- add auditing the host based key usage

- repair X11 abstract layer socket (#648896)
Jan F 2010-11-05 17:31:30 +01:00
parent 848d56e0fa
commit 5daee12df3
4 changed files with 156 additions and 93 deletions


@ -1,7 +1,7 @@
diff -up openssh-5.5p1/channels.c.x11 openssh-5.5p1/channels.c diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
--- openssh-5.5p1/channels.c.x11 2010-06-30 15:22:45.000000000 +0200 --- openssh-5.3p1/channels.c.bz595935 2010-08-12 14:19:28.000000000 +0200
+++ openssh-5.5p1/channels.c 2010-06-30 15:27:42.000000000 +0200 +++ openssh-5.3p1/channels.c 2010-08-12 14:33:51.000000000 +0200
@@ -3332,7 +3332,7 @@ x11_create_display_inet(int x11_display_ @@ -3185,7 +3185,7 @@ x11_create_display_inet(int x11_display_
} }
static int static int
@ -10,20 +10,25 @@ diff -up openssh-5.5p1/channels.c.x11 openssh-5.5p1/channels.c
{ {
int sock; int sock;
struct sockaddr_un addr; struct sockaddr_un addr;
@@ -3342,7 +3342,11 @@ connect_local_xsocket_path(const char *p @@ -3195,11 +3195,14 @@ connect_local_xsocket_path(const char *p
error("socket: %.100s", strerror(errno)); error("socket: %.100s", strerror(errno));
memset(&addr, 0, sizeof(addr)); memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX; addr.sun_family = AF_UNIX;
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); - strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
- if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
+ if (len <= 0) + if (len <= 0)
+ return -1; + return -1;
+ if (len > sizeof addr.sun_path) + if (len > sizeof addr.sun_path)
+ len = sizeof addr.sun_path; + len = sizeof addr.sun_path;
+ memcpy(addr.sun_path, pathname , len); + memcpy(addr.sun_path, pathname, len);
if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) + if (connect(sock, (struct sockaddr *)&addr, sizeof addr - (sizeof addr.sun_path - len) ) == 0)
return sock; return sock;
close(sock); close(sock);
@@ -3354,8 +3358,18 @@ static int - error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
return -1;
}
@@ -3207,8 +3210,21 @@ static int
connect_local_xsocket(u_int dnr) connect_local_xsocket(u_int dnr)
{ {
char buf[1024]; char buf[1024];
@ -40,7 +45,10 @@ diff -up openssh-5.5p1/channels.c.x11 openssh-5.5p1/channels.c
+ if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0) + if ((ret = connect_local_xsocket_path(buf, len + 1)) >= 0)
+ return ret; + return ret;
+#endif +#endif
+ return connect_local_xsocket_path(buf + 1, len); + if ((ret = connect_local_xsocket_path(buf + 1, len)) >= 0)
+ return ret;
+ error("connect %.100s: %.100s", buf + 1, strerror(errno));
+ return -1;
} }
int int
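Review bot: In connect_local_xsocket_path, `if (len > sizeof addr.sun_path) len = sizeof addr.sun_path;` silently truncates an over-long name and then connects to whatever the truncated bytes spell, where failing is the safer outcome: `if (len > sizeof addr.sun_path) { errno = ENAMETOOLONG; return -1; }`. The `len <= 0` guard implies `len` is signed, so the following comparison against `sizeof` mixes signed and unsigned; it is harmless after the guard, but a `(size_t)len` cast would make that explicit. Because the socklen passed to connect() is now `sizeof addr - (sizeof addr.sun_path - len)`, i.e. the exact name length the kernel matches an abstract socket on, a truncated `len` would select a different abstract name rather than merely shorten a string. The function's signature line and the body of connect_local_xsocket lie outside the hunk.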


@ -1,12 +1,12 @@
diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c
--- openssh-5.6p1/audit-bsm.c.audit2 2010-11-02 21:04:27.000000000 +0100 --- openssh-5.6p1/audit-bsm.c.audit2 2010-11-05 15:41:17.000000000 +0100
+++ openssh-5.6p1/audit-bsm.c 2010-11-02 21:04:28.000000000 +0100 +++ openssh-5.6p1/audit-bsm.c 2010-11-05 15:45:28.000000000 +0100
@@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li @@ -316,6 +316,12 @@ audit_session_close(struct logininfo *li
/* not implemented */ /* not implemented */
} }
+int +int
+audit_keyusage(const char *type, unsigned len, char *fp, int rv) +audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
+{ +{
+ /* not implemented */ + /* not implemented */
+} +}
@ -15,9 +15,43 @@ diff -up openssh-5.6p1/audit-bsm.c.audit2 openssh-5.6p1/audit-bsm.c
audit_event(ssh_audit_event_t event) audit_event(ssh_audit_event_t event)
{ {
diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c
--- openssh-5.6p1/audit.c.audit2 2010-11-02 21:04:27.000000000 +0100 --- openssh-5.6p1/audit.c.audit2 2010-11-05 15:41:17.000000000 +0100
+++ openssh-5.6p1/audit.c 2010-11-02 21:04:28.000000000 +0100 +++ openssh-5.6p1/audit.c 2010-11-05 15:51:37.000000000 +0100
@@ -182,5 +182,17 @@ audit_run_command(const char *command) @@ -111,6 +111,33 @@ audit_event_lookup(ssh_audit_event_t ev)
return(event_lookup[i].name);
}
+int
+audit_key(int type, int *rv, const Key *key)
+{
+ char *fp;
+ unsigned size = 0;
+ const char *crypto_name[] = {
+ "ssh-rsa1",
+ "ssh-rsa",
+ "ssh-dsa",
+ "unknown" };
+
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ switch(key->type) {
+ case KEY_RSA1:
+ case KEY_RSA:
+ size = RSA_size(key->rsa);
+ break;
+ case KEY_DSA:
+ size = DSA_size(key->dsa);
+ break;
+ }
+
+ if (audit_keyusage(0, crypto_name[key->type], size, fp, *rv) == 0)
+ *rv = 0;
+ xfree(fp);
+}
+
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -182,5 +209,17 @@ audit_run_command(const char *command)
debug("audit run command euid %d user %s command '%.200s'", geteuid(), debug("audit run command euid %d user %s command '%.200s'", geteuid(),
audit_username(), command); audit_username(), command);
} }
@ -28,26 +62,35 @@ diff -up openssh-5.6p1/audit.c.audit2 openssh-5.6p1/audit.c
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key. + * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
+ */ + */
+int +int
+audit_keyusage(const char *type, unsigned len, char *fp, int rv) +audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
+{ +{
+ debug("audit key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", geteuid(), + debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
+ audit_username(), type, len, fp, rv); + host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);
+} +}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h diff -up openssh-5.6p1/audit.h.audit2 openssh-5.6p1/audit.h
--- openssh-5.6p1/audit.h.audit2 2010-11-02 21:04:27.000000000 +0100 --- openssh-5.6p1/audit.h.audit2 2010-11-05 15:41:17.000000000 +0100
+++ openssh-5.6p1/audit.h 2010-11-02 21:04:28.000000000 +0100 +++ openssh-5.6p1/audit.h 2010-11-05 15:41:18.000000000 +0100
@@ -53,5 +53,6 @@ void audit_session_open(struct logininfo @@ -28,6 +28,7 @@
# define _SSH_AUDIT_H
#include "loginrec.h"
+#include "key.h"
enum ssh_audit_event_type {
SSH_LOGIN_EXCEED_MAXTRIES,
@@ -53,5 +54,7 @@ void audit_session_open(struct logininfo
void audit_session_close(struct logininfo *); void audit_session_close(struct logininfo *);
void audit_run_command(const char *); void audit_run_command(const char *);
ssh_audit_event_t audit_classify_auth(const char *); ssh_audit_event_t audit_classify_auth(const char *);
+int audit_keyusage(const char *, unsigned, char *, int); +int audit_keyusage(int, const char *, unsigned, char *, int);
+int audit_key(int, int *, const Key *);
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
--- openssh-5.6p1/audit-linux.c.audit2 2010-11-02 21:04:27.000000000 +0100 --- openssh-5.6p1/audit-linux.c.audit2 2010-11-05 15:41:17.000000000 +0100
+++ openssh-5.6p1/audit-linux.c 2010-11-02 21:04:28.000000000 +0100 +++ openssh-5.6p1/audit-linux.c 2010-11-05 15:41:18.000000000 +0100
@@ -37,6 +37,8 @@ @@ -37,6 +37,8 @@
#include "audit.h" #include "audit.h"
#include "canohost.h" #include "canohost.h"
@ -62,7 +105,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
} }
+int +int
+audit_keyusage(const char *type, unsigned len, char *fp, int rv) +audit_keyusage(int host_user, const char *type, unsigned len, char *fp, int rv)
+{ +{
+ char buf[AUDIT_LOG_SIZE]; + char buf[AUDIT_LOG_SIZE];
+ int audit_fd, rc, saved_errno; + int audit_fd, rc, saved_errno;
@ -75,12 +118,12 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
+ else + else
+ return 0; /* Must prevent login */ + return 0; /* Must prevent login */
+ } + }
+ snprintf(buf, sizeof(buf), "pubkey_auth rport=%d", get_remote_port()); + snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "hostbased" : "pubkey", get_remote_port());
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, + rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv); + buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
+ if (rc < 0) + if (rc < 0)
+ goto out; + goto out;
+ snprintf(buf, sizeof(buf), "pubkey_auth algo=%s size=%d fp=%s rport=%d", + snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
+ type, 8 * len, fp, get_remote_port()); + type, 8 * len, fp, get_remote_port());
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL, + rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv); + buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
@ -94,10 +137,32 @@ diff -up openssh-5.6p1/audit-linux.c.audit2 openssh-5.6p1/audit-linux.c
/* Below is the sshd audit API code */ /* Below is the sshd audit API code */
void void
diff -up openssh-5.6p1/auth2-hostbased.c.audit2 openssh-5.6p1/auth2-hostbased.c
--- openssh-5.6p1/auth2-hostbased.c.audit2 2010-08-05 05:04:50.000000000 +0200
+++ openssh-5.6p1/auth2-hostbased.c 2010-11-05 15:41:18.000000000 +0100
@@ -136,6 +136,18 @@ done:
return authenticated;
}
+int
+hostkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
+{
+ int rv;
+
+ rv = key_verify(key, sig, slen, data, datalen);
+#ifdef SSH_AUDIT_EVENTS
+ audit_key(0, &rv, key);
+#endif
+ return rv;
+}
+
/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c
--- openssh-5.6p1/auth2-pubkey.c.audit2 2010-07-02 05:35:19.000000000 +0200 --- openssh-5.6p1/auth2-pubkey.c.audit2 2010-07-02 05:35:19.000000000 +0200
+++ openssh-5.6p1/auth2-pubkey.c 2010-11-02 21:04:28.000000000 +0100 +++ openssh-5.6p1/auth2-pubkey.c 2010-11-05 15:41:18.000000000 +0100
@@ -177,6 +177,40 @@ done: @@ -177,6 +177,18 @@ done:
return authenticated; return authenticated;
} }
@ -105,32 +170,10 @@ diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c
+pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen) +pubkey_key_verify(const Key *key, const u_char *sig, u_int slen, const u_char *data, u_int datalen)
+{ +{
+ int rv; + int rv;
+#ifdef SSH_AUDIT_EVENTS
+ char *fp;
+ unsigned size = 0;
+ const char *crypto_name[] = {
+ "ssh-rsa1",
+ "ssh-rsa",
+ "ssh-dsa",
+ "unknown" };
+#endif
+ +
+ rv = key_verify(key, sig, slen, data, datalen); + rv = key_verify(key, sig, slen, data, datalen);
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + audit_key(1, &rv, key);
+ switch(key->type) {
+ case KEY_RSA1:
+ case KEY_RSA:
+ size = RSA_size(key->rsa);
+ break;
+ case KEY_DSA:
+ size = DSA_size(key->dsa);
+ break;
+ }
+
+ if (audit_keyusage(crypto_name[key->type], size, fp, rv) == 0)
+ rv = 0;
+ xfree(fp);
+#endif +#endif
+ return rv; + return rv;
+} +}
@ -139,19 +182,27 @@ diff -up openssh-5.6p1/auth2-pubkey.c.audit2 openssh-5.6p1/auth2-pubkey.c
match_principals_option(const char *principal_list, struct KeyCert *cert) match_principals_option(const char *principal_list, struct KeyCert *cert)
{ {
diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h diff -up openssh-5.6p1/auth.h.audit2 openssh-5.6p1/auth.h
--- openssh-5.6p1/auth.h.audit2 2010-11-02 21:06:05.000000000 +0100 --- openssh-5.6p1/auth.h.audit2 2010-05-10 03:58:03.000000000 +0200
+++ openssh-5.6p1/auth.h 2010-11-02 21:07:32.000000000 +0100 +++ openssh-5.6p1/auth.h 2010-11-05 15:41:18.000000000 +0100
@@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt @@ -170,6 +170,7 @@ void abandon_challenge_response(Authctxt
char *authorized_keys_file(struct passwd *); char *authorized_keys_file(struct passwd *);
char *authorized_keys_file2(struct passwd *); char *authorized_keys_file2(struct passwd *);
char *authorized_principals_file(struct passwd *); char *authorized_principals_file(struct passwd *);
+int pubkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); +int pubkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -185,6 +186,7 @@ Key *get_hostkey_public_by_type(int);
Key *get_hostkey_private_by_type(int);
int get_hostkey_index(Key *);
int ssh1_session_key(BIGNUM *);
+int hostkey_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
--- openssh-5.6p1/auth-rsa.c.audit2 2010-07-16 05:58:37.000000000 +0200 --- openssh-5.6p1/auth-rsa.c.audit2 2010-07-16 05:58:37.000000000 +0200
+++ openssh-5.6p1/auth-rsa.c 2010-11-02 21:04:28.000000000 +0100 +++ openssh-5.6p1/auth-rsa.c 2010-11-05 15:41:18.000000000 +0100
@@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU @@ -92,7 +92,10 @@ auth_rsa_verify_response(Key *key, BIGNU
{ {
u_char buf[32], mdbuf[16]; u_char buf[32], mdbuf[16];
@ -175,7 +226,7 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
+ +
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ if (audit_keyusage("ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) { + if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa), fp, rv) == 0) {
+ debug("unsuccessful audit"); + debug("unsuccessful audit");
+ rv = 0; + rv = 0;
} }
@ -190,7 +241,7 @@ diff -up openssh-5.6p1/auth-rsa.c.audit2 openssh-5.6p1/auth-rsa.c
/* /*
diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c
--- openssh-5.6p1/monitor.c.audit2 2010-08-03 07:50:16.000000000 +0200 --- openssh-5.6p1/monitor.c.audit2 2010-08-03 07:50:16.000000000 +0200
+++ openssh-5.6p1/monitor.c 2010-11-02 21:04:28.000000000 +0100 +++ openssh-5.6p1/monitor.c 2010-11-05 15:41:18.000000000 +0100
@@ -1235,7 +1235,19 @@ mm_answer_keyverify(int sock, Buffer *m) @@ -1235,7 +1235,19 @@ mm_answer_keyverify(int sock, Buffer *m)
if (!valid_data) if (!valid_data)
fatal("%s: bad signature data blob", __func__); fatal("%s: bad signature data blob", __func__);
@ -201,7 +252,7 @@ diff -up openssh-5.6p1/monitor.c.audit2 openssh-5.6p1/monitor.c
+ verified = pubkey_key_verify(key, signature, signaturelen, data, datalen); + verified = pubkey_key_verify(key, signature, signaturelen, data, datalen);
+ break; + break;
+ case MM_HOSTKEY: + case MM_HOSTKEY:
+ verified = key_verify(key, signature, signaturelen, data, datalen); + verified = hostkey_key_verify(key, signature, signaturelen, data, datalen);
+ valid_data = monitor_valid_hostbasedblob(data, datalen, + valid_data = monitor_valid_hostbasedblob(data, datalen,
+ hostbased_cuser, hostbased_chost); + hostbased_cuser, hostbased_chost);
+ break; + break;
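Review bot: The BSM stub `audit_keyusage()` in the audit-bsm.c hunk is declared `int` but contains only `/* not implemented */` with no return statement, while the new `audit_key()` in audit.c tests its result with `if (audit_keyusage(...) == 0) *rv = 0;`, so on BSM builds whether a correctly signed key is accepted depends on an indeterminate value (undefined behaviour). Given audit-linux.c's `return 0; /* Must prevent login */` convention, the stub presumably should read `return 1; /* not implemented: never veto the authentication */`, and `audit_key()` itself also needs a return value or a `void` return type. `audit_key()` never uses its `type` parameter — the call is hard-coded as `audit_keyusage(0, ...)` — so the hostbased path through hostkey_key_verify is always recorded as "pubkey"; if `type` is meant to be the `host_user` flag, pass it through. The callers also look inverted relative to `host_user ? "hostbased" : "pubkey"` (hostkey_key_verify passes 0, pubkey_key_verify passes 1, and auth-rsa.c passes 1 for "ssh-rsa1"), so confirm which value means hostbased before wiring it through.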


@ -1,6 +1,6 @@
diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c
--- openssh-5.6p1/audit-bsm.c.audit3 2010-11-03 08:59:55.000000000 +0100 --- openssh-5.6p1/audit-bsm.c.audit3 2010-11-05 15:54:35.000000000 +0100
+++ openssh-5.6p1/audit-bsm.c 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/audit-bsm.c 2010-11-05 15:54:35.000000000 +0100
@@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event) @@ -383,4 +383,16 @@ audit_event(ssh_audit_event_t event)
debug("%s: unhandled event %d", __func__, event); debug("%s: unhandled event %d", __func__, event);
} }
@ -19,8 +19,8 @@ diff -up openssh-5.6p1/audit-bsm.c.audit3 openssh-5.6p1/audit-bsm.c
+} +}
#endif /* BSM */ #endif /* BSM */
diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
--- openssh-5.6p1/audit.c.audit3 2010-11-03 08:59:56.000000000 +0100 --- openssh-5.6p1/audit.c.audit3 2010-11-05 15:54:35.000000000 +0100
+++ openssh-5.6p1/audit.c 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/audit.c 2010-11-05 15:56:19.000000000 +0100
@@ -36,6 +36,8 @@ @@ -36,6 +36,8 @@
#include "key.h" #include "key.h"
#include "hostfile.h" #include "hostfile.h"
@ -30,8 +30,8 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
/* /*
* Care must be taken when using this since it WILL NOT be initialized when * Care must be taken when using this since it WILL NOT be initialized when
@@ -111,6 +113,18 @@ audit_event_lookup(ssh_audit_event_t ev) @@ -138,6 +140,18 @@ audit_key(int type, int *rv, const Key *
return(event_lookup[i].name); xfree(fp);
} }
+void +void
@ -49,9 +49,9 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
# ifndef CUSTOM_SSH_AUDIT_EVENTS # ifndef CUSTOM_SSH_AUDIT_EVENTS
/* /*
* Null implementations of audit functions. * Null implementations of audit functions.
@@ -194,5 +208,24 @@ audit_keyusage(const char *type, unsigne @@ -221,5 +235,24 @@ audit_keyusage(int host_user, const char
debug("audit key usage euid %d user %s key type %s key length %d fingerprint %s, result %d", geteuid(), debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
audit_username(), type, len, fp, rv); host_user ? "hostbased" : "pubkey", geteuid(), audit_username(), type, len, fp, rv);
} }
+ +
+/* +/*
@ -61,7 +61,7 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
+audit_unsupported_body(int what) +audit_unsupported_body(int what)
+{ +{
+ debug("audit unsupported protocol ieuid %d type %d", geteuid(), what); + debug("audit unsupported protocol ieuid %d type %d", geteuid(), what);
+} +
+ +
+/* +/*
+ * This will be called on succesfull protocol negotiation. + * This will be called on succesfull protocol negotiation.
@ -75,12 +75,12 @@ diff -up openssh-5.6p1/audit.c.audit3 openssh-5.6p1/audit.c
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h
--- openssh-5.6p1/audit.h.audit3 2010-11-03 08:59:56.000000000 +0100 --- openssh-5.6p1/audit.h.audit3 2010-11-05 15:54:35.000000000 +0100
+++ openssh-5.6p1/audit.h 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/audit.h 2010-11-05 15:54:35.000000000 +0100
@@ -54,5 +54,9 @@ void audit_session_close(struct logininf @@ -56,5 +56,9 @@ void audit_run_command(const char *);
void audit_run_command(const char *);
ssh_audit_event_t audit_classify_auth(const char *); ssh_audit_event_t audit_classify_auth(const char *);
int audit_keyusage(const char *, unsigned, char *, int); int audit_keyusage(int, const char *, unsigned, char *, int);
int audit_key(int, int *, const Key *);
+void audit_unsupported(int); +void audit_unsupported(int);
+void audit_kex(int, char *, char *, char *); +void audit_kex(int, char *, char *, char *);
+void audit_unsupported_body(int); +void audit_unsupported_body(int);
@ -88,8 +88,8 @@ diff -up openssh-5.6p1/audit.h.audit3 openssh-5.6p1/audit.h
#endif /* _SSH_AUDIT_H */ #endif /* _SSH_AUDIT_H */
diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
--- openssh-5.6p1/audit-linux.c.audit3 2010-11-03 08:59:56.000000000 +0100 --- openssh-5.6p1/audit-linux.c.audit3 2010-11-05 15:54:35.000000000 +0100
+++ openssh-5.6p1/audit-linux.c 2010-11-03 09:01:56.000000000 +0100 +++ openssh-5.6p1/audit-linux.c 2010-11-05 15:54:35.000000000 +0100
@@ -36,6 +36,8 @@ @@ -36,6 +36,8 @@
#include "log.h" #include "log.h"
#include "audit.h" #include "audit.h"
@ -99,7 +99,7 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
#define AUDIT_LOG_SIZE 128 #define AUDIT_LOG_SIZE 128
@@ -149,4 +150,53 @@ audit_event(ssh_audit_event_t event) @@ -149,4 +151,53 @@ audit_event(ssh_audit_event_t event)
} }
} }
@ -154,8 +154,8 @@ diff -up openssh-5.6p1/audit-linux.c.audit3 openssh-5.6p1/audit-linux.c
+ +
#endif /* USE_LINUX_AUDIT */ #endif /* USE_LINUX_AUDIT */
diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c
--- openssh-5.6p1/auditstub.c.audit3 2010-11-03 08:59:56.000000000 +0100 --- openssh-5.6p1/auditstub.c.audit3 2010-11-05 15:54:35.000000000 +0100
+++ openssh-5.6p1/auditstub.c 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/auditstub.c 2010-11-05 15:54:35.000000000 +0100
@@ -0,0 +1,39 @@ @@ -0,0 +1,39 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+ +
@ -198,7 +198,7 @@ diff -up openssh-5.6p1/auditstub.c.audit3 openssh-5.6p1/auditstub.c
+ +
diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c
--- openssh-5.6p1/cipher.c.audit3 2010-09-03 14:54:23.000000000 +0200 --- openssh-5.6p1/cipher.c.audit3 2010-09-03 14:54:23.000000000 +0200
+++ openssh-5.6p1/cipher.c 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/cipher.c 2010-11-05 15:54:35.000000000 +0100
@@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX @@ -59,15 +59,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
extern const EVP_CIPHER *evp_aes_128_ctr(void); extern const EVP_CIPHER *evp_aes_128_ctr(void);
extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
@ -218,7 +218,7 @@ diff -up openssh-5.6p1/cipher.c.audit3 openssh-5.6p1/cipher.c
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h
--- openssh-5.6p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100 --- openssh-5.6p1/cipher.h.audit3 2009-01-28 06:38:41.000000000 +0100
+++ openssh-5.6p1/cipher.h 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/cipher.h 2010-11-05 15:54:35.000000000 +0100
@@ -61,7 +61,16 @@ @@ -61,7 +61,16 @@
typedef struct Cipher Cipher; typedef struct Cipher Cipher;
typedef struct CipherContext CipherContext; typedef struct CipherContext CipherContext;
@ -239,7 +239,7 @@ diff -up openssh-5.6p1/cipher.h.audit3 openssh-5.6p1/cipher.h
EVP_CIPHER_CTX evp; EVP_CIPHER_CTX evp;
diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
--- openssh-5.6p1/kex.c.audit3 2010-01-08 06:50:41.000000000 +0100 --- openssh-5.6p1/kex.c.audit3 2010-01-08 06:50:41.000000000 +0100
+++ openssh-5.6p1/kex.c 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/kex.c 2010-11-05 15:54:35.000000000 +0100
@@ -49,6 +49,7 @@ @@ -49,6 +49,7 @@
#include "dispatch.h" #include "dispatch.h"
#include "monitor.h" #include "monitor.h"
@ -303,8 +303,8 @@ diff -up openssh-5.6p1/kex.c.audit3 openssh-5.6p1/kex.c
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in
--- openssh-5.6p1/Makefile.in.audit3 2010-11-03 08:59:55.000000000 +0100 --- openssh-5.6p1/Makefile.in.audit3 2010-11-05 15:54:35.000000000 +0100
+++ openssh-5.6p1/Makefile.in 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/Makefile.in 2010-11-05 15:54:35.000000000 +0100
@@ -74,7 +74,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b @@ -74,7 +74,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \ kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
@ -315,8 +315,8 @@ diff -up openssh-5.6p1/Makefile.in.audit3 openssh-5.6p1/Makefile.in
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \
diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
--- openssh-5.6p1/monitor.c.audit3 2010-11-03 08:59:56.000000000 +0100 --- openssh-5.6p1/monitor.c.audit3 2010-11-05 15:54:35.000000000 +0100
+++ openssh-5.6p1/monitor.c 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/monitor.c 2010-11-05 15:54:35.000000000 +0100
@@ -89,6 +89,7 @@ @@ -89,6 +89,7 @@
#include "ssh2.h" #include "ssh2.h"
#include "jpake.h" #include "jpake.h"
@ -395,7 +395,7 @@ diff -up openssh-5.6p1/monitor.c.audit3 openssh-5.6p1/monitor.c
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h
--- openssh-5.6p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100 --- openssh-5.6p1/monitor.h.audit3 2008-11-05 06:20:46.000000000 +0100
+++ openssh-5.6p1/monitor.h 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/monitor.h 2010-11-05 15:54:35.000000000 +0100
@@ -66,6 +66,8 @@ enum monitor_reqtype { @@ -66,6 +66,8 @@ enum monitor_reqtype {
MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2, MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM, MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
@ -407,7 +407,7 @@ diff -up openssh-5.6p1/monitor.h.audit3 openssh-5.6p1/monitor.h
struct mm_master; struct mm_master;
diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c
--- openssh-5.6p1/monitor_wrap.c.audit3 2010-03-07 13:05:17.000000000 +0100 --- openssh-5.6p1/monitor_wrap.c.audit3 2010-03-07 13:05:17.000000000 +0100
+++ openssh-5.6p1/monitor_wrap.c 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/monitor_wrap.c 2010-11-05 15:54:35.000000000 +0100
@@ -1411,3 +1411,38 @@ mm_jpake_check_confirm(const BIGNUM *k, @@ -1411,3 +1411,38 @@ mm_jpake_check_confirm(const BIGNUM *k,
return success; return success;
} }
@ -449,7 +449,7 @@ diff -up openssh-5.6p1/monitor_wrap.c.audit3 openssh-5.6p1/monitor_wrap.c
+#endif /* SSH_AUDIT_EVENTS */ +#endif /* SSH_AUDIT_EVENTS */
diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h
--- openssh-5.6p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100 --- openssh-5.6p1/monitor_wrap.h.audit3 2009-03-05 14:58:22.000000000 +0100
+++ openssh-5.6p1/monitor_wrap.h 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/monitor_wrap.h 2010-11-05 15:54:35.000000000 +0100
@@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *); @@ -74,6 +74,8 @@ void mm_sshpam_free_ctx(void *);
#include "audit.h" #include "audit.h"
void mm_audit_event(ssh_audit_event_t); void mm_audit_event(ssh_audit_event_t);
@ -461,7 +461,7 @@ diff -up openssh-5.6p1/monitor_wrap.h.audit3 openssh-5.6p1/monitor_wrap.h
struct Session; struct Session;
diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c diff -up openssh-5.6p1/sshd.c.audit3 openssh-5.6p1/sshd.c
--- openssh-5.6p1/sshd.c.audit3 2010-04-16 07:56:22.000000000 +0200 --- openssh-5.6p1/sshd.c.audit3 2010-04-16 07:56:22.000000000 +0200
+++ openssh-5.6p1/sshd.c 2010-11-03 08:59:56.000000000 +0100 +++ openssh-5.6p1/sshd.c 2010-11-05 15:54:35.000000000 +0100
@@ -118,6 +118,7 @@ @@ -118,6 +118,7 @@
#endif #endif
#include "monitor_wrap.h" #include "monitor_wrap.h"
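Review bot: In the audit.c hunk, the closing `}` of `audit_unsupported_body()` on the old side appears to become a bare `+` line on the new side; if the brace really was dropped, the patched audit.c no longer compiles with SSH_AUDIT_EVENTS and without CUSTOM_SSH_AUDIT_EVENTS, so this should be checked against the raw patch (the rendering may have lost the character, since the hunk's line count is unchanged). The remainder of this section is context and line-number shifts caused by the audit2 changes. While here, the debug message `"audit unsupported protocol ieuid %d type %d"` reads like a typo for `euid`, and the comment `succesfull` should be `successful`.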


@ -71,7 +71,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.6p1 %define openssh_ver 5.6p1
%define openssh_rel 15 %define openssh_rel 16
%define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 27 %define pam_ssh_agent_rel 27
@ -99,7 +99,7 @@ Patch1: openssh-5.6p1-audit.patch
Patch2: openssh-5.6p1-audit2.patch Patch2: openssh-5.6p1-audit2.patch
Patch3: openssh-5.6p1-audit3.patch Patch3: openssh-5.6p1-audit3.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640
Patch4: openssh-5.2p1-vendor.patch Patch5: openssh-5.2p1-vendor.patch
Patch10: pam_ssh_agent_auth-0.9-build.patch Patch10: pam_ssh_agent_auth-0.9-build.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Patch12: openssh-5.4p1-selinux.patch Patch12: openssh-5.4p1-selinux.patch
@ -272,7 +272,7 @@ The module is most useful for su and sudo service stacks.
%patch1 -p1 -b .audit %patch1 -p1 -b .audit
%patch2 -p1 -b .audit2 %patch2 -p1 -b .audit2
%patch3 -p1 -b .audit3 %patch3 -p1 -b .audit3
%patch4 -p1 -b .vendor %patch5 -p1 -b .vendor
%if %{pam_ssh_agent} %if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver} pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@ -589,6 +589,10 @@ fi
%endif %endif
%changelog %changelog
* Fri Nov 5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-16 + 0.9.2-27
- add auditing the host based key ussage
- repait X11 abstract layer socket (#648896)
* Wed Nov 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-15 + 0.9.2-27 * Wed Nov 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-15 + 0.9.2-27
- add auditing the kex result - add auditing the kex result