improve session keys audit

This commit is contained in:
Jan F 2011-03-09 08:48:51 +01:00
parent 71d3d9c683
commit d1fc5c2d41
4 changed files with 96 additions and 3 deletions

View File

@ -0,0 +1,79 @@
diff -up openssh-5.8p1/packet.c.audit4a openssh-5.8p1/packet.c
--- openssh-5.8p1/packet.c.audit4a 2011-03-08 08:52:12.000000000 +0100
+++ openssh-5.8p1/packet.c 2011-03-08 08:52:39.000000000 +0100
@@ -473,6 +473,13 @@ packet_get_connection_out(void)
return active_state->connection_out;
}
+static int
+packet_state_has_keys (const struct session_state *state)
+{
+ return state != NULL &&
+ (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
+}
+
/* Closes the connection and clears and frees internal data structures. */
void
@@ -481,13 +488,6 @@ packet_close(void)
if (!active_state->initialized)
return;
active_state->initialized = 0;
- if (active_state->connection_in == active_state->connection_out) {
- shutdown(active_state->connection_out, SHUT_RDWR);
- close(active_state->connection_out);
- } else {
- close(active_state->connection_in);
- close(active_state->connection_out);
- }
buffer_free(&active_state->input);
buffer_free(&active_state->output);
buffer_free(&active_state->outgoing_packet);
@@ -496,9 +496,18 @@ packet_close(void)
buffer_free(&active_state->compression_buffer);
buffer_compress_uninit();
}
- cipher_cleanup(&active_state->send_context);
- cipher_cleanup(&active_state->receive_context);
- audit_session_key_free(2);
+ if (packet_state_has_keys(active_state)) {
+ cipher_cleanup(&active_state->send_context);
+ cipher_cleanup(&active_state->receive_context);
+ audit_session_key_free(2);
+ }
+ if (active_state->connection_in == active_state->connection_out) {
+ shutdown(active_state->connection_out, SHUT_RDWR);
+ close(active_state->connection_out);
+ } else {
+ close(active_state->connection_in);
+ close(active_state->connection_out);
+ }
}
/* Sets remote side protocol flags. */
@@ -1945,13 +1954,6 @@ packet_destroy_state(struct session_stat
// memset(state, 0, sizeof(state));
}
-static int
-packet_state_has_keys (const struct session_state *state)
-{
- return state != NULL &&
- (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
-}
-
void
packet_destroy_all(int audit_it, int privsep)
{
diff -up openssh-5.8p1/sshd.c.audit4a openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.audit4a 2011-03-08 08:53:02.000000000 +0100
+++ openssh-5.8p1/sshd.c 2011-03-08 08:55:23.000000000 +0100
@@ -2033,7 +2033,7 @@ main(int ac, char **av)
do_authenticated(authctxt);
/* The connection has been terminated. */
- packet_destroy_all(1, 0);
+ packet_destroy_all(1, 1);
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);

View File

@ -0,0 +1,11 @@
diff -up openssh-5.8p1/sshd.c.audit5a openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.audit5a 2011-03-08 09:03:49.000000000 +0100
+++ openssh-5.8p1/sshd.c 2011-03-08 09:06:23.000000000 +0100
@@ -2085,6 +2085,7 @@ main(int ac, char **av)
/* The connection has been terminated. */
packet_destroy_all(1, 1);
+ destroy_sensitive_data(1);
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);

View File

@ -117,7 +117,7 @@ diff -up openssh-5.8p1/HOWTO.ldap-keys.ldap openssh-5.8p1/HOWTO.ldap-keys
+2) add appropriate schema +2) add appropriate schema
+3) insert users into LDAP +3) insert users into LDAP
+4) on the ssh side set in sshd_config +4) on the ssh side set in sshd_config
+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper +AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+AuthorizedKeysCommandRunAs <appropriate user to run LDAP> +AuthorizedKeysCommandRunAs <appropriate user to run LDAP>
+5) do not forget to set +5) do not forget to set
+PubkeyAuthentication yes +PubkeyAuthentication yes
@ -2262,7 +2262,7 @@ diff -up openssh-5.8p1/README.lpk.ldap openssh-5.8p1/README.lpk
+ +
+ 2 tokens are added to sshd_config : + 2 tokens are added to sshd_config :
+ # here is the new patched ldap related tokens + # here is the new patched ldap related tokens
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-helper -s %u + AuthorizedKeysCommand "/usr/libexec/openssh/ssh-ldap-wrapper"
+ AuthorizedKeysCommandRunAs nobody + AuthorizedKeysCommandRunAs nobody
+ +
+ The LDAP configuratin is read from common /etc/ldap.conf configuration file. + The LDAP configuratin is read from common /etc/ldap.conf configuration file.

View File

@ -71,7 +71,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.8p1 %define openssh_ver 5.8p1
%define openssh_rel 15 %define openssh_rel 16
%define pam_ssh_agent_ver 0.9.2 %define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 30 %define pam_ssh_agent_rel 30
@ -652,6 +652,9 @@ fi
%endif %endif
%changelog %changelog
* Tue Mar 8 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-16 + 0.9.2-30
- improve session keys audit
* Mon Mar 7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-15 + 0.9.2-30 * Mon Mar 7 2011 Jan F. Chadima <jchadima@redhat.com> - 5.8p1-15 + 0.9.2-30
- CVE-2010-4755 - CVE-2010-4755