Update to 5.4p1

Jan F. Chadima 2010-03-09 09:37:02 +00:00
parent 172266f986
commit 3101856932
12 changed files with 587 additions and 2102 deletions


@ -1,11 +0,0 @@
--- openssh-4.3p2/channels.c.no-v6only 2006-07-17 15:39:31.000000000 +0200
+++ openssh-4.3p2/channels.c 2006-08-08 12:44:51.000000000 +0200
@@ -2794,7 +2794,7 @@
}
}
#ifdef IPV6_V6ONLY
- if (ai->ai_family == AF_INET6) {
+ if (x11_use_localhost && ai->ai_family == AF_INET6) {
int on = 1;
if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno));


@ -1,9 +0,0 @@
--- openssh-5.2p1/openbsd-compat/openssl-compat.c~ 2010-01-27 17:36:29.000000000 -0500
+++ openssh-5.2p1/openbsd-compat/openssl-compat.c 2010-01-28 10:52:53.000000000 -0500
@@ -58,5 +58,6 @@
/* Enable use of crypto hardware */
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
+ OPENSSL_config(NULL);
}
#endif


@ -1,64 +0,0 @@
diff -up openssh-5.2p1/openbsd-compat/port-linux.c.sesftp openssh-5.2p1/openbsd-compat/port-linux.c
--- openssh-5.2p1/openbsd-compat/port-linux.c.sesftp 2009-08-12 00:29:37.712368892 +0200
+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-12 00:29:37.732544890 +0200
@@ -469,4 +469,36 @@ ssh_selinux_setup_pty(char *pwname, cons
freecon(user_ctx);
debug3("%s: done", __func__);
}
+
+void
+ssh_selinux_change_context(const char *newname)
+{
+ int len, newlen;
+ char *oldctx, *newctx, *cx;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ if (getcon((security_context_t *)&oldctx) < 0) {
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
+ return;
+ }
+ if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == NULL) {
+ logit ("%s: unparseable context %s", __func__, oldctx);
+ return;
+ }
+
+ newlen = strlen(oldctx) + strlen(newname) + 1;
+ newctx = xmalloc(newlen);
+ len = cx - oldctx + 1;
+ memcpy(newctx, oldctx, len);
+ strlcpy(newctx + len, newname, newlen - len);
+ if ((cx = index(cx + 1, ':')))
+ strlcat(newctx, cx, newlen);
+ debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, newctx);
+ if (setcon(newctx) < 0)
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
+ xfree(oldctx);
+ xfree(newctx);
+}
#endif /* WITH_SELINUX */
diff -up openssh-5.2p1/openbsd-compat/port-linux.h.sesftp openssh-5.2p1/openbsd-compat/port-linux.h
--- openssh-5.2p1/openbsd-compat/port-linux.h.sesftp 2008-03-26 21:27:21.000000000 +0100
+++ openssh-5.2p1/openbsd-compat/port-linux.h 2009-08-12 00:29:37.733388083 +0200
@@ -23,6 +23,7 @@
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_change_context(const char *);
#endif
#endif /* ! _PORT_LINUX_H */
diff -up openssh-5.2p1/session.c.sesftp openssh-5.2p1/session.c
--- openssh-5.2p1/session.c.sesftp 2009-08-12 00:29:37.659250161 +0200
+++ openssh-5.2p1/session.c 2009-08-12 00:29:37.729578695 +0200
@@ -1798,6 +1798,9 @@ do_child(Session *s, const char *command
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
+#ifdef WITH_SELINUX
+ ssh_selinux_change_context("sftpd_t");
+#endif
exit(sftp_server_main(i, argv, s->pw));
}



@ -1,15 +1,15 @@
diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
--- openssh-5.3p1/auth2-pubkey.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/auth2-pubkey.c 2009-10-02 14:12:00.000000000 +0200
@@ -33,6 +33,7 @@
#include <stdio.h>
#include <stdarg.h>
diff -up openssh-5.4p1/auth2-pubkey.c.fips openssh-5.4p1/auth2-pubkey.c
--- openssh-5.4p1/auth2-pubkey.c.fips 2010-03-01 17:55:26.000000000 +0100
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 17:57:56.000000000 +0100
@@ -35,6 +35,7 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
+#include <openssl/fips.h>
#include "xmalloc.h"
#include "ssh.h"
@@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key
@@ -269,7 +270,7 @@ user_key_allowed2(struct passwd *pw, Key
found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
@ -18,10 +18,10 @@ diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
verbose("Found matching %s key: %s",
key_type(found), fp);
xfree(fp);
diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
--- openssh-5.3p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.3p1/authfile.c 2009-10-02 14:12:00.000000000 +0200
@@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch
diff -up openssh-5.4p1/authfile.c.fips openssh-5.4p1/authfile.c
--- openssh-5.4p1/authfile.c.fips 2010-01-12 09:42:29.000000000 +0100
+++ openssh-5.4p1/authfile.c 2010-03-01 17:55:28.000000000 +0100
@@ -146,8 +146,14 @@ key_save_private_rsa1(Key *key, const ch
/* Allocate space for the private part of the key in the buffer. */
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -38,7 +38,7 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer));
cipher_cleanup(&ciphercontext);
@@ -414,8 +420,14 @@ key_load_private_rsa1(int fd, const char
@@ -421,8 +427,14 @@ key_load_private_rsa1(int fd, const char
cp = buffer_append_space(&decrypted, buffer_len(&buffer));
/* Rest of the buffer is encrypted. Decrypt it using the passphrase. */
@ -55,9 +55,9 @@ diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
cipher_crypt(&ciphercontext, cp,
buffer_ptr(&buffer), buffer_len(&buffer));
cipher_cleanup(&ciphercontext);
diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
--- openssh-5.3p1/cipher.c.fips 2009-10-02 13:44:03.000000000 +0200
+++ openssh-5.3p1/cipher.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/cipher.c.fips openssh-5.4p1/cipher.c
--- openssh-5.4p1/cipher.c.fips 2010-03-01 15:09:22.000000000 +0100
+++ openssh-5.4p1/cipher.c 2010-03-01 17:55:28.000000000 +0100
@@ -40,6 +40,7 @@
#include <sys/types.h>
@ -142,9 +142,9 @@ diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
}
/*
diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
--- openssh-5.3p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
+++ openssh-5.3p1/cipher-ctr.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/cipher-ctr.c.fips openssh-5.4p1/cipher-ctr.c
--- openssh-5.4p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
+++ openssh-5.4p1/cipher-ctr.c 2010-03-01 17:55:28.000000000 +0100
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
@ -155,9 +155,9 @@ diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
#endif
return (&aes_ctr);
}
diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
--- openssh-5.3p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
+++ openssh-5.3p1/cipher.h 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/cipher.h.fips openssh-5.4p1/cipher.h
--- openssh-5.4p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
+++ openssh-5.4p1/cipher.h 2010-03-01 17:55:28.000000000 +0100
@@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe
const u_char *, u_int, int);
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@ -167,9 +167,9 @@ diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *);
u_int cipher_is_cbc(const Cipher *);
diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
--- openssh-5.3p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.3p1/mac.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/mac.c.fips openssh-5.4p1/mac.c
--- openssh-5.4p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
+++ openssh-5.4p1/mac.c 2010-03-01 17:55:28.000000000 +0100
@@ -28,6 +28,7 @@
#include <sys/types.h>
@ -219,10 +219,10 @@ diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
for (i = 0; macs[i].name; i++) {
if (strcmp(name, macs[i].name) == 0) {
diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
--- openssh-5.3p1/Makefile.in.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/Makefile.in 2009-10-02 14:20:18.000000000 +0200
@@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS)
diff -up openssh-5.4p1/Makefile.in.fips openssh-5.4p1/Makefile.in
--- openssh-5.4p1/Makefile.in.fips 2010-02-24 08:18:51.000000000 +0100
+++ openssh-5.4p1/Makefile.in 2010-03-01 17:55:28.000000000 +0100
@@ -139,31 +139,31 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -240,28 +240,31 @@ diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
--- openssh-5.3p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
+++ openssh-5.3p1/myproposal.h 2009-10-02 14:12:00.000000000 +0200
@@ -53,7 +53,12 @@
diff -up openssh-5.4p1/myproposal.h.fips openssh-5.4p1/myproposal.h
--- openssh-5.4p1/myproposal.h.fips 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/myproposal.h 2010-03-01 17:55:28.000000000 +0100
@@ -55,7 +55,12 @@
"hmac-sha1-96,hmac-md5-96"
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG ""
@ -275,23 +278,9 @@ diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX,
diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c
--- openssh-5.3p1/nsskeys.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/nsskeys.c 2009-10-02 14:12:00.000000000 +0200
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
break;
}
- p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
- debug("fingerprint %u %s", key_size(k), p);
+ p = key_fingerprint(k, SSH_FP_SHA1, SSH_FP_HEX);
+ debug("SHA1 fingerprint %u %s", key_size(k), p);
xfree(p);
return 0;
diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
+++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.4p1/openbsd-compat/bsd-arc4random.c
--- openssh-5.4p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
+++ openssh-5.4p1/openbsd-compat/bsd-arc4random.c 2010-03-01 17:55:28.000000000 +0100
@@ -39,6 +39,7 @@
static int rc4_ready = 0;
static RC4_KEY rc4;
@ -333,9 +322,9 @@ diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbs
#endif /* !HAVE_ARC4RANDOM */
#ifndef ARC4RANDOM_BUF
diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
--- openssh-5.3p1/ssh-add.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/ssh-add.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/ssh-add.c.fips openssh-5.4p1/ssh-add.c
--- openssh-5.4p1/ssh-add.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh-add.c 2010-03-01 17:55:28.000000000 +0100
@@ -42,6 +42,7 @@
#include <sys/param.h>
@ -343,8 +332,8 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
+#include <openssl/fips.h>
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_LIBNSS
@@ -254,7 +255,7 @@ list_identities(AuthenticationConnection
#include <fcntl.h>
@@ -270,7 +271,7 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1;
if (do_fp) {
@ -353,9 +342,9 @@ diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
SSH_FP_HEX);
printf("%d %s %s (%s)\n",
key_size(key), fp, comment, key_type(key));
diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
--- openssh-5.3p1/ssh-agent.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/ssh-agent.c.fips openssh-5.4p1/ssh-agent.c
--- openssh-5.4p1/ssh-agent.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh-agent.c 2010-03-01 17:55:28.000000000 +0100
@@ -51,6 +51,7 @@
#include <openssl/evp.h>
@ -364,7 +353,7 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
#include "openbsd-compat/openssl-compat.h"
#include <errno.h>
@@ -200,9 +201,9 @@ confirm_key(Identity *id)
@@ -199,9 +200,9 @@ confirm_key(Identity *id)
char *p;
int ret = -1;
@ -377,9 +366,9 @@ diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
ret = 0;
xfree(p);
diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
--- openssh-5.3p1/ssh.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/ssh.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/ssh.c.fips openssh-5.4p1/ssh.c
--- openssh-5.4p1/ssh.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh.c 2010-03-01 17:55:28.000000000 +0100
@@ -72,6 +72,8 @@
#include <openssl/evp.h>
@ -389,7 +378,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -221,6 +223,10 @@ main(int ac, char **av)
@@ -225,6 +227,10 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
@ -400,8 +389,8 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
init_rng();
/*
@@ -281,6 +287,9 @@ main(int ac, char **av)
"ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) {
@@ -285,6 +291,9 @@ main(int ac, char **av)
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (FIPS_mode()) {
@ -410,7 +399,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -552,7 +561,6 @@ main(int ac, char **av)
@@ -581,7 +590,6 @@ main(int ac, char **av)
if (!host)
usage();
@ -418,7 +407,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
ERR_load_crypto_strings();
/* Initialize the command to execute on remote host. */
@@ -638,6 +646,10 @@ main(int ac, char **av)
@@ -667,6 +675,10 @@ main(int ac, char **av)
seed_rng();
@ -429,7 +418,7 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
@@ -704,6 +716,12 @@ main(int ac, char **av)
@@ -733,6 +745,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
@ -442,9 +431,9 @@ diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
/* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms,
diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
--- openssh-5.3p1/sshconnect2.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/sshconnect2.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/sshconnect2.c.fips openssh-5.4p1/sshconnect2.c
--- openssh-5.4p1/sshconnect2.c.fips 2010-03-01 17:55:28.000000000 +0100
+++ openssh-5.4p1/sshconnect2.c 2010-03-01 17:55:29.000000000 +0100
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
@ -477,7 +466,7 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms;
@@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t
@@ -529,8 +539,8 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype);
goto done;
}
@ -488,19 +477,19 @@ diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
xfree(fp);
/*
diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
--- openssh-5.3p1/sshconnect.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/sshconnect.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/sshconnect.c.fips openssh-5.4p1/sshconnect.c
--- openssh-5.4p1/sshconnect.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/sshconnect.c 2010-03-01 17:55:29.000000000 +0100
@@ -40,6 +40,8 @@
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
+#include <openssl/fips.h>
+
#include "xmalloc.h"
#include "key.h"
#include "hostfile.h"
@@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so
@@ -789,6 +791,7 @@ check_host_key(char *hostname, struct so
goto fail;
} else if (options.strict_host_key_checking == 2) {
char msg1[1024], msg2[1024];
@ -508,7 +497,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
if (show_other_keys(host, host_key))
snprintf(msg1, sizeof(msg1),
@@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so
@@ -797,8 +800,8 @@ check_host_key(char *hostname, struct so
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
@ -519,7 +508,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
SSH_FP_RANDOMART);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
@@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so
@@ -814,10 +817,10 @@ check_host_key(char *hostname, struct so
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
@ -532,7 +521,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
@@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con
@@ -1131,17 +1134,18 @@ show_key_from_file(const char *file, con
Key *found;
char *fp, *ra;
int line, ret;
@ -555,7 +544,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
xfree(ra);
xfree(fp);
}
@@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key)
@@ -1187,8 +1191,9 @@ warn_changed_key(Key *host_key)
{
char *fp;
const char *type = key_type(host_key);
@ -566,7 +555,7 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key)
@@ -1196,8 +1201,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that the %s host key has just been changed.", type);
@ -577,9 +566,9 @@ diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
error("Please contact your system administrator.");
xfree(fp);
diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
--- openssh-5.3p1/sshd.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/sshd.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/sshd.c.fips openssh-5.4p1/sshd.c
--- openssh-5.4p1/sshd.c.fips 2010-03-01 17:55:27.000000000 +0100
+++ openssh-5.4p1/sshd.c 2010-03-01 17:55:29.000000000 +0100
@@ -76,6 +76,8 @@
#include <openssl/bn.h>
#include <openssl/md5.h>
@ -589,7 +578,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
#include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE
@@ -1261,6 +1263,12 @@ main(int ac, char **av)
@@ -1298,6 +1300,12 @@ main(int ac, char **av)
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
@ -602,7 +591,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
init_rng();
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
@@ -1413,8 +1421,6 @@ main(int ac, char **av)
@@ -1459,8 +1467,6 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -611,7 +600,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
/*
* Force logging to stderr until we have loaded the private host
* key (unless started from inetd)
@@ -1532,6 +1538,10 @@ main(int ac, char **av)
@@ -1578,6 +1584,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, key->type,
key_type(key));
}
@ -622,7 +611,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
@@ -1656,6 +1666,10 @@ main(int ac, char **av)
@@ -1742,6 +1752,10 @@ main(int ac, char **av)
/* Initialize the random number generator. */
arc4random_stir();
@ -633,7 +622,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
chdir("/");
@@ -2183,6 +2197,9 @@ do_ssh2_kex(void)
@@ -2274,6 +2288,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -643,7 +632,7 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2192,6 +2209,9 @@ do_ssh2_kex(void)
@@ -2283,6 +2300,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -653,9 +642,9 @@ diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
--- openssh-5.3p1/ssh-keygen.c.fips 2009-10-02 14:12:00.000000000 +0200
+++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:12:00.000000000 +0200
diff -up openssh-5.4p1/ssh-keygen.c.fips openssh-5.4p1/ssh-keygen.c
--- openssh-5.4p1/ssh-keygen.c.fips 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/ssh-keygen.c 2010-03-01 17:55:29.000000000 +0100
@@ -21,6 +21,7 @@
#include <openssl/evp.h>
@ -664,7 +653,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
#include "openbsd-compat/openssl-compat.h"
#include <errno.h>
@@ -537,7 +538,7 @@ do_fingerprint(struct passwd *pw)
@@ -524,7 +525,7 @@ do_fingerprint(struct passwd *pw)
enum fp_type fptype;
struct stat st;
@ -673,7 +662,7 @@ diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity)
@@ -1506,14 +1507,15 @@ passphrase_again:
@@ -1808,14 +1809,15 @@ passphrase_again:
fclose(f);
if (!quiet) {


@ -1,6 +1,6 @@
diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c
--- openssh-5.3p1/auth2.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/auth2.c 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/auth2.c.gsskex openssh-5.4p1/auth2.c
--- openssh-5.4p1/auth2.c.gsskex 2010-03-01 18:14:24.000000000 +0100
+++ openssh-5.4p1/auth2.c 2010-03-01 18:14:28.000000000 +0100
@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
@ -35,9 +35,9 @@ diff -up openssh-5.3p1/auth2.c.gsskex openssh-5.3p1/auth2.c
authctxt->failures++;
if (authctxt->failures >= options.max_authtries) {
#ifdef SSH_AUDIT_EVENTS
diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c
--- openssh-5.3p1/auth2-gss.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/auth2-gss.c 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/auth2-gss.c.gsskex openssh-5.4p1/auth2-gss.c
--- openssh-5.4p1/auth2-gss.c.gsskex 2010-03-01 18:14:24.000000000 +0100
+++ openssh-5.4p1/auth2-gss.c 2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
@ -137,9 +137,9 @@ diff -up openssh-5.3p1/auth2-gss.c.gsskex openssh-5.3p1/auth2-gss.c
Authmethod method_gssapi = {
"gssapi-with-mic",
userauth_gssapi,
diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h
--- openssh-5.3p1/auth.h.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/auth.h 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/auth.h.gsskex openssh-5.4p1/auth.h
--- openssh-5.4p1/auth.h.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/auth.h 2010-03-01 18:14:28.000000000 +0100
@@ -53,6 +53,7 @@ struct Authctxt {
int valid; /* user exists and is allowed to login */
int attempt;
@ -148,10 +148,10 @@ diff -up openssh-5.3p1/auth.h.gsskex openssh-5.3p1/auth.h
int force_pwchange;
char *user; /* username sent by the client */
char *service;
diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
--- openssh-5.3p1/auth-krb5.c.gsskex 2006-08-05 04:39:39.000000000 +0200
+++ openssh-5.3p1/auth-krb5.c 2009-11-20 14:39:04.000000000 +0100
@@ -166,8 +166,13 @@ auth_krb5_password(Authctxt *authctxt, c
diff -up openssh-5.4p1/auth-krb5.c.gsskex openssh-5.4p1/auth-krb5.c
--- openssh-5.4p1/auth-krb5.c.gsskex 2009-12-21 00:49:22.000000000 +0100
+++ openssh-5.4p1/auth-krb5.c 2010-03-01 18:14:28.000000000 +0100
@@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
@ -165,7 +165,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
#ifdef USE_PAM
if (options.use_pam)
@@ -219,15 +224,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
@@ -226,15 +231,22 @@ krb5_cleanup_proc(Authctxt *authctxt)
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
@ -190,7 +190,7 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
old_umask = umask(0177);
tmpfd = mkstemp(ccname + strlen("FILE:"));
umask(old_umask);
@@ -242,6 +254,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
@@ -249,6 +261,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_c
return errno;
}
close(tmpfd);
@ -198,9 +198,9 @@ diff -up openssh-5.3p1/auth-krb5.c.gsskex openssh-5.3p1/auth-krb5.c
return (krb5_cc_resolve(ctx, ccname, ccache));
}
diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi
--- /dev/null 2009-11-13 11:29:57.672908570 +0100
+++ openssh-5.3p1/ChangeLog.gssapi 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/ChangeLog.gssapi.gsskex openssh-5.4p1/ChangeLog.gssapi
--- openssh-5.4p1/ChangeLog.gssapi.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/ChangeLog.gssapi 2010-03-01 18:14:28.000000000 +0100
@@ -0,0 +1,95 @@
+20090615
+ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@ -297,9 +297,9 @@ diff -up /dev/null openssh-5.3p1/ChangeLog.gssapi
+ add support for GssapiTrustDns option for gssapi-with-mic
+ (from jbasney AT ncsa.uiuc.edu)
+ <gssapi-with-mic support is Bugzilla #1008>
diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
--- openssh-5.3p1/clientloop.c.gsskex 2009-08-28 03:21:07.000000000 +0200
+++ openssh-5.3p1/clientloop.c 2009-11-20 14:48:53.000000000 +0100
diff -up openssh-5.4p1/clientloop.c.gsskex openssh-5.4p1/clientloop.c
--- openssh-5.4p1/clientloop.c.gsskex 2010-01-30 07:28:35.000000000 +0100
+++ openssh-5.4p1/clientloop.c 2010-03-01 18:14:28.000000000 +0100
@@ -111,6 +111,10 @@
#include "msg.h"
#include "roaming.h"
@ -311,7 +311,7 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
/* import options */
extern Options options;
@@ -1430,6 +1434,13 @@ client_loop(int have_pty, int escape_cha
@@ -1431,6 +1435,13 @@ client_loop(int have_pty, int escape_cha
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
channel_after_select(readset, writeset);
@ -325,9 +325,9 @@ diff -up openssh-5.3p1/clientloop.c.gsskex openssh-5.3p1/clientloop.c
if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying");
xxx_kex->done = 0;
diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.gsskex 2009-11-20 14:39:02.000000000 +0100
+++ openssh-5.3p1/configure.ac 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/configure.ac.gsskex openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.gsskex 2010-03-01 18:14:27.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-01 18:14:28.000000000 +0100
@@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary("
[Use tunnel device compatibility to OpenBSD])
AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
@ -359,9 +359,9 @@ diff -up openssh-5.3p1/configure.ac.gsskex openssh-5.3p1/configure.ac
m4_pattern_allow(AU_IPv)
AC_CHECK_DECL(AU_IPv4, [],
AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c
--- openssh-5.3p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.3p1/gss-genr.c 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/gss-genr.c.gsskex openssh-5.4p1/gss-genr.c
--- openssh-5.4p1/gss-genr.c.gsskex 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.4p1/gss-genr.c 2010-03-01 18:14:28.000000000 +0100
@@ -39,12 +39,167 @@
#include "buffer.h"
#include "log.h"
@ -700,9 +700,9 @@ diff -up openssh-5.3p1/gss-genr.c.gsskex openssh-5.3p1/gss-genr.c
+}
+
#endif /* GSSAPI */
diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c
--- openssh-5.3p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
+++ openssh-5.3p1/gss-serv.c 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/gss-serv.c.gsskex openssh-5.4p1/gss-serv.c
--- openssh-5.4p1/gss-serv.c.gsskex 2008-05-19 07:05:07.000000000 +0200
+++ openssh-5.4p1/gss-serv.c 2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
@ -1016,9 +1016,9 @@ diff -up openssh-5.3p1/gss-serv.c.gsskex openssh-5.3p1/gss-serv.c
}
#endif
diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c
--- openssh-5.3p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.3p1/gss-serv-krb5.c 2009-11-20 14:39:04.000000000 +0100
diff -up openssh-5.4p1/gss-serv-krb5.c.gsskex openssh-5.4p1/gss-serv-krb5.c
--- openssh-5.4p1/gss-serv-krb5.c.gsskex 2006-09-01 07:38:36.000000000 +0200
+++ openssh-5.4p1/gss-serv-krb5.c 2010-03-01 18:14:28.000000000 +0100
@@ -1,7 +1,7 @@
/* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
@ -1139,12 +1139,12 @@ diff -up openssh-5.3p1/gss-serv-krb5.c.gsskex openssh-5.3p1/gss-serv-krb5.c
};
#endif /* KRB5 */
diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
--- openssh-5.3p1/kex.c.gsskex 2009-06-21 10:15:25.000000000 +0200
+++ openssh-5.3p1/kex.c 2009-11-20 14:50:11.000000000 +0100
@@ -49,6 +49,10 @@
#include "dispatch.h"
diff -up openssh-5.4p1/kex.c.gsskex openssh-5.4p1/kex.c
--- openssh-5.4p1/kex.c.gsskex 2010-01-08 06:50:41.000000000 +0100
+++ openssh-5.4p1/kex.c 2010-03-01 18:18:42.000000000 +0100
@@ -50,6 +50,10 @@
#include "monitor.h"
#include "roaming.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
@ -1153,7 +1153,7 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
@@ -325,6 +329,20 @@ choose_kex(Kex *k, char *client, char *s
@@ -326,6 +330,20 @@ choose_kex(Kex *k, char *client, char *s
k->kex_type = KEX_DH_GEX_SHA256;
k->evp_md = evp_ssh_sha256();
#endif
@ -1174,9 +1174,9 @@ diff -up openssh-5.3p1/kex.c.gsskex openssh-5.3p1/kex.c
} else
fatal("bad kex alg %s", k->name);
}
diff -up /dev/null openssh-5.3p1/kexgssc.c
--- /dev/null 2009-11-13 11:29:57.672908570 +0100
+++ openssh-5.3p1/kexgssc.c 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/kexgssc.c.gsskex openssh-5.4p1/kexgssc.c
--- openssh-5.4p1/kexgssc.c.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/kexgssc.c 2010-03-01 18:14:28.000000000 +0100
@@ -0,0 +1,334 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1512,9 +1512,9 @@ diff -up /dev/null openssh-5.3p1/kexgssc.c
+}
+
+#endif /* GSSAPI */
diff -up /dev/null openssh-5.3p1/kexgsss.c
--- /dev/null 2009-11-13 11:29:57.672908570 +0100
+++ openssh-5.3p1/kexgsss.c 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/kexgsss.c.gsskex openssh-5.4p1/kexgsss.c
--- openssh-5.4p1/kexgsss.c.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/kexgsss.c 2010-03-01 18:14:28.000000000 +0100
@@ -0,0 +1,288 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -1804,10 +1804,10 @@ diff -up /dev/null openssh-5.3p1/kexgsss.c
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
--- openssh-5.3p1/kex.h.gsskex 2009-06-21 10:15:25.000000000 +0200
+++ openssh-5.3p1/kex.h 2009-11-20 14:39:05.000000000 +0100
@@ -66,6 +66,9 @@ enum kex_exchange {
diff -up openssh-5.4p1/kex.h.gsskex openssh-5.4p1/kex.h
--- openssh-5.4p1/kex.h.gsskex 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/kex.h 2010-03-01 18:14:28.000000000 +0100
@@ -67,6 +67,9 @@ enum kex_exchange {
KEX_DH_GRP14_SHA1,
KEX_DH_GEX_SHA1,
KEX_DH_GEX_SHA256,
@ -1817,7 +1817,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
KEX_MAX
};
@@ -121,6 +124,12 @@ struct Kex {
@@ -123,6 +126,12 @@ struct Kex {
sig_atomic_t done;
int flags;
const EVP_MD *evp_md;
@ -1830,7 +1830,7 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
char *client_version_string;
char *server_version_string;
int (*verify_host_key)(Key *);
@@ -143,6 +152,11 @@ void kexdh_server(Kex *);
@@ -146,6 +155,11 @@ void kexdh_server(Kex *);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
@ -1842,54 +1842,58 @@ diff -up openssh-5.3p1/kex.h.gsskex openssh-5.3p1/kex.h
void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
diff -up openssh-5.3p1/key.c.gsskex openssh-5.3p1/key.c
--- openssh-5.3p1/key.c.gsskex 2009-11-20 14:38:59.000000000 +0100
+++ openssh-5.3p1/key.c 2009-11-20 14:39:05.000000000 +0100
@@ -825,6 +825,8 @@ key_type_from_name(char *name)
return KEY_RSA;
} else if (strcmp(name, "ssh-dss") == 0) {
return KEY_DSA;
diff -up openssh-5.4p1/key.c.gsskex openssh-5.4p1/key.c
--- openssh-5.4p1/key.c.gsskex 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/key.c 2010-03-01 18:20:43.000000000 +0100
@@ -969,6 +969,8 @@ key_type_from_name(char *name)
return KEY_RSA_CERT;
} else if (strcmp(name, "ssh-dss-cert-v00@openssh.com") == 0) {
return KEY_DSA_CERT;
+ } else if (strcmp(name, "null") == 0) {
+ return KEY_NULL;
}
debug2("key_type_from_name: unknown key type '%s'", name);
return KEY_UNSPEC;
diff -up openssh-5.3p1/key.h.gsskex openssh-5.3p1/key.h
--- openssh-5.3p1/key.h.gsskex 2009-11-20 14:38:59.000000000 +0100
+++ openssh-5.3p1/key.h 2009-11-20 14:50:59.000000000 +0100
@@ -40,6 +40,7 @@ enum types {
KEY_RSA,
diff -up openssh-5.4p1/key.h.gsskex openssh-5.4p1/key.h
--- openssh-5.4p1/key.h.gsskex 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/key.h 2010-03-01 18:21:22.000000000 +0100
@@ -37,6 +37,7 @@ enum types {
KEY_DSA,
KEY_NSS,
KEY_RSA_CERT,
KEY_DSA_CERT,
+ KEY_NULL,
KEY_UNSPEC
};
enum fp_type {
diff -up openssh-5.3p1/Makefile.in.gsskex openssh-5.3p1/Makefile.in
--- openssh-5.3p1/Makefile.in.gsskex 2009-11-20 14:39:02.000000000 +0100
+++ openssh-5.3p1/Makefile.in 2009-11-20 15:06:44.000000000 +0100
@@ -71,7 +71,8 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
diff -up openssh-5.4p1/Makefile.in.gsskex openssh-5.4p1/Makefile.in
--- openssh-5.4p1/Makefile.in.gsskex 2010-03-01 18:14:27.000000000 +0100
+++ openssh-5.4p1/Makefile.in 2010-03-01 18:23:31.000000000 +0100
@@ -74,11 +74,11 @@
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
- entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o
+ entropy.o scard-opensc.o gss-genr.o umac.o jpake.o schnorr.o nsskeys.o \
+ kexgssc.o
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
entropy.o gss-genr.o umac.o jpake.o schnorr.o \
- ssh-pkcs11.o
+ ssh-pkcs11.o kexgssc.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
@@ -85,7 +86,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\
- roaming_common.o roaming_client.o
+ roaming_common.o roaming_client.o kexgssc.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
@@ -91,7 +91,7 @@
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o \
roaming_common.o
diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
--- openssh-5.3p1/monitor.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/monitor.c 2009-11-20 14:39:05.000000000 +0100
- roaming_common.o roaming_serv.o
+ roaming_common.o roaming_serv.o kexgsss.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
diff -up openssh-5.4p1/monitor.c.gsskex openssh-5.4p1/monitor.c
--- openssh-5.4p1/monitor.c.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/monitor.c 2010-03-01 18:14:29.000000000 +0100
@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
@ -1956,7 +1960,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
@@ -1943,6 +1967,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
@@ -1944,6 +1968,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@ -1966,7 +1970,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
goid.elements = buffer_get_string(m, &len);
goid.length = len;
@@ -1970,6 +1997,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -1971,6 +1998,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@ -1976,7 +1980,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
@@ -1987,6 +2017,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
@@ -1988,6 +2018,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@ -1984,7 +1988,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
}
return (0);
}
@@ -1998,6 +2029,9 @@ mm_answer_gss_checkmic(int sock, Buffer
@@ -1999,6 +2030,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@ -1994,7 +1998,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
@@ -2024,7 +2058,11 @@ mm_answer_gss_userok(int sock, Buffer *m
@@ -2025,7 +2059,11 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@ -2007,7 +2011,7 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
buffer_clear(m);
buffer_put_int(m, authenticated);
@@ -2037,6 +2075,74 @@ mm_answer_gss_userok(int sock, Buffer *m
@@ -2038,6 +2076,74 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@ -2082,9 +2086,9 @@ diff -up openssh-5.3p1/monitor.c.gsskex openssh-5.3p1/monitor.c
#endif /* GSSAPI */
#ifdef JPAKE
diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h
--- openssh-5.3p1/monitor.h.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/monitor.h 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/monitor.h.gsskex openssh-5.4p1/monitor.h
--- openssh-5.4p1/monitor.h.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/monitor.h 2010-03-01 18:14:29.000000000 +0100
@@ -56,6 +56,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@ -2094,9 +2098,9 @@ diff -up openssh-5.3p1/monitor.h.gsskex openssh-5.3p1/monitor.h
MONITOR_REQ_PAM_START,
MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c
--- openssh-5.3p1/monitor_wrap.c.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/monitor_wrap.c 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/monitor_wrap.c.gsskex openssh-5.4p1/monitor_wrap.c
--- openssh-5.4p1/monitor_wrap.c.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 18:14:29.000000000 +0100
@@ -1267,7 +1267,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
}
@ -2158,9 +2162,9 @@ diff -up openssh-5.3p1/monitor_wrap.c.gsskex openssh-5.3p1/monitor_wrap.c
#endif /* GSSAPI */
#ifdef JPAKE
diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h
--- openssh-5.3p1/monitor_wrap.h.gsskex 2009-11-20 14:38:55.000000000 +0100
+++ openssh-5.3p1/monitor_wrap.h 2009-11-20 14:39:05.000000000 +0100
diff -up openssh-5.4p1/monitor_wrap.h.gsskex openssh-5.4p1/monitor_wrap.h
--- openssh-5.4p1/monitor_wrap.h.gsskex 2010-03-01 18:14:25.000000000 +0100
+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 18:14:29.000000000 +0100
@@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@ -2173,10 +2177,10 @@ diff -up openssh-5.3p1/monitor_wrap.h.gsskex openssh-5.3p1/monitor_wrap.h
#endif
#ifdef USE_PAM
diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
--- openssh-5.3p1/readconf.c.gsskex 2009-11-20 14:38:59.000000000 +0100
+++ openssh-5.3p1/readconf.c 2009-11-20 14:39:06.000000000 +0100
@@ -128,6 +128,7 @@ typedef enum {
diff -up openssh-5.4p1/readconf.c.gsskex openssh-5.4p1/readconf.c
--- openssh-5.4p1/readconf.c.gsskex 2010-02-11 23:21:03.000000000 +0100
+++ openssh-5.4p1/readconf.c 2010-03-01 18:14:29.000000000 +0100
@@ -127,6 +127,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -2184,7 +2188,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
@@ -165,10 +166,18 @@ static struct {
@@ -164,10 +165,18 @@ static struct {
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
@ -2203,7 +2207,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -462,10 +471,26 @@ parse_flag:
@@ -456,10 +465,26 @@ parse_flag:
intptr = &options->gss_authentication;
goto parse_flag;
@ -2230,7 +2234,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1029,7 +1054,11 @@ initialize_options(Options * options)
@@ -1015,7 +1040,11 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@ -2242,7 +2246,7 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1123,8 +1152,14 @@ fill_default_options(Options * options)
@@ -1107,8 +1136,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -2257,9 +2261,9 @@ diff -up openssh-5.3p1/readconf.c.gsskex openssh-5.3p1/readconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h
--- openssh-5.3p1/readconf.h.gsskex 2009-11-20 14:38:59.000000000 +0100
+++ openssh-5.3p1/readconf.h 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/readconf.h.gsskex openssh-5.4p1/readconf.h
--- openssh-5.4p1/readconf.h.gsskex 2010-02-11 23:21:03.000000000 +0100
+++ openssh-5.4p1/readconf.h 2010-03-01 18:14:29.000000000 +0100
@@ -44,7 +44,11 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
@ -2272,10 +2276,10 @@ diff -up openssh-5.3p1/readconf.h.gsskex openssh-5.3p1/readconf.h
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
--- openssh-5.3p1/servconf.c.gsskex 2009-11-20 14:39:03.000000000 +0100
+++ openssh-5.3p1/servconf.c 2009-11-20 14:52:27.000000000 +0100
@@ -92,7 +92,10 @@ initialize_server_options(ServerOptions
diff -up openssh-5.4p1/servconf.c.gsskex openssh-5.4p1/servconf.c
--- openssh-5.4p1/servconf.c.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/servconf.c 2010-03-01 18:25:32.000000000 +0100
@@ -93,7 +93,10 @@ initialize_server_options(ServerOptions
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@ -2286,7 +2290,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -213,8 +216,14 @@ fill_default_server_options(ServerOption
@@ -215,8 +218,14 @@ fill_default_server_options(ServerOption
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@ -2301,7 +2305,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -308,7 +317,9 @@ typedef enum {
@@ -310,7 +319,9 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
@ -2311,8 +2315,8 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
+ sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication,
@@ -371,9 +382,15 @@ static struct {
sZeroKnowledgePasswordAuthentication, sHostCertificate,
@@ -373,9 +384,15 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@ -2328,7 +2332,7 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
#endif
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
@@ -906,10 +923,22 @@ process_server_config_line(ServerOptions
@@ -935,10 +952,22 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@ -2351,10 +2355,10 @@ diff -up openssh-5.3p1/servconf.c.gsskex openssh-5.3p1/servconf.c
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h
--- openssh-5.3p1/servconf.h.gsskex 2009-11-20 14:39:03.000000000 +0100
+++ openssh-5.3p1/servconf.h 2009-11-20 14:39:06.000000000 +0100
@@ -91,7 +91,10 @@ typedef struct {
diff -up openssh-5.4p1/servconf.h.gsskex openssh-5.4p1/servconf.h
--- openssh-5.4p1/servconf.h.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/servconf.h 2010-03-01 18:14:29.000000000 +0100
@@ -94,7 +94,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@ -2365,9 +2369,9 @@ diff -up openssh-5.3p1/servconf.h.gsskex openssh-5.3p1/servconf.h
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5
--- openssh-5.3p1/ssh_config.5.gsskex 2009-02-23 00:53:58.000000000 +0100
+++ openssh-5.3p1/ssh_config.5 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/ssh_config.5.gsskex openssh-5.4p1/ssh_config.5
--- openssh-5.4p1/ssh_config.5.gsskex 2010-02-11 23:26:02.000000000 +0100
+++ openssh-5.4p1/ssh_config.5 2010-03-01 18:14:29.000000000 +0100
@@ -478,11 +478,38 @@ Specifies whether user authentication ba
The default is
.Dq no .
@ -2408,9 +2412,9 @@ diff -up openssh-5.3p1/ssh_config.5.gsskex openssh-5.3p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config
--- openssh-5.3p1/ssh_config.gsskex 2009-11-20 14:38:53.000000000 +0100
+++ openssh-5.3p1/ssh_config 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/ssh_config.gsskex openssh-5.4p1/ssh_config
--- openssh-5.4p1/ssh_config.gsskex 2010-03-01 18:14:24.000000000 +0100
+++ openssh-5.4p1/ssh_config 2010-03-01 18:14:29.000000000 +0100
@@ -26,6 +26,8 @@
# HostbasedAuthentication no
# GSSAPIAuthentication no
@ -2420,9 +2424,9 @@ diff -up openssh-5.3p1/ssh_config.gsskex openssh-5.3p1/ssh_config
# BatchMode no
# CheckHostIP yes
# AddressFamily any
diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
--- openssh-5.3p1/sshconnect2.c.gsskex 2009-11-20 14:39:01.000000000 +0100
+++ openssh-5.3p1/sshconnect2.c 2009-11-20 15:05:03.000000000 +0100
diff -up openssh-5.4p1/sshconnect2.c.gsskex openssh-5.4p1/sshconnect2.c
--- openssh-5.4p1/sshconnect2.c.gsskex 2010-03-01 18:14:27.000000000 +0100
+++ openssh-5.4p1/sshconnect2.c 2010-03-01 18:14:29.000000000 +0100
@@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho
{
Kex *kex;
@ -2503,7 +2507,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
xxx_kex = kex;
dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
@@ -247,6 +299,7 @@ void input_gssapi_token(int type, u_int3
@@ -253,6 +305,7 @@ void input_gssapi_token(int type, u_int3
void input_gssapi_hash(int type, u_int32_t, void *);
void input_gssapi_error(int, u_int32_t, void *);
void input_gssapi_errtok(int, u_int32_t, void *);
@ -2511,7 +2515,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
#endif
void userauth(Authctxt *, char *);
@@ -262,6 +315,10 @@ static char *authmethods_get(void);
@@ -268,6 +321,10 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@ -2522,7 +2526,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
{"gssapi-with-mic",
userauth_gssapi,
NULL,
@@ -555,23 +612,35 @@ userauth_gssapi(Authctxt *authctxt)
@@ -576,23 +633,35 @@ userauth_gssapi(Authctxt *authctxt)
int ok = 0;
char* remotehost = NULL;
const char* canonicalhost = get_canonical_hostname(1);
@ -2560,7 +2564,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
ok = 1; /* Mechanism works */
} else {
mech++;
@@ -668,8 +737,8 @@ input_gssapi_response(int type, u_int32_
@@ -689,8 +758,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@ -2571,7 +2575,7 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
@@ -779,6 +848,48 @@ input_gssapi_error(int type, u_int32_t p
@@ -800,6 +869,48 @@ input_gssapi_error(int type, u_int32_t p
xfree(msg);
xfree(lang);
}
@ -2620,9 +2624,9 @@ diff -up openssh-5.3p1/sshconnect2.c.gsskex openssh-5.3p1/sshconnect2.c
#endif /* GSSAPI */
int
diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
--- openssh-5.3p1/sshd.c.gsskex 2009-11-20 14:39:01.000000000 +0100
+++ openssh-5.3p1/sshd.c 2009-11-20 14:53:31.000000000 +0100
diff -up openssh-5.4p1/sshd.c.gsskex openssh-5.4p1/sshd.c
--- openssh-5.4p1/sshd.c.gsskex 2010-03-01 18:14:27.000000000 +0100
+++ openssh-5.4p1/sshd.c 2010-03-01 18:14:29.000000000 +0100
@@ -129,6 +129,10 @@ int allow_severity;
int deny_severity;
#endif /* LIBWRAP */
@ -2634,7 +2638,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
@@ -1546,10 +1550,13 @@ main(int ac, char **av)
@@ -1592,10 +1596,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@ -2648,7 +2652,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
@@ -1837,6 +1844,60 @@ main(int ac, char **av)
@@ -1928,6 +1935,60 @@ main(int ac, char **av)
/* Log the connection. */
verbose("Connection from %.500s port %d", remote_ip, remote_port);
@ -2709,7 +2713,7 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
@@ -2223,12 +2284,61 @@ do_ssh2_kex(void)
@@ -2314,12 +2375,61 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
@ -2771,9 +2775,9 @@ diff -up openssh-5.3p1/sshd.c.gsskex openssh-5.3p1/sshd.c
kex->server = 1;
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5
--- openssh-5.3p1/sshd_config.5.gsskex 2009-11-20 14:39:03.000000000 +0100
+++ openssh-5.3p1/sshd_config.5 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/sshd_config.5.gsskex openssh-5.4p1/sshd_config.5
--- openssh-5.4p1/sshd_config.5.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/sshd_config.5 2010-03-01 18:14:29.000000000 +0100
@@ -379,12 +379,40 @@ Specifies whether user authentication ba
The default is
.Dq no .
@ -2815,10 +2819,10 @@ diff -up openssh-5.3p1/sshd_config.5.gsskex openssh-5.3p1/sshd_config.5
.It Cm HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful public key client host authentication is allowed
diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config
--- openssh-5.3p1/sshd_config.gsskex 2009-11-20 14:39:04.000000000 +0100
+++ openssh-5.3p1/sshd_config 2009-11-20 14:54:30.000000000 +0100
@@ -80,6 +80,8 @@ ChallengeResponseAuthentication no
diff -up openssh-5.4p1/sshd_config.gsskex openssh-5.4p1/sshd_config
--- openssh-5.4p1/sshd_config.gsskex 2010-03-01 18:14:28.000000000 +0100
+++ openssh-5.4p1/sshd_config 2010-03-01 18:14:29.000000000 +0100
@@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
@ -2827,9 +2831,9 @@ diff -up openssh-5.3p1/sshd_config.gsskex openssh-5.3p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-5.3p1/ssh-gss.h.gsskex openssh-5.3p1/ssh-gss.h
--- openssh-5.3p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-5.3p1/ssh-gss.h 2009-11-20 14:39:06.000000000 +0100
diff -up openssh-5.4p1/ssh-gss.h.gsskex openssh-5.4p1/ssh-gss.h
--- openssh-5.4p1/ssh-gss.h.gsskex 2007-06-12 15:40:39.000000000 +0200
+++ openssh-5.4p1/ssh-gss.h 2010-03-01 18:14:30.000000000 +0100
@@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
/*


@ -1,7 +1,7 @@
diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.mls 2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.3p1/configure.ac 2009-10-02 14:04:31.000000000 +0200
@@ -3404,6 +3404,7 @@ AC_ARG_WITH(selinux,
diff -up openssh-5.4p1/configure.ac.mls openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.mls 2010-03-01 15:24:27.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-01 15:24:28.000000000 +0100
@@ -3360,6 +3360,7 @@ AC_ARG_WITH(selinux,
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
LIBS="$LIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
@ -9,9 +9,9 @@ diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
LIBS="$save_LIBS"
fi ]
)
diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
--- openssh-5.3p1/misc.c.mls 2009-02-21 22:47:02.000000000 +0100
+++ openssh-5.3p1/misc.c 2009-10-02 14:04:31.000000000 +0200
diff -up openssh-5.4p1/misc.c.mls openssh-5.4p1/misc.c
--- openssh-5.4p1/misc.c.mls 2010-01-10 00:31:12.000000000 +0100
+++ openssh-5.4p1/misc.c 2010-03-01 15:24:28.000000000 +0100
@@ -423,6 +423,7 @@ char *
colon(char *cp)
{
@ -36,15 +36,16 @@ diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
}
return (0);
}
diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-compat/port-linux.c
--- openssh-5.3p1/openbsd-compat/port-linux.c.mls 2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.3p1/openbsd-compat/port-linux.c 2009-10-02 14:04:31.000000000 +0200
@@ -33,12 +33,23 @@
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.mls openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.mls 2010-03-01 15:24:27.000000000 +0100
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:25:50.000000000 +0100
@@ -35,13 +35,24 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
+#include "xmalloc.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
+#include <selinux/context.h>
@ -63,7 +64,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
@@ -54,17 +65,173 @@ ssh_selinux_enabled(void)
@@ -57,17 +68,173 @@ ssh_selinux_enabled(void)
return (enabled);
}
@ -243,7 +244,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
#ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
sename = NULL;
@@ -72,38 +239,63 @@ ssh_selinux_getctxbyname(char *pwname)
@@ -75,38 +242,63 @@ ssh_selinux_getctxbyname(char *pwname)
}
#else
sename = pwname;
@ -329,7 +330,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
#ifdef HAVE_GETSEUSERBYNAME
if (sename != NULL)
@@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname)
@@ -114,14 +306,20 @@ ssh_selinux_getctxbyname(char *pwname)
if (lvl != NULL)
xfree(lvl);
#endif
@ -351,7 +352,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
security_context_t user_ctx = NULL;
if (!ssh_selinux_enabled())
@@ -126,22 +324,45 @@ ssh_selinux_setup_exec_context(char *pwn
@@ -129,22 +327,45 @@ ssh_selinux_setup_exec_context(char *pwn
debug3("%s: setting execution context", __func__);
@ -404,7 +405,7 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
debug3("%s: done", __func__);
}
@@ -159,7 +380,10 @@ ssh_selinux_setup_pty(char *pwname, cons
@@ -162,7 +383,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
@ -416,10 +417,10 @@ diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-com
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
--- openssh-5.3p1/session.c.mls 2009-08-20 08:20:50.000000000 +0200
+++ openssh-5.3p1/session.c 2009-10-02 14:06:12.000000000 +0200
@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw)
diff -up openssh-5.4p1/session.c.mls openssh-5.4p1/session.c
--- openssh-5.4p1/session.c.mls 2010-01-12 09:51:48.000000000 +0100
+++ openssh-5.4p1/session.c 2010-03-01 15:24:28.000000000 +0100
@@ -1559,10 +1559,6 @@ do_setusercontext(struct passwd *pw)
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
@ -430,10 +431,10 @@ diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
}
static void
diff -up openssh-5.3p1/sshd.c.mls openssh-5.3p1/sshd.c
--- openssh-5.3p1/sshd.c.mls 2009-10-02 14:04:31.000000000 +0200
+++ openssh-5.3p1/sshd.c 2009-10-02 14:04:31.000000000 +0200
@@ -1896,6 +1896,9 @@ main(int ac, char **av)
diff -up openssh-5.4p1/sshd.c.mls openssh-5.4p1/sshd.c
--- openssh-5.4p1/sshd.c.mls 2010-03-01 15:24:27.000000000 +0100
+++ openssh-5.4p1/sshd.c 2010-03-01 15:24:28.000000000 +0100
@@ -1987,6 +1987,9 @@ main(int ac, char **av)
restore_uid();
}
#endif


@ -0,0 +1,156 @@
diff -up openssh-5.4p1/auth-pam.c.pam_selinux openssh-5.4p1/auth-pam.c
--- openssh-5.4p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.4p1/auth-pam.c 2010-03-01 15:27:23.000000000 +0100
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-5.4p1/auth-pam.h.pam_selinux openssh-5.4p1/auth-pam.h
--- openssh-5.4p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.4p1/auth-pam.h 2010-03-01 15:27:23.000000000 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.pam_selinux 2010-03-01 15:27:22.000000000 +0100
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:27:53.000000000 +0100
@@ -36,6 +36,7 @@
#include "hostfile.h"
#include "auth.h"
#include "xmalloc.h"
+#include "servconf.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
@@ -50,6 +51,7 @@
#include <unistd.h>
#endif
+extern ServerOptions options;
extern Authctxt *the_authctxt;
extern int inetd_flag;
extern int rexeced_flag;
@@ -211,29 +213,38 @@ get_user_context(const char *sename, con
return -1;
}
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
+ *role = NULL;
+ *level = NULL;
+ if (the_authctxt) {
+ if (the_authctxt->role != NULL) {
+ char *slash;
+ *role = xstrdup(the_authctxt->role);
+ if ((slash = strchr(*role, '/')) != NULL) {
+ *slash = '\0';
+ *level = slash + 1;
+ }
+ }
+ }
+}
+
/* Return the default security context for the given username */
static int
ssh_selinux_getctxbyname(char *pwname,
security_context_t *default_sc, security_context_t *user_sc)
{
char *sename, *lvl;
- const char *reqlvl = NULL;
- char *role = NULL;
+ const char *reqlvl;
+ char *role;
int r = -1;
context_t con = NULL;
*default_sc = NULL;
*user_sc = NULL;
- if (the_authctxt) {
- if (the_authctxt->role != NULL) {
- char *slash;
- role = xstrdup(the_authctxt->role);
- if ((slash = strchr(role, '/')) != NULL) {
- *slash = '\0';
- reqlvl = slash + 1;
- }
- }
- }
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
#ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -314,6 +325,36 @@ ssh_selinux_getctxbyname(char *pwname,
return (r);
}
+/* Setup environment variables for pam_selinux */
+static int
+ssh_selinux_setup_pam_variables(void)
+{
+ const char *reqlvl;
+ char *role;
+ char *use_current;
+ int rv;
+
+ debug3("%s: setting execution context", __func__);
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
+
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+
+ if (inetd_flag && !rexeced_flag) {
+ use_current = "1";
+ } else {
+ use_current = "";
+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+ }
+
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+ if (role != NULL)
+ xfree(role);
+
+ return rv;
+}
+
/* Set the execution context to the default for the specified user */
void
ssh_selinux_setup_exec_context(char *pwname)
@@ -325,6 +366,24 @@ ssh_selinux_setup_exec_context(char *pwn
if (!ssh_selinux_enabled())
return;
+ if (options.use_pam) {
+ /* do not compute context, just setup environment for pam_selinux */
+ if (ssh_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal("%s: security_getenforce() failed", __func__);
+ case 0:
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
+ __func__);
+ break;
+ default:
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
+ __func__);
+ }
+ }
+ return;
+ }
+
debug3("%s: setting execution context", __func__);
r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
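Review bot: With `UsePAM yes` the new early `return` in ssh_selinux_setup_exec_context hands the whole context transition to pam_selinux: sshd itself no longer computes or sets a context, so an sshd PAM stack without pam_selinux, or a putenv failure in permissive mode (which is only logged on the `case 0` path), leaves the session in sshd's own context with nothing but the error line to show for it. That dependency deserves a comment on the `if (options.use_pam)` branch, e.g. `/* Context transition is delegated to pam_selinux in the sshd PAM stack; without it the session keeps sshd's context. */`, and the `debug3("%s: setting execution context", ...)` copied into ssh_selinux_setup_pam_variables should say `"setting pam_selinux variables"` since no context is set there. The role and level exported as SELINUX_ROLE_REQUESTED and SELINUX_LEVEL_REQUESTED come from `the_authctxt->role`, which, if I read the sibling selinux patch right, is parsed out of the client-supplied login name, so they must be validated against policy by pam_selinux rather than trusted here; a one-line comment in ssh_selinux_get_role_level saying so would help the next reader. ssh_selinux_setup_exec_context continues past the end of the hunk.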


@ -1,7 +1,7 @@
diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
--- openssh-5.3p1/auth2-pubkey.c.pka 2009-03-08 01:40:28.000000000 +0100
+++ openssh-5.3p1/auth2-pubkey.c 2010-01-04 16:07:53.000000000 +0100
@@ -175,26 +175,14 @@ done:
diff -up openssh-5.4p1/auth2-pubkey.c.pka openssh-5.4p1/auth2-pubkey.c
--- openssh-5.4p1/auth2-pubkey.c.pka 2010-03-09 08:01:05.000000000 +0100
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-09 08:07:15.000000000 +0100
@@ -187,27 +187,15 @@ done:
/* return 1 if user allows given key */
static int
@ -9,6 +9,7 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
{
char line[SSH_MAX_PUBKEY_BYTES];
const char *reason;
int found_key = 0;
- FILE *f;
u_long linenum = 0;
@ -27,9 +28,9 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
- }
-
found_key = 0;
found = key_new(key->type);
found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type);
@@ -239,21 +227,160 @@ user_key_allowed2(struct passwd *pw, Key
@@ -278,8 +266,6 @@ user_key_allowed2(struct passwd *pw, Key
break;
}
}
@ -38,11 +39,11 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
key_free(found);
if (!found_key)
debug2("key not found");
return found_key;
@@ -327,13 +313,153 @@ user_cert_trusted_ca(struct passwd *pw,
return ret;
}
-/* check whether given key is in .ssh/authorized_keys* */
+
+/* return 1 if user allows given key */
+static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
@ -190,66 +191,13 @@ diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
+ return success;
+#endif
+
file = authorized_keys_file(pw);
success = user_key_allowed2(pw, key, file);
xfree(file);
diff -up openssh-5.3p1/configure.pka openssh-5.3p1/configure
--- openssh-5.3p1/configure.pka 2009-10-13 19:27:51.000000000 +0200
+++ openssh-5.3p1/configure 2009-10-15 06:26:33.000000000 +0200
@@ -769,6 +769,7 @@ with_skey
with_tcp_wrappers
with_libedit
with_audit
+with_pka
with_ssl_dir
with_openssl_header_check
with_ssl_engine
@@ -1473,6 +1474,7 @@ Optional Packages:
--with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
--with-libedit[=PATH] Enable libedit support for sftp
--with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)
+ --with-pka Enable pubkey agent support
--with-ssl-dir=PATH Specify path to OpenSSL installation
--without-openssl-header-check Disable OpenSSL version consistency check
--with-ssl-engine Enable OpenSSL (hardware) ENGINE support
@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m
fi
+# Check whether user wants pubkey agent support
+PKA_MSG="no"
+
+# Check whether --with-pka was given.
+if test "${with_pka+set}" = set; then
+ withval=$with_pka;
+ if test "x$withval" != "xno" ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define WITH_PUBKEY_AGENT 1
+_ACEOF
+
+ PKA_MSG="yes"
+ fi
+
+
+fi
+
+
@@ -32772,6 +32793,7 @@ echo " Linux audit support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
+echo " PKA support: $PKA_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
--- openssh-5.3p1/configure.ac.pka 2009-09-11 06:56:08.000000000 +0200
+++ openssh-5.3p1/configure.ac 2010-01-04 16:07:53.000000000 +0100
@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit,
if (auth_key_is_revoked(key))
return 0;
if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
diff -up openssh-5.4p1/configure.ac.pka openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.pka 2010-03-09 08:01:04.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-09 08:01:05.000000000 +0100
@@ -1323,6 +1323,18 @@ AC_ARG_WITH(audit,
esac ]
)
@ -268,7 +216,7 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
dnl Checks for library functions. Please keep in alphabetical order
AC_CHECK_FUNCS( \
arc4random \
@@ -4229,6 +4241,7 @@ echo " SELinux support
@@ -4206,6 +4218,7 @@ echo " Linux audit support
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG"
@ -276,30 +224,30 @@ diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
--- openssh-5.3p1/servconf.c.pka 2009-06-21 12:26:17.000000000 +0200
+++ openssh-5.3p1/servconf.c 2010-01-04 16:07:53.000000000 +0100
@@ -127,6 +127,8 @@ initialize_server_options(ServerOptions
diff -up openssh-5.4p1/servconf.c.pka openssh-5.4p1/servconf.c
--- openssh-5.4p1/servconf.c.pka 2010-03-09 08:01:04.000000000 +0100
+++ openssh-5.4p1/servconf.c 2010-03-09 09:04:57.000000000 +0100
@@ -129,6 +129,8 @@ initialize_server_options(ServerOptions
options->num_permitted_opens = -1;
options->adm_forced_command = NULL;
options->chroot_directory = NULL;
+ options->pubkey_agent = NULL;
+ options->pubkey_agent_runas = NULL;
options->zero_knowledge_password_authentication = -1;
}
@@ -306,6 +308,7 @@ typedef enum {
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
options->revoked_keys_file = NULL;
options->trusted_user_ca_keys = NULL;
@@ -315,6 +317,7 @@ typedef enum {
sUsePrivilegeSeparation, sAllowAgentForwarding,
sZeroKnowledgePasswordAuthentication,
sZeroKnowledgePasswordAuthentication, sHostCertificate,
sRevokedKeys, sTrustedUserCAKeys,
+ sPubkeyAgent, sPubkeyAgentRunAs,
sDeprecated, sUnsupported
} ServerOpCodes;
@@ -424,6 +427,13 @@ static struct {
{ "permitopen", sPermitOpen, SSHCFG_ALL },
{ "forcecommand", sForceCommand, SSHCFG_ALL },
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
@@ -437,6 +440,13 @@ static struct {
{ "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+#ifdef WITH_PUBKEY_AGENT
+ { "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
+ { "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
@ -310,9 +258,9 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
{ NULL, sBadOption, 0 }
};
@@ -1294,6 +1304,20 @@ process_server_config_line(ServerOptions
*charptr = xstrdup(arg);
break;
@@ -1345,6 +1355,20 @@ process_server_config_line(ServerOptions
charptr = &options->revoked_keys_file;
goto parse_filename;
+ case sPubkeyAgent:
+ len = strspn(cp, WHITESPACE);
@ -331,7 +279,7 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
case sDeprecated:
logit("%s line %d: Deprecated option %s",
filename, linenum, arg);
@@ -1387,6 +1411,8 @@ copy_set_server_options(ServerOptions *d
@@ -1438,6 +1462,8 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(rsa_authentication);
M_CP_INTOPT(pubkey_authentication);
@ -340,51 +288,43 @@ diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
M_CP_INTOPT(kerberos_authentication);
M_CP_INTOPT(hostbased_authentication);
M_CP_INTOPT(kbd_interactive_authentication);
@@ -1626,6 +1652,10 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
dump_cfg_string(sForceCommand, o->adm_forced_command);
+#ifdef WITH_PUBKEY_AGENT
@@ -1683,6 +1709,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sChrootDirectory, o->chroot_directory);
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
+ dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
+ dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
+#endif
/* string arguments requiring a lookup */
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h
--- openssh-5.3p1/servconf.h.pka 2009-01-28 06:31:23.000000000 +0100
+++ openssh-5.3p1/servconf.h 2010-01-04 16:07:53.000000000 +0100
@@ -151,6 +151,8 @@ typedef struct {
int num_permitted_opens;
diff -up openssh-5.4p1/servconf.h.pka openssh-5.4p1/servconf.h
--- openssh-5.4p1/servconf.h.pka 2010-03-09 08:01:04.000000000 +0100
+++ openssh-5.4p1/servconf.h 2010-03-09 09:05:29.000000000 +0100
@@ -157,6 +157,8 @@ typedef struct {
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
+ char *pubkey_agent;
+ char *pubkey_agent_runas;
} ServerOptions;
void initialize_server_options(ServerOptions *);
diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
--- openssh-5.3p1/sshd_config.0.pka 2009-09-26 08:31:16.000000000 +0200
+++ openssh-5.3p1/sshd_config.0 2010-01-04 16:07:53.000000000 +0100
@@ -344,10 +344,11 @@ DESCRIPTION
AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
diff -up openssh-5.4p1/sshd_config.0.pka openssh-5.4p1/sshd_config.0
--- openssh-5.4p1/sshd_config.0.pka 2010-03-09 08:01:04.000000000 +0100
+++ openssh-5.4p1/sshd_config.0 2010-03-09 09:07:35.000000000 +0100
@@ -352,7 +352,8 @@ DESCRIPTION
KbdInteractiveAuthentication, KerberosAuthentication,
- MaxAuthTries, MaxSessions, PasswordAuthentication,
- PermitEmptyPasswords, PermitOpen, PermitRootLogin,
- RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
- X11Forwarding and X11UseLocalHost.
+ MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent,
+ PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords,
+ PermitOpen, PermitRootLogin, RhostsRSAAuthentication,
+ RSAAuthentication, X11DisplayOffset, X11Forwarding and
+ X11UseLocalHost.
MaxAuthTries, MaxSessions, PasswordAuthentication,
PermitEmptyPasswords, PermitOpen, PermitRootLogin,
- PubkeyAuthentication, RhostsRSAAuthentication, RSAAuthentication,
+ PubkeyAuthentication, PubkeyAgent, PubkeyAgentRunAs,
+ RhostsRSAAuthentication, RSAAuthentication,
X11DisplayOffset, X11Forwarding and X11UseLocalHost.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted
@@ -455,6 +456,17 @@ DESCRIPTION
fault is ``yes''. Note that this option applies to protocol ver-
sion 2 only.
@@ -467,6 +468,17 @@ DESCRIPTION
this file is not readable, then public key authentication will be
refused for all users.
+ PubkeyAgent
+ Specifies which agent is used for lookup of the user's public
@ -400,22 +340,10 @@ diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication to-
gether with successful RSA host authentication is allowed. The
diff -up openssh-5.3p1/sshd_config.pka openssh-5.3p1/sshd_config
--- openssh-5.3p1/sshd_config.pka 2008-07-02 14:35:43.000000000 +0200
+++ openssh-5.3p1/sshd_config 2010-01-04 16:07:53.000000000 +0100
@@ -46,6 +46,8 @@ Protocol 2
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
--- openssh-5.3p1/sshd_config.5.pka 2009-08-28 02:27:08.000000000 +0200
+++ openssh-5.3p1/sshd_config.5 2010-01-04 16:07:53.000000000 +0100
@@ -610,6 +610,9 @@ Available keywords are
diff -up openssh-5.4p1/sshd_config.5.pka openssh-5.4p1/sshd_config.5
--- openssh-5.4p1/sshd_config.5.pka 2010-03-09 08:01:04.000000000 +0100
+++ openssh-5.4p1/sshd_config.5 2010-03-09 09:06:40.000000000 +0100
@@ -618,6 +618,9 @@ Available keywords are
.Cm KerberosAuthentication ,
.Cm MaxAuthTries ,
.Cm MaxSessions ,
@ -425,20 +353,32 @@ diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
.Cm PasswordAuthentication ,
.Cm PermitEmptyPasswords ,
.Cm PermitOpen ,
@@ -805,6 +808,16 @@ Specifies whether public key authenticat
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
+.It Cm PubkeyAgent
+Specifies which agent is used for lookup of the user's public
+keys. Empty string means to use the authorized_keys file.
+By default there is no PubkeyAgent set.
+Note that this option has an effect only with PubkeyAuthentication
+switched on.
+.It Cm PubkeyAgentRunAs
+Specifies the user under whose account the PubkeyAgent is run. Empty
+string (the default value) means the user being authorized is used.
+.Dq
@@ -819,6 +822,16 @@ Specifies a list of revoked public keys.
Keys listed in this file will be refused for public key authentication.
Note that if this file is not readable, then public key authentication will
be refused for all users.
++.It Cm PubkeyAgent
++Specifies which agent is used for lookup of the user's public
++keys. Empty string means to use the authorized_keys file.
++By default there is no PubkeyAgent set.
++Note that this option has an effect only with PubkeyAuthentication
++switched on.
++.It Cm PubkeyAgentRunAs
++Specifies the user under whose account the PubkeyAgent is run. Empty
++string (the default value) means the user being authorized is used.
++.Dq
.It Cm RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication together
with successful RSA host authentication is allowed.
diff -up openssh-5.4p1/sshd_config.pka openssh-5.4p1/sshd_config
--- openssh-5.4p1/sshd_config.pka 2010-03-09 08:01:04.000000000 +0100
+++ openssh-5.4p1/sshd_config 2010-03-09 08:01:06.000000000 +0100
@@ -45,6 +45,8 @@ SyslogFacility AUTHPRIV
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
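Review bot: The ten added lines of the rebased sshd_config.5 hunk `@@ -819,6 +822,16 @@` are rendered with a doubled marker (`++.It Cm PubkeyAgent` through `++.Dq`) while every other added line in this file, including the same ten lines in the 5.3p1 version just above, shows a single `+`; if that second `+` is in the patch text rather than forge rendering, `patch` will insert lines beginning with `+` into the manual page, and the ten lines should read `+.It Cm PubkeyAgent` and so on. Independently, the sample `sshd_config` line `#PubkeyAgentRunAs nobody` presents `nobody` as the default while the manual says the empty default runs the agent as the user being authorized, i.e. under the uid of an account that has not yet authenticated; one of the two should be corrected, and a manual sentence recommending a dedicated unprivileged account would be the safer direction. The bare `.Dq` closing the PubkeyAgentRunAs entry has no argument and looks like a leftover.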


@ -1,10 +1,10 @@
diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
--- openssh-5.2p1/ssh_config.redhat 2009-02-21 02:45:02.000000000 +0100
+++ openssh-5.2p1/ssh_config 2009-08-09 08:45:11.302092427 +0200
@@ -44,3 +44,14 @@
# TunnelDevice any:any
diff -up openssh-5.4p1/ssh_config.redhat openssh-5.4p1/ssh_config
--- openssh-5.4p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
+++ openssh-5.4p1/ssh_config 2010-03-01 15:15:51.000000000 +0100
@@ -45,3 +45,14 @@
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
@ -16,10 +16,10 @@ diff -up openssh-5.2p1/ssh_config.redhat openssh-5.2p1/ssh_config
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
--- openssh-5.2p1/sshd_config.0.redhat 2009-02-23 01:18:15.000000000 +0100
+++ openssh-5.2p1/sshd_config.0 2009-08-09 08:45:11.276555108 +0200
@@ -491,9 +491,9 @@ DESCRIPTION
diff -up openssh-5.4p1/sshd_config.0.redhat openssh-5.4p1/sshd_config.0
--- openssh-5.4p1/sshd_config.0.redhat 2010-03-01 14:30:04.000000000 +0100
+++ openssh-5.4p1/sshd_config.0 2010-03-01 15:14:13.000000000 +0100
@@ -501,9 +501,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
@ -32,10 +32,10 @@ diff -up openssh-5.2p1/sshd_config.0.redhat openssh-5.2p1/sshd_config.0
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
--- openssh-5.2p1/sshd_config.5.redhat 2009-02-23 01:00:24.000000000 +0100
+++ openssh-5.2p1/sshd_config.5 2009-08-09 08:45:11.278927203 +0200
@@ -848,7 +848,7 @@ Note that this option applies to protoco
diff -up openssh-5.4p1/sshd_config.5.redhat openssh-5.4p1/sshd_config.5
--- openssh-5.4p1/sshd_config.5.redhat 2010-02-26 21:55:06.000000000 +0100
+++ openssh-5.4p1/sshd_config.5 2010-03-01 15:14:14.000000000 +0100
@@ -865,7 +865,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
@ -44,10 +44,10 @@ diff -up openssh-5.2p1/sshd_config.5.redhat openssh-5.2p1/sshd_config.5
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
--- openssh-5.2p1/sshd_config.redhat 2008-07-02 14:35:43.000000000 +0200
+++ openssh-5.2p1/sshd_config 2009-08-09 08:47:40.850857227 +0200
@@ -33,6 +33,7 @@ Protocol 2
diff -up openssh-5.4p1/sshd_config.redhat openssh-5.4p1/sshd_config
--- openssh-5.4p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200
+++ openssh-5.4p1/sshd_config 2010-03-01 15:14:14.000000000 +0100
@@ -31,6 +31,7 @@
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
@ -55,7 +55,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
#LogLevel INFO
# Authentication:
@@ -60,9 +61,11 @@ Protocol 2
@@ -58,9 +59,11 @@
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
@ -67,7 +67,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
# Kerberos options
#KerberosAuthentication no
@@ -72,7 +75,9 @@ Protocol 2
@@ -70,7 +73,9 @@
# GSSAPI options
#GSSAPIAuthentication no
@ -77,7 +77,7 @@ diff -up openssh-5.2p1/sshd_config.redhat openssh-5.2p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -84,11 +89,19 @@ Protocol 2
@@ -82,11 +87,19 @@
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no


@ -1,7 +1,7 @@
diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
--- openssh-5.2p1/auth1.c.selinux 2008-07-09 12:54:05.000000000 +0200
+++ openssh-5.2p1/auth1.c 2009-08-11 22:43:07.918183730 +0200
@@ -392,6 +392,9 @@ do_authentication(Authctxt *authctxt)
diff -up openssh-5.4p1/auth1.c.selinux openssh-5.4p1/auth1.c
--- openssh-5.4p1/auth1.c.selinux 2010-03-01 15:19:56.000000000 +0100
+++ openssh-5.4p1/auth1.c 2010-03-01 15:19:57.000000000 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
@ -11,7 +11,7 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -400,11 +403,25 @@ do_authentication(Authctxt *authctxt)
@@ -392,11 +395,25 @@ do_authentication(Authctxt *authctxt)
user = packet_get_string(&ulen);
packet_check_eom();
@ -37,9 +37,9 @@ diff -up openssh-5.2p1/auth1.c.selinux openssh-5.2p1/auth1.c
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
--- openssh-5.2p1/auth2.c.selinux 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.2p1/auth2.c 2009-08-11 22:43:07.919756192 +0200
diff -up openssh-5.4p1/auth2.c.selinux openssh-5.4p1/auth2.c
--- openssh-5.4p1/auth2.c.selinux 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.4p1/auth2.c 2010-03-01 15:19:57.000000000 +0100
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
@ -79,9 +79,9 @@ diff -up openssh-5.2p1/auth2.c.selinux openssh-5.2p1/auth2.c
userauth_banner();
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c
--- openssh-5.2p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.2p1/auth2-gss.c 2009-08-11 22:43:07.921723295 +0200
diff -up openssh-5.4p1/auth2-gss.c.selinux openssh-5.4p1/auth2-gss.c
--- openssh-5.4p1/auth2-gss.c.selinux 2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.4p1/auth2-gss.c 2010-03-01 15:19:57.000000000 +0100
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@ -114,9 +114,9 @@ diff -up openssh-5.2p1/auth2-gss.c.selinux openssh-5.2p1/auth2-gss.c
xfree(mic.value);
authctxt->postponed = 0;
diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
--- openssh-5.2p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
+++ openssh-5.2p1/auth2-hostbased.c 2009-08-11 22:43:07.923721059 +0200
diff -up openssh-5.4p1/auth2-hostbased.c.selinux openssh-5.4p1/auth2-hostbased.c
--- openssh-5.4p1/auth2-hostbased.c.selinux 2008-07-17 10:57:19.000000000 +0200
+++ openssh-5.4p1/auth2-hostbased.c 2010-03-01 15:19:57.000000000 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
@ -134,10 +134,10 @@ diff -up openssh-5.2p1/auth2-hostbased.c.selinux openssh-5.2p1/auth2-hostbased.c
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c
--- openssh-5.2p1/auth2-pubkey.c.selinux 2008-07-04 04:54:25.000000000 +0200
+++ openssh-5.2p1/auth2-pubkey.c 2009-08-11 22:43:07.925704588 +0200
@@ -117,7 +117,15 @@ userauth_pubkey(Authctxt *authctxt)
diff -up openssh-5.4p1/auth2-pubkey.c.selinux openssh-5.4p1/auth2-pubkey.c
--- openssh-5.4p1/auth2-pubkey.c.selinux 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/auth2-pubkey.c 2010-03-01 15:19:57.000000000 +0100
@@ -119,7 +119,15 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@ -154,9 +154,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.selinux openssh-5.2p1/auth2-pubkey.c
buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
--- openssh-5.2p1/auth.h.selinux 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.2p1/auth.h 2009-08-11 22:43:07.927199901 +0200
diff -up openssh-5.4p1/auth.h.selinux openssh-5.4p1/auth.h
--- openssh-5.4p1/auth.h.selinux 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/auth.h 2010-03-01 15:19:57.000000000 +0100
@@ -58,6 +58,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
@ -167,21 +167,21 @@ diff -up openssh-5.2p1/auth.h.selinux openssh-5.2p1/auth.h
void *kbdintctxt;
void *jpake_ctx;
#ifdef BSD_AUTH
diff -up openssh-5.2p1/configure.ac.selinux openssh-5.2p1/configure.ac
--- openssh-5.2p1/configure.ac.selinux 2009-02-16 05:37:03.000000000 +0100
+++ openssh-5.2p1/configure.ac 2009-08-11 22:43:07.930259052 +0200
@@ -3335,6 +3335,7 @@ AC_ARG_WITH(selinux,
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
AC_MSG_ERROR(SELinux support requires libselinux library))
diff -up openssh-5.4p1/configure.ac.selinux openssh-5.4p1/configure.ac
--- openssh-5.4p1/configure.ac.selinux 2010-03-01 15:19:57.000000000 +0100
+++ openssh-5.4p1/configure.ac 2010-03-01 15:21:12.000000000 +0100
@@ -3358,6 +3358,7 @@ AC_ARG_WITH(selinux,
],
AC_MSG_ERROR(SELinux support requires libselinux library))
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
+ LIBS="$LIBS $LIBSELINUX"
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
LIBS="$save_LIBS"
fi ]
diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
--- openssh-5.2p1/monitor.c.selinux 2009-02-14 06:33:31.000000000 +0100
+++ openssh-5.2p1/monitor.c 2009-08-11 22:43:07.933623092 +0200
@@ -135,6 +135,9 @@ int mm_answer_sign(int, Buffer *);
diff -up openssh-5.4p1/monitor.c.selinux openssh-5.4p1/monitor.c
--- openssh-5.4p1/monitor.c.selinux 2010-02-26 21:55:05.000000000 +0100
+++ openssh-5.4p1/monitor.c 2010-03-01 15:19:57.000000000 +0100
@@ -137,6 +137,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
@ -191,7 +191,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -211,6 +214,9 @@ struct mon_table mon_dispatch_proto20[]
@@ -213,6 +216,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -201,7 +201,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -680,6 +686,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
@@ -682,6 +688,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -211,7 +211,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
@@ -724,6 +733,25 @@ mm_answer_authserv(int sock, Buffer *m)
@@ -726,6 +735,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
@ -237,7 +237,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
int
mm_answer_authpassword(int sock, Buffer *m)
{
@@ -1102,7 +1130,7 @@ static int
@@ -1104,7 +1132,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
@ -246,7 +246,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
u_int len;
int fail = 0;
@@ -1128,6 +1156,8 @@ monitor_valid_userblob(u_char *data, u_i
@@ -1130,6 +1158,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
@ -255,7 +255,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
@@ -1159,7 +1189,7 @@ monitor_valid_hostbasedblob(u_char *data
@@ -1161,7 +1191,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{
Buffer b;
@ -264,7 +264,7 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
u_int len;
int fail = 0;
@@ -1176,6 +1206,8 @@ monitor_valid_hostbasedblob(u_char *data
@@ -1178,6 +1208,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_string(&b, NULL);
@ -273,9 +273,9 @@ diff -up openssh-5.2p1/monitor.c.selinux openssh-5.2p1/monitor.c
if (strcmp(authctxt->user, p) != 0) {
logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
--- openssh-5.2p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.2p1/monitor.h 2009-08-11 22:43:07.935612930 +0200
diff -up openssh-5.4p1/monitor.h.selinux openssh-5.4p1/monitor.h
--- openssh-5.4p1/monitor.h.selinux 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.4p1/monitor.h 2010-03-01 15:19:57.000000000 +0100
@@ -31,6 +31,9 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
@ -286,9 +286,9 @@ diff -up openssh-5.2p1/monitor.h.selinux openssh-5.2p1/monitor.h
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c
--- openssh-5.2p1/monitor_wrap.c.selinux 2008-11-05 06:20:47.000000000 +0100
+++ openssh-5.2p1/monitor_wrap.c 2009-08-11 22:43:07.937212340 +0200
diff -up openssh-5.4p1/monitor_wrap.c.selinux openssh-5.4p1/monitor_wrap.c
--- openssh-5.4p1/monitor_wrap.c.selinux 2009-06-22 08:11:07.000000000 +0200
+++ openssh-5.4p1/monitor_wrap.c 2010-03-01 15:19:57.000000000 +0100
@@ -297,6 +297,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m);
}
@ -315,9 +315,9 @@ diff -up openssh-5.2p1/monitor_wrap.c.selinux openssh-5.2p1/monitor_wrap.c
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
--- openssh-5.2p1/monitor_wrap.h.selinux 2008-11-05 06:20:47.000000000 +0100
+++ openssh-5.2p1/monitor_wrap.h 2009-08-11 22:43:07.938268752 +0200
diff -up openssh-5.4p1/monitor_wrap.h.selinux openssh-5.4p1/monitor_wrap.h
--- openssh-5.4p1/monitor_wrap.h.selinux 2009-03-05 14:58:22.000000000 +0100
+++ openssh-5.4p1/monitor_wrap.h 2010-03-01 15:19:57.000000000 +0100
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -328,17 +328,18 @@ diff -up openssh-5.2p1/monitor_wrap.h.selinux openssh-5.2p1/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd-compat/port-linux.c
--- openssh-5.2p1/openbsd-compat/port-linux.c.selinux 2008-03-26 21:27:21.000000000 +0100
+++ openssh-5.2p1/openbsd-compat/port-linux.c 2009-08-11 22:44:14.529196220 +0200
@@ -30,11 +30,16 @@
#ifdef WITH_SELINUX
diff -up openssh-5.4p1/openbsd-compat/port-linux.c.selinux openssh-5.4p1/openbsd-compat/port-linux.c
--- openssh-5.4p1/openbsd-compat/port-linux.c.selinux 2010-03-01 05:52:50.000000000 +0100
+++ openssh-5.4p1/openbsd-compat/port-linux.c 2010-03-01 15:22:19.000000000 +0100
@@ -32,12 +32,17 @@
#include "log.h"
#include "xmalloc.h"
#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
#include <selinux/flask.h>
#include <selinux/get_context_list.h>
@ -348,7 +349,7 @@ diff -up openssh-5.2p1/openbsd-compat/port-linux.c.selinux openssh-5.2p1/openbsd
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
ssh_selinux_enabled(void)
@@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
@@ -56,23 +61,36 @@ ssh_selinux_enabled(void)
static security_context_t
ssh_selinux_getctxbyname(char *pwname)
{


@ -185,7 +185,7 @@ Provides: openssh-askpass-gnome
Summary: PAM module for authentication with ssh-agent
Group: System Environment/Base
Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh-rel}{?dist}%{?rescue_rel}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}{?dist}%{?rescue_rel}
License: BSD
%description