rpms
/
openssh
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

OpenSSH release update 

Resolves: rhbz#1950819
8.5p1 => 8.6p1
This commit is contained in:
Dmitry Belyavskiy 2021-04-19 17:17:19 +02:00
parent 446f300da0
commit f32b842272
12 changed files with 2045 additions and 2116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -48,3 +48,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-8.5p1.tar.gz
/openssh-8.5p1.tar.gz.asc
/gpgkey-736060BA.gpg
/openssh-8.6p1.tar.gz
/openssh-8.6p1.tar.gz.asc

29
openssh-4.3p2-askpass-grab-info.patch
View File

@ -1,19 +1,18 @@
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c
--- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info 2021-04-19 13:57:11.720113536 +0200
+++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c 2021-04-19 13:59:29.842163204 +0200
@@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
GTK_MESSAGE_ERROR,
GTK_BUTTONS_CLOSE,
- "Could not grab %s. "
- "A malicious client may be eavesdropping "
- "on your session.", what);
+ "SSH password dialog could not grab the %s input.\n"
+ "This might be caused by application such as screensaver, "
+ "however it could also mean that someone may be eavesdropping "
+ "on your session.\n"
+ "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what);
GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
- "Could not grab %s. A malicious client may be eavesdropping "
- "on your session.", what);
+ "SSH password dialog could not grab the %s input.\n"
+ "This might be caused by application such as screensaver, "
+ "however it could also mean that someone may be eavesdropping "
+ "on your session.\n"
+ "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_dialog_run(GTK_DIALOG(err));

2
openssh-5.1p1-askpass-progress.patch
View File

@ -60,7 +60,7 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
if (prompt_type == PROMPT_ENTRY) {
@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
g_signal_connect(G_OBJECT(entry), "key_press_event",
G_CALLBACK(check_none), dialog);
G_CALLBACK(check_none), dialog);
}
+
+ hbox = gtk_hbox_new(FALSE, 0);

100
openssh-6.6.1p1-log-in-chroot.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
--- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200
@@ -194,6 +194,11 @@ void
log_init(const char *av0, LogLevel level, SyslogFacility facility,
int on_stderr)
{
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
@@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
exit(1);
}
@ -26,21 +26,21 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
log_on_stderr = on_stderr;
if (on_stderr)
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
@@ -49,6 +49,7 @@ typedef enum {
const char *, void *);
diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
--- openssh-8.6p1/log.h.log-in-chroot 2021-04-19 14:43:08.544843434 +0200
+++ openssh-8.6p1/log.h 2021-04-19 14:56:46.931042176 +0200
@@ -52,6 +52,7 @@ typedef enum {
typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
void log_init(const char *, LogLevel, SyslogFacility, int);
+void log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
LogLevel log_level_get(void);
int log_change_level(LogLevel);
int log_is_on_stderr(void);
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
--- openssh-8.6p1/monitor.c.log-in-chroot 2021-04-19 14:43:08.526843298 +0200
+++ openssh-8.6p1/monitor.c 2021-04-19 14:55:25.286424043 +0200
@@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -49,7 +49,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
authctxt = (Authctxt *)ssh->authctxt;
memset(authctxt, 0, sizeof(*authctxt));
ssh->authctxt = authctxt;
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
@@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1;
@ -58,16 +58,16 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
monitor_set_child_handler(pmonitor->m_pid);
ssh_signal(SIGHUP, &monitor_child_handler);
ssh_signal(SIGTERM, &monitor_child_handler);
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
@@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
/* Log it */
if (log_level_name(level) == NULL)
fatal_f("invalid log level %u (corrupted message?)", level);
- sshlog(file, func, line, 0, level, NULL, "%s [preauth]", msg);
+ sshlog(file, func, line, 0, level, NULL, "%s [%s]", msg, pmonitor->m_state);
- sshlogdirect(level, forced, "%s [preauth]", msg);
+ sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
sshbuf_free(logmsg);
free(file);
@@ -1719,13 +1723,28 @@ monitor_init(void)
free(msg);
@@ -1868,13 +1872,28 @@ monitor_init(void)
mon = xcalloc(1, sizeof(*mon));
monitor_openfds(mon, 1);
@ -98,10 +98,10 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
}
#ifdef GSSAPI
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
--- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100
+++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100
@@ -83,10 +83,11 @@ struct monitor {
diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
--- openssh-8.6p1/monitor.h.log-in-chroot 2021-04-19 14:43:08.527843305 +0200
+++ openssh-8.6p1/monitor.h 2021-04-19 14:43:08.545843441 +0200
@@ -80,10 +80,11 @@ struct monitor {
int m_log_sendfd;
struct kex **m_pkex;
pid_t m_pid;
@ -114,9 +114,9 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
struct Authctxt;
void monitor_child_preauth(struct ssh *, struct monitor *);
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100
diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
--- openssh-8.6p1/session.c.log-in-chroot 2021-04-19 14:43:08.534843358 +0200
+++ openssh-8.6p1/session.c 2021-04-19 14:43:08.545843441 +0200
@@ -160,6 +160,7 @@ login_cap_t *lc;
static int is_child = 0;
@ -125,7 +125,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
/* File containing userauth info, if ExposeAuthInfo set */
static char *auth_info_file = NULL;
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
@@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
int ret;
const char *forced = NULL, *tty = NULL;
char session_type[1024];
@ -133,7 +133,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
if (options.adm_forced_command) {
original_command = command;
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
@@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
tty += 5;
}
@ -144,7 +144,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type,
tty == NULL ? "" : " on ",
@@ -1486,14 +1492,6 @@ child_close_fds(void)
@@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
/* Stop directing logs to a high-numbered fd before we close it */
log_redirect_stderr_to(NULL);
@ -159,7 +159,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
}
/*
@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
@@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
exit(1);
}
@ -168,7 +168,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
do_rc_files(ssh, s, shell);
/* restore SIGPIPE for child */
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
@@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
@ -187,9 +187,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
fflush(NULL);
/* Get the last component of the shell name. */
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100
diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
--- openssh-8.6p1/sftp.h.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/sftp.h 2021-04-19 14:43:08.545843441 +0200
@@ -97,5 +97,5 @@
struct passwd;
@ -197,10 +197,10 @@ diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
-int sftp_server_main(int, char **, struct passwd *);
+int sftp_server_main(int, char **, struct passwd *, int);
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
--- openssh-8.6p1/sftp-server.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/sftp-server.c 2021-04-19 14:43:08.545843441 +0200
@@ -1644,7 +1644,7 @@ sftp_server_usage(void)
}
int
@ -209,7 +209,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
{
fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname;
__progname = ssh_get_progname(argv[0]);
@ -218,7 +218,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
pw = pwcopy(user_pw);
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
@@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
}
}
@ -227,20 +227,20 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
/*
* On platforms where we can, avoid making /proc/self/{mem,maps}
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100
@@ -49,5 +49,5 @@ main(int argc, char **argv)
diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
--- openssh-8.6p1/sftp-server-main.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/sftp-server-main.c 2021-04-19 14:43:08.545843441 +0200
@@ -50,5 +50,5 @@ main(int argc, char **argv)
return 1;
}
- return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0));
}
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100
@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.log-in-chroot 2021-04-19 14:43:08.543843426 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:43:08.545843441 +0200
@@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
}
/* New socket pair */
@ -249,7 +249,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1)
@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
@@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1;

334
openssh-7.6p1-audit.patch
View File

@ -1,7 +1,7 @@
diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
--- openssh/audit-bsm.c.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/audit-bsm.c 2019-04-03 17:02:20.713886041 +0200
@@ -372,13 +372,26 @@ audit_connection_from(const char *host,
diff -up openssh-8.6p1/audit-bsm.c.audit openssh-8.6p1/audit-bsm.c
--- openssh-8.6p1/audit-bsm.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/audit-bsm.c 2021-04-19 16:47:35.753062106 +0200
@@ -373,13 +373,26 @@ audit_connection_from(const char *host,
#endif
}
@ -29,7 +29,7 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
audit_session_open(struct logininfo *li)
{
/* not implemented */
@@ -390,6 +403,12 @@ audit_session_close(struct logininfo *li
@@ -391,6 +404,12 @@ audit_session_close(struct logininfo *li
/* not implemented */
}
@ -42,7 +42,7 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
void
audit_event(struct ssh *ssh, ssh_audit_event_t event)
{
@@ -451,4 +470,28 @@ audit_event(struct ssh *ssh, ssh_audit_e
@@ -452,4 +471,28 @@ audit_event(struct ssh *ssh, ssh_audit_e
debug("%s: unhandled event %d", __func__, event);
}
}
@ -71,9 +71,9 @@ diff -up openssh/audit-bsm.c.audit openssh/audit-bsm.c
+ /* not implemented */
+}
#endif /* BSM */
diff -up openssh/audit.c.audit openssh/audit.c
--- openssh/audit.c.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/audit.c 2019-04-03 17:02:20.713886041 +0200
diff -up openssh-8.6p1/audit.c.audit openssh-8.6p1/audit.c
--- openssh-8.6p1/audit.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/audit.c 2021-04-19 16:47:35.753062106 +0200
@@ -34,6 +34,12 @@
#include "log.h"
#include "hostfile.h"
@ -251,9 +251,9 @@ diff -up openssh/audit.c.audit openssh/audit.c
}
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff -up openssh/audit.h.audit openssh/audit.h
--- openssh/audit.h.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/audit.h 2019-04-03 17:02:20.713886041 +0200
diff -up openssh-8.6p1/audit.h.audit openssh-8.6p1/audit.h
--- openssh-8.6p1/audit.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/audit.h 2021-04-19 16:47:35.753062106 +0200
@@ -26,6 +26,7 @@
# define _SSH_AUDIT_H
@ -296,9 +296,9 @@ diff -up openssh/audit.h.audit openssh/audit.h
+void audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
#endif /* _SSH_AUDIT_H */
diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
--- openssh/audit-linux.c.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/audit-linux.c 2019-04-03 17:02:20.713886041 +0200
diff -up openssh-8.6p1/audit-linux.c.audit openssh-8.6p1/audit-linux.c
--- openssh-8.6p1/audit-linux.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/audit-linux.c 2021-04-19 16:47:35.753062106 +0200
@@ -33,27 +33,40 @@
#include "log.h"
@ -669,9 +669,9 @@ diff -up openssh/audit-linux.c.audit openssh/audit-linux.c
+ error("cannot write into audit");
+}
#endif /* USE_LINUX_AUDIT */
diff -up openssh/auditstub.c.audit openssh/auditstub.c
--- openssh/auditstub.c.audit 2019-04-03 17:02:20.714886050 +0200
+++ openssh/auditstub.c 2019-04-03 17:02:20.714886050 +0200
diff -up openssh-8.6p1/auditstub.c.audit openssh-8.6p1/auditstub.c
--- openssh-8.6p1/auditstub.c.audit 2021-04-19 16:47:35.754062114 +0200
+++ openssh-8.6p1/auditstub.c 2021-04-19 16:47:35.754062114 +0200
@@ -0,0 +1,52 @@
+/* $Id: auditstub.c,v 1.1 jfch Exp $ */
+
@ -725,10 +725,10 @@ diff -up openssh/auditstub.c.audit openssh/auditstub.c
+audit_session_key_free_body(struct ssh *ssh, int ctos, pid_t pid, uid_t uid)
+{
+}
diff -up openssh/auth2.c.audit openssh/auth2.c
--- openssh/auth2.c.audit 2019-04-03 17:02:20.651885453 +0200
+++ openssh/auth2.c 2019-04-03 17:02:20.714886050 +0200
@@ -303,9 +303,6 @@ input_userauth_request(int type, u_int32
diff -up openssh-8.6p1/auth2.c.audit openssh-8.6p1/auth2.c
--- openssh-8.6p1/auth2.c.audit 2021-04-19 16:47:35.682061561 +0200
+++ openssh-8.6p1/auth2.c 2021-04-19 16:47:35.754062114 +0200
@@ -298,9 +298,6 @@ input_userauth_request(int type, u_int32
} else {
/* Invalid user, fake password information */
authctxt->pw = fakepw();
@ -738,9 +738,9 @@ diff -up openssh/auth2.c.audit openssh/auth2.c
}
#ifdef USE_PAM
if (options.use_pam)
diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
--- openssh/auth2-hostbased.c.audit 2019-04-03 17:02:20.612885083 +0200
+++ openssh/auth2-hostbased.c 2019-04-03 17:02:20.714886050 +0200
diff -up openssh-8.6p1/auth2-hostbased.c.audit openssh-8.6p1/auth2-hostbased.c
--- openssh-8.6p1/auth2-hostbased.c.audit 2021-04-19 16:47:35.656061361 +0200
+++ openssh-8.6p1/auth2-hostbased.c 2021-04-19 16:47:35.754062114 +0200
@@ -158,7 +158,7 @@ userauth_hostbased(struct ssh *ssh)
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
@ -771,10 +771,10 @@ diff -up openssh/auth2-hostbased.c.audit openssh/auth2-hostbased.c
/* return 1 if given hostkey is allowed */
int
hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.audit 2019-04-03 17:02:20.691885832 +0200
+++ openssh/auth2-pubkey.c 2019-04-03 17:02:20.714886050 +0200
@@ -219,7 +219,7 @@ userauth_pubkey(struct ssh *ssh)
diff -up openssh-8.6p1/auth2-pubkey.c.audit openssh-8.6p1/auth2-pubkey.c
--- openssh-8.6p1/auth2-pubkey.c.audit 2021-04-19 16:47:35.726061899 +0200
+++ openssh-8.6p1/auth2-pubkey.c 2021-04-19 16:47:35.754062114 +0200
@@ -213,7 +213,7 @@ userauth_pubkey(struct ssh *ssh)
/* test for correct signature */
authenticated = 0;
if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@ -783,7 +783,7 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
sshbuf_ptr(b), sshbuf_len(b),
(ssh->compat & SSH_BUG_SIGTYPE) == 0 ? pkalg : NULL,
ssh->compat, &sig_details)) == 0) {
@@ -278,6 +278,20 @@ done:
@@ -305,6 +305,20 @@ done:
return authenticated;
}
@ -804,10 +804,10 @@ diff -up openssh/auth2-pubkey.c.audit openssh/auth2-pubkey.c
static int
match_principals_option(const char *principal_list, struct sshkey_cert *cert)
{
diff -up openssh/auth.c.audit openssh/auth.c
--- openssh/auth.c.audit 2019-04-03 17:02:20.691885832 +0200
+++ openssh/auth.c 2019-04-03 17:02:20.714886050 +0200
@@ -366,7 +366,7 @@ auth_log(struct ssh *ssh, int authentica
diff -up openssh-8.6p1/auth.c.audit openssh-8.6p1/auth.c
--- openssh-8.6p1/auth.c.audit 2021-04-19 16:47:35.681061553 +0200
+++ openssh-8.6p1/auth.c 2021-04-19 16:47:35.754062114 +0200
@@ -367,7 +367,7 @@ auth_log(struct ssh *ssh, int authentica
# endif
#endif
#ifdef SSH_AUDIT_EVENTS
@ -816,7 +816,7 @@ diff -up openssh/auth.c.audit openssh/auth.c
audit_event(ssh, audit_classify_auth(method));
#endif
}
@@ -592,9 +592,6 @@ getpwnamallow(struct ssh *ssh, const cha
@@ -597,9 +597,6 @@ getpwnamallow(struct ssh *ssh, const cha
record_failed_login(ssh, user,
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
#endif
@ -826,10 +826,10 @@ diff -up openssh/auth.c.audit openssh/auth.c
return (NULL);
}
if (!allowed_user(ssh, pw))
diff -up openssh/auth.h.audit openssh/auth.h
--- openssh/auth.h.audit 2019-04-03 17:02:20.692885842 +0200
+++ openssh/auth.h 2019-04-03 17:02:20.714886050 +0200
@@ -195,6 +195,8 @@ struct passwd * getpwnamallow(struct ssh
diff -up openssh-8.6p1/auth.h.audit openssh-8.6p1/auth.h
--- openssh-8.6p1/auth.h.audit 2021-04-19 16:47:35.697061676 +0200
+++ openssh-8.6p1/auth.h 2021-04-19 16:47:35.754062114 +0200
@@ -193,6 +193,8 @@ struct passwd * getpwnamallow(struct ssh
char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *);
@ -838,7 +838,7 @@ diff -up openssh/auth.h.audit openssh/auth.h
FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int);
@@ -214,6 +216,8 @@ struct sshkey *get_hostkey_private_by_ty
@@ -212,6 +214,8 @@ struct sshkey *get_hostkey_private_by_ty
int get_hostkey_index(struct sshkey *, int, struct ssh *);
int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
u_char **, size_t *, const u_char *, size_t, const char *);
@ -847,10 +847,10 @@ diff -up openssh/auth.h.audit openssh/auth.h
/* Key / cert options linkage to auth layer */
const struct sshauthopt *auth_options(struct ssh *);
diff -up openssh/cipher.c.audit openssh/cipher.c
--- openssh/cipher.c.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/cipher.c 2019-04-03 17:02:20.714886050 +0200
@@ -61,25 +61,6 @@ struct sshcipher_ctx {
diff -up openssh-8.6p1/cipher.c.audit openssh-8.6p1/cipher.c
--- openssh-8.6p1/cipher.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/cipher.c 2021-04-19 16:47:35.755062122 +0200
@@ -64,25 +64,6 @@ struct sshcipher_ctx {
const struct sshcipher *cipher;
};
@ -876,7 +876,7 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
static const struct sshcipher ciphers[] = {
#ifdef WITH_OPENSSL
#ifndef OPENSSL_NO_DES
@@ -410,7 +391,7 @@ cipher_get_length(struct sshcipher_ctx *
@@ -422,7 +403,7 @@ cipher_get_length(struct sshcipher_ctx *
void
cipher_free(struct sshcipher_ctx *cc)
{
@ -885,10 +885,10 @@ diff -up openssh/cipher.c.audit openssh/cipher.c
return;
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
chachapoly_free(cc->cp_ctx);
diff -up openssh/cipher.h.audit openssh/cipher.h
--- openssh/cipher.h.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/cipher.h 2019-04-03 17:02:20.714886050 +0200
@@ -45,7 +45,25 @@
diff -up openssh-8.6p1/cipher.h.audit openssh-8.6p1/cipher.h
--- openssh-8.6p1/cipher.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/cipher.h 2021-04-19 16:47:35.755062122 +0200
@@ -47,7 +47,25 @@
#define CIPHER_ENCRYPT 1
#define CIPHER_DECRYPT 0
@ -915,10 +915,10 @@ diff -up openssh/cipher.h.audit openssh/cipher.h
struct sshcipher_ctx;
const struct sshcipher *cipher_by_name(const char *);
diff -up openssh/kex.c.audit openssh/kex.c
--- openssh/kex.c.audit 2019-04-03 17:02:20.652885462 +0200
+++ openssh/kex.c 2019-04-03 17:02:20.715886060 +0200
@@ -60,6 +60,7 @@
diff -up openssh-8.6p1/kex.c.audit openssh-8.6p1/kex.c
--- openssh-8.6p1/kex.c.audit 2021-04-19 16:47:35.743062030 +0200
+++ openssh-8.6p1/kex.c 2021-04-19 16:47:35.755062122 +0200
@@ -65,6 +65,7 @@
#include "ssherr.h"
#include "sshbuf.h"
#include "digest.h"
@ -926,7 +926,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -758,12 +759,16 @@ kex_start_rekex(struct ssh *ssh)
@@ -816,12 +817,16 @@ kex_start_rekex(struct ssh *ssh)
}
static int
@ -945,7 +945,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
if ((enc->cipher = cipher_by_name(name)) == NULL) {
error_f("unsupported cipher %s", name);
free(name);
@@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma
@@ -842,8 +847,12 @@ choose_mac(struct ssh *ssh, struct sshma
{
char *name = match_list(client, server, NULL);
@ -959,7 +959,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
if (mac_setup(mac, name) < 0) {
error_f("unsupported MAC %s", name);
free(name);
@@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma
@@ -856,12 +865,16 @@ choose_mac(struct ssh *ssh, struct sshma
}
static int
@ -978,7 +978,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
#ifdef WITH_ZLIB
if (strcmp(name, "zlib@openssh.com") == 0) {
comp->type = COMP_DELAYED;
@@ -933,7 +946,7 @@ kex_choose_conf(struct ssh *ssh)
@@ -1002,7 +1015,7 @@ kex_choose_conf(struct ssh *ssh)
nenc = ctos ? PROPOSAL_ENC_ALGS_CTOS : PROPOSAL_ENC_ALGS_STOC;
nmac = ctos ? PROPOSAL_MAC_ALGS_CTOS : PROPOSAL_MAC_ALGS_STOC;
ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;
@ -987,7 +987,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
sprop[nenc])) != 0) {
kex->failed_choice = peer[nenc];
peer[nenc] = NULL;
@@ -948,7 +961,7 @@ kex_choose_conf(struct ssh *ssh)
@@ -1017,7 +1030,7 @@ kex_choose_conf(struct ssh *ssh)
peer[nmac] = NULL;
goto out;
}
@ -996,7 +996,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
sprop[ncomp])) != 0) {
kex->failed_choice = peer[ncomp];
peer[ncomp] = NULL;
@@ -971,6 +984,10 @@ kex_choose_conf(struct ssh *ssh)
@@ -1040,6 +1053,10 @@ kex_choose_conf(struct ssh *ssh)
dh_need = MAXIMUM(dh_need, newkeys->enc.block_size);
dh_need = MAXIMUM(dh_need, newkeys->enc.iv_len);
dh_need = MAXIMUM(dh_need, newkeys->mac.key_len);
@ -1007,7 +1007,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
}
/* XXX need runden? */
kex->we_need = need;
@@ -1129,6 +1146,36 @@ dump_digest(const char *msg, const u_cha
@@ -1297,6 +1314,36 @@ dump_digest(const char *msg, const u_cha
}
#endif
@ -1044,9 +1044,9 @@ diff -up openssh/kex.c.audit openssh/kex.c
/*
* Send a plaintext error message to the peer, suffixed by \r\n.
* Only used during banner exchange, and there only for the server.
diff -up openssh/kex.h.audit openssh/kex.h
--- openssh/kex.h.audit 2019-04-03 17:02:20.652885462 +0200
+++ openssh/kex.h 2019-04-03 17:02:20.715886060 +0200
diff -up openssh-8.6p1/kex.h.audit openssh-8.6p1/kex.h
--- openssh-8.6p1/kex.h.audit 2021-04-19 16:47:35.683061568 +0200
+++ openssh-8.6p1/kex.h 2021-04-19 16:47:35.756062129 +0200
@@ -226,6 +226,8 @@ int kexgss_client(struct ssh *);
int kexgss_server(struct ssh *);
#endif
@ -1056,10 +1056,10 @@ diff -up openssh/kex.h.audit openssh/kex.h
int kex_dh_keypair(struct kex *);
int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **,
struct sshbuf **);
diff -up openssh/mac.c.audit openssh/mac.c
--- openssh/mac.c.audit 2019-04-03 17:02:20.652885462 +0200
+++ openssh/mac.c 2019-04-03 17:02:20.715886060 +0200
@@ -243,6 +243,20 @@ mac_clear(struct sshmac *mac)
diff -up openssh-8.6p1/mac.c.audit openssh-8.6p1/mac.c
--- openssh-8.6p1/mac.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/mac.c 2021-04-19 16:47:35.756062129 +0200
@@ -239,6 +239,20 @@ mac_clear(struct sshmac *mac)
mac->umac_ctx = NULL;
}
@ -1080,9 +1080,9 @@ diff -up openssh/mac.c.audit openssh/mac.c
/* XXX copied from ciphers_valid */
#define MAC_SEP ","
int
diff -up openssh/mac.h.audit openssh/mac.h
--- openssh/mac.h.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/mac.h 2019-04-03 17:02:20.715886060 +0200
diff -up openssh-8.6p1/mac.h.audit openssh-8.6p1/mac.h
--- openssh-8.6p1/mac.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/mac.h 2021-04-19 16:47:35.756062129 +0200
@@ -49,5 +49,6 @@ int mac_compute(struct sshmac *, u_int3
int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
const u_char *, size_t);
@ -1090,21 +1090,21 @@ diff -up openssh/mac.h.audit openssh/mac.h
+void mac_destroy(struct sshmac *);
#endif /* SSHMAC_H */
diff -up openssh/Makefile.in.audit openssh/Makefile.in
--- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200
+++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200
@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
diff -up openssh-8.6p1/Makefile.in.audit openssh-8.6p1/Makefile.in
--- openssh-8.6p1/Makefile.in.audit 2021-04-19 16:47:35.731061937 +0200
+++ openssh-8.6p1/Makefile.in 2021-04-19 16:47:35.756062129 +0200
@@ -112,7 +112,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kexsntrup761x25519.o sntrup761.o kexgen.o \
kexgssc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
- sshbuf-io.o
+ sshbuf-io.o auditstub.o
SKOBJS= ssh-sk-client.o
diff -up openssh/monitor.c.audit openssh/monitor.c
--- openssh/monitor.c.audit 2019-04-03 17:02:20.674885671 +0200
+++ openssh/monitor.c 2019-04-03 17:03:17.201421405 +0200
diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c
--- openssh-8.6p1/monitor.c.audit 2021-04-19 16:47:35.707061753 +0200
+++ openssh-8.6p1/monitor.c 2021-04-19 16:47:35.756062129 +0200
@@ -93,6 +93,7 @@
#include "compat.h"
#include "ssh2.h"
@ -1113,7 +1113,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
#include "match.h"
#include "ssherr.h"
#include "sk-api.h"
@@ -107,6 +108,8 @@ extern u_char session_id[];
@@ -107,6 +108,8 @@ extern u_int utmp_len;
extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */
@ -1157,7 +1157,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
#endif
{0, 0, NULL}
};
@@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int
@@ -1444,8 +1461,10 @@ mm_answer_keyverify(struct ssh *ssh, int
int r, ret, req_presence = 0, req_verify = 0, valid_data = 0;
int encoded_ret;
struct sshkey_sig_details *sig_details = NULL;
@ -1169,7 +1169,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
(r = sshbuf_get_string_direct(m, &signature, &signaturelen)) != 0 ||
(r = sshbuf_get_string_direct(m, &data, &datalen)) != 0 ||
(r = sshbuf_get_cstring(m, &sigalg, NULL)) != 0)
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
@@ -1454,6 +1473,8 @@ mm_answer_keyverify(struct ssh *ssh, int
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen))
fatal_f("bad key, not previously allowed");
@ -1178,7 +1178,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
/* Empty signature algorithm means NULL. */
if (*sigalg == '\0') {
@@ -1470,27 +1491,30 @@ mm_answer_keyverify(struct ssh *ssh, int
@@ -1469,14 +1490,19 @@ mm_answer_keyverify(struct ssh *ssh, int
case MM_USERKEY:
valid_data = monitor_valid_userblob(ssh, data, datalen);
auth_method = "publickey";
@ -1198,11 +1198,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
break;
}
if (!valid_data)
fatal_f("bad %s signature data blob",
key_blobtype == MM_USERKEY ? "userkey" :
(key_blobtype == MM_HOSTKEY ? "hostkey" : "unknown"));
if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
@@ -1488,8 +1514,6 @@ mm_answer_keyverify(struct ssh *ssh, int
SSH_FP_DEFAULT)) == NULL)
fatal_f("sshkey_fingerprint failed");
@ -1211,7 +1207,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
debug3_f("%s %p signature %s%s%s", auth_method, key,
(ret == 0) ? "verified" : "unverified",
(ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
@@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session
}
static void
@ -1232,7 +1228,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
session_unused(s->self);
}
@@ -1609,7 +1639,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
@@ -1649,7 +1679,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
error:
if (s != NULL)
@ -1241,7 +1237,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
if ((r = sshbuf_put_u32(m, 0)) != 0)
fatal_fr(r, "assemble 0");
mm_request_send(sock, MONITOR_ANS_PTY, m);
@@ -1628,7 +1658,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
@@ -1668,7 +1698,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
fatal_fr(r, "parse tty");
if ((s = session_by_tty(tty)) != NULL)
@ -1250,7 +1246,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
sshbuf_reset(m);
free(tty);
return (0);
@@ -1650,6 +1680,8 @@ mm_answer_term(struct ssh *ssh, int sock
@@ -1690,6 +1720,8 @@ mm_answer_term(struct ssh *ssh, int sock
sshpam_cleanup();
#endif
@ -1259,7 +1255,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
@@ -1696,12 +1728,47 @@ mm_answer_audit_command(struct ssh *ssh,
@@ -1736,12 +1768,47 @@ mm_answer_audit_command(struct ssh *ssh,
{
char *cmd;
int r;
@ -1308,7 +1304,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
free(cmd);
return (0);
}
@@ -1767,6 +1834,7 @@ monitor_apply_keystate(struct ssh *ssh,
@@ -1813,6 +1880,7 @@ monitor_apply_keystate(struct ssh *ssh,
void
mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
{
@ -1316,7 +1312,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
debug3_f("Waiting for new keys");
if ((child_state = sshbuf_new()) == NULL)
@@ -1774,6 +1842,19 @@ mm_get_keystate(struct ssh *ssh, struct
@@ -1820,6 +1888,19 @@ mm_get_keystate(struct ssh *ssh, struct
mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
child_state);
debug3_f("GOT new keys");
@ -1336,7 +1332,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
}
@@ -2066,3 +2147,102 @@ mm_answer_gss_updatecreds(struct ssh *ss
@@ -2111,3 +2192,102 @@ mm_answer_gss_updatecreds(struct ssh *ss
#endif /* GSSAPI */
@ -1439,9 +1435,9 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
+ return 0;
+}
+#endif /* SSH_AUDIT_EVENTS */
diff -up openssh/monitor.h.audit openssh/monitor.h
--- openssh/monitor.h.audit 2019-04-03 17:02:20.674885671 +0200
+++ openssh/monitor.h 2019-04-03 17:02:20.715886060 +0200
diff -up openssh-8.6p1/monitor.h.audit openssh-8.6p1/monitor.h
--- openssh-8.6p1/monitor.h.audit 2021-04-19 16:47:35.707061753 +0200
+++ openssh-8.6p1/monitor.h 2021-04-19 16:47:35.757062137 +0200
@@ -65,7 +65,13 @@ enum monitor_reqtype {
MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@ -1457,10 +1453,10 @@ diff -up openssh/monitor.h.audit openssh/monitor.h
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
--- openssh/monitor_wrap.c.audit 2019-04-03 17:02:20.653885472 +0200
+++ openssh/monitor_wrap.c 2019-04-03 17:02:20.716886069 +0200
@@ -513,7 +513,7 @@ mm_key_allowed(enum mm_keytype type, con
diff -up openssh-8.6p1/monitor_wrap.c.audit openssh-8.6p1/monitor_wrap.c
--- openssh-8.6p1/monitor_wrap.c.audit 2021-04-19 16:47:35.685061584 +0200
+++ openssh-8.6p1/monitor_wrap.c 2021-04-19 16:47:35.757062137 +0200
@@ -520,7 +520,7 @@ mm_key_allowed(enum mm_keytype type, con
*/
int
@ -1469,7 +1465,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
const u_char *data, size_t datalen, const char *sigalg, u_int compat,
struct sshkey_sig_details **sig_detailsp)
{
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
@@ -536,7 +536,8 @@ mm_sshkey_verify(const struct sshkey *ke
*sig_detailsp = NULL;
if ((m = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
@ -1479,7 +1475,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
(r = sshbuf_put_string(m, sig, siglen)) != 0 ||
(r = sshbuf_put_string(m, data, datalen)) != 0 ||
(r = sshbuf_put_cstring(m, sigalg == NULL ? "" : sigalg)) != 0)
@@ -547,6 +548,22 @@ mm_sshkey_verify(const struct sshkey *ke
@@ -569,6 +570,22 @@ mm_sshkey_verify(const struct sshkey *ke
return 0;
}
@ -1502,7 +1498,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
void
mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
{
@@ -900,11 +915,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi
@@ -921,11 +938,12 @@ mm_audit_event(struct ssh *ssh, ssh_audi
sshbuf_free(m);
}
@ -1517,7 +1513,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
debug3("%s entering command %s", __func__, command);
@@ -914,6 +930,30 @@ mm_audit_run_command(const char *command
@@ -935,6 +953,30 @@ mm_audit_run_command(const char *command
fatal("%s: buffer error: %s", __func__, ssh_err(r));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, m);
@ -1548,7 +1544,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
sshbuf_free(m);
}
#endif /* SSH_AUDIT_EVENTS */
@@ -1074,3 +1114,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
@@ -1095,3 +1137,83 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
}
#endif /* GSSAPI */
@ -1632,10 +1628,10 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
+ sshbuf_free(m);
+}
+#endif /* SSH_AUDIT_EVENTS */
diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
--- openssh/monitor_wrap.h.audit 2019-04-03 17:02:20.653885472 +0200
+++ openssh/monitor_wrap.h 2019-04-03 17:02:20.716886069 +0200
@@ -57,7 +57,9 @@ int mm_user_key_allowed(struct ssh *, st
diff -up openssh-8.6p1/monitor_wrap.h.audit openssh-8.6p1/monitor_wrap.h
--- openssh-8.6p1/monitor_wrap.h.audit 2021-04-19 16:47:35.685061584 +0200
+++ openssh-8.6p1/monitor_wrap.h 2021-04-19 16:47:35.757062137 +0200
@@ -61,7 +61,9 @@ int mm_user_key_allowed(struct ssh *, st
struct sshauthopt **);
int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
const char *, struct sshkey *);
@ -1646,7 +1642,7 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **);
#ifdef GSSAPI
@@ -82,7 +84,12 @@ void mm_sshpam_free_ctx(void *);
@@ -86,7 +88,12 @@ void mm_sshpam_free_ctx(void *);
#ifdef SSH_AUDIT_EVENTS
#include "audit.h"
void mm_audit_event(struct ssh *, ssh_audit_event_t);
@ -1660,10 +1656,10 @@ diff -up openssh/monitor_wrap.h.audit openssh/monitor_wrap.h
#endif
struct Session;
diff -up openssh/packet.c.audit openssh/packet.c
--- openssh/packet.c.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/packet.c 2019-04-03 17:02:20.716886069 +0200
@@ -77,6 +77,7 @@
diff -up openssh-8.6p1/packet.c.audit openssh-8.6p1/packet.c
--- openssh-8.6p1/packet.c.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/packet.c 2021-04-19 16:48:46.885608837 +0200
@@ -81,6 +81,7 @@
#endif
#include "xmalloc.h"
@ -1671,7 +1667,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
#include "compat.h"
#include "ssh2.h"
#include "cipher.h"
@@ -510,6 +511,13 @@ ssh_packet_get_connection_out(struct ssh
@@ -506,6 +507,13 @@ ssh_packet_get_connection_out(struct ssh
return ssh->state->connection_out;
}
@ -1685,7 +1681,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
/*
* Returns the IP-address of the remote host as a string. The returned
* string must not be freed.
@@ -587,22 +595,19 @@ ssh_packet_close_internal(struct ssh *ss
@@ -583,22 +591,19 @@ ssh_packet_close_internal(struct ssh *ss
{
struct session_state *state = ssh->state;
u_int mode;
@ -1713,7 +1709,7 @@ diff -up openssh/packet.c.audit openssh/packet.c
for (mode = 0; mode < MODE_MAX; mode++) {
kex_free_newkeys(state->newkeys[mode]); /* current keys */
state->newkeys[mode] = NULL;
@@ -636,8 +641,18 @@ ssh_packet_close_internal(struct ssh *ss
@@ -634,8 +639,18 @@ ssh_packet_close_internal(struct ssh *ss
#endif /* WITH_ZLIB */
cipher_free(state->send_context);
cipher_free(state->receive_context);
@ -1732,15 +1728,15 @@ diff -up openssh/packet.c.audit openssh/packet.c
free(ssh->local_ipaddr);
ssh->local_ipaddr = NULL;
free(ssh->remote_ipaddr);
@@ -864,6 +879,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
(unsigned long long)state->p_send.bytes,
(unsigned long long)state->p_send.blocks);
@@ -892,6 +907,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
(unsigned long long)state->p_send.bytes,
(unsigned long long)state->p_send.blocks);
kex_free_newkeys(state->newkeys[mode]);
+ audit_session_key_free(ssh, mode);
state->newkeys[mode] = NULL;
}
/* note that both bytes and the seqnr are not reset */
@@ -2167,6 +2183,72 @@ ssh_packet_get_output(struct ssh *ssh)
@@ -2173,6 +2189,72 @@ ssh_packet_get_output(struct ssh *ssh)
return (void *)ssh->state->output;
}
@ -1813,18 +1809,18 @@ diff -up openssh/packet.c.audit openssh/packet.c
/* Reset after_authentication and reset compression in post-auth privsep */
static int
ssh_packet_set_postauth(struct ssh *ssh)
diff -up openssh/packet.h.audit openssh/packet.h
--- openssh/packet.h.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/packet.h 2019-04-03 17:02:20.716886069 +0200
@@ -217,4 +217,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
diff -up openssh-8.6p1/packet.h.audit openssh-8.6p1/packet.h
--- openssh-8.6p1/packet.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/packet.h 2021-04-19 16:47:35.758062145 +0200
@@ -218,4 +218,5 @@ const u_char *sshpkt_ptr(struct ssh *, s
# undef EC_POINT
#endif
+void packet_destroy_all(struct ssh *, int, int);
#endif /* PACKET_H */
diff -up openssh/session.c.audit openssh/session.c
--- openssh/session.c.audit 2019-04-03 17:02:20.712886031 +0200
+++ openssh/session.c 2019-04-03 17:02:20.716886069 +0200
diff -up openssh-8.6p1/session.c.audit openssh-8.6p1/session.c
--- openssh-8.6p1/session.c.audit 2021-04-19 16:47:35.722061868 +0200
+++ openssh-8.6p1/session.c 2021-04-19 16:47:35.758062145 +0200
@@ -136,7 +136,7 @@ extern char *__progname;
extern int debug_flag;
extern u_int utmp_len;
@ -1834,7 +1830,7 @@ diff -up openssh/session.c.audit openssh/session.c
extern struct sshbuf *loginmsg;
extern struct sshauthopt *auth_opts;
extern char *tun_fwd_ifnames; /* serverloop.c */
@@ -648,6 +648,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
@@ -644,6 +644,14 @@ do_exec_pty(struct ssh *ssh, Session *s,
/* Parent. Close the slave side of the pseudo tty. */
close(ttyfd);
@ -1849,7 +1845,7 @@ diff -up openssh/session.c.audit openssh/session.c
/* Enter interactive session. */
s->ptymaster = ptymaster;
ssh_packet_set_interactive(ssh, 1,
@@ -740,15 +748,19 @@ do_exec(struct ssh *ssh, Session *s, con
@@ -736,15 +744,19 @@ do_exec(struct ssh *ssh, Session *s, con
s->self);
#ifdef SSH_AUDIT_EVENTS
@ -1871,7 +1867,7 @@ diff -up openssh/session.c.audit openssh/session.c
#endif
if (s->ttyfd != -1)
ret = do_exec_pty(ssh, s, command);
@@ -1556,8 +1568,11 @@ do_child(struct ssh *ssh, Session *s, co
@@ -1550,8 +1562,11 @@ do_child(struct ssh *ssh, Session *s, co
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
/* remove hostkey from the child's memory */
@ -1884,7 +1880,7 @@ diff -up openssh/session.c.audit openssh/session.c
/* Force a password change */
if (s->authctxt->force_pwchange) {
@@ -1769,6 +1784,9 @@ session_unused(int id)
@@ -1763,6 +1778,9 @@ session_unused(int id)
sessions[id].ttyfd = -1;
sessions[id].ptymaster = -1;
sessions[id].x11_chanids = NULL;
@ -1894,7 +1890,7 @@ diff -up openssh/session.c.audit openssh/session.c
sessions[id].next_unused = sessions_first_unused;
sessions_first_unused = id;
}
@@ -1851,6 +1869,19 @@ session_open(Authctxt *authctxt, int cha
@@ -1843,6 +1861,19 @@ session_open(Authctxt *authctxt, int cha
}
Session *
@ -1914,7 +1910,7 @@ diff -up openssh/session.c.audit openssh/session.c
session_by_tty(char *tty)
{
int i;
@@ -2461,6 +2492,32 @@ session_exit_message(struct ssh *ssh, Se
@@ -2450,6 +2481,32 @@ session_exit_message(struct ssh *ssh, Se
chan_write_failed(ssh, c);
}
@ -1947,7 +1943,7 @@ diff -up openssh/session.c.audit openssh/session.c
void
session_close(struct ssh *ssh, Session *s)
{
@@ -2474,6 +2531,10 @@ session_close(struct ssh *ssh, Session *
@@ -2463,6 +2520,10 @@ session_close(struct ssh *ssh, Session *
if (s->ttyfd != -1)
session_pty_cleanup(s);
@ -1958,7 +1954,7 @@ diff -up openssh/session.c.audit openssh/session.c
free(s->term);
free(s->display);
free(s->x11_chanids);
@@ -2549,14 +2610,14 @@ session_close_by_channel(struct ssh *ssh
@@ -2537,14 +2598,14 @@ session_close_by_channel(struct ssh *ssh
}
void
@ -1975,7 +1971,7 @@ diff -up openssh/session.c.audit openssh/session.c
else
session_close(ssh, s);
}
@@ -2683,6 +2744,15 @@ do_authenticated2(struct ssh *ssh, Authc
@@ -2671,6 +2732,15 @@ do_authenticated2(struct ssh *ssh, Authc
server_loop2(ssh, authctxt);
}
@ -1991,7 +1987,7 @@ diff -up openssh/session.c.audit openssh/session.c
void
do_cleanup(struct ssh *ssh, Authctxt *authctxt)
{
@@ -2746,7 +2816,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
@@ -2734,7 +2804,7 @@ do_cleanup(struct ssh *ssh, Authctxt *au
* or if running in monitor.
*/
if (!use_privsep || mm_is_monitor())
@ -2000,9 +1996,9 @@ diff -up openssh/session.c.audit openssh/session.c
}
/* Return a name for the remote host that fits inside utmp_size */
diff -up openssh/session.h.audit openssh/session.h
--- openssh/session.h.audit 2019-03-27 23:26:14.000000000 +0100
+++ openssh/session.h 2019-04-03 17:02:20.717886079 +0200
diff -up openssh-8.6p1/session.h.audit openssh-8.6p1/session.h
--- openssh-8.6p1/session.h.audit 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/session.h 2021-04-19 16:47:35.758062145 +0200
@@ -61,6 +61,12 @@ struct Session {
char *name;
char *val;
@ -2030,9 +2026,9 @@ diff -up openssh/session.h.audit openssh/session.h
Session *session_by_tty(char *);
void session_close(struct ssh *, Session *);
void do_setusercontext(struct passwd *);
diff -up openssh/sshd.c.audit openssh/sshd.c
--- openssh/sshd.c.audit 2019-04-03 17:02:20.692885842 +0200
+++ openssh/sshd.c 2019-04-03 17:02:20.717886079 +0200
diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.audit 2021-04-19 16:47:35.727061907 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 16:47:35.759062152 +0200
@@ -122,6 +122,7 @@
#include "ssh-gss.h"
#endif
@ -2041,7 +2037,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
#include "ssh-sandbox.h"
#include "auth-options.h"
#include "version.h"
@@ -261,8 +262,8 @@ struct sshbuf *loginmsg;
@@ -260,8 +261,8 @@ struct sshbuf *loginmsg;
struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */
@ -2052,7 +2048,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
static void do_ssh2_kex(struct ssh *);
static char *listener_proctitle;
@@ -278,6 +279,15 @@ close_listen_socks(void)
@@ -279,6 +280,15 @@ close_listen_socks(void)
num_listen_socks = -1;
}
@ -2068,7 +2064,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
static void
close_startup_pipes(void)
{
@@ -380,18 +390,45 @@ grace_alarm_handler(int sig)
@@ -377,18 +387,45 @@ grace_alarm_handler(int sig)
ssh_remote_port(the_active_state));
}
@ -2117,7 +2113,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
sshkey_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL;
}
@@ -400,20 +437,38 @@ destroy_sensitive_data(void)
@@ -397,20 +434,38 @@ destroy_sensitive_data(void)
/* Demote private to public keys for network child */
void
@ -2157,7 +2153,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
}
/* Certs do not need demotion */
}
@@ -442,7 +497,7 @@ reseed_prngs(void)
@@ -438,7 +493,7 @@ reseed_prngs(void)
}
static void
@ -2166,7 +2162,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
{
gid_t gidset[1];
@@ -457,7 +512,7 @@ privsep_preauth_child(void)
@@ -453,7 +508,7 @@ privsep_preauth_child(void)
reseed_prngs();
/* Demote the private keys to public keys. */
@ -2175,7 +2171,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
#ifdef WITH_SELINUX
sshd_selinux_change_privsep_preauth_context();
@@ -496,7 +551,7 @@ privsep_preauth(struct ssh *ssh)
@@ -492,7 +547,7 @@ privsep_preauth(struct ssh *ssh)
if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init(pmonitor);
@ -2184,7 +2180,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
if (pid == -1) {
fatal("fork of unprivileged child failed");
} else if (pid != 0) {
@@ -542,7 +597,7 @@ privsep_preauth(struct ssh *ssh)
@@ -537,7 +592,7 @@ privsep_preauth(struct ssh *ssh)
/* Arrange for logging to be sent to the monitor */
set_log_handler(mm_log_handler, pmonitor);
@ -2193,7 +2189,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
setproctitle("%s", "[net]");
if (box != NULL)
ssh_sandbox_child(box);
@@ -594,7 +649,7 @@ privsep_postauth(struct ssh *ssh, Authct
@@ -589,7 +644,7 @@ privsep_postauth(struct ssh *ssh, Authct
set_log_handler(mm_log_handler, pmonitor);
/* Demote the private keys to public keys. */
@ -2202,7 +2198,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
reseed_prngs();
@@ -1057,7 +1112,7 @@ server_listen(void)
@@ -1143,7 +1198,7 @@ server_listen(void)
* from this function are in a forked subprocess.
*/
static void
@ -2211,7 +2207,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
{
fd_set *fdset;
int i, j, ret, maxfd;
@@ -1112,6 +1167,7 @@ server_accept_loop(int *sock_in, int *so
@@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so
if (received_sigterm) {
logit("Received signal %d; terminating.",
(int) received_sigterm);
@ -2219,7 +2215,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
close_listen_socks();
if (options.pid_file != NULL)
unlink(options.pid_file);
@@ -1978,7 +2034,7 @@ main(int ac, char **av)
@@ -2098,7 +2154,7 @@ main(int ac, char **av)
#endif
/* Accept a connection and return in a forked child */
@ -2228,7 +2224,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
&newsock, config_s);
}
@@ -2222,6 +2278,9 @@ main(int ac, char **av)
@@ -2333,6 +2389,9 @@ main(int ac, char **av)
do_authenticated(ssh, authctxt);
/* The connection has been terminated. */
@ -2238,7 +2234,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
ssh_packet_get_bytes(ssh, &ibytes, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",
(unsigned long long)obytes, (unsigned long long)ibytes);
@@ -2401,6 +2460,15 @@ do_ssh2_kex(struct ssh *ssh)
@@ -2513,6 +2572,15 @@ do_ssh2_kex(struct ssh *ssh)
void
cleanup_exit(int i)
{
@ -2254,7 +2250,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
if (the_active_state != NULL && the_authctxt != NULL) {
do_cleanup(the_active_state, the_authctxt);
if (use_privsep && privsep_is_preauth &&
@@ -2414,9 +2482,16 @@ cleanup_exit(int i)
@@ -2525,9 +2593,16 @@ cleanup_exit(int i)
}
}
}
@ -2272,10 +2268,10 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
audit_event(the_active_state, SSH_CONNECTION_ABANDON);
#endif
_exit(i);
diff -up openssh/sshkey.c.audit openssh/sshkey.c
--- openssh/sshkey.c.audit 2019-04-03 17:02:20.657885510 +0200
+++ openssh/sshkey.c 2019-04-03 17:02:20.718886088 +0200
@@ -331,6 +331,38 @@ sshkey_type_is_valid_ca(int type)
diff -up openssh-8.6p1/sshkey.c.audit openssh-8.6p1/sshkey.c
--- openssh-8.6p1/sshkey.c.audit 2021-04-19 16:47:35.741062014 +0200
+++ openssh-8.6p1/sshkey.c 2021-04-19 16:47:35.759062152 +0200
@@ -371,6 +371,38 @@ sshkey_type_is_valid_ca(int type)
}
int
@ -2314,10 +2310,10 @@ diff -up openssh/sshkey.c.audit openssh/sshkey.c
sshkey_is_cert(const struct sshkey *k)
{
if (k == NULL)
diff -up openssh/sshkey.h.audit openssh/sshkey.h
--- openssh/sshkey.h.audit 2019-04-03 17:02:20.657885510 +0200
+++ openssh/sshkey.h 2019-04-03 17:02:20.718886088 +0200
@@ -148,6 +148,7 @@ u_int sshkey_size(const struct sshkey
diff -up openssh-8.6p1/sshkey.h.audit openssh-8.6p1/sshkey.h
--- openssh-8.6p1/sshkey.h.audit 2021-04-19 16:47:35.741062014 +0200
+++ openssh-8.6p1/sshkey.h 2021-04-19 16:47:35.759062152 +0200
@@ -189,6 +189,7 @@ int sshkey_shield_private(struct sshke
int sshkey_unshield_private(struct sshkey *);
int sshkey_type_from_name(const char *);

183
openssh-7.7p1-fips.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
--- openssh-8.0p1/cipher-ctr.c.fips 2019-07-23 14:55:45.326525641 +0200
+++ openssh-8.0p1/cipher-ctr.c 2019-07-23 14:55:45.401526401 +0200
diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c
--- openssh-8.6p1/cipher-ctr.c.fips 2021-04-19 16:53:02.994577324 +0200
+++ openssh-8.6p1/cipher-ctr.c 2021-04-19 16:53:03.064577862 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
@ -11,10 +11,10 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
#endif
return (&aes_ctr);
}
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max
diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
--- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/dh.c 2021-04-19 16:58:47.750263410 +0200
@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
int best, bestcount, which, linenum;
struct dhgroup dhg;
@ -24,10 +24,10 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+ return (dh_new_group_fallback(max));
+ }
+
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
logit("WARNING: could not open %s (%s), using fixed modulus",
_PATH_DH_MODULI, strerror(errno));
@@ -489,4 +495,38 @@ dh_estimate(int bits)
get_moduli_filename(), strerror(errno));
@@ -502,4 +508,38 @@ dh_estimate(int bits)
return 8192;
}
@ -66,21 +66,21 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+}
+
#endif /* WITH_OPENSSL */
diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h
--- openssh-8.0p1/dh.h.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/dh.h 2019-07-23 14:55:45.401526401 +0200
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int);
diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
--- openssh-8.6p1/dh.h.fips 2021-04-19 16:53:03.064577862 +0200
+++ openssh-8.6p1/dh.h 2021-04-19 16:59:31.951616078 +0200
@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
int dh_gen_key(DH *, int);
int dh_pub_is_valid(const DH *, const BIGNUM *);
+int dh_is_known_group(const DH *);
u_int dh_estimate(int);
diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
--- openssh-8.0p1/kex.c.fips 2019-07-23 14:55:45.395526340 +0200
+++ openssh-8.0p1/kex.c 2019-07-23 14:55:45.402526411 +0200
@@ -199,7 +199,10 @@ kex_names_valid(const char *names)
void dh_set_moduli_file(const char *);
diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
--- openssh-8.6p1/kex.c.fips 2021-04-19 16:53:03.058577815 +0200
+++ openssh-8.6p1/kex.c 2021-04-19 16:53:03.065577869 +0200
@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@ -92,9 +92,9 @@ diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
free(s);
return 0;
}
diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
--- openssh-8.0p1/kexgexc.c.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/kexgexc.c 2019-07-23 14:55:45.402526411 +0200
diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
--- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/kexgexc.c 2021-04-19 16:53:03.065577869 +0200
@@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL
@ -103,7 +103,7 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
#include <sys/types.h>
#include <openssl/dh.h>
@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32
@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
@ -114,10 +114,10 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
p = g = NULL; /* belong to kex->dh now */
/* generate and send 'e', client DH public key */
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
@@ -111,6 +111,20 @@
diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
--- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200
@@ -57,6 +57,20 @@
"rsa-sha2-256," \
"ssh-rsa"
@ -138,7 +138,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr," \
@@ -134,6 +142,27 @@
@@ -78,6 +92,27 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC
@ -166,10 +166,10 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
/* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \
"ssh-ed25519," \
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options)
diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
--- openssh-8.6p1/readconf.c.fips 2021-04-19 16:53:02.999577362 +0200
+++ openssh-8.6p1/readconf.c 2021-04-19 16:53:03.065577869 +0200
@@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */
@ -191,10 +191,10 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
#define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&options->what, \
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_
diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
--- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-04-19 16:53:03.034577631 +0200
+++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-04-19 16:53:03.065577869 +0200
@@ -160,6 +160,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open
SC_DENY(__NR_open, EACCES),
#endif
@ -204,10 +204,10 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco
#ifdef __NR_openat
SC_DENY(__NR_openat, EACCES),
#endif
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o)
diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
--- openssh-8.6p1/servconf.c.fips 2021-04-19 16:53:03.027577577 +0200
+++ openssh-8.6p1/servconf.c 2021-04-19 16:53:03.066577877 +0200
@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */
@ -229,10 +229,10 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
#define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
@@ -76,6 +76,7 @@
diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
--- openssh-8.6p1/ssh.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.6p1/ssh.c 2021-04-19 16:53:03.066577877 +0200
@@ -77,6 +77,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#endif
@ -240,21 +240,21 @@ diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -614,6 +626,10 @@ main(int ac, char **av)
dump_client_config(&options, host);
@@ -1516,6 +1517,10 @@ main(int ac, char **av)
exit(0);
}
+
+ if (FIPS_mode()) {
+ debug("FIPS mode initialized");
+ }
+
/* Expand SecurityKeyProvider if it refers to an environment variable */
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200
@@ -44,6 +44,8 @@
strlen(options.sk_provider) > 1) {
diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
--- openssh-8.6p1/sshconnect2.c.fips 2021-04-19 16:53:03.055577792 +0200
+++ openssh-8.6p1/sshconnect2.c 2021-04-19 16:53:03.066577877 +0200
@@ -45,6 +45,8 @@
#include <vis.h>
#endif
@ -263,7 +263,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
@@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
#if defined(GSSAPI) && defined(WITH_OPENSSL)
if (options.gss_keyex) {
@ -279,24 +279,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
- * and can not use DNS on that socket */
- if (strcmp(gss_host, "UNKNOWN") == 0) {
- free(gss_host);
- gss_host = xstrdup(host);
- }
- } else {
- gss_host = xstrdup(host);
- }
-
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
-
- /* If we've got GSSAPI algorithms, then we also support the
- * 'null' hostkey, as a last resort */
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
- "%s,null", orig);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
@ -316,9 +298,24 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
+ gss_host = xstrdup(host);
+ }
+ } else {
+ gss_host = xstrdup(host);
+ }
+
gss_host = xstrdup(host);
}
- } else {
- gss_host = xstrdup(host);
- }
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
-
- /* If we've got GSSAPI algorithms, then we also support the
- * 'null' hostkey, as a last resort */
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
- "%s,null", orig);
+ gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms);
+ if (gss) {
@ -335,9 +332,9 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
}
}
#endif
diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
--- openssh-8.0p1/sshd.c.fips 2019-07-23 14:55:45.398526371 +0200
+++ openssh-8.0p1/sshd.c 2019-07-23 14:55:45.403526421 +0200
diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200
@@ -66,6 +66,7 @@
#include <grp.h>
#include <pwd.h>
@ -354,7 +351,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -1529,6 +1532,7 @@ main(int ac, char **av)
@@ -1619,6 +1621,7 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
@ -362,7 +359,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
@@ -1992,6 +2007,10 @@ main(int ac, char **av)
@@ -2110,6 +2113,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -370,10 +367,10 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
+ debug("FIPS mode initialized");
+ }
+
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh)
/*
* Chdir to the root directory so that the current disk can be
* unmounted if desired.
@@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL;
@ -392,9 +389,9 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
--- openssh-8.0p1/sshkey.c.fips 2019-07-23 14:55:45.398526371 +0200
+++ openssh-8.0p1/sshkey.c 2019-07-23 14:55:45.404526431 +0200
diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.6p1/sshkey.c.fips 2021-04-19 16:53:03.061577838 +0200
+++ openssh-8.6p1/sshkey.c 2021-04-19 16:53:03.067577885 +0200
@@ -34,6 +34,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
@ -411,7 +408,7 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
#include "ssh-sk.h"
#ifdef WITH_XMSS
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
@@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
@ -420,10 +417,10 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na
diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
--- openssh-8.6p1/ssh-keygen.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.6p1/ssh-keygen.c 2021-04-19 16:53:03.068577892 +0200
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
#endif
}
#ifdef WITH_OPENSSL
@ -436,7 +433,7 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
switch (type) {
case KEY_DSA:
if (*bitsp != 1024)
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw)
@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1;
printf("%s: generating new host keys: ", __progname);
}
@ -454,4 +451,4 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
- type = sshkey_type_from_name(key_types[i].key_type);
if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno));
prv_tmp, strerror(errno));

242
openssh-7.7p1-gssapi-new-unique.patch
View File

@ -1,7 +1,26 @@
diff --git a/auth-krb5.c b/auth-krb5.c
index a5a81ed2..63f877f2 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h
--- openssh-8.6p1/auth.h.ccache_name 2021-04-19 14:05:10.820744325 +0200
+++ openssh-8.6p1/auth.h 2021-04-19 14:05:10.853744569 +0200
@@ -83,6 +83,7 @@ struct Authctxt {
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -231,7 +232,7 @@ struct passwd *fakepw(void);
int sys_auth_passwd(struct ssh *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
#endif
#endif /* AUTH_H */
diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c
--- openssh-8.6p1/auth-krb5.c.ccache_name 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/auth-krb5.c 2021-04-19 14:40:55.142832954 +0200
@@ -51,6 +51,7 @@
#include <unistd.h>
#include <string.h>
@ -10,7 +29,7 @@ index a5a81ed2..63f877f2 100644
extern ServerOptions options;
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
@ -19,24 +38,18 @@ index a5a81ed2..63f877f2 100644
char *client, *platform_client;
const char *errmsg;
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -163,8 +164,8 @@ auth_krb5_password(Authctxt *authctxt, c
goto out;
}
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
- &authctxt->krb5_fwd_ccache);
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
if (problem)
goto out;
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem)
goto out;
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
&creds);
if (problem)
@@ -179,15 +180,14 @@ auth_krb5_password(Authctxt *authctxt, c
goto out;
#endif
@ -57,7 +70,7 @@ index a5a81ed2..63f877f2 100644
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
@@ -223,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, c
void
krb5_cleanup_proc(Authctxt *authctxt)
{
@ -113,7 +126,7 @@ index a5a81ed2..63f877f2 100644
if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
authctxt->krb5_user = NULL;
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
@@ -238,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
}
}
@ -198,10 +211,7 @@ index a5a81ed2..63f877f2 100644
+ return -1;
+}
+
krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+krb5_error_code
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ profile_t p;
+ int ret = 0;
@ -222,7 +232,10 @@ index a5a81ed2..63f877f2 100644
+ return ret;
+}
+
+krb5_error_code
krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
+ int tmpfd, ret, oerrno, type_len;
+ char *ccname = NULL;
@ -324,30 +337,41 @@ index a5a81ed2..63f877f2 100644
}
#endif /* !HEIMDAL */
#endif /* KRB5 */
diff --git a/auth.h b/auth.h
index 29491df9..fdab5040 100644
--- a/auth.h
+++ b/auth.h
@@ -82,6 +82,7 @@ struct Authctxt {
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c
--- openssh-8.6p1/gss-serv.c.ccache_name 2021-04-19 14:05:10.844744503 +0200
+++ openssh-8.6p1/gss-serv.c 2021-04-19 14:05:10.854744577 +0200
@@ -413,13 +413,15 @@ ssh_gssapi_cleanup_creds(void)
}
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *);
int sys_auth_passwd(struct ssh *, const char *);
/* As user */
-void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
#if defined(KRB5) && !defined(HEIMDAL)
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
/* This allows GSSAPI methods to do things to the child's environment based
@@ -499,9 +501,7 @@ ssh_gssapi_rekey_creds(void) {
char *envstr;
#endif
#endif /* AUTH_H */
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100
- if (gssapi_client.store.filename == NULL &&
- gssapi_client.store.envval == NULL &&
- gssapi_client.store.envvar == NULL)
+ if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c
--- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/gss-serv-krb5.c 2021-04-19 14:05:10.854744577 +0200
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
@ -450,7 +474,7 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
do_pam_putenv(client->store.envvar, client->store.envval);
#endif
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
@@ -364,7 +354,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
client->store.data = krb_context;
@ -459,43 +483,10 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
}
int
diff --git a/gss-serv.c b/gss-serv.c
index 6cae720e..16e55cbc 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
}
/* As user */
-void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
/* This allows GSSAPI methods to do things to the child's environment based
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
char *envstr;
#endif
- if (gssapi_client.store.filename == NULL &&
- gssapi_client.store.envval == NULL &&
- gssapi_client.store.envvar == NULL)
+ if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
--- openssh-8.6p1/servconf.c.ccache_name 2021-04-19 14:05:10.848744532 +0200
+++ openssh-8.6p1/servconf.c 2021-04-19 14:05:10.854744577 +0200
@@ -136,6 +136,7 @@ initialize_server_options(ServerOptions
options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
@ -503,7 +494,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
options->gss_authentication=-1;
options->gss_keyex = -1;
options->gss_cleanup_creds = -1;
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
@@ -359,6 +360,8 @@ fill_default_server_options(ServerOption
options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
@ -512,7 +503,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
if (options->gss_authentication == -1)
options->gss_authentication = 0;
if (options->gss_keyex == -1)
@@ -447,7 +450,8 @@ typedef enum {
@@ -506,7 +509,8 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -522,7 +513,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -526,11 +530,13 @@ static struct {
@@ -593,11 +597,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@ -536,7 +527,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line,
@@ -1573,6 +1579,10 @@ process_server_config_line_depth(ServerO
intptr = &options->kerberos_get_afs_token;
goto parse_flag;
@ -547,7 +538,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
case sGssAuthentication:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o)
@@ -2891,6 +2901,7 @@ dump_config(ServerOptions *o)
# ifdef USE_AFS
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif
@ -555,11 +546,10 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/servconf.h b/servconf.h
index db8362c6..4fa42d64 100644
--- a/servconf.h
+++ b/servconf.h
@@ -123,6 +123,8 @@ typedef struct {
diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h
--- openssh-8.6p1/servconf.h.ccache_name 2021-04-19 14:05:10.848744532 +0200
+++ openssh-8.6p1/servconf.h 2021-04-19 14:05:10.855744584 +0200
@@ -140,6 +140,8 @@ typedef struct {
* file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
@ -568,11 +558,10 @@ index db8362c6..4fa42d64 100644
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff --git a/session.c b/session.c
index 85df6a27..480a5ead 100644
--- a/session.c
+++ b/session.c
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c
--- openssh-8.6p1/session.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/session.c 2021-04-19 14:05:10.855744584 +0200
@@ -1038,7 +1038,8 @@ do_setup_env(struct ssh *ssh, Session *s
/* Allow any GSSAPI methods that we've used to alter
* the child's environment as they see fit
*/
@ -582,7 +571,7 @@ index 85df6a27..480a5ead 100644
#endif
/* Set basic environment. */
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
@@ -1114,7 +1115,7 @@ do_setup_env(struct ssh *ssh, Session *s
}
#endif
#ifdef KRB5
@ -591,33 +580,10 @@ index 85df6a27..480a5ead 100644
child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ccname);
#endif
diff --git a/ssh-gss.h b/ssh-gss.h
index 6593e422..245178af 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);
diff --git a/sshd.c b/sshd.c
index edbe815c..89514e8a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.ccache_name 2021-04-19 14:05:10.849744540 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:05:10.855744584 +0200
@@ -2284,7 +2284,7 @@ main(int ac, char **av)
#ifdef GSSAPI
if (options.gss_authentication) {
temporarily_use_uid(authctxt->pw);
@ -626,11 +592,10 @@ index edbe815c..89514e8a 100644
restore_uid();
}
#endif
diff --git a/sshd_config.5 b/sshd_config.5
index c0683d4a..2349f477 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5
--- openssh-8.6p1/sshd_config.5.ccache_name 2021-04-19 14:05:10.849744540 +0200
+++ openssh-8.6p1/sshd_config.5 2021-04-19 14:05:10.856744592 +0200
@@ -939,6 +939,14 @@ Specifies whether to automatically destr
file on logout.
The default is
.Cm yes .
@ -645,3 +610,24 @@ index c0683d4a..2349f477 100644
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h
--- openssh-8.6p1/ssh-gss.h.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/ssh-gss.h 2021-04-19 14:05:10.855744584 +0200
@@ -114,7 +114,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -175,7 +175,7 @@ int ssh_gssapi_userok(char *name, struct
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);

22
openssh-7.8p1-UsePAM-warning.patch
View File

@ -1,7 +1,7 @@
diff --git a/sshd.c b/sshd.c
--- a/sshd.c
+++ b/sshd.c
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
+++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
@@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL);
@ -9,13 +9,13 @@ diff --git a/sshd.c b/sshd.c
+ if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
diff --git a/sshd_config b/sshd_config
--- a/sshd_config
+++ b/sshd_config
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
#ifdef WITH_OPENSSL
if (options.moduli_file != NULL)
dh_set_moduli_file(options.moduli_file);
diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
--- openssh-8.6p1/sshd_config.log-usepam-no 2021-04-19 14:00:45.098735121 +0200
+++ openssh-8.6p1/sshd_config 2021-04-19 14:00:45.099735129 +0200
@@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

58
openssh-8.0p1-crypto-policies.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
@@ -359,14 +359,13 @@ or
diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
--- openssh-8.6p1/ssh_config.5.crypto-policies 2021-04-19 15:18:32.071920379 +0200
+++ openssh-8.6p1/ssh_config.5 2021-04-19 15:21:18.400179265 +0200
@@ -368,15 +368,13 @@ or
.Qq *.c.example.com
domains.
.It Cm CASignatureAlgorithms
@ -14,14 +14,15 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
.Xr ssh 1
will not accept host certificates signed using algorithms other than those
specified.
@@ -424,20 +424,25 @@ If the option is set to
@@ -436,20 +434,25 @@ If the option is set to
(the default),
the check will not be executed.
.It Cm Ciphers
@ -51,7 +52,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
@@ -465,13 +468,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.Ed
.Pp
@ -65,7 +66,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClearAllForwardings
@@ -812,6 +810,11 @@ command line will be passed untouched to
@@ -826,6 +822,11 @@ command line will be passed untouched to
The default is
.Dq no .
.It Cm GSSAPIKexAlgorithms
@ -77,7 +78,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
@@ -838,10 +839,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
@ -89,7 +90,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -1149,29 +1150,25 @@ it may be zero or more of:
@@ -1169,29 +1168,25 @@ it may be zero or more of:
and
.Cm pam .
.It Cm KexAlgorithms
@ -128,7 +129,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1231,37 +1228,33 @@ The default is INFO.
@@ -1301,37 +1296,33 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
@ -175,7 +176,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
@@ -1394,37 +1387,25 @@ instead of continuing to execute and pas
@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas
The default is
.Cm no .
.It Cm PubkeyAcceptedAlgorithms
@ -222,10 +223,10 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.Pp
The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedAlgorithms .
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
@@ -375,14 +375,13 @@ If the argument is
diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
--- openssh-8.6p1/sshd_config.5.crypto-policies 2021-04-19 15:18:32.062920311 +0200
+++ openssh-8.6p1/sshd_config.5 2021-04-19 15:20:42.591908243 +0200
@@ -373,15 +373,13 @@ If the argument is
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
@ -238,14 +239,15 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed
-.Pp
Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
.It Cm ChallengeResponseAuthentication
@@ -446,20 +446,25 @@ The default is
@@ -445,20 +443,25 @@ The default is
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
@ -275,7 +277,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
.Pp
The supported ciphers are:
.Pp
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
@@ -485,13 +488,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.El
.Pp
@ -289,7 +291,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
@@ -681,21 +679,22 @@ For this to work
@@ -680,21 +676,22 @@ For this to work
.Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms
@ -322,7 +324,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedAlgorithms
Specifies the signature algorithms that will be accepted for hostbased
@@ -793,26 +793,13 @@ is specified, the location of the socket
@@ -794,26 +791,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
@ -354,7 +356,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi
The default is
.Cm yes .
.It Cm KexAlgorithms
@ -384,7 +386,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521
sntrup761x25519-sha512@openssh.com
.El
.Pp
@ -400,7 +402,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
@@ -1097,21 +1077,26 @@ function, and all code in the
file.
This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs
@ -431,7 +433,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
.Pp
The algorithms that contain
.Qq -etm
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com
.El
.Pp
@ -447,7 +449,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
@@ -1480,37 +1460,25 @@ or equivalent.)
@@ -1541,37 +1517,25 @@ or equivalent.)
The default is
.Cm yes .
.It Cm PubkeyAcceptedAlgorithms

3178
openssh-8.0p1-pkcs11-uri.patch
View File

File diff suppressed because it is too large Load Diff

7
openssh.spec
View File

@ -50,8 +50,8 @@
%{?static_openssl:%global static_libcrypto 1}
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.5p1
%global openssh_rel 2
%global openssh_ver 8.6p1
%global openssh_rel 1
%global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 2
@ -650,6 +650,9 @@ test -f %{sysconfig_anaconda} && \
%endif
%changelog
* Mon Apr 19 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-1
- New upstream release (#1950819)
* Tue Mar 09 2021 Rex Dieter <rdieter@fedoraproject.org> - 8.5p1-2
- ssh-agent.serivce is user unit (#1761817#27)

4
sources
View File

@ -1,4 +1,4 @@
SHA512 (openssh-8.5p1.tar.gz) = af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
SHA512 (openssh-8.5p1.tar.gz.asc) = 264a991c7207f2215875e2b472a649ede1a69f6486d25777bf522047c26ea77c2995d34b6917a993ea9a250b7dd5298a30f1975e20e471f079c9064ce283cec2
SHA512 (openssh-8.6p1.tar.gz) = 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
SHA512 (openssh-8.6p1.tar.gz.asc) = ea75d7fe350fd1761ee5490b222249e9b8915b2a02a1d41979195f15d239def387e4c6467362ab9515d517087750fa66bc368f5baa15c325502f725172631967
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21