Merge remote-tracking branch 'up/master' into master-riscv64
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
commit
1e4e75e433
2
.gitignore
vendored
2
.gitignore
vendored
@ -40,3 +40,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/openssh-8.1p1.tar.gz.asc
|
||||
/openssh-8.2p1.tar.gz
|
||||
/openssh-8.2p1.tar.gz.asc
|
||||
/openssh-8.3p1.tar.gz
|
||||
/openssh-8.3p1.tar.gz.asc
|
||||
|
@ -20,10 +20,10 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
||||
ssh-xmss.o \
|
||||
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
||||
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||
|
||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
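Review bot: The ctr-cavstest link line appears twice in this hunk, once with `-lfipscheck` and once without (`$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)`), and the same old/new pairing shows up for ssh-keycat and ssh-ldap-helper in the keycat, kdf-cavs and ldap hunks that follow, so the helper targets apparently stop linking libfipscheck. The fips-patch Makefile.in hunk further down still shows `-lfipscheck` on the ssh, sshd, ssh-add, ssh-agent, ssh-keygen, ssh-keysign and ssh-keyscan link lines, and because this rendering has lost the outer +/- column I cannot tell whether those lines are kept or removed. If they are kept, libfipscheck stays a link-time dependency of the main binaries while the helpers drop it, which is inconsistent and deserves a one-line justification in the patch header; if fipscheck is being dropped altogether, that hunk needs the same `-lfipscheck` removal. The recipe shape itself (`$(LD) -o $@ … $(LDFLAGS) … $(LIBS)`) follows upstream's pattern and needs no change.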
@ -62,10 +62,10 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
||||
ssh-xmss.o \
|
||||
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS)
|
||||
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
@ -20,7 +20,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
||||
ssh-xmss.o \
|
||||
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
|
||||
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
@ -173,7 +173,7 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
||||
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
|
||||
|
||||
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
|
||||
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
@ -883,8 +883,8 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
|
||||
- if (cc == NULL)
|
||||
+ if (cc == NULL || cc->cipher == NULL)
|
||||
return;
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
||||
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
|
||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
|
||||
chachapoly_free(cc->cp_ctx);
|
||||
diff -up openssh/cipher.h.audit openssh/cipher.h
|
||||
--- openssh/cipher.h.audit 2019-03-27 23:26:14.000000000 +0100
|
||||
+++ openssh/cipher.h 2019-04-03 17:02:20.714886050 +0200
|
||||
@ -1738,7 +1738,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
|
||||
state->newkeys[mode] = NULL;
|
||||
}
|
||||
/* note that both bytes and the seqnr are not reset */
|
||||
@@ -2167,6 +2183,71 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
@@ -2167,6 +2183,72 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||
return (void *)ssh->state->output;
|
||||
}
|
||||
|
||||
@ -1769,6 +1769,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
|
||||
+
|
||||
+ cipher_free(state->receive_context);
|
||||
+ cipher_free(state->send_context);
|
||||
+ state->send_context = state->receive_context = NULL;
|
||||
+
|
||||
+ sshbuf_free(state->input);
|
||||
+ state->input = NULL;
|
||||
|
@ -114,50 +114,6 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
|
||||
p = g = NULL; /* belong to kex->dh now */
|
||||
|
||||
/* generate and send 'e', client DH public key */
|
||||
diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in
|
||||
--- openssh-8.0p1/Makefile.in.fips 2019-07-23 14:55:45.396526350 +0200
|
||||
+++ openssh-8.0p1/Makefile.in 2019-07-23 14:55:45.402526411 +0200
|
||||
@@ -180,25 +180,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
||||
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
|
||||
- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
|
||||
- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
|
||||
- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
|
||||
- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
|
||||
$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
||||
$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
|
||||
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
||||
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
|
||||
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
|
||||
@ -276,43 +232,25 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
|
||||
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
|
||||
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
|
||||
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
|
||||
@@ -76,6 +76,8 @@
|
||||
@@ -76,6 +76,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
+#include <openssl/crypto.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -600,6 +602,16 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+#endif
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL)){
|
||||
+ if (FIPS_mode())
|
||||
+ fatal("FIPS integrity verification test failed.");
|
||||
+ else
|
||||
+ logit("FIPS integrity verification test failed.");
|
||||
+ }
|
||||
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
@@ -614,6 +626,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
dump_client_config(&options, host);
|
||||
exit(0);
|
||||
}
|
||||
+
|
||||
+ if (FIPS_mode()) {
|
||||
+ debug("FIPS mode initialized");
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Discard other fds that are hanging around. These can cause problem
|
||||
* with backgrounded ssh processes started by ControlPersist.
|
||||
|
||||
/* Expand SecurityKeyProvider if it refers to an environment variable */
|
||||
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
|
||||
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
||||
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200
|
||||
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200
|
||||
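Review bot: The new side of the ssh.c include hunk drops `#include <fipscheck.h>` (the `@@ -76,6 +76,8 @@` header becomes `@@ -76,6 +76,7 @@`), so the `FIPSCHECK_verify(NULL, NULL)` integrity test gated on `access("/etc/system-fips", F_OK)` in main() cannot survive on the new side either; the sshd.c hunk below shows the same removal more explicitly, its `@@ -1529,6 +1532,18 @@` block shrinking to 7 lines and apparently keeping only `OpenSSL_add_all_algorithms();`. After this change neither ssh nor sshd has a visible fail-closed path for a failed FIPS integrity check, whereas sshd previously logged `LOG_CRIT` and called `cleanup_exit(255)` when `FIPS_mode()` was on. If the self-test is now delegated to OpenSSL's own FIPS module initialization, a comment such as `/* FIPS integrity self-test is done by OpenSSL at init; no fipscheck(3) call here */` next to the surviving `OpenSSL_add_all_algorithms();` and the `if (FIPS_mode())` debug line would record that decision, and the `debug("FIPS mode initialized")` message would then be the only runtime signal that the mode is active. main() starts and ends outside both hunks, so I cannot see whether a replacement check exists elsewhere in the function.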
@ -325,7 +263,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||
|
||||
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||
if (options.gss_keyex) {
|
||||
@ -333,12 +271,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
||||
- * client to the key exchange algorithm proposal */
|
||||
- orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||
-
|
||||
- if (options.gss_server_identity)
|
||||
- if (options.gss_server_identity) {
|
||||
- gss_host = xstrdup(options.gss_server_identity);
|
||||
- else if (options.gss_trust_dns)
|
||||
- } else if (options.gss_trust_dns) {
|
||||
- gss_host = remote_hostname(ssh);
|
||||
- else
|
||||
- /* Fall back to specified host if we are using proxy command
|
||||
- * and can not use DNS on that socket */
|
||||
- if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||
- free(gss_host);
|
||||
- gss_host = xstrdup(host);
|
||||
- }
|
||||
- } else {
|
||||
- gss_host = xstrdup(host);
|
||||
- }
|
||||
-
|
||||
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||
@ -360,12 +305,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
||||
+ * client to the key exchange algorithm proposal */
|
||||
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||
+
|
||||
+ if (options.gss_server_identity)
|
||||
+ if (options.gss_server_identity) {
|
||||
+ gss_host = xstrdup(options.gss_server_identity);
|
||||
+ else if (options.gss_trust_dns)
|
||||
+ } else if (options.gss_trust_dns) {
|
||||
+ gss_host = remote_hostname(ssh);
|
||||
+ else
|
||||
+ /* Fall back to specified host if we are using proxy command
|
||||
+ * and can not use DNS on that socket */
|
||||
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||
+ free(gss_host);
|
||||
+ gss_host = xstrdup(host);
|
||||
+ }
|
||||
+ } else {
|
||||
+ gss_host = xstrdup(host);
|
||||
+ }
|
||||
+
|
||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||
@ -394,31 +346,19 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@@ -77,6 +78,8 @@
|
||||
@@ -77,6 +78,7 @@
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/rand.h>
|
||||
+#include <openssl/crypto.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
@@ -1529,6 +1532,18 @@ main(int ac, char **av)
|
||||
@@ -1529,6 +1532,7 @@ main(int ac, char **av)
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL)) {
|
||||
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
|
||||
+ if (FIPS_mode()) {
|
||||
+ syslog(LOG_CRIT, "FIPS integrity verification test failed.");
|
||||
+ cleanup_exit(255);
|
||||
+ }
|
||||
+ else
|
||||
+ syslog(LOG_INFO, "FIPS integrity verification test failed.");
|
||||
+ closelog();
|
||||
+ }
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
saved_argc = ac;
|
||||
rexec_argc = ac;
|
||||
@ -513,5 +453,5 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
|
||||
fflush(stdout);
|
||||
- type = sshkey_type_from_name(key_types[i].key_type);
|
||||
if ((fd = mkstemp(prv_tmp)) == -1) {
|
||||
error("Could not save your public key in %s: %s",
|
||||
prv_tmp, strerror(errno));
|
||||
error("Could not save your private key in %s: %s",
|
||||
prv_tmp, strerror(errno));
|
||||
|
@ -480,7 +480,7 @@ index 6cae720e..16e55cbc 100644
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/* This allows GSSAPI methods to do things to the childs environment based
|
||||
/* This allows GSSAPI methods to do things to the child's environment based
|
||||
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
|
||||
char *envstr;
|
||||
#endif
|
||||
@ -574,7 +574,7 @@ index 85df6a27..480a5ead 100644
|
||||
+++ b/session.c
|
||||
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
/* Allow any GSSAPI methods that we've used to alter
|
||||
* the childs environment as they see fit
|
||||
* the child's environment as they see fit
|
||||
*/
|
||||
- ssh_gssapi_do_child(&env, &envsize);
|
||||
+ if (s->authctxt->krb5_set_env)
|
||||
|
@ -1,13 +1,16 @@
|
||||
diff -up openssh/ssh_config.redhat openssh/ssh_config
|
||||
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
|
||||
@@ -43,3 +43,7 @@
|
||||
@@ -43,3 +43,10 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
+#
|
||||
+# To modify the system-wide ssh configuration, create a *.conf file under
|
||||
+# /etc/ssh/ssh_config.d/ which will be automatically included below
|
||||
+# This system is following system-wide crypto policy.
|
||||
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
|
||||
+# file under /etc/ssh/ssh_config.d/ which will be automatically
|
||||
+# included below. For more information, see manual page for
|
||||
+# update-crypto-policies(8) and ssh_config(5).
|
||||
+Include /etc/ssh/ssh_config.d/*.conf
|
||||
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
|
||||
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
|
||||
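Review bot: The expanded comment above `Include /etc/ssh/ssh_config.d/*.conf` says the drop-ins are "automatically included below" but does not say how they interact with the rest of the file. ssh keeps the first value obtained for each option, so anything an administrator uncomments above the Include in this file wins over every drop-in, and files matching the glob are read in sorted order, so a drop-in meant to override the crypto-policy snippet has to sort before it (the sort order is inferred from glob(3) behaviour; confirm against the readconf Include handling). Suggest adding `# Options set earlier in this file, or in drop-in files that sort earlier, take precedence.` to the comment so the precedence rule is visible where people actually edit.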
@ -65,10 +68,14 @@ diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
|
||||
diff -up openssh/sshd_config.redhat openssh/sshd_config
|
||||
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
|
||||
@@ -10,6 +10,10 @@
|
||||
@@ -10,6 +10,14 @@
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
|
||||
|
||||
+# To modify the system-wide sshd configuration, create a *.conf file under
|
||||
+# /etc/ssh/sshd_config.d/ which will be automatically included below
|
||||
+Include /etc/ssh/sshd_config.d/*.conf
|
||||
+
|
||||
+# If you want to change the port on a SELinux system, you have to tell
|
||||
+# SELinux about this change.
|
||||
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
||||
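Review bot: Moving `Include /etc/ssh/sshd_config.d/*.conf` ahead of `#Port 22` changes which value wins: sshd uses the first obtained value per keyword, so an option set in a drop-in now silently overrides the same option set later in this file, including Port, ListenAddress and the authentication settings, whereas the previous end-of-file placement (removed in the `@@ -114,3 +118,7 @@` hunk below) let the main file win. That is presumably intended so the crypto-policy drop-in takes effect, but the comment only says the directory is "automatically included below". Suggest extending it with `# Settings in these drop-in files take precedence over settings made later in this file.` so an administrator who edits Port here is not surprised when a drop-in wins. The `semanage port` hint that follows is unaffected.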
@ -76,26 +83,16 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config
|
||||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
@@ -114,3 +118,7 @@ Subsystem sftp /usr/libexec/sftp-server
|
||||
# AllowTcpForwarding no
|
||||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
||||
+
|
||||
+# To modify the system-wide ssh configuration, create a *.conf file under
|
||||
+# /etc/ssh/sshd_config.d/ which will be automatically included below
|
||||
+Include /etc/ssh/sshd_config.d/*.conf
|
||||
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
|
||||
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
|
||||
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
|
||||
@@ -0,0 +1,31 @@
|
||||
+# System-wide Crypto policy:
|
||||
@@ -0,0 +1,29 @@
|
||||
+# This system is following system-wide crypto policy. The changes to
|
||||
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
|
||||
+# effect here. They will be overridden by command-line options passed on
|
||||
+# the server start up.
|
||||
+# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
|
||||
+# variable in /etc/sysconfig/sshd to overwrite the policy.
|
||||
+# For more information, see manual page for update-crypto-policies(8).
|
||||
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
|
||||
+# this or following included files. To override some configuration option,
|
||||
+# write it before this block or include it before this file.
|
||||
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
|
||||
+Include /etc/crypto-policies/back-ends/opensshserver.config
|
||||
+
|
||||
+SyslogFacility AUTHPRIV
|
||||
+
|
||||
|
@ -1,8 +1,15 @@
|
||||
diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
||||
--- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100
|
||||
+++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100
|
||||
@@ -361,15 +361,15 @@ domains.
|
||||
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
||||
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
||||
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
||||
@@ -359,17 +359,17 @@ or
|
||||
.Qq *.c.example.com
|
||||
domains.
|
||||
.It Cm CASignatureAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies which algorithms are allowed for signing of certificates
|
||||
by certificate authorities (CAs).
|
||||
-The default is:
|
||||
@ -15,15 +22,39 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
||||
will not accept host certificates signed using algorithms other than those
|
||||
specified.
|
||||
+.Pp
|
||||
.It Cm CertificateFile
|
||||
Specifies a file from which the user's certificate is read.
|
||||
A corresponding private key must be provided separately in order
|
||||
@@ -424,20 +424,25 @@ If the option is set to
|
||||
.Cm no ,
|
||||
the check will not be executed.
|
||||
.It Cm Ciphers
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
.It Cm CertificateFile
|
||||
Specifies a file from which the user's certificate is read.
|
||||
A corresponding private key must be provided separately in order
|
||||
@@ -453,12 +453,10 @@ aes256-gcm@openssh.com
|
||||
Specifies the ciphers allowed and their order of preference.
|
||||
Multiple ciphers must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified ciphers will be appended to the default set
|
||||
+character, then the specified ciphers will be appended to the built-in default set
|
||||
instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified ciphers (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified ciphers will be placed at the head of the
|
||||
-default set.
|
||||
+built-in default set.
|
||||
.Pp
|
||||
The supported ciphers are:
|
||||
.Bd -literal -offset indent
|
||||
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
|
||||
chacha20-poly1305@openssh.com
|
||||
.Ed
|
||||
.Pp
|
||||
@ -33,30 +64,59 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
.It Cm ClearAllForwardings
|
||||
@@ -812,6 +810,11 @@ command line will be passed untouched to
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
.Pp
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
@@ -824,8 +822,10 @@ gss-nistp256-sha256-,
|
||||
+.Pp
|
||||
The list of key exchange algorithms that are offered for GSSAPI
|
||||
key exchange. Possible values are
|
||||
.Bd -literal -offset 3n
|
||||
@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
.Pp
|
||||
-The default is
|
||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
+.Pp
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
@@ -1149,29 +1150,25 @@ it may be zero or more of:
|
||||
and
|
||||
.Cm pam .
|
||||
.It Cm KexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
@@ -1162,15 +1162,10 @@ If the specified list begins with a
|
||||
+.Pp
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified methods will be appended to the default set
|
||||
+character, then the specified methods will be appended to the built-in default set
|
||||
instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified methods (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified methods will be placed at the head of the
|
||||
default set.
|
||||
-default set.
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
@ -66,14 +126,41 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
||||
-diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256
|
||||
-.Ed
|
||||
+built-in default set.
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
@@ -1231,37 +1228,33 @@ The default is INFO.
|
||||
DEBUG and DEBUG1 are equivalent.
|
||||
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
||||
.It Cm MACs
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the MAC (message authentication code) algorithms
|
||||
in order of preference.
|
||||
The MAC algorithm is used for data integrity protection.
|
||||
Multiple algorithms must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
+character, then the specified algorithms will be appended to the built-in default set
|
||||
instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in default set.
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
@@ -1252,14 +1247,10 @@ The algorithms that contain
|
||||
The algorithms that contain
|
||||
.Qq -etm
|
||||
calculate the MAC after encryption (encrypt-then-mac).
|
||||
These are considered safer and their use recommended.
|
||||
.Pp
|
||||
@ -85,17 +172,35 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
||||
-umac-64@openssh.com,umac-128@openssh.com,
|
||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
.It Cm NoHostAuthenticationForLocalhost
|
||||
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
|
||||
The default is
|
||||
.Cm no .
|
||||
.It Cm PubkeyAcceptedKeyTypes
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
.Pp
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
@@ -1407,22 +1398,10 @@ If the specified list begins with a
|
||||
+.Pp
|
||||
Specifies the key types that will be used for public key authentication
|
||||
as a comma-separated list of patterns.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the key types after it will be appended to the default
|
||||
+character, then the key types after it will be appended to the built-in default
|
||||
instead of replacing it.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified key types (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified key types will be placed at the head of the
|
||||
default set.
|
||||
-default set.
|
||||
-The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
@ -112,18 +217,22 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
-.Ed
|
||||
+built-in default set.
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
||||
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
||||
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
||||
@@ -375,16 +375,16 @@ If the argument is
|
||||
then no banner is displayed.
|
||||
By default, no banner is displayed.
|
||||
.It Cm CASignatureAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||
diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
||||
--- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100
|
||||
+++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100
|
||||
@@ -377,14 +377,14 @@ By default, no banner is displayed.
|
||||
.It Cm CASignatureAlgorithms
|
||||
+.Pp
|
||||
Specifies which algorithms are allowed for signing of certificates
|
||||
by certificate authorities (CAs).
|
||||
-The default is:
|
||||
@ -135,15 +244,39 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
||||
Certificates signed using other algorithms will not be accepted for
|
||||
public key or host-based authentication.
|
||||
+.Pp
|
||||
.It Cm ChallengeResponseAuthentication
|
||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||
PAM or through authentication styles supported in
|
||||
@@ -446,20 +446,25 @@ The default is
|
||||
indicating not to
|
||||
.Xr chroot 2 .
|
||||
.It Cm Ciphers
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
.It Cm ChallengeResponseAuthentication
|
||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||
PAM or through authentication styles supported in
|
||||
@@ -486,12 +486,10 @@ aes256-gcm@openssh.com
|
||||
Specifies the ciphers allowed.
|
||||
Multiple ciphers must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified ciphers will be appended to the default set
|
||||
+character, then the specified ciphers will be appended to the built-in default set
|
||||
instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified ciphers (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified ciphers will be placed at the head of the
|
||||
-default set.
|
||||
+built-in default set.
|
||||
.Pp
|
||||
The supported ciphers are:
|
||||
.Pp
|
||||
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
|
||||
chacha20-poly1305@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
@ -153,28 +286,54 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||
-.Ed
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
.Pp
|
||||
-.Pp
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
@@ -693,8 +691,10 @@ gss-nistp256-sha256-,
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
.Pp
|
||||
-The default is
|
||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
.It Cm ClientAliveCountMax
|
||||
@@ -681,22 +679,24 @@ For this to work
|
||||
.Cm GSSAPIKeyExchange
|
||||
needs to be enabled in the server and also used by the client.
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
This option only applies to protocol version 2 connections using GSSAPI.
|
||||
+.Pp
|
||||
The list of key exchange algorithms that are accepted by GSSAPI
|
||||
key exchange. Possible values are
|
||||
.Bd -literal -offset 3n
|
||||
-gss-gex-sha1-,
|
||||
-gss-group1-sha1-,
|
||||
-gss-group14-sha1-,
|
||||
-gss-group14-sha256-,
|
||||
-gss-group16-sha512-,
|
||||
-gss-nistp256-sha256-,
|
||||
+gss-gex-sha1-
|
||||
+gss-group1-sha1-
|
||||
+gss-group14-sha1-
|
||||
+gss-group14-sha256-
|
||||
+gss-group16-sha512-
|
||||
+gss-nistp256-sha256-
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
-.Pp
|
||||
-The default is
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
+.Pp
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
@@ -794,22 +794,10 @@ environment variable.
|
||||
as a list of comma-separated patterns.
|
||||
@@ -793,25 +793,13 @@ is specified, the location of the socket
|
||||
.Ev SSH_AUTH_SOCK
|
||||
environment variable.
|
||||
.It Cm HostKeyAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the host key algorithms
|
||||
that the server offers.
|
||||
-The default for this option is:
|
||||
@ -193,14 +352,40 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
.It Cm IgnoreRhosts
|
||||
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm KexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified methods will be appended to the default set
|
||||
+character, then the specified methods will be appended to the built-in default set
|
||||
instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified methods (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified methods will be placed at the head of the
|
||||
-default set.
|
||||
+built-in default set.
|
||||
The supported algorithms are:
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
@@ -987,14 +975,10 @@ ecdh-sha2-nistp521
|
||||
.Bl -item -compact -offset indent
|
||||
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
||||
sntrup4591761x25519-sha512@tinyssh.org
|
||||
.El
|
||||
.Pp
|
||||
@ -212,14 +397,41 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
||||
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q KexAlgorithms .
|
||||
.It Cm ListenAddress
|
||||
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
||||
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
||||
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
||||
.It Cm MACs
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the available MAC (message authentication code) algorithms.
|
||||
The MAC algorithm is used for data integrity protection.
|
||||
Multiple algorithms must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
+character, then the specified algorithms will be appended to the built-in default set
|
||||
instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in default set.
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q KexAlgorithms .
|
||||
@@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com
|
||||
The algorithms that contain
|
||||
.Qq -etm
|
||||
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
|
||||
umac-128-etm@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
@ -231,17 +443,35 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
||||
-umac-64@openssh.com,umac-128@openssh.com,
|
||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
.It Cm Match
|
||||
@@ -1480,36 +1460,25 @@ or equivalent.)
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm PubkeyAcceptedKeyTypes
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
.Pp
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
@@ -1492,22 +1472,10 @@ If the specified list begins with a
|
||||
+.Pp
|
||||
Specifies the key types that will be accepted for public key authentication
|
||||
as a list of comma-separated patterns.
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified key types will be appended to the default set
|
||||
+character, then the specified key types will be appended to the built-in default set
|
||||
instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified key types (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified key types will be placed at the head of the
|
||||
default set.
|
||||
-default set.
|
||||
-The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
@ -258,10 +488,7 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
-.Ed
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+built-in default set.
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||
|
@ -964,7 +964,7 @@ index ab3a15f0..6ce56e92 100644
|
||||
--- a/gss-serv.c
|
||||
+++ b/gss-serv.c
|
||||
@@ -1,7 +1,7 @@
|
||||
/* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
|
||||
/* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
|
||||
|
||||
/*
|
||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||
@ -3253,7 +3253,7 @@ index 36180d07..70dd3665 100644
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@@ -61,10 +61,30 @@
|
||||
@@ -61,10 +61,34 @@
|
||||
|
||||
#define SSH_GSS_OIDTYPE 0x06
|
||||
|
||||
@ -3273,8 +3273,12 @@ index 36180d07..70dd3665 100644
|
||||
+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
|
||||
+
|
||||
+#define GSS_KEX_DEFAULT_KEX \
|
||||
+ KEX_GSS_GEX_SHA1_ID "," \
|
||||
+ KEX_GSS_GRP14_SHA1_ID
|
||||
+ KEX_GSS_GRP14_SHA256_ID "," \
|
||||
+ KEX_GSS_GRP16_SHA512_ID "," \
|
||||
+ KEX_GSS_NISTP256_SHA256_ID "," \
|
||||
+ KEX_GSS_C25519_SHA256_ID "," \
|
||||
+ KEX_GSS_GRP14_SHA1_ID "," \
|
||||
+ KEX_GSS_GEX_SHA1_ID
|
||||
+
|
||||
typedef struct {
|
||||
char *filename;
|
||||
@ -3429,7 +3433,7 @@ diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index 06a32d31..3f490697 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -766,10 +766,67 @@ The default is
|
||||
@@ -766,10 +766,68 @@ The default is
|
||||
Specifies whether user authentication based on GSSAPI is allowed.
|
||||
The default is
|
||||
.Cm no .
|
||||
@ -3492,8 +3496,9 @@ index 06a32d31..3f490697 100644
|
||||
+.Ed
|
||||
+.Pp
|
||||
+The default is
|
||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
+This option only applies to connections using GSSAPI.
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
@ -3522,7 +3527,7 @@ index af00fb30..03bc87eb 100644
|
||||
xxx_host = host;
|
||||
xxx_hostaddr = hostaddr;
|
||||
|
||||
@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||
}
|
||||
|
||||
@ -3532,12 +3537,19 @@ index af00fb30..03bc87eb 100644
|
||||
+ * client to the key exchange algorithm proposal */
|
||||
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||
+
|
||||
+ if (options.gss_server_identity)
|
||||
+ if (options.gss_server_identity) {
|
||||
+ gss_host = xstrdup(options.gss_server_identity);
|
||||
+ else if (options.gss_trust_dns)
|
||||
+ } else if (options.gss_trust_dns) {
|
||||
+ gss_host = remote_hostname(ssh);
|
||||
+ else
|
||||
+ /* Fall back to specified host if we are using proxy command
|
||||
+ * and can not use DNS on that socket */
|
||||
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||
+ free(gss_host);
|
||||
+ gss_host = xstrdup(host);
|
||||
+ }
|
||||
+ } else {
|
||||
+ gss_host = xstrdup(host);
|
||||
+ }
|
||||
+
|
||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||
@ -3626,18 +3638,25 @@ index af00fb30..03bc87eb 100644
|
||||
{"gssapi-with-mic",
|
||||
userauth_gssapi,
|
||||
userauth_gssapi_cleanup,
|
||||
@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh)
|
||||
@@ -716,12 +784,32 @@ userauth_gssapi(struct ssh *ssh)
|
||||
OM_uint32 min;
|
||||
int r, ok = 0;
|
||||
gss_OID mech = NULL;
|
||||
+ char *gss_host;
|
||||
+ char *gss_host = NULL;
|
||||
+
|
||||
+ if (options.gss_server_identity)
|
||||
+ if (options.gss_server_identity) {
|
||||
+ gss_host = xstrdup(options.gss_server_identity);
|
||||
+ else if (options.gss_trust_dns)
|
||||
+ } else if (options.gss_trust_dns) {
|
||||
+ gss_host = remote_hostname(ssh);
|
||||
+ else
|
||||
+ /* Fall back to specified host if we are using proxy command
|
||||
+ * and can not use DNS on that socket */
|
||||
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||
+ free(gss_host);
|
||||
+ gss_host = xstrdup(authctxt->host);
|
||||
+ }
|
||||
+ } else {
|
||||
+ gss_host = xstrdup(authctxt->host);
|
||||
+ }
|
||||
|
||||
/* Try one GSSAPI method at a time, rather than sending them all at
|
||||
* once. */
|
||||
@ -3849,7 +3868,7 @@ index 70ccea44..f6b41a2f 100644
|
||||
.It Cm GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against.
|
||||
@@ -660,6 +665,31 @@ machine's default store.
|
||||
@@ -660,6 +665,32 @@ machine's default store.
|
||||
This facility is provided to assist with operation on multi homed machines.
|
||||
The default is
|
||||
.Cm yes .
|
||||
@ -3876,8 +3895,9 @@ index 70ccea44..f6b41a2f 100644
|
||||
+.Ed
|
||||
+.Pp
|
||||
+The default is
|
||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
+This option only applies to connections using GSSAPI.
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a list of comma-separated patterns.
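Review bot: The target-host selection added in ssh_kex2 (`if (options.gss_server_identity) … else if (options.gss_trust_dns) … strcmp(gss_host, "UNKNOWN")`) is repeated verbatim in userauth_gssapi further down, differing only in `host` versus `authctxt->host`, so the `"UNKNOWN"` sentinel check against remote_hostname()'s return value now lives in two places that will drift the next time the fallback rule changes. Move it into one static helper that returns an allocated name and call it from both sites, as sketched below; both enclosing functions start and end outside these hunks, so the free of `gss_host` on their exit paths is not visible here. Separately, the new `GSS_KEX_DEFAULT_KEX` still lists the two SHA-1 methods last; if that is deliberate for interoperability with older peers, a comment on the define such as `/* SHA-1 methods kept last for interop; the system crypto policy may remove them */` would stop a later cleanup from changing the wire default silently.
```c
/*
 * Host name used to build the GSSAPI target principal: explicit
 * GSSAPIServerIdentity first, else reverse DNS when GSSAPITrustDNS is
 * set (falling back to the user-supplied name when the socket has no
 * peer, e.g. under ProxyCommand), else the user-supplied name.
 * Returns an allocated string the caller must free().
 */
static char *
gss_target_host(struct ssh *ssh, const char *host)
{
	char *gss_host;

	if (options.gss_server_identity)
		return xstrdup(options.gss_server_identity);
	if (options.gss_trust_dns) {
		gss_host = remote_hostname(ssh);
		if (strcmp(gss_host, "UNKNOWN") != 0)
			return gss_host;
		free(gss_host);
	}
	return xstrdup(host);
}
/* … in ssh_kex2: gss_host = gss_target_host(ssh, host); … */
/* … in userauth_gssapi: gss_host = gss_target_host(ssh, authctxt->host); … */
```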
|
||||
|
@ -48,7 +48,7 @@ index e7549470..4511f82a 100644
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
- ssh-pkcs11.o smult_curve25519_ref.o \
|
||||
+ ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \
|
||||
poly1305.o chacha.o cipher-chachapoly.o \
|
||||
poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
|
||||
ssh-ed25519.o digest-openssl.o digest-libc.o \
|
||||
hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
|
||||
@@ -289,6 +289,8 @@ clean: regressclean
|
||||
@ -2502,7 +2502,7 @@ index a302c79c..879fe917 100644
|
||||
int ret = -1;
|
||||
struct pkcs11_provider *p = NULL;
|
||||
void *handle = NULL;
|
||||
@@ -1484,165 +1670,301 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
||||
@@ -1484,167 +1670,303 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
||||
CK_FUNCTION_LIST *f = NULL;
|
||||
CK_TOKEN_INFO *token;
|
||||
CK_ULONG i;
|
||||
@ -2722,6 +2722,9 @@ index a302c79c..879fe917 100644
|
||||
+ }
|
||||
+
|
||||
+ provider_uri = pkcs11_uri_get(uri);
|
||||
+ if (pin == NULL && uri->pin != NULL) {
|
||||
+ pin = uri->pin;
|
||||
+ }
|
||||
+ nkeys = 0;
|
||||
+ for (i = 0; i < p->module->nslots; i++) {
|
||||
+ token = &p->module->slotinfo[i].token;
|
||||
@ -2757,9 +2760,6 @@ index a302c79c..879fe917 100644
|
||||
+ provider_uri, (unsigned long)i,
|
||||
token->label, token->manufacturerID, token->model,
|
||||
token->serialNumber, token->flags);
|
||||
+ if (pin == NULL && uri->pin != NULL) {
|
||||
+ pin = uri->pin;
|
||||
+ }
|
||||
/*
|
||||
- * open session, login with pin and retrieve public
|
||||
- * keys (if keyp is provided)
|
||||
@ -2805,8 +2805,8 @@ index a302c79c..879fe917 100644
|
||||
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
|
||||
+ uri->object = label;
|
||||
}
|
||||
+ pin = NULL; /* Will be cleaned up with URI */
|
||||
}
|
||||
+ pin = NULL; /* Will be cleaned up with URI */
|
||||
|
||||
/* now owned by caller */
|
||||
*providerp = p;
|
||||
@ -2830,6 +2830,8 @@ index a302c79c..879fe917 100644
|
||||
}
|
||||
- if (handle)
|
||||
- dlclose(handle);
|
||||
if (ret > 0)
|
||||
ret = -1;
|
||||
return (ret);
|
||||
}
|
||||
|
||||
@ -3109,9 +3111,9 @@ index 15aee569..976844cb 100644
|
||||
+ }
|
||||
+#endif /* ENABLE_PKCS11 */
|
||||
+ cp = tilde_expand_filename(name, getuid());
|
||||
filename = percent_expand(cp, "d", pw->pw_dir,
|
||||
"u", pw->pw_name, "l", thishost, "h", host,
|
||||
"r", options.user, (char *)NULL);
|
||||
filename = default_client_percent_expand(cp,
|
||||
pw->pw_dir, host, options.user, pw->pw_name);
|
||||
free(cp);
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index 06a32d31..4b2763bd 100644
|
||||
--- a/ssh_config.5
|
||||
|
@ -26,7 +26,7 @@ index dca158de..afdcb1d2 100644
|
||||
|
||||
-int
|
||||
+int __attribute__((visibility("default")))
|
||||
sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
||||
sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
|
||||
const char *application, const uint8_t *key_handle, size_t key_handle_len,
|
||||
uint8_t flags, const char *pin, struct sk_option **options,
|
||||
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
||||
|
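--- /dev/null
+++ b/openssh-8.2p1-x11-without-ipv6.patch
@@ -0,0 +1,30 @@
+diff --git a/channels.c b/channels.c
+--- a/channels.c
++++ b/channels.c
+@@ -3933,16 +3933,26 @@ x11_create_display_inet(int x11_display_
+if (ai->ai_family == AF_INET6)
+sock_set_v6only(sock);
+if (x11_use_localhost)
+set_reuseaddr(sock);
+if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+debug2("%s: bind port %d: %.100s", __func__,
+port, strerror(errno));
+close(sock);
++
++ /* do not remove successfully opened
++ * sockets if the request failed because
++ * the protocol IPv4/6 is not available
++ * (e.g. IPv6 may be disabled while being
++ * supported)
++ */
++ if (EADDRNOTAVAIL == errno)
++ continue;
++
+for (n = 0; n < num_socks; n++)
+close(socks[n]);
+num_socks = 0;
+break;
+}
+socks[num_socks++] = sock;
+if (num_socks == NUM_SOCKS)
+break;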
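Review bot: The new `if (EADDRNOTAVAIL == errno)` test runs after `close(sock)`, so the errno it inspects may be the one left by close() rather than by the failed bind(), and nothing in the hunk shows that the intervening debug2() preserves it either; a clobbered errno silently turns the intended "skip this family" into the old "tear everything down" path. Save it at the point of failure: `int oerrno = errno;` as the first statement of the `if (bind(...) == -1)` block, pass `strerror(oerrno)` to debug2, and test `if (oerrno == EADDRNOTAVAIL) continue;`. The enclosing x11_create_display_inet() starts and ends outside this hunk, so whether a walk in which every address fails with EADDRNOTAVAIL (leaving `num_socks == 0`) is handled afterwards is not visible here.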
227
openssh-8.3p1-sshd_include.patch
Normal file
227
openssh-8.3p1-sshd_include.patch
Normal file
@ -0,0 +1,227 @@
|
||||
From 3caa40f40c7f97ecf46969e050e530338864033e Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Mon, 25 May 2020 15:46:51 +0200
|
||||
Subject: [PATCH 1/3] regress: Add more test cases
|
||||
|
||||
---
|
||||
regress/servcfginclude.sh | 36 +++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 35 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh
|
||||
index b25c8faa..b6a9a248 100644
|
||||
--- a/regress/servcfginclude.sh
|
||||
+++ b/regress/servcfginclude.sh
|
||||
@@ -146,9 +146,43 @@ Include
|
||||
_EOF
|
||||
|
||||
trace "disallow invalid with no argument"
|
||||
-${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
|
||||
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \
|
||||
-C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
|
||||
fail "sshd allowed Include with no argument"
|
||||
|
||||
+# Ensure the Include before any Match block works as expected (bug #3122)
|
||||
+cat > $OBJ/sshd_config.i << _EOF
|
||||
+Banner /xx
|
||||
+HostKey $OBJ/host.ssh-ed25519
|
||||
+Include $OBJ/sshd_config.i.2
|
||||
+Match host a
|
||||
+ Banner /aaaa
|
||||
+_EOF
|
||||
+cat > $OBJ/sshd_config.i.2 << _EOF
|
||||
+Match host a
|
||||
+ Banner /aa
|
||||
+_EOF
|
||||
+
|
||||
+trace "Include before match blocks"
|
||||
+trial a /aa "included file before match blocks is properly evaluated"
|
||||
+
|
||||
+# Port in included file is correctly interpretted (bug #3169)
|
||||
+cat > $OBJ/sshd_config.i << _EOF
|
||||
+Include $OBJ/sshd_config.i.2
|
||||
+Port 7722
|
||||
+_EOF
|
||||
+cat > $OBJ/sshd_config.i.2 << _EOF
|
||||
+HostKey $OBJ/host.ssh-ed25519
|
||||
+_EOF
|
||||
+
|
||||
+trace "Port after included files"
|
||||
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
|
||||
+ -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \
|
||||
+ fail "failed to parse Port after included files"
|
||||
+_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'`
|
||||
+if test "x7722" != "x$_port" ; then
|
||||
+ fail "The Port in included file was intertepretted wrongly. Expected 7722, got $_port"
|
||||
+fi
|
||||
+
|
||||
# cleanup
|
||||
rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
||||
From 924922fcb8f34fb4a156367de2ee33ad92a68a6a Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Mon, 25 May 2020 16:56:39 +0200
|
||||
Subject: [PATCH 2/3] Do not call process_queued_listen_addrs() for every
|
||||
included file
|
||||
|
||||
Fixes #3169
|
||||
---
|
||||
servconf.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 5bb4b1f8..78a7d87d 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -74,7 +74,7 @@ static void add_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
static void add_one_listen_addr(ServerOptions *, const char *,
|
||||
const char *, int);
|
||||
-void parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
+static void parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
struct sshbuf *conf, struct include_list *includes,
|
||||
struct connection_info *connectinfo, int flags, int *activep, int depth);
|
||||
|
||||
@@ -2580,7 +2580,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
#undef M_CP_STRARRAYOPT
|
||||
|
||||
#define SERVCONF_MAX_DEPTH 16
|
||||
-void
|
||||
+static void
|
||||
parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
struct sshbuf *conf, struct include_list *includes,
|
||||
struct connection_info *connectinfo, int flags, int *activep, int depth)
|
||||
@@ -2606,7 +2606,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
if (bad_options > 0)
|
||||
fatal("%s: terminating, %d bad configuration options",
|
||||
filename, bad_options);
|
||||
- process_queued_listen_addrs(options);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -2617,6 +2616,7 @@ parse_server_config(ServerOptions *options, const char *filename,
|
||||
int active = connectinfo ? 0 : 1;
|
||||
parse_server_config_depth(options, filename, conf, includes,
|
||||
connectinfo, 0, &active, 0);
|
||||
+ process_queued_listen_addrs(options);
|
||||
}
|
||||
|
||||
static const char *
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
||||
From 26d970b4fb373cb7bd99286e41dd095cd1eadbd0 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 26 May 2020 16:25:24 +0200
|
||||
Subject: [PATCH 3/3] servconf: Fix parsing of Match blocks in included files
|
||||
(#3122)
|
||||
|
||||
---
|
||||
servconf.c | 28 +++++++++++++++++++---------
|
||||
1 file changed, 19 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 78a7d87d..a8541514 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -554,6 +554,7 @@ typedef enum {
|
||||
#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
|
||||
#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
|
||||
#define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
|
||||
+#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
|
||||
|
||||
/* Textual representation of the tokens. */
|
||||
static struct {
|
||||
@@ -1265,7 +1266,7 @@ static const struct multistate multistate_tcpfwd[] = {
|
||||
static int
|
||||
process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
const char *filename, int linenum, int *activep,
|
||||
- struct connection_info *connectinfo, int inc_flags, int depth,
|
||||
+ struct connection_info *connectinfo, int *inc_flags, int depth,
|
||||
struct include_list *includes)
|
||||
{
|
||||
char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
|
||||
@@ -2012,7 +2013,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
parse_server_config_depth(options,
|
||||
item->filename, item->contents,
|
||||
includes, connectinfo,
|
||||
- (oactive ? 0 : SSHCFG_NEVERMATCH),
|
||||
+ (*inc_flags & SSHCFG_MATCH_ONLY
|
||||
+ ? SSHCFG_MATCH_ONLY : (oactive
|
||||
+ ? 0 : SSHCFG_NEVERMATCH)),
|
||||
activep, depth + 1);
|
||||
}
|
||||
found = 1;
|
||||
@@ -2060,7 +2063,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
parse_server_config_depth(options,
|
||||
item->filename, item->contents,
|
||||
includes, connectinfo,
|
||||
- (oactive ? 0 : SSHCFG_NEVERMATCH),
|
||||
+ (*inc_flags & SSHCFG_MATCH_ONLY
|
||||
+ ? SSHCFG_MATCH_ONLY : (oactive
|
||||
+ ? 0 : SSHCFG_NEVERMATCH)),
|
||||
activep, depth + 1);
|
||||
*activep = oactive;
|
||||
TAILQ_INSERT_TAIL(includes, item, entry);
|
||||
@@ -2078,11 +2083,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
if (cmdline)
|
||||
fatal("Match directive not supported as a command-line "
|
||||
"option");
|
||||
- value = match_cfg_line(&cp, linenum, connectinfo);
|
||||
+ value = match_cfg_line(&cp, linenum,
|
||||
+ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
|
||||
if (value < 0)
|
||||
fatal("%s line %d: Bad Match condition", filename,
|
||||
linenum);
|
||||
- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
|
||||
+ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
|
||||
+ /* The MATCH_ONLY is applicable only until the first match block */
|
||||
+ *inc_flags &= ~SSHCFG_MATCH_ONLY;
|
||||
break;
|
||||
|
||||
case sKerberosUseKuserok:
|
||||
@@ -2385,8 +2393,9 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
const char *filename, int linenum, int *activep,
|
||||
struct connection_info *connectinfo, struct include_list *includes)
|
||||
{
|
||||
+ int inc_flags = 0;
|
||||
return process_server_config_line_depth(options, line, filename,
|
||||
- linenum, activep, connectinfo, 0, 0, includes);
|
||||
+ linenum, activep, connectinfo, &inc_flags, 0, includes);
|
||||
}
|
||||
|
||||
|
||||
@@ -2591,14 +2600,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
|
||||
if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
|
||||
fatal("Too many recursive configuration includes");
|
||||
|
||||
- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
|
||||
+ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
|
||||
+ (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
|
||||
|
||||
if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
|
||||
fatal("%s: sshbuf_dup_string failed", __func__);
|
||||
linenum = 1;
|
||||
while ((cp = strsep(&cbuf, "\n")) != NULL) {
|
||||
if (process_server_config_line_depth(options, cp,
|
||||
- filename, linenum++, activep, connectinfo, flags,
|
||||
+ filename, linenum++, activep, connectinfo, &flags,
|
||||
depth, includes) != 0)
|
||||
bad_options++;
|
||||
}
|
||||
@@ -2615,7 +2625,7 @@ parse_server_config(ServerOptions *options, const char *filename,
|
||||
{
|
||||
int active = connectinfo ? 0 : 1;
|
||||
parse_server_config_depth(options, filename, conf, includes,
|
||||
- connectinfo, 0, &active, 0);
|
||||
+ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
|
||||
process_queued_listen_addrs(options);
|
||||
}
|
||||
|
||||
--
|
||||
2.25.4
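Review bot: The comment on the new flag, `#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */`, does not describe what the code does with it: the flag is set for the whole top-level parse when `connectinfo` is present, is cleared by the first `Match` line at that parse level (`*inc_flags &= ~SSHCFG_MATCH_ONLY`), and its only effect is that Includes processed while it is set have their own `Match` lines evaluated against `connectinfo` instead of being forced to `SSHCFG_NEVERMATCH`. Suggest `/* no Match seen yet at this level: nested Includes evaluate Match against connectinfo rather than NEVERMATCH; internal only */`. Because each parse_server_config_depth() level passes its own `&flags` copy, a `Match` inside an included file clears the flag for that file only, not for the including file; if that asymmetry is intended it deserves a sentence in the comment, since it decides how Includes placed after such an Include are evaluated.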
|
||||
|
||||
|
63
openssh.spec
63
openssh.spec
@ -65,10 +65,10 @@
|
||||
%endif
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 8.2p1
|
||||
%global openssh_rel 2
|
||||
%global openssh_ver 8.3p1
|
||||
%global openssh_rel 3
|
||||
%global pam_ssh_agent_ver 0.10.3
|
||||
%global pam_ssh_agent_rel 9
|
||||
%global pam_ssh_agent_rel 10
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
@ -213,6 +213,10 @@ Patch963: openssh-8.0p1-openssl-evp.patch
|
||||
Patch964: openssh-8.0p1-openssl-kdf.patch
|
||||
# sk-dummy.so built with -fvisibility=hidden does not work
|
||||
Patch965: openssh-8.2p1-visibility.patch
|
||||
# Do not break X11 without IPv6
|
||||
Patch966: openssh-8.2p1-x11-without-ipv6.patch
|
||||
# Unbreak sshd_config include corner cases (#3122)
|
||||
Patch967: openssh-8.3p1-sshd_include.patch
|
||||
|
||||
License: BSD
|
||||
Requires: /sbin/nologin
|
||||
@ -233,7 +237,6 @@ BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
|
||||
BuildRequires: audit-libs-devel >= 2.0.5
|
||||
BuildRequires: util-linux, groff
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: fipscheck-devel >= 1.3.0
|
||||
BuildRequires: openssl-devel >= 0.9.8j
|
||||
BuildRequires: perl-podlators
|
||||
BuildRequires: systemd-devel
|
||||
@ -264,16 +267,14 @@ BuildRequires: gnupg2
|
||||
%package clients
|
||||
Summary: An open source SSH client applications
|
||||
Requires: openssh = %{version}-%{release}
|
||||
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
||||
Requires: crypto-policies >= 20180306-1
|
||||
Requires: crypto-policies >= 20200610-1
|
||||
|
||||
%package server
|
||||
Summary: An open source SSH server daemon
|
||||
Requires: openssh = %{version}-%{release}
|
||||
Requires(pre): /usr/sbin/useradd
|
||||
Requires: pam >= 1.0.1-3
|
||||
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
||||
Requires: crypto-policies >= 20180306-1
|
||||
Requires: crypto-policies >= 20200610-1
|
||||
%{?systemd_requires}
|
||||
|
||||
%if %{ldap}
|
||||
@ -415,6 +416,8 @@ popd
|
||||
%patch963 -p1 -b .openssl-evp
|
||||
%patch964 -p1 -b .openssl-kdf
|
||||
%patch965 -p1 -b .visibility
|
||||
%patch966 -p1 -b .x11-ipv6
|
||||
%patch967 -p1 -b .include
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
@ -545,14 +548,6 @@ make
|
||||
popd
|
||||
%endif
|
||||
|
||||
# Add generation of HMAC checksums of the final stripped binaries
|
||||
%global __spec_install_post \
|
||||
%%{?__debug_package:%%{__debug_install_post}} \
|
||||
%%{__arch_install_post} \
|
||||
%%{__os_install_post} \
|
||||
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
|
||||
%{nil}
|
||||
|
||||
%check
|
||||
#to run tests use "--with check"
|
||||
%if %{?_with_check:1}%{!?_with_check:0}
|
||||
@ -572,12 +567,11 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
|
||||
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
||||
install -d $RPM_BUILD_ROOT/etc/sysconfig/
|
||||
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||
install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
|
||||
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
|
||||
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
|
||||
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
|
||||
install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/05-redhat.conf
|
||||
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/50-redhat.conf
|
||||
install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/50-redhat.conf
|
||||
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
|
||||
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
|
||||
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
||||
@ -644,13 +638,12 @@ getent passwd sshd >/dev/null || \
|
||||
|
||||
%files clients
|
||||
%attr(0755,root,root) %{_bindir}/ssh
|
||||
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
|
||||
%attr(0755,root,root) %{_bindir}/scp
|
||||
%attr(0644,root,root) %{_mandir}/man1/scp.1*
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-redhat.conf
|
||||
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
|
||||
%if ! %{rescue}
|
||||
%attr(0755,root,root) %{_bindir}/ssh-agent
|
||||
@ -673,7 +666,6 @@ getent passwd sshd >/dev/null || \
|
||||
%files server
|
||||
%dir %attr(0711,root,root) %{_var}/empty/sshd
|
||||
%attr(0755,root,root) %{_sbindir}/sshd
|
||||
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
|
||||
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
||||
@ -682,7 +674,7 @@ getent passwd sshd >/dev/null || \
|
||||
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||
%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/05-redhat.conf
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-redhat.conf
|
||||
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
|
||||
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
|
||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||
@ -728,9 +720,32 @@ getent passwd sshd >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Mar 26 2020 David Abdurachmanov <david.abdurachmanov@sifive.com> - 8.2p1-2 + 0.10.3-9.0.riscv64
|
||||
* Thu Jul 23 2020 David Abdurachmanov <david.abdurachmanov@sifive.com> - 8.3p1-3 + 0.10.3-10.0.riscv64
|
||||
- Add support for RISC-V (riscv64)
|
||||
|
||||
* Wed Jun 10 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-3 + 0.10.3-10
|
||||
- Do not lose PIN when more slots match PKCS#11 URI (#1843372)
|
||||
- Update to new crypto-policies version on server (using sshd_config include)
|
||||
- Move redhat configuraion files to larger number to allow simpler override
|
||||
- Move sshd_config include before any other definitions (#1824913)
|
||||
|
||||
* Mon Jun 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-2 + 0.10.3-10
|
||||
- Fix crash on cleanup (#1842281)
|
||||
|
||||
* Wed May 27 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-1 + 0.10.3-10
|
||||
- New upstream release (#1840503)
|
||||
- Unbreak corner cases of sshd_config include
|
||||
- Fix order of gssapi key exchange algorithms
|
||||
|
||||
* Wed Apr 08 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-3 + 0.10.3-9
|
||||
- Simplify reference to crypto policies in configuration files
|
||||
- Unbreak gssapi authentication with GSSAPITrustDNS over jump hosts
|
||||
- Correctly print FIPS mode initialized in debug mode
|
||||
- Enable SHA2-based GSSAPI key exchange methods (#1666781)
|
||||
- Do not break X11 forwarding when IPv6 is disabled
|
||||
- Remove fipscheck dependency as OpenSSH is no longer FIPS module
|
||||
- Improve documentation about crypto policies defaults in manual pages
|
||||
|
||||
* Thu Feb 20 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-2 + 0.10.3-9
|
||||
- Build against libfido2 to unbreak internal u2f support
|
||||
|
||||
|
4
sources
4
sources
@ -1,4 +1,4 @@
|
||||
SHA512 (openssh-8.2p1.tar.gz) = c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
|
||||
SHA512 (openssh-8.2p1.tar.gz.asc) = e6d091289d62d3a01d5978e3c26f72d8ea6979c345fbebc215515185ea567c959f5b17e32052d752829ab4c6bc537fd977f7aa02cf0a23280da63fd9d880f303
|
||||
SHA512 (openssh-8.3p1.tar.gz) = b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
|
||||
SHA512 (openssh-8.3p1.tar.gz.asc) = 569fa12b3671af15bd7cd54fc7b13d1d64f3e96eb28f6dc430082f7bec4595689c633d3d56c23faad45b73e4da666c3ec090de26bf54f49410ba9bb8b5363e75
|
||||
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
||||
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
|
||||
|
@ -6,10 +6,9 @@ Wants=sshd-keygen.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
|
||||
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
|
||||
EnvironmentFile=-/etc/sysconfig/sshd
|
||||
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
|
||||
ExecStart=/usr/sbin/sshd -D $OPTIONS $PERMITROOTLOGIN
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
Restart=on-failure
|
||||
|
@ -5,8 +5,7 @@ Wants=sshd-keygen.target
|
||||
After=sshd-keygen.target
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
|
||||
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
|
||||
EnvironmentFile=-/etc/sysconfig/sshd
|
||||
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
|
||||
ExecStart=-/usr/sbin/sshd -i $OPTIONS $PERMITROOTLOGIN
|
||||
StandardInput=socket
|
||||
|