- upgrade to latest upstream
- use libedit in sftp (#203009) - fixed audit log injection problem (CVE-2007-3102)
This commit is contained in:
Tomáš Mráz
parent
f370730d3b
commit
c9833c96a4
|
|
@ -1 +1 @@
|
|||
openssh-4.5p1-noacss.tar.bz2
|
||||
openssh-4.7p1-noacss.tar.bz2
|
||||
|
|
|
|||
|
|
@ -1,53 +0,0 @@
|
|||
--- openssh-3.9p1/log.h.log-chroot 2006-02-22 10:54:04.000000000 +0100
|
||||
+++ openssh-3.9p1/log.h 2006-02-22 10:53:29.000000000 +0100
|
||||
@@ -63,4 +63,6 @@
|
||||
|
||||
void do_log(LogLevel, const char *, va_list);
|
||||
void cleanup_exit(int) __dead;
|
||||
+
|
||||
+void open_log(void);
|
||||
#endif
|
||||
--- openssh-3.9p1/log.c.log-chroot 2006-02-22 13:29:48.000000000 +0100
|
||||
+++ openssh-3.9p1/log.c 2006-02-22 10:56:01.000000000 +0100
|
||||
@@ -48,6 +48,7 @@
|
||||
static int log_on_stderr = 1;
|
||||
static int log_facility = LOG_AUTH;
|
||||
static char *argv0;
|
||||
+static int log_fd_keep;
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
@@ -330,9 +331,20 @@
|
||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||
closelog_r(&sdata);
|
||||
#else
|
||||
+ if (!log_fd_keep) {
|
||||
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
|
||||
+ }
|
||||
syslog(pri, "%.500s", fmtbuf);
|
||||
+ if (!log_fd_keep) {
|
||||
closelog();
|
||||
+ }
|
||||
#endif
|
||||
}
|
||||
}
|
||||
+
|
||||
+void
|
||||
+open_log(void)
|
||||
+{
|
||||
+ openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
|
||||
+ log_fd_keep = 1;
|
||||
+}
|
||||
--- openssh-3.9p1/sshd.c.log-chroot 2006-01-11 13:42:32.000000000 +0100
|
||||
+++ openssh-3.9p1/sshd.c 2006-02-22 18:58:24.000000000 +0100
|
||||
@@ -565,6 +565,10 @@
|
||||
memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
|
||||
endpwent();
|
||||
|
||||
+ /* Open the syslog permanently so the chrooted process still
|
||||
+ can write to syslog. */
|
||||
+ open_log();
|
||||
+
|
||||
/* Change our root directory */
|
||||
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
||||
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
||||
|
|
@ -0,0 +1,62 @@
|
|||
--- openssh-4.3p2/loginrec.c.inject-fix 2007-06-20 21:18:00.000000000 +0200
|
||||
+++ openssh-4.3p2/loginrec.c 2007-07-13 15:25:35.000000000 +0200
|
||||
@@ -1389,11 +1389,44 @@
|
||||
#endif /* USE_WTMPX */
|
||||
|
||||
#ifdef HAVE_LINUX_AUDIT
|
||||
+static void
|
||||
+_audit_hexscape(const char *what, char *where, unsigned int size)
|
||||
+{
|
||||
+ const char *ptr = what;
|
||||
+ const char *hex = "0123456789ABCDEF";
|
||||
+
|
||||
+ while (*ptr) {
|
||||
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
|
||||
+ unsigned int i;
|
||||
+ ptr = what;
|
||||
+ for (i = 0; *ptr && i+2 < size; i += 2) {
|
||||
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
|
||||
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
|
||||
+ ptr++;
|
||||
+ }
|
||||
+ where[i] = '\0';
|
||||
+ return;
|
||||
+ }
|
||||
+ ptr++;
|
||||
+ }
|
||||
+ where[0] = '"';
|
||||
+ if ((unsigned)(ptr - what) < size - 3)
|
||||
+ {
|
||||
+ size = ptr - what + 3;
|
||||
+ }
|
||||
+ strncpy(where + 1, what, size - 3);
|
||||
+ where[size-2] = '"';
|
||||
+ where[size-1] = '\0';
|
||||
+}
|
||||
+
|
||||
+#define AUDIT_LOG_SIZE 128
|
||||
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
|
||||
+
|
||||
int
|
||||
linux_audit_record_event(int uid, const char *username,
|
||||
const char *hostname, const char *ip, const char *ttyn, int success)
|
||||
{
|
||||
- char buf[64];
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
int audit_fd, rc;
|
||||
|
||||
audit_fd = audit_open();
|
||||
@@ -1406,8 +1439,11 @@
|
||||
}
|
||||
if (username == NULL)
|
||||
snprintf(buf, sizeof(buf), "uid=%d", uid);
|
||||
- else
|
||||
- snprintf(buf, sizeof(buf), "acct=%s", username);
|
||||
+ else {
|
||||
+ char encoded[AUDIT_ACCT_SIZE];
|
||||
+ _audit_hexscape(username, encoded, sizeof(encoded));
|
||||
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
|
||||
+ }
|
||||
rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
|
||||
buf, hostname, ip, ttyn, success);
|
||||
close(audit_fd);
|
||||
|
|
@ -1,6 +1,34 @@
|
|||
--- openssh-4.5p1/loginrec.c.audit 2006-09-07 14:57:54.000000000 +0200
|
||||
+++ openssh-4.5p1/loginrec.c 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -175,6 +175,10 @@
|
||||
diff -up openssh-4.7p1/auth.c.audit openssh-4.7p1/auth.c
|
||||
--- openssh-4.7p1/auth.c.audit 2007-03-26 18:35:28.000000000 +0200
|
||||
+++ openssh-4.7p1/auth.c 2007-09-06 17:07:44.000000000 +0200
|
||||
@@ -286,6 +286,12 @@ auth_log(Authctxt *authctxt, int authent
|
||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||
# endif
|
||||
#endif
|
||||
+#if HAVE_LINUX_AUDIT
|
||||
+ if (authenticated == 0 && !authctxt->postponed) {
|
||||
+ linux_audit_record_event(-1, authctxt->user, NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 0);
|
||||
+ }
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
audit_event(audit_classify_auth(method));
|
||||
@@ -492,6 +498,10 @@ getpwnamallow(const char *user)
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
|
||||
+ "sshd", 0);
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_event(SSH_INVALID_USER);
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-4.7p1/loginrec.c.audit openssh-4.7p1/loginrec.c
|
||||
--- openssh-4.7p1/loginrec.c.audit 2007-04-29 04:10:58.000000000 +0200
|
||||
+++ openssh-4.7p1/loginrec.c 2007-09-06 17:07:44.000000000 +0200
|
||||
@@ -176,6 +176,10 @@
|
||||
#include "auth.h"
|
||||
#include "buffer.h"
|
||||
|
||||
|
|
@ -11,7 +39,7 @@
|
|||
#ifdef HAVE_UTIL_H
|
||||
# include <util.h>
|
||||
#endif
|
||||
@@ -201,6 +205,9 @@
|
||||
@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
|
||||
int utmpx_write_entry(struct logininfo *li);
|
||||
int wtmp_write_entry(struct logininfo *li);
|
||||
int wtmpx_write_entry(struct logininfo *li);
|
||||
|
|
@ -21,7 +49,7 @@
|
|||
int lastlog_write_entry(struct logininfo *li);
|
||||
int syslogin_write_entry(struct logininfo *li);
|
||||
|
||||
@@ -439,6 +446,10 @@
|
||||
@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
|
||||
|
||||
/* set the timestamp */
|
||||
login_set_current_time(li);
|
||||
|
|
@ -32,7 +60,7 @@
|
|||
#ifdef USE_LOGIN
|
||||
syslogin_write_entry(li);
|
||||
#endif
|
||||
@@ -1393,6 +1404,51 @@
|
||||
@@ -1394,6 +1405,51 @@ wtmpx_get_entry(struct logininfo *li)
|
||||
}
|
||||
#endif /* USE_WTMPX */
|
||||
|
||||
|
|
@ -84,40 +112,10 @@
|
|||
/**
|
||||
** Low-level libutil login() functions
|
||||
**/
|
||||
--- openssh-4.5p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-4.5p1/loginrec.h 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -127,5 +127,9 @@
|
||||
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
||||
|
||||
void record_failed_login(const char *, const char *, const char *);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+int linux_audit_record_event(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success);
|
||||
+#endif /* HAVE_LINUX_AUDIT */
|
||||
|
||||
#endif /* _HAVE_LOGINREC_H_ */
|
||||
--- openssh-4.5p1/Makefile.in.audit 2006-10-23 23:44:47.000000000 +0200
|
||||
+++ openssh-4.5p1/Makefile.in 2006-12-21 12:19:39.000000000 +0100
|
||||
@@ -45,6 +45,7 @@
|
||||
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
LIBS=@LIBS@
|
||||
LIBSELINUX=@LIBSELINUX@
|
||||
+LIBAUDIT=@LIBAUDIT@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBPAM=@LIBPAM@
|
||||
@@ -139,7 +140,7 @@
|
||||
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBAUDIT) $(SSHDLIBS) $(LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
--- openssh-4.5p1/config.h.in.audit 2006-11-07 14:07:01.000000000 +0100
|
||||
+++ openssh-4.5p1/config.h.in 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -1305,6 +1305,9 @@
|
||||
diff -up openssh-4.7p1/config.h.in.audit openssh-4.7p1/config.h.in
|
||||
--- openssh-4.7p1/config.h.in.audit 2007-09-04 08:50:04.000000000 +0200
|
||||
+++ openssh-4.7p1/config.h.in 2007-09-06 17:07:44.000000000 +0200
|
||||
@@ -1334,6 +1334,9 @@
|
||||
/* Define if you want SELinux support. */
|
||||
#undef WITH_SELINUX
|
||||
|
||||
|
|
@ -127,30 +125,42 @@
|
|||
/* Define to 1 if your processor stores words with the most significant byte
|
||||
first (like Motorola and SPARC, unlike Intel and VAX). */
|
||||
#undef WORDS_BIGENDIAN
|
||||
--- openssh-4.5p1/configure.ac.audit 2006-12-21 12:17:34.000000000 +0100
|
||||
+++ openssh-4.5p1/configure.ac 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -3161,6 +3161,20 @@
|
||||
diff -up openssh-4.7p1/loginrec.h.audit openssh-4.7p1/loginrec.h
|
||||
--- openssh-4.7p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-4.7p1/loginrec.h 2007-09-06 17:07:44.000000000 +0200
|
||||
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
|
||||
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
||||
|
||||
void record_failed_login(const char *, const char *, const char *);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+int linux_audit_record_event(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success);
|
||||
+#endif /* HAVE_LINUX_AUDIT */
|
||||
|
||||
#endif /* _HAVE_LOGINREC_H_ */
|
||||
diff -up openssh-4.7p1/configure.ac.audit openssh-4.7p1/configure.ac
|
||||
--- openssh-4.7p1/configure.ac.audit 2007-09-06 17:07:44.000000000 +0200
|
||||
+++ openssh-4.7p1/configure.ac 2007-09-06 17:15:23.000000000 +0200
|
||||
@@ -3216,6 +3216,18 @@ AC_ARG_WITH(selinux,
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST(LIBSELINUX)
|
||||
|
||||
+# Check whether user wants Linux audit support
|
||||
+LINUX_AUDIT_MSG="no"
|
||||
+LIBAUDIT=""
|
||||
+AC_ARG_WITH(linux-audit,
|
||||
+ [ --with-linux-audit Enable Linux audit support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
|
||||
+ LINUX_AUDIT_MSG="yes"
|
||||
+ AC_CHECK_HEADERS(libaudit.h)
|
||||
+ LIBAUDIT="-laudit"
|
||||
+ fi
|
||||
+ ])
|
||||
+AC_SUBST(LIBAUDIT)
|
||||
+ SSHDLIBS="$SSHDLIBS -laudit"
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
AC_ARG_WITH(kerberos5,
|
||||
@@ -3982,6 +3996,7 @@
|
||||
@@ -4037,6 +4049,7 @@ echo " PAM support
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
|
|
@ -158,29 +168,3 @@
|
|||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
--- openssh-4.5p1/auth.c.audit 2006-10-27 17:10:16.000000000 +0200
|
||||
+++ openssh-4.5p1/auth.c 2006-12-21 12:17:35.000000000 +0100
|
||||
@@ -286,6 +286,12 @@
|
||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||
# endif
|
||||
#endif
|
||||
+#if HAVE_LINUX_AUDIT
|
||||
+ if (authenticated == 0 && !authctxt->postponed) {
|
||||
+ linux_audit_record_event(-1, authctxt->user, NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 0);
|
||||
+ }
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
audit_event(audit_classify_auth(method));
|
||||
@@ -492,6 +498,10 @@
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
|
||||
+ "sshd", 0);
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_event(SSH_INVALID_USER);
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
|
|
@ -0,0 +1,57 @@
|
|||
diff -up openssh-4.7p1/sshd.c.log-chroot openssh-4.7p1/sshd.c
|
||||
--- openssh-4.7p1/sshd.c.log-chroot 2007-09-06 17:24:13.000000000 +0200
|
||||
+++ openssh-4.7p1/sshd.c 2007-09-06 17:24:13.000000000 +0200
|
||||
@@ -596,6 +596,10 @@ privsep_preauth_child(void)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data();
|
||||
|
||||
+ /* Open the syslog permanently so the chrooted process still
|
||||
+ can write to syslog. */
|
||||
+ open_log();
|
||||
+
|
||||
/* Change our root directory */
|
||||
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
|
||||
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
|
||||
diff -up openssh-4.7p1/log.c.log-chroot openssh-4.7p1/log.c
|
||||
--- openssh-4.7p1/log.c.log-chroot 2007-05-20 07:08:16.000000000 +0200
|
||||
+++ openssh-4.7p1/log.c 2007-09-06 17:29:34.000000000 +0200
|
||||
@@ -56,6 +56,7 @@ static LogLevel log_level = SYSLOG_LEVEL
|
||||
static int log_on_stderr = 1;
|
||||
static int log_facility = LOG_AUTH;
|
||||
static char *argv0;
|
||||
+static int log_fd_keep;
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
@@ -370,10 +371,21 @@ do_log(LogLevel level, const char *fmt,
|
||||
syslog_r(pri, &sdata, "%.500s", fmtbuf);
|
||||
closelog_r(&sdata);
|
||||
#else
|
||||
+ if (!log_fd_keep) {
|
||||
openlog(argv0 ? argv0 : __progname, LOG_PID, log_facility);
|
||||
+ }
|
||||
syslog(pri, "%.500s", fmtbuf);
|
||||
+ if (!log_fd_keep) {
|
||||
closelog();
|
||||
+ }
|
||||
#endif
|
||||
}
|
||||
errno = saved_errno;
|
||||
}
|
||||
+
|
||||
+void
|
||||
+open_log(void)
|
||||
+{
|
||||
+ openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
|
||||
+ log_fd_keep = 1;
|
||||
+}
|
||||
diff -up openssh-4.7p1/log.h.log-chroot openssh-4.7p1/log.h
|
||||
--- openssh-4.7p1/log.h.log-chroot 2006-08-18 16:32:21.000000000 +0200
|
||||
+++ openssh-4.7p1/log.h 2007-09-06 17:24:13.000000000 +0200
|
||||
@@ -62,4 +62,6 @@ void debug3(const char *, ...) __att
|
||||
|
||||
void do_log(LogLevel, const char *, va_list);
|
||||
void cleanup_exit(int) __dead;
|
||||
+
|
||||
+void open_log(void);
|
||||
#endif
|
||||
|
|
@ -1,5 +1,53 @@
|
|||
--- openssh-4.5p1/openbsd-compat/port-linux.c.mls 2007-01-16 22:13:32.000000000 +0100
|
||||
+++ openssh-4.5p1/openbsd-compat/port-linux.c 2007-03-20 10:07:39.000000000 +0100
|
||||
diff -up openssh-4.7p1/misc.c.mls openssh-4.7p1/misc.c
|
||||
--- openssh-4.7p1/misc.c.mls 2007-01-05 06:24:48.000000000 +0100
|
||||
+++ openssh-4.7p1/misc.c 2007-09-06 17:39:28.000000000 +0200
|
||||
@@ -418,6 +418,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
+ int start = 1;
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return (0);
|
||||
@@ -431,8 +432,13 @@ colon(char *cp)
|
||||
return (cp+1);
|
||||
if (*cp == ':' && !flag)
|
||||
return (cp);
|
||||
- if (*cp == '/')
|
||||
- return (0);
|
||||
+ if (start) {
|
||||
+ /* Slash on beginning or after dots only denotes file name. */
|
||||
+ if (*cp == '/')
|
||||
+ return (0);
|
||||
+ if (*cp != '.')
|
||||
+ start = 0;
|
||||
+ }
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
diff -up openssh-4.7p1/session.c.mls openssh-4.7p1/session.c
|
||||
--- openssh-4.7p1/session.c.mls 2007-09-06 17:39:28.000000000 +0200
|
||||
+++ openssh-4.7p1/session.c 2007-09-06 17:39:28.000000000 +0200
|
||||
@@ -1347,10 +1347,6 @@ do_setusercontext(struct passwd *pw)
|
||||
#endif
|
||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
||||
-
|
||||
-#ifdef WITH_SELINUX
|
||||
- ssh_selinux_setup_exec_context(pw->pw_name);
|
||||
-#endif
|
||||
}
|
||||
|
||||
static void
|
||||
diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-compat/port-linux.c
|
||||
--- openssh-4.7p1/openbsd-compat/port-linux.c.mls 2007-09-06 17:39:28.000000000 +0200
|
||||
+++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-08-07 17:38:18.000000000 +0200
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $Id: port-linux.c,v 1.4 2007/06/27 22:48:03 djm Exp $ */
|
||||
+/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
@@ -33,12 +33,23 @@
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
|
|
@ -24,7 +72,7 @@
|
|||
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
static int
|
||||
@@ -54,17 +65,173 @@
|
||||
@@ -54,17 +65,173 @@ ssh_selinux_enabled(void)
|
||||
return (enabled);
|
||||
}
|
||||
|
||||
|
|
@ -204,7 +252,7 @@
|
|||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
sename = NULL;
|
||||
@@ -72,37 +239,63 @@
|
||||
@@ -72,37 +239,62 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
}
|
||||
#else
|
||||
sename = pwname;
|
||||
|
|
@ -236,6 +284,7 @@
|
|||
- case 0:
|
||||
- error("%s: Failed to get default SELinux security "
|
||||
- "context for %s", __func__, pwname);
|
||||
- break;
|
||||
- default:
|
||||
- fatal("%s: Failed to get default SELinux security "
|
||||
- "context for %s (in enforcing mode)",
|
||||
|
|
@ -257,7 +306,7 @@
|
|||
+ reqlvl = "";
|
||||
+
|
||||
+ debug("%s: current connection level '%s'", __func__, reqlvl);
|
||||
+ }
|
||||
}
|
||||
+
|
||||
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
|
||||
+ r = get_user_context(sename, role, reqlvl, user_sc);
|
||||
|
|
@ -280,16 +329,15 @@
|
|||
+ }
|
||||
+ } else {
|
||||
+ *user_sc = *default_sc;
|
||||
}
|
||||
}
|
||||
+ }
|
||||
+ }
|
||||
+ if (r != 0) {
|
||||
+ error("%s: Failed to get default SELinux security "
|
||||
+ "context for %s", __func__, pwname);
|
||||
+ }
|
||||
}
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if (sename != NULL)
|
||||
@@ -110,14 +303,20 @@
|
||||
@@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
if (lvl != NULL)
|
||||
xfree(lvl);
|
||||
#endif
|
||||
|
|
@ -311,7 +359,7 @@
|
|||
security_context_t user_ctx = NULL;
|
||||
|
||||
if (!ssh_selinux_enabled())
|
||||
@@ -125,21 +324,39 @@
|
||||
@@ -126,22 +324,39 @@ ssh_selinux_setup_exec_context(char *pwn
|
||||
|
||||
debug3("%s: setting execution context", __func__);
|
||||
|
||||
|
|
@ -342,7 +390,7 @@
|
|||
- "context for %s", __func__, pwname);
|
||||
+ error("%s: SELinux failure. Continuing in permissive mode.",
|
||||
+ __func__);
|
||||
+ break;
|
||||
break;
|
||||
default:
|
||||
- fatal("%s: Failed to set SELinux execution context "
|
||||
- "for %s (in enforcing mode)", __func__, pwname);
|
||||
|
|
@ -358,7 +406,7 @@
|
|||
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
@@ -157,7 +374,10 @@
|
||||
@@ -159,7 +374,10 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
|
|
@ -370,9 +418,10 @@
|
|||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
--- openssh-4.5p1/sshd.c.mls 2007-01-16 22:13:32.000000000 +0100
|
||||
+++ openssh-4.5p1/sshd.c 2007-01-16 22:13:32.000000000 +0100
|
||||
@@ -1833,6 +1833,9 @@
|
||||
diff -up openssh-4.7p1/sshd.c.mls openssh-4.7p1/sshd.c
|
||||
--- openssh-4.7p1/sshd.c.mls 2007-09-06 17:39:28.000000000 +0200
|
||||
+++ openssh-4.7p1/sshd.c 2007-09-06 17:39:28.000000000 +0200
|
||||
@@ -1838,6 +1838,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
|
|
@ -382,42 +431,3 @@
|
|||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
do_pam_setcred(1);
|
||||
--- openssh-4.5p1/misc.c.mls 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-4.5p1/misc.c 2007-01-16 22:13:32.000000000 +0100
|
||||
@@ -418,6 +418,7 @@
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
+ int start = 1;
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return (0);
|
||||
@@ -431,8 +432,13 @@
|
||||
return (cp+1);
|
||||
if (*cp == ':' && !flag)
|
||||
return (cp);
|
||||
- if (*cp == '/')
|
||||
- return (0);
|
||||
+ if (start) {
|
||||
+ /* Slash on beginning or after dots only denotes file name. */
|
||||
+ if (*cp == '/')
|
||||
+ return (0);
|
||||
+ if (*cp != '.')
|
||||
+ start = 0;
|
||||
+ }
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
--- openssh-4.5p1/session.c.mls 2007-01-16 22:13:32.000000000 +0100
|
||||
+++ openssh-4.5p1/session.c 2007-01-16 22:13:32.000000000 +0100
|
||||
@@ -1347,10 +1347,6 @@
|
||||
#endif
|
||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
||||
-
|
||||
-#ifdef WITH_SELINUX
|
||||
- ssh_selinux_setup_exec_context(pw->pw_name);
|
||||
-#endif
|
||||
}
|
||||
|
||||
static void
|
||||
File diff suppressed because it is too large
Load Diff
|
|
@ -1,28 +1,80 @@
|
|||
--- openssh-4.3p2/auth-pam.c.pam-session 2006-11-27 17:39:08.000000000 +0100
|
||||
+++ openssh-4.3p2/auth-pam.c 2006-11-27 19:31:41.000000000 +0100
|
||||
@@ -563,15 +563,17 @@
|
||||
void
|
||||
sshpam_cleanup(void)
|
||||
{
|
||||
- debug("PAM: cleanup");
|
||||
- if (sshpam_handle == NULL)
|
||||
+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
|
||||
return;
|
||||
+ debug("PAM: cleanup");
|
||||
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
|
||||
if (sshpam_cred_established) {
|
||||
+ debug("PAM: deleting credentials");
|
||||
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
|
||||
sshpam_cred_established = 0;
|
||||
}
|
||||
if (sshpam_session_open) {
|
||||
+ debug("PAM: closing session");
|
||||
pam_close_session(sshpam_handle, PAM_SILENT);
|
||||
sshpam_session_open = 0;
|
||||
}
|
||||
--- openssh-4.3p2/sshd.c.pam-session 2006-11-27 17:29:44.000000000 +0100
|
||||
+++ openssh-4.3p2/sshd.c 2006-11-28 21:21:52.000000000 +0100
|
||||
@@ -1745,7 +1745,21 @@
|
||||
diff -up openssh-4.7p1/session.c.pam-session openssh-4.7p1/session.c
|
||||
--- openssh-4.7p1/session.c.pam-session 2007-08-16 15:28:04.000000000 +0200
|
||||
+++ openssh-4.7p1/session.c 2007-09-06 17:37:46.000000000 +0200
|
||||
@@ -422,11 +422,6 @@ do_exec_no_pty(Session *s, const char *c
|
||||
|
||||
session_proctitle(s);
|
||||
|
||||
-#if defined(USE_PAM)
|
||||
- if (options.use_pam && !use_privsep)
|
||||
- do_pam_setcred(1);
|
||||
-#endif /* USE_PAM */
|
||||
-
|
||||
/* Fork the child. */
|
||||
if ((pid = fork()) == 0) {
|
||||
is_child = 1;
|
||||
@@ -557,14 +552,6 @@ do_exec_pty(Session *s, const char *comm
|
||||
ptyfd = s->ptyfd;
|
||||
ttyfd = s->ttyfd;
|
||||
|
||||
-#if defined(USE_PAM)
|
||||
- if (options.use_pam) {
|
||||
- do_pam_set_tty(s->tty);
|
||||
- if (!use_privsep)
|
||||
- do_pam_setcred(1);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
/* Fork the child. */
|
||||
if ((pid = fork()) == 0) {
|
||||
is_child = 1;
|
||||
@@ -1300,17 +1287,9 @@ do_setusercontext(struct passwd *pw)
|
||||
# ifdef __bsdi__
|
||||
setpgid(0, 0);
|
||||
# endif
|
||||
-#ifdef GSSAPI
|
||||
- if (options.gss_authentication) {
|
||||
- temporarily_use_uid(pw);
|
||||
- ssh_gssapi_storecreds();
|
||||
- restore_uid();
|
||||
- }
|
||||
-#endif
|
||||
# ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
- do_pam_session();
|
||||
- do_pam_setcred(use_privsep);
|
||||
+ do_pam_setcred(0);
|
||||
}
|
||||
# endif /* USE_PAM */
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
@@ -1337,13 +1316,6 @@ do_setusercontext(struct passwd *pw)
|
||||
exit(1);
|
||||
}
|
||||
endgrent();
|
||||
-#ifdef GSSAPI
|
||||
- if (options.gss_authentication) {
|
||||
- temporarily_use_uid(pw);
|
||||
- ssh_gssapi_storecreds();
|
||||
- restore_uid();
|
||||
- }
|
||||
-#endif
|
||||
# ifdef USE_PAM
|
||||
/*
|
||||
* PAM credentials may take the form of supplementary groups.
|
||||
@@ -1351,8 +1323,7 @@ do_setusercontext(struct passwd *pw)
|
||||
* Reestablish them here.
|
||||
*/
|
||||
if (options.use_pam) {
|
||||
- do_pam_session();
|
||||
- do_pam_setcred(use_privsep);
|
||||
+ do_pam_setcred(0);
|
||||
}
|
||||
# endif /* USE_PAM */
|
||||
# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
|
||||
diff -up openssh-4.7p1/sshd.c.pam-session openssh-4.7p1/sshd.c
|
||||
--- openssh-4.7p1/sshd.c.pam-session 2007-09-06 17:37:46.000000000 +0200
|
||||
+++ openssh-4.7p1/sshd.c 2007-09-06 17:37:46.000000000 +0200
|
||||
@@ -1831,7 +1831,21 @@ main(int ac, char **av)
|
||||
audit_event(SSH_AUTH_SUCCESS);
|
||||
#endif
|
||||
|
||||
|
|
@ -45,9 +97,10 @@
|
|||
* In privilege separation, we fork another child and prepare
|
||||
* file descriptor passing.
|
||||
*/
|
||||
--- openssh-4.3p2/monitor.c.pam-session 2006-11-27 17:29:44.000000000 +0100
|
||||
+++ openssh-4.3p2/monitor.c 2006-11-28 14:01:23.000000000 +0100
|
||||
@@ -1539,6 +1539,11 @@
|
||||
diff -up openssh-4.7p1/monitor.c.pam-session openssh-4.7p1/monitor.c
|
||||
--- openssh-4.7p1/monitor.c.pam-session 2007-09-06 17:37:46.000000000 +0200
|
||||
+++ openssh-4.7p1/monitor.c 2007-09-06 17:37:46.000000000 +0200
|
||||
@@ -1566,6 +1566,11 @@ mm_answer_term(int sock, Buffer *req)
|
||||
/* The child is terminating */
|
||||
session_destroy_all(&mm_session_close);
|
||||
|
||||
|
|
@ -59,71 +112,26 @@
|
|||
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
|
||||
if (errno != EINTR)
|
||||
exit(1);
|
||||
--- openssh-4.3p2/session.c.pam-session 2006-11-27 17:29:43.000000000 +0100
|
||||
+++ openssh-4.3p2/session.c 2006-11-28 21:17:56.000000000 +0100
|
||||
@@ -395,11 +395,6 @@
|
||||
|
||||
session_proctitle(s);
|
||||
|
||||
-#if defined(USE_PAM)
|
||||
- if (options.use_pam && !use_privsep)
|
||||
- do_pam_setcred(1);
|
||||
-#endif /* USE_PAM */
|
||||
-
|
||||
/* Fork the child. */
|
||||
if ((pid = fork()) == 0) {
|
||||
is_child = 1;
|
||||
@@ -530,14 +525,6 @@
|
||||
ptyfd = s->ptyfd;
|
||||
ttyfd = s->ttyfd;
|
||||
|
||||
-#if defined(USE_PAM)
|
||||
- if (options.use_pam) {
|
||||
- do_pam_set_tty(s->tty);
|
||||
- if (!use_privsep)
|
||||
- do_pam_setcred(1);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
/* Fork the child. */
|
||||
if ((pid = fork()) == 0) {
|
||||
is_child = 1;
|
||||
@@ -1266,16 +1253,8 @@
|
||||
# ifdef __bsdi__
|
||||
setpgid(0, 0);
|
||||
# endif
|
||||
-#ifdef GSSAPI
|
||||
- if (options.gss_authentication) {
|
||||
- temporarily_use_uid(pw);
|
||||
- ssh_gssapi_storecreds();
|
||||
- restore_uid();
|
||||
- }
|
||||
-#endif
|
||||
# ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
- do_pam_session();
|
||||
do_pam_setcred(0);
|
||||
}
|
||||
# endif /* USE_PAM */
|
||||
@@ -1303,13 +1282,6 @@
|
||||
exit(1);
|
||||
}
|
||||
endgrent();
|
||||
-#ifdef GSSAPI
|
||||
- if (options.gss_authentication) {
|
||||
- temporarily_use_uid(pw);
|
||||
- ssh_gssapi_storecreds();
|
||||
- restore_uid();
|
||||
- }
|
||||
-#endif
|
||||
# ifdef USE_PAM
|
||||
/*
|
||||
* PAM credentials may take the form of supplementary groups.
|
||||
@@ -1317,7 +1289,6 @@
|
||||
* Reestablish them here.
|
||||
*/
|
||||
if (options.use_pam) {
|
||||
- do_pam_session();
|
||||
do_pam_setcred(0);
|
||||
}
|
||||
# endif /* USE_PAM */
|
||||
diff -up openssh-4.7p1/auth-pam.c.pam-session openssh-4.7p1/auth-pam.c
|
||||
--- openssh-4.7p1/auth-pam.c.pam-session 2007-08-10 06:32:34.000000000 +0200
|
||||
+++ openssh-4.7p1/auth-pam.c 2007-09-06 17:37:46.000000000 +0200
|
||||
@@ -598,15 +598,17 @@ static struct pam_conv store_conv = { ss
|
||||
void
|
||||
sshpam_cleanup(void)
|
||||
{
|
||||
- debug("PAM: cleanup");
|
||||
- if (sshpam_handle == NULL)
|
||||
+ if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
|
||||
return;
|
||||
+ debug("PAM: cleanup");
|
||||
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
|
||||
if (sshpam_cred_established) {
|
||||
+ debug("PAM: deleting credentials");
|
||||
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
|
||||
sshpam_cred_established = 0;
|
||||
}
|
||||
if (sshpam_session_open) {
|
||||
+ debug("PAM: closing session");
|
||||
pam_close_session(sshpam_handle, PAM_SILENT);
|
||||
sshpam_session_open = 0;
|
||||
}
|
||||
|
|
@ -1,29 +1,7 @@
|
|||
--- openssh-4.5p1/sshd_config.0.redhat 2006-11-07 14:07:28.000000000 +0100
|
||||
+++ openssh-4.5p1/sshd_config.0 2006-12-20 22:04:16.000000000 +0100
|
||||
@@ -430,9 +430,9 @@
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
|
||||
- fault is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
--- openssh-4.5p1/sshd_config.redhat 2006-07-24 06:06:47.000000000 +0200
|
||||
+++ openssh-4.5p1/sshd_config 2006-12-20 21:59:15.000000000 +0100
|
||||
@@ -12,6 +12,7 @@
|
||||
|
||||
#Port 22
|
||||
#Protocol 2,1
|
||||
+Protocol 2
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
@@ -29,6 +30,7 @@
|
||||
diff -up openssh-4.7p1/sshd_config.redhat openssh-4.7p1/sshd_config
|
||||
--- openssh-4.7p1/sshd_config.redhat 2007-03-21 10:42:25.000000000 +0100
|
||||
+++ openssh-4.7p1/sshd_config 2007-09-06 16:23:58.000000000 +0200
|
||||
@@ -33,6 +33,7 @@ Protocol 2
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
|
|
@ -31,7 +9,7 @@
|
|||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
@@ -55,9 +57,11 @@
|
||||
@@ -59,9 +60,11 @@ Protocol 2
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
|
|
@ -43,7 +21,7 @@
|
|||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
@@ -67,7 +71,9 @@
|
||||
@@ -71,7 +74,9 @@ Protocol 2
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
|
|
@ -53,7 +31,7 @@
|
|||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
@@ -79,10 +85,16 @@
|
||||
@@ -83,10 +88,16 @@ Protocol 2
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
#UsePAM no
|
||||
|
|
@ -70,9 +48,10 @@
|
|||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PrintMotd yes
|
||||
--- openssh-4.5p1/ssh_config.redhat 2006-06-13 05:01:10.000000000 +0200
|
||||
+++ openssh-4.5p1/ssh_config 2006-12-20 21:59:15.000000000 +0100
|
||||
@@ -42,3 +42,13 @@
|
||||
diff -up openssh-4.7p1/ssh_config.redhat openssh-4.7p1/ssh_config
|
||||
--- openssh-4.7p1/ssh_config.redhat 2007-06-11 06:04:42.000000000 +0200
|
||||
+++ openssh-4.7p1/ssh_config 2007-09-06 16:21:49.000000000 +0200
|
||||
@@ -43,3 +43,13 @@
|
||||
# Tunnel no
|
||||
# TunnelDevice any:any
|
||||
# PermitLocalCommand no
|
||||
|
|
@ -86,9 +65,26 @@
|
|||
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL
|
||||
--- openssh-4.5p1/sshd_config.5.redhat 2006-08-30 03:06:34.000000000 +0200
|
||||
+++ openssh-4.5p1/sshd_config.5 2006-12-20 22:05:18.000000000 +0100
|
||||
@@ -740,7 +740,7 @@
|
||||
diff -up openssh-4.7p1/sshd_config.0.redhat openssh-4.7p1/sshd_config.0
|
||||
--- openssh-4.7p1/sshd_config.0.redhat 2007-09-04 08:50:11.000000000 +0200
|
||||
+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:21:49.000000000 +0200
|
||||
@@ -435,9 +435,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
|
||||
- fault is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff -up openssh-4.7p1/sshd_config.5.redhat openssh-4.7p1/sshd_config.5
|
||||
--- openssh-4.7p1/sshd_config.5.redhat 2007-06-11 06:07:13.000000000 +0200
|
||||
+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:21:49.000000000 +0200
|
||||
@@ -748,7 +748,7 @@ Note that this option applies to protoco
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
|
|
@ -1,16 +1,18 @@
|
|||
--- openssh-4.5p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200
|
||||
+++ openssh-4.5p1/auth.h 2006-12-20 22:10:48.000000000 +0100
|
||||
@@ -58,6 +58,7 @@
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+ char *role;
|
||||
void *kbdintctxt;
|
||||
#ifdef BSD_AUTH
|
||||
auth_session_t *as;
|
||||
--- openssh-4.5p1/auth1.c.selinux 2006-12-20 22:10:35.000000000 +0100
|
||||
+++ openssh-4.5p1/auth1.c 2006-12-20 22:10:48.000000000 +0100
|
||||
@@ -388,7 +388,7 @@
|
||||
diff -up openssh-4.7p1/configure.ac.selinux openssh-4.7p1/configure.ac
|
||||
--- openssh-4.7p1/configure.ac.selinux 2007-09-06 19:46:32.000000000 +0200
|
||||
+++ openssh-4.7p1/configure.ac 2007-09-06 19:52:23.000000000 +0200
|
||||
@@ -3211,6 +3211,7 @@ AC_ARG_WITH(selinux,
|
||||
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
|
||||
AC_MSG_ERROR(SELinux support requires libselinux library))
|
||||
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
+ LIBS="$LIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
LIBS="$save_LIBS"
|
||||
fi ]
|
||||
diff -up openssh-4.7p1/auth1.c.selinux openssh-4.7p1/auth1.c
|
||||
--- openssh-4.7p1/auth1.c.selinux 2007-09-06 19:46:32.000000000 +0200
|
||||
+++ openssh-4.7p1/auth1.c 2007-09-06 19:46:32.000000000 +0200
|
||||
@@ -388,7 +388,7 @@ void
|
||||
do_authentication(Authctxt *authctxt)
|
||||
{
|
||||
u_int ulen;
|
||||
|
|
@ -19,7 +21,7 @@
|
|||
|
||||
/* Get the name of the user that we wish to log in as. */
|
||||
packet_read_expect(SSH_CMSG_USER);
|
||||
@@ -397,11 +397,19 @@
|
||||
@@ -397,11 +397,19 @@ do_authentication(Authctxt *authctxt)
|
||||
user = packet_get_string(&ulen);
|
||||
packet_check_eom();
|
||||
|
||||
|
|
@ -39,58 +41,59 @@
|
|||
|
||||
/* Verify that the user is a valid user. */
|
||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||
--- openssh-4.5p1/monitor.c.selinux 2006-11-07 13:16:08.000000000 +0100
|
||||
+++ openssh-4.5p1/monitor.c 2006-12-20 22:10:48.000000000 +0100
|
||||
@@ -133,6 +133,7 @@
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
+int mm_answer_authrole(int, Buffer *);
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -204,6 +205,7 @@
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -653,6 +655,7 @@
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
diff -up openssh-4.7p1/monitor_wrap.h.selinux openssh-4.7p1/monitor_wrap.h
|
||||
--- openssh-4.7p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-4.7p1/monitor_wrap.h 2007-09-06 19:46:32.000000000 +0200
|
||||
@@ -41,6 +41,7 @@ int mm_is_monitor(void);
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+void mm_inform_authrole(char *);
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
diff -up openssh-4.7p1/monitor.h.selinux openssh-4.7p1/monitor.h
|
||||
--- openssh-4.7p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200
|
||||
+++ openssh-4.7p1/monitor.h 2007-09-06 19:46:32.000000000 +0200
|
||||
@@ -30,7 +30,7 @@
|
||||
|
||||
@@ -698,6 +701,23 @@
|
||||
enum monitor_reqtype {
|
||||
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
||||
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
|
||||
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
|
||||
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
||||
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
||||
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
||||
diff -up openssh-4.7p1/monitor_wrap.c.selinux openssh-4.7p1/monitor_wrap.c
|
||||
--- openssh-4.7p1/monitor_wrap.c.selinux 2007-06-11 06:01:42.000000000 +0200
|
||||
+++ openssh-4.7p1/monitor_wrap.c 2007-09-06 19:46:32.000000000 +0200
|
||||
@@ -294,6 +294,23 @@ mm_inform_authserv(char *service, char *
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
int
|
||||
+mm_answer_authrole(int sock, Buffer *m)
|
||||
+/* Inform the privileged process about role */
|
||||
+
|
||||
+void
|
||||
+mm_inform_authrole(char *role)
|
||||
+{
|
||||
+ monitor_permit_authentications(1);
|
||||
+ Buffer m;
|
||||
+
|
||||
+ authctxt->role = buffer_get_string(m, NULL);
|
||||
+ debug3("%s: role=%s",
|
||||
+ __func__, authctxt->role);
|
||||
+ debug3("%s entering", __func__);
|
||||
+
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ xfree(authctxt->role);
|
||||
+ authctxt->role = NULL;
|
||||
+ }
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_cstring(&m, role ? role : "");
|
||||
+
|
||||
+ return (0);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
|
||||
+
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
static int call_count;
|
||||
--- openssh-4.5p1/openbsd-compat/port-linux.c.selinux 2006-09-01 07:38:41.000000000 +0200
|
||||
+++ openssh-4.5p1/openbsd-compat/port-linux.c 2006-12-21 12:15:59.000000000 +0100
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
diff -up openssh-4.7p1/openbsd-compat/port-linux.c.selinux openssh-4.7p1/openbsd-compat/port-linux.c
|
||||
--- openssh-4.7p1/openbsd-compat/port-linux.c.selinux 2007-06-28 00:48:03.000000000 +0200
|
||||
+++ openssh-4.7p1/openbsd-compat/port-linux.c 2007-09-06 19:46:32.000000000 +0200
|
||||
@@ -30,11 +30,16 @@
|
||||
#ifdef WITH_SELINUX
|
||||
#include "log.h"
|
||||
|
|
@ -108,7 +111,7 @@
|
|||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
static int
|
||||
ssh_selinux_enabled(void)
|
||||
@@ -53,23 +58,36 @@
|
||||
@@ -53,23 +58,36 @@ ssh_selinux_enabled(void)
|
||||
static security_context_t
|
||||
ssh_selinux_getctxbyname(char *pwname)
|
||||
{
|
||||
|
|
@ -152,29 +155,21 @@
|
|||
|
||||
if (r != 0) {
|
||||
switch (security_getenforce()) {
|
||||
--- openssh-4.5p1/configure.ac.selinux 2006-12-20 22:10:35.000000000 +0100
|
||||
+++ openssh-4.5p1/configure.ac 2006-12-21 11:18:48.000000000 +0100
|
||||
@@ -3137,8 +3137,16 @@
|
||||
SELINUX_MSG="no"
|
||||
LIBSELINUX=""
|
||||
AC_ARG_WITH(selinux,
|
||||
- [ --with-selinux Enable SELinux support],
|
||||
+ [ --with-selinux[[=LIBSELINUX-PATH]] Enable SELinux support],
|
||||
[ if test "x$withval" != "xno" ; then
|
||||
+ if test "x$withval" != "xyes"; then
|
||||
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
|
||||
SELINUX_MSG="yes"
|
||||
AC_CHECK_HEADER([selinux/selinux.h], ,
|
||||
--- openssh-4.5p1/auth2.c.selinux 2006-08-05 04:39:39.000000000 +0200
|
||||
+++ openssh-4.5p1/auth2.c 2006-12-20 22:10:48.000000000 +0100
|
||||
@@ -145,7 +145,7 @@
|
||||
diff -up openssh-4.7p1/auth.h.selinux openssh-4.7p1/auth.h
|
||||
--- openssh-4.7p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200
|
||||
+++ openssh-4.7p1/auth.h 2007-09-06 19:46:32.000000000 +0200
|
||||
@@ -58,6 +58,7 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+ char *role;
|
||||
void *kbdintctxt;
|
||||
#ifdef BSD_AUTH
|
||||
auth_session_t *as;
|
||||
diff -up openssh-4.7p1/auth2.c.selinux openssh-4.7p1/auth2.c
|
||||
--- openssh-4.7p1/auth2.c.selinux 2007-05-20 06:58:41.000000000 +0200
|
||||
+++ openssh-4.7p1/auth2.c 2007-09-06 19:46:32.000000000 +0200
|
||||
@@ -141,7 +141,7 @@ input_userauth_request(int type, u_int32
|
||||
{
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
|
|
@ -183,7 +178,7 @@
|
|||
int authenticated = 0;
|
||||
|
||||
if (authctxt == NULL)
|
||||
@@ -157,6 +157,9 @@
|
||||
@@ -153,6 +153,9 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
|
|
@ -193,7 +188,7 @@
|
|||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -182,8 +185,11 @@
|
||||
@@ -178,8 +181,11 @@ input_userauth_request(int type, u_int32
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
|
|
@ -206,50 +201,54 @@
|
|||
} else if (strcmp(user, authctxt->user) != 0 ||
|
||||
strcmp(service, authctxt->service) != 0) {
|
||||
packet_disconnect("Change of username or service not allowed: "
|
||||
--- openssh-4.5p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-4.5p1/monitor_wrap.h 2006-12-20 22:10:48.000000000 +0100
|
||||
@@ -41,6 +41,7 @@
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+void mm_inform_authrole(char *);
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
--- openssh-4.5p1/monitor_wrap.c.selinux 2006-09-01 07:38:37.000000000 +0200
|
||||
+++ openssh-4.5p1/monitor_wrap.c 2006-12-20 22:10:48.000000000 +0100
|
||||
@@ -282,6 +282,23 @@
|
||||
buffer_free(&m);
|
||||
diff -up openssh-4.7p1/monitor.c.selinux openssh-4.7p1/monitor.c
|
||||
--- openssh-4.7p1/monitor.c.selinux 2007-05-20 07:10:16.000000000 +0200
|
||||
+++ openssh-4.7p1/monitor.c 2007-09-06 19:46:32.000000000 +0200
|
||||
@@ -133,6 +133,7 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
+int mm_answer_authrole(int, Buffer *);
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -657,6 +659,7 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
}
|
||||
|
||||
@@ -702,6 +705,23 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
}
|
||||
|
||||
+/* Inform the privileged process about role */
|
||||
+
|
||||
+void
|
||||
+mm_inform_authrole(char *role)
|
||||
int
|
||||
+mm_answer_authrole(int sock, Buffer *m)
|
||||
+{
|
||||
+ Buffer m;
|
||||
+ monitor_permit_authentications(1);
|
||||
+
|
||||
+ debug3("%s entering", __func__);
|
||||
+ authctxt->role = buffer_get_string(m, NULL);
|
||||
+ debug3("%s: role=%s",
|
||||
+ __func__, authctxt->role);
|
||||
+
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_cstring(&m, role ? role : "");
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ xfree(authctxt->role);
|
||||
+ authctxt->role = NULL;
|
||||
+ }
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
|
||||
+
|
||||
+ buffer_free(&m);
|
||||
+ return (0);
|
||||
+}
|
||||
+
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
--- openssh-4.5p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200
|
||||
+++ openssh-4.5p1/monitor.h 2006-12-20 22:10:35.000000000 +0100
|
||||
@@ -30,7 +30,7 @@
|
||||
|
||||
enum monitor_reqtype {
|
||||
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
|
||||
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
|
||||
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
|
||||
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
|
||||
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
|
||||
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
|
||||
+int
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
static int call_count;
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssh-4.5p1/sftp-client.c.drain-acks openssh-4.5p1/sftp-client.c
|
||||
--- openssh-4.5p1/sftp-client.c.drain-acks 2006-10-23 19:03:02.000000000 +0200
|
||||
+++ openssh-4.5p1/sftp-client.c 2007-08-07 17:46:16.000000000 +0200
|
||||
diff -up openssh-4.7p1/sftp-client.c.drain-acks openssh-4.7p1/sftp-client.c
|
||||
--- openssh-4.7p1/sftp-client.c.drain-acks 2007-02-19 12:13:39.000000000 +0100
|
||||
+++ openssh-4.7p1/sftp-client.c 2007-09-06 17:54:41.000000000 +0200
|
||||
@@ -992,7 +992,8 @@ int
|
||||
do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
|
||||
int pflag)
|
||||
|
|
@ -20,7 +20,7 @@ diff -up openssh-4.5p1/sftp-client.c.drain-acks openssh-4.5p1/sftp-client.c
|
|||
len = 0;
|
||||
else do
|
||||
len = read(local_fd, data, conn->transfer_buflen);
|
||||
@@ -1131,17 +1132,6 @@ do_upload(struct sftp_conn *conn, char *
|
||||
@@ -1131,18 +1132,6 @@ do_upload(struct sftp_conn *conn, char *
|
||||
fatal("Can't find request for ID %u", r_id);
|
||||
TAILQ_REMOVE(&acks, ack, tq);
|
||||
|
||||
|
|
@ -33,12 +33,13 @@ diff -up openssh-4.5p1/sftp-client.c.drain-acks openssh-4.5p1/sftp-client.c
|
|||
- close(local_fd);
|
||||
- xfree(data);
|
||||
- xfree(ack);
|
||||
- status = -1;
|
||||
- goto done;
|
||||
- }
|
||||
debug3("In write loop, ack for %u %u bytes at %llu",
|
||||
ack->id, ack->len, (unsigned long long)ack->offset);
|
||||
++ackid;
|
||||
@@ -1153,21 +1143,25 @@ do_upload(struct sftp_conn *conn, char *
|
||||
@@ -1154,21 +1143,25 @@ do_upload(struct sftp_conn *conn, char *
|
||||
stop_progress_meter();
|
||||
xfree(data);
|
||||
|
||||
|
|
@ -1,48 +1,7 @@
|
|||
--- openssh-4.5p1/servconf.h.vendor 2006-08-18 16:23:15.000000000 +0200
|
||||
+++ openssh-4.5p1/servconf.h 2006-12-20 22:06:27.000000000 +0100
|
||||
@@ -120,6 +120,7 @@
|
||||
int max_startups;
|
||||
int max_authtries;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
+ int show_patchlevel; /* Show vendor patch level to clients */
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
--- openssh-4.5p1/sshd_config.vendor 2006-12-20 22:06:27.000000000 +0100
|
||||
+++ openssh-4.5p1/sshd_config 2006-12-20 22:06:27.000000000 +0100
|
||||
@@ -106,6 +106,7 @@
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
+#ShowPatchLevel no
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10
|
||||
--- openssh-4.5p1/sshd.c.vendor 2006-11-07 13:14:42.000000000 +0100
|
||||
+++ openssh-4.5p1/sshd.c 2006-12-20 22:06:27.000000000 +0100
|
||||
@@ -418,7 +418,8 @@
|
||||
major = PROTOCOL_MAJOR_1;
|
||||
minor = PROTOCOL_MINOR_1;
|
||||
}
|
||||
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
|
||||
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
|
||||
server_version_string = xstrdup(buf);
|
||||
|
||||
/* Send our protocol version identification. */
|
||||
@@ -1429,7 +1430,8 @@
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- debug("sshd version %.100s", SSH_RELEASE);
|
||||
+ debug("sshd version %.100s",
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
|
||||
|
||||
/* Store privilege separation user for later use if required. */
|
||||
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||||
--- openssh-4.5p1/configure.ac.vendor 2006-12-20 22:06:27.000000000 +0100
|
||||
+++ openssh-4.5p1/configure.ac 2006-12-20 22:06:27.000000000 +0100
|
||||
@@ -3729,6 +3729,12 @@
|
||||
diff -up openssh-4.7p1/configure.ac.vendor openssh-4.7p1/configure.ac
|
||||
--- openssh-4.7p1/configure.ac.vendor 2007-09-06 16:27:47.000000000 +0200
|
||||
+++ openssh-4.7p1/configure.ac 2007-09-06 16:27:47.000000000 +0200
|
||||
@@ -3792,6 +3792,12 @@ AC_ARG_WITH(lastlog,
|
||||
fi
|
||||
]
|
||||
)
|
||||
|
|
@ -55,7 +14,7 @@
|
|||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -3978,6 +3984,7 @@
|
||||
@@ -4041,6 +4047,7 @@ echo " IP address in \$DISPLAY hac
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
|
|
@ -63,70 +22,10 @@
|
|||
if test ! -z "$USE_RAND_HELPER" ; then
|
||||
echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
|
||||
fi
|
||||
--- openssh-4.5p1/sshd_config.0.vendor 2006-12-20 22:06:27.000000000 +0100
|
||||
+++ openssh-4.5p1/sshd_config.0 2006-12-20 22:06:27.000000000 +0100
|
||||
@@ -413,6 +413,11 @@
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The minimum value is 512, and the default is 768.
|
||||
|
||||
+ ShowPatchLevel
|
||||
+ Specifies whether sshd will display the specific patch level of
|
||||
+ the binary in the server identification string. The patch level
|
||||
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||||
+
|
||||
StrictModes
|
||||
Specifies whether sshd(8) should check file modes and ownership
|
||||
of the user's files and home directory before accepting login.
|
||||
--- openssh-4.5p1/servconf.c.vendor 2006-08-18 16:23:15.000000000 +0200
|
||||
+++ openssh-4.5p1/servconf.c 2006-12-20 22:08:41.000000000 +0100
|
||||
@@ -113,6 +113,7 @@
|
||||
options->max_startups = -1;
|
||||
options->max_authtries = -1;
|
||||
options->banner = NULL;
|
||||
+ options->show_patchlevel = -1;
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -250,6 +251,9 @@
|
||||
if (options->permit_tun == -1)
|
||||
options->permit_tun = SSH_TUNMODE_NO;
|
||||
|
||||
+ if (options->show_patchlevel == -1)
|
||||
+ options->show_patchlevel = 0;
|
||||
+
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
use_privsep = 1;
|
||||
@@ -293,6 +297,7 @@
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand,
|
||||
sUsePrivilegeSeparation,
|
||||
+ sShowPatchLevel,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -390,6 +395,7 @@
|
||||
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
|
||||
{ "banner", sBanner, SSHCFG_GLOBAL },
|
||||
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1006,6 +1012,10 @@
|
||||
intptr = &use_privsep;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sShowPatchLevel:
|
||||
+ intptr = &options->show_patchlevel;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
--- openssh-4.5p1/sshd_config.5.vendor 2006-12-20 22:06:27.000000000 +0100
|
||||
+++ openssh-4.5p1/sshd_config.5 2006-12-20 22:06:27.000000000 +0100
|
||||
@@ -717,6 +717,14 @@
|
||||
diff -up openssh-4.7p1/sshd_config.5.vendor openssh-4.7p1/sshd_config.5
|
||||
--- openssh-4.7p1/sshd_config.5.vendor 2007-09-06 16:27:47.000000000 +0200
|
||||
+++ openssh-4.7p1/sshd_config.5 2007-09-06 16:27:47.000000000 +0200
|
||||
@@ -725,6 +725,14 @@ This option applies to protocol version
|
||||
.It Cm ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||
The minimum value is 512, and the default is 768.
|
||||
|
|
@ -141,3 +40,111 @@
|
|||
.It Cm StrictModes
|
||||
Specifies whether
|
||||
.Xr sshd 8
|
||||
diff -up openssh-4.7p1/servconf.h.vendor openssh-4.7p1/servconf.h
|
||||
--- openssh-4.7p1/servconf.h.vendor 2007-02-19 12:25:38.000000000 +0100
|
||||
+++ openssh-4.7p1/servconf.h 2007-09-06 16:27:47.000000000 +0200
|
||||
@@ -120,6 +120,7 @@ typedef struct {
|
||||
int max_startups;
|
||||
int max_authtries;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
+ int show_patchlevel; /* Show vendor patch level to clients */
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-4.7p1/servconf.c.vendor openssh-4.7p1/servconf.c
|
||||
--- openssh-4.7p1/servconf.c.vendor 2007-05-20 07:03:16.000000000 +0200
|
||||
+++ openssh-4.7p1/servconf.c 2007-09-06 16:29:11.000000000 +0200
|
||||
@@ -113,6 +113,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_startups = -1;
|
||||
options->max_authtries = -1;
|
||||
options->banner = NULL;
|
||||
+ options->show_patchlevel = -1;
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -250,6 +251,9 @@ fill_default_server_options(ServerOption
|
||||
if (options->permit_tun == -1)
|
||||
options->permit_tun = SSH_TUNMODE_NO;
|
||||
|
||||
+ if (options->show_patchlevel == -1)
|
||||
+ options->show_patchlevel = 0;
|
||||
+
|
||||
/* Turn privilege separation on by default */
|
||||
if (use_privsep == -1)
|
||||
use_privsep = 1;
|
||||
@@ -293,6 +297,7 @@ typedef enum {
|
||||
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand,
|
||||
sUsePrivilegeSeparation,
|
||||
+ sShowPatchLevel,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -390,6 +395,7 @@ static struct {
|
||||
{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1005,6 +1011,10 @@ parse_flag:
|
||||
intptr = &use_privsep;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sShowPatchLevel:
|
||||
+ intptr = &options->show_patchlevel;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
diff -up openssh-4.7p1/sshd_config.0.vendor openssh-4.7p1/sshd_config.0
|
||||
--- openssh-4.7p1/sshd_config.0.vendor 2007-09-06 16:27:47.000000000 +0200
|
||||
+++ openssh-4.7p1/sshd_config.0 2007-09-06 16:27:47.000000000 +0200
|
||||
@@ -418,6 +418,11 @@ DESCRIPTION
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The minimum value is 512, and the default is 768.
|
||||
|
||||
+ ShowPatchLevel
|
||||
+ Specifies whether sshd will display the specific patch level of
|
||||
+ the binary in the server identification string. The patch level
|
||||
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||||
+
|
||||
StrictModes
|
||||
Specifies whether sshd(8) should check file modes and ownership
|
||||
of the user's files and home directory before accepting login.
|
||||
diff -up openssh-4.7p1/sshd_config.vendor openssh-4.7p1/sshd_config
|
||||
--- openssh-4.7p1/sshd_config.vendor 2007-09-06 16:27:47.000000000 +0200
|
||||
+++ openssh-4.7p1/sshd_config 2007-09-06 16:27:47.000000000 +0200
|
||||
@@ -109,6 +109,7 @@ X11Forwarding yes
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
+#ShowPatchLevel no
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10
|
||||
diff -up openssh-4.7p1/sshd.c.vendor openssh-4.7p1/sshd.c
|
||||
--- openssh-4.7p1/sshd.c.vendor 2007-06-05 10:22:32.000000000 +0200
|
||||
+++ openssh-4.7p1/sshd.c 2007-09-06 16:27:47.000000000 +0200
|
||||
@@ -419,7 +419,8 @@ sshd_exchange_identification(int sock_in
|
||||
major = PROTOCOL_MAJOR_1;
|
||||
minor = PROTOCOL_MINOR_1;
|
||||
}
|
||||
- snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
|
||||
+ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
|
||||
server_version_string = xstrdup(buf);
|
||||
|
||||
/* Send our protocol version identification. */
|
||||
@@ -1434,7 +1435,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- debug("sshd version %.100s", SSH_RELEASE);
|
||||
+ debug("sshd version %.100s",
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
|
||||
|
||||
/* Store privilege separation user for later use if required. */
|
||||
if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
|
||||
71
openssh.spec
71
openssh.spec
|
|
@ -1,10 +1,5 @@
|
|||
# Do we want SELinux & Audit
|
||||
%define WITH_SELINUX 1
|
||||
%if %{WITH_SELINUX}
|
||||
# Audit patch applicable only over SELinux patch
|
||||
%define WITH_AUDIT 1
|
||||
%else
|
||||
%define WITH_AUDIT 0
|
||||
%endif
|
||||
|
||||
# OpenSSH privilege separation requires a user & group ID
|
||||
%define sshd_uid 74
|
||||
|
|
@ -28,6 +23,9 @@
|
|||
# Do we want kerberos5 support (1=yes 0=no)
|
||||
%define kerberos5 1
|
||||
|
||||
# Do we want libedit support
|
||||
%define libedit 1
|
||||
|
||||
# Do we want NSS tokens support
|
||||
%define nss 1
|
||||
|
||||
|
|
@ -59,42 +57,44 @@
|
|||
# Turn off some stuff for resuce builds
|
||||
%if %{rescue}
|
||||
%define kerberos5 0
|
||||
%define libedit 0
|
||||
%endif
|
||||
|
||||
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
Version: 4.5p1
|
||||
Release: 8%{?dist}%{?rescue_rel}
|
||||
Version: 4.7p1
|
||||
Release: 1%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
|
||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
# This package differs from the upstream OpenSSH tarball in that
|
||||
# the ACSS cipher is removed by running openssh-nukeacss.sh in
|
||||
# the unpacked source directory.
|
||||
Source0: openssh-%{version}-noacss.tar.bz2
|
||||
Source1: openssh-nukeacss.sh
|
||||
Patch0: openssh-4.5p1-redhat.patch
|
||||
Patch0: openssh-4.7p1-redhat.patch
|
||||
Patch2: openssh-3.8.1p1-skip-initial.patch
|
||||
Patch3: openssh-3.8.1p1-krb5-config.patch
|
||||
Patch4: openssh-4.5p1-vendor.patch
|
||||
Patch4: openssh-4.7p1-vendor.patch
|
||||
Patch5: openssh-4.3p2-initscript.patch
|
||||
Patch12: openssh-4.5p1-selinux.patch
|
||||
Patch16: openssh-4.5p1-audit.patch
|
||||
Patch10: openssh-4.7p1-pam-session.patch
|
||||
Patch12: openssh-4.7p1-selinux.patch
|
||||
Patch13: openssh-4.7p1-mls.patch
|
||||
Patch16: openssh-4.7p1-audit.patch
|
||||
Patch17: openssh-4.3p2-cve-2007-3102.patch
|
||||
Patch22: openssh-3.9p1-askpass-keep-above.patch
|
||||
Patch24: openssh-4.3p1-fromto-remote.patch
|
||||
Patch26: openssh-4.2p1-pam-no-stack.patch
|
||||
Patch27: openssh-3.9p1-log-in-chroot.patch
|
||||
Patch27: openssh-4.7p1-log-in-chroot.patch
|
||||
Patch30: openssh-4.0p1-exit-deadlock.patch
|
||||
Patch31: openssh-3.9p1-skip-used.patch
|
||||
Patch35: openssh-4.2p1-askpass-progress.patch
|
||||
Patch38: openssh-4.3p2-askpass-grab-info.patch
|
||||
Patch39: openssh-4.3p2-no-v6only.patch
|
||||
Patch44: openssh-4.3p2-allow-ip-opts.patch
|
||||
Patch48: openssh-4.3p2-pam-session.patch
|
||||
Patch49: openssh-4.3p2-gssapi-canohost.patch
|
||||
Patch50: openssh-4.5p1-mls.patch
|
||||
Patch51: openssh-4.5p1-nss-keys.patch
|
||||
Patch52: openssh-4.5p1-sftp-drain-acks.patch
|
||||
Patch51: openssh-4.7p1-nss-keys.patch
|
||||
Patch52: openssh-4.7p1-sftp-drain-acks.patch
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
|
@ -126,6 +126,10 @@ BuildRequires: tcp_wrappers-devel
|
|||
BuildRequires: krb5-devel
|
||||
%endif
|
||||
|
||||
%if %{libedit}
|
||||
BuildRequires: libedit-devel
|
||||
%endif
|
||||
|
||||
%if %{nss}
|
||||
BuildRequires: nss-devel
|
||||
%endif
|
||||
|
|
@ -133,9 +137,6 @@ BuildRequires: nss-devel
|
|||
%if %{WITH_SELINUX}
|
||||
Requires: libselinux >= 1.27.7
|
||||
BuildRequires: libselinux-devel >= 1.27.7
|
||||
%endif
|
||||
|
||||
%if %{WITH_AUDIT}
|
||||
Requires: audit-libs >= 1.0.8
|
||||
BuildRequires: audit-libs >= 1.0.8
|
||||
%endif
|
||||
|
|
@ -204,13 +205,14 @@ an X11 passphrase dialog for OpenSSH.
|
|||
%patch4 -p1 -b .vendor
|
||||
%patch5 -p1 -b .initscript
|
||||
|
||||
%patch10 -p1 -b .pam-session
|
||||
|
||||
%if %{WITH_SELINUX}
|
||||
#SELinux
|
||||
%patch12 -p1 -b .selinux
|
||||
%endif
|
||||
|
||||
%if %{WITH_AUDIT}
|
||||
%patch13 -p1 -b .mls
|
||||
%patch16 -p1 -b .audit
|
||||
%patch17 -p1 -b .inject-fix
|
||||
%endif
|
||||
|
||||
%patch22 -p1 -b .keep-above
|
||||
|
|
@ -223,9 +225,7 @@ an X11 passphrase dialog for OpenSSH.
|
|||
%patch38 -p1 -b .grab-info
|
||||
%patch39 -p1 -b .no-v6only
|
||||
%patch44 -p1 -b .ip-opts
|
||||
%patch48 -p1 -b .pam-sesssion
|
||||
%patch49 -p1 -b .canohost
|
||||
%patch50 -p1 -b .mls
|
||||
%patch51 -p1 -b .nss-keys
|
||||
%patch52 -p1 -b .drain-acks
|
||||
|
||||
|
|
@ -282,15 +282,17 @@ fi
|
|||
--with-pam \
|
||||
%endif
|
||||
%if %{WITH_SELINUX}
|
||||
--with-selinux \
|
||||
%endif
|
||||
%if %{WITH_AUDIT}
|
||||
--with-linux-audit \
|
||||
--with-selinux --with-linux-audit \
|
||||
%endif
|
||||
%if %{kerberos5}
|
||||
--with-kerberos5${krb5_prefix:+=${krb5_prefix}}
|
||||
--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
|
||||
%else
|
||||
--without-kerberos5
|
||||
--without-kerberos5 \
|
||||
%endif
|
||||
%if %{libedit}
|
||||
--with-libedit
|
||||
%else
|
||||
--without-libedit
|
||||
%endif
|
||||
|
||||
%if %{static_libcrypto}
|
||||
|
|
@ -478,6 +480,11 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Sep 6 2007 Tomas Mraz <tmraz@redhat.com> - 4.7p1-1
|
||||
- upgrade to latest upstream
|
||||
- use libedit in sftp (#203009)
|
||||
- fixed audit log injection problem (CVE-2007-3102)
|
||||
|
||||
* Thu Aug 9 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-8
|
||||
- fix sftp client problems on write error (#247802)
|
||||
- allow disabling autocreation of server keys (#235466)
|
||||
|
|
|
|||
Loading…
Reference in New Issue