From aefa65dfca63663e473b847066af2d0168b0bee0 Mon Sep 17 00:00:00 2001 From: Jan F Date: Thu, 24 Feb 2011 14:25:14 +0100 Subject: [PATCH] another audit improovements --- openssh-5.8p1-fingerprint.patch | 419 ++++++++++++++++++++++++++++++++ openssh.spec | 2 +- 2 files changed, 420 insertions(+), 1 deletion(-) create mode 100644 openssh-5.8p1-fingerprint.patch diff --git a/openssh-5.8p1-fingerprint.patch b/openssh-5.8p1-fingerprint.patch new file mode 100644 index 0000000..180c92a --- /dev/null +++ b/openssh-5.8p1-fingerprint.patch @@ -0,0 +1,419 @@ +diff -up openssh-5.8p1/auth2-hostbased.c.fingerprint openssh-5.8p1/auth2-hostbased.c +--- openssh-5.8p1/auth2-hostbased.c.fingerprint 2010-08-05 05:04:50.000000000 +0200 ++++ openssh-5.8p1/auth2-hostbased.c 2011-02-24 10:30:47.000000000 +0100 +@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw, + + if (host_status == HOST_OK) { + if (key_is_cert(key)) { +- fp = key_fingerprint(key->cert->signature_key, +- SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_selected_fingerprint(key->cert->signature_key, ++ SSH_FP_HEX); + verbose("Accepted certificate ID \"%s\" signed by " +- "%s CA %s from %s@%s", key->cert->key_id, +- key_type(key->cert->signature_key), fp, ++ "%s CA %s%s from %s@%s", key->cert->key_id, ++ key_type(key->cert->signature_key), ++ key_fingerprint_prefix(), fp, + cuser, lookup); + } else { +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); +- verbose("Accepted %s public key %s from %s@%s", +- key_type(key), fp, cuser, lookup); ++ fp = key_selected_fingerprint(key, SSH_FP_HEX); ++ verbose("Accepted %s public key %s%s from %s@%s", ++ key_type(key), key_fingerprint_prefix(), ++ fp, cuser, lookup); + } + xfree(fp); + } +diff -up openssh-5.8p1/auth2-pubkey.c.fingerprint openssh-5.8p1/auth2-pubkey.c +--- openssh-5.8p1/auth2-pubkey.c.fingerprint 2010-12-01 01:50:14.000000000 +0100 ++++ openssh-5.8p1/auth2-pubkey.c 2011-02-24 10:30:47.000000000 +0100 +@@ -319,10 +319,10 @@ user_key_allowed2(struct passwd *pw, Key + continue; + if (!key_is_cert_authority) + continue; +- fp = key_fingerprint(found, SSH_FP_MD5, +- SSH_FP_HEX); +- debug("matching CA found: file %s, line %lu, %s %s", +- file, linenum, key_type(found), fp); ++ fp = key_selected_fingerprint(found, SSH_FP_HEX); ++ debug("matching CA found: file %s, line %lu, %s %s%s", ++ file, linenum, key_type(found), ++ key_fingerprint_prefix(), fp); + /* + * If the user has specified a list of principals as + * a key option, then prefer that list to matching +@@ -362,9 +362,9 @@ user_key_allowed2(struct passwd *pw, Key + found_key = 1; + debug("matching key found: file %s, line %lu", + file, linenum); +- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); +- verbose("Found matching %s key: %s", +- key_type(found), fp); ++ fp = key_selected_fingerprint(found, SSH_FP_HEX); ++ verbose("Found matching %s key: %s%s", ++ key_type(found), key_fingerprint_prefix(), fp); + xfree(fp); + break; + } +@@ -388,13 +388,13 @@ user_cert_trusted_ca(struct passwd *pw, + if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) + return 0; + +- ca_fp = key_fingerprint(key->cert->signature_key, +- SSH_FP_MD5, SSH_FP_HEX); ++ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX); + + if (key_in_file(key->cert->signature_key, + options.trusted_user_ca_keys, 1) != 1) { +- debug2("%s: CA %s %s is not listed in %s", __func__, +- key_type(key->cert->signature_key), ca_fp, ++ debug2("%s: CA %s%s %s is not listed in %s", __func__, ++ key_type(key->cert->signature_key), ++ key_fingerprint_prefix(), ca_fp, + options.trusted_user_ca_keys); + goto out; + } +diff -up openssh-5.8p1/auth.c.fingerprint openssh-5.8p1/auth.c +--- openssh-5.8p1/auth.c.fingerprint 2010-12-01 02:21:51.000000000 +0100 ++++ openssh-5.8p1/auth.c 2011-02-24 10:30:47.000000000 +0100 +@@ -639,9 +639,10 @@ auth_key_is_revoked(Key *key) + return 1; + case 1: + /* Key revoked */ +- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); ++ key_fp = key_selected_fingerprint(key, SSH_FP_HEX); + error("WARNING: authentication attempt with a revoked " +- "%s key %s ", key_type(key), key_fp); ++ "%s key %s%s ", key_type(key), ++ key_fingerprint_prefix(), key_fp); + xfree(key_fp); + return 1; + } +diff -up openssh-5.8p1/auth-rsa.c.fingerprint openssh-5.8p1/auth-rsa.c +--- openssh-5.8p1/auth-rsa.c.fingerprint 2010-12-04 23:01:47.000000000 +0100 ++++ openssh-5.8p1/auth-rsa.c 2011-02-24 10:30:47.000000000 +0100 +@@ -318,9 +318,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli + * options; this will be reset if the options cause the + * authentication to be rejected. + */ +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); +- verbose("Found matching %s key: %s", +- key_type(key), fp); ++ fp = key_selected_fingerprint(key, SSH_FP_HEX); ++ verbose("Found matching %s key: %s%s", ++ key_type(key), key_fingerprint_prefix(), fp); + xfree(fp); + key_free(key); + +diff -up openssh-5.8p1/key.c.fingerprint openssh-5.8p1/key.c +--- openssh-5.8p1/key.c.fingerprint 2011-02-04 01:48:34.000000000 +0100 ++++ openssh-5.8p1/key.c 2011-02-24 10:33:05.000000000 +0100 +@@ -594,6 +594,32 @@ key_fingerprint(Key *k, enum fp_type dgs + return retval; + } + ++int ++key_fingerprint_selection(void) ++{ ++ char *env; ++ static int rv = -1; ++ ++ if (rv == -1) { ++ env = getenv("SSH_FINGERPRINT_TYPE"); ++ rv = env && !strcmp (env, "sha"); ++ } ++ return rv; ++} ++ ++char * ++key_selected_fingerprint(Key *k, enum fp_rep dgst_rep) ++{ ++ return key_fingerprint(k, key_fingerprint_selection() ? ++ SSH_FP_SHA1 : SSH_FP_MD5, dgst_rep); ++} ++ ++char * ++key_fingerprint_prefix(void) ++{ ++ return key_fingerprint_selection() ? "sha1:" : ""; ++} ++ + /* + * Reads a multiple-precision integer in decimal from the buffer, and advances + * the pointer. The integer must already be initialized. This function is +diff -up openssh-5.8p1/key.h.fingerprint openssh-5.8p1/key.h +--- openssh-5.8p1/key.h.fingerprint 2010-11-05 00:19:49.000000000 +0100 ++++ openssh-5.8p1/key.h 2011-02-24 10:30:47.000000000 +0100 +@@ -96,6 +96,9 @@ int key_equal_public(const Key *, cons + int key_equal(const Key *, const Key *); + char *key_fingerprint(Key *, enum fp_type, enum fp_rep); + u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); ++int key_fingerprint_selection(void); ++char *key_selected_fingerprint(Key *, enum fp_rep); ++char *key_fingerprint_prefix(void); + const char *key_type(const Key *); + const char *key_cert_type(const Key *); + int key_write(const Key *, FILE *); +diff -up openssh-5.8p1/ssh-add.c.fingerprint openssh-5.8p1/ssh-add.c +--- openssh-5.8p1/ssh-add.c.fingerprint 2010-11-11 04:17:02.000000000 +0100 ++++ openssh-5.8p1/ssh-add.c 2011-02-24 10:30:47.000000000 +0100 +@@ -280,10 +280,10 @@ list_identities(AuthenticationConnection + key = ssh_get_next_identity(ac, &comment, version)) { + had_identities = 1; + if (do_fp) { +- fp = key_fingerprint(key, SSH_FP_MD5, +- SSH_FP_HEX); +- printf("%d %s %s (%s)\n", +- key_size(key), fp, comment, key_type(key)); ++ fp = key_selected_fingerprint(key, SSH_FP_HEX); ++ printf("%d %s%s %s (%s)\n", ++ key_size(key), key_fingerprint_prefix(), ++ fp, comment, key_type(key)); + xfree(fp); + } else { + if (!key_write(key, stdout)) +diff -up openssh-5.8p1/ssh-agent.c.fingerprint openssh-5.8p1/ssh-agent.c +--- openssh-5.8p1/ssh-agent.c.fingerprint 2010-12-01 01:50:35.000000000 +0100 ++++ openssh-5.8p1/ssh-agent.c 2011-02-24 10:30:47.000000000 +0100 +@@ -199,9 +199,9 @@ confirm_key(Identity *id) + char *p; + int ret = -1; + +- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); +- if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", +- id->comment, p)) ++ p = key_selected_fingerprint(id->key, SSH_FP_HEX); ++ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.", ++ id->comment, key_fingerprint_prefix(), p)) + ret = 0; + xfree(p); + +diff -up openssh-5.8p1/sshconnect2.c.fingerprint openssh-5.8p1/sshconnect2.c +--- openssh-5.8p1/sshconnect2.c.fingerprint 2010-12-01 02:21:51.000000000 +0100 ++++ openssh-5.8p1/sshconnect2.c 2011-02-24 10:30:47.000000000 +0100 +@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t + key->type, pktype); + goto done; + } +- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); +- debug2("input_userauth_pk_ok: fp %s", fp); ++ fp = key_selected_fingerprint(key, SSH_FP_HEX); ++ debug2("input_userauth_pk_ok: fp %s%s", ++ key_fingerprint_prefix(), fp); + xfree(fp); + + /* +@@ -1203,8 +1204,9 @@ sign_and_send_pubkey(Authctxt *authctxt, + int have_sig = 1; + char *fp; + +- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); +- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); ++ fp = key_selected_fingerprint(id->key, SSH_FP_HEX); ++ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key), ++ key_fingerprint_prefix(), fp); + xfree(fp); + + if (key_to_blob(id->key, &blob, &bloblen) == 0) { +diff -up openssh-5.8p1/sshconnect.c.fingerprint openssh-5.8p1/sshconnect.c +--- openssh-5.8p1/sshconnect.c.fingerprint 2011-01-16 13:17:59.000000000 +0100 ++++ openssh-5.8p1/sshconnect.c 2011-02-24 10:30:47.000000000 +0100 +@@ -798,10 +798,10 @@ check_host_key(char *hostname, struct so + "key for IP address '%.128s' to the list " + "of known hosts.", type, ip); + } else if (options.visual_host_key) { +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); +- ra = key_fingerprint(host_key, SSH_FP_MD5, +- SSH_FP_RANDOMART); +- logit("Host key fingerprint is %s\n%s\n", fp, ra); ++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); ++ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART); ++ logit("Host key fingerprint is %s%s\n%s\n", ++ key_fingerprint_prefix(), fp, ra); + xfree(ra); + xfree(fp); + } +@@ -838,9 +838,8 @@ check_host_key(char *hostname, struct so + else + snprintf(msg1, sizeof(msg1), "."); + /* The default */ +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); +- ra = key_fingerprint(host_key, SSH_FP_MD5, +- SSH_FP_RANDOMART); ++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); ++ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART); + msg2[0] = '\0'; + if (options.verify_host_key_dns) { + if (matching_host_key_dns) +@@ -855,10 +854,11 @@ check_host_key(char *hostname, struct so + snprintf(msg, sizeof(msg), + "The authenticity of host '%.200s (%s)' can't be " + "established%s\n" +- "%s key fingerprint is %s.%s%s\n%s" ++ "%s key fingerprint is %s%s.%s%s\n%s" + "Are you sure you want to continue connecting " + "(yes/no)? ", +- host, ip, msg1, type, fp, ++ host, ip, msg1, type, ++ key_fingerprint_prefix(), fp, + options.visual_host_key ? "\n" : "", + options.visual_host_key ? ra : "", + msg2); +@@ -1104,8 +1104,9 @@ verify_host_key(char *host, struct socka + int flags = 0; + char *fp; + +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); +- debug("Server host key: %s %s", key_type(host_key), fp); ++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); ++ debug("Server host key: %s %s%s", key_type(host_key), ++ key_fingerprint_prefix(), fp); + xfree(fp); + + /* XXX certs are not yet supported for DNS */ +@@ -1214,14 +1215,15 @@ show_other_keys(struct hostkeys *hostkey + continue; + if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) + continue; +- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX); +- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART); ++ fp = key_selected_fingerprint(found->key, SSH_FP_HEX); ++ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART); + logit("WARNING: %s key found for host %s\n" + "in %s:%lu\n" +- "%s key fingerprint %s.", ++ "%s key fingerprint %s%s.", + key_type(found->key), + found->host, found->file, found->line, +- key_type(found->key), fp); ++ key_type(found->key), ++ key_fingerprint_prefix(), fp); + if (options.visual_host_key) + logit("%s", ra); + xfree(ra); +@@ -1236,7 +1238,7 @@ warn_changed_key(Key *host_key) + { + char *fp; + +- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); ++ fp = key_selected_fingerprint(host_key, SSH_FP_HEX); + + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); +@@ -1244,8 +1246,8 @@ warn_changed_key(Key *host_key) + error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); + error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); + error("It is also possible that a host key has just been changed."); +- error("The fingerprint for the %s key sent by the remote host is\n%s.", +- key_type(host_key), fp); ++ error("The fingerprint for the %s key sent by the remote host is\n%s%s.", ++ key_type(host_key),key_fingerprint_prefix(), fp); + error("Please contact your system administrator."); + + xfree(fp); +diff -up openssh-5.8p1/ssh-keygen.c.fingerprint openssh-5.8p1/ssh-keygen.c +--- openssh-5.8p1/ssh-keygen.c.fingerprint 2011-01-11 07:20:31.000000000 +0100 ++++ openssh-5.8p1/ssh-keygen.c 2011-02-24 10:30:47.000000000 +0100 +@@ -714,13 +714,14 @@ do_fingerprint(struct passwd *pw) + { + FILE *f; + Key *public; +- char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; ++ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra, *pfx; + int i, skip = 0, num = 0, invalid = 1; + enum fp_rep rep; + enum fp_type fptype; + struct stat st; + +- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; ++ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection(); ++ pfx = print_bubblebabble ? "" : key_fingerprint_prefix(); + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + + if (!have_identity) +@@ -732,8 +733,8 @@ do_fingerprint(struct passwd *pw) + public = key_load_public(identity_file, &comment); + if (public != NULL) { + fp = key_fingerprint(public, fptype, rep); +- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); +- printf("%u %s %s (%s)\n", key_size(public), fp, comment, ++ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART); ++ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, comment, + key_type(public)); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); +@@ -798,8 +799,8 @@ do_fingerprint(struct passwd *pw) + } + comment = *cp ? cp : comment; + fp = key_fingerprint(public, fptype, rep); +- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); +- printf("%u %s %s (%s)\n", key_size(public), fp, ++ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART); ++ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, + comment ? comment : "no comment", key_type(public)); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); +@@ -823,13 +824,15 @@ printhost(FILE *f, const char *name, Key + if (print_fingerprint) { + enum fp_rep rep; + enum fp_type fptype; +- char *fp, *ra; ++ char *fp, *ra, *pfx; + +- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; ++ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection(); ++ pfx = print_bubblebabble ? "" : key_fingerprint_prefix(); + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; ++ + fp = key_fingerprint(public, fptype, rep); +- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); +- printf("%u %s %s (%s)\n", key_size(public), fp, name, ++ ra = key_selected_fingerprint(public, SSH_FP_RANDOMART); ++ printf("%u %s%s %s (%s)\n", key_size(public), pfx, fp, name, + key_type(public)); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); +@@ -1695,16 +1698,17 @@ do_show_cert(struct passwd *pw) + fatal("%s is not a certificate", identity_file); + v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; + +- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); +- ca_fp = key_fingerprint(key->cert->signature_key, +- SSH_FP_MD5, SSH_FP_HEX); ++ key_fp = key_selected_fingerprint(key, SSH_FP_HEX); ++ ca_fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX); + + printf("%s:\n", identity_file); + printf(" Type: %s %s certificate\n", key_ssh_name(key), + key_cert_type(key)); +- printf(" Public key: %s %s\n", key_type(key), key_fp); +- printf(" Signing CA: %s %s\n", +- key_type(key->cert->signature_key), ca_fp); ++ printf(" Public key: %s %s%s\n", key_type(key), ++ key_fingerprint_prefix(), key_fp); ++ printf(" Signing CA: %s %s%s\n", ++ key_type(key->cert->signature_key), ++ key_fingerprint_prefix(), ca_fp); + printf(" Key ID: \"%s\"\n", key->cert->key_id); + if (!v00) { + printf(" Serial: %llu\n", +@@ -2249,13 +2253,12 @@ passphrase_again: + fclose(f); + + if (!quiet) { +- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); +- char *ra = key_fingerprint(public, SSH_FP_MD5, +- SSH_FP_RANDOMART); ++ char *fp = key_selected_fingerprint(public, SSH_FP_HEX); ++ char *ra = key_selected_fingerprint(public, SSH_FP_RANDOMART); + printf("Your public key has been saved in %s.\n", + identity_file); + printf("The key fingerprint is:\n"); +- printf("%s %s\n", fp, comment); ++ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment); + printf("The key's randomart image is:\n"); + printf("%s\n", ra); + xfree(ra); diff --git a/openssh.spec b/openssh.spec index 1d24258..420a265 100644 --- a/openssh.spec +++ b/openssh.spec @@ -96,7 +96,7 @@ Source5: pam_ssh_agent-rmheaders Patch99: openssh-5.8p1-wIm.patch Patch0: openssh-5.6p1-redhat.patch #? -Patch100: openssh-5.8p1-fingerprit.patch +Patch100: openssh-5.8p1-fingerprint.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1402 Patch1: openssh-5.8p1-audit1.patch Patch101: openssh-5.8p1-audit1a.patch