From 2fea4b636f185090ec13bd10122e302889c24c01 Mon Sep 17 00:00:00 2001 From: "Jan F. Chadima" Date: Mon, 21 Dec 2009 11:38:04 +0000 Subject: [PATCH] updated, nss3, audit, init script --- .cvsignore | 3 +- openssh-5.3p1-audit.patch | 188 +++++++++++--------------------------- openssh.spec | 7 +- sshd.init | 6 +- 4 files changed, 64 insertions(+), 140 deletions(-) diff --git a/.cvsignore b/.cvsignore index 33580b1..c7df7d7 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1,2 @@ -openssh-5.2p1-noacss.tar.bz2 +openssh-5.3p1-noacss.tar.bz2 +pam_ssh_agent_auth-0.9.tar.bz2 diff --git a/openssh-5.3p1-audit.patch b/openssh-5.3p1-audit.patch index 7606e49..5809294 100644 --- a/openssh-5.3p1-audit.patch +++ b/openssh-5.3p1-audit.patch @@ -1,15 +1,15 @@ diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c --- openssh-5.3p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100 -+++ openssh-5.3p1/auth.c 2009-10-11 13:02:47.000000000 +0200 ++++ openssh-5.3p1/auth.c 2009-12-21 08:50:12.000000000 +0100 @@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent get_canonical_hostname(options.use_dns), "ssh", &loginmsg); # endif #endif +#if HAVE_LINUX_AUDIT -+ if (authenticated == 0 && !authctxt->postponed) { -+ linux_audit_record_event(-1, authctxt->user, NULL, -+ get_remote_ipaddr(), "sshd", 0); -+ } ++ if (authenticated == 0 && !authctxt->postponed) { ++ linux_audit_record_event(-1, authctxt->user, NULL, ++ get_remote_ipaddr(), "sshd", 0); ++ } +#endif #ifdef SSH_AUDIT_EVENTS if (authenticated == 0 && !authctxt->postponed) @@ -19,79 +19,35 @@ diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c get_canonical_hostname(options.use_dns), "ssh"); #endif +#ifdef HAVE_LINUX_AUDIT -+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(), -+ "sshd", 0); ++ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(), ++ "sshd", 0); +#endif #ifdef SSH_AUDIT_EVENTS audit_event(SSH_INVALID_USER); #endif /* SSH_AUDIT_EVENTS */ -diff -up openssh-5.3p1/config.h.in.audit openssh-5.3p1/config.h.in ---- openssh-5.3p1/config.h.in.audit 2009-09-26 08:31:14.000000000 +0200 -+++ openssh-5.3p1/config.h.in 2009-10-11 13:09:41.000000000 +0200 -@@ -533,6 +533,9 @@ - /* Define to 1 if you have the header file. */ - #undef HAVE_LASTLOG_H - -+/* Define to 1 if you have the header file. */ -+#undef HAVE_LIBAUDIT_H -+ - /* Define to 1 if you have the `bsm' library (-lbsm). */ - #undef HAVE_LIBBSM - -@@ -572,6 +575,9 @@ - /* Define to 1 if you have the header file. */ - #undef HAVE_LIMITS_H - -+/* Define if you want Linux audit support. */ -+#undef HAVE_LINUX_AUDIT -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_LINUX_IF_TUN_H - -@@ -768,6 +774,9 @@ - /* Define to 1 if you have the `setgroups' function. */ - #undef HAVE_SETGROUPS - -+/* Define to 1 if you have the `setkeycreatecon' function. */ -+#undef HAVE_SETKEYCREATECON -+ - /* Define to 1 if you have the `setlogin' function. */ - #undef HAVE_SETLOGIN - -@@ -1348,6 +1357,10 @@ - /* Prepend the address family to IP tunnel traffic */ - #undef SSH_TUN_PREPEND_AF - -+/* Define to your vendor patch level, if it has been modified from the -+ upstream source release. */ -+#undef SSH_VENDOR_PATCHLEVEL -+ - /* Define to 1 if you have the ANSI C header files. */ - #undef STDC_HEADERS - diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac ---- openssh-5.3p1/configure.ac.audit 2009-09-11 06:56:08.000000000 +0200 -+++ openssh-5.3p1/configure.ac 2009-10-11 13:08:03.000000000 +0200 -@@ -3407,6 +3407,18 @@ AC_ARG_WITH(selinux, +--- openssh-5.3p1/configure.ac.audit 2009-12-21 08:48:59.000000000 +0100 ++++ openssh-5.3p1/configure.ac 2009-12-21 08:51:47.000000000 +0100 +@@ -3409,6 +3409,18 @@ AC_ARG_WITH(selinux, fi ] ) +# Check whether user wants Linux audit support +LINUX_AUDIT_MSG="no" +AC_ARG_WITH(linux-audit, -+ [ --with-linux-audit Enable Linux audit support], -+ [ if test "x$withval" != "xno" ; then -+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) -+ LINUX_AUDIT_MSG="yes" -+ AC_CHECK_HEADERS(libaudit.h) -+ SSHDLIBS="$SSHDLIBS -laudit" -+ fi ] ++ [ --with-linux-audit Enable Linux audit support], ++ [ if test "x$withval" != "xno" ; then ++ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.]) ++ LINUX_AUDIT_MSG="yes" ++ AC_CHECK_HEADERS(libaudit.h) ++ SSHDLIBS="$SSHDLIBS -laudit" ++ fi ] +) + # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, -@@ -4226,6 +4238,7 @@ echo " PAM support +@@ -4234,6 +4246,7 @@ echo " PAM support echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" @@ -101,7 +57,7 @@ diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac echo " TCP Wrappers support: $TCPW_MSG" diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c --- openssh-5.3p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100 -+++ openssh-5.3p1/loginrec.c 2009-10-11 13:06:16.000000000 +0200 ++++ openssh-5.3p1/loginrec.c 2009-12-21 08:54:17.000000000 +0100 @@ -176,6 +176,10 @@ #include "auth.h" #include "buffer.h" @@ -128,94 +84,54 @@ diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c /* set the timestamp */ login_set_current_time(li); +#ifdef HAVE_LINUX_AUDIT -+ if (linux_audit_write_entry(li) == 0) -+ fatal("linux_audit_write_entry failed: %s", strerror(errno)); ++ if (linux_audit_write_entry(li) == 0) ++ fatal("linux_audit_write_entry failed: %s", strerror(errno)); +#endif #ifdef USE_LOGIN syslogin_write_entry(li); #endif -@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li) +@@ -1394,6 +1405,47 @@ wtmpx_get_entry(struct logininfo *li) } #endif /* USE_WTMPX */ +#ifdef HAVE_LINUX_AUDIT -+static void -+_audit_hexscape(const char *what, char *where, unsigned int size) -+{ -+ const char *ptr = what; -+ const char *hex = "0123456789ABCDEF"; -+ -+ while (*ptr) { -+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) { -+ unsigned int i; -+ ptr = what; -+ for (i = 0; *ptr && i+2 < size; i += 2) { -+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */ -+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */ -+ ptr++; -+ } -+ where[i] = '\0'; -+ return; -+ } -+ ptr++; -+ } -+ where[0] = '"'; -+ if ((unsigned)(ptr - what) < size - 3) -+ { -+ size = ptr - what + 3; -+ } -+ strncpy(where + 1, what, size - 3); -+ where[size-2] = '"'; -+ where[size-1] = '\0'; -+} -+ -+#define AUDIT_LOG_SIZE 128 -+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8) -+ +int +linux_audit_record_event(int uid, const char *username, -+ const char *hostname, const char *ip, const char *ttyn, int success) ++ const char *hostname, const char *ip, const char *ttyn, int success) +{ -+ char buf[AUDIT_LOG_SIZE]; -+ int audit_fd, rc; ++ int audit_fd, rc; + -+ audit_fd = audit_open(); -+ if (audit_fd < 0) { -+ if (errno == EINVAL || errno == EPROTONOSUPPORT || -+ errno == EAFNOSUPPORT) -+ return 1; /* No audit support in kernel */ -+ else -+ return 0; /* Must prevent login */ -+ } -+ if (username == NULL) -+ snprintf(buf, sizeof(buf), "uid=%d", uid); -+ else { -+ char encoded[AUDIT_ACCT_SIZE]; -+ _audit_hexscape(username, encoded, sizeof(encoded)); -+ snprintf(buf, sizeof(buf), "acct=%s", encoded); -+ } -+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN, -+ buf, hostname, ip, ttyn, success); -+ close(audit_fd); -+ if (rc >= 0) -+ return 1; -+ else -+ return 0; ++ audit_fd = audit_open(); ++ if (audit_fd < 0) { ++ if (errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT) ++ return 1; /* No audit support in kernel */ ++ else ++ return 0; /* Must prevent login */ ++ } ++ rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN, ++ NULL, "login", username ? username : "(unknown)", ++ username == NULL ? uid : -1, hostname, ip, ttyn, success); ++ close(audit_fd); ++ if (rc >= 0) ++ return 1; ++ else ++ return 0; +} + +int +linux_audit_write_entry(struct logininfo *li) +{ -+ switch(li->type) { -+ case LTYPE_LOGIN: -+ return (linux_audit_record_event(li->uid, NULL, li->hostname, -+ NULL, li->line, 1)); -+ case LTYPE_LOGOUT: -+ return (1); /* We only care about logins */ -+ default: -+ logit("%s: invalid type field", __func__); -+ return (0); -+ } ++ switch(li->type) { ++ case LTYPE_LOGIN: ++ return (linux_audit_record_event(li->uid, NULL, li->hostname, ++ NULL, li->line, 1)); ++ case LTYPE_LOGOUT: ++ return (1); /* We only care about logins */ ++ default: ++ logit("%s: invalid type field", __func__); ++ return (0); ++ } +} +#endif /* HAVE_LINUX_AUDIT */ + @@ -224,14 +140,14 @@ diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c **/ diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h --- openssh-5.3p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200 -+++ openssh-5.3p1/loginrec.h 2009-10-11 13:04:28.000000000 +0200 ++++ openssh-5.3p1/loginrec.h 2009-12-21 08:48:59.000000000 +0100 @@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch char *line_abbrevname(char *dst, const char *src, int dstsize); void record_failed_login(const char *, const char *, const char *); +#ifdef HAVE_LINUX_AUDIT +int linux_audit_record_event(int uid, const char *username, -+ const char *hostname, const char *ip, const char *ttyn, int success); ++ const char *hostname, const char *ip, const char *ttyn, int success); +#endif /* HAVE_LINUX_AUDIT */ #endif /* _HAVE_LOGINREC_H_ */ diff --git a/openssh.spec b/openssh.spec index 8b43e21..1430b21 100644 --- a/openssh.spec +++ b/openssh.spec @@ -69,7 +69,7 @@ Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: 5.3p1 -Release: 11%{?dist}%{?rescue_rel} +Release: 13%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshauth.sourceforge.net #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -525,6 +525,11 @@ fi %endif %changelog +* Mon Dec 21 2009 Jan F. Chadima - 5.3p1-13 +- Update the audit patch +- Add possibility to autocreate only RSA key into initscript (#533339) +- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451) + * Mon Nov 30 2009 Jan F. Chadima - 5.3p1-11 - Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451) diff --git a/sshd.init b/sshd.init index 3bc2cc4..889c776 100755 --- a/sshd.init +++ b/sshd.init @@ -122,9 +122,11 @@ start() [ -f /etc/ssh/sshd_config ] || exit 6 # Create keys if necessary if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then - do_rsa1_keygen do_rsa_keygen - do_dsa_keygen + if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then + do_rsa1_keygen + do_dsa_keygen + fi fi echo -n $"Starting $prog: "