Merge remote-tracking branch 'up/master' into master-riscv64
Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
2
.gitignore
vendored
2
.gitignore
vendored
@ -40,3 +40,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
|||||||
/openssh-8.1p1.tar.gz.asc
|
/openssh-8.1p1.tar.gz.asc
|
||||||
/openssh-8.2p1.tar.gz
|
/openssh-8.2p1.tar.gz
|
||||||
/openssh-8.2p1.tar.gz.asc
|
/openssh-8.2p1.tar.gz.asc
|
||||||
|
/openssh-8.3p1.tar.gz
|
||||||
|
/openssh-8.3p1.tar.gz.asc
|
||||||
|
@ -20,10 +20,10 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
|||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||||
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||||
|
|
||||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
@ -62,10 +62,10 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
|||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
|
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS)
|
||||||
|
|
||||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||||
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
@ -20,7 +20,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
|||||||
ssh-xmss.o \
|
ssh-xmss.o \
|
||||||
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
||||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
|
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
|
||||||
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
|
@ -173,7 +173,7 @@ diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
|
|||||||
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
|
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
|
||||||
|
|
||||||
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
||||||
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
|
+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LDAPLIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
@ -883,8 +883,8 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
|
|||||||
- if (cc == NULL)
|
- if (cc == NULL)
|
||||||
+ if (cc == NULL || cc->cipher == NULL)
|
+ if (cc == NULL || cc->cipher == NULL)
|
||||||
return;
|
return;
|
||||||
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
|
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
|
||||||
explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
|
chachapoly_free(cc->cp_ctx);
|
||||||
diff -up openssh/cipher.h.audit openssh/cipher.h
|
diff -up openssh/cipher.h.audit openssh/cipher.h
|
||||||
--- openssh/cipher.h.audit 2019-03-27 23:26:14.000000000 +0100
|
--- openssh/cipher.h.audit 2019-03-27 23:26:14.000000000 +0100
|
||||||
+++ openssh/cipher.h 2019-04-03 17:02:20.714886050 +0200
|
+++ openssh/cipher.h 2019-04-03 17:02:20.714886050 +0200
|
||||||
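Review bot: On the new side `chachapoly_free(cc->cp_ctx);` replaces the explicit `explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));` scrub, and nothing in this hunk clears the pointer afterwards, so a stale `cc->cp_ctx` survives until whatever frees the enclosing context; whether chachapoly_free itself zeroes the state before releasing it is not visible here and should be confirmed against the patched cipher.c. Adding `cc->cp_ctx = NULL;` after the call, mirroring the `state->input = NULL;` pattern the same audit patch uses in its packet.c hunk, would keep the scrub-then-clear intent of the patch explicit and rule out a double free on a second cipher_free. The added `cc->cipher == NULL` guard is a good defensive addition. The enclosing function starts and ends outside this hunk.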
@ -1738,7 +1738,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
|
|||||||
state->newkeys[mode] = NULL;
|
state->newkeys[mode] = NULL;
|
||||||
}
|
}
|
||||||
/* note that both bytes and the seqnr are not reset */
|
/* note that both bytes and the seqnr are not reset */
|
||||||
@@ -2167,6 +2183,71 @@ ssh_packet_get_output(struct ssh *ssh)
|
@@ -2167,6 +2183,72 @@ ssh_packet_get_output(struct ssh *ssh)
|
||||||
return (void *)ssh->state->output;
|
return (void *)ssh->state->output;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1769,6 +1769,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
|
|||||||
+
|
+
|
||||||
+ cipher_free(state->receive_context);
|
+ cipher_free(state->receive_context);
|
||||||
+ cipher_free(state->send_context);
|
+ cipher_free(state->send_context);
|
||||||
|
+ state->send_context = state->receive_context = NULL;
|
||||||
+
|
+
|
||||||
+ sshbuf_free(state->input);
|
+ sshbuf_free(state->input);
|
||||||
+ state->input = NULL;
|
+ state->input = NULL;
|
||||||
|
@ -114,50 +114,6 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
|
|||||||
p = g = NULL; /* belong to kex->dh now */
|
p = g = NULL; /* belong to kex->dh now */
|
||||||
|
|
||||||
/* generate and send 'e', client DH public key */
|
/* generate and send 'e', client DH public key */
|
||||||
diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in
|
|
||||||
--- openssh-8.0p1/Makefile.in.fips 2019-07-23 14:55:45.396526350 +0200
|
|
||||||
+++ openssh-8.0p1/Makefile.in 2019-07-23 14:55:45.402526411 +0200
|
|
||||||
@@ -180,25 +180,25 @@ libssh.a: $(LIBSSH_OBJS)
|
|
||||||
$(RANLIB) $@
|
|
||||||
|
|
||||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
|
||||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
|
||||||
|
|
||||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
|
||||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
|
||||||
|
|
||||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
|
|
||||||
$(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
|
|
||||||
- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
|
|
||||||
- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS)
|
|
||||||
- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS)
|
|
||||||
- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS)
|
|
||||||
$(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
|
||||||
$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
|
||||||
- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS)
|
|
||||||
$(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
||||||
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
|
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
|
||||||
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
|
||||||
@ -276,43 +232,25 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
|
|||||||
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
|
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
|
||||||
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
|
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
|
||||||
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
|
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
|
||||||
@@ -76,6 +76,8 @@
|
@@ -76,6 +76,7 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#endif
|
#endif
|
||||||
+#include <openssl/crypto.h>
|
+#include <openssl/crypto.h>
|
||||||
+#include <fipscheck.h>
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
@@ -600,6 +602,16 @@ main(int ac, char **av)
|
|
||||||
sanitise_stdfd();
|
|
||||||
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
|
||||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
||||||
+ SSLeay_add_all_algorithms();
|
|
||||||
+#endif
|
|
||||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
|
||||||
+ if (! FIPSCHECK_verify(NULL, NULL)){
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ fatal("FIPS integrity verification test failed.");
|
|
||||||
+ else
|
|
||||||
+ logit("FIPS integrity verification test failed.");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
#ifndef HAVE_SETPROCTITLE
|
|
||||||
/* Prepare for later setproctitle emulation */
|
|
||||||
@@ -614,6 +626,10 @@ main(int ac, char **av)
|
@@ -614,6 +626,10 @@ main(int ac, char **av)
|
||||||
|
dump_client_config(&options, host);
|
||||||
seed_rng();
|
exit(0);
|
||||||
|
}
|
||||||
|
+
|
||||||
+ if (FIPS_mode()) {
|
+ if (FIPS_mode()) {
|
||||||
+ debug("FIPS mode initialized");
|
+ debug("FIPS mode initialized");
|
||||||
+ }
|
+ }
|
||||||
+
|
|
||||||
/*
|
/* Expand SecurityKeyProvider if it refers to an environment variable */
|
||||||
* Discard other fds that are hanging around. These can cause problem
|
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
|
||||||
* with backgrounded ssh processes started by ControlPersist.
|
|
||||||
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
||||||
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200
|
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200
|
||||||
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200
|
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200
|
||||||
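Review bot: The new side drops the `/etc/system-fips` + `FIPSCHECK_verify()` integrity self-test and the `#include <fipscheck.h>` from ssh.c, and the same removal appears in the sshd.c hunk and in the Makefile.in hunk that loses every `-lfipscheck`, leaving only a `debug("FIPS mode initialized")` under `if (FIPS_mode())`. If the integrity check is now expected to be done by the crypto library's own FIPS module rather than by ssh/sshd, that is an inference from the merge and not something any hunk states, so a one-line comment next to the remaining `if (FIPS_mode())` block, e.g. `/* integrity self-test is performed by the crypto library's FIPS module, not here */`, would stop a later reader from filing the missing check as a regression. The sshd.c new side also keeps an unconditional `OpenSSL_add_all_algorithms();` while the ssh.c new side removes its version-guarded `SSLeay_add_all_algorithms()` block entirely; worth confirming that asymmetry is intended. main() continues outside this hunk.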
@ -325,7 +263,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
|||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
|
||||||
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
if (options.gss_keyex) {
|
if (options.gss_keyex) {
|
||||||
@ -333,12 +271,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
|||||||
- * client to the key exchange algorithm proposal */
|
- * client to the key exchange algorithm proposal */
|
||||||
- orig = myproposal[PROPOSAL_KEX_ALGS];
|
- orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||||
-
|
-
|
||||||
- if (options.gss_server_identity)
|
- if (options.gss_server_identity) {
|
||||||
- gss_host = xstrdup(options.gss_server_identity);
|
- gss_host = xstrdup(options.gss_server_identity);
|
||||||
- else if (options.gss_trust_dns)
|
- } else if (options.gss_trust_dns) {
|
||||||
- gss_host = remote_hostname(ssh);
|
- gss_host = remote_hostname(ssh);
|
||||||
- else
|
- /* Fall back to specified host if we are using proxy command
|
||||||
|
- * and can not use DNS on that socket */
|
||||||
|
- if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||||
|
- free(gss_host);
|
||||||
- gss_host = xstrdup(host);
|
- gss_host = xstrdup(host);
|
||||||
|
- }
|
||||||
|
- } else {
|
||||||
|
- gss_host = xstrdup(host);
|
||||||
|
- }
|
||||||
-
|
-
|
||||||
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
- options.gss_client_identity, options.gss_kex_algorithms);
|
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
@ -360,12 +305,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
|||||||
+ * client to the key exchange algorithm proposal */
|
+ * client to the key exchange algorithm proposal */
|
||||||
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||||
+
|
+
|
||||||
+ if (options.gss_server_identity)
|
+ if (options.gss_server_identity) {
|
||||||
+ gss_host = xstrdup(options.gss_server_identity);
|
+ gss_host = xstrdup(options.gss_server_identity);
|
||||||
+ else if (options.gss_trust_dns)
|
+ } else if (options.gss_trust_dns) {
|
||||||
+ gss_host = remote_hostname(ssh);
|
+ gss_host = remote_hostname(ssh);
|
||||||
+ else
|
+ /* Fall back to specified host if we are using proxy command
|
||||||
|
+ * and can not use DNS on that socket */
|
||||||
|
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||||
|
+ free(gss_host);
|
||||||
+ gss_host = xstrdup(host);
|
+ gss_host = xstrdup(host);
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ gss_host = xstrdup(host);
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
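Review bot: The new fallback `if (strcmp(gss_host, "UNKNOWN") == 0)` couples this site to whatever literal `remote_hostname()` returns when it cannot resolve the peer, and the hunk's comment only hints at the reason (proxy command, no DNS on that socket); anyone who later changes that sentinel will not find this comparison. Suggest extending the comment to `/* remote_hostname() yields the literal "UNKNOWN" when the fd is not a resolvable socket (e.g. ProxyCommand); fall back to the user-specified host */`, or hoisting the string into a macro shared with remote_hostname(). These are the inner patch's added lines; ssh_kex2 continues outside the hunk.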
@ -394,31 +346,19 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
|
|||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
@@ -77,6 +78,8 @@
|
@@ -77,6 +78,7 @@
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
#include <openssl/bn.h>
|
#include <openssl/bn.h>
|
||||||
#include <openssl/rand.h>
|
#include <openssl/rand.h>
|
||||||
+#include <openssl/crypto.h>
|
+#include <openssl/crypto.h>
|
||||||
+#include <fipscheck.h>
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@@ -1529,6 +1532,18 @@ main(int ac, char **av)
|
@@ -1529,6 +1532,7 @@ main(int ac, char **av)
|
||||||
#endif
|
#endif
|
||||||
__progname = ssh_get_progname(av[0]);
|
__progname = ssh_get_progname(av[0]);
|
||||||
|
|
||||||
+ OpenSSL_add_all_algorithms();
|
+ OpenSSL_add_all_algorithms();
|
||||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
|
||||||
+ if (! FIPSCHECK_verify(NULL, NULL)) {
|
|
||||||
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ syslog(LOG_CRIT, "FIPS integrity verification test failed.");
|
|
||||||
+ cleanup_exit(255);
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ syslog(LOG_INFO, "FIPS integrity verification test failed.");
|
|
||||||
+ closelog();
|
|
||||||
+ }
|
|
||||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||||
saved_argc = ac;
|
saved_argc = ac;
|
||||||
rexec_argc = ac;
|
rexec_argc = ac;
|
||||||
@ -513,5 +453,5 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
|
|||||||
fflush(stdout);
|
fflush(stdout);
|
||||||
- type = sshkey_type_from_name(key_types[i].key_type);
|
- type = sshkey_type_from_name(key_types[i].key_type);
|
||||||
if ((fd = mkstemp(prv_tmp)) == -1) {
|
if ((fd = mkstemp(prv_tmp)) == -1) {
|
||||||
error("Could not save your public key in %s: %s",
|
error("Could not save your private key in %s: %s",
|
||||||
prv_tmp, strerror(errno));
|
prv_tmp, strerror(errno));
|
||||||
|
@ -480,7 +480,7 @@ index 6cae720e..16e55cbc 100644
|
|||||||
+ return 0;
|
+ return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* This allows GSSAPI methods to do things to the childs environment based
|
/* This allows GSSAPI methods to do things to the child's environment based
|
||||||
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
|
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
|
||||||
char *envstr;
|
char *envstr;
|
||||||
#endif
|
#endif
|
||||||
@ -574,7 +574,7 @@ index 85df6a27..480a5ead 100644
|
|||||||
+++ b/session.c
|
+++ b/session.c
|
||||||
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||||
/* Allow any GSSAPI methods that we've used to alter
|
/* Allow any GSSAPI methods that we've used to alter
|
||||||
* the childs environment as they see fit
|
* the child's environment as they see fit
|
||||||
*/
|
*/
|
||||||
- ssh_gssapi_do_child(&env, &envsize);
|
- ssh_gssapi_do_child(&env, &envsize);
|
||||||
+ if (s->authctxt->krb5_set_env)
|
+ if (s->authctxt->krb5_set_env)
|
||||||
|
@ -1,13 +1,16 @@
|
|||||||
diff -up openssh/ssh_config.redhat openssh/ssh_config
|
diff -up openssh/ssh_config.redhat openssh/ssh_config
|
||||||
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
|
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
|
||||||
@@ -43,3 +43,7 @@
|
@@ -43,3 +43,10 @@
|
||||||
# VisualHostKey no
|
# VisualHostKey no
|
||||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||||
# RekeyLimit 1G 1h
|
# RekeyLimit 1G 1h
|
||||||
+#
|
+#
|
||||||
+# To modify the system-wide ssh configuration, create a *.conf file under
|
+# This system is following system-wide crypto policy.
|
||||||
+# /etc/ssh/ssh_config.d/ which will be automatically included below
|
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
|
||||||
|
+# file under /etc/ssh/ssh_config.d/ which will be automatically
|
||||||
|
+# included below. For more information, see manual page for
|
||||||
|
+# update-crypto-policies(8) and ssh_config(5).
|
||||||
+Include /etc/ssh/ssh_config.d/*.conf
|
+Include /etc/ssh/ssh_config.d/*.conf
|
||||||
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
|
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
|
||||||
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
|
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
|
||||||
@ -65,10 +68,14 @@ diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
|
|||||||
diff -up openssh/sshd_config.redhat openssh/sshd_config
|
diff -up openssh/sshd_config.redhat openssh/sshd_config
|
||||||
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
|
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
|
||||||
@@ -10,6 +10,10 @@
|
@@ -10,6 +10,14 @@
|
||||||
# possible, but leave them commented. Uncommented options override the
|
# possible, but leave them commented. Uncommented options override the
|
||||||
# default value.
|
# default value.
|
||||||
|
|
||||||
|
+# To modify the system-wide sshd configuration, create a *.conf file under
|
||||||
|
+# /etc/ssh/sshd_config.d/ which will be automatically included below
|
||||||
|
+Include /etc/ssh/sshd_config.d/*.conf
|
||||||
|
+
|
||||||
+# If you want to change the port on a SELinux system, you have to tell
|
+# If you want to change the port on a SELinux system, you have to tell
|
||||||
+# SELinux about this change.
|
+# SELinux about this change.
|
||||||
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
||||||
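Review bot: Moving `Include /etc/ssh/sshd_config.d/*.conf` to the top of sshd_config changes precedence: sshd keeps the first value it reads for most keywords (the sshd_config_redhat hunk further down relies on exactly this when it says "write it before this block"), so any uncommented directive later in this file now only acts as a fallback to the drop-ins instead of overriding them, and the new comment says only that the files are "automatically included below". Suggest one extra comment line, e.g. `# Settings in those files take precedence over anything set later in this file.`, and the same wording for the `Include /etc/ssh/ssh_config.d/*.conf` added at the end of ssh_config in the hunk above, where the opposite holds because it comes last. The old bottom-of-file placement is removed in the following hunk.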
@ -76,26 +83,16 @@ diff -up openssh/sshd_config.redhat openssh/sshd_config
|
|||||||
#Port 22
|
#Port 22
|
||||||
#AddressFamily any
|
#AddressFamily any
|
||||||
#ListenAddress 0.0.0.0
|
#ListenAddress 0.0.0.0
|
||||||
@@ -114,3 +118,7 @@ Subsystem sftp /usr/libexec/sftp-server
|
|
||||||
# AllowTcpForwarding no
|
|
||||||
# PermitTTY no
|
|
||||||
# ForceCommand cvs server
|
|
||||||
+
|
|
||||||
+# To modify the system-wide ssh configuration, create a *.conf file under
|
|
||||||
+# /etc/ssh/sshd_config.d/ which will be automatically included below
|
|
||||||
+Include /etc/ssh/sshd_config.d/*.conf
|
|
||||||
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
|
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
|
||||||
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
|
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
|
||||||
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
|
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
|
||||||
@@ -0,0 +1,31 @@
|
@@ -0,0 +1,29 @@
|
||||||
+# System-wide Crypto policy:
|
|
||||||
+# This system is following system-wide crypto policy. The changes to
|
+# This system is following system-wide crypto policy. The changes to
|
||||||
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
|
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
|
||||||
+# effect here. They will be overridden by command-line options passed on
|
+# this or following included files. To override some configuration option,
|
||||||
+# the server start up.
|
+# write it before this block or include it before this file.
|
||||||
+# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
|
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
|
||||||
+# variable in /etc/sysconfig/sshd to overwrite the policy.
|
+Include /etc/crypto-policies/back-ends/opensshserver.config
|
||||||
+# For more information, see manual page for update-crypto-policies(8).
|
|
||||||
+
|
+
|
||||||
+SyslogFacility AUTHPRIV
|
+SyslogFacility AUTHPRIV
|
||||||
+
|
+
|
||||||
|
@ -1,8 +1,15 @@
|
|||||||
diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
||||||
--- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100
|
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
||||||
+++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100
|
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
||||||
@@ -361,15 +361,15 @@ domains.
|
@@ -359,17 +359,17 @@ or
|
||||||
|
.Qq *.c.example.com
|
||||||
|
domains.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
Specifies which algorithms are allowed for signing of certificates
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
@ -15,15 +22,39 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
will not accept host certificates signed using algorithms other than those
|
will not accept host certificates signed using algorithms other than those
|
||||||
specified.
|
specified.
|
||||||
+.Pp
|
+.Pp
|
||||||
|
.It Cm CertificateFile
|
||||||
|
Specifies a file from which the user's certificate is read.
|
||||||
|
A corresponding private key must be provided separately in order
|
||||||
|
@@ -424,20 +424,25 @@ If the option is set to
|
||||||
|
.Cm no ,
|
||||||
|
the check will not be executed.
|
||||||
|
.It Cm Ciphers
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
.It Cm CertificateFile
|
Specifies the ciphers allowed and their order of preference.
|
||||||
Specifies a file from which the user's certificate is read.
|
Multiple ciphers must be comma-separated.
|
||||||
A corresponding private key must be provided separately in order
|
If the specified list begins with a
|
||||||
@@ -453,12 +453,10 @@ aes256-gcm@openssh.com
|
.Sq +
|
||||||
|
-character, then the specified ciphers will be appended to the default set
|
||||||
|
+character, then the specified ciphers will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified ciphers (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified ciphers will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
|
.Pp
|
||||||
|
The supported ciphers are:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@ -33,30 +64,59 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available ciphers may also be obtained using
|
||||||
|
.Qq ssh -Q cipher .
|
||||||
|
.It Cm ClearAllForwardings
|
||||||
|
@@ -812,6 +810,11 @@ command line will be passed untouched to
|
||||||
|
The default is
|
||||||
|
.Dq no .
|
||||||
|
.It Cm GSSAPIKexAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
+.Pp
|
||||||
The list of available ciphers may also be obtained using
|
The list of key exchange algorithms that are offered for GSSAPI
|
||||||
.Qq ssh -Q cipher .
|
key exchange. Possible values are
|
||||||
@@ -824,8 +822,10 @@ gss-nistp256-sha256-,
|
.Bd -literal -offset 3n
|
||||||
|
@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
|
||||||
gss-curve25519-sha256-
|
gss-curve25519-sha256-
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
-The default is
|
-The default is
|
||||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
This option only applies to connections using GSSAPI.
|
||||||
|
+.Pp
|
||||||
|
.It Cm HashKnownHosts
|
||||||
|
Indicates that
|
||||||
|
.Xr ssh 1
|
||||||
|
@@ -1149,29 +1150,25 @@ it may be zero or more of:
|
||||||
|
and
|
||||||
|
.Cm pam .
|
||||||
|
.It Cm KexAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
This option only applies to protocol version 2 connections using GSSAPI.
|
+.Pp
|
||||||
.It Cm HashKnownHosts
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
Indicates that
|
Multiple algorithms must be comma-separated.
|
||||||
@@ -1162,15 +1162,10 @@ If the specified list begins with a
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified methods will be appended to the default set
|
||||||
|
+character, then the specified methods will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified methods (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified methods will be placed at the head of the
|
character, then the specified methods will be placed at the head of the
|
||||||
default set.
|
-default set.
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
@ -66,14 +126,41 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
-diffie-hellman-group18-sha512,
|
-diffie-hellman-group18-sha512,
|
||||||
-diffie-hellman-group14-sha256
|
-diffie-hellman-group14-sha256
|
||||||
-.Ed
|
-.Ed
|
||||||
|
+built-in default set.
|
||||||
|
.Pp
|
||||||
|
The list of available key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q kex .
|
||||||
|
@@ -1231,37 +1228,33 @@ The default is INFO.
|
||||||
|
DEBUG and DEBUG1 are equivalent.
|
||||||
|
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
||||||
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the MAC (message authentication code) algorithms
|
||||||
|
in order of preference.
|
||||||
|
The MAC algorithm is used for data integrity protection.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
+character, then the specified algorithms will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The algorithms that contain
|
||||||
.Qq ssh -Q kex .
|
.Qq -etm
|
||||||
@@ -1252,14 +1247,10 @@ The algorithms that contain
|
|
||||||
calculate the MAC after encryption (encrypt-then-mac).
|
calculate the MAC after encryption (encrypt-then-mac).
|
||||||
These are considered safer and their use recommended.
|
These are considered safer and their use recommended.
|
||||||
.Pp
|
.Pp
|
||||||
@ -85,17 +172,35 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
-umac-64@openssh.com,umac-128@openssh.com,
|
-umac-64@openssh.com,umac-128@openssh.com,
|
||||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available MAC algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q mac .
|
||||||
|
.It Cm NoHostAuthenticationForLocalhost
|
||||||
|
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
|
||||||
|
The default is
|
||||||
|
.Cm no .
|
||||||
|
.It Cm PubkeyAcceptedKeyTypes
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
+.Pp
|
||||||
The list of available MAC algorithms may also be obtained using
|
Specifies the key types that will be used for public key authentication
|
||||||
.Qq ssh -Q mac .
|
as a comma-separated list of patterns.
|
||||||
@@ -1407,22 +1398,10 @@ If the specified list begins with a
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the key types after it will be appended to the default
|
||||||
|
+character, then the key types after it will be appended to the built-in default
|
||||||
|
instead of replacing it.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified key types (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified key types will be placed at the head of the
|
||||||
default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
@ -112,18 +217,22 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5
|
|||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
|
+built-in default set.
|
||||||
|
.Pp
|
||||||
|
The list of available key types may also be obtained using
|
||||||
|
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||||
|
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
||||||
|
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
||||||
|
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
||||||
|
@@ -375,16 +375,16 @@ If the argument is
|
||||||
|
then no banner is displayed.
|
||||||
|
By default, no banner is displayed.
|
||||||
|
.It Cm CASignatureAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
+.Pp
|
||||||
The list of available key types may also be obtained using
|
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
|
||||||
diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|
||||||
--- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100
|
|
||||||
+++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100
|
|
||||||
@@ -377,14 +377,14 @@ By default, no banner is displayed.
|
|
||||||
.It Cm CASignatureAlgorithms
|
|
||||||
Specifies which algorithms are allowed for signing of certificates
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
@ -135,15 +244,39 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
Certificates signed using other algorithms will not be accepted for
|
Certificates signed using other algorithms will not be accepted for
|
||||||
public key or host-based authentication.
|
public key or host-based authentication.
|
||||||
+.Pp
|
+.Pp
|
||||||
|
.It Cm ChallengeResponseAuthentication
|
||||||
|
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||||
|
PAM or through authentication styles supported in
|
||||||
|
@@ -446,20 +446,25 @@ The default is
|
||||||
|
indicating not to
|
||||||
|
.Xr chroot 2 .
|
||||||
|
.It Cm Ciphers
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
.It Cm ChallengeResponseAuthentication
|
Specifies the ciphers allowed.
|
||||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
Multiple ciphers must be comma-separated.
|
||||||
PAM or through authentication styles supported in
|
If the specified list begins with a
|
||||||
@@ -486,12 +486,10 @@ aes256-gcm@openssh.com
|
.Sq +
|
||||||
|
-character, then the specified ciphers will be appended to the default set
|
||||||
|
+character, then the specified ciphers will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified ciphers (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified ciphers will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
|
.Pp
|
||||||
|
The supported ciphers are:
|
||||||
|
.Pp
|
||||||
|
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -153,28 +286,54 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||||
-.Ed
|
-.Ed
|
||||||
+The default is handled system-wide by
|
-.Pp
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the defaults and how to modify this default, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
.Pp
|
|
||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
@@ -693,8 +691,10 @@ gss-nistp256-sha256-,
|
.It Cm ClientAliveCountMax
|
||||||
gss-curve25519-sha256-
|
@@ -681,22 +679,24 @@ For this to work
|
||||||
.Ed
|
.Cm GSSAPIKeyExchange
|
||||||
.Pp
|
needs to be enabled in the server and also used by the client.
|
||||||
-The default is
|
.It Cm GSSAPIKexAlgorithms
|
||||||
-.Dq gss-gex-sha1-,gss-group14-sha1- .
|
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
This option only applies to protocol version 2 connections using GSSAPI.
|
+.Pp
|
||||||
|
The list of key exchange algorithms that are accepted by GSSAPI
|
||||||
|
key exchange. Possible values are
|
||||||
|
.Bd -literal -offset 3n
|
||||||
|
-gss-gex-sha1-,
|
||||||
|
-gss-group1-sha1-,
|
||||||
|
-gss-group14-sha1-,
|
||||||
|
-gss-group14-sha256-,
|
||||||
|
-gss-group16-sha512-,
|
||||||
|
-gss-nistp256-sha256-,
|
||||||
|
+gss-gex-sha1-
|
||||||
|
+gss-group1-sha1-
|
||||||
|
+gss-group14-sha1-
|
||||||
|
+gss-group14-sha256-
|
||||||
|
+gss-group16-sha512-
|
||||||
|
+gss-nistp256-sha256-
|
||||||
|
gss-curve25519-sha256-
|
||||||
|
.Ed
|
||||||
|
-.Pp
|
||||||
|
-The default is
|
||||||
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
This option only applies to connections using GSSAPI.
|
||||||
|
+.Pp
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
@@ -794,22 +794,10 @@ environment variable.
|
as a list of comma-separated patterns.
|
||||||
|
@@ -793,25 +793,13 @@ is specified, the location of the socket
|
||||||
|
.Ev SSH_AUTH_SOCK
|
||||||
|
environment variable.
|
||||||
.It Cm HostKeyAlgorithms
|
.It Cm HostKeyAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
Specifies the host key algorithms
|
Specifies the host key algorithms
|
||||||
that the server offers.
|
that the server offers.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
@ -193,14 +352,40 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available key types may also be obtained using
|
||||||
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
|
.It Cm IgnoreRhosts
|
||||||
|
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
|
.It Cm KexAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified methods will be appended to the default set
|
||||||
|
+character, then the specified methods will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified methods (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified methods will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
|
The supported algorithms are:
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
.Bl -item -compact -offset indent
|
||||||
.Qq ssh -Q HostKeyAlgorithms .
|
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
||||||
@@ -987,14 +975,10 @@ ecdh-sha2-nistp521
|
|
||||||
sntrup4591761x25519-sha512@tinyssh.org
|
sntrup4591761x25519-sha512@tinyssh.org
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -212,14 +397,41 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||||
-diffie-hellman-group14-sha256
|
-diffie-hellman-group14-sha256
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q KexAlgorithms .
|
||||||
|
.It Cm ListenAddress
|
||||||
|
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
||||||
|
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
||||||
|
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
||||||
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the available MAC (message authentication code) algorithms.
|
||||||
|
The MAC algorithm is used for data integrity protection.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
+character, then the specified algorithms will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The algorithms that contain
|
||||||
.Qq ssh -Q KexAlgorithms .
|
.Qq -etm
|
||||||
@@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com
|
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
|
||||||
umac-128-etm@openssh.com
|
umac-128-etm@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -231,17 +443,35 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-umac-64@openssh.com,umac-128@openssh.com,
|
-umac-64@openssh.com,umac-128@openssh.com,
|
||||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||||
-.Ed
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available MAC algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q mac .
|
||||||
|
.It Cm Match
|
||||||
|
@@ -1480,36 +1460,25 @@ or equivalent.)
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
|
.It Cm PubkeyAcceptedKeyTypes
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
.Pp
|
+.Pp
|
||||||
The list of available MAC algorithms may also be obtained using
|
Specifies the key types that will be accepted for public key authentication
|
||||||
.Qq ssh -Q mac .
|
as a list of comma-separated patterns.
|
||||||
@@ -1492,22 +1472,10 @@ If the specified list begins with a
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified key types will be appended to the default set
|
||||||
|
+character, then the specified key types will be appended to the built-in default set
|
||||||
|
instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified key types (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified key types will be placed at the head of the
|
||||||
default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
@ -258,10 +488,7 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5
|
|||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+The default is handled system-wide by
|
+built-in default set.
|
||||||
+.Xr crypto-policies 7 .
|
|
||||||
+To see the defaults and how to modify this default, see manual page
|
|
||||||
+.Xr update-crypto-policies 8 .
|
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available key types may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||||
|
@ -964,7 +964,7 @@ index ab3a15f0..6ce56e92 100644
|
|||||||
--- a/gss-serv.c
|
--- a/gss-serv.c
|
||||||
+++ b/gss-serv.c
|
+++ b/gss-serv.c
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */
|
/* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
@ -3253,7 +3253,7 @@ index 36180d07..70dd3665 100644
|
|||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
* modification, are permitted provided that the following conditions
|
* modification, are permitted provided that the following conditions
|
||||||
@@ -61,10 +61,30 @@
|
@@ -61,10 +61,34 @@
|
||||||
|
|
||||||
#define SSH_GSS_OIDTYPE 0x06
|
#define SSH_GSS_OIDTYPE 0x06
|
||||||
|
|
||||||
@ -3273,8 +3273,12 @@ index 36180d07..70dd3665 100644
|
|||||||
+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
|
+#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-"
|
||||||
+
|
+
|
||||||
+#define GSS_KEX_DEFAULT_KEX \
|
+#define GSS_KEX_DEFAULT_KEX \
|
||||||
+ KEX_GSS_GEX_SHA1_ID "," \
|
+ KEX_GSS_GRP14_SHA256_ID "," \
|
||||||
+ KEX_GSS_GRP14_SHA1_ID
|
+ KEX_GSS_GRP16_SHA512_ID "," \
|
||||||
|
+ KEX_GSS_NISTP256_SHA256_ID "," \
|
||||||
|
+ KEX_GSS_C25519_SHA256_ID "," \
|
||||||
|
+ KEX_GSS_GRP14_SHA1_ID "," \
|
||||||
|
+ KEX_GSS_GEX_SHA1_ID
|
||||||
+
|
+
|
||||||
typedef struct {
|
typedef struct {
|
||||||
char *filename;
|
char *filename;
|
||||||
@ -3429,7 +3433,7 @@ diff --git a/ssh_config.5 b/ssh_config.5
|
|||||||
index 06a32d31..3f490697 100644
|
index 06a32d31..3f490697 100644
|
||||||
--- a/ssh_config.5
|
--- a/ssh_config.5
|
||||||
+++ b/ssh_config.5
|
+++ b/ssh_config.5
|
||||||
@@ -766,10 +766,67 @@ The default is
|
@@ -766,10 +766,68 @@ The default is
|
||||||
Specifies whether user authentication based on GSSAPI is allowed.
|
Specifies whether user authentication based on GSSAPI is allowed.
|
||||||
The default is
|
The default is
|
||||||
.Cm no .
|
.Cm no .
|
||||||
@ -3492,8 +3496,9 @@ index 06a32d31..3f490697 100644
|
|||||||
+.Ed
|
+.Ed
|
||||||
+.Pp
|
+.Pp
|
||||||
+The default is
|
+The default is
|
||||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
+This option only applies to connections using GSSAPI.
|
||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
@ -3522,7 +3527,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
xxx_host = host;
|
xxx_host = host;
|
||||||
xxx_hostaddr = hostaddr;
|
xxx_hostaddr = hostaddr;
|
||||||
|
|
||||||
@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3532,12 +3537,19 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ * client to the key exchange algorithm proposal */
|
+ * client to the key exchange algorithm proposal */
|
||||||
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||||
+
|
+
|
||||||
+ if (options.gss_server_identity)
|
+ if (options.gss_server_identity) {
|
||||||
+ gss_host = xstrdup(options.gss_server_identity);
|
+ gss_host = xstrdup(options.gss_server_identity);
|
||||||
+ else if (options.gss_trust_dns)
|
+ } else if (options.gss_trust_dns) {
|
||||||
+ gss_host = remote_hostname(ssh);
|
+ gss_host = remote_hostname(ssh);
|
||||||
+ else
|
+ /* Fall back to specified host if we are using proxy command
|
||||||
|
+ * and can not use DNS on that socket */
|
||||||
|
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||||
|
+ free(gss_host);
|
||||||
+ gss_host = xstrdup(host);
|
+ gss_host = xstrdup(host);
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ gss_host = xstrdup(host);
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
@ -3626,18 +3638,25 @@ index af00fb30..03bc87eb 100644
|
|||||||
{"gssapi-with-mic",
|
{"gssapi-with-mic",
|
||||||
userauth_gssapi,
|
userauth_gssapi,
|
||||||
userauth_gssapi_cleanup,
|
userauth_gssapi_cleanup,
|
||||||
@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh)
|
@@ -716,12 +784,32 @@ userauth_gssapi(struct ssh *ssh)
|
||||||
OM_uint32 min;
|
OM_uint32 min;
|
||||||
int r, ok = 0;
|
int r, ok = 0;
|
||||||
gss_OID mech = NULL;
|
gss_OID mech = NULL;
|
||||||
+ char *gss_host;
|
+ char *gss_host = NULL;
|
||||||
+
|
+
|
||||||
+ if (options.gss_server_identity)
|
+ if (options.gss_server_identity) {
|
||||||
+ gss_host = xstrdup(options.gss_server_identity);
|
+ gss_host = xstrdup(options.gss_server_identity);
|
||||||
+ else if (options.gss_trust_dns)
|
+ } else if (options.gss_trust_dns) {
|
||||||
+ gss_host = remote_hostname(ssh);
|
+ gss_host = remote_hostname(ssh);
|
||||||
+ else
|
+ /* Fall back to specified host if we are using proxy command
|
||||||
|
+ * and can not use DNS on that socket */
|
||||||
|
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||||
|
+ free(gss_host);
|
||||||
+ gss_host = xstrdup(authctxt->host);
|
+ gss_host = xstrdup(authctxt->host);
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ gss_host = xstrdup(authctxt->host);
|
||||||
|
+ }
|
||||||
|
|
||||||
/* Try one GSSAPI method at a time, rather than sending them all at
|
/* Try one GSSAPI method at a time, rather than sending them all at
|
||||||
* once. */
|
* once. */
|
||||||
@ -3849,7 +3868,7 @@ index 70ccea44..f6b41a2f 100644
|
|||||||
.It Cm GSSAPIStrictAcceptorCheck
|
.It Cm GSSAPIStrictAcceptorCheck
|
||||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||||
a client authenticates against.
|
a client authenticates against.
|
||||||
@@ -660,6 +665,31 @@ machine's default store.
|
@@ -660,6 +665,32 @@ machine's default store.
|
||||||
This facility is provided to assist with operation on multi homed machines.
|
This facility is provided to assist with operation on multi homed machines.
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
@ -3876,8 +3895,9 @@ index 70ccea44..f6b41a2f 100644
|
|||||||
+.Ed
|
+.Ed
|
||||||
+.Pp
|
+.Pp
|
||||||
+The default is
|
+The default is
|
||||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
+This option only applies to connections using GSSAPI.
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
as a list of comma-separated patterns.
|
as a list of comma-separated patterns.
|
||||||
|
@ -48,7 +48,7 @@ index e7549470..4511f82a 100644
|
|||||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||||
- ssh-pkcs11.o smult_curve25519_ref.o \
|
- ssh-pkcs11.o smult_curve25519_ref.o \
|
||||||
+ ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \
|
+ ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \
|
||||||
poly1305.o chacha.o cipher-chachapoly.o \
|
poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \
|
||||||
ssh-ed25519.o digest-openssl.o digest-libc.o \
|
ssh-ed25519.o digest-openssl.o digest-libc.o \
|
||||||
hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
|
hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \
|
||||||
@@ -289,6 +289,8 @@ clean: regressclean
|
@@ -289,6 +289,8 @@ clean: regressclean
|
||||||
@ -2502,7 +2502,7 @@ index a302c79c..879fe917 100644
|
|||||||
int ret = -1;
|
int ret = -1;
|
||||||
struct pkcs11_provider *p = NULL;
|
struct pkcs11_provider *p = NULL;
|
||||||
void *handle = NULL;
|
void *handle = NULL;
|
||||||
@@ -1484,165 +1670,301 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
@@ -1484,167 +1670,303 @@ pkcs11_register_provider(char *provider_id, char *pin,
|
||||||
CK_FUNCTION_LIST *f = NULL;
|
CK_FUNCTION_LIST *f = NULL;
|
||||||
CK_TOKEN_INFO *token;
|
CK_TOKEN_INFO *token;
|
||||||
CK_ULONG i;
|
CK_ULONG i;
|
||||||
@ -2722,6 +2722,9 @@ index a302c79c..879fe917 100644
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ provider_uri = pkcs11_uri_get(uri);
|
+ provider_uri = pkcs11_uri_get(uri);
|
||||||
|
+ if (pin == NULL && uri->pin != NULL) {
|
||||||
|
+ pin = uri->pin;
|
||||||
|
+ }
|
||||||
+ nkeys = 0;
|
+ nkeys = 0;
|
||||||
+ for (i = 0; i < p->module->nslots; i++) {
|
+ for (i = 0; i < p->module->nslots; i++) {
|
||||||
+ token = &p->module->slotinfo[i].token;
|
+ token = &p->module->slotinfo[i].token;
|
||||||
@ -2757,9 +2760,6 @@ index a302c79c..879fe917 100644
|
|||||||
+ provider_uri, (unsigned long)i,
|
+ provider_uri, (unsigned long)i,
|
||||||
token->label, token->manufacturerID, token->model,
|
token->label, token->manufacturerID, token->model,
|
||||||
token->serialNumber, token->flags);
|
token->serialNumber, token->flags);
|
||||||
+ if (pin == NULL && uri->pin != NULL) {
|
|
||||||
+ pin = uri->pin;
|
|
||||||
+ }
|
|
||||||
/*
|
/*
|
||||||
- * open session, login with pin and retrieve public
|
- * open session, login with pin and retrieve public
|
||||||
- * keys (if keyp is provided)
|
- * keys (if keyp is provided)
|
||||||
@ -2805,8 +2805,8 @@ index a302c79c..879fe917 100644
|
|||||||
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
|
+ pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
|
||||||
+ uri->object = label;
|
+ uri->object = label;
|
||||||
}
|
}
|
||||||
+ pin = NULL; /* Will be cleaned up with URI */
|
|
||||||
}
|
}
|
||||||
|
+ pin = NULL; /* Will be cleaned up with URI */
|
||||||
|
|
||||||
/* now owned by caller */
|
/* now owned by caller */
|
||||||
*providerp = p;
|
*providerp = p;
|
||||||
@ -2830,6 +2830,8 @@ index a302c79c..879fe917 100644
|
|||||||
}
|
}
|
||||||
- if (handle)
|
- if (handle)
|
||||||
- dlclose(handle);
|
- dlclose(handle);
|
||||||
|
if (ret > 0)
|
||||||
|
ret = -1;
|
||||||
return (ret);
|
return (ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3109,9 +3111,9 @@ index 15aee569..976844cb 100644
|
|||||||
+ }
|
+ }
|
||||||
+#endif /* ENABLE_PKCS11 */
|
+#endif /* ENABLE_PKCS11 */
|
||||||
+ cp = tilde_expand_filename(name, getuid());
|
+ cp = tilde_expand_filename(name, getuid());
|
||||||
filename = percent_expand(cp, "d", pw->pw_dir,
|
filename = default_client_percent_expand(cp,
|
||||||
"u", pw->pw_name, "l", thishost, "h", host,
|
pw->pw_dir, host, options.user, pw->pw_name);
|
||||||
"r", options.user, (char *)NULL);
|
free(cp);
|
||||||
diff --git a/ssh_config.5 b/ssh_config.5
|
diff --git a/ssh_config.5 b/ssh_config.5
|
||||||
index 06a32d31..4b2763bd 100644
|
index 06a32d31..4b2763bd 100644
|
||||||
--- a/ssh_config.5
|
--- a/ssh_config.5
|
||||||
|
@ -26,7 +26,7 @@ index dca158de..afdcb1d2 100644
|
|||||||
|
|
||||||
-int
|
-int
|
||||||
+int __attribute__((visibility("default")))
|
+int __attribute__((visibility("default")))
|
||||||
sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
|
||||||
const char *application, const uint8_t *key_handle, size_t key_handle_len,
|
const char *application, const uint8_t *key_handle, size_t key_handle_len,
|
||||||
uint8_t flags, const char *pin, struct sk_option **options,
|
uint8_t flags, const char *pin, struct sk_option **options,
|
||||||
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
||||||
|
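--- /dev/null
+++ b/openssh-8.2p1-x11-without-ipv6.patch
@@ -0,0 +1,30 @@
+diff --git a/channels.c b/channels.c
+--- a/channels.c
++++ b/channels.c
+@@ -3933,16 +3933,26 @@ x11_create_display_inet(int x11_display_
+if (ai->ai_family == AF_INET6)
+sock_set_v6only(sock);
+if (x11_use_localhost)
+set_reuseaddr(sock);
+if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
+debug2("%s: bind port %d: %.100s", __func__,
+port, strerror(errno));
+close(sock);
++
++ /* do not remove successfully opened
++ * sockets if the request failed because
++ * the protocol IPv4/6 is not available
++ * (e.g. IPv6 may be disabled while being
++ * supported)
++ */
++ if (EADDRNOTAVAIL == errno)
++ continue;
++
+for (n = 0; n < num_socks; n++)
+close(socks[n]);
+num_socks = 0;
+break;
+}
+socks[num_socks++] = sock;
+if (num_socks == NUM_SOCKS)
+break;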
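Review bot: The new `if (EADDRNOTAVAIL == errno) continue;` reads errno only after the pre-existing `close(sock);`, and close() is allowed to overwrite errno (it does whenever it fails), so the bind() failure can be misclassified and the branch then either tears down the listeners it was meant to keep or skips past a genuine failure. Save the value first, e.g. `oerrno = errno;` before `close(sock);` and `if (oerrno == EADDRNOTAVAIL) continue;`, declaring `int oerrno;` with the function's other locals; the `debug2()` call can use the saved copy as well. The comment should also say where `continue` goes — presumably to the next getaddrinfo() result for the same port, since the loop over `ai` is outside the hunk — because skipping one address family while keeping an already-bound socket of the other is the whole point of the change. x11_create_display_inet() begins and ends outside this hunk.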
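--- /dev/null
+++ b/openssh-8.3p1-sshd_include.patch
@@ -0,0 +1,227 @@
+From 3caa40f40c7f97ecf46969e050e530338864033e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 25 May 2020 15:46:51 +0200
+Subject: [PATCH 1/3] regress: Add more test cases
+
+---
+regress/servcfginclude.sh | 36 +++++++++++++++++++++++++++++++++++-
+1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh
+index b25c8faa..b6a9a248 100644
+--- a/regress/servcfginclude.sh
++++ b/regress/servcfginclude.sh
+@@ -146,9 +146,43 @@ Include
+_EOF
+
+trace "disallow invalid with no argument"
+-${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
++${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \
+-C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
+fail "sshd allowed Include with no argument"
+
++# Ensure the Include before any Match block works as expected (bug #3122)
++cat > $OBJ/sshd_config.i << _EOF
++Banner /xx
++HostKey $OBJ/host.ssh-ed25519
++Include $OBJ/sshd_config.i.2
++Match host a
++ Banner /aaaa
++_EOF
++cat > $OBJ/sshd_config.i.2 << _EOF
++Match host a
++ Banner /aa
++_EOF
++
++trace "Include before match blocks"
++trial a /aa "included file before match blocks is properly evaluated"
++
++# Port in included file is correctly interpretted (bug #3169)
++cat > $OBJ/sshd_config.i << _EOF
++Include $OBJ/sshd_config.i.2
++Port 7722
++_EOF
++cat > $OBJ/sshd_config.i.2 << _EOF
++HostKey $OBJ/host.ssh-ed25519
++_EOF
++
++trace "Port after included files"
++${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
++ -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \
++ fail "failed to parse Port after included files"
++_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'`
++if test "x7722" != "x$_port" ; then
++ fail "The Port in included file was intertepretted wrongly. Expected 7722, got $_port"
++fi
++
+# cleanup
+rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
+--
+2.25.4
+
+
+From 924922fcb8f34fb4a156367de2ee33ad92a68a6a Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 25 May 2020 16:56:39 +0200
+Subject: [PATCH 2/3] Do not call process_queued_listen_addrs() for every
+included file
+
+Fixes #3169
+---
+servconf.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/servconf.c b/servconf.c
+index 5bb4b1f8..78a7d87d 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -74,7 +74,7 @@ static void add_listen_addr(ServerOptions *, const char *,
+const char *, int);
+static void add_one_listen_addr(ServerOptions *, const char *,
+const char *, int);
+-void parse_server_config_depth(ServerOptions *options, const char *filename,
++static void parse_server_config_depth(ServerOptions *options, const char *filename,
+struct sshbuf *conf, struct include_list *includes,
+struct connection_info *connectinfo, int flags, int *activep, int depth);
+
+@@ -2580,7 +2580,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+#undef M_CP_STRARRAYOPT
+
+#define SERVCONF_MAX_DEPTH 16
+-void
++static void
+parse_server_config_depth(ServerOptions *options, const char *filename,
+struct sshbuf *conf, struct include_list *includes,
+struct connection_info *connectinfo, int flags, int *activep, int depth)
+@@ -2606,7 +2606,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
+if (bad_options > 0)
+fatal("%s: terminating, %d bad configuration options",
+filename, bad_options);
+- process_queued_listen_addrs(options);
+}
+
+void
+@@ -2617,6 +2616,7 @@ parse_server_config(ServerOptions *options, const char *filename,
+int active = connectinfo ? 0 : 1;
+parse_server_config_depth(options, filename, conf, includes,
+connectinfo, 0, &active, 0);
++ process_queued_listen_addrs(options);
+}
+
+static const char *
+--
+2.25.4
+
+
+From 26d970b4fb373cb7bd99286e41dd095cd1eadbd0 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 26 May 2020 16:25:24 +0200
+Subject: [PATCH 3/3] servconf: Fix parsing of Match blocks in included files
+(#3122)
+
+---
+servconf.c | 28 +++++++++++++++++++---------
+1 file changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/servconf.c b/servconf.c
+index 78a7d87d..a8541514 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -554,6 +554,7 @@ typedef enum {
+#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
+#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
+#define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
++#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
+
+/* Textual representation of the tokens. */
+static struct {
+@@ -1265,7 +1266,7 @@ static const struct multistate multistate_tcpfwd[] = {
+static int
+process_server_config_line_depth(ServerOptions *options, char *line,
+const char *filename, int linenum, int *activep,
+- struct connection_info *connectinfo, int inc_flags, int depth,
++ struct connection_info *connectinfo, int *inc_flags, int depth,
+struct include_list *includes)
+{
+char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
+@@ -2012,7 +2013,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+parse_server_config_depth(options,
+item->filename, item->contents,
+includes, connectinfo,
+- (oactive ? 0 : SSHCFG_NEVERMATCH),
++ (*inc_flags & SSHCFG_MATCH_ONLY
++ ? SSHCFG_MATCH_ONLY : (oactive
++ ? 0 : SSHCFG_NEVERMATCH)),
+activep, depth + 1);
+}
+found = 1;
+@@ -2060,7 +2063,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+parse_server_config_depth(options,
+item->filename, item->contents,
+includes, connectinfo,
+- (oactive ? 0 : SSHCFG_NEVERMATCH),
++ (*inc_flags & SSHCFG_MATCH_ONLY
++ ? SSHCFG_MATCH_ONLY : (oactive
++ ? 0 : SSHCFG_NEVERMATCH)),
+activep, depth + 1);
+*activep = oactive;
+TAILQ_INSERT_TAIL(includes, item, entry);
+@@ -2078,11 +2083,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+if (cmdline)
+fatal("Match directive not supported as a command-line "
+"option");
+- value = match_cfg_line(&cp, linenum, connectinfo);
++ value = match_cfg_line(&cp, linenum,
++ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
+if (value < 0)
+fatal("%s line %d: Bad Match condition", filename,
+linenum);
+- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
++ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
++ /* The MATCH_ONLY is applicable only until the first match block */
++ *inc_flags &= ~SSHCFG_MATCH_ONLY;
+break;
+
+case sKerberosUseKuserok:
+@@ -2385,8 +2393,9 @@ process_server_config_line(ServerOptions *options, char *line,
+const char *filename, int linenum, int *activep,
+struct connection_info *connectinfo, struct include_list *includes)
+{
++ int inc_flags = 0;
+return process_server_config_line_depth(options, line, filename,
+- linenum, activep, connectinfo, 0, 0, includes);
++ linenum, activep, connectinfo, &inc_flags, 0, includes);
+}
+
+
+@@ -2591,14 +2600,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
+if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
+fatal("Too many recursive configuration includes");
+
+- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
++ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
++ (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
+
+if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
+fatal("%s: sshbuf_dup_string failed", __func__);
+linenum = 1;
+while ((cp = strsep(&cbuf, "\n")) != NULL) {
+if (process_server_config_line_depth(options, cp,
+- filename, linenum++, activep, connectinfo, flags,
++ filename, linenum++, activep, connectinfo, &flags,
+depth, includes) != 0)
+bad_options++;
+}
+@@ -2615,7 +2625,7 @@ parse_server_config(ServerOptions *options, const char *filename,
+{
+int active = connectinfo ? 0 : 1;
+parse_server_config_depth(options, filename, conf, includes,
+- connectinfo, 0, &active, 0);
++ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
+process_queued_listen_addrs(options);
+}
+
+--
+2.25.4
+
+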
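Review bot: The new `SSHCFG_MATCH_ONLY` flag in PATCH 3 is documented only as `/* Match only in conditional blocks; internal only */`, which says neither when it is set nor why it exists; the hunks show it is supplied by parse_server_config() for the per-connection re-parse (`connectinfo ? SSHCFG_MATCH_ONLY : 0`), handed down into Include files only while still set, and cleared by the first Match directive, and that is what a reader needs to know before touching the Include or Match cases. A comment such as `/* Set for the per-connection re-parse until the first Match is seen, so Include files that precede any Match still get their own Match blocks evaluated; internal only */` would capture it. In PATCH 1 the regression test's failure strings carry typos that will end up in test logs: `interpretted` in the section comment and `intertepretted` in the `fail` message should both read `interpreted`. The servconf.c functions these hunks touch start and end outside the hunks.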
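--- a/openssh.spec
+++ b/openssh.spec
@@ -65,10 +65,10 @@
 %endif
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.2p1
-%global openssh_rel 2
+%global openssh_ver 8.3p1
+%global openssh_rel 3
 %global pam_ssh_agent_ver 0.10.3
-%global pam_ssh_agent_rel 9
+%global pam_ssh_agent_rel 10
 
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
@@ -213,6 +213,10 @@ Patch963: openssh-8.0p1-openssl-evp.patch
 Patch964: openssh-8.0p1-openssl-kdf.patch
 # sk-dummy.so built with -fvisibility=hidden does not work
 Patch965: openssh-8.2p1-visibility.patch
+# Do not break X11 without IPv6
+Patch966: openssh-8.2p1-x11-without-ipv6.patch
+# Unbreak sshd_config include corner cases (#3122)
+Patch967: openssh-8.3p1-sshd_include.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -233,7 +237,6 @@ BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
 BuildRequires: audit-libs-devel >= 2.0.5
 BuildRequires: util-linux, groff
 BuildRequires: pam-devel
-BuildRequires: fipscheck-devel >= 1.3.0
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
 BuildRequires: systemd-devel
@@ -264,16 +267,14 @@ BuildRequires: gnupg2
 %package clients
 Summary: An open source SSH client applications
 Requires: openssh = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.3.0
-Requires: crypto-policies >= 20180306-1
+Requires: crypto-policies >= 20200610-1
 
 %package server
 Summary: An open source SSH server daemon
 Requires: openssh = %{version}-%{release}
 Requires(pre): /usr/sbin/useradd
 Requires: pam >= 1.0.1-3
-Requires: fipscheck-lib%{_isa} >= 1.3.0
-Requires: crypto-policies >= 20180306-1
+Requires: crypto-policies >= 20200610-1
 %{?systemd_requires}
 
 %if %{ldap}
@@ -415,6 +416,8 @@ popd
 %patch963 -p1 -b .openssl-evp
 %patch964 -p1 -b .openssl-kdf
 %patch965 -p1 -b .visibility
+%patch966 -p1 -b .x11-ipv6
+%patch967 -p1 -b .include
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
@@ -545,14 +548,6 @@ make
 popd
 %endif
 
-# Add generation of HMAC checksums of the final stripped binaries
-%global __spec_install_post \
-%%{?__debug_package:%%{__debug_install_post}} \
-%%{__arch_install_post} \
-%%{__os_install_post} \
-fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
-%{nil}
-
 %check
 #to run tests use "--with check"
 %if %{?_with_check:1}%{!?_with_check:0}
@@ -572,12 +567,11 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
 install -d $RPM_BUILD_ROOT/etc/pam.d/
 install -d $RPM_BUILD_ROOT/etc/sysconfig/
 install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
-install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
 install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
 install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
 install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
-install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
-install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/05-redhat.conf
+install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/50-redhat.conf
+install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/50-redhat.conf
 install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
 install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
 install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
@@ -644,13 +638,12 @@ getent passwd sshd >/dev/null || \
 
 %files clients
 %attr(0755,root,root) %{_bindir}/ssh
-%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
 %attr(0644,root,root) %{_mandir}/man1/ssh.1*
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
 %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-redhat.conf
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
 %if ! %{rescue}
 %attr(0755,root,root) %{_bindir}/ssh-agent
@@ -673,7 +666,6 @@ getent passwd sshd >/dev/null || \
 %files server
 %dir %attr(0711,root,root) %{_var}/empty/sshd
 %attr(0755,root,root) %{_sbindir}/sshd
-%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
 %attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
@@ -682,7 +674,7 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
 %dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/05-redhat.conf
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-redhat.conf
 %attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
 %attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
 %attr(0644,root,root) %{_unitdir}/sshd.service
@@ -728,9 +720,32 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
-* Thu Mar 26 2020 David Abdurachmanov <david.abdurachmanov@sifive.com> - 8.2p1-2 + 0.10.3-9.0.riscv64
+* Thu Jul 23 2020 David Abdurachmanov <david.abdurachmanov@sifive.com> - 8.3p1-3 + 0.10.3-10.0.riscv64
 - Add support for RISC-V (riscv64)
 
+* Wed Jun 10 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-3 + 0.10.3-10
+- Do not lose PIN when more slots match PKCS#11 URI (#1843372)
+- Update to new crypto-policies version on server (using sshd_config include)
+- Move redhat configuraion files to larger number to allow simpler override
+- Move sshd_config include before any other definitions (#1824913)
+
+* Mon Jun 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-2 + 0.10.3-10
+- Fix crash on cleanup (#1842281)
+
+* Wed May 27 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-1 + 0.10.3-10
+- New upstream release (#1840503)
+- Unbreak corner cases of sshd_config include
+- Fix order of gssapi key exchange algorithms
+
+* Wed Apr 08 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-3 + 0.10.3-9
+- Simplify reference to crypto policies in configuration files
+- Unbreak gssapi authentication with GSSAPITrustDNS over jump hosts
+- Correctly print FIPS mode initialized in debug mode
+- Enable SHA2-based GSSAPI key exchange methods (#1666781)
+- Do not break X11 forwarding when IPv6 is disabled
+- Remove fipscheck dependency as OpenSSH is no longer FIPS module
+- Improve documentation about crypto policies defaults in manual pages
+
 * Thu Feb 20 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-2 + 0.10.3-9
 - Build against libfido2 to unbreak internal u2f support
 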
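Review bot: With `$CRYPTO_POLICY` dropped from the unit files and policy enforcement moved into sshd_config (changelog: `Update to new crypto-policies version on server (using sshd_config include)`), the system cipher/MAC/KEX policy now reaches sshd only if `/etc/ssh/sshd_config` actually carries the Include of `sshd_config.d`, yet that file stays `%config(noreplace)`, so an upgraded host whose admin had edited it keeps the old copy and, if that copy predates the Include line, silently loses the policy — sshd starts fine on its compiled-in defaults. A `%post` guard such as `grep -q '^Include /etc/ssh/sshd_config.d/' /etc/ssh/sshd_config || echo 'warning: sshd_config lacks Include of sshd_config.d; system crypto policy will not apply to sshd' >&2` would surface this at upgrade time, and the changelog should state the requirement outright. The rename of `05-redhat.conf` to `50-redhat.conf` also reverses precedence for any admin drop-in numbered below 50, since sshd keeps the first value it reads for a keyword; a comment beside the `install -m644 sshd_config_redhat` line saying that lower-numbered drop-ins now override the vendor file (and whatever policy it pulls in) would make that deliberate rather than accidental. The contents of sshd_config and 50-redhat.conf are not in this diff, so the Include wiring is inferred from the changelog.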
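--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
-SHA512 (openssh-8.2p1.tar.gz) = c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
-SHA512 (openssh-8.2p1.tar.gz.asc) = e6d091289d62d3a01d5978e3c26f72d8ea6979c345fbebc215515185ea567c959f5b17e32052d752829ab4c6bc537fd977f7aa02cf0a23280da63fd9d880f303
+SHA512 (openssh-8.3p1.tar.gz) = b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
+SHA512 (openssh-8.3p1.tar.gz.asc) = 569fa12b3671af15bd7cd54fc7b13d1d64f3e96eb28f6dc430082f7bec4595689c633d3d56c23faad45b73e4da666c3ec090de26bf54f49410ba9bb8b5363e75
 SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
 SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66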
@ -6,10 +6,9 @@ Wants=sshd-keygen.target
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=notify
|
Type=notify
|
||||||
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
|
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
|
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd
|
EnvironmentFile=-/etc/sysconfig/sshd
|
||||||
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
|
ExecStart=/usr/sbin/sshd -D $OPTIONS $PERMITROOTLOGIN
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
KillMode=process
|
KillMode=process
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
@ -5,8 +5,7 @@ Wants=sshd-keygen.target
|
|||||||
After=sshd-keygen.target
|
After=sshd-keygen.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
|
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
|
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd
|
EnvironmentFile=-/etc/sysconfig/sshd
|
||||||
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
|
ExecStart=-/usr/sbin/sshd -i $OPTIONS $PERMITROOTLOGIN
|
||||||
StandardInput=socket
|
StandardInput=socket