Merge remote-tracking branch 'origin/master' into f21

2014-11-04 19:10:58 +01:00 · 2014-11-04 19:10:58 +01:00 · d64ab980a2
parent b7e2bae5c4 3b7c8620a1
commit d64ab980a2
3 changed files with 187 additions and 27 deletions
--- a/openssh-6.6.1p1-selinux-contexts.patch
+++ b/openssh-6.6.1p1-selinux-contexts.patch
@ -0,0 +1,118 @@
+diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+index 0077dd7..e3f2ced 100644
+--- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c
+@@ -31,6 +31,7 @@
+ #include "xmalloc.h"
+ #include "servconf.h"
+ #include "port-linux.h"
+#include "misc.h"
+ #include "key.h"
+ #include "hostfile.h"
+ #include "auth.h"
+@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+ void
+ sshd_selinux_copy_context(void)
+ {
+-	security_context_t *ctx;
+	char *ctx;
+ 
+ 	if (!sshd_selinux_enabled())
+ 		return;
+@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void)
+ 	}
+ }
+ 
+void
+sshd_selinux_change_privsep_preauth_context(void)
+{
+	int len;
+	char line[1024], *preauth_context = NULL, *cp, *arg;
+	const char *contexts_path;
+	FILE *contexts_file;
+
+	contexts_path = selinux_openssh_contexts_path();
+	if (contexts_path != NULL) {
+		if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
+			struct stat sb;
+
+			if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
+				while (fgets(line, sizeof(line), contexts_file)) {
+					/* Strip trailing whitespace */
+					for (len = strlen(line) - 1; len > 0; len--) {
+						if (strchr(" \t\r\n", line[len]) == NULL)
+							break;
+						line[len] = '\0';
+					}
+
+					if (line[0] == '\0')
+						continue;
+
+					cp = line;
+					arg = strdelim(&cp);
+					if (*arg == '\0')
+						arg = strdelim(&cp);
+
+					if (strcmp(arg, "privsep_preauth") == 0) {
+						arg = strdelim(&cp);
+						if (!arg || *arg == '\0') {
+							debug("%s: privsep_preauth is empty", __func__);
+							fclose(contexts_file);
+							return;
+						}
+						preauth_context = xstrdup(arg);
+					}
+				}
+			}
+			fclose(contexts_file);
+		}
+	}
+
+	if (preauth_context == NULL)
+		preauth_context = xstrdup("sshd_net_t");
+
+	ssh_selinux_change_context(preauth_context);
+	free(preauth_context);
+}
+
+ #endif
+ #endif
+ 
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 22ea8ef..1fc963d 100644
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
+ 	strlcpy(newctx + len, newname, newlen - len);
+ 	if ((cx = index(cx + 1, ':')))
+ 		strlcat(newctx, cx, newlen);
+-	debug3("%s: setting context from '%s' to '%s'", __func__,
+	debug("%s: setting context from '%s' to '%s'", __func__,
+ 	    oldctx, newctx);
+ 	if (setcon(newctx) < 0)
+ 		switchlog("%s: setcon %s from %s failed with %s", __func__,
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index cb51f99..8b7cda2 100644
+--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
+@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
+ void sshd_selinux_copy_context(void);
+ void sshd_selinux_setup_exec_context(char *);
+ int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_change_privsep_preauth_context(void);
+ #endif
+ 
+ #ifdef LINUX_OOM_ADJUST
+diff --git a/sshd.c b/sshd.c
+index 512c7ed..3eee75a 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -637,7 +637,7 @@ privsep_preauth_child(void)
+ 	demote_sensitive_data();
+ 
+ #ifdef WITH_SELINUX
+-	ssh_selinux_change_context("sshd_net_t");
+	sshd_selinux_change_privsep_preauth_context();
+ #endif
+ 
+ 	/* Change our root directory */
--- a/openssh-6.6p1-audit.patch
+++ b/openssh-6.6p1-audit.patch
@ -486,7 +486,7 @@ index b3ee2f4..946f7fa 100644
 +}
 #endif /* USE_LINUX_AUDIT */
 diff --git a/audit.c b/audit.c
-index ced57fa..b806f03 100644
+index ced57fa..ab9fb82 100644
 --- a/audit.c
 +++ b/audit.c
@@ -28,6 +28,7 @@
@ -507,7 +507,23 @@ index ced57fa..b806f03 100644
 
 /*
  * Care must be taken when using this since it WILL NOT be initialized when
-@@ -111,6 +115,40 @@ audit_event_lookup(ssh_audit_event_t ev)
+@@ -71,13 +75,10 @@ audit_classify_auth(const char *method)
+ const char *
+ audit_username(void)
+ {
+-	static const char unknownuser[] = "(unknown user)";
+-	static const char invaliduser[] = "(invalid user)";
+	static const char unknownuser[] = "(unknown)";
+ 
+-	if (the_authctxt == NULL || the_authctxt->user == NULL)
+	if (the_authctxt == NULL || the_authctxt->user == NULL || !the_authctxt->valid)
+ 		return (unknownuser);
+-	if (!the_authctxt->valid)
+-		return (invaliduser);
+ 	return (the_authctxt->user);
+ }
+ 
+@@ -111,6 +112,40 @@ audit_event_lookup(ssh_audit_event_t ev)
 	return(event_lookup[i].name);
 }
 
@ -548,7 +564,7 @@ index ced57fa..b806f03 100644
 # ifndef CUSTOM_SSH_AUDIT_EVENTS
 /*
  * Null implementations of audit functions.
-@@ -140,6 +178,17 @@ audit_event(ssh_audit_event_t event)
+@@ -140,6 +175,17 @@ audit_event(ssh_audit_event_t event)
 }
 
 /*
@ -566,7 +582,7 @@ index ced57fa..b806f03 100644
  * Called when a user session is started.  Argument is the tty allocated to
  * the session, or NULL if no tty was allocated.
  *
-@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li)
+@@ -174,13 +220,91 @@ audit_session_close(struct logininfo *li)
 /*
  * This will be called when a user runs a non-interactive command.  Note that
  * it may be called multiple times for a single connection since SSH2 allows
@ -795,6 +811,20 @@ index 5dad6c3..f225b0b 100644
 }
 
 /*
+diff --git a/auth.c b/auth.c
+index 420a85b..d613f8c 100644
+--- a/auth.c
+++ b/auth.c
+@@ -628,9 +628,6 @@ getpwnamallow(const char *user)
+ 		record_failed_login(user,
+ 		    get_canonical_hostname(options.use_dns), "ssh");
+ #endif
+-#ifdef SSH_AUDIT_EVENTS
+-		audit_event(SSH_INVALID_USER);
+-#endif /* SSH_AUDIT_EVENTS */
+ 		return (NULL);
+ 	}
+ 	if (!allowed_user(pw))
 diff --git a/auth.h b/auth.h
 index 4605588..f9d191c 100644
 --- a/auth.h
@ -880,7 +910,7 @@ index cb0f931..6d1c872 100644
 match_principals_option(const char *principal_list, struct KeyCert *cert)
 {
 diff --git a/auth2.c b/auth2.c
-index 0f52b68..472a5b2 100644
+index 426dcd6..436cd60 100644
 --- a/auth2.c
 +++ b/auth2.c
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
@ -1143,7 +1173,7 @@ index fbe18c4..7dc7f43 100644
 void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
 diff --git a/monitor.c b/monitor.c
-index aa70945..bdabe21 100644
+index 8b18086..5a65114 100644
 --- a/monitor.c
 +++ b/monitor.c
@@ -97,6 +97,7 @@
@ -1221,7 +1251,7 @@ index aa70945..bdabe21 100644
 #endif
     {0, 0, NULL}
 };
-@@ -1390,9 +1416,11 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1393,9 +1419,11 @@ mm_answer_keyverify(int sock, Buffer *m)
 	Key *key;
 	u_char *signature, *data, *blob;
 	u_int signaturelen, datalen, bloblen;
@ -1233,7 +1263,7 @@ index aa70945..bdabe21 100644
 	blob = buffer_get_string(m, &bloblen);
 	signature = buffer_get_string(m, &signaturelen);
 	data = buffer_get_string(m, &datalen);
-@@ -1400,6 +1428,8 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1403,6 +1431,8 @@ mm_answer_keyverify(int sock, Buffer *m)
 	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
 	  !monitor_allowed_key(blob, bloblen))
 		fatal("%s: bad key, not previously allowed", __func__);
@ -1242,7 +1272,7 @@ index aa70945..bdabe21 100644
 
 	key = key_from_blob(blob, bloblen);
 	if (key == NULL)
-@@ -1420,7 +1450,17 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1423,7 +1453,17 @@ mm_answer_keyverify(int sock, Buffer *m)
 	if (!valid_data)
 		fatal("%s: bad signature data blob", __func__);
 
@ -1261,7 +1291,7 @@ index aa70945..bdabe21 100644
 	debug3("%s: key %p signature %s",
 	    __func__, key, (verified == 1) ? "verified" : "unverified");
 
-@@ -1473,6 +1513,12 @@ mm_session_close(Session *s)
+@@ -1476,6 +1516,12 @@ mm_session_close(Session *s)
 		debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
 		session_pty_cleanup2(s);
 	}
@ -1274,7 +1304,7 @@ index aa70945..bdabe21 100644
 	session_unused(s->self);
 }
 
-@@ -1753,6 +1799,8 @@ mm_answer_term(int sock, Buffer *req)
+@@ -1756,6 +1802,8 @@ mm_answer_term(int sock, Buffer *req)
 		sshpam_cleanup();
 #endif
 
@ -1283,7 +1313,7 @@ index aa70945..bdabe21 100644
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);
-@@ -1795,11 +1843,43 @@ mm_answer_audit_command(int socket, Buffer *m)
+@@ -1798,11 +1846,43 @@ mm_answer_audit_command(int socket, Buffer *m)
 {
 	u_int len;
 	char *cmd;
@ -1328,7 +1358,7 @@ index aa70945..bdabe21 100644
 	free(cmd);
 	return (0);
 }
-@@ -1943,11 +2023,13 @@ mm_get_keystate(struct monitor *pmonitor)
+@@ -1946,11 +2026,13 @@ mm_get_keystate(struct monitor *pmonitor)
 
 	blob = buffer_get_string(&m, &bloblen);
 	current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@ -1342,7 +1372,7 @@ index aa70945..bdabe21 100644
 	free(blob);
 
 	/* Now get sequence numbers for the packets */
-@@ -1993,6 +2075,21 @@ mm_get_keystate(struct monitor *pmonitor)
+@@ -1996,6 +2078,21 @@ mm_get_keystate(struct monitor *pmonitor)
 	}
 
 	buffer_free(&m);
@ -1364,7 +1394,7 @@ index aa70945..bdabe21 100644
 }
 
 
-@@ -2274,3 +2371,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
+@@ -2277,3 +2374,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
 
 #endif /* GSSAPI */
 
@ -1860,7 +1890,7 @@ index f8edf85..c36c812 100644
 +void	 packet_destroy_all(int, int);
 #endif				/* PACKET_H */
 diff --git a/session.c b/session.c
-index e4add93..626a642 100644
+index df43592..b186ca1 100644
 --- a/session.c
 +++ b/session.c
@@ -138,7 +138,7 @@ extern int log_stderr;
@ -1921,7 +1951,7 @@ index e4add93..626a642 100644
 
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
-@@ -1932,6 +1947,7 @@ session_unused(int id)
+@@ -1933,6 +1948,7 @@ session_unused(int id)
 	sessions[id].ttyfd = -1;
 	sessions[id].ptymaster = -1;
 	sessions[id].x11_chanids = NULL;
@ -1929,7 +1959,7 @@ index e4add93..626a642 100644
 	sessions[id].next_unused = sessions_first_unused;
 	sessions_first_unused = id;
 }
-@@ -2014,6 +2030,19 @@ session_open(Authctxt *authctxt, int chanid)
+@@ -2015,6 +2031,19 @@ session_open(Authctxt *authctxt, int chanid)
 }
 
 Session *
@ -1949,7 +1979,7 @@ index e4add93..626a642 100644
 session_by_tty(char *tty)
 {
 	int i;
-@@ -2530,6 +2559,30 @@ session_exit_message(Session *s, int status)
+@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status)
 		chan_write_failed(c);
 }
 
@ -1980,7 +2010,7 @@ index e4add93..626a642 100644
 void
 session_close(Session *s)
 {
-@@ -2538,6 +2591,10 @@ session_close(Session *s)
+@@ -2539,6 +2592,10 @@ session_close(Session *s)
 	debug("session_close: session %d pid %ld", s->self, (long)s->pid);
 	if (s->ttyfd != -1)
 		session_pty_cleanup(s);
@ -1991,7 +2021,7 @@ index e4add93..626a642 100644
 	free(s->term);
 	free(s->display);
 	free(s->x11_chanids);
-@@ -2752,6 +2809,15 @@ do_authenticated2(Authctxt *authctxt)
+@@ -2753,6 +2810,15 @@ do_authenticated2(Authctxt *authctxt)
 	server_loop2(authctxt);
 }
 
@ -2007,7 +2037,7 @@ index e4add93..626a642 100644
 void
 do_cleanup(Authctxt *authctxt)
 {
-@@ -2800,5 +2866,5 @@ do_cleanup(Authctxt *authctxt)
+@@ -2801,5 +2867,5 @@ do_cleanup(Authctxt *authctxt)
 	 * or if running in monitor.
 	 */
 	if (!use_privsep || mm_is_monitor())
@ -2043,7 +2073,7 @@ index 6a2f35e..e9b312e 100644
 void	 session_close(Session *);
 void	 do_setusercontext(struct passwd *);
 diff --git a/sshd.c b/sshd.c
-index 512c7ed..b561ec8 100644
+index 8a0740a..2813aa2 100644
 --- a/sshd.c
 +++ b/sshd.c
@@ -119,6 +119,7 @@
--- a/openssh.spec
+++ b/openssh.spec
@ -64,14 +64,14 @@

 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.6.1p1
-%define openssh_rel 5
+%define openssh_rel 6
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 3

 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1
+Release: %{openssh_rel}%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #URL1: http://pamsshagentauth.sourceforge.net
 # Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@ -207,6 +207,8 @@ Patch914: openssh-6.6.1p1-servconf-parser.patch
 # Ignore SIGXFSZ in postauth monitor
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2263
 Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
+# privsep_preauth: use SELinux context from selinux-policy (#1008580)
+Patch916: openssh-6.6.1p1-selinux-contexts.patch


 License: BSD
@ -246,8 +248,8 @@ BuildRequires: libedit-devel ncurses-devel
 %endif

 %if %{WITH_SELINUX}
-Requires: libselinux >= 1.27.7
-BuildRequires: libselinux-devel >= 1.27.7
+Requires: libselinux >= 2.3-5
+BuildRequires: libselinux-devel >= 2.3-5
 Requires: audit-libs >= 1.0.8
 BuildRequires: audit-libs >= 1.0.8
 %endif
@ -417,6 +419,7 @@ popd
 %patch913 -p1 -b .partial-success
 %patch914 -p1 -b .servconf
 %patch915 -p1 -b .SIGXFSZ
+%patch916 -p1 -b .contexts

 %patch200 -p1 -b .audit
 %patch700 -p1 -b .fips
@ -729,6 +732,15 @@ getent passwd sshd >/dev/null || \
 %endif

 %changelog
+* Tue Nov 04 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-6 + 0.9.3-3
+- privsep_preauth: use SELinux context from selinux-policy (#1008580)
+- change audit trail for unknown users (mindrot#2245)
+- fix kuserok patch which checked for the existence of .k5login
+  unconditionally and hence prevented other mechanisms to be used properly
+- revert the default of KerberosUseKuserok back to yes (#1153076)
+- ignore SIGXFSZ in postauth monitor (mindrot#2263)
+- sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode
+
 * Mon Sep 08 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-5 + 0.9.3-3
 - set a client's address right after a connection is set (mindrot#2257)
 - apply RFC3454 stringprep to banners when possible (mindrot#2058)