updated, nss3, audit, init script

2009-12-21 11:38:04 +00:00 · 2009-12-21 11:38:04 +00:00 · 2fea4b636f
parent a595f1f67e
commit 2fea4b636f
4 changed files with 64 additions and 140 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1 +1,2 @@
-openssh-5.2p1-noacss.tar.bz2
+openssh-5.3p1-noacss.tar.bz2
 pam_ssh_agent_auth-0.9.tar.bz2
--- a/openssh-5.3p1-audit.patch
+++ b/openssh-5.3p1-audit.patch
@ -1,15 +1,15 @@
 diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
 --- openssh-5.3p1/auth.c.audit	2008-11-05 06:12:54.000000000 +0100
-+++ openssh-5.3p1/auth.c	2009-10-11 13:02:47.000000000 +0200
+++ openssh-5.3p1/auth.c	2009-12-21 08:50:12.000000000 +0100
@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
 # endif
 #endif
 +#if HAVE_LINUX_AUDIT
-+	if (authenticated == 0 && !authctxt->postponed) {
+        if (authenticated == 0 && !authctxt->postponed) {
-+		linux_audit_record_event(-1, authctxt->user, NULL,
+                linux_audit_record_event(-1, authctxt->user, NULL,
-+			get_remote_ipaddr(), "sshd", 0);
+                        get_remote_ipaddr(), "sshd", 0);
-+	}
+        }
 +#endif
 #ifdef SSH_AUDIT_EVENTS
 	if (authenticated == 0 && !authctxt->postponed)
@ -19,79 +19,35 @@ diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
 		    get_canonical_hostname(options.use_dns), "ssh");
 #endif
 +#ifdef HAVE_LINUX_AUDIT
-+		linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
+                linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
-+			"sshd", 0);
+                        "sshd", 0);
 +#endif
 #ifdef SSH_AUDIT_EVENTS
 		audit_event(SSH_INVALID_USER);
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.3p1/config.h.in.audit openssh-5.3p1/config.h.in
 --- openssh-5.3p1/config.h.in.audit	2009-09-26 08:31:14.000000000 +0200
 +++ openssh-5.3p1/config.h.in	2009-10-11 13:09:41.000000000 +0200
@@ -533,6 +533,9 @@
 /* Define to 1 if you have the <lastlog.h> header file. */
 #undef HAVE_LASTLOG_H
 +/* Define to 1 if you have the <libaudit.h> header file. */
 +#undef HAVE_LIBAUDIT_H
 +
 /* Define to 1 if you have the `bsm' library (-lbsm). */
 #undef HAVE_LIBBSM
@@ -572,6 +575,9 @@
 /* Define to 1 if you have the <limits.h> header file. */
 #undef HAVE_LIMITS_H
 +/* Define if you want Linux audit support. */
 +#undef HAVE_LINUX_AUDIT
 +
 /* Define to 1 if you have the <linux/if_tun.h> header file. */
 #undef HAVE_LINUX_IF_TUN_H
@@ -768,6 +774,9 @@
 /* Define to 1 if you have the `setgroups' function. */
 #undef HAVE_SETGROUPS
 +/* Define to 1 if you have the `setkeycreatecon' function. */
 +#undef HAVE_SETKEYCREATECON
 +
 /* Define to 1 if you have the `setlogin' function. */
 #undef HAVE_SETLOGIN
@@ -1348,6 +1357,10 @@
 /* Prepend the address family to IP tunnel traffic */
 #undef SSH_TUN_PREPEND_AF
 +/* Define to your vendor patch level, if it has been modified from the
 +   upstream source release. */
 +#undef SSH_VENDOR_PATCHLEVEL
 +
 /* Define to 1 if you have the ANSI C header files. */
 #undef STDC_HEADERS
 diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.audit	2009-09-11 06:56:08.000000000 +0200
+--- openssh-5.3p1/configure.ac.audit	2009-12-21 08:48:59.000000000 +0100
-+++ openssh-5.3p1/configure.ac	2009-10-11 13:08:03.000000000 +0200
+++ openssh-5.3p1/configure.ac	2009-12-21 08:51:47.000000000 +0100
-@@ -3407,6 +3407,18 @@ AC_ARG_WITH(selinux,
+@@ -3409,6 +3409,18 @@ AC_ARG_WITH(selinux,
 	fi ]
 )
 +# Check whether user wants Linux audit support
 +LINUX_AUDIT_MSG="no"
 +AC_ARG_WITH(linux-audit,
-+	[  --with-linux-audit   Enable Linux audit support],
+        [  --with-linux-audit   Enable Linux audit support],
-+	[ if test "x$withval" != "xno" ; then
+        [ if test "x$withval" != "xno" ; then
-+		AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
+                AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
-+		LINUX_AUDIT_MSG="yes"
+                LINUX_AUDIT_MSG="yes"
-+		AC_CHECK_HEADERS(libaudit.h)
+                AC_CHECK_HEADERS(libaudit.h)
-+		SSHDLIBS="$SSHDLIBS -laudit"
+                SSHDLIBS="$SSHDLIBS -laudit"
-+	fi ]
+        fi ]
 +)
 +
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
-@@ -4226,6 +4238,7 @@ echo "                       PAM support
+@@ -4234,6 +4246,7 @@ echo "                       PAM support
 echo "                   OSF SIA support: $SIA_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
@ -101,7 +57,7 @@ diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
 echo "              TCP Wrappers support: $TCPW_MSG"
 diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
 --- openssh-5.3p1/loginrec.c.audit	2009-02-12 03:12:22.000000000 +0100
-+++ openssh-5.3p1/loginrec.c	2009-10-11 13:06:16.000000000 +0200
+++ openssh-5.3p1/loginrec.c	2009-12-21 08:54:17.000000000 +0100
@@ -176,6 +176,10 @@
 #include "auth.h"
 #include "buffer.h"
@ -128,94 +84,54 @@ diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
 	/* set the timestamp */
 	login_set_current_time(li);
 +#ifdef HAVE_LINUX_AUDIT
-+	if (linux_audit_write_entry(li) == 0)
+        if (linux_audit_write_entry(li) == 0)
-+		fatal("linux_audit_write_entry failed: %s", strerror(errno));
+                fatal("linux_audit_write_entry failed: %s", strerror(errno));
 +#endif
 #ifdef USE_LOGIN
 	syslogin_write_entry(li);
 #endif
-@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
+@@ -1394,6 +1405,47 @@ wtmpx_get_entry(struct logininfo *li)
 }
 #endif /* USE_WTMPX */
 +#ifdef HAVE_LINUX_AUDIT
 +static void
 +_audit_hexscape(const char *what, char *where, unsigned int size)
 +{
 +	const char *ptr = what;
 +	const char *hex = "0123456789ABCDEF";
 +
 +	while (*ptr) {
 +		if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
 +			unsigned int i;
 +			ptr = what;
 +			for (i = 0; *ptr && i+2 < size; i += 2) {
 +				where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
 +				where[i+1] = hex[(unsigned)*ptr & 0x0F];   /* Lower nibble */
 +				ptr++;
 +			}
 +			where[i] = '\0';
 +			return;
 +		}
 +		ptr++;
 +	}
 +	where[0] = '"';
 +	if ((unsigned)(ptr - what) < size - 3)
 +	{
 +		size = ptr - what + 3;
 +	}
 +	strncpy(where + 1, what, size - 3);
 +	where[size-2] = '"';
 +	where[size-1] = '\0';
 +}
 +
 +#define AUDIT_LOG_SIZE 128
 +#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
 +
 +int
 +linux_audit_record_event(int uid, const char *username,
-+	const char *hostname, const char *ip, const char *ttyn, int success)
+        const char *hostname, const char *ip, const char *ttyn, int success)
 +{
-+	char buf[AUDIT_LOG_SIZE];
+        int audit_fd, rc;
 +	int audit_fd, rc;
 +
-+	audit_fd = audit_open();
+        audit_fd = audit_open();
-+	if (audit_fd < 0) {
+        if (audit_fd < 0) {
-+	 	if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+                 if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+					errno == EAFNOSUPPORT)
+                                        errno == EAFNOSUPPORT)
-+			return 1; /* No audit support in kernel */
+                        return 1; /* No audit support in kernel */
-+		else
+                else
-+			return 0; /* Must prevent login */
+                        return 0; /* Must prevent login */
-+	}
+        }
-+	if (username == NULL)
+        rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
-+		snprintf(buf, sizeof(buf), "uid=%d", uid);
+                NULL, "login", username ? username : "(unknown)",
-+	else {
+                username == NULL ? uid : -1, hostname, ip, ttyn, success);
-+		char encoded[AUDIT_ACCT_SIZE];
+        close(audit_fd);
-+		_audit_hexscape(username, encoded, sizeof(encoded));
+        if (rc >= 0)
-+		snprintf(buf, sizeof(buf), "acct=%s", encoded);
+                return 1;
-+	}
+        else
-+	rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
+                return 0;
 +		buf, hostname, ip, ttyn, success);
 +	close(audit_fd);
 +	if (rc >= 0)
 +		return 1;
 +	else
 +		return 0;
 +}
 +
 +int
 +linux_audit_write_entry(struct logininfo *li)
 +{
-+	switch(li->type) {
+        switch(li->type) {
-+	case LTYPE_LOGIN:
+        case LTYPE_LOGIN:
-+		return (linux_audit_record_event(li->uid, NULL, li->hostname,
+                return (linux_audit_record_event(li->uid, NULL, li->hostname,
-+			NULL, li->line, 1));
+                        NULL, li->line, 1));
-+	case LTYPE_LOGOUT:
+        case LTYPE_LOGOUT:
-+		return (1);	/* We only care about logins */
+                return (1);        /* We only care about logins */
-+	default:
+        default:
-+		logit("%s: invalid type field", __func__);
+                logit("%s: invalid type field", __func__);
-+		return (0);
+                return (0);
-+	}
+        }
 +}
 +#endif /* HAVE_LINUX_AUDIT */
 +
@ -224,14 +140,14 @@ diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
  **/
 diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
 --- openssh-5.3p1/loginrec.h.audit	2006-08-05 04:39:40.000000000 +0200
-+++ openssh-5.3p1/loginrec.h	2009-10-11 13:04:28.000000000 +0200
+++ openssh-5.3p1/loginrec.h	2009-12-21 08:48:59.000000000 +0100
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
 char *line_abbrevname(char *dst, const char *src, int dstsize);
 void record_failed_login(const char *, const char *, const char *);
 +#ifdef HAVE_LINUX_AUDIT
 +int linux_audit_record_event(int uid, const char *username,
-+	const char *hostname, const char *ip, const char *ttyn, int success);
+        const char *hostname, const char *ip, const char *ttyn, int success);
 +#endif /* HAVE_LINUX_AUDIT */
 #endif /* _HAVE_LOGINREC_H_ */
--- a/openssh.spec
+++ b/openssh.spec
@ -69,7 +69,7 @@
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 5.3p1
-Release: 11%{?dist}%{?rescue_rel}
+Release: 13%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshauth.sourceforge.net
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -525,6 +525,11 @@ fi
 %endif
 %changelog
 * Mon Dec 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-13
 - Update the audit patch
 - Add possibility to autocreate only RSA key into initscript (#533339)
 - Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
 * Mon Nov 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-11
 - Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
--- a/sshd.init
+++ b/sshd.init
@ -122,9 +122,11 @@ start()
 	[ -f /etc/ssh/sshd_config ] || exit 6
 	# Create keys if necessary
 	if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
 		do_rsa1_keygen
 		do_rsa_keygen
-		do_dsa_keygen
+		if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
 			do_rsa1_keygen
 			do_dsa_keygen
 		fi
 	fi
 	echo -n $"Starting $prog: "
`@ -1 +1,2 @@`
	`openssh-5.2p1-noacss.tar.bz2`	`openssh-5.3p1-noacss.tar.bz2`
		`pam_ssh_agent_auth-0.9.tar.bz2`