rpms
/
openssh
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

8.4p1-1 + 0.10.4-1

This commit is contained in:
Jakub Jelen 2020-09-21 13:19:05 +02:00
parent 3783a5da43
commit bd35168662
17 changed files with 114 additions and 355 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -42,3 +42,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-8.2p1.tar.gz.asc
/openssh-8.3p1.tar.gz
/openssh-8.3p1.tar.gz.asc
/openssh-8.4p1.tar.gz
/openssh-8.4p1.tar.gz.asc
/pam_ssh_agent_auth-0.10.4.tar.gz

39
openssh-5.1p1-askpass-progress.patch
View File

@ -2,15 +2,15 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
@@ -53,6 +53,7 @@
#include <string.h>
#include <unistd.h>
#include <X11/Xlib.h>
+#include <glib.h>
#include <gtk/gtk.h>
#include <gdk/gdkx.h>
#include <gdk/gdkkeysyms.h>
@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
return 1;
}
+static void
@ -34,39 +34,44 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
- GtkWidget *parent_window, *dialog, *entry;
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
GdkGrabStatus status;
GdkColor fg, bg;
int fg_set = 0, bg_set = 0;
@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
@@ -104,16 +116,37 @@ passphrase_dialog(char *message)
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
if (prompt_type == PROMPT_ENTRY) {
if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
+ hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+ FALSE, 0);
+ gtk_widget_show(hbox);
+
entry = gtk_entry_new();
if (fg_set)
gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
if (bg_set)
gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
gtk_box_pack_start(
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
- entry, FALSE, FALSE, 0);
+ GTK_BOX(hbox), entry,
+ TRUE, FALSE, 0);
+ GTK_BOX(hbox), entry, TRUE, FALSE, 0);
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
gtk_widget_grab_focus(entry);
gtk_widget_show(entry);
/* Make <enter> close dialog */
g_signal_connect(G_OBJECT(entry), "activate",
G_CALLBACK(ok_dialog), dialog);
if (prompt_type == PROMPT_ENTRY) {
@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
g_signal_connect(G_OBJECT(entry), "key_press_event",
G_CALLBACK(check_none), dialog);
}
+
+ hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+ FALSE, 8);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
+ hbox, FALSE, FALSE, 8);
+ gtk_widget_show(hbox);
+
+ progress = gtk_progress_bar_new();
+
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
+ "Passphrase length hidden intentionally");
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
+ TRUE, 5);
+ gtk_widget_show(progress);

6
openssh-6.6.1p1-log-in-chroot.patch
View File

@ -145,9 +145,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
session_type,
tty == NULL ? "" : " on ",
@@ -1486,14 +1492,6 @@ child_close_fds(void)
* descriptors left by system functions. They will be closed later.
*/
endpwent();
/* Stop directing logs to a high-numbered fd before we close it */
log_redirect_stderr_to(NULL);
-
- /*
- * Close any extra open file descriptors so that we don't have them

8
openssh-6.6p1-keycat.patch
View File

@ -44,8 +44,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHLIBS=@SSHLIBS@
SSHDLIBS=@SSHDLIBS@
+KEYCATLIBS=@KEYCATLIBS@
LIBEDIT=@LIBEDIT@
@ -466,16 +466,16 @@ index 3bbccfd..6481f1f 100644
esac
fi
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
fi ]
)
AC_SUBST([SSHLIBS])
AC_SUBST([SSHDLIBS])
+AC_SUBST([KEYCATLIBS])
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
@@ -5031,6 +5034,9 @@ fi
if test ! -z "${SSHLIBS}"; then
echo " +for ssh: ${SSHLIBS}"
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
+if test ! -z "${KEYCATLIBS}"; then
+echo " +for ssh-keycat: ${KEYCATLIBS}"

2
openssh-6.6p1-kuserok.patch
View File

@ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
*activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
*inc_flags &= ~SSHCFG_MATCH_ONLY;
break;
+ case sKerberosUseKuserok:

10
openssh-6.7p1-sftp-force-permission.patch
View File

@ -2,8 +2,8 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
--- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200
@@ -38,6 +38,7 @@
.Op Fl P Ar blacklisted_requests
.Op Fl p Ar whitelisted_requests
.Op Fl P Ar denied_requests
.Op Fl p Ar allowed_requests
.Op Fl u Ar umask
+.Op Fl m Ar force_file_perms
.Ek
@ -67,9 +67,9 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
@@ -1494,7 +1505,7 @@ sftp_server_usage(void)
fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] "
- "[-p whitelisted_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
"[-l log_level]\n\t[-P denied_requests] "
- "[-p allowed_requests] [-u umask]\n"
+ "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
" %s -Q protocol_feature\n",
__progname, __progname);
exit(1);

2
openssh-7.1p2-audit-race-condition.patch
View File

@ -137,7 +137,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
}
@@ -1538,6 +1565,34 @@ child_close_fds(void)
endpwent();
log_redirect_stderr_to(NULL);
}
+void

4
openssh-7.6p1-audit.patch
View File

@ -1158,8 +1158,8 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
{0, 0, NULL}
};
@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
size_t signaturelen, datalen, bloblen;
int r, ret, req_presence = 0, valid_data = 0, encoded_ret;
int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
int encoded_ret;
struct sshkey_sig_details *sig_details = NULL;
+ int type = 0;

40
openssh-7.7p1-fips.patch
View File

@ -173,20 +173,20 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */
- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher);
- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac);
- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex);
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_whitelist((FIPS_mode() ?
- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
+ def_mac = match_filter_whitelist((FIPS_mode() ?
+ def_mac = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
+ def_kex = match_filter_whitelist((FIPS_mode() ?
+ def_kex = match_filter_allowlist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
+ def_key = match_filter_whitelist((FIPS_mode() ?
+ def_key = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_whitelist((FIPS_mode() ?
+ def_sig = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \
do { \
@ -211,20 +211,20 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */
- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher);
- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac);
- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex);
- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_whitelist((FIPS_mode() ?
- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
+ def_mac = match_filter_whitelist((FIPS_mode() ?
+ def_mac = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
+ def_kex = match_filter_whitelist((FIPS_mode() ?
+ def_kex = match_filter_allowlist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
+ def_key = match_filter_whitelist((FIPS_mode() ?
+ def_key = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_whitelist((FIPS_mode() ?
+ def_sig = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \
do { \

2
openssh-7.7p1-redhat.patch
View File

@ -2,9 +2,9 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
@@ -43,3 +43,10 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+#
+# This system is following system-wide crypto policy.
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf

18
openssh-7.8p1-role-mls.patch
View File

@ -154,20 +154,6 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh/configure.ac.role-mls openssh/configure.ac
--- openssh/configure.ac.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/configure.ac 2018-08-22 11:14:56.820430957 +0200
@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux],
LIBS="$LIBS -lselinux"
],
AC_MSG_ERROR([SELinux support requires libselinux library]))
- SSHLIBS="$SSHLIBS $LIBSELINUX"
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
- LIBS="$save_LIBS"
fi ]
)
AC_SUBST([SSHLIBS])
diff -up openssh/misc.c.role-mls openssh/misc.c
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
@ -338,8 +324,8 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
const u_char *, size_t, const char *, const char *, u_int compat);
const u_char *, size_t, const char *, const char *,
const char *, u_int compat);
void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);

58
openssh-7.9p1-ssh-copy-id.patch
View File

@ -1,31 +1,27 @@
diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh-copy-id
--- openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id 2018-10-17 02:01:20.000000000 +0200
+++ openssh-7.9p1/contrib/ssh-copy-id 2019-01-23 20:49:30.513393667 +0100
@@ -112,7 +112,8 @@ do
usage
}
- OPT= OPTARG=
+ OPT=
+ OPTARG=
# implement something like getopt to avoid Solaris pain
case "$1" in
-i?*|-o?*|-p?*)
@@ -261,7 +262,7 @@ populate_new_ids() {
fi
if [ -z "$NEW_IDS" ] ; then
printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
- printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2
exit 0
fi
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
@@ -296,7 +297,7 @@ case "$REMOTE_VERSION" in
# in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
# 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh.
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
- ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;
From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 29 Sep 2020 10:02:45 +0000
Subject: [PATCH] Fail hard on the first failed attempt to write the
authorized_keys_file
---
ssh-copy-id | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f..e69a23f 100755
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -251,7 +251,7 @@ installkeys_sh() {
cd;
umask 077;
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
+ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
cat >> ${AUTH_KEY_FILE} ||
exit 1;
if type restorecon >/dev/null 2>&1; then
--
GitLab

28
openssh-8.0p1-pkcs11-uri.patch
View File

@ -568,8 +568,8 @@ index 4e56e110..2690ebeb 100644
REGRESS_FAIL_EARLY?= yes
SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion
-SUBDIR+=authopt misc
+SUBDIR+=authopt misc pkcs11
-SUBDIR+=authopt misc sshsig
+SUBDIR+=authopt misc sshsig pkcs11
.include <bsd.subdir.mk>
diff --git a/regress/unittests/pkcs11/tests.c b/regress/unittests/pkcs11/tests.c
@ -807,7 +807,7 @@ index 00000000..b637cb13
+}
+
+void
+check_encode(char *source, size_t len, char *whitelist, char *expect)
+check_encode(char *source, size_t len, char *allow_list, char *expect)
+{
+ char *buf = NULL;
+ struct sshbuf *b;
@ -816,7 +816,7 @@ index 00000000..b637cb13
+ TEST_START(buf);
+ free(buf);
+
+ b = percent_encode(source, len, whitelist);
+ b = percent_encode(source, len, allow_list);
+ ASSERT_STRING_EQ(sshbuf_ptr(b), expect);
+ sshbuf_free(b);
+ TEST_DONE();
@ -841,14 +841,14 @@ index 00000000..b637cb13
+static void
+test_percent_encode(void)
+{
+ /* Without whitelist encodes everything (for CKA_ID) */
+ /* Without allow list encodes everything (for CKA_ID) */
+ check_encode("A*", 2, "", "%41%2A");
+ check_encode("\x00", 1, "", "%00");
+ check_encode("\x7F", 1, "", "%7F");
+ check_encode("\x80", 1, "", "%80");
+ check_encode("\xff", 1, "", "%FF");
+
+ /* Default whitelist encodes anything but safe letters */
+ /* Default allow list encodes anything but safe letters */
+ check_encode("test" "\x00" "0alpha", 11, PKCS11_URI_WHITELIST,
+ "test%000alpha");
+ check_encode(" ", 1, PKCS11_URI_WHITELIST,
@ -920,9 +920,9 @@ index 8057eb1f..0c470e32 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -67,6 +67,7 @@
#include "ssherr.h"
#include "digest.h"
#include "ssh-sk.h"
#include "sk-api.h"
+#include "ssh-pkcs11-uri.h"
/* argv0 */
@ -1045,9 +1045,9 @@ index 7eb6f0dc..27d8e4af 100644
+ return NULL;
+ }
+ free(module_path);
+ if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
+ if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
+ verbose("refusing PKCS#11 provider \"%.100s\": "
+ "not whitelisted", canonical_provider);
+ "not allowed", canonical_provider);
+ pkcs11_uri_cleanup(uri);
+ return NULL;
+ }
@ -1085,9 +1085,9 @@ index 7eb6f0dc..27d8e4af 100644
- provider, strerror(errno));
- goto send;
- }
- if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) {
- if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) {
- verbose("refusing PKCS#11 add of \"%.100s\": "
- "provider not whitelisted", canonical_provider);
- "provider not allowed", canonical_provider);
+
+ sane_uri = sanitize_pkcs11_provider(provider);
+ if (sane_uri == NULL)
@ -1342,7 +1342,7 @@ index 00000000..e1a7b4e0
+}
+
+struct sshbuf *
+percent_encode(const char *data, size_t length, const char *whitelist)
+percent_encode(const char *data, size_t length, const char *allow_list)
+{
+ struct sshbuf *b = NULL;
+ char tmp[4], *cp;
@ -1351,7 +1351,7 @@ index 00000000..e1a7b4e0
+ if ((b = sshbuf_new()) == NULL)
+ return NULL;
+ for (i = 0; i < length; i++) {
+ cp = strchr(whitelist, data[i]);
+ cp = strchr(allow_list, data[i]);
+ /* if c is specified as '\0' pointer to terminator is returned !! */
+ if (cp != NULL && *cp != '\0') {
+ if (sshbuf_put(b, &data[i], 1) != 0)
@ -3115,7 +3115,7 @@ index 15aee569..976844cb 100644
+ }
+#endif /* ENABLE_PKCS11 */
+ cp = tilde_expand_filename(name, getuid());
filename = default_client_percent_expand(cp,
filename = default_client_percent_dollar_expand(cp,
pw->pw_dir, host, options.user, pw->pw_name);
free(cp);
diff --git a/ssh_config.5 b/ssh_config.5

227
openssh-8.3p1-sshd_include.patch
View File

@ -1,227 +0,0 @@
From 3caa40f40c7f97ecf46969e050e530338864033e Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 25 May 2020 15:46:51 +0200
Subject: [PATCH 1/3] regress: Add more test cases
---
regress/servcfginclude.sh | 36 +++++++++++++++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh
index b25c8faa..b6a9a248 100644
--- a/regress/servcfginclude.sh
+++ b/regress/servcfginclude.sh
@@ -146,9 +146,43 @@ Include
_EOF
trace "disallow invalid with no argument"
-${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \
-C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \
fail "sshd allowed Include with no argument"
+# Ensure the Include before any Match block works as expected (bug #3122)
+cat > $OBJ/sshd_config.i << _EOF
+Banner /xx
+HostKey $OBJ/host.ssh-ed25519
+Include $OBJ/sshd_config.i.2
+Match host a
+ Banner /aaaa
+_EOF
+cat > $OBJ/sshd_config.i.2 << _EOF
+Match host a
+ Banner /aa
+_EOF
+
+trace "Include before match blocks"
+trial a /aa "included file before match blocks is properly evaluated"
+
+# Port in included file is correctly interpretted (bug #3169)
+cat > $OBJ/sshd_config.i << _EOF
+Include $OBJ/sshd_config.i.2
+Port 7722
+_EOF
+cat > $OBJ/sshd_config.i.2 << _EOF
+HostKey $OBJ/host.ssh-ed25519
+_EOF
+
+trace "Port after included files"
+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \
+ -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \
+ fail "failed to parse Port after included files"
+_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'`
+if test "x7722" != "x$_port" ; then
+ fail "The Port in included file was intertepretted wrongly. Expected 7722, got $_port"
+fi
+
# cleanup
rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out
--
2.25.4
From 924922fcb8f34fb4a156367de2ee33ad92a68a6a Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 25 May 2020 16:56:39 +0200
Subject: [PATCH 2/3] Do not call process_queued_listen_addrs() for every
included file
Fixes #3169
---
servconf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/servconf.c b/servconf.c
index 5bb4b1f8..78a7d87d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -74,7 +74,7 @@ static void add_listen_addr(ServerOptions *, const char *,
const char *, int);
static void add_one_listen_addr(ServerOptions *, const char *,
const char *, int);
-void parse_server_config_depth(ServerOptions *options, const char *filename,
+static void parse_server_config_depth(ServerOptions *options, const char *filename,
struct sshbuf *conf, struct include_list *includes,
struct connection_info *connectinfo, int flags, int *activep, int depth);
@@ -2580,7 +2580,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
#undef M_CP_STRARRAYOPT
#define SERVCONF_MAX_DEPTH 16
-void
+static void
parse_server_config_depth(ServerOptions *options, const char *filename,
struct sshbuf *conf, struct include_list *includes,
struct connection_info *connectinfo, int flags, int *activep, int depth)
@@ -2606,7 +2606,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
if (bad_options > 0)
fatal("%s: terminating, %d bad configuration options",
filename, bad_options);
- process_queued_listen_addrs(options);
}
void
@@ -2617,6 +2616,7 @@ parse_server_config(ServerOptions *options, const char *filename,
int active = connectinfo ? 0 : 1;
parse_server_config_depth(options, filename, conf, includes,
connectinfo, 0, &active, 0);
+ process_queued_listen_addrs(options);
}
static const char *
--
2.25.4
From 26d970b4fb373cb7bd99286e41dd095cd1eadbd0 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 26 May 2020 16:25:24 +0200
Subject: [PATCH 3/3] servconf: Fix parsing of Match blocks in included files
(#3122)
---
servconf.c | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/servconf.c b/servconf.c
index 78a7d87d..a8541514 100644
--- a/servconf.c
+++ b/servconf.c
@@ -554,6 +554,7 @@ typedef enum {
#define SSHCFG_MATCH 0x02 /* allowed inside a Match section */
#define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH)
#define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */
+#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */
/* Textual representation of the tokens. */
static struct {
@@ -1265,7 +1266,7 @@ static const struct multistate multistate_tcpfwd[] = {
static int
process_server_config_line_depth(ServerOptions *options, char *line,
const char *filename, int linenum, int *activep,
- struct connection_info *connectinfo, int inc_flags, int depth,
+ struct connection_info *connectinfo, int *inc_flags, int depth,
struct include_list *includes)
{
char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p;
@@ -2012,7 +2013,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
parse_server_config_depth(options,
item->filename, item->contents,
includes, connectinfo,
- (oactive ? 0 : SSHCFG_NEVERMATCH),
+ (*inc_flags & SSHCFG_MATCH_ONLY
+ ? SSHCFG_MATCH_ONLY : (oactive
+ ? 0 : SSHCFG_NEVERMATCH)),
activep, depth + 1);
}
found = 1;
@@ -2060,7 +2063,9 @@ process_server_config_line_depth(ServerOptions *options, char *line,
parse_server_config_depth(options,
item->filename, item->contents,
includes, connectinfo,
- (oactive ? 0 : SSHCFG_NEVERMATCH),
+ (*inc_flags & SSHCFG_MATCH_ONLY
+ ? SSHCFG_MATCH_ONLY : (oactive
+ ? 0 : SSHCFG_NEVERMATCH)),
activep, depth + 1);
*activep = oactive;
TAILQ_INSERT_TAIL(includes, item, entry);
@@ -2078,11 +2083,14 @@ process_server_config_line_depth(ServerOptions *options, char *line,
if (cmdline)
fatal("Match directive not supported as a command-line "
"option");
- value = match_cfg_line(&cp, linenum, connectinfo);
+ value = match_cfg_line(&cp, linenum,
+ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo));
if (value < 0)
fatal("%s line %d: Bad Match condition", filename,
linenum);
- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
+ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value;
+ /* The MATCH_ONLY is applicable only until the first match block */
+ *inc_flags &= ~SSHCFG_MATCH_ONLY;
break;
case sKerberosUseKuserok:
@@ -2385,8 +2393,9 @@ process_server_config_line(ServerOptions *options, char *line,
const char *filename, int linenum, int *activep,
struct connection_info *connectinfo, struct include_list *includes)
{
+ int inc_flags = 0;
return process_server_config_line_depth(options, line, filename,
- linenum, activep, connectinfo, 0, 0, includes);
+ linenum, activep, connectinfo, &inc_flags, 0, includes);
}
@@ -2591,14 +2600,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename,
if (depth < 0 || depth > SERVCONF_MAX_DEPTH)
fatal("Too many recursive configuration includes");
- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf));
+ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf),
+ (flags & SSHCFG_NEVERMATCH ? " [checking syntax only]" : ""));
if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL)
fatal("%s: sshbuf_dup_string failed", __func__);
linenum = 1;
while ((cp = strsep(&cbuf, "\n")) != NULL) {
if (process_server_config_line_depth(options, cp,
- filename, linenum++, activep, connectinfo, flags,
+ filename, linenum++, activep, connectinfo, &flags,
depth, includes) != 0)
bad_options++;
}
@@ -2615,7 +2625,7 @@ parse_server_config(ServerOptions *options, const char *filename,
{
int active = connectinfo ? 0 : 1;
parse_server_config_depth(options, filename, conf, includes,
- connectinfo, 0, &active, 0);
+ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0);
process_queued_listen_addrs(options);
}
--
2.25.4

BIN
openssh-SNAP-20200921.tar.gz Normal file
View File

Binary file not shown.

16
openssh.spec
View File

@ -50,15 +50,15 @@
%{?static_openssl:%global static_libcrypto 1}
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.3p1
%global openssh_rel 4
%global openssh_ver 8.4p1
%global openssh_rel 1
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 1
Summary: An open source implementation of SSH protocol version 2
Name: openssh
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}
Release: %{openssh_rel}.1%{?dist}
URL: http://www.openssh.com/portable.html
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -184,8 +184,7 @@ Patch951: openssh-8.0p1-pkcs11-uri.patch
# Unbreak scp between two IPv6 hosts (#1620333)
Patch953: openssh-7.8p1-scp-ipv6.patch
# ssh-copy-id is unmaintained: Aggreagete patches
# - do not return 0 if the write fails (full disk)
# - shellcheck reports (upstream #2902)
# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
Patch958: openssh-7.9p1-ssh-copy-id.patch
# Mention crypto-policies in manual pages (#1668325)
Patch962: openssh-8.0p1-crypto-policies.patch
@ -197,8 +196,6 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
Patch965: openssh-8.2p1-visibility.patch
# Do not break X11 without IPv6
Patch966: openssh-8.2p1-x11-without-ipv6.patch
# Unbreak sshd_config include corner cases (#3122)
Patch967: openssh-8.3p1-sshd_include.patch
License: BSD
Requires: /sbin/nologin
@ -219,7 +216,7 @@ BuildRequires: pam-devel
BuildRequires: openssl-devel >= 0.9.8j
BuildRequires: perl-podlators
BuildRequires: systemd-devel
BuildRequires: gcc
BuildRequires: gcc make
BuildRequires: p11-kit-devel
BuildRequires: libfido2-devel
Recommends: p11-kit
@ -272,7 +269,7 @@ Requires: openssh = %{version}-%{release}
%package -n pam_ssh_agent_auth
Summary: PAM module for authentication with ssh-agent
Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2
License: BSD
%description
@ -382,7 +379,6 @@ popd
%patch964 -p1 -b .openssl-kdf
%patch965 -p1 -b .visibility
%patch966 -p1 -b .x11-ipv6
%patch967 -p1 -b .include
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race

6
sources
View File

@ -1,4 +1,4 @@
SHA512 (openssh-8.3p1.tar.gz) = b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
SHA512 (openssh-8.3p1.tar.gz.asc) = 569fa12b3671af15bd7cd54fc7b13d1d64f3e96eb28f6dc430082f7bec4595689c633d3d56c23faad45b73e4da666c3ec090de26bf54f49410ba9bb8b5363e75
SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66