Compare commits

..

337 Commits
f23 ... master

Author SHA1 Message Date
Jakub Jelen
557f728956 Fix malformed patch 2020-12-01 11:43:46 +01:00
Jakub Jelen
258db094bd 8.4p1-4 + 0.10.4-1 2020-12-01 09:54:21 +01:00
Jakub Jelen
d8a80c8be6 Fix Obsoletes for openssh-ldap (#1902084) 2020-12-01 09:53:40 +01:00
Jakub Jelen
eced70a8bd Remove PasswordAuthentication yes from shipped configuration as it is already default and it might be hard to override 2020-11-30 08:52:02 +01:00
Jakub Jelen
b6df6b3e29 List updated RFC 2020-11-26 11:48:54 +01:00
Jakub Jelen
126d278fec 8.4p1-3 + 0.10.4-1 2020-11-19 15:08:05 +01:00
Jakub Jelen
6a07699454 Compatibility with Debian's openssh-7.4p1 (#1881301)
This only version does incorrectly reports server_sig_algorithms
extension and in Fedora 33 with disabled SHA1, clients are unable
to connect to Debian servers
2020-11-19 15:08:05 +01:00
Jakub Jelen
bbe3c2e156 Fix missing syscall in sandbox on arm (#1897712) 2020-11-19 15:08:02 +01:00
Jakub Jelen
a048fcc3d0 8.4p1-2 + 0.10.4-1 2020-10-06 10:01:41 +02:00
Jakub Jelen
914eb2d891 Drop misleading comment about crypto policies 2020-10-06 10:01:41 +02:00
Jakub Jelen
62e762b7d5 ssh-copy-id compatibility with ksh 2020-10-06 10:01:41 +02:00
Jakub Jelen
dc5e3131ec Unbreak ssh-copy-id (#1884231) 2020-10-06 10:01:23 +02:00
Jakub Jelen
7b064ea363 Add missing changelog 2020-09-29 16:10:09 +02:00
Jakub Jelen
527f79ee8c Remove the snap version, which is not used for build 2020-09-29 15:56:35 +02:00
Jakub Jelen
bd35168662 8.4p1-1 + 0.10.4-1 2020-09-29 14:53:14 +02:00
Jakub Jelen
3783a5da43 Rebase pam_ssh_agent_auth to 0.10.4 2020-09-29 14:53:14 +02:00
Jakub Jelen
9c88962b82 Improve crypto policies mention in manual pages (#1881301) 2020-09-29 14:53:06 +02:00
Jakub Jelen
7e9d046986 Remove support for building rescue CD
This is not used for close to 20 years and is broken at least from Fedora 31
2020-09-07 09:37:58 +02:00
Jakub Jelen
10cdecf4f1 8.3p1-4 + 0.10.3-10 2020-08-28 20:14:42 +02:00
Jakub Jelen
26c894b07f Second iteration of sftp-server -m documentation (#1862504) 2020-08-28 20:14:42 +02:00
Jakub Jelen
44157573e5 Remove openssh-ldap subpackage 2020-08-21 09:40:42 +02:00
Jakub Jelen
4c85eb3d53 pkcs11: Do not crash with invalid paths in ssh-agent (#1868996) 2020-08-17 09:37:02 +02:00
Jakub Jelen
77aa771110 Clarify documentation about sftp-server -m (#1862504) 2020-08-12 15:09:02 +02:00
Jakub Jelen
68460c09bb Use make macros
Based on https://src.fedoraproject.org/rpms/openssh/pull-request/11

https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
2020-07-31 15:33:21 +02:00
Jakub Jelen
dfeecfb1e8 Drop loading of anaconda configuration from sysconfig including scriptlet to migrate to include drop-in directory 2020-07-31 15:26:55 +02:00
Fedora Release Engineering
fccd87eb18 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-28 12:48:46 +00:00
Jakub Jelen
996e25f2f9 8.3p1-3 + 0.10.3-10 2020-06-10 14:36:49 +02:00
Jakub Jelen
653d073710 Move sshd_config include before any other definitions (#1824913) 2020-06-10 14:36:37 +02:00
Jakub Jelen
ed59cb1783 Do not lose PIN when more slots match PKCS#11 URI (#1843372) 2020-06-10 14:36:27 +02:00
Jakub Jelen
868439f73a Stop loading crypto policy for command line in service files 2020-06-10 14:35:23 +02:00
Jakub Jelen
8b7ddfb28b Move included configuration files in order to allow applications to include their defaults
See more discussin in

https://src.fedoraproject.org/rpms/openssh/pull-request/9#

https://github.com/coreos/fedora-coreos-docs/pull/80#discussion_r434961161
2020-06-08 21:52:42 +02:00
Jakub Jelen
3bd5ced9ee 8.3p1-2 + 0.10.3-10 2020-06-01 13:51:43 +02:00
Jakub Jelen
7f87bd9cc9 Avoid crash on cleanup 2020-06-01 12:20:31 +02:00
Jakub Jelen
5cd9552fc4 8.3p1-1 + 0.10.3-10 2020-05-27 09:57:29 +02:00
Jakub Jelen
efd1b7e5c8 Unbreak corner cases of sshd_config include 2020-05-27 09:53:38 +02:00
Jakub Jelen
169fdb8814 Fix order of GSSAPI key exchange methods 2020-05-05 10:56:47 +02:00
Jakub Jelen
4e3553bf2a openssh-8.2p1-3 + 0.10.3-9 2020-04-08 10:27:07 +02:00
Jakub Jelen
a848054c8a Clarify crypto policies documentation in manual pages
* All the options that are affected by crypto policies will mention that + and -
       work with built-in defaults and not the crypto-policies ones.
     * The line mentioning crypto policies will be the first one in the option description.
2020-03-30 16:38:36 +02:00
Jakub Jelen
eb546ec1a7 Drop fipscheck dependency and non-standard fips checks 2020-03-30 16:38:36 +02:00
Jakub Jelen
02af5cfa17 Do not break X11 forwarding without IPv6 2020-03-30 16:38:36 +02:00
Jakub Jelen
1cc7c87af2 Enable SHA2-based GSSAPI key exchange algorithms by default (#1666781) 2020-03-30 16:38:36 +02:00
Jakub Jelen
fbd5f1bee2 Print FIPS mode initialized in debug mode after the configuration is processed
Amends ee9cb00
2020-03-30 16:38:36 +02:00
Jakub Jelen
57ba1bd853 Restore gssapi-canohost.patch (#1749862)
This is useful when connecting through proxyjump in combination with
GSSAPITrustDNS yes, because we can not get remote address of such socket.

https://src.fedoraproject.org/rpms/openssh/blob/f29/f/openssh-6.1p1-gssapi-canohost.patch
2020-03-30 16:38:36 +02:00
Jakub Jelen
3e611d91bb Simplify references to crypto policies in configuration files (#1812854) 2020-03-30 14:19:17 +02:00
Jakub Jelen
b2417553a2 openssh-8.2p1-2 + 0.10.3-9 2020-02-20 10:34:01 +01:00
Jakub Jelen
82f9421fb4 Build properly with integrated u2f support (#1803948) 2020-02-20 10:32:48 +01:00
Jakub Jelen
51f5c1c99f openssh-8.2p1-1 + 0.10.3-9 2020-02-17 14:34:41 +01:00
Jakub Jelen
ee9cb005b3 Do not write information about FIPS mode to stderr (#1778224) 2020-02-17 14:34:04 +01:00
Jakub Jelen
2b86acd332 Correctly report invalid key permissions (#1801459) 2020-02-17 14:28:10 +01:00
Jakub Jelen
a2cffc6e9b openssh-8.1p1-4 + 0.10.3-8 2020-02-03 00:51:53 +01:00
Jakub Jelen
7f46693182 Unbreak seccomp filter on ARM (#1796267) 2020-02-03 00:50:34 +01:00
Fedora Release Engineering
657d132847 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-29 20:24:49 +00:00
Jakub Jelen
62361a761c openssh-8.1p1-3 + 0.10.3-8 2019-11-27 11:16:26 +01:00
Jakub Jelen
c28decf412 Unbreak the seccomp filter also on ARM (#1777054) 2019-11-27 11:15:00 +01:00
Jakub Jelen
7254607b91 Do not extensively modify sshd_config -- DSA keys are not loaded for some time already 2019-11-19 13:16:28 +01:00
Jakub Jelen
d26b44fe7f openssh-8.1p1-2 + 0.10.3-8 2019-11-14 09:24:36 +01:00
Jakub Jelen
6a2fce44b5 Unbreak seccomp filter with latest glibc (#1771946) 2019-11-14 09:18:41 +01:00
Jakub Jelen
36fef5669a openssh-8.1p1-1 + 0.10.3-8 2019-10-09 10:24:21 +02:00
Jakub Jelen
5eb2d51328 Add missing hostkey certificate algorithms to the FIPS list 2019-07-26 09:27:52 +02:00
Jakub Jelen
d19ba936f2 Do not attempt to generate DSA and ED25519 keys in FIPS mode 2019-07-26 09:27:52 +02:00
Fedora Release Engineering
0ca1614ae2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-25 23:35:32 +00:00
Jakub Jelen
73b069e926 openssh-8.0p1-8 + 0.10.3-7 2019-07-23 09:50:20 +02:00
Jakub Jelen
5d6a14bd4a Use the upstream version of the PKCS#8 PEM support (#1722285) 2019-07-23 09:49:22 +02:00
Jakub Jelen
30922f629c openssh-8.0p1-7 + 0.10.3-7 2019-07-12 23:23:09 +02:00
Jakub Jelen
358f62be8a As agreed with anaconda team, they will provide a environment file under /etc/sysconfig (#1722928)
See anaconda pull request for discussion:

https://github.com/rhinstaller/anaconda/pull/2042
2019-07-12 23:20:56 +02:00
Jakub Jelen
e9bd9a2128 openssh-8.0p1-6 + 0.10.3-7 2019-07-03 16:52:53 +02:00
Jakub Jelen
0b10752bbc Accept environment variable PERMITROOTLOGIN from anaconda drop-in service file (#1722928)
Anaconda pull request:
https://github.com/rhinstaller/anaconda/pull/2037

Fedora change:
https://fedoraproject.org/wiki/Changes/DisableRootPasswordLoginInSshd
2019-07-03 14:54:40 +02:00
Jakub Jelen
36a44721c5 openssh-8.0p1-5 + 0.10.3-7 2019-06-26 14:06:48 +02:00
Jakub Jelen
e9a555ffbf Whitelist some annonying errors from rpmlint 2019-06-26 14:06:48 +02:00
Jakub Jelen
58ee5c17a8 Drop INSTALL file from docs as recommended by rpmlint checks 2019-06-26 14:06:48 +02:00
Jakub Jelen
eda4c070da Drop unused unversioned Obsoletes and Provides, which are 5 or 10 years old now 2019-06-26 14:06:48 +02:00
Jakub Jelen
4bd6cfb874 Disable root password logins (#1722928) 2019-06-26 14:06:37 +02:00
Jakub Jelen
fdbd5bc6f9 Fix typos in manual pages related to crypto-policies 2019-06-19 15:56:25 +02:00
Jakub Jelen
3153574729 tests: Make sure the user gets removed and the test pass 2019-06-17 13:31:57 +02:00
Jakub Jelen
dad744a32b openssh-8.0p1-4 + 0.10.3-7 2019-06-17 12:49:59 +02:00
Jakub Jelen
56494b92a4 pkcs11: Allow to specify pin-value also for ssh-add 2019-06-17 12:42:15 +02:00
Jakub Jelen
50e2b60d3f Provide correct signature type for SHA2 certificates in agent 2019-06-17 12:40:12 +02:00
Jakub Jelen
56fdfa2a52 Use the new OpenSSL API to export PEM files to avoid dependency on MD5 2019-05-30 11:29:43 +02:00
Jakub Jelen
f15fbdc5fe Whitelist another syscall variant for s390x cryptographic module (ibmca engine) 2019-05-30 11:28:11 +02:00
Jakub Jelen
66e9887b15 Coverity warnings 2019-05-30 11:27:04 +02:00
Jakub Jelen
7f1ad371a4 openssh-8.0p1-3 + 0.10.3-7 2019-05-27 10:23:08 +02:00
Jakub Jelen
7a14283cba Drop the problematic patch for updating pw structure after authentication 2019-05-23 15:34:17 +02:00
Jakub Jelen
ae802a53d8 pkcs11: Do not require the labels on the public objects (#1710832) 2019-05-16 15:14:52 +02:00
Jakub Jelen
53c9085316 openssh-8.0p1-2 + 0.10.3-7 2019-05-14 13:45:08 +02:00
Jakub Jelen
f726e51d86 Use OpenSSL KDF
Resolves: rhbz#1631761
2019-05-14 13:35:14 +02:00
Jakub Jelen
751cd9acc7 Use OpenSSL high-level API to produce and verify signatures
Resolves: rhbz#1707485
2019-05-14 13:32:04 +02:00
Jakub Jelen
6caa973459 Mention crypto-policies in the manual pages instead of the hardcoded defaults
Resolves: rhbz#1668325
2019-05-13 14:22:21 +02:00
Jakub Jelen
4feb6a973f Verify SCP vulnerabilities are fixed in the package testsuite 2019-05-10 14:34:35 +02:00
Jakub Jelen
b33caef080 Drop unused patch 2019-05-07 13:45:34 +02:00
Jakub Jelen
f660e11adc FIPS: Do not fail if FIPS-unsupported algorithm is provided in configuration or on command line
This effectively allows to use some previously denied algorithms
in FIPS mode, but they are not enabled in default hardcoded configuration
and disabled by FIPS crypto policy.

Additionally, there is no guarantee they will work in underlying OpenSSL.

Resolves: rhbz#1625318
2019-05-07 11:57:30 +02:00
Jakub Jelen
ec02bb9685 tests: Make sure the user gets removed after the test 2019-04-29 15:16:44 +02:00
Jakub Jelen
def1debf2e openssh-8.0p1-1 + 0.10.3-7
Resolves rhbz#1701072
2019-04-29 14:12:13 +02:00
Jakub Jelen
f51d092120 Remove unused parts of spec file 2019-03-27 13:20:32 +01:00
Jakub Jelen
cb35953bec The FIPS_mode() is in different header file 2019-03-21 17:02:28 +01:00
Jakub Jelen
91aa3d4921 openssh-7.9p1-5 + 0.10.3.6 2019-03-12 15:16:35 +01:00
Jakub Jelen
81a703d751 Do not allow negotiation of unknown primes with DG GEX in FIPS mode 2019-03-12 15:16:35 +01:00
Jakub Jelen
c53a1d4e90 Ignore PKCS#11 label if no key is found with it (#1671262) 2019-03-12 15:16:35 +01:00
Jakub Jelen
c694548168 Do not segfault when multiple pkcs11 providers is specified 2019-03-12 15:16:35 +01:00
Jakub Jelen
3339efd12d Do not fallback to sshd_net_t SELinux context 2019-03-12 15:16:35 +01:00
Jakub Jelen
586cf149b5 Reformat SELinux patch 2019-03-11 17:17:49 +01:00
Jakub Jelen
1341391c78 Update cached passwd structure after PAM authentication 2019-03-11 17:17:49 +01:00
Jakub Jelen
3722267e80 Make sure the kerberos cleanup procedures are properly invoked 2019-03-11 17:17:49 +01:00
Jakub Jelen
ae07017120 Use correct function name in the debug log 2019-03-01 11:33:25 +01:00
Jakub Jelen
7295e97cd1 openssh-7.9p1-4 + 0.10.3.6 2019-02-06 17:19:52 +01:00
Jakub Jelen
d711f557f7 Log when a client requests an interactive session and only sftp is allowed 2019-02-06 17:18:30 +01:00
Jakub Jelen
e8524ac3f4 ssh-copy-id: Minor issues found by shellcheck 2019-02-06 17:18:30 +01:00
Jakub Jelen
8622e384ef ssh-copy-id: Do not fail in case remote system is out of space 2019-02-06 17:18:30 +01:00
Jakub Jelen
ffb1787c07 Enclose redhat specific configuration with Match final block
This allows users to specify options in user configuration files overwriting
the defaults we propose without ovewriting them in the shipped configuration
file and without opting out from the crypto policy altogether.

Resolves: rhbz#1438326 rhbz#1630166
2019-02-06 17:18:30 +01:00
Fedora Release Engineering
4e5f61c2a0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-02-01 17:32:05 +00:00
Igor Gnatenko
7c726e0a13 Remove obsolete Group tag
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
2019-01-28 20:24:24 +01:00
Björn Esser
018ac8d1d9
Rebuilt for libcrypt.so.2 (#1666033) 2019-01-14 19:11:16 +01:00
Jakub Jelen
311908c042 openssh-7.9p1-3 + 0.10.3-6 2019-01-14 15:39:08 +01:00
Jakub Jelen
1b0cc8ff3b Correctly initialize ECDSA key structures from PKCS#11 2019-01-14 15:39:08 +01:00
Jakub Jelen
ba99e00fe8 tests: Do not expect /var/log/secure to be there 2019-01-14 15:39:08 +01:00
Jakub Jelen
40d2a04909 CVE-2018-20685 (#1665786) 2019-01-14 11:05:35 +01:00
Jakub Jelen
322896958a Backport several fixes from 7_9 branch (#1665611) 2019-01-14 11:05:35 +01:00
Jakub Jelen
661c7c0582 gsskex: Dump correct option 2018-11-26 12:50:16 +01:00
Jakub Jelen
d6cc5f4740 Backport Match final so the crypto-policies do not break canonicalization (#1630166) 2018-11-26 10:16:35 +01:00
Jakub Jelen
a4c0a26cd4 openssh-7.9p1-2 + 0.10.3-6 2018-11-14 09:57:17 +01:00
Jakub Jelen
57e280d1f4 Allow to disable RSA signatures with SHA-1 2018-11-14 09:54:54 +01:00
Jakub Jelen
3ae9c1b0c1 Dump missing GSS options from client configuration 2018-11-14 09:44:48 +01:00
Jakub Jelen
03264b16f7 Reference the correct file in configuration file (#1643274) 2018-10-26 14:03:00 +02:00
Jakub Jelen
0b6cc18df0 Avoid segfault on kerberos authentication failure 2018-10-26 14:03:00 +02:00
Mattias Ellert
be6a344dcd Fix LDAP configure test (#1642414) 2018-10-26 14:03:00 +02:00
Jakub Jelen
9f2c8b948c openssh-7.9p1-1 + 0.10.3-6 2018-10-19 11:46:02 +02:00
Jakub Jelen
e8876f1b1f Honor GSSAPIServerIdentity for GSSAPI Key Exchange (#1637167) 2018-10-19 11:41:34 +02:00
Jakub Jelen
6666c19414 Do not break gssapi-kex authentication method 2018-10-19 11:41:34 +02:00
Jakub Jelen
eaa7af2e41 rebase patches to openssh-7.9p1 2018-10-19 11:41:07 +02:00
Jakub Jelen
8089081fa9 Improve the naming of the new kerberos configuration option 2018-10-19 10:19:42 +02:00
Jakub Jelen
6c9d993869 Follow the system-wide PATH settings
https://fedoraproject.org/wiki/Features/SbinSanity
2018-10-03 11:00:12 +02:00
Jakub Jelen
f3715e62da auth-krb5: Avoid memory leaks and unread assignments 2018-09-25 16:34:19 +02:00
Jakub Jelen
97ee52c0a3 openssh-7.8p1-3 + 0.10.3-5 2018-09-24 15:25:57 +02:00
Jakub Jelen
8ebb9915a3 Cleanup specfile comments 2018-09-24 15:25:40 +02:00
Jakub Jelen
84d3ff9306 Do not let OpenSSH control our hardening flags 2018-09-21 17:22:35 +02:00
Jakub Jelen
e815fba204 Ignore unknown parts of PKCS#11 URI 2018-09-21 15:50:04 +02:00
Jakub Jelen
55520c5691 Fix sandbox for conditional gssapi authentication (#1580017)
Upstream:
https://bugzilla.mindrot.org/attachment.cgi?id=3168&action=diff
2018-09-21 09:50:45 +02:00
Jakub Jelen
178f3a4f56 Fix the cavs test and avoid it crashing (#1628962)
Patch from Stephan Mueller, adjusted by myselt
2018-09-14 16:53:24 +02:00
Jakub Jelen
8b9448c5ba openssh-7.8p1-2 + 0.10.3-5 2018-08-31 13:32:02 +02:00
Jakub Jelen
dba154f20c Unbreak gssapi rekeying (#1624344) 2018-08-31 13:26:44 +02:00
Jakub Jelen
90edc0cc1d Properly allocate buffer for gsskex (#1624323) 2018-08-31 13:26:44 +02:00
Jakub Jelen
9409715f65 Unbreak scp between two IPv6 hosts (#1620333) 2018-08-31 13:26:44 +02:00
Jakub Jelen
c60b555ac2 Address issues reported by coverity 2018-08-31 13:26:44 +02:00
Jakub Jelen
4c36c2a9ee Drop unused environment variable 2018-08-29 12:55:36 +02:00
Jakub Jelen
afaf23f6c3 Drop unused patch 2018-08-28 10:51:37 +02:00
Jakub Jelen
bbf61daf97 openssh-7.8p1-1 + 0.10.3-5
New upstream release including:
 * Dropping entropy patch
 * Remove default support for MD5 fingerprints
 * Porting all the downstream patches and pam_ssh_agent_auth
   to new sshbuf and sshkey API
 * pam_ssh_agent_auth is no longer using MD5 fingerprints
2018-08-24 23:16:24 +02:00
Jakub Jelen
01ba761e18 7.7p1-6 + 0.10.3-4 2018-08-09 14:14:18 +02:00
Jakub Jelen
44e2032a0a fips: Show real list of kex algoritms in FIPS 2018-08-08 10:18:27 +02:00
Jakub Jelen
951e3ca00b Allow aes-GCM modes in FIPS 2018-08-07 18:08:08 +02:00
Jakub Jelen
baff4a61a7 fixup the coverity fix 2018-08-07 18:07:36 +02:00
Jakub Jelen
009e39709f coverity: RESOURCE_LEAK (CWE-772) 2018-07-18 16:49:07 +02:00
Fedora Release Engineering
600d4011b5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-13 15:11:56 +00:00
Jakub Jelen
e1d855438b 7.7p1-5 + 0.10.3-4 2018-07-03 11:27:15 +02:00
Jakub Jelen
6c68d655b2 Disable manual reading of MOTD by default 2018-07-03 11:26:01 +02:00
Jakub Jelen
191bbb979e Drop the unused locks 2018-06-28 09:24:57 +02:00
Jakub Jelen
62f1736470 7.7p1-4 + 0.10.3-4 2018-06-27 14:09:27 +02:00
Jakub Jelen
1176788778 Improve kerberos credential cache handling (#1566494) 2018-06-27 13:40:48 +02:00
Stephen Gallagher
4ef6823ff4
Add pam_motd to the PAM stack
This will allow Cockpit to update /etc/motd.d/cockpit with
information informing the user of the location of the admin console
on the system if it is available.

Resolves: rhbz#1591381
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2018-06-14 11:28:51 -04:00
Jakub Jelen
04ca5e7b0b 7.7p1-3 + 0.10.3-4 2018-04-16 11:15:43 +02:00
Jakub Jelen
48cef7a0b8 Opening tun devices fails + other regressions in OpenSSH v7.7 fixed upstream 2018-04-16 11:15:37 +02:00
Jakub Jelen
836590e795 7.7p1-2 + 0.10.3-4 2018-04-12 10:35:14 +02:00
Jakub Jelen
ab24bd6608 Do not break quotes parsing in configuration file (#1566295) 2018-04-12 10:26:26 +02:00
Jakub Jelen
b0815ca514 7.7p1-1 + 0.10.3-4 2018-04-04 16:59:45 +02:00
Jakub Jelen
af10de8f01 Update to latest version of URI patch passing the new tests + rebase to 7.7 2018-04-04 16:59:45 +02:00
Jakub Jelen
273086d13a Need a p11-kit to allow default pkcs11 proxy 2018-04-04 16:59:45 +02:00
Jakub Jelen
42fe13ff31 Allow loading more keys from single PKCS#11 module 2018-04-04 16:58:34 +02:00
Jakub Jelen
077597136c PKCS#11: Load public keys from ECDSA certificates
Submitted in upstream bugzilla
  https://bugzilla.mindrot.org/show_bug.cgi?id=2474#c21
2018-04-04 16:57:59 +02:00
Jakub Jelen
aad4430f17 Print PKCS#11 URI also for ECDSA keys 2018-04-04 16:57:59 +02:00
Jakub Jelen
7e9748a2b5 PKCS#11: Support ECDSA keys and PKCS#11 URIs
Based on the patches in upstream bugzilla:
ECDSA:
  https://bugzilla.mindrot.org/show_bug.cgi?id=2474
PKCS#11 URI:
  https://bugzilla.mindrot.org/show_bug.cgi?id=2817
2018-04-04 16:56:59 +02:00
Jakub Jelen
3cd4899257 Rebase to latest OpenSSH 7.7p1 (#1563223) 2018-04-04 16:50:43 +02:00
Jakub Jelen
1ce235ac38 tests/pam_ssh_agent_auth: Add a new sanity test 2018-03-12 16:48:08 +01:00
Jakub Jelen
6b2140deea tests/port-forwarding: Do not expect the nc will succeed 2018-03-12 15:54:35 +01:00
Jakub Jelen
b4cbb0fe23 tests/port-forwarding: Do not require rhts makefile 2018-03-12 15:54:35 +01:00
Jakub Jelen
830acce379 revert part of the nss removal from LDAP 2018-03-06 15:15:03 +01:00
Jakub Jelen
cbb6ca5123 openssh-7.6p1-7 + 0.10.3-3 2018-03-06 14:37:01 +01:00
Jakub Jelen
c8f1381d11 Remove bogus nss linking 2018-03-06 14:37:01 +01:00
Jakub Jelen
92b8e55bea Crypto policies changed path 2018-03-06 13:53:17 +01:00
Jakub Jelen
bd5b563008 Require crypto policies 2018-03-06 13:53:02 +01:00
Jakub Jelen
c2a9e41702 Recommend crypto policies also for a server 2018-02-19 12:10:48 +01:00
Jakub Jelen
07c951f665 Require gcc
https://fedoraproject.org/wiki/Changes/Remove_GCC_from_BuildRoot
2018-02-19 12:10:48 +01:00
Igor Gnatenko
a6b5c2c42d
Remove %clean section
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 08:27:35 +01:00
Igor Gnatenko
5f6f10859d Remove BuildRoot definition
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-13 23:58:21 +01:00
Fedora Release Engineering
13efdb1d7f - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-08 17:49:28 +00:00
Jakub Jelen
6a6c2bc3ab We need systemd-devel for sdnotify() 2018-02-01 16:30:07 +01:00
Jakub Jelen
0780f33c5f removal of systemd-units and conforming to packaging guidelines
Per announcement on fedora-devel:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/LLG4T53FW2BGVZLGLKNYTKPD5SQNBZ2Y/
2018-01-27 10:57:06 +01:00
Jakub Jelen
bb4b7b77fc openssh-7.6p1-6 + 0.10.3-3 2018-01-26 16:26:50 +01:00
Florian Weimer
f61eaad2bd Rebuild to work around gcc bug leading to sshd miscompilation (#1538648) 2018-01-25 16:48:03 +01:00
Jakub Jelen
c45ece5fe8 Do not audit partial auth failures 2018-01-22 12:58:09 +01:00
Jakub Jelen
6996c6f503 Do not audit passsword authentication, if handled by PAM
and avoid auditing none auth method (not acually a method)
2018-01-22 12:58:09 +01:00
Jakub Jelen
9b05c6d476 USER_AUTH: Remove bogus rport, add required grantors 2018-01-22 12:58:09 +01:00
Jakub Jelen
667e6f013f Do not audit final success (#1534577) 2018-01-22 12:58:09 +01:00
Jakub Jelen
57349a88a8 Use correct audit event for pubkey auth 2018-01-22 12:58:09 +01:00
Björn Esser
427beb2f9e
Rebuilt for switch to libxcrypt 2018-01-20 23:07:25 +01:00
Jakub Jelen
b1ec43ef50 Add missing header to make it build (related to #1534577) 2018-01-19 10:46:01 +01:00
Jakub Jelen
0f4b4ccdea Audit correctly the res= after upstream refactoring 2018-01-19 10:18:51 +01:00
Jakub Jelen
38b67ad605 Avoid undefined TRUE/FALSE in ldap patch to build in rawhide 2018-01-17 10:50:05 +01:00
Jakub Jelen
4d97279349 openssh-7.6p1-5 + 0.10.3-3 2018-01-17 10:13:18 +01:00
Jakub Jelen
f284c5eb83 Do not attempt to pass hostnames to audit (inconsistency) (#1534577) 2018-01-17 10:10:28 +01:00
Jakub Jelen
32dc9bd1cd Drop unused function from audit 2018-01-16 16:24:27 +01:00
Jakub Jelen
316553ade0 Remove TCP wrappers support (#1530163) 2018-01-16 15:06:23 +01:00
Jakub Jelen
871dc3ed3e openssh-7.6p1-4 + 0.10.3-3 2017-12-14 10:23:37 +01:00
Jakub Jelen
17cd512319 Whitelist gettid() syscall for systemd (cleanup procedure?) 2017-12-12 14:19:35 +01:00
Jakub Jelen
1f2a7f3926 openssh-7.6p1-3 + 0.10.3-3 2017-12-11 11:54:38 +01:00
Jakub Jelen
fde6b96b35 Avoid gcc warnings about uninitialized variables 2017-12-11 11:53:10 +01:00
Jakub Jelen
217da75d53 Do not segfault for repetitive cipher_free() from audit (#1524233) 2017-12-11 11:53:03 +01:00
Jakub Jelen
eef660e534 7.6p1-2 + 0.10.3-3 2017-11-22 08:57:03 +01:00
Jakub Jelen
e3f4c1243d Do not build all the binaries against libldap 2017-11-15 10:17:46 +01:00
Jakub Jelen
2087929a90 Do not segfault for ECC keys in PKCS#11 2017-11-15 10:17:46 +01:00
Jakub Jelen
a464c88ee6 forgotten sources 2017-11-07 16:49:23 +01:00
Jakub Jelen
8fc2fee4e4 7.6p1-1 + 0.10.3-3 2017-11-07 14:58:44 +01:00
Jakub Jelen
cdc735a59b Make sure we audit properly from the new code 2017-11-07 14:58:44 +01:00
Jakub Jelen
e0e7ed914b Address issues of another PR#48 review 2017-11-07 14:58:44 +01:00
Jakub Jelen
c08aa4b8b1 Fix after-release bug in PermitOpen (posted on ML) 2017-11-07 14:58:44 +01:00
Jakub Jelen
5b55d0951d rebase patches to openssh-7.6p1 and make it build 2017-11-07 14:58:44 +01:00
Jakub Jelen
9e46aafab9 openssh-7.5p1-6 + 0.10.3-2 2017-10-19 16:09:53 +02:00
Jakub Jelen
ed0b5e5a9f Remove pam_reauthorize, not needed by cockpit anymore (#1492313) 2017-10-19 16:09:53 +02:00
Jakub Jelen
e044c5cf76 Enforce pam_sepermit for all logins (#1492313) 2017-10-19 16:09:53 +02:00
Jakub Jelen
72514f7644 Add newer gssapi kex methods, but leave them disabled out of the box yet 2017-10-19 16:09:53 +02:00
Jakub Jelen
8bcc21ed64 Add enablement for openssl-ibmca and openssl-ibmpkcs11 (#1477636) 2017-10-19 16:09:53 +02:00
Jakub Jelen
8c9e97e65a Do not export KRBCCNAME if the default path is used (#1199363) 2017-10-19 16:09:53 +02:00
Mike Gahagan
ce1afcf244 initial commit of tests from upstreamfirst project 2017-09-29 12:58:09 -04:00
Jakub Jelen
ef66c0c677 openssh-7.5p1-5 + 0.10.3-2 2017-08-14 09:45:09 +02:00
Jakub Jelen
0ce6c7b710 Another approach for crypto policies (#1479271) 2017-08-14 09:42:02 +02:00
Jakub Jelen
970a418151 Do not talk about SSHv1 in Summary 2017-08-09 16:10:33 +02:00
Jakub Jelen
6a05936971 Revert "server crypto policy"
This reverts commit 1d8ffcfe05.
2017-08-09 14:58:13 +02:00
Jakub Jelen
fffad0579c openssh-7.5p1-4 + 0.10.3-2 2017-08-02 15:46:58 +02:00
Jakub Jelen
722f82b9ab Remove openssh-clients-ssh1 subpackage (#1474942) 2017-08-02 15:46:58 +02:00
Jakub Jelen
1d8ffcfe05 Preprocess the configuration files to include crypto policies.
* The services are using ExecPre to start sshd-pre script
 * The sshd-pre script substitutes token in standard configuration file and writes a new on in /run
 * The services are using a file in /run as a sshd_config
2017-08-02 15:46:57 +02:00
Fedora Release Engineering
be108c2c82 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 01:53:26 +00:00
Petr Písař
64a3610c1f perl dependency renamed to perl-interpreter <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules> 2017-07-12 14:20:53 +02:00
Jakub Jelen
2ea24bb006 openssh-7.5p1-2 + 0.10.3-2 2017-06-30 12:44:10 +02:00
Jakub Jelen
9dbec70c9c Sync FIPS patch with RHEL 2017-06-30 12:18:02 +02:00
Jakub Jelen
cdc7ba7293 get rid of unconditional goto in RSA1 code
Reported by <vyekkira@illinois.edu>
2017-06-19 18:24:05 +02:00
Jakub Jelen
f07a0866e1 Avoid double-free in the openssl-1.1.0 patch 2017-06-15 13:41:24 +02:00
Jakub Jelen
eb751fd1d3 In FIPS mode do not append bogus comma after the kex list 2017-04-26 14:26:50 +02:00
Jakub Jelen
204765aba1 openssh-7.5p1-2 + 0.10.3-2 2017-03-23 14:48:09 +01:00
Jakub Jelen
c2f63ba00b Revert the chroot magic 2017-03-23 14:47:27 +01:00
Jakub Jelen
93868f39a9 Remove RestartPreventExitStatus which can break on slow networks 2017-03-22 18:00:29 +01:00
Jakub Jelen
fb74d1ec96 Add missing header on s390 (#1434341) 2017-03-22 14:35:55 +01:00
Jakub Jelen
09320cf61a Fix typo in sandbox code, that got out after release
http://lists.mindrot.org/pipermail/openssh-unix-dev/2017-March/035879.html
2017-03-21 10:12:44 +01:00
Jakub Jelen
17b491b307 openssh-7.5p1-1 + 0.10.3-2 2017-03-20 16:00:16 +01:00
Jakub Jelen
fd58b9eabb Add new DH kex into the FIPS-allowed list 2017-03-08 14:37:07 +01:00
Jakub Jelen
7b666e5764 openssh-7.4p1-4 + 0.10.3-1 2017-03-03 15:53:31 +01:00
Jakub Jelen
a9ad706d82 Coverity reports applied 2017-03-03 15:51:52 +01:00
Jakub Jelen
f499c489fd Do not leave service in auto-restarting mode in case of configuration failure 2017-03-01 18:35:56 +01:00
Jakub Jelen
b83281f89d Avoid sending SD_NOTIFY from wrong processes (#1427526) 2017-02-28 15:13:24 +01:00
Jakub Jelen
ab7f9474c7 openssh-7.4p1-3 + 0.10.3-1 2017-02-22 14:56:00 +01:00
Jakub Jelen
3448f25d85 Typo 2017-02-22 14:56:00 +01:00
Jakub Jelen
b92d3c8ae0 Reference upstream bug 2017-02-22 14:56:00 +01:00
Jakub Jelen
4e7cdec7ef Add systemd stuff to keep track of service 2017-02-22 14:56:00 +01:00
Jakub Jelen
140ef5a0f5 Properly report errors from included files (#1408558) 2017-02-22 14:56:00 +01:00
Jakub Jelen
a97eeb671c ppc architecture is gone for years 2017-02-22 14:56:00 +01:00
Jakub Jelen
4cf8f1aa09 Cleaner linking ldap-helper (circular dependencies) 2017-02-22 14:56:00 +01:00
Jakub Jelen
465b6e6b82 Check seteuid return values in all cases 2017-02-22 14:56:00 +01:00
Jakub Jelen
bdb932c46a new pam_ssh_agent_auth-0.10.3 release 2017-02-22 14:55:59 +01:00
Jakub Jelen
26cec0607f openssh-7.4p1-2 + 0.10.2-5 2017-02-06 09:47:28 +01:00
Jakub Jelen
640dfa350e Set environment variable to avoid race condition with systemd (#1415218) 2017-02-06 09:41:32 +01:00
Jakub Jelen
4a6ef41937 Do not overwrite N and E for RSA-certs in ssh-agent (#1416584) 2017-02-03 11:06:19 +01:00
Jakub Jelen
28ff3aa1c5 Correct path to crypto policies 2017-01-06 13:00:16 +01:00
Jakub Jelen
b19926d292 openssh-7.4p1-1 + 0.10.2-5 2017-01-03 14:31:29 +01:00
Jakub Jelen
58f79a27c3 Whitelist /usr/lib64/ for PKCS#11 modules 2017-01-03 14:31:29 +01:00
Jakub Jelen
6cf9b8e61b rebase to openssh-7.4p1-1
* Drop unaccepted (unapplying) coverity patches
 * Drop server support for SSH1 (server)
 * Workaround #2641 for systemd
 * UseLogin is gone
 * Drop upstream commit 28652bca
 * Tighten seccomp filter (cache credentials before entering sandbox) (#1395288)
2017-01-03 14:31:20 +01:00
Jakub Jelen
4189cebf7a Cache supported OIDS for GSSAPI kex (#1395288) 2017-01-03 14:31:20 +01:00
Jakub Jelen
dd8e5419eb Fix use-after-free error (#1409433) 2017-01-03 14:30:50 +01:00
Jakub Jelen
38869a3406 Prevent hangs with long MOTD (filling buffers and blocking) 2016-12-20 17:31:03 +01:00
Jakub Jelen
d8c2e8dc88 openssh-7.3p1-7 + 0.10.2-4 2016-12-08 14:13:32 +01:00
Jakub Jelen
162941961a Move MAX_DISPLAYS to a configuration option 2016-12-08 14:13:32 +01:00
Jakub Jelen
4ce5741703 Properly deserialize received RSA certificates in ssh-agent (#1402029) 2016-12-08 13:50:08 +01:00
Jakub Jelen
7bccf7e6e0 openssh-7.3p1-6 + 0.10.2-4 2016-11-16 11:07:41 +01:00
Jakub Jelen
ef1da17783 GSSAPI requires futex syscall in privsep child (#1395288) 2016-11-16 08:48:33 +01:00
Jakub Jelen
ccf623128a Fix changelog 2016-11-07 09:33:43 +01:00
Jakub Jelen
2a8bce34e4 openssh-7.3p1-5 + 0.10.2-4 2016-10-27 18:26:25 +02:00
Jakub Jelen
aacf0d429a OpenSSL 1.1.0 compat 2016-10-27 17:19:17 +02:00
Jakub Jelen
ecc9f8d02b When doing chroot
* we should not drop any capabilities for root
 * we should not clear bounding capabilities for other users
 * we should probably retain the supplement groups
2016-10-21 14:50:42 +02:00
Jakub Jelen
c9d9fe9b0f Recommend crypto-policies for a client package 2016-10-11 10:29:50 +02:00
Jakub Jelen
d924bc6892 openssh-7.3p1-4 + 0.10.2-4 2016-09-29 14:14:19 +02:00
Jakub Jelen
639ae2c73c Include client Crypto Policy (#1225752) 2016-09-29 14:14:19 +02:00
Jakub Jelen
ae831ab305 Fix NULL derefence (#1380297)
https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
2016-09-29 11:15:13 +02:00
Jakub Jelen
739842b137 Make the code build without SELinux and without Audit 2016-09-15 16:36:04 +02:00
Jakub Jelen
0a605f4d31 openssh-7.3p1-3 + 0.10.2-4 2016-08-15 12:20:15 +02:00
Jakub Jelen
38d533a5e1 Proper content of the included configuration files 2016-08-15 12:18:50 +02:00
Jakub Jelen
73953d29f1 openssh-7.3p1-2 + 0.10.2-4 2016-08-09 10:32:01 +02:00
Jakub Jelen
88f3a752ae openssh-7.3p1-1. + 0.10.2-4 2016-08-09 08:24:35 +02:00
Jakub Jelen
90ffc35e29 Correct permissions on the ssh_config directory (#1365270) 2016-08-09 08:23:44 +02:00
Jakub Jelen
7ea4bdf410 forgotten sources 2016-08-05 15:50:24 +02:00
Jakub Jelen
a711d3c82f openssh-7.3p1-1 + 0.10.2-4 2016-08-04 13:57:21 +02:00
Jakub Jelen
6454089e75 Create include directory with example content (redhat modifications) 2016-08-04 13:57:21 +02:00
Jakub Jelen
334feb284c Do not build ssh-keycat with sshd LIBS 2016-08-04 13:57:21 +02:00
Jakub Jelen
b165161da2 When we don't listen for the clients, num_listen_socks is -1 2016-08-04 13:57:21 +02:00
Jakub Jelen
6da7f4d0ed Drop SCP progressmeter patch because of reworked UTF-8 API (tracked upstream #2434) 2016-08-04 13:57:02 +02:00
Jakub Jelen
b487a6d746 Move old canohost.h API to shared place, so it can be used by audit and gssapi (states) 2016-08-04 11:00:00 +02:00
Jakub Jelen
5878ebb50e Most of the coverity patch applied upstream, context changes for rebase 2016-08-04 10:59:59 +02:00
Jakub Jelen
70c2ac20bd CVE-2016-6210 is fixed upstream 2016-08-04 10:59:59 +02:00
Jakub Jelen
13a7aaf5e3 CVE-2015-8325 and certificate regression are fixed upstream 2016-08-04 10:59:59 +02:00
Jakub Jelen
38e1dfa80d Upstream bug #2477 applied 2016-08-04 10:59:59 +02:00
Jakub Jelen
4bd77fcccc seccomp for secondary architecures patch already upstream (#2590) 2016-08-04 10:59:59 +02:00
Jakub Jelen
05bc93847e Bug #2281 resolved upstream 2016-08-04 10:59:59 +02:00
Jakub Jelen
178ce15f5a UTF-8 banners resolved by upstream bug #2058 2016-08-04 10:59:59 +02:00
Jakub Jelen
14320ca590 The upstream bug #2257 is fixed 2016-08-04 10:59:59 +02:00
Jakub Jelen
82bfd19e51 openssh-7.2p2-11 + 0.10.2-3 2016-07-26 15:41:29 +02:00
Jakub Jelen
6a7dd92929 Remove legacy sshd-keygen (#1359762)
Revert "Add legacy sshd-keygen for anaconda (#1331077)"

This reverts commit 0b5300a59c.
2016-07-26 15:41:29 +02:00
Jakub Jelen
793bc4b1cc Remove slogin symlinks (#1359762)
Revert "Restore slogin symlinks"

This reverts commit e762f7265e.
2016-07-26 15:41:29 +02:00
Jakub Jelen
b4df5ebb8d Rework SELinux context handling with chroot using libcap-ng (#1357860) 2016-07-26 15:40:30 +02:00
Jakub Jelen
9dc741314f openssh-7.2p2-10 + 0.10.2-3 2016-07-18 13:55:58 +02:00
Jakub Jelen
1057900209 Prevent user enumeration via timing channel (CVE-2016-6210) 2016-07-18 13:30:52 +02:00
Jakub Jelen
209c7a8aea Expose more information to PAM 2016-07-18 13:30:51 +02:00
Jakub Jelen
9864973c69 Make closefrom() ignore softlinks to the /dev/ devices on s390 2016-07-18 12:26:15 +02:00
Jakub Jelen
a49441fa52 openssh-7.2p2-9 + 0.10.2-3 2016-07-01 09:07:18 +02:00
Jakub Jelen
a8068249cb Bad condition for UseLogin check (#1350347) 2016-06-27 10:33:57 +02:00
Jakub Jelen
5a67d51d0f openssh-7.2p2-8 + 0.10.2-3 2016-06-24 12:07:22 +02:00
Jakub Jelen
8cf031f736 pam_ssh_agent_auth: Fix conflict bewteen two getpwuid() calls (#1349551) 2016-06-24 12:07:22 +02:00
Jakub Jelen
d8ffa911e3 SFTP server forced permissions should restore umask 2016-06-24 12:07:22 +02:00
Jakub Jelen
f22e5dcaeb pselect6 is already in upstream seccomp filter 2016-06-24 12:07:22 +02:00
Jakub Jelen
186bf3858e UseLogin yes is not supported in Fedora 2016-06-24 12:07:22 +02:00
Jakub Jelen
c06fe506bc seccomp filter for MIPS (#1195065) 2016-06-24 12:07:22 +02:00
Petr Písař
ad928ac7d1 Mandatory Perl build-requires added <https://fedoraproject.org/wiki/Changes/Build_Root_Without_Perl> 2016-06-24 10:03:17 +02:00
Jakub Jelen
ba8f38935c openssh-7.2p2-7 2016-06-06 16:39:35 +02:00
Jakub Jelen
f6a096caf2 Build seccomp filter on ppc64(le) architecture (#1195065) 2016-06-06 16:39:35 +02:00
Jakub Jelen
1144aef1d1 Comments for patches, merge ssh_config from localdomain to redhat patch (ssh_config related) 2016-06-06 16:39:17 +02:00
Jakub Jelen
84d3989ec8 Coverity -> FIPS patch 2016-06-03 12:54:03 +02:00
Jakub Jelen
31536c7ac6 Move linux_seed() header from coverity to entropy patch 2016-06-03 12:54:03 +02:00
Jakub Jelen
f2868287aa rebase x11 patch to clean up coverity patch 2016-06-03 10:44:32 +02:00
Jakub Jelen
ea9421342e Coverity: dereference in pam_ssh_agent_auth
Upstream: https://sourceforge.net/p/pamsshagentauth/bugs/22/
2016-06-03 09:49:44 +02:00
Jakub Jelen
d78d347c11 Check for real location of .k5login file (#1328243) 2016-06-03 09:29:58 +02:00
Jakub Jelen
8dd0608e77 Regression in certificate-based authentication (#1333498) 2016-05-06 09:25:20 +02:00
Jakub Jelen
991b66246f openssh-7.2p2-6 + 0.10.2-3 2016-04-29 13:57:45 +02:00
Jakub Jelen
0b5300a59c Add legacy sshd-keygen for anaconda (#1331077) 2016-04-29 13:41:38 +02:00
Jakub Jelen
1380564732 openssh-7.2p2-5 + 0.10.2-3 2016-04-22 14:52:57 +02:00
Jakub Jelen
b7de610db3 Fix typo about sshd-keygen in sysconfig (#1325535) 2016-04-22 14:50:30 +02:00
Jakub Jelen
cf4e3a1844 Fix for CVE-2015-8325 (#1328013) 2016-04-18 12:39:11 +02:00
Jakub Jelen
58d2868dfe openssh-7.2p2-4 + 0.10.2-3 2016-04-15 17:56:43 +02:00
Jakub Jelen
5489ace8dc Add sshd-keygen.target to abstract key creation from sshd.service and sshd@.service (#1325535)
* PartOf  is needed to trigger  sshd-keygen  checks for  sshd.service  restarts
 * sshd-keygen.target  makes a level of abstraction to eliminate dupplicate
   dependencies on both  sshd  and  sshd@  services
2016-04-15 17:05:32 +02:00
Jakub Jelen
461b3af818 Remove unused sshd init script 2016-04-15 17:04:59 +02:00
Jakub Jelen
32a74888d5 openssh-7.2p2-3 + 0.10.2-3 2016-04-13 13:44:58 +02:00
Jakub Jelen
00c7b75439 Make sshd-keygen comply with packaging guidelines (#1325535) 2016-04-13 13:42:12 +02:00
Jakub Jelen
3d2c14680b Soft-deny socket() syscall in seccomp sandbox (#1324493)
* Used for  ecdh-sha2-nistp*  key exchange methods in FIPS mode
2016-04-11 16:14:25 +02:00
Jakub Jelen
0509c6c977 Remove *sha1 Kex in FIPS mode (#1324493) 2016-04-11 13:16:52 +02:00
Jakub Jelen
117a730ded Remove *gcm ciphers in FIPS mode (#1324493) 2016-04-11 13:16:44 +02:00
102 changed files with 16030 additions and 14424 deletions

23
.gitignore vendored
View File

@ -22,3 +22,26 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/pam_ssh_agent_auth-0.10.2.tar.bz2 /pam_ssh_agent_auth-0.10.2.tar.bz2
/openssh-7.2p1.tar.gz /openssh-7.2p1.tar.gz
/openssh-7.2p2.tar.gz /openssh-7.2p2.tar.gz
/openssh-7.3p1.tar.gz
/openssh-7.4p1.tar.gz
/pam_ssh_agent_auth-0.10.3.tar.bz2
/openssh-7.5p1.tar.gz
/openssh-7.6p1.tar.gz
/openssh-7.7p1.tar.gz
/openssh-7.7p1.tar.gz.asc
/DJM-GPG-KEY.gpg
/openssh-7.8p1.tar.gz
/openssh-7.8p1.tar.gz.asc
/openssh-7.9p1.tar.gz
/openssh-7.9p1.tar.gz.asc
/openssh-8.0p1.tar.gz
/openssh-8.0p1.tar.gz.asc
/openssh-8.1p1.tar.gz
/openssh-8.1p1.tar.gz.asc
/openssh-8.2p1.tar.gz
/openssh-8.2p1.tar.gz.asc
/openssh-8.3p1.tar.gz
/openssh-8.3p1.tar.gz.asc
/openssh-8.4p1.tar.gz
/openssh-8.4p1.tar.gz.asc
/pam_ssh_agent_auth-0.10.4.tar.gz

View File

@ -1,7 +1,8 @@
--- openssh-4.3p2/contrib/gnome-ssh-askpass2.c.grab-info 2006-07-17 15:10:11.000000000 +0200 diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
+++ openssh-4.3p2/contrib/gnome-ssh-askpass2.c 2006-07-17 15:25:04.000000000 +0200 --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
@@ -65,9 +65,12 @@ +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
err = gtk_message_dialog_new(NULL, 0, @@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
GTK_MESSAGE_ERROR, GTK_MESSAGE_ERROR,
GTK_BUTTONS_CLOSE, GTK_BUTTONS_CLOSE,
- "Could not grab %s. " - "Could not grab %s. "
@ -14,5 +15,5 @@
+ "Either close the application which grabs the %s or " + "Either close the application which grabs the %s or "
+ "log out and log in again to prevent this from happening.", what, what); + "log out and log in again to prevent this from happening.", what, what);
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER); gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
TRUE); gtk_dialog_run(GTK_DIALOG(err));

View File

@ -1,16 +1,16 @@
diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress 2008-07-23 19:05:26.000000000 +0200 --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
+++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c 2008-07-23 19:05:26.000000000 +0200 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
@@ -53,6 +53,7 @@ @@ -53,6 +53,7 @@
#include <string.h>
#include <unistd.h> #include <unistd.h>
#include <X11/Xlib.h> #include <X11/Xlib.h>
+#include <glib.h> +#include <glib.h>
#include <gtk/gtk.h> #include <gtk/gtk.h>
#include <gdk/gdkx.h> #include <gdk/gdkx.h>
#include <gdk/gdkkeysyms.h>
@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia @@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); return 1;
} }
+static void +static void
@ -25,55 +25,59 @@ diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contr
+} +}
+ +
static int static int
passphrase_dialog(char *message) passphrase_dialog(char *message, int prompt_type)
{ {
const char *failed; const char *failed;
char *passphrase, *local; char *passphrase, *local;
int result, grab_tries, grab_server, grab_pointer; int result, grab_tries, grab_server, grab_pointer;
- GtkWidget *dialog, *entry; int buttons, default_response;
+ GtkWidget *dialog, *entry, *progress, *hbox; - GtkWidget *parent_window, *dialog, *entry;
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
GdkGrabStatus status; GdkGrabStatus status;
GdkColor fg, bg;
int fg_set = 0, bg_set = 0;
@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
@@ -102,13 +114,31 @@ passphrase_dialog(char *message) + hbox = gtk_hbox_new(FALSE, 0);
"%s", + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
message); + FALSE, 0);
+ gtk_widget_show(hbox);
+ hbox = gtk_hbox_new(FALSE, 0);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
+ FALSE, 0);
+ gtk_widget_show(hbox);
+ +
entry = gtk_entry_new(); entry = gtk_entry_new();
- gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, if (fg_set)
+ gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE, gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
FALSE, 0); if (bg_set)
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2); gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_box_pack_start(
gtk_widget_grab_focus(entry); - GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
gtk_widget_show(entry); - entry, FALSE, FALSE, 0);
+ GTK_BOX(hbox), entry, TRUE, FALSE, 0);
+ hbox = gtk_hbox_new(FALSE, 0); + gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ FALSE, 8); gtk_widget_grab_focus(entry);
+ gtk_widget_show(hbox); if (prompt_type == PROMPT_ENTRY) {
@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
g_signal_connect(G_OBJECT(entry), "key_press_event",
G_CALLBACK(check_none), dialog);
}
+ +
+ progress = gtk_progress_bar_new(); + hbox = gtk_hbox_new(FALSE, 0);
+ + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally"); + hbox, FALSE, FALSE, 8);
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE, + gtk_widget_show(hbox);
+ TRUE, 5);
+ gtk_widget_show(progress);
+ +
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH"); + progress = gtk_progress_bar_new();
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER); +
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); + gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
@@ -119,6 +149,8 @@ passphrase_dialog(char *message) + "Passphrase length hidden intentionally");
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); + gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
g_signal_connect(G_OBJECT(entry), "activate", + TRUE, 5);
G_CALLBACK(ok_dialog), dialog); + gtk_widget_show(progress);
+ g_signal_connect(G_OBJECT(entry), "changed", + g_signal_connect(G_OBJECT(entry), "changed",
+ G_CALLBACK(move_progress), progress); + G_CALLBACK(move_progress), progress);
+
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); }
/* Grab focus */

View File

@ -1,24 +0,0 @@
diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
--- openssh-5.6p1/channels.c.getaddrinfo 2012-02-14 16:12:54.427852524 +0100
+++ openssh-5.6p1/channels.c 2012-02-14 16:13:22.818928690 +0100
@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
+#ifdef AI_ADDRCONFIG
+ hints.ai_flags |= AI_ADDRCONFIG;
+#endif
hints.ai_socktype = SOCK_STREAM;
snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
--- openssh-5.6p1/sshconnect.c.getaddrinfo 2012-02-14 16:09:25.057964291 +0100
+++ openssh-5.6p1/sshconnect.c 2012-02-14 16:09:25.106047007 +0100
@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
memset(&hints, 0, sizeof(hints));
hints.ai_family = family;
hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG;
snprintf(strport, sizeof strport, "%u", port);
if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
fatal("%s: Could not resolve hostname %.100s: %s", __progname,

View File

@ -1,12 +0,0 @@
diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
--- openssh-6.8p1/packet.c.packet 2015-03-18 10:56:32.286930601 +0100
+++ openssh-6.8p1/packet.c 2015-03-18 10:58:38.535629739 +0100
@@ -371,6 +371,8 @@ ssh_packet_connection_is_on_socket(struc
struct sockaddr_storage from, to;
socklen_t fromlen, tolen;
+ if (!state)
+ return 0;
/* filedescriptors in and out are the same, so it's a socket */
if (state->connection_in == state->connection_out)
return 1;

View File

@ -1,78 +0,0 @@
diff -up openssh-5.9p1/Makefile.in.wIm openssh-5.9p1/Makefile.in
--- openssh-5.9p1/Makefile.in.wIm 2011-08-05 22:15:18.000000000 +0200
+++ openssh-5.9p1/Makefile.in 2011-09-12 16:24:18.643674014 +0200
@@ -66,7 +66,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
+ readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
diff -up openssh-5.9p1/log.h.wIm openssh-5.9p1/log.h
--- openssh-5.9p1/log.h.wIm 2011-06-20 06:42:23.000000000 +0200
+++ openssh-5.9p1/log.h 2011-09-12 16:34:52.984674326 +0200
@@ -65,6 +65,8 @@ void verbose(const char *, ...) __at
void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
void debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
+void _debug_wIm_body(const char *, int, const char *, const char *, int);
+#define debug_wIm(a,b) _debug_wIm_body(a,b,__func__,__FILE__,__LINE__)
void set_log_handler(log_handler_fn *, void *);
diff -up openssh-5.9p1/sshd.c.wIm openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.wIm 2011-06-23 11:45:51.000000000 +0200
+++ openssh-5.9p1/sshd.c 2011-09-12 16:38:35.787816490 +0200
@@ -140,6 +140,9 @@ int deny_severity;
extern char *__progname;
+/* trace of fork processes */
+extern int whereIam;
+
/* Server configuration options. */
ServerOptions options;
@@ -666,6 +669,7 @@ privsep_preauth(Authctxt *authctxt)
return 1;
} else {
/* child */
+ whereIam = 1;
close(pmonitor->m_sendfd);
close(pmonitor->m_log_recvfd);
@@ -715,6 +719,7 @@ privsep_postauth(Authctxt *authctxt)
/* child */
+ whereIam = 2;
close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1;
@@ -1325,6 +1330,8 @@ main(int ac, char **av)
Key *key;
Authctxt *authctxt;
+ whereIam = 0;
+
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif
diff -up openssh-5.9p1/whereIam.c.wIm openssh-5.9p1/whereIam.c
--- openssh-5.9p1/whereIam.c.wIm 2011-09-12 16:24:18.722674167 +0200
+++ openssh-5.9p1/whereIam.c 2011-09-12 16:24:18.724674418 +0200
@@ -0,0 +1,12 @@
+
+int whereIam = -1;
+
+void _debug_wIm_body(const char *txt, int val, const char *func, const char *file, int line)
+{
+ if (txt)
+ debug("%s=%d, %s(%s:%d) wIm = %d, uid=%d, euid=%d", txt, val, func, file, line, whereIam, getuid(), geteuid());
+ else
+ debug("%s(%s:%d) wIm = %d, uid=%d, euid=%d", func, file, line, whereIam, getuid(), geteuid());
+}
+
+

View File

@ -1,21 +0,0 @@
diff -up openssh-6.1p1/sshconnect2.c.canohost openssh-6.1p1/sshconnect2.c
--- openssh-6.1p1/sshconnect2.c.canohost 2012-10-30 10:52:59.593301692 +0100
+++ openssh-6.1p1/sshconnect2.c 2012-10-30 11:01:12.870301632 +0100
@@ -699,12 +699,15 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
- const char *gss_host;
+ const char *gss_host = NULL;
if (options.gss_server_identity)
gss_host = options.gss_server_identity;
- else if (options.gss_trust_dns)
+ else if (options.gss_trust_dns) {
gss_host = get_canonical_hostname(1);
+ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
+ gss_host = authctxt->host;
+ }
else
gss_host = authctxt->host;

View File

@ -1,156 +0,0 @@
diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
--- openssh-7.0p1/configure.ac.vendor 2015-08-12 11:14:54.102628399 +0200
+++ openssh-7.0p1/configure.ac 2015-08-12 11:14:54.129628356 +0200
@@ -4776,6 +4776,12 @@ AC_ARG_WITH([lastlog],
fi
]
)
+AC_ARG_ENABLE(vendor-patchlevel,
+ [ --enable-vendor-patchlevel=TAG specify a vendor patch level],
+ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
+ SSH_VENDOR_PATCHLEVEL="$enableval"],
+ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
+ SSH_VENDOR_PATCHLEVEL=none])
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
@@ -5038,6 +5044,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
+echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
echo ""
diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
--- openssh-7.0p1/servconf.c.vendor 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/servconf.c 2015-08-12 11:15:33.201565712 +0200
@@ -149,6 +149,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
+ options->show_patchlevel = -1;
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -335,6 +336,8 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
+ if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0;
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -407,7 +410,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -529,6 +532,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1389,6 +1393,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep;
goto parse_multistate;
+ case sShowPatchLevel:
+ intptr = &options->show_patchlevel;
+ goto parse_flag;
+
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -2266,6 +2274,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h
--- openssh-7.0p1/servconf.h.vendor 2015-08-11 10:57:29.000000000 +0200
+++ openssh-7.0p1/servconf.h 2015-08-12 11:14:54.130628355 +0200
@@ -155,6 +155,7 @@ typedef struct {
int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */
+ int show_patchlevel; /* Show vendor patch level to clients */
int use_dns;
int client_alive_interval; /*
* poke the client this often to
diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0
--- openssh-7.0p1/sshd_config.0.vendor 2015-08-12 11:14:54.125628363 +0200
+++ openssh-7.0p1/sshd_config.0 2015-08-12 11:14:54.130628355 +0200
@@ -841,6 +841,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The default and minimum value is 1024.
+ ShowPatchLevel
+ Specifies whether sshd will display the specific patch level of
+ the binary in the server identification string. The patch level
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
+
StreamLocalBindMask
Sets the octal file creation mode mask (umask) used when creating
a Unix-domain socket file for local or remote port forwarding.
diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.vendor 2015-08-12 11:14:54.125628363 +0200
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:14:54.131628353 +0200
@@ -1411,6 +1411,13 @@ This option applies to protocol version
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The default and minimum value is 1024.
+.It Cm ShowPatchLevel
+Specifies whether
+.Nm sshd
+will display the patch level of the binary in the identification string.
+The patch level is set at compile-time.
+The default is
+.Dq no .
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config
--- openssh-7.0p1/sshd_config.vendor 2015-08-12 11:14:54.125628363 +0200
+++ openssh-7.0p1/sshd_config 2015-08-12 11:14:54.131628353 +0200
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
+#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
diff -up openssh-7.0p1/sshd.c.vendor openssh-7.0p1/sshd.c
--- openssh-7.0p1/sshd.c.vendor 2015-08-12 11:14:54.100628403 +0200
+++ openssh-7.0p1/sshd.c 2015-08-12 11:14:54.131628353 +0200
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in
}
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
- major, minor, SSH_VERSION,
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
@@ -1749,7 +1749,8 @@ main(int ac, char **av)
exit(1);
}
- debug("sshd version %s, %s", SSH_VERSION,
+ debug("sshd version %s, %s",
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
#ifdef WITH_OPENSSL
SSLeay_version(SSLEAY_VERSION)
#else

View File

@ -1,247 +0,0 @@
diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
--- openssh-6.3p1/auth-krb5.c.ccache_name 2013-10-23 22:03:52.322950759 +0200
+++ openssh-6.3p1/auth-krb5.c 2013-10-23 22:04:24.295799873 +0200
@@ -50,7 +50,9 @@
#include <errno.h>
#include <unistd.h>
#include <string.h>
+#include <sys/stat.h>
#include <krb5.h>
+#include <profile.h>
extern ServerOptions options;
@@ -91,6 +93,7 @@ auth_krb5_password(Authctxt *authctxt, c
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
+ const char *ccache_type;
int len;
char *client, *platform_client;
const char *errmsg;
@@ -191,12 +194,30 @@ auth_krb5_password(Authctxt *authctxt, c
goto out;
#endif
+ ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
- len = strlen(authctxt->krb5_ticket_file) + 6;
+ if (authctxt->krb5_ticket_file[0] == ':')
+ authctxt->krb5_ticket_file++;
+
+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;
authctxt->krb5_ccname = xmalloc(len);
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
+
+#ifdef USE_CCAPI
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
authctxt->krb5_ticket_file);
+#else
+ snprintf(authctxt->krb5_ccname, len, "%s:%s",
+ ccache_type, authctxt->krb5_ticket_file);
+#endif
+
+ if (strcmp(ccache_type, "DIR") == 0) {
+ char *p;
+ p = strrchr(authctxt->krb5_ccname, '/');
+ if (p)
+ *p = '\0';
+ }
+
#ifdef USE_PAM
if (options.use_pam)
@@ -235,10 +256,34 @@ auth_krb5_password(Authctxt *authctxt, c
void
krb5_cleanup_proc(Authctxt *authctxt)
{
+ struct stat krb5_ccname_stat;
+ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;
+
debug("krb5_cleanup_proc called");
if (authctxt->krb5_fwd_ccache) {
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
authctxt->krb5_fwd_ccache = NULL;
+
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
+ *krb5_ccname_dir_start++ = '\0';
+ if (strcmp(krb5_ccname, "DIR") == 0) {
+
+ strcat(krb5_ccname_dir_start, "/primary");
+
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
+ if (unlink(krb5_ccname_dir_start) == 0) {
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
+ *krb5_ccname_dir_end = '\0';
+ if (rmdir(krb5_ccname_dir_start) == -1)
+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
+ }
+ else
+ debug("cache primary file '%s', remove failed: %s",
+ krb5_ccname_dir_start, strerror(errno)
+ );
+ }
+ }
}
if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
@@ -250,34 +295,139 @@ krb5_cleanup_proc(Authctxt *authctxt)
}
}
+int
+ssh_asprintf_append(char **dsc, const char *fmt, ...) {
+ char *src, *old;
+ va_list ap;
+ int i;
+
+ va_start(ap, fmt);
+ i = vasprintf(&src, fmt, ap);
+ va_end(ap);
+
+ if (i == -1 || src == NULL)
+ return -1;
+
+ old = *dsc;
+
+ i = asprintf(dsc, "%s%s", *dsc, src);
+ if (i == -1 || src == NULL) {
+ free(src);
+ return -1;
+ }
+
+ free(old);
+ free(src);
+
+ return i;
+}
+
+int
+ssh_krb5_expand_template(char **result, const char *template) {
+ char *p_n, *p_o, *r, *tmp_template;
+
+ if (template == NULL)
+ return -1;
+
+ tmp_template = p_n = p_o = xstrdup(template);
+ r = xstrdup("");
+
+ while ((p_n = strstr(p_o, "%{")) != NULL) {
+
+ *p_n++ = '\0';
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
+ goto cleanup;
+
+ if (strncmp(p_n, "{uid}", 5) == 0 || strncmp(p_n, "{euid}", 6) == 0 ||
+ strncmp(p_n, "{USERID}", 8) == 0) {
+ p_o = strchr(p_n, '}') + 1;
+ if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
+ goto cleanup;
+ continue;
+ }
+ else if (strncmp(p_n, "{TEMP}", 6) == 0) {
+ p_o = strchr(p_n, '}') + 1;
+ if (ssh_asprintf_append(&r, "/tmp") == -1)
+ goto cleanup;
+ continue;
+ } else {
+ p_o = strchr(p_n, '}') + 1;
+ p_o = '\0';
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
+ /* unknown token, fallback to the default */
+ goto cleanup;
+ }
+ }
+
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
+ goto cleanup;
+
+ *result = r;
+ free(tmp_template);
+ return 0;
+
+cleanup:
+ free(r);
+ free(tmp_template);
+ return -1;
+}
+
+krb5_error_code
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ profile_t p;
+ int ret = 0;
+ char *value = NULL;
+
+ ret = krb5_get_profile(ctx, &p);
+ if (ret)
+ return ret;
+
+ ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
+ if (ret)
+ return ret;
+
+ ret = ssh_krb5_expand_template(ccname, value);
+
+ return ret;
+}
+
#ifndef HEIMDAL
krb5_error_code
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
int tmpfd, ret, oerrno;
- char ccname[40];
+ char *ccname;
+#ifdef USE_CCAPI
+ char cctemplate[] = "API:krb5cc_%d";
+#else
mode_t old_umask;
+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
- ret = snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
- if (ret < 0 || (size_t)ret >= sizeof(ccname))
- return ENOMEM;
-
- old_umask = umask(0177);
- tmpfd = mkstemp(ccname + strlen("FILE:"));
- oerrno = errno;
- umask(old_umask);
- if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(oerrno));
- return oerrno;
- }
+#endif
+
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ if (ret) {
+ ret = asprintf(&ccname, cctemplate, geteuid());
+ if (ret == -1)
+ return ENOMEM;
+ old_umask = umask(0177);
+ tmpfd = mkstemp(ccname + strlen("FILE:"));
oerrno = errno;
- logit("fchmod(): %.100s", strerror(oerrno));
+ umask(old_umask);
+ if (tmpfd == -1) {
+ logit("mkstemp(): %.100s", strerror(oerrno));
+ return oerrno;
+ }
+
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ oerrno = errno;
+ logit("fchmod(): %.100s", strerror(oerrno));
+ close(tmpfd);
+ return oerrno;
+ }
close(tmpfd);
- return oerrno;
}
- close(tmpfd);
+ debug("%s: Setting ccname to %s", __func__, ccname);
return (krb5_cc_resolve(ctx, ccname, ccache));
}

View File

@ -1,54 +0,0 @@
diff -up openssh-6.8p1/compat.c.cisco-dh openssh-6.8p1/compat.c
--- openssh-6.8p1/compat.c.cisco-dh 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/compat.c 2015-03-19 12:57:58.862606969 +0100
@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
SSH_BUG_SCANNER },
{ "Probe-*",
SSH_BUG_PROBE },
+ { "Cisco-*", SSH_BUG_MAX4096DH },
{ NULL, 0 }
};
diff -up openssh-6.8p1/compat.h.cisco-dh openssh-6.8p1/compat.h
--- openssh-6.8p1/compat.h.cisco-dh 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/compat.h 2015-03-19 12:57:58.862606969 +0100
@@ -60,6 +60,7 @@
#define SSH_NEW_OPENSSH 0x04000000
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
#define SSH_BUG_CURVE25519PAD 0x10000000
+#define SSH_BUG_MAX4096DH 0x20000000
void enable_compat13(void);
void enable_compat20(void);
diff -up openssh-6.8p1/kexgexc.c.cisco-dh openssh-6.8p1/kexgexc.c
--- openssh-6.8p1/kexgexc.c.cisco-dh 2015-03-19 12:57:58.862606969 +0100
+++ openssh-6.8p1/kexgexc.c 2015-03-19 13:11:52.320519969 +0100
@@ -64,8 +64,27 @@ kexgex_client(struct ssh *ssh)
kex->min = DH_GRP_MIN;
kex->max = DH_GRP_MAX;
+
+ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
+ * We need to also ensure that min < nbits < max */
+
+ if (datafellows & SSH_BUG_MAX4096DH) {
+ /* The largest min for these servers is 4096 */
+ kex->min = MIN(kex->min, 4096);
+ }
+
kex->nbits = nbits;
- if (ssh->compat & SSH_OLD_DHGEX) {
+ kex->nbits = MIN(nbits, kex->max);
+ kex->nbits = MAX(nbits, kex->min);
+
+ if (ssh->compat & SSH_BUG_MAX4096DH) {
+ /* Cannot have a nbits > 4096 for these servers */
+ kex->nbits = MIN(kex->nbits, 4096);
+ /* nbits has to be powers of two */
+ if (kex->nbits == 3072)
+ kex->nbits = 4096;
+ }
+ if (ssh->compat & SSH_OLD_DHGEX) { /* Old GEX request */
/* Old GEX request */
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD))
!= 0 ||

View File

@ -1,24 +0,0 @@
diff --git a/misc.c b/misc.c
index 2f11de4..36402d1 100644
--- a/misc.c
+++ b/misc.c
@@ -396,7 +396,7 @@ hpdelim(char **cp)
return NULL;
else
s++;
- } else if ((s = strpbrk(s, ":/")) == NULL)
+ } else if ((s = strpbrk(s, ":")) == NULL)
s = *cp + strlen(*cp); /* skip to end (see first case below) */
switch (*s) {
@@ -405,7 +405,6 @@ hpdelim(char **cp)
break;
case ':':
- case '/':
*s = '\0'; /* terminate */
*cp = s + 1;
break;
--
2.1.0

View File

@ -1,12 +0,0 @@
diff --git a/ssh_config b/ssh_config
index 03a228f..49a4f6c 100644
--- a/ssh_config
+++ b/ssh_config
@@ -46,3 +46,7 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
+#
+# Uncomment this if you want to use .local domain
+# Host *.local
+# CheckHostIP no

View File

@ -1,7 +1,7 @@
diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
--- openssh-6.8p1/log.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/log.c 2015-03-18 12:59:29.694022313 +0100 +++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
@@ -241,6 +241,11 @@ debug3(const char *fmt,...) @@ -250,6 +250,11 @@ debug3(const char *fmt,...)
void void
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
{ {
@ -13,7 +13,7 @@ diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT; struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif #endif
@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, Sysl @@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
exit(1); exit(1);
} }
@ -26,50 +26,50 @@ diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
log_on_stderr = on_stderr; log_on_stderr = on_stderr;
if (on_stderr) if (on_stderr)
diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
--- openssh-6.8p1/log.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/log.h 2015-03-18 12:59:29.694022313 +0100 +++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
@@ -49,6 +49,7 @@ typedef enum { @@ -49,6 +49,7 @@ typedef enum {
typedef void (log_handler_fn)(LogLevel, const char *, void *); typedef void (log_handler_fn)(LogLevel, const char *, void *);
void log_init(char *, LogLevel, SyslogFacility, int); void log_init(char *, LogLevel, SyslogFacility, int);
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int); +void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
void log_change_level(LogLevel); LogLevel log_level_get(void);
int log_change_level(LogLevel);
int log_is_on_stderr(void); int log_is_on_stderr(void);
void log_redirect_stderr_to(const char *); diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c --- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
--- openssh-6.8p1/monitor.c.log-in-chroot 2015-03-18 12:59:29.669022374 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
+++ openssh-6.8p1/monitor.c 2015-03-18 13:01:52.894671198 +0100 @@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
@@ -357,6 +357,8 @@ monitor_child_preauth(Authctxt *_authctx close(pmonitor->m_log_sendfd);
close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
+ pmonitor->m_state = "preauth"; + pmonitor->m_state = "preauth";
+ +
authctxt = _authctxt; authctxt = (Authctxt *)ssh->authctxt;
memset(authctxt, 0, sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt));
ssh->authctxt = authctxt;
@@ -465,6 +467,8 @@ monitor_child_postauth(struct monitor *p @@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
close(pmonitor->m_recvfd); close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1; pmonitor->m_recvfd = -1;
+ pmonitor->m_state = "postauth"; + pmonitor->m_state = "postauth";
+ +
monitor_set_child_handler(pmonitor->m_pid); monitor_set_child_handler(pmonitor->m_pid);
signal(SIGHUP, &monitor_child_handler); ssh_signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler); ssh_signal(SIGTERM, &monitor_child_handler);
@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonito @@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
if (log_level_name(level) == NULL) if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)", fatal("%s: invalid log level %u (corrupted message?)",
__func__, level); __func__, level);
- do_log2(level, "%s [preauth]", msg); - do_log2(level, "%s [preauth]", msg);
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state); + do_log2(level, "%s [%s]", msg, pmonitor->m_state);
buffer_free(&logmsg); sshbuf_free(logmsg);
free(msg); free(msg);
@@ -1998,13 +2002,28 @@ monitor_init(void) @@ -1719,13 +1723,28 @@ monitor_init(void)
(ssh_packet_comp_free_func *)mm_zfree); mon = xcalloc(1, sizeof(*mon));
} monitor_openfds(mon, 1);
+ mon->m_state = ""; + mon->m_state = "";
+ +
@ -98,11 +98,11 @@ diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
} }
#ifdef GSSAPI #ifdef GSSAPI
diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
--- openssh-6.8p1/monitor.h.log-in-chroot 2015-03-18 12:59:29.695022310 +0100 --- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100
+++ openssh-6.8p1/monitor.h 2015-03-18 13:02:56.926514197 +0100 +++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100
@@ -83,10 +83,11 @@ struct monitor { @@ -83,10 +83,11 @@ struct monitor {
struct mm_master *m_zlib; int m_log_sendfd;
struct kex **m_pkex; struct kex **m_pkex;
pid_t m_pid; pid_t m_pid;
+ char *m_state; + char *m_state;
@ -111,43 +111,21 @@ diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
struct monitor *monitor_init(void); struct monitor *monitor_init(void);
-void monitor_reinit(struct monitor *); -void monitor_reinit(struct monitor *);
+void monitor_reinit(struct monitor *, const char *); +void monitor_reinit(struct monitor *, const char *);
void monitor_sync(struct monitor *);
struct Authctxt; struct Authctxt;
diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c void monitor_child_preauth(struct ssh *, struct monitor *);
--- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100 diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
+++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100 --- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100
@@ -161,6 +161,7 @@ login_cap_t *lc; +++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100
@@ -160,6 +160,7 @@ login_cap_t *lc;
static int is_child = 0; static int is_child = 0;
static int in_chroot = 0; static int in_chroot = 0;
+static int have_dev_log = 1; +static int have_dev_log = 1;
/* Name and directory of socket for authentication agent forwarding. */ /* File containing userauth info, if ExposeAuthInfo set */
static char *auth_sock_name = NULL; static char *auth_info_file = NULL;
@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c @@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
is_child = 1;
/* Child. Reinitialize the log since the pid has changed. */
- log_init(__progname, options.log_level,
- options.log_facility, log_stderr);
+ log_init_handler(__progname, options.log_level,
+ options.log_facility, log_stderr, have_dev_log);
/*
* Create a new session and process group since the 4.4BSD
@@ -675,8 +677,8 @@ do_exec_pty(Session *s, const char *comm
close(ptymaster);
/* Child. Reinitialize the log because the pid has changed. */
- log_init(__progname, options.log_level,
- options.log_facility, log_stderr);
+ log_init_handler(__progname, options.log_level,
+ options.log_facility, log_stderr, have_dev_log);
/* Close the master side of the pseudo tty. */
close(ptyfd);
@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command)
int ret; int ret;
const char *forced = NULL, *tty = NULL; const char *forced = NULL, *tty = NULL;
char session_type[1024]; char session_type[1024];
@ -155,7 +133,7 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
if (options.adm_forced_command) { if (options.adm_forced_command) {
original_command = command; original_command = command;
@@ -837,6 +840,10 @@ do_exec(Session *s, const char *command) @@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
tty += 5; tty += 5;
} }
@ -166,10 +144,10 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d", verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type, session_type,
tty == NULL ? "" : " on ", tty == NULL ? "" : " on ",
@@ -1678,14 +1685,6 @@ child_close_fds(void) @@ -1486,14 +1492,6 @@ child_close_fds(void)
* descriptors left by system functions. They will be closed later.
*/ /* Stop directing logs to a high-numbered fd before we close it */
endpwent(); log_redirect_stderr_to(NULL);
- -
- /* - /*
- * Close any extra open file descriptors so that we don't have them - * Close any extra open file descriptors so that we don't have them
@ -181,16 +159,16 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
} }
/* /*
@@ -1831,8 +1830,6 @@ do_child(Session *s, const char *command @@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
exit(1); exit(1);
} }
- closefrom(STDERR_FILENO + 1); - closefrom(STDERR_FILENO + 1);
- -
if (!options.use_login) do_rc_files(ssh, s, shell);
do_rc_files(s, shell);
@@ -1856,9 +1853,17 @@ do_child(Session *s, const char *command /* restore SIGPIPE for child */
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -208,21 +186,21 @@ diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
+ +
fflush(NULL); fflush(NULL);
if (options.use_login) { /* Get the last component of the shell name. */
diff -up openssh-6.8p1/sftp-server-main.c.log-in-chroot openssh-6.8p1/sftp-server-main.c diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
--- openssh-6.8p1/sftp-server-main.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/sftp-server-main.c 2015-03-18 12:59:29.696022308 +0100 +++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100
@@ -47,5 +47,5 @@ main(int argc, char **argv) @@ -97,5 +97,5 @@
return 1;
}
- return (sftp_server_main(argc, argv, user_pw)); struct passwd;
+ return (sftp_server_main(argc, argv, user_pw, 0));
} -int sftp_server_main(int, char **, struct passwd *);
diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c +int sftp_server_main(int, char **, struct passwd *, int);
--- openssh-6.8p1/sftp-server.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 void sftp_server_cleanup_exit(int) __attribute__((noreturn));
+++ openssh-6.8p1/sftp-server.c 2015-03-18 13:03:52.510377911 +0100 diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
@@ -1502,7 +1502,7 @@ sftp_server_usage(void) --- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
} }
int int
@ -231,38 +209,38 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
{ {
fd_set *rset, *wset; fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv, @@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname;
ssh_malloc_init(); /* must be called before any mallocs */
__progname = ssh_get_progname(argv[0]); __progname = ssh_get_progname(argv[0]);
- log_init(__progname, log_level, log_facility, log_stderr); - log_init(__progname, log_level, log_facility, log_stderr);
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); + log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
pw = pwcopy(user_pw); pw = pwcopy(user_pw);
@@ -1586,7 +1586,7 @@ sftp_server_main(int argc, char **argv, @@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
} }
} }
- log_init(__progname, log_level, log_facility, log_stderr); - log_init(__progname, log_level, log_facility, log_stderr);
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); + log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* /*
diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h * On platforms where we can, avoid making /proc/self/{mem,maps}
--- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
+++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100 --- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
@@ -97,5 +97,5 @@ +++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100
@@ -49,5 +49,5 @@ main(int argc, char **argv)
return 1;
}
struct passwd; - return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0));
-int sftp_server_main(int, char **, struct passwd *); }
+int sftp_server_main(int, char **, struct passwd *, int); diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
void sftp_server_cleanup_exit(int) __attribute__((noreturn)); --- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100
diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c +++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100
--- openssh-6.8p1/sshd.c.log-in-chroot 2015-03-18 12:59:29.691022320 +0100 @@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
+++ openssh-6.8p1/sshd.c 2015-03-18 12:59:29.697022305 +0100
@@ -744,7 +744,7 @@ privsep_postauth(Authctxt *authctxt)
} }
/* New socket pair */ /* New socket pair */
@ -271,7 +249,7 @@ diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
pmonitor->m_pid = fork(); pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1) if (pmonitor->m_pid == -1)
@@ -762,6 +762,11 @@ privsep_postauth(Authctxt *authctxt) @@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1; pmonitor->m_sendfd = -1;

View File

@ -10,5 +10,5 @@
+ } + }
omode = mode; omode = mode;
mode |= S_IWUSR; mode |= S_IWUSR;
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) == -1) {
-- --

View File

@ -7,7 +7,7 @@ index 8f32464..18a2ca4 100644
#include "servconf.h" #include "servconf.h"
#include "port-linux.h" #include "port-linux.h"
+#include "misc.h" +#include "misc.h"
#include "key.h" #include "sshkey.h"
#include "hostfile.h" #include "hostfile.h"
#include "auth.h" #include "auth.h"
@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname) @@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
@ -19,7 +19,7 @@ index 8f32464..18a2ca4 100644
if (!sshd_selinux_enabled()) if (!sshd_selinux_enabled())
return; return;
@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void) @@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)
} }
} }
@ -30,46 +30,60 @@ index 8f32464..18a2ca4 100644
+ char line[1024], *preauth_context = NULL, *cp, *arg; + char line[1024], *preauth_context = NULL, *cp, *arg;
+ const char *contexts_path; + const char *contexts_path;
+ FILE *contexts_file; + FILE *contexts_file;
+ struct stat sb;
+ +
+ contexts_path = selinux_openssh_contexts_path(); + contexts_path = selinux_openssh_contexts_path();
+ if (contexts_path != NULL) { + if (contexts_path == NULL) {
+ if ((contexts_file = fopen(contexts_path, "r")) != NULL) { + debug3("%s: Failed to get the path to SELinux context", __func__);
+ struct stat sb; + return;
+
+ if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
+ while (fgets(line, sizeof(line), contexts_file)) {
+ /* Strip trailing whitespace */
+ for (len = strlen(line) - 1; len > 0; len--) {
+ if (strchr(" \t\r\n", line[len]) == NULL)
+ break;
+ line[len] = '\0';
+ }
+
+ if (line[0] == '\0')
+ continue;
+
+ cp = line;
+ arg = strdelim(&cp);
+ if (*arg == '\0')
+ arg = strdelim(&cp);
+
+ if (strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0') {
+ debug("%s: privsep_preauth is empty", __func__);
+ fclose(contexts_file);
+ return;
+ }
+ preauth_context = xstrdup(arg);
+ }
+ }
+ }
+ fclose(contexts_file);
+ }
+ } + }
+ +
+ if (preauth_context == NULL) + if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
+ preauth_context = xstrdup("sshd_net_t"); + debug("%s: Failed to open SELinux context file", __func__);
+ return;
+ }
+
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
+ logit("%s: SELinux context file needs to be owned by root"
+ " and not writable by anyone else", __func__);
+ fclose(contexts_file);
+ return;
+ }
+
+ while (fgets(line, sizeof(line), contexts_file)) {
+ /* Strip trailing whitespace */
+ for (len = strlen(line) - 1; len > 0; len--) {
+ if (strchr(" \t\r\n", line[len]) == NULL)
+ break;
+ line[len] = '\0';
+ }
+
+ if (line[0] == '\0')
+ continue;
+
+ cp = line;
+ arg = strdelim(&cp);
+ if (arg && *arg == '\0')
+ arg = strdelim(&cp);
+
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0') {
+ debug("%s: privsep_preauth is empty", __func__);
+ fclose(contexts_file);
+ return;
+ }
+ preauth_context = xstrdup(arg);
+ }
+ }
+ fclose(contexts_file);
+
+ if (preauth_context == NULL) {
+ debug("%s: Unable to find 'privsep_preauth' option in"
+ " SELinux context file", __func__);
+ return;
+ }
+ +
+ ssh_selinux_change_context(preauth_context); + ssh_selinux_change_context(preauth_context);
+ free(preauth_context); + free(preauth_context);
@ -116,38 +130,3 @@ index 2871fe9..39b9c08 100644
#endif #endif
/* Demote the child */ /* Demote the child */
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 12c014e..c5ef2ff 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -35,7 +35,6 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
-#include <selinux/flask.h>
#include <selinux/get_context_list.h>
#ifndef SSH_SELINUX_UNCONFINED_TYPE
@@ -110,6 +109,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
security_context_t new_tty_ctx = NULL;
security_context_t user_ctx = NULL;
security_context_t old_tty_ctx = NULL;
+ security_class_t class;
if (!ssh_selinux_enabled())
return;
@@ -129,8 +129,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
goto out;
}
+ class = string_to_security_class("chr_file");
+ if (!class) {
+ error("string_to_security_class failed to translate security class context");
+ goto out;
+ }
if (security_compute_relabel(user_ctx, old_tty_ctx,
- SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+ class, &new_tty_ctx) != 0) {
error("%s: security_compute_relabel: %s",
__func__, strerror(errno));
goto out;

View File

@ -1,12 +0,0 @@
diff -up openssh/servconf.c.servconf openssh/servconf.c
--- openssh/servconf.c.servconf 2015-06-24 11:26:26.186527736 +0200
+++ openssh/servconf.c 2015-06-24 11:26:39.847493075 +0200
@@ -1815,6 +1815,8 @@ process_server_config_line(ServerOptions
break;
case sAuthenticationMethods:
+ if (cp == NULL || *cp == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
if (options->num_auth_methods == 0) {
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_auth_methods >=

View File

@ -1,970 +0,0 @@
diff -up openssh-6.8p1/Makefile.in.utf8-banner openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.utf8-banner 2015-03-18 12:41:28.174713188 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 12:45:52.723048114 +0100
@@ -94,7 +94,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o smult_curve25519_ref.o \
poly1305.o chacha.o cipher-chachapoly.o \
- ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
+ ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o utf8_stringprep.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
diff -up openssh-6.8p1/misc.h.utf8-banner openssh-6.8p1/misc.h
--- openssh-6.8p1/misc.h.utf8-banner 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/misc.h 2015-03-18 12:41:28.175713185 +0100
@@ -135,4 +135,8 @@ char *read_passphrase(const char *, int)
int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
+/* utf8_stringprep.c */
+int utf8_stringprep(const char *, char *, size_t);
+void sanitize_utf8(char *, const char *, size_t);
+
#endif /* _MISC_H */
diff -up openssh-6.8p1/sshconnect2.c.utf8-banner openssh-6.8p1/sshconnect2.c
--- openssh-6.8p1/sshconnect2.c.utf8-banner 2015-03-18 12:41:28.161713220 +0100
+++ openssh-6.8p1/sshconnect2.c 2015-03-18 12:44:05.483317714 +0100
@@ -532,7 +534,7 @@ input_userauth_error(int type, u_int32_t
if (len > 65536)
len = 65536;
msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
- strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
+ sanitize_utf8(msg, raw, len);
fprintf(stderr, "%s", msg);
free(msg);
}
diff -up openssh-6.8p1/stringprep-tables.c.utf8-banner openssh-6.8p1/stringprep-tables.c
--- openssh-6.8p1/stringprep-tables.c.utf8-banner 2015-03-18 12:41:28.175713185 +0100
+++ openssh-6.8p1/stringprep-tables.c 2015-03-18 12:41:28.175713185 +0100
@@ -0,0 +1,661 @@
+/* Public domain. */
+
+/* $OpenBSD$ */
+
+/*
+ * Tables for RFC3454 stringprep algorithm, updated with a table of allocated
+ * characters generated from Unicode.6.2's UnicodeData.txt
+ *
+ * Intended to be included directly from utf8_stringprep.c
+ */
+
+/* Unassigned characters in Unicode 6.2 */
+static const struct u32_range unassigned[] = {
+ { 0x0378, 0x0379 },
+ { 0x037F, 0x0383 },
+ { 0x038B, 0x038B },
+ { 0x038D, 0x038D },
+ { 0x03A2, 0x03A2 },
+ { 0x0528, 0x0530 },
+ { 0x0557, 0x0558 },
+ { 0x0560, 0x0560 },
+ { 0x0588, 0x0588 },
+ { 0x058B, 0x058E },
+ { 0x0590, 0x0590 },
+ { 0x05C8, 0x05CF },
+ { 0x05EB, 0x05EF },
+ { 0x05F5, 0x05FF },
+ { 0x0605, 0x0605 },
+ { 0x061C, 0x061D },
+ { 0x070E, 0x070E },
+ { 0x074B, 0x074C },
+ { 0x07B2, 0x07BF },
+ { 0x07FB, 0x07FF },
+ { 0x082E, 0x082F },
+ { 0x083F, 0x083F },
+ { 0x085C, 0x085D },
+ { 0x085F, 0x089F },
+ { 0x08A1, 0x08A1 },
+ { 0x08AD, 0x08E3 },
+ { 0x08FF, 0x08FF },
+ { 0x0978, 0x0978 },
+ { 0x0980, 0x0980 },
+ { 0x0984, 0x0984 },
+ { 0x098D, 0x098E },
+ { 0x0991, 0x0992 },
+ { 0x09A9, 0x09A9 },
+ { 0x09B1, 0x09B1 },
+ { 0x09B3, 0x09B5 },
+ { 0x09BA, 0x09BB },
+ { 0x09C5, 0x09C6 },
+ { 0x09C9, 0x09CA },
+ { 0x09CF, 0x09D6 },
+ { 0x09D8, 0x09DB },
+ { 0x09DE, 0x09DE },
+ { 0x09E4, 0x09E5 },
+ { 0x09FC, 0x0A00 },
+ { 0x0A04, 0x0A04 },
+ { 0x0A0B, 0x0A0E },
+ { 0x0A11, 0x0A12 },
+ { 0x0A29, 0x0A29 },
+ { 0x0A31, 0x0A31 },
+ { 0x0A34, 0x0A34 },
+ { 0x0A37, 0x0A37 },
+ { 0x0A3A, 0x0A3B },
+ { 0x0A3D, 0x0A3D },
+ { 0x0A43, 0x0A46 },
+ { 0x0A49, 0x0A4A },
+ { 0x0A4E, 0x0A50 },
+ { 0x0A52, 0x0A58 },
+ { 0x0A5D, 0x0A5D },
+ { 0x0A5F, 0x0A65 },
+ { 0x0A76, 0x0A80 },
+ { 0x0A84, 0x0A84 },
+ { 0x0A8E, 0x0A8E },
+ { 0x0A92, 0x0A92 },
+ { 0x0AA9, 0x0AA9 },
+ { 0x0AB1, 0x0AB1 },
+ { 0x0AB4, 0x0AB4 },
+ { 0x0ABA, 0x0ABB },
+ { 0x0AC6, 0x0AC6 },
+ { 0x0ACA, 0x0ACA },
+ { 0x0ACE, 0x0ACF },
+ { 0x0AD1, 0x0ADF },
+ { 0x0AE4, 0x0AE5 },
+ { 0x0AF2, 0x0B00 },
+ { 0x0B04, 0x0B04 },
+ { 0x0B0D, 0x0B0E },
+ { 0x0B11, 0x0B12 },
+ { 0x0B29, 0x0B29 },
+ { 0x0B31, 0x0B31 },
+ { 0x0B34, 0x0B34 },
+ { 0x0B3A, 0x0B3B },
+ { 0x0B45, 0x0B46 },
+ { 0x0B49, 0x0B4A },
+ { 0x0B4E, 0x0B55 },
+ { 0x0B58, 0x0B5B },
+ { 0x0B5E, 0x0B5E },
+ { 0x0B64, 0x0B65 },
+ { 0x0B78, 0x0B81 },
+ { 0x0B84, 0x0B84 },
+ { 0x0B8B, 0x0B8D },
+ { 0x0B91, 0x0B91 },
+ { 0x0B96, 0x0B98 },
+ { 0x0B9B, 0x0B9B },
+ { 0x0B9D, 0x0B9D },
+ { 0x0BA0, 0x0BA2 },
+ { 0x0BA5, 0x0BA7 },
+ { 0x0BAB, 0x0BAD },
+ { 0x0BBA, 0x0BBD },
+ { 0x0BC3, 0x0BC5 },
+ { 0x0BC9, 0x0BC9 },
+ { 0x0BCE, 0x0BCF },
+ { 0x0BD1, 0x0BD6 },
+ { 0x0BD8, 0x0BE5 },
+ { 0x0BFB, 0x0C00 },
+ { 0x0C04, 0x0C04 },
+ { 0x0C0D, 0x0C0D },
+ { 0x0C11, 0x0C11 },
+ { 0x0C29, 0x0C29 },
+ { 0x0C34, 0x0C34 },
+ { 0x0C3A, 0x0C3C },
+ { 0x0C45, 0x0C45 },
+ { 0x0C49, 0x0C49 },
+ { 0x0C4E, 0x0C54 },
+ { 0x0C57, 0x0C57 },
+ { 0x0C5A, 0x0C5F },
+ { 0x0C64, 0x0C65 },
+ { 0x0C70, 0x0C77 },
+ { 0x0C80, 0x0C81 },
+ { 0x0C84, 0x0C84 },
+ { 0x0C8D, 0x0C8D },
+ { 0x0C91, 0x0C91 },
+ { 0x0CA9, 0x0CA9 },
+ { 0x0CB4, 0x0CB4 },
+ { 0x0CBA, 0x0CBB },
+ { 0x0CC5, 0x0CC5 },
+ { 0x0CC9, 0x0CC9 },
+ { 0x0CCE, 0x0CD4 },
+ { 0x0CD7, 0x0CDD },
+ { 0x0CDF, 0x0CDF },
+ { 0x0CE4, 0x0CE5 },
+ { 0x0CF0, 0x0CF0 },
+ { 0x0CF3, 0x0D01 },
+ { 0x0D04, 0x0D04 },
+ { 0x0D0D, 0x0D0D },
+ { 0x0D11, 0x0D11 },
+ { 0x0D3B, 0x0D3C },
+ { 0x0D45, 0x0D45 },
+ { 0x0D49, 0x0D49 },
+ { 0x0D4F, 0x0D56 },
+ { 0x0D58, 0x0D5F },
+ { 0x0D64, 0x0D65 },
+ { 0x0D76, 0x0D78 },
+ { 0x0D80, 0x0D81 },
+ { 0x0D84, 0x0D84 },
+ { 0x0D97, 0x0D99 },
+ { 0x0DB2, 0x0DB2 },
+ { 0x0DBC, 0x0DBC },
+ { 0x0DBE, 0x0DBF },
+ { 0x0DC7, 0x0DC9 },
+ { 0x0DCB, 0x0DCE },
+ { 0x0DD5, 0x0DD5 },
+ { 0x0DD7, 0x0DD7 },
+ { 0x0DE0, 0x0DF1 },
+ { 0x0DF5, 0x0E00 },
+ { 0x0E3B, 0x0E3E },
+ { 0x0E5C, 0x0E80 },
+ { 0x0E83, 0x0E83 },
+ { 0x0E85, 0x0E86 },
+ { 0x0E89, 0x0E89 },
+ { 0x0E8B, 0x0E8C },
+ { 0x0E8E, 0x0E93 },
+ { 0x0E98, 0x0E98 },
+ { 0x0EA0, 0x0EA0 },
+ { 0x0EA4, 0x0EA4 },
+ { 0x0EA6, 0x0EA6 },
+ { 0x0EA8, 0x0EA9 },
+ { 0x0EAC, 0x0EAC },
+ { 0x0EBA, 0x0EBA },
+ { 0x0EBE, 0x0EBF },
+ { 0x0EC5, 0x0EC5 },
+ { 0x0EC7, 0x0EC7 },
+ { 0x0ECE, 0x0ECF },
+ { 0x0EDA, 0x0EDB },
+ { 0x0EE0, 0x0EFF },
+ { 0x0F48, 0x0F48 },
+ { 0x0F6D, 0x0F70 },
+ { 0x0F98, 0x0F98 },
+ { 0x0FBD, 0x0FBD },
+ { 0x0FCD, 0x0FCD },
+ { 0x0FDB, 0x0FFF },
+ { 0x10C6, 0x10C6 },
+ { 0x10C8, 0x10CC },
+ { 0x10CE, 0x10CF },
+ { 0x1249, 0x1249 },
+ { 0x124E, 0x124F },
+ { 0x1257, 0x1257 },
+ { 0x1259, 0x1259 },
+ { 0x125E, 0x125F },
+ { 0x1289, 0x1289 },
+ { 0x128E, 0x128F },
+ { 0x12B1, 0x12B1 },
+ { 0x12B6, 0x12B7 },
+ { 0x12BF, 0x12BF },
+ { 0x12C1, 0x12C1 },
+ { 0x12C6, 0x12C7 },
+ { 0x12D7, 0x12D7 },
+ { 0x1311, 0x1311 },
+ { 0x1316, 0x1317 },
+ { 0x135B, 0x135C },
+ { 0x137D, 0x137F },
+ { 0x139A, 0x139F },
+ { 0x13F5, 0x13FF },
+ { 0x169D, 0x169F },
+ { 0x16F1, 0x16FF },
+ { 0x170D, 0x170D },
+ { 0x1715, 0x171F },
+ { 0x1737, 0x173F },
+ { 0x1754, 0x175F },
+ { 0x176D, 0x176D },
+ { 0x1771, 0x1771 },
+ { 0x1774, 0x177F },
+ { 0x17DE, 0x17DF },
+ { 0x17EA, 0x17EF },
+ { 0x17FA, 0x17FF },
+ { 0x180F, 0x180F },
+ { 0x181A, 0x181F },
+ { 0x1878, 0x187F },
+ { 0x18AB, 0x18AF },
+ { 0x18F6, 0x18FF },
+ { 0x191D, 0x191F },
+ { 0x192C, 0x192F },
+ { 0x193C, 0x193F },
+ { 0x1941, 0x1943 },
+ { 0x196E, 0x196F },
+ { 0x1975, 0x197F },
+ { 0x19AC, 0x19AF },
+ { 0x19CA, 0x19CF },
+ { 0x19DB, 0x19DD },
+ { 0x1A1C, 0x1A1D },
+ { 0x1A5F, 0x1A5F },
+ { 0x1A7D, 0x1A7E },
+ { 0x1A8A, 0x1A8F },
+ { 0x1A9A, 0x1A9F },
+ { 0x1AAE, 0x1AFF },
+ { 0x1B4C, 0x1B4F },
+ { 0x1B7D, 0x1B7F },
+ { 0x1BF4, 0x1BFB },
+ { 0x1C38, 0x1C3A },
+ { 0x1C4A, 0x1C4C },
+ { 0x1C80, 0x1CBF },
+ { 0x1CC8, 0x1CCF },
+ { 0x1CF7, 0x1CFF },
+ { 0x1DE7, 0x1DFB },
+ { 0x1F16, 0x1F17 },
+ { 0x1F1E, 0x1F1F },
+ { 0x1F46, 0x1F47 },
+ { 0x1F4E, 0x1F4F },
+ { 0x1F58, 0x1F58 },
+ { 0x1F5A, 0x1F5A },
+ { 0x1F5C, 0x1F5C },
+ { 0x1F5E, 0x1F5E },
+ { 0x1F7E, 0x1F7F },
+ { 0x1FB5, 0x1FB5 },
+ { 0x1FC5, 0x1FC5 },
+ { 0x1FD4, 0x1FD5 },
+ { 0x1FDC, 0x1FDC },
+ { 0x1FF0, 0x1FF1 },
+ { 0x1FF5, 0x1FF5 },
+ { 0x1FFF, 0x1FFF },
+ { 0x2065, 0x2069 },
+ { 0x2072, 0x2073 },
+ { 0x208F, 0x208F },
+ { 0x209D, 0x209F },
+ { 0x20BB, 0x20CF },
+ { 0x20F1, 0x20FF },
+ { 0x218A, 0x218F },
+ { 0x23F4, 0x23FF },
+ { 0x2427, 0x243F },
+ { 0x244B, 0x245F },
+ { 0x2700, 0x2700 },
+ { 0x2B4D, 0x2B4F },
+ { 0x2B5A, 0x2BFF },
+ { 0x2C2F, 0x2C2F },
+ { 0x2C5F, 0x2C5F },
+ { 0x2CF4, 0x2CF8 },
+ { 0x2D26, 0x2D26 },
+ { 0x2D28, 0x2D2C },
+ { 0x2D2E, 0x2D2F },
+ { 0x2D68, 0x2D6E },
+ { 0x2D71, 0x2D7E },
+ { 0x2D97, 0x2D9F },
+ { 0x2DA7, 0x2DA7 },
+ { 0x2DAF, 0x2DAF },
+ { 0x2DB7, 0x2DB7 },
+ { 0x2DBF, 0x2DBF },
+ { 0x2DC7, 0x2DC7 },
+ { 0x2DCF, 0x2DCF },
+ { 0x2DD7, 0x2DD7 },
+ { 0x2DDF, 0x2DDF },
+ { 0x2E3C, 0x2E7F },
+ { 0x2E9A, 0x2E9A },
+ { 0x2EF4, 0x2EFF },
+ { 0x2FD6, 0x2FEF },
+ { 0x2FFC, 0x2FFF },
+ { 0x3040, 0x3040 },
+ { 0x3097, 0x3098 },
+ { 0x3100, 0x3104 },
+ { 0x312E, 0x3130 },
+ { 0x318F, 0x318F },
+ { 0x31BB, 0x31BF },
+ { 0x31E4, 0x31EF },
+ { 0x321F, 0x321F },
+ { 0x32FF, 0x32FF },
+ { 0x4DB6, 0x4DBF },
+ { 0x9FA6, 0x9FCB },
+ { 0x9FCD, 0x9FFF },
+ { 0xA48D, 0xA48F },
+ { 0xA4C7, 0xA4CF },
+ { 0xA62C, 0xA63F },
+ { 0xA698, 0xA69E },
+ { 0xA6F8, 0xA6FF },
+ { 0xA78F, 0xA78F },
+ { 0xA794, 0xA79F },
+ { 0xA7AB, 0xA7F7 },
+ { 0xA82C, 0xA82F },
+ { 0xA83A, 0xA83F },
+ { 0xA878, 0xA87F },
+ { 0xA8C5, 0xA8CD },
+ { 0xA8DA, 0xA8DF },
+ { 0xA8FC, 0xA8FF },
+ { 0xA954, 0xA95E },
+ { 0xA97D, 0xA97F },
+ { 0xA9CE, 0xA9CE },
+ { 0xA9DA, 0xA9DD },
+ { 0xA9E0, 0xA9FF },
+ { 0xAA37, 0xAA3F },
+ { 0xAA4E, 0xAA4F },
+ { 0xAA5A, 0xAA5B },
+ { 0xAA7C, 0xAA7F },
+ { 0xAAC3, 0xAADA },
+ { 0xAAF7, 0xAB00 },
+ { 0xAB07, 0xAB08 },
+ { 0xAB0F, 0xAB10 },
+ { 0xAB17, 0xAB1F },
+ { 0xAB27, 0xAB27 },
+ { 0xAB2F, 0xABBF },
+ { 0xABEE, 0xABEF },
+ { 0xABFA, 0xABFF },
+ { 0xD7A4, 0xD7AF },
+ { 0xD7C7, 0xD7CA },
+ { 0xD7FC, 0xD7FF },
+ { 0xFA6E, 0xFA6F },
+ { 0xFADA, 0xFAFF },
+ { 0xFB07, 0xFB12 },
+ { 0xFB18, 0xFB1C },
+ { 0xFB37, 0xFB37 },
+ { 0xFB3D, 0xFB3D },
+ { 0xFB3F, 0xFB3F },
+ { 0xFB42, 0xFB42 },
+ { 0xFB45, 0xFB45 },
+ { 0xFBC2, 0xFBD2 },
+ { 0xFD40, 0xFD4F },
+ { 0xFD90, 0xFD91 },
+ { 0xFDC8, 0xFDCF },
+ { 0xFDFE, 0xFDFF },
+ { 0xFE1A, 0xFE1F },
+ { 0xFE27, 0xFE2F },
+ { 0xFE53, 0xFE53 },
+ { 0xFE67, 0xFE67 },
+ { 0xFE6C, 0xFE6F },
+ { 0xFE75, 0xFE75 },
+ { 0xFEFD, 0xFEFE },
+ { 0xFF00, 0xFF00 },
+ { 0xFFBF, 0xFFC1 },
+ { 0xFFC8, 0xFFC9 },
+ { 0xFFD0, 0xFFD1 },
+ { 0xFFD8, 0xFFD9 },
+ { 0xFFDD, 0xFFDF },
+ { 0xFFE7, 0xFFE7 },
+ { 0xFFEF, 0xFFF8 },
+ { 0x1000C, 0x1000C },
+ { 0x10027, 0x10027 },
+ { 0x1003B, 0x1003B },
+ { 0x1003E, 0x1003E },
+ { 0x1004E, 0x1004F },
+ { 0x1005E, 0x1007F },
+ { 0x100FB, 0x100FF },
+ { 0x10103, 0x10106 },
+ { 0x10134, 0x10136 },
+ { 0x1018B, 0x1018F },
+ { 0x1019C, 0x101CF },
+ { 0x101FE, 0x1027F },
+ { 0x1029D, 0x1029F },
+ { 0x102D1, 0x102FF },
+ { 0x1031F, 0x1031F },
+ { 0x10324, 0x1032F },
+ { 0x1034B, 0x1037F },
+ { 0x1039E, 0x1039E },
+ { 0x103C4, 0x103C7 },
+ { 0x103D6, 0x103FF },
+ { 0x1049E, 0x1049F },
+ { 0x104AA, 0x107FF },
+ { 0x10806, 0x10807 },
+ { 0x10809, 0x10809 },
+ { 0x10836, 0x10836 },
+ { 0x10839, 0x1083B },
+ { 0x1083D, 0x1083E },
+ { 0x10856, 0x10856 },
+ { 0x10860, 0x108FF },
+ { 0x1091C, 0x1091E },
+ { 0x1093A, 0x1093E },
+ { 0x10940, 0x1097F },
+ { 0x109B8, 0x109BD },
+ { 0x109C0, 0x109FF },
+ { 0x10A04, 0x10A04 },
+ { 0x10A07, 0x10A0B },
+ { 0x10A14, 0x10A14 },
+ { 0x10A18, 0x10A18 },
+ { 0x10A34, 0x10A37 },
+ { 0x10A3B, 0x10A3E },
+ { 0x10A48, 0x10A4F },
+ { 0x10A59, 0x10A5F },
+ { 0x10A80, 0x10AFF },
+ { 0x10B36, 0x10B38 },
+ { 0x10B56, 0x10B57 },
+ { 0x10B73, 0x10B77 },
+ { 0x10B80, 0x10BFF },
+ { 0x10C49, 0x10E5F },
+ { 0x10E7F, 0x10FFF },
+ { 0x1104E, 0x11051 },
+ { 0x11070, 0x1107F },
+ { 0x110C2, 0x110CF },
+ { 0x110E9, 0x110EF },
+ { 0x110FA, 0x110FF },
+ { 0x11135, 0x11135 },
+ { 0x11144, 0x1117F },
+ { 0x111C9, 0x111CF },
+ { 0x111DA, 0x1167F },
+ { 0x116B8, 0x116BF },
+ { 0x116CA, 0x11FFF },
+ { 0x1236F, 0x123FF },
+ { 0x12463, 0x1246F },
+ { 0x12474, 0x12FFF },
+ { 0x1342F, 0x167FF },
+ { 0x16A39, 0x16EFF },
+ { 0x16F45, 0x16F4F },
+ { 0x16F7F, 0x16F8E },
+ { 0x16FA0, 0x1AFFF },
+ { 0x1B002, 0x1CFFF },
+ { 0x1D0F6, 0x1D0FF },
+ { 0x1D127, 0x1D128 },
+ { 0x1D1DE, 0x1D1FF },
+ { 0x1D246, 0x1D2FF },
+ { 0x1D357, 0x1D35F },
+ { 0x1D372, 0x1D3FF },
+ { 0x1D455, 0x1D455 },
+ { 0x1D49D, 0x1D49D },
+ { 0x1D4A0, 0x1D4A1 },
+ { 0x1D4A3, 0x1D4A4 },
+ { 0x1D4A7, 0x1D4A8 },
+ { 0x1D4AD, 0x1D4AD },
+ { 0x1D4BA, 0x1D4BA },
+ { 0x1D4BC, 0x1D4BC },
+ { 0x1D4C4, 0x1D4C4 },
+ { 0x1D506, 0x1D506 },
+ { 0x1D50B, 0x1D50C },
+ { 0x1D515, 0x1D515 },
+ { 0x1D51D, 0x1D51D },
+ { 0x1D53A, 0x1D53A },
+ { 0x1D53F, 0x1D53F },
+ { 0x1D545, 0x1D545 },
+ { 0x1D547, 0x1D549 },
+ { 0x1D551, 0x1D551 },
+ { 0x1D6A6, 0x1D6A7 },
+ { 0x1D7CC, 0x1D7CD },
+ { 0x1D800, 0x1EDFF },
+ { 0x1EE04, 0x1EE04 },
+ { 0x1EE20, 0x1EE20 },
+ { 0x1EE23, 0x1EE23 },
+ { 0x1EE25, 0x1EE26 },
+ { 0x1EE28, 0x1EE28 },
+ { 0x1EE33, 0x1EE33 },
+ { 0x1EE38, 0x1EE38 },
+ { 0x1EE3A, 0x1EE3A },
+ { 0x1EE3C, 0x1EE41 },
+ { 0x1EE43, 0x1EE46 },
+ { 0x1EE48, 0x1EE48 },
+ { 0x1EE4A, 0x1EE4A },
+ { 0x1EE4C, 0x1EE4C },
+ { 0x1EE50, 0x1EE50 },
+ { 0x1EE53, 0x1EE53 },
+ { 0x1EE55, 0x1EE56 },
+ { 0x1EE58, 0x1EE58 },
+ { 0x1EE5A, 0x1EE5A },
+ { 0x1EE5C, 0x1EE5C },
+ { 0x1EE5E, 0x1EE5E },
+ { 0x1EE60, 0x1EE60 },
+ { 0x1EE63, 0x1EE63 },
+ { 0x1EE65, 0x1EE66 },
+ { 0x1EE6B, 0x1EE6B },
+ { 0x1EE73, 0x1EE73 },
+ { 0x1EE78, 0x1EE78 },
+ { 0x1EE7D, 0x1EE7D },
+ { 0x1EE7F, 0x1EE7F },
+ { 0x1EE8A, 0x1EE8A },
+ { 0x1EE9C, 0x1EEA0 },
+ { 0x1EEA4, 0x1EEA4 },
+ { 0x1EEAA, 0x1EEAA },
+ { 0x1EEBC, 0x1EEEF },
+ { 0x1EEF2, 0x1EFFF },
+ { 0x1F02C, 0x1F02F },
+ { 0x1F094, 0x1F09F },
+ { 0x1F0AF, 0x1F0B0 },
+ { 0x1F0BF, 0x1F0C0 },
+ { 0x1F0D0, 0x1F0D0 },
+ { 0x1F0E0, 0x1F0FF },
+ { 0x1F10B, 0x1F10F },
+ { 0x1F12F, 0x1F12F },
+ { 0x1F16C, 0x1F16F },
+ { 0x1F19B, 0x1F1E5 },
+ { 0x1F203, 0x1F20F },
+ { 0x1F23B, 0x1F23F },
+ { 0x1F249, 0x1F24F },
+ { 0x1F252, 0x1F2FF },
+ { 0x1F321, 0x1F32F },
+ { 0x1F336, 0x1F336 },
+ { 0x1F37D, 0x1F37F },
+ { 0x1F394, 0x1F39F },
+ { 0x1F3C5, 0x1F3C5 },
+ { 0x1F3CB, 0x1F3DF },
+ { 0x1F3F1, 0x1F3FF },
+ { 0x1F43F, 0x1F43F },
+ { 0x1F441, 0x1F441 },
+ { 0x1F4F8, 0x1F4F8 },
+ { 0x1F4FD, 0x1F4FF },
+ { 0x1F53E, 0x1F53F },
+ { 0x1F544, 0x1F54F },
+ { 0x1F568, 0x1F5FA },
+ { 0x1F641, 0x1F644 },
+ { 0x1F650, 0x1F67F },
+ { 0x1F6C6, 0x1F6FF },
+ { 0x1F774, 0x1FFFD },
+ { 0x2A6D7, 0x2A6FF },
+ { 0x2A701, 0x2B733 },
+ { 0x2B735, 0x2B73F },
+ { 0x2B741, 0x2B81C },
+ { 0x2B81E, 0x2F7FF },
+ { 0x2FA1E, 0x2FFFD },
+ { 0x30000, 0x3FFFD },
+ { 0x40000, 0x4FFFD },
+ { 0x50000, 0x5FFFD },
+ { 0x60000, 0x6FFFD },
+ { 0x70000, 0x7FFFD },
+ { 0x80000, 0x8FFFD },
+ { 0x90000, 0x9FFFD },
+ { 0xA0000, 0xAFFFD },
+ { 0xB0000, 0xBFFFD },
+ { 0xC0000, 0xCFFFD },
+ { 0xD0000, 0xDFFFD },
+ { 0xE0000, 0xE0000 },
+ { 0xE0002, 0xE001F },
+ { 0xE0080, 0xE00FF },
+ { 0xE01F0, 0xEFFFD },
+};
+
+/* RFC3454 Table B.1 */
+static const struct u32_range map_to_nothing[] = {
+ { 0x00AD, 0x00AD },
+ { 0x034F, 0x034F },
+ { 0x1806, 0x1806 },
+ { 0x180B, 0x180D },
+ { 0x200B, 0x200D },
+ { 0x2060, 0x2060 },
+ { 0xFE00, 0xFE0F },
+ { 0xFEFF, 0xFEFF },
+};
+
+/* Local: allow tab, CR and LF */
+static const struct u32_range whitelist[] = {
+ { 0x09, 0x09 },
+ { 0x0a, 0x0a },
+ { 0x0d, 0x0d },
+};
+
+/* RFC3454 Tables in appendix C */
+static const struct u32_range prohibited[] = {
+ /* C.2.1 ASCII control characters */
+ { 0x0000, 0x001F },
+ { 0x007F, 0x007F },
+ /* C.2.2 Non-ASCII control characters */
+ { 0x0080, 0x009F },
+ { 0x06DD, 0x06DD },
+ { 0x070F, 0x070F },
+ { 0x180E, 0x180E },
+ { 0x200C, 0x200C },
+ { 0x200D, 0x200D },
+ { 0x2028, 0x2028 },
+ { 0x2029, 0x2029 },
+ { 0x2060, 0x2060 },
+ { 0x2061, 0x2061 },
+ { 0x2062, 0x2062 },
+ { 0x2063, 0x2063 },
+ { 0x206A, 0x206F },
+ { 0xFEFF, 0xFEFF },
+ { 0xFFF9, 0xFFFC },
+ { 0x1D173, 0x1D17A },
+ /* C.3 Private use */
+ { 0xE000, 0xF8FF },
+ { 0xF0000, 0xFFFFD },
+ { 0x100000, 0x10FFFD },
+ /* C.4 Non-character code points */
+ { 0xFDD0, 0xFDEF },
+ { 0xFFFE, 0xFFFF },
+ { 0x1FFFE, 0x1FFFF },
+ { 0x2FFFE, 0x2FFFF },
+ { 0x3FFFE, 0x3FFFF },
+ { 0x4FFFE, 0x4FFFF },
+ { 0x5FFFE, 0x5FFFF },
+ { 0x6FFFE, 0x6FFFF },
+ { 0x7FFFE, 0x7FFFF },
+ { 0x8FFFE, 0x8FFFF },
+ { 0x9FFFE, 0x9FFFF },
+ { 0xAFFFE, 0xAFFFF },
+ { 0xBFFFE, 0xBFFFF },
+ { 0xCFFFE, 0xCFFFF },
+ { 0xDFFFE, 0xDFFFF },
+ { 0xEFFFE, 0xEFFFF },
+ { 0xFFFFE, 0xFFFFF },
+ { 0x10FFFE, 0x10FFFF },
+ /* C.5 Surrogate codes */
+ { 0xD800, 0xDFFF },
+ /* C.6 Inappropriate for plain text */
+ { 0xFFF9, 0xFFF9 },
+ { 0xFFFA, 0xFFFA },
+ { 0xFFFB, 0xFFFB },
+ { 0xFFFC, 0xFFFC },
+ { 0xFFFD, 0xFFFD },
+ /* C.7 Inappropriate for canonical representation */
+ { 0x2FF0, 0x2FFB },
+ /* C.8 Change display properties or are deprecated */
+ { 0x0340, 0x0340 },
+ { 0x0341, 0x0341 },
+ { 0x200E, 0x200E },
+ { 0x200F, 0x200F },
+ { 0x202A, 0x202A },
+ { 0x202B, 0x202B },
+ { 0x202C, 0x202C },
+ { 0x202D, 0x202D },
+ { 0x202E, 0x202E },
+ { 0x206A, 0x206A },
+ { 0x206B, 0x206B },
+ { 0x206C, 0x206C },
+ { 0x206D, 0x206D },
+ { 0x206E, 0x206E },
+ { 0x206F, 0x206F },
+ /* C.9 Tagging characters */
+ { 0xE0001, 0xE0001 },
+ { 0xE0020, 0xE007F },
+};
+
diff -up openssh-6.8p1/utf8_stringprep.c.utf8-banner openssh-6.8p1/utf8_stringprep.c
--- openssh-6.8p1/utf8_stringprep.c.utf8-banner 2015-03-18 12:41:28.175713185 +0100
+++ openssh-6.8p1/utf8_stringprep.c 2015-03-18 12:41:28.175713185 +0100
@@ -0,0 +1,265 @@
+/*
+ * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is a simple RFC3454 stringprep profile to sanitise UTF-8 strings
+ * from untrusted sources.
+ *
+ * It is intended to be used prior to display of untrusted strings only.
+ * It should not be used for logging because of bi-di ambiguity. It
+ * should also not be used in any case where lack of normalisation may
+ * cause problems.
+ *
+ * This profile uses the prohibition and mapping tables from RFC3454
+ * (listed below) but the unassigned character table has been updated to
+ * Unicode 6.2. It uses a local whitelist of whitespace characters (\n,
+ * \a and \t). Unicode normalisation and bi-di testing are not used.
+ *
+ * XXX: implement bi-di handling (needed for logs)
+ * XXX: implement KC normalisation (needed for passing to libs/syscalls)
+ */
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+#include <ctype.h>
+#include <langinfo.h>
+#include <locale.h>
+
+#include "includes.h"
+#include "misc.h"
+#include "log.h"
+
+struct u32_range {
+ u_int32_t lo, hi; /* Inclusive */
+};
+
+#include "stringprep-tables.c"
+
+/* Returns 1 if code 'c' appears in the table or 0 otherwise */
+static int
+code_in_table(u_int32_t c, const struct u32_range *table, size_t tlen)
+{
+ const struct u32_range *e, *end = (void *)(tlen + (char *)table);
+
+ for (e = table; e < end; e++) {
+ if (c >= e->lo && c <= e->hi)
+ return 1;
+ }
+ return 0;
+}
+
+/*
+ * Decode the next valid UCS character from a UTF-8 string, skipping past bad
+ * codes. Returns the decoded character or 0 for end-of-string and updates
+ * nextc to point to the start of the next character (if any).
+ * had_error is set if an invalid code was encountered.
+ */
+static u_int32_t
+decode_utf8(const char *in, const char **nextc, int *had_error)
+{
+ int state = 0;
+ size_t i;
+ u_int32_t c, e;
+
+ e = c = 0;
+ for (i = 0; in[i] != '\0'; i++) {
+ e = (u_char)in[i];
+ /* Invalid code point state */
+ if (state == -1) {
+ /*
+ * Continue eating continuation characters until
+ * a new start character comes along.
+ */
+ if ((e & 0xc0) == 0x80)
+ continue;
+ state = 0;
+ }
+
+ /* New code point state */
+ if (state == 0) {
+ if ((e & 0x80) == 0) { /* 7 bit code */
+ c = e & 0x7f;
+ goto have_code;
+ } else if ((e & 0xe0) == 0xc0) { /* 11 bit code point */
+ state = 1;
+ c = (e & 0x1f) << 6;
+ } else if ((e & 0xf0) == 0xe0) { /* 16 bit code point */
+ state = 2;
+ c = (e & 0xf) << 12;
+ } else if ((e & 0xf8) == 0xf0) { /* 21 bit code point */
+ state = 3;
+ c = (e & 0x7) << 18;
+ } else {
+ /* A five or six byte header, or 0xff */
+ goto bad_encoding;
+ }
+ /*
+ * Check that the header byte has some non-zero data
+ * after masking off the length marker. If not it is
+ * an invalid encoding.
+ */
+ if (c == 0) {
+ bad_encoding:
+ c = 0;
+ state = -1;
+ if (had_error != NULL)
+ *had_error = 1;
+ }
+ continue;
+ }
+
+ /* Sanity check: should never happen */
+ if (state < 1 || state > 5) {
+ *nextc = NULL;
+ if (had_error != NULL)
+ *had_error = 1;
+ return 0;
+ }
+ /* Multibyte code point state */
+ state--;
+ c |= (e & 0x3f) << (state * 6);
+ if (state > 0)
+ continue;
+
+ /* RFC3629 bans codepoints > U+10FFFF */
+ if (c > 0x10FFFF) {
+ if (had_error != NULL)
+ *had_error = 1;
+ continue;
+ }
+ have_code:
+ *nextc = in + i + 1;
+ return c;
+ }
+ if (state != 0 && had_error != NULL)
+ *had_error = 1;
+ *nextc = in + i;
+ return 0;
+}
+
+/*
+ * Attempt to encode a UCS character as a UTF-8 sequence. Returns the number
+ * of characters used or -1 on error (insufficient space or bad code).
+ */
+static int
+encode_utf8(u_int32_t c, char *s, size_t slen)
+{
+ size_t i, need;
+ u_char h;
+
+ if (c < 0x80) {
+ if (slen >= 1) {
+ s[0] = (char)c;
+ }
+ return 1;
+ } else if (c < 0x800) {
+ need = 2;
+ h = 0xc0;
+ } else if (c < 0x10000) {
+ need = 3;
+ h = 0xe0;
+ } else if (c < 0x200000) {
+ need = 4;
+ h = 0xf0;
+ } else {
+ /* Invalid code point > U+10FFFF */
+ return -1;
+ }
+ if (need > slen)
+ return -1;
+ for (i = 0; i < need; i++) {
+ s[i] = (i == 0 ? h : 0x80);
+ s[i] |= (c >> (need - i - 1) * 6) & 0x3f;
+ }
+ return need;
+}
+
+
+/*
+ * Normalise a UTF-8 string using the RFC3454 stringprep algorithm.
+ * Returns 0 on success or -1 on failure (prohibited code or insufficient
+ * length in the output string.
+ * Requires an output buffer at most the same length as the input.
+ */
+int
+utf8_stringprep(const char *in, char *out, size_t olen)
+{
+ int r;
+ size_t o;
+ u_int32_t c;
+
+ if (olen < 1)
+ return -1;
+
+ for (o = 0; (c = decode_utf8(in, &in, NULL)) != 0;) {
+ /* Mapping */
+ if (code_in_table(c, map_to_nothing, sizeof(map_to_nothing)))
+ continue;
+
+ /* Prohibitied output */
+ if (code_in_table(c, prohibited, sizeof(prohibited)) &&
+ !code_in_table(c, whitelist, sizeof(whitelist)))
+ return -1;
+
+ /* Map unassigned code points to U+FFFD */
+ if (code_in_table(c, unassigned, sizeof(unassigned)))
+ c = 0xFFFD;
+
+ /* Encode the character */
+ r = encode_utf8(c, out + o, olen - o - 1);
+ if (r < 0)
+ return -1;
+ o += r;
+ }
+ out[o] = '\0';
+ return 0;
+}
+
+/* Check whether we can display UTF-8 safely */
+int
+utf8_ok(void)
+{
+ static int ret = -1;
+ char *cp;
+
+ if (ret == -1) {
+ setlocale(LC_CTYPE, "");
+ cp = nl_langinfo(CODESET);
+ ret = strcmp(cp, "UTF-8") == 0;
+ }
+ return ret;
+}
+
+void
+sanitize_utf8(char *target, const char *source, size_t length)
+{
+ u_int done = 0;
+ if (utf8_ok()) {
+ if (utf8_stringprep(source, target, length * 4 + 1) == 0)
+ done = 1;
+ else
+ debug2("%s: UTF8 stringprep failed", __func__);
+ }
+ /*
+ * Fallback to strnvis if UTF8 display not supported or
+ * conversion failed.
+ */
+ if (!done)
+ strnvis(target, source, length * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
+}

View File

@ -1,15 +1,15 @@
diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-serv-krb5.c diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200 --- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:27:44.047407912 +0200 +++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 15:18:40.628216102 +0100
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
FILE *fp; FILE *fp;
char file[MAXPATHLEN]; char file[MAXPATHLEN];
char line[BUFSIZ] = ""; char *line = NULL;
- char kuser[65]; /* match krb5_kuserok() */ - char kuser[65]; /* match krb5_kuserok() */
struct stat st; struct stat st;
struct passwd *pw = the_authctxt->pw; struct passwd *pw = the_authctxt->pw;
int found_principal = 0; int found_principal = 0;
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
/* If both .k5login and .k5users DNE, self-login is ok. */ /* If both .k5login and .k5users DNE, self-login is ok. */
@ -18,51 +18,53 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-ser
return ssh_krb5_kuserok(krb_context, principal, luser, return ssh_krb5_kuserok(krb_context, principal, luser,
k5login_exists); k5login_exists);
} }
diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
--- openssh-7.0p1/servconf.c.GSSAPIEnablek5users 2015-08-12 11:27:44.036407930 +0200 --- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
+++ openssh-7.0p1/servconf.c 2015-08-12 11:28:49.087306430 +0200 +++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100
@@ -173,6 +173,7 @@ initialize_server_options(ServerOptions @@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
options->version_addendum = NULL; options->gss_store_rekey = -1;
options->fingerprint_hash = -1; options->gss_kex_algorithms = NULL;
options->use_kuserok = -1; options->use_kuserok = -1;
+ options->enable_k5users = -1; + options->enable_k5users = -1;
} options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ options->challenge_response_authentication = -1;
@@ -351,6 +352,8 @@ fill_default_server_options(ServerOption @@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0; #endif
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->enable_k5users == -1)
+ options->enable_k5users = 0;
if (options->use_kuserok == -1) if (options->use_kuserok == -1)
options->use_kuserok = 1; options->use_kuserok = 1;
+ if (options->enable_k5users == -1)
@@ -423,7 +426,7 @@ typedef enum { + options->enable_k5users = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -418,7 +421,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms, sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sAcceptEnv, sSetEnv, sPermitTunnel,
sUsePrivilegeSeparation, sAllowAgentForwarding, sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
@@ -502,12 +505,14 @@ static struct { @@ -497,14 +500,16 @@ static struct {
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
+ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL }, + { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
#else #else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapienablek5users", sUnsupported, SSHCFG_ALL }, + { "gssapienablek5users", sUnsupported, SSHCFG_ALL },
#endif #endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1680,6 +1685,10 @@ process_server_config_line(ServerOptions @@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
intptr = &options->use_kuserok; intptr = &options->use_kuserok;
goto parse_flag; goto parse_flag;
@ -70,59 +72,57 @@ diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
+ intptr = &options->enable_k5users; + intptr = &options->enable_k5users;
+ goto parse_flag; + goto parse_flag;
+ +
case sPermitListen:
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); if (opcode == sPermitListen) {
if (!arg || *arg == '\0') @@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
@@ -2035,6 +2044,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(use_kuserok); M_CP_INTOPT(use_kuserok);
+ M_CP_INTOPT(enable_k5users); + M_CP_INTOPT(enable_k5users);
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
M_CP_INTOPT(log_level);
@@ -2317,6 +2327,7 @@ dump_config(ServerOptions *o) @@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); # endif
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users); + dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
#endif
/* string arguments */ #ifdef GSSAPI
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
--- openssh-7.0p1/servconf.h.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200 --- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.0p1/servconf.h 2015-08-12 11:27:44.048407911 +0200 +++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
@@ -180,7 +180,8 @@ typedef struct { @@ -174,6 +174,7 @@ typedef struct {
int kerberos_unique_ccache; /* If true, the acquired ticket will
int num_permitted_opens; * be stored in per-session ccache */
int use_kuserok;
- int use_kuserok;
+ int use_kuserok;
+ int enable_k5users; + int enable_k5users;
char *chroot_directory; int gss_authentication; /* If true, permit GSSAPI authentication */
char *revoked_keys_file; int gss_keyex; /* If true, permit GSSAPI key exchange */
char *trusted_user_ca_keys; int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200 --- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100
@@ -633,6 +633,12 @@ on logout. @@ -628,6 +628,12 @@ Specifies whether to automatically destr
on logout. on logout.
The default is The default is
.Dq yes . .Cm yes .
+.It Cm GSSAPIEnablek5users +.It Cm GSSAPIEnablek5users
+Specifies whether to look at .k5users file for GSSAPI authentication +Specifies whether to look at .k5users file for GSSAPI authentication
+access control. Further details are described in +access control. Further details are described in
+.Xr ksu 1 . +.Xr ksu 1 .
+The default is +The default is
+.Dq no . +.Cm no .
.It Cm GSSAPIStrictAcceptorCheck .It Cm GSSAPIKeyExchange
Determines whether to be strict about the identity of the GSSAPI acceptor Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
a client authenticates against. doesn't rely on ssh keys to verify host identity.
diff -up openssh-7.0p1/sshd_config.GSSAPIEnablek5users openssh-7.0p1/sshd_config diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
--- openssh-7.0p1/sshd_config.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200 --- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
+++ openssh-7.0p1/sshd_config 2015-08-12 11:27:44.048407911 +0200 +++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes @@ -80,6 +80,7 @@ GSSAPIAuthentication yes
GSSAPICleanupCredentials no #GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes #GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no #GSSAPIKeyExchange no
+#GSSAPIEnablek5users no +#GSSAPIEnablek5users no

View File

@ -1,20 +1,19 @@
diff --git a/canohost.c b/canohost.c diff -up openssh/sshd.c.ip-opts openssh/sshd.c
index a61a8c9..97ce58c 100644 --- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
--- a/canohost.c +++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
+++ b/canohost.c @@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
@@ -165,12 +165,29 @@ check_ip_options(int sock, char *ipaddr)
option_size = sizeof(options); if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
if (getsockopt(sock, ipproto, IP_OPTIONS, options,
&option_size) >= 0 && option_size != 0) { &option_size) >= 0 && option_size != 0) {
- text[0] = '\0'; - text[0] = '\0';
- for (i = 0; i < option_size; i++) - for (i = 0; i < option_size; i++)
- snprintf(text + i*3, sizeof(text) - i*3, - snprintf(text + i*3, sizeof(text) - i*3,
- " %2.2x", options[i]); - " %2.2x", opts[i]);
- fatal("Connection from %.100s with IP options:%.800s", - fatal("Connection from %.100s port %d with IP opts: %.800s",
- ipaddr, text); - ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
+ i = 0; + i = 0;
+ do { + do {
+ switch (options[i]) { + switch (opts[i]) {
+ case 0: + case 0:
+ case 1: + case 1:
+ ++i; + ++i;
@ -22,7 +21,7 @@ index a61a8c9..97ce58c 100644
+ case 130: + case 130:
+ case 133: + case 133:
+ case 134: + case 134:
+ i += options[i + 1]; + i += opts[i + 1];
+ break; + break;
+ default: + default:
+ /* Fail, fatally, if we detect either loose or strict + /* Fail, fatally, if we detect either loose or strict
@ -30,11 +29,11 @@ index a61a8c9..97ce58c 100644
+ text[0] = '\0'; + text[0] = '\0';
+ for (i = 0; i < option_size; i++) + for (i = 0; i < option_size; i++)
+ snprintf(text + i*3, sizeof(text) - i*3, + snprintf(text + i*3, sizeof(text) - i*3,
+ " %2.2x", options[i]); + " %2.2x", opts[i]);
+ fatal("Connection from %.100s with IP options:%.800s", + fatal("Connection from %.100s port %d with IP options:%.800s",
+ ipaddr, text); + ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
+ } + }
+ } while (i < option_size); + } while (i < option_size);
} }
return;
#endif /* IP_OPTIONS */ #endif /* IP_OPTIONS */
}

View File

@ -2,35 +2,35 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100 --- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100 +++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign @@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper SFTP_SERVER=$(libexecdir)/sftp-server
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_KEYCAT=$(libexecdir)/ssh-keycat SSH_KEYCAT=$(libexecdir)/ssh-keycat
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest +CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@ @@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) .SUFFIXES: .lo
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
LIBOPENSSH_OBJS=\ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
ssh_api.o \ +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l @@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o +ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) + $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -326,6 +330,7 @@ install-files: @@ -326,6 +330,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
fi $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
@ -39,7 +39,7 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100 --- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100 +++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
@@ -0,0 +1,208 @@ @@ -0,0 +1,215 @@
+/* +/*
+ * + *
+ * invocation (all of the following are equal): + * invocation (all of the following are equal):
@ -60,6 +60,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+ +
+#include "xmalloc.h" +#include "xmalloc.h"
+#include "log.h" +#include "log.h"
+#include "ssherr.h"
+#include "cipher.h" +#include "cipher.h"
+ +
+/* compatibility with old or broken OpenSSL versions */ +/* compatibility with old or broken OpenSSL versions */
@ -142,13 +143,13 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+{ +{
+ +
+ const struct sshcipher *c; + const struct sshcipher *c;
+ struct sshcipher_ctx cc; + struct sshcipher_ctx *cc;
+ char *algo = "aes128-ctr"; + char *algo = "aes128-ctr";
+ char *hexkey = NULL; + char *hexkey = NULL;
+ char *hexiv = "00000000000000000000000000000000"; + char *hexiv = "00000000000000000000000000000000";
+ char *hexdata = NULL; + char *hexdata = NULL;
+ char *p; + char *p;
+ int i; + int i, r;
+ int encrypt = 1; + int encrypt = 1;
+ void *key; + void *key;
+ size_t keylen; + size_t keylen;
@ -186,7 +187,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+ usage(); + usage();
+ } + }
+ +
+ SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms();
+ +
+ c = cipher_by_name(algo); + c = cipher_by_name(algo);
+ if (c == NULL) { + if (c == NULL) {
@ -221,10 +222,13 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+ return 2; + return 2;
+ } + }
+ +
+ cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt); + if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
+ fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
+ return 2;
+ }
+ +
+ free(key); + free(key);
+ free(iv); + free(iv);
+ +
+ outdata = malloc(datalen); + outdata = malloc(datalen);
+ if(outdata == NULL) { + if(outdata == NULL) {
@ -232,11 +236,14 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+ return 2; + return 2;
+ } + }
+ +
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0); + if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
+ fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
+ return 2;
+ }
+ +
+ free(data); + free(data);
+ +
+ cipher_cleanup(&cc); + cipher_free(cc);
+ +
+ for (p = outdata; datalen > 0; ++p, --datalen) { + for (p = outdata; datalen > 0; ++p, --datalen) {
+ printf("%02X", (unsigned char)*p); + printf("%02X", (unsigned char)*p);

View File

@ -1,282 +0,0 @@
diff --git a/entropy.c b/entropy.c
index 1e9d52a..d24e724 100644
--- a/entropy.c
+++ b/entropy.c
@@ -227,6 +227,9 @@ seed_rng(void)
memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */
+#ifdef __linux__
+ linux_seed();
+#endif /* __linux__ */
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 843225d..041bbab 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
new file mode 100644
index 0000000..da84bf2
--- /dev/null
+++ b/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,59 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - prng support
+ */
+
+#include "includes.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <openssl/rand.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
+#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+void
+linux_seed(void)
+{
+ char *env = getenv("SSH_USE_STRONG_RNG");
+ char *random = "/dev/random";
+ size_t len, ienv, randlen = 14;
+
+ if (!env || !strcmp(env, "0"))
+ random = "/dev/urandom";
+ else if ((ienv = atoi(env)) > randlen)
+ randlen = ienv;
+
+ errno = 0;
+ if ((len = RAND_load_file(random, randlen)) != randlen) {
+ if (errno)
+ fatal ("cannot read from %s, %s", random, strerror(errno));
+ else
+ fatal ("EOF reading %s", random);
+ }
+}
diff --git a/ssh-add.0 b/ssh-add.0
index f16165a..17d22cf 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -82,6 +82,16 @@ ENVIRONMENT
Identifies the path of a UNIX-domain socket used to communicate
with the agent.
+ SSH_USE_STRONG_RNG
+ The reseeding of the OpenSSL random generator is usually done
+ from /dev/urandom. If the SSH_USE_STRONG_RNG environment vari-
+ able is set to value other than 0 the OpenSSL random generator is
+ reseeded from /dev/random. The number of bytes read is defined
+ by the SSH_USE_STRONG_RNG value. Minimum is 14 bytes. This set-
+ ting is not recommended on the computers without the hardware
+ random generator because insufficient entropy causes the connec-
+ tion to be blocked until enough entropy is available.
+
FILES
~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
diff --git a/ssh-add.1 b/ssh-add.1
index 04d1840..db883a4 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -170,6 +170,20 @@ to make this work.)
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
.El
.Sh FILES
.Bl -tag -width Ds
diff --git a/ssh-agent.1 b/ssh-agent.1
index d7e791b..7332f0d 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -189,6 +189,24 @@ sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 276dacc..a09d9b1 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -841,6 +841,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 69d0829..02d79f8 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used.
If these files exist they are assumed to contain public certificate
information corresponding with the private keys above.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
diff --git a/ssh.1 b/ssh.1
index 4a476c2..410a04a 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1299,6 +1299,23 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh FILES
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
diff --git a/sshd.8 b/sshd.8
index cb866b5..adcaaf9 100644
--- a/sshd.8
+++ b/sshd.8
@@ -945,6 +945,24 @@ concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
+Minimum is 14 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
.Sh IPV6
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
.Sh SEE ALSO

View File

@ -11,9 +11,9 @@ index 413b845..54dd383 100644
+#include <unistd.h> +#include <unistd.h>
#include "xmalloc.h" #include "xmalloc.h"
#include "key.h" #include "sshkey.h"
@@ -45,6 +47,7 @@ @@ -45,6 +47,7 @@
#include "buffer.h"
#include "ssh-gss.h" #include "ssh-gss.h"
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
@ -66,7 +66,7 @@ index 413b845..54dd383 100644
} else } else
retval = 0; retval = 0;
@@ -110,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) @@ -110,6 +133,137 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
return retval; return retval;
} }
@ -97,13 +97,14 @@ index 413b845..54dd383 100644
+{ +{
+ FILE *fp; + FILE *fp;
+ char file[MAXPATHLEN]; + char file[MAXPATHLEN];
+ char line[BUFSIZ] = ""; + char *line = NULL;
+ char kuser[65]; /* match krb5_kuserok() */ + char kuser[65]; /* match krb5_kuserok() */
+ struct stat st; + struct stat st;
+ struct passwd *pw = the_authctxt->pw; + struct passwd *pw = the_authctxt->pw;
+ int found_principal = 0; + int found_principal = 0;
+ int ncommands = 0, allcommands = 0; + int ncommands = 0, allcommands = 0;
+ u_long linenum; + u_long linenum = 0;
+ size_t linesize = 0;
+ +
+ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); + snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
+ /* If both .k5login and .k5users DNE, self-login is ok. */ + /* If both .k5login and .k5users DNE, self-login is ok. */
@ -147,9 +148,9 @@ index 413b845..54dd383 100644
+ k5users_allowed_cmds = xcalloc(++ncommands, + k5users_allowed_cmds = xcalloc(++ncommands,
+ sizeof(*k5users_allowed_cmds)); + sizeof(*k5users_allowed_cmds));
+ +
+ /* Check each line. ksu allows unlimited length lines. We don't. */ + /* Check each line. ksu allows unlimited length lines. */
+ while (!allcommands && read_keyfile_line(fp, file, line, sizeof(line), + while (!allcommands && getline(&line, &linesize, fp) != -1) {
+ &linenum) != -1) { + linenum++;
+ char *token; + char *token;
+ +
+ /* we parse just like ksu, even though we could do better */ + /* we parse just like ksu, even though we could do better */
@ -182,6 +183,7 @@ index 413b845..54dd383 100644
+ } + }
+ } + }
+ } + }
+ free(line);
+ if (k5users_allowed_cmds) { + if (k5users_allowed_cmds) {
+ /* terminate vector */ + /* terminate vector */
+ k5users_allowed_cmds[ncommands-1] = NULL; + k5users_allowed_cmds[ncommands-1] = NULL;
@ -207,7 +209,7 @@ index 28659ec..9c94d8e 100644
--- a/session.c --- a/session.c
+++ b/session.c +++ b/session.c
@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command) @@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
command = forced_command; command = auth_opts->force_command;
forced = "(key-option)"; forced = "(key-option)";
} }
+#ifdef GSSAPI +#ifdef GSSAPI
@ -233,9 +235,9 @@ index 28659ec..9c94d8e 100644
+#endif +#endif
+#endif +#endif
+ +
s->forced = 0;
if (forced != NULL) { if (forced != NULL) {
if (IS_INTERNAL_SFTP(command)) { s->forced = 1;
s->is_subsystem = s->is_subsystem ?
diff --git a/ssh-gss.h b/ssh-gss.h diff --git a/ssh-gss.h b/ssh-gss.h
index 0374c88..509109a 100644 index 0374c88..509109a 100644
--- a/ssh-gss.h --- a/ssh-gss.h

View File

@ -1,7 +1,7 @@
diff -up openssh/auth2-pubkey.c.keycat openssh/auth2-pubkey.c diff -up openssh/auth.c.keycat openssh/misc.c
--- openssh/auth2-pubkey.c.keycat 2015-06-24 10:57:50.158849606 +0200 --- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/auth2-pubkey.c 2015-06-24 11:04:23.989868638 +0200 +++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200
@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw @@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
_exit(1); _exit(1);
} }
@ -36,36 +36,44 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200 --- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200 +++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+SSH_KEYCAT=$(libexecdir)/ssh-keycat +SSH_KEYCAT=$(libexecdir)/ssh-keycat
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHDLIBS=@SSHDLIBS@
+KEYCATLIBS=@KEYCATLIBS@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
AR=@AR@
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ @@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) .SUFFIXES: .lo
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
LIBOPENSSH_OBJS=\ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
ssh_api.o \ +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) @@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) + $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -321,6 +325,7 @@ install-files: @@ -321,6 +325,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
fi $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@ -195,7 +203,7 @@ diff -up openssh/platform.c.keycat openssh/platform.c
diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
--- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200 --- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200
+++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200 +++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200
@@ -0,0 +1,238 @@ @@ -0,0 +1,241 @@
+/* +/*
+ * Redistribution and use in source and binary forms, with or without + * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions + * modification, are permitted provided that the following conditions
@ -245,6 +253,9 @@ diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
+#include <pwd.h> +#include <pwd.h>
+#include <fcntl.h> +#include <fcntl.h>
+#include <unistd.h> +#include <unistd.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+ +
+#include <security/pam_appl.h> +#include <security/pam_appl.h>
+ +
@ -434,3 +445,41 @@ diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
+ } + }
+ return ev; + return ev;
+} +}
diff --git a/configure.ac b/configure.ac
index 3bbccfd..6481f1f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2952,6 +2952,7 @@ AC_ARG_WITH([pam],
PAM_MSG="yes"
SSHDLIBS="$SSHDLIBS -lpam"
+ KEYCATLIBS="$KEYCATLIBS -lpam"
AC_DEFINE([USE_PAM], [1],
[Define if you want to enable PAM support])
@@ -3105,6 +3106,7 @@
;;
*)
SSHDLIBS="$SSHDLIBS -ldl"
+ KEYCATLIBS="$KEYCATLIBS -ldl"
;;
esac
fi
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
fi ]
)
AC_SUBST([SSHDLIBS])
+AC_SUBST([KEYCATLIBS])
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
@@ -5031,6 +5034,9 @@ fi
if test ! -z "${SSHDLIBS}"; then
echo " +for sshd: ${SSHDLIBS}"
fi
+if test ! -z "${KEYCATLIBS}"; then
+echo " +for ssh-keycat: ${KEYCATLIBS}"
+fi
echo ""

View File

@ -1,8 +1,7 @@
diff --git a/authfile.c b/authfile.c diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
index e93d867..4fc5b3d 100644 --- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100
--- a/authfile.c +++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100
+++ b/authfile.c @@ -31,6 +31,7 @@
@@ -32,6 +32,7 @@
#include <errno.h> #include <errno.h>
#include <fcntl.h> #include <fcntl.h>
@ -10,17 +9,23 @@ index e93d867..4fc5b3d 100644
#include <stdio.h> #include <stdio.h>
#include <stdarg.h> #include <stdarg.h>
#include <stdlib.h> #include <stdlib.h>
@@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename) @@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen
#ifdef HAVE_CYGWIN #ifdef HAVE_CYGWIN
if (check_ntsec(filename)) if (check_ntsec(filename))
#endif #endif
+ if (st.st_mode & 040) {
+ struct group *gr;
+
+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
+ st.st_mode &= ~040;
+ }
+ +
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) { if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
+ if (st.st_mode & 040) {
+ struct group *gr;
+
+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) {
+ /* The only additional bit is read
+ * for ssh_keys group, which is fine */
+ if ((st.st_mode & 077) == 040 ) {
+ return 0;
+ }
+ }
+ }
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");

View File

@ -1,7 +1,7 @@
diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
--- openssh-7.0p1/auth-krb5.c.kuserok 2015-08-11 10:57:29.000000000 +0200 --- openssh-7.4p1/auth-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
+++ openssh-7.0p1/auth-krb5.c 2015-08-12 11:26:21.874536127 +0200 +++ openssh-7.4p1/auth-krb5.c 2016-12-23 14:36:07.644465936 +0100
@@ -55,6 +55,21 @@ @@ -56,6 +56,21 @@
extern ServerOptions options; extern ServerOptions options;
@ -23,7 +23,7 @@ diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
static int static int
krb5_init(void *context) krb5_init(void *context)
{ {
@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, c @@ -160,8 +175,9 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem) if (problem)
goto out; goto out;
@ -35,9 +35,9 @@ diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
problem = -1; problem = -1;
goto out; goto out;
} }
diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
--- openssh-7.0p1/gss-serv-krb5.c.kuserok 2015-08-12 11:26:21.868536137 +0200 --- openssh-7.4p1/gss-serv-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:26:21.875536126 +0200 +++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 14:36:07.644465936 +0100
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr @@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int); int);
@ -160,7 +160,7 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
retval = 1; retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
name, (char *)client->displayname.value); name, (char *)client->displayname.value);
@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -190,9 +289,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
/* If both .k5login and .k5users DNE, self-login is ok. */ /* If both .k5login and .k5users DNE, self-login is ok. */
if (!k5login_exists && (access(file, F_OK) == -1)) { if (!k5login_exists && (access(file, F_OK) == -1)) {
@ -172,117 +172,118 @@ diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
} }
if ((fp = fopen(file, "r")) == NULL) { if ((fp = fopen(file, "r")) == NULL) {
int saved_errno = errno; int saved_errno = errno;
diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
--- openssh-7.0p1/servconf.c.kuserok 2015-08-12 11:26:21.865536141 +0200 --- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.0p1/servconf.c 2015-08-12 11:27:14.126454598 +0200 +++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100
@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions @@ -116,6 +116,7 @@ initialize_server_options(ServerOptions
options->ip_qos_bulk = -1; options->gss_strict_acceptor = -1;
options->version_addendum = NULL; options->gss_store_rekey = -1;
options->fingerprint_hash = -1; options->gss_kex_algorithms = NULL;
+ options->use_kuserok = -1; + options->use_kuserok = -1;
} options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ options->challenge_response_authentication = -1;
@@ -350,6 +351,8 @@ fill_default_server_options(ServerOption @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
options->fwd_opts.streamlocal_bind_unlink = 0; if (options->gss_kex_algorithms == NULL)
if (options->fingerprint_hash == -1) options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
options->fingerprint_hash = SSH_FP_HASH_DEFAULT; #endif
+ if (options->use_kuserok == -1) + if (options->use_kuserok == -1)
+ options->use_kuserok = 1; + options->use_kuserok = 1;
if (options->password_authentication == -1)
assemble_algorithms(options); options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -404,7 +407,7 @@ typedef enum { @@ -399,7 +402,7 @@ typedef enum {
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, - sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sKerberosGetAFSToken, sKerberosUseKuserok, + sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
sKerberosTgtPassing, sChallengeResponseAuthentication, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
@@ -483,11 +486,13 @@ static struct { @@ -478,12 +481,14 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
{ "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL }, + { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
#else #else
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL }, { "kerberosauthentication", sUnsupported, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL }, { "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL }, { "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL }, + { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1671,6 +1676,10 @@ process_server_config_line(ServerOptions @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
*activep = value; *inc_flags &= ~SSHCFG_MATCH_ONLY;
break; break;
+ case sKerberosUseKuserok: + case sKerberosUseKuserok:
+ intptr = &options->use_kuserok; + intptr = &options->use_kuserok;
+ goto parse_flag; + goto parse_flag;
+ +
case sPermitListen:
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); if (opcode == sPermitListen) {
if (!arg || *arg == '\0') @@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
@@ -2023,6 +2032,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(client_alive_interval);
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(use_kuserok); + M_CP_INTOPT(use_kuserok);
M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval); M_CP_INTOPT(rekey_interval);
M_CP_INTOPT(log_level);
@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o) @@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); # endif
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
#endif
/* string arguments */ #ifdef GSSAPI
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
--- openssh-7.0p1/servconf.h.kuserok 2015-08-12 11:26:21.865536141 +0200 --- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100
+++ openssh-7.0p1/servconf.h 2015-08-12 11:26:21.876536124 +0200 +++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
@@ -180,6 +180,7 @@ typedef struct { @@ -118,6 +118,7 @@ typedef struct {
* authenticated with Kerberos. */
int num_permitted_opens; int kerberos_unique_ccache; /* If true, the acquired ticket will
* be stored in per-session ccache */
+ int use_kuserok; + int use_kuserok;
char *chroot_directory; int gss_authentication; /* If true, permit GSSAPI authentication */
char *revoked_keys_file; int gss_keyex; /* If true, permit GSSAPI key exchange */
char *trusted_user_ca_keys; int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5 diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
--- openssh-7.0p1/sshd_config.5.kuserok 2015-08-12 11:26:21.867536138 +0200 --- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:26:21.877536123 +0200 +++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
@@ -872,6 +872,10 @@ Specifies whether to automatically destr @@ -850,6 +850,10 @@ Specifies whether to automatically destr
file on logout. .Cm no
The default is can lead to overwriting previous tickets by subseqent connections to the same
.Dq yes . user account.
+.It Cm KerberosUseKuserok +.It Cm KerberosUseKuserok
+Specifies whether to look at .k5login file for user's aliases. +Specifies whether to look at .k5login file for user's aliases.
+The default is +The default is
+.Dq yes . +.Cm yes .
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
@@ -1116,6 +1120,7 @@ Available keywords are @@ -1078,6 +1082,7 @@ Available keywords are
.Cm IPQoS , .Cm IPQoS ,
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
+.Cm KerberosUseKuserok , +.Cm KerberosUseKuserok ,
.Cm LogLevel ,
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
.Cm PasswordAuthentication , diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
diff -up openssh-7.0p1/sshd_config.kuserok openssh-7.0p1/sshd_config --- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100
--- openssh-7.0p1/sshd_config.kuserok 2015-08-12 11:26:21.867536138 +0200 +++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100
+++ openssh-7.0p1/sshd_config 2015-08-12 11:26:21.876536124 +0200 @@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes #KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes #KerberosTicketCleanup yes
#KerberosGetAFSToken no #KerberosGetAFSToken no
+#KerberosUseKuserok yes +#KerberosUseKuserok yes
# GSSAPI options # GSSAPI options
GSSAPIAuthentication yes #GSSAPIAuthentication no

View File

@ -1,8 +1,18 @@
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux.h
index c18524e..d04f4ed 100644 --- openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux 2016-12-23 18:58:52.972122201 +0100
--- a/openbsd-compat/port-linux-sshd.c +++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:58:52.974122201 +0100
+++ b/openbsd-compat/port-linux-sshd.c @@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
@@ -409,6 +409,28 @@ sshd_selinux_setup_exec_context(char *pwname) void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
#endif
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux-sshd.c
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: done", __func__); debug3("%s: done", __func__);
} }
@ -15,15 +25,15 @@ index c18524e..d04f4ed 100644
+ return; + return;
+ +
+ if (getexeccon((security_context_t *)&ctx) != 0) { + if (getexeccon((security_context_t *)&ctx) != 0) {
+ logit("%s: getcon failed with %s", __func__, strerror (errno)); + logit("%s: getexeccon failed with %s", __func__, strerror(errno));
+ return; + return;
+ } + }
+ if (ctx != NULL) { + if (ctx != NULL) {
+ /* unset exec context before we will lose this capabililty */ + /* unset exec context before we will lose this capabililty */
+ if (setexeccon(NULL) != 0) + if (setexeccon(NULL) != 0)
+ fatal("%s: setexeccon failed with %s", __func__, strerror (errno)); + fatal("%s: setexeccon failed with %s", __func__, strerror(errno));
+ if (setcon(ctx) != 0) + if (setcon(ctx) != 0)
+ fatal("%s: setcon failed with %s", __func__, strerror (errno)); + fatal("%s: setcon failed with %s", __func__, strerror(errno));
+ freecon(ctx); + freecon(ctx);
+ } + }
+} +}
@ -31,33 +41,29 @@ index c18524e..d04f4ed 100644
#endif #endif
#endif #endif
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
index 8ef6cc4..b18893c 100644 --- openssh-7.4p1/session.c.privsep-selinux 2016-12-19 05:59:41.000000000 +0100
--- a/openbsd-compat/port-linux.h +++ openssh-7.4p1/session.c 2016-12-23 18:58:52.974122201 +0100
+++ b/openbsd-compat/port-linux.h @@ -1331,7 +1331,7 @@ do_setusercontext(struct passwd *pw)
@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+void sshd_selinux_copy_context(void); platform_setusercontext(pw);
void sshd_selinux_setup_exec_context(char *);
#endif
diff --git a/session.c b/session.c - if (platform_privileged_uidswap()) {
index 2bcf818..b5dc144 100644 + if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
--- a/session.c #ifdef HAVE_LOGIN_CAP
+++ b/session.c if (setusercontext(lc, pw, pw->pw_uid,
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw) (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
pw->pw_uid); @@ -1361,6 +1361,9 @@ do_setusercontext(struct passwd *pw)
chroot_path = percent_expand(tmp, "h", pw->pw_dir, (unsigned long long)pw->pw_uid);
"u", pw->pw_name, (char *)NULL); chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, "U", uidstr, (char *)NULL);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ sshd_selinux_copy_context(); + sshd_selinux_copy_context();
+#endif +#endif
safely_chroot(chroot_path, pw->pw_uid); safely_chroot(chroot_path, pw->pw_uid);
free(tmp); free(tmp);
free(chroot_path); free(chroot_path);
@@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw) @@ -1396,6 +1399,11 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */ /* Permanently switch to the desired uid. */
permanently_set_uid(pw); permanently_set_uid(pw);
#endif #endif
@ -69,7 +75,7 @@ index 2bcf818..b5dc144 100644
} else if (options.chroot_directory != NULL && } else if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) { strcasecmp(options.chroot_directory, "none") != 0) {
fatal("server lacks privileges to chroot to ChrootDirectory"); fatal("server lacks privileges to chroot to ChrootDirectory");
@@ -1588,9 +1588,6 @@ do_pwchange(Session *s) @@ -1413,9 +1421,6 @@ do_pwchange(Session *s)
if (s->ttyfd != -1) { if (s->ttyfd != -1) {
fprintf(stderr, fprintf(stderr,
"You must change your password now and login again!\n"); "You must change your password now and login again!\n");
@ -79,7 +85,7 @@ index 2bcf818..b5dc144 100644
#ifdef PASSWD_NEEDS_USERNAME #ifdef PASSWD_NEEDS_USERNAME
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name, execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
(char *)NULL); (char *)NULL);
@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command) @@ -1625,9 +1630,6 @@ do_child(Session *s, const char *command
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -89,11 +95,10 @@ index 2bcf818..b5dc144 100644
exit(sftp_server_main(i, argv, s->pw)); exit(sftp_server_main(i, argv, s->pw));
} }
diff --git a/sshd.c b/sshd.c diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
index 07f9926..a97f8b7 100644 --- openssh-7.4p1/sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
--- a/sshd.c +++ openssh-7.4p1/sshd.c 2016-12-23 18:59:13.808124269 +0100
+++ b/sshd.c @@ -540,6 +540,10 @@ privsep_preauth_child(void)
@@ -632,6 +632,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
demote_sensitive_data(); demote_sensitive_data();
@ -102,28 +107,15 @@ index 07f9926..a97f8b7 100644
+#endif +#endif
+ +
/* Demote the child */ /* Demote the child */
if (getuid() == 0 || geteuid() == 0) { if (privsep_chroot) {
/* Change our root directory */ /* Change our root directory */
@@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt) @@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt)
{
#ifdef DISABLE_FD_PASSING #ifdef DISABLE_FD_PASSING
if (1) { if (1) {
+#elif defined(WITH_SELINUX) +#elif defined(WITH_SELINUX)
+ if (options.use_login) { + if (0) {
+ /* even root user can be confined by SELinux */ + /* even root user can be confined by SELinux */
#else #else
if (authctxt->pw->pw_uid == 0 || options.use_login) { if (authctxt->pw->pw_uid == 0) {
#endif #endif
diff --git a/session.c b/session.c
index 684f867..09048bc 100644
--- a/session.c
+++ b/session.c
@@ -1538,7 +1538,7 @@ do_setusercontext(struct passwd *pw)
platform_setusercontext(pw);
- if (platform_privileged_uidswap()) {
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
#ifdef HAVE_LOGIN_CAP
if (setusercontext(lc, pw, pw->pw_uid,
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {

View File

@ -1,138 +0,0 @@
diff --git a/ssh_config b/ssh_config
index 49a4f6c..3f83c40 100644
--- a/ssh_config
+++ b/ssh_config
@@ -50,3 +50,15 @@
# Uncomment this if you want to use .local domain
# Host *.local
# CheckHostIP no
+
+Host *
+ GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
diff --git a/sshd_config b/sshd_config
index c735429..e68ddee 100644
--- a/sshd_config
+++ b/sshd_config
@@ -10,6 +10,10 @@
# possible, but leave them commented. Uncommented options override the
# default value.
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
@@ -21,10 +25,10 @@
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
@@ -36,6 +40,7 @@
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
@@ -71,9 +76,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
+PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
@@ -82,8 +89,8 @@ AuthorizedKeysFile .ssh/authorized_keys
#KerberosGetAFSToken no
# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
@@ -94,12 +101,12 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox # Default for new installations.
# no default banner path
#Banner none
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
diff --git a/sshd_config.0 b/sshd_config.0
index 413c260..87e7ee7 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -675,9 +675,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
- default is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff --git a/sshd_config.5 b/sshd_config.5
index ce71efe..12465c2 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive

View File

@ -1,84 +0,0 @@
diff -up openssh-6.8p1/canohost.c.set_remote_ipaddr openssh-6.8p1/canohost.c
--- openssh-6.8p1/canohost.c.set_remote_ipaddr 2015-03-18 12:40:03.702925550 +0100
+++ openssh-6.8p1/canohost.c 2015-03-18 12:40:03.749925432 +0100
@@ -349,6 +349,21 @@ clear_cached_addr(void)
cached_port = -1;
}
+void set_remote_ipaddr(void) {
+ if (canonical_host_ip != NULL)
+ free(canonical_host_ip);
+
+ if (active_state != NULL && packet_connection_is_on_socket()) {
+ canonical_host_ip =
+ get_peer_ipaddr(packet_get_connection_in());
+ if (canonical_host_ip == NULL)
+ cleanup_exit(255);
+ } else {
+ /* If not on socket, return UNKNOWN. */
+ canonical_host_ip = xstrdup("UNKNOWN");
+ }
+}
+
/*
* Returns the IP-address of the remote host as a string. The returned
* string must not be freed.
@@ -358,17 +373,9 @@ const char *
get_remote_ipaddr(void)
{
/* Check whether we have cached the ipaddr. */
- if (canonical_host_ip == NULL) {
- if (packet_connection_is_on_socket()) {
- canonical_host_ip =
- get_peer_ipaddr(packet_get_connection_in());
- if (canonical_host_ip == NULL)
- cleanup_exit(255);
- } else {
- /* If not on socket, return UNKNOWN. */
- canonical_host_ip = xstrdup("UNKNOWN");
- }
- }
+ if (canonical_host_ip == NULL)
+ set_remote_ipaddr();
+
return canonical_host_ip;
}
diff -up openssh-6.8p1/canohost.h.set_remote_ipaddr openssh-6.8p1/canohost.h
--- openssh-6.8p1/canohost.h.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/canohost.h 2015-03-18 12:40:03.749925432 +0100
@@ -13,6 +13,7 @@
*/
const char *get_canonical_hostname(int);
+void set_remote_ipaddr(void);
const char *get_remote_ipaddr(void);
const char *get_remote_name_or_ip(u_int, int);
diff -up openssh-6.8p1/sshconnect.c.set_remote_ipaddr openssh-6.8p1/sshconnect.c
--- openssh-6.8p1/sshconnect.c.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/sshconnect.c 2015-03-18 12:40:58.096788804 +0100
@@ -65,6 +65,7 @@
#include "authfile.h"
#include "ssherr.h"
#include "authfd.h"
+#include "canohost.h"
char *client_version_string = NULL;
char *server_version_string = NULL;
@@ -174,6 +175,7 @@ ssh_proxy_fdpass_connect(const char *hos
/* Set the connection file descriptors. */
packet_set_connection(sock, sock);
+ set_remote_ipaddr();
return 0;
}
@@ -496,6 +498,7 @@ ssh_connect_direct(const char *host, str
/* Set the connection. */
packet_set_connection(sock, sock);
+ set_remote_ipaddr();
return 0;
}

View File

@ -1,39 +1,7 @@
diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-6.8p1/auth-pam.c.coverity 2015-03-18 17:21:51.792265051 +0100 --- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-6.8p1/auth-pam.c 2015-03-18 17:21:51.895264835 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void * @@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
signal(SIGCHLD, sshpam_oldsig);
- waitpid(thread, &status, 0);
+ while (waitpid(thread, &status, 0) < 0) {
+ if (errno == EINTR)
+ continue;
+ fatal("%s: waitpid: %s", __func__,
+ strerror(errno));
+ }
return (status);
}
#endif
diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
--- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100
+++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100
@@ -243,11 +243,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd);
- if (rfd != -1)
+ if (rfd >= 0)
fcntl(rfd, F_SETFD, FD_CLOEXEC);
- if (wfd != -1 && wfd != rfd)
+ if (wfd >= 0 && wfd != rfd)
fcntl(wfd, F_SETFD, FD_CLOEXEC);
- if (efd != -1 && efd != rfd && efd != wfd)
+ if (efd >= 0 && efd != rfd && efd != wfd)
fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd;
@@ -265,11 +265,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */ /* enable nonblocking mode */
if (nonblock) { if (nonblock) {
@ -48,70 +16,22 @@ diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
set_nonblock(efd); set_nonblock(efd);
} }
} }
@@ -3972,13 +3972,13 @@ connect_local_xsocket_path(const char *p diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
int sock; --- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
struct sockaddr_un addr; +++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
+ if (len <= 0) mm_get_keystate(ssh, pmonitor);
+ return -1;
sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock < 0)
error("socket: %.100s", strerror(errno));
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
- if (len <= 0)
- return -1;
if (len > sizeof addr.sun_path)
len = sizeof addr.sun_path;
memcpy(addr.sun_path, pathname, len);
diff -up openssh-6.8p1/entropy.c.coverity openssh-6.8p1/entropy.c
--- openssh-6.8p1/entropy.c.coverity 2015-03-18 17:21:51.891264843 +0100
+++ openssh-6.8p1/entropy.c 2015-03-18 17:21:51.897264831 +0100
@@ -46,6 +46,7 @@
#include <openssl/err.h>
#include "openbsd-compat/openssl-compat.h"
+#include "openbsd-compat/port-linux.h"
#include "ssh.h"
#include "misc.h"
diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
--- openssh-6.8p1/monitor.c.coverity 2015-03-18 17:21:51.887264852 +0100
+++ openssh-6.8p1/monitor.c 2015-03-18 17:21:51.897264831 +0100
@@ -444,7 +444,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(pmonitor);
/* Drain any buffered messages from the child */ /* Drain any buffered messages from the child */
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) - while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0) + while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
; ;
close(pmonitor->m_sendfd); if (pmonitor->m_recvfd >= 0)
@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
break; --- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
} +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
} @@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
+
+ debug3("%s: key %p is %s",
+ __func__, key, allowed ? "allowed" : "not allowed");
+
if (key != NULL)
key_free(key);
@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m
free(chost);
}
- debug3("%s: key %p is %s",
- __func__, key, allowed ? "allowed" : "not allowed");
-
buffer_clear(m);
buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL);
diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
--- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100
@@ -533,10 +533,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) { (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__); error("%s: cannot allocate fds for pty", __func__);
@ -125,9 +45,9 @@ diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
return 0; return 0;
} }
close(tmp1); close(tmp1);
diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/openbsd-compat/bindresvport.c diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-6.8p1/openbsd-compat/bindresvport.c.coverity 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/openbsd-compat/bindresvport.c 2015-03-18 17:21:51.897264831 +0100 +++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr @@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6; struct sockaddr_in6 *in6;
u_int16_t *portp; u_int16_t *portp;
@ -137,20 +57,10 @@ diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/open
int i; int i;
if (sa == NULL) { if (sa == NULL) {
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbsd-compat/port-linux.h diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
--- openssh-6.8p1/openbsd-compat/port-linux.h.coverity 2015-03-18 17:21:51.861264906 +0100 --- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 17:21:51.897264831 +0100 +++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
@@ -37,4 +37,6 @@ void oom_adjust_restore(void); @@ -157,7 +157,7 @@ killchild(int signo)
void oom_adjust_setup(void);
#endif
+void linux_seed(void);
+
#endif /* ! _PORT_LINUX_H */
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100
@@ -156,7 +156,7 @@ killchild(int signo)
{ {
if (do_cmd_pid > 1) { if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM); kill(do_cmd_pid, signo ? signo : SIGTERM);
@ -159,10 +69,10 @@ diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
} }
if (signo) if (signo)
diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-6.8p1/servconf.c.coverity 2015-03-18 17:21:51.893264839 +0100 --- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 17:21:58.281251460 +0100 +++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@@ -1475,7 +1475,7 @@ process_server_config_line(ServerOptions @@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.", fatal("%s line %d: Missing subsystem name.",
filename, linenum); filename, linenum);
if (!*activep) { if (!*activep) {
@ -171,7 +81,7 @@ diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
break; break;
} }
for (i = 0; i < options->num_subsystems; i++) for (i = 0; i < options->num_subsystems; i++)
@@ -1566,8 +1566,9 @@ process_server_config_line(ServerOptions @@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) { if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid()); *charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */ /* increase optional counter */
@ -183,10 +93,10 @@ diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
} }
break; break;
diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
--- openssh-6.8p1/serverloop.c.coverity 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-6.8p1/serverloop.c 2015-03-18 17:28:45.616436080 +0100 +++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100
@@ -147,13 +147,13 @@ notify_setup(void) @@ -125,13 +125,13 @@ notify_setup(void)
static void static void
notify_parent(void) notify_parent(void)
{ {
@ -202,7 +112,7 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
FD_SET(notify_pipe[0], readset); FD_SET(notify_pipe[0], readset);
} }
static void static void
@@ -161,8 +161,8 @@ notify_done(fd_set *readset) @@ -139,8 +139,8 @@ notify_done(fd_set *readset)
{ {
char c; char c;
@ -210,197 +120,34 @@ diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
- while (read(notify_pipe[0], &c, 1) != -1) - while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) + if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
+ while (read(notify_pipe[0], &c, 1) >= 0) + while (read(notify_pipe[0], &c, 1) >= 0)
debug2("notify_done: reading"); debug2("%s: reading", __func__);
} }
@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **rea @@ -518,7 +518,7 @@ server_request_tun(void)
* If we have buffered data, try to write some of that data debug("%s: invalid tun", __func__);
* to the program. goto done;
*/
- if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
+ if (fdin >= 0 && buffer_len(&stdin_buffer) > 0)
FD_SET(fdin, *writesetp);
} }
notify_prepare(*readsetp); - if (auth_opts->force_tun_device != -1) {
@@ -477,7 +477,7 @@ process_output(fd_set *writeset) + if (auth_opts->force_tun_device >= 0) {
int len; if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun)
/* Write buffered data to program stdin. */
- if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
+ if (!compat20 && fdin >= 0 && FD_ISSET(fdin, writeset)) {
data = buffer_ptr(&stdin_buffer);
dlen = buffer_len(&stdin_buffer);
len = write(fdin, data, dlen);
@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int
set_nonblock(fdin);
set_nonblock(fdout);
/* we don't have stderr for interactive terminal sessions, see below */
- if (fderr != -1)
+ if (fderr >= 0)
set_nonblock(fderr);
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int
max_fd = MAX(connection_in, connection_out);
max_fd = MAX(max_fd, fdin);
max_fd = MAX(max_fd, fdout);
- if (fderr != -1)
+ if (fderr >= 0)
max_fd = MAX(max_fd, fderr);
#endif
@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int
* If we have received eof, and there is no more pending
* input data, cause a real eof by closing fdin.
*/
- if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
+ if (stdin_eof && fdin >= 0 && buffer_len(&stdin_buffer) == 0) {
if (fdin != fdout)
close(fdin);
else
@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int
buffer_free(&stderr_buffer);
/* Close the file descriptors. */
- if (fdout != -1)
+ if (fdout >= 0)
close(fdout);
fdout = -1;
fdout_eof = 1;
- if (fderr != -1)
+ if (fderr >= 0)
close(fderr);
fderr = -1;
fderr_eof = 1;
- if (fdin != -1)
+ if (fdin >= 0)
close(fdin);
fdin = -1;
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int
debug("Window change received.");
packet_check_eom();
- if (fdin != -1)
+ if (fdin >= 0)
pty_change_window_size(fdin, row, col, xpixel, ypixel);
return 0;
}
@@ -1043,7 +1043,7 @@ server_request_tun(void)
}
tun = packet_get_int();
- if (forced_tun_device != -1) {
+ if (forced_tun_device >= 0) {
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done; goto done;
tun = forced_tun_device; diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c --- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
--- openssh-6.8p1/sftp.c.coverity 2015-03-17 06:49:20.000000000 +0100 +++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
+++ openssh-6.8p1/sftp.c 2015-03-18 17:21:58.283251456 +0100 @@ -224,7 +224,7 @@ killchild(int signo)
@@ -223,7 +223,7 @@ killchild(int signo) pid = sshpid;
{ if (pid > 1) {
if (sshpid > 1) { kill(pid, SIGTERM);
kill(sshpid, SIGTERM); - waitpid(pid, NULL, 0);
- waitpid(sshpid, NULL, 0); + (void) waitpid(pid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
} }
_exit(1); _exit(1);
@@ -335,7 +335,7 @@ local_do_ls(const char *args) diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
/* Strip one path (usually the pwd) from the start of another */ +++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
static char * @@ -1220,8 +1220,8 @@ main(int ac, char **av)
-path_strip(char *path, char *strip)
+path_strip(const char *path, const char *strip)
{
size_t len;
@@ -353,7 +353,7 @@ path_strip(char *path, char *strip)
}
static char *
-make_absolute(char *p, char *pwd)
+make_absolute(char *p, const char *pwd)
{
char *abs_str;
@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a
}
static int
-is_dir(char *path)
+is_dir(const char *path)
{
struct stat sb;
@@ -563,7 +563,7 @@ is_dir(char *path)
}
static int
-remote_is_dir(struct sftp_conn *conn, char *path)
+remote_is_dir(struct sftp_conn *conn, const char *path)
{
Attrib *a;
@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
-pathname_is_dir(char *pathname)
+pathname_is_dir(const char *pathname)
{
size_t l = strlen(pathname);
@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag, int resume, int fflag)
{
char *abs_src = NULL;
@@ -669,7 +669,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag, int resume, int fflag)
{
char *tmp_dst = NULL;
@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
int lflag)
{
char *fname, *lname;
@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
--- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100
@@ -1166,8 +1166,8 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
/* drop */ /* drop */
@ -409,14 +156,14 @@ diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
+ (void) setegid(getgid()); + (void) setegid(getgid());
+ (void) setgid(getgid()); + (void) setgid(getgid());
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) platform_disable_tracing(0); /* strict=no */
/* Disable ptrace on Linux without sgid bit */
diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100
@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt)
privsep_preauth_child(); diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
privsep_preauth_child(ssh);
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
- if (box != NULL) - if (box != NULL)
+ if (box != NULL) { + if (box != NULL) {
@ -426,24 +173,13 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
return 0; return 0;
} }
@@ -1518,6 +1520,9 @@ server_accept_loop(int *sock_in, int *so @@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0) explicit_bzero(rnd, sizeof(rnd));
break; }
} }
+ +
+ if (fdset != NULL) + if (fdset != NULL)
+ free(fdset); + free(fdset);
} }
/*
diff -up openssh-6.8p1/sshkey.c.coverity openssh-6.8p1/sshkey.c
--- openssh-6.8p1/sshkey.c.coverity 2015-03-18 17:21:58.285251452 +0100
+++ openssh-6.8p1/sshkey.c 2015-03-18 17:45:32.232705363 +0100
@@ -58,6 +58,7 @@
#include "digest.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"
+#include "log.h"
#include "match.h"
/* openssh private key file format */

View File

@ -1,140 +0,0 @@
diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
--- openssh/configure.ac.tcp_wrappers 2015-06-24 11:41:04.519293694 +0200
+++ openssh/configure.ac 2015-06-24 11:41:04.556293600 +0200
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
]
)
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5034,6 +5090,7 @@ echo " KerberosV support
echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
--- openssh/sshd.8.tcp_wrappers 2015-06-24 11:41:04.527293674 +0200
+++ openssh/sshd.8 2015-06-24 11:41:04.556293600 +0200
@@ -860,6 +860,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -983,6 +989,7 @@ IPv6 address can be used everywhere wher
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
--- openssh/sshd.c.tcp_wrappers 2015-06-24 11:41:04.549293618 +0200
+++ openssh/sshd.c 2015-06-24 11:41:53.331169536 +0200
@@ -125,6 +125,13 @@
#include "version.h"
#include "ssherr.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
@@ -2158,6 +2165,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (packet_connection_is_on_socket()) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
/* Log the connection. */
laddr = get_local_ipaddr(sock_in);

View File

@ -2,34 +2,34 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100 --- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100 +++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h @@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_KEYCAT=$(libexecdir)/ssh-keycat SSH_KEYCAT=$(libexecdir)/ssh-keycat
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+SSH_CAVS=$(libexecdir)/ssh-cavs +SSH_CAVS=$(libexecdir)/ssh-cavs
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@ PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@ @@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) .SUFFIXES: .lo
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
LIBOPENSSH_OBJS=\ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
ssh_api.o \ +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD @@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o +ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ +
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -331,6 +335,8 @@ install-files: @@ -331,6 +335,8 @@ install-files:
fi $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
@ -40,7 +40,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100 --- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100 +++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,383 @@ @@ -0,0 +1,387 @@
+/* +/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de> + * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ * + *
@ -88,11 +88,12 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
+#include <openssl/bn.h> +#include <openssl/bn.h>
+ +
+#include "xmalloc.h" +#include "xmalloc.h"
+#include "buffer.h" +#include "sshbuf.h"
+#include "key.h" +#include "sshkey.h"
+#include "cipher.h" +#include "cipher.h"
+#include "kex.h" +#include "kex.h"
+#include "packet.h" +#include "packet.h"
+#include "digest.h"
+ +
+static int bin_char(unsigned char hex) +static int bin_char(unsigned char hex)
+{ +{
@ -207,6 +208,7 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
+{ +{
+ int ret = 0; + int ret = 0;
+ struct kex kex; + struct kex kex;
+ struct sshbuf *Kb = NULL;
+ BIGNUM *Kbn = NULL; + BIGNUM *Kbn = NULL;
+ int mode = 0; + int mode = 0;
+ struct newkeys *ctoskeys; + struct newkeys *ctoskeys;
@ -221,10 +223,17 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
+ Kbn = BN_new(); + Kbn = BN_new();
+ BN_bin2bn(test->K, test->Klen, Kbn); + BN_bin2bn(test->K, test->Klen, Kbn);
+ if (!Kbn) { + if (!Kbn) {
+ printf("cannot convert K into BIGNUM\n"); + printf("cannot convert K into bignum\n");
+ ret = 1; + ret = 1;
+ goto out; + goto out;
+ } + }
+ Kb = sshbuf_new();
+ if (!Kb) {
+ printf("cannot convert K into sshbuf\n");
+ ret = 1;
+ goto out;
+ }
+ sshbuf_put_bignum2(Kb, Kbn);
+ +
+ kex.session_id = test->session_id; + kex.session_id = test->session_id;
+ kex.session_id_len = test->session_id_len; + kex.session_id_len = test->session_id_len;
@ -234,16 +243,16 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
+ /* select the right hash based on struct ssh_digest digests */ + /* select the right hash based on struct ssh_digest digests */
+ switch (test->ik_len) { + switch (test->ik_len) {
+ case 20: + case 20:
+ kex.hash_alg = 2; + kex.hash_alg = SSH_DIGEST_SHA1;
+ break; + break;
+ case 32: + case 32:
+ kex.hash_alg = 3; + kex.hash_alg = SSH_DIGEST_SHA256;
+ break; + break;
+ case 48: + case 48:
+ kex.hash_alg = 4; + kex.hash_alg = SSH_DIGEST_SHA384;
+ break; + break;
+ case 64: + case 64:
+ kex.hash_alg = 5; + kex.hash_alg = SSH_DIGEST_SHA512;
+ break; + break;
+ default: + default:
+ printf("Wrong hash type %u\n", test->ik_len); + printf("Wrong hash type %u\n", test->ik_len);
@ -284,7 +293,7 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
+ goto out; + goto out;
+ } + }
+ ssh->kex = &kex; + ssh->kex = &kex;
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn); + kex_derive_keys(ssh, test->H, test->Hlen, Kb);
+ +
+ ctoskeys = kex.newkeys[0]; + ctoskeys = kex.newkeys[0];
+ stockeys = kex.newkeys[1]; + stockeys = kex.newkeys[1];
@ -317,16 +326,11 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
+ hex, HEXOUTLEN, 0); + hex, HEXOUTLEN, 0);
+ printf("Integrity key (server to client) = %s\n", hex); + printf("Integrity key (server to client) = %s\n", hex);
+ +
+ free(ctoskeys);
+ free(stockeys);
+
+out: +out:
+ if (Kbn) + if (Kbn)
+ BN_free(Kbn); + BN_free(Kbn);
+ if (kex.newkeys[0]) + if (Kb)
+ free(kex.newkeys[0]); + sshbuf_free(Kb);
+ if (kex.newkeys[1])
+ free(kex.newkeys[1]);
+ if (ssh) + if (ssh)
+ ssh_packet_close(ssh); + ssh_packet_close(ssh);
+ return ret; + return ret;

File diff suppressed because it is too large Load Diff

View File

@ -1,29 +1,31 @@
diff -up openssh-6.8p1/sftp-server.8.sftp-force-mode openssh-6.8p1/sftp-server.8 diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
--- openssh-6.8p1/sftp-server.8.sftp-force-mode 2015-03-17 06:49:20.000000000 +0100 --- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100
+++ openssh-6.8p1/sftp-server.8 2015-03-18 13:18:05.898306477 +0100 +++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200
@@ -38,6 +38,7 @@ @@ -38,6 +38,7 @@
.Op Fl P Ar blacklisted_requests .Op Fl P Ar denied_requests
.Op Fl p Ar whitelisted_requests .Op Fl p Ar allowed_requests
.Op Fl u Ar umask .Op Fl u Ar umask
+.Op Fl m Ar force_file_perms +.Op Fl m Ar force_file_perms
.Ek .Ek
.Nm .Nm
.Fl Q Ar protocol_feature .Fl Q Ar protocol_feature
@@ -138,6 +139,10 @@ Sets an explicit @@ -138,6 +139,12 @@ Sets an explicit
.Xr umask 2 .Xr umask 2
to be applied to newly-created files and directories, instead of the to be applied to newly-created files and directories, instead of the
user's default mask. user's default mask.
+.It Fl m Ar force_file_perms +.It Fl m Ar force_file_perms
+Sets explicit file permissions to be applied to newly-created files instead +Sets explicit file permissions to be applied to newly-created files instead
+of the default or client requested mode. Numeric values include: +of the default or client requested mode. Numeric values include:
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set. +777, 755, 750, 666, 644, 640, etc. Using both -m and -u switches makes the
+umask (-u) effective only for newly created directories and explicit mode (-m)
+for newly created files.
.El .El
.Pp .Pp
On some systems, On some systems,
diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
--- openssh-6.8p1/sftp-server.c.sftp-force-mode 2015-03-18 13:18:05.883306513 +0100 --- openssh-7.2p2/sftp-server.c.sftp-force-mode 2016-06-23 16:18:20.446854128 +0200
+++ openssh-6.8p1/sftp-server.c 2015-03-18 13:18:36.697232193 +0100 +++ openssh-7.2p2/sftp-server.c 2016-06-23 16:20:37.950766082 +0200
@@ -70,6 +70,10 @@ struct sshbuf *oqueue; @@ -69,6 +69,10 @@ struct sshbuf *oqueue;
/* Version of client */ /* Version of client */
static u_int version; static u_int version;
@ -34,27 +36,44 @@ diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
/* SSH2_FXP_INIT received */ /* SSH2_FXP_INIT received */
static int init_done; static int init_done;
@@ -693,6 +697,10 @@ process_open(u_int32_t id) @@ -683,6 +687,7 @@ process_open(u_int32_t id)
Attrib a;
char *name;
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
+ mode_t old_umask = 0;
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
@@ -692,6 +697,10 @@ process_open(u_int32_t id)
debug3("request %u: open flags %d", id, pflags); debug3("request %u: open flags %d", id, pflags);
flags = flags_from_portable(pflags); flags = flags_from_portable(pflags);
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666; mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
+ if (permforce == 1) { /* Force perm if -m is set */ + if (permforce == 1) { /* Force perm if -m is set */
+ mode = permforcemode; + mode = permforcemode;
+ (void)umask(0); /* so umask does not interfere */ + old_umask = umask(0); /* so umask does not interfere */
+ } + }
logit("open \"%s\" flags %s mode 0%o", logit("open \"%s\" flags %s mode 0%o",
name, string_from_portable(pflags), mode); name, string_from_portable(pflags), mode);
if (readonly && if (readonly &&
@@ -1495,7 +1503,7 @@ sftp_server_usage(void) @@ -713,6 +722,8 @@ process_open(u_int32_t id)
}
}
}
+ if (permforce == 1)
+ (void) umask(old_umask); /* restore umask to something sane */
if (status != SSH2_FX_OK)
send_status(id, status);
free(name);
@@ -1494,7 +1505,7 @@ sftp_server_usage(void)
fprintf(stderr, fprintf(stderr,
"usage: %s [-ehR] [-d start_directory] [-f log_facility] " "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
"[-l log_level]\n\t[-P blacklisted_requests] " "[-l log_level]\n\t[-P denied_requests] "
- "[-p whitelisted_requests] [-u umask]\n" - "[-p allowed_requests] [-u umask]\n"
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n" + "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
" %s -Q protocol_feature\n", " %s -Q protocol_feature\n",
__progname, __progname); __progname, __progname);
exit(1); exit(1);
@@ -1520,7 +1528,7 @@ sftp_server_main(int argc, char **argv, @@ -1520,7 +1531,7 @@ sftp_server_main(int argc, char **argv,
pw = pwcopy(user_pw); pw = pwcopy(user_pw);
while (!skipargs && (ch = getopt(argc, argv, while (!skipargs && (ch = getopt(argc, argv,
@ -63,7 +82,7 @@ diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
switch (ch) { switch (ch) {
case 'Q': case 'Q':
if (strcasecmp(optarg, "requests") != 0) { if (strcasecmp(optarg, "requests") != 0) {
@@ -1580,6 +1588,15 @@ sftp_server_main(int argc, char **argv, @@ -1580,6 +1591,15 @@ sftp_server_main(int argc, char **argv,
fatal("Invalid umask \"%s\"", optarg); fatal("Invalid umask \"%s\"", optarg);
(void)umask((mode_t)mask); (void)umask((mode_t)mask);
break; break;

View File

@ -1,25 +0,0 @@
diff --git a/servconf.c b/servconf.c
index ad5869b..0255ed3 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1910,6 +1910,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
dst->n = src->n; \
} while (0)
+ u_int i;
+
M_CP_INTOPT(password_authentication);
M_CP_INTOPT(gss_authentication);
M_CP_INTOPT(rsa_authentication);
@@ -1947,8 +1949,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
} while(0)
#define M_CP_STRARRAYOPT(n, num_n) do {\
if (src->num_n != 0) { \
+ for (i = 0; i < dst->num_n; i++) \
+ free(dst->n[i]); \
for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
- dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
+ dst->n[dst->num_n] = src->n[dst->num_n]; \
} \
} while(0)

View File

@ -3,25 +3,10 @@ diff -up openssh/servconf.c.sshdt openssh/servconf.c
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200 +++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o) @@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
dump_cfg_string(sXAuthLocation, o->xauth_location); dump_cfg_string(sXAuthLocation, o->xauth_location);
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); dump_cfg_string(sCiphers, o->ciphers);
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); dump_cfg_string(sMacs, o->macs);
- dump_cfg_string(sBanner, o->banner); - dump_cfg_string(sBanner, o->banner);
+ dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none"); + dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory); dump_cfg_string(sChrootDirectory, o->chroot_directory);
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys); dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
diff -up openssh/ssh.1.sshdt openssh/ssh.1
--- openssh/ssh.1.sshdt 2015-06-24 11:42:19.565102807 +0200
+++ openssh/ssh.1 2015-06-24 11:42:29.042078701 +0200
@@ -441,7 +441,11 @@ For full details of the options listed b
.It GatewayPorts
.It GlobalKnownHostsFile
.It GSSAPIAuthentication
+.It GSSAPIKeyExchange
+.It GSSAPIClientIdentity
.It GSSAPIDelegateCredentials
+.It GSSAPIRenewalForcesRekey
+.It GSSAPITrustDNS
.It HashKnownHosts
.It Host
.It HostbasedAuthentication

View File

@ -1,12 +0,0 @@
diff -up openssh-7.0p1/sshd_config.root-login openssh-7.0p1/sshd_config
--- openssh-7.0p1/sshd_config.root-login 2015-08-12 11:29:12.919269245 +0200
+++ openssh-7.0p1/sshd_config 2015-08-12 11:31:03.653096466 +0200
@@ -46,7 +46,7 @@ SyslogFacility AUTHPRIV
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
+PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

View File

@ -1,42 +0,0 @@
diff --git a/progressmeter.c b/progressmeter.c
index 319b747..b54738c 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -66,7 +66,8 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
static time_t last_update; /* last progress update */
-static const char *file; /* name of the file being transferred */
+static char *file; /* name of the file being transferred */
+static size_t file_len = 0; /* allocated length of file */
static off_t start_pos; /* initial position of transfer */
static off_t end_pos; /* ending position of transfer */
static off_t cur_pos; /* transfer position as of last refresh */
@@ -250,7 +251,11 @@ update_progress_meter(int ignore)
start_progress_meter(const char *f, off_t filesize, off_t *ctr)
{
start = last_update = monotime();
- file = f;
+ if (strlen(f) > file_len) {
+ file_len = strlen(f);
+ file = realloc(file, file_len * 4 + 1);
+ }
+ sanitize_utf8(file, f, file_len);
start_pos = *ctr;
end_pos = filesize;
cur_pos = 0;
diff --git a/Makefile.in b/Makefile.in
index ac45b05..6978081 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -173,8 +173,8 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
-scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
+ $(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

View File

@ -1,32 +0,0 @@
diff -up openssh/configure.ac.seccomp openssh/configure.ac
diff -up openssh/sandbox-seccomp-filter.c.seccomp openssh/sandbox-seccomp-filter.c
--- openssh/sandbox-seccomp-filter.c.seccomp 2015-06-24 11:45:44.001581471 +0200
+++ openssh/sandbox-seccomp-filter.c 2015-06-24 11:51:54.032635297 +0200
@@ -165,6 +165,9 @@ static const struct sock_filter preauth_
#ifdef __NR__newselect
SC_ALLOW(_newselect),
#endif
+#ifdef __NR_pselect6 /* AArch64 */
+ SC_ALLOW(pselect6),
+#endif
#ifdef __NR_poll
SC_ALLOW(poll),
#endif
diff --git a/configure.ac b/configure.ac
index 24378a7..0bed910 100644
--- a/configure.ac
+++ b/configure.ac
@@ -811,6 +811,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
aarch64*-*)
seccomp_audit_arch=AUDIT_ARCH_AARCH64
;;
+ s390x-*)
+ seccomp_audit_arch=AUDIT_ARCH_S390X
+ ;;
+ s390-*)
+ seccomp_audit_arch=AUDIT_ARCH_S390
+ ;;
esac
if test "x$seccomp_audit_arch" != "x" ; then
AC_MSG_RESULT(["$seccomp_audit_arch"])

View File

@ -1,416 +0,0 @@
diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
--- openssh-7.0p1/gss-genr.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
+++ openssh-7.0p1/gss-genr.c 2015-08-19 12:28:38.078518839 +0200
@@ -78,7 +78,8 @@ ssh_gssapi_oid_table_ok() {
*/
char *
-ssh_gssapi_client_mechanisms(const char *host, const char *client) {
+ssh_gssapi_client_mechanisms(const char *host, const char *client,
+ const char *kex) {
gss_OID_set gss_supported;
OM_uint32 min_status;
@@ -86,12 +87,12 @@ ssh_gssapi_client_mechanisms(const char
return NULL;
return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
- host, client));
+ host, client, kex));
}
char *
ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
- const char *host, const char *client) {
+ const char *host, const char *client, const char *kex) {
Buffer buf;
size_t i;
int oidpos, enclen;
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
char deroid[2];
const EVP_MD *evp_md = EVP_md5();
EVP_MD_CTX md;
+ char *s, *cp, *p;
if (gss_enc2oid != NULL) {
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
buffer_init(&buf);
oidpos = 0;
+ s = cp = xstrdup(kex);
for (i = 0; i < gss_supported->count; i++) {
if (gss_supported->elements[i].length < 128 &&
(*check)(NULL, &(gss_supported->elements[i]), host, client)) {
@@ -131,26 +134,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
encoded, EVP_MD_size(evp_md) * 2);
- if (oidpos != 0)
- buffer_put_char(&buf, ',');
-
- buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
- sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
- buffer_append(&buf, encoded, enclen);
- buffer_put_char(&buf, ',');
- buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
- buffer_append(&buf, encoded, enclen);
- buffer_put_char(&buf, ',');
- buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
- buffer_append(&buf, encoded, enclen);
+ cp = strncpy(s, kex, strlen(kex));
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
+ (p = strsep(&cp, ","))) {
+ if (buffer_len(&buf) != 0)
+ buffer_put_char(&buf, ',');
+ buffer_append(&buf, p,
+ strlen(p));
+ buffer_append(&buf, encoded, enclen);
+ }
gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
gss_enc2oid[oidpos].encoded = encoded;
oidpos++;
}
}
+ free(s);
gss_enc2oid[oidpos].oid = NULL;
gss_enc2oid[oidpos].encoded = NULL;
diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
--- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
@@ -150,7 +150,7 @@ ssh_gssapi_server_mechanisms() {
ssh_gssapi_supported_oids(&supported);
return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
- NULL, NULL));
+ NULL, NULL, options.gss_kex_algorithms));
}
/* Unprivileged */
diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c
--- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200
+++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200
@@ -50,6 +50,7 @@
#include "misc.h"
#include "dispatch.h"
#include "monitor.h"
+#include "xmalloc.h"
#include "ssherr.h"
#include "sshbuf.h"
@@ -232,6 +232,29 @@ kex_assemble_names(const char *def, char
return 0;
}
+/* Validate GSS KEX method name list */
+int
+gss_kex_names_valid(const char *names)
+{
+ char *s, *cp, *p;
+
+ if (names == NULL || *names == '\0')
+ return 0;
+ s = cp = xstrdup(names);
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
+ (p = strsep(&cp, ","))) {
+ if (strncmp(p, "gss-", 4) != 0
+ || kex_alg_by_name(p) == NULL) {
+ error("Unsupported KEX algorithm \"%.100s\"", p);
+ free(s);
+ return 0;
+ }
+ }
+ debug3("gss kex names ok: [%s]", names);
+ free(s);
+ return 1;
+}
+
/* put algorithm proposal into buffer */
int
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
diff -up openssh-7.0p1/kex.h.gsskexalg openssh-7.0p1/kex.h
--- openssh-7.0p1/kex.h.gsskexalg 2015-08-19 12:28:38.078518839 +0200
+++ openssh-7.0p1/kex.h 2015-08-19 12:30:52.404218958 +0200
@@ -173,6 +173,7 @@ int kex_names_valid(const char *);
char *kex_alg_list(char);
char *kex_names_cat(const char *, const char *);
int kex_assemble_names(const char *, char **);
+int gss_kex_names_valid(const char *);
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
int kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
--- openssh-7.0p1/readconf.c.gsskexalg 2015-08-19 12:28:38.026518955 +0200
+++ openssh-7.0p1/readconf.c 2015-08-19 12:31:28.333138747 +0200
@@ -61,6 +61,7 @@
#include "uidswap.h"
#include "myproposal.h"
#include "digest.h"
+#include "ssh-gss.h"
/* Format of the configuration file:
@@ -148,7 +149,7 @@ typedef enum {
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
- oGssServerIdentity,
+ oGssServerIdentity, oGssKexAlgorithms,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -200,6 +201,7 @@ static struct {
{ "gssapiclientidentity", oGssClientIdentity },
{ "gssapiserveridentity", oGssServerIdentity },
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
+ { "gssapikexalgorithms", oGssKexAlgorithms },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapikeyexchange", oUnsupported },
@@ -207,6 +209,7 @@ static struct {
{ "gssapitrustdns", oUnsupported },
{ "gssapiclientidentity", oUnsupported },
{ "gssapirenewalforcesrekey", oUnsupported },
+ { "gssapikexalgorithms", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -929,6 +932,18 @@ parse_time:
intptr = &options->gss_renewal_rekey;
goto parse_flag;
+ case oGssKexAlgorithms:
+ arg = strdelim(&s);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!gss_kex_names_valid(arg))
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = xstrdup(arg);
+ break;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1638,6 +1653,7 @@ initialize_options(Options * options)
options->gss_renewal_rekey = -1;
options->gss_client_identity = NULL;
options->gss_server_identity = NULL;
+ options->gss_kex_algorithms = NULL;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1773,6 +1789,10 @@ fill_default_options(Options * options)
options->gss_trust_dns = 0;
if (options->gss_renewal_rekey == -1)
options->gss_renewal_rekey = 0;
+#ifdef GSSAPI
+ if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff -up openssh-7.0p1/readconf.h.gsskexalg openssh-7.0p1/readconf.h
--- openssh-7.0p1/readconf.h.gsskexalg 2015-08-19 12:28:38.026518955 +0200
+++ openssh-7.0p1/readconf.h 2015-08-19 12:28:38.079518836 +0200
@@ -51,6 +51,7 @@ typedef struct {
int gss_renewal_rekey; /* Credential renewal forces rekey */
char *gss_client_identity; /* Principal to initiate GSSAPI with */
char *gss_server_identity; /* GSSAPI target principal */
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
--- openssh-7.0p1/servconf.c.gsskexalg 2015-08-19 12:28:38.074518847 +0200
+++ openssh-7.0p1/servconf.c 2015-08-19 12:33:13.599902732 +0200
@@ -57,6 +57,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
+#include "ssh-gss.h"
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -121,6 +122,7 @@ initialize_server_options(ServerOptions
options->gss_cleanup_creds = -1;
options->gss_strict_acceptor = -1;
options->gss_store_rekey = -1;
+ options->gss_kex_algorithms = NULL;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
@@ -288,6 +290,10 @@ fill_default_server_options(ServerOption
options->gss_strict_acceptor = 0;
if (options->gss_store_rekey == -1)
options->gss_store_rekey = 0;
+#ifdef GSSAPI
+ if (options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
+#endif
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
@@ -427,7 +431,7 @@ typedef enum {
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
+ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
@@ -506,6 +510,7 @@ static struct {
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
@@ -513,6 +518,7 @@ static struct {
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1273,6 +1279,18 @@ process_server_config_line(ServerOptions
intptr = &options->gss_store_rekey;
goto parse_flag;
+ case sGssKexAlgorithms:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%.200s line %d: Missing argument.",
+ filename, linenum);
+ if (!gss_kex_names_valid(arg))
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
+ filename, linenum, arg ? arg : "<NONE>");
+ if (*activep && options->gss_kex_algorithms == NULL)
+ options->gss_kex_algorithms = xstrdup(arg);
+ break;
+
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
@@ -2304,6 +2322,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
#endif
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
diff -up openssh-7.0p1/servconf.h.gsskexalg openssh-7.0p1/servconf.h
--- openssh-7.0p1/servconf.h.gsskexalg 2015-08-19 12:28:38.080518834 +0200
+++ openssh-7.0p1/servconf.h 2015-08-19 12:34:46.328693944 +0200
@@ -122,6 +122,7 @@ typedef struct {
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
int gss_store_rekey;
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
int password_authentication; /* If true, permit password
* authentication. */
int kbd_interactive_authentication; /* If true, permit */
diff -up openssh-7.0p1/ssh.1.gsskexalg openssh-7.0p1/ssh.1
--- openssh-7.0p1/ssh.1.gsskexalg 2015-08-19 12:28:38.081518832 +0200
+++ openssh-7.0p1/ssh.1 2015-08-19 12:35:31.741591692 +0200
@@ -496,6 +496,7 @@ For full details of the options listed b
.It GSSAPIDelegateCredentials
.It GSSAPIRenewalForcesRekey
.It GSSAPITrustDNS
+.It GSSAPIKexAlgorithms
.It HashKnownHosts
.It Host
.It HostbasedAuthentication
diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5
--- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200
+++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200
@@ -786,6 +786,18 @@ command line will be passed untouched to
command line will be passed untouched to the GSSAPI library.
The default is
.Dq no .
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are offered for GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
--- openssh-7.0p1/sshconnect2.c.gsskexalg 2015-08-19 12:28:38.045518912 +0200
+++ openssh-7.0p1/sshconnect2.c 2015-08-19 12:28:38.081518832 +0200
@@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho
else
gss_host = host;
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
+ gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms);
if (gss) {
debug("Offering GSSAPI proposal: %s", gss);
xasprintf(&options.kex_algorithms,
--- openssh-7.1p1/sshd_config.5.gsskexalg 2015-12-10 15:32:48.105418092 +0100
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:33:47.771279548 +0100
@@ -663,6 +663,18 @@ or updated credentials from a compatible
For this to work
.Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client.
+.It Cm GSSAPIKexAlgorithms
+The list of key exchange algorithms that are accepted by GSSAPI
+key exchange. Possible values are
+.Bd -literal -offset 3n
+gss-gex-sha1-,
+gss-group1-sha1-,
+gss-group14-sha1-
+.Ed
+.Pp
+The default is
+.Dq gss-gex-sha1-,gss-group14-sha1- .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list.
diff -up openssh-7.0p1/ssh-gss.h.gsskexalg openssh-7.0p1/ssh-gss.h
--- openssh-7.0p1/ssh-gss.h.gsskexalg 2015-08-19 12:28:38.031518944 +0200
+++ openssh-7.0p1/ssh-gss.h 2015-08-19 12:28:38.081518832 +0200
@@ -76,6 +76,10 @@ extern char **k5users_allowed_cmds;
#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
+#define GSS_KEX_DEFAULT_KEX \
+ KEX_GSS_GEX_SHA1_ID "," \
+ KEX_GSS_GRP14_SHA1_ID
+
typedef struct {
char *filename;
char *envvar;
@@ -147,9 +151,9 @@ int ssh_gssapi_credentials_updated(Gssct
/* In the server */
typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
const char *);
-char *ssh_gssapi_client_mechanisms(const char *, const char *);
+char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
- const char *);
+ const char *, const char *);
gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
const char *);

View File

@ -1,345 +0,0 @@
From e1d58c44bd911e5ee4dddb6205e16eb9a03cc736 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 7 Aug 2015 10:18:54 +0200
Subject: [PATCH] Possibility tu specify more fingerprint algorithms on client
side for smother transition
---
clientloop.c | 8 ++++----
readconf.c | 43 +++++++++++++++++++++++++++++--------------
readconf.h | 4 +++-
ssh_config.5 | 4 ++--
sshconnect.c | 48 +++++++++++++++++++++++++++---------------------
sshconnect2.c | 6 +++---
6 files changed, 68 insertions(+), 45 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index 87ceb3d..4553114 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -2194,7 +2194,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
if (ctx->keys_seen[i] != 2)
continue;
if ((fp = sshkey_fingerprint(ctx->keys[i],
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Learned new hostkey: %s %s",
sshkey_type(ctx->keys[i]), fp);
@@ -2202,7 +2202,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
}
for (i = 0; i < ctx->nold; i++) {
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __func__);
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
sshkey_type(ctx->old_keys[i]), fp);
@@ -2245,7 +2245,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
(r = hostfile_replace_entries(options.user_hostfiles[0],
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
options.hash_known_hosts, 0,
- options.fingerprint_hash)) != 0)
+ options.fingerprint_hash[0])) != 0)
error("%s: hostfile_replace_entries failed: %s",
__func__, ssh_err(r));
}
@@ -2358,7 +2358,7 @@ client_input_hostkeys(void)
error("%s: parse key: %s", __func__, ssh_err(r));
goto out;
}
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT);
debug3("%s: received %s key %s", __func__,
sshkey_type(key), fp);
diff --git a/readconf.c b/readconf.c
index 1d03bdf..6af4c62 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1471,16 +1471,18 @@ parse_keytypes:
goto parse_string;
case oFingerprintHash:
- intptr = &options->fingerprint_hash;
- arg = strdelim(&s);
- if (!arg || *arg == '\0')
- fatal("%.200s line %d: Missing argument.",
- filename, linenum);
- if ((value = ssh_digest_alg_by_name(arg)) == -1)
- fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
- filename, linenum, arg);
- if (*activep && *intptr == -1)
- *intptr = value;
+ if (*activep && options->num_fingerprint_hash == 0)
+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+ value = ssh_digest_alg_by_name(arg);
+ if (value == -1)
+ fatal("%s line %d: unknown fingerprints algorithm specs: %s.",
+ filename, linenum, arg);
+ if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)
+ fatal("%s line %d: too many fingerprints algorithm specs.",
+ filename, linenum);
+ options->fingerprint_hash[
+ options->num_fingerprint_hash++] = value;
+ }
break;
case oUpdateHostkeys:
@@ -1673,7 +1675,7 @@ initialize_options(Options * options)
options->canonicalize_fallback_local = -1;
options->canonicalize_hostname = -1;
options->revoked_host_keys = NULL;
- options->fingerprint_hash = -1;
+ options->num_fingerprint_hash = 0;
options->update_hostkeys = -1;
options->hostbased_key_types = NULL;
options->pubkey_key_types = NULL;
@@ -1851,8 +1853,10 @@ fill_default_options(Options * options)
options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
- if (options->fingerprint_hash == -1)
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->num_fingerprint_hash == 0) {
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_SHA256;
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_MD5;
+ }
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
@@ -2189,6 +2193,17 @@ dump_cfg_strarray(OpCodes code, u_int count, char **vals)
}
static void
+dump_cfg_fmtarray(OpCodes code, u_int count, int *vals)
+{
+ u_int i;
+
+ printf("%s", lookup_opcode_name(code));
+ for (i = 0; i < count; i++)
+ printf(" %s", fmt_intarg(code, vals[i]));
+ printf("\n");
+}
+
+static void
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
{
u_int i;
@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host)
dump_cfg_fmtint(oControlMaster, o->control_master);
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
dump_cfg_fmtint(oForwardX11, o->forward_x11);
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
@@ -2328,6 +2342,7 @@ dump_client_config(Options *o, const char *host)
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
+ dump_cfg_fmtarray(oFingerprintHash, o->num_fingerprint_hash, o->fingerprint_hash);
/* Special cases */
diff --git a/readconf.h b/readconf.h
index bb2d552..d817f92 100644
--- a/readconf.h
+++ b/readconf.h
@@ -21,6 +21,7 @@
#define MAX_SEND_ENV 256
#define SSH_MAX_HOSTS_FILES 32
#define MAX_CANON_DOMAINS 32
+#define MAX_SSH_DIGESTS 32
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
struct allowed_cname {
@@ -146,7 +147,8 @@ typedef struct {
char *revoked_host_keys;
- int fingerprint_hash;
+ int num_fingerprint_hash;
+ int fingerprint_hash[MAX_SSH_DIGESTS];
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
diff --git a/ssh_config.5 b/ssh_config.5
index 5b0975f..e8e6458 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -647,13 +647,13 @@ or
The default is
.Dq no .
.It Cm FingerprintHash
-Specifies the hash algorithm used when displaying key fingerprints.
+Specifies the hash algorithms used when displaying key fingerprints.
Valid options are:
.Dq md5
and
.Dq sha256 .
The default is
-.Dq sha256 .
+.Dq "sha256 md5".
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
diff --git a/sshconnect.c b/sshconnect.c
index f41960c..e12932f 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -920,9 +920,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
"of known hosts.", type, ip);
} else if (options.visual_host_key) {
fp = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
ra = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_RANDOMART);
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
logit("Host key fingerprint is %s\n%s", fp, ra);
@@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
- fp = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
- ra = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_RANDOMART);
- if (fp == NULL || ra == NULL)
- fatal("%s: sshkey_fingerprint fail", __func__);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
if (matching_host_key_dns)
@@ -983,16 +977,28 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
}
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
- "established%s\n"
- "%s key fingerprint is %s.%s%s\n%s"
+ "established%s\n", host, ip, msg1);
+ for (i = 0; i < options.num_fingerprint_hash; i++) {
+ fp = sshkey_fingerprint(host_key,
+ options.fingerprint_hash[i], SSH_FP_DEFAULT);
+ ra = sshkey_fingerprint(host_key,
+ options.fingerprint_hash[i], SSH_FP_RANDOMART);
+ if (fp == NULL || ra == NULL)
+ fatal("%s: sshkey_fingerprint fail", __func__);
+ len = strlen(msg);
+ snprintf(msg+len, sizeof(msg)-len,
+ "%s key fingerprint is %s.%s%s\n%s",
+ type, fp,
+ options.visual_host_key ? "\n" : "",
+ options.visual_host_key ? ra : "",
+ msg2);
+ free(ra);
+ free(fp);
+ }
+ len = strlen(msg);
+ snprintf(msg+len, sizeof(msg)-len,
"Are you sure you want to continue connecting "
- "(yes/no)? ",
- host, ip, msg1, type, fp,
- options.visual_host_key ? "\n" : "",
- options.visual_host_key ? ra : "",
- msg2);
- free(ra);
- free(fp);
+ "(yes/no)? ");
if (!confirm(msg))
goto fail;
hostkey_trusted = 1; /* user explicitly confirmed */
@@ -1241,7 +1247,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
struct sshkey *plain = NULL;
if ((fp = sshkey_fingerprint(host_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
error("%s: fingerprint host key: %s", __func__, ssh_err(r));
r = -1;
goto out;
@@ -1405,9 +1411,9 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue;
fp = sshkey_fingerprint(found->key,
- options.fingerprint_hash, SSH_FP_DEFAULT);
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
ra = sshkey_fingerprint(found->key,
- options.fingerprint_hash, SSH_FP_RANDOMART);
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
if (fp == NULL || ra == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
logit("WARNING: %s key found for host %s\n"
@@ -1430,7 +1436,7 @@ warn_changed_key(Key *host_key)
{
char *fp;
- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash[0],
SSH_FP_DEFAULT);
if (fp == NULL)
fatal("%s: sshkey_fingerprint fail", __func__);
diff --git a/sshconnect2.c b/sshconnect2.c
index 7751031..82ed92e 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -589,7 +589,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
key->type, pktype);
goto done;
}
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
goto done;
debug2("input_userauth_pk_ok: fp %s", fp);
@@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
int matched, ret = -1, have_sig = 1;
char *fp;
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
return 0;
debug3("%s: %s %s", __func__, key_type(id->key), fp);
@@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt)
goto out;
}
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL) {
error("%s: sshkey_fingerprint failed", __func__);
goto out;
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 1dca3e2..23bff7d 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -275,7 +275,7 @@ main(int argc, char **argv)
}
}
if (!found) {
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
SSH_FP_DEFAULT)) == NULL)
fatal("%s: sshkey_fingerprint failed", __progname);
fatal("no matching hostkey found for key %s %s",
--
2.1.0
diff --git a/sshconnect.c b/sshconnect.c
index de7ace6..f16e606 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1262,7 +1262,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
if (sshkey_is_cert(host_key)) {
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
error("%s: fingerprint CA key: %s",
__func__, ssh_err(r));
r = -1;

View File

@ -1,47 +0,0 @@
diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
--- openssh-7.1p1/ssh_config.5.gss-docs 2015-12-10 15:28:47.451966457 +0100
+++ openssh-7.1p1/ssh_config.5 2015-12-10 15:30:28.070738047 +0100
@@ -773,15 +773,26 @@ Note that this option applies to protoco
If set to
.Dq yes
then renewal of the client's GSSAPI credentials will force the rekeying of the
-ssh connection. With a compatible server, this can delegate the renewed
+ssh connection. With a compatible server, this will delegate the renewed
credentials to a session on the server.
+.Pp
+Checks are made to ensure that credentials are only propagated when the new
+credentials match the old ones on the originating client and where the
+receiving server still has the old set in its cache.
+.Pp
The default is
.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
.It Cm GSSAPITrustDns
Set to
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
+.Dq yes
+to indicate that the DNS is trusted to securely canonicalize
the name of the host being connected to. If
-.Dq no, the hostname entered on the
+.Dq no ,
+the hostname entered on the
command line will be passed untouched to the GSSAPI library.
The default is
.Dq no .
diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5
--- openssh-7.1p1/sshd_config.5.gss-docs 2015-12-10 15:28:47.453966452 +0100
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:28:47.461966434 +0100
@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede
successful connection rekeying. This option can be used to accepted renewed
or updated credentials from a compatible client. The default is
.Dq no .
+.Pp
+For this to work
+.Cm GSSAPIKeyExchange
+needs to be enabled in the server and also used by the client.
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a comma-separated pattern list.

View File

@ -1,31 +0,0 @@
diff --git a/PROTOCOL b/PROTOCOL
index 131adfe..c828087 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -328,6 +328,11 @@ a server may offer multiple keys of the same type for a period (to
give clients an opportunity to learn them using this extension) before
removing the deprecated key from those offered.
+2.6. connection: add IUTF8 terminal mode flag
+
+OpenSSH supports the IUTF8 terminal mode flag and encodes it in "pty-req"
+messages as opcode value 42.
+
3. SFTP protocol changes
3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
diff --git a/ttymodes.h b/ttymodes.h
index 4d848fe..396ae88 100644
--- a/ttymodes.h
+++ b/ttymodes.h
@@ -127,6 +127,9 @@ TTYMODE(IXOFF, c_iflag, 40)
#ifdef IMAXBEL
TTYMODE(IMAXBEL,c_iflag, 41)
#endif /* IMAXBEL */
+#ifdef IUTF8
+TTYMODE(IUTF8, c_iflag, 42)
+#endif /* IUTF8 */
TTYMODE(ISIG, c_lflag, 50)
TTYMODE(ICANON, c_lflag, 51)

View File

@ -1,21 +1,21 @@
diff --git a/monitor_wrap.c b/monitor_wrap.c diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
index 89a1762..fe98e08 100644 --- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100
--- a/monitor_wrap.c +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100
+++ b/monitor_wrap.c @@ -1107,4 +1107,50 @@ mm_audit_destroy_sensitive_data(const ch
@@ -1251,4 +1251,48 @@ mm_audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid) mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m); sshbuf_free(m);
buffer_free(&m);
} }
+ +
+int mm_forward_audit_messages(int fdin) +int mm_forward_audit_messages(int fdin)
+{ +{
+ u_char buf[4]; + u_char buf[4];
+ u_int blen, msg_len; + u_int blen, msg_len;
+ Buffer m; + struct sshbuf *m;
+ int ret = 0; + int r, ret = 0;
+ +
+ debug3("%s: entering", __func__); + debug3("%s: entering", __func__);
+ buffer_init(&m); + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ do { + do {
+ blen = atomicio(read, fdin, buf, sizeof(buf)); + blen = atomicio(read, fdin, buf, sizeof(buf));
+ if (blen == 0) /* closed pipe */ + if (blen == 0) /* closed pipe */
@ -29,21 +29,22 @@ index 89a1762..fe98e08 100644
+ msg_len = get_u32(buf); + msg_len = get_u32(buf);
+ if (msg_len > 256 * 1024) + if (msg_len > 256 * 1024)
+ fatal("%s: read: bad msg_len %d", __func__, msg_len); + fatal("%s: read: bad msg_len %d", __func__, msg_len);
+ buffer_clear(&m); + sshbuf_reset(m);
+ buffer_append_space(&m, msg_len); + if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
+ if (atomicio(read, fdin, buffer_ptr(&m), msg_len) != msg_len) { + fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ error("%s: Failed to read the the buffer conent from the child", __func__); + if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to read the the buffer content from the child", __func__);
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || + if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
+ atomicio(vwrite, pmonitor->m_recvfd, buffer_ptr(&m), msg_len) != msg_len) { + atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to write the messag to the monitor", __func__); + error("%s: Failed to write the message to the monitor", __func__);
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
+ } while (1); + } while (1);
+ buffer_free(&m); + sshbuf_free(m);
+ return ret; + return ret;
+} +}
+void mm_set_monitor_pipe(int fd) +void mm_set_monitor_pipe(int fd)
@ -51,24 +52,22 @@ index 89a1762..fe98e08 100644
+ pmonitor->m_recvfd = fd; + pmonitor->m_recvfd = fd;
+} +}
#endif /* SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */
diff --git a/monitor_wrap.h b/monitor_wrap.h diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
index e73134e..fbfe395 100644 --- openssh-7.4p1/monitor_wrap.h.audit-race 2016-12-23 16:35:52.694685771 +0100
--- a/monitor_wrap.h +++ openssh-7.4p1/monitor_wrap.h 2016-12-23 16:35:52.698685772 +0100
+++ b/monitor_wrap.h @@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int);
@@ -86,6 +86,8 @@ void mm_audit_unsupported_body(int); void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t);
void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t); void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t);
void mm_audit_session_key_free_body(int, pid_t, uid_t); void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
+int mm_forward_audit_messages(int); +int mm_forward_audit_messages(int);
+void mm_set_monitor_pipe(int); +void mm_set_monitor_pipe(int);
#endif #endif
struct Session; struct Session;
diff --git a/session.c b/session.c diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
index 8949fd1..9afb764 100644 --- openssh-7.4p1/session.c.audit-race 2016-12-23 16:35:52.695685771 +0100
--- a/session.c +++ openssh-7.4p1/session.c 2016-12-23 16:37:26.339730596 +0100
+++ b/session.c @@ -162,6 +162,10 @@ static Session *sessions = NULL;
@@ -159,6 +159,10 @@ static Session *sessions = NULL;
login_cap_t *lc; login_cap_t *lc;
#endif #endif
@ -79,18 +78,46 @@ index 8949fd1..9afb764 100644
static int is_child = 0; static int is_child = 0;
static int in_chroot = 0; static int in_chroot = 0;
static int have_dev_log = 1; static int have_dev_log = 1;
@@ -875,6 +879,8 @@ do_exec(Session *s, const char *command) @@ -289,6 +293,8 @@ xauth_valid_string(const char *s)
return 1;
}
+void child_destory_sensitive_data(struct ssh *ssh);
+
#define USE_PIPES 1
/*
* This is called to fork and execute a command when we have no tty. This
@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
close(err[0]);
#endif
+ child_destory_sensitive_data(ssh);
+
/* Do processing for the child (exec command etc). */
do_child(ssh, s, command);
/* NOTREACHED */
@@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
/* Close the extra descriptor for the pseudo tty. */
close(ttyfd);
+ /* Do this early, so we will not block large MOTDs */
+ child_destory_sensitive_data(ssh);
+
/* record login, etc. similar to login(1) */
#ifndef HAVE_OSF_SIA
do_login(ssh, s, command);
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
} }
if (s->command != NULL && s->ptyfd == -1) if (s->command != NULL && s->ptyfd == -1)
s->command_handle = PRIVSEP(audit_run_command(s->command)); s->command_handle = PRIVSEP(audit_run_command(ssh, s->command));
+ if (pipe(paudit) < 0) + if (pipe(paudit) < 0)
+ fatal("pipe: %s", strerror(errno)); + fatal("pipe: %s", strerror(errno));
#endif #endif
if (s->ttyfd != -1) if (s->ttyfd != -1)
ret = do_exec_pty(s, command); ret = do_exec_pty(ssh, s, command);
@@ -890,6 +896,20 @@ do_exec(Session *s, const char *command) @@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
*/ */
buffer_clear(&loginmsg); sshbuf_reset(loginmsg);
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ close(paudit[1]); + close(paudit[1]);
@ -109,10 +136,13 @@ index 8949fd1..9afb764 100644
return ret; return ret;
} }
@@ -1707,12 +1727,28 @@ do_child(Session *s, const char *command) @@ -1538,6 +1565,34 @@ child_close_fds(void)
struct passwd *pw = s->pw; log_redirect_stderr_to(NULL);
int r = 0; }
+void
+child_destory_sensitive_data(struct ssh *ssh)
+{
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ int pparent = paudit[1]; + int pparent = paudit[1];
+ close(paudit[0]); + close(paudit[0]);
@ -121,23 +151,37 @@ index 8949fd1..9afb764 100644
+ mm_set_monitor_pipe(pparent); + mm_set_monitor_pipe(pparent);
+#endif +#endif
+ +
/* remove hostkey from the child's memory */ + /* remove hostkey from the child's memory */
- destroy_sensitive_data(1); + destroy_sensitive_data(ssh, use_privsep);
- /* Don't audit this - both us and the parent would be talking to the
- monitor over a single socket, with no synchronization. */
+ destroy_sensitive_data(use_privsep);
+ /* + /*
+ * We can audit this, because wer hacked the pipe to direct the + * We can audit this, because we hacked the pipe to direct the
+ * messages over postauth child. But this message requires answer + * messages over postauth child. But this message requires answer
+ * which we can't do using one-way pipe. + * which we can't do using one-way pipe.
+ */ + */
packet_destroy_all(0, 1); + packet_destroy_all(ssh, 0, 1);
+ /* XXX this will clean the rest but should not audit anymore */
+ /* packet_clear_keys(ssh); */
+
+#ifdef SSH_AUDIT_EVENTS +#ifdef SSH_AUDIT_EVENTS
+ /* Notify parent that we are done */ + /* Notify parent that we are done */
+ close(pparent); + close(pparent);
+#endif +#endif
+}
+ +
/*
* Performs common processing for the child, such as setting up the
* environment, closing extra file descriptors, setting the user and group
@@ -1554,13 +1608,6 @@ do_child(Session *s, const char *command
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
- /* remove hostkey from the child's memory */
- destroy_sensitive_data(ssh, 1);
- ssh_packet_clear_keys(ssh);
- /* Don't audit this - both us and the parent would be talking to the
- monitor over a single socket, with no synchronization. */
- packet_destroy_all(ssh, 0, 1);
-
/* Force a password change */ /* Force a password change */
if (s->authctxt->force_pwchange) { if (s->authctxt->force_pwchange) {
do_setusercontext(pw); do_setusercontext(pw);

File diff suppressed because it is too large Load Diff

View File

@ -1,661 +0,0 @@
diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
--- openssh-7.2p1/cipher.c.fips 2016-02-12 18:53:56.083665235 +0100
+++ openssh-7.2p1/cipher.c 2016-02-12 18:53:56.090665235 +0100
@@ -39,6 +39,8 @@
#include <sys/types.h>
+#include <openssl/fips.h>
+
#include <string.h>
#include <stdarg.h>
#include <stdio.h>
@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[]
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
+static const struct sshcipher fips_ciphers[] = {
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "rijndael-cbc@lysator.liu.se",
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+#ifdef OPENSSL_HAVE_EVPGCM
+ { "aes128-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ { "aes256-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+#endif
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+};
+
/*--*/
/* Returns a comma-separated list of supported ciphers. */
@@ -109,7 +131,7 @@ cipher_alg_list(char sep, int auth_only)
size_t nlen, rlen = 0;
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++) {
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2)
continue;
if (auth_only && c->auth_len == 0)
@@ -193,7 +215,7 @@ const struct sshcipher *
cipher_by_name(const char *name)
{
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcmp(c->name, name) == 0)
return c;
return NULL;
@@ -203,7 +225,7 @@ const struct sshcipher *
cipher_by_number(int id)
{
const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (c->number == id)
return c;
return NULL;
@@ -244,7 +266,7 @@ cipher_number(const char *name)
const struct sshcipher *c;
if (name == NULL)
return -1;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
diff -up openssh-7.2p1/cipher-ctr.c.fips openssh-7.2p1/cipher-ctr.c
--- openssh-7.2p1/cipher-ctr.c.fips 2016-02-12 18:53:56.013665228 +0100
+++ openssh-7.2p1/cipher-ctr.c 2016-02-12 18:53:56.090665235 +0100
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh-7.2p1/dh.h.fips openssh-7.2p1/dh.h
--- openssh-7.2p1/dh.h.fips 2016-02-12 18:53:56.090665235 +0100
+++ openssh-7.2p1/dh.h 2016-02-12 18:54:48.425670204 +0100
@@ -49,6 +49,7 @@ u_int dh_estimate(int);
* Miniumum increased in light of DH precomputation attacks.
*/
#define DH_GRP_MIN 2048
+#define DH_GRP_MIN_FIPS 2048
#define DH_GRP_MAX 8192
/*
diff -up openssh-7.2p1/entropy.c.fips openssh-7.2p1/entropy.c
--- openssh-7.2p1/entropy.c.fips 2016-02-12 18:53:56.005665227 +0100
+++ openssh-7.2p1/entropy.c 2016-02-12 18:53:56.091665235 +0100
@@ -217,6 +217,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ /* clean the PRNG status when exiting the program */
+ atexit(RAND_cleanup);
+
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding");
diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
--- openssh-7.2p1/kex.c.fips 2016-02-12 18:53:56.084665234 +0100
+++ openssh-7.2p1/kex.c 2016-02-12 18:53:56.091665235 +0100
@@ -35,6 +35,7 @@
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
+#include <openssl/fips.h>
#endif
#include "ssh2.h"
@@ -121,6 +122,25 @@ static const struct kexalg kexalgs[] = {
{ NULL, -1, -1, -1},
};
+static const struct kexalg kexalgs_fips[] = {
+ { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+#ifdef HAVE_EVP_SHA256
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
+#endif
+#ifdef OPENSSL_HAS_ECC
+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
+ SSH_DIGEST_SHA384 },
+# ifdef OPENSSL_HAS_NISTP521
+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
+ SSH_DIGEST_SHA512 },
+# endif
+#endif
+ { NULL, -1, -1, -1},
+};
+
char *
kex_alg_list(char sep)
{
@@ -148,7 +168,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
- for (k = kexalgs; k->name != NULL; k++) {
+ for (k = (FIPS_mode() ? kexalgs_fips : kexalgs); k->name != NULL; k++) {
if (strcmp(k->name, name) == 0)
return k;
#ifdef GSSAPI
@@ -174,7 +194,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
- error("Unsupported KEX algorithm \"%.100s\"", p);
+ if (FIPS_mode())
+ error("\"%.100s\" is not allowed in FIPS mode", p);
+ else
+ error("Unsupported KEX algorithm \"%.100s\"", p);
free(s);
return 0;
}
diff -up openssh-7.2p1/kexgexc.c.fips openssh-7.2p1/kexgexc.c
--- openssh-7.2p1/kexgexc.c.fips 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/kexgexc.c 2016-02-12 18:53:56.091665235 +0100
@@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL
+#include <openssl/fips.h>
#include <sys/param.h>
#include <sys/types.h>
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8);
- kex->min = DH_GRP_MIN;
+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
diff -up openssh-7.2p1/kexgexs.c.fips openssh-7.2p1/kexgexs.c
--- openssh-7.2p1/kexgexs.c.fips 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/kexgexs.c 2016-02-12 18:53:56.091665235 +0100
@@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits;
kex->min = min;
kex->max = max;
- min = MAX(DH_GRP_MIN, min);
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
max = MIN(DH_GRP_MAX, max);
- nbits = MAX(DH_GRP_MIN, nbits);
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
nbits = MIN(DH_GRP_MAX, nbits);
if (kex->max < kex->min || kex->nbits < kex->min ||
diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
--- openssh-7.2p1/mac.c.fips 2016-02-12 18:53:56.084665234 +0100
+++ openssh-7.2p1/mac.c 2016-02-12 18:53:56.091665235 +0100
@@ -27,6 +27,8 @@
#include <sys/types.h>
+#include <openssl/fips.h>
+
#include <string.h>
#include <stdio.h>
@@ -54,7 +56,7 @@ struct macalg {
int etm; /* Encrypt-then-MAC */
};
-static const struct macalg macs[] = {
+static const struct macalg all_macs[] = {
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
@@ -85,6 +87,24 @@ static const struct macalg macs[] = {
{ NULL, 0, 0, 0, 0, 0, 0 }
};
+static const struct macalg fips_macs[] = {
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
+#endif
+
+ /* Encrypt-then-MAC variants */
+ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
+#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
+ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
+#endif
+
+ { NULL, 0, 0, 0, 0, 0, 0 }
+};
+
/* Returns a list of supported MACs separated by the specified char. */
char *
mac_alg_list(char sep)
@@ -93,7 +113,7 @@ mac_alg_list(char sep)
size_t nlen, rlen = 0;
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
if (ret != NULL)
ret[rlen++] = sep;
nlen = strlen(m->name);
@@ -132,7 +152,7 @@ mac_setup(struct sshmac *mac, char *name
{
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
--- openssh-7.2p1/Makefile.in.fips 2016-02-12 18:53:56.085665235 +0100
+++ openssh-7.2p1/Makefile.in 2016-02-12 18:53:56.092665235 +0100
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-7.2p1/myproposal.h.fips openssh-7.2p1/myproposal.h
--- openssh-7.2p1/myproposal.h.fips 2016-02-12 18:53:56.092665235 +0100
+++ openssh-7.2p1/myproposal.h 2016-02-12 18:55:42.137675304 +0100
@@ -129,6 +129,28 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC
+#define KEX_DEFAULT_KEX_FIPS \
+ KEX_ECDH_METHODS \
+ KEX_SHA256_METHODS \
+ "diffie-hellman-group-exchange-sha1," \
+ "diffie-hellman-group14-sha1"
+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
+#ifdef HAVE_EVP_SHA256
+#define KEX_FIPS_MAC \
+ "hmac-sha1," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512," \
+ "hmac-sha1-etm@openssh.com," \
+ "hmac-sha2-256-etm@openssh.com," \
+ "hmac-sha2-512-etm@openssh.com"
+#else
+#define KEX_FIPS_MAC \
+ "hmac-sha1"
+#endif
+
#else /* WITH_OPENSSL */
#define KEX_SERVER_KEX \
diff -up openssh-7.2p1/readconf.c.fips openssh-7.2p1/readconf.c
--- openssh-7.2p1/readconf.c.fips 2016-02-12 18:53:56.073665234 +0100
+++ openssh-7.2p1/readconf.c 2016-02-12 18:53:56.092665235 +0100
@@ -1969,9 +1969,12 @@ fill_default_options(Options * options)
}
if (options->update_hostkeys == -1)
options->update_hostkeys = 0;
- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
- kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
- kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
+ : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
+ : KEX_CLIENT_MAC), &options->macs) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
+ : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
&options->hostbased_key_types) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
--- openssh-7.2p1/servconf.c.fips 2016-02-12 18:53:56.068665233 +0100
+++ openssh-7.2p1/servconf.c 2016-02-12 18:56:52.185681954 +0100
@@ -188,9 +188,12 @@ option_clear_or_none(const char *o)
static void
assemble_algorithms(ServerOptions *o)
{
- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
- kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
- kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
+ : KEX_SERVER_ENCRYPT), &o->ciphers) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
+ : KEX_SERVER_MAC), &o->macs) != 0 ||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
+ : KEX_SERVER_KEX), &o->kex_algorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
&o->hostkeyalgorithms) != 0 ||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
@@ -2376,8 +2379,10 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2392,8 +2397,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- dump_cfg_string(sKexAlgorithms,
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
--- openssh-7.2p1/ssh.c.fips 2016-02-12 11:47:25.000000000 +0100
+++ openssh-7.2p1/ssh.c 2016-02-12 18:53:56.093665236 +0100
@@ -75,6 +75,8 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#endif
+#include <openssl/fips.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -531,6 +533,14 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)){
+ if (FIPS_mode())
+ fatal("FIPS integrity verification test failed.");
+ else
+ logit("FIPS integrity verification test failed.");
+ }
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
@@ -608,6 +618,9 @@ main(int ac, char **av)
"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
+ if (FIPS_mode()) {
+ fatal("Protocol 1 not allowed in the FIPS mode.");
+ }
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -952,7 +965,6 @@ main(int ac, char **av)
host_arg = xstrdup(host);
#ifdef WITH_OPENSSL
- OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
#endif
@@ -1126,6 +1138,10 @@ main(int ac, char **av)
seed_rng();
+ if (FIPS_mode()) {
+ logit("FIPS mode initialized");
+ }
+
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
@@ -1206,6 +1222,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
+ if (FIPS_mode()) {
+ options.protocol &= SSH_PROTO_2;
+ if (options.protocol == 0)
+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode.");
+ }
+
/* Open a connection to the remote host. */
if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts,
diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
--- openssh-7.2p1/sshconnect2.c.fips 2016-02-12 18:53:56.074665234 +0100
+++ openssh-7.2p1/sshconnect2.c 2016-02-12 18:53:56.094665236 +0100
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
+#include <openssl/fips.h>
+
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -171,21 +173,26 @@ ssh_kex2(char *host, struct sockaddr *ho
#ifdef GSSAPI
if (options.gss_keyex) {
- /* Add the GSSAPI mechanisms currently supported on this
- * client to the key exchange algorithm proposal */
- orig = options.kex_algorithms;
-
- if (options.gss_trust_dns)
- gss_host = (char *)get_canonical_hostname(1);
- else
- gss_host = host;
-
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&options.kex_algorithms,
- "%s,%s", gss, orig);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = options.kex_algorithms;
+
+ if (options.gss_trust_dns)
+ gss_host = (char *)get_canonical_hostname(1);
+ else
+ gss_host = host;
+
+ gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms);
+ if (gss) {
+ debug("Offering GSSAPI proposal: %s", gss);
+ xasprintf(&options.kex_algorithms,
+ "%s,%s", gss, orig);
+ }
}
}
#endif
diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
--- openssh-7.2p1/sshd.c.fips 2016-02-12 18:53:56.088665235 +0100
+++ openssh-7.2p1/sshd.c 2016-02-12 18:53:56.094665236 +0100
@@ -66,6 +66,7 @@
#include <grp.h>
#include <pwd.h>
#include <signal.h>
+#include <syslog.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
@@ -77,6 +78,8 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/rand.h>
+#include <openssl/fips.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -1555,6 +1558,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)) {
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
+ if (FIPS_mode()) {
+ syslog(LOG_CRIT, "FIPS integrity verification test failed.");
+ cleanup_exit(255);
+ }
+ else
+ syslog(LOG_INFO, "FIPS integrity verification test failed.");
+ closelog();
+ }
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
@@ -1707,7 +1722,7 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
-#ifdef WITH_OPENSSL
+#if 0 /* FIPS */
OpenSSL_add_all_algorithms();
#endif
@@ -1906,6 +1921,10 @@ main(int ac, char **av)
sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
free(fp);
}
+ if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
+ options.protocol &= ~SSH_PROTO_1;
+ }
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
@@ -2074,6 +2093,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ if (FIPS_mode()) {
+ logit("FIPS mode initialized");
+ }
+
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
@@ -2695,10 +2718,14 @@ do_ssh2_kex(void)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL;
- if (options.gss_keyex)
- gss = ssh_gssapi_server_mechanisms();
- else
- gss = NULL;
+ if (options.gss_keyex) {
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ gss = ssh_gssapi_server_mechanisms();
+ }
+ }
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
--- openssh-7.2p1/sshkey.c.fips 2016-02-12 18:53:56.089665235 +0100
+++ openssh-7.2p1/sshkey.c 2016-02-12 18:53:56.095665236 +0100
@@ -35,6 +35,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+#include <openssl/fips.h>
#endif
#include "crypto_api.h"
@@ -1554,6 +1555,8 @@ rsa_generate_private_key(u_int bits, RSA
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
+ if (FIPS_mode())
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
index 688b1b1..a3c1541 100644
--- a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
@@ -55,6 +55,7 @@
#include "secure_filename.h"
#include "uidswap.h"
#include <unistd.h>
+#include <openssl/crypto.h>
#include "identity.h"
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
found_key = 1;
logit("matching key found: file/command %s, line %lu", file,
linenum);
- fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
+ SSH_FP_HEX);
logit("Found matching %s key: %s",
key_type(found), fp);
free(fp);

File diff suppressed because it is too large Load Diff

View File

@ -1,32 +0,0 @@
From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 13 Apr 2016 10:39:57 +1000
Subject: ignore PAM environment vars when UseLogin=yes
If PAM is configured to read user-specified environment variables
and UseLogin=yes in sshd_config, then a hostile local user may
attack /bin/login via LD_PRELOAD or similar environment variables
set via PAM.
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
---
session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/session.c b/session.c
index 4859245..4653b09 100644
--- a/session.c
+++ b/session.c
@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
* Pull in any environment variables that may have
* been set by PAM.
*/
- if (options.use_pam) {
+ if (options.use_pam && !options.use_login) {
char **p;
p = fetch_pam_child_environment();
--
cgit v0.11.2

View File

@ -1,102 +0,0 @@
diff --git a/configure.ac b/configure.ac
index aeef42a..d01e67e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4998,6 +4998,37 @@ if test -n "$conf_lastlog_location"; then
[Define if you want to specify the path to your lastlog file])
fi
+AC_ARG_WITH(libcap-ng,
+ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],,
+ with_libcap_ng=auto)
+
+dnl libcap-ng detection
+if test x$with_libcap_ng = xno ; then
+ have_libcap_ng=no;
+else
+ # Start by checking for header file
+ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
+
+ # See if we have libcap-ng library
+ AC_CHECK_LIB(cap-ng, capng_clear, CAPNG_LDADD=-lcap-ng,)
+
+ # Check results are usable
+ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
+ AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
+ fi
+ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
+ AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
+ fi
+fi
+AC_MSG_CHECKING(whether to use libcap-ng)
+if test x$CAPNG_LDADD != x ; then
+ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
+ SSHDLIBS="$SSHDLIBS -lcap-ng"
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+
dnl utmp detection
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
diff --git a/session.c b/session.c
index 6cfcba4..80d2806 100644
--- a/session.c
+++ b/session.c
@@ -96,6 +96,10 @@
#include "monitor_wrap.h"
#include "sftp.h"
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#endif
+
#if defined(KRB5) && defined(USE_AFS)
#include <kafs.h>
#endif
@@ -1586,6 +1590,7 @@ void
do_setusercontext(struct passwd *pw)
{
char *chroot_path, *tmp;
+ int dropped_suid = -1;
platform_setusercontext(pw);
@@ -1619,10 +1624,24 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL);
+#ifdef HAVE_LIBCAP_NG
+ /* drop suid soon, retain SYS_CHROOT capability */
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
+ if ((dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) != 0)
+ logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
+#endif
#ifdef WITH_SELINUX
sshd_selinux_copy_context();
#endif
safely_chroot(chroot_path, pw->pw_uid);
+#ifdef HAVE_LIBCAP_NG
+ /* Drop chroot capability. Already used */
+ if (dropped_suid == 0) {
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_apply(CAPNG_SELECT_BOTH);
+ }
+#endif
free(tmp);
free(chroot_path);
/* Make sure we don't attempt to chroot again */
@@ -1654,8 +1673,9 @@ do_setusercontext(struct passwd *pw)
if (!in_chroot && set_id(pw->pw_name) != 0)
fatal("set_id(%s) Failed", pw->pw_name);
# endif /* USE_LIBIAF */
- /* Permanently switch to the desired uid. */
- permanently_set_uid(pw);
+ /* Permanently switch to the desired uid if not yet done. */
+ if (dropped_suid != 0)
+ permanently_set_uid(pw);
#endif
#ifdef WITH_SELINUX

View File

@ -0,0 +1,87 @@
diff --git a/auth-krb5.c b/auth-krb5.c
index 2b02a04..19b9364 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -375,5 +375,21 @@ cleanup:
return (krb5_cc_resolve(ctx, ccname, ccache));
}
}
+
+/*
+ * Reads k5login_directory option from the krb5.conf
+ */
+krb5_error_code
+ssh_krb5_get_k5login_directory(krb5_context ctx, char **k5login_directory) {
+ profile_t p;
+ int ret = 0;
+
+ ret = krb5_get_profile(ctx, &p);
+ if (ret)
+ return ret;
+
+ return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
+ k5login_directory);
+}
#endif /* !HEIMDAL */
#endif /* KRB5 */
diff --git a/auth.h b/auth.h
index f9d191c..c432d2f 100644
--- a/auth.h
+++ b/auth.h
@@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
+ char **k5login_directory);
#endif
#endif /* AUTH_H */
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index a7c0c5f..df8cc9a 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists()
{
char file[MAXPATHLEN];
struct passwd *pw = the_authctxt->pw;
+ char *k5login_directory = NULL;
+ int ret = 0;
+
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
+ if (k5login_directory == NULL || ret != 0) {
+ /* If not set, the library will look for k5login
+ * files in the user's home directory, with the filename .k5login.
+ */
+ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
+ } else {
+ /* If set, the library will look for a local user's k5login file
+ * within the named directory, with a filename corresponding to the
+ * local username.
+ */
+ snprintf(file, sizeof(file), "%s%s%s", k5login_directory,
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
+ pw->pw_name);
+ }
+ debug("%s: Checking existence of file %s", __func__, file);
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
return access(file, F_OK) == 0;
}
diff --git a/sshd.8 b/sshd.8
index 5c4f15b..135e290 100644
--- a/sshd.8
+++ b/sshd.8
@@ -806,6 +806,10 @@ rlogin/rsh.
These files enforce GSSAPI/Kerberos authentication access control.
Further details are described in
.Xr ksu 1 .
+The location of the k5login file depends on the configuration option
+.Cm k5login_directory
+in the
+.Xr krb5.conf 5 .
.Pp
.It Pa ~/.ssh/
This directory is the default location for all user-specific configuration

View File

@ -0,0 +1,52 @@
Zseries only: Leave the hardware filedescriptors open.
All filedescriptors above 2 are getting closed when a new
sshd process to handle a new client connection is
spawned. As the process also chroot into an empty filesystem
without any device nodes, there is no chance to reopen the
files. This patch filters out the reqired fds in the
closefrom function so these are skipped in the close loop.
Author: Harald Freudenberger <freude@de.ibm.com>
---
openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
--- a/openbsd-compat/bsd-closefrom.c
+++ b/openbsd-compat/bsd-closefrom.c
@@ -82,7 +82,33 @@ closefrom(int lowfd)
fd = strtol(dent->d_name, &endp, 10);
if (dent->d_name != endp && *endp == '\0' &&
fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp))
+#ifdef __s390__
+ {
+ /*
+ * the filedescriptors used to communicate with
+ * the device drivers to provide hardware support
+ * should survive. HF <freude@de.ibm.com>
+ */
+ char fpath[PATH_MAX], lpath[PATH_MAX];
+ len = snprintf(fpath, sizeof(fpath), "%s/%s",
+ fdpath, dent->d_name);
+ if (len > 0 && (size_t)len <= sizeof(fpath)) {
+ len = readlink(fpath, lpath, sizeof(lpath));
+ if (len > 0) {
+ lpath[len] = 0;
+ if (strstr(lpath, "dev/z90crypt")
+ || strstr(lpath, "dev/zcrypt")
+ || strstr(lpath, "dev/prandom")
+ || strstr(lpath, "dev/shm/icastats"))
+ fd = -1;
+ }
+ }
+ if (fd >= 0)
+ (void) close((int) fd);
+ }
+#else
(void) close((int) fd);
+#endif
}
(void) closedir(dirp);
return;

View File

@ -1,215 +0,0 @@
From 9286875a73b2de7736b5e50692739d314cd8d9dc Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Fri, 15 Jul 2016 13:32:45 +1000
Subject: [PATCH] Determine appropriate salt for invalid users.
When sshd is processing a non-PAM login for a non-existent user it uses
the string from the fakepw structure as the salt for crypt(3)ing the
password supplied by the client. That string has a Blowfish prefix, so on
systems that don't understand that crypt will fail fast due to an invalid
salt, and even on those that do it may have significantly different timing
from the hash methods used for real accounts (eg sha512). This allows
user enumeration by, eg, sending large password strings. This was noted
by EddieEzra.Harari at verint.com (CVE-2016-6210).
To mitigate, use the same hash algorithm that root uses for hashing
passwords for users that do not exist on the system. ok djm@
---
auth-passwd.c | 12 ++++++++----
openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/auth-passwd.c b/auth-passwd.c
index 63ccf3c..530b5d4 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -193,7 +193,7 @@ int
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
struct passwd *pw = authctxt->pw;
- char *encrypted_password;
+ char *encrypted_password, *salt = NULL;
/* Just use the supplied fake password if authctxt is invalid */
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
@@ -202,9 +202,13 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
return (1);
- /* Encrypt the candidate password using the proper salt. */
- encrypted_password = xcrypt(password,
- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
+ /*
+ * Encrypt the candidate password using the proper salt, or pass a
+ * NULL and let xcrypt pick one.
+ */
+ if (authctxt->valid && pw_password[0] && pw_password[1])
+ salt = pw_password;
+ encrypted_password = xcrypt(password, salt);
/*
* Authentication is accepted if the encrypted passwords
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
index 8577cbd..8913bb8 100644
--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -25,6 +25,7 @@
#include "includes.h"
#include <sys/types.h>
+#include <string.h>
#include <unistd.h>
#include <pwd.h>
@@ -62,11 +63,44 @@
# define crypt DES_crypt
# endif
+/*
+ * Pick an appropriate password encryption type and salt for the running
+ * system.
+ */
+static const char *
+pick_salt(void)
+{
+ struct passwd *pw;
+ char *passwd, *p;
+ size_t typelen;
+ static char salt[32];
+
+ if (salt[0] != '\0')
+ return salt;
+ strlcpy(salt, "xx", sizeof(salt));
+ if ((pw = getpwuid(0)) == NULL)
+ return salt;
+ passwd = shadow_pw(pw);
+ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
+ return salt; /* no $, DES */
+ typelen = p - passwd + 1;
+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
+ explicit_bzero(passwd, strlen(passwd));
+ return salt;
+}
+
char *
xcrypt(const char *password, const char *salt)
{
char *crypted;
+ /*
+ * If we don't have a salt we are encrypting a fake password for
+ * for timing purposes. Pick an appropriate salt.
+ */
+ if (salt == NULL)
+ salt = pick_salt();
+
# ifdef HAVE_MD5_PASSWORDS
if (is_md5_salt(salt))
crypted = md5_crypt(password, salt);
From 283b97ff33ea2c641161950849931bd578de6946 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Fri, 15 Jul 2016 13:49:44 +1000
Subject: [PATCH] Mitigate timing of disallowed users PAM logins.
When sshd decides to not allow a login (eg PermitRootLogin=no) and
it's using PAM, it sends a fake password to PAM so that the timing for
the failure is not noticeably different whether or not the password
is correct. This behaviour can be detected by sending a very long
password string which is slower to hash than the fake password.
Mitigate by constructing an invalid password that is the same length
as the one from the client and thus takes the same time to hash.
Diff from djm@
---
auth-pam.c | 35 +++++++++++++++++++++++++++++++----
1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/auth-pam.c b/auth-pam.c
index 451de78..465b5a7 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -232,7 +232,6 @@ static int sshpam_account_status = -1;
static char **sshpam_env = NULL;
static Authctxt *sshpam_authctxt = NULL;
static const char *sshpam_password = NULL;
-static char badpw[] = "\b\n\r\177INCORRECT";
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
@@ -795,12 +794,35 @@ sshpam_query(void *ctx, char **name, char **info,
return (-1);
}
+/*
+ * Returns a junk password of identical length to that the user supplied.
+ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
+ * vary processing time in proportion to password length.
+ */
+static char *
+fake_password(const char *wire_password)
+{
+ const char junk[] = "\b\n\r\177INCORRECT";
+ char *ret = NULL;
+ size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
+
+ if (l >= INT_MAX)
+ fatal("%s: password length too long: %zu", __func__, l);
+
+ ret = malloc(l + 1);
+ for (i = 0; i < l; i++)
+ ret[i] = junk[i % (sizeof(junk) - 1)];
+ ret[i] = '\0';
+ return ret;
+}
+
/* XXX - see also comment in auth-chall.c:verify_response */
static int
sshpam_respond(void *ctx, u_int num, char **resp)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
+ char *fake;
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
@@ -821,8 +843,11 @@ sshpam_respond(void *ctx, u_int num, char **resp)
(sshpam_authctxt->pw->pw_uid != 0 ||
options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
- else
- buffer_put_cstring(&buffer, badpw);
+ else {
+ fake = fake_password(*resp);
+ buffer_put_cstring(&buffer, fake);
+ free(fake);
+ }
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
buffer_free(&buffer);
return (-1);
@@ -1166,6 +1191,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
{
int flags = (options.permit_empty_passwd == 0 ?
PAM_DISALLOW_NULL_AUTHTOK : 0);
+ char *fake = NULL;
if (!options.use_pam || sshpam_handle == NULL)
fatal("PAM: %s called when PAM disabled or failed to "
@@ -1181,7 +1207,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
*/
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
options.permit_root_login != PERMIT_YES))
- sshpam_password = badpw;
+ sshpam_password = fake = fake_password(password);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&passwd_conv);
@@ -1191,6 +1217,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
sshpam_err = pam_authenticate(sshpam_handle, flags);
sshpam_password = NULL;
+ free(fake);
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);

View File

@ -1,7 +1,7 @@
diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
--- openssh-5.3p1/channels.c.bz595935 2010-08-12 14:19:28.000000000 +0200 --- openssh-7.2p2/channels.c.x11 2016-03-09 19:04:48.000000000 +0100
+++ openssh-5.3p1/channels.c 2010-08-12 14:33:51.000000000 +0200 +++ openssh-7.2p2/channels.c 2016-06-03 10:42:04.775164520 +0200
@@ -3185,7 +3185,7 @@ x11_create_display_inet(int x11_display_ @@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
} }
static int static int
@ -10,14 +10,16 @@ diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
{ {
int sock; int sock;
struct sockaddr_un addr; struct sockaddr_un addr;
@@ -3195,11 +3195,14 @@ connect_local_xsocket_path(const char *p
+ if (len <= 0)
+ return -1;
sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock == -1)
error("socket: %.100s", strerror(errno)); error("socket: %.100s", strerror(errno));
memset(&addr, 0, sizeof(addr)); memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX; addr.sun_family = AF_UNIX;
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); - strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
- if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) - if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
+ if (len <= 0)
+ return -1;
+ if (len > sizeof addr.sun_path) + if (len > sizeof addr.sun_path)
+ len = sizeof addr.sun_path; + len = sizeof addr.sun_path;
+ memcpy(addr.sun_path, pathname, len); + memcpy(addr.sun_path, pathname, len);
@ -28,7 +30,7 @@ diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
return -1; return -1;
} }
@@ -3207,8 +3210,18 @@ static int @@ -4012,8 +4015,18 @@ static int
connect_local_xsocket(u_int dnr) connect_local_xsocket(u_int dnr)
{ {
char buf[1024]; char buf[1024];
@ -48,4 +50,4 @@ diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
+ return -1; + return -1;
} }
int #ifdef __APPLE__

View File

@ -1,48 +0,0 @@
From 28652bca29046f62c7045e933e6b931de1d16737 Mon Sep 17 00:00:00 2001
From: "markus@openbsd.org" <markus@openbsd.org>
Date: Mon, 19 Sep 2016 19:02:19 +0000
Subject: upstream commit
move inbound NEWKEYS handling to kex layer; otherwise
early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed
with & ok djm@
Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
---
kex.c | 4 +++-
packet.c | 6 ++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
index f4c130f..8800d40 100644
--- a/kex.c
+++ b/kex.c
@@ -425,6 +425,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
if ((r = sshpkt_get_end(ssh)) != 0)
return r;
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
+ return r;
kex->done = 1;
sshbuf_reset(kex->peer);
/* sshbuf_reset(kex->my); */
diff --git a/packet.c b/packet.c
index 711091d..fb316ac 100644
--- a/packet.c
+++ b/packet.c
@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
return r;
return SSH_ERR_PROTOCOL_ERROR;
}
- if (*typep == SSH2_MSG_NEWKEYS)
- r = ssh_set_newkeys(ssh, MODE_IN);
- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
r = ssh_packet_enable_delayed_compress(ssh);
else
r = 0;
--
cgit v0.12
0

View File

@ -0,0 +1,213 @@
diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
#define FWD_PERMIT_ANY_HOST "*"
/* -- X11 forwarding */
-/* Maximum number of fake X11 displays to try. */
-#define MAX_DISPLAYS 1000
+/* Minimum port number for X11 forwarding */
+#define X11_PORT_MIN 6000
/* Per-channel callback for pre/post select() actions */
typedef void chan_fn(struct ssh *, Channel *c,
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
*/
int
x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
- int x11_use_localhost, int single_connection,
+ int x11_use_localhost, int x11_max_displays, int single_connection,
u_int *display_numberp, int **chanids)
{
Channel *nc = NULL;
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
if (chanids == NULL)
return -1;
+ /* Try to bind ports starting at 6000+X11DisplayOffset */
+ x11_max_displays = x11_max_displays + x11_display_offset;
+
for (display_number = x11_display_offset;
- display_number < MAX_DISPLAYS;
+ display_number < x11_max_displays;
display_number++) {
- port = 6000 + display_number;
+ port = X11_PORT_MIN + display_number;
+ if (port < X11_PORT_MIN) /* overflow */
+ break;
memset(&hints, 0, sizeof(hints));
hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
if (num_socks > 0)
break;
}
- if (display_number >= MAX_DISPLAYS) {
+ if (display_number >= x11_max_displays || port < X11_PORT_MIN ) {
error("Failed to allocate internet-domain X11 display socket.");
return -1;
}
@@ -4441,7 +4447,7 @@ x11_connect_display(void)
memset(&hints, 0, sizeof(hints));
hints.ai_family = ssh->chanctxt->IPv4or6;
hints.ai_socktype = SOCK_STREAM;
- snprintf(strport, sizeof strport, "%u", 6000 + display_number);
+ snprintf(strport, sizeof strport, "%u", X11_PORT_MIN + display_number);
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
error("%.100s: unknown host. (%s)", buf,
ssh_gai_strerror(gaierr));
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
/* Connect it to the display. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
debug2("connect %.100s port %u: %.100s", buf,
- 6000 + display_number, strerror(errno));
+ X11_PORT_MIN + display_number, strerror(errno));
close(sock);
continue;
}
@@ -4466,8 +4472,8 @@ x11_connect_display(void)
}
freeaddrinfo(aitop);
if (!ai) {
- error("connect %.100s port %u: %.100s", buf,
- 6000 + display_number, strerror(errno));
+ error("connect %.100s port %u: %.100s", buf,
+ X11_PORT_MIN + display_number, strerror(errno));
return -1;
}
set_nodelay(sock);
diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
--- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
void channel_set_x11_refuse_time(struct ssh *, u_int);
int x11_connect_display(struct ssh *);
-int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
+int x11_create_display_inet(struct ssh *, int, int, int, int, u_int *, int **);
void x11_request_forwarding_with_spoofing(struct ssh *, int,
const char *, const char *, const char *, int);
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions
options->print_lastlog = -1;
options->x11_forwarding = -1;
options->x11_display_offset = -1;
+ options->x11_max_displays = -1;
options->x11_use_localhost = -1;
options->permit_tty = -1;
options->permit_user_rc = -1;
@@ -243,6 +244,8 @@ fill_default_server_options(ServerOption
options->x11_forwarding = 0;
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
+ if (options->x11_max_displays == -1)
+ options->x11_max_displays = DEFAULT_MAX_DISPLAYS;
if (options->x11_use_localhost == -1)
options->x11_use_localhost = 1;
if (options->xauth_location == NULL)
@@ -419,7 +422,7 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@@ -540,6 +543,7 @@ static struct {
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
+ { "x11maxdisplays", sX11MaxDisplays, SSHCFG_ALL },
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -1316,6 +1320,10 @@ process_server_config_line(ServerOptions
*intptr = value;
break;
+ case sX11MaxDisplays:
+ intptr = &options->x11_max_displays;
+ goto parse_int;
+
case sX11UseLocalhost:
intptr = &options->x11_use_localhost;
goto parse_flag;
@@ -2063,6 +2071,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
M_CP_INTOPT(x11_display_offset);
M_CP_INTOPT(x11_forwarding);
+ M_CP_INTOPT(x11_max_displays);
M_CP_INTOPT(x11_use_localhost);
M_CP_INTOPT(permit_tty);
M_CP_INTOPT(permit_user_rc);
@@ -2315,6 +2324,7 @@ dump_config(ServerOptions *o)
#endif
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
+ dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
dump_cfg_int(sMaxAuthTries, o->max_authtries);
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
--- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100
+++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100
@@ -55,6 +55,7 @@
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
+#define DEFAULT_MAX_DISPLAYS 1000 /* Maximum number of fake X11 displays to try. */
/* Magic name for internal sftp-server */
#define INTERNAL_SFTP_NAME "internal-sftp"
@@ -85,6 +86,7 @@ typedef struct {
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
int x11_display_offset; /* What DISPLAY number to start
* searching at */
+ int x11_max_displays; /* Number of displays to search */
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
char *xauth_location; /* Location of xauth program */
int permit_tty; /* If false, deny pty allocation */
diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
--- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100
+++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100
@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
return 0;
}
if (x11_create_display_inet(ssh, options.x11_display_offset,
- options.x11_use_localhost, s->single_connection,
- &s->display_number, &s->x11_chanids) == -1) {
+ options.x11_use_localhost, options.x11_max_displays,
+ s->single_connection, &s->display_number,
+ &s->x11_chanids) == -1) {
debug("x11_create_display_inet failed.");
return 0;
}
diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
--- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100
@@ -1133,6 +1133,7 @@ Available keywords are
.Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys ,
.Cm X11DisplayOffset ,
+.Cm X11MaxDisplays ,
.Cm X11Forwarding
and
.Cm X11UseLocalhost .
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
X11 forwarding.
This prevents sshd from interfering with real X11 servers.
The default is 10.
+.It Cm X11MaxDisplays
+Specifies the maximum number of displays available for
+.Xr sshd 8 Ns 's
+X11 forwarding.
+This prevents sshd from exhausting local ports.
+The default is 1000.
.It Cm X11Forwarding
Specifies whether X11 forwarding is permitted.
The argument must be

View File

@ -0,0 +1,98 @@
commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31
Author: Jakub Jelen <jjelen@redhat.com>
Date: Mon Nov 21 15:04:06 2016 +0100
systemd stuff
diff --git a/configure.ac b/configure.ac
index 2ffc369..162ce92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5],
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
+# Check whether user wants systemd support
+SYSTEMD_MSG="no"
+AC_ARG_WITH(systemd,
+ [ --with-systemd Enable systemd support],
+ [ if test "x$withval" != "xno" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "$PKGCONFIG" != "no"; then
+ AC_MSG_CHECKING([for libsystemd])
+ if $PKGCONFIG --exists libsystemd; then
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
+ SYSTEMD_MSG="yes"
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ fi ]
+)
+
+
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
+echo " systemd support: $SYSTEMD_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff --git a/contrib/sshd.service b/contrib/sshd.service
new file mode 100644
index 0000000..e0d4923
--- /dev/null
+++ b/contrib/sshd.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenSSH server daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/sbin/sshd -D $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+RestartPreventExitStatus=255
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/sshd.c b/sshd.c
index 816611c..b8b9d13 100644
--- a/sshd.c
+++ b/sshd.c
@@ -85,6 +85,10 @@
#include <prot.h>
#endif
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
@@ -1888,6 +1892,11 @@ main(int ac, char **av)
}
}
+#ifdef HAVE_SYSTEMD
+ /* Signal systemd that we are ready to accept connections */
+ sd_notify(0, "READY=1");
+#endif
+
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);

View File

@ -0,0 +1,86 @@
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
sandbox-seccomp-filter.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ca75cc7..6e7de31 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_exit_group
SC_ALLOW(__NR_exit_group),
#endif
+#if defined(__NR_flock) && defined(__s390__)
+ SC_ALLOW(__NR_flock),
+#endif
#ifdef __NR_futex
SC_ALLOW(__NR_futex),
#endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_gettimeofday
SC_ALLOW(__NR_gettimeofday),
#endif
+#if defined(__NR_ipc) && defined(__s390__)
+ SC_ALLOW(__NR_ipc),
+#endif
#ifdef __NR_getuid
SC_ALLOW(__NR_getuid),
#endif
--
1.9.1
getuid and geteuid are needed when using an openssl engine that calls a
crypto card, e.g. ICA (libica).
Those syscalls are also needed by the distros for audit code.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
sandbox-seccomp-filter.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6e7de31..e86aa2c 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_getpid
SC_ALLOW(__NR_getpid),
#endif
+#ifdef __NR_getuid
+ SC_ALLOW(__NR_getuid),
+#endif
+#ifdef __NR_getuid32
+ SC_ALLOW(__NR_getuid32),
+#endif
+#ifdef __NR_geteuid
+ SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+ SC_ALLOW(__NR_geteuid32),
+#endif
#ifdef __NR_getrandom
SC_ALLOW(__NR_getrandom),
#endif
-- 1.9.1
1.9.1
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
+++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
#ifdef __NR_geteuid32
SC_ALLOW(__NR_geteuid32),
#endif
+#ifdef __NR_gettid
+ SC_ALLOW(__NR_gettid),
+#endif
#ifdef __NR_getrandom
SC_ALLOW(__NR_getrandom),
#endif

2326
openssh-7.6p1-audit.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,271 @@
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
@@ -72,6 +72,9 @@
extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
+extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt;
static char *
format_key(const struct sshkey *key)
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out;
uid_swapped = 1;
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out;
uid_swapped = 1;
diff -up openssh/auth.c.refactor openssh/auth.c
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
*/
pid_t
subprocess(const char *tag, struct passwd *pw, const char *command,
- int ac, char **av, FILE **child, u_int flags)
+ int ac, char **av, FILE **child, u_int flags, int inetd,
+ void *the_authctxt)
{
FILE *f = NULL;
struct stat st;
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
}
#ifdef WITH_SELINUX
- if (sshd_selinux_setup_env_variables() < 0) {
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
error ("failed to copy environment: %s",
strerror(errno));
_exit(127);
diff -up openssh/auth.h.refactor openssh/auth.h
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
pid_t subprocess(const char *, struct passwd *,
- const char *, int, char **, FILE **, u_int flags);
+ const char *, int, char **, FILE **, u_int flags, int, void *);
int sys_auth_passwd(struct ssh *, const char *);
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
-void sshd_selinux_setup_exec_context(char *);
-int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
+int sshd_selinux_setup_env_variables(int inetd, void *);
void sshd_selinux_change_privsep_preauth_context(void);
#endif
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200
@@ -49,11 +49,6 @@
#include <unistd.h>
#endif
-extern ServerOptions options;
-extern Authctxt *the_authctxt;
-extern int inetd_flag;
-extern int rexeced_flag;
-
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
sshd_selinux_enabled(void)
@@ -223,7 +218,8 @@ get_user_context(const char *sename, con
}
static void
-ssh_selinux_get_role_level(char **role, const char **level)
+ssh_selinux_get_role_level(char **role, const char **level,
+ Authctxt *the_authctxt)
{
*role = NULL;
*level = NULL;
@@ -241,8 +237,8 @@ ssh_selinux_get_role_level(char **role,
/* Return the default security context for the given username */
static int
-sshd_selinux_getctxbyname(char *pwname,
- security_context_t *default_sc, security_context_t *user_sc)
+sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
+ security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
{
char *sename, *lvl;
char *role;
@@ -250,7 +246,7 @@ sshd_selinux_getctxbyname(char *pwname,
int r = 0;
context_t con = NULL;
- ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
#ifdef HAVE_GETSEUSERBYNAME
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -272,7 +268,7 @@ sshd_selinux_getctxbyname(char *pwname,
if (r == 0) {
/* If launched from xinetd, we must use current level */
- if (inetd_flag && !rexeced_flag) {
+ if (inetd) {
security_context_t sshdsc=NULL;
if (getcon_raw(&sshdsc) < 0)
@@ -333,7 +329,8 @@ sshd_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */
static int
-sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
+ Authctxt *the_authctxt)
{
const char *reqlvl;
char *role;
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
debug3("%s: setting execution context", __func__);
- ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
- if (inetd_flag && !rexeced_flag) {
+ if (inetd) {
use_current = "1";
} else {
use_current = "";
@@ -362,9 +359,10 @@ sshd_selinux_setup_variables(int(*set_it
}
static int
-sshd_selinux_setup_pam_variables(void)
+sshd_selinux_setup_pam_variables(int inetd,
+ int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
{
- return sshd_selinux_setup_variables(do_pam_putenv);
+ return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
}
static int
@@ -374,25 +372,28 @@ do_setenv(char *name, const char *value)
}
int
-sshd_selinux_setup_env_variables(void)
+sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
{
- return sshd_selinux_setup_variables(do_setenv);
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
+ return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
}
/* Set the execution context to the default for the specified user */
void
-sshd_selinux_setup_exec_context(char *pwname)
+sshd_selinux_setup_exec_context(char *pwname, int inetd,
+ int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
{
security_context_t user_ctx = NULL;
int r = 0;
security_context_t default_ctx = NULL;
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
if (!sshd_selinux_enabled())
return;
- if (options.use_pam) {
+ if (use_pam) {
/* do not compute context, just setup environment for pam_selinux */
- if (sshd_selinux_setup_pam_variables()) {
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
switch (security_getenforce()) {
case -1:
fatal("%s: security_getenforce() failed", __func__);
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: setting execution context", __func__);
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
if (r >= 0) {
r = setexeccon(user_ctx);
if (r < 0) {
diff -up openssh/platform.c.refactor openssh/platform.c
--- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200
+++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200
@@ -32,6 +32,9 @@
extern int use_privsep;
extern ServerOptions options;
+extern int inetd_flag;
+extern int rexeced_flag;
+extern Authctxt *the_authctxt;
void
platform_pre_listen(void)
@@ -183,7 +186,9 @@ platform_setusercontext_post_groups(stru
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(pw->pw_name);
+ sshd_selinux_setup_exec_context(pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
}
diff -up openssh/sshd.c.refactor openssh/sshd.c
--- openssh/sshd.c.refactor 2019-04-04 13:19:12.275822068 +0200
+++ openssh/sshd.c 2019-04-04 13:19:51.270195262 +0200
@@ -158,7 +158,7 @@ int debug_flag = 0;
static int test_flag = 0;
/* Flag indicating that the daemon is being started from inetd. */
-static int inetd_flag = 0;
+int inetd_flag = 0;
/* Flag indicating that sshd should not detach and become a daemon. */
static int no_daemon_flag = 0;
@@ -171,7 +171,7 @@ static char **saved_argv;
static int saved_argc;
/* re-exec */
-static int rexeced_flag = 0;
+int rexeced_flag = 0;
static int rexec_flag = 1;
static int rexec_argc = 0;
static char **rexec_argv;
@@ -2192,7 +2192,9 @@ main(int ac, char **av)
}
#endif
#ifdef WITH_SELINUX
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
+ options.use_pam);
#endif
#ifdef USE_PAM
if (options.use_pam) {

457
openssh-7.7p1-fips.patch Normal file
View File

@ -0,0 +1,457 @@
diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
--- openssh-8.0p1/cipher-ctr.c.fips 2019-07-23 14:55:45.326525641 +0200
+++ openssh-8.0p1/cipher-ctr.c 2019-07-23 14:55:45.401526401 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max
int best, bestcount, which, linenum;
struct dhgroup dhg;
+ if (FIPS_mode()) {
+ logit("Using arbitrary primes is not allowed in FIPS mode."
+ " Falling back to known groups.");
+ return (dh_new_group_fallback(max));
+ }
+
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
logit("WARNING: could not open %s (%s), using fixed modulus",
_PATH_DH_MODULI, strerror(errno));
@@ -489,4 +495,38 @@ dh_estimate(int bits)
return 8192;
}
+/*
+ * Compares the received DH parameters with known-good groups,
+ * which might be either from group14, group16 or group18.
+ */
+int
+dh_is_known_group(const DH *dh)
+{
+ const BIGNUM *p, *g;
+ const BIGNUM *known_p, *known_g;
+ DH *known = NULL;
+ int bits = 0, rv = 0;
+
+ DH_get0_pqg(dh, &p, NULL, &g);
+ bits = BN_num_bits(p);
+
+ if (bits <= 3072) {
+ known = dh_new_group14();
+ } else if (bits <= 6144) {
+ known = dh_new_group16();
+ } else {
+ known = dh_new_group18();
+ }
+
+ DH_get0_pqg(known, &known_p, NULL, &known_g);
+
+ if (BN_cmp(g, known_g) == 0 &&
+ BN_cmp(p, known_p) == 0) {
+ rv = 1;
+ }
+
+ DH_free(known);
+ return rv;
+}
+
#endif /* WITH_OPENSSL */
diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h
--- openssh-8.0p1/dh.h.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/dh.h 2019-07-23 14:55:45.401526401 +0200
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int);
int dh_gen_key(DH *, int);
int dh_pub_is_valid(const DH *, const BIGNUM *);
+int dh_is_known_group(const DH *);
u_int dh_estimate(int);
diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
--- openssh-8.0p1/kex.c.fips 2019-07-23 14:55:45.395526340 +0200
+++ openssh-8.0p1/kex.c 2019-07-23 14:55:45.402526411 +0200
@@ -199,7 +199,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
- error("Unsupported KEX algorithm \"%.100s\"", p);
+ if (FIPS_mode())
+ error("\"%.100s\" is not allowed in FIPS mode", p);
+ else
+ error("Unsupported KEX algorithm \"%.100s\"", p);
free(s);
return 0;
}
diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
--- openssh-8.0p1/kexgexc.c.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/kexgexc.c 2019-07-23 14:55:45.402526411 +0200
@@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL
+#include <openssl/crypto.h>
#include <sys/types.h>
#include <openssl/dh.h>
@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
+ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) {
+ r = SSH_ERR_INVALID_ARGUMENT;
+ goto out;
+ }
p = g = NULL; /* belong to kex->dh now */
/* generate and send 'e', client DH public key */
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
@@ -111,6 +111,20 @@
"rsa-sha2-256," \
"ssh-rsa"
+#define KEX_FIPS_PK_ALG \
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
+ "rsa-sha2-512-cert-v01@openssh.com," \
+ "rsa-sha2-256-cert-v01@openssh.com," \
+ "ssh-rsa-cert-v01@openssh.com," \
+ "ecdsa-sha2-nistp256," \
+ "ecdsa-sha2-nistp384," \
+ "ecdsa-sha2-nistp521," \
+ "rsa-sha2-512," \
+ "rsa-sha2-256," \
+ "ssh-rsa"
+
#define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr," \
@@ -134,6 +142,27 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC
+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
+#define KEX_DEFAULT_KEX_FIPS \
+ "ecdh-sha2-nistp256," \
+ "ecdh-sha2-nistp384," \
+ "ecdh-sha2-nistp521," \
+ "diffie-hellman-group-exchange-sha256," \
+ "diffie-hellman-group16-sha512," \
+ "diffie-hellman-group18-sha512," \
+ "diffie-hellman-group14-sha256"
+#define KEX_FIPS_MAC \
+ "hmac-sha1," \
+ "hmac-sha2-256," \
+ "hmac-sha2-512," \
+ "hmac-sha1-etm@openssh.com," \
+ "hmac-sha2-256-etm@openssh.com," \
+ "hmac-sha2-512-etm@openssh.com"
+
/* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \
"ecdsa-sha2-nistp256," \
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */
- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
+ def_mac = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
+ def_kex = match_filter_allowlist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
+ def_key = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&options->what, \
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open
SC_DENY(__NR_open, EACCES),
#endif
+#ifdef __NR_socket
+ SC_DENY(__NR_socket, EACCES),
+#endif
#ifdef __NR_openat
SC_DENY(__NR_openat, EACCES),
#endif
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */
- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
+ def_mac = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
+ def_kex = match_filter_allowlist((FIPS_mode() ?
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
+ def_key = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
+ def_sig = match_filter_allowlist((FIPS_mode() ?
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
#define ASSEMBLE(what, defaults, all) \
do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
@@ -76,6 +76,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#endif
+#include <openssl/crypto.h>
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -614,6 +626,10 @@ main(int ac, char **av)
dump_client_config(&options, host);
exit(0);
}
+
+ if (FIPS_mode()) {
+ debug("FIPS mode initialized");
+ }
/* Expand SecurityKeyProvider if it refers to an environment variable */
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200
@@ -44,6 +44,8 @@
#include <vis.h>
#endif
+#include <openssl/crypto.h>
+
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
#if defined(GSSAPI) && defined(WITH_OPENSSL)
if (options.gss_keyex) {
- /* Add the GSSAPI mechanisms currently supported on this
- * client to the key exchange algorithm proposal */
- orig = myproposal[PROPOSAL_KEX_ALGS];
-
- if (options.gss_server_identity) {
- gss_host = xstrdup(options.gss_server_identity);
- } else if (options.gss_trust_dns) {
- gss_host = remote_hostname(ssh);
- /* Fall back to specified host if we are using proxy command
- * and can not use DNS on that socket */
- if (strcmp(gss_host, "UNKNOWN") == 0) {
- free(gss_host);
- gss_host = xstrdup(host);
- }
- } else {
- gss_host = xstrdup(host);
- }
-
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
-
- /* If we've got GSSAPI algorithms, then we also support the
- * 'null' hostkey, as a last resort */
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
- "%s,null", orig);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
+ if (options.gss_server_identity) {
+ gss_host = xstrdup(options.gss_server_identity);
+ } else if (options.gss_trust_dns) {
+ gss_host = remote_hostname(ssh);
+ /* Fall back to specified host if we are using proxy command
+ * and can not use DNS on that socket */
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
+ free(gss_host);
+ gss_host = xstrdup(host);
+ }
+ } else {
+ gss_host = xstrdup(host);
+ }
+
+ gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms);
+ if (gss) {
+ debug("Offering GSSAPI proposal: %s", gss);
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+ "%s,%s", gss, orig);
+
+ /* If we've got GSSAPI algorithms, then we also support the
+ * 'null' hostkey, as a last resort */
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
+ "%s,null", orig);
+ }
}
}
#endif
diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
--- openssh-8.0p1/sshd.c.fips 2019-07-23 14:55:45.398526371 +0200
+++ openssh-8.0p1/sshd.c 2019-07-23 14:55:45.403526421 +0200
@@ -66,6 +66,7 @@
#include <grp.h>
#include <pwd.h>
#include <signal.h>
+#include <syslog.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
@@ -77,6 +78,7 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/rand.h>
+#include <openssl/crypto.h>
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -1529,6 +1532,7 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
+ OpenSSL_add_all_algorithms();
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
@@ -1992,6 +2007,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
+ if (FIPS_mode()) {
+ debug("FIPS mode initialized");
+ }
+
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL;
- if (options.gss_keyex)
- gss = ssh_gssapi_server_mechanisms();
- else
- gss = NULL;
+ if (options.gss_keyex) {
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
+ } else {
+ gss = ssh_gssapi_server_mechanisms();
+ }
+ }
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
--- openssh-8.0p1/sshkey.c.fips 2019-07-23 14:55:45.398526371 +0200
+++ openssh-8.0p1/sshkey.c 2019-07-23 14:55:45.404526431 +0200
@@ -34,6 +34,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+#include <openssl/crypto.h>
#endif
#include "crypto_api.h"
@@ -57,6 +58,7 @@
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "match.h"
+#include "log.h"
#include "ssh-sk.h"
#ifdef WITH_XMSS
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
+ if (FIPS_mode())
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na
#endif
}
#ifdef WITH_OPENSSL
+ if (FIPS_mode()) {
+ if (type == KEY_DSA)
+ fatal("DSA keys are not allowed in FIPS mode");
+ if (type == KEY_ED25519)
+ fatal("ED25519 keys are not allowed in FIPS mode");
+ }
switch (type) {
case KEY_DSA:
if (*bitsp != 1024)
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1;
printf("%s: generating new host keys: ", __progname);
}
+ type = sshkey_type_from_name(key_types[i].key_type);
+
+ /* Skip the keys that are not supported in FIPS mode */
+ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
+ logit("Skipping %s key in FIPS mode",
+ key_types[i].key_type_display);
+ goto next;
+ }
+
printf("%s ", key_types[i].key_type_display);
fflush(stdout);
- type = sshkey_type_from_name(key_types[i].key_type);
if ((fd = mkstemp(prv_tmp)) == -1) {
error("Could not save your private key in %s: %s",
prv_tmp, strerror(errno));

View File

@ -0,0 +1,647 @@
diff --git a/auth-krb5.c b/auth-krb5.c
index a5a81ed2..63f877f2 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -51,6 +51,7 @@
#include <unistd.h>
#include <string.h>
#include <krb5.h>
+#include <profile.h>
extern ServerOptions options;
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
- int len;
+ char *ticket_name = NULL;
char *client, *platform_client;
const char *errmsg;
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
goto out;
}
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
if (problem)
goto out;
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem)
goto out;
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
&creds);
if (problem)
goto out;
#endif
- authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ problem = krb5_cc_get_full_name(authctxt->krb5_ctx,
+ authctxt->krb5_fwd_ccache, &ticket_name);
- len = strlen(authctxt->krb5_ticket_file) + 6;
- authctxt->krb5_ccname = xmalloc(len);
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
- authctxt->krb5_ticket_file);
+ authctxt->krb5_ccname = xstrdup(ticket_name);
+ krb5_free_string(authctxt->krb5_ctx, ticket_name);
#ifdef USE_PAM
- if (options.use_pam)
+ if (options.use_pam && authctxt->krb5_set_env)
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
void
krb5_cleanup_proc(Authctxt *authctxt)
{
+ struct stat krb5_ccname_stat;
+ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;
+
debug("krb5_cleanup_proc called");
if (authctxt->krb5_fwd_ccache) {
- krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
+ krb5_context ctx = authctxt->krb5_ctx;
+ krb5_cccol_cursor cursor;
+ krb5_ccache ccache;
+ int ret;
+
+ krb5_cc_destroy(ctx, authctxt->krb5_fwd_ccache);
authctxt->krb5_fwd_ccache = NULL;
+
+ ret = krb5_cccol_cursor_new(ctx, &cursor);
+ if (ret)
+ goto out;
+
+ ret = krb5_cccol_cursor_next(ctx, cursor, &ccache);
+ if (ret == 0 && ccache != NULL) {
+ /* There is at least one other ccache in collection
+ * we can switch to */
+ krb5_cc_switch(ctx, ccache);
+ } else if (authctxt->krb5_ccname != NULL) {
+ /* Clean up the collection too */
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
+ *krb5_ccname_dir_start++ = '\0';
+ if (strcmp(krb5_ccname, "DIR") == 0) {
+
+ strcat(krb5_ccname_dir_start, "/primary");
+
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
+ if (unlink(krb5_ccname_dir_start) == 0) {
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
+ *krb5_ccname_dir_end = '\0';
+ if (rmdir(krb5_ccname_dir_start) == -1)
+ debug("cache dir '%s' remove failed: %s",
+ krb5_ccname_dir_start, strerror(errno));
+ }
+ else
+ debug("cache primary file '%s', remove failed: %s",
+ krb5_ccname_dir_start, strerror(errno));
+ }
+ }
+ }
+ krb5_cccol_cursor_free(ctx, &cursor);
}
+out:
if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
authctxt->krb5_user = NULL;
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
}
}
-#ifndef HEIMDAL
+
+#if !defined(HEIMDAL)
+int
+ssh_asprintf_append(char **dsc, const char *fmt, ...) {
+ char *src, *old;
+ va_list ap;
+ int i;
+
+ va_start(ap, fmt);
+ i = vasprintf(&src, fmt, ap);
+ va_end(ap);
+
+ if (i == -1 || src == NULL)
+ return -1;
+
+ old = *dsc;
+
+ i = asprintf(dsc, "%s%s", *dsc, src);
+ if (i == -1 || src == NULL) {
+ free(src);
+ return -1;
+ }
+
+ free(old);
+ free(src);
+
+ return i;
+}
+
+int
+ssh_krb5_expand_template(char **result, const char *template) {
+ char *p_n, *p_o, *r, *tmp_template;
+
+ debug3("%s: called, template = %s", __func__, template);
+ if (template == NULL)
+ return -1;
+
+ tmp_template = p_n = p_o = xstrdup(template);
+ r = xstrdup("");
+
+ while ((p_n = strstr(p_o, "%{")) != NULL) {
+
+ *p_n++ = '\0';
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
+ goto cleanup;
+
+ if (strncmp(p_n, "{uid}", 5) == 0 || strncmp(p_n, "{euid}", 6) == 0 ||
+ strncmp(p_n, "{USERID}", 8) == 0) {
+ p_o = strchr(p_n, '}') + 1;
+ if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
+ goto cleanup;
+ continue;
+ }
+ else if (strncmp(p_n, "{TEMP}", 6) == 0) {
+ p_o = strchr(p_n, '}') + 1;
+ if (ssh_asprintf_append(&r, "/tmp") == -1)
+ goto cleanup;
+ continue;
+ } else {
+ p_o = strchr(p_n, '}') + 1;
+ *p_o = '\0';
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
+ /* unknown token, fallback to the default */
+ goto cleanup;
+ }
+ }
+
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
+ goto cleanup;
+
+ *result = r;
+ free(tmp_template);
+ return 0;
+
+cleanup:
+ free(r);
+ free(tmp_template);
+ return -1;
+}
+
krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ profile_t p;
+ int ret = 0;
+ char *value = NULL;
+
+ debug3("%s: called", __func__);
+ ret = krb5_get_profile(ctx, &p);
+ if (ret)
+ return ret;
+
+ ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
+ if (ret || !value)
+ return ret;
+
+ ret = ssh_krb5_expand_template(ccname, value);
+
+ debug3("%s: returning with ccname = %s", __func__, *ccname);
+ return ret;
+}
+
+krb5_error_code
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
+ int tmpfd, ret, oerrno, type_len;
+ char *ccname = NULL;
mode_t old_umask;
+ char *type = NULL, *colon = NULL;
- ret = snprintf(ccname, sizeof(ccname),
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
- if (ret < 0 || (size_t)ret >= sizeof(ccname))
- return ENOMEM;
-
- old_umask = umask(0177);
- tmpfd = mkstemp(ccname + strlen("FILE:"));
- oerrno = errno;
- umask(old_umask);
- if (tmpfd == -1) {
- logit("mkstemp(): %.100s", strerror(oerrno));
- return oerrno;
- }
+ debug3("%s: called", __func__);
+ if (need_environment)
+ *need_environment = 0;
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
+ if (ret || !ccname || options.kerberos_unique_ccache) {
+ /* Otherwise, go with the old method */
+ if (ccname)
+ free(ccname);
+ ccname = NULL;
+
+ ret = asprintf(&ccname,
+ "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
+ if (ret < 0)
+ return ENOMEM;
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ old_umask = umask(0177);
+ tmpfd = mkstemp(ccname + strlen("FILE:"));
oerrno = errno;
- logit("fchmod(): %.100s", strerror(oerrno));
+ umask(old_umask);
+ if (tmpfd == -1) {
+ logit("mkstemp(): %.100s", strerror(oerrno));
+ return oerrno;
+ }
+
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
+ oerrno = errno;
+ logit("fchmod(): %.100s", strerror(oerrno));
+ close(tmpfd);
+ return oerrno;
+ }
+ /* make sure the KRB5CCNAME is set for non-standard location */
+ if (need_environment)
+ *need_environment = 1;
close(tmpfd);
- return oerrno;
}
- close(tmpfd);
- return (krb5_cc_resolve(ctx, ccname, ccache));
+ debug3("%s: setting default ccname to %s", __func__, ccname);
+ /* set the default with already expanded user IDs */
+ ret = krb5_cc_set_default_name(ctx, ccname);
+ if (ret)
+ return ret;
+
+ if ((colon = strstr(ccname, ":")) != NULL) {
+ type_len = colon - ccname;
+ type = malloc((type_len + 1) * sizeof(char));
+ if (type == NULL)
+ return ENOMEM;
+ strncpy(type, ccname, type_len);
+ type[type_len] = 0;
+ } else {
+ type = strdup(ccname);
+ }
+
+ /* If we have a credential cache from krb5.conf, we need to switch
+ * a primary cache for this collection, if it supports that (non-FILE)
+ */
+ if (krb5_cc_support_switch(ctx, type)) {
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname);
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
+ free(type);
+ if (ret)
+ return ret;
+
+ debug3("%s: calling cc_switch()", __func__);
+ return krb5_cc_switch(ctx, *ccache);
+ } else {
+ /* Otherwise, we can not create a unique ccname here (either
+ * it is already unique from above or the type does not support
+ * collections
+ */
+ free(type);
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname);
+ return (krb5_cc_resolve(ctx, ccname, ccache));
+ }
}
#endif /* !HEIMDAL */
#endif /* KRB5 */
diff --git a/auth.h b/auth.h
index 29491df9..fdab5040 100644
--- a/auth.h
+++ b/auth.h
@@ -82,6 +82,7 @@ struct Authctxt {
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *);
int sys_auth_passwd(struct ssh *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
#endif
#endif /* AUTH_H */
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
-static void
+static int
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
@@ -276,14 +276,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
OM_uint32 maj_status, min_status;
const char *new_ccname, *new_cctype;
const char *errmsg;
+ int set_env = 0;
if (client->creds == NULL) {
debug("No credentials stored");
- return;
+ return 0;
}
if (ssh_gssapi_krb5_init() == 0)
- return;
+ return 0;
#ifdef HEIMDAL
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
@@ -297,14 +298,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
krb5_get_err_text(krb_context, problem));
# endif
krb5_free_error_message(krb_context, errmsg);
- return;
+ return 0;
}
#else
- if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
+ if ((problem = ssh_krb5_cc_new_unique(krb_context, &ccache, &set_env)) != 0) {
errmsg = krb5_get_error_message(krb_context, problem);
- logit("ssh_krb5_cc_gen(): %.100s", errmsg);
+ logit("ssh_krb5_cc_new_unique(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
- return;
+ return 0;
}
#endif /* #ifdef HEIMDAL */
@@ -313,7 +314,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
- return;
+ return 0;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
@@ -322,7 +323,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
- return;
+ return 0;
}
krb5_free_principal(krb_context, princ);
@@ -331,32 +332,21 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
- return;
+ return 0;
}
new_cctype = krb5_cc_get_type(krb_context, ccache);
new_ccname = krb5_cc_get_name(krb_context, ccache);
-
- client->store.envvar = "KRB5CCNAME";
-#ifdef USE_CCAPI
- xasprintf(&client->store.envval, "API:%s", new_ccname);
- client->store.filename = NULL;
-#else
- if (new_ccname[0] == ':')
- new_ccname++;
xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);
- if (strcmp(new_cctype, "DIR") == 0) {
- char *p;
- p = strrchr(client->store.envval, '/');
- if (p)
- *p = '\0';
+
+ if (set_env) {
+ client->store.envvar = "KRB5CCNAME";
}
if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))
client->store.filename = xstrdup(new_ccname);
-#endif
#ifdef USE_PAM
- if (options.use_pam)
+ if (options.use_pam && set_env)
do_pam_putenv(client->store.envvar, client->store.envval);
#endif
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
client->store.data = krb_context;
- return;
+ return set_env;
}
int
diff --git a/gss-serv.c b/gss-serv.c
index 6cae720e..16e55cbc 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
}
/* As user */
-void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
/* This allows GSSAPI methods to do things to the child's environment based
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
char *envstr;
#endif
- if (gssapi_client.store.filename == NULL &&
- gssapi_client.store.envval == NULL &&
- gssapi_client.store.envvar == NULL)
+ if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
+ options->kerberos_unique_ccache = -1;
options->gss_authentication=-1;
options->gss_keyex = -1;
options->gss_cleanup_creds = -1;
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
+ if (options->kerberos_unique_ccache == -1)
+ options->kerberos_unique_ccache = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
if (options->gss_keyex == -1)
@@ -447,7 +450,8 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
+ sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -526,11 +530,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
+ { "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
#else
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
+ { "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->kerberos_get_afs_token;
goto parse_flag;
+ case sKerberosUniqueCCache:
+ intptr = &options->kerberos_unique_ccache;
+ goto parse_flag;
+
case sGssAuthentication:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o)
# ifdef USE_AFS
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif
+ dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/servconf.h b/servconf.h
index db8362c6..4fa42d64 100644
--- a/servconf.h
+++ b/servconf.h
@@ -123,6 +123,8 @@ typedef struct {
* file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
+ int kerberos_unique_ccache; /* If true, the acquired ticket will
+ * be stored in per-session ccache */
int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff --git a/session.c b/session.c
index 85df6a27..480a5ead 100644
--- a/session.c
+++ b/session.c
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
/* Allow any GSSAPI methods that we've used to alter
* the child's environment as they see fit
*/
- ssh_gssapi_do_child(&env, &envsize);
+ if (s->authctxt->krb5_set_env)
+ ssh_gssapi_do_child(&env, &envsize);
#endif
/* Set basic environment. */
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
}
#endif
#ifdef KRB5
- if (s->authctxt->krb5_ccname)
+ if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ccname);
#endif
diff --git a/ssh-gss.h b/ssh-gss.h
index 6593e422..245178af 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);
diff --git a/sshd.c b/sshd.c
index edbe815c..89514e8a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
#ifdef GSSAPI
if (options.gss_authentication) {
temporarily_use_uid(authctxt->pw);
- ssh_gssapi_storecreds();
+ authctxt->krb5_set_env = ssh_gssapi_storecreds();
restore_uid();
}
#endif
diff --git a/sshd_config.5 b/sshd_config.5
index c0683d4a..2349f477 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
file on logout.
The default is
.Cm yes .
+.It Cm KerberosUniqueCCache
+Specifies whether to store the acquired tickets in the per-session credential
+cache under /tmp/ or whether to use per-user credential cache as configured in
+.Pa /etc/krb5.conf .
+The default value
+.Cm no
+can lead to overwriting previous tickets by subseqent connections to the same
+user account.
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.

117
openssh-7.7p1-redhat.patch Normal file
View File

@ -0,0 +1,117 @@
diff -up openssh/ssh_config.redhat openssh/ssh_config
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
@@ -43,3 +43,10 @@
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
+#
+# This system is following system-wide crypto policy.
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
+# file under /etc/ssh/ssh_config.d/ which will be automatically
+# included below. For more information, see manual page for
+# update-crypto-policies(8) and ssh_config(5).
+Include /etc/ssh/ssh_config.d/*.conf
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
+++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100
@@ -0,0 +1,21 @@
+# The options here are in the "Match final block" to be applied as the last
+# options and could be potentially overwritten by the user configuration
+Match final all
+ # Follow system-wide Crypto Policy, if defined:
+ Include /etc/crypto-policies/back-ends/openssh.config
+
+ GSSAPIAuthentication yes
+
+# If this option is set to yes then remote X11 clients will have full access
+# to the original X11 display. As virtually no X11 client supports the untrusted
+# mode correctly we set this to yes.
+ ForwardX11Trusted yes
+
+# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
+
+# Uncomment this if you want to use .local domain
+# Host *.local
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
--- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100
+++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100
@@ -970,9 +970,9 @@ DESCRIPTION
SyslogFacility
Gives the facility code that is used when logging messages from
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
- default is AUTH.
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
TCPKeepAlive
Specifies whether the system should send TCP keepalive messages
diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
--- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100
@@ -1614,7 +1614,7 @@ By default no subsystems are defined.
.It Cm SyslogFacility
Gives the facility code that is used when logging messages from
.Xr sshd 8 .
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
.It Cm TCPKeepAlive
diff -up openssh/sshd_config.redhat openssh/sshd_config
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
@@ -10,6 +10,14 @@
# possible, but leave them commented. Uncommented options override the
# default value.
+# To modify the system-wide sshd configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
@@ -0,0 +1,28 @@
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
+# this or following included files. To override some configuration option,
+# write it before this block or include it before this file.
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
+Include /etc/crypto-policies/back-ends/opensshserver.config
+
+SyslogFacility AUTHPRIV
+
+ChallengeResponseAuthentication no
+
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+
+UsePAM yes
+
+X11Forwarding yes
+
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
+# as it is more configurable and versatile than the built-in version.
+PrintMotd no
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+

View File

@ -1,20 +1,18 @@
diff --git a/sshd.c b/sshd.c diff --git a/sshd.c b/sshd.c
index a7b8b6a..24ab272 100644
--- a/sshd.c --- a/sshd.c
+++ b/sshd.c +++ b/sshd.c
@@ -1620,6 +1620,10 @@ main(int ac, char **av) @@ -1701,6 +1701,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
&cfg, NULL); cfg, &includes, NULL);
+ /* 'UsePAM no' is not supported in Fedora */ + /* 'UsePAM no' is not supported in Fedora */
+ if (! options.use_pam) + if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); + logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+ +
seed_rng();
/* Fill in default values for those options not explicitly set. */ /* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index 36cb27a..c1b7c03 100644
--- a/sshd_config --- a/sshd_config
+++ b/sshd_config +++ b/sshd_config
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no @@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
@ -23,6 +21,6 @@ index 36cb27a..c1b7c03 100644
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems. +# problems.
UsePAM yes #UsePAM no
#AllowAgentForwarding yes #AllowAgentForwarding yes

View File

@ -1,164 +1,17 @@
diff -up openssh-6.8p1/auth-pam.c.role-mls openssh-6.8p1/auth-pam.c diff -up openssh/auth2.c.role-mls openssh/auth2.c
--- openssh-6.8p1/auth-pam.c.role-mls 2015-03-17 06:49:20.000000000 +0100 --- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh-6.8p1/auth-pam.c 2015-03-18 11:04:21.045817122 +0100 +++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
@@ -1068,7 +1068,7 @@ is_pam_session_open(void) @@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
* during the ssh authentication process. Authctxt *authctxt = ssh->authctxt;
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
diff -up openssh-6.8p1/auth-pam.h.role-mls openssh-6.8p1/auth-pam.h
--- openssh-6.8p1/auth-pam.h.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth-pam.h 2015-03-18 11:04:21.045817122 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh-6.8p1/auth.h.role-mls openssh-6.8p1/auth.h
--- openssh-6.8p1/auth.h.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth.h 2015-03-18 11:04:21.045817122 +0100
@@ -62,6 +62,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
char *info; /* Extra info for next auth_log */
#ifdef BSD_AUTH
diff -up openssh-6.8p1/auth1.c.role-mls openssh-6.8p1/auth1.c
--- openssh-6.8p1/auth1.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth1.c 2015-03-18 11:04:21.046817119 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role=NULL;
+#endif
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen);
packet_check_eom();
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
+#ifdef WITH_SELINUX
+ else
+ if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
+#endif
authctxt->user = user;
authctxt->style = style;
+#ifdef WITH_SELINUX
+ authctxt->role = role;
+#endif
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-6.8p1/auth2-gss.c.role-mls openssh-6.8p1/auth2-gss.c
--- openssh-6.8p1/auth2-gss.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth2-gss.c 2015-03-18 11:04:21.046817119 +0100
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
+ char *micuser;
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len);
mic.length = len;
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
buffer_free(&b);
+ if (micuser != authctxt->user)
+ free(micuser);
free(mic.value);
authctxt->postponed = 0;
diff -up openssh-6.8p1/auth2-hostbased.c.role-mls openssh-6.8p1/auth2-hostbased.c
--- openssh-6.8p1/auth2-hostbased.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth2-hostbased.c 2015-03-18 11:04:21.046817119 +0100
@@ -122,7 +122,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff -up openssh-6.8p1/auth2-pubkey.c.role-mls openssh-6.8p1/auth2-pubkey.c
--- openssh-6.8p1/auth2-pubkey.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth2-pubkey.c 2015-03-18 11:04:21.046817119 +0100
@@ -145,9 +145,11 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
- authctxt->style ? authctxt->style : "");
+ authctxt->style ? authctxt->style : "",
+ authctxt->role ? "/" : "",
+ authctxt->role ? authctxt->role : "");
buffer_put_cstring(&b, userstyle);
free(userstyle);
buffer_put_cstring(&b,
diff -up openssh-6.8p1/auth2.c.role-mls openssh-6.8p1/auth2.c
--- openssh-6.8p1/auth2.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/auth2.c 2015-03-18 11:04:21.046817119 +0100
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
Authctxt *authctxt = ctxt;
Authmethod *m = NULL; Authmethod *m = NULL;
char *user, *service, *method, *style = NULL; char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ char *role = NULL; + char *role = NULL;
+#endif +#endif
int authenticated = 0; int r, authenticated = 0;
double tstart = monotime_double();
if (authctxt == NULL) @@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method); debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@ -170,7 +23,7 @@ diff -up openssh-6.8p1/auth2.c.role-mls openssh-6.8p1/auth2.c
if ((style = strchr(user, ':')) != NULL) if ((style = strchr(user, ':')) != NULL)
*style++ = 0; *style++ = 0;
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32 @@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : ""); use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service); authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL; authctxt->style = style ? xstrdup(style) : NULL;
@ -184,13 +37,127 @@ diff -up openssh-6.8p1/auth2.c.role-mls openssh-6.8p1/auth2.c
+ mm_inform_authrole(role); + mm_inform_authrole(role);
+#endif +#endif
+ } + }
userauth_banner(); userauth_banner(ssh);
if (auth2_setup_methods_lists(authctxt) != 0) if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled"); ssh_packet_disconnect(ssh,
diff -up openssh-6.8p1/misc.c.role-mls openssh-6.8p1/misc.c diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
--- openssh-6.8p1/misc.c.role-mls 2015-03-17 06:49:20.000000000 +0100 --- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh-6.8p1/misc.c 2015-03-18 11:04:21.046817119 +0100 +++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
@@ -431,6 +431,7 @@ char * @@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ssh->authctxt;
Gssctxt *gssctxt;
int r, authenticated = 0;
+ char *micuser;
struct sshbuf *b;
gss_buffer_desc mic, gssbuf;
const char *displayname;
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
fatal("%s: sshbuf_new failed", __func__);
mic.value = p;
mic.length = len;
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && authctxt->role[0] != 0)
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
"gssapi-with-mic");
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed");
sshbuf_free(b);
+ if (micuser != authctxt->user)
+ free(micuser);
free(mic.value);
if ((!use_privsep || mm_is_monitor()) &&
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
/* reconstruct packet */
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
+#ifdef WITH_SELINUX
+ (authctxt->role
+ ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
+ (r = sshbuf_put(b, authctxt->user, strlen(authctxt->user))) != 0 ||
+ (r = sshbuf_put_u8(b, '/') != 0) ||
+ (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
+ : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
+#else
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
+#endif
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
goto done;
}
/* reconstruct packet */
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
- authctxt->style ? authctxt->style : "");
+ authctxt->style ? authctxt->style : "",
+#ifdef WITH_SELINUX
+ authctxt->role ? "/" : "",
+ authctxt->role ? authctxt->role : ""
+#else
+ "", ""
+#endif
+ );
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
diff -up openssh/auth.h.role-mls openssh/auth.h
--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
@@ -65,6 +65,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
/* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
{
int ret = 1;
char *compound;
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
void do_pam_session(struct ssh *);
void do_pam_setcred(int );
void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff -up openssh/misc.c.role-mls openssh/misc.c
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
@@ -542,6 +542,7 @@ char *
colon(char *cp) colon(char *cp)
{ {
int flag = 0; int flag = 0;
@ -198,7 +165,7 @@ diff -up openssh-6.8p1/misc.c.role-mls openssh-6.8p1/misc.c
if (*cp == ':') /* Leading colon is part of file name. */ if (*cp == ':') /* Leading colon is part of file name. */
return NULL; return NULL;
@@ -446,6 +447,13 @@ colon(char *cp) @@ -557,6 +558,13 @@ colon(char *cp)
return (cp); return (cp);
if (*cp == '/') if (*cp == '/')
return NULL; return NULL;
@ -212,20 +179,20 @@ diff -up openssh-6.8p1/misc.c.role-mls openssh-6.8p1/misc.c
} }
return NULL; return NULL;
} }
diff -up openssh-6.8p1/monitor.c.role-mls openssh-6.8p1/monitor.c diff -up openssh/monitor.c.role-mls openssh/monitor.c
--- openssh-6.8p1/monitor.c.role-mls 2015-03-17 06:49:20.000000000 +0100 --- openssh/monitor.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh-6.8p1/monitor.c 2015-03-18 11:04:21.047817117 +0100 +++ openssh/monitor.c 2018-08-22 11:19:56.006844867 +0200
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *); @@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *)
int mm_answer_pwnamallow(int, Buffer *); int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(int, Buffer *); int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *); +int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
+#endif +#endif
int mm_answer_authpassword(int, Buffer *); int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
@@ -206,6 +209,9 @@ struct mon_table mon_dispatch_proto20[] @@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -235,29 +202,30 @@ diff -up openssh-6.8p1/monitor.c.role-mls openssh-6.8p1/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -862,6 +868,9 @@ mm_answer_pwnamallow(int sock, Buffer *m @@ -796,6 +802,9 @@ mm_answer_pwnamallow(int sock, struct ss
else {
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif +#endif
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
#ifdef USE_PAM #ifdef USE_PAM
@@ -903,6 +912,25 @@ mm_answer_authserv(int sock, Buffer *m) @@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb
return (0); return found;
} }
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+int +int
+mm_answer_authrole(int sock, Buffer *m) +mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
+{ +{
+ int r;
+ monitor_permit_authentications(1); + monitor_permit_authentications(1);
+ +
+ authctxt->role = buffer_get_string(m, NULL); + if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
+ debug3("%s: role=%s", + fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ __func__, authctxt->role); + debug3("%s: role=%s", __func__, authctxt->role);
+ +
+ if (strlen(authctxt->role) == 0) { + if (strlen(authctxt->role) == 0) {
+ free(authctxt->role); + free(authctxt->role);
@ -269,48 +237,48 @@ diff -up openssh-6.8p1/monitor.c.role-mls openssh-6.8p1/monitor.c
+#endif +#endif
+ +
int int
mm_answer_authpassword(int sock, Buffer *m) mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
{ {
@@ -1291,7 +1319,7 @@ static int @@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i
monitor_valid_userblob(u_char *data, u_int datalen)
{ {
Buffer b; struct sshbuf *b;
- char *p, *userstyle; const u_char *p;
+ char *p, *r, *userstyle; - char *userstyle, *cp;
u_int len; + char *userstyle, *s, *cp;
int fail = 0; size_t len;
u_char type;
@@ -1317,6 +1345,8 @@ monitor_valid_userblob(u_char *data, u_i int r, fail = 0;
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) @@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
fail++; fail++;
p = buffer_get_cstring(&b, NULL); if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
+ if ((r = strchr(p, '/')) != NULL) fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ *r = '\0'; + if ((s = strchr(cp, '/')) != NULL)
+ *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : ""); authctxt->style ? authctxt->style : "");
@@ -1352,7 +1382,7 @@ monitor_valid_hostbasedblob(u_char *data @@ -1286,7 +1317,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost)
{ {
Buffer b; struct sshbuf *b;
- char *p, *userstyle; const u_char *p;
+ char *p, *r, *userstyle; - char *cp, *userstyle;
u_int len; + char *cp, *s, *userstyle;
int fail = 0; size_t len;
int r, fail = 0;
@@ -1369,6 +1399,8 @@ monitor_valid_hostbasedblob(u_char *data u_char type;
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) @@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
fail++; fail++;
p = buffer_get_cstring(&b, NULL); if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
+ if ((r = strchr(p, '/')) != NULL) fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ *r = '\0'; + if ((s = strchr(p, '/')) != NULL)
+ *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "", authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : ""); authctxt->style ? authctxt->style : "");
diff -up openssh-6.8p1/monitor.h.role-mls openssh-6.8p1/monitor.h diff -up openssh/monitor.h.role-mls openssh/monitor.h
--- openssh-6.8p1/monitor.h.role-mls 2015-03-17 06:49:20.000000000 +0100 --- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh-6.8p1/monitor.h 2015-03-18 11:04:21.047817117 +0100 +++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
@@ -57,6 +57,10 @@ enum monitor_reqtype { @@ -55,6 +55,10 @@ enum monitor_reqtype {
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50, MONITOR_REQ_TERM = 50,
@ -321,11 +289,11 @@ diff -up openssh-6.8p1/monitor.h.role-mls openssh-6.8p1/monitor.h
MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
diff -up openssh-6.8p1/monitor_wrap.c.role-mls openssh-6.8p1/monitor_wrap.c diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
--- openssh-6.8p1/monitor_wrap.c.role-mls 2015-03-17 06:49:20.000000000 +0100 --- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 11:04:21.047817117 +0100 +++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
@@ -347,6 +347,25 @@ mm_inform_authserv(char *service, char * @@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
buffer_free(&m); sshbuf_free(m);
} }
+/* Inform the privileged process about role */ +/* Inform the privileged process about role */
@ -334,51 +302,123 @@ diff -up openssh-6.8p1/monitor_wrap.c.role-mls openssh-6.8p1/monitor_wrap.c
+void +void
+mm_inform_authrole(char *role) +mm_inform_authrole(char *role)
+{ +{
+ Buffer m; + int r;
+ struct sshbuf *m;
+ +
+ debug3("%s entering", __func__); + debug3("%s entering", __func__);
+ +
+ buffer_init(&m); + if ((m = sshbuf_new()) == NULL)
+ buffer_put_cstring(&m, role ? role : ""); + fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); + sshbuf_free(m);
+
+ buffer_free(&m);
+} +}
+#endif +#endif
+ +
/* Do the password authentication */ /* Do the password authentication */
int int
mm_auth_password(Authctxt *authctxt, char *password) mm_auth_password(struct ssh *ssh, char *password)
diff -up openssh-6.8p1/monitor_wrap.h.role-mls openssh-6.8p1/monitor_wrap.h diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
--- openssh-6.8p1/monitor_wrap.h.role-mls 2015-03-18 11:04:21.047817117 +0100 --- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
+++ openssh-6.8p1/monitor_wrap.h 2015-03-18 11:10:32.343936171 +0100 +++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
@@ -42,6 +42,9 @@ int mm_is_monitor(void); @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
DH *mm_choose_dh(int, int, int); const u_char *, size_t, const char *, const char *,
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *); const char *, u_int compat);
void mm_inform_authserv(char *, char *); void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+void mm_inform_authrole(char *); +void mm_inform_authrole(char *);
+#endif +#endif
struct passwd *mm_getpwnamallow(const char *); struct passwd *mm_getpwnamallow(struct ssh *, const char *);
char *mm_auth2_read_banner(void); char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *); int mm_auth_password(struct ssh *, char *);
diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd-compat/Makefile.in diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
--- openssh-6.8p1/openbsd-compat/Makefile.in.role-mls 2015-03-17 06:49:20.000000000 +0100 --- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh-6.8p1/openbsd-compat/Makefile.in 2015-03-18 11:04:21.047817117 +0100 +++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf @@ -92,7 +92,8 @@ PORTS= port-aix.o \
port-linux.o \
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o port-solaris.o \
port-net.o \
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o - port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o + port-uw.o \
+ port-linux-sshd.o
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls 2015-03-18 11:04:21.048817114 +0100 --- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:04:21.048817114 +0100 +++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
@@ -0,0 +1,424 @@ @@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
return sc;
}
-/* Set the execution context to the default for the specified user */
-void
-ssh_selinux_setup_exec_context(char *pwname)
-{
- security_context_t user_ctx = NULL;
-
- if (!ssh_selinux_enabled())
- return;
-
- debug3("%s: setting execution context", __func__);
-
- user_ctx = ssh_selinux_getctxbyname(pwname);
- if (setexeccon(user_ctx) != 0) {
- switch (security_getenforce()) {
- case -1:
- fatal("%s: security_getenforce() failed", __func__);
- case 0:
- error("%s: Failed to set SELinux execution "
- "context for %s", __func__, pwname);
- break;
- default:
- fatal("%s: Failed to set SELinux execution context "
- "for %s (in enforcing mode)", __func__, pwname);
- }
- }
- if (user_ctx != NULL)
- freecon(user_ctx);
-
- debug3("%s: done", __func__);
-}
-
/* Set the TTY context for the specified user */
void
ssh_selinux_setup_pty(char *pwname, const char *tty)
@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) != 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno));
+ goto out;
+ }
+
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
@@ -20,9 +20,10 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+
+void sshd_selinux_setup_exec_context(char *);
#endif
#ifdef LINUX_OOM_ADJUST
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
@@ -0,0 +1,425 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -407,13 +447,14 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
+#include <stdarg.h> +#include <stdarg.h>
+#include <string.h> +#include <string.h>
+#include <stdio.h> +#include <stdio.h>
+#include <stdlib.h>
+ +
+#include "log.h" +#include "log.h"
+#include "xmalloc.h" +#include "xmalloc.h"
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ +#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h" +#include "servconf.h"
+#include "port-linux.h" +#include "port-linux.h"
+#include "key.h" +#include "sshkey.h"
+#include "hostfile.h" +#include "hostfile.h"
+#include "auth.h" +#include "auth.h"
+ +
@ -803,66 +844,10 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
+#endif +#endif
+#endif +#endif
+ +
diff -up openssh-6.8p1/openbsd-compat/port-linux.c.role-mls openssh-6.8p1/openbsd-compat/port-linux.c diff -up openssh/platform.c.role-mls openssh/platform.c
--- openssh-6.8p1/openbsd-compat/port-linux.c.role-mls 2015-03-17 06:49:20.000000000 +0100 --- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh-6.8p1/openbsd-compat/port-linux.c 2015-03-18 11:04:21.048817114 +0100 +++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname) @@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
return sc;
}
-/* Set the execution context to the default for the specified user */
-void
-ssh_selinux_setup_exec_context(char *pwname)
-{
- security_context_t user_ctx = NULL;
-
- if (!ssh_selinux_enabled())
- return;
-
- debug3("%s: setting execution context", __func__);
-
- user_ctx = ssh_selinux_getctxbyname(pwname);
- if (setexeccon(user_ctx) != 0) {
- switch (security_getenforce()) {
- case -1:
- fatal("%s: security_getenforce() failed", __func__);
- case 0:
- error("%s: Failed to set SELinux execution "
- "context for %s", __func__, pwname);
- break;
- default:
- fatal("%s: Failed to set SELinux execution context "
- "for %s (in enforcing mode)", __func__, pwname);
- }
- }
- if (user_ctx != NULL)
- freecon(user_ctx);
-
- debug3("%s: done", __func__);
-}
-
/* Set the TTY context for the specified user */
void
ssh_selinux_setup_pty(char *pwname, const char *tty)
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.role-mls openssh-6.8p1/openbsd-compat/port-linux.h
--- openssh-6.8p1/openbsd-compat/port-linux.h.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 11:04:21.048817114 +0100
@@ -22,9 +22,10 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+
+void sshd_selinux_setup_exec_context(char *);
#endif
#ifdef LINUX_OOM_ADJUST
diff -up openssh-6.8p1/platform.c.role-mls openssh-6.8p1/platform.c
--- openssh-6.8p1/platform.c.role-mls 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/platform.c 2015-03-18 11:04:21.048817114 +0100
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
} }
#endif /* HAVE_SETPCRED */ #endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
@ -871,10 +856,10 @@ diff -up openssh-6.8p1/platform.c.role-mls openssh-6.8p1/platform.c
#endif #endif
} }
diff -up openssh-6.8p1/sshd.c.role-mls openssh-6.8p1/sshd.c diff -up openssh/sshd.c.role-mls openssh/sshd.c
--- openssh-6.8p1/sshd.c.role-mls 2015-03-17 06:49:20.000000000 +0100 --- openssh/sshd.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh-6.8p1/sshd.c 2015-03-18 11:04:21.048817114 +0100 +++ openssh/sshd.c 2018-08-22 11:14:56.820430957 +0200
@@ -2220,6 +2220,9 @@ main(int ac, char **av) @@ -2186,6 +2186,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
#endif #endif
@ -884,20 +869,3 @@ diff -up openssh-6.8p1/sshd.c.role-mls openssh-6.8p1/sshd.c
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) { if (options.use_pam) {
do_pam_setcred(1); do_pam_setcred(1);
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 22ea8ef..2660085 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -116,7 +116,11 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) != 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno));
+ goto out;
+ }
+
/* XXX: should these calls fatal() upon failure in enforcing mode? */

View File

@ -0,0 +1,16 @@
diff --git a/scp.c b/scp.c
index 60682c68..9344806e 100644
--- a/scp.c
+++ b/scp.c
@@ -714,7 +714,9 @@ toremote(int argc, char **argv)
addargs(&alist, "%s", host);
addargs(&alist, "%s", cmd);
addargs(&alist, "%s", src);
- addargs(&alist, "%s%s%s:%s",
+ addargs(&alist,
+ /* IPv6 address needs to be enclosed with sqare brackets */
+ strchr(host, ':') != NULL ? "%s%s[%s]:%s" : "%s%s%s:%s",
tuser ? tuser : "", tuser ? "@" : "",
thost, targ);
if (do_local_cmd(&alist) != 0)

View File

@ -0,0 +1,27 @@
From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 29 Sep 2020 10:02:45 +0000
Subject: [PATCH] Fail hard on the first failed attempt to write the
authorized_keys_file
---
ssh-copy-id | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f..e69a23f 100755
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -251,7 +251,7 @@ installkeys_sh() {
cd;
umask 077;
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
+ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
cat >> ${AUTH_KEY_FILE} ||
exit 1;
if type restorecon >/dev/null 2>&1; then
--
GitLab

View File

@ -0,0 +1,502 @@
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
@@ -359,17 +359,17 @@ or
.Qq *.c.example.com
domains.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
.Xr ssh 1
will not accept host certificates signed using algorithms other than those
specified.
+.Pp
.It Cm CertificateFile
Specifies a file from which the user's certificate is read.
A corresponding private key must be provided separately in order
@@ -424,20 +424,25 @@ If the option is set to
.Cm no ,
the check will not be executed.
.It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the ciphers allowed and their order of preference.
Multiple ciphers must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified ciphers will be appended to the default set
-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified ciphers will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The supported ciphers are:
.Bd -literal -offset indent
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.Ed
.Pp
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed
-.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClearAllForwardings
@@ -812,6 +810,11 @@ command line will be passed untouched to
The default is
.Dq no .
.It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256-
.Ed
.Pp
-The default is
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
+.Pp
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
@@ -1149,29 +1150,25 @@ it may be zero or more of:
and
.Cm pam .
.It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified methods will be appended to the default set
-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified methods will be placed at the head of the
-default set.
-The default is:
-.Bd -literal -offset indent
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,
-diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
-.Ed
+built-in openssh default set.
.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex .
@@ -1231,37 +1228,33 @@ The default is INFO.
DEBUG and DEBUG1 are equivalent.
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
.It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the MAC (message authentication code) algorithms
in order of preference.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The algorithms that contain
.Qq -etm
calculate the MAC after encryption (encrypt-then-mac).
These are considered safer and their use recommended.
.Pp
-The default is:
-.Bd -literal -offset indent
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-sha1-etm@openssh.com,
-umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed
-.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
The default is
.Cm no .
.It Cm PubkeyAcceptedKeyTypes
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the key types that will be used for public key authentication
as a comma-separated list of patterns.
If the specified list begins with a
.Sq +
-character, then the key types after it will be appended to the default
-instead of replacing it.
+character, then the key types after it will be appended to the built-in
+openssh default instead of replacing it.
If the specified list begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified key types will be placed at the head of the
-default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
+built-in openssh default set.
.Pp
The list of available key types may also be obtained using
.Qq ssh -Q PubkeyAcceptedKeyTypes .
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
@@ -375,16 +375,16 @@ If the argument is
then no banner is displayed.
By default, no banner is displayed.
.It Cm CASignatureAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies which algorithms are allowed for signing of certificates
by certificate authorities (CAs).
-The default is:
-.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
+.Pp
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
PAM or through authentication styles supported in
@@ -446,20 +446,25 @@ The default is
indicating not to
.Xr chroot 2 .
.It Cm Ciphers
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the ciphers allowed.
Multiple ciphers must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified ciphers will be appended to the default set
-instead of replacing them.
+character, then the specified ciphers will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified ciphers (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified ciphers will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The supported ciphers are:
.Pp
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-chacha20-poly1305@openssh.com,
-aes128-ctr,aes192-ctr,aes256-ctr,
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
-.Ed
-.Pp
The list of available ciphers may also be obtained using
.Qq ssh -Q cipher .
.It Cm ClientAliveCountMax
@@ -681,22 +679,24 @@ For this to work
.Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
The list of key exchange algorithms that are accepted by GSSAPI
key exchange. Possible values are
.Bd -literal -offset 3n
-gss-gex-sha1-,
-gss-group1-sha1-,
-gss-group14-sha1-,
-gss-group14-sha256-,
-gss-group16-sha512-,
-gss-nistp256-sha256-,
+gss-gex-sha1-
+gss-group1-sha1-
+gss-group14-sha1-
+gss-group14-sha256-
+gss-group16-sha512-
+gss-nistp256-sha256-
gss-curve25519-sha256-
.Ed
-.Pp
-The default is
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI.
+.Pp
.It Cm HostbasedAcceptedKeyTypes
Specifies the key types that will be accepted for hostbased authentication
as a list of comma-separated patterns.
@@ -793,25 +793,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK
environment variable.
.It Cm HostKeyAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the host key algorithms
that the server offers.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
-.Pp
The list of available key types may also be obtained using
.Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
The default is
.Cm yes .
.It Cm KexAlgorithms
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
Alternately if the specified list begins with a
.Sq +
-character, then the specified methods will be appended to the default set
-instead of replacing them.
+character, then the specified methods will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified methods (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified methods will be placed at the head of the
-default set.
+built-in openssh default set.
The supported algorithms are:
.Pp
.Bl -item -compact -offset indent
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
sntrup4591761x25519-sha512@tinyssh.org
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
-.Ed
-.Pp
The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
Logging with a DEBUG level violates the privacy of users and is not recommended.
.It Cm MACs
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the available MAC (message authentication code) algorithms.
The MAC algorithm is used for data integrity protection.
Multiple algorithms must be comma-separated.
If the specified list begins with a
.Sq +
-character, then the specified algorithms will be appended to the default set
-instead of replacing them.
+character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified algorithms will be placed at the head of the
-default set.
+built-in openssh default set.
.Pp
The algorithms that contain
.Qq -etm
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com
.El
.Pp
-The default is:
-.Bd -literal -offset indent
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-sha1-etm@openssh.com,
-umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
-.Ed
-.Pp
The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac .
.It Cm Match
@@ -1480,36 +1460,25 @@ or equivalent.)
The default is
.Cm yes .
.It Cm PubkeyAcceptedKeyTypes
+The default is handled system-wide by
+.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 .
+.Pp
Specifies the key types that will be accepted for public key authentication
as a list of comma-separated patterns.
Alternately if the specified list begins with a
.Sq +
-character, then the specified key types will be appended to the default set
-instead of replacing them.
+character, then the specified key types will be appended to the built-in
+openssh default set instead of replacing them.
If the specified list begins with a
.Sq -
character, then the specified key types (including wildcards) will be removed
-from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them.
If the specified list begins with a
.Sq ^
character, then the specified key types will be placed at the head of the
-default set.
-The default for this option is:
-.Bd -literal -offset 3n
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed
+built-in openssh default set.
.Pp
The list of available key types may also be obtained using
.Qq ssh -Q PubkeyAcceptedKeyTypes .

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,720 @@
From ed7ec0cdf577ffbb0b15145340cf51596ca3eb89 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 14 May 2019 10:45:45 +0200
Subject: [PATCH] Use high-level OpenSSL API for signatures
---
digest-openssl.c | 16 ++++
digest.h | 6 ++
ssh-dss.c | 65 ++++++++++------
ssh-ecdsa.c | 69 ++++++++++-------
ssh-rsa.c | 193 +++++++++--------------------------------------
sshkey.c | 77 +++++++++++++++++++
sshkey.h | 4 +
7 files changed, 221 insertions(+), 209 deletions(-)
diff --git a/digest-openssl.c b/digest-openssl.c
index da7ed72bc..6a21d8adb 100644
--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -63,6 +63,22 @@ const struct ssh_digest digests[] = {
{ -1, NULL, 0, NULL },
};
+const EVP_MD *
+ssh_digest_to_md(int digest_type)
+{
+ switch (digest_type) {
+ case SSH_DIGEST_SHA1:
+ return EVP_sha1();
+ case SSH_DIGEST_SHA256:
+ return EVP_sha256();
+ case SSH_DIGEST_SHA384:
+ return EVP_sha384();
+ case SSH_DIGEST_SHA512:
+ return EVP_sha512();
+ }
+ return NULL;
+}
+
static const struct ssh_digest *
ssh_digest_by_alg(int alg)
{
diff --git a/digest.h b/digest.h
index 274574d0e..c7ceeb36f 100644
--- a/digest.h
+++ b/digest.h
@@ -32,6 +32,12 @@
struct sshbuf;
struct ssh_digest_ctx;
+#ifdef WITH_OPENSSL
+#include <openssl/evp.h>
+/* Converts internal digest representation to the OpenSSL one */
+const EVP_MD *ssh_digest_to_md(int digest_type);
+#endif
+
/* Looks up a digest algorithm by name */
int ssh_digest_alg_by_name(const char *name);
diff --git a/ssh-dss.c b/ssh-dss.c
index a23c383dc..ea45e7275 100644
--- a/ssh-dss.c
+++ b/ssh-dss.c
@@ -52,11 +52,15 @@ int
ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
+ EVP_PKEY *pkey = NULL;
DSA_SIG *sig = NULL;
const BIGNUM *sig_r, *sig_s;
- u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
- size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
+ u_char sigblob[SIGBLOB_LEN];
+ size_t rlen, slen;
+ int len;
struct sshbuf *b = NULL;
+ u_char *sigb = NULL;
+ const u_char *psig = NULL;
int ret = SSH_ERR_INVALID_ARGUMENT;
if (lenp != NULL)
@@ -67,17 +71,24 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
if (key == NULL || key->dsa == NULL ||
sshkey_type_plain(key->type) != KEY_DSA)
return SSH_ERR_INVALID_ARGUMENT;
- if (dlen == 0)
- return SSH_ERR_INTERNAL_ERROR;
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
- digest, sizeof(digest))) != 0)
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1)
+ return SSH_ERR_ALLOC_FAIL;
+ ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len,
+ data, datalen);
+ EVP_PKEY_free(pkey);
+ if (ret < 0) {
goto out;
+ }
- if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
+ psig = sigb;
+ if ((sig = d2i_DSA_SIG(NULL, &psig, len)) == NULL) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
+ free(sigb);
+ sigb = NULL;
DSA_SIG_get0(sig, &sig_r, &sig_s);
rlen = BN_num_bytes(sig_r);
@@ -110,7 +121,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
*lenp = len;
ret = 0;
out:
- explicit_bzero(digest, sizeof(digest));
+ free(sigb);
DSA_SIG_free(sig);
sshbuf_free(b);
return ret;
@@ -121,20 +132,20 @@ ssh_dss_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
+ EVP_PKEY *pkey = NULL;
DSA_SIG *sig = NULL;
BIGNUM *sig_r = NULL, *sig_s = NULL;
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
- size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
+ u_char *sigblob = NULL;
+ size_t len, slen;
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
char *ktype = NULL;
+ u_char *sigb = NULL, *psig = NULL;
if (key == NULL || key->dsa == NULL ||
sshkey_type_plain(key->type) != KEY_DSA ||
signature == NULL || signaturelen == 0)
return SSH_ERR_INVALID_ARGUMENT;
- if (dlen == 0)
- return SSH_ERR_INTERNAL_ERROR;
/* fetch signature */
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
@@ -176,25 +187,31 @@ ssh_dss_verify(const struct sshkey *key,
}
sig_r = sig_s = NULL; /* transferred */
- /* sha1 the data */
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
- digest, sizeof(digest))) != 0)
+ if ((slen = i2d_DSA_SIG(sig, NULL)) == 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
-
- switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
- case 1:
- ret = 0;
- break;
- case 0:
- ret = SSH_ERR_SIGNATURE_INVALID;
+ }
+ if ((sigb = malloc(slen)) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
goto out;
- default:
+ }
+ psig = sigb;
+ if ((slen = i2d_DSA_SIG(sig, &psig)) == 0) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) {
+ ret = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+ ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen,
+ sigb, slen);
+ EVP_PKEY_free(pkey);
+
out:
- explicit_bzero(digest, sizeof(digest));
+ free(sigb);
DSA_SIG_free(sig);
BN_clear_free(sig_r);
BN_clear_free(sig_s);
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index 599c7199d..b036796e8 100644
--- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c
@@ -50,11 +50,13 @@ int
ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
{
+ EVP_PKEY *pkey = NULL;
ECDSA_SIG *sig = NULL;
+ unsigned char *sigb = NULL;
+ const unsigned char *psig;
const BIGNUM *sig_r, *sig_s;
int hash_alg;
- u_char digest[SSH_DIGEST_MAX_LENGTH];
- size_t len, dlen;
+ int len;
struct sshbuf *b = NULL, *bb = NULL;
int ret = SSH_ERR_INTERNAL_ERROR;
@@ -67,18 +69,24 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
sshkey_type_plain(key->type) != KEY_ECDSA)
return SSH_ERR_INVALID_ARGUMENT;
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
return SSH_ERR_INTERNAL_ERROR;
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
- digest, sizeof(digest))) != 0)
+
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
+ return SSH_ERR_ALLOC_FAIL;
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
+ datalen);
+ EVP_PKEY_free(pkey);
+ if (ret < 0) {
goto out;
+ }
- if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
+ psig = sigb;
+ if ((sig = d2i_ECDSA_SIG(NULL, &psig, len)) == NULL) {
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
-
if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
goto out;
@@ -102,7 +110,7 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
*lenp = len;
ret = 0;
out:
- explicit_bzero(digest, sizeof(digest));
+ free(sigb);
sshbuf_free(b);
sshbuf_free(bb);
ECDSA_SIG_free(sig);
@@ -115,22 +123,21 @@ ssh_ecdsa_verify(const struct sshkey *key,
const u_char *signature, size_t signaturelen,
const u_char *data, size_t datalen, u_int compat)
{
+ EVP_PKEY *pkey = NULL;
ECDSA_SIG *sig = NULL;
BIGNUM *sig_r = NULL, *sig_s = NULL;
- int hash_alg;
- u_char digest[SSH_DIGEST_MAX_LENGTH];
- size_t dlen;
+ int hash_alg, len;
int ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL, *sigbuf = NULL;
char *ktype = NULL;
+ unsigned char *sigb = NULL, *psig = NULL;
if (key == NULL || key->ecdsa == NULL ||
sshkey_type_plain(key->type) != KEY_ECDSA ||
signature == NULL || signaturelen == 0)
return SSH_ERR_INVALID_ARGUMENT;
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
return SSH_ERR_INTERNAL_ERROR;
/* fetch signature */
@@ -166,28 +173,36 @@ ssh_ecdsa_verify(const struct sshkey *key,
}
sig_r = sig_s = NULL; /* transferred */
- if (sshbuf_len(sigbuf) != 0) {
- ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+ /* Figure out the length */
+ if ((len = i2d_ECDSA_SIG(sig, NULL)) == 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ if ((sigb = malloc(len)) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
- digest, sizeof(digest))) != 0)
+ psig = sigb;
+ if ((len = i2d_ECDSA_SIG(sig, &psig)) == 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
+ }
- switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
- case 1:
- ret = 0;
- break;
- case 0:
- ret = SSH_ERR_SIGNATURE_INVALID;
+ if (sshbuf_len(sigbuf) != 0) {
+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
goto out;
- default:
- ret = SSH_ERR_LIBCRYPTO_ERROR;
+ }
+
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) {
+ ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len);
+ EVP_PKEY_free(pkey);
out:
- explicit_bzero(digest, sizeof(digest));
+ free(sigb);
sshbuf_free(sigbuf);
sshbuf_free(b);
ECDSA_SIG_free(sig);
diff --git a/ssh-rsa.c b/ssh-rsa.c
index 9b14f9a9a..8ef3a6aca 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -37,7 +37,7 @@
#include "openbsd-compat/openssl-compat.h"
-static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
+static int openssh_RSA_verify(int, const u_char *, size_t, u_char *, size_t, EVP_PKEY *);
static const char *
rsa_hash_alg_ident(int hash_alg)
@@ -90,21 +90,6 @@ rsa_hash_id_from_keyname(const char *alg)
return -1;
}
-static int
-rsa_hash_alg_nid(int type)
-{
- switch (type) {
- case SSH_DIGEST_SHA1:
- return NID_sha1;
- case SSH_DIGEST_SHA256:
- return NID_sha256;
- case SSH_DIGEST_SHA512:
- return NID_sha512;
- default:
- return -1;
- }
-}
-
int
ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp)
{
@@ -164,11 +149,10 @@ int
ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, const char *alg_ident)
{
- const BIGNUM *rsa_n;
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
- size_t slen = 0;
- u_int dlen, len;
- int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
+ EVP_PKEY *pkey = NULL;
+ u_char *sig = NULL;
+ int len, slen = 0;
+ int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
struct sshbuf *b = NULL;
if (lenp != NULL)
@@ -180,33 +164,24 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
hash_alg = SSH_DIGEST_SHA1;
else
hash_alg = rsa_hash_id_from_keyname(alg_ident);
+
if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
sshkey_type_plain(key->type) != KEY_RSA)
return SSH_ERR_INVALID_ARGUMENT;
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
- return SSH_ERR_KEY_LENGTH;
slen = RSA_size(key->rsa);
- if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
- return SSH_ERR_INVALID_ARGUMENT;
-
- /* hash the data */
- nid = rsa_hash_alg_nid(hash_alg);
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
- return SSH_ERR_INTERNAL_ERROR;
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
- digest, sizeof(digest))) != 0)
- goto out;
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
+ return SSH_ERR_KEY_LENGTH;
- if ((sig = malloc(slen)) == NULL) {
- ret = SSH_ERR_ALLOC_FAIL;
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
+ return SSH_ERR_ALLOC_FAIL;
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
+ datalen);
+ EVP_PKEY_free(pkey);
+ if (ret < 0) {
goto out;
}
- if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
- ret = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
if (len < slen) {
size_t diff = slen - len;
memmove(sig + diff, sig, len);
@@ -215,6 +190,7 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
ret = SSH_ERR_INTERNAL_ERROR;
goto out;
}
+
/* encode signature */
if ((b = sshbuf_new()) == NULL) {
ret = SSH_ERR_ALLOC_FAIL;
@@ -235,7 +211,6 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
*lenp = len;
ret = 0;
out:
- explicit_bzero(digest, sizeof(digest));
freezero(sig, slen);
sshbuf_free(b);
return ret;
@@ -246,10 +221,10 @@ ssh_rsa_verify(const struct sshkey *key,
const u_char *sig, size_t siglen, const u_char *data, size_t datalen,
const char *alg)
{
- const BIGNUM *rsa_n;
+ EVP_PKEY *pkey = NULL;
char *sigtype = NULL;
int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
- size_t len = 0, diff, modlen, dlen;
+ size_t len = 0, diff, modlen;
struct sshbuf *b = NULL;
u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;
@@ -257,8 +232,7 @@ ssh_rsa_verify(const struct sshkey *key,
sshkey_type_plain(key->type) != KEY_RSA ||
sig == NULL || siglen == 0)
return SSH_ERR_INVALID_ARGUMENT;
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
return SSH_ERR_KEY_LENGTH;
if ((b = sshbuf_from(sig, siglen)) == NULL)
@@ -310,16 +284,15 @@ ssh_rsa_verify(const struct sshkey *key,
explicit_bzero(sigblob, diff);
len = modlen;
}
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
- ret = SSH_ERR_INTERNAL_ERROR;
+
+ if ((pkey = EVP_PKEY_new()) == NULL ||
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) {
+ ret = SSH_ERR_ALLOC_FAIL;
goto out;
}
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
- digest, sizeof(digest))) != 0)
- goto out;
+ ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey);
+ EVP_PKEY_free(pkey);
- ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
- key->rsa);
out:
freezero(sigblob, len);
free(sigtype);
@@ -328,122 +301,26 @@ ssh_rsa_verify(const struct sshkey *key,
return ret;
}
-/*
- * See:
- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
- */
-
-/*
- * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
- * oiw(14) secsig(3) algorithms(2) 26 }
- */
-static const u_char id_sha1[] = {
- 0x30, 0x21, /* type Sequence, length 0x21 (33) */
- 0x30, 0x09, /* type Sequence, length 0x09 */
- 0x06, 0x05, /* type OID, length 0x05 */
- 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
- 0x05, 0x00, /* NULL */
- 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */
-};
-
-/*
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
- * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
- * id-sha256(1) }
- */
-static const u_char id_sha256[] = {
- 0x30, 0x31, /* type Sequence, length 0x31 (49) */
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
- 0x06, 0x09, /* type OID, length 0x09 */
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */
- 0x05, 0x00, /* NULL */
- 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */
-};
-
-/*
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
- * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
- * id-sha256(3) }
- */
-static const u_char id_sha512[] = {
- 0x30, 0x51, /* type Sequence, length 0x51 (81) */
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
- 0x06, 0x09, /* type OID, length 0x09 */
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */
- 0x05, 0x00, /* NULL */
- 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */
-};
-
static int
-rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp)
+openssh_RSA_verify(int hash_alg, const u_char *data, size_t datalen,
+ u_char *sigbuf, size_t siglen, EVP_PKEY *pkey)
{
- switch (hash_alg) {
- case SSH_DIGEST_SHA1:
- *oidp = id_sha1;
- *oidlenp = sizeof(id_sha1);
- break;
- case SSH_DIGEST_SHA256:
- *oidp = id_sha256;
- *oidlenp = sizeof(id_sha256);
- break;
- case SSH_DIGEST_SHA512:
- *oidp = id_sha512;
- *oidlenp = sizeof(id_sha512);
- break;
- default:
- return SSH_ERR_INVALID_ARGUMENT;
- }
- return 0;
-}
+ size_t rsasize = 0;
+ const RSA *rsa;
+ int ret;
-static int
-openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
- u_char *sigbuf, size_t siglen, RSA *rsa)
-{
- size_t rsasize = 0, oidlen = 0, hlen = 0;
- int ret, len, oidmatch, hashmatch;
- const u_char *oid = NULL;
- u_char *decrypted = NULL;
-
- if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0)
- return ret;
- ret = SSH_ERR_INTERNAL_ERROR;
- hlen = ssh_digest_bytes(hash_alg);
- if (hashlen != hlen) {
- ret = SSH_ERR_INVALID_ARGUMENT;
- goto done;
- }
+ rsa = EVP_PKEY_get0_RSA(pkey);
rsasize = RSA_size(rsa);
if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
siglen == 0 || siglen > rsasize) {
ret = SSH_ERR_INVALID_ARGUMENT;
goto done;
}
- if ((decrypted = malloc(rsasize)) == NULL) {
- ret = SSH_ERR_ALLOC_FAIL;
- goto done;
- }
- if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
- RSA_PKCS1_PADDING)) < 0) {
- ret = SSH_ERR_LIBCRYPTO_ERROR;
- goto done;
- }
- if (len < 0 || (size_t)len != hlen + oidlen) {
- ret = SSH_ERR_INVALID_FORMAT;
- goto done;
- }
- oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
- hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
- if (!oidmatch || !hashmatch) {
- ret = SSH_ERR_SIGNATURE_INVALID;
- goto done;
- }
- ret = 0;
+
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen,
+ sigbuf, siglen);
+
done:
- freezero(decrypted, rsasize);
return ret;
}
#endif /* WITH_OPENSSL */
diff --git a/sshkey.c b/sshkey.c
index ad1957762..b95ed0b10 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -358,6 +358,83 @@ sshkey_type_plain(int type)
}
#ifdef WITH_OPENSSL
+int
+sshkey_calculate_signature(EVP_PKEY *pkey, int hash_alg, u_char **sigp,
+ int *lenp, const u_char *data, size_t datalen)
+{
+ EVP_MD_CTX *ctx = NULL;
+ u_char *sig = NULL;
+ int ret, slen, len;
+
+ if (sigp == NULL || lenp == NULL) {
+ return SSH_ERR_INVALID_ARGUMENT;
+ }
+
+ slen = EVP_PKEY_size(pkey);
+ if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
+ return SSH_ERR_INVALID_ARGUMENT;
+
+ len = slen;
+ if ((sig = malloc(slen)) == NULL) {
+ return SSH_ERR_ALLOC_FAIL;
+ }
+
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
+ ret = SSH_ERR_ALLOC_FAIL;
+ goto error;
+ }
+ if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
+ EVP_SignUpdate(ctx, data, datalen) <= 0 ||
+ EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto error;
+ }
+
+ *sigp = sig;
+ *lenp = len;
+ /* Now owned by the caller */
+ sig = NULL;
+ ret = 0;
+
+error:
+ EVP_MD_CTX_free(ctx);
+ free(sig);
+ return ret;
+}
+
+int
+sshkey_verify_signature(EVP_PKEY *pkey, int hash_alg, const u_char *data,
+ size_t datalen, u_char *sigbuf, int siglen)
+{
+ EVP_MD_CTX *ctx = NULL;
+ int ret;
+
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
+ return SSH_ERR_ALLOC_FAIL;
+ }
+ if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
+ EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto done;
+ }
+ ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
+ switch (ret) {
+ case 1:
+ ret = 0;
+ break;
+ case 0:
+ ret = SSH_ERR_SIGNATURE_INVALID;
+ break;
+ default:
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ break;
+ }
+
+done:
+ EVP_MD_CTX_free(ctx);
+ return ret;
+}
+
/* XXX: these are really begging for a table-driven approach */
int
sshkey_curve_name_to_nid(const char *name)
diff --git a/sshkey.h b/sshkey.h
index a91e60436..270901a87 100644
--- a/sshkey.h
+++ b/sshkey.h
@@ -179,6 +179,10 @@ const char *sshkey_ssh_name(const struct sshkey *);
const char *sshkey_ssh_name_plain(const struct sshkey *);
int sshkey_names_valid2(const char *, int);
char *sshkey_alg_list(int, int, int, char);
+int sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
+ int *, const u_char *, size_t);
+int sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
+ size_t, u_char *, int);
int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
int sshkey_fromb(struct sshbuf *, struct sshkey **);

View File

@ -0,0 +1,137 @@
commit 2c3ef499bfffce3cfd315edeebf202850ba4e00a
Author: Jakub Jelen <jjelen@redhat.com>
Date: Tue Apr 16 15:35:18 2019 +0200
Use the new OpenSSL KDF
diff --git a/configure.ac b/configure.ac
index 2a455e4e..e01c3d43 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2712,6 +2712,7 @@ if test "x$openssl" = "xyes" ; then
HMAC_CTX_init \
RSA_generate_key_ex \
RSA_get_default_method \
+ EVP_KDF_CTX_new_id \
])
# OpenSSL_add_all_algorithms may be a macro.
diff --git a/kex.c b/kex.c
index b6f041f4..1fbce2bb 100644
--- a/kex.c
+++ b/kex.c
@@ -38,6 +38,9 @@
#ifdef WITH_OPENSSL
#include <openssl/crypto.h>
#include <openssl/dh.h>
+# ifdef HAVE_EVP_KDF_CTX_NEW_ID
+# include <openssl/kdf.h>
+# endif
#endif
#include "ssh.h"
@@ -942,6 +945,95 @@ kex_choose_conf(struct ssh *ssh)
return r;
}
+#ifdef HAVE_EVP_KDF_CTX_NEW_ID
+static const EVP_MD *
+digest_to_md(int digest_type)
+{
+ switch (digest_type) {
+ case SSH_DIGEST_SHA1:
+ return EVP_sha1();
+ case SSH_DIGEST_SHA256:
+ return EVP_sha256();
+ case SSH_DIGEST_SHA384:
+ return EVP_sha384();
+ case SSH_DIGEST_SHA512:
+ return EVP_sha512();
+ }
+ return NULL;
+}
+
+static int
+derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
+ const struct sshbuf *shared_secret, u_char **keyp)
+{
+ struct kex *kex = ssh->kex;
+ EVP_KDF_CTX *ctx = NULL;
+ u_char *key = NULL;
+ int r, key_len;
+
+ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0)
+ return SSH_ERR_INVALID_ARGUMENT;
+ key_len = ROUNDUP(need, key_len);
+ if ((key = calloc(1, key_len)) == NULL) {
+ r = SSH_ERR_ALLOC_FAIL;
+ goto out;
+ }
+
+ ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
+ if (!ctx) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, digest_to_md(kex->hash_alg));
+ if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY,
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
+ if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, hash, hashlen);
+ if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, id);
+ if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+ kex->session_id, kex->session_id_len);
+ if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+ r = EVP_KDF_derive(ctx, key, key_len);
+ if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
+#ifdef DEBUG_KEX
+ fprintf(stderr, "key '%c'== ", id);
+ dump_digest("key", key, key_len);
+#endif
+ *keyp = key;
+ key = NULL;
+ r = 0;
+
+out:
+ free (key);
+ EVP_KDF_CTX_free(ctx);
+ if (r < 0) {
+ return r;
+ }
+ return 0;
+}
+#else
static int
derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
const struct sshbuf *shared_secret, u_char **keyp)
@@ -1004,6 +1096,7 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
ssh_digest_free(hashctx);
return r;
}
+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID */
#define NKEYS 6
int

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,40 @@
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
index dca158de..afdcb1d2 100644
--- a/regress/misc/sk-dummy/sk-dummy.c
+++ b/regress/misc/sk-dummy/sk-dummy.c
@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...)
#endif
}
-uint32_t
+uint32_t __attribute__((visibility("default")))
sk_api_version(void)
{
return SSH_SK_VERSION_MAJOR;
@@ -220,7 +220,7 @@ check_options(struct sk_option **options)
return 0;
}
-int
+int __attribute__((visibility("default")))
sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
const char *application, uint8_t flags, const char *pin,
struct sk_option **options, struct sk_enroll_response **enroll_response)
@@ -467,7 +467,7 @@ sig_ed25519(const uint8_t *message, size_t message_len,
return ret;
}
-int
+int __attribute__((visibility("default")))
sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
const char *application, const uint8_t *key_handle, size_t key_handle_len,
uint8_t flags, const char *pin, struct sk_option **options,
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
return ret;
}
-int
+int __attribute__((visibility("default")))
sk_load_resident_keys(const char *pin, struct sk_option **options,
struct sk_resident_key ***rks, size_t *nrks)
{

View File

@ -0,0 +1,30 @@
diff --git a/channels.c b/channels.c
--- a/channels.c
+++ b/channels.c
@@ -3933,16 +3933,26 @@ x11_create_display_inet(int x11_display_
if (ai->ai_family == AF_INET6)
sock_set_v6only(sock);
if (x11_use_localhost)
set_reuseaddr(sock);
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
debug2("%s: bind port %d: %.100s", __func__,
port, strerror(errno));
close(sock);
+
+ /* do not remove successfully opened
+ * sockets if the request failed because
+ * the protocol IPv4/6 is not available
+ * (e.g. IPv6 may be disabled while being
+ * supported)
+ */
+ if (EADDRNOTAVAIL == errno)
+ continue;
+
for (n = 0; n < num_socks; n++)
close(socks[n]);
num_socks = 0;
break;
}
socks[num_socks++] = sock;
if (num_socks == NUM_SOCKS)
break;

View File

@ -0,0 +1,57 @@
--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
+++ compat.h 2020-10-05 10:10:17.587733113 -0700
@@ -34,7 +34,7 @@
#define SSH_BUG_UTF8TTYMODE 0x00000001
#define SSH_BUG_SIGTYPE 0x00000002
-/* #define unused 0x00000004 */
+#define SSH_BUG_SIGTYPE74 0x00000004
/* #define unused 0x00000008 */
#define SSH_OLD_SESSIONID 0x00000010
/* #define unused 0x00000020 */
--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
+++ compat.c 2020-10-05 10:13:11.637282492 -0700
@@ -65,11 +65,12 @@
{ "OpenSSH_6.5*,"
"OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
SSH_BUG_SIGTYPE},
+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
+ SSH_BUG_SIGTYPE74},
{ "OpenSSH_7.0*,"
"OpenSSH_7.1*,"
"OpenSSH_7.2*,"
"OpenSSH_7.3*,"
- "OpenSSH_7.4*,"
"OpenSSH_7.5*,"
"OpenSSH_7.6*,"
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
@@ -1305,6 +1305,26 @@
break;
}
free(oallowed);
+ /*
+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
+ * support. For that release, check the local policy against the
+ * SHA2 signature types.
+ */
+ if (alg == NULL &&
+ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
+ oallowed = allowed = xstrdup(options.pubkey_key_types);
+ while ((cp = strsep(&allowed, ",")) != NULL) {
+ if (sshkey_type_from_name(cp) != key->type)
+ continue;
+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
+ if (tmp != NULL)
+ alg = xstrdup(cp);
+ free(tmp);
+ if (alg != NULL)
+ break;
+ }
+ free(oallowed);
+ }
return alg;
}

View File

@ -0,0 +1,14 @@
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index e0768c06..5065ae7e 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_pselect6
SC_ALLOW(__NR_pselect6),
#endif
+#ifdef __NR_pselect6_time64
+ SC_ALLOW(__NR_pselect6_time64),
+#endif
#ifdef __NR_read
SC_ALLOW(__NR_read),
#endif

View File

@ -0,0 +1,130 @@
From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
From: Oleg <Fallmay@users.noreply.github.com>
Date: Thu, 1 Oct 2020 12:09:08 +0300
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
---
contrib/ssh-copy-id | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f94..a76907717 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -247,7 +247,7 @@ installkeys_sh() {
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
# the cat adds the keys we're getting via STDIN
# and if available restorecon is used to restore the SELinux context
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
cd;
umask 077;
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
@@ -258,6 +258,7 @@ installkeys_sh() {
restorecon -F .ssh ${AUTH_KEY_FILE};
fi
EOF
+ )
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Sat, 3 Oct 2020 00:20:07 +0200
Subject: [PATCH] un-nest $() to make ksh cheerful
---
ssh-copy-id | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Fri, 2 Oct 2020 21:30:10 +0200
Subject: [PATCH] ksh doesn't grok 'local'
and AFAICT it's not actually doing anything useful in the code, so let's
see how things go without it.
---
ssh-copy-id | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index a769077..11c9463 100755
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -76,7 +76,7 @@ quote() {
}
use_id_file() {
- local L_ID_FILE="$1"
+ L_ID_FILE="$1"
if [ -z "$L_ID_FILE" ] ; then
printf '%s: ERROR: no ID file found\n' "$0"
@@ -94,7 +94,7 @@ use_id_file() {
# check that the files are readable
for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
- local L_PRIVMSG=""
+ L_PRIVMSG=""
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
exit 1
@@ -169,7 +169,7 @@ fi
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
# and has the side effect of setting $NEW_IDS
populate_new_ids() {
- local L_SUCCESS="$1"
+ L_SUCCESS="$1"
# shellcheck disable=SC2086
if [ "$FORCED" ] ; then
@@ -181,13 +181,12 @@ populate_new_ids() {
eval set -- "$SSH_OPTS"
umask 0177
- local L_TMP_ID_FILE
L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
printf '%s: ERROR: mktemp failed\n' "$0" >&2
exit 1
fi
- local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
+ L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
# shellcheck disable=SC2064
trap "$L_CLEANUP" EXIT TERM INT QUIT
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
@@ -237,7 +236,7 @@ populate_new_ids() {
# produce a one-liner to add the keys to remote authorized_keys file
# optionally takes an alternative path for authorized_keys
installkeys_sh() {
- local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
+ AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
# In setting INSTALLKEYS_SH:
# the tr puts it all on one line (to placate tcsh)
--
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 11c9463..ee3f637 100755
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -237,6 +237,7 @@ populate_new_ids() {
# optionally takes an alternative path for authorized_keys
installkeys_sh() {
AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
+ AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
# In setting INSTALLKEYS_SH:
# the tr puts it all on one line (to placate tcsh)
@@ -249,7 +250,7 @@ installkeys_sh() {
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
cd;
umask 077;
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+ mkdir -p "${AUTH_KEY_DIR}" &&
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
cat >> ${AUTH_KEY_FILE} ||
exit 1;
--

21
openssh.rpmlintrc Normal file
View File

@ -0,0 +1,21 @@
# I do not know about any better place where to put profile files
addFilter(r'openssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-ssh-askpass.c?sh')
# The ssh-keysign is not supposed to have standard permissions
addFilter(r'openssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/ssh-keysign 2555')
addFilter(r'openssh.x86_64: E: setgid-binary /usr/libexec/openssh/ssh-keysign ssh_keys 2555')
addFilter(r'openssh.x86_64: W: non-standard-gid /usr/libexec/openssh/ssh-keysign ssh_keys')
# The -cavs subpackage is internal without documentation
# The -askpass is not intended to be used directly so it is missing documentation
addFilter(r'openssh-(askpass|cavs).x86_64: W: no-documentation')
# sshd config and sysconfig is not supposed to be world readable
addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)')
# The /var/empty/sshd is supposed to have the given permissions
addFilter(r'non-standard-dir-perm /var/empty/sshd 711')
addFilter(r'non-standard-dir-in-var empty')
# Spelling false-positives
addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ')

File diff suppressed because it is too large Load Diff

View File

@ -9,7 +9,6 @@ buffer.c
cleanup.c cleanup.c
cipher.h cipher.h
compat.h compat.h
defines.h
entropy.c entropy.c
entropy.h entropy.h
fatal.c fatal.c

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,20 @@
diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
--- a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
@@ -158,11 +158,12 @@ parse_authorized_key_file(const char *user,
int
pam_user_key_allowed(const char *ruser, struct sshkey * key)
{
+ struct passwd *pw;
return
- pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
- key, authorized_keys_file)
- || pamsshagentauth_user_key_allowed2(getpwuid(0), key,
- authorized_keys_file)
+ ( (pw = getpwuid(authorized_keys_file_allowed_owner_uid)) &&
+ pamsshagentauth_user_key_allowed2(pw, key, authorized_keys_file))
+ || ((pw = getpwuid(0)) &&
+ pamsshagentauth_user_key_allowed2(pw, key, authorized_keys_file))
|| pamsshagentauth_user_key_command_allowed2(authorized_keys_command,
authorized_keys_command_user,
getpwnam(ruser), key);

View File

@ -0,0 +1,37 @@
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid 2017-02-07 15:41:53.172334151 +0100
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 15:41:53.174334149 +0100
@@ -238,17 +238,26 @@ ssh_get_authentication_socket_for_uid(ui
}
errno = 0;
- seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
- above, we will temporarily drop UID to the caller */
- if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
+ /* To ensure a race condition is not used to circumvent the stat
+ above, we will temporarily drop UID to the caller */
+ if (seteuid(uid) == -1) {
close(sock);
- if(errno == EACCES)
- fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
+ error("seteuid(%lu) failed with error: %s",
+ (unsigned long) uid, strerror(errno));
return -1;
}
+ if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
+ close(sock);
+ sock = -1;
+ if(errno == EACCES)
+ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
+ }
- seteuid(0); /* we now continue the regularly scheduled programming */
-
+ /* we now continue the regularly scheduled programming */
+ if (0 != seteuid(0)) {
+ fatal("setuid(0) failed with error: %s", strerror(errno));
+ return -1;
+ }
return sock;
}

View File

@ -1,27 +0,0 @@
diff -up pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c.seteuid pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c
--- pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c.seteuid 2010-09-08 08:54:29.000000000 +0200
+++ pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c 2010-11-22 08:38:05.000000000 +0100
@@ -131,13 +131,18 @@ ssh_get_authentication_socket_for_uid(ui
}
errno = 0;
- seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
- above, we will temporarily drop UID to the caller */
+ /* To ensure a race condition is not used to circumvent the stat
+ above, we will temporarily drop UID to the caller */
+ if (seteuid(uid) == -1) {
+ close(sock);
+ error("seteuid(%lu) failed", (unsigned long) uid);
+ return -1;
+ }
if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
close(sock);
- if(errno == EACCES)
- fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
- return -1;
+ sock = -1;
+ if(errno == EACCES)
+ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
}
seteuid(0); /* we now continue the regularly scheduled programming */

View File

@ -1,41 +1,42 @@
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/identity.h
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent 2014-03-31 19:35:16.000000000 +0200 --- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h 2016-01-22 15:47:15.999919059 +0100 +++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2017-09-27 14:25:49.421739027 +0200
@@ -38,6 +38,12 @@ @@ -38,6 +38,12 @@
typedef struct identity Identity; typedef struct identity Identity;
typedef struct idlist Idlist; typedef struct idlist Idlist;
+typedef struct { +typedef struct {
+ int fd; + int fd;
+ Buffer identities; + struct sshbuf *identities;
+ int howmany; + int howmany;
+} AuthenticationConnection; +} AuthenticationConnection;
+ +
struct identity { struct identity {
TAILQ_ENTRY(identity) next; TAILQ_ENTRY(identity) next;
AuthenticationConnection *ac; /* set if agent supports key */ AuthenticationConnection *ac; /* set if agent supports key */
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent 2016-01-22 15:47:15.998919060 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:53:38.427768239 +0100 +++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
@@ -39,6 +39,7 @@ @@ -39,6 +39,7 @@
#include "buffer.h" #include "sshbuf.h"
#include "key.h" #include "sshkey.h"
#include "authfd.h" #include "authfd.h"
+#include "ssherr.h" +#include "ssherr.h"
#include <stdio.h> #include <stdio.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include "ssh2.h" #include "ssh2.h"
@@ -285,36 +286,43 @@ pamsshagentauth_find_authorized_keys(con @@ -291,36 +292,43 @@ pamsshagentauth_find_authorized_keys(con
{ {
Buffer session_id2 = { 0 }; struct sshbuf *session_id2 = NULL;
Identity *id; Identity *id;
- Key *key; - struct sshkey *key;
AuthenticationConnection *ac; AuthenticationConnection *ac;
- char *comment; - char *comment;
uint8_t retval = 0; uint8_t retval = 0;
uid_t uid = getpwnam(ruser)->pw_uid; uid_t uid = getpwnam(ruser)->pw_uid;
+ struct ssh_identitylist *idlist; + struct ssh_identitylist *idlist;
+ int r, i; + int r;
+ unsigned int i;
OpenSSL_add_all_digests(); OpenSSL_add_all_digests();
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename); pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
@ -43,23 +44,23 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-a
if ((ac = ssh_get_authentication_connection_for_uid(uid))) { if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
verbose("Contacted ssh-agent of user %s (%u)", ruser, uid); verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) - for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
+ if ((r = ssh_fetch_identitylist(ac->fd, 2, - {
+ &idlist)) != 0) {
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
+ fprintf(stderr, "error fetching identities for "
+ "protocol %d: %s\n", 2, ssh_err(r));
+ } else {
+ for (i = 0; i < idlist->nkeys; i++)
{
- if(key != NULL) { - if(key != NULL) {
+ if(idlist->keys[i] != NULL) { + if ((r = ssh_fetch_identitylist(ac->fd, &idlist)) != 0) {
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
+ fprintf(stderr, "error fetching identities for "
+ "protocol %d: %s\n", 2, ssh_err(r));
+ } else {
+ for (i = 0; i < idlist->nkeys; i++)
+ {
+ if (idlist->keys[i] != NULL) {
id = xcalloc(1, sizeof(*id)); id = xcalloc(1, sizeof(*id));
- id->key = key; - id->key = key;
- id->filename = comment; - id->filename = comment;
+ id->key = idlist->keys[i]; + id->key = idlist->keys[i];
+ id->filename = idlist->comments[i]; + id->filename = idlist->comments[i];
id->ac = ac; id->ac = ac;
if(userauth_pubkey_from_id(ruser, id, &session_id2)) { if(userauth_pubkey_from_id(ruser, id, session_id2)) {
retval = 1; retval = 1;
} }
- free(id->filename); - free(id->filename);
@ -67,53 +68,29 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-a
free(id); free(id);
if(retval == 1) if(retval == 1)
break; break;
} - }
} - }
buffer_free(&session_id2); + }
+ }
- sshbuf_free(session_id2);
- ssh_close_authentication_connection(ac); - ssh_close_authentication_connection(ac);
+ ssh_free_identitylist(idlist); + sshbuf_free(session_id2);
+ ssh_free_identitylist(idlist);
+ }
+ ssh_close_authentication_socket(ac->fd); + ssh_close_authentication_socket(ac->fd);
+ free(ac); + free(ac);
+ }
} }
else { else {
verbose("No ssh-agent could be contacted"); verbose("No ssh-agent could be contacted");
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent 2016-01-22 15:47:15.995919061 +0100 --- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c 2016-01-22 16:06:20.611464261 +0100 +++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
@@ -55,10 +55,11 @@ extern uint8_t session_id_len; @@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
int (r = sshbuf_put_string(b, pkblob, blen)) != 0)
userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2) fatal("%s: buffer error: %s", __func__, ssh_err(r));
{
- Buffer b = { 0 };
+ Buffer b;
char *pkalg = NULL;
u_char *pkblob = NULL, *sig = NULL;
- u_int blen = 0, slen = 0;
+ u_int blen = 0;
+ size_t slen = 0;
int authenticated = 0;
pkalg = (char *) key_ssh_name(id->key); - if (ssh_agent_sign(id->ac, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b)) != 0)
@@ -82,7 +83,7 @@ userauth_pubkey_from_id(const char *ruse + if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen);
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
goto user_auth_clean_exit; goto user_auth_clean_exit;
/* test for correct signature */ /* test for correct signature */
diff --git a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
--- a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
+++ b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
@@ -85,7 +85,7 @@ userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen);
- if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
goto user_auth_clean_exit;
/* test for correct signature */

View File

@ -1,6 +1,6 @@
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-build openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-build 2016-01-22 14:59:18.943919791 +0100 --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build 2016-11-13 04:24:32.000000000 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:16:12.534599318 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 14:29:41.626116675 +0100
@@ -43,12 +43,31 @@ @@ -43,12 +43,31 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include "ssh2.h" #include "ssh2.h"
@ -42,7 +42,7 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-b
uint8_t i = 0; uint8_t i = 0;
uint32_t rnd = 0; uint32_t rnd = 0;
uint8_t cookie_len; uint8_t cookie_len;
@@ -110,7 +129,7 @@ pamsshagentauth_session_id2_gen(Buffer * @@ -112,7 +131,7 @@ pamsshagentauth_session_id2_gen(Buffer *
if (i % 4 == 0) { if (i % 4 == 0) {
rnd = pamsshagentauth_arc4random(); rnd = pamsshagentauth_arc4random();
} }
@ -51,7 +51,7 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-b
rnd >>= 8; rnd >>= 8;
} }
@@ -142,6 +161,86 @@ pamsshagentauth_session_id2_gen(Buffer * @@ -177,6 +196,86 @@ pamsshagentauth_session_id2_gen(Buffer *
} }
int int
@ -147,39 +147,41 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-b
pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid); pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2)) for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
{ {
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in.psaa-build openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in.psaa-build 2014-03-31 19:35:17.000000000 +0200 --- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build 2016-11-13 04:24:32.000000000 +0100
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in 2016-01-22 15:20:16.479521651 +0100 +++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in 2017-02-07 14:40:14.407566921 +0100
@@ -52,7 +52,7 @@ PATHS= @@ -52,7 +52,7 @@ PATHS=
CC=@CC@ CC=@CC@
LD=@LD@ LD=@LD@
CFLAGS=@CFLAGS@ CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+CPPFLAGS=-I.. -I$(srcdir) -I/usr/include/nss3 -I/usr/include/nspr4 @CPPFLAGS@ $(PATHS) @DEFS@ +CPPFLAGS=-I.. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@ LIBS=@LIBS@
AR=@AR@ AR=@AR@
AWK=@AWK@ AWK=@AWK@
@@ -61,7 +61,7 @@ INSTALL=@INSTALL@ @@ -61,8 +61,8 @@ INSTALL=@INSTALL@
PERL=@PERL@ PERL=@PERL@
SED=@SED@ SED=@SED@
ENT=@ENT@ ENT=@ENT@
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ -LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
-LDFLAGS_SHARED = @LDFLAGS_SHARED@
+LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@ +LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
LDFLAGS_SHARED = @LDFLAGS_SHARED@ +LDFLAGS_SHARED =-Wl,-z,defs @LDFLAGS_SHARED@
EXEEXT=@EXEEXT@ EXEEXT=@EXEEXT@
@@ -72,7 +72,7 @@ PAM_MODULES=pam_ssh_agent_auth.so INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
@@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o uidswap.o ED25519OBJS=ed25519-donna/ed25519.o
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o -PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o +PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o secure_filename.o
MANPAGES_IN = pam_ssh_agent_auth.pod MANPAGES_IN = pam_ssh_agent_auth.pod
@@ -91,13 +91,13 @@ $(PAM_MODULES): Makefile.in config.h @@ -94,13 +94,13 @@ $(PAM_MODULES): Makefile.in config.h
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
-LIBCOMPAT=openbsd-compat/libopenbsd-compat.a -LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
+LIBCOMPAT=../openbsd-compat/libopenbsd-compat.a +LIBCOMPAT=../openbsd-compat/libopenbsd-compat.a
@ -187,10 +189,10 @@ diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in.psaa-build openssh-
(cd openbsd-compat && $(MAKE)) (cd openbsd-compat && $(MAKE))
always: always:
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o -pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam - $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o +pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o ../ssh-sk-client.o
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam -lnss3 + $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) ../ssh-sk-client.o $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
$(MANPAGES): $(MANPAGES_IN) $(MANPAGES): $(MANPAGES_IN)
pod2man --section=8 --release=v0.10.2 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8 pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8

View File

@ -1,2 +1,4 @@
a212baca7ce11d596bd8dcb222859ace pam_ssh_agent_auth-0.10.2.tar.bz2 SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
13009a9156510d8f27e752659075cced openssh-7.2p2.tar.gz SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d

View File

@ -1,168 +1,40 @@
#!/bin/bash #!/bin/bash
# Create the host keys for the OpenSSH server. # Create the host keys for the OpenSSH server.
# KEYTYPE=$1
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment case $KEYTYPE in
# variable. "dsa") ;& # disabled in FIPS
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519" "ed25519")
FIPS=/proc/sys/crypto/fips_enabled
if [ -f /etc/rc.d/init.d/functions ]; then if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
# source function library exit 0
. /etc/rc.d/init.d/functions fi ;;
else "rsa") ;; # always ok
# minimal implimantation of success and failure function "ecdsa") ;;
success() *) # wrong argument
{ exit 12 ;;
echo -en $"[ OK ]\r"
return 0
}
failure()
{
echo -en $"[FAILED]\r"
return 1
}
fi
# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
fips_enabled() {
if [ -r /proc/sys/crypto/fips_enabled ]; then
cat /proc/sys/crypto/fips_enabled
else
echo 0
fi
}
do_rsa1_keygen() {
if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH1 RSA host key: "
rm -f $RSA1_KEY
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA1_KEY
chmod 640 $RSA1_KEY
chmod 644 $RSA1_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA1_KEY{,.pub}
fi
success $"RSA1 key generation"
echo
else
failure $"RSA1 key generation"
echo
exit 1
fi
fi
}
do_rsa_keygen() {
if [ ! -s $RSA_KEY ]; then
echo -n $"Generating SSH2 RSA host key: "
rm -f $RSA_KEY
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $RSA_KEY
chmod 640 $RSA_KEY
chmod 644 $RSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA_KEY{,.pub}
fi
success $"RSA key generation"
echo
else
failure $"RSA key generation"
echo
exit 1
fi
fi
}
do_dsa_keygen() {
if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH2 DSA host key: "
rm -f $DSA_KEY
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $DSA_KEY
chmod 640 $DSA_KEY
chmod 644 $DSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $DSA_KEY{,.pub}
fi
success $"DSA key generation"
echo
else
failure $"DSA key generation"
echo
exit 1
fi
fi
}
do_ecdsa_keygen() {
if [ ! -s $ECDSA_KEY ]; then
echo -n $"Generating SSH2 ECDSA host key: "
rm -f $ECDSA_KEY
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $ECDSA_KEY
chmod 640 $ECDSA_KEY
chmod 644 $ECDSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $ECDSA_KEY{,.pub}
fi
success $"ECDSA key generation"
echo
else
failure $"ECDSA key generation"
echo
exit 1
fi
fi
}
do_ed25519_keygen() {
if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
echo -n $"Generating SSH2 ED25519 host key: "
rm -f $ED25519_KEY
if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
chgrp ssh_keys $ED25519_KEY
chmod 640 $ED25519_KEY
chmod 644 $ED25519_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $ED25519_KEY{,.pub}
fi
success $"ED25519 key generation"
echo
else
failure $"ED25519 key generation"
echo
exit 1
fi
fi
}
if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
exit 0
fi
# legacy options
case $AUTOCREATE_SERVER_KEYS in
NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
esac esac
KEY=/etc/ssh/ssh_host_${KEYTYPE}_key
for KEY in $AUTOCREATE_SERVER_KEYS; do KEYGEN=/usr/bin/ssh-keygen
case $KEY in if [[ ! -x $KEYGEN ]]; then
DSA) do_dsa_keygen;; exit 13
RSA) do_rsa_keygen;; fi
ECDSA) do_ecdsa_keygen;;
ED25519) do_ed25519_keygen;; # remove old keys
esac rm -f $KEY{,.pub}
done
# create new keys
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
exit 1
fi
# sanitize permissions
/usr/bin/chgrp ssh_keys $KEY
/usr/bin/chmod 640 $KEY
/usr/bin/chmod 644 $KEY.pub
if [[ -x /usr/sbin/restorecon ]]; then
/usr/sbin/restorecon $KEY{,.pub}
fi
exit 0

View File

@ -1,11 +0,0 @@
[Unit]
Description=OpenSSH Server Key Generation
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
PartOf=sshd.service sshd.socket
[Service]
ExecStart=/usr/sbin/sshd-keygen
Type=oneshot
RemainAfterExit=yes

5
sshd-keygen.target Normal file
View File

@ -0,0 +1,5 @@
[Unit]
Wants=sshd-keygen@rsa.service
Wants=sshd-keygen@ecdsa.service
Wants=sshd-keygen@ed25519.service
PartOf=sshd.service

11
sshd-keygen@.service Normal file
View File

@ -0,0 +1,11 @@
[Unit]
Description=OpenSSH %i Server Key Generation
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_%i_key
[Service]
Type=oneshot
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/libexec/openssh/sshd-keygen %i
[Install]
WantedBy=sshd-keygen.target

184
sshd.init
View File

@ -1,184 +0,0 @@
#!/bin/bash
#
# sshd Start up the OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: SSH is a protocol for secure remote shell access. \
# This service starts up the OpenSSH server daemon.
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $syslog
# Should-Start: $syslog
# Should-Stop: $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start up the OpenSSH server daemon
# Description: SSH is a protocol for secure remote shell access.
# This service starts up the OpenSSH server daemon.
### END INIT INFO
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
lockfile=/var/lock/subsys/$prog
# Some functions to make the below more readable
SSHD=/usr/sbin/sshd
XPID_FILE=/var/run/sshd.pid
PID_FILE=/var/run/sshd-s.pid
runlevel=$(set -- $(runlevel); eval "echo \$$#" )
do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ $RETVAL -ne 0 ]; then
failure $"Configuration file or keys are invalid"
echo
fi
}
start()
{
[ -x $SSHD ] || exit 5
[ -f /etc/ssh/sshd_config ] || exit 6
# Create keys if necessary
/usr/sbin/sshd-keygen
echo -n $"Starting $prog: "
$SSHD $OPTIONS && success || failure
RETVAL=$?
[ $RETVAL -eq 0 ] && touch $lockfile
[ $RETVAL -eq 0 ] && cp -f $XPID_FILE $PID_FILE
echo
return $RETVAL
}
stop()
{
echo -n $"Stopping $prog: "
if [ ! -f "$PID_FILE" ]; then
# not running; per LSB standards this is "ok"
action $"Stopping $prog: " /bin/true
return 0
fi
PID=`cat "$PID_FILE"`
if [ -n "$PID" ]; then
/bin/kill "$PID" >/dev/null 2>&1
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
RETVAL=1
action $"Stopping $prog: " /bin/false
else
action $"Stopping $prog: " /bin/true
fi
else
# failed to read pidfile
action $"Stopping $prog: " /bin/false
RETVAL=4
fi
# if we are in halt or reboot runlevel kill all running sessions
# so the TCP connections are closed cleanly
if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
trap '' TERM
killall $prog 2>/dev/null
trap TERM
fi
[ $RETVAL -eq 0 ] && rm -f $lockfile
rm -f "$PID_FILE"
return $RETVAL
}
reload()
{
echo -n $"Reloading $prog: "
if [ -n "`pidfileofproc $SSHD`" ] ; then
killproc $SSHD -HUP
else
failure $"Reloading $prog"
fi
RETVAL=$?
echo
}
restart() {
stop
start
}
force_reload() {
restart
}
rh_status() {
status -p $PID_FILE openssh-daemon
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
start
;;
stop)
if ! rh_status_q; then
rm -f $lockfile
exit 0
fi
stop
;;
restart)
restart
;;
reload)
rh_status_q || exit 7
reload
;;
force-reload)
force_reload
;;
condrestart|try-restart)
rh_status_q || exit 0
if [ -f $lockfile ] ; then
do_restart_sanity_check
if [ $RETVAL -eq 0 ] ; then
stop
# avoid race
sleep 3
start
else
RETVAL=6
fi
fi
;;
status)
rh_status
RETVAL=$?
if [ $RETVAL -eq 3 -a -f $lockfile ] ; then
RETVAL=2
fi
;;
*)
echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}"
RETVAL=2
esac
exit $RETVAL

View File

@ -1,9 +1,7 @@
#%PAM-1.0 #%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth auth substack password-auth
auth include postlogin auth include postlogin
# Used with polkit to reauthorize users in remote sessions account required pam_sepermit.so
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so account required pam_nologin.so
account include password-auth account include password-auth
password include password-auth password include password-auth
@ -14,7 +12,6 @@ session required pam_loginuid.so
session required pam_selinux.so open env_params session required pam_selinux.so open env_params
session required pam_namespace.so session required pam_namespace.so
session optional pam_keyinit.so force revoke session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth session include password-auth
session include postlogin session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare

View File

@ -1,14 +1,13 @@
[Unit] [Unit]
Description=OpenSSH server daemon Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5) Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service After=network.target sshd-keygen.target
Wants=sshd-keygen.service Wants=sshd-keygen.target
[Service] [Service]
Type=forking Type=notify
PIDFile=/var/run/sshd.pid
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd $OPTIONS ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID ExecReload=/bin/kill -HUP $MAINPID
KillMode=process KillMode=process
Restart=on-failure Restart=on-failure

View File

@ -1,15 +1,7 @@
# Configuration file for the sshd service. # Configuration file for the sshd service.
# The server keys are automatically generated if they are missing. # The server keys are automatically generated if they are missing.
# To change the automatic creation uncomment and change the appropriate # To change the automatic creation, adjust sshd.service options for
# line. Accepted key types are: DSA RSA ECDSA ED25519. # example using systemctl enable sshd-keygen@dsa.service to allow creation
# The default is "RSA ECDSA ED25519" # of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
# creation.
# AUTOCREATE_SERVER_KEYS=""
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing
SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1

View File

@ -1,8 +1,8 @@
[Unit] [Unit]
Description=OpenSSH per-connection server daemon Description=OpenSSH per-connection server daemon
Documentation=man:sshd(8) man:sshd_config(5) Documentation=man:sshd(8) man:sshd_config(5)
Wants=sshd-keygen.service Wants=sshd-keygen.target
After=sshd-keygen.service After=sshd-keygen.target
[Service] [Service]
EnvironmentFile=-/etc/sysconfig/sshd EnvironmentFile=-/etc/sysconfig/sshd

View File

@ -0,0 +1,64 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
# Description: This is a basic sanity test for pam_ssh_agent_auth
# Author: Jakub Jelen <jjelen@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/openssh/Sanity/pam_ssh_agent_auth
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE pam_save_ssh_var.c
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
-include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Jakub Jelen <jjelen@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: This is basic sanity test for pam_ssh_agent_auth" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: openssh" >> $(METADATA)
@echo "Requires: openssh pam_ssh_agent_auth pam-devel expect" >> $(METADATA)
@echo "RhtsRequires: library(distribution/fips)" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)

View File

@ -0,0 +1,7 @@
PURPOSE of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
Description: This is basic sanity test for pam_ssh_agent_auth
Author: Jakub Jelen <jjelen@redhat.com>
Created as a response to rhbz#1251777 and previous one rhbz#1225106.
The code of pam module is outdated and compiled with current openssh
version which went through quite enough refactoring.

View File

@ -0,0 +1,73 @@
/*
This simple pam module saves the content of SSH_USER_AUTH variable to /tmp/SSH_USER_AUTH
file.
Setup:
- gcc -fPIC -DPIC -shared -rdynamic -o pam_save_ssh_var.o pam_save_ssh_var.c
- copy pam_save_ssh_var.o to /lib/security resp. /lib64/security
- add to /etc/pam.d/sshd
auth requisite pam_save_ssh_var.o
*/
/* Define which PAM interfaces we provide */
#define PAM_SM_ACCOUNT
#define PAM_SM_AUTH
#define PAM_SM_PASSWORD
#define PAM_SM_SESSION
/* Include PAM headers */
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <stdlib.h>
#include <stdio.h>
int save_ssh_var(pam_handle_t *pamh, const char *phase) {
FILE *fp;
const char *var;
fp = fopen("/tmp/SSH_USER_AUTH","a");
fprintf(fp, "BEGIN (%s)\n", phase);
var = pam_getenv(pamh, "SSH_USER_AUTH");
if (var != NULL) {
fprintf(fp, "SSH_USER_AUTH: '%s'\n", var);
}
fprintf(fp, "END (%s)\n", phase);
fclose(fp);
return 0;
}
/* PAM entry point for session creation */
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
return(PAM_IGNORE);
}
/* PAM entry point for session cleanup */
int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
return(PAM_IGNORE);
}
/* PAM entry point for accounting */
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
return(PAM_IGNORE);
}
/* PAM entry point for authentication verification */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
save_ssh_var(pamh, "auth");
return(PAM_IGNORE);
}
/*
PAM entry point for setting user credentials (that is, to actually
establish the authenticated user's credentials to the service provider)
*/
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
return(PAM_IGNORE);
}
/* PAM entry point for authentication token (password) changes */
int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
return(PAM_IGNORE);
}

View File

@ -0,0 +1,184 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
# Description: This is a basic sanity test for pam_ssh_agent_auth
# Author: Jakub Jelen <jjelen@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="openssh"
PAM_SUDO="/etc/pam.d/sudo"
PAM_SSHD="/etc/pam.d/sshd"
PAM_MODULE="pam_save_ssh_var"
SUDOERS_CFG="/etc/sudoers.d/01_pam_ssh_auth"
SSHD_CFG="/etc/ssh/sshd_config"
USER="testuser$RANDOM"
PASS="testpassxy4re.3298fhdsaf"
AUTH_KEYS="/etc/security/authorized_keys"
AK_COMMAND_BIN="/root/ak.sh"
AK_COMMAND_KEYS="/root/akeys"
declare -a KEYS=("rsa" "ecdsa")
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlAssertRpm pam_ssh_agent_auth
rlImport distribution/fips
rlServiceStart sshd
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "cp ${PAM_MODULE}.c $TmpDir/"
rlRun "pushd $TmpDir"
rlFileBackup --clean $PAM_SUDO /etc/sudoers /etc/sudoers.d/ /etc/security/ $AUTH_KEYS
rlRun "sed -i '1 a\
auth sufficient pam_ssh_agent_auth.so file=$AUTH_KEYS' $PAM_SUDO"
rlRun "echo 'Defaults env_keep += \"SSH_AUTH_SOCK\"' > $SUDOERS_CFG"
rlRun "echo 'Defaults !requiretty' >> $SUDOERS_CFG"
grep '^%wheel' /etc/sudoers || \
rlRun "echo '%wheel ALL=(ALL) ALL' >> $SUDOERS_CFG"
rlRun "useradd $USER -G wheel"
rlRun "echo $PASS |passwd --stdin $USER"
rlPhaseEnd
if ! fipsIsEnabled; then
KEYS+=("dsa")
fi
for KEY in "${KEYS[@]}"; do
rlPhaseStartTest "Test with key type $KEY"
rlRun "su $USER -c 'ssh-keygen -t $KEY -f ~/.ssh/my_id_$KEY -N \"\"'" 0
# Without authorized_keys, the authentication should fail
rlRun -s "su $USER -c 'eval \`ssh-agent\`; sudo id; ssh-agent -k'" 0
rlAssertNotGrep "uid=0(root) gid=0(root)" $rlRun_LOG
# Append the keys only to make sure we can match also the non-first line
rlRun "cat ~$USER/.ssh/my_id_${KEY}.pub >> $AUTH_KEYS"
rlRun -s "su $USER -c 'eval \`ssh-agent\`; ssh-add ~/.ssh/my_id_$KEY; sudo id; ssh-agent -k'"
rlAssertGrep "uid=0(root) gid=0(root)" $rlRun_LOG
rlPhaseEnd
done
if rlIsRHEL '<6.8' || ( rlIsRHEL '<7.3' && rlIsRHEL 7 ) ; then
: # not available
else
rlPhaseStartSetup "Setup for authorized_keys_command"
rlFileBackup --namespace ak_command $PAM_SUDO
rlRun "rm -f $AUTH_KEYS"
cat >$AK_COMMAND_BIN <<_EOF
#!/bin/bash
cat $AK_COMMAND_KEYS
_EOF
rlRun "chmod +x $AK_COMMAND_BIN"
rlRun "sed -i 's|.*pam_ssh_agent_auth.*|auth sufficient pam_ssh_agent_auth.so authorized_keys_command=$AK_COMMAND_BIN authorized_keys_command_user=root|' $PAM_SUDO"
rlRun "cat $PAM_SUDO"
rlPhaseEnd
for KEY in "${KEYS[@]}"; do
rlPhaseStartTest "Test authorized_keys_command with key type $KEY (bz1299555, bz1317858)"
rlRun "cat ~$USER/.ssh/my_id_${KEY}.pub >$AK_COMMAND_KEYS"
rlRun -s "su $USER -c 'eval \`ssh-agent\`; ssh-add ~/.ssh/my_id_$KEY; sudo id; ssh-agent -k'"
rlAssertGrep "uid=0(root) gid=0(root)" $rlRun_LOG
rlPhaseEnd
done
rlPhaseStartCleanup "Cleanup for authorized_keys_command"
rlFileRestore --namespace ak_command
rlRun "rm -f $AK_COMMAND_BIN $AK_COMMAND_KEYS"
rlPhaseEnd
fi
if rlIsRHEL '>=7.3'; then # not in Fedora anymore
rlPhaseStartTest "bz1312304 - Exposing information about succesful auth"
rlRun "rlFileBackup --namespace exposing $PAM_SSHD"
rlRun "rlFileBackup --namespace exposing $SSHD_CFG"
rlRun "rlFileBackup --namespace exposing /root/.ssh/"
rlRun "rm -f ~/.ssh/id_rsa*"
rlRun "ssh-keygen -f ~/.ssh/id_rsa -N \"\"" 0
rlRun "ssh-keyscan localhost >~/.ssh/known_hosts" 0
USER_AK_FILE=~$USER/.ssh/authorized_keys
rlRun "cat ~/.ssh/id_rsa.pub >$USER_AK_FILE"
rlRun "chown $USER:$USER $USER_AK_FILE"
rlRun "chmod 0600 $USER_AK_FILE"
rlRun "gcc -fPIC -DPIC -shared -rdynamic -o $PAM_MODULE.o $PAM_MODULE.c"
rlRun "test -d /lib64/security && cp $PAM_MODULE.o /lib64/security/" 0,1
rlRun "test -d /lib/security && cp $PAM_MODULE.o /lib/security/" 0,1
rlRun "sed -i '1 i auth optional $PAM_MODULE.o' $PAM_SSHD"
# pam-and-env should expose information to both PAM and environmental variable;
# we will be testing only env variable here for the time being,
rlRun "echo 'ExposeAuthenticationMethods pam-and-env' >>$SSHD_CFG"
rlRun "sed -i '/^ChallengeResponseAuthentication/ d' $SSHD_CFG"
rlRun "service sshd restart"
rlWaitForSocket 22 -t 5
rlRun -s "ssh -i ~/.ssh/id_rsa $USER@localhost \"env|grep SSH_USER_AUTH\"" 0 \
"Environment variable SSH_USER_AUTH is set"
rlAssertGrep "^SSH_USER_AUTH=publickey:" $rlRun_LOG
rlRun "rm -f $rlRun_LOG"
# pam-only should expose information only to PAM and not to environment variable
rlRun "sed -i 's/pam-and-env/pam-only/' $SSHD_CFG"
rlRun "echo 'AuthenticationMethods publickey,keyboard-interactive:pam' >>$SSHD_CFG"
rlRun "service sshd restart"
rlWaitForSocket 22 -t 5
ssh_with_pass() {
ssh_args=("-i /root/.ssh/id_rsa")
ssh_args+=("$USER@localhost")
cat >ssh.exp <<_EOF
#!/usr/bin/expect -f
set timeout 5
spawn ssh ${ssh_args[*]} "echo CONNECTED; env|grep SSH_USER_AUTH"
expect {
-re {.*[Pp]assword.*} { send -- "$PASS\r"; exp_continue }
timeout { exit 1 }
eof { exit 0 }
}
_EOF
rlRun -s "expect -f ssh.exp"
}
#rlRun -s "ssh ${ssh_args[*]} \"echo CONNECTED; env|grep SSH_USER_AUTH\"" 1 \
#"Environment variable SSH_USER_AUTH is NOT set"
rlRun "ssh_with_pass"
rlRun "grep -q CONNECTED $rlRun_LOG" 0 "Connection was successful"
rlAssertGrep "^SSH_USER_AUTH: 'publickey:" /tmp/SSH_USER_AUTH
rlRun "cat /tmp/SSH_USER_AUTH"
rlRun "rm -f $rlRun_LOG /tmp/SSH_USER_AUTH"
for pm in /lib64/security/$PAM_MODULE.o /lib/security/$PAM_MODULE.o; do
rlRun "test -e $pm && rm -f $pm" 0,1
done
rlRun "rlFileRestore --namespace exposing"
rlPhaseEnd
fi
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlRun "userdel -fr $USER"
rlFileRestore
rlServiceRestore sshd
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

View File

@ -0,0 +1,63 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/openssh/Sanity/port-forwarding
# Description: Testing port forwarding (ideally all possibilities: -L, -R, -D)
# Author: Stanislav Zidek <szidek@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2015 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/openssh/Sanity/port-forwarding
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
-include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Stanislav Zidek <szidek@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Testing port forwarding (ideally all possibilities: -L, -R, -D)" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: openssh" >> $(METADATA)
@echo "Requires: openssh net-tools nc" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: yes" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)

View File

@ -0,0 +1,3 @@
PURPOSE of /CoreOS/openssh/Sanity/port-forwarding
Description: Testing port forwarding (ideally all possibilities: -L, -R, -D)
Author: Stanislav Zidek <szidek@redhat.com>

Some files were not shown because too many files have changed in this diff Show More