diff --git a/.gitignore b/.gitignore
index bfa675f..0a4a73d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-8.2p1.tar.gz.asc
 /openssh-8.3p1.tar.gz
 /openssh-8.3p1.tar.gz.asc
+/openssh-8.4p1.tar.gz
+/openssh-8.4p1.tar.gz.asc
+/pam_ssh_agent_auth-0.10.4.tar.gz
diff --git a/openssh-5.1p1-askpass-progress.patch b/openssh-5.1p1-askpass-progress.patch
index 21f6502..e0ecb80 100644
--- a/openssh-5.1p1-askpass-progress.patch
+++ b/openssh-5.1p1-askpass-progress.patch
@@ -2,15 +2,15 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100 @@ -53,6 +53,7 @@ - #include #include + #include +#include #include #include - + #include @@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia - gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); + return 1; } +static void 
@@ -34,39 +34,44 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr - GtkWidget *parent_window, *dialog, *entry; + GtkWidget *parent_window, *dialog, *entry, *progress, *hbox; GdkGrabStatus status; + GdkColor fg, bg; + int fg_set = 0, bg_set = 0; +@@ -104,14 +116,19 @@ passphrase_dialog(char *message) + gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg); - grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); -@@ -104,16 +116,37 @@ passphrase_dialog(char *message) - gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); - - if (prompt_type == PROMPT_ENTRY) { + if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) { + hbox = gtk_hbox_new(FALSE, 0); + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + FALSE, 0); + gtk_widget_show(hbox); + entry = gtk_entry_new(); + if (fg_set) + gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg); + if (bg_set) + gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg); gtk_box_pack_start( - GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), - entry, FALSE, FALSE, 0); -+ GTK_BOX(hbox), entry, -+ TRUE, FALSE, 0); ++ GTK_BOX(hbox), entry, TRUE, FALSE, 0); + gtk_entry_set_width_chars(GTK_ENTRY(entry), 2); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_widget_grab_focus(entry); - gtk_widget_show(entry); - /* Make close dialog */ - g_signal_connect(G_OBJECT(entry), "activate", - G_CALLBACK(ok_dialog), dialog); + if (prompt_type == PROMPT_ENTRY) { +@@ -130,6 +145,22 @@ passphrase_dialog(char *message) + g_signal_connect(G_OBJECT(entry), "key_press_event", + G_CALLBACK(check_none), dialog); + } + + hbox = gtk_hbox_new(FALSE, 0); -+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, -+ FALSE, 8); ++ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), ++ hbox, FALSE, FALSE, 8); + gtk_widget_show(hbox); + + progress = gtk_progress_bar_new(); + -+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally"); ++ 
gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), ++ "Passphrase length hidden intentionally"); + gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE, + TRUE, 5); + gtk_widget_show(progress); diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch index 1260242..fa0717f 100644 --- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/openssh-6.6.1p1-log-in-chroot.patch @@ -145,9 +145,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c session_type, tty == NULL ? "" : " on ", @@ -1486,14 +1492,6 @@ child_close_fds(void) - * descriptors left by system functions. They will be closed later. - */ - endpwent(); + + /* Stop directing logs to a high-numbered fd before we close it */ + log_redirect_stderr_to(NULL); - - /* - * Close any extra open file descriptors so that we don't have them diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch index e349b85..9e71efe 100644 --- a/openssh-6.6p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch @@ -44,8 +44,8 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper PRIVSEP_PATH=@PRIVSEP_PATH@ @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@ + K5LIBS=@K5LIBS@ GSSLIBS=@GSSLIBS@ - SSHLIBS=@SSHLIBS@ SSHDLIBS=@SSHDLIBS@ +KEYCATLIBS=@KEYCATLIBS@ LIBEDIT=@LIBEDIT@ @@ -466,16 +466,16 @@ index 3bbccfd..6481f1f 100644 esac fi @@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux], + fi ] ) - AC_SUBST([SSHLIBS]) AC_SUBST([SSHDLIBS]) +AC_SUBST([KEYCATLIBS]) # Check whether user wants Kerberos 5 support KRB5_MSG="no" @@ -5031,6 +5034,9 @@ fi - if test ! -z "${SSHLIBS}"; then - echo " +for ssh: ${SSHLIBS}" + if test ! -z "${SSHDLIBS}"; then + echo " +for sshd: ${SSHDLIBS}" fi +if test ! -z "${KEYCATLIBS}"; then +echo " +for ssh-keycat: ${KEYCATLIBS}" diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index 8428c1c..5009e2a 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch 
@@ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions - *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; + *inc_flags &= ~SSHCFG_MATCH_ONLY; break; + case sKerberosUseKuserok: diff --git a/openssh-6.7p1-sftp-force-permission.patch b/openssh-6.7p1-sftp-force-permission.patch index 0944ad3..1cfa309 100644 --- a/openssh-6.7p1-sftp-force-permission.patch +++ b/openssh-6.7p1-sftp-force-permission.patch @@ -2,8 +2,8 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8 --- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100 +++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200 @@ -38,6 +38,7 @@ - .Op Fl P Ar blacklisted_requests - .Op Fl p Ar whitelisted_requests + .Op Fl P Ar denied_requests + .Op Fl p Ar allowed_requests .Op Fl u Ar umask +.Op Fl m Ar force_file_perms .Ek @@ -67,9 +67,9 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c @@ -1494,7 +1505,7 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " - "[-l log_level]\n\t[-P blacklisted_requests] " -- "[-p whitelisted_requests] [-u umask]\n" -+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n" + "[-l log_level]\n\t[-P denied_requests] " +- "[-p allowed_requests] [-u umask]\n" ++ "[-p allowed_requests] [-u umask] [-m force_file_perms]\n" " %s -Q protocol_feature\n", __progname, __progname); exit(1); diff --git a/openssh-7.1p2-audit-race-condition.patch b/openssh-7.1p2-audit-race-condition.patch index 9c9a680..de70ff5 100644 --- a/openssh-7.1p2-audit-race-condition.patch +++ b/openssh-7.1p2-audit-race-condition.patch @@ -137,7 +137,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c } 
@@ -1538,6 +1565,34 @@ child_close_fds(void) - endpwent(); + log_redirect_stderr_to(NULL); } +void diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index 98d5709..35a1a8a 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -1158,8 +1158,8 @@ diff -up openssh/monitor.c.audit openssh/monitor.c {0, 0, NULL} }; @@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int - size_t signaturelen, datalen, bloblen; - int r, ret, req_presence = 0, valid_data = 0, encoded_ret; + int r, ret, req_presence = 0, req_verify = 0, valid_data = 0; + int encoded_ret; struct sshkey_sig_details *sig_details = NULL; + int type = 0; diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index bb69efe..19f3d97 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch 
@@ -173,20 +173,20 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); /* remove unsupported algos from default lists */ -- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); -- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); -- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); -- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); -- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); -+ def_cipher = match_filter_whitelist((FIPS_mode() ? +- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher); +- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac); +- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex); +- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher); -+ def_mac = match_filter_whitelist((FIPS_mode() ? ++ def_mac = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac); -+ def_kex = match_filter_whitelist((FIPS_mode() ? ++ def_kex = match_filter_allowlist((FIPS_mode() ? + KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex); -+ def_key = match_filter_whitelist((FIPS_mode() ? ++ def_key = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); -+ def_sig = match_filter_whitelist((FIPS_mode() ? ++ def_sig = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); #define ASSEMBLE(what, defaults, all) \ do { \ 
@@ -211,20 +211,20 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); /* remove unsupported algos from default lists */ -- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher); -- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac); -- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex); -- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); -- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); -+ def_cipher = match_filter_whitelist((FIPS_mode() ? +- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher); +- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac); +- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex); +- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher); -+ def_mac = match_filter_whitelist((FIPS_mode() ? ++ def_mac = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac); -+ def_kex = match_filter_whitelist((FIPS_mode() ? ++ def_kex = match_filter_allowlist((FIPS_mode() ? + KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex); -+ def_key = match_filter_whitelist((FIPS_mode() ? ++ def_key = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); -+ def_sig = match_filter_whitelist((FIPS_mode() ? ++ def_sig = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); #define ASSEMBLE(what, defaults, all) \ do { \ diff --git a/openssh-7.7p1-redhat.patch b/openssh-7.7p1-redhat.patch index fe4200d..6011593 100644 --- a/openssh-7.7p1-redhat.patch +++ b/openssh-7.7p1-redhat.patch 
@@ -2,9 +2,9 @@ diff -up openssh/ssh_config.redhat openssh/ssh_config --- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100 +++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100 @@ -43,3 +43,10 @@ - # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h + # UserKnownHostsFile ~/.ssh/known_hosts.d/%k +# +# This system is following system-wide crypto policy. +# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf diff --git a/openssh-7.8p1-role-mls.patch b/openssh-7.8p1-role-mls.patch index fb7ce7c..add4727 100644 --- a/openssh-7.8p1-role-mls.patch +++ b/openssh-7.8p1-role-mls.patch @@ -154,20 +154,6 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); -diff -up openssh/configure.ac.role-mls openssh/configure.ac ---- openssh/configure.ac.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/configure.ac 2018-08-22 11:14:56.820430957 +0200 -@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux], - LIBS="$LIBS -lselinux" - ], - AC_MSG_ERROR([SELinux support requires libselinux library])) -- SSHLIBS="$SSHLIBS $LIBSELINUX" -- SSHDLIBS="$SSHDLIBS $LIBSELINUX" - AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level]) -- LIBS="$save_LIBS" - fi ] - ) - AC_SUBST([SSHLIBS]) diff -up openssh/misc.c.role-mls openssh/misc.c --- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200 @@ -338,8 +324,8 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h --- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200 +++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200 
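Review bot: Dropping the configure.ac hunk from openssh-7.8p1-role-mls.patch changes which programs end up linked against libselinux, and nothing in the commit says that was checked. The removed hunk deleted `LIBS="$save_LIBS"` (and the per-binary `SSHLIBS`/`SSHDLIBS` additions), which kept `-lselinux` in the global LIBS for every binary; with the hunk gone, 8.4p1's own configure.ac decides, and the keycat hunk earlier in this same commit shows that 8.4p1 no longer has `SSHLIBS` at all, only `SSHDLIBS`. This patch still adds SELinux calls outside sshd (the misc.c and monitor_wrap.h hunks that follow), so please confirm on a `--with-selinux` build that ssh and ssh-keycat still link and that `ldd` shows libselinux where expected; if upstream restored `LIBS="$save_LIBS"`, the hunk needs to be rebased rather than dropped.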
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); - int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, - const u_char *, size_t, const char *, const char *, u_int compat); + const u_char *, size_t, const char *, const char *, + const char *, u_int compat); void mm_inform_authserv(char *, char *); +#ifdef WITH_SELINUX +void mm_inform_authrole(char *); diff --git a/openssh-7.9p1-ssh-copy-id.patch b/openssh-7.9p1-ssh-copy-id.patch index d47880a..24598b8 100644 --- a/openssh-7.9p1-ssh-copy-id.patch +++ b/openssh-7.9p1-ssh-copy-id.patch 
@@ -1,31 +1,27 @@ -diff -up openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id openssh-7.9p1/contrib/ssh-copy-id ---- openssh-7.9p1/contrib/ssh-copy-id.ssh-copy-id 2018-10-17 02:01:20.000000000 +0200 -+++ openssh-7.9p1/contrib/ssh-copy-id 2019-01-23 20:49:30.513393667 +0100 -@@ -112,7 +112,8 @@ do - usage - } - -- OPT= OPTARG= -+ OPT= -+ OPTARG= - # implement something like getopt to avoid Solaris pain - case "$1" in - -i?*|-o?*|-p?*) -@@ -261,7 +262,7 @@ populate_new_ids() { - fi - if [ -z "$NEW_IDS" ] ; then - printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2 -- printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2 -+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2 - exit 0 - fi - printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2 -@@ -296,7 +297,7 @@ case "$REMOTE_VERSION" in - # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; - # 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh. 
- [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \ -- ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \ -+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys || exit 1; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \ - || exit 1 - ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) - ;; +From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 29 Sep 2020 10:02:45 +0000 +Subject: [PATCH] Fail hard on the first failed attempt to write the + authorized_keys_file + +--- + ssh-copy-id | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id +index 392f64f..e69a23f 100755 +--- a/contrib/ssh-copy-id ++++ b/contrib/ssh-copy-id +@@ -251,7 +251,7 @@ installkeys_sh() { + cd; + umask 077; + mkdir -p $(dirname "${AUTH_KEY_FILE}") && +- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } && ++ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } && + cat >> ${AUTH_KEY_FILE} || + exit 1; + if type restorecon >/dev/null 2>&1; then +-- +GitLab + + diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch index 724177d..d55df23 100644 --- a/openssh-8.0p1-pkcs11-uri.patch +++ b/openssh-8.0p1-pkcs11-uri.patch @@ -568,8 +568,8 @@ index 4e56e110..2690ebeb 100644 REGRESS_FAIL_EARLY?= yes SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion --SUBDIR+=authopt misc -+SUBDIR+=authopt misc pkcs11 +-SUBDIR+=authopt misc sshsig ++SUBDIR+=authopt misc sshsig pkcs11 .include 
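Review bot: The rebased patch keeps only the `|| exit 1` fix and silently drops the two other hunks the old version carried, the `OPT= OPTARG=` split and the removal of the stray `"$0"` argument from the `printf '\t\t(if you think this is a mistake, ...)'` call, without the commit or spec stating they are now upstream. The stray argument is only a shellcheck finding (printf ignores extra operands), so if 8.4p1's contrib/ssh-copy-id still has it the drop is harmless but should be recorded; if upstream already fixed both, say so in the spec comment. The new line itself is correct: `echo >> ${AUTH_KEY_FILE} || exit 1` now aborts the remote `sh -c` before `cat >>` can append a key to a file whose newline fix-up already failed, which is exactly the full-disk case the old Patch958 comment described. The `installkeys_sh()` function this hunk patches starts and ends outside the visible lines.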
diff --git a/regress/unittests/pkcs11/tests.c b/regress/unittests/pkcs11/tests.c @@ -807,7 +807,7 @@ index 00000000..b637cb13 +} + +void -+check_encode(char *source, size_t len, char *whitelist, char *expect) ++check_encode(char *source, size_t len, char *allow_list, char *expect) +{ + char *buf = NULL; + struct sshbuf *b; @@ -816,7 +816,7 @@ index 00000000..b637cb13 + TEST_START(buf); + free(buf); + -+ b = percent_encode(source, len, whitelist); ++ b = percent_encode(source, len, allow_list); + ASSERT_STRING_EQ(sshbuf_ptr(b), expect); + sshbuf_free(b); + TEST_DONE(); @@ -841,14 +841,14 @@ index 00000000..b637cb13 +static void +test_percent_encode(void) +{ -+ /* Without whitelist encodes everything (for CKA_ID) */ ++ /* Without allow list encodes everything (for CKA_ID) */ + check_encode("A*", 2, "", "%41%2A"); + check_encode("\x00", 1, "", "%00"); + check_encode("\x7F", 1, "", "%7F"); + check_encode("\x80", 1, "", "%80"); + check_encode("\xff", 1, "", "%FF"); + -+ /* Default whitelist encodes anything but safe letters */ ++ /* Default allow list encodes anything but safe letters */ + check_encode("test" "\x00" "0alpha", 11, PKCS11_URI_WHITELIST, + "test%000alpha"); + check_encode(" ", 1, PKCS11_URI_WHITELIST, @@ -920,9 +920,9 @@ index 8057eb1f..0c470e32 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -67,6 +67,7 @@ - #include "ssherr.h" #include "digest.h" #include "ssh-sk.h" + #include "sk-api.h" +#include "ssh-pkcs11-uri.h" /* argv0 */ @@ -1045,9 +1045,9 @@ index 7eb6f0dc..27d8e4af 100644 + return NULL; + } + free(module_path); -+ if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) { ++ if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) { + verbose("refusing PKCS#11 provider \"%.100s\": " -+ "not whitelisted", canonical_provider); ++ "not allowed", canonical_provider); + pkcs11_uri_cleanup(uri); + return NULL; + } 
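Review bot: In `test_percent_encode()` the comments and the `check_encode()` parameter are renamed to "allow list", but the calls five lines below still pass `PKCS11_URI_WHITELIST`, so the hunk now mixes both terms for the same thing. If the macro is renamed to `PKCS11_URI_ALLOWLIST` in the header hunk of this patch, these calls will not compile and need the same rename; if it is not, either rename it there and update these tests in the same patch, or leave the test comments reading `/* Default whitelist ... */` so a reader is not sent looking for a macro that does not exist. The `@@ -1045` hunk in this same file did make the matching change for the `allowed_providers` variable, so the macro is the one straggler visible here.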
@@ -1085,9 +1085,9 @@ index 7eb6f0dc..27d8e4af 100644 - provider, strerror(errno)); - goto send; - } -- if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) { +- if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) { - verbose("refusing PKCS#11 add of \"%.100s\": " -- "provider not whitelisted", canonical_provider); +- "provider not allowed", canonical_provider); + + sane_uri = sanitize_pkcs11_provider(provider); + if (sane_uri == NULL) @@ -1342,7 +1342,7 @@ index 00000000..e1a7b4e0 +} + +struct sshbuf * -+percent_encode(const char *data, size_t length, const char *whitelist) ++percent_encode(const char *data, size_t length, const char *allow_list) +{ + struct sshbuf *b = NULL; + char tmp[4], *cp; @@ -1351,7 +1351,7 @@ index 00000000..e1a7b4e0 + if ((b = sshbuf_new()) == NULL) + return NULL; + for (i = 0; i < length; i++) { -+ cp = strchr(whitelist, data[i]); ++ cp = strchr(allow_list, data[i]); + /* if c is specified as '\0' pointer to terminator is returned !! */ + if (cp != NULL && *cp != '\0') { + if (sshbuf_put(b, &data[i], 1) != 0) @@ -3115,7 +3115,7 @@ index 15aee569..976844cb 100644 + } +#endif /* ENABLE_PKCS11 */ + cp = tilde_expand_filename(name, getuid()); - filename = default_client_percent_expand(cp, + filename = default_client_percent_dollar_expand(cp, pw->pw_dir, host, options.user, pw->pw_name); free(cp); diff --git a/ssh_config.5 b/ssh_config.5 diff --git a/openssh-8.3p1-sshd_include.patch b/openssh-8.3p1-sshd_include.patch deleted file mode 100644 index a399e6a..0000000 --- a/openssh-8.3p1-sshd_include.patch +++ /dev/null 
@@ -1,227 +0,0 @@ -From 3caa40f40c7f97ecf46969e050e530338864033e Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Mon, 25 May 2020 15:46:51 +0200 -Subject: [PATCH 1/3] regress: Add more test cases - ---- - regress/servcfginclude.sh | 36 +++++++++++++++++++++++++++++++++++- - 1 file changed, 35 insertions(+), 1 deletion(-) - -diff --git a/regress/servcfginclude.sh b/regress/servcfginclude.sh -index b25c8faa..b6a9a248 100644 ---- a/regress/servcfginclude.sh -+++ b/regress/servcfginclude.sh -@@ -146,9 +146,43 @@ Include - _EOF - - trace "disallow invalid with no argument" --${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x \ -+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i.x -T \ - -C "host=x,user=test,addr=127.0.0.1" 2>/dev/null && \ - fail "sshd allowed Include with no argument" - -+# Ensure the Include before any Match block works as expected (bug #3122) -+cat > $OBJ/sshd_config.i << _EOF -+Banner /xx -+HostKey $OBJ/host.ssh-ed25519 -+Include $OBJ/sshd_config.i.2 -+Match host a -+ Banner /aaaa -+_EOF -+cat > $OBJ/sshd_config.i.2 << _EOF -+Match host a -+ Banner /aa -+_EOF -+ -+trace "Include before match blocks" -+trial a /aa "included file before match blocks is properly evaluated" -+ -+# Port in included file is correctly interpretted (bug #3169) -+cat > $OBJ/sshd_config.i << _EOF -+Include $OBJ/sshd_config.i.2 -+Port 7722 -+_EOF -+cat > $OBJ/sshd_config.i.2 << _EOF -+HostKey $OBJ/host.ssh-ed25519 -+_EOF -+ -+trace "Port after included files" -+${SUDO} ${REAL_SSHD} -f $OBJ/sshd_config.i -T \ -+ -C "host=x,user=test,addr=127.0.0.1" > $OBJ/sshd_config.out || \ -+ fail "failed to parse Port after included files" -+_port=`grep -i '^port ' $OBJ/sshd_config.out | awk '{print $2}'` -+if test "x7722" != "x$_port" ; then -+ fail "The Port in included file was intertepretted wrongly. 
Expected 7722, got $_port" -+fi -+ - # cleanup - rm -f $OBJ/sshd_config.i $OBJ/sshd_config.i.* $OBJ/sshd_config.out --- -2.25.4 - - -From 924922fcb8f34fb4a156367de2ee33ad92a68a6a Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Mon, 25 May 2020 16:56:39 +0200 -Subject: [PATCH 2/3] Do not call process_queued_listen_addrs() for every - included file - -Fixes #3169 ---- - servconf.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/servconf.c b/servconf.c -index 5bb4b1f8..78a7d87d 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -74,7 +74,7 @@ static void add_listen_addr(ServerOptions *, const char *, - const char *, int); - static void add_one_listen_addr(ServerOptions *, const char *, - const char *, int); --void parse_server_config_depth(ServerOptions *options, const char *filename, -+static void parse_server_config_depth(ServerOptions *options, const char *filename, - struct sshbuf *conf, struct include_list *includes, - struct connection_info *connectinfo, int flags, int *activep, int depth); - -@@ -2580,7 +2580,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) - #undef M_CP_STRARRAYOPT - - #define SERVCONF_MAX_DEPTH 16 --void -+static void - parse_server_config_depth(ServerOptions *options, const char *filename, - struct sshbuf *conf, struct include_list *includes, - struct connection_info *connectinfo, int flags, int *activep, int depth) -@@ -2606,7 +2606,6 @@ parse_server_config_depth(ServerOptions *options, const char *filename, - if (bad_options > 0) - fatal("%s: terminating, %d bad configuration options", - filename, bad_options); -- process_queued_listen_addrs(options); - } - - void -@@ -2617,6 +2616,7 @@ parse_server_config(ServerOptions *options, const char *filename, - int active = connectinfo ? 
0 : 1; - parse_server_config_depth(options, filename, conf, includes, - connectinfo, 0, &active, 0); -+ process_queued_listen_addrs(options); - } - - static const char * --- -2.25.4 - - -From 26d970b4fb373cb7bd99286e41dd095cd1eadbd0 Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Tue, 26 May 2020 16:25:24 +0200 -Subject: [PATCH 3/3] servconf: Fix parsing of Match blocks in included files - (#3122) - ---- - servconf.c | 28 +++++++++++++++++++--------- - 1 file changed, 19 insertions(+), 9 deletions(-) - -diff --git a/servconf.c b/servconf.c -index 78a7d87d..a8541514 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -554,6 +554,7 @@ typedef enum { - #define SSHCFG_MATCH 0x02 /* allowed inside a Match section */ - #define SSHCFG_ALL (SSHCFG_GLOBAL|SSHCFG_MATCH) - #define SSHCFG_NEVERMATCH 0x04 /* Match never matches; internal only */ -+#define SSHCFG_MATCH_ONLY 0x08 /* Match only in conditional blocks; internal only */ - - /* Textual representation of the tokens. */ - static struct { -@@ -1265,7 +1266,7 @@ static const struct multistate multistate_tcpfwd[] = { - static int - process_server_config_line_depth(ServerOptions *options, char *line, - const char *filename, int linenum, int *activep, -- struct connection_info *connectinfo, int inc_flags, int depth, -+ struct connection_info *connectinfo, int *inc_flags, int depth, - struct include_list *includes) - { - char ch, *cp, ***chararrayptr, **charptr, *arg, *arg2, *p; -@@ -2012,7 +2013,9 @@ process_server_config_line_depth(ServerOptions *options, char *line, - parse_server_config_depth(options, - item->filename, item->contents, - includes, connectinfo, -- (oactive ? 0 : SSHCFG_NEVERMATCH), -+ (*inc_flags & SSHCFG_MATCH_ONLY -+ ? SSHCFG_MATCH_ONLY : (oactive -+ ? 
0 : SSHCFG_NEVERMATCH)), - activep, depth + 1); - } - found = 1; -@@ -2060,7 +2063,9 @@ process_server_config_line_depth(ServerOptions *options, char *line, - parse_server_config_depth(options, - item->filename, item->contents, - includes, connectinfo, -- (oactive ? 0 : SSHCFG_NEVERMATCH), -+ (*inc_flags & SSHCFG_MATCH_ONLY -+ ? SSHCFG_MATCH_ONLY : (oactive -+ ? 0 : SSHCFG_NEVERMATCH)), - activep, depth + 1); - *activep = oactive; - TAILQ_INSERT_TAIL(includes, item, entry); -@@ -2078,11 +2083,14 @@ process_server_config_line_depth(ServerOptions *options, char *line, - if (cmdline) - fatal("Match directive not supported as a command-line " - "option"); -- value = match_cfg_line(&cp, linenum, connectinfo); -+ value = match_cfg_line(&cp, linenum, -+ (*inc_flags & SSHCFG_NEVERMATCH ? NULL : connectinfo)); - if (value < 0) - fatal("%s line %d: Bad Match condition", filename, - linenum); -- *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; -+ *activep = (*inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; -+ /* The MATCH_ONLY is applicable only until the first match block */ -+ *inc_flags &= ~SSHCFG_MATCH_ONLY; - break; - - case sKerberosUseKuserok: -@@ -2385,8 +2393,9 @@ process_server_config_line(ServerOptions *options, char *line, - const char *filename, int linenum, int *activep, - struct connection_info *connectinfo, struct include_list *includes) - { -+ int inc_flags = 0; - return process_server_config_line_depth(options, line, filename, -- linenum, activep, connectinfo, 0, 0, includes); -+ linenum, activep, connectinfo, &inc_flags, 0, includes); - } - - -@@ -2591,14 +2600,15 @@ parse_server_config_depth(ServerOptions *options, const char *filename, - if (depth < 0 || depth > SERVCONF_MAX_DEPTH) - fatal("Too many recursive configuration includes"); - -- debug2("%s: config %s len %zu", __func__, filename, sshbuf_len(conf)); -+ debug2("%s: config %s len %zu%s", __func__, filename, sshbuf_len(conf), -+ (flags & SSHCFG_NEVERMATCH ? 
" [checking syntax only]" : "")); - - if ((obuf = cbuf = sshbuf_dup_string(conf)) == NULL) - fatal("%s: sshbuf_dup_string failed", __func__); - linenum = 1; - while ((cp = strsep(&cbuf, "\n")) != NULL) { - if (process_server_config_line_depth(options, cp, -- filename, linenum++, activep, connectinfo, flags, -+ filename, linenum++, activep, connectinfo, &flags, - depth, includes) != 0) - bad_options++; - } -@@ -2615,7 +2625,7 @@ parse_server_config(ServerOptions *options, const char *filename, - { - int active = connectinfo ? 0 : 1; - parse_server_config_depth(options, filename, conf, includes, -- connectinfo, 0, &active, 0); -+ connectinfo, (connectinfo ? SSHCFG_MATCH_ONLY : 0), &active, 0); - process_queued_listen_addrs(options); - } - --- -2.25.4 - - diff --git a/openssh-SNAP-20200921.tar.gz b/openssh-SNAP-20200921.tar.gz new file mode 100644 index 0000000..f16fe6a Binary files /dev/null and b/openssh-SNAP-20200921.tar.gz differ diff --git a/openssh.spec b/openssh.spec index 79ba7af..113bc2f 100644 --- a/openssh.spec +++ b/openssh.spec @@ -50,15 +50,15 @@ %{?static_openssl:%global static_libcrypto 1} # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 8.3p1 -%global openssh_rel 4 +%global openssh_ver 8.4p1 +%global openssh_rel 1 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 1 Summary: An open source implementation of SSH protocol version 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist} +Release: %{openssh_rel}.1%{?dist} URL: http://www.openssh.com/portable.html #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz 
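Review bot: This commit checks a binary `openssh-SNAP-20200921.tar.gz` into the repository while `Source0` stays `openssh-%{version}.tar.gz`, the `.gitignore` hunk only adds `openssh-8.4p1.tar.gz`, and the `sources` manifest carries no SHA512 for the snapshot, so it is an unreferenced and unverified tarball in git. If it is a leftover from testing the rebase against the pre-release snapshot, drop it from the commit; if it is genuinely needed, it belongs in `sources` with its hash and in `.gitignore` like the other tarballs, not in the tree. Separately, `Release: %{openssh_rel}.1%{?dist}` with `openssh_rel` reset to 1 yields `1.1`; if the `.1` suffix is a deliberate branch-specific bump, say so in the comment above `%global openssh_rel`, otherwise the plain `Release: %{openssh_rel}%{?dist}` this line replaces is what the "bump pam_ssh_agent_auth release" note assumes.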
@@ -184,8 +184,7 @@ Patch951: openssh-8.0p1-pkcs11-uri.patch # Unbreak scp between two IPv6 hosts (#1620333) Patch953: openssh-7.8p1-scp-ipv6.patch # ssh-copy-id is unmaintained: Aggreagete patches -# - do not return 0 if the write fails (full disk) -# - shellcheck reports (upstream #2902) +# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2 Patch958: openssh-7.9p1-ssh-copy-id.patch # Mention crypto-policies in manual pages (#1668325) Patch962: openssh-8.0p1-crypto-policies.patch @@ -197,8 +196,6 @@ Patch964: openssh-8.0p1-openssl-kdf.patch Patch965: openssh-8.2p1-visibility.patch # Do not break X11 without IPv6 Patch966: openssh-8.2p1-x11-without-ipv6.patch -# Unbreak sshd_config include corner cases (#3122) -Patch967: openssh-8.3p1-sshd_include.patch License: BSD Requires: /sbin/nologin @@ -219,7 +216,7 @@ BuildRequires: pam-devel BuildRequires: openssl-devel >= 0.9.8j BuildRequires: perl-podlators BuildRequires: systemd-devel -BuildRequires: gcc +BuildRequires: gcc make BuildRequires: p11-kit-devel BuildRequires: libfido2-devel Recommends: p11-kit @@ -272,7 +269,7 @@ Requires: openssh = %{version}-%{release} %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} -Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.1 +Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2 License: BSD %description @@ -382,7 +379,6 @@ popd %patch964 -p1 -b .openssl-kdf %patch965 -p1 -b .visibility %patch966 -p1 -b .x11-ipv6 -%patch967 -p1 -b .include %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race diff --git a/sources b/sources index 112375c..41d33d0 100644 --- a/sources +++ b/sources 
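Review bot: The Patch958 comment now consists of a bare merge-request URL, so a reader of the spec no longer learns what the patch does and the link may not outlive the repository. Keep a one-line description in front of it, e.g. `# ssh-copy-id: fail hard on the first failed write to authorized_keys (full disk)` followed by the URL. The removed `# - shellcheck reports (upstream #2902)` line is also the only place that records the shellcheck hunks having been dropped from the patch; that belongs in the changelog entry as well.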
@@ -1,4 +1,4 @@
-SHA512 (openssh-8.3p1.tar.gz) = b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
-SHA512 (openssh-8.3p1.tar.gz.asc) = 569fa12b3671af15bd7cd54fc7b13d1d64f3e96eb28f6dc430082f7bec4595689c633d3d56c23faad45b73e4da666c3ec090de26bf54f49410ba9bb8b5363e75
+SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
+SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
+SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
 SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
-SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66