||
+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
+ fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
@@ -286,6 +294,10 @@ install-files:
|
||||
@@ -289,6 +299,10 @@ install-files:
|
||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -2046,7 +2066,7 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in
|
||||
-rm -f $(DESTDIR)$(bindir)/slogin
|
||||
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
@@ -322,6 +334,13 @@ install-sysconf:
|
||||
@@ -325,6 +339,13 @@ install-sysconf:
|
||||
else \
|
||||
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
|
||||
fi
|
||||
@ -2060,7 +2080,7 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in
|
||||
|
||||
host-key: ssh-keygen$(EXEEXT)
|
||||
@if [ -z "$(DESTDIR)" ] ; then \
|
||||
@@ -385,6 +404,7 @@ uninstall:
|
||||
@@ -396,6 +417,7 @@ uninstall:
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
|
||||
@ -2068,9 +2088,9 @@ diff -up openssh-5.6p1/Makefile.in.ldap openssh-5.6p1/Makefile.in
|
||||
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
|
||||
|
||||
tests interop-tests: $(TARGETS)
|
||||
diff -up openssh-5.6p1/openssh-lpk-openldap.schema.ldap openssh-5.6p1/openssh-lpk-openldap.schema
|
||||
--- openssh-5.6p1/openssh-lpk-openldap.schema.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/openssh-lpk-openldap.schema 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/openssh-lpk-openldap.schema.ldap openssh-5.8p1/openssh-lpk-openldap.schema
|
||||
--- openssh-5.8p1/openssh-lpk-openldap.schema.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/openssh-lpk-openldap.schema 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,21 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2093,9 +2113,9 @@ diff -up openssh-5.6p1/openssh-lpk-openldap.schema.ldap openssh-5.6p1/openssh-lp
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
diff -up openssh-5.6p1/openssh-lpk-sun.schema.ldap openssh-5.6p1/openssh-lpk-sun.schema
|
||||
--- openssh-5.6p1/openssh-lpk-sun.schema.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/openssh-lpk-sun.schema 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/openssh-lpk-sun.schema.ldap openssh-5.8p1/openssh-lpk-sun.schema
|
||||
--- openssh-5.8p1/openssh-lpk-sun.schema.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/openssh-lpk-sun.schema 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,23 @@
|
||||
+#
|
||||
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
|
||||
@ -2120,9 +2140,9 @@ diff -up openssh-5.6p1/openssh-lpk-sun.schema.ldap openssh-5.6p1/openssh-lpk-sun
|
||||
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
|
||||
+ MUST ( sshPublicKey $ uid )
|
||||
+ )
|
||||
diff -up openssh-5.6p1/README.lpk.ldap openssh-5.6p1/README.lpk
|
||||
--- openssh-5.6p1/README.lpk.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/README.lpk 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
|
||||
--- openssh-5.8p1/README.lpk.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/README.lpk 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,274 @@
|
||||
+OpenSSH LDAP PUBLIC KEY PATCH
|
||||
+Copyright (c) 2003 Eric AUGE (eau@phear.org)
|
||||
@ -2398,9 +2418,9 @@ diff -up openssh-5.6p1/README.lpk.ldap openssh-5.6p1/README.lpk
|
||||
+- CONTACT :
|
||||
+ Jan F. Chadima <jchadima@redhat.com>
|
||||
+
|
||||
diff -up openssh-5.6p1/ssh-ldap.conf.5.ldap openssh-5.6p1/ssh-ldap.conf.5
|
||||
--- openssh-5.6p1/ssh-ldap.conf.5.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ssh-ldap.conf.5 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ssh-ldap.conf.5.ldap openssh-5.8p1/ssh-ldap.conf.5
|
||||
--- openssh-5.8p1/ssh-ldap.conf.5.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-ldap.conf.5 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,373 @@
|
||||
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2775,9 +2795,9 @@ diff -up openssh-5.6p1/ssh-ldap.conf.5.ldap openssh-5.6p1/ssh-ldap.conf.5
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
diff -up openssh-5.6p1/ssh-ldap-helper.8.ldap openssh-5.6p1/ssh-ldap-helper.8
|
||||
--- openssh-5.6p1/ssh-ldap-helper.8.ldap 2010-10-20 09:21:04.000000000 +0200
|
||||
+++ openssh-5.6p1/ssh-ldap-helper.8 2010-10-20 09:21:04.000000000 +0200
|
||||
diff -up openssh-5.8p1/ssh-ldap-helper.8.ldap openssh-5.8p1/ssh-ldap-helper.8
|
||||
--- openssh-5.8p1/ssh-ldap-helper.8.ldap 2011-02-28 23:21:06.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-ldap-helper.8 2011-02-28 23:21:06.000000000 +0100
|
||||
@@ -0,0 +1,78 @@
|
||||
+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
|
||||
+.\"
|
||||
@ -2857,3 +2877,11 @@ diff -up openssh-5.6p1/ssh-ldap-helper.8.ldap openssh-5.6p1/ssh-ldap-helper.8
|
||||
+OpenSSH 5.5 + PKA-LDAP .
|
||||
+.Sh AUTHORS
|
||||
+.An Jan F. Chadima Aq jchadima@redhat.com
|
||||
diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap openssh-5.8p1/ssh-ldap-wrapper
|
||||
--- openssh-5.8p1/ssh-ldap-wrapper.ldap 2011-02-28 23:21:07.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-ldap-wrapper 2011-02-28 23:21:07.000000000 +0100
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
|
||||
+
|
||||
|
||||
@ -1,57 +0,0 @@
|
||||
diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap2 openssh-5.8p1/HOWTO.ldap-keys
|
||||
--- openssh-5.8p1/HOWTO.ldap-keys.ldap2 2011-02-25 11:48:59.000000000 +0100
|
||||
+++ openssh-5.8p1/HOWTO.ldap-keys 2011-02-25 11:48:59.000000000 +0100
|
||||
@@ -0,0 +1,14 @@
|
||||
+
|
||||
+1) configure LDAP server
|
||||
+2) add appropriate schema
|
||||
+3) insert users into LDAP
|
||||
+4) on the ssh side set in sshd_config
|
||||
+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
|
||||
+AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
|
||||
+5) do not forget to set
|
||||
+PubkeyAuthentication yes
|
||||
+
|
||||
+
|
||||
+To debug the ssh-ldap-helper is possible to set
|
||||
+the necessary flags in the ssh-ldap-wrapper.
|
||||
+
|
||||
diff -up openssh-5.8p1/ldap-helper.c.ldap2 openssh-5.8p1/ldap-helper.c
|
||||
--- openssh-5.8p1/ldap-helper.c.ldap2 2011-02-25 11:48:59.000000000 +0100
|
||||
+++ openssh-5.8p1/ldap-helper.c 2011-02-25 11:48:59.000000000 +0100
|
||||
@@ -51,7 +51,7 @@ usage(void)
|
||||
fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
|
||||
fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
|
||||
fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
|
||||
- fprintf(stderr, " -w Warn on unknown commands int the config file.\n");
|
||||
+ fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
diff -up openssh-5.8p1/Makefile.in.ldap2 openssh-5.8p1/Makefile.in
|
||||
--- openssh-5.8p1/Makefile.in.ldap2 2011-02-25 11:48:59.000000000 +0100
|
||||
+++ openssh-5.8p1/Makefile.in 2011-02-25 11:55:59.000000000 +0100
|
||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
RAND_HELPER=$(libexecdir)/ssh-rand-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -277,6 +278,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
|
||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||
+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
diff -up openssh-5.8p1/ssh-ldap-wrapper.ldap2 openssh-5.8p1/ssh-ldap-wrapper
|
||||
--- openssh-5.8p1/ssh-ldap-wrapper.ldap2 2011-02-25 11:48:59.000000000 +0100
|
||||
+++ openssh-5.8p1/ssh-ldap-wrapper 2011-02-25 11:48:59.000000000 +0100
|
||||
@@ -0,0 +1,4 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
|
||||
+
|
||||
@ -71,7 +71,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 5.8p1
|
||||
%define openssh_rel 11
|
||||
%define openssh_rel 12
|
||||
%define pam_ssh_agent_ver 0.9.2
|
||||
%define pam_ssh_agent_rel 30
|
||||
|
||||
@ -152,6 +152,7 @@ Patch56: openssh-5.2p1-edns.patch
|
||||
Patch57: openssh-5.1p1-scp-manpage.patch
|
||||
#?
|
||||
Patch58: openssh-5.8p1-keycat.patch
|
||||
Patch158: openssh-5.8p1-keycat2.patch
|
||||
#http://www.sxw.org.uk/computing/patches/openssh.html
|
||||
Patch60: openssh-5.8p1-gsskex.patch
|
||||
#?
|
||||
@ -347,6 +348,7 @@ popd
|
||||
%patch56 -p1 -b .edns
|
||||
%patch57 -p1 -b .manpage
|
||||
%patch58 -p1 -b .keycat
|
||||
%patch158 -p1 -b .keycat2
|
||||
%patch60 -p1 -b .gsskex
|
||||
%patch61 -p1 -b .canohost
|
||||
|
||||
@ -641,6 +643,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Mar 1 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-12 + 0.9.2-30
|
||||
- improove ssk-keycat
|
||||
|
||||
* Mon Feb 28 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-11 + 0.9.2-30
|
||||
- add ssk-keycat
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user