diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/openssh-6.6.1p1-selinux-contexts.patch
new file mode 100644
index 0000000..a831a15
--- /dev/null
+++ b/openssh-6.6.1p1-selinux-contexts.patch
@@ -0,0 +1,118 @@
+diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+index 0077dd7..e3f2ced 100644
+--- a/openbsd-compat/port-linux-sshd.c
++++ b/openbsd-compat/port-linux-sshd.c
+@@ -31,6 +31,7 @@
+ #include "xmalloc.h"
+ #include "servconf.h"
+ #include "port-linux.h"
++#include "misc.h"
+ #include "key.h"
+ #include "hostfile.h"
+ #include "auth.h"
+@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+ void
+ sshd_selinux_copy_context(void)
+ {
+- security_context_t *ctx;
++ char *ctx;
+ 
+ if (!sshd_selinux_enabled())
+ return;
+@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void)
+ }
+ }
+ 
++void
++sshd_selinux_change_privsep_preauth_context(void)
++{
++ int len;
++ char line[1024], *preauth_context = NULL, *cp, *arg;
++ const char *contexts_path;
++ FILE *contexts_file;
++
++ contexts_path = selinux_openssh_contexts_path();
++ if (contexts_path != NULL) {
++ if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
++ struct stat sb;
++
++ if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
++ while (fgets(line, sizeof(line), contexts_file)) {
++ /* Strip trailing whitespace */
++ for (len = strlen(line) - 1; len > 0; len--) {
++ if (strchr(" \t\r\n", line[len]) == NULL)
++ break;
++ line[len] = '\0';
++ }
++
++ if (line[0] == '\0')
++ continue;
++
++ cp = line;
++ arg = strdelim(&cp);
++ if (*arg == '\0')
++ arg = strdelim(&cp);
++
++ if (strcmp(arg, "privsep_preauth") == 0) {
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0') {
++ debug("%s: privsep_preauth is empty", __func__);
++ fclose(contexts_file);
++ return;
++ }
++ preauth_context = xstrdup(arg);
++ }
++ }
++ }
++ fclose(contexts_file);
++ }
++ }
++
++ if (preauth_context == NULL)
++ preauth_context = xstrdup("sshd_net_t");
++
++ ssh_selinux_change_context(preauth_context);
++ free(preauth_context);
++}
++
+ #endif
+ #endif
+ 
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 22ea8ef..1fc963d 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
+ strlcpy(newctx + len, newname, newlen - len);
+ if ((cx = index(cx + 1, ':')))
+ strlcat(newctx, cx, newlen);
+- debug3("%s: setting context from '%s' to '%s'", __func__,
++ debug("%s: setting context from '%s' to '%s'", __func__,
+ oldctx, newctx);
+ if (setcon(newctx) < 0)
+ switchlog("%s: setcon %s from %s failed with %s", __func__,
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index cb51f99..8b7cda2 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
+ void sshd_selinux_copy_context(void);
+ void sshd_selinux_setup_exec_context(char *);
+ int sshd_selinux_setup_env_variables(void);
++void sshd_selinux_change_privsep_preauth_context(void);
+ #endif
+ 
+ #ifdef LINUX_OOM_ADJUST
+diff --git a/sshd.c b/sshd.c
+index 512c7ed..3eee75a 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -637,7 +637,7 @@ privsep_preauth_child(void)
+ demote_sensitive_data();
+ 
+ #ifdef WITH_SELINUX
+- ssh_selinux_change_context("sshd_net_t");
++ sshd_selinux_change_privsep_preauth_context();
+ #endif
+ 
+ /* Change our root directory */
diff --git a/openssh-6.6p1-audit.patch b/openssh-6.6p1-audit.patch
index b83b46a..7e0c0f4 100644
--- a/openssh-6.6p1-audit.patch
+++ b/openssh-6.6p1-audit.patch
@@ -486,7 +486,7 @@ index b3ee2f4..946f7fa 100644
 +}
 #endif /* USE_LINUX_AUDIT */
 diff --git a/audit.c b/audit.c
-index ced57fa..b806f03 100644
+index ced57fa..ab9fb82 100644
 --- a/audit.c
 +++ b/audit.c
 @@ -28,6 +28,7 @@
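Review bot: An empty `privsep_preauth` value makes `sshd_selinux_change_privsep_preauth_context()` return before `ssh_selinux_change_context()` is ever called, so the preauth child keeps its current domain instead of receiving the `sshd_net_t` fallback that every other path (no contexts path, unreadable file, rejected ownership/mode, no matching key) applies, and the only trace is a `debug()` line; unless that is intended, replace `fclose(contexts_file); return;` there with `break;` so the default below is used. A second `privsep_preauth` line overwrites `preauth_context` without releasing the earlier `xstrdup()`; add `free(preauth_context);` before the assignment. The `fstat()` root-ownership and `& 022` check is the right gate, since this file selects the domain of the network-facing child, but a file that fails it is skipped silently — a `debug()` naming `contexts_path` at that point would make a misconfigured file visible in the log, and an `S_ISREG(sb.st_mode)` test would keep the loop from reading anything other than a regular file.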
@@ -507,7 +507,23 @@ index ced57fa..b806f03 100644 /* * Care must be taken when using this since it WILL NOT be initialized when -@@ -111,6 +115,40 @@ audit_event_lookup(ssh_audit_event_t ev) +@@ -71,13 +75,10 @@ audit_classify_auth(const char *method) + const char * + audit_username(void) + { +- static const char unknownuser[] = "(unknown user)"; +- static const char invaliduser[] = "(invalid user)"; ++ static const char unknownuser[] = "(unknown)"; + +- if (the_authctxt == NULL || the_authctxt->user == NULL) ++ if (the_authctxt == NULL || the_authctxt->user == NULL || !the_authctxt->valid) + return (unknownuser); +- if (!the_authctxt->valid) +- return (invaliduser); + return (the_authctxt->user); + } + +@@ -111,6 +112,40 @@ audit_event_lookup(ssh_audit_event_t ev) return(event_lookup[i].name); } @@ -548,7 +564,7 @@ index ced57fa..b806f03 100644 # ifndef CUSTOM_SSH_AUDIT_EVENTS /* * Null implementations of audit functions. -@@ -140,6 +178,17 @@ audit_event(ssh_audit_event_t event) +@@ -140,6 +175,17 @@ audit_event(ssh_audit_event_t event) } /* @@ -566,7 +582,7 @@ index ced57fa..b806f03 100644 * Called when a user session is started. Argument is the tty allocated to * the session, or NULL if no tty was allocated. * -@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li) +@@ -174,13 +220,91 @@ audit_session_close(struct logininfo *li) /* * This will be called when a user runs a non-interactive command. Note that * it may be called multiple times for a single connection since SSH2 allows @@ -795,6 +811,20 @@ index 5dad6c3..f225b0b 100644 } /* +diff --git a/auth.c b/auth.c +index 420a85b..d613f8c 100644 +--- a/auth.c ++++ b/auth.c +@@ -628,9 +628,6 @@ getpwnamallow(const char *user) + record_failed_login(user, + get_canonical_hostname(options.use_dns), "ssh"); + #endif +-#ifdef SSH_AUDIT_EVENTS +- audit_event(SSH_INVALID_USER); +-#endif /* SSH_AUDIT_EVENTS */ + return (NULL); + } + if (!allowed_user(pw)) 
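Review bot: `audit_username()` now returns the single string `"(unknown)"` both for a nonexistent user and for one that failed `the_authctxt->valid`, so the `"(unknown user)"` and `"(invalid user)"` strings that external audit consumers may match on disappear from the trail, and the inner hunk carries no comment saying this merge is deliberate. A one-line comment above the function would record it, e.g. `/* Unknown and invalid users are both reported as "(unknown)" (mindrot#2245). */`.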
diff --git a/auth.h b/auth.h index 4605588..f9d191c 100644 --- a/auth.h @@ -880,7 +910,7 @@ index cb0f931..6d1c872 100644 match_principals_option(const char *principal_list, struct KeyCert *cert) { diff --git a/auth2.c b/auth2.c -index 0f52b68..472a5b2 100644 +index 426dcd6..436cd60 100644 --- a/auth2.c +++ b/auth2.c @@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) @@ -1143,7 +1173,7 @@ index fbe18c4..7dc7f43 100644 void mac_clear(Mac *); +void mac_destroy(Mac *); diff --git a/monitor.c b/monitor.c -index aa70945..bdabe21 100644 +index 8b18086..5a65114 100644 --- a/monitor.c +++ b/monitor.c @@ -97,6 +97,7 @@ @@ -1221,7 +1251,7 @@ index aa70945..bdabe21 100644 #endif {0, 0, NULL} }; -@@ -1390,9 +1416,11 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1393,9 +1419,11 @@ mm_answer_keyverify(int sock, Buffer *m) Key *key; u_char *signature, *data, *blob; u_int signaturelen, datalen, bloblen; @@ -1233,7 +1263,7 @@ index aa70945..bdabe21 100644 blob = buffer_get_string(m, &bloblen); signature = buffer_get_string(m, &signaturelen); data = buffer_get_string(m, &datalen); -@@ -1400,6 +1428,8 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1403,6 +1431,8 @@ mm_answer_keyverify(int sock, Buffer *m) if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) fatal("%s: bad key, not previously allowed", __func__); @@ -1242,7 +1272,7 @@ index aa70945..bdabe21 100644 key = key_from_blob(blob, bloblen); if (key == NULL) -@@ -1420,7 +1450,17 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1423,7 +1453,17 @@ mm_answer_keyverify(int sock, Buffer *m) if (!valid_data) fatal("%s: bad signature data blob", __func__); 
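Review bot: Dropping the `audit_event(SSH_INVALID_USER)` call from `getpwnamallow()` removes the only emission of that event visible in this patch, so audit backends or consumers that counted invalid-user attempts from it get no signal for a nonexistent username any more; if no other site raises `SSH_INVALID_USER`, the enum value and its `event_lookup` entry become dead code. The patch description should say which event now covers this case (presumably the failed-authentication event carrying the `"(unknown)"` username from `audit_username()`), or the unused event should be removed together with this call. `getpwnamallow()` starts and ends outside this hunk.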
@@ -1261,7 +1291,7 @@ index aa70945..bdabe21 100644 debug3("%s: key %p signature %s", __func__, key, (verified == 1) ? "verified" : "unverified"); -@@ -1473,6 +1513,12 @@ mm_session_close(Session *s) +@@ -1476,6 +1516,12 @@ mm_session_close(Session *s) debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); session_pty_cleanup2(s); } @@ -1274,7 +1304,7 @@ index aa70945..bdabe21 100644 session_unused(s->self); } -@@ -1753,6 +1799,8 @@ mm_answer_term(int sock, Buffer *req) +@@ -1756,6 +1802,8 @@ mm_answer_term(int sock, Buffer *req) sshpam_cleanup(); #endif @@ -1283,7 +1313,7 @@ index aa70945..bdabe21 100644 while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1); -@@ -1795,11 +1843,43 @@ mm_answer_audit_command(int socket, Buffer *m) +@@ -1798,11 +1846,43 @@ mm_answer_audit_command(int socket, Buffer *m) { u_int len; char *cmd; @@ -1328,7 +1358,7 @@ index aa70945..bdabe21 100644 free(cmd); return (0); } -@@ -1943,11 +2023,13 @@ mm_get_keystate(struct monitor *pmonitor) +@@ -1946,11 +2026,13 @@ mm_get_keystate(struct monitor *pmonitor) blob = buffer_get_string(&m, &bloblen); current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); @@ -1342,7 +1372,7 @@ index aa70945..bdabe21 100644 free(blob); /* Now get sequence numbers for the packets */ -@@ -1993,6 +2075,21 @@ mm_get_keystate(struct monitor *pmonitor) +@@ -1996,6 +2078,21 @@ mm_get_keystate(struct monitor *pmonitor) } buffer_free(&m); @@ -1364,7 +1394,7 @@ index aa70945..bdabe21 100644 } -@@ -2274,3 +2371,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { +@@ -2277,3 +2374,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { #endif /* GSSAPI */ @@ -1860,7 +1890,7 @@ index f8edf85..c36c812 100644 +void packet_destroy_all(int, int); #endif /* PACKET_H */ diff --git a/session.c b/session.c -index e4add93..626a642 100644 +index df43592..b186ca1 100644 --- a/session.c +++ b/session.c @@ -138,7 +138,7 @@ extern int log_stderr; 
@@ -1921,7 +1951,7 @@ index e4add93..626a642 100644 /* Force a password change */ if (s->authctxt->force_pwchange) { -@@ -1932,6 +1947,7 @@ session_unused(int id) +@@ -1933,6 +1948,7 @@ session_unused(int id) sessions[id].ttyfd = -1; sessions[id].ptymaster = -1; sessions[id].x11_chanids = NULL; @@ -1929,7 +1959,7 @@ index e4add93..626a642 100644 sessions[id].next_unused = sessions_first_unused; sessions_first_unused = id; } -@@ -2014,6 +2030,19 @@ session_open(Authctxt *authctxt, int chanid) +@@ -2015,6 +2031,19 @@ session_open(Authctxt *authctxt, int chanid) } Session * @@ -1949,7 +1979,7 @@ index e4add93..626a642 100644 session_by_tty(char *tty) { int i; -@@ -2530,6 +2559,30 @@ session_exit_message(Session *s, int status) +@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status) chan_write_failed(c); } @@ -1980,7 +2010,7 @@ index e4add93..626a642 100644 void session_close(Session *s) { -@@ -2538,6 +2591,10 @@ session_close(Session *s) +@@ -2539,6 +2592,10 @@ session_close(Session *s) debug("session_close: session %d pid %ld", s->self, (long)s->pid); if (s->ttyfd != -1) session_pty_cleanup(s); @@ -1991,7 +2021,7 @@ index e4add93..626a642 100644 free(s->term); free(s->display); free(s->x11_chanids); -@@ -2752,6 +2809,15 @@ do_authenticated2(Authctxt *authctxt) +@@ -2753,6 +2810,15 @@ do_authenticated2(Authctxt *authctxt) server_loop2(authctxt); } @@ -2007,7 +2037,7 @@ index e4add93..626a642 100644 void do_cleanup(Authctxt *authctxt) { -@@ -2800,5 +2866,5 @@ do_cleanup(Authctxt *authctxt) +@@ -2801,5 +2867,5 @@ do_cleanup(Authctxt *authctxt) * or if running in monitor. */ if (!use_privsep || mm_is_monitor()) @@ -2043,7 +2073,7 @@ index 6a2f35e..e9b312e 100644 void session_close(Session *); void do_setusercontext(struct passwd *); diff --git a/sshd.c b/sshd.c -index 512c7ed..b561ec8 100644 +index 8a0740a..2813aa2 100644 --- a/sshd.c +++ b/sshd.c @@ -119,6 +119,7 @@ diff --git a/openssh.spec b/openssh.spec index 9d2b5e4..9d662d3 100644 --- a/openssh.spec 
+++ b/openssh.spec @@ -64,14 +64,14 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 6.6.1p1 -%define openssh_rel 5 +%define openssh_rel 6 %define pam_ssh_agent_ver 0.9.3 %define pam_ssh_agent_rel 3 Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh Version: %{openssh_ver} -Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1 +Release: %{openssh_rel}%{?dist}%{?rescue_rel} URL: http://www.openssh.com/portable.html #URL1: http://pamsshagentauth.sourceforge.net # Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz @@ -207,6 +207,8 @@ Patch914: openssh-6.6.1p1-servconf-parser.patch # Ignore SIGXFSZ in postauth monitor # https://bugzilla.mindrot.org/show_bug.cgi?id=2263 Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch +# privsep_preauth: use SELinux context from selinux-policy (#1008580) +Patch916: openssh-6.6.1p1-selinux-contexts.patch License: BSD @@ -246,8 +248,8 @@ BuildRequires: libedit-devel ncurses-devel %endif %if %{WITH_SELINUX} -Requires: libselinux >= 1.27.7 -BuildRequires: libselinux-devel >= 1.27.7 +Requires: libselinux >= 2.3-5 +BuildRequires: libselinux-devel >= 2.3-5 Requires: audit-libs >= 1.0.8 BuildRequires: audit-libs >= 1.0.8 %endif @@ -417,6 +419,7 @@ popd %patch913 -p1 -b .partial-success %patch914 -p1 -b .servconf %patch915 -p1 -b .SIGXFSZ +%patch916 -p1 -b .contexts %patch200 -p1 -b .audit %patch700 -p1 -b .fips 
@@ -729,6 +732,15 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Tue Nov 04 2014 Petr Lautrbach 6.6.1p1-6 + 0.9.3-3 +- privsep_preauth: use SELinux context from selinux-policy (#1008580) +- change audit trail for unknown users (mindrot#2245) +- fix kuserok patch which checked for the existence of .k5login + unconditionally and hence prevented other mechanisms to be used properly +- revert the default of KerberosUseKuserok back to yes (#1153076) +- ignore SIGXFSZ in postauth monitor (mindrot#2263) +- sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode + * Mon Sep 08 2014 Petr Lautrbach 6.6.1p1-5 + 0.9.3-3 - set a client's address right after a connection is set (mindrot#2257) - apply RFC3454 stringprep to banners when possible (mindrot#2058)