Merge remote-tracking branch 'origin/master' into f21
commit
d64ab980a2
@ -0,0 +1,118 @@
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
index 0077dd7..e3f2ced 100644
--- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c
@@ -31,6 +31,7 @@
#include "xmalloc.h"
#include "servconf.h"
#include "port-linux.h"
+#include "misc.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname)
void
sshd_selinux_copy_context(void)
{
- security_context_t *ctx;
+ char *ctx;
|
if (!sshd_selinux_enabled())
return;
@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void)
}
}
|
+void
+sshd_selinux_change_privsep_preauth_context(void)
+{
+ int len;
+ char line[1024], *preauth_context = NULL, *cp, *arg;
+ const char *contexts_path;
+ FILE *contexts_file;
+
+ contexts_path = selinux_openssh_contexts_path();
+ if (contexts_path != NULL) {
+ if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
+ struct stat sb;
+
+ if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
+ while (fgets(line, sizeof(line), contexts_file)) {
+ /* Strip trailing whitespace */
+ for (len = strlen(line) - 1; len > 0; len--) {
+ if (strchr(" \t\r\n", line[len]) == NULL)
+ break;
+ line[len] = '\0';
+ }
+
+ if (line[0] == '\0')
+ continue;
+
+ cp = line;
+ arg = strdelim(&cp);
+ if (*arg == '\0')
+ arg = strdelim(&cp);
+
+ if (strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0') {
+ debug("%s: privsep_preauth is empty", __func__);
+ fclose(contexts_file);
+ return;
+ }
+ preauth_context = xstrdup(arg);
+ }
+ }
+ }
+ fclose(contexts_file);
+ }
+ }
+
+ if (preauth_context == NULL)
+ preauth_context = xstrdup("sshd_net_t");
+
+ ssh_selinux_change_context(preauth_context);
+ free(preauth_context);
+}
+
#endif
#endif
|
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 22ea8ef..1fc963d 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
strlcpy(newctx + len, newname, newlen - len);
if ((cx = index(cx + 1, ':')))
strlcat(newctx, cx, newlen);
- debug3("%s: setting context from '%s' to '%s'", __func__,
+ debug("%s: setting context from '%s' to '%s'", __func__,
oldctx, newctx);
if (setcon(newctx) < 0)
switchlog("%s: setcon %s from %s failed with %s", __func__,
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index cb51f99..8b7cda2 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_change_privsep_preauth_context(void);
#endif
|
#ifdef LINUX_OOM_ADJUST
diff --git a/sshd.c b/sshd.c
index 512c7ed..3eee75a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -637,7 +637,7 @@ privsep_preauth_child(void)
demote_sensitive_data();
|
#ifdef WITH_SELINUX
- ssh_selinux_change_context("sshd_net_t");
+ sshd_selinux_change_privsep_preauth_context();
#endif
|
/* Change our root directory */
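Review bot: The first two `strdelim(&cp)` results in sshd_selinux_change_privsep_preauth_context() — `arg = strdelim(&cp);` and the re-read after `if (*arg == '\0')` — are dereferenced and passed to strcmp() without a NULL test, whereas the third call is guarded with `if (!arg || *arg == '\0')`, so the author already expects NULL from this tokenizer; a line it rejects (misc.c's strdelim returns NULL on an unmatched quote, if I recall it correctly) would crash the privsep preauth child before any context switch. I would make the guards uniform: `if ((arg = strdelim(&cp)) == NULL) continue;` for the first read and `if (arg == NULL || *arg == '\0') continue;` after the second. The fstat()-on-open-fd check for root ownership and no group/world write bits is the right way to bound who can influence the contexts file, but it says nothing about what a malformed line does once the file is trusted. The file header of this section is not visible here; the function itself is complete within the hunk.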
@ -486,7 +486,7 @@ index b3ee2f4..946f7fa 100644
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/audit.c b/audit.c
index ced57fa..b806f03 100644
index ced57fa..ab9fb82 100644
--- a/audit.c
+++ b/audit.c
@@ -28,6 +28,7 @@
|
@ -507,7 +507,23 @@ index ced57fa..b806f03 100644
|
/*
* Care must be taken when using this since it WILL NOT be initialized when
@@ -111,6 +115,40 @@ audit_event_lookup(ssh_audit_event_t ev)
@@ -71,13 +75,10 @@ audit_classify_auth(const char *method)
const char *
audit_username(void)
{
- static const char unknownuser[] = "(unknown user)";
- static const char invaliduser[] = "(invalid user)";
+ static const char unknownuser[] = "(unknown)";
|
- if (the_authctxt == NULL || the_authctxt->user == NULL)
+ if (the_authctxt == NULL || the_authctxt->user == NULL || !the_authctxt->valid)
return (unknownuser);
- if (!the_authctxt->valid)
- return (invaliduser);
return (the_authctxt->user);
}
|
@@ -111,6 +112,40 @@ audit_event_lookup(ssh_audit_event_t ev)
return(event_lookup[i].name);
}
|
|
@ -548,7 +564,7 @@ index ced57fa..b806f03 100644
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
@@ -140,6 +178,17 @@ audit_event(ssh_audit_event_t event)
@@ -140,6 +175,17 @@ audit_event(ssh_audit_event_t event)
}
|
/*
|
@ -566,7 +582,7 @@ index ced57fa..b806f03 100644
* Called when a user session is started. Argument is the tty allocated to
* the session, or NULL if no tty was allocated.
*
@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li)
@@ -174,13 +220,91 @@ audit_session_close(struct logininfo *li)
/*
* This will be called when a user runs a non-interactive command. Note that
* it may be called multiple times for a single connection since SSH2 allows
|
@ -795,6 +811,20 @@ index 5dad6c3..f225b0b 100644
}
|
/*
diff --git a/auth.c b/auth.c
index 420a85b..d613f8c 100644
--- a/auth.c
+++ b/auth.c
@@ -628,9 +628,6 @@ getpwnamallow(const char *user)
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
-#ifdef SSH_AUDIT_EVENTS
- audit_event(SSH_INVALID_USER);
-#endif /* SSH_AUDIT_EVENTS */
return (NULL);
}
if (!allowed_user(pw))
diff --git a/auth.h b/auth.h
index 4605588..f9d191c 100644
--- a/auth.h
|
@ -880,7 +910,7 @@ index cb0f931..6d1c872 100644
match_principals_option(const char *principal_list, struct KeyCert *cert)
{
diff --git a/auth2.c b/auth2.c
index 0f52b68..472a5b2 100644
index 426dcd6..436cd60 100644
--- a/auth2.c
+++ b/auth2.c
@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
|
@ -1143,7 +1173,7 @@ index fbe18c4..7dc7f43 100644
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff --git a/monitor.c b/monitor.c
index aa70945..bdabe21 100644
index 8b18086..5a65114 100644
--- a/monitor.c
+++ b/monitor.c
@@ -97,6 +97,7 @@
|
@ -1221,7 +1251,7 @@ index aa70945..bdabe21 100644
#endif
{0, 0, NULL}
};
@@ -1390,9 +1416,11 @@ mm_answer_keyverify(int sock, Buffer *m)
@@ -1393,9 +1419,11 @@ mm_answer_keyverify(int sock, Buffer *m)
Key *key;
u_char *signature, *data, *blob;
u_int signaturelen, datalen, bloblen;
|
@ -1233,7 +1263,7 @@ index aa70945..bdabe21 100644
blob = buffer_get_string(m, &bloblen);
signature = buffer_get_string(m, &signaturelen);
data = buffer_get_string(m, &datalen);
@@ -1400,6 +1428,8 @@ mm_answer_keyverify(int sock, Buffer *m)
@@ -1403,6 +1431,8 @@ mm_answer_keyverify(int sock, Buffer *m)
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen))
fatal("%s: bad key, not previously allowed", __func__);
|
@ -1242,7 +1272,7 @@ index aa70945..bdabe21 100644
|
key = key_from_blob(blob, bloblen);
if (key == NULL)
@@ -1420,7 +1450,17 @@ mm_answer_keyverify(int sock, Buffer *m)
@@ -1423,7 +1453,17 @@ mm_answer_keyverify(int sock, Buffer *m)
if (!valid_data)
fatal("%s: bad signature data blob", __func__);
|
|
@ -1261,7 +1291,7 @@ index aa70945..bdabe21 100644
debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified");
|
@@ -1473,6 +1513,12 @@ mm_session_close(Session *s)
@@ -1476,6 +1516,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s);
}
|
@ -1274,7 +1304,7 @@ index aa70945..bdabe21 100644
session_unused(s->self);
}
|
@@ -1753,6 +1799,8 @@ mm_answer_term(int sock, Buffer *req)
@@ -1756,6 +1802,8 @@ mm_answer_term(int sock, Buffer *req)
sshpam_cleanup();
#endif
|
|
@ -1283,7 +1313,7 @@ index aa70945..bdabe21 100644
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
@@ -1795,11 +1843,43 @@ mm_answer_audit_command(int socket, Buffer *m)
@@ -1798,11 +1846,43 @@ mm_answer_audit_command(int socket, Buffer *m)
{
u_int len;
char *cmd;
|
@ -1328,7 +1358,7 @@ index aa70945..bdabe21 100644
free(cmd);
return (0);
}
@@ -1943,11 +2023,13 @@ mm_get_keystate(struct monitor *pmonitor)
@@ -1946,11 +2026,13 @@ mm_get_keystate(struct monitor *pmonitor)
|
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
|
@ -1342,7 +1372,7 @@ index aa70945..bdabe21 100644
free(blob);
|
/* Now get sequence numbers for the packets */
@@ -1993,6 +2075,21 @@ mm_get_keystate(struct monitor *pmonitor)
@@ -1996,6 +2078,21 @@ mm_get_keystate(struct monitor *pmonitor)
}
|
buffer_free(&m);
|
@ -1364,7 +1394,7 @@ index aa70945..bdabe21 100644
}
|
|
@@ -2274,3 +2371,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
@@ -2277,3 +2374,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
|
#endif /* GSSAPI */
|
|
@ -1860,7 +1890,7 @@ index f8edf85..c36c812 100644
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
diff --git a/session.c b/session.c
index e4add93..626a642 100644
index df43592..b186ca1 100644
--- a/session.c
+++ b/session.c
@@ -138,7 +138,7 @@ extern int log_stderr;
|
@ -1921,7 +1951,7 @@ index e4add93..626a642 100644
|
/* Force a password change */
if (s->authctxt->force_pwchange) {
@@ -1932,6 +1947,7 @@ session_unused(int id)
@@ -1933,6 +1948,7 @@ session_unused(int id)
sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL;
|
@ -1929,7 +1959,7 @@ index e4add93..626a642 100644
sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id;
}
@@ -2014,6 +2030,19 @@ session_open(Authctxt *authctxt, int chanid)
@@ -2015,6 +2031,19 @@ session_open(Authctxt *authctxt, int chanid)
}
|
Session *
|
@ -1949,7 +1979,7 @@ index e4add93..626a642 100644
session_by_tty(char *tty)
{
int i;
@@ -2530,6 +2559,30 @@ session_exit_message(Session *s, int status)
@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status)
chan_write_failed(c);
}
|
|
@ -1980,7 +2010,7 @@ index e4add93..626a642 100644
void
session_close(Session *s)
{
@@ -2538,6 +2591,10 @@ session_close(Session *s)
@@ -2539,6 +2592,10 @@ session_close(Session *s)
debug("session_close: session %d pid %ld", s->self, (long)s->pid);
if (s->ttyfd != -1)
session_pty_cleanup(s);
|
@ -1991,7 +2021,7 @@ index e4add93..626a642 100644
free(s->term);
free(s->display);
free(s->x11_chanids);
@@ -2752,6 +2809,15 @@ do_authenticated2(Authctxt *authctxt)
@@ -2753,6 +2810,15 @@ do_authenticated2(Authctxt *authctxt)
server_loop2(authctxt);
}
|
|
@ -2007,7 +2037,7 @@ index e4add93..626a642 100644
void
do_cleanup(Authctxt *authctxt)
{
@@ -2800,5 +2866,5 @@ do_cleanup(Authctxt *authctxt)
@@ -2801,5 +2867,5 @@ do_cleanup(Authctxt *authctxt)
* or if running in monitor.
*/
if (!use_privsep || mm_is_monitor())
|
@ -2043,7 +2073,7 @@ index 6a2f35e..e9b312e 100644
void session_close(Session *);
void do_setusercontext(struct passwd *);
diff --git a/sshd.c b/sshd.c
index 512c7ed..b561ec8 100644
index 8a0740a..2813aa2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -119,6 +119,7 @@
|
20
openssh.spec
20
openssh.spec
@ -64,14 +64,14 @@
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 6.6.1p1
%define openssh_rel 5
%define openssh_rel 6
%define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 3
|
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}%{?rescue_rel}.1
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#URL1: http://pamsshagentauth.sourceforge.net
# Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
@ -207,6 +207,8 @@ Patch914: openssh-6.6.1p1-servconf-parser.patch
# Ignore SIGXFSZ in postauth monitor
# https://bugzilla.mindrot.org/show_bug.cgi?id=2263
Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
Patch916: openssh-6.6.1p1-selinux-contexts.patch
|
|
License: BSD
|
@ -246,8 +248,8 @@ BuildRequires: libedit-devel ncurses-devel
%endif
|
%if %{WITH_SELINUX}
Requires: libselinux >= 1.27.7
BuildRequires: libselinux-devel >= 1.27.7
Requires: libselinux >= 2.3-5
BuildRequires: libselinux-devel >= 2.3-5
Requires: audit-libs >= 1.0.8
BuildRequires: audit-libs >= 1.0.8
%endif
|
@ -417,6 +419,7 @@ popd
%patch913 -p1 -b .partial-success
%patch914 -p1 -b .servconf
%patch915 -p1 -b .SIGXFSZ
%patch916 -p1 -b .contexts
|
%patch200 -p1 -b .audit
%patch700 -p1 -b .fips
|
@ -729,6 +732,15 @@ getent passwd sshd >/dev/null || \
%endif
|
%changelog
* Tue Nov 04 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-6 + 0.9.3-3
- privsep_preauth: use SELinux context from selinux-policy (#1008580)
- change audit trail for unknown users (mindrot#2245)
- fix kuserok patch which checked for the existence of .k5login
unconditionally and hence prevented other mechanisms to be used properly
- revert the default of KerberosUseKuserok back to yes (#1153076)
- ignore SIGXFSZ in postauth monitor (mindrot#2263)
- sshd-keygen - don't generate DSA and ED25519 host keys in FIPS mode
|
* Mon Sep 08 2014 Petr Lautrbach <plautrba@redhat.com> 6.6.1p1-5 + 0.9.3-3
- set a client's address right after a connection is set (mindrot#2257)
- apply RFC3454 stringprep to banners when possible (mindrot#2058)
|