Compare commits
200 Commits
Author | SHA1 | Date |
---|---|---|
|
557f728956 | |
|
258db094bd | |
|
d8a80c8be6 | |
|
eced70a8bd | |
|
b6df6b3e29 | |
|
126d278fec | |
|
6a07699454 | |
|
bbe3c2e156 | |
|
a048fcc3d0 | |
|
914eb2d891 | |
|
62e762b7d5 | |
|
dc5e3131ec | |
|
7b064ea363 | |
|
527f79ee8c | |
|
bd35168662 | |
|
3783a5da43 | |
|
9c88962b82 | |
|
7e9d046986 | |
|
10cdecf4f1 | |
|
26c894b07f | |
|
44157573e5 | |
|
4c85eb3d53 | |
|
77aa771110 | |
|
68460c09bb | |
|
dfeecfb1e8 | |
|
fccd87eb18 | |
|
996e25f2f9 | |
|
653d073710 | |
|
ed59cb1783 | |
|
868439f73a | |
|
8b7ddfb28b | |
|
3bd5ced9ee | |
|
7f87bd9cc9 | |
|
5cd9552fc4 | |
|
efd1b7e5c8 | |
|
169fdb8814 | |
|
4e3553bf2a | |
|
a848054c8a | |
|
eb546ec1a7 | |
|
02af5cfa17 | |
|
1cc7c87af2 | |
|
fbd5f1bee2 | |
|
57ba1bd853 | |
|
3e611d91bb | |
|
b2417553a2 | |
|
82f9421fb4 | |
|
51f5c1c99f | |
|
ee9cb005b3 | |
|
2b86acd332 | |
|
a2cffc6e9b | |
|
7f46693182 | |
|
657d132847 | |
|
62361a761c | |
|
c28decf412 | |
|
7254607b91 | |
|
d26b44fe7f | |
|
6a2fce44b5 | |
|
36fef5669a | |
|
5eb2d51328 | |
|
d19ba936f2 | |
|
0ca1614ae2 | |
|
73b069e926 | |
|
5d6a14bd4a | |
|
30922f629c | |
|
358f62be8a | |
|
e9bd9a2128 | |
|
0b10752bbc | |
|
36a44721c5 | |
|
e9a555ffbf | |
|
58ee5c17a8 | |
|
eda4c070da | |
|
4bd6cfb874 | |
|
fdbd5bc6f9 | |
|
3153574729 | |
|
dad744a32b | |
|
56494b92a4 | |
|
50e2b60d3f | |
|
56fdfa2a52 | |
|
f15fbdc5fe | |
|
66e9887b15 | |
|
7f1ad371a4 | |
|
7a14283cba | |
|
ae802a53d8 | |
|
53c9085316 | |
|
f726e51d86 | |
|
751cd9acc7 | |
|
6caa973459 | |
|
4feb6a973f | |
|
b33caef080 | |
|
f660e11adc | |
|
ec02bb9685 | |
|
def1debf2e | |
|
f51d092120 | |
|
cb35953bec | |
|
91aa3d4921 | |
|
81a703d751 | |
|
c53a1d4e90 | |
|
c694548168 | |
|
3339efd12d | |
|
586cf149b5 | |
|
1341391c78 | |
|
3722267e80 | |
|
ae07017120 | |
|
7295e97cd1 | |
|
d711f557f7 | |
|
e8524ac3f4 | |
|
8622e384ef | |
|
ffb1787c07 | |
|
4e5f61c2a0 | |
|
7c726e0a13 | |
|
018ac8d1d9 | |
|
311908c042 | |
|
1b0cc8ff3b | |
|
ba99e00fe8 | |
|
40d2a04909 | |
|
322896958a | |
|
661c7c0582 | |
|
d6cc5f4740 | |
|
a4c0a26cd4 | |
|
57e280d1f4 | |
|
3ae9c1b0c1 | |
|
03264b16f7 | |
|
0b6cc18df0 | |
|
be6a344dcd | |
|
9f2c8b948c | |
|
e8876f1b1f | |
|
6666c19414 | |
|
eaa7af2e41 | |
|
8089081fa9 | |
|
6c9d993869 | |
|
f3715e62da | |
|
97ee52c0a3 | |
|
8ebb9915a3 | |
|
84d3ff9306 | |
|
e815fba204 | |
|
55520c5691 | |
|
178f3a4f56 | |
|
8b9448c5ba | |
|
dba154f20c | |
|
90edc0cc1d | |
|
9409715f65 | |
|
c60b555ac2 | |
|
4c36c2a9ee | |
|
afaf23f6c3 | |
|
bbf61daf97 | |
|
01ba761e18 | |
|
44e2032a0a | |
|
951e3ca00b | |
|
baff4a61a7 | |
|
009e39709f | |
|
600d4011b5 | |
|
e1d855438b | |
|
6c68d655b2 | |
|
191bbb979e | |
|
62f1736470 | |
|
1176788778 | |
|
4ef6823ff4 | |
|
04ca5e7b0b | |
|
48cef7a0b8 | |
|
836590e795 | |
|
ab24bd6608 | |
|
b0815ca514 | |
|
af10de8f01 | |
|
273086d13a | |
|
42fe13ff31 | |
|
077597136c | |
|
aad4430f17 | |
|
7e9748a2b5 | |
|
3cd4899257 | |
|
1ce235ac38 | |
|
6b2140deea | |
|
b4cbb0fe23 | |
|
830acce379 | |
|
cbb6ca5123 | |
|
c8f1381d11 | |
|
92b8e55bea | |
|
bd5b563008 | |
|
c2a9e41702 | |
|
07c951f665 | |
|
a6b5c2c42d | |
|
5f6f10859d | |
|
13efdb1d7f | |
|
6a6c2bc3ab | |
|
0780f33c5f | |
|
bb4b7b77fc | |
|
f61eaad2bd | |
|
c45ece5fe8 | |
|
6996c6f503 | |
|
9b05c6d476 | |
|
667e6f013f | |
|
57349a88a8 | |
|
427beb2f9e | |
|
b1ec43ef50 | |
|
0f4b4ccdea | |
|
38b67ad605 | |
|
4d97279349 | |
|
f284c5eb83 | |
|
32dc9bd1cd | |
|
316553ade0 | |
|
871dc3ed3e |
|
@ -27,3 +27,21 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||||
/pam_ssh_agent_auth-0.10.3.tar.bz2
|
/pam_ssh_agent_auth-0.10.3.tar.bz2
|
||||||
/openssh-7.5p1.tar.gz
|
/openssh-7.5p1.tar.gz
|
||||||
/openssh-7.6p1.tar.gz
|
/openssh-7.6p1.tar.gz
|
||||||
|
/openssh-7.7p1.tar.gz
|
||||||
|
/openssh-7.7p1.tar.gz.asc
|
||||||
|
/DJM-GPG-KEY.gpg
|
||||||
|
/openssh-7.8p1.tar.gz
|
||||||
|
/openssh-7.8p1.tar.gz.asc
|
||||||
|
/openssh-7.9p1.tar.gz
|
||||||
|
/openssh-7.9p1.tar.gz.asc
|
||||||
|
/openssh-8.0p1.tar.gz
|
||||||
|
/openssh-8.0p1.tar.gz.asc
|
||||||
|
/openssh-8.1p1.tar.gz
|
||||||
|
/openssh-8.1p1.tar.gz.asc
|
||||||
|
/openssh-8.2p1.tar.gz
|
||||||
|
/openssh-8.2p1.tar.gz.asc
|
||||||
|
/openssh-8.3p1.tar.gz
|
||||||
|
/openssh-8.3p1.tar.gz.asc
|
||||||
|
/openssh-8.4p1.tar.gz
|
||||||
|
/openssh-8.4p1.tar.gz.asc
|
||||||
|
/pam_ssh_agent_auth-0.10.4.tar.gz
|
||||||
|
|
|
@ -2,15 +2,15 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
|
||||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
|
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
|
||||||
@@ -53,6 +53,7 @@
|
@@ -53,6 +53,7 @@
|
||||||
#include <string.h>
|
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
#include <X11/Xlib.h>
|
#include <X11/Xlib.h>
|
||||||
+#include <glib.h>
|
+#include <glib.h>
|
||||||
#include <gtk/gtk.h>
|
#include <gtk/gtk.h>
|
||||||
#include <gdk/gdkx.h>
|
#include <gdk/gdkx.h>
|
||||||
|
#include <gdk/gdkkeysyms.h>
|
||||||
@@ -81,13 +82,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||||
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
+static void
|
+static void
|
||||||
|
@ -25,57 +25,59 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
static int
|
static int
|
||||||
passphrase_dialog(char *message)
|
passphrase_dialog(char *message, int prompt_type)
|
||||||
{
|
{
|
||||||
const char *failed;
|
const char *failed;
|
||||||
char *passphrase, *local;
|
char *passphrase, *local;
|
||||||
int result, grab_tries, grab_server, grab_pointer;
|
int result, grab_tries, grab_server, grab_pointer;
|
||||||
|
int buttons, default_response;
|
||||||
- GtkWidget *parent_window, *dialog, *entry;
|
- GtkWidget *parent_window, *dialog, *entry;
|
||||||
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
||||||
GdkGrabStatus status;
|
GdkGrabStatus status;
|
||||||
|
GdkColor fg, bg;
|
||||||
|
int fg_set = 0, bg_set = 0;
|
||||||
|
@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
|
||||||
|
gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
|
||||||
|
|
||||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
|
||||||
@@ -104,14 +116,32 @@ passphrase_dialog(char *message)
|
|
||||||
"%s",
|
|
||||||
message);
|
|
||||||
|
|
||||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
||||||
+ FALSE, 0);
|
+ FALSE, 0);
|
||||||
+ gtk_widget_show(hbox);
|
+ gtk_widget_show(hbox);
|
||||||
+
|
+
|
||||||
entry = gtk_entry_new();
|
entry = gtk_entry_new();
|
||||||
|
if (fg_set)
|
||||||
|
gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
|
||||||
|
if (bg_set)
|
||||||
|
gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
|
||||||
gtk_box_pack_start(
|
gtk_box_pack_start(
|
||||||
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), entry,
|
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
|
||||||
- FALSE, FALSE, 0);
|
- entry, FALSE, FALSE, 0);
|
||||||
+ GTK_BOX(hbox), entry,
|
+ GTK_BOX(hbox), entry, TRUE, FALSE, 0);
|
||||||
+ TRUE, FALSE, 0);
|
|
||||||
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
||||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||||
gtk_widget_grab_focus(entry);
|
gtk_widget_grab_focus(entry);
|
||||||
gtk_widget_show(entry);
|
if (prompt_type == PROMPT_ENTRY) {
|
||||||
|
@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
|
||||||
|
g_signal_connect(G_OBJECT(entry), "key_press_event",
|
||||||
|
G_CALLBACK(check_none), dialog);
|
||||||
|
}
|
||||||
|
+
|
||||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
|
||||||
+ FALSE, 8);
|
+ hbox, FALSE, FALSE, 8);
|
||||||
+ gtk_widget_show(hbox);
|
+ gtk_widget_show(hbox);
|
||||||
+
|
+
|
||||||
+ progress = gtk_progress_bar_new();
|
+ progress = gtk_progress_bar_new();
|
||||||
+
|
+
|
||||||
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
|
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
|
||||||
|
+ "Passphrase length hidden intentionally");
|
||||||
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
|
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
|
||||||
+ TRUE, 5);
|
+ TRUE, 5);
|
||||||
+ gtk_widget_show(progress);
|
+ gtk_widget_show(progress);
|
||||||
+
|
|
||||||
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
|
|
||||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
|
||||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
|
||||||
@@ -120,6 +150,8 @@ passphrase_dialog(char *message)
|
|
||||||
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
|
||||||
g_signal_connect(G_OBJECT(entry), "activate",
|
|
||||||
G_CALLBACK(ok_dialog), dialog);
|
|
||||||
+ g_signal_connect(G_OBJECT(entry), "changed",
|
+ g_signal_connect(G_OBJECT(entry), "changed",
|
||||||
+ G_CALLBACK(move_progress), progress);
|
+ G_CALLBACK(move_progress), progress);
|
||||||
|
+
|
||||||
|
}
|
||||||
|
|
||||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
/* Grab focus */
|
||||||
|
|
||||||
|
|
|
@ -1,24 +0,0 @@
|
||||||
diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
|
|
||||||
--- openssh-5.6p1/channels.c.getaddrinfo 2012-02-14 16:12:54.427852524 +0100
|
|
||||||
+++ openssh-5.6p1/channels.c 2012-02-14 16:13:22.818928690 +0100
|
|
||||||
@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
|
|
||||||
memset(&hints, 0, sizeof(hints));
|
|
||||||
hints.ai_family = IPv4or6;
|
|
||||||
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
|
|
||||||
+#ifdef AI_ADDRCONFIG
|
|
||||||
+ hints.ai_flags |= AI_ADDRCONFIG;
|
|
||||||
+#endif
|
|
||||||
hints.ai_socktype = SOCK_STREAM;
|
|
||||||
snprintf(strport, sizeof strport, "%d", port);
|
|
||||||
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
|
|
||||||
diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
|
|
||||||
--- openssh-5.6p1/sshconnect.c.getaddrinfo 2012-02-14 16:09:25.057964291 +0100
|
|
||||||
+++ openssh-5.6p1/sshconnect.c 2012-02-14 16:09:25.106047007 +0100
|
|
||||||
@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
|
|
||||||
memset(&hints, 0, sizeof(hints));
|
|
||||||
hints.ai_family = family;
|
|
||||||
hints.ai_socktype = SOCK_STREAM;
|
|
||||||
+ hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG;
|
|
||||||
snprintf(strport, sizeof strport, "%u", port);
|
|
||||||
if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
|
|
||||||
fatal("%s: Could not resolve hostname %.100s: %s", __progname,
|
|
|
@ -1,12 +0,0 @@
|
||||||
diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
|
|
||||||
--- openssh-6.8p1/packet.c.packet 2015-03-18 10:56:32.286930601 +0100
|
|
||||||
+++ openssh-6.8p1/packet.c 2015-03-18 10:58:38.535629739 +0100
|
|
||||||
@@ -371,6 +371,8 @@ ssh_packet_connection_is_on_socket(struc
|
|
||||||
struct sockaddr_storage from, to;
|
|
||||||
socklen_t fromlen, tolen;
|
|
||||||
|
|
||||||
+ if (!state)
|
|
||||||
+ return 0;
|
|
||||||
if (state->connection_in == -1 || state->connection_out == -1)
|
|
||||||
return 0;
|
|
||||||
|
|
|
@ -1,78 +0,0 @@
|
||||||
diff -up openssh-5.9p1/Makefile.in.wIm openssh-5.9p1/Makefile.in
|
|
||||||
--- openssh-5.9p1/Makefile.in.wIm 2011-08-05 22:15:18.000000000 +0200
|
|
||||||
+++ openssh-5.9p1/Makefile.in 2011-09-12 16:24:18.643674014 +0200
|
|
||||||
@@ -66,7 +66,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
|
||||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
|
||||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
|
||||||
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
|
|
||||||
- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
|
|
||||||
+ readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
|
|
||||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
|
||||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
|
||||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
|
||||||
diff -up openssh-5.9p1/log.h.wIm openssh-5.9p1/log.h
|
|
||||||
--- openssh-5.9p1/log.h.wIm 2011-06-20 06:42:23.000000000 +0200
|
|
||||||
+++ openssh-5.9p1/log.h 2011-09-12 16:34:52.984674326 +0200
|
|
||||||
@@ -65,6 +65,8 @@ void verbose(const char *, ...) __at
|
|
||||||
void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
|
|
||||||
void debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
|
|
||||||
void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
|
|
||||||
+void _debug_wIm_body(const char *, int, const char *, const char *, int);
|
|
||||||
+#define debug_wIm(a,b) _debug_wIm_body(a,b,__func__,__FILE__,__LINE__)
|
|
||||||
|
|
||||||
|
|
||||||
void set_log_handler(log_handler_fn *, void *);
|
|
||||||
diff -up openssh-5.9p1/sshd.c.wIm openssh-5.9p1/sshd.c
|
|
||||||
--- openssh-5.9p1/sshd.c.wIm 2011-06-23 11:45:51.000000000 +0200
|
|
||||||
+++ openssh-5.9p1/sshd.c 2011-09-12 16:38:35.787816490 +0200
|
|
||||||
@@ -140,6 +140,9 @@ int deny_severity;
|
|
||||||
|
|
||||||
extern char *__progname;
|
|
||||||
|
|
||||||
+/* trace of fork processes */
|
|
||||||
+extern int whereIam;
|
|
||||||
+
|
|
||||||
/* Server configuration options. */
|
|
||||||
ServerOptions options;
|
|
||||||
|
|
||||||
@@ -666,6 +669,7 @@ privsep_preauth(Authctxt *authctxt)
|
|
||||||
return 1;
|
|
||||||
} else {
|
|
||||||
/* child */
|
|
||||||
+ whereIam = 1;
|
|
||||||
close(pmonitor->m_sendfd);
|
|
||||||
close(pmonitor->m_log_recvfd);
|
|
||||||
|
|
||||||
@@ -715,6 +719,7 @@ privsep_postauth(Authctxt *authctxt)
|
|
||||||
|
|
||||||
/* child */
|
|
||||||
|
|
||||||
+ whereIam = 2;
|
|
||||||
close(pmonitor->m_sendfd);
|
|
||||||
pmonitor->m_sendfd = -1;
|
|
||||||
|
|
||||||
@@ -1325,6 +1330,8 @@ main(int ac, char **av)
|
|
||||||
Key *key;
|
|
||||||
Authctxt *authctxt;
|
|
||||||
|
|
||||||
+ whereIam = 0;
|
|
||||||
+
|
|
||||||
#ifdef HAVE_SECUREWARE
|
|
||||||
(void)set_auth_parameters(ac, av);
|
|
||||||
#endif
|
|
||||||
diff -up openssh-5.9p1/whereIam.c.wIm openssh-5.9p1/whereIam.c
|
|
||||||
--- openssh-5.9p1/whereIam.c.wIm 2011-09-12 16:24:18.722674167 +0200
|
|
||||||
+++ openssh-5.9p1/whereIam.c 2011-09-12 16:24:18.724674418 +0200
|
|
||||||
@@ -0,0 +1,12 @@
|
|
||||||
+
|
|
||||||
+int whereIam = -1;
|
|
||||||
+
|
|
||||||
+void _debug_wIm_body(const char *txt, int val, const char *func, const char *file, int line)
|
|
||||||
+{
|
|
||||||
+ if (txt)
|
|
||||||
+ debug("%s=%d, %s(%s:%d) wIm = %d, uid=%d, euid=%d", txt, val, func, file, line, whereIam, getuid(), geteuid());
|
|
||||||
+ else
|
|
||||||
+ debug("%s(%s:%d) wIm = %d, uid=%d, euid=%d", func, file, line, whereIam, getuid(), geteuid());
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
|
@ -1,21 +0,0 @@
|
||||||
diff -up openssh-6.1p1/sshconnect2.c.canohost openssh-6.1p1/sshconnect2.c
|
|
||||||
--- openssh-6.1p1/sshconnect2.c.canohost 2012-10-30 10:52:59.593301692 +0100
|
|
||||||
+++ openssh-6.1p1/sshconnect2.c 2012-10-30 11:01:12.870301632 +0100
|
|
||||||
@@ -699,12 +699,15 @@ userauth_gssapi(Authctxt *authctxt)
|
|
||||||
static u_int mech = 0;
|
|
||||||
OM_uint32 min;
|
|
||||||
int ok = 0;
|
|
||||||
- const char *gss_host;
|
|
||||||
+ const char *gss_host = NULL;
|
|
||||||
|
|
||||||
if (options.gss_server_identity)
|
|
||||||
gss_host = options.gss_server_identity;
|
|
||||||
- else if (options.gss_trust_dns)
|
|
||||||
+ else if (options.gss_trust_dns) {
|
|
||||||
gss_host = get_canonical_hostname(active_state, 1);
|
|
||||||
+ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
|
|
||||||
+ gss_host = authctxt->host;
|
|
||||||
+ }
|
|
||||||
else
|
|
||||||
gss_host = authctxt->host;
|
|
||||||
|
|
|
@ -1,157 +0,0 @@
|
||||||
diff -up openssh-7.4p1/configure.ac.vendor openssh-7.4p1/configure.ac
|
|
||||||
--- openssh-7.4p1/configure.ac.vendor 2016-12-23 13:34:51.681253844 +0100
|
|
||||||
+++ openssh-7.4p1/configure.ac 2016-12-23 13:34:51.694253847 +0100
|
|
||||||
@@ -4930,6 +4930,12 @@ AC_ARG_WITH([lastlog],
|
|
||||||
fi
|
|
||||||
]
|
|
||||||
)
|
|
||||||
+AC_ARG_ENABLE(vendor-patchlevel,
|
|
||||||
+ [ --enable-vendor-patchlevel=TAG specify a vendor patch level],
|
|
||||||
+ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
|
||||||
+ SSH_VENDOR_PATCHLEVEL="$enableval"],
|
|
||||||
+ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
|
||||||
+ SSH_VENDOR_PATCHLEVEL=none])
|
|
||||||
|
|
||||||
dnl lastlog, [uw]tmpx? detection
|
|
||||||
dnl NOTE: set the paths in the platform section to avoid the
|
|
||||||
@@ -5194,6 +5200,7 @@ echo " Translate v4 in v6 hack
|
|
||||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
|
||||||
echo " Random number source: $RAND_MSG"
|
|
||||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
|
||||||
+echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
|
|
||||||
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
diff -up openssh-7.4p1/servconf.c.vendor openssh-7.4p1/servconf.c
|
|
||||||
--- openssh-7.4p1/servconf.c.vendor 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/servconf.c 2016-12-23 13:36:07.555268628 +0100
|
|
||||||
@@ -143,6 +143,7 @@ initialize_server_options(ServerOptions
|
|
||||||
options->max_authtries = -1;
|
|
||||||
options->max_sessions = -1;
|
|
||||||
options->banner = NULL;
|
|
||||||
+ options->show_patchlevel = -1;
|
|
||||||
options->use_dns = -1;
|
|
||||||
options->client_alive_interval = -1;
|
|
||||||
options->client_alive_count_max = -1;
|
|
||||||
@@ -325,6 +326,8 @@ fill_default_server_options(ServerOption
|
|
||||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
|
||||||
if (options->version_addendum == NULL)
|
|
||||||
options->version_addendum = xstrdup("");
|
|
||||||
+ if (options->show_patchlevel == -1)
|
|
||||||
+ options->show_patchlevel = 0;
|
|
||||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
|
||||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
|
||||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
|
||||||
@@ -402,7 +405,7 @@ typedef enum {
|
|
||||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sPidFile,
|
|
||||||
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
|
|
||||||
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
|
||||||
- sBanner, sUseDNS, sHostbasedAuthentication,
|
|
||||||
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
|
||||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
|
||||||
sHostKeyAlgorithms,
|
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
|
||||||
@@ -528,6 +531,7 @@ static struct {
|
|
||||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
|
||||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
|
||||||
{ "banner", sBanner, SSHCFG_ALL },
|
|
||||||
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
|
|
||||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
|
||||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
|
||||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
|
||||||
@@ -1369,6 +1373,10 @@ process_server_config_line(ServerOptions
|
|
||||||
intptr = &options->disable_forwarding;
|
|
||||||
goto parse_flag;
|
|
||||||
|
|
||||||
+ case sShowPatchLevel:
|
|
||||||
+ intptr = &options->show_patchlevel;
|
|
||||||
+ goto parse_flag;
|
|
||||||
+
|
|
||||||
case sAllowUsers:
|
|
||||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
|
||||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
|
||||||
@@ -2269,6 +2277,7 @@ dump_config(ServerOptions *o)
|
|
||||||
dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
|
|
||||||
dump_cfg_fmtint(sCompression, o->compression);
|
|
||||||
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
|
|
||||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
|
||||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
|
||||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
|
||||||
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
|
|
||||||
diff -up openssh-7.4p1/servconf.h.vendor openssh-7.4p1/servconf.h
|
|
||||||
--- openssh-7.4p1/servconf.h.vendor 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/servconf.h 2016-12-23 13:34:51.694253847 +0100
|
|
||||||
@@ -149,6 +149,7 @@ typedef struct {
|
|
||||||
int max_authtries;
|
|
||||||
int max_sessions;
|
|
||||||
char *banner; /* SSH-2 banner message */
|
|
||||||
+ int show_patchlevel; /* Show vendor patch level to clients */
|
|
||||||
int use_dns;
|
|
||||||
int client_alive_interval; /*
|
|
||||||
* poke the client this often to
|
|
||||||
diff -up openssh-7.4p1/sshd_config.0.vendor openssh-7.4p1/sshd_config.0
|
|
||||||
--- openssh-7.4p1/sshd_config.0.vendor 2016-12-23 13:34:51.695253847 +0100
|
|
||||||
+++ openssh-7.4p1/sshd_config.0 2016-12-23 13:36:53.146277511 +0100
|
|
||||||
@@ -792,6 +792,11 @@ DESCRIPTION
|
|
||||||
ssh-keygen(1). For more information on KRLs, see the KEY
|
|
||||||
REVOCATION LISTS section in ssh-keygen(1).
|
|
||||||
|
|
||||||
+ ShowPatchLevel
|
|
||||||
+ Specifies whether sshd will display the specific patch level of
|
|
||||||
+ the binary in the server identification string. The patch level
|
|
||||||
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
|
||||||
+
|
|
||||||
StreamLocalBindMask
|
|
||||||
Sets the octal file creation mode mask (umask) used when creating
|
|
||||||
a Unix-domain socket file for local or remote port forwarding.
|
|
||||||
diff -up openssh-7.4p1/sshd_config.5.vendor openssh-7.4p1/sshd_config.5
|
|
||||||
--- openssh-7.4p1/sshd_config.5.vendor 2016-12-23 13:34:51.695253847 +0100
|
|
||||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:37:17.482282253 +0100
|
|
||||||
@@ -1334,6 +1334,13 @@ an OpenSSH Key Revocation List (KRL) as
|
|
||||||
.Xr ssh-keygen 1 .
|
|
||||||
For more information on KRLs, see the KEY REVOCATION LISTS section in
|
|
||||||
.Xr ssh-keygen 1 .
|
|
||||||
+.It Cm ShowPatchLevel
|
|
||||||
+Specifies whether
|
|
||||||
+.Nm sshd
|
|
||||||
+will display the patch level of the binary in the identification string.
|
|
||||||
+The patch level is set at compile-time.
|
|
||||||
+The default is
|
|
||||||
+.Dq no .
|
|
||||||
.It Cm StreamLocalBindMask
|
|
||||||
Sets the octal file creation mode mask
|
|
||||||
.Pq umask
|
|
||||||
diff -up openssh-7.4p1/sshd_config.vendor openssh-7.4p1/sshd_config
|
|
||||||
--- openssh-7.4p1/sshd_config.vendor 2016-12-23 13:34:51.690253846 +0100
|
|
||||||
+++ openssh-7.4p1/sshd_config 2016-12-23 13:34:51.695253847 +0100
|
|
||||||
@@ -105,6 +105,7 @@ X11Forwarding yes
|
|
||||||
#Compression delayed
|
|
||||||
#ClientAliveInterval 0
|
|
||||||
#ClientAliveCountMax 3
|
|
||||||
+#ShowPatchLevel no
|
|
||||||
#UseDNS no
|
|
||||||
#PidFile /var/run/sshd.pid
|
|
||||||
#MaxStartups 10:30:100
|
|
||||||
diff -up openssh-7.4p1/sshd.c.vendor openssh-7.4p1/sshd.c
|
|
||||||
--- openssh-7.4p1/sshd.c.vendor 2016-12-23 13:34:51.682253844 +0100
|
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 13:38:32.434296856 +0100
|
|
||||||
@@ -367,7 +367,8 @@ sshd_exchange_identification(struct ssh
|
|
||||||
char remote_version[256]; /* Must be at least as big as buf. */
|
|
||||||
|
|
||||||
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
|
|
||||||
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
|
||||||
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
|
|
||||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
|
||||||
*options.version_addendum == '\0' ? "" : " ",
|
|
||||||
options.version_addendum);
|
|
||||||
|
|
||||||
@@ -1650,7 +1651,8 @@ main(int ac, char **av)
|
|
||||||
exit(1);
|
|
||||||
}
|
|
||||||
|
|
||||||
- debug("sshd version %s, %s", SSH_VERSION,
|
|
||||||
+ debug("sshd version %s, %s",
|
|
||||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
|
||||||
#ifdef WITH_OPENSSL
|
|
||||||
SSLeay_version(SSLEAY_VERSION)
|
|
||||||
#else
|
|
|
@ -1,247 +0,0 @@
|
||||||
diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
|
|
||||||
--- openssh-6.3p1/auth-krb5.c.ccache_name 2013-10-23 22:03:52.322950759 +0200
|
|
||||||
+++ openssh-6.3p1/auth-krb5.c 2013-10-23 22:04:24.295799873 +0200
|
|
||||||
@@ -50,7 +50,9 @@
|
|
||||||
#include <errno.h>
|
|
||||||
#include <unistd.h>
|
|
||||||
#include <string.h>
|
|
||||||
+#include <sys/stat.h>
|
|
||||||
#include <krb5.h>
|
|
||||||
+#include <profile.h>
|
|
||||||
|
|
||||||
extern ServerOptions options;
|
|
||||||
|
|
||||||
@@ -91,6 +93,7 @@ auth_krb5_password(Authctxt *authctxt, c
|
|
||||||
#endif
|
|
||||||
krb5_error_code problem;
|
|
||||||
krb5_ccache ccache = NULL;
|
|
||||||
+ const char *ccache_type;
|
|
||||||
int len;
|
|
||||||
char *client, *platform_client;
|
|
||||||
const char *errmsg;
|
|
||||||
@@ -191,12 +194,30 @@ auth_krb5_password(Authctxt *authctxt, c
|
|
||||||
goto out;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
|
||||||
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
|
||||||
|
|
||||||
- len = strlen(authctxt->krb5_ticket_file) + 6;
|
|
||||||
+ if (authctxt->krb5_ticket_file[0] == ':')
|
|
||||||
+ authctxt->krb5_ticket_file++;
|
|
||||||
+
|
|
||||||
+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;
|
|
||||||
authctxt->krb5_ccname = xmalloc(len);
|
|
||||||
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
|
|
||||||
+
|
|
||||||
+#ifdef USE_CCAPI
|
|
||||||
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
|
|
||||||
authctxt->krb5_ticket_file);
|
|
||||||
+#else
|
|
||||||
+ snprintf(authctxt->krb5_ccname, len, "%s:%s",
|
|
||||||
+ ccache_type, authctxt->krb5_ticket_file);
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ if (strcmp(ccache_type, "DIR") == 0) {
|
|
||||||
+ char *p;
|
|
||||||
+ p = strrchr(authctxt->krb5_ccname, '/');
|
|
||||||
+ if (p)
|
|
||||||
+ *p = '\0';
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
|
|
||||||
#ifdef USE_PAM
|
|
||||||
if (options.use_pam)
|
|
||||||
@@ -235,10 +256,34 @@ auth_krb5_password(Authctxt *authctxt, c
|
|
||||||
void
|
|
||||||
krb5_cleanup_proc(Authctxt *authctxt)
|
|
||||||
{
|
|
||||||
+ struct stat krb5_ccname_stat;
|
|
||||||
+ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;
|
|
||||||
+
|
|
||||||
debug("krb5_cleanup_proc called");
|
|
||||||
if (authctxt->krb5_fwd_ccache) {
|
|
||||||
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
|
||||||
authctxt->krb5_fwd_ccache = NULL;
|
|
||||||
+
|
|
||||||
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
|
|
||||||
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
|
|
||||||
+ *krb5_ccname_dir_start++ = '\0';
|
|
||||||
+ if (strcmp(krb5_ccname, "DIR") == 0) {
|
|
||||||
+
|
|
||||||
+ strcat(krb5_ccname_dir_start, "/primary");
|
|
||||||
+
|
|
||||||
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
|
|
||||||
+ if (unlink(krb5_ccname_dir_start) == 0) {
|
|
||||||
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
|
|
||||||
+ *krb5_ccname_dir_end = '\0';
|
|
||||||
+ if (rmdir(krb5_ccname_dir_start) == -1)
|
|
||||||
+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ debug("cache primary file '%s', remove failed: %s",
|
|
||||||
+ krb5_ccname_dir_start, strerror(errno)
|
|
||||||
+ );
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
if (authctxt->krb5_user) {
|
|
||||||
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
|
||||||
@@ -250,34 +295,139 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+int
|
|
||||||
+ssh_asprintf_append(char **dsc, const char *fmt, ...) {
|
|
||||||
+ char *src, *old;
|
|
||||||
+ va_list ap;
|
|
||||||
+ int i;
|
|
||||||
+
|
|
||||||
+ va_start(ap, fmt);
|
|
||||||
+ i = vasprintf(&src, fmt, ap);
|
|
||||||
+ va_end(ap);
|
|
||||||
+
|
|
||||||
+ if (i == -1 || src == NULL)
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ old = *dsc;
|
|
||||||
+
|
|
||||||
+ i = asprintf(dsc, "%s%s", *dsc, src);
|
|
||||||
+ if (i == -1 || src == NULL) {
|
|
||||||
+ free(src);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(old);
|
|
||||||
+ free(src);
|
|
||||||
+
|
|
||||||
+ return i;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+ssh_krb5_expand_template(char **result, const char *template) {
|
|
||||||
+ char *p_n, *p_o, *r, *tmp_template;
|
|
||||||
+
|
|
||||||
+ if (template == NULL)
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ tmp_template = p_n = p_o = xstrdup(template);
|
|
||||||
+ r = xstrdup("");
|
|
||||||
+
|
|
||||||
+ while ((p_n = strstr(p_o, "%{")) != NULL) {
|
|
||||||
+
|
|
||||||
+ *p_n++ = '\0';
|
|
||||||
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
|
|
||||||
+ goto cleanup;
|
|
||||||
+
|
|
||||||
+ if (strncmp(p_n, "{uid}", 5) == 0 || strncmp(p_n, "{euid}", 6) == 0 ||
|
|
||||||
+ strncmp(p_n, "{USERID}", 8) == 0) {
|
|
||||||
+ p_o = strchr(p_n, '}') + 1;
|
|
||||||
+ if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+ else if (strncmp(p_n, "{TEMP}", 6) == 0) {
|
|
||||||
+ p_o = strchr(p_n, '}') + 1;
|
|
||||||
+ if (ssh_asprintf_append(&r, "/tmp") == -1)
|
|
||||||
+ goto cleanup;
|
|
||||||
+ continue;
|
|
||||||
+ } else {
|
|
||||||
+ p_o = strchr(p_n, '}') + 1;
|
|
||||||
+ p_o = '\0';
|
|
||||||
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
|
|
||||||
+ /* unknown token, fallback to the default */
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
|
|
||||||
+ goto cleanup;
|
|
||||||
+
|
|
||||||
+ *result = r;
|
|
||||||
+ free(tmp_template);
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+cleanup:
|
|
||||||
+ free(r);
|
|
||||||
+ free(tmp_template);
|
|
||||||
+ return -1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+krb5_error_code
|
|
||||||
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
|
||||||
+ profile_t p;
|
|
||||||
+ int ret = 0;
|
|
||||||
+ char *value = NULL;
|
|
||||||
+
|
|
||||||
+ ret = krb5_get_profile(ctx, &p);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
+ ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
|
|
||||||
+ if (ret)
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
+ ret = ssh_krb5_expand_template(ccname, value);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#ifndef HEIMDAL
|
|
||||||
krb5_error_code
|
|
||||||
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
|
||||||
int tmpfd, ret, oerrno;
|
|
||||||
- char ccname[40];
|
|
||||||
+ char *ccname;
|
|
||||||
+#ifdef USE_CCAPI
|
|
||||||
+ char cctemplate[] = "API:krb5cc_%d";
|
|
||||||
+#else
|
|
||||||
mode_t old_umask;
|
|
||||||
+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
|
|
||||||
|
|
||||||
- ret = snprintf(ccname, sizeof(ccname),
|
|
||||||
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
|
|
||||||
- if (ret < 0 || (size_t)ret >= sizeof(ccname))
|
|
||||||
- return ENOMEM;
|
|
||||||
-
|
|
||||||
- old_umask = umask(0177);
|
|
||||||
- tmpfd = mkstemp(ccname + strlen("FILE:"));
|
|
||||||
- oerrno = errno;
|
|
||||||
- umask(old_umask);
|
|
||||||
- if (tmpfd == -1) {
|
|
||||||
- logit("mkstemp(): %.100s", strerror(oerrno));
|
|
||||||
- return oerrno;
|
|
||||||
- }
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
|
||||||
|
|
||||||
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
|
||||||
+ if (ret) {
|
|
||||||
+ ret = asprintf(&ccname, cctemplate, geteuid());
|
|
||||||
+ if (ret == -1)
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ old_umask = umask(0177);
|
|
||||||
+ tmpfd = mkstemp(ccname + strlen("FILE:"));
|
|
||||||
oerrno = errno;
|
|
||||||
- logit("fchmod(): %.100s", strerror(oerrno));
|
|
||||||
+ umask(old_umask);
|
|
||||||
+ if (tmpfd == -1) {
|
|
||||||
+ logit("mkstemp(): %.100s", strerror(oerrno));
|
|
||||||
+ return oerrno;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
|
||||||
+ oerrno = errno;
|
|
||||||
+ logit("fchmod(): %.100s", strerror(oerrno));
|
|
||||||
+ close(tmpfd);
|
|
||||||
+ return oerrno;
|
|
||||||
+ }
|
|
||||||
close(tmpfd);
|
|
||||||
- return oerrno;
|
|
||||||
}
|
|
||||||
- close(tmpfd);
|
|
||||||
+ debug("%s: Setting ccname to %s", __func__, ccname);
|
|
||||||
|
|
||||||
return (krb5_cc_resolve(ctx, ccname, ccache));
|
|
||||||
}
|
|
|
@ -1,54 +0,0 @@
|
||||||
diff -up openssh-6.8p1/compat.c.cisco-dh openssh-6.8p1/compat.c
|
|
||||||
--- openssh-6.8p1/compat.c.cisco-dh 2015-03-17 06:49:20.000000000 +0100
|
|
||||||
+++ openssh-6.8p1/compat.c 2015-03-19 12:57:58.862606969 +0100
|
|
||||||
@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
|
|
||||||
SSH_BUG_SCANNER },
|
|
||||||
{ "Probe-*",
|
|
||||||
SSH_BUG_PROBE },
|
|
||||||
+ { "Cisco-*", SSH_BUG_MAX4096DH },
|
|
||||||
{ NULL, 0 }
|
|
||||||
};
|
|
||||||
|
|
||||||
diff -up openssh-6.8p1/compat.h.cisco-dh openssh-6.8p1/compat.h
|
|
||||||
--- openssh-6.8p1/compat.h.cisco-dh 2015-03-17 06:49:20.000000000 +0100
|
|
||||||
+++ openssh-6.8p1/compat.h 2015-03-19 12:57:58.862606969 +0100
|
|
||||||
@@ -60,6 +60,7 @@
|
|
||||||
#define SSH_NEW_OPENSSH 0x04000000
|
|
||||||
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
|
|
||||||
#define SSH_BUG_CURVE25519PAD 0x10000000
|
|
||||||
+#define SSH_BUG_MAX4096DH 0x20000000
|
|
||||||
|
|
||||||
void enable_compat13(void);
|
|
||||||
void enable_compat20(void);
|
|
||||||
diff -up openssh-6.8p1/kexgexc.c.cisco-dh openssh-6.8p1/kexgexc.c
|
|
||||||
--- openssh-6.8p1/kexgexc.c.cisco-dh 2015-03-19 12:57:58.862606969 +0100
|
|
||||||
+++ openssh-6.8p1/kexgexc.c 2015-03-19 13:11:52.320519969 +0100
|
|
||||||
@@ -64,8 +64,27 @@ kexgex_client(struct ssh *ssh)
|
|
||||||
|
|
||||||
kex->min = DH_GRP_MIN;
|
|
||||||
kex->max = DH_GRP_MAX;
|
|
||||||
+
|
|
||||||
+ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
|
|
||||||
+ * We need to also ensure that min < nbits < max */
|
|
||||||
+
|
|
||||||
+ if (datafellows & SSH_BUG_MAX4096DH) {
|
|
||||||
+ /* The largest min for these servers is 4096 */
|
|
||||||
+ kex->min = MIN(kex->min, 4096);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
kex->nbits = nbits;
|
|
||||||
- if (ssh->compat & SSH_OLD_DHGEX) {
|
|
||||||
+ kex->nbits = MIN(nbits, kex->max);
|
|
||||||
+ kex->nbits = MAX(nbits, kex->min);
|
|
||||||
+
|
|
||||||
+ if (ssh->compat & SSH_BUG_MAX4096DH) {
|
|
||||||
+ /* Cannot have a nbits > 4096 for these servers */
|
|
||||||
+ kex->nbits = MIN(kex->nbits, 4096);
|
|
||||||
+ /* nbits has to be powers of two */
|
|
||||||
+ if (kex->nbits == 3072)
|
|
||||||
+ kex->nbits = 4096;
|
|
||||||
+ }
|
|
||||||
+ if (ssh->compat & SSH_OLD_DHGEX) { /* Old GEX request */
|
|
||||||
/* Old GEX request */
|
|
||||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD))
|
|
||||||
!= 0 ||
|
|
|
@ -1,24 +0,0 @@
|
||||||
diff --git a/misc.c b/misc.c
|
|
||||||
index 2f11de4..36402d1 100644
|
|
||||||
--- a/misc.c
|
|
||||||
+++ b/misc.c
|
|
||||||
@@ -396,7 +396,7 @@ hpdelim(char **cp)
|
|
||||||
return NULL;
|
|
||||||
else
|
|
||||||
s++;
|
|
||||||
- } else if ((s = strpbrk(s, ":/")) == NULL)
|
|
||||||
+ } else if ((s = strpbrk(s, ":")) == NULL)
|
|
||||||
s = *cp + strlen(*cp); /* skip to end (see first case below) */
|
|
||||||
|
|
||||||
switch (*s) {
|
|
||||||
@@ -405,7 +405,6 @@ hpdelim(char **cp)
|
|
||||||
break;
|
|
||||||
|
|
||||||
case ':':
|
|
||||||
- case '/':
|
|
||||||
*s = '\0'; /* terminate */
|
|
||||||
*cp = s + 1;
|
|
||||||
break;
|
|
||||||
--
|
|
||||||
2.1.0
|
|
||||||
|
|
|
@ -34,9 +34,9 @@ diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
|
||||||
|
|
||||||
void log_init(char *, LogLevel, SyslogFacility, int);
|
void log_init(char *, LogLevel, SyslogFacility, int);
|
||||||
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
|
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
|
||||||
|
LogLevel log_level_get(void);
|
||||||
int log_change_level(LogLevel);
|
int log_change_level(LogLevel);
|
||||||
int log_is_on_stderr(void);
|
int log_is_on_stderr(void);
|
||||||
void log_redirect_stderr_to(const char *);
|
|
||||||
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||||
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
|
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
|
||||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
|
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
|
||||||
|
@ -46,9 +46,9 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||||
|
|
||||||
+ pmonitor->m_state = "preauth";
|
+ pmonitor->m_state = "preauth";
|
||||||
+
|
+
|
||||||
authctxt = _authctxt;
|
authctxt = (Authctxt *)ssh->authctxt;
|
||||||
memset(authctxt, 0, sizeof(*authctxt));
|
memset(authctxt, 0, sizeof(*authctxt));
|
||||||
|
ssh->authctxt = authctxt;
|
||||||
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
|
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
|
||||||
close(pmonitor->m_recvfd);
|
close(pmonitor->m_recvfd);
|
||||||
pmonitor->m_recvfd = -1;
|
pmonitor->m_recvfd = -1;
|
||||||
|
@ -56,8 +56,8 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||||
+ pmonitor->m_state = "postauth";
|
+ pmonitor->m_state = "postauth";
|
||||||
+
|
+
|
||||||
monitor_set_child_handler(pmonitor->m_pid);
|
monitor_set_child_handler(pmonitor->m_pid);
|
||||||
signal(SIGHUP, &monitor_child_handler);
|
ssh_signal(SIGHUP, &monitor_child_handler);
|
||||||
signal(SIGTERM, &monitor_child_handler);
|
ssh_signal(SIGTERM, &monitor_child_handler);
|
||||||
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
||||||
if (log_level_name(level) == NULL)
|
if (log_level_name(level) == NULL)
|
||||||
fatal("%s: invalid log level %u (corrupted message?)",
|
fatal("%s: invalid log level %u (corrupted message?)",
|
||||||
|
@ -65,7 +65,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||||
- do_log2(level, "%s [preauth]", msg);
|
- do_log2(level, "%s [preauth]", msg);
|
||||||
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
|
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
|
||||||
|
|
||||||
buffer_free(&logmsg);
|
sshbuf_free(logmsg);
|
||||||
free(msg);
|
free(msg);
|
||||||
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
||||||
mon = xcalloc(1, sizeof(*mon));
|
mon = xcalloc(1, sizeof(*mon));
|
||||||
|
@ -113,7 +113,7 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
|
||||||
+void monitor_reinit(struct monitor *, const char *);
|
+void monitor_reinit(struct monitor *, const char *);
|
||||||
|
|
||||||
struct Authctxt;
|
struct Authctxt;
|
||||||
void monitor_child_preauth(struct Authctxt *, struct monitor *);
|
void monitor_child_preauth(struct ssh *, struct monitor *);
|
||||||
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||||
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100
|
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100
|
||||||
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100
|
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100
|
||||||
|
@ -145,9 +145,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||||
session_type,
|
session_type,
|
||||||
tty == NULL ? "" : " on ",
|
tty == NULL ? "" : " on ",
|
||||||
@@ -1486,14 +1492,6 @@ child_close_fds(void)
|
@@ -1486,14 +1492,6 @@ child_close_fds(void)
|
||||||
* descriptors left by system functions. They will be closed later.
|
|
||||||
*/
|
/* Stop directing logs to a high-numbered fd before we close it */
|
||||||
endpwent();
|
log_redirect_stderr_to(NULL);
|
||||||
-
|
-
|
||||||
- /*
|
- /*
|
||||||
- * Close any extra open file descriptors so that we don't have them
|
- * Close any extra open file descriptors so that we don't have them
|
||||||
|
@ -165,7 +165,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||||
|
|
||||||
- closefrom(STDERR_FILENO + 1);
|
- closefrom(STDERR_FILENO + 1);
|
||||||
-
|
-
|
||||||
do_rc_files(s, shell);
|
do_rc_files(ssh, s, shell);
|
||||||
|
|
||||||
/* restore SIGPIPE for child */
|
/* restore SIGPIPE for child */
|
||||||
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
|
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
|
||||||
|
@ -210,8 +210,8 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
||||||
fd_set *rset, *wset;
|
fd_set *rset, *wset;
|
||||||
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
||||||
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
|
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
|
||||||
|
extern char *__progname;
|
||||||
|
|
||||||
ssh_malloc_init(); /* must be called before any mallocs */
|
|
||||||
__progname = ssh_get_progname(argv[0]);
|
__progname = ssh_get_progname(argv[0]);
|
||||||
- log_init(__progname, log_level, log_facility, log_stderr);
|
- log_init(__progname, log_level, log_facility, log_stderr);
|
||||||
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
||||||
|
|
|
@ -10,5 +10,5 @@
|
||||||
+ }
|
+ }
|
||||||
omode = mode;
|
omode = mode;
|
||||||
mode |= S_IWUSR;
|
mode |= S_IWUSR;
|
||||||
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
|
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) == -1) {
|
||||||
--
|
--
|
||||||
|
|
|
@ -7,7 +7,7 @@ index 8f32464..18a2ca4 100644
|
||||||
#include "servconf.h"
|
#include "servconf.h"
|
||||||
#include "port-linux.h"
|
#include "port-linux.h"
|
||||||
+#include "misc.h"
|
+#include "misc.h"
|
||||||
#include "key.h"
|
#include "sshkey.h"
|
||||||
#include "hostfile.h"
|
#include "hostfile.h"
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
|
@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||||
|
@ -19,7 +19,7 @@ index 8f32464..18a2ca4 100644
|
||||||
|
|
||||||
if (!sshd_selinux_enabled())
|
if (!sshd_selinux_enabled())
|
||||||
return;
|
return;
|
||||||
@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void)
|
@@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -30,13 +30,27 @@ index 8f32464..18a2ca4 100644
|
||||||
+ char line[1024], *preauth_context = NULL, *cp, *arg;
|
+ char line[1024], *preauth_context = NULL, *cp, *arg;
|
||||||
+ const char *contexts_path;
|
+ const char *contexts_path;
|
||||||
+ FILE *contexts_file;
|
+ FILE *contexts_file;
|
||||||
+
|
|
||||||
+ contexts_path = selinux_openssh_contexts_path();
|
|
||||||
+ if (contexts_path != NULL) {
|
|
||||||
+ if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
|
|
||||||
+ struct stat sb;
|
+ struct stat sb;
|
||||||
+
|
+
|
||||||
+ if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
|
+ contexts_path = selinux_openssh_contexts_path();
|
||||||
|
+ if (contexts_path == NULL) {
|
||||||
|
+ debug3("%s: Failed to get the path to SELinux context", __func__);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
||||||
|
+ debug("%s: Failed to open SELinux context file", __func__);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
||||||
|
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
||||||
|
+ logit("%s: SELinux context file needs to be owned by root"
|
||||||
|
+ " and not writable by anyone else", __func__);
|
||||||
|
+ fclose(contexts_file);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
+ while (fgets(line, sizeof(line), contexts_file)) {
|
+ while (fgets(line, sizeof(line), contexts_file)) {
|
||||||
+ /* Strip trailing whitespace */
|
+ /* Strip trailing whitespace */
|
||||||
+ for (len = strlen(line) - 1; len > 0; len--) {
|
+ for (len = strlen(line) - 1; len > 0; len--) {
|
||||||
|
@ -50,10 +64,10 @@ index 8f32464..18a2ca4 100644
|
||||||
+
|
+
|
||||||
+ cp = line;
|
+ cp = line;
|
||||||
+ arg = strdelim(&cp);
|
+ arg = strdelim(&cp);
|
||||||
+ if (*arg == '\0')
|
+ if (arg && *arg == '\0')
|
||||||
+ arg = strdelim(&cp);
|
+ arg = strdelim(&cp);
|
||||||
+
|
+
|
||||||
+ if (strcmp(arg, "privsep_preauth") == 0) {
|
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
||||||
+ arg = strdelim(&cp);
|
+ arg = strdelim(&cp);
|
||||||
+ if (!arg || *arg == '\0') {
|
+ if (!arg || *arg == '\0') {
|
||||||
+ debug("%s: privsep_preauth is empty", __func__);
|
+ debug("%s: privsep_preauth is empty", __func__);
|
||||||
|
@ -63,13 +77,13 @@ index 8f32464..18a2ca4 100644
|
||||||
+ preauth_context = xstrdup(arg);
|
+ preauth_context = xstrdup(arg);
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ }
|
|
||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
+
|
||||||
+ if (preauth_context == NULL)
|
+ if (preauth_context == NULL) {
|
||||||
+ preauth_context = xstrdup("sshd_net_t");
|
+ debug("%s: Unable to find 'privsep_preauth' option in"
|
||||||
|
+ " SELinux context file", __func__);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ ssh_selinux_change_context(preauth_context);
|
+ ssh_selinux_change_context(preauth_context);
|
||||||
+ free(preauth_context);
|
+ free(preauth_context);
|
||||||
|
@ -116,38 +130,3 @@ index 2871fe9..39b9c08 100644
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Demote the child */
|
/* Demote the child */
|
||||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
|
||||||
index 12c014e..c5ef2ff 100644
|
|
||||||
--- a/openbsd-compat/port-linux.c
|
|
||||||
+++ b/openbsd-compat/port-linux.c
|
|
||||||
@@ -35,7 +35,6 @@
|
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
|
||||||
#include <selinux/selinux.h>
|
|
||||||
-#include <selinux/flask.h>
|
|
||||||
#include <selinux/get_context_list.h>
|
|
||||||
|
|
||||||
#ifndef SSH_SELINUX_UNCONFINED_TYPE
|
|
||||||
@@ -110,6 +109,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
|
||||||
security_context_t new_tty_ctx = NULL;
|
|
||||||
security_context_t user_ctx = NULL;
|
|
||||||
security_context_t old_tty_ctx = NULL;
|
|
||||||
+ security_class_t class;
|
|
||||||
|
|
||||||
if (!ssh_selinux_enabled())
|
|
||||||
return;
|
|
||||||
@@ -129,8 +129,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ class = string_to_security_class("chr_file");
|
|
||||||
+ if (!class) {
|
|
||||||
+ error("string_to_security_class failed to translate security class context");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
if (security_compute_relabel(user_ctx, old_tty_ctx,
|
|
||||||
- SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
|
|
||||||
+ class, &new_tty_ctx) != 0) {
|
|
||||||
error("%s: security_compute_relabel: %s",
|
|
||||||
__func__, strerror(errno));
|
|
||||||
goto out;
|
|
||||||
|
|
|
@ -4,7 +4,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-ser
|
||||||
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||||
FILE *fp;
|
FILE *fp;
|
||||||
char file[MAXPATHLEN];
|
char file[MAXPATHLEN];
|
||||||
char line[BUFSIZ] = "";
|
char *line = NULL;
|
||||||
- char kuser[65]; /* match krb5_kuserok() */
|
- char kuser[65]; /* match krb5_kuserok() */
|
||||||
struct stat st;
|
struct stat st;
|
||||||
struct passwd *pw = the_authctxt->pw;
|
struct passwd *pw = the_authctxt->pw;
|
||||||
|
@ -22,15 +22,15 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||||
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
|
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
|
||||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100
|
+++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100
|
||||||
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
|
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
|
||||||
options->gss_strict_acceptor = -1;
|
|
||||||
options->gss_store_rekey = -1;
|
options->gss_store_rekey = -1;
|
||||||
|
options->gss_kex_algorithms = NULL;
|
||||||
options->use_kuserok = -1;
|
options->use_kuserok = -1;
|
||||||
+ options->enable_k5users = -1;
|
+ options->enable_k5users = -1;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
|
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
|
||||||
options->gss_store_rekey = 0;
|
#endif
|
||||||
if (options->use_kuserok == -1)
|
if (options->use_kuserok == -1)
|
||||||
options->use_kuserok = 1;
|
options->use_kuserok = 1;
|
||||||
+ if (options->enable_k5users == -1)
|
+ if (options->enable_k5users == -1)
|
||||||
|
@ -44,20 +44,22 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||||
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
||||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||||
@@ -497,12 +500,14 @@ static struct {
|
@@ -497,14 +500,16 @@ static struct {
|
||||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
|
||||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
|
||||||
+ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
+ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
||||||
#else
|
#else
|
||||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
|
||||||
+ { "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
+ { "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
||||||
#endif
|
#endif
|
||||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
@ -70,9 +72,9 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||||
+ intptr = &options->enable_k5users;
|
+ intptr = &options->enable_k5users;
|
||||||
+ goto parse_flag;
|
+ goto parse_flag;
|
||||||
+
|
+
|
||||||
|
case sPermitListen:
|
||||||
case sPermitOpen:
|
case sPermitOpen:
|
||||||
arg = strdelim(&cp);
|
if (opcode == sPermitListen) {
|
||||||
if (!arg || *arg == '\0')
|
|
||||||
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
||||||
M_CP_INTOPT(ip_qos_interactive);
|
M_CP_INTOPT(ip_qos_interactive);
|
||||||
M_CP_INTOPT(ip_qos_bulk);
|
M_CP_INTOPT(ip_qos_bulk);
|
||||||
|
@ -82,8 +84,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||||
M_CP_INTOPT(rekey_interval);
|
M_CP_INTOPT(rekey_interval);
|
||||||
M_CP_INTOPT(log_level);
|
M_CP_INTOPT(log_level);
|
||||||
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
|
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
|
||||||
# endif
|
# endif
|
||||||
|
dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
|
||||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||||
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
||||||
#endif
|
#endif
|
||||||
|
@ -93,8 +95,8 @@ diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
|
||||||
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
||||||
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
|
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
|
||||||
@@ -174,6 +174,7 @@ typedef struct {
|
@@ -174,6 +174,7 @@ typedef struct {
|
||||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
int kerberos_unique_ccache; /* If true, the acquired ticket will
|
||||||
* authenticated with Kerberos. */
|
* be stored in per-session ccache */
|
||||||
int use_kuserok;
|
int use_kuserok;
|
||||||
+ int enable_k5users;
|
+ int enable_k5users;
|
||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
|
@ -120,7 +122,7 @@ diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
|
||||||
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
||||||
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
|
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
|
||||||
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
|
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
|
||||||
GSSAPICleanupCredentials no
|
#GSSAPICleanupCredentials yes
|
||||||
#GSSAPIStrictAcceptorCheck yes
|
#GSSAPIStrictAcceptorCheck yes
|
||||||
#GSSAPIKeyExchange no
|
#GSSAPIKeyExchange no
|
||||||
+#GSSAPIEnablek5users no
|
+#GSSAPIEnablek5users no
|
||||||
|
|
|
@ -2,35 +2,35 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
||||||
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
|
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
|
||||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
|
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
|
||||||
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||||
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
||||||
MANFMT=@MANFMT@
|
|
||||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
.SUFFIXES: .lo
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
|
||||||
|
|
||||||
LIBOPENSSH_OBJS=\
|
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||||
ssh_api.o \
|
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||||
|
|
||||||
|
XMSS_OBJS=\
|
||||||
|
ssh-xmss.o \
|
||||||
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||||
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||||
|
|
||||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
@@ -326,6 +330,7 @@ install-files:
|
@@ -326,6 +330,7 @@ install-files:
|
||||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||||
fi
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||||
|
@ -39,7 +39,7 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
||||||
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||||
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
|
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
|
||||||
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
|
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
|
||||||
@@ -0,0 +1,208 @@
|
@@ -0,0 +1,215 @@
|
||||||
+/*
|
+/*
|
||||||
+ *
|
+ *
|
||||||
+ * invocation (all of the following are equal):
|
+ * invocation (all of the following are equal):
|
||||||
|
@ -60,6 +60,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||||
+
|
+
|
||||||
+#include "xmalloc.h"
|
+#include "xmalloc.h"
|
||||||
+#include "log.h"
|
+#include "log.h"
|
||||||
|
+#include "ssherr.h"
|
||||||
+#include "cipher.h"
|
+#include "cipher.h"
|
||||||
+
|
+
|
||||||
+/* compatibility with old or broken OpenSSL versions */
|
+/* compatibility with old or broken OpenSSL versions */
|
||||||
|
@ -148,7 +149,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||||
+ char *hexiv = "00000000000000000000000000000000";
|
+ char *hexiv = "00000000000000000000000000000000";
|
||||||
+ char *hexdata = NULL;
|
+ char *hexdata = NULL;
|
||||||
+ char *p;
|
+ char *p;
|
||||||
+ int i;
|
+ int i, r;
|
||||||
+ int encrypt = 1;
|
+ int encrypt = 1;
|
||||||
+ void *key;
|
+ void *key;
|
||||||
+ size_t keylen;
|
+ size_t keylen;
|
||||||
|
@ -186,7 +187,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||||
+ usage();
|
+ usage();
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ SSLeay_add_all_algorithms();
|
+ OpenSSL_add_all_algorithms();
|
||||||
+
|
+
|
||||||
+ c = cipher_by_name(algo);
|
+ c = cipher_by_name(algo);
|
||||||
+ if (c == NULL) {
|
+ if (c == NULL) {
|
||||||
|
@ -221,7 +222,10 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||||
+ return 2;
|
+ return 2;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
|
+ if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
|
||||||
|
+ fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
|
||||||
|
+ return 2;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ free(key);
|
+ free(key);
|
||||||
+ free(iv);
|
+ free(iv);
|
||||||
|
@ -232,7 +236,10 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||||
+ return 2;
|
+ return 2;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ cipher_crypt(cc, 0, outdata, data, datalen, 0, 0);
|
+ if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
|
||||||
|
+ fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
|
||||||
|
+ return 2;
|
||||||
|
+ }
|
||||||
+
|
+
|
||||||
+ free(data);
|
+ free(data);
|
||||||
+
|
+
|
||||||
|
|
|
@ -1,261 +0,0 @@
|
||||||
diff -up openssh-7.4p1/entropy.c.entropy openssh-7.4p1/entropy.c
|
|
||||||
--- openssh-7.4p1/entropy.c.entropy 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/entropy.c 2016-12-23 18:34:27.769753570 +0100
|
|
||||||
@@ -229,6 +229,9 @@ seed_rng(void)
|
|
||||||
memset(buf, '\0', sizeof(buf));
|
|
||||||
|
|
||||||
#endif /* OPENSSL_PRNG_ONLY */
|
|
||||||
+#ifdef __linux__
|
|
||||||
+ linux_seed();
|
|
||||||
+#endif /* __linux__ */
|
|
||||||
if (RAND_status() != 1)
|
|
||||||
fatal("PRNG is not seeded");
|
|
||||||
}
|
|
||||||
diff -up openssh-7.4p1/openbsd-compat/Makefile.in.entropy openssh-7.4p1/openbsd-compat/Makefile.in
|
|
||||||
--- openssh-7.4p1/openbsd-compat/Makefile.in.entropy 2016-12-23 18:34:53.715762155 +0100
|
|
||||||
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 18:35:15.890769493 +0100
|
|
||||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
|
||||||
|
|
||||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
|
|
||||||
|
|
||||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
|
||||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
|
||||||
|
|
||||||
.c.o:
|
|
||||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
|
||||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.entropy openssh-7.4p1/openbsd-compat/port-linux.h
|
|
||||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.entropy 2016-12-23 18:34:27.747753563 +0100
|
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:34:27.769753570 +0100
|
|
||||||
@@ -34,4 +34,6 @@ void oom_adjust_restore(void);
|
|
||||||
void oom_adjust_setup(void);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+void linux_seed(void);
|
|
||||||
+
|
|
||||||
#endif /* ! _PORT_LINUX_H */
|
|
||||||
diff -up openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy openssh-7.4p1/openbsd-compat/port-linux-prng.c
|
|
||||||
--- openssh-7.4p1/openbsd-compat/port-linux-prng.c.entropy 2016-12-23 18:34:27.769753570 +0100
|
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux-prng.c 2016-12-23 18:34:27.769753570 +0100
|
|
||||||
@@ -0,0 +1,59 @@
|
|
||||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
|
||||||
+ *
|
|
||||||
+ * Permission to use, copy, modify, and distribute this software for any
|
|
||||||
+ * purpose with or without fee is hereby granted, provided that the above
|
|
||||||
+ * copyright notice and this permission notice appear in all copies.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
||||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
||||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
||||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
||||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
||||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
||||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Linux-specific portability code - prng support
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <openssl/rand.h>
|
|
||||||
+
|
|
||||||
+#include "log.h"
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
|
||||||
+#include "servconf.h"
|
|
||||||
+#include "port-linux.h"
|
|
||||||
+#include "key.h"
|
|
||||||
+#include "hostfile.h"
|
|
||||||
+#include "auth.h"
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+linux_seed(void)
|
|
||||||
+{
|
|
||||||
+ char *env = getenv("SSH_USE_STRONG_RNG");
|
|
||||||
+ char *random = "/dev/random";
|
|
||||||
+ size_t len, ienv, randlen = 14;
|
|
||||||
+
|
|
||||||
+ if (!env || !strcmp(env, "0"))
|
|
||||||
+ random = "/dev/urandom";
|
|
||||||
+ else if ((ienv = atoi(env)) > randlen)
|
|
||||||
+ randlen = ienv;
|
|
||||||
+
|
|
||||||
+ errno = 0;
|
|
||||||
+ if ((len = RAND_load_file(random, randlen)) != randlen) {
|
|
||||||
+ if (errno)
|
|
||||||
+ fatal ("cannot read from %s, %s", random, strerror(errno));
|
|
||||||
+ else
|
|
||||||
+ fatal ("EOF reading %s", random);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff -up openssh-7.4p1/ssh.1.entropy openssh-7.4p1/ssh.1
|
|
||||||
--- openssh-7.4p1/ssh.1.entropy 2016-12-23 18:34:27.754753565 +0100
|
|
||||||
+++ openssh-7.4p1/ssh.1 2016-12-23 18:34:27.770753571 +0100
|
|
||||||
@@ -1441,6 +1441,23 @@ For more information, see the
|
|
||||||
.Cm PermitUserEnvironment
|
|
||||||
option in
|
|
||||||
.Xr sshd_config 5 .
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds -compact
|
|
||||||
.It Pa ~/.rhosts
|
|
||||||
diff -up openssh-7.4p1/ssh-add.1.entropy openssh-7.4p1/ssh-add.1
|
|
||||||
--- openssh-7.4p1/ssh-add.1.entropy 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/ssh-add.1 2016-12-23 18:34:27.770753571 +0100
|
|
||||||
@@ -171,6 +171,20 @@ to make this work.)
|
|
||||||
Identifies the path of a
|
|
||||||
.Ux Ns -domain
|
|
||||||
socket used to communicate with the agent.
|
|
||||||
+.It Ev SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
.El
|
|
||||||
.Sh FILES
|
|
||||||
.Bl -tag -width Ds
|
|
||||||
diff -up openssh-7.4p1/ssh-agent.1.entropy openssh-7.4p1/ssh-agent.1
|
|
||||||
--- openssh-7.4p1/ssh-agent.1.entropy 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/ssh-agent.1 2016-12-23 18:34:27.770753571 +0100
|
|
||||||
@@ -214,6 +214,24 @@ sockets used to contain the connection t
|
|
||||||
These sockets should only be readable by the owner.
|
|
||||||
The sockets should get automatically removed when the agent exits.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
diff -up openssh-7.4p1/sshd.8.entropy openssh-7.4p1/sshd.8
|
|
||||||
--- openssh-7.4p1/sshd.8.entropy 2016-12-23 18:34:27.755753566 +0100
|
|
||||||
+++ openssh-7.4p1/sshd.8 2016-12-23 18:34:27.770753571 +0100
|
|
||||||
@@ -920,6 +920,24 @@ concurrently for different ports, this c
|
|
||||||
started last).
|
|
||||||
The content of this file is not sensitive; it can be world-readable.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh IPV6
|
|
||||||
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
|
||||||
.Sh SEE ALSO
|
|
||||||
diff -up openssh-7.4p1/ssh-keygen.1.entropy openssh-7.4p1/ssh-keygen.1
|
|
||||||
--- openssh-7.4p1/ssh-keygen.1.entropy 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/ssh-keygen.1 2016-12-23 18:34:27.770753571 +0100
|
|
||||||
@@ -848,6 +848,24 @@ Contains Diffie-Hellman groups used for
|
|
||||||
The file format is described in
|
|
||||||
.Xr moduli 5 .
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-add 1 ,
|
|
||||||
diff -up openssh-7.4p1/ssh-keysign.8.entropy openssh-7.4p1/ssh-keysign.8
|
|
||||||
--- openssh-7.4p1/ssh-keysign.8.entropy 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/ssh-keysign.8 2016-12-23 18:34:27.770753571 +0100
|
|
||||||
@@ -80,6 +80,24 @@ must be set-uid root if host-based authe
|
|
||||||
If these files exist they are assumed to contain public certificate
|
|
||||||
information corresponding with the private keys above.
|
|
||||||
.El
|
|
||||||
+.Sh ENVIRONMENT
|
|
||||||
+.Bl -tag -width Ds -compact
|
|
||||||
+.Pp
|
|
||||||
+.It Pa SSH_USE_STRONG_RNG
|
|
||||||
+The reseeding of the OpenSSL random generator is usually done from
|
|
||||||
+.Cm /dev/urandom .
|
|
||||||
+If the
|
|
||||||
+.Cm SSH_USE_STRONG_RNG
|
|
||||||
+environment variable is set to value other than
|
|
||||||
+.Cm 0
|
|
||||||
+the OpenSSL random generator is reseeded from
|
|
||||||
+.Cm /dev/random .
|
|
||||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
|
||||||
+Minimum is 14 bytes.
|
|
||||||
+This setting is not recommended on the computers without the hardware
|
|
||||||
+random generator because insufficient entropy causes the connection to
|
|
||||||
+be blocked until enough entropy is available.
|
|
||||||
+.El
|
|
||||||
.Sh SEE ALSO
|
|
||||||
.Xr ssh 1 ,
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
|
@ -11,9 +11,9 @@ index 413b845..54dd383 100644
|
||||||
+#include <unistd.h>
|
+#include <unistd.h>
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
#include "key.h"
|
#include "sshkey.h"
|
||||||
@@ -45,6 +47,7 @@
|
@@ -45,6 +47,7 @@
|
||||||
#include "buffer.h"
|
|
||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
|
|
||||||
+extern Authctxt *the_authctxt;
|
+extern Authctxt *the_authctxt;
|
||||||
|
@ -66,7 +66,7 @@ index 413b845..54dd383 100644
|
||||||
} else
|
} else
|
||||||
retval = 0;
|
retval = 0;
|
||||||
|
|
||||||
@@ -110,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
@@ -110,6 +133,137 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -97,13 +97,14 @@ index 413b845..54dd383 100644
|
||||||
+{
|
+{
|
||||||
+ FILE *fp;
|
+ FILE *fp;
|
||||||
+ char file[MAXPATHLEN];
|
+ char file[MAXPATHLEN];
|
||||||
+ char line[BUFSIZ] = "";
|
+ char *line = NULL;
|
||||||
+ char kuser[65]; /* match krb5_kuserok() */
|
+ char kuser[65]; /* match krb5_kuserok() */
|
||||||
+ struct stat st;
|
+ struct stat st;
|
||||||
+ struct passwd *pw = the_authctxt->pw;
|
+ struct passwd *pw = the_authctxt->pw;
|
||||||
+ int found_principal = 0;
|
+ int found_principal = 0;
|
||||||
+ int ncommands = 0, allcommands = 0;
|
+ int ncommands = 0, allcommands = 0;
|
||||||
+ u_long linenum;
|
+ u_long linenum = 0;
|
||||||
|
+ size_t linesize = 0;
|
||||||
+
|
+
|
||||||
+ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
+ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||||
+ /* If both .k5login and .k5users DNE, self-login is ok. */
|
+ /* If both .k5login and .k5users DNE, self-login is ok. */
|
||||||
|
@ -147,9 +148,9 @@ index 413b845..54dd383 100644
|
||||||
+ k5users_allowed_cmds = xcalloc(++ncommands,
|
+ k5users_allowed_cmds = xcalloc(++ncommands,
|
||||||
+ sizeof(*k5users_allowed_cmds));
|
+ sizeof(*k5users_allowed_cmds));
|
||||||
+
|
+
|
||||||
+ /* Check each line. ksu allows unlimited length lines. We don't. */
|
+ /* Check each line. ksu allows unlimited length lines. */
|
||||||
+ while (!allcommands && read_keyfile_line(fp, file, line, sizeof(line),
|
+ while (!allcommands && getline(&line, &linesize, fp) != -1) {
|
||||||
+ &linenum) != -1) {
|
+ linenum++;
|
||||||
+ char *token;
|
+ char *token;
|
||||||
+
|
+
|
||||||
+ /* we parse just like ksu, even though we could do better */
|
+ /* we parse just like ksu, even though we could do better */
|
||||||
|
@ -182,6 +183,7 @@ index 413b845..54dd383 100644
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
|
+ free(line);
|
||||||
+ if (k5users_allowed_cmds) {
|
+ if (k5users_allowed_cmds) {
|
||||||
+ /* terminate vector */
|
+ /* terminate vector */
|
||||||
+ k5users_allowed_cmds[ncommands-1] = NULL;
|
+ k5users_allowed_cmds[ncommands-1] = NULL;
|
||||||
|
@ -207,7 +209,7 @@ index 28659ec..9c94d8e 100644
|
||||||
--- a/session.c
|
--- a/session.c
|
||||||
+++ b/session.c
|
+++ b/session.c
|
||||||
@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
|
@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
|
||||||
command = forced_command;
|
command = auth_opts->force_command;
|
||||||
forced = "(key-option)";
|
forced = "(key-option)";
|
||||||
}
|
}
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
|
@ -233,9 +235,9 @@ index 28659ec..9c94d8e 100644
|
||||||
+#endif
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
|
s->forced = 0;
|
||||||
if (forced != NULL) {
|
if (forced != NULL) {
|
||||||
if (IS_INTERNAL_SFTP(command)) {
|
s->forced = 1;
|
||||||
s->is_subsystem = s->is_subsystem ?
|
|
||||||
diff --git a/ssh-gss.h b/ssh-gss.h
|
diff --git a/ssh-gss.h b/ssh-gss.h
|
||||||
index 0374c88..509109a 100644
|
index 0374c88..509109a 100644
|
||||||
--- a/ssh-gss.h
|
--- a/ssh-gss.h
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
diff -up openssh/misc.c.keycat openssh/misc.c
|
diff -up openssh/auth.c.keycat openssh/misc.c
|
||||||
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||||
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
|
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200
|
||||||
@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw
|
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -36,44 +36,44 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
||||||
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
|
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
|
||||||
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
|
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
|
||||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
|
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||||
|
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
|
||||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
|
||||||
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
|
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
|
||||||
|
K5LIBS=@K5LIBS@
|
||||||
GSSLIBS=@GSSLIBS@
|
GSSLIBS=@GSSLIBS@
|
||||||
SSHLIBS=@SSHLIBS@
|
|
||||||
SSHDLIBS=@SSHDLIBS@
|
SSHDLIBS=@SSHDLIBS@
|
||||||
+KEYCATLIBS=@KEYCATLIBS@
|
+KEYCATLIBS=@KEYCATLIBS@
|
||||||
LIBEDIT=@LIBEDIT@
|
LIBEDIT=@LIBEDIT@
|
||||||
|
LIBFIDO2=@LIBFIDO2@
|
||||||
AR=@AR@
|
AR=@AR@
|
||||||
AWK=@AWK@
|
|
||||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||||
MANFMT=@MANFMT@
|
|
||||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
.SUFFIXES: .lo
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
|
||||||
|
|
||||||
LIBOPENSSH_OBJS=\
|
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||||
ssh_api.o \
|
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||||
|
|
||||||
|
XMSS_OBJS=\
|
||||||
|
ssh-xmss.o \
|
||||||
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
|
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
|
||||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS)
|
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
|
||||||
|
|
||||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||||
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS)
|
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
@@ -321,6 +325,7 @@ install-files:
|
@@ -321,6 +325,7 @@ install-files:
|
||||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||||
fi
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||||
|
@ -203,7 +203,7 @@ diff -up openssh/platform.c.keycat openssh/platform.c
|
||||||
diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
|
diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
|
||||||
--- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200
|
--- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200
|
||||||
+++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200
|
+++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200
|
||||||
@@ -0,0 +1,238 @@
|
@@ -0,0 +1,241 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
+ * Redistribution and use in source and binary forms, with or without
|
||||||
+ * modification, are permitted provided that the following conditions
|
+ * modification, are permitted provided that the following conditions
|
||||||
|
@ -253,6 +253,9 @@ diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
|
||||||
+#include <pwd.h>
|
+#include <pwd.h>
|
||||||
+#include <fcntl.h>
|
+#include <fcntl.h>
|
||||||
+#include <unistd.h>
|
+#include <unistd.h>
|
||||||
|
+#ifdef HAVE_STDINT_H
|
||||||
|
+#include <stdint.h>
|
||||||
|
+#endif
|
||||||
+
|
+
|
||||||
+#include <security/pam_appl.h>
|
+#include <security/pam_appl.h>
|
||||||
+
|
+
|
||||||
|
@ -463,16 +466,16 @@ index 3bbccfd..6481f1f 100644
|
||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
|
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
|
||||||
|
fi ]
|
||||||
)
|
)
|
||||||
AC_SUBST([SSHLIBS])
|
|
||||||
AC_SUBST([SSHDLIBS])
|
AC_SUBST([SSHDLIBS])
|
||||||
+AC_SUBST([KEYCATLIBS])
|
+AC_SUBST([KEYCATLIBS])
|
||||||
|
|
||||||
# Check whether user wants Kerberos 5 support
|
# Check whether user wants Kerberos 5 support
|
||||||
KRB5_MSG="no"
|
KRB5_MSG="no"
|
||||||
@@ -5031,6 +5034,9 @@ fi
|
@@ -5031,6 +5034,9 @@ fi
|
||||||
if test ! -z "${SSHLIBS}"; then
|
if test ! -z "${SSHDLIBS}"; then
|
||||||
echo " +for ssh: ${SSHLIBS}"
|
echo " +for sshd: ${SSHDLIBS}"
|
||||||
fi
|
fi
|
||||||
+if test ! -z "${KEYCATLIBS}"; then
|
+if test ! -z "${KEYCATLIBS}"; then
|
||||||
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
||||||
|
|
|
@ -1,8 +1,7 @@
|
||||||
diff --git a/authfile.c b/authfile.c
|
diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
|
||||||
index e93d867..4fc5b3d 100644
|
--- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100
|
||||||
--- a/authfile.c
|
+++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100
|
||||||
+++ b/authfile.c
|
@@ -31,6 +31,7 @@
|
||||||
@@ -32,6 +32,7 @@
|
|
||||||
|
|
||||||
#include <errno.h>
|
#include <errno.h>
|
||||||
#include <fcntl.h>
|
#include <fcntl.h>
|
||||||
|
@ -10,17 +9,23 @@ index e93d867..4fc5b3d 100644
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <stdarg.h>
|
#include <stdarg.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
@@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename)
|
@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen
|
||||||
#ifdef HAVE_CYGWIN
|
#ifdef HAVE_CYGWIN
|
||||||
if (check_ntsec(filename))
|
if (check_ntsec(filename))
|
||||||
#endif
|
#endif
|
||||||
|
+
|
||||||
|
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
|
||||||
+ if (st.st_mode & 040) {
|
+ if (st.st_mode & 040) {
|
||||||
+ struct group *gr;
|
+ struct group *gr;
|
||||||
+
|
+
|
||||||
+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
|
+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) {
|
||||||
+ st.st_mode &= ~040;
|
+ /* The only additional bit is read
|
||||||
|
+ * for ssh_keys group, which is fine */
|
||||||
|
+ if ((st.st_mode & 077) == 040 ) {
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+
|
|
||||||
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
|
|
||||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||||
error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
|
error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
|
||||||
|
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||||
|
|
|
@ -176,17 +176,17 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||||
--- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100
|
--- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100
|
||||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100
|
+++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100
|
||||||
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions
|
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions
|
||||||
options->gss_cleanup_creds = -1;
|
|
||||||
options->gss_strict_acceptor = -1;
|
options->gss_strict_acceptor = -1;
|
||||||
options->gss_store_rekey = -1;
|
options->gss_store_rekey = -1;
|
||||||
|
options->gss_kex_algorithms = NULL;
|
||||||
+ options->use_kuserok = -1;
|
+ options->use_kuserok = -1;
|
||||||
options->password_authentication = -1;
|
options->password_authentication = -1;
|
||||||
options->kbd_interactive_authentication = -1;
|
options->kbd_interactive_authentication = -1;
|
||||||
options->challenge_response_authentication = -1;
|
options->challenge_response_authentication = -1;
|
||||||
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
||||||
options->gss_strict_acceptor = 1;
|
if (options->gss_kex_algorithms == NULL)
|
||||||
if (options->gss_store_rekey == -1)
|
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||||
options->gss_store_rekey = 0;
|
#endif
|
||||||
+ if (options->use_kuserok == -1)
|
+ if (options->use_kuserok == -1)
|
||||||
+ options->use_kuserok = 1;
|
+ options->use_kuserok = 1;
|
||||||
if (options->password_authentication == -1)
|
if (options->password_authentication == -1)
|
||||||
|
@ -196,36 +196,37 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken,
|
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||||
+ sKerberosGetAFSToken, sKerberosUseKuserok,
|
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
|
||||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
sChallengeResponseAuthentication,
|
||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||||
sListenAddress, sAddressFamily,
|
sListenAddress, sAddressFamily,
|
||||||
@@ -478,11 +481,13 @@ static struct {
|
@@ -478,12 +481,14 @@ static struct {
|
||||||
#else
|
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
#endif
|
#endif
|
||||||
|
{ "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
|
||||||
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
|
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
|
||||||
#else
|
#else
|
||||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
|
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
|
||||||
#endif
|
#endif
|
||||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
||||||
*activep = value;
|
*inc_flags &= ~SSHCFG_MATCH_ONLY;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
+ case sKerberosUseKuserok:
|
+ case sKerberosUseKuserok:
|
||||||
+ intptr = &options->use_kuserok;
|
+ intptr = &options->use_kuserok;
|
||||||
+ goto parse_flag;
|
+ goto parse_flag;
|
||||||
+
|
+
|
||||||
|
case sPermitListen:
|
||||||
case sPermitOpen:
|
case sPermitOpen:
|
||||||
arg = strdelim(&cp);
|
if (opcode == sPermitListen) {
|
||||||
if (!arg || *arg == '\0')
|
|
||||||
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
||||||
M_CP_INTOPT(client_alive_interval);
|
M_CP_INTOPT(client_alive_interval);
|
||||||
M_CP_INTOPT(ip_qos_interactive);
|
M_CP_INTOPT(ip_qos_interactive);
|
||||||
|
@ -235,9 +236,9 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||||
M_CP_INTOPT(rekey_interval);
|
M_CP_INTOPT(rekey_interval);
|
||||||
M_CP_INTOPT(log_level);
|
M_CP_INTOPT(log_level);
|
||||||
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
|
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
|
||||||
# ifdef USE_AFS
|
|
||||||
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
||||||
# endif
|
# endif
|
||||||
|
dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
|
||||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||||
#endif
|
#endif
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
|
@ -246,9 +247,9 @@ diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
|
||||||
--- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100
|
--- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100
|
||||||
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
|
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
|
||||||
@@ -118,6 +118,7 @@ typedef struct {
|
@@ -118,6 +118,7 @@ typedef struct {
|
||||||
* file on logout. */
|
|
||||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
|
int kerberos_unique_ccache; /* If true, the acquired ticket will
|
||||||
|
* be stored in per-session ccache */
|
||||||
+ int use_kuserok;
|
+ int use_kuserok;
|
||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
||||||
|
@ -257,9 +258,9 @@ diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
|
||||||
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
|
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
|
||||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
|
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
|
||||||
@@ -850,6 +850,10 @@ Specifies whether to automatically destr
|
@@ -850,6 +850,10 @@ Specifies whether to automatically destr
|
||||||
file on logout.
|
.Cm no
|
||||||
The default is
|
can lead to overwriting previous tickets by subseqent connections to the same
|
||||||
.Cm yes .
|
user account.
|
||||||
+.It Cm KerberosUseKuserok
|
+.It Cm KerberosUseKuserok
|
||||||
+Specifies whether to look at .k5login file for user's aliases.
|
+Specifies whether to look at .k5login file for user's aliases.
|
||||||
+The default is
|
+The default is
|
||||||
|
@ -285,4 +286,4 @@ diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
|
||||||
+#KerberosUseKuserok yes
|
+#KerberosUseKuserok yes
|
||||||
|
|
||||||
# GSSAPI options
|
# GSSAPI options
|
||||||
GSSAPIAuthentication yes
|
#GSSAPIAuthentication no
|
||||||
|
|
|
@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
||||||
+ return;
|
+ return;
|
||||||
+
|
+
|
||||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||||
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
|
+ logit("%s: getexeccon failed with %s", __func__, strerror(errno));
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+ if (ctx != NULL) {
|
+ if (ctx != NULL) {
|
||||||
+ /* unset exec context before we will lose this capabililty */
|
+ /* unset exec context before we will lose this capabililty */
|
||||||
+ if (setexeccon(NULL) != 0)
|
+ if (setexeccon(NULL) != 0)
|
||||||
+ fatal("%s: setexeccon failed with %s", __func__, strerror (errno));
|
+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno));
|
||||||
+ if (setcon(ctx) != 0)
|
+ if (setcon(ctx) != 0)
|
||||||
+ fatal("%s: setcon failed with %s", __func__, strerror (errno));
|
+ fatal("%s: setcon failed with %s", __func__, strerror(errno));
|
||||||
+ freecon(ctx);
|
+ freecon(ctx);
|
||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
|
@ -54,9 +54,9 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
|
||||||
if (setusercontext(lc, pw, pw->pw_uid,
|
if (setusercontext(lc, pw, pw->pw_uid,
|
||||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||||
@@ -1361,6 +1361,9 @@ do_setusercontext(struct passwd *pw)
|
@@ -1361,6 +1361,9 @@ do_setusercontext(struct passwd *pw)
|
||||||
pw->pw_uid);
|
(unsigned long long)pw->pw_uid);
|
||||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||||
"u", pw->pw_name, (char *)NULL);
|
"u", pw->pw_name, "U", uidstr, (char *)NULL);
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ sshd_selinux_copy_context();
|
+ sshd_selinux_copy_context();
|
||||||
+#endif
|
+#endif
|
||||||
|
|
|
@ -1,156 +0,0 @@
|
||||||
diff -up openssh-7.4p1/ssh_config.redhat openssh-7.4p1/ssh_config
|
|
||||||
--- openssh-7.4p1/ssh_config.redhat 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/ssh_config 2016-12-23 13:32:00.045220402 +0100
|
|
||||||
@@ -48,3 +48,7 @@
|
|
||||||
# VisualHostKey no
|
|
||||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
|
||||||
# RekeyLimit 1G 1h
|
|
||||||
+#
|
|
||||||
+# To modify the system-wide ssh configuration, create a *.conf file under
|
|
||||||
+# /etc/ssh/ssh_config.d/ which will be automatically included below
|
|
||||||
+Include /etc/ssh/ssh_config.d/*.conf
|
|
||||||
diff -up openssh-7.4p1/ssh_config_redhat.redhat openssh-7.4p1/ssh_config_redhat
|
|
||||||
--- openssh-7.4p1/ssh_config_redhat.redhat 2016-12-23 13:32:00.045220402 +0100
|
|
||||||
+++ openssh-7.4p1/ssh_config_redhat 2016-12-23 13:32:00.045220402 +0100
|
|
||||||
@@ -0,0 +1,20 @@
|
|
||||||
+# Follow system-wide Crypto Policy, if defined:
|
|
||||||
+Include /etc/crypto-policies/back-ends/openssh.config
|
|
||||||
+
|
|
||||||
+# Uncomment this if you want to use .local domain
|
|
||||||
+# Host *.local
|
|
||||||
+# CheckHostIP no
|
|
||||||
+
|
|
||||||
+Host *
|
|
||||||
+ GSSAPIAuthentication yes
|
|
||||||
+
|
|
||||||
+# If this option is set to yes then remote X11 clients will have full access
|
|
||||||
+# to the original X11 display. As virtually no X11 client supports the untrusted
|
|
||||||
+# mode correctly we set this to yes.
|
|
||||||
+ ForwardX11Trusted yes
|
|
||||||
+
|
|
||||||
+# Send locale-related environment variables
|
|
||||||
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
||||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
||||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
||||||
+ SendEnv XMODIFIERS
|
|
||||||
diff -up openssh-7.4p1/sshd_config.0.redhat openssh-7.4p1/sshd_config.0
|
|
||||||
--- openssh-7.4p1/sshd_config.0.redhat 2016-12-19 06:21:22.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/sshd_config.0 2016-12-23 13:32:00.045220402 +0100
|
|
||||||
@@ -837,9 +837,9 @@ DESCRIPTION
|
|
||||||
|
|
||||||
SyslogFacility
|
|
||||||
Gives the facility code that is used when logging messages from
|
|
||||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
|
||||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
|
||||||
- default is AUTH.
|
|
||||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
|
||||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
|
||||||
+ The default is AUTH.
|
|
||||||
|
|
||||||
TCPKeepAlive
|
|
||||||
Specifies whether the system should send TCP keepalive messages
|
|
||||||
diff -up openssh-7.4p1/sshd_config.5.redhat openssh-7.4p1/sshd_config.5
|
|
||||||
--- openssh-7.4p1/sshd_config.5.redhat 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 13:32:00.046220403 +0100
|
|
||||||
@@ -1393,7 +1393,7 @@ By default no subsystems are defined.
|
|
||||||
.It Cm SyslogFacility
|
|
||||||
Gives the facility code that is used when logging messages from
|
|
||||||
.Xr sshd 8 .
|
|
||||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
|
||||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
|
||||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
|
||||||
The default is AUTH.
|
|
||||||
.It Cm TCPKeepAlive
|
|
||||||
diff -up openssh-7.4p1/sshd_config.redhat openssh-7.4p1/sshd_config
|
|
||||||
--- openssh-7.4p1/sshd_config.redhat 2016-12-19 05:59:41.000000000 +0100
|
|
||||||
+++ openssh-7.4p1/sshd_config 2016-12-23 13:33:05.386233133 +0100
|
|
||||||
@@ -10,21 +10,35 @@
|
|
||||||
# possible, but leave them commented. Uncommented options override the
|
|
||||||
# default value.
|
|
||||||
|
|
||||||
+# If you want to change the port on a SELinux system, you have to tell
|
|
||||||
+# SELinux about this change.
|
|
||||||
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
|
||||||
+#
|
|
||||||
#Port 22
|
|
||||||
#AddressFamily any
|
|
||||||
#ListenAddress 0.0.0.0
|
|
||||||
#ListenAddress ::
|
|
||||||
|
|
||||||
-#HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
+HostKey /etc/ssh/ssh_host_rsa_key
|
|
||||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
|
||||||
-#HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
-#HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
+HostKey /etc/ssh/ssh_host_ecdsa_key
|
|
||||||
+HostKey /etc/ssh/ssh_host_ed25519_key
|
|
||||||
|
|
||||||
# Ciphers and keying
|
|
||||||
#RekeyLimit default none
|
|
||||||
|
|
||||||
+# System-wide Crypto policy:
|
|
||||||
+# If this system is following system-wide crypto policy, the changes to
|
|
||||||
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
|
|
||||||
+# effect here. They will be overridden by command-line options passed on
|
|
||||||
+# the server start up.
|
|
||||||
+# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
|
|
||||||
+# variable in /etc/sysconfig/sshd to overwrite the policy.
|
|
||||||
+# For more information, see manual page for update-crypto-policies(8).
|
|
||||||
+
|
|
||||||
# Logging
|
|
||||||
#SyslogFacility AUTH
|
|
||||||
+SyslogFacility AUTHPRIV
|
|
||||||
#LogLevel INFO
|
|
||||||
|
|
||||||
# Authentication:
|
|
||||||
@@ -57,9 +62,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
|
||||||
#PasswordAuthentication yes
|
|
||||||
#PermitEmptyPasswords no
|
|
||||||
+PasswordAuthentication yes
|
|
||||||
|
|
||||||
# Change to no to disable s/key passwords
|
|
||||||
#ChallengeResponseAuthentication yes
|
|
||||||
+ChallengeResponseAuthentication no
|
|
||||||
|
|
||||||
# Kerberos options
|
|
||||||
#KerberosAuthentication no
|
|
||||||
@@ -68,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
#KerberosGetAFSToken no
|
|
||||||
|
|
||||||
# GSSAPI options
|
|
||||||
-#GSSAPIAuthentication no
|
|
||||||
-#GSSAPICleanupCredentials yes
|
|
||||||
+GSSAPIAuthentication yes
|
|
||||||
+GSSAPICleanupCredentials no
|
|
||||||
|
|
||||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
|
||||||
# and session processing. If this is enabled, PAM authentication will
|
|
||||||
@@ -80,12 +87,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# If you just want the PAM account and session checks to run without
|
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
|
||||||
-#UsePAM no
|
|
||||||
+UsePAM yes
|
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
|
||||||
#AllowTcpForwarding yes
|
|
||||||
#GatewayPorts no
|
|
||||||
-#X11Forwarding no
|
|
||||||
+X11Forwarding yes
|
|
||||||
#X11DisplayOffset 10
|
|
||||||
#X11UseLocalhost yes
|
|
||||||
#PermitTTY yes
|
|
||||||
@@ -108,6 +115,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
|
||||||
# no default banner path
|
|
||||||
#Banner none
|
|
||||||
|
|
||||||
+# Accept locale-related environment variables
|
|
||||||
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
|
||||||
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
|
||||||
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
|
||||||
+AcceptEnv XMODIFIERS
|
|
||||||
+
|
|
||||||
# override default of no subsystems
|
|
||||||
Subsystem sftp /usr/libexec/sftp-server
|
|
||||||
|
|
|
@ -20,14 +20,14 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
||||||
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
|
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
|
||||||
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
|
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
|
||||||
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
|
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||||
mm_get_keystate(pmonitor);
|
mm_get_keystate(ssh, pmonitor);
|
||||||
|
|
||||||
/* Drain any buffered messages from the child */
|
/* Drain any buffered messages from the child */
|
||||||
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
||||||
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
||||||
;
|
;
|
||||||
|
|
||||||
close(pmonitor->m_sendfd);
|
if (pmonitor->m_recvfd >= 0)
|
||||||
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
||||||
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
|
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
|
||||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
|
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
|
||||||
|
@ -120,27 +120,27 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
||||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
||||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||||
debug2("notify_done: reading");
|
debug2("%s: reading", __func__);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
@@ -518,7 +518,7 @@ server_request_tun(void)
|
||||||
}
|
debug("%s: invalid tun", __func__);
|
||||||
|
goto done;
|
||||||
tun = packet_get_int();
|
}
|
||||||
- if (forced_tun_device != -1) {
|
- if (auth_opts->force_tun_device != -1) {
|
||||||
+ if (forced_tun_device >= 0) {
|
+ if (auth_opts->force_tun_device >= 0) {
|
||||||
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
|
if (tun != SSH_TUNID_ANY &&
|
||||||
|
auth_opts->force_tun_device != (int)tun)
|
||||||
goto done;
|
goto done;
|
||||||
tun = forced_tun_device;
|
|
||||||
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
||||||
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
||||||
@@ -224,7 +224,7 @@ killchild(int signo)
|
@@ -224,7 +224,7 @@ killchild(int signo)
|
||||||
{
|
pid = sshpid;
|
||||||
if (sshpid > 1) {
|
if (pid > 1) {
|
||||||
kill(sshpid, SIGTERM);
|
kill(pid, SIGTERM);
|
||||||
- waitpid(sshpid, NULL, 0);
|
- waitpid(pid, NULL, 0);
|
||||||
+ (void) waitpid(sshpid, NULL, 0);
|
+ (void) waitpid(pid, NULL, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
_exit(1);
|
_exit(1);
|
||||||
|
@ -163,7 +163,7 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
|
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
|
||||||
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
|
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||||
|
|
||||||
privsep_preauth_child();
|
privsep_preauth_child(ssh);
|
||||||
setproctitle("%s", "[net]");
|
setproctitle("%s", "[net]");
|
||||||
- if (box != NULL)
|
- if (box != NULL)
|
||||||
+ if (box != NULL) {
|
+ if (box != NULL) {
|
||||||
|
@ -174,8 +174,8 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
|
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
|
||||||
if (num_listen_socks < 0)
|
explicit_bzero(rnd, sizeof(rnd));
|
||||||
break;
|
}
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
+ if (fdset != NULL)
|
+ if (fdset != NULL)
|
||||||
|
|
|
@ -1,140 +0,0 @@
|
||||||
diff -up openssh-7.4p1/configure.ac.tcp_wrappers openssh-7.4p1/configure.ac
|
|
||||||
--- openssh-7.4p1/configure.ac.tcp_wrappers 2016-12-23 15:36:38.745411192 +0100
|
|
||||||
+++ openssh-7.4p1/configure.ac 2016-12-23 15:36:38.777411197 +0100
|
|
||||||
@@ -1491,6 +1491,62 @@ AC_ARG_WITH([skey],
|
|
||||||
]
|
|
||||||
)
|
|
||||||
|
|
||||||
+# Check whether user wants TCP wrappers support
|
|
||||||
+TCPW_MSG="no"
|
|
||||||
+AC_ARG_WITH([tcp-wrappers],
|
|
||||||
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
|
|
||||||
+ [
|
|
||||||
+ if test "x$withval" != "xno" ; then
|
|
||||||
+ saved_LIBS="$LIBS"
|
|
||||||
+ saved_LDFLAGS="$LDFLAGS"
|
|
||||||
+ saved_CPPFLAGS="$CPPFLAGS"
|
|
||||||
+ if test -n "${withval}" && \
|
|
||||||
+ test "x${withval}" != "xyes"; then
|
|
||||||
+ if test -d "${withval}/lib"; then
|
|
||||||
+ if test -n "${need_dash_r}"; then
|
|
||||||
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
|
||||||
+ else
|
|
||||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
|
||||||
+ fi
|
|
||||||
+ else
|
|
||||||
+ if test -n "${need_dash_r}"; then
|
|
||||||
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
|
|
||||||
+ else
|
|
||||||
+ LDFLAGS="-L${withval} ${LDFLAGS}"
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ if test -d "${withval}/include"; then
|
|
||||||
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
|
||||||
+ else
|
|
||||||
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ LIBS="-lwrap $LIBS"
|
|
||||||
+ AC_MSG_CHECKING([for libwrap])
|
|
||||||
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <sys/socket.h>
|
|
||||||
+#include <netinet/in.h>
|
|
||||||
+#include <tcpd.h>
|
|
||||||
+int deny_severity = 0, allow_severity = 0;
|
|
||||||
+ ]], [[
|
|
||||||
+ hosts_access(0);
|
|
||||||
+ ]])], [
|
|
||||||
+ AC_MSG_RESULT([yes])
|
|
||||||
+ AC_DEFINE([LIBWRAP], [1],
|
|
||||||
+ [Define if you want
|
|
||||||
+ TCP Wrappers support])
|
|
||||||
+ SSHDLIBS="$SSHDLIBS -lwrap"
|
|
||||||
+ TCPW_MSG="yes"
|
|
||||||
+ ], [
|
|
||||||
+ AC_MSG_ERROR([*** libwrap missing])
|
|
||||||
+
|
|
||||||
+ ])
|
|
||||||
+ LIBS="$saved_LIBS"
|
|
||||||
+ fi
|
|
||||||
+ ]
|
|
||||||
+)
|
|
||||||
+
|
|
||||||
# Check whether user wants to use ldns
|
|
||||||
LDNS_MSG="no"
|
|
||||||
AC_ARG_WITH(ldns,
|
|
||||||
@@ -5214,6 +5270,7 @@ echo " KerberosV support
|
|
||||||
echo " SELinux support: $SELINUX_MSG"
|
|
||||||
echo " Smartcard support: $SCARD_MSG"
|
|
||||||
echo " S/KEY support: $SKEY_MSG"
|
|
||||||
+echo " TCP Wrappers support: $TCPW_MSG"
|
|
||||||
echo " MD5 password support: $MD5_MSG"
|
|
||||||
echo " libedit support: $LIBEDIT_MSG"
|
|
||||||
echo " libldns support: $LDNS_MSG"
|
|
||||||
diff -up openssh-7.4p1/sshd.8.tcp_wrappers openssh-7.4p1/sshd.8
|
|
||||||
--- openssh-7.4p1/sshd.8.tcp_wrappers 2016-12-23 15:36:38.759411194 +0100
|
|
||||||
+++ openssh-7.4p1/sshd.8 2016-12-23 15:36:38.778411197 +0100
|
|
||||||
@@ -836,6 +836,12 @@ the user's home directory becomes access
|
|
||||||
This file should be writable only by the user, and need not be
|
|
||||||
readable by anyone else.
|
|
||||||
.Pp
|
|
||||||
+.It Pa /etc/hosts.allow
|
|
||||||
+.It Pa /etc/hosts.deny
|
|
||||||
+Access controls that should be enforced by tcp-wrappers are defined here.
|
|
||||||
+Further details are described in
|
|
||||||
+.Xr hosts_access 5 .
|
|
||||||
+.Pp
|
|
||||||
.It Pa /etc/hosts.equiv
|
|
||||||
This file is for host-based authentication (see
|
|
||||||
.Xr ssh 1 ) .
|
|
||||||
@@ -960,6 +966,7 @@ IPv6 address can be used everywhere wher
|
|
||||||
.Xr ssh-keygen 1 ,
|
|
||||||
.Xr ssh-keyscan 1 ,
|
|
||||||
.Xr chroot 2 ,
|
|
||||||
+.Xr hosts_access 5 ,
|
|
||||||
.Xr login.conf 5 ,
|
|
||||||
.Xr moduli 5 ,
|
|
||||||
.Xr sshd_config 5 ,
|
|
||||||
diff -up openssh-7.4p1/sshd.c.tcp_wrappers openssh-7.4p1/sshd.c
|
|
||||||
--- openssh-7.4p1/sshd.c.tcp_wrappers 2016-12-23 15:36:38.772411196 +0100
|
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 15:37:15.032417028 +0100
|
|
||||||
@@ -123,6 +123,13 @@
|
|
||||||
#include "version.h"
|
|
||||||
#include "ssherr.h"
|
|
||||||
|
|
||||||
+#ifdef LIBWRAP
|
|
||||||
+#include <tcpd.h>
|
|
||||||
+#include <syslog.h>
|
|
||||||
+int allow_severity;
|
|
||||||
+int deny_severity;
|
|
||||||
+#endif /* LIBWRAP */
|
|
||||||
+
|
|
||||||
/* Re-exec fds */
|
|
||||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
|
||||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
|
||||||
@@ -2012,6 +2019,24 @@ main(int ac, char **av)
|
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
|
||||||
audit_connection_from(remote_ip, remote_port);
|
|
||||||
#endif
|
|
||||||
+#ifdef LIBWRAP
|
|
||||||
+ allow_severity = options.log_facility|LOG_INFO;
|
|
||||||
+ deny_severity = options.log_facility|LOG_WARNING;
|
|
||||||
+ /* Check whether logins are denied from this host. */
|
|
||||||
+ if (packet_connection_is_on_socket()) {
|
|
||||||
+ struct request_info req;
|
|
||||||
+
|
|
||||||
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
|
|
||||||
+ fromhost(&req);
|
|
||||||
+
|
|
||||||
+ if (!hosts_access(&req)) {
|
|
||||||
+ debug("Connection refused by tcp wrapper");
|
|
||||||
+ refuse(&req);
|
|
||||||
+ /* NOTREACHED */
|
|
||||||
+ fatal("libwrap refuse returns");
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+#endif /* LIBWRAP */
|
|
||||||
|
|
||||||
/* Log the connection. */
|
|
||||||
laddr = get_local_ipaddr(sock_in);
|
|
|
@ -2,34 +2,34 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
||||||
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
|
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
|
||||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
|
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
|
||||||
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
|
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
|
||||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||||
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||||
+SSH_CAVS=$(libexecdir)/ssh-cavs
|
+SSH_CAVS=$(libexecdir)/ssh-cavs
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||||
|
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
|
||||||
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
|
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
|
||||||
MANFMT=@MANFMT@
|
|
||||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
.SUFFIXES: .lo
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
|
||||||
|
|
||||||
LIBOPENSSH_OBJS=\
|
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||||
ssh_api.o \
|
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
||||||
|
|
||||||
|
XMSS_OBJS=\
|
||||||
|
ssh-xmss.o \
|
||||||
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
||||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
|
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
|
||||||
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
+
|
+
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||||
|
|
||||||
@@ -331,6 +335,8 @@ install-files:
|
@@ -331,6 +335,8 @@ install-files:
|
||||||
fi
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
|
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
|
||||||
|
@ -40,7 +40,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
||||||
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||||
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
|
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
|
||||||
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
|
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
|
||||||
@@ -0,0 +1,380 @@
|
@@ -0,0 +1,387 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||||
+ *
|
+ *
|
||||||
|
@ -88,11 +88,12 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||||
+#include <openssl/bn.h>
|
+#include <openssl/bn.h>
|
||||||
+
|
+
|
||||||
+#include "xmalloc.h"
|
+#include "xmalloc.h"
|
||||||
+#include "buffer.h"
|
+#include "sshbuf.h"
|
||||||
+#include "key.h"
|
+#include "sshkey.h"
|
||||||
+#include "cipher.h"
|
+#include "cipher.h"
|
||||||
+#include "kex.h"
|
+#include "kex.h"
|
||||||
+#include "packet.h"
|
+#include "packet.h"
|
||||||
|
+#include "digest.h"
|
||||||
+
|
+
|
||||||
+static int bin_char(unsigned char hex)
|
+static int bin_char(unsigned char hex)
|
||||||
+{
|
+{
|
||||||
|
@ -207,6 +208,7 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||||
+{
|
+{
|
||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+ struct kex kex;
|
+ struct kex kex;
|
||||||
|
+ struct sshbuf *Kb = NULL;
|
||||||
+ BIGNUM *Kbn = NULL;
|
+ BIGNUM *Kbn = NULL;
|
||||||
+ int mode = 0;
|
+ int mode = 0;
|
||||||
+ struct newkeys *ctoskeys;
|
+ struct newkeys *ctoskeys;
|
||||||
|
@ -221,10 +223,17 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||||
+ Kbn = BN_new();
|
+ Kbn = BN_new();
|
||||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
||||||
+ if (!Kbn) {
|
+ if (!Kbn) {
|
||||||
+ printf("cannot convert K into BIGNUM\n");
|
+ printf("cannot convert K into bignum\n");
|
||||||
+ ret = 1;
|
+ ret = 1;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
|
+ Kb = sshbuf_new();
|
||||||
|
+ if (!Kb) {
|
||||||
|
+ printf("cannot convert K into sshbuf\n");
|
||||||
|
+ ret = 1;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ sshbuf_put_bignum2(Kb, Kbn);
|
||||||
+
|
+
|
||||||
+ kex.session_id = test->session_id;
|
+ kex.session_id = test->session_id;
|
||||||
+ kex.session_id_len = test->session_id_len;
|
+ kex.session_id_len = test->session_id_len;
|
||||||
|
@ -234,16 +243,16 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||||
+ /* select the right hash based on struct ssh_digest digests */
|
+ /* select the right hash based on struct ssh_digest digests */
|
||||||
+ switch (test->ik_len) {
|
+ switch (test->ik_len) {
|
||||||
+ case 20:
|
+ case 20:
|
||||||
+ kex.hash_alg = 2;
|
+ kex.hash_alg = SSH_DIGEST_SHA1;
|
||||||
+ break;
|
+ break;
|
||||||
+ case 32:
|
+ case 32:
|
||||||
+ kex.hash_alg = 3;
|
+ kex.hash_alg = SSH_DIGEST_SHA256;
|
||||||
+ break;
|
+ break;
|
||||||
+ case 48:
|
+ case 48:
|
||||||
+ kex.hash_alg = 4;
|
+ kex.hash_alg = SSH_DIGEST_SHA384;
|
||||||
+ break;
|
+ break;
|
||||||
+ case 64:
|
+ case 64:
|
||||||
+ kex.hash_alg = 5;
|
+ kex.hash_alg = SSH_DIGEST_SHA512;
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
+ printf("Wrong hash type %u\n", test->ik_len);
|
||||||
|
@ -284,7 +293,7 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ ssh->kex = &kex;
|
+ ssh->kex = &kex;
|
||||||
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
|
+ kex_derive_keys(ssh, test->H, test->Hlen, Kb);
|
||||||
+
|
+
|
||||||
+ ctoskeys = kex.newkeys[0];
|
+ ctoskeys = kex.newkeys[0];
|
||||||
+ stockeys = kex.newkeys[1];
|
+ stockeys = kex.newkeys[1];
|
||||||
|
@ -320,10 +329,8 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||||
+out:
|
+out:
|
||||||
+ if (Kbn)
|
+ if (Kbn)
|
||||||
+ BN_free(Kbn);
|
+ BN_free(Kbn);
|
||||||
+ if (kex.newkeys[0])
|
+ if (Kb)
|
||||||
+ free(kex.newkeys[0]);
|
+ sshbuf_free(Kb);
|
||||||
+ if (kex.newkeys[1])
|
|
||||||
+ free(kex.newkeys[1]);
|
|
||||||
+ if (ssh)
|
+ if (ssh)
|
||||||
+ ssh_packet_close(ssh);
|
+ ssh_packet_close(ssh);
|
||||||
+ return ret;
|
+ return ret;
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -2,21 +2,23 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
|
||||||
--- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100
|
--- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100
|
||||||
+++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200
|
+++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200
|
||||||
@@ -38,6 +38,7 @@
|
@@ -38,6 +38,7 @@
|
||||||
.Op Fl P Ar blacklisted_requests
|
.Op Fl P Ar denied_requests
|
||||||
.Op Fl p Ar whitelisted_requests
|
.Op Fl p Ar allowed_requests
|
||||||
.Op Fl u Ar umask
|
.Op Fl u Ar umask
|
||||||
+.Op Fl m Ar force_file_perms
|
+.Op Fl m Ar force_file_perms
|
||||||
.Ek
|
.Ek
|
||||||
.Nm
|
.Nm
|
||||||
.Fl Q Ar protocol_feature
|
.Fl Q Ar protocol_feature
|
||||||
@@ -138,6 +139,10 @@ Sets an explicit
|
@@ -138,6 +139,12 @@ Sets an explicit
|
||||||
.Xr umask 2
|
.Xr umask 2
|
||||||
to be applied to newly-created files and directories, instead of the
|
to be applied to newly-created files and directories, instead of the
|
||||||
user's default mask.
|
user's default mask.
|
||||||
+.It Fl m Ar force_file_perms
|
+.It Fl m Ar force_file_perms
|
||||||
+Sets explicit file permissions to be applied to newly-created files instead
|
+Sets explicit file permissions to be applied to newly-created files instead
|
||||||
+of the default or client requested mode. Numeric values include:
|
+of the default or client requested mode. Numeric values include:
|
||||||
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
+777, 755, 750, 666, 644, 640, etc. Using both -m and -u switches makes the
|
||||||
|
+umask (-u) effective only for newly created directories and explicit mode (-m)
|
||||||
|
+for newly created files.
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
On some systems,
|
On some systems,
|
||||||
|
@ -65,9 +67,9 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
|
||||||
@@ -1494,7 +1505,7 @@ sftp_server_usage(void)
|
@@ -1494,7 +1505,7 @@ sftp_server_usage(void)
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
"[-l log_level]\n\t[-P denied_requests] "
|
||||||
- "[-p whitelisted_requests] [-u umask]\n"
|
- "[-p allowed_requests] [-u umask]\n"
|
||||||
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
|
+ "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
|
||||||
" %s -Q protocol_feature\n",
|
" %s -Q protocol_feature\n",
|
||||||
__progname, __progname);
|
__progname, __progname);
|
||||||
exit(1);
|
exit(1);
|
||||||
|
|
|
@ -1,24 +0,0 @@
|
||||||
diff -up openssh-7.4p1/servconf.c.memory openssh-7.4p1/servconf.c
|
|
||||||
--- openssh-7.4p1/servconf.c.memory 2016-12-23 15:37:48.181422360 +0100
|
|
||||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:38:30.189429116 +0100
|
|
||||||
@@ -2006,6 +2006,8 @@ copy_set_server_options(ServerOptions *d
|
|
||||||
dst->n = src->n; \
|
|
||||||
} while (0)
|
|
||||||
|
|
||||||
+ u_int i;
|
|
||||||
+
|
|
||||||
M_CP_INTOPT(password_authentication);
|
|
||||||
M_CP_INTOPT(gss_authentication);
|
|
||||||
M_CP_INTOPT(pubkey_authentication);
|
|
||||||
@@ -2058,8 +2060,10 @@ copy_set_server_options(ServerOptions *d
|
|
||||||
} while(0)
|
|
||||||
#define M_CP_STRARRAYOPT(n, num_n) do {\
|
|
||||||
if (src->num_n != 0) { \
|
|
||||||
+ for (i = 0; i < dst->num_n; i++) \
|
|
||||||
+ free(dst->n[i]); \
|
|
||||||
for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
|
|
||||||
- dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
|
|
||||||
+ dst->n[dst->num_n] = src->n[dst->num_n]; \
|
|
||||||
} \
|
|
||||||
} while(0)
|
|
||||||
#define M_CP_STRARRAYOPT_ALLOC(n, num_n) do { \
|
|
|
@ -3,25 +3,10 @@ diff -up openssh/servconf.c.sshdt openssh/servconf.c
|
||||||
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
|
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
|
||||||
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
|
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||||
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
dump_cfg_string(sCiphers, o->ciphers);
|
||||||
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
dump_cfg_string(sMacs, o->macs);
|
||||||
- dump_cfg_string(sBanner, o->banner);
|
- dump_cfg_string(sBanner, o->banner);
|
||||||
+ dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
+ dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||||
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
|
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
|
||||||
diff -up openssh/ssh.1.sshdt openssh/ssh.1
|
|
||||||
--- openssh/ssh.1.sshdt 2015-06-24 11:42:19.565102807 +0200
|
|
||||||
+++ openssh/ssh.1 2015-06-24 11:42:29.042078701 +0200
|
|
||||||
@@ -441,7 +441,11 @@ For full details of the options listed b
|
|
||||||
.It GatewayPorts
|
|
||||||
.It GlobalKnownHostsFile
|
|
||||||
.It GSSAPIAuthentication
|
|
||||||
+.It GSSAPIKeyExchange
|
|
||||||
+.It GSSAPIClientIdentity
|
|
||||||
.It GSSAPIDelegateCredentials
|
|
||||||
+.It GSSAPIRenewalForcesRekey
|
|
||||||
+.It GSSAPITrustDNS
|
|
||||||
.It HashKnownHosts
|
|
||||||
.It Host
|
|
||||||
.It HostbasedAuthentication
|
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
diff -up openssh-7.0p1/sshd_config.root-login openssh-7.0p1/sshd_config
|
|
||||||
--- openssh-7.0p1/sshd_config.root-login 2015-08-12 11:29:12.919269245 +0200
|
|
||||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:31:03.653096466 +0200
|
|
||||||
@@ -46,7 +46,7 @@ SyslogFacility AUTHPRIV
|
|
||||||
# Authentication:
|
|
||||||
|
|
||||||
#LoginGraceTime 2m
|
|
||||||
-#PermitRootLogin prohibit-password
|
|
||||||
+PermitRootLogin yes
|
|
||||||
#StrictModes yes
|
|
||||||
#MaxAuthTries 6
|
|
||||||
#MaxSessions 10
|
|
|
@ -1,417 +0,0 @@
|
||||||
diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
|
||||||
--- openssh-7.0p1/gss-genr.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
|
||||||
+++ openssh-7.0p1/gss-genr.c 2015-08-19 12:28:38.078518839 +0200
|
|
||||||
@@ -78,7 +78,8 @@ ssh_gssapi_oid_table_ok() {
|
|
||||||
*/
|
|
||||||
|
|
||||||
char *
|
|
||||||
-ssh_gssapi_client_mechanisms(const char *host, const char *client) {
|
|
||||||
+ssh_gssapi_client_mechanisms(const char *host, const char *client,
|
|
||||||
+ const char *kex) {
|
|
||||||
gss_OID_set gss_supported;
|
|
||||||
OM_uint32 min_status;
|
|
||||||
|
|
||||||
@@ -86,12 +87,12 @@ ssh_gssapi_client_mechanisms(const char
|
|
||||||
return NULL;
|
|
||||||
|
|
||||||
return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
|
|
||||||
- host, client));
|
|
||||||
+ host, client, kex));
|
|
||||||
}
|
|
||||||
|
|
||||||
char *
|
|
||||||
ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
|
|
||||||
- const char *host, const char *client) {
|
|
||||||
+ const char *host, const char *client, const char *kex) {
|
|
||||||
Buffer buf;
|
|
||||||
size_t i;
|
|
||||||
int oidpos, enclen;
|
|
||||||
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
|
||||||
char deroid[2];
|
|
||||||
const EVP_MD *evp_md = EVP_md5();
|
|
||||||
EVP_MD_CTX md;
|
|
||||||
+ char *s, *cp, *p;
|
|
||||||
|
|
||||||
if (gss_enc2oid != NULL) {
|
|
||||||
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
|
||||||
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
|
||||||
buffer_init(&buf);
|
|
||||||
|
|
||||||
oidpos = 0;
|
|
||||||
+ s = cp = xstrdup(kex);
|
|
||||||
for (i = 0; i < gss_supported->count; i++) {
|
|
||||||
if (gss_supported->elements[i].length < 128 &&
|
|
||||||
(*check)(NULL, &(gss_supported->elements[i]), host, client)) {
|
|
||||||
@@ -131,26 +134,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
|
||||||
enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
|
|
||||||
encoded, EVP_MD_size(evp_md) * 2);
|
|
||||||
|
|
||||||
- if (oidpos != 0)
|
|
||||||
- buffer_put_char(&buf, ',');
|
|
||||||
-
|
|
||||||
- buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
|
|
||||||
- sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
|
|
||||||
- buffer_append(&buf, encoded, enclen);
|
|
||||||
- buffer_put_char(&buf, ',');
|
|
||||||
- buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
|
|
||||||
- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
|
|
||||||
- buffer_append(&buf, encoded, enclen);
|
|
||||||
- buffer_put_char(&buf, ',');
|
|
||||||
- buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
|
|
||||||
- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
|
|
||||||
- buffer_append(&buf, encoded, enclen);
|
|
||||||
+ cp = strncpy(s, kex, strlen(kex));
|
|
||||||
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
|
||||||
+ (p = strsep(&cp, ","))) {
|
|
||||||
+ if (buffer_len(&buf) != 0)
|
|
||||||
+ buffer_put_char(&buf, ',');
|
|
||||||
+ buffer_append(&buf, p,
|
|
||||||
+ strlen(p));
|
|
||||||
+ buffer_append(&buf, encoded, enclen);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
|
||||||
gss_enc2oid[oidpos].encoded = encoded;
|
|
||||||
oidpos++;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
+ free(s);
|
|
||||||
gss_enc2oid[oidpos].oid = NULL;
|
|
||||||
gss_enc2oid[oidpos].encoded = NULL;
|
|
||||||
|
|
||||||
diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
|
|
||||||
--- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
|
||||||
+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
|
|
||||||
@@ -149,7 +149,8 @@ ssh_gssapi_server_mechanisms() {
|
|
||||||
if (supported_oids == NULL)
|
|
||||||
ssh_gssapi_prepare_supported_oids();
|
|
||||||
return (ssh_gssapi_kex_mechs(supported_oids,
|
|
||||||
- &ssh_gssapi_server_check_mech, NULL, NULL));
|
|
||||||
+ &ssh_gssapi_server_check_mech, NULL, NULL,
|
|
||||||
+ options.gss_kex_algorithms));
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Unprivileged */
|
|
||||||
diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c
|
|
||||||
--- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200
|
|
||||||
+++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200
|
|
||||||
@@ -50,6 +50,7 @@
|
|
||||||
#include "misc.h"
|
|
||||||
#include "dispatch.h"
|
|
||||||
#include "monitor.h"
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
|
|
||||||
#include "ssherr.h"
|
|
||||||
#include "sshbuf.h"
|
|
||||||
@@ -232,6 +232,29 @@ kex_assemble_names(const char *def, char
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
+/* Validate GSS KEX method name list */
|
|
||||||
+int
|
|
||||||
+gss_kex_names_valid(const char *names)
|
|
||||||
+{
|
|
||||||
+ char *s, *cp, *p;
|
|
||||||
+
|
|
||||||
+ if (names == NULL || *names == '\0')
|
|
||||||
+ return 0;
|
|
||||||
+ s = cp = xstrdup(names);
|
|
||||||
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
|
||||||
+ (p = strsep(&cp, ","))) {
|
|
||||||
+ if (strncmp(p, "gss-", 4) != 0
|
|
||||||
+ || kex_alg_by_name(p) == NULL) {
|
|
||||||
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
|
||||||
+ free(s);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ debug3("gss kex names ok: [%s]", names);
|
|
||||||
+ free(s);
|
|
||||||
+ return 1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/* put algorithm proposal into buffer */
|
|
||||||
int
|
|
||||||
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
|
||||||
diff -up openssh-7.0p1/kex.h.gsskexalg openssh-7.0p1/kex.h
|
|
||||||
--- openssh-7.0p1/kex.h.gsskexalg 2015-08-19 12:28:38.078518839 +0200
|
|
||||||
+++ openssh-7.0p1/kex.h 2015-08-19 12:30:52.404218958 +0200
|
|
||||||
@@ -173,6 +173,7 @@ int kex_names_valid(const char *);
|
|
||||||
char *kex_alg_list(char);
|
|
||||||
char *kex_names_cat(const char *, const char *);
|
|
||||||
int kex_assemble_names(const char *, char **);
|
|
||||||
+int gss_kex_names_valid(const char *);
|
|
||||||
|
|
||||||
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
|
|
||||||
int kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
|
|
||||||
diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
|
||||||
--- openssh-7.0p1/readconf.c.gsskexalg 2015-08-19 12:28:38.026518955 +0200
|
|
||||||
+++ openssh-7.0p1/readconf.c 2015-08-19 12:31:28.333138747 +0200
|
|
||||||
@@ -61,6 +61,7 @@
|
|
||||||
#include "uidswap.h"
|
|
||||||
#include "myproposal.h"
|
|
||||||
#include "digest.h"
|
|
||||||
+#include "ssh-gss.h"
|
|
||||||
|
|
||||||
/* Format of the configuration file:
|
|
||||||
|
|
||||||
@@ -148,7 +149,7 @@ typedef enum {
|
|
||||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
|
||||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
|
||||||
oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
|
|
||||||
- oGssServerIdentity,
|
|
||||||
+ oGssServerIdentity, oGssKexAlgorithms,
|
|
||||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
|
||||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
|
||||||
oHashKnownHosts,
|
|
||||||
@@ -200,6 +201,7 @@ static struct {
|
|
||||||
{ "gssapiclientidentity", oGssClientIdentity },
|
|
||||||
{ "gssapiserveridentity", oGssServerIdentity },
|
|
||||||
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
|
|
||||||
+ { "gssapikexalgorithms", oGssKexAlgorithms },
|
|
||||||
# else
|
|
||||||
{ "gssapiauthentication", oUnsupported },
|
|
||||||
{ "gssapikeyexchange", oUnsupported },
|
|
||||||
@@ -207,6 +209,7 @@ static struct {
|
|
||||||
{ "gssapitrustdns", oUnsupported },
|
|
||||||
{ "gssapiclientidentity", oUnsupported },
|
|
||||||
{ "gssapirenewalforcesrekey", oUnsupported },
|
|
||||||
+ { "gssapikexalgorithms", oUnsupported },
|
|
||||||
#endif
|
|
||||||
#ifdef ENABLE_PKCS11
|
|
||||||
{ "smartcarddevice", oPKCS11Provider },
|
|
||||||
@@ -929,6 +932,18 @@ parse_time:
|
|
||||||
intptr = &options->gss_renewal_rekey;
|
|
||||||
goto parse_flag;
|
|
||||||
|
|
||||||
+ case oGssKexAlgorithms:
|
|
||||||
+ arg = strdelim(&s);
|
|
||||||
+ if (!arg || *arg == '\0')
|
|
||||||
+ fatal("%.200s line %d: Missing argument.",
|
|
||||||
+ filename, linenum);
|
|
||||||
+ if (!gss_kex_names_valid(arg))
|
|
||||||
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
|
||||||
+ filename, linenum, arg ? arg : "<NONE>");
|
|
||||||
+ if (*activep && options->gss_kex_algorithms == NULL)
|
|
||||||
+ options->gss_kex_algorithms = xstrdup(arg);
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
case oBatchMode:
|
|
||||||
intptr = &options->batch_mode;
|
|
||||||
goto parse_flag;
|
|
||||||
@@ -1638,6 +1653,7 @@ initialize_options(Options * options)
|
|
||||||
options->gss_renewal_rekey = -1;
|
|
||||||
options->gss_client_identity = NULL;
|
|
||||||
options->gss_server_identity = NULL;
|
|
||||||
+ options->gss_kex_algorithms = NULL;
|
|
||||||
options->password_authentication = -1;
|
|
||||||
options->kbd_interactive_authentication = -1;
|
|
||||||
options->kbd_interactive_devices = NULL;
|
|
||||||
@@ -1773,6 +1789,10 @@ fill_default_options(Options * options)
|
|
||||||
options->gss_trust_dns = 0;
|
|
||||||
if (options->gss_renewal_rekey == -1)
|
|
||||||
options->gss_renewal_rekey = 0;
|
|
||||||
+#ifdef GSSAPI
|
|
||||||
+ if (options->gss_kex_algorithms == NULL)
|
|
||||||
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
|
||||||
+#endif
|
|
||||||
if (options->password_authentication == -1)
|
|
||||||
options->password_authentication = 1;
|
|
||||||
if (options->kbd_interactive_authentication == -1)
|
|
||||||
diff -up openssh-7.0p1/readconf.h.gsskexalg openssh-7.0p1/readconf.h
|
|
||||||
--- openssh-7.0p1/readconf.h.gsskexalg 2015-08-19 12:28:38.026518955 +0200
|
|
||||||
+++ openssh-7.0p1/readconf.h 2015-08-19 12:28:38.079518836 +0200
|
|
||||||
@@ -51,6 +51,7 @@ typedef struct {
|
|
||||||
int gss_renewal_rekey; /* Credential renewal forces rekey */
|
|
||||||
char *gss_client_identity; /* Principal to initiate GSSAPI with */
|
|
||||||
char *gss_server_identity; /* GSSAPI target principal */
|
|
||||||
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
|
||||||
int password_authentication; /* Try password
|
|
||||||
* authentication. */
|
|
||||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
|
||||||
diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
|
||||||
--- openssh-7.0p1/servconf.c.gsskexalg 2015-08-19 12:28:38.074518847 +0200
|
|
||||||
+++ openssh-7.0p1/servconf.c 2015-08-19 12:33:13.599902732 +0200
|
|
||||||
@@ -57,6 +57,7 @@
|
|
||||||
#include "auth.h"
|
|
||||||
#include "myproposal.h"
|
|
||||||
#include "digest.h"
|
|
||||||
+#include "ssh-gss.h"
|
|
||||||
|
|
||||||
static void add_listen_addr(ServerOptions *, char *, int);
|
|
||||||
static void add_one_listen_addr(ServerOptions *, char *, int);
|
|
||||||
@@ -121,6 +122,7 @@ initialize_server_options(ServerOptions
|
|
||||||
options->gss_cleanup_creds = -1;
|
|
||||||
options->gss_strict_acceptor = -1;
|
|
||||||
options->gss_store_rekey = -1;
|
|
||||||
+ options->gss_kex_algorithms = NULL;
|
|
||||||
options->use_kuserok = -1;
|
|
||||||
options->enable_k5users = -1;
|
|
||||||
options->password_authentication = -1;
|
|
||||||
@@ -288,6 +290,10 @@ fill_default_server_options(ServerOption
|
|
||||||
options->gss_strict_acceptor = 1;
|
|
||||||
if (options->gss_store_rekey == -1)
|
|
||||||
options->gss_store_rekey = 0;
|
|
||||||
+#ifdef GSSAPI
|
|
||||||
+ if (options->gss_kex_algorithms == NULL)
|
|
||||||
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
|
||||||
+#endif
|
|
||||||
if (options->use_kuserok == -1)
|
|
||||||
options->use_kuserok = 1;
|
|
||||||
if (options->enable_k5users == -1)
|
|
||||||
@@ -427,7 +431,7 @@ typedef enum {
|
|
||||||
sHostKeyAlgorithms,
|
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
|
||||||
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
|
||||||
+ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel,
|
|
||||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
|
||||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
|
||||||
sHostCertificate,
|
|
||||||
@@ -506,6 +510,7 @@ static struct {
|
|
||||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
|
||||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
|
||||||
{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
|
||||||
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
|
|
||||||
#else
|
|
||||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
|
||||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
@@ -513,6 +518,7 @@ static struct {
|
|
||||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
|
||||||
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
#endif
|
|
||||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
|
||||||
@@ -1273,6 +1279,18 @@ process_server_config_line(ServerOptions
|
|
||||||
intptr = &options->gss_store_rekey;
|
|
||||||
goto parse_flag;
|
|
||||||
|
|
||||||
+ case sGssKexAlgorithms:
|
|
||||||
+ arg = strdelim(&cp);
|
|
||||||
+ if (!arg || *arg == '\0')
|
|
||||||
+ fatal("%.200s line %d: Missing argument.",
|
|
||||||
+ filename, linenum);
|
|
||||||
+ if (!gss_kex_names_valid(arg))
|
|
||||||
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
|
||||||
+ filename, linenum, arg ? arg : "<NONE>");
|
|
||||||
+ if (*activep && options->gss_kex_algorithms == NULL)
|
|
||||||
+ options->gss_kex_algorithms = xstrdup(arg);
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
case sPasswordAuthentication:
|
|
||||||
intptr = &options->password_authentication;
|
|
||||||
goto parse_flag;
|
|
||||||
@@ -2304,6 +2322,7 @@ dump_config(ServerOptions *o)
|
|
||||||
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
|
||||||
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
|
||||||
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
|
||||||
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
|
|
||||||
#endif
|
|
||||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
|
||||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
|
||||||
diff -up openssh-7.0p1/servconf.h.gsskexalg openssh-7.0p1/servconf.h
|
|
||||||
--- openssh-7.0p1/servconf.h.gsskexalg 2015-08-19 12:28:38.080518834 +0200
|
|
||||||
+++ openssh-7.0p1/servconf.h 2015-08-19 12:34:46.328693944 +0200
|
|
||||||
@@ -122,6 +122,7 @@ typedef struct {
|
|
||||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
|
||||||
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
|
||||||
int gss_store_rekey;
|
|
||||||
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
|
||||||
int password_authentication; /* If true, permit password
|
|
||||||
* authentication. */
|
|
||||||
int kbd_interactive_authentication; /* If true, permit */
|
|
||||||
diff -up openssh-7.0p1/ssh.1.gsskexalg openssh-7.0p1/ssh.1
|
|
||||||
--- openssh-7.0p1/ssh.1.gsskexalg 2015-08-19 12:28:38.081518832 +0200
|
|
||||||
+++ openssh-7.0p1/ssh.1 2015-08-19 12:35:31.741591692 +0200
|
|
||||||
@@ -496,6 +496,7 @@ For full details of the options listed b
|
|
||||||
.It GSSAPIDelegateCredentials
|
|
||||||
.It GSSAPIRenewalForcesRekey
|
|
||||||
.It GSSAPITrustDNS
|
|
||||||
+.It GSSAPIKexAlgorithms
|
|
||||||
.It HashKnownHosts
|
|
||||||
.It Host
|
|
||||||
.It HostbasedAuthentication
|
|
||||||
diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5
|
|
||||||
--- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200
|
|
||||||
+++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200
|
|
||||||
@@ -786,6 +786,18 @@ command line will be passed untouched to
|
|
||||||
command line will be passed untouched to the GSSAPI library.
|
|
||||||
The default is
|
|
||||||
.Dq no .
|
|
||||||
+.It Cm GSSAPIKexAlgorithms
|
|
||||||
+The list of key exchange algorithms that are offered for GSSAPI
|
|
||||||
+key exchange. Possible values are
|
|
||||||
+.Bd -literal -offset 3n
|
|
||||||
+gss-gex-sha1-,
|
|
||||||
+gss-group1-sha1-,
|
|
||||||
+gss-group14-sha1-
|
|
||||||
+.Ed
|
|
||||||
+.Pp
|
|
||||||
+The default is
|
|
||||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
|
||||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
|
||||||
.It Cm HashKnownHosts
|
|
||||||
Indicates that
|
|
||||||
.Xr ssh 1
|
|
||||||
diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
|
|
||||||
--- openssh-7.0p1/sshconnect2.c.gsskexalg 2015-08-19 12:28:38.045518912 +0200
|
|
||||||
+++ openssh-7.0p1/sshconnect2.c 2015-08-19 12:28:38.081518832 +0200
|
|
||||||
@@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho
|
|
||||||
else
|
|
||||||
gss_host = host;
|
|
||||||
|
|
||||||
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
|
||||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
|
||||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
|
||||||
if (gss) {
|
|
||||||
debug("Offering GSSAPI proposal: %s", gss);
|
|
||||||
xasprintf(&options.kex_algorithms,
|
|
||||||
--- openssh-7.1p1/sshd_config.5.gsskexalg 2015-12-10 15:32:48.105418092 +0100
|
|
||||||
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:33:47.771279548 +0100
|
|
||||||
@@ -663,6 +663,18 @@ or updated credentials from a compatible
|
|
||||||
For this to work
|
|
||||||
.Cm GSSAPIKeyExchange
|
|
||||||
needs to be enabled in the server and also used by the client.
|
|
||||||
+.It Cm GSSAPIKexAlgorithms
|
|
||||||
+The list of key exchange algorithms that are accepted by GSSAPI
|
|
||||||
+key exchange. Possible values are
|
|
||||||
+.Bd -literal -offset 3n
|
|
||||||
+gss-gex-sha1-,
|
|
||||||
+gss-group1-sha1-,
|
|
||||||
+gss-group14-sha1-
|
|
||||||
+.Ed
|
|
||||||
+.Pp
|
|
||||||
+The default is
|
|
||||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
|
||||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
|
||||||
as a comma-separated pattern list.
|
|
||||||
diff -up openssh-7.0p1/ssh-gss.h.gsskexalg openssh-7.0p1/ssh-gss.h
|
|
||||||
--- openssh-7.0p1/ssh-gss.h.gsskexalg 2015-08-19 12:28:38.031518944 +0200
|
|
||||||
+++ openssh-7.0p1/ssh-gss.h 2015-08-19 12:28:38.081518832 +0200
|
|
||||||
@@ -76,6 +76,10 @@ extern char **k5users_allowed_cmds;
|
|
||||||
#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
|
|
||||||
#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
|
|
||||||
|
|
||||||
+#define GSS_KEX_DEFAULT_KEX \
|
|
||||||
+ KEX_GSS_GEX_SHA1_ID "," \
|
|
||||||
+ KEX_GSS_GRP14_SHA1_ID
|
|
||||||
+
|
|
||||||
typedef struct {
|
|
||||||
char *filename;
|
|
||||||
char *envvar;
|
|
||||||
@@ -147,9 +151,9 @@ int ssh_gssapi_credentials_updated(Gssct
|
|
||||||
/* In the server */
|
|
||||||
typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
|
|
||||||
const char *);
|
|
||||||
-char *ssh_gssapi_client_mechanisms(const char *, const char *);
|
|
||||||
+char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
|
|
||||||
char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
|
|
||||||
- const char *);
|
|
||||||
+ const char *, const char *);
|
|
||||||
gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
|
|
||||||
int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
|
|
||||||
const char *);
|
|
|
@ -1,324 +0,0 @@
|
||||||
diff -up openssh/clientloop.c.fingerprint openssh/clientloop.c
|
|
||||||
--- openssh/clientloop.c.fingerprint 2017-09-26 15:21:22.582477729 +0200
|
|
||||||
+++ openssh/clientloop.c 2017-09-26 15:21:22.620477932 +0200
|
|
||||||
@@ -1854,7 +1854,7 @@ update_known_hosts(struct hostkeys_updat
|
|
||||||
if (ctx->keys_seen[i] != 2)
|
|
||||||
continue;
|
|
||||||
if ((fp = sshkey_fingerprint(ctx->keys[i],
|
|
||||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
|
||||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
|
||||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
|
||||||
do_log2(loglevel, "Learned new hostkey: %s %s",
|
|
||||||
sshkey_type(ctx->keys[i]), fp);
|
|
||||||
@@ -1862,7 +1862,7 @@ update_known_hosts(struct hostkeys_updat
|
|
||||||
}
|
|
||||||
for (i = 0; i < ctx->nold; i++) {
|
|
||||||
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
|
|
||||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
|
||||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
|
||||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
|
||||||
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
|
|
||||||
sshkey_type(ctx->old_keys[i]), fp);
|
|
||||||
@@ -1905,7 +1905,7 @@ update_known_hosts(struct hostkeys_updat
|
|
||||||
(r = hostfile_replace_entries(options.user_hostfiles[0],
|
|
||||||
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
|
|
||||||
options.hash_known_hosts, 0,
|
|
||||||
- options.fingerprint_hash)) != 0)
|
|
||||||
+ options.fingerprint_hash[0])) != 0)
|
|
||||||
error("%s: hostfile_replace_entries failed: %s",
|
|
||||||
__func__, ssh_err(r));
|
|
||||||
}
|
|
||||||
@@ -2038,7 +2038,7 @@ client_input_hostkeys(void)
|
|
||||||
error("%s: parse key: %s", __func__, ssh_err(r));
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
|
||||||
+ fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
|
||||||
SSH_FP_DEFAULT);
|
|
||||||
debug3("%s: received %s key %s", __func__,
|
|
||||||
sshkey_type(key), fp);
|
|
||||||
diff -up openssh/readconf.c.fingerprint openssh/readconf.c
|
|
||||||
--- openssh/readconf.c.fingerprint 2017-09-26 15:21:22.618477921 +0200
|
|
||||||
+++ openssh/readconf.c 2017-09-26 15:21:22.621477937 +0200
|
|
||||||
@@ -1681,16 +1681,18 @@ parse_keytypes:
|
|
||||||
goto parse_string;
|
|
||||||
|
|
||||||
case oFingerprintHash:
|
|
||||||
- intptr = &options->fingerprint_hash;
|
|
||||||
- arg = strdelim(&s);
|
|
||||||
- if (!arg || *arg == '\0')
|
|
||||||
- fatal("%.200s line %d: Missing argument.",
|
|
||||||
- filename, linenum);
|
|
||||||
- if ((value = ssh_digest_alg_by_name(arg)) == -1)
|
|
||||||
- fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
|
|
||||||
- filename, linenum, arg);
|
|
||||||
- if (*activep && *intptr == -1)
|
|
||||||
- *intptr = value;
|
|
||||||
+ if (*activep && options->num_fingerprint_hash == 0)
|
|
||||||
+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
|
|
||||||
+ value = ssh_digest_alg_by_name(arg);
|
|
||||||
+ if (value == -1)
|
|
||||||
+ fatal("%s line %d: unknown fingerprints algorithm specs: %s.",
|
|
||||||
+ filename, linenum, arg);
|
|
||||||
+ if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)
|
|
||||||
+ fatal("%s line %d: too many fingerprints algorithm specs.",
|
|
||||||
+ filename, linenum);
|
|
||||||
+ options->fingerprint_hash[
|
|
||||||
+ options->num_fingerprint_hash++] = value;
|
|
||||||
+ }
|
|
||||||
break;
|
|
||||||
|
|
||||||
case oUpdateHostkeys:
|
|
||||||
@@ -1917,7 +1919,7 @@ initialize_options(Options * options)
|
|
||||||
options->canonicalize_fallback_local = -1;
|
|
||||||
options->canonicalize_hostname = -1;
|
|
||||||
options->revoked_host_keys = NULL;
|
|
||||||
- options->fingerprint_hash = -1;
|
|
||||||
+ options->num_fingerprint_hash = 0;
|
|
||||||
options->update_hostkeys = -1;
|
|
||||||
options->hostbased_key_types = NULL;
|
|
||||||
options->pubkey_key_types = NULL;
|
|
||||||
@@ -2096,8 +2098,10 @@ fill_default_options(Options * options)
|
|
||||||
options->canonicalize_fallback_local = 1;
|
|
||||||
if (options->canonicalize_hostname == -1)
|
|
||||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
|
||||||
- if (options->fingerprint_hash == -1)
|
|
||||||
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
|
||||||
+ if (options->num_fingerprint_hash == 0) {
|
|
||||||
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_SHA256;
|
|
||||||
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_MD5;
|
|
||||||
+ }
|
|
||||||
if (options->update_hostkeys == -1)
|
|
||||||
options->update_hostkeys = 0;
|
|
||||||
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
|
||||||
@@ -2474,6 +2478,17 @@ dump_cfg_strarray(OpCodes code, u_int co
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
+dump_cfg_fmtarray(OpCodes code, u_int count, int *vals)
|
|
||||||
+{
|
|
||||||
+ u_int i;
|
|
||||||
+
|
|
||||||
+ printf("%s", lookup_opcode_name(code));
|
|
||||||
+ for (i = 0; i < count; i++)
|
|
||||||
+ printf(" %s", fmt_intarg(code, vals[i]));
|
|
||||||
+ printf("\n");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
|
|
||||||
{
|
|
||||||
u_int i;
|
|
||||||
@@ -2549,7 +2564,6 @@ dump_client_config(Options *o, const cha
|
|
||||||
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
|
|
||||||
dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
|
|
||||||
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
|
|
||||||
- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
|
|
||||||
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
|
|
||||||
dump_cfg_fmtint(oForwardX11, o->forward_x11);
|
|
||||||
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
|
|
||||||
@@ -2618,6 +2632,7 @@ dump_client_config(Options *o, const cha
|
|
||||||
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
|
|
||||||
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
|
|
||||||
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
|
|
||||||
+ dump_cfg_fmtarray(oFingerprintHash, o->num_fingerprint_hash, o->fingerprint_hash);
|
|
||||||
|
|
||||||
/* Special cases */
|
|
||||||
|
|
||||||
diff -up openssh/readconf.h.fingerprint openssh/readconf.h
|
|
||||||
--- openssh/readconf.h.fingerprint 2017-09-26 15:21:22.618477921 +0200
|
|
||||||
+++ openssh/readconf.h 2017-09-26 15:21:22.621477937 +0200
|
|
||||||
@@ -21,6 +21,7 @@
|
|
||||||
#define MAX_SEND_ENV 256
|
|
||||||
#define SSH_MAX_HOSTS_FILES 32
|
|
||||||
#define MAX_CANON_DOMAINS 32
|
|
||||||
+#define MAX_SSH_DIGESTS 32
|
|
||||||
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
|
|
||||||
|
|
||||||
struct allowed_cname {
|
|
||||||
@@ -157,7 +158,8 @@ typedef struct {
|
|
||||||
|
|
||||||
char *revoked_host_keys;
|
|
||||||
|
|
||||||
- int fingerprint_hash;
|
|
||||||
+ int num_fingerprint_hash;
|
|
||||||
+ int fingerprint_hash[MAX_SSH_DIGESTS];
|
|
||||||
|
|
||||||
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
|
|
||||||
|
|
||||||
diff -up openssh/ssh_config.5.fingerprint openssh/ssh_config.5
|
|
||||||
--- openssh/ssh_config.5.fingerprint 2017-09-26 15:21:22.618477921 +0200
|
|
||||||
+++ openssh/ssh_config.5 2017-09-26 15:21:22.621477937 +0200
|
|
||||||
@@ -624,12 +624,13 @@ or
|
|
||||||
.Cm no
|
|
||||||
(the default).
|
|
||||||
.It Cm FingerprintHash
|
|
||||||
-Specifies the hash algorithm used when displaying key fingerprints.
|
|
||||||
+Specifies the hash algorithms used when displaying key fingerprints.
|
|
||||||
Valid options are:
|
|
||||||
.Cm md5
|
|
||||||
and
|
|
||||||
-.Cm sha256
|
|
||||||
-(the default).
|
|
||||||
+.Cm sha256 .
|
|
||||||
+The default is
|
|
||||||
+.Cm "sha256 md5".
|
|
||||||
.It Cm ForwardAgent
|
|
||||||
Specifies whether the connection to the authentication agent (if any)
|
|
||||||
will be forwarded to the remote machine.
|
|
||||||
diff -up openssh/sshconnect2.c.fingerprint openssh/sshconnect2.c
|
|
||||||
--- openssh/sshconnect2.c.fingerprint 2017-09-26 15:21:22.619477926 +0200
|
|
||||||
+++ openssh/sshconnect2.c 2017-09-26 15:21:50.677628003 +0200
|
|
||||||
@@ -679,7 +679,7 @@ input_userauth_pk_ok(int type, u_int32_t
|
|
||||||
key->type, pktype);
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
|
||||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
|
||||||
SSH_FP_DEFAULT)) == NULL)
|
|
||||||
goto done;
|
|
||||||
debug2("input_userauth_pk_ok: fp %s", fp);
|
|
||||||
@@ -1198,7 +1198,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
|
|
||||||
int matched, ret = -1, have_sig = 1;
|
|
||||||
char *fp;
|
|
||||||
|
|
||||||
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
|
|
||||||
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
|
|
||||||
SSH_FP_DEFAULT)) == NULL)
|
|
||||||
return 0;
|
|
||||||
debug3("%s: %s %s", __func__, key_type(id->key), fp);
|
|
||||||
@@ -1620,7 +1620,7 @@ userauth_pubkey(Authctxt *authctxt)
|
|
||||||
if (id->key != NULL) {
|
|
||||||
if (try_identity(id)) {
|
|
||||||
if ((fp = sshkey_fingerprint(id->key,
|
|
||||||
- options.fingerprint_hash,
|
|
||||||
+ options.fingerprint_hash[0],
|
|
||||||
SSH_FP_DEFAULT)) == NULL) {
|
|
||||||
error("%s: sshkey_fingerprint failed",
|
|
||||||
__func__);
|
|
||||||
@@ -1914,7 +1914,7 @@ userauth_hostbased(Authctxt *authctxt)
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
|
|
||||||
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
|
|
||||||
SSH_FP_DEFAULT)) == NULL) {
|
|
||||||
error("%s: sshkey_fingerprint failed", __func__);
|
|
||||||
goto out;
|
|
||||||
diff -up openssh/sshconnect.c.fingerprint openssh/sshconnect.c
|
|
||||||
--- openssh/sshconnect.c.fingerprint 2017-09-25 01:48:10.000000000 +0200
|
|
||||||
+++ openssh/sshconnect.c 2017-09-26 15:21:22.622477943 +0200
|
|
||||||
@@ -861,9 +861,9 @@ check_host_key(char *hostname, struct so
|
|
||||||
"of known hosts.", type, ip);
|
|
||||||
} else if (options.visual_host_key) {
|
|
||||||
fp = sshkey_fingerprint(host_key,
|
|
||||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
||||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
|
||||||
ra = sshkey_fingerprint(host_key,
|
|
||||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
|
||||||
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
|
||||||
if (fp == NULL || ra == NULL)
|
|
||||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
|
||||||
logit("Host key fingerprint is %s\n%s", fp, ra);
|
|
||||||
@@ -907,12 +907,6 @@ check_host_key(char *hostname, struct so
|
|
||||||
else
|
|
||||||
snprintf(msg1, sizeof(msg1), ".");
|
|
||||||
/* The default */
|
|
||||||
- fp = sshkey_fingerprint(host_key,
|
|
||||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
||||||
- ra = sshkey_fingerprint(host_key,
|
|
||||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
|
||||||
- if (fp == NULL || ra == NULL)
|
|
||||||
- fatal("%s: sshkey_fingerprint fail", __func__);
|
|
||||||
msg2[0] = '\0';
|
|
||||||
if (options.verify_host_key_dns) {
|
|
||||||
if (matching_host_key_dns)
|
|
||||||
@@ -926,16 +920,28 @@ check_host_key(char *hostname, struct so
|
|
||||||
}
|
|
||||||
snprintf(msg, sizeof(msg),
|
|
||||||
"The authenticity of host '%.200s (%s)' can't be "
|
|
||||||
- "established%s\n"
|
|
||||||
- "%s key fingerprint is %s.%s%s\n%s"
|
|
||||||
+ "established%s\n", host, ip, msg1);
|
|
||||||
+ for (i = 0; i < (u_int) options.num_fingerprint_hash; i++) {
|
|
||||||
+ fp = sshkey_fingerprint(host_key,
|
|
||||||
+ options.fingerprint_hash[i], SSH_FP_DEFAULT);
|
|
||||||
+ ra = sshkey_fingerprint(host_key,
|
|
||||||
+ options.fingerprint_hash[i], SSH_FP_RANDOMART);
|
|
||||||
+ if (fp == NULL || ra == NULL)
|
|
||||||
+ fatal("%s: sshkey_fingerprint fail", __func__);
|
|
||||||
+ len = strlen(msg);
|
|
||||||
+ snprintf(msg+len, sizeof(msg)-len,
|
|
||||||
+ "%s key fingerprint is %s.%s%s\n%s",
|
|
||||||
+ type, fp,
|
|
||||||
+ options.visual_host_key ? "\n" : "",
|
|
||||||
+ options.visual_host_key ? ra : "",
|
|
||||||
+ msg2);
|
|
||||||
+ free(ra);
|
|
||||||
+ free(fp);
|
|
||||||
+ }
|
|
||||||
+ len = strlen(msg);
|
|
||||||
+ snprintf(msg+len, sizeof(msg)-len,
|
|
||||||
"Are you sure you want to continue connecting "
|
|
||||||
- "(yes/no)? ",
|
|
||||||
- host, ip, msg1, type, fp,
|
|
||||||
- options.visual_host_key ? "\n" : "",
|
|
||||||
- options.visual_host_key ? ra : "",
|
|
||||||
- msg2);
|
|
||||||
- free(ra);
|
|
||||||
- free(fp);
|
|
||||||
+ "(yes/no)? ");
|
|
||||||
if (!confirm(msg))
|
|
||||||
goto fail;
|
|
||||||
hostkey_trusted = 1; /* user explicitly confirmed */
|
|
||||||
@@ -1192,7 +1198,7 @@ verify_host_key(char *host, struct socka
|
|
||||||
struct sshkey *plain = NULL;
|
|
||||||
|
|
||||||
if ((fp = sshkey_fingerprint(host_key,
|
|
||||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
|
||||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
|
||||||
error("%s: fingerprint host key: %s", __func__, ssh_err(r));
|
|
||||||
r = -1;
|
|
||||||
goto out;
|
|
||||||
@@ -1200,7 +1206,7 @@ verify_host_key(char *host, struct socka
|
|
||||||
|
|
||||||
if (sshkey_is_cert(host_key)) {
|
|
||||||
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
|
|
||||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
|
||||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
|
||||||
error("%s: fingerprint CA key: %s",
|
|
||||||
__func__, ssh_err(r));
|
|
||||||
r = -1;
|
|
||||||
@@ -1369,9 +1375,9 @@ show_other_keys(struct hostkeys *hostkey
|
|
||||||
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
|
||||||
continue;
|
|
||||||
fp = sshkey_fingerprint(found->key,
|
|
||||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
|
||||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
|
||||||
ra = sshkey_fingerprint(found->key,
|
|
||||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
|
||||||
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
|
||||||
if (fp == NULL || ra == NULL)
|
|
||||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
|
||||||
logit("WARNING: %s key found for host %s\n"
|
|
||||||
@@ -1394,7 +1400,7 @@ warn_changed_key(struct sshkey *host_key
|
|
||||||
{
|
|
||||||
char *fp;
|
|
||||||
|
|
||||||
- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
|
|
||||||
+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash[0],
|
|
||||||
SSH_FP_DEFAULT);
|
|
||||||
if (fp == NULL)
|
|
||||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
|
||||||
diff -up openssh/ssh-keysign.c.fingerprint openssh/ssh-keysign.c
|
|
||||||
--- openssh/ssh-keysign.c.fingerprint 2017-09-25 01:48:10.000000000 +0200
|
|
||||||
+++ openssh/ssh-keysign.c 2017-09-26 15:21:22.622477943 +0200
|
|
||||||
@@ -285,7 +285,7 @@ main(int argc, char **argv)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (!found) {
|
|
||||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
|
||||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
|
||||||
SSH_FP_DEFAULT)) == NULL)
|
|
||||||
fatal("%s: sshkey_fingerprint failed", __progname);
|
|
||||||
fatal("no matching hostkey found for key %s %s",
|
|
|
@ -1,52 +0,0 @@
|
||||||
diff -up openssh-7.4p1/ssh_config.5.gss-docs openssh-7.4p1/ssh_config.5
|
|
||||||
--- openssh-7.4p1/ssh_config.5.gss-docs 2016-12-23 14:28:34.051714486 +0100
|
|
||||||
+++ openssh-7.4p1/ssh_config.5 2016-12-23 14:34:24.568522417 +0100
|
|
||||||
@@ -765,10 +765,19 @@ The default is
|
|
||||||
If set to
|
|
||||||
.Dq yes
|
|
||||||
then renewal of the client's GSSAPI credentials will force the rekeying of the
|
|
||||||
-ssh connection. With a compatible server, this can delegate the renewed
|
|
||||||
+ssh connection. With a compatible server, this will delegate the renewed
|
|
||||||
credentials to a session on the server.
|
|
||||||
+.Pp
|
|
||||||
+Checks are made to ensure that credentials are only propagated when the new
|
|
||||||
+credentials match the old ones on the originating client and where the
|
|
||||||
+receiving server still has the old set in its cache.
|
|
||||||
+.Pp
|
|
||||||
The default is
|
|
||||||
.Dq no .
|
|
||||||
+.Pp
|
|
||||||
+For this to work
|
|
||||||
+.Cm GSSAPIKeyExchange
|
|
||||||
+needs to be enabled in the server and also used by the client.
|
|
||||||
.It Cm GSSAPIServerIdentity
|
|
||||||
If set, specifies the GSSAPI server identity that ssh should expect when
|
|
||||||
connecting to the server. The default is unset, which means that the
|
|
||||||
@@ -776,9 +785,11 @@ expected GSSAPI server identity will be
|
|
||||||
hostname.
|
|
||||||
.It Cm GSSAPITrustDns
|
|
||||||
Set to
|
|
||||||
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
|
||||||
+.Dq yes
|
|
||||||
+to indicate that the DNS is trusted to securely canonicalize
|
|
||||||
the name of the host being connected to. If
|
|
||||||
-.Dq no, the hostname entered on the
|
|
||||||
+.Dq no ,
|
|
||||||
+the hostname entered on the
|
|
||||||
command line will be passed untouched to the GSSAPI library.
|
|
||||||
The default is
|
|
||||||
.Dq no .
|
|
||||||
diff -up openssh-7.4p1/sshd_config.5.gss-docs openssh-7.4p1/sshd_config.5
|
|
||||||
--- openssh-7.4p1/sshd_config.5.gss-docs 2016-12-23 14:28:34.043714490 +0100
|
|
||||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 14:28:34.051714486 +0100
|
|
||||||
@@ -652,6 +652,10 @@ Controls whether the user's GSSAPI crede
|
|
||||||
successful connection rekeying. This option can be used to accepted renewed
|
|
||||||
or updated credentials from a compatible client. The default is
|
|
||||||
.Dq no .
|
|
||||||
+.Pp
|
|
||||||
+For this to work
|
|
||||||
+.Cm GSSAPIKeyExchange
|
|
||||||
+needs to be enabled in the server and also used by the client.
|
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
|
||||||
as a comma-separated pattern list.
|
|
|
@ -1,20 +1,21 @@
|
||||||
diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
||||||
--- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100
|
--- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100
|
||||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100
|
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100
|
||||||
@@ -1107,4 +1107,48 @@ mm_audit_destroy_sensitive_data(const ch
|
@@ -1107,4 +1107,50 @@ mm_audit_destroy_sensitive_data(const ch
|
||||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
||||||
buffer_free(&m);
|
sshbuf_free(m);
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
+int mm_forward_audit_messages(int fdin)
|
+int mm_forward_audit_messages(int fdin)
|
||||||
+{
|
+{
|
||||||
+ u_char buf[4];
|
+ u_char buf[4];
|
||||||
+ u_int blen, msg_len;
|
+ u_int blen, msg_len;
|
||||||
+ Buffer m;
|
+ struct sshbuf *m;
|
||||||
+ int ret = 0;
|
+ int r, ret = 0;
|
||||||
+
|
+
|
||||||
+ debug3("%s: entering", __func__);
|
+ debug3("%s: entering", __func__);
|
||||||
+ buffer_init(&m);
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
|
+ fatal("%s: sshbuf_new failed", __func__);
|
||||||
+ do {
|
+ do {
|
||||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||||
+ if (blen == 0) /* closed pipe */
|
+ if (blen == 0) /* closed pipe */
|
||||||
|
@ -28,21 +29,22 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
||||||
+ msg_len = get_u32(buf);
|
+ msg_len = get_u32(buf);
|
||||||
+ if (msg_len > 256 * 1024)
|
+ if (msg_len > 256 * 1024)
|
||||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
||||||
+ buffer_clear(&m);
|
+ sshbuf_reset(m);
|
||||||
+ buffer_append_space(&m, msg_len);
|
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
||||||
+ if (atomicio(read, fdin, buffer_ptr(&m), msg_len) != msg_len) {
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||||
+ atomicio(vwrite, pmonitor->m_recvfd, buffer_ptr(&m), msg_len) != msg_len) {
|
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to write the message to the monitor", __func__);
|
+ error("%s: Failed to write the message to the monitor", __func__);
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+ } while (1);
|
+ } while (1);
|
||||||
+ buffer_free(&m);
|
+ sshbuf_free(m);
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+}
|
+}
|
||||||
+void mm_set_monitor_pipe(int fd)
|
+void mm_set_monitor_pipe(int fd)
|
||||||
|
@ -54,9 +56,9 @@ diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
|
||||||
--- openssh-7.4p1/monitor_wrap.h.audit-race 2016-12-23 16:35:52.694685771 +0100
|
--- openssh-7.4p1/monitor_wrap.h.audit-race 2016-12-23 16:35:52.694685771 +0100
|
||||||
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 16:35:52.698685772 +0100
|
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 16:35:52.698685772 +0100
|
||||||
@@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int);
|
@@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int);
|
||||||
void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
|
void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t);
|
||||||
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t);
|
||||||
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
|
||||||
+int mm_forward_audit_messages(int);
|
+int mm_forward_audit_messages(int);
|
||||||
+void mm_set_monitor_pipe(int);
|
+void mm_set_monitor_pipe(int);
|
||||||
#endif
|
#endif
|
||||||
|
@ -80,16 +82,16 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
+void child_destory_sensitive_data();
|
+void child_destory_sensitive_data(struct ssh *ssh);
|
||||||
+
|
+
|
||||||
#define USE_PIPES 1
|
#define USE_PIPES 1
|
||||||
/*
|
/*
|
||||||
* This is called to fork and execute a command when we have no tty. This
|
* This is called to fork and execute a command when we have no tty. This
|
||||||
@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
|
@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||||
cray_init_job(s->pw); /* set up cray jid and tmpdir */
|
close(err[0]);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
+ child_destory_sensitive_data();
|
+ child_destory_sensitive_data(ssh);
|
||||||
+
|
+
|
||||||
/* Do processing for the child (exec command etc). */
|
/* Do processing for the child (exec command etc). */
|
||||||
do_child(ssh, s, command);
|
do_child(ssh, s, command);
|
||||||
|
@ -99,15 +101,15 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||||
close(ttyfd);
|
close(ttyfd);
|
||||||
|
|
||||||
+ /* Do this early, so we will not block large MOTDs */
|
+ /* Do this early, so we will not block large MOTDs */
|
||||||
+ child_destory_sensitive_data();
|
+ child_destory_sensitive_data(ssh);
|
||||||
+
|
+
|
||||||
/* record login, etc. similar to login(1) */
|
/* record login, etc. similar to login(1) */
|
||||||
#ifdef _UNICOS
|
#ifndef HAVE_OSF_SIA
|
||||||
cray_init_job(s->pw); /* set up cray jid and tmpdir */
|
do_login(ssh, s, command);
|
||||||
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
|
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
|
||||||
}
|
}
|
||||||
if (s->command != NULL && s->ptyfd == -1)
|
if (s->command != NULL && s->ptyfd == -1)
|
||||||
s->command_handle = PRIVSEP(audit_run_command(s->command));
|
s->command_handle = PRIVSEP(audit_run_command(ssh, s->command));
|
||||||
+ if (pipe(paudit) < 0)
|
+ if (pipe(paudit) < 0)
|
||||||
+ fatal("pipe: %s", strerror(errno));
|
+ fatal("pipe: %s", strerror(errno));
|
||||||
#endif
|
#endif
|
||||||
|
@ -115,7 +117,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||||
ret = do_exec_pty(ssh, s, command);
|
ret = do_exec_pty(ssh, s, command);
|
||||||
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
|
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
|
||||||
*/
|
*/
|
||||||
buffer_clear(&loginmsg);
|
sshbuf_reset(loginmsg);
|
||||||
|
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ close(paudit[1]);
|
+ close(paudit[1]);
|
||||||
|
@ -135,11 +137,11 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1538,6 +1565,34 @@ child_close_fds(void)
|
@@ -1538,6 +1565,34 @@ child_close_fds(void)
|
||||||
endpwent();
|
log_redirect_stderr_to(NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
+void
|
+void
|
||||||
+child_destory_sensitive_data()
|
+child_destory_sensitive_data(struct ssh *ssh)
|
||||||
+{
|
+{
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ int pparent = paudit[1];
|
+ int pparent = paudit[1];
|
||||||
|
@ -150,15 +152,15 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
+ /* remove hostkey from the child's memory */
|
+ /* remove hostkey from the child's memory */
|
||||||
+ destroy_sensitive_data(use_privsep);
|
+ destroy_sensitive_data(ssh, use_privsep);
|
||||||
+ /*
|
+ /*
|
||||||
+ * We can audit this, because we hacked the pipe to direct the
|
+ * We can audit this, because we hacked the pipe to direct the
|
||||||
+ * messages over postauth child. But this message requires answer
|
+ * messages over postauth child. But this message requires answer
|
||||||
+ * which we can't do using one-way pipe.
|
+ * which we can't do using one-way pipe.
|
||||||
+ */
|
+ */
|
||||||
+ packet_destroy_all(0, 1);
|
+ packet_destroy_all(ssh, 0, 1);
|
||||||
+ /* XXX this will clean the rest but should not audit anymore */
|
+ /* XXX this will clean the rest but should not audit anymore */
|
||||||
+ /* packet_clear_keys(); */
|
+ /* packet_clear_keys(ssh); */
|
||||||
+
|
+
|
||||||
+#ifdef SSH_AUDIT_EVENTS
|
+#ifdef SSH_AUDIT_EVENTS
|
||||||
+ /* Notify parent that we are done */
|
+ /* Notify parent that we are done */
|
||||||
|
@ -170,15 +172,15 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||||
* Performs common processing for the child, such as setting up the
|
* Performs common processing for the child, such as setting up the
|
||||||
* environment, closing extra file descriptors, setting the user and group
|
* environment, closing extra file descriptors, setting the user and group
|
||||||
@@ -1554,13 +1608,6 @@ do_child(Session *s, const char *command
|
@@ -1554,13 +1608,6 @@ do_child(Session *s, const char *command
|
||||||
struct passwd *pw = s->pw;
|
|
||||||
int r = 0;
|
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||||
|
|
||||||
- /* remove hostkey from the child's memory */
|
- /* remove hostkey from the child's memory */
|
||||||
- destroy_sensitive_data(1);
|
- destroy_sensitive_data(ssh, 1);
|
||||||
- packet_clear_keys();
|
- ssh_packet_clear_keys(ssh);
|
||||||
- /* Don't audit this - both us and the parent would be talking to the
|
- /* Don't audit this - both us and the parent would be talking to the
|
||||||
- monitor over a single socket, with no synchronization. */
|
- monitor over a single socket, with no synchronization. */
|
||||||
- packet_destroy_all(0, 1);
|
- packet_destroy_all(ssh, 0, 1);
|
||||||
-
|
-
|
||||||
/* Force a password change */
|
/* Force a password change */
|
||||||
if (s->authctxt->force_pwchange) {
|
if (s->authctxt->force_pwchange) {
|
||||||
|
|
|
@ -1,707 +0,0 @@
|
||||||
diff -up openssh-7.5p1/cipher.c.fips openssh-7.5p1/cipher.c
|
|
||||||
--- openssh-7.5p1/cipher.c.fips 2017-06-30 12:06:36.455713788 +0200
|
|
||||||
+++ openssh-7.5p1/cipher.c 2017-06-30 12:06:36.465713761 +0200
|
|
||||||
@@ -39,6 +39,8 @@
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+
|
|
||||||
#include <string.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
@@ -116,6 +118,27 @@ static const struct sshcipher ciphers[]
|
|
||||||
{ NULL, 0, 0, 0, 0, 0, NULL }
|
|
||||||
};
|
|
||||||
|
|
||||||
+static const struct sshcipher fips_ciphers[] = {
|
|
||||||
+#ifdef WITH_OPENSSL
|
|
||||||
+ { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
|
|
||||||
+ { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
|
|
||||||
+ { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
|
|
||||||
+ { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
|
|
||||||
+ { "rijndael-cbc@lysator.liu.se",
|
|
||||||
+ 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
|
|
||||||
+ { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
|
|
||||||
+ { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
|
|
||||||
+ { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
|
|
||||||
+#else
|
|
||||||
+ { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
|
|
||||||
+ { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
|
|
||||||
+ { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL },
|
|
||||||
+#endif
|
|
||||||
+ { "none", 8, 0, 0, 0, CFLAG_NONE, NULL },
|
|
||||||
+
|
|
||||||
+ { NULL, 0, 0, 0, 0, 0, NULL }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/*--*/
|
|
||||||
|
|
||||||
/* Returns a comma-separated list of supported ciphers. */
|
|
||||||
@@ -126,7 +142,7 @@ cipher_alg_list(char sep, int auth_only)
|
|
||||||
size_t nlen, rlen = 0;
|
|
||||||
const struct sshcipher *c;
|
|
||||||
|
|
||||||
- for (c = ciphers; c->name != NULL; c++) {
|
|
||||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
|
|
||||||
if ((c->flags & CFLAG_INTERNAL) != 0)
|
|
||||||
continue;
|
|
||||||
if (auth_only && c->auth_len == 0)
|
|
||||||
@@ -222,7 +238,7 @@ const struct sshcipher *
|
|
||||||
cipher_by_name(const char *name)
|
|
||||||
{
|
|
||||||
const struct sshcipher *c;
|
|
||||||
- for (c = ciphers; c->name != NULL; c++)
|
|
||||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
|
||||||
if (strcmp(c->name, name) == 0)
|
|
||||||
return c;
|
|
||||||
return NULL;
|
|
||||||
diff -up openssh-7.5p1/cipher-ctr.c.fips openssh-7.5p1/cipher-ctr.c
|
|
||||||
--- openssh-7.5p1/cipher-ctr.c.fips 2017-06-30 12:06:36.386713974 +0200
|
|
||||||
+++ openssh-7.5p1/cipher-ctr.c 2017-06-30 12:06:36.465713761 +0200
|
|
||||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
|
||||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
|
||||||
#ifndef SSH_OLD_EVP
|
|
||||||
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
|
||||||
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
|
||||||
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
|
|
||||||
+ EVP_CIPH_FLAG_FIPS;
|
|
||||||
#endif
|
|
||||||
return (&aes_ctr);
|
|
||||||
}
|
|
||||||
diff -up openssh-7.5p1/clientloop.c.fips openssh-7.5p1/clientloop.c
|
|
||||||
--- openssh-7.5p1/clientloop.c.fips 2017-06-30 12:06:36.466713758 +0200
|
|
||||||
+++ openssh-7.5p1/clientloop.c 2017-06-30 12:09:11.503295871 +0200
|
|
||||||
@@ -2412,7 +2412,8 @@ key_accepted_by_hostkeyalgs(const struct
|
|
||||||
{
|
|
||||||
const char *ktype = sshkey_ssh_name(key);
|
|
||||||
const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?
|
|
||||||
- options.hostkeyalgorithms : KEX_DEFAULT_PK_ALG;
|
|
||||||
+ options.hostkeyalgorithms : (FIPS_mode() ?
|
|
||||||
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG);
|
|
||||||
|
|
||||||
if (key == NULL || key->type == KEY_UNSPEC)
|
|
||||||
return 0;
|
|
||||||
diff -up openssh-7.5p1/dh.h.fips openssh-7.5p1/dh.h
|
|
||||||
--- openssh-7.5p1/dh.h.fips 2017-03-20 03:39:27.000000000 +0100
|
|
||||||
+++ openssh-7.5p1/dh.h 2017-06-30 12:06:36.466713758 +0200
|
|
||||||
@@ -51,6 +51,7 @@ u_int dh_estimate(int);
|
|
||||||
* Miniumum increased in light of DH precomputation attacks.
|
|
||||||
*/
|
|
||||||
#define DH_GRP_MIN 2048
|
|
||||||
+#define DH_GRP_MIN_FIPS 2048
|
|
||||||
#define DH_GRP_MAX 8192
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff -up openssh-7.5p1/entropy.c.fips openssh-7.5p1/entropy.c
|
|
||||||
--- openssh-7.5p1/entropy.c.fips 2017-06-30 12:06:36.377713998 +0200
|
|
||||||
+++ openssh-7.5p1/entropy.c 2017-06-30 12:06:36.466713758 +0200
|
|
||||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
|
||||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
|
||||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
|
||||||
|
|
||||||
+ /* clean the PRNG status when exiting the program */
|
|
||||||
+ atexit(RAND_cleanup);
|
|
||||||
+
|
|
||||||
#ifndef OPENSSL_PRNG_ONLY
|
|
||||||
if (RAND_status() == 1) {
|
|
||||||
debug3("RNG is ready, skipping seeding");
|
|
||||||
diff -up openssh-7.5p1/kex.c.fips openssh-7.5p1/kex.c
|
|
||||||
--- openssh-7.5p1/kex.c.fips 2017-06-30 12:06:36.455713788 +0200
|
|
||||||
+++ openssh-7.5p1/kex.c 2017-06-30 12:06:36.466713758 +0200
|
|
||||||
@@ -35,6 +35,7 @@
|
|
||||||
#ifdef WITH_OPENSSL
|
|
||||||
#include <openssl/crypto.h>
|
|
||||||
#include <openssl/dh.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include "ssh2.h"
|
|
||||||
@@ -125,6 +126,26 @@ static const struct kexalg kexalgs[] = {
|
|
||||||
{ NULL, -1, -1, -1},
|
|
||||||
};
|
|
||||||
|
|
||||||
+static const struct kexalg kexalgs_fips[] = {
|
|
||||||
+ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
|
|
||||||
+ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
|
|
||||||
+ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
|
|
||||||
+#ifdef HAVE_EVP_SHA256
|
|
||||||
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
|
|
||||||
+#endif
|
|
||||||
+#ifdef OPENSSL_HAS_ECC
|
|
||||||
+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
|
|
||||||
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
|
|
||||||
+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
|
|
||||||
+ SSH_DIGEST_SHA384 },
|
|
||||||
+# ifdef OPENSSL_HAS_NISTP521
|
|
||||||
+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
|
|
||||||
+ SSH_DIGEST_SHA512 },
|
|
||||||
+# endif
|
|
||||||
+#endif
|
|
||||||
+ { NULL, -1, -1, -1},
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
char *
|
|
||||||
kex_alg_list(char sep)
|
|
||||||
{
|
|
||||||
@@ -152,7 +173,7 @@ kex_alg_by_name(const char *name)
|
|
||||||
{
|
|
||||||
const struct kexalg *k;
|
|
||||||
|
|
||||||
- for (k = kexalgs; k->name != NULL; k++) {
|
|
||||||
+ for (k = (FIPS_mode() ? kexalgs_fips : kexalgs); k->name != NULL; k++) {
|
|
||||||
if (strcmp(k->name, name) == 0)
|
|
||||||
return k;
|
|
||||||
#ifdef GSSAPI
|
|
||||||
@@ -178,7 +199,10 @@ kex_names_valid(const char *names)
|
|
||||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
|
||||||
(p = strsep(&cp, ","))) {
|
|
||||||
if (kex_alg_by_name(p) == NULL) {
|
|
||||||
- error("Unsupported KEX algorithm \"%.100s\"", p);
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ error("\"%.100s\" is not allowed in FIPS mode", p);
|
|
||||||
+ else
|
|
||||||
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
|
||||||
free(s);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
diff -up openssh-7.5p1/kexgexc.c.fips openssh-7.5p1/kexgexc.c
|
|
||||||
--- openssh-7.5p1/kexgexc.c.fips 2017-03-20 03:39:27.000000000 +0100
|
|
||||||
+++ openssh-7.5p1/kexgexc.c 2017-06-30 12:06:36.467713756 +0200
|
|
||||||
@@ -28,6 +28,7 @@
|
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
|
||||||
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
#include <sys/types.h>
|
|
||||||
|
|
||||||
#include <openssl/dh.h>
|
|
||||||
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
|
|
||||||
|
|
||||||
nbits = dh_estimate(kex->dh_need * 8);
|
|
||||||
|
|
||||||
- kex->min = DH_GRP_MIN;
|
|
||||||
+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
|
||||||
kex->max = DH_GRP_MAX;
|
|
||||||
kex->nbits = nbits;
|
|
||||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
|
||||||
diff -up openssh-7.5p1/kexgexs.c.fips openssh-7.5p1/kexgexs.c
|
|
||||||
--- openssh-7.5p1/kexgexs.c.fips 2017-03-20 03:39:27.000000000 +0100
|
|
||||||
+++ openssh-7.5p1/kexgexs.c 2017-06-30 12:06:36.467713756 +0200
|
|
||||||
@@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int
|
|
||||||
kex->nbits = nbits;
|
|
||||||
kex->min = min;
|
|
||||||
kex->max = max;
|
|
||||||
- min = MAXIMUM(DH_GRP_MIN, min);
|
|
||||||
+ min = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
|
|
||||||
max = MINIMUM(DH_GRP_MAX, max);
|
|
||||||
- nbits = MAXIMUM(DH_GRP_MIN, nbits);
|
|
||||||
+ nbits = MAXIMUM(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
|
|
||||||
nbits = MINIMUM(DH_GRP_MAX, nbits);
|
|
||||||
|
|
||||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
|
||||||
diff -up openssh-7.5p1/mac.c.fips openssh-7.5p1/mac.c
|
|
||||||
--- openssh-7.5p1/mac.c.fips 2017-06-30 12:06:36.456713785 +0200
|
|
||||||
+++ openssh-7.5p1/mac.c 2017-06-30 12:06:36.467713756 +0200
|
|
||||||
@@ -27,6 +27,8 @@
|
|
||||||
|
|
||||||
#include <sys/types.h>
|
|
||||||
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+
|
|
||||||
#include <string.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
|
|
||||||
@@ -54,7 +56,7 @@ struct macalg {
|
|
||||||
int etm; /* Encrypt-then-MAC */
|
|
||||||
};
|
|
||||||
|
|
||||||
-static const struct macalg macs[] = {
|
|
||||||
+static const struct macalg all_macs[] = {
|
|
||||||
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
|
||||||
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
|
||||||
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
|
|
||||||
@@ -89,6 +91,24 @@ static const struct macalg macs[] = {
|
|
||||||
{ NULL, 0, 0, 0, 0, 0, 0 }
|
|
||||||
};
|
|
||||||
|
|
||||||
+static const struct macalg fips_macs[] = {
|
|
||||||
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
|
||||||
+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
|
||||||
+#ifdef HAVE_EVP_SHA256
|
|
||||||
+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
|
|
||||||
+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ /* Encrypt-then-MAC variants */
|
|
||||||
+ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
|
|
||||||
+#ifdef HAVE_EVP_SHA256
|
|
||||||
+ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
|
|
||||||
+ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+ { NULL, 0, 0, 0, 0, 0, 0 }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
/* Returns a list of supported MACs separated by the specified char. */
|
|
||||||
char *
|
|
||||||
mac_alg_list(char sep)
|
|
||||||
@@ -97,7 +117,7 @@ mac_alg_list(char sep)
|
|
||||||
size_t nlen, rlen = 0;
|
|
||||||
const struct macalg *m;
|
|
||||||
|
|
||||||
- for (m = macs; m->name != NULL; m++) {
|
|
||||||
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
|
|
||||||
if (ret != NULL)
|
|
||||||
ret[rlen++] = sep;
|
|
||||||
nlen = strlen(m->name);
|
|
||||||
@@ -136,7 +156,7 @@ mac_setup(struct sshmac *mac, char *name
|
|
||||||
{
|
|
||||||
const struct macalg *m;
|
|
||||||
|
|
||||||
- for (m = macs; m->name != NULL; m++) {
|
|
||||||
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
|
|
||||||
if (strcmp(name, m->name) != 0)
|
|
||||||
continue;
|
|
||||||
if (mac != NULL)
|
|
||||||
diff -up openssh-7.5p1/Makefile.in.fips openssh-7.5p1/Makefile.in
|
|
||||||
--- openssh-7.5p1/Makefile.in.fips 2017-06-30 12:06:36.456713785 +0200
|
|
||||||
+++ openssh-7.5p1/Makefile.in 2017-06-30 12:06:36.467713756 +0200
|
|
||||||
@@ -169,25 +169,25 @@ libssh.a: $(LIBSSH_OBJS)
|
|
||||||
$(RANLIB) $@
|
|
||||||
|
|
||||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
|
||||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
|
||||||
|
|
||||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
|
||||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
|
||||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
|
||||||
|
|
||||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
|
||||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
|
||||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
|
||||||
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
|
|
||||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
|
|
||||||
- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
|
||||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
@@ -205,7 +205,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
|
||||||
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
|
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
|
||||||
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
|
||||||
|
|
||||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
|
||||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
diff -up openssh-7.5p1/myproposal.h.fips openssh-7.5p1/myproposal.h
|
|
||||||
--- openssh-7.5p1/myproposal.h.fips 2017-03-20 03:39:27.000000000 +0100
|
|
||||||
+++ openssh-7.5p1/myproposal.h 2017-06-30 12:10:21.953116208 +0200
|
|
||||||
@@ -114,6 +114,14 @@
|
|
||||||
"rsa-sha2-256," \
|
|
||||||
"ssh-rsa"
|
|
||||||
|
|
||||||
+#define KEX_FIPS_PK_ALG \
|
|
||||||
+ HOSTKEY_ECDSA_CERT_METHODS \
|
|
||||||
+ "ssh-rsa-cert-v01@openssh.com," \
|
|
||||||
+ HOSTKEY_ECDSA_METHODS \
|
|
||||||
+ "rsa-sha2-512," \
|
|
||||||
+ "rsa-sha2-256," \
|
|
||||||
+ "ssh-rsa"
|
|
||||||
+
|
|
||||||
/* the actual algorithms */
|
|
||||||
|
|
||||||
#define KEX_SERVER_ENCRYPT \
|
|
||||||
@@ -138,6 +146,37 @@
|
|
||||||
|
|
||||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
|
||||||
|
|
||||||
+#define KEX_FIPS_ENCRYPT \
|
|
||||||
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
|
||||||
+ "aes128-cbc,3des-cbc," \
|
|
||||||
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
|
|
||||||
+#ifdef HAVE_EVP_SHA256
|
|
||||||
+# define KEX_DEFAULT_KEX_FIPS \
|
|
||||||
+ KEX_ECDH_METHODS \
|
|
||||||
+ KEX_SHA2_METHODS \
|
|
||||||
+ "diffie-hellman-group14-sha256"
|
|
||||||
+# define KEX_FIPS_MAC \
|
|
||||||
+ "hmac-sha1," \
|
|
||||||
+ "hmac-sha2-256," \
|
|
||||||
+ "hmac-sha2-512," \
|
|
||||||
+ "hmac-sha1-etm@openssh.com," \
|
|
||||||
+ "hmac-sha2-256-etm@openssh.com," \
|
|
||||||
+ "hmac-sha2-512-etm@openssh.com"
|
|
||||||
+#else
|
|
||||||
+# ifdef OPENSSL_HAS_NISTP521
|
|
||||||
+# define KEX_DEFAULT_KEX_FIPS \
|
|
||||||
+ "ecdh-sha2-nistp256," \
|
|
||||||
+ "ecdh-sha2-nistp384," \
|
|
||||||
+ "ecdh-sha2-nistp521"
|
|
||||||
+# else
|
|
||||||
+# define KEX_DEFAULT_KEX_FIPS \
|
|
||||||
+ "ecdh-sha2-nistp256," \
|
|
||||||
+ "ecdh-sha2-nistp384"
|
|
||||||
+# endif
|
|
||||||
+#define KEX_FIPS_MAC \
|
|
||||||
+ "hmac-sha1"
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
#else /* WITH_OPENSSL */
|
|
||||||
|
|
||||||
#define KEX_SERVER_KEX \
|
|
||||||
diff -up openssh-7.5p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.fips openssh-7.5p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
|
||||||
--- openssh-7.5p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.fips 2017-06-30 12:06:36.340714098 +0200
|
|
||||||
+++ openssh-7.5p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-06-30 12:06:36.467713756 +0200
|
|
||||||
@@ -55,6 +55,7 @@
|
|
||||||
#include "secure_filename.h"
|
|
||||||
#include "uidswap.h"
|
|
||||||
#include <unistd.h>
|
|
||||||
+#include <openssl/crypto.h>
|
|
||||||
|
|
||||||
#include "identity.h"
|
|
||||||
|
|
||||||
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
||||||
found_key = 1;
|
|
||||||
logit("matching key found: file/command %s, line %lu", file,
|
|
||||||
linenum);
|
|
||||||
- fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
|
||||||
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
|
|
||||||
+ SSH_FP_HEX);
|
|
||||||
logit("Found matching %s key: %s",
|
|
||||||
sshkey_type(found), fp);
|
|
||||||
free(fp);
|
|
||||||
diff -up openssh-7.5p1/readconf.c.fips openssh-7.5p1/readconf.c
|
|
||||||
--- openssh-7.5p1/readconf.c.fips 2017-06-30 12:06:36.468713753 +0200
|
|
||||||
+++ openssh-7.5p1/readconf.c 2017-06-30 12:12:40.560769198 +0200
|
|
||||||
@@ -2132,12 +2132,17 @@ fill_default_options(Options * options)
|
|
||||||
}
|
|
||||||
if (options->update_hostkeys == -1)
|
|
||||||
options->update_hostkeys = 0;
|
|
||||||
- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
|
||||||
- kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
|
|
||||||
- kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
|
|
||||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
|
||||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
|
|
||||||
+ : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||
|
|
||||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
|
|
||||||
+ : KEX_CLIENT_MAC), &options->macs) != 0 ||
|
|
||||||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
|
|
||||||
+ : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 ||
|
|
||||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
|
||||||
+ : KEX_DEFAULT_PK_ALG),
|
|
||||||
&options->hostbased_key_types) != 0 ||
|
|
||||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
|
||||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
|
||||||
+ : KEX_DEFAULT_PK_ALG),
|
|
||||||
&options->pubkey_key_types) != 0)
|
|
||||||
fatal("%s: kex_assemble_names failed", __func__);
|
|
||||||
|
|
||||||
diff -up openssh-7.5p1/sandbox-seccomp-filter.c.fips openssh-7.5p1/sandbox-seccomp-filter.c
|
|
||||||
--- openssh-7.5p1/sandbox-seccomp-filter.c.fips 2017-06-30 12:06:36.458713780 +0200
|
|
||||||
+++ openssh-7.5p1/sandbox-seccomp-filter.c 2017-06-30 12:06:36.468713753 +0200
|
|
||||||
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_
|
|
||||||
#ifdef __NR_open
|
|
||||||
SC_DENY(__NR_open, EACCES),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_socket
|
|
||||||
+ SC_DENY(__NR_socket, EACCES),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR_openat
|
|
||||||
SC_DENY(__NR_openat, EACCES),
|
|
||||||
#endif
|
|
||||||
diff -up openssh-7.5p1/servconf.c.fips openssh-7.5p1/servconf.c
|
|
||||||
--- openssh-7.5p1/servconf.c.fips 2017-06-30 12:06:36.468713753 +0200
|
|
||||||
+++ openssh-7.5p1/servconf.c 2017-06-30 12:14:09.260547133 +0200
|
|
||||||
@@ -185,14 +185,20 @@ option_clear_or_none(const char *o)
|
|
||||||
static void
|
|
||||||
assemble_algorithms(ServerOptions *o)
|
|
||||||
{
|
|
||||||
- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
|
|
||||||
- kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
|
|
||||||
- kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
|
|
||||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
|
||||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
|
|
||||||
+ : KEX_SERVER_ENCRYPT), &o->ciphers) != 0 ||
|
|
||||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
|
|
||||||
+ : KEX_SERVER_MAC), &o->macs) != 0 ||
|
|
||||||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
|
|
||||||
+ : KEX_SERVER_KEX), &o->kex_algorithms) != 0 ||
|
|
||||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
|
||||||
+ : KEX_DEFAULT_PK_ALG),
|
|
||||||
&o->hostkeyalgorithms) != 0 ||
|
|
||||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
|
||||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
|
||||||
+ : KEX_DEFAULT_PK_ALG),
|
|
||||||
&o->hostbased_key_types) != 0 ||
|
|
||||||
- kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->pubkey_key_types) != 0)
|
|
||||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
|
||||||
+ : KEX_DEFAULT_PK_ALG), &o->pubkey_key_types) != 0)
|
|
||||||
fatal("kex_assemble_names failed");
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssh-7.5p1/ssh.c.fips openssh-7.5p1/ssh.c
|
|
||||||
--- openssh-7.5p1/ssh.c.fips 2017-03-20 03:39:27.000000000 +0100
|
|
||||||
+++ openssh-7.5p1/ssh.c 2017-06-30 12:06:36.469713750 +0200
|
|
||||||
@@ -76,6 +76,8 @@
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#endif
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+#include <fipscheck.h>
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
|
|
||||||
@@ -530,6 +532,14 @@ main(int ac, char **av)
|
|
||||||
sanitise_stdfd();
|
|
||||||
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
|
||||||
+ SSLeay_add_all_algorithms();
|
|
||||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
|
||||||
+ if (! FIPSCHECK_verify(NULL, NULL)){
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ fatal("FIPS integrity verification test failed.");
|
|
||||||
+ else
|
|
||||||
+ logit("FIPS integrity verification test failed.");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
#ifndef HAVE_SETPROCTITLE
|
|
||||||
/* Prepare for later setproctitle emulation */
|
|
||||||
@@ -964,7 +977,6 @@ main(int ac, char **av)
|
|
||||||
host_arg = xstrdup(host);
|
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
|
||||||
- OpenSSL_add_all_algorithms();
|
|
||||||
ERR_load_crypto_strings();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -1175,6 +1187,10 @@ main(int ac, char **av)
|
|
||||||
|
|
||||||
seed_rng();
|
|
||||||
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ logit("FIPS mode initialized");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (options.user == NULL)
|
|
||||||
options.user = xstrdup(pw->pw_name);
|
|
||||||
|
|
||||||
diff -up openssh-7.5p1/sshconnect2.c.fips openssh-7.5p1/sshconnect2.c
|
|
||||||
--- openssh-7.5p1/sshconnect2.c.fips 2017-06-30 12:06:36.439713831 +0200
|
|
||||||
+++ openssh-7.5p1/sshconnect2.c 2017-06-30 12:06:36.469713750 +0200
|
|
||||||
@@ -44,6 +44,8 @@
|
|
||||||
#include <vis.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+
|
|
||||||
#include "openbsd-compat/sys-queue.h"
|
|
||||||
|
|
||||||
#include "xmalloc.h"
|
|
||||||
@@ -117,7 +119,8 @@ order_hostkeyalgs(char *host, struct soc
|
|
||||||
for (i = 0; i < options.num_system_hostfiles; i++)
|
|
||||||
load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
|
|
||||||
|
|
||||||
- oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
|
|
||||||
+ oavail = avail = xstrdup((FIPS_mode()
|
|
||||||
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
|
||||||
maxlen = strlen(avail) + 1;
|
|
||||||
first = xmalloc(maxlen);
|
|
||||||
last = xmalloc(maxlen);
|
|
||||||
@@ -172,21 +175,26 @@ ssh_kex2(char *host, struct sockaddr *ho
|
|
||||||
|
|
||||||
#ifdef GSSAPI
|
|
||||||
if (options.gss_keyex) {
|
|
||||||
- /* Add the GSSAPI mechanisms currently supported on this
|
|
||||||
- * client to the key exchange algorithm proposal */
|
|
||||||
- orig = options.kex_algorithms;
|
|
||||||
-
|
|
||||||
- if (options.gss_trust_dns)
|
|
||||||
- gss_host = (char *)get_canonical_hostname(active_state, 1);
|
|
||||||
- else
|
|
||||||
- gss_host = host;
|
|
||||||
-
|
|
||||||
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
|
||||||
- options.gss_client_identity, options.gss_kex_algorithms);
|
|
||||||
- if (gss) {
|
|
||||||
- debug("Offering GSSAPI proposal: %s", gss);
|
|
||||||
- xasprintf(&options.kex_algorithms,
|
|
||||||
- "%s,%s", gss, orig);
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
|
||||||
+ options.gss_keyex = 0;
|
|
||||||
+ } else {
|
|
||||||
+ /* Add the GSSAPI mechanisms currently supported on this
|
|
||||||
+ * client to the key exchange algorithm proposal */
|
|
||||||
+ orig = options.kex_algorithms;
|
|
||||||
+
|
|
||||||
+ if (options.gss_trust_dns)
|
|
||||||
+ gss_host = (char *)get_canonical_hostname(active_state, 1);
|
|
||||||
+ else
|
|
||||||
+ gss_host = host;
|
|
||||||
+
|
|
||||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
|
||||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
|
||||||
+ if (gss) {
|
|
||||||
+ debug("Offering GSSAPI proposal: %s", gss);
|
|
||||||
+ xasprintf(&options.kex_algorithms,
|
|
||||||
+ "%s,%s", gss, orig);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
@@ -204,14 +212,16 @@ ssh_kex2(char *host, struct sockaddr *ho
|
|
||||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
|
||||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
|
||||||
if (options.hostkeyalgorithms != NULL) {
|
|
||||||
- if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
|
||||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_PK_ALG
|
|
||||||
+ : KEX_DEFAULT_PK_ALG),
|
|
||||||
&options.hostkeyalgorithms) != 0)
|
|
||||||
fatal("%s: kex_assemble_namelist", __func__);
|
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
|
||||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
|
||||||
} else {
|
|
||||||
/* Enforce default */
|
|
||||||
- options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
|
|
||||||
+ options.hostkeyalgorithms = xstrdup((FIPS_mode()
|
|
||||||
+ ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG));
|
|
||||||
/* Prefer algorithms that we already have keys for */
|
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
|
||||||
compat_pkalg_proposal(
|
|
||||||
diff -up openssh-7.5p1/sshd.c.fips openssh-7.5p1/sshd.c
|
|
||||||
--- openssh-7.5p1/sshd.c.fips 2017-06-30 12:06:36.459713777 +0200
|
|
||||||
+++ openssh-7.5p1/sshd.c 2017-06-30 12:06:36.469713750 +0200
|
|
||||||
@@ -66,6 +66,7 @@
|
|
||||||
#include <grp.h>
|
|
||||||
#include <pwd.h>
|
|
||||||
#include <signal.h>
|
|
||||||
+#include <syslog.h>
|
|
||||||
#include <stdarg.h>
|
|
||||||
#include <stdio.h>
|
|
||||||
#include <stdlib.h>
|
|
||||||
@@ -77,6 +78,8 @@
|
|
||||||
#include <openssl/dh.h>
|
|
||||||
#include <openssl/bn.h>
|
|
||||||
#include <openssl/rand.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
+#include <fipscheck.h>
|
|
||||||
#include "openbsd-compat/openssl-compat.h"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -1484,6 +1487,18 @@ main(int ac, char **av)
|
|
||||||
#endif
|
|
||||||
__progname = ssh_get_progname(av[0]);
|
|
||||||
|
|
||||||
+ SSLeay_add_all_algorithms();
|
|
||||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
|
||||||
+ if (! FIPSCHECK_verify(NULL, NULL)) {
|
|
||||||
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ syslog(LOG_CRIT, "FIPS integrity verification test failed.");
|
|
||||||
+ cleanup_exit(255);
|
|
||||||
+ }
|
|
||||||
+ else
|
|
||||||
+ syslog(LOG_INFO, "FIPS integrity verification test failed.");
|
|
||||||
+ closelog();
|
|
||||||
+ }
|
|
||||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
|
||||||
saved_argc = ac;
|
|
||||||
rexec_argc = ac;
|
|
||||||
@@ -1632,7 +1647,7 @@ main(int ac, char **av)
|
|
||||||
else
|
|
||||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
|
||||||
|
|
||||||
-#ifdef WITH_OPENSSL
|
|
||||||
+#if 0 /* FIPS */
|
|
||||||
OpenSSL_add_all_algorithms();
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -1951,6 +1966,10 @@ main(int ac, char **av)
|
|
||||||
/* Reinitialize the log (because of the fork above). */
|
|
||||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
|
||||||
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ logit("FIPS mode initialized");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Chdir to the root directory so that the current disk can be
|
|
||||||
unmounted if desired. */
|
|
||||||
if (chdir("/") == -1)
|
|
||||||
@@ -2328,10 +2347,14 @@ do_ssh2_kex(void)
|
|
||||||
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
|
||||||
orig = NULL;
|
|
||||||
|
|
||||||
- if (options.gss_keyex)
|
|
||||||
- gss = ssh_gssapi_server_mechanisms();
|
|
||||||
- else
|
|
||||||
- gss = NULL;
|
|
||||||
+ if (options.gss_keyex) {
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
|
||||||
+ options.gss_keyex = 0;
|
|
||||||
+ } else {
|
|
||||||
+ gss = ssh_gssapi_server_mechanisms();
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (gss && orig)
|
|
||||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
|
||||||
diff -up openssh-7.5p1/sshkey.c.fips openssh-7.5p1/sshkey.c
|
|
||||||
--- openssh-7.5p1/sshkey.c.fips 2017-06-30 12:06:36.459713777 +0200
|
|
||||||
+++ openssh-7.5p1/sshkey.c 2017-06-30 12:06:36.470713747 +0200
|
|
||||||
@@ -34,6 +34,7 @@
|
|
||||||
#include <openssl/evp.h>
|
|
||||||
#include <openssl/err.h>
|
|
||||||
#include <openssl/pem.h>
|
|
||||||
+#include <openssl/fips.h>
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#include "crypto_api.h"
|
|
||||||
@@ -58,6 +59,7 @@
|
|
||||||
#define SSHKEY_INTERNAL
|
|
||||||
#include "sshkey.h"
|
|
||||||
#include "match.h"
|
|
||||||
+#include "log.h"
|
|
||||||
|
|
||||||
/* openssh private key file format */
|
|
||||||
#define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n"
|
|
||||||
@@ -1587,6 +1589,8 @@ rsa_generate_private_key(u_int bits, RSA
|
|
||||||
}
|
|
||||||
if (!BN_set_word(f4, RSA_F4) ||
|
|
||||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
|
||||||
+ if (FIPS_mode())
|
|
||||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
diff -up openssh-7.5p1/ssh-keygen.c.fips openssh-7.5p1/ssh-keygen.c
|
|
||||||
--- openssh-7.5p1/ssh-keygen.c.fips 2017-03-20 03:39:27.000000000 +0100
|
|
||||||
+++ openssh-7.5p1/ssh-keygen.c 2017-06-30 12:06:36.470713747 +0200
|
|
||||||
@@ -217,6 +217,12 @@ type_bits_valid(int type, const char *na
|
|
||||||
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
|
|
||||||
if (*bitsp > maxbits)
|
|
||||||
fatal("key bits exceeds maximum %d", maxbits);
|
|
||||||
+ if (FIPS_mode()) {
|
|
||||||
+ if (type == KEY_DSA)
|
|
||||||
+ fatal("DSA keys are not allowed in FIPS mode");
|
|
||||||
+ if (type == KEY_ED25519)
|
|
||||||
+ fatal("ED25519 keys are not allowed in FIPS mode");
|
|
||||||
+ }
|
|
||||||
switch (type) {
|
|
||||||
case KEY_DSA:
|
|
||||||
if (*bitsp != 1024)
|
|
File diff suppressed because it is too large
Load Diff
|
@ -2,10 +2,11 @@ diff --git a/auth-krb5.c b/auth-krb5.c
|
||||||
index 2b02a04..19b9364 100644
|
index 2b02a04..19b9364 100644
|
||||||
--- a/auth-krb5.c
|
--- a/auth-krb5.c
|
||||||
+++ b/auth-krb5.c
|
+++ b/auth-krb5.c
|
||||||
@@ -375,6 +375,22 @@ cleanup:
|
@@ -375,5 +375,21 @@ cleanup:
|
||||||
return -1;
|
return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
+/*
|
+/*
|
||||||
+ * Reads k5login_directory option from the krb5.conf
|
+ * Reads k5login_directory option from the krb5.conf
|
||||||
+ */
|
+ */
|
||||||
|
@ -21,22 +22,21 @@ index 2b02a04..19b9364 100644
|
||||||
+ return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
|
+ return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
|
||||||
+ k5login_directory);
|
+ k5login_directory);
|
||||||
+}
|
+}
|
||||||
+
|
#endif /* !HEIMDAL */
|
||||||
krb5_error_code
|
#endif /* KRB5 */
|
||||||
ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
|
||||||
profile_t p;
|
|
||||||
diff --git a/auth.h b/auth.h
|
diff --git a/auth.h b/auth.h
|
||||||
index f9d191c..c432d2f 100644
|
index f9d191c..c432d2f 100644
|
||||||
--- a/auth.h
|
--- a/auth.h
|
||||||
+++ b/auth.h
|
+++ b/auth.h
|
||||||
@@ -222,5 +222,7 @@ int sys_auth_passwd(Authctxt *, const char *);
|
@@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *);
|
||||||
|
|
||||||
#if defined(KRB5) && !defined(HEIMDAL)
|
#if defined(KRB5) && !defined(HEIMDAL)
|
||||||
#include <krb5.h>
|
krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
||||||
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
|
||||||
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
|
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
|
||||||
+ char **k5login_directory);
|
+ char **k5login_directory);
|
||||||
#endif
|
#endif
|
||||||
#endif
|
|
||||||
|
#endif /* AUTH_H */
|
||||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||||
index a7c0c5f..df8cc9a 100644
|
index a7c0c5f..df8cc9a 100644
|
||||||
--- a/gss-serv-krb5.c
|
--- a/gss-serv-krb5.c
|
||||||
|
|
|
@ -48,5 +48,5 @@ Author: Harald Freudenberger <freude@de.ibm.com>
|
||||||
+#endif
|
+#endif
|
||||||
}
|
}
|
||||||
(void) closedir(dirp);
|
(void) closedir(dirp);
|
||||||
} else
|
return;
|
||||||
|
|
||||||
|
|
|
@ -14,7 +14,7 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
||||||
+ if (len <= 0)
|
+ if (len <= 0)
|
||||||
+ return -1;
|
+ return -1;
|
||||||
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||||
if (sock < 0)
|
if (sock == -1)
|
||||||
error("socket: %.100s", strerror(errno));
|
error("socket: %.100s", strerror(errno));
|
||||||
memset(&addr, 0, sizeof(addr));
|
memset(&addr, 0, sizeof(addr));
|
||||||
addr.sun_family = AF_UNIX;
|
addr.sun_family = AF_UNIX;
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -10,8 +10,8 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
|
||||||
+/* Minimum port number for X11 forwarding */
|
+/* Minimum port number for X11 forwarding */
|
||||||
+#define X11_PORT_MIN 6000
|
+#define X11_PORT_MIN 6000
|
||||||
|
|
||||||
/*
|
/* Per-channel callback for pre/post select() actions */
|
||||||
* Data structure for storing which hosts are permitted for forward requests.
|
typedef void chan_fn(struct ssh *, Channel *c,
|
||||||
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
|
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
|
@ -59,7 +59,7 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
|
||||||
ssh_gai_strerror(gaierr));
|
ssh_gai_strerror(gaierr));
|
||||||
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
|
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
|
||||||
/* Connect it to the display. */
|
/* Connect it to the display. */
|
||||||
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
|
if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||||
debug2("connect %.100s port %u: %.100s", buf,
|
debug2("connect %.100s port %u: %.100s", buf,
|
||||||
- 6000 + display_number, strerror(errno));
|
- 6000 + display_number, strerror(errno));
|
||||||
+ X11_PORT_MIN + display_number, strerror(errno));
|
+ X11_PORT_MIN + display_number, strerror(errno));
|
||||||
|
@ -197,7 +197,7 @@ diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
|
||||||
+.Cm X11MaxDisplays ,
|
+.Cm X11MaxDisplays ,
|
||||||
.Cm X11Forwarding
|
.Cm X11Forwarding
|
||||||
and
|
and
|
||||||
.Cm X11UseLocalHost .
|
.Cm X11UseLocalhost .
|
||||||
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
|
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
|
||||||
X11 forwarding.
|
X11 forwarding.
|
||||||
This prevents sshd from interfering with real X11 servers.
|
This prevents sshd from interfering with real X11 servers.
|
||||||
|
|
|
@ -1,259 +0,0 @@
|
||||||
diff --git a/auth-krb5.c b/auth-krb5.c
|
|
||||||
index 09ed151..282fcca 100644
|
|
||||||
--- a/auth-krb5.c
|
|
||||||
+++ b/auth-krb5.c
|
|
||||||
@@ -182,7 +182,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
|
|
||||||
+ problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
|
|
||||||
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
|
|
||||||
if (problem)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
@@ -192,7 +192,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
|
||||||
|
|
||||||
|
|
||||||
#ifdef USE_PAM
|
|
||||||
- if (options.use_pam)
|
|
||||||
+ if (options.use_pam && authctxt->krb5_set_env)
|
|
||||||
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -412,7 +413,7 @@ ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
|
||||||
|
|
||||||
#ifndef HEIMDAL
|
|
||||||
krb5_error_code
|
|
||||||
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
|
||||||
+ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
|
|
||||||
int tmpfd, ret, oerrno;
|
|
||||||
char *ccname;
|
|
||||||
#ifdef USE_CCAPI
|
|
||||||
@@ -423,8 +424,10 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
|
||||||
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+ if (need_environment)
|
|
||||||
+ *need_environment = 0;
|
|
||||||
ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
|
||||||
-
|
|
||||||
+ /* fallback to the ccache in /tmp */
|
|
||||||
if (ret) {
|
|
||||||
ret = asprintf(&ccname, cctemplate, geteuid());
|
|
||||||
if (ret == -1)
|
|
||||||
@@ -444,6 +447,9 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
|
||||||
close(tmpfd);
|
|
||||||
return oerrno;
|
|
||||||
}
|
|
||||||
+ /* make sure the KRBCCNAME is set for non-standard location */
|
|
||||||
+ if (need_environment)
|
|
||||||
+ *need_environment = 1;
|
|
||||||
close(tmpfd);
|
|
||||||
}
|
|
||||||
debug("%s: Setting ccname to %s", __func__, ccname);
|
|
||||||
diff --git a/auth.h b/auth.h
|
|
||||||
index 954a0dd..0819483 100644
|
|
||||||
--- a/auth.h
|
|
||||||
+++ b/auth.h
|
|
||||||
@@ -78,6 +78,7 @@ struct Authctxt {
|
|
||||||
krb5_principal krb5_user;
|
|
||||||
char *krb5_ticket_file;
|
|
||||||
char *krb5_ccname;
|
|
||||||
+ int krb5_set_env;
|
|
||||||
#endif
|
|
||||||
struct sshbuf *loginmsg;
|
|
||||||
|
|
||||||
@@ -220,7 +221,7 @@ int sys_auth_passwd(Authctxt *, const char *);
|
|
||||||
|
|
||||||
#if defined(KRB5) && !defined(HEIMDAL)
|
|
||||||
#include <krb5.h>
|
|
||||||
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
|
||||||
+krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *, int *);
|
|
||||||
krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
|
|
||||||
char **k5login_directory);
|
|
||||||
#endif
|
|
||||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
|
||||||
index 0fa3838..4127245 100644
|
|
||||||
--- a/gss-serv-krb5.c
|
|
||||||
+++ b/gss-serv-krb5.c
|
|
||||||
@@ -382,7 +382,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
|
|
||||||
/* This writes out any forwarded credentials from the structure populated
|
|
||||||
* during userauth. Called after we have setuid to the user */
|
|
||||||
|
|
||||||
-static void
|
|
||||||
+static int
|
|
||||||
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
||||||
{
|
|
||||||
krb5_ccache ccache;
|
|
||||||
@@ -391,14 +391,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
||||||
OM_uint32 maj_status, min_status;
|
|
||||||
const char *new_ccname, *new_cctype;
|
|
||||||
const char *errmsg;
|
|
||||||
+ int set_env = 0;
|
|
||||||
|
|
||||||
if (client->creds == NULL) {
|
|
||||||
debug("No credentials stored");
|
|
||||||
- return;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ssh_gssapi_krb5_init() == 0)
|
|
||||||
- return;
|
|
||||||
+ return 0;
|
|
||||||
|
|
||||||
#ifdef HEIMDAL
|
|
||||||
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
|
|
||||||
@@ -412,14 +413,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
||||||
krb5_get_err_text(krb_context, problem));
|
|
||||||
# endif
|
|
||||||
krb5_free_error_message(krb_context, errmsg);
|
|
||||||
- return;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
- if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
|
|
||||||
+ if ((problem = ssh_krb5_cc_gen(krb_context, &ccache, &set_env))) {
|
|
||||||
errmsg = krb5_get_error_message(krb_context, problem);
|
|
||||||
logit("ssh_krb5_cc_gen(): %.100s", errmsg);
|
|
||||||
krb5_free_error_message(krb_context, errmsg);
|
|
||||||
- return;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
#endif /* #ifdef HEIMDAL */
|
|
||||||
|
|
||||||
@@ -428,7 +429,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
||||||
errmsg = krb5_get_error_message(krb_context, problem);
|
|
||||||
logit("krb5_parse_name(): %.100s", errmsg);
|
|
||||||
krb5_free_error_message(krb_context, errmsg);
|
|
||||||
- return;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
|
|
||||||
@@ -437,7 +438,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
||||||
krb5_free_error_message(krb_context, errmsg);
|
|
||||||
krb5_free_principal(krb_context, princ);
|
|
||||||
krb5_cc_destroy(krb_context, ccache);
|
|
||||||
- return;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
krb5_free_principal(krb_context, princ);
|
|
||||||
@@ -446,7 +447,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
||||||
client->creds, ccache))) {
|
|
||||||
logit("gss_krb5_copy_ccache() failed");
|
|
||||||
krb5_cc_destroy(krb_context, ccache);
|
|
||||||
- return;
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
new_cctype = krb5_cc_get_type(krb_context, ccache);
|
|
||||||
@@ -471,7 +478,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef USE_PAM
|
|
||||||
- if (options.use_pam)
|
|
||||||
+ if (options.use_pam && set_env)
|
|
||||||
do_pam_putenv(client->store.envvar, client->store.envval);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
@@ -479,7 +486,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
|
||||||
|
|
||||||
client->store.data = krb_context;
|
|
||||||
|
|
||||||
- return;
|
|
||||||
+ return set_env;
|
|
||||||
}
|
|
||||||
|
|
||||||
int
|
|
||||||
diff --git a/gss-serv.c b/gss-serv.c
|
|
||||||
index 681847a..2a02dae 100644
|
|
||||||
--- a/gss-serv.c
|
|
||||||
+++ b/gss-serv.c
|
|
||||||
@@ -404,7 +404,7 @@ ssh_gssapi_cleanup_creds(void)
|
|
||||||
debug("%s: krb5_cc_resolve(): %.100s", __func__,
|
|
||||||
krb5_get_err_text(gssapi_client.store.data, problem));
|
|
||||||
} else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
|
|
||||||
- debug("%s: krb5_cc_resolve(): %.100s", __func__,
|
|
||||||
+ debug("%s: krb5_cc_destroy(): %.100s", __func__,
|
|
||||||
krb5_get_err_text(gssapi_client.store.data, problem));
|
|
||||||
} else {
|
|
||||||
krb5_free_context(gssapi_client.store.data);
|
|
||||||
@@ -414,13 +414,15 @@ ssh_gssapi_cleanup_creds(void)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* As user */
|
|
||||||
-void
|
|
||||||
+int
|
|
||||||
ssh_gssapi_storecreds(void)
|
|
||||||
{
|
|
||||||
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
|
||||||
- (*gssapi_client.mech->storecreds)(&gssapi_client);
|
|
||||||
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
|
||||||
} else
|
|
||||||
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* This allows GSSAPI methods to do things to the childs environment based
|
|
||||||
diff --git a/session.c b/session.c
|
|
||||||
index df4985a..b7a6a57 100644
|
|
||||||
--- a/session.c
|
|
||||||
+++ b/session.c
|
|
||||||
@@ -1084,7 +1084,8 @@ do_setup_env(Session *s, const char *shell)
|
|
||||||
/* Allow any GSSAPI methods that we've used to alter
|
|
||||||
* the childs environment as they see fit
|
|
||||||
*/
|
|
||||||
- ssh_gssapi_do_child(&env, &envsize);
|
|
||||||
+ if (s->authctxt->krb5_set_env)
|
|
||||||
+ ssh_gssapi_do_child(&env, &envsize);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Set basic environment. */
|
|
||||||
@@ -1196,7 +1197,7 @@ do_setup_env(Session *s, const char *shell)
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
#ifdef KRB5
|
|
||||||
- if (s->authctxt->krb5_ccname)
|
|
||||||
+ if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
|
|
||||||
child_set_env(&env, &envsize, "KRB5CCNAME",
|
|
||||||
s->authctxt->krb5_ccname);
|
|
||||||
#endif
|
|
||||||
diff --git a/ssh-gss.h b/ssh-gss.h
|
|
||||||
index 6f2b0ac..73ef2c2 100644
|
|
||||||
--- a/ssh-gss.h
|
|
||||||
+++ b/ssh-gss.h
|
|
||||||
@@ -106,7 +106,7 @@ typedef struct ssh_gssapi_mech_struct {
|
|
||||||
int (*dochild) (ssh_gssapi_client *);
|
|
||||||
int (*userok) (ssh_gssapi_client *, char *);
|
|
||||||
int (*localname) (ssh_gssapi_client *, char **);
|
|
||||||
- void (*storecreds) (ssh_gssapi_client *);
|
|
||||||
+ int (*storecreds) (ssh_gssapi_client *);
|
|
||||||
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
|
|
||||||
} ssh_gssapi_mech;
|
|
||||||
|
|
||||||
@@ -163,7 +163,7 @@ char* ssh_gssapi_get_displayname(void);
|
|
||||||
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
|
||||||
void ssh_gssapi_do_child(char ***, u_int *);
|
|
||||||
void ssh_gssapi_cleanup_creds(void);
|
|
||||||
-void ssh_gssapi_storecreds(void);
|
|
||||||
+int ssh_gssapi_storecreds(void);
|
|
||||||
const char *ssh_gssapi_displayname(void);
|
|
||||||
|
|
||||||
char *ssh_gssapi_server_mechanisms(void);
|
|
||||||
diff --git a/sshd.c b/sshd.c
|
|
||||||
index ce2e374..3c4e13e 100644
|
|
||||||
--- a/sshd.c
|
|
||||||
+++ b/sshd.c
|
|
||||||
@@ -2221,7 +2221,7 @@ main(int ac, char **av)
|
|
||||||
#ifdef GSSAPI
|
|
||||||
if (options.gss_authentication) {
|
|
||||||
temporarily_use_uid(authctxt->pw);
|
|
||||||
- ssh_gssapi_storecreds();
|
|
||||||
+ authctxt->krb5_set_env = ssh_gssapi_storecreds();
|
|
||||||
restore_uid();
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -20,8 +20,8 @@ index ca75cc7..6e7de31 100644
|
||||||
+#if defined(__NR_flock) && defined(__s390__)
|
+#if defined(__NR_flock) && defined(__s390__)
|
||||||
+ SC_ALLOW(__NR_flock),
|
+ SC_ALLOW(__NR_flock),
|
||||||
+#endif
|
+#endif
|
||||||
#ifdef __NR_getpgid
|
#ifdef __NR_futex
|
||||||
SC_ALLOW(__NR_getpgid),
|
SC_ALLOW(__NR_futex),
|
||||||
#endif
|
#endif
|
||||||
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||||
#ifdef __NR_gettimeofday
|
#ifdef __NR_gettimeofday
|
||||||
|
@ -30,8 +30,8 @@ index ca75cc7..6e7de31 100644
|
||||||
+#if defined(__NR_ipc) && defined(__s390__)
|
+#if defined(__NR_ipc) && defined(__s390__)
|
||||||
+ SC_ALLOW(__NR_ipc),
|
+ SC_ALLOW(__NR_ipc),
|
||||||
+#endif
|
+#endif
|
||||||
#ifdef __NR_madvise
|
#ifdef __NR_getuid
|
||||||
SC_ALLOW(__NR_madvise),
|
SC_ALLOW(__NR_getuid),
|
||||||
#endif
|
#endif
|
||||||
--
|
--
|
||||||
1.9.1
|
1.9.1
|
||||||
|
@ -69,29 +69,6 @@ index 6e7de31..e86aa2c 100644
|
||||||
SC_ALLOW(__NR_getrandom),
|
SC_ALLOW(__NR_getrandom),
|
||||||
#endif
|
#endif
|
||||||
-- 1.9.1
|
-- 1.9.1
|
||||||
|
|
||||||
The EP11 crypto card needs to make an ioctl call, which receives an
|
|
||||||
specific argument. This crypto card is for s390 only.
|
|
||||||
|
|
||||||
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
|
||||||
---
|
|
||||||
sandbox-seccomp-filter.c | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index e86aa2c..98062f1 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
|
|
||||||
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
|
|
||||||
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
|
|
||||||
+ /* Allow ioctls for EP11 crypto card on s390 */
|
|
||||||
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
|
|
||||||
#endif
|
|
||||||
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
|
|
||||||
/*
|
|
||||||
--
|
|
||||||
1.9.1
|
1.9.1
|
||||||
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
|
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
|
||||||
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
|
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
|
||||||
|
@ -106,3 +83,4 @@ diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-se
|
||||||
#ifdef __NR_getrandom
|
#ifdef __NR_getrandom
|
||||||
SC_ALLOW(__NR_getrandom),
|
SC_ALLOW(__NR_getrandom),
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -1,6 +1,6 @@
|
||||||
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
||||||
--- openssh/auth2-pubkey.c.refactor 2017-09-27 13:10:19.556830609 +0200
|
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
||||||
+++ openssh/auth2-pubkey.c 2017-09-27 13:10:19.677831274 +0200
|
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -72,6 +72,9 @@
|
@@ -72,6 +72,9 @@
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
extern u_char *session_id2;
|
extern u_char *session_id2;
|
||||||
|
@ -9,11 +9,11 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
||||||
+extern int rexeced_flag;
|
+extern int rexeced_flag;
|
||||||
+extern Authctxt *the_authctxt;
|
+extern Authctxt *the_authctxt;
|
||||||
|
|
||||||
static int
|
static char *
|
||||||
userauth_pubkey(struct ssh *ssh)
|
format_key(const struct sshkey *key)
|
||||||
@@ -432,7 +435,8 @@ match_principals_command(struct passwd *
|
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
||||||
|
|
||||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", pw, command,
|
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
|
@ -21,9 +21,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
@@ -762,7 +766,8 @@ user_key_command_allowed2(struct passwd
|
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
||||||
|
|
||||||
if ((pid = subprocess("AuthorizedKeysCommand", pw, command,
|
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
|
@ -31,10 +31,10 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
diff -up openssh/misc.c.refactor openssh/misc.c
|
diff -up openssh/auth.c.refactor openssh/auth.c
|
||||||
--- openssh/misc.c.refactor 2017-09-27 13:10:19.640831071 +0200
|
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
||||||
+++ openssh/misc.c 2017-09-27 13:10:19.678831279 +0200
|
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -1435,7 +1435,8 @@ argv_assemble(int argc, char **argv)
|
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
||||||
*/
|
*/
|
||||||
pid_t
|
pid_t
|
||||||
subprocess(const char *tag, struct passwd *pw, const char *command,
|
subprocess(const char *tag, struct passwd *pw, const char *command,
|
||||||
|
@ -44,7 +44,7 @@ diff -up openssh/misc.c.refactor openssh/misc.c
|
||||||
{
|
{
|
||||||
FILE *f = NULL;
|
FILE *f = NULL;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
@@ -1551,7 +1552,7 @@ subprocess(const char *tag, struct passw
|
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
|
@ -53,21 +53,21 @@ diff -up openssh/misc.c.refactor openssh/misc.c
|
||||||
error ("failed to copy environment: %s",
|
error ("failed to copy environment: %s",
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
_exit(127);
|
_exit(127);
|
||||||
diff -up openssh/misc.h.refactor openssh/misc.h
|
diff -up openssh/auth.h.refactor openssh/auth.h
|
||||||
--- openssh/misc.h.refactor 2017-09-25 01:48:10.000000000 +0200
|
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
||||||
+++ openssh/misc.h 2017-09-27 13:10:19.678831279 +0200
|
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -144,7 +144,7 @@ int exited_cleanly(pid_t, const char *,
|
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
||||||
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
|
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
|
||||||
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
|
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
|
||||||
pid_t subprocess(const char *, struct passwd *,
|
pid_t subprocess(const char *, struct passwd *,
|
||||||
- const char *, int, char **, FILE **, u_int flags);
|
- const char *, int, char **, FILE **, u_int flags);
|
||||||
+ const char *, int, char **, FILE **, u_int flags, int, void *);
|
+ const char *, int, char **, FILE **, u_int flags, int, void *);
|
||||||
|
|
||||||
struct stat;
|
int sys_auth_passwd(struct ssh *, const char *);
|
||||||
int safe_path(const char *, struct stat *, const char *, uid_t,
|
|
||||||
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
||||||
--- openssh/openbsd-compat/port-linux.h.refactor 2017-09-27 13:10:19.634831038 +0200
|
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux.h 2017-09-27 13:10:54.954025248 +0200
|
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
|
@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
|
||||||
|
|
||||||
int sshd_selinux_enabled(void);
|
int sshd_selinux_enabled(void);
|
||||||
|
@ -80,9 +80,9 @@ diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/por
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
|
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
|
||||||
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2017-09-27 13:10:19.634831038 +0200
|
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2017-09-27 13:12:06.811420371 +0200
|
+++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -48,11 +48,6 @@
|
@@ -49,11 +49,6 @@
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -94,7 +94,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||||
int
|
int
|
||||||
sshd_selinux_enabled(void)
|
sshd_selinux_enabled(void)
|
||||||
@@ -222,7 +217,8 @@ get_user_context(const char *sename, con
|
@@ -223,7 +218,8 @@ get_user_context(const char *sename, con
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
|
@ -104,7 +104,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
{
|
{
|
||||||
*role = NULL;
|
*role = NULL;
|
||||||
*level = NULL;
|
*level = NULL;
|
||||||
@@ -240,8 +236,8 @@ ssh_selinux_get_role_level(char **role,
|
@@ -241,8 +237,8 @@ ssh_selinux_get_role_level(char **role,
|
||||||
|
|
||||||
/* Return the default security context for the given username */
|
/* Return the default security context for the given username */
|
||||||
static int
|
static int
|
||||||
|
@ -115,7 +115,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
{
|
{
|
||||||
char *sename, *lvl;
|
char *sename, *lvl;
|
||||||
char *role;
|
char *role;
|
||||||
@@ -249,7 +245,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
@@ -250,7 +246,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||||
int r = 0;
|
int r = 0;
|
||||||
context_t con = NULL;
|
context_t con = NULL;
|
||||||
|
|
||||||
|
@ -124,7 +124,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
|
|
||||||
#ifdef HAVE_GETSEUSERBYNAME
|
#ifdef HAVE_GETSEUSERBYNAME
|
||||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||||
@@ -271,7 +267,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
@@ -272,7 +268,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||||
|
|
||||||
if (r == 0) {
|
if (r == 0) {
|
||||||
/* If launched from xinetd, we must use current level */
|
/* If launched from xinetd, we must use current level */
|
||||||
|
@ -133,7 +133,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
security_context_t sshdsc=NULL;
|
security_context_t sshdsc=NULL;
|
||||||
|
|
||||||
if (getcon_raw(&sshdsc) < 0)
|
if (getcon_raw(&sshdsc) < 0)
|
||||||
@@ -332,7 +328,8 @@ sshd_selinux_getctxbyname(char *pwname,
|
@@ -333,7 +329,8 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||||
|
|
||||||
/* Setup environment variables for pam_selinux */
|
/* Setup environment variables for pam_selinux */
|
||||||
static int
|
static int
|
||||||
|
@ -143,7 +143,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
{
|
{
|
||||||
const char *reqlvl;
|
const char *reqlvl;
|
||||||
char *role;
|
char *role;
|
||||||
@@ -341,11 +338,11 @@ sshd_selinux_setup_variables(int(*set_it
|
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3("%s: setting execution context", __func__);
|
||||||
|
|
||||||
|
@ -157,7 +157,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
use_current = "1";
|
use_current = "1";
|
||||||
} else {
|
} else {
|
||||||
use_current = "";
|
use_current = "";
|
||||||
@@ -361,9 +358,10 @@ sshd_selinux_setup_variables(int(*set_it
|
@@ -362,9 +359,10 @@ sshd_selinux_setup_variables(int(*set_it
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
|
@ -170,7 +170,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
@@ -373,25 +371,28 @@ do_setenv(char *name, const char *value)
|
@@ -374,25 +372,28 @@ do_setenv(char *name, const char *value)
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
@ -204,7 +204,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
switch (security_getenforce()) {
|
switch (security_getenforce()) {
|
||||||
case -1:
|
case -1:
|
||||||
fatal("%s: security_getenforce() failed", __func__);
|
fatal("%s: security_getenforce() failed", __func__);
|
||||||
@@ -409,7 +410,7 @@ sshd_selinux_setup_exec_context(char *pw
|
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3("%s: setting execution context", __func__);
|
||||||
|
|
||||||
|
@ -214,9 +214,9 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
||||||
r = setexeccon(user_ctx);
|
r = setexeccon(user_ctx);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
diff -up openssh/platform.c.refactor openssh/platform.c
|
diff -up openssh/platform.c.refactor openssh/platform.c
|
||||||
--- openssh/platform.c.refactor 2017-09-27 13:10:19.574830708 +0200
|
--- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200
|
||||||
+++ openssh/platform.c 2017-09-27 13:11:45.475303050 +0200
|
+++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200
|
||||||
@@ -33,6 +33,9 @@
|
@@ -32,6 +32,9 @@
|
||||||
|
|
||||||
extern int use_privsep;
|
extern int use_privsep;
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
|
@ -226,7 +226,7 @@ diff -up openssh/platform.c.refactor openssh/platform.c
|
||||||
|
|
||||||
void
|
void
|
||||||
platform_pre_listen(void)
|
platform_pre_listen(void)
|
||||||
@@ -184,7 +187,9 @@ platform_setusercontext_post_groups(stru
|
@@ -183,7 +186,9 @@ platform_setusercontext_post_groups(stru
|
||||||
}
|
}
|
||||||
#endif /* HAVE_SETPCRED */
|
#endif /* HAVE_SETPCRED */
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
|
@ -238,9 +238,27 @@ diff -up openssh/platform.c.refactor openssh/platform.c
|
||||||
}
|
}
|
||||||
|
|
||||||
diff -up openssh/sshd.c.refactor openssh/sshd.c
|
diff -up openssh/sshd.c.refactor openssh/sshd.c
|
||||||
--- openssh/sshd.c.refactor 2017-09-27 13:10:19.674831257 +0200
|
--- openssh/sshd.c.refactor 2019-04-04 13:19:12.275822068 +0200
|
||||||
+++ openssh/sshd.c 2017-09-27 13:12:01.635391909 +0200
|
+++ openssh/sshd.c 2019-04-04 13:19:51.270195262 +0200
|
||||||
@@ -2135,7 +2135,9 @@ main(int ac, char **av)
|
@@ -158,7 +158,7 @@ int debug_flag = 0;
|
||||||
|
static int test_flag = 0;
|
||||||
|
|
||||||
|
/* Flag indicating that the daemon is being started from inetd. */
|
||||||
|
-static int inetd_flag = 0;
|
||||||
|
+int inetd_flag = 0;
|
||||||
|
|
||||||
|
/* Flag indicating that sshd should not detach and become a daemon. */
|
||||||
|
static int no_daemon_flag = 0;
|
||||||
|
@@ -171,7 +171,7 @@ static char **saved_argv;
|
||||||
|
static int saved_argc;
|
||||||
|
|
||||||
|
/* re-exec */
|
||||||
|
-static int rexeced_flag = 0;
|
||||||
|
+int rexeced_flag = 0;
|
||||||
|
static int rexec_flag = 1;
|
||||||
|
static int rexec_argc = 0;
|
||||||
|
static char **rexec_argv;
|
||||||
|
@@ -2192,7 +2192,9 @@ main(int ac, char **av)
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
|
|
|
@ -1,47 +0,0 @@
|
||||||
From 7c9613fac3371cf65fb07739212cdd1ebf6575da Mon Sep 17 00:00:00 2001
|
|
||||||
From: "djm@openbsd.org" <djm@openbsd.org>
|
|
||||||
Date: Wed, 4 Oct 2017 18:49:30 +0000
|
|
||||||
Subject: [PATCH] upstream commit
|
|
||||||
|
|
||||||
fix (another) problem in PermitOpen introduced during the
|
|
||||||
channels.c refactor: the third and subsequent arguments to PermitOpen were
|
|
||||||
being silently ignored; ok markus@
|
|
||||||
|
|
||||||
Upstream-ID: 067c89f1f53cbc381628012ba776d6861e6782fd
|
|
||||||
---
|
|
||||||
servconf.c | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/servconf.c b/servconf.c
|
|
||||||
index 2c321a4ad..956862959 100644
|
|
||||||
--- a/servconf.c
|
|
||||||
+++ b/servconf.c
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
|
|
||||||
-/* $OpenBSD: servconf.c,v 1.312 2017/10/02 19:33:20 djm Exp $ */
|
|
||||||
+/* $OpenBSD: servconf.c,v 1.313 2017/10/04 18:49:30 djm Exp $ */
|
|
||||||
/*
|
|
||||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
||||||
* All rights reserved
|
|
||||||
@@ -1663,9 +1663,9 @@ process_server_config_line(ServerOptions *options, char *line,
|
|
||||||
if (!arg || *arg == '\0')
|
|
||||||
fatal("%s line %d: missing PermitOpen specification",
|
|
||||||
filename, linenum);
|
|
||||||
- i = options->num_permitted_opens; /* modified later */
|
|
||||||
+ value = options->num_permitted_opens; /* modified later */
|
|
||||||
if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
|
|
||||||
- if (*activep && i == 0) {
|
|
||||||
+ if (*activep && value == 0) {
|
|
||||||
options->num_permitted_opens = 1;
|
|
||||||
options->permitted_opens = xcalloc(1,
|
|
||||||
sizeof(*options->permitted_opens));
|
|
||||||
@@ -1683,7 +1683,7 @@ process_server_config_line(ServerOptions *options, char *line,
|
|
||||||
if (arg == NULL || ((port = permitopen_port(arg)) < 0))
|
|
||||||
fatal("%s line %d: bad port number in "
|
|
||||||
"PermitOpen", filename, linenum);
|
|
||||||
- if (*activep && i == 0) {
|
|
||||||
+ if (*activep && value == 0) {
|
|
||||||
options->permitted_opens = xrecallocarray(
|
|
||||||
options->permitted_opens,
|
|
||||||
options->num_permitted_opens,
|
|
||||||
|
|
|
@ -0,0 +1,457 @@
|
||||||
|
diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
|
||||||
|
--- openssh-8.0p1/cipher-ctr.c.fips 2019-07-23 14:55:45.326525641 +0200
|
||||||
|
+++ openssh-8.0p1/cipher-ctr.c 2019-07-23 14:55:45.401526401 +0200
|
||||||
|
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||||
|
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||||
|
#ifndef SSH_OLD_EVP
|
||||||
|
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
||||||
|
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
||||||
|
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
|
||||||
|
+ EVP_CIPH_FLAG_FIPS;
|
||||||
|
#endif
|
||||||
|
return (&aes_ctr);
|
||||||
|
}
|
||||||
|
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
|
||||||
|
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200
|
||||||
|
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200
|
||||||
|
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max
|
||||||
|
int best, bestcount, which, linenum;
|
||||||
|
struct dhgroup dhg;
|
||||||
|
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit("Using arbitrary primes is not allowed in FIPS mode."
|
||||||
|
+ " Falling back to known groups.");
|
||||||
|
+ return (dh_new_group_fallback(max));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
|
||||||
|
logit("WARNING: could not open %s (%s), using fixed modulus",
|
||||||
|
_PATH_DH_MODULI, strerror(errno));
|
||||||
|
@@ -489,4 +495,38 @@ dh_estimate(int bits)
|
||||||
|
return 8192;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Compares the received DH parameters with known-good groups,
|
||||||
|
+ * which might be either from group14, group16 or group18.
|
||||||
|
+ */
|
||||||
|
+int
|
||||||
|
+dh_is_known_group(const DH *dh)
|
||||||
|
+{
|
||||||
|
+ const BIGNUM *p, *g;
|
||||||
|
+ const BIGNUM *known_p, *known_g;
|
||||||
|
+ DH *known = NULL;
|
||||||
|
+ int bits = 0, rv = 0;
|
||||||
|
+
|
||||||
|
+ DH_get0_pqg(dh, &p, NULL, &g);
|
||||||
|
+ bits = BN_num_bits(p);
|
||||||
|
+
|
||||||
|
+ if (bits <= 3072) {
|
||||||
|
+ known = dh_new_group14();
|
||||||
|
+ } else if (bits <= 6144) {
|
||||||
|
+ known = dh_new_group16();
|
||||||
|
+ } else {
|
||||||
|
+ known = dh_new_group18();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ DH_get0_pqg(known, &known_p, NULL, &known_g);
|
||||||
|
+
|
||||||
|
+ if (BN_cmp(g, known_g) == 0 &&
|
||||||
|
+ BN_cmp(p, known_p) == 0) {
|
||||||
|
+ rv = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ DH_free(known);
|
||||||
|
+ return rv;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#endif /* WITH_OPENSSL */
|
||||||
|
diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h
|
||||||
|
--- openssh-8.0p1/dh.h.fips 2019-04-18 00:52:57.000000000 +0200
|
||||||
|
+++ openssh-8.0p1/dh.h 2019-07-23 14:55:45.401526401 +0200
|
||||||
|
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int);
|
||||||
|
|
||||||
|
int dh_gen_key(DH *, int);
|
||||||
|
int dh_pub_is_valid(const DH *, const BIGNUM *);
|
||||||
|
+int dh_is_known_group(const DH *);
|
||||||
|
|
||||||
|
u_int dh_estimate(int);
|
||||||
|
|
||||||
|
diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
|
||||||
|
--- openssh-8.0p1/kex.c.fips 2019-07-23 14:55:45.395526340 +0200
|
||||||
|
+++ openssh-8.0p1/kex.c 2019-07-23 14:55:45.402526411 +0200
|
||||||
|
@@ -199,7 +199,10 @@ kex_names_valid(const char *names)
|
||||||
|
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||||
|
(p = strsep(&cp, ","))) {
|
||||||
|
if (kex_alg_by_name(p) == NULL) {
|
||||||
|
- error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||||
|
+ if (FIPS_mode())
|
||||||
|
+ error("\"%.100s\" is not allowed in FIPS mode", p);
|
||||||
|
+ else
|
||||||
|
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||||
|
free(s);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
|
||||||
|
--- openssh-8.0p1/kexgexc.c.fips 2019-04-18 00:52:57.000000000 +0200
|
||||||
|
+++ openssh-8.0p1/kexgexc.c 2019-07-23 14:55:45.402526411 +0200
|
||||||
|
@@ -28,6 +28,7 @@
|
||||||
|
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
|
||||||
|
+#include <openssl/crypto.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32
|
||||||
|
r = SSH_ERR_ALLOC_FAIL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
+ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) {
|
||||||
|
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
p = g = NULL; /* belong to kex->dh now */
|
||||||
|
|
||||||
|
/* generate and send 'e', client DH public key */
|
||||||
|
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
||||||
|
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
|
||||||
|
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
|
||||||
|
@@ -111,6 +111,20 @@
|
||||||
|
"rsa-sha2-256," \
|
||||||
|
"ssh-rsa"
|
||||||
|
|
||||||
|
+#define KEX_FIPS_PK_ALG \
|
||||||
|
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
|
||||||
|
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
|
||||||
|
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
||||||
|
+ "rsa-sha2-512-cert-v01@openssh.com," \
|
||||||
|
+ "rsa-sha2-256-cert-v01@openssh.com," \
|
||||||
|
+ "ssh-rsa-cert-v01@openssh.com," \
|
||||||
|
+ "ecdsa-sha2-nistp256," \
|
||||||
|
+ "ecdsa-sha2-nistp384," \
|
||||||
|
+ "ecdsa-sha2-nistp521," \
|
||||||
|
+ "rsa-sha2-512," \
|
||||||
|
+ "rsa-sha2-256," \
|
||||||
|
+ "ssh-rsa"
|
||||||
|
+
|
||||||
|
#define KEX_SERVER_ENCRYPT \
|
||||||
|
"chacha20-poly1305@openssh.com," \
|
||||||
|
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||||
|
@@ -134,6 +142,27 @@
|
||||||
|
|
||||||
|
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
||||||
|
|
||||||
|
+#define KEX_FIPS_ENCRYPT \
|
||||||
|
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||||
|
+ "aes128-cbc,3des-cbc," \
|
||||||
|
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
|
||||||
|
+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
|
||||||
|
+#define KEX_DEFAULT_KEX_FIPS \
|
||||||
|
+ "ecdh-sha2-nistp256," \
|
||||||
|
+ "ecdh-sha2-nistp384," \
|
||||||
|
+ "ecdh-sha2-nistp521," \
|
||||||
|
+ "diffie-hellman-group-exchange-sha256," \
|
||||||
|
+ "diffie-hellman-group16-sha512," \
|
||||||
|
+ "diffie-hellman-group18-sha512," \
|
||||||
|
+ "diffie-hellman-group14-sha256"
|
||||||
|
+#define KEX_FIPS_MAC \
|
||||||
|
+ "hmac-sha1," \
|
||||||
|
+ "hmac-sha2-256," \
|
||||||
|
+ "hmac-sha2-512," \
|
||||||
|
+ "hmac-sha1-etm@openssh.com," \
|
||||||
|
+ "hmac-sha2-256-etm@openssh.com," \
|
||||||
|
+ "hmac-sha2-512-etm@openssh.com"
|
||||||
|
+
|
||||||
|
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||||
|
#define SSH_ALLOWED_CA_SIGALGS \
|
||||||
|
"ecdsa-sha2-nistp256," \
|
||||||
|
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
||||||
|
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
|
||||||
|
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
|
||||||
|
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options)
|
||||||
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
|
/* remove unsupported algos from default lists */
|
||||||
|
- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
|
||||||
|
- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
|
||||||
|
- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
|
||||||
|
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
|
||||||
|
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||||
|
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
|
||||||
|
+ def_mac = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
|
||||||
|
+ def_kex = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
|
||||||
|
+ def_key = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||||
|
+ def_sig = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||||
|
#define ASSEMBLE(what, defaults, all) \
|
||||||
|
do { \
|
||||||
|
if ((r = kex_assemble_names(&options->what, \
|
||||||
|
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
|
||||||
|
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200
|
||||||
|
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200
|
||||||
|
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_
|
||||||
|
#ifdef __NR_open
|
||||||
|
SC_DENY(__NR_open, EACCES),
|
||||||
|
#endif
|
||||||
|
+#ifdef __NR_socket
|
||||||
|
+ SC_DENY(__NR_socket, EACCES),
|
||||||
|
+#endif
|
||||||
|
#ifdef __NR_openat
|
||||||
|
SC_DENY(__NR_openat, EACCES),
|
||||||
|
#endif
|
||||||
|
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
|
||||||
|
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200
|
||||||
|
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200
|
||||||
|
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o)
|
||||||
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
|
/* remove unsupported algos from default lists */
|
||||||
|
- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
|
||||||
|
- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
|
||||||
|
- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
|
||||||
|
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
|
||||||
|
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||||
|
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
|
||||||
|
+ def_mac = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
|
||||||
|
+ def_kex = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
|
||||||
|
+ def_key = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||||
|
+ def_sig = match_filter_allowlist((FIPS_mode() ?
|
||||||
|
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||||
|
#define ASSEMBLE(what, defaults, all) \
|
||||||
|
do { \
|
||||||
|
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
||||||
|
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
|
||||||
|
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
|
||||||
|
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
|
||||||
|
@@ -76,6 +76,7 @@
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#endif
|
||||||
|
+#include <openssl/crypto.h>
|
||||||
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
|
@@ -614,6 +626,10 @@ main(int ac, char **av)
|
||||||
|
dump_client_config(&options, host);
|
||||||
|
exit(0);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ debug("FIPS mode initialized");
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* Expand SecurityKeyProvider if it refers to an environment variable */
|
||||||
|
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
|
||||||
|
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
||||||
|
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200
|
||||||
|
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200
|
||||||
|
@@ -44,6 +44,8 @@
|
||||||
|
#include <vis.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#include <openssl/crypto.h>
|
||||||
|
+
|
||||||
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
|
#include "xmalloc.h"
|
||||||
|
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
|
||||||
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
|
if (options.gss_keyex) {
|
||||||
|
- /* Add the GSSAPI mechanisms currently supported on this
|
||||||
|
- * client to the key exchange algorithm proposal */
|
||||||
|
- orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||||
|
-
|
||||||
|
- if (options.gss_server_identity) {
|
||||||
|
- gss_host = xstrdup(options.gss_server_identity);
|
||||||
|
- } else if (options.gss_trust_dns) {
|
||||||
|
- gss_host = remote_hostname(ssh);
|
||||||
|
- /* Fall back to specified host if we are using proxy command
|
||||||
|
- * and can not use DNS on that socket */
|
||||||
|
- if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||||
|
- free(gss_host);
|
||||||
|
- gss_host = xstrdup(host);
|
||||||
|
- }
|
||||||
|
- } else {
|
||||||
|
- gss_host = xstrdup(host);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
|
- if (gss) {
|
||||||
|
- debug("Offering GSSAPI proposal: %s", gss);
|
||||||
|
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
|
- "%s,%s", gss, orig);
|
||||||
|
-
|
||||||
|
- /* If we've got GSSAPI algorithms, then we also support the
|
||||||
|
- * 'null' hostkey, as a last resort */
|
||||||
|
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
||||||
|
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||||
|
- "%s,null", orig);
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||||
|
+ options.gss_keyex = 0;
|
||||||
|
+ } else {
|
||||||
|
+ /* Add the GSSAPI mechanisms currently supported on this
|
||||||
|
+ * client to the key exchange algorithm proposal */
|
||||||
|
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||||
|
+
|
||||||
|
+ if (options.gss_server_identity) {
|
||||||
|
+ gss_host = xstrdup(options.gss_server_identity);
|
||||||
|
+ } else if (options.gss_trust_dns) {
|
||||||
|
+ gss_host = remote_hostname(ssh);
|
||||||
|
+ /* Fall back to specified host if we are using proxy command
|
||||||
|
+ * and can not use DNS on that socket */
|
||||||
|
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||||
|
+ free(gss_host);
|
||||||
|
+ gss_host = xstrdup(host);
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ gss_host = xstrdup(host);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
|
+ if (gss) {
|
||||||
|
+ debug("Offering GSSAPI proposal: %s", gss);
|
||||||
|
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
|
+ "%s,%s", gss, orig);
|
||||||
|
+
|
||||||
|
+ /* If we've got GSSAPI algorithms, then we also support the
|
||||||
|
+ * 'null' hostkey, as a last resort */
|
||||||
|
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
||||||
|
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||||
|
+ "%s,null", orig);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
|
||||||
|
--- openssh-8.0p1/sshd.c.fips 2019-07-23 14:55:45.398526371 +0200
|
||||||
|
+++ openssh-8.0p1/sshd.c 2019-07-23 14:55:45.403526421 +0200
|
||||||
|
@@ -66,6 +66,7 @@
|
||||||
|
#include <grp.h>
|
||||||
|
#include <pwd.h>
|
||||||
|
#include <signal.h>
|
||||||
|
+#include <syslog.h>
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
@@ -77,6 +78,7 @@
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
#include <openssl/bn.h>
|
||||||
|
#include <openssl/rand.h>
|
||||||
|
+#include <openssl/crypto.h>
|
||||||
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -1529,6 +1532,7 @@ main(int ac, char **av)
|
||||||
|
#endif
|
||||||
|
__progname = ssh_get_progname(av[0]);
|
||||||
|
|
||||||
|
+ OpenSSL_add_all_algorithms();
|
||||||
|
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||||
|
saved_argc = ac;
|
||||||
|
rexec_argc = ac;
|
||||||
|
@@ -1992,6 +2007,10 @@ main(int ac, char **av)
|
||||||
|
/* Reinitialize the log (because of the fork above). */
|
||||||
|
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||||
|
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ debug("FIPS mode initialized");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* Chdir to the root directory so that the current disk can be
|
||||||
|
unmounted if desired. */
|
||||||
|
if (chdir("/") == -1)
|
||||||
|
@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
|
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
||||||
|
orig = NULL;
|
||||||
|
|
||||||
|
- if (options.gss_keyex)
|
||||||
|
- gss = ssh_gssapi_server_mechanisms();
|
||||||
|
- else
|
||||||
|
- gss = NULL;
|
||||||
|
+ if (options.gss_keyex) {
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||||
|
+ options.gss_keyex = 0;
|
||||||
|
+ } else {
|
||||||
|
+ gss = ssh_gssapi_server_mechanisms();
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (gss && orig)
|
||||||
|
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||||
|
diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
|
||||||
|
--- openssh-8.0p1/sshkey.c.fips 2019-07-23 14:55:45.398526371 +0200
|
||||||
|
+++ openssh-8.0p1/sshkey.c 2019-07-23 14:55:45.404526431 +0200
|
||||||
|
@@ -34,6 +34,7 @@
|
||||||
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/err.h>
|
||||||
|
#include <openssl/pem.h>
|
||||||
|
+#include <openssl/crypto.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "crypto_api.h"
|
||||||
|
@@ -57,6 +58,7 @@
|
||||||
|
#define SSHKEY_INTERNAL
|
||||||
|
#include "sshkey.h"
|
||||||
|
#include "match.h"
|
||||||
|
+#include "log.h"
|
||||||
|
#include "ssh-sk.h"
|
||||||
|
|
||||||
|
#ifdef WITH_XMSS
|
||||||
|
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||||
|
}
|
||||||
|
if (!BN_set_word(f4, RSA_F4) ||
|
||||||
|
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||||
|
+ if (FIPS_mode())
|
||||||
|
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
||||||
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
|
||||||
|
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200
|
||||||
|
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200
|
||||||
|
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
+ if (FIPS_mode()) {
|
||||||
|
+ if (type == KEY_DSA)
|
||||||
|
+ fatal("DSA keys are not allowed in FIPS mode");
|
||||||
|
+ if (type == KEY_ED25519)
|
||||||
|
+ fatal("ED25519 keys are not allowed in FIPS mode");
|
||||||
|
+ }
|
||||||
|
switch (type) {
|
||||||
|
case KEY_DSA:
|
||||||
|
if (*bitsp != 1024)
|
||||||
|
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||||
|
first = 1;
|
||||||
|
printf("%s: generating new host keys: ", __progname);
|
||||||
|
}
|
||||||
|
+ type = sshkey_type_from_name(key_types[i].key_type);
|
||||||
|
+
|
||||||
|
+ /* Skip the keys that are not supported in FIPS mode */
|
||||||
|
+ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
|
||||||
|
+ logit("Skipping %s key in FIPS mode",
|
||||||
|
+ key_types[i].key_type_display);
|
||||||
|
+ goto next;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
printf("%s ", key_types[i].key_type_display);
|
||||||
|
fflush(stdout);
|
||||||
|
- type = sshkey_type_from_name(key_types[i].key_type);
|
||||||
|
if ((fd = mkstemp(prv_tmp)) == -1) {
|
||||||
|
error("Could not save your private key in %s: %s",
|
||||||
|
prv_tmp, strerror(errno));
|
|
@ -0,0 +1,647 @@
|
||||||
|
diff --git a/auth-krb5.c b/auth-krb5.c
|
||||||
|
index a5a81ed2..63f877f2 100644
|
||||||
|
--- a/auth-krb5.c
|
||||||
|
+++ b/auth-krb5.c
|
||||||
|
@@ -51,6 +51,7 @@
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <krb5.h>
|
||||||
|
+#include <profile.h>
|
||||||
|
|
||||||
|
extern ServerOptions options;
|
||||||
|
|
||||||
|
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||||
|
#endif
|
||||||
|
krb5_error_code problem;
|
||||||
|
krb5_ccache ccache = NULL;
|
||||||
|
- int len;
|
||||||
|
+ char *ticket_name = NULL;
|
||||||
|
char *client, *platform_client;
|
||||||
|
const char *errmsg;
|
||||||
|
|
||||||
|
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
|
||||||
|
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
|
||||||
|
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
|
||||||
|
if (problem)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||||
|
if (problem)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
|
||||||
|
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
|
||||||
|
&creds);
|
||||||
|
if (problem)
|
||||||
|
goto out;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||||
|
+ problem = krb5_cc_get_full_name(authctxt->krb5_ctx,
|
||||||
|
+ authctxt->krb5_fwd_ccache, &ticket_name);
|
||||||
|
|
||||||
|
- len = strlen(authctxt->krb5_ticket_file) + 6;
|
||||||
|
- authctxt->krb5_ccname = xmalloc(len);
|
||||||
|
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
|
||||||
|
- authctxt->krb5_ticket_file);
|
||||||
|
+ authctxt->krb5_ccname = xstrdup(ticket_name);
|
||||||
|
+ krb5_free_string(authctxt->krb5_ctx, ticket_name);
|
||||||
|
|
||||||
|
#ifdef USE_PAM
|
||||||
|
- if (options.use_pam)
|
||||||
|
+ if (options.use_pam && authctxt->krb5_set_env)
|
||||||
|
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||||
|
void
|
||||||
|
krb5_cleanup_proc(Authctxt *authctxt)
|
||||||
|
{
|
||||||
|
+ struct stat krb5_ccname_stat;
|
||||||
|
+ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;
|
||||||
|
+
|
||||||
|
debug("krb5_cleanup_proc called");
|
||||||
|
if (authctxt->krb5_fwd_ccache) {
|
||||||
|
- krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||||
|
+ krb5_context ctx = authctxt->krb5_ctx;
|
||||||
|
+ krb5_cccol_cursor cursor;
|
||||||
|
+ krb5_ccache ccache;
|
||||||
|
+ int ret;
|
||||||
|
+
|
||||||
|
+ krb5_cc_destroy(ctx, authctxt->krb5_fwd_ccache);
|
||||||
|
authctxt->krb5_fwd_ccache = NULL;
|
||||||
|
+
|
||||||
|
+ ret = krb5_cccol_cursor_new(ctx, &cursor);
|
||||||
|
+ if (ret)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
+ ret = krb5_cccol_cursor_next(ctx, cursor, &ccache);
|
||||||
|
+ if (ret == 0 && ccache != NULL) {
|
||||||
|
+ /* There is at least one other ccache in collection
|
||||||
|
+ * we can switch to */
|
||||||
|
+ krb5_cc_switch(ctx, ccache);
|
||||||
|
+ } else if (authctxt->krb5_ccname != NULL) {
|
||||||
|
+ /* Clean up the collection too */
|
||||||
|
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
|
||||||
|
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
|
||||||
|
+ *krb5_ccname_dir_start++ = '\0';
|
||||||
|
+ if (strcmp(krb5_ccname, "DIR") == 0) {
|
||||||
|
+
|
||||||
|
+ strcat(krb5_ccname_dir_start, "/primary");
|
||||||
|
+
|
||||||
|
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
|
||||||
|
+ if (unlink(krb5_ccname_dir_start) == 0) {
|
||||||
|
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
|
||||||
|
+ *krb5_ccname_dir_end = '\0';
|
||||||
|
+ if (rmdir(krb5_ccname_dir_start) == -1)
|
||||||
|
+ debug("cache dir '%s' remove failed: %s",
|
||||||
|
+ krb5_ccname_dir_start, strerror(errno));
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ debug("cache primary file '%s', remove failed: %s",
|
||||||
|
+ krb5_ccname_dir_start, strerror(errno));
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ krb5_cccol_cursor_free(ctx, &cursor);
|
||||||
|
}
|
||||||
|
+out:
|
||||||
|
if (authctxt->krb5_user) {
|
||||||
|
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
||||||
|
authctxt->krb5_user = NULL;
|
||||||
|
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-#ifndef HEIMDAL
|
||||||
|
+
|
||||||
|
+#if !defined(HEIMDAL)
|
||||||
|
+int
|
||||||
|
+ssh_asprintf_append(char **dsc, const char *fmt, ...) {
|
||||||
|
+ char *src, *old;
|
||||||
|
+ va_list ap;
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ va_start(ap, fmt);
|
||||||
|
+ i = vasprintf(&src, fmt, ap);
|
||||||
|
+ va_end(ap);
|
||||||
|
+
|
||||||
|
+ if (i == -1 || src == NULL)
|
||||||
|
+ return -1;
|
||||||
|
+
|
||||||
|
+ old = *dsc;
|
||||||
|
+
|
||||||
|
+ i = asprintf(dsc, "%s%s", *dsc, src);
|
||||||
|
+ if (i == -1 || src == NULL) {
|
||||||
|
+ free(src);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(old);
|
||||||
|
+ free(src);
|
||||||
|
+
|
||||||
|
+ return i;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+ssh_krb5_expand_template(char **result, const char *template) {
|
||||||
|
+ char *p_n, *p_o, *r, *tmp_template;
|
||||||
|
+
|
||||||
|
+ debug3("%s: called, template = %s", __func__, template);
|
||||||
|
+ if (template == NULL)
|
||||||
|
+ return -1;
|
||||||
|
+
|
||||||
|
+ tmp_template = p_n = p_o = xstrdup(template);
|
||||||
|
+ r = xstrdup("");
|
||||||
|
+
|
||||||
|
+ while ((p_n = strstr(p_o, "%{")) != NULL) {
|
||||||
|
+
|
||||||
|
+ *p_n++ = '\0';
|
||||||
|
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+ if (strncmp(p_n, "{uid}", 5) == 0 || strncmp(p_n, "{euid}", 6) == 0 ||
|
||||||
|
+ strncmp(p_n, "{USERID}", 8) == 0) {
|
||||||
|
+ p_o = strchr(p_n, '}') + 1;
|
||||||
|
+ if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ else if (strncmp(p_n, "{TEMP}", 6) == 0) {
|
||||||
|
+ p_o = strchr(p_n, '}') + 1;
|
||||||
|
+ if (ssh_asprintf_append(&r, "/tmp") == -1)
|
||||||
|
+ goto cleanup;
|
||||||
|
+ continue;
|
||||||
|
+ } else {
|
||||||
|
+ p_o = strchr(p_n, '}') + 1;
|
||||||
|
+ *p_o = '\0';
|
||||||
|
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
|
||||||
|
+ /* unknown token, fallback to the default */
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
|
||||||
|
+ goto cleanup;
|
||||||
|
+
|
||||||
|
+ *result = r;
|
||||||
|
+ free(tmp_template);
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+cleanup:
|
||||||
|
+ free(r);
|
||||||
|
+ free(tmp_template);
|
||||||
|
+ return -1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
krb5_error_code
|
||||||
|
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||||
|
- int tmpfd, ret, oerrno;
|
||||||
|
- char ccname[40];
|
||||||
|
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
||||||
|
+ profile_t p;
|
||||||
|
+ int ret = 0;
|
||||||
|
+ char *value = NULL;
|
||||||
|
+
|
||||||
|
+ debug3("%s: called", __func__);
|
||||||
|
+ ret = krb5_get_profile(ctx, &p);
|
||||||
|
+ if (ret)
|
||||||
|
+ return ret;
|
||||||
|
+
|
||||||
|
+ ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
|
||||||
|
+ if (ret || !value)
|
||||||
|
+ return ret;
|
||||||
|
+
|
||||||
|
+ ret = ssh_krb5_expand_template(ccname, value);
|
||||||
|
+
|
||||||
|
+ debug3("%s: returning with ccname = %s", __func__, *ccname);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+krb5_error_code
|
||||||
|
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
|
||||||
|
+ int tmpfd, ret, oerrno, type_len;
|
||||||
|
+ char *ccname = NULL;
|
||||||
|
mode_t old_umask;
|
||||||
|
+ char *type = NULL, *colon = NULL;
|
||||||
|
|
||||||
|
- ret = snprintf(ccname, sizeof(ccname),
|
||||||
|
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
|
||||||
|
- if (ret < 0 || (size_t)ret >= sizeof(ccname))
|
||||||
|
- return ENOMEM;
|
||||||
|
-
|
||||||
|
- old_umask = umask(0177);
|
||||||
|
- tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||||
|
- oerrno = errno;
|
||||||
|
- umask(old_umask);
|
||||||
|
- if (tmpfd == -1) {
|
||||||
|
- logit("mkstemp(): %.100s", strerror(oerrno));
|
||||||
|
- return oerrno;
|
||||||
|
- }
|
||||||
|
+ debug3("%s: called", __func__);
|
||||||
|
+ if (need_environment)
|
||||||
|
+ *need_environment = 0;
|
||||||
|
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
||||||
|
+ if (ret || !ccname || options.kerberos_unique_ccache) {
|
||||||
|
+ /* Otherwise, go with the old method */
|
||||||
|
+ if (ccname)
|
||||||
|
+ free(ccname);
|
||||||
|
+ ccname = NULL;
|
||||||
|
+
|
||||||
|
+ ret = asprintf(&ccname,
|
||||||
|
+ "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
|
||||||
|
+ if (ret < 0)
|
||||||
|
+ return ENOMEM;
|
||||||
|
|
||||||
|
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
||||||
|
+ old_umask = umask(0177);
|
||||||
|
+ tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||||
|
oerrno = errno;
|
||||||
|
- logit("fchmod(): %.100s", strerror(oerrno));
|
||||||
|
+ umask(old_umask);
|
||||||
|
+ if (tmpfd == -1) {
|
||||||
|
+ logit("mkstemp(): %.100s", strerror(oerrno));
|
||||||
|
+ return oerrno;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
||||||
|
+ oerrno = errno;
|
||||||
|
+ logit("fchmod(): %.100s", strerror(oerrno));
|
||||||
|
+ close(tmpfd);
|
||||||
|
+ return oerrno;
|
||||||
|
+ }
|
||||||
|
+ /* make sure the KRB5CCNAME is set for non-standard location */
|
||||||
|
+ if (need_environment)
|
||||||
|
+ *need_environment = 1;
|
||||||
|
close(tmpfd);
|
||||||
|
- return oerrno;
|
||||||
|
}
|
||||||
|
- close(tmpfd);
|
||||||
|
|
||||||
|
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
|
+ debug3("%s: setting default ccname to %s", __func__, ccname);
|
||||||
|
+ /* set the default with already expanded user IDs */
|
||||||
|
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
||||||
|
+ if (ret)
|
||||||
|
+ return ret;
|
||||||
|
+
|
||||||
|
+ if ((colon = strstr(ccname, ":")) != NULL) {
|
||||||
|
+ type_len = colon - ccname;
|
||||||
|
+ type = malloc((type_len + 1) * sizeof(char));
|
||||||
|
+ if (type == NULL)
|
||||||
|
+ return ENOMEM;
|
||||||
|
+ strncpy(type, ccname, type_len);
|
||||||
|
+ type[type_len] = 0;
|
||||||
|
+ } else {
|
||||||
|
+ type = strdup(ccname);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* If we have a credential cache from krb5.conf, we need to switch
|
||||||
|
+ * a primary cache for this collection, if it supports that (non-FILE)
|
||||||
|
+ */
|
||||||
|
+ if (krb5_cc_support_switch(ctx, type)) {
|
||||||
|
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname);
|
||||||
|
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
||||||
|
+ free(type);
|
||||||
|
+ if (ret)
|
||||||
|
+ return ret;
|
||||||
|
+
|
||||||
|
+ debug3("%s: calling cc_switch()", __func__);
|
||||||
|
+ return krb5_cc_switch(ctx, *ccache);
|
||||||
|
+ } else {
|
||||||
|
+ /* Otherwise, we can not create a unique ccname here (either
|
||||||
|
+ * it is already unique from above or the type does not support
|
||||||
|
+ * collections
|
||||||
|
+ */
|
||||||
|
+ free(type);
|
||||||
|
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname);
|
||||||
|
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
#endif /* !HEIMDAL */
|
||||||
|
#endif /* KRB5 */
|
||||||
|
diff --git a/auth.h b/auth.h
|
||||||
|
index 29491df9..fdab5040 100644
|
||||||
|
--- a/auth.h
|
||||||
|
+++ b/auth.h
|
||||||
|
@@ -82,6 +82,7 @@ struct Authctxt {
|
||||||
|
krb5_principal krb5_user;
|
||||||
|
char *krb5_ticket_file;
|
||||||
|
char *krb5_ccname;
|
||||||
|
+ int krb5_set_env;
|
||||||
|
#endif
|
||||||
|
struct sshbuf *loginmsg;
|
||||||
|
|
||||||
|
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *);
|
||||||
|
int sys_auth_passwd(struct ssh *, const char *);
|
||||||
|
|
||||||
|
#if defined(KRB5) && !defined(HEIMDAL)
|
||||||
|
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
||||||
|
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* AUTH_H */
|
||||||
|
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
|
||||||
|
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100
|
||||||
|
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100
|
||||||
|
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||||
|
/* This writes out any forwarded credentials from the structure populated
|
||||||
|
* during userauth. Called after we have setuid to the user */
|
||||||
|
|
||||||
|
-static void
|
||||||
|
+static int
|
||||||
|
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||||
|
{
|
||||||
|
krb5_ccache ccache;
|
||||||
|
@@ -276,14 +276,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||||
|
OM_uint32 maj_status, min_status;
|
||||||
|
const char *new_ccname, *new_cctype;
|
||||||
|
const char *errmsg;
|
||||||
|
+ int set_env = 0;
|
||||||
|
|
||||||
|
if (client->creds == NULL) {
|
||||||
|
debug("No credentials stored");
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ssh_gssapi_krb5_init() == 0)
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
|
||||||
|
#ifdef HEIMDAL
|
||||||
|
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
|
||||||
|
@@ -297,14 +298,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||||
|
krb5_get_err_text(krb_context, problem));
|
||||||
|
# endif
|
||||||
|
krb5_free_error_message(krb_context, errmsg);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
- if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
|
||||||
|
+ if ((problem = ssh_krb5_cc_new_unique(krb_context, &ccache, &set_env)) != 0) {
|
||||||
|
errmsg = krb5_get_error_message(krb_context, problem);
|
||||||
|
- logit("ssh_krb5_cc_gen(): %.100s", errmsg);
|
||||||
|
+ logit("ssh_krb5_cc_new_unique(): %.100s", errmsg);
|
||||||
|
krb5_free_error_message(krb_context, errmsg);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
#endif /* #ifdef HEIMDAL */
|
||||||
|
|
||||||
|
@@ -313,7 +314,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||||
|
errmsg = krb5_get_error_message(krb_context, problem);
|
||||||
|
logit("krb5_parse_name(): %.100s", errmsg);
|
||||||
|
krb5_free_error_message(krb_context, errmsg);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
|
||||||
|
@@ -322,7 +323,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||||
|
krb5_free_error_message(krb_context, errmsg);
|
||||||
|
krb5_free_principal(krb_context, princ);
|
||||||
|
krb5_cc_destroy(krb_context, ccache);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
krb5_free_principal(krb_context, princ);
|
||||||
|
@@ -331,32 +332,21 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||||
|
client->creds, ccache))) {
|
||||||
|
logit("gss_krb5_copy_ccache() failed");
|
||||||
|
krb5_cc_destroy(krb_context, ccache);
|
||||||
|
- return;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
new_cctype = krb5_cc_get_type(krb_context, ccache);
|
||||||
|
new_ccname = krb5_cc_get_name(krb_context, ccache);
|
||||||
|
-
|
||||||
|
- client->store.envvar = "KRB5CCNAME";
|
||||||
|
-#ifdef USE_CCAPI
|
||||||
|
- xasprintf(&client->store.envval, "API:%s", new_ccname);
|
||||||
|
- client->store.filename = NULL;
|
||||||
|
-#else
|
||||||
|
- if (new_ccname[0] == ':')
|
||||||
|
- new_ccname++;
|
||||||
|
xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);
|
||||||
|
- if (strcmp(new_cctype, "DIR") == 0) {
|
||||||
|
- char *p;
|
||||||
|
- p = strrchr(client->store.envval, '/');
|
||||||
|
- if (p)
|
||||||
|
- *p = '\0';
|
||||||
|
+
|
||||||
|
+ if (set_env) {
|
||||||
|
+ client->store.envvar = "KRB5CCNAME";
|
||||||
|
}
|
||||||
|
if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))
|
||||||
|
client->store.filename = xstrdup(new_ccname);
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
#ifdef USE_PAM
|
||||||
|
- if (options.use_pam)
|
||||||
|
+ if (options.use_pam && set_env)
|
||||||
|
do_pam_putenv(client->store.envvar, client->store.envval);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||||
|
|
||||||
|
client->store.data = krb_context;
|
||||||
|
|
||||||
|
- return;
|
||||||
|
+ return set_env;
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
diff --git a/gss-serv.c b/gss-serv.c
|
||||||
|
index 6cae720e..16e55cbc 100644
|
||||||
|
--- a/gss-serv.c
|
||||||
|
+++ b/gss-serv.c
|
||||||
|
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* As user */
|
||||||
|
-void
|
||||||
|
+int
|
||||||
|
ssh_gssapi_storecreds(void)
|
||||||
|
{
|
||||||
|
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
||||||
|
- (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||||
|
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||||
|
} else
|
||||||
|
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* This allows GSSAPI methods to do things to the child's environment based
|
||||||
|
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
|
||||||
|
char *envstr;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if (gssapi_client.store.filename == NULL &&
|
||||||
|
- gssapi_client.store.envval == NULL &&
|
||||||
|
- gssapi_client.store.envvar == NULL)
|
||||||
|
+ if (gssapi_client.store.envval == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
|
||||||
|
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
||||||
|
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
|
||||||
|
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
|
||||||
|
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
|
||||||
|
options->kerberos_or_local_passwd = -1;
|
||||||
|
options->kerberos_ticket_cleanup = -1;
|
||||||
|
options->kerberos_get_afs_token = -1;
|
||||||
|
+ options->kerberos_unique_ccache = -1;
|
||||||
|
options->gss_authentication=-1;
|
||||||
|
options->gss_keyex = -1;
|
||||||
|
options->gss_cleanup_creds = -1;
|
||||||
|
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
|
||||||
|
options->kerberos_ticket_cleanup = 1;
|
||||||
|
if (options->kerberos_get_afs_token == -1)
|
||||||
|
options->kerberos_get_afs_token = 0;
|
||||||
|
+ if (options->kerberos_unique_ccache == -1)
|
||||||
|
+ options->kerberos_unique_ccache = 0;
|
||||||
|
if (options->gss_authentication == -1)
|
||||||
|
options->gss_authentication = 0;
|
||||||
|
if (options->gss_keyex == -1)
|
||||||
|
@@ -447,7 +450,8 @@ typedef enum {
|
||||||
|
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||||
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
|
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
||||||
|
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||||
|
+ sChallengeResponseAuthentication,
|
||||||
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||||
|
sListenAddress, sAddressFamily,
|
||||||
|
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||||
|
@@ -526,11 +530,13 @@ static struct {
|
||||||
|
#else
|
||||||
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
#endif
|
||||||
|
+ { "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
|
||||||
|
#else
|
||||||
|
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||||
|
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
+ { "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
#endif
|
||||||
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||||
|
intptr = &options->kerberos_get_afs_token;
|
||||||
|
goto parse_flag;
|
||||||
|
|
||||||
|
+ case sKerberosUniqueCCache:
|
||||||
|
+ intptr = &options->kerberos_unique_ccache;
|
||||||
|
+ goto parse_flag;
|
||||||
|
+
|
||||||
|
case sGssAuthentication:
|
||||||
|
intptr = &options->gss_authentication;
|
||||||
|
goto parse_flag;
|
||||||
|
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o)
|
||||||
|
# ifdef USE_AFS
|
||||||
|
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
||||||
|
# endif
|
||||||
|
+ dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
|
||||||
|
#endif
|
||||||
|
#ifdef GSSAPI
|
||||||
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||||
|
diff --git a/servconf.h b/servconf.h
|
||||||
|
index db8362c6..4fa42d64 100644
|
||||||
|
--- a/servconf.h
|
||||||
|
+++ b/servconf.h
|
||||||
|
@@ -123,6 +123,8 @@ typedef struct {
|
||||||
|
* file on logout. */
|
||||||
|
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||||
|
* authenticated with Kerberos. */
|
||||||
|
+ int kerberos_unique_ccache; /* If true, the acquired ticket will
|
||||||
|
+ * be stored in per-session ccache */
|
||||||
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
|
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
||||||
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||||
|
diff --git a/session.c b/session.c
|
||||||
|
index 85df6a27..480a5ead 100644
|
||||||
|
--- a/session.c
|
||||||
|
+++ b/session.c
|
||||||
|
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||||
|
/* Allow any GSSAPI methods that we've used to alter
|
||||||
|
* the child's environment as they see fit
|
||||||
|
*/
|
||||||
|
- ssh_gssapi_do_child(&env, &envsize);
|
||||||
|
+ if (s->authctxt->krb5_set_env)
|
||||||
|
+ ssh_gssapi_do_child(&env, &envsize);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Set basic environment. */
|
||||||
|
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
#ifdef KRB5
|
||||||
|
- if (s->authctxt->krb5_ccname)
|
||||||
|
+ if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
|
||||||
|
child_set_env(&env, &envsize, "KRB5CCNAME",
|
||||||
|
s->authctxt->krb5_ccname);
|
||||||
|
#endif
|
||||||
|
diff --git a/ssh-gss.h b/ssh-gss.h
|
||||||
|
index 6593e422..245178af 100644
|
||||||
|
--- a/ssh-gss.h
|
||||||
|
+++ b/ssh-gss.h
|
||||||
|
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
|
||||||
|
int (*dochild) (ssh_gssapi_client *);
|
||||||
|
int (*userok) (ssh_gssapi_client *, char *);
|
||||||
|
int (*localname) (ssh_gssapi_client *, char **);
|
||||||
|
- void (*storecreds) (ssh_gssapi_client *);
|
||||||
|
+ int (*storecreds) (ssh_gssapi_client *);
|
||||||
|
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
|
||||||
|
} ssh_gssapi_mech;
|
||||||
|
|
||||||
|
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
|
||||||
|
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||||
|
void ssh_gssapi_do_child(char ***, u_int *);
|
||||||
|
void ssh_gssapi_cleanup_creds(void);
|
||||||
|
-void ssh_gssapi_storecreds(void);
|
||||||
|
+int ssh_gssapi_storecreds(void);
|
||||||
|
const char *ssh_gssapi_displayname(void);
|
||||||
|
|
||||||
|
char *ssh_gssapi_server_mechanisms(void);
|
||||||
|
diff --git a/sshd.c b/sshd.c
|
||||||
|
index edbe815c..89514e8a 100644
|
||||||
|
--- a/sshd.c
|
||||||
|
+++ b/sshd.c
|
||||||
|
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
|
||||||
|
#ifdef GSSAPI
|
||||||
|
if (options.gss_authentication) {
|
||||||
|
temporarily_use_uid(authctxt->pw);
|
||||||
|
- ssh_gssapi_storecreds();
|
||||||
|
+ authctxt->krb5_set_env = ssh_gssapi_storecreds();
|
||||||
|
restore_uid();
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
diff --git a/sshd_config.5 b/sshd_config.5
|
||||||
|
index c0683d4a..2349f477 100644
|
||||||
|
--- a/sshd_config.5
|
||||||
|
+++ b/sshd_config.5
|
||||||
|
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
|
||||||
|
file on logout.
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
|
+.It Cm KerberosUniqueCCache
|
||||||
|
+Specifies whether to store the acquired tickets in the per-session credential
|
||||||
|
+cache under /tmp/ or whether to use per-user credential cache as configured in
|
||||||
|
+.Pa /etc/krb5.conf .
|
||||||
|
+The default value
|
||||||
|
+.Cm no
|
||||||
|
+can lead to overwriting previous tickets by subseqent connections to the same
|
||||||
|
+user account.
|
||||||
|
.It Cm KexAlgorithms
|
||||||
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
|
Multiple algorithms must be comma-separated.
|
|
@ -0,0 +1,117 @@
|
||||||
|
diff -up openssh/ssh_config.redhat openssh/ssh_config
|
||||||
|
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
|
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
|
||||||
|
@@ -43,3 +43,10 @@
|
||||||
|
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||||
|
# RekeyLimit 1G 1h
|
||||||
|
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
|
||||||
|
+#
|
||||||
|
+# This system is following system-wide crypto policy.
|
||||||
|
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
|
||||||
|
+# file under /etc/ssh/ssh_config.d/ which will be automatically
|
||||||
|
+# included below. For more information, see manual page for
|
||||||
|
+# update-crypto-policies(8) and ssh_config(5).
|
||||||
|
+Include /etc/ssh/ssh_config.d/*.conf
|
||||||
|
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
|
||||||
|
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
|
||||||
|
+++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100
|
||||||
|
@@ -0,0 +1,21 @@
|
||||||
|
+# The options here are in the "Match final block" to be applied as the last
|
||||||
|
+# options and could be potentially overwritten by the user configuration
|
||||||
|
+Match final all
|
||||||
|
+ # Follow system-wide Crypto Policy, if defined:
|
||||||
|
+ Include /etc/crypto-policies/back-ends/openssh.config
|
||||||
|
+
|
||||||
|
+ GSSAPIAuthentication yes
|
||||||
|
+
|
||||||
|
+# If this option is set to yes then remote X11 clients will have full access
|
||||||
|
+# to the original X11 display. As virtually no X11 client supports the untrusted
|
||||||
|
+# mode correctly we set this to yes.
|
||||||
|
+ ForwardX11Trusted yes
|
||||||
|
+
|
||||||
|
+# Send locale-related environment variables
|
||||||
|
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
|
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
|
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||||
|
+ SendEnv XMODIFIERS
|
||||||
|
+
|
||||||
|
+# Uncomment this if you want to use .local domain
|
||||||
|
+# Host *.local
|
||||||
|
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
|
||||||
|
--- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100
|
||||||
|
+++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100
|
||||||
|
@@ -970,9 +970,9 @@ DESCRIPTION
|
||||||
|
|
||||||
|
SyslogFacility
|
||||||
|
Gives the facility code that is used when logging messages from
|
||||||
|
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||||
|
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||||
|
- default is AUTH.
|
||||||
|
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||||
|
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||||
|
+ The default is AUTH.
|
||||||
|
|
||||||
|
TCPKeepAlive
|
||||||
|
Specifies whether the system should send TCP keepalive messages
|
||||||
|
diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
|
||||||
|
--- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
|
+++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100
|
||||||
|
@@ -1614,7 +1614,7 @@ By default no subsystems are defined.
|
||||||
|
.It Cm SyslogFacility
|
||||||
|
Gives the facility code that is used when logging messages from
|
||||||
|
.Xr sshd 8 .
|
||||||
|
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||||
|
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||||
|
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||||
|
The default is AUTH.
|
||||||
|
.It Cm TCPKeepAlive
|
||||||
|
diff -up openssh/sshd_config.redhat openssh/sshd_config
|
||||||
|
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||||
|
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
|
||||||
|
@@ -10,6 +10,14 @@
|
||||||
|
# possible, but leave them commented. Uncommented options override the
|
||||||
|
# default value.
|
||||||
|
|
||||||
|
+# To modify the system-wide sshd configuration, create a *.conf file under
|
||||||
|
+# /etc/ssh/sshd_config.d/ which will be automatically included below
|
||||||
|
+Include /etc/ssh/sshd_config.d/*.conf
|
||||||
|
+
|
||||||
|
+# If you want to change the port on a SELinux system, you have to tell
|
||||||
|
+# SELinux about this change.
|
||||||
|
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
||||||
|
+#
|
||||||
|
#Port 22
|
||||||
|
#AddressFamily any
|
||||||
|
#ListenAddress 0.0.0.0
|
||||||
|
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
|
||||||
|
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
|
||||||
|
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
|
||||||
|
@@ -0,0 +1,28 @@
|
||||||
|
+# This system is following system-wide crypto policy. The changes to
|
||||||
|
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
|
||||||
|
+# this or following included files. To override some configuration option,
|
||||||
|
+# write it before this block or include it before this file.
|
||||||
|
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
|
||||||
|
+Include /etc/crypto-policies/back-ends/opensshserver.config
|
||||||
|
+
|
||||||
|
+SyslogFacility AUTHPRIV
|
||||||
|
+
|
||||||
|
+ChallengeResponseAuthentication no
|
||||||
|
+
|
||||||
|
+GSSAPIAuthentication yes
|
||||||
|
+GSSAPICleanupCredentials no
|
||||||
|
+
|
||||||
|
+UsePAM yes
|
||||||
|
+
|
||||||
|
+X11Forwarding yes
|
||||||
|
+
|
||||||
|
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
|
||||||
|
+# as it is more configurable and versatile than the built-in version.
|
||||||
|
+PrintMotd no
|
||||||
|
+
|
||||||
|
+# Accept locale-related environment variables
|
||||||
|
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||||
|
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||||
|
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||||
|
+AcceptEnv XMODIFIERS
|
||||||
|
+
|
|
@ -3,15 +3,15 @@ diff --git a/sshd.c b/sshd.c
|
||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
|
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
|
||||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||||
&cfg, NULL);
|
cfg, &includes, NULL);
|
||||||
|
|
||||||
+ /* 'UsePAM no' is not supported in Fedora */
|
+ /* 'UsePAM no' is not supported in Fedora */
|
||||||
+ if (! options.use_pam)
|
+ if (! options.use_pam)
|
||||||
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
|
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
|
||||||
+
|
+
|
||||||
seed_rng();
|
|
||||||
|
|
||||||
/* Fill in default values for those options not explicitly set. */
|
/* Fill in default values for those options not explicitly set. */
|
||||||
|
fill_default_server_options(&options);
|
||||||
|
|
||||||
diff --git a/sshd_config b/sshd_config
|
diff --git a/sshd_config b/sshd_config
|
||||||
--- a/sshd_config
|
--- a/sshd_config
|
||||||
+++ b/sshd_config
|
+++ b/sshd_config
|
||||||
|
@ -21,6 +21,6 @@ diff --git a/sshd_config b/sshd_config
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
||||||
+# problems.
|
+# problems.
|
||||||
UsePAM yes
|
#UsePAM no
|
||||||
|
|
||||||
#AllowAgentForwarding yes
|
#AllowAgentForwarding yes
|
|
@ -1,17 +1,17 @@
|
||||||
diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
|
diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||||
--- openssh-7.4p1/auth2.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/auth2.c 2016-12-23 12:19:58.587459379 +0100
|
+++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
|
||||||
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
|
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
|
||||||
Authctxt *authctxt = ssh->authctxt;
|
Authctxt *authctxt = ssh->authctxt;
|
||||||
Authmethod *m = NULL;
|
Authmethod *m = NULL;
|
||||||
char *user, *service, *method, *style = NULL;
|
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ char *role = NULL;
|
+ char *role = NULL;
|
||||||
+#endif
|
+#endif
|
||||||
int authenticated = 0;
|
int r, authenticated = 0;
|
||||||
|
double tstart = monotime_double();
|
||||||
|
|
||||||
if (authctxt == NULL)
|
@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
|
||||||
@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32
|
|
||||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||||
|
|
||||||
|
@ -23,7 +23,7 @@ diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
|
||||||
if ((style = strchr(user, ':')) != NULL)
|
if ((style = strchr(user, ':')) != NULL)
|
||||||
*style++ = 0;
|
*style++ = 0;
|
||||||
|
|
||||||
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
|
@@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32
|
||||||
use_privsep ? " [net]" : "");
|
use_privsep ? " [net]" : "");
|
||||||
authctxt->service = xstrdup(service);
|
authctxt->service = xstrdup(service);
|
||||||
authctxt->style = style ? xstrdup(style) : NULL;
|
authctxt->style = style ? xstrdup(style) : NULL;
|
||||||
|
@ -37,52 +37,51 @@ diff -up openssh-7.4p1/auth2.c.role-mls openssh-7.4p1/auth2.c
|
||||||
+ mm_inform_authrole(role);
|
+ mm_inform_authrole(role);
|
||||||
+#endif
|
+#endif
|
||||||
+ }
|
+ }
|
||||||
userauth_banner();
|
userauth_banner(ssh);
|
||||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
if (auth2_setup_methods_lists(authctxt) != 0)
|
||||||
packet_disconnect("no authentication methods enabled");
|
ssh_packet_disconnect(ssh,
|
||||||
diff -up openssh-7.4p1/auth2-gss.c.role-mls openssh-7.4p1/auth2-gss.c
|
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||||
--- openssh-7.4p1/auth2-gss.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/auth2-gss.c 2016-12-23 12:19:58.586459382 +0100
|
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
||||||
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
Authctxt *authctxt = ssh->authctxt;
|
Authctxt *authctxt = ssh->authctxt;
|
||||||
Gssctxt *gssctxt;
|
Gssctxt *gssctxt;
|
||||||
int authenticated = 0;
|
int r, authenticated = 0;
|
||||||
+ char *micuser;
|
+ char *micuser;
|
||||||
Buffer b;
|
struct sshbuf *b;
|
||||||
gss_buffer_desc mic, gssbuf;
|
gss_buffer_desc mic, gssbuf;
|
||||||
u_int len;
|
const char *displayname;
|
||||||
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
mic.value = packet_get_string(&len);
|
fatal("%s: sshbuf_new failed", __func__);
|
||||||
|
mic.value = p;
|
||||||
mic.length = len;
|
mic.length = len;
|
||||||
|
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
+ if (authctxt->role && authctxt->role[0] != 0)
|
||||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||||
+ else
|
+ else
|
||||||
+#endif
|
+#endif
|
||||||
+ micuser = authctxt->user;
|
+ micuser = authctxt->user;
|
||||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
||||||
"gssapi-with-mic");
|
"gssapi-with-mic");
|
||||||
|
|
||||||
gssbuf.value = buffer_ptr(&b);
|
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
logit("GSSAPI MIC check failed");
|
logit("GSSAPI MIC check failed");
|
||||||
|
|
||||||
buffer_free(&b);
|
sshbuf_free(b);
|
||||||
+ if (micuser != authctxt->user)
|
+ if (micuser != authctxt->user)
|
||||||
+ free(micuser);
|
+ free(micuser);
|
||||||
free(mic.value);
|
free(mic.value);
|
||||||
|
|
||||||
if ((!use_privsep || mm_is_monitor()) &&
|
if ((!use_privsep || mm_is_monitor()) &&
|
||||||
diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.c
|
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
||||||
--- openssh-7.4p1/auth2-hostbased.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/auth2-hostbased.c 2016-12-23 12:19:58.586459382 +0100
|
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||||
@@ -121,7 +121,16 @@ userauth_hostbased(Authctxt *authctxt)
|
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
/* reconstruct packet */
|
/* reconstruct packet */
|
||||||
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
|
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
|
||||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||||
- (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ (authctxt->role
|
+ (authctxt->role
|
||||||
+ ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
|
+ ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
|
||||||
|
@ -91,16 +90,16 @@ diff -up openssh-7.4p1/auth2-hostbased.c.role-mls openssh-7.4p1/auth2-hostbased.
|
||||||
+ (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
|
+ (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
|
||||||
+ : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
|
+ : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
|
||||||
+#else
|
+#else
|
||||||
+ (r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||||
+#endif
|
+#endif
|
||||||
(r = sshbuf_put_cstring(b, service)) != 0 ||
|
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
|
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
|
||||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||||
diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
|
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
||||||
--- openssh-7.4p1/auth2-pubkey.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
|
||||||
+++ openssh-7.4p1/auth2-pubkey.c 2016-12-23 12:19:58.587459379 +0100
|
+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
|
||||||
@@ -151,9 +151,15 @@ userauth_pubkey(Authctxt *authctxt)
|
@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
__func__, ssh_err(r));
|
goto done;
|
||||||
}
|
}
|
||||||
/* reconstruct packet */
|
/* reconstruct packet */
|
||||||
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
|
@ -110,17 +109,18 @@ diff -up openssh-7.4p1/auth2-pubkey.c.role-mls openssh-7.4p1/auth2-pubkey.c
|
||||||
+ authctxt->style ? authctxt->style : "",
|
+ authctxt->style ? authctxt->style : "",
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ authctxt->role ? "/" : "",
|
+ authctxt->role ? "/" : "",
|
||||||
+ authctxt->role ? authctxt->role : "");
|
+ authctxt->role ? authctxt->role : ""
|
||||||
+#else
|
+#else
|
||||||
+ "", "");
|
+ "", ""
|
||||||
+#endif
|
+#endif
|
||||||
|
+ );
|
||||||
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
||||||
(r = sshbuf_put_cstring(b, ssh->compat & SSH_BUG_PKSERVICE ?
|
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||||
diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
|
diff -up openssh/auth.h.role-mls openssh/auth.h
|
||||||
--- openssh-7.4p1/auth.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/auth.h 2016-12-23 12:19:43.478510375 +0100
|
+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
|
||||||
@@ -62,6 +62,9 @@ struct Authctxt {
|
@@ -65,6 +65,9 @@ struct Authctxt {
|
||||||
char *service;
|
char *service;
|
||||||
struct passwd *pw; /* set if 'valid' */
|
struct passwd *pw; /* set if 'valid' */
|
||||||
char *style;
|
char *style;
|
||||||
|
@ -130,10 +130,10 @@ diff -up openssh-7.4p1/auth.h.role-mls openssh-7.4p1/auth.h
|
||||||
|
|
||||||
/* Method lists for multiple authentication */
|
/* Method lists for multiple authentication */
|
||||||
char **auth_methods; /* modified from server config */
|
char **auth_methods; /* modified from server config */
|
||||||
diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c
|
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
|
||||||
--- openssh-7.4p1/auth-pam.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/auth-pam.c 2016-12-23 12:19:43.477510378 +0100
|
+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
|
||||||
@@ -1087,7 +1087,7 @@ is_pam_session_open(void)
|
@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
|
||||||
* during the ssh authentication process.
|
* during the ssh authentication process.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
|
@ -141,12 +141,12 @@ diff -up openssh-7.4p1/auth-pam.c.role-mls openssh-7.4p1/auth-pam.c
|
||||||
+do_pam_putenv(char *name, const char *value)
|
+do_pam_putenv(char *name, const char *value)
|
||||||
{
|
{
|
||||||
int ret = 1;
|
int ret = 1;
|
||||||
#ifdef HAVE_PAM_PUTENV
|
char *compound;
|
||||||
diff -up openssh-7.4p1/auth-pam.h.role-mls openssh-7.4p1/auth-pam.h
|
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
||||||
--- openssh-7.4p1/auth-pam.h.role-mls 2016-12-23 12:19:43.478510375 +0100
|
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/auth-pam.h 2016-12-23 12:21:44.698101234 +0100
|
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
|
||||||
@@ -31,7 +31,7 @@ u_int do_pam_account(void);
|
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
||||||
void do_pam_session(void);
|
void do_pam_session(struct ssh *);
|
||||||
void do_pam_setcred(int );
|
void do_pam_setcred(int );
|
||||||
void do_pam_chauthtok(void);
|
void do_pam_chauthtok(void);
|
||||||
-int do_pam_putenv(char *, char *);
|
-int do_pam_putenv(char *, char *);
|
||||||
|
@ -154,10 +154,10 @@ diff -up openssh-7.4p1/auth-pam.h.role-mls openssh-7.4p1/auth-pam.h
|
||||||
char ** fetch_pam_environment(void);
|
char ** fetch_pam_environment(void);
|
||||||
char ** fetch_pam_child_environment(void);
|
char ** fetch_pam_child_environment(void);
|
||||||
void free_pam_environment(char **);
|
void free_pam_environment(char **);
|
||||||
diff -up openssh-7.4p1/misc.c.role-mls openssh-7.4p1/misc.c
|
diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||||
--- openssh-7.4p1/misc.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/misc.c 2016-12-23 12:19:58.587459379 +0100
|
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
|
||||||
@@ -432,6 +432,7 @@ char *
|
@@ -542,6 +542,7 @@ char *
|
||||||
colon(char *cp)
|
colon(char *cp)
|
||||||
{
|
{
|
||||||
int flag = 0;
|
int flag = 0;
|
||||||
|
@ -165,7 +165,7 @@ diff -up openssh-7.4p1/misc.c.role-mls openssh-7.4p1/misc.c
|
||||||
|
|
||||||
if (*cp == ':') /* Leading colon is part of file name. */
|
if (*cp == ':') /* Leading colon is part of file name. */
|
||||||
return NULL;
|
return NULL;
|
||||||
@@ -447,6 +448,13 @@ colon(char *cp)
|
@@ -557,6 +558,13 @@ colon(char *cp)
|
||||||
return (cp);
|
return (cp);
|
||||||
if (*cp == '/')
|
if (*cp == '/')
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -179,20 +179,20 @@ diff -up openssh-7.4p1/misc.c.role-mls openssh-7.4p1/misc.c
|
||||||
}
|
}
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
|
diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||||
--- openssh-7.4p1/monitor.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/monitor.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/monitor.c 2016-12-23 12:23:03.503835248 +0100
|
+++ openssh/monitor.c 2018-08-22 11:19:56.006844867 +0200
|
||||||
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
|
@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *)
|
||||||
int mm_answer_pwnamallow(int, Buffer *);
|
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_authserv(int, Buffer *);
|
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+int mm_answer_authrole(int, Buffer *);
|
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
|
||||||
+#endif
|
+#endif
|
||||||
int mm_answer_authpassword(int, Buffer *);
|
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_bsdauthquery(int, Buffer *);
|
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||||
@@ -202,6 +205,9 @@ struct mon_table mon_dispatch_proto20[]
|
@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||||
|
@ -202,7 +202,7 @@ diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
|
||||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -769,6 +775,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
@@ -796,6 +802,9 @@ mm_answer_pwnamallow(int sock, struct ss
|
||||||
|
|
||||||
/* Allow service/style information on the auth context */
|
/* Allow service/style information on the auth context */
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||||
|
@ -212,19 +212,20 @@ diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
@@ -810,6 +819,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb
|
||||||
return (0);
|
return found;
|
||||||
}
|
}
|
||||||
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+int
|
+int
|
||||||
+mm_answer_authrole(int sock, Buffer *m)
|
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
+{
|
+{
|
||||||
|
+ int r;
|
||||||
+ monitor_permit_authentications(1);
|
+ monitor_permit_authentications(1);
|
||||||
+
|
+
|
||||||
+ authctxt->role = buffer_get_string(m, NULL);
|
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||||
+ debug3("%s: role=%s",
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
+ __func__, authctxt->role);
|
+ debug3("%s: role=%s", __func__, authctxt->role);
|
||||||
+
|
+
|
||||||
+ if (strlen(authctxt->role) == 0) {
|
+ if (strlen(authctxt->role) == 0) {
|
||||||
+ free(authctxt->role);
|
+ free(authctxt->role);
|
||||||
|
@ -236,48 +237,48 @@ diff -up openssh-7.4p1/monitor.c.role-mls openssh-7.4p1/monitor.c
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
int
|
int
|
||||||
mm_answer_authpassword(int sock, Buffer *m)
|
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
{
|
{
|
||||||
@@ -1208,7 +1236,7 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i
|
||||||
{
|
{
|
||||||
Buffer b;
|
struct sshbuf *b;
|
||||||
u_char *p;
|
const u_char *p;
|
||||||
- char *userstyle, *cp;
|
- char *userstyle, *cp;
|
||||||
+ char *userstyle, *r, *cp;
|
+ char *userstyle, *s, *cp;
|
||||||
u_int len;
|
size_t len;
|
||||||
int fail = 0;
|
u_char type;
|
||||||
|
int r, fail = 0;
|
||||||
@@ -1234,6 +1262,8 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
|
||||||
fail++;
|
fail++;
|
||||||
cp = buffer_get_cstring(&b, NULL);
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
+ if ((r = strchr(cp, '/')) != NULL)
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
+ *r = '\0';
|
+ if ((s = strchr(cp, '/')) != NULL)
|
||||||
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
authctxt->style ? ":" : "",
|
authctxt->style ? ":" : "",
|
||||||
authctxt->style ? authctxt->style : "");
|
authctxt->style ? authctxt->style : "");
|
||||||
@@ -1269,7 +1299,7 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1286,7 +1317,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||||
char *chost)
|
|
||||||
{
|
{
|
||||||
Buffer b;
|
struct sshbuf *b;
|
||||||
- char *p, *userstyle;
|
const u_char *p;
|
||||||
+ char *p, *r, *userstyle;
|
- char *cp, *userstyle;
|
||||||
u_int len;
|
+ char *cp, *s, *userstyle;
|
||||||
int fail = 0;
|
size_t len;
|
||||||
|
int r, fail = 0;
|
||||||
@@ -1286,6 +1316,8 @@ monitor_valid_hostbasedblob(u_char *data
|
u_char type;
|
||||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||||
fail++;
|
fail++;
|
||||||
p = buffer_get_cstring(&b, NULL);
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
+ if ((r = strchr(p, '/')) != NULL)
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
+ *r = '\0';
|
+ if ((s = strchr(p, '/')) != NULL)
|
||||||
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
authctxt->style ? ":" : "",
|
authctxt->style ? ":" : "",
|
||||||
authctxt->style ? authctxt->style : "");
|
authctxt->style ? authctxt->style : "");
|
||||||
diff -up openssh-7.4p1/monitor.h.role-mls openssh-7.4p1/monitor.h
|
diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||||
--- openssh-7.4p1/monitor.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/monitor.h 2016-12-23 12:19:58.588459376 +0100
|
+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
|
||||||
@@ -57,6 +57,10 @@ enum monitor_reqtype {
|
@@ -55,6 +55,10 @@ enum monitor_reqtype {
|
||||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||||
MONITOR_REQ_TERM = 50,
|
MONITOR_REQ_TERM = 50,
|
||||||
|
|
||||||
|
@ -288,11 +289,11 @@ diff -up openssh-7.4p1/monitor.h.role-mls openssh-7.4p1/monitor.h
|
||||||
MONITOR_REQ_PAM_START = 100,
|
MONITOR_REQ_PAM_START = 100,
|
||||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||||
diff -up openssh-7.4p1/monitor_wrap.c.role-mls openssh-7.4p1/monitor_wrap.c
|
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||||
--- openssh-7.4p1/monitor_wrap.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 12:19:58.588459376 +0100
|
+++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
|
||||||
@@ -345,6 +345,25 @@ mm_inform_authserv(char *service, char *
|
@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
|
||||||
buffer_free(&m);
|
sshbuf_free(m);
|
||||||
}
|
}
|
||||||
|
|
||||||
+/* Inform the privileged process about role */
|
+/* Inform the privileged process about role */
|
||||||
|
@ -301,51 +302,54 @@ diff -up openssh-7.4p1/monitor_wrap.c.role-mls openssh-7.4p1/monitor_wrap.c
|
||||||
+void
|
+void
|
||||||
+mm_inform_authrole(char *role)
|
+mm_inform_authrole(char *role)
|
||||||
+{
|
+{
|
||||||
+ Buffer m;
|
+ int r;
|
||||||
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ debug3("%s entering", __func__);
|
+ debug3("%s entering", __func__);
|
||||||
+
|
+
|
||||||
+ buffer_init(&m);
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ buffer_put_cstring(&m, role ? role : "");
|
+ fatal("%s: sshbuf_new failed", __func__);
|
||||||
|
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
|
+ sshbuf_free(m);
|
||||||
+
|
|
||||||
+ buffer_free(&m);
|
|
||||||
+}
|
+}
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
/* Do the password authentication */
|
/* Do the password authentication */
|
||||||
int
|
int
|
||||||
mm_auth_password(Authctxt *authctxt, char *password)
|
mm_auth_password(struct ssh *ssh, char *password)
|
||||||
diff -up openssh-7.4p1/monitor_wrap.h.role-mls openssh-7.4p1/monitor_wrap.h
|
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||||
--- openssh-7.4p1/monitor_wrap.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||||
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 12:19:58.588459376 +0100
|
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
||||||
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
||||||
int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int,
|
const u_char *, size_t, const char *, const char *,
|
||||||
const char *);
|
const char *, u_int compat);
|
||||||
void mm_inform_authserv(char *, char *);
|
void mm_inform_authserv(char *, char *);
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+void mm_inform_authrole(char *);
|
+void mm_inform_authrole(char *);
|
||||||
+#endif
|
+#endif
|
||||||
struct passwd *mm_getpwnamallow(const char *);
|
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
|
||||||
char *mm_auth2_read_banner(void);
|
char *mm_auth2_read_banner(void);
|
||||||
int mm_auth_password(struct Authctxt *, char *);
|
int mm_auth_password(struct ssh *, char *);
|
||||||
diff -up openssh-7.4p1/openbsd-compat/Makefile.in.role-mls openssh-7.4p1/openbsd-compat/Makefile.in
|
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
|
||||||
--- openssh-7.4p1/openbsd-compat/Makefile.in.role-mls 2016-12-23 12:19:58.588459376 +0100
|
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/openbsd-compat/Makefile.in 2016-12-23 12:24:06.042643938 +0100
|
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
||||||
|
port-linux.o \
|
||||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-getpagesize.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-malloc.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xcrypt.o kludge-fd_set.o
|
port-solaris.o \
|
||||||
|
port-net.o \
|
||||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
- port-uw.o
|
||||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
+ port-uw.o \
|
||||||
|
+ port-linux-sshd.o
|
||||||
|
|
||||||
.c.o:
|
.c.o:
|
||||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
|
||||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.c.role-mls openssh-7.4p1/openbsd-compat/port-linux.c
|
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
||||||
--- openssh-7.4p1/openbsd-compat/port-linux.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux.c 2016-12-23 12:19:58.590459369 +0100
|
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||||
return sc;
|
return sc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -396,9 +400,9 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux.c.role-mls openssh-7.4p1/openbs
|
||||||
|
|
||||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||||
|
|
||||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.role-mls openssh-7.4p1/openbsd-compat/port-linux.h
|
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
|
||||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 12:19:58.591459365 +0100
|
+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -20,9 +20,10 @@
|
@@ -20,9 +20,10 @@
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
int ssh_selinux_enabled(void);
|
int ssh_selinux_enabled(void);
|
||||||
|
@ -411,10 +415,10 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux.h.role-mls openssh-7.4p1/openbs
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef LINUX_OOM_ADJUST
|
#ifdef LINUX_OOM_ADJUST
|
||||||
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-7.4p1/openbsd-compat/port-linux-sshd.c
|
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls 2016-12-23 12:19:58.590459369 +0100
|
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 12:19:58.590459369 +0100
|
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -0,0 +1,424 @@
|
@@ -0,0 +1,425 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
@ -443,13 +447,14 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-7.4p1/o
|
||||||
+#include <stdarg.h>
|
+#include <stdarg.h>
|
||||||
+#include <string.h>
|
+#include <string.h>
|
||||||
+#include <stdio.h>
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
+
|
+
|
||||||
+#include "log.h"
|
+#include "log.h"
|
||||||
+#include "xmalloc.h"
|
+#include "xmalloc.h"
|
||||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||||
+#include "servconf.h"
|
+#include "servconf.h"
|
||||||
+#include "port-linux.h"
|
+#include "port-linux.h"
|
||||||
+#include "key.h"
|
+#include "sshkey.h"
|
||||||
+#include "hostfile.h"
|
+#include "hostfile.h"
|
||||||
+#include "auth.h"
|
+#include "auth.h"
|
||||||
+
|
+
|
||||||
|
@ -839,10 +844,10 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-7.4p1/o
|
||||||
+#endif
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
diff -up openssh-7.4p1/platform.c.role-mls openssh-7.4p1/platform.c
|
diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||||
--- openssh-7.4p1/platform.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/platform.c 2016-12-23 12:19:58.591459365 +0100
|
+++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
|
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
|
||||||
}
|
}
|
||||||
#endif /* HAVE_SETPCRED */
|
#endif /* HAVE_SETPCRED */
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
|
@ -851,10 +856,10 @@ diff -up openssh-7.4p1/platform.c.role-mls openssh-7.4p1/platform.c
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
diff -up openssh-7.4p1/sshd.c.role-mls openssh-7.4p1/sshd.c
|
diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||||
--- openssh-7.4p1/sshd.c.role-mls 2016-12-19 05:59:41.000000000 +0100
|
--- openssh/sshd.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 12:19:58.591459365 +0100
|
+++ openssh/sshd.c 2018-08-22 11:14:56.820430957 +0200
|
||||||
@@ -2053,6 +2053,9 @@ main(int ac, char **av)
|
@@ -2186,6 +2186,9 @@ main(int ac, char **av)
|
||||||
restore_uid();
|
restore_uid();
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
@ -864,16 +869,3 @@ diff -up openssh-7.4p1/sshd.c.role-mls openssh-7.4p1/sshd.c
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (options.use_pam) {
|
if (options.use_pam) {
|
||||||
do_pam_setcred(1);
|
do_pam_setcred(1);
|
||||||
--- openssh/configure.ac.role-mls 2017-09-27 12:54:52.926425979 +0200
|
|
||||||
+++ openssh/configure.ac 2017-09-27 12:57:06.854224956 +0200
|
|
||||||
@@ -4158,10 +4158,7 @@
|
|
||||||
LIBS="$LIBS -lselinux"
|
|
||||||
],
|
|
||||||
AC_MSG_ERROR([SELinux support requires libselinux library]))
|
|
||||||
- SSHLIBS="$SSHLIBS $LIBSELINUX"
|
|
||||||
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
|
||||||
AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])
|
|
||||||
- LIBS="$save_LIBS"
|
|
||||||
fi ]
|
|
||||||
)
|
|
||||||
AC_SUBST([SSHLIBS])
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
diff --git a/scp.c b/scp.c
|
||||||
|
index 60682c68..9344806e 100644
|
||||||
|
--- a/scp.c
|
||||||
|
+++ b/scp.c
|
||||||
|
@@ -714,7 +714,9 @@ toremote(int argc, char **argv)
|
||||||
|
addargs(&alist, "%s", host);
|
||||||
|
addargs(&alist, "%s", cmd);
|
||||||
|
addargs(&alist, "%s", src);
|
||||||
|
- addargs(&alist, "%s%s%s:%s",
|
||||||
|
+ addargs(&alist,
|
||||||
|
+ /* IPv6 address needs to be enclosed with sqare brackets */
|
||||||
|
+ strchr(host, ':') != NULL ? "%s%s[%s]:%s" : "%s%s%s:%s",
|
||||||
|
tuser ? tuser : "", tuser ? "@" : "",
|
||||||
|
thost, targ);
|
||||||
|
if (do_local_cmd(&alist) != 0)
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Date: Tue, 29 Sep 2020 10:02:45 +0000
|
||||||
|
Subject: [PATCH] Fail hard on the first failed attempt to write the
|
||||||
|
authorized_keys_file
|
||||||
|
|
||||||
|
---
|
||||||
|
ssh-copy-id | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||||
|
index 392f64f..e69a23f 100755
|
||||||
|
--- a/contrib/ssh-copy-id
|
||||||
|
+++ b/contrib/ssh-copy-id
|
||||||
|
@@ -251,7 +251,7 @@ installkeys_sh() {
|
||||||
|
cd;
|
||||||
|
umask 077;
|
||||||
|
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
||||||
|
- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
|
||||||
|
+ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
||||||
|
cat >> ${AUTH_KEY_FILE} ||
|
||||||
|
exit 1;
|
||||||
|
if type restorecon >/dev/null 2>&1; then
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,502 @@
|
||||||
|
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
||||||
|
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
||||||
|
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
||||||
|
@@ -359,17 +359,17 @@ or
|
||||||
|
.Qq *.c.example.com
|
||||||
|
domains.
|
||||||
|
.It Cm CASignatureAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
|
by certificate authorities (CAs).
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
.Xr ssh 1
|
||||||
|
will not accept host certificates signed using algorithms other than those
|
||||||
|
specified.
|
||||||
|
+.Pp
|
||||||
|
.It Cm CertificateFile
|
||||||
|
Specifies a file from which the user's certificate is read.
|
||||||
|
A corresponding private key must be provided separately in order
|
||||||
|
@@ -424,20 +424,25 @@ If the option is set to
|
||||||
|
.Cm no ,
|
||||||
|
the check will not be executed.
|
||||||
|
.It Cm Ciphers
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the ciphers allowed and their order of preference.
|
||||||
|
Multiple ciphers must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified ciphers will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified ciphers will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified ciphers (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified ciphers will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The supported ciphers are:
|
||||||
|
.Bd -literal -offset indent
|
||||||
|
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
|
||||||
|
chacha20-poly1305@openssh.com
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-chacha20-poly1305@openssh.com,
|
||||||
|
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||||
|
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available ciphers may also be obtained using
|
||||||
|
.Qq ssh -Q cipher .
|
||||||
|
.It Cm ClearAllForwardings
|
||||||
|
@@ -812,6 +810,11 @@ command line will be passed untouched to
|
||||||
|
The default is
|
||||||
|
.Dq no .
|
||||||
|
.It Cm GSSAPIKexAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
The list of key exchange algorithms that are offered for GSSAPI
|
||||||
|
key exchange. Possible values are
|
||||||
|
.Bd -literal -offset 3n
|
||||||
|
@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
|
||||||
|
gss-curve25519-sha256-
|
||||||
|
.Ed
|
||||||
|
.Pp
|
||||||
|
-The default is
|
||||||
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
This option only applies to connections using GSSAPI.
|
||||||
|
+.Pp
|
||||||
|
.It Cm HashKnownHosts
|
||||||
|
Indicates that
|
||||||
|
.Xr ssh 1
|
||||||
|
@@ -1149,29 +1150,25 @@ it may be zero or more of:
|
||||||
|
and
|
||||||
|
.Cm pam .
|
||||||
|
.It Cm KexAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified methods will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified methods will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified methods (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified methods will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
|
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
|
-diffie-hellman-group-exchange-sha256,
|
||||||
|
-diffie-hellman-group16-sha512,
|
||||||
|
-diffie-hellman-group18-sha512,
|
||||||
|
-diffie-hellman-group14-sha256
|
||||||
|
-.Ed
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The list of available key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q kex .
|
||||||
|
@@ -1231,37 +1228,33 @@ The default is INFO.
|
||||||
|
DEBUG and DEBUG1 are equivalent.
|
||||||
|
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
||||||
|
.It Cm MACs
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the MAC (message authentication code) algorithms
|
||||||
|
in order of preference.
|
||||||
|
The MAC algorithm is used for data integrity protection.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified algorithms will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The algorithms that contain
|
||||||
|
.Qq -etm
|
||||||
|
calculate the MAC after encryption (encrypt-then-mac).
|
||||||
|
These are considered safer and their use recommended.
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
||||||
|
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||||
|
-hmac-sha1-etm@openssh.com,
|
||||||
|
-umac-64@openssh.com,umac-128@openssh.com,
|
||||||
|
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available MAC algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q mac .
|
||||||
|
.It Cm NoHostAuthenticationForLocalhost
|
||||||
|
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
|
||||||
|
The default is
|
||||||
|
.Cm no .
|
||||||
|
.It Cm PubkeyAcceptedKeyTypes
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the key types that will be used for public key authentication
|
||||||
|
as a comma-separated list of patterns.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the key types after it will be appended to the default
|
||||||
|
-instead of replacing it.
|
||||||
|
+character, then the key types after it will be appended to the built-in
|
||||||
|
+openssh default instead of replacing it.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified key types (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified key types will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
-The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
|
-.Ed
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The list of available key types may also be obtained using
|
||||||
|
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||||
|
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
||||||
|
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
||||||
|
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
||||||
|
@@ -375,16 +375,16 @@ If the argument is
|
||||||
|
then no banner is displayed.
|
||||||
|
By default, no banner is displayed.
|
||||||
|
.It Cm CASignatureAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies which algorithms are allowed for signing of certificates
|
||||||
|
by certificate authorities (CAs).
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
Certificates signed using other algorithms will not be accepted for
|
||||||
|
public key or host-based authentication.
|
||||||
|
+.Pp
|
||||||
|
.It Cm ChallengeResponseAuthentication
|
||||||
|
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||||
|
PAM or through authentication styles supported in
|
||||||
|
@@ -446,20 +446,25 @@ The default is
|
||||||
|
indicating not to
|
||||||
|
.Xr chroot 2 .
|
||||||
|
.It Cm Ciphers
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the ciphers allowed.
|
||||||
|
Multiple ciphers must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified ciphers will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified ciphers will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified ciphers (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified ciphers will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The supported ciphers are:
|
||||||
|
.Pp
|
||||||
|
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
|
||||||
|
chacha20-poly1305@openssh.com
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-chacha20-poly1305@openssh.com,
|
||||||
|
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||||
|
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available ciphers may also be obtained using
|
||||||
|
.Qq ssh -Q cipher .
|
||||||
|
.It Cm ClientAliveCountMax
|
||||||
|
@@ -681,22 +679,24 @@ For this to work
|
||||||
|
.Cm GSSAPIKeyExchange
|
||||||
|
needs to be enabled in the server and also used by the client.
|
||||||
|
.It Cm GSSAPIKexAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
The list of key exchange algorithms that are accepted by GSSAPI
|
||||||
|
key exchange. Possible values are
|
||||||
|
.Bd -literal -offset 3n
|
||||||
|
-gss-gex-sha1-,
|
||||||
|
-gss-group1-sha1-,
|
||||||
|
-gss-group14-sha1-,
|
||||||
|
-gss-group14-sha256-,
|
||||||
|
-gss-group16-sha512-,
|
||||||
|
-gss-nistp256-sha256-,
|
||||||
|
+gss-gex-sha1-
|
||||||
|
+gss-group1-sha1-
|
||||||
|
+gss-group14-sha1-
|
||||||
|
+gss-group14-sha256-
|
||||||
|
+gss-group16-sha512-
|
||||||
|
+gss-nistp256-sha256-
|
||||||
|
gss-curve25519-sha256-
|
||||||
|
.Ed
|
||||||
|
-.Pp
|
||||||
|
-The default is
|
||||||
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
|
This option only applies to connections using GSSAPI.
|
||||||
|
+.Pp
|
||||||
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
|
as a list of comma-separated patterns.
|
||||||
|
@@ -793,25 +793,13 @@ is specified, the location of the socket
|
||||||
|
.Ev SSH_AUTH_SOCK
|
||||||
|
environment variable.
|
||||||
|
.It Cm HostKeyAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the host key algorithms
|
||||||
|
that the server offers.
|
||||||
|
-The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available key types may also be obtained using
|
||||||
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
|
.It Cm IgnoreRhosts
|
||||||
|
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
|
.It Cm KexAlgorithms
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified methods will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified methods will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified methods (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified methods will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
The supported algorithms are:
|
||||||
|
.Pp
|
||||||
|
.Bl -item -compact -offset indent
|
||||||
|
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
||||||
|
sntrup4591761x25519-sha512@tinyssh.org
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||||
|
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||||
|
-diffie-hellman-group-exchange-sha256,
|
||||||
|
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||||
|
-diffie-hellman-group14-sha256
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available key exchange algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q KexAlgorithms .
|
||||||
|
.It Cm ListenAddress
|
||||||
|
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
||||||
|
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
||||||
|
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
||||||
|
.It Cm MACs
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the available MAC (message authentication code) algorithms.
|
||||||
|
The MAC algorithm is used for data integrity protection.
|
||||||
|
Multiple algorithms must be comma-separated.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified algorithms will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified algorithms will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified algorithms will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The algorithms that contain
|
||||||
|
.Qq -etm
|
||||||
|
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
|
||||||
|
umac-128-etm@openssh.com
|
||||||
|
.El
|
||||||
|
.Pp
|
||||||
|
-The default is:
|
||||||
|
-.Bd -literal -offset indent
|
||||||
|
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
||||||
|
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||||
|
-hmac-sha1-etm@openssh.com,
|
||||||
|
-umac-64@openssh.com,umac-128@openssh.com,
|
||||||
|
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||||
|
-.Ed
|
||||||
|
-.Pp
|
||||||
|
The list of available MAC algorithms may also be obtained using
|
||||||
|
.Qq ssh -Q mac .
|
||||||
|
.It Cm Match
|
||||||
|
@@ -1480,36 +1460,25 @@ or equivalent.)
|
||||||
|
The default is
|
||||||
|
.Cm yes .
|
||||||
|
.It Cm PubkeyAcceptedKeyTypes
|
||||||
|
+The default is handled system-wide by
|
||||||
|
+.Xr crypto-policies 7 .
|
||||||
|
+To see the defaults and how to modify this default, see manual page
|
||||||
|
+.Xr update-crypto-policies 8 .
|
||||||
|
+.Pp
|
||||||
|
Specifies the key types that will be accepted for public key authentication
|
||||||
|
as a list of comma-separated patterns.
|
||||||
|
Alternately if the specified list begins with a
|
||||||
|
.Sq +
|
||||||
|
-character, then the specified key types will be appended to the default set
|
||||||
|
-instead of replacing them.
|
||||||
|
+character, then the specified key types will be appended to the built-in
|
||||||
|
+openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq -
|
||||||
|
character, then the specified key types (including wildcards) will be removed
|
||||||
|
-from the default set instead of replacing them.
|
||||||
|
+from the built-in openssh default set instead of replacing them.
|
||||||
|
If the specified list begins with a
|
||||||
|
.Sq ^
|
||||||
|
character, then the specified key types will be placed at the head of the
|
||||||
|
-default set.
|
||||||
|
-The default for this option is:
|
||||||
|
-.Bd -literal -offset 3n
|
||||||
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
|
-.Ed
|
||||||
|
+built-in openssh default set.
|
||||||
|
.Pp
|
||||||
|
The list of available key types may also be obtained using
|
||||||
|
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,720 @@
|
||||||
|
From ed7ec0cdf577ffbb0b15145340cf51596ca3eb89 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Date: Tue, 14 May 2019 10:45:45 +0200
|
||||||
|
Subject: [PATCH] Use high-level OpenSSL API for signatures
|
||||||
|
|
||||||
|
---
|
||||||
|
digest-openssl.c | 16 ++++
|
||||||
|
digest.h | 6 ++
|
||||||
|
ssh-dss.c | 65 ++++++++++------
|
||||||
|
ssh-ecdsa.c | 69 ++++++++++-------
|
||||||
|
ssh-rsa.c | 193 +++++++++--------------------------------------
|
||||||
|
sshkey.c | 77 +++++++++++++++++++
|
||||||
|
sshkey.h | 4 +
|
||||||
|
7 files changed, 221 insertions(+), 209 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/digest-openssl.c b/digest-openssl.c
|
||||||
|
index da7ed72bc..6a21d8adb 100644
|
||||||
|
--- a/digest-openssl.c
|
||||||
|
+++ b/digest-openssl.c
|
||||||
|
@@ -63,6 +63,22 @@ const struct ssh_digest digests[] = {
|
||||||
|
{ -1, NULL, 0, NULL },
|
||||||
|
};
|
||||||
|
|
||||||
|
+const EVP_MD *
|
||||||
|
+ssh_digest_to_md(int digest_type)
|
||||||
|
+{
|
||||||
|
+ switch (digest_type) {
|
||||||
|
+ case SSH_DIGEST_SHA1:
|
||||||
|
+ return EVP_sha1();
|
||||||
|
+ case SSH_DIGEST_SHA256:
|
||||||
|
+ return EVP_sha256();
|
||||||
|
+ case SSH_DIGEST_SHA384:
|
||||||
|
+ return EVP_sha384();
|
||||||
|
+ case SSH_DIGEST_SHA512:
|
||||||
|
+ return EVP_sha512();
|
||||||
|
+ }
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static const struct ssh_digest *
|
||||||
|
ssh_digest_by_alg(int alg)
|
||||||
|
{
|
||||||
|
diff --git a/digest.h b/digest.h
|
||||||
|
index 274574d0e..c7ceeb36f 100644
|
||||||
|
--- a/digest.h
|
||||||
|
+++ b/digest.h
|
||||||
|
@@ -32,6 +32,12 @@
|
||||||
|
struct sshbuf;
|
||||||
|
struct ssh_digest_ctx;
|
||||||
|
|
||||||
|
+#ifdef WITH_OPENSSL
|
||||||
|
+#include <openssl/evp.h>
|
||||||
|
+/* Converts internal digest representation to the OpenSSL one */
|
||||||
|
+const EVP_MD *ssh_digest_to_md(int digest_type);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* Looks up a digest algorithm by name */
|
||||||
|
int ssh_digest_alg_by_name(const char *name);
|
||||||
|
|
||||||
|
diff --git a/ssh-dss.c b/ssh-dss.c
|
||||||
|
index a23c383dc..ea45e7275 100644
|
||||||
|
--- a/ssh-dss.c
|
||||||
|
+++ b/ssh-dss.c
|
||||||
|
@@ -52,11 +52,15 @@ int
|
||||||
|
ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
const u_char *data, size_t datalen, u_int compat)
|
||||||
|
{
|
||||||
|
+ EVP_PKEY *pkey = NULL;
|
||||||
|
DSA_SIG *sig = NULL;
|
||||||
|
const BIGNUM *sig_r, *sig_s;
|
||||||
|
- u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
|
||||||
|
- size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
|
||||||
|
+ u_char sigblob[SIGBLOB_LEN];
|
||||||
|
+ size_t rlen, slen;
|
||||||
|
+ int len;
|
||||||
|
struct sshbuf *b = NULL;
|
||||||
|
+ u_char *sigb = NULL;
|
||||||
|
+ const u_char *psig = NULL;
|
||||||
|
int ret = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
|
||||||
|
if (lenp != NULL)
|
||||||
|
@@ -67,17 +71,24 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
if (key == NULL || key->dsa == NULL ||
|
||||||
|
sshkey_type_plain(key->type) != KEY_DSA)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
- if (dlen == 0)
|
||||||
|
- return SSH_ERR_INTERNAL_ERROR;
|
||||||
|
|
||||||
|
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
|
||||||
|
- digest, sizeof(digest))) != 0)
|
||||||
|
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||||
|
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1)
|
||||||
|
+ return SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len,
|
||||||
|
+ data, datalen);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
+ if (ret < 0) {
|
||||||
|
goto out;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
|
||||||
|
+ psig = sigb;
|
||||||
|
+ if ((sig = d2i_DSA_SIG(NULL, &psig, len)) == NULL) {
|
||||||
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
+ free(sigb);
|
||||||
|
+ sigb = NULL;
|
||||||
|
|
||||||
|
DSA_SIG_get0(sig, &sig_r, &sig_s);
|
||||||
|
rlen = BN_num_bytes(sig_r);
|
||||||
|
@@ -110,7 +121,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
*lenp = len;
|
||||||
|
ret = 0;
|
||||||
|
out:
|
||||||
|
- explicit_bzero(digest, sizeof(digest));
|
||||||
|
+ free(sigb);
|
||||||
|
DSA_SIG_free(sig);
|
||||||
|
sshbuf_free(b);
|
||||||
|
return ret;
|
||||||
|
@@ -121,20 +132,20 @@ ssh_dss_verify(const struct sshkey *key,
|
||||||
|
const u_char *signature, size_t signaturelen,
|
||||||
|
const u_char *data, size_t datalen, u_int compat)
|
||||||
|
{
|
||||||
|
+ EVP_PKEY *pkey = NULL;
|
||||||
|
DSA_SIG *sig = NULL;
|
||||||
|
BIGNUM *sig_r = NULL, *sig_s = NULL;
|
||||||
|
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
|
||||||
|
- size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
|
||||||
|
+ u_char *sigblob = NULL;
|
||||||
|
+ size_t len, slen;
|
||||||
|
int ret = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
struct sshbuf *b = NULL;
|
||||||
|
char *ktype = NULL;
|
||||||
|
+ u_char *sigb = NULL, *psig = NULL;
|
||||||
|
|
||||||
|
if (key == NULL || key->dsa == NULL ||
|
||||||
|
sshkey_type_plain(key->type) != KEY_DSA ||
|
||||||
|
signature == NULL || signaturelen == 0)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
- if (dlen == 0)
|
||||||
|
- return SSH_ERR_INTERNAL_ERROR;
|
||||||
|
|
||||||
|
/* fetch signature */
|
||||||
|
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
|
||||||
|
@@ -176,25 +187,31 @@ ssh_dss_verify(const struct sshkey *key,
|
||||||
|
}
|
||||||
|
sig_r = sig_s = NULL; /* transferred */
|
||||||
|
|
||||||
|
- /* sha1 the data */
|
||||||
|
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
|
||||||
|
- digest, sizeof(digest))) != 0)
|
||||||
|
+ if ((slen = i2d_DSA_SIG(sig, NULL)) == 0) {
|
||||||
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
goto out;
|
||||||
|
-
|
||||||
|
- switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
|
||||||
|
- case 1:
|
||||||
|
- ret = 0;
|
||||||
|
- break;
|
||||||
|
- case 0:
|
||||||
|
- ret = SSH_ERR_SIGNATURE_INVALID;
|
||||||
|
+ }
|
||||||
|
+ if ((sigb = malloc(slen)) == NULL) {
|
||||||
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
goto out;
|
||||||
|
- default:
|
||||||
|
+ }
|
||||||
|
+ psig = sigb;
|
||||||
|
+ if ((slen = i2d_DSA_SIG(sig, &psig)) == 0) {
|
||||||
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||||
|
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) {
|
||||||
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen,
|
||||||
|
+ sigb, slen);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
+
|
||||||
|
out:
|
||||||
|
- explicit_bzero(digest, sizeof(digest));
|
||||||
|
+ free(sigb);
|
||||||
|
DSA_SIG_free(sig);
|
||||||
|
BN_clear_free(sig_r);
|
||||||
|
BN_clear_free(sig_s);
|
||||||
|
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
|
||||||
|
index 599c7199d..b036796e8 100644
|
||||||
|
--- a/ssh-ecdsa.c
|
||||||
|
+++ b/ssh-ecdsa.c
|
||||||
|
@@ -50,11 +50,13 @@ int
|
||||||
|
ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
const u_char *data, size_t datalen, u_int compat)
|
||||||
|
{
|
||||||
|
+ EVP_PKEY *pkey = NULL;
|
||||||
|
ECDSA_SIG *sig = NULL;
|
||||||
|
+ unsigned char *sigb = NULL;
|
||||||
|
+ const unsigned char *psig;
|
||||||
|
const BIGNUM *sig_r, *sig_s;
|
||||||
|
int hash_alg;
|
||||||
|
- u_char digest[SSH_DIGEST_MAX_LENGTH];
|
||||||
|
- size_t len, dlen;
|
||||||
|
+ int len;
|
||||||
|
struct sshbuf *b = NULL, *bb = NULL;
|
||||||
|
int ret = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
|
||||||
|
@@ -67,18 +69,24 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
sshkey_type_plain(key->type) != KEY_ECDSA)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
|
||||||
|
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
|
||||||
|
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
|
||||||
|
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
|
||||||
|
return SSH_ERR_INTERNAL_ERROR;
|
||||||
|
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
||||||
|
- digest, sizeof(digest))) != 0)
|
||||||
|
+
|
||||||
|
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||||
|
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
|
||||||
|
+ return SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
|
||||||
|
+ datalen);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
+ if (ret < 0) {
|
||||||
|
goto out;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
|
||||||
|
+ psig = sigb;
|
||||||
|
+ if ((sig = d2i_ECDSA_SIG(NULL, &psig, len)) == NULL) {
|
||||||
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
|
||||||
|
ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
goto out;
|
||||||
|
@@ -102,7 +110,7 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
*lenp = len;
|
||||||
|
ret = 0;
|
||||||
|
out:
|
||||||
|
- explicit_bzero(digest, sizeof(digest));
|
||||||
|
+ free(sigb);
|
||||||
|
sshbuf_free(b);
|
||||||
|
sshbuf_free(bb);
|
||||||
|
ECDSA_SIG_free(sig);
|
||||||
|
@@ -115,22 +123,21 @@ ssh_ecdsa_verify(const struct sshkey *key,
|
||||||
|
const u_char *signature, size_t signaturelen,
|
||||||
|
const u_char *data, size_t datalen, u_int compat)
|
||||||
|
{
|
||||||
|
+ EVP_PKEY *pkey = NULL;
|
||||||
|
ECDSA_SIG *sig = NULL;
|
||||||
|
BIGNUM *sig_r = NULL, *sig_s = NULL;
|
||||||
|
- int hash_alg;
|
||||||
|
- u_char digest[SSH_DIGEST_MAX_LENGTH];
|
||||||
|
- size_t dlen;
|
||||||
|
+ int hash_alg, len;
|
||||||
|
int ret = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
struct sshbuf *b = NULL, *sigbuf = NULL;
|
||||||
|
char *ktype = NULL;
|
||||||
|
+ unsigned char *sigb = NULL, *psig = NULL;
|
||||||
|
|
||||||
|
if (key == NULL || key->ecdsa == NULL ||
|
||||||
|
sshkey_type_plain(key->type) != KEY_ECDSA ||
|
||||||
|
signature == NULL || signaturelen == 0)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
|
||||||
|
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
|
||||||
|
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
|
||||||
|
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
|
||||||
|
return SSH_ERR_INTERNAL_ERROR;
|
||||||
|
|
||||||
|
/* fetch signature */
|
||||||
|
@@ -166,28 +173,36 @@ ssh_ecdsa_verify(const struct sshkey *key,
|
||||||
|
}
|
||||||
|
sig_r = sig_s = NULL; /* transferred */
|
||||||
|
|
||||||
|
- if (sshbuf_len(sigbuf) != 0) {
|
||||||
|
- ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
|
||||||
|
+ /* Figure out the length */
|
||||||
|
+ if ((len = i2d_ECDSA_SIG(sig, NULL)) == 0) {
|
||||||
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ if ((sigb = malloc(len)) == NULL) {
|
||||||
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
||||||
|
- digest, sizeof(digest))) != 0)
|
||||||
|
+ psig = sigb;
|
||||||
|
+ if ((len = i2d_ECDSA_SIG(sig, &psig)) == 0) {
|
||||||
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
goto out;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
|
||||||
|
- case 1:
|
||||||
|
- ret = 0;
|
||||||
|
- break;
|
||||||
|
- case 0:
|
||||||
|
- ret = SSH_ERR_SIGNATURE_INVALID;
|
||||||
|
+ if (sshbuf_len(sigbuf) != 0) {
|
||||||
|
+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
|
||||||
|
goto out;
|
||||||
|
- default:
|
||||||
|
- ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||||
|
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) {
|
||||||
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
|
||||||
|
out:
|
||||||
|
- explicit_bzero(digest, sizeof(digest));
|
||||||
|
+ free(sigb);
|
||||||
|
sshbuf_free(sigbuf);
|
||||||
|
sshbuf_free(b);
|
||||||
|
ECDSA_SIG_free(sig);
|
||||||
|
diff --git a/ssh-rsa.c b/ssh-rsa.c
|
||||||
|
index 9b14f9a9a..8ef3a6aca 100644
|
||||||
|
--- a/ssh-rsa.c
|
||||||
|
+++ b/ssh-rsa.c
|
||||||
|
@@ -37,7 +37,7 @@
|
||||||
|
|
||||||
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
|
|
||||||
|
-static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
|
||||||
|
+static int openssh_RSA_verify(int, const u_char *, size_t, u_char *, size_t, EVP_PKEY *);
|
||||||
|
|
||||||
|
static const char *
|
||||||
|
rsa_hash_alg_ident(int hash_alg)
|
||||||
|
@@ -90,21 +90,6 @@ rsa_hash_id_from_keyname(const char *alg)
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int
|
||||||
|
-rsa_hash_alg_nid(int type)
|
||||||
|
-{
|
||||||
|
- switch (type) {
|
||||||
|
- case SSH_DIGEST_SHA1:
|
||||||
|
- return NID_sha1;
|
||||||
|
- case SSH_DIGEST_SHA256:
|
||||||
|
- return NID_sha256;
|
||||||
|
- case SSH_DIGEST_SHA512:
|
||||||
|
- return NID_sha512;
|
||||||
|
- default:
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
int
|
||||||
|
ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp)
|
||||||
|
{
|
||||||
|
@@ -164,11 +149,10 @@ int
|
||||||
|
ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
const u_char *data, size_t datalen, const char *alg_ident)
|
||||||
|
{
|
||||||
|
- const BIGNUM *rsa_n;
|
||||||
|
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
|
||||||
|
- size_t slen = 0;
|
||||||
|
- u_int dlen, len;
|
||||||
|
- int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
+ EVP_PKEY *pkey = NULL;
|
||||||
|
+ u_char *sig = NULL;
|
||||||
|
+ int len, slen = 0;
|
||||||
|
+ int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
struct sshbuf *b = NULL;
|
||||||
|
|
||||||
|
if (lenp != NULL)
|
||||||
|
@@ -180,33 +164,24 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
hash_alg = SSH_DIGEST_SHA1;
|
||||||
|
else
|
||||||
|
hash_alg = rsa_hash_id_from_keyname(alg_ident);
|
||||||
|
+
|
||||||
|
if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
|
||||||
|
sshkey_type_plain(key->type) != KEY_RSA)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
|
||||||
|
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
||||||
|
- return SSH_ERR_KEY_LENGTH;
|
||||||
|
slen = RSA_size(key->rsa);
|
||||||
|
- if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
|
||||||
|
- return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
-
|
||||||
|
- /* hash the data */
|
||||||
|
- nid = rsa_hash_alg_nid(hash_alg);
|
||||||
|
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
|
||||||
|
- return SSH_ERR_INTERNAL_ERROR;
|
||||||
|
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
||||||
|
- digest, sizeof(digest))) != 0)
|
||||||
|
- goto out;
|
||||||
|
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
||||||
|
+ return SSH_ERR_KEY_LENGTH;
|
||||||
|
|
||||||
|
- if ((sig = malloc(slen)) == NULL) {
|
||||||
|
- ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||||
|
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
|
||||||
|
+ return SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
|
||||||
|
+ datalen);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
+ if (ret < 0) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
|
||||||
|
- ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
- goto out;
|
||||||
|
- }
|
||||||
|
if (len < slen) {
|
||||||
|
size_t diff = slen - len;
|
||||||
|
memmove(sig + diff, sig, len);
|
||||||
|
@@ -215,6 +190,7 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
ret = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
/* encode signature */
|
||||||
|
if ((b = sshbuf_new()) == NULL) {
|
||||||
|
ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
@@ -235,7 +211,6 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||||
|
*lenp = len;
|
||||||
|
ret = 0;
|
||||||
|
out:
|
||||||
|
- explicit_bzero(digest, sizeof(digest));
|
||||||
|
freezero(sig, slen);
|
||||||
|
sshbuf_free(b);
|
||||||
|
return ret;
|
||||||
|
@@ -246,10 +221,10 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||||
|
const u_char *sig, size_t siglen, const u_char *data, size_t datalen,
|
||||||
|
const char *alg)
|
||||||
|
{
|
||||||
|
- const BIGNUM *rsa_n;
|
||||||
|
+ EVP_PKEY *pkey = NULL;
|
||||||
|
char *sigtype = NULL;
|
||||||
|
int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
- size_t len = 0, diff, modlen, dlen;
|
||||||
|
+ size_t len = 0, diff, modlen;
|
||||||
|
struct sshbuf *b = NULL;
|
||||||
|
u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;
|
||||||
|
|
||||||
|
@@ -257,8 +232,7 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||||
|
sshkey_type_plain(key->type) != KEY_RSA ||
|
||||||
|
sig == NULL || siglen == 0)
|
||||||
|
return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
|
||||||
|
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
||||||
|
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
||||||
|
return SSH_ERR_KEY_LENGTH;
|
||||||
|
|
||||||
|
if ((b = sshbuf_from(sig, siglen)) == NULL)
|
||||||
|
@@ -310,16 +284,15 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||||
|
explicit_bzero(sigblob, diff);
|
||||||
|
len = modlen;
|
||||||
|
}
|
||||||
|
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
|
||||||
|
- ret = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
+
|
||||||
|
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||||
|
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) {
|
||||||
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
||||||
|
- digest, sizeof(digest))) != 0)
|
||||||
|
- goto out;
|
||||||
|
+ ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey);
|
||||||
|
+ EVP_PKEY_free(pkey);
|
||||||
|
|
||||||
|
- ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
|
||||||
|
- key->rsa);
|
||||||
|
out:
|
||||||
|
freezero(sigblob, len);
|
||||||
|
free(sigtype);
|
||||||
|
@@ -328,122 +301,26 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/*
|
||||||
|
- * See:
|
||||||
|
- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
|
||||||
|
- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
-/*
|
||||||
|
- * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
|
||||||
|
- * oiw(14) secsig(3) algorithms(2) 26 }
|
||||||
|
- */
|
||||||
|
-static const u_char id_sha1[] = {
|
||||||
|
- 0x30, 0x21, /* type Sequence, length 0x21 (33) */
|
||||||
|
- 0x30, 0x09, /* type Sequence, length 0x09 */
|
||||||
|
- 0x06, 0x05, /* type OID, length 0x05 */
|
||||||
|
- 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
|
||||||
|
- 0x05, 0x00, /* NULL */
|
||||||
|
- 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-/*
|
||||||
|
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
|
||||||
|
- * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
|
||||||
|
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
|
||||||
|
- * id-sha256(1) }
|
||||||
|
- */
|
||||||
|
-static const u_char id_sha256[] = {
|
||||||
|
- 0x30, 0x31, /* type Sequence, length 0x31 (49) */
|
||||||
|
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
|
||||||
|
- 0x06, 0x09, /* type OID, length 0x09 */
|
||||||
|
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */
|
||||||
|
- 0x05, 0x00, /* NULL */
|
||||||
|
- 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-/*
|
||||||
|
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
|
||||||
|
- * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
|
||||||
|
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
|
||||||
|
- * id-sha256(3) }
|
||||||
|
- */
|
||||||
|
-static const u_char id_sha512[] = {
|
||||||
|
- 0x30, 0x51, /* type Sequence, length 0x51 (81) */
|
||||||
|
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
|
||||||
|
- 0x06, 0x09, /* type OID, length 0x09 */
|
||||||
|
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */
|
||||||
|
- 0x05, 0x00, /* NULL */
|
||||||
|
- 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
static int
|
||||||
|
-rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp)
|
||||||
|
+openssh_RSA_verify(int hash_alg, const u_char *data, size_t datalen,
|
||||||
|
+ u_char *sigbuf, size_t siglen, EVP_PKEY *pkey)
|
||||||
|
{
|
||||||
|
- switch (hash_alg) {
|
||||||
|
- case SSH_DIGEST_SHA1:
|
||||||
|
- *oidp = id_sha1;
|
||||||
|
- *oidlenp = sizeof(id_sha1);
|
||||||
|
- break;
|
||||||
|
- case SSH_DIGEST_SHA256:
|
||||||
|
- *oidp = id_sha256;
|
||||||
|
- *oidlenp = sizeof(id_sha256);
|
||||||
|
- break;
|
||||||
|
- case SSH_DIGEST_SHA512:
|
||||||
|
- *oidp = id_sha512;
|
||||||
|
- *oidlenp = sizeof(id_sha512);
|
||||||
|
- break;
|
||||||
|
- default:
|
||||||
|
- return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
- }
|
||||||
|
- return 0;
|
||||||
|
-}
|
||||||
|
+ size_t rsasize = 0;
|
||||||
|
+ const RSA *rsa;
|
||||||
|
+ int ret;
|
||||||
|
|
||||||
|
-static int
|
||||||
|
-openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
|
||||||
|
- u_char *sigbuf, size_t siglen, RSA *rsa)
|
||||||
|
-{
|
||||||
|
- size_t rsasize = 0, oidlen = 0, hlen = 0;
|
||||||
|
- int ret, len, oidmatch, hashmatch;
|
||||||
|
- const u_char *oid = NULL;
|
||||||
|
- u_char *decrypted = NULL;
|
||||||
|
-
|
||||||
|
- if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0)
|
||||||
|
- return ret;
|
||||||
|
- ret = SSH_ERR_INTERNAL_ERROR;
|
||||||
|
- hlen = ssh_digest_bytes(hash_alg);
|
||||||
|
- if (hashlen != hlen) {
|
||||||
|
- ret = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
+ rsa = EVP_PKEY_get0_RSA(pkey);
|
||||||
|
rsasize = RSA_size(rsa);
|
||||||
|
if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
|
||||||
|
siglen == 0 || siglen > rsasize) {
|
||||||
|
ret = SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
- if ((decrypted = malloc(rsasize)) == NULL) {
|
||||||
|
- ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
|
||||||
|
- RSA_PKCS1_PADDING)) < 0) {
|
||||||
|
- ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- if (len < 0 || (size_t)len != hlen + oidlen) {
|
||||||
|
- ret = SSH_ERR_INVALID_FORMAT;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
|
||||||
|
- hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
|
||||||
|
- if (!oidmatch || !hashmatch) {
|
||||||
|
- ret = SSH_ERR_SIGNATURE_INVALID;
|
||||||
|
- goto done;
|
||||||
|
- }
|
||||||
|
- ret = 0;
|
||||||
|
+
|
||||||
|
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen,
|
||||||
|
+ sigbuf, siglen);
|
||||||
|
+
|
||||||
|
done:
|
||||||
|
- freezero(decrypted, rsasize);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
#endif /* WITH_OPENSSL */
|
||||||
|
diff --git a/sshkey.c b/sshkey.c
|
||||||
|
index ad1957762..b95ed0b10 100644
|
||||||
|
--- a/sshkey.c
|
||||||
|
+++ b/sshkey.c
|
||||||
|
@@ -358,6 +358,83 @@ sshkey_type_plain(int type)
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
+int
|
||||||
|
+sshkey_calculate_signature(EVP_PKEY *pkey, int hash_alg, u_char **sigp,
|
||||||
|
+ int *lenp, const u_char *data, size_t datalen)
|
||||||
|
+{
|
||||||
|
+ EVP_MD_CTX *ctx = NULL;
|
||||||
|
+ u_char *sig = NULL;
|
||||||
|
+ int ret, slen, len;
|
||||||
|
+
|
||||||
|
+ if (sigp == NULL || lenp == NULL) {
|
||||||
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ slen = EVP_PKEY_size(pkey);
|
||||||
|
+ if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
|
||||||
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+
|
||||||
|
+ len = slen;
|
||||||
|
+ if ((sig = malloc(slen)) == NULL) {
|
||||||
|
+ return SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
||||||
|
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+ if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
||||||
|
+ EVP_SignUpdate(ctx, data, datalen) <= 0 ||
|
||||||
|
+ EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
|
||||||
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto error;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *sigp = sig;
|
||||||
|
+ *lenp = len;
|
||||||
|
+ /* Now owned by the caller */
|
||||||
|
+ sig = NULL;
|
||||||
|
+ ret = 0;
|
||||||
|
+
|
||||||
|
+error:
|
||||||
|
+ EVP_MD_CTX_free(ctx);
|
||||||
|
+ free(sig);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+sshkey_verify_signature(EVP_PKEY *pkey, int hash_alg, const u_char *data,
|
||||||
|
+ size_t datalen, u_char *sigbuf, int siglen)
|
||||||
|
+{
|
||||||
|
+ EVP_MD_CTX *ctx = NULL;
|
||||||
|
+ int ret;
|
||||||
|
+
|
||||||
|
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
||||||
|
+ return SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ }
|
||||||
|
+ if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
||||||
|
+ EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
|
||||||
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
|
||||||
|
+ switch (ret) {
|
||||||
|
+ case 1:
|
||||||
|
+ ret = 0;
|
||||||
|
+ break;
|
||||||
|
+ case 0:
|
||||||
|
+ ret = SSH_ERR_SIGNATURE_INVALID;
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+done:
|
||||||
|
+ EVP_MD_CTX_free(ctx);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* XXX: these are really begging for a table-driven approach */
|
||||||
|
int
|
||||||
|
sshkey_curve_name_to_nid(const char *name)
|
||||||
|
diff --git a/sshkey.h b/sshkey.h
|
||||||
|
index a91e60436..270901a87 100644
|
||||||
|
--- a/sshkey.h
|
||||||
|
+++ b/sshkey.h
|
||||||
|
@@ -179,6 +179,10 @@ const char *sshkey_ssh_name(const struct sshkey *);
|
||||||
|
const char *sshkey_ssh_name_plain(const struct sshkey *);
|
||||||
|
int sshkey_names_valid2(const char *, int);
|
||||||
|
char *sshkey_alg_list(int, int, int, char);
|
||||||
|
+int sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
|
||||||
|
+ int *, const u_char *, size_t);
|
||||||
|
+int sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
|
||||||
|
+ size_t, u_char *, int);
|
||||||
|
|
||||||
|
int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
|
||||||
|
int sshkey_fromb(struct sshbuf *, struct sshkey **);
|
||||||
|
|
|
@ -0,0 +1,137 @@
|
||||||
|
commit 2c3ef499bfffce3cfd315edeebf202850ba4e00a
|
||||||
|
Author: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Date: Tue Apr 16 15:35:18 2019 +0200
|
||||||
|
|
||||||
|
Use the new OpenSSL KDF
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 2a455e4e..e01c3d43 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -2712,6 +2712,7 @@ if test "x$openssl" = "xyes" ; then
|
||||||
|
HMAC_CTX_init \
|
||||||
|
RSA_generate_key_ex \
|
||||||
|
RSA_get_default_method \
|
||||||
|
+ EVP_KDF_CTX_new_id \
|
||||||
|
])
|
||||||
|
|
||||||
|
# OpenSSL_add_all_algorithms may be a macro.
|
||||||
|
diff --git a/kex.c b/kex.c
|
||||||
|
index b6f041f4..1fbce2bb 100644
|
||||||
|
--- a/kex.c
|
||||||
|
+++ b/kex.c
|
||||||
|
@@ -38,6 +38,9 @@
|
||||||
|
#ifdef WITH_OPENSSL
|
||||||
|
#include <openssl/crypto.h>
|
||||||
|
#include <openssl/dh.h>
|
||||||
|
+# ifdef HAVE_EVP_KDF_CTX_NEW_ID
|
||||||
|
+# include <openssl/kdf.h>
|
||||||
|
+# endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "ssh.h"
|
||||||
|
@@ -942,6 +945,95 @@ kex_choose_conf(struct ssh *ssh)
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef HAVE_EVP_KDF_CTX_NEW_ID
|
||||||
|
+static const EVP_MD *
|
||||||
|
+digest_to_md(int digest_type)
|
||||||
|
+{
|
||||||
|
+ switch (digest_type) {
|
||||||
|
+ case SSH_DIGEST_SHA1:
|
||||||
|
+ return EVP_sha1();
|
||||||
|
+ case SSH_DIGEST_SHA256:
|
||||||
|
+ return EVP_sha256();
|
||||||
|
+ case SSH_DIGEST_SHA384:
|
||||||
|
+ return EVP_sha384();
|
||||||
|
+ case SSH_DIGEST_SHA512:
|
||||||
|
+ return EVP_sha512();
|
||||||
|
+ }
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||||
|
+ const struct sshbuf *shared_secret, u_char **keyp)
|
||||||
|
+{
|
||||||
|
+ struct kex *kex = ssh->kex;
|
||||||
|
+ EVP_KDF_CTX *ctx = NULL;
|
||||||
|
+ u_char *key = NULL;
|
||||||
|
+ int r, key_len;
|
||||||
|
+
|
||||||
|
+ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0)
|
||||||
|
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||||
|
+ key_len = ROUNDUP(need, key_len);
|
||||||
|
+ if ((key = calloc(1, key_len)) == NULL) {
|
||||||
|
+ r = SSH_ERR_ALLOC_FAIL;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
|
||||||
|
+ if (!ctx) {
|
||||||
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, digest_to_md(kex->hash_alg));
|
||||||
|
+ if (r != 1) {
|
||||||
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY,
|
||||||
|
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
|
||||||
|
+ if (r != 1) {
|
||||||
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, hash, hashlen);
|
||||||
|
+ if (r != 1) {
|
||||||
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, id);
|
||||||
|
+ if (r != 1) {
|
||||||
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||||
|
+ kex->session_id, kex->session_id_len);
|
||||||
|
+ if (r != 1) {
|
||||||
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ r = EVP_KDF_derive(ctx, key, key_len);
|
||||||
|
+ if (r != 1) {
|
||||||
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+#ifdef DEBUG_KEX
|
||||||
|
+ fprintf(stderr, "key '%c'== ", id);
|
||||||
|
+ dump_digest("key", key, key_len);
|
||||||
|
+#endif
|
||||||
|
+ *keyp = key;
|
||||||
|
+ key = NULL;
|
||||||
|
+ r = 0;
|
||||||
|
+
|
||||||
|
+out:
|
||||||
|
+ free (key);
|
||||||
|
+ EVP_KDF_CTX_free(ctx);
|
||||||
|
+ if (r < 0) {
|
||||||
|
+ return r;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+#else
|
||||||
|
static int
|
||||||
|
derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||||
|
const struct sshbuf *shared_secret, u_char **keyp)
|
||||||
|
@@ -1004,6 +1096,7 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||||
|
ssh_digest_free(hashctx);
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID */
|
||||||
|
|
||||||
|
#define NKEYS 6
|
||||||
|
int
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,40 @@
|
||||||
|
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
|
||||||
|
index dca158de..afdcb1d2 100644
|
||||||
|
--- a/regress/misc/sk-dummy/sk-dummy.c
|
||||||
|
+++ b/regress/misc/sk-dummy/sk-dummy.c
|
||||||
|
@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...)
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
-uint32_t
|
||||||
|
+uint32_t __attribute__((visibility("default")))
|
||||||
|
sk_api_version(void)
|
||||||
|
{
|
||||||
|
return SSH_SK_VERSION_MAJOR;
|
||||||
|
@@ -220,7 +220,7 @@ check_options(struct sk_option **options)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int
|
||||||
|
+int __attribute__((visibility("default")))
|
||||||
|
sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
|
||||||
|
const char *application, uint8_t flags, const char *pin,
|
||||||
|
struct sk_option **options, struct sk_enroll_response **enroll_response)
|
||||||
|
@@ -467,7 +467,7 @@ sig_ed25519(const uint8_t *message, size_t message_len,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int
|
||||||
|
+int __attribute__((visibility("default")))
|
||||||
|
sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
|
||||||
|
const char *application, const uint8_t *key_handle, size_t key_handle_len,
|
||||||
|
uint8_t flags, const char *pin, struct sk_option **options,
|
||||||
|
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int
|
||||||
|
+int __attribute__((visibility("default")))
|
||||||
|
sk_load_resident_keys(const char *pin, struct sk_option **options,
|
||||||
|
struct sk_resident_key ***rks, size_t *nrks)
|
||||||
|
{
|
|
@ -0,0 +1,30 @@
|
||||||
|
diff --git a/channels.c b/channels.c
|
||||||
|
--- a/channels.c
|
||||||
|
+++ b/channels.c
|
||||||
|
@@ -3933,16 +3933,26 @@ x11_create_display_inet(int x11_display_
|
||||||
|
if (ai->ai_family == AF_INET6)
|
||||||
|
sock_set_v6only(sock);
|
||||||
|
if (x11_use_localhost)
|
||||||
|
set_reuseaddr(sock);
|
||||||
|
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||||
|
debug2("%s: bind port %d: %.100s", __func__,
|
||||||
|
port, strerror(errno));
|
||||||
|
close(sock);
|
||||||
|
+
|
||||||
|
+ /* do not remove successfully opened
|
||||||
|
+ * sockets if the request failed because
|
||||||
|
+ * the protocol IPv4/6 is not available
|
||||||
|
+ * (e.g. IPv6 may be disabled while being
|
||||||
|
+ * supported)
|
||||||
|
+ */
|
||||||
|
+ if (EADDRNOTAVAIL == errno)
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
for (n = 0; n < num_socks; n++)
|
||||||
|
close(socks[n]);
|
||||||
|
num_socks = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
socks[num_socks++] = sock;
|
||||||
|
if (num_socks == NUM_SOCKS)
|
||||||
|
break;
|
|
@ -0,0 +1,57 @@
|
||||||
|
--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
|
||||||
|
+++ compat.h 2020-10-05 10:10:17.587733113 -0700
|
||||||
|
@@ -34,7 +34,7 @@
|
||||||
|
|
||||||
|
#define SSH_BUG_UTF8TTYMODE 0x00000001
|
||||||
|
#define SSH_BUG_SIGTYPE 0x00000002
|
||||||
|
-/* #define unused 0x00000004 */
|
||||||
|
+#define SSH_BUG_SIGTYPE74 0x00000004
|
||||||
|
/* #define unused 0x00000008 */
|
||||||
|
#define SSH_OLD_SESSIONID 0x00000010
|
||||||
|
/* #define unused 0x00000020 */
|
||||||
|
--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
|
||||||
|
+++ compat.c 2020-10-05 10:13:11.637282492 -0700
|
||||||
|
@@ -65,11 +65,12 @@
|
||||||
|
{ "OpenSSH_6.5*,"
|
||||||
|
"OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
|
||||||
|
SSH_BUG_SIGTYPE},
|
||||||
|
+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
|
||||||
|
+ SSH_BUG_SIGTYPE74},
|
||||||
|
{ "OpenSSH_7.0*,"
|
||||||
|
"OpenSSH_7.1*,"
|
||||||
|
"OpenSSH_7.2*,"
|
||||||
|
"OpenSSH_7.3*,"
|
||||||
|
- "OpenSSH_7.4*,"
|
||||||
|
"OpenSSH_7.5*,"
|
||||||
|
"OpenSSH_7.6*,"
|
||||||
|
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
|
||||||
|
--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
|
||||||
|
+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
|
||||||
|
@@ -1305,6 +1305,26 @@
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
free(oallowed);
|
||||||
|
+ /*
|
||||||
|
+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
|
||||||
|
+ * support. For that release, check the local policy against the
|
||||||
|
+ * SHA2 signature types.
|
||||||
|
+ */
|
||||||
|
+ if (alg == NULL &&
|
||||||
|
+ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
|
||||||
|
+ oallowed = allowed = xstrdup(options.pubkey_key_types);
|
||||||
|
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
||||||
|
+ if (sshkey_type_from_name(cp) != key->type)
|
||||||
|
+ continue;
|
||||||
|
+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
|
||||||
|
+ if (tmp != NULL)
|
||||||
|
+ alg = xstrdup(cp);
|
||||||
|
+ free(tmp);
|
||||||
|
+ if (alg != NULL)
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ free(oallowed);
|
||||||
|
+ }
|
||||||
|
return alg;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||||
|
index e0768c06..5065ae7e 100644
|
||||||
|
--- a/sandbox-seccomp-filter.c
|
||||||
|
+++ b/sandbox-seccomp-filter.c
|
||||||
|
@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||||
|
#ifdef __NR_pselect6
|
||||||
|
SC_ALLOW(__NR_pselect6),
|
||||||
|
#endif
|
||||||
|
+#ifdef __NR_pselect6_time64
|
||||||
|
+ SC_ALLOW(__NR_pselect6_time64),
|
||||||
|
+#endif
|
||||||
|
#ifdef __NR_read
|
||||||
|
SC_ALLOW(__NR_read),
|
||||||
|
#endif
|
|
@ -0,0 +1,130 @@
|
||||||
|
From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Oleg <Fallmay@users.noreply.github.com>
|
||||||
|
Date: Thu, 1 Oct 2020 12:09:08 +0300
|
||||||
|
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
|
||||||
|
|
||||||
|
---
|
||||||
|
contrib/ssh-copy-id | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||||
|
index 392f64f94..a76907717 100644
|
||||||
|
--- a/contrib/ssh-copy-id
|
||||||
|
+++ b/contrib/ssh-copy-id
|
||||||
|
@@ -247,7 +247,7 @@ installkeys_sh() {
|
||||||
|
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
|
||||||
|
# the cat adds the keys we're getting via STDIN
|
||||||
|
# and if available restorecon is used to restore the SELinux context
|
||||||
|
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
|
||||||
|
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
||||||
|
cd;
|
||||||
|
umask 077;
|
||||||
|
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
||||||
|
@@ -258,6 +258,7 @@ installkeys_sh() {
|
||||||
|
restorecon -F .ssh ${AUTH_KEY_FILE};
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
+ )
|
||||||
|
|
||||||
|
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
|
||||||
|
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
|
||||||
|
|
||||||
|
From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
|
||||||
|
From: Philip Hands <phil@hands.com>
|
||||||
|
Date: Sat, 3 Oct 2020 00:20:07 +0200
|
||||||
|
Subject: [PATCH] un-nest $() to make ksh cheerful
|
||||||
|
|
||||||
|
---
|
||||||
|
ssh-copy-id | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Philip Hands <phil@hands.com>
|
||||||
|
Date: Fri, 2 Oct 2020 21:30:10 +0200
|
||||||
|
Subject: [PATCH] ksh doesn't grok 'local'
|
||||||
|
|
||||||
|
and AFAICT it's not actually doing anything useful in the code, so let's
|
||||||
|
see how things go without it.
|
||||||
|
---
|
||||||
|
ssh-copy-id | 11 +++++------
|
||||||
|
1 file changed, 5 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||||
|
index a769077..11c9463 100755
|
||||||
|
--- a/contrib/ssh-copy-id
|
||||||
|
+++ b/contrib/ssh-copy-id
|
||||||
|
@@ -76,7 +76,7 @@ quote() {
|
||||||
|
}
|
||||||
|
|
||||||
|
use_id_file() {
|
||||||
|
- local L_ID_FILE="$1"
|
||||||
|
+ L_ID_FILE="$1"
|
||||||
|
|
||||||
|
if [ -z "$L_ID_FILE" ] ; then
|
||||||
|
printf '%s: ERROR: no ID file found\n' "$0"
|
||||||
|
@@ -94,7 +94,7 @@ use_id_file() {
|
||||||
|
# check that the files are readable
|
||||||
|
for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
|
||||||
|
ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
|
||||||
|
- local L_PRIVMSG=""
|
||||||
|
+ L_PRIVMSG=""
|
||||||
|
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
|
||||||
|
printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
|
||||||
|
exit 1
|
||||||
|
@@ -169,7 +169,7 @@ fi
|
||||||
|
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
|
||||||
|
# and has the side effect of setting $NEW_IDS
|
||||||
|
populate_new_ids() {
|
||||||
|
- local L_SUCCESS="$1"
|
||||||
|
+ L_SUCCESS="$1"
|
||||||
|
|
||||||
|
# shellcheck disable=SC2086
|
||||||
|
if [ "$FORCED" ] ; then
|
||||||
|
@@ -181,13 +181,12 @@ populate_new_ids() {
|
||||||
|
eval set -- "$SSH_OPTS"
|
||||||
|
|
||||||
|
umask 0177
|
||||||
|
- local L_TMP_ID_FILE
|
||||||
|
L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
|
||||||
|
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
|
||||||
|
printf '%s: ERROR: mktemp failed\n' "$0" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
- local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
||||||
|
+ L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
||||||
|
# shellcheck disable=SC2064
|
||||||
|
trap "$L_CLEANUP" EXIT TERM INT QUIT
|
||||||
|
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
|
||||||
|
@@ -237,7 +236,7 @@ populate_new_ids() {
|
||||||
|
# produce a one-liner to add the keys to remote authorized_keys file
|
||||||
|
# optionally takes an alternative path for authorized_keys
|
||||||
|
installkeys_sh() {
|
||||||
|
- local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
||||||
|
+ AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
||||||
|
|
||||||
|
# In setting INSTALLKEYS_SH:
|
||||||
|
# the tr puts it all on one line (to placate tcsh)
|
||||||
|
--
|
||||||
|
|
||||||
|
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||||
|
index 11c9463..ee3f637 100755
|
||||||
|
--- a/contrib/ssh-copy-id
|
||||||
|
+++ b/contrib/ssh-copy-id
|
||||||
|
@@ -237,6 +237,7 @@ populate_new_ids() {
|
||||||
|
# optionally takes an alternative path for authorized_keys
|
||||||
|
installkeys_sh() {
|
||||||
|
AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
||||||
|
+ AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
|
||||||
|
|
||||||
|
# In setting INSTALLKEYS_SH:
|
||||||
|
# the tr puts it all on one line (to placate tcsh)
|
||||||
|
@@ -249,7 +250,7 @@ installkeys_sh() {
|
||||||
|
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
||||||
|
cd;
|
||||||
|
umask 077;
|
||||||
|
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
||||||
|
+ mkdir -p "${AUTH_KEY_DIR}" &&
|
||||||
|
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
||||||
|
cat >> ${AUTH_KEY_FILE} ||
|
||||||
|
exit 1;
|
||||||
|
--
|
|
@ -0,0 +1,21 @@
|
||||||
|
# I do not know about any better place where to put profile files
|
||||||
|
addFilter(r'openssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-ssh-askpass.c?sh')
|
||||||
|
|
||||||
|
# The ssh-keysign is not supposed to have standard permissions
|
||||||
|
addFilter(r'openssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/ssh-keysign 2555')
|
||||||
|
addFilter(r'openssh.x86_64: E: setgid-binary /usr/libexec/openssh/ssh-keysign ssh_keys 2555')
|
||||||
|
addFilter(r'openssh.x86_64: W: non-standard-gid /usr/libexec/openssh/ssh-keysign ssh_keys')
|
||||||
|
|
||||||
|
# The -cavs subpackage is internal without documentation
|
||||||
|
# The -askpass is not intended to be used directly so it is missing documentation
|
||||||
|
addFilter(r'openssh-(askpass|cavs).x86_64: W: no-documentation')
|
||||||
|
|
||||||
|
# sshd config and sysconfig is not supposed to be world readable
|
||||||
|
addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)')
|
||||||
|
|
||||||
|
# The /var/empty/sshd is supposed to have the given permissions
|
||||||
|
addFilter(r'non-standard-dir-perm /var/empty/sshd 711')
|
||||||
|
addFilter(r'non-standard-dir-in-var empty')
|
||||||
|
|
||||||
|
# Spelling false-positives
|
||||||
|
addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ')
|
526
openssh.spec
526
openssh.spec
|
@ -29,9 +29,6 @@
|
||||||
# Do we want libedit support
|
# Do we want libedit support
|
||||||
%global libedit 1
|
%global libedit 1
|
||||||
|
|
||||||
# Do we want LDAP support
|
|
||||||
%global ldap 1
|
|
||||||
|
|
||||||
# Whether to build pam_ssh_agent_auth
|
# Whether to build pam_ssh_agent_auth
|
||||||
%if 0%{?!nopam:1}
|
%if 0%{?!nopam:1}
|
||||||
%global pam_ssh_agent 1
|
%global pam_ssh_agent 1
|
||||||
|
@ -52,34 +49,23 @@
|
||||||
# rpm -ba|--rebuild --define "static_openssl 1"
|
# rpm -ba|--rebuild --define "static_openssl 1"
|
||||||
%{?static_openssl:%global static_libcrypto 1}
|
%{?static_openssl:%global static_libcrypto 1}
|
||||||
|
|
||||||
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
|
|
||||||
%global rescue 0
|
|
||||||
%{?build_rescue:%global rescue 1}
|
|
||||||
%{?build_rescue:%global rescue_rel rescue}
|
|
||||||
|
|
||||||
# Turn off some stuff for resuce builds
|
|
||||||
%if %{rescue}
|
|
||||||
%global kerberos5 0
|
|
||||||
%global libedit 0
|
|
||||||
%global pam_ssh_agent 0
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 7.6p1
|
%global openssh_ver 8.4p1
|
||||||
%global openssh_rel 3
|
%global openssh_rel 4
|
||||||
%global pam_ssh_agent_ver 0.10.3
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 3
|
%global pam_ssh_agent_rel 1
|
||||||
|
|
||||||
Summary: An open source implementation of SSH protocol version 2
|
Summary: An open source implementation of SSH protocol version 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
Version: %{openssh_ver}
|
Version: %{openssh_ver}
|
||||||
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
|
Release: %{openssh_rel}%{?dist}
|
||||||
URL: http://www.openssh.com/portable.html
|
URL: http://www.openssh.com/portable.html
|
||||||
#URL1: http://pamsshagentauth.sourceforge.net
|
#URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
|
||||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||||
Source2: sshd.pam
|
Source2: sshd.pam
|
||||||
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
|
Source3: DJM-GPG-KEY.gpg
|
||||||
|
Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
|
||||||
Source5: pam_ssh_agent-rmheaders
|
Source5: pam_ssh_agent-rmheaders
|
||||||
Source6: ssh-keycat.pam
|
Source6: ssh-keycat.pam
|
||||||
Source7: sshd.sysconfig
|
Source7: sshd.sysconfig
|
||||||
|
@ -91,18 +77,8 @@ Source13: sshd-keygen
|
||||||
Source14: sshd.tmpfiles
|
Source14: sshd.tmpfiles
|
||||||
Source15: sshd-keygen.target
|
Source15: sshd-keygen.target
|
||||||
|
|
||||||
# Internal debug
|
|
||||||
Patch0: openssh-5.9p1-wIm.patch
|
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
||||||
Patch100: openssh-6.7p1-coverity.patch
|
Patch100: openssh-6.7p1-coverity.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
|
|
||||||
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
|
|
||||||
#Patch102: openssh-5.8p1-getaddrinfo.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1889
|
|
||||||
Patch103: openssh-5.8p1-packet.patch
|
|
||||||
# OpenSSL 1.1.0 compatibility
|
|
||||||
Patch104: openssh-7.3p1-openssl-1.1.0.patch
|
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
|
||||||
|
@ -128,12 +104,9 @@ Patch306: pam_ssh_agent_auth-0.10.2-compat.patch
|
||||||
Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch
|
Patch307: pam_ssh_agent_auth-0.10.2-dereference.patch
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
|
||||||
Patch400: openssh-6.6p1-role-mls.patch
|
Patch400: openssh-7.8p1-role-mls.patch
|
||||||
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
|
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
|
||||||
Patch404: openssh-6.6p1-privsep-selinux.patch
|
Patch404: openssh-6.6p1-privsep-selinux.patch
|
||||||
|
|
||||||
#?-- unwanted child :(
|
|
||||||
Patch501: openssh-6.7p1-ldap.patch
|
|
||||||
#?
|
#?
|
||||||
Patch502: openssh-6.6p1-keycat.patch
|
Patch502: openssh-6.6p1-keycat.patch
|
||||||
|
|
||||||
|
@ -149,19 +122,15 @@ Patch607: openssh-5.8p2-sigpipe.patch
|
||||||
Patch609: openssh-7.2p2-x11.patch
|
Patch609: openssh-7.2p2-x11.patch
|
||||||
|
|
||||||
#?
|
#?
|
||||||
Patch700: openssh-7.2p1-fips.patch
|
Patch700: openssh-7.7p1-fips.patch
|
||||||
#?
|
#?
|
||||||
Patch702: openssh-5.1p1-askpass-progress.patch
|
Patch702: openssh-5.1p1-askpass-progress.patch
|
||||||
#https://bugzilla.redhat.com/show_bug.cgi?id=198332
|
#https://bugzilla.redhat.com/show_bug.cgi?id=198332
|
||||||
Patch703: openssh-4.3p2-askpass-grab-info.patch
|
Patch703: openssh-4.3p2-askpass-grab-info.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
|
||||||
Patch707: openssh-6.6p1-redhat.patch
|
Patch707: openssh-7.7p1-redhat.patch
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
|
|
||||||
Patch708: openssh-6.6p1-entropy.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
|
|
||||||
Patch709: openssh-6.2p1-vendor.patch
|
|
||||||
# warn users for unsupported UsePAM=no (#757545)
|
# warn users for unsupported UsePAM=no (#757545)
|
||||||
Patch711: openssh-7.2p2-UsePAM-UseLogin-warning.patch
|
Patch711: openssh-7.8p1-UsePAM-warning.patch
|
||||||
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
|
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
|
||||||
Patch712: openssh-6.3p1-ctr-evp-fast.patch
|
Patch712: openssh-6.3p1-ctr-evp-fast.patch
|
||||||
# add cavs test binary for the aes-ctr
|
# add cavs test binary for the aes-ctr
|
||||||
|
@ -169,58 +138,35 @@ Patch713: openssh-6.6p1-ctr-cavstest.patch
|
||||||
# add SSH KDF CAVS test driver
|
# add SSH KDF CAVS test driver
|
||||||
Patch714: openssh-6.7p1-kdf-cavs.patch
|
Patch714: openssh-6.7p1-kdf-cavs.patch
|
||||||
|
|
||||||
|
# GSSAPI Key Exchange (RFC 4462 + RFC 8732)
|
||||||
#http://www.sxw.org.uk/computing/patches/openssh.html
|
# from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
|
||||||
#changed cache storage type - #848228
|
Patch800: openssh-8.0p1-gssapi-keyex.patch
|
||||||
Patch800: openssh-7.2p1-gsskex.patch
|
|
||||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||||
Patch801: openssh-6.6p1-force_krb.patch
|
Patch801: openssh-6.6p1-force_krb.patch
|
||||||
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
|
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
|
||||||
# CVE-2014-9278
|
# CVE-2014-9278
|
||||||
Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
|
Patch802: openssh-6.6p1-GSSAPIEnablek5users.patch
|
||||||
# Documentation about GSSAPI
|
# Improve ccache handling in openssh (#991186, #1199363, #1566494)
|
||||||
# from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765655
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=2775
|
||||||
Patch803: openssh-7.1p1-gssapi-documentation.patch
|
Patch804: openssh-7.7p1-gssapi-new-unique.patch
|
||||||
# use default_ccache_name from /etc/krb5.conf (#991186)
|
|
||||||
Patch804: openssh-6.3p1-krb5-use-default_ccache_name.patch
|
|
||||||
# Respect k5login_directory option in krk5.conf (#1328243)
|
# Respect k5login_directory option in krk5.conf (#1328243)
|
||||||
Patch805: openssh-7.2p2-k5login_directory.patch
|
Patch805: openssh-7.2p2-k5login_directory.patch
|
||||||
# Do not export KRBCCNAME if the default path is used (#1199363)
|
|
||||||
Patch806: openssh-7.5p1-gss-environment.patch
|
|
||||||
# Support SHA2 in GSS key exchanges from draft-ssorce-gss-keyex-sha2-02
|
|
||||||
Patch807: openssh-7.5p1-gssapi-kex-with-ec.patch
|
|
||||||
|
|
||||||
Patch900: openssh-6.1p1-gssapi-canohost.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
||||||
Patch901: openssh-6.6p1-kuserok.patch
|
Patch901: openssh-6.6p1-kuserok.patch
|
||||||
# Use tty allocation for a remote scp (#985650)
|
# Use tty allocation for a remote scp (#985650)
|
||||||
Patch906: openssh-6.4p1-fromto-remote.patch
|
Patch906: openssh-6.4p1-fromto-remote.patch
|
||||||
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
|
# privsep_preauth: use SELinux context from selinux-policy (#1008580)
|
||||||
Patch916: openssh-6.6.1p1-selinux-contexts.patch
|
Patch916: openssh-6.6.1p1-selinux-contexts.patch
|
||||||
# use different values for DH for Cisco servers (#1026430)
|
|
||||||
Patch917: openssh-6.6.1p1-cisco-dh-keys.patch
|
|
||||||
# log via monitor in chroots without /dev/log (#2681)
|
# log via monitor in chroots without /dev/log (#2681)
|
||||||
Patch918: openssh-6.6.1p1-log-in-chroot.patch
|
Patch918: openssh-6.6.1p1-log-in-chroot.patch
|
||||||
# scp file into non-existing directory (#1142223)
|
# scp file into non-existing directory (#1142223)
|
||||||
Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
|
Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
|
||||||
# Config parser shouldn't accept ip/port syntax (#1130733)
|
|
||||||
Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
|
|
||||||
# restore tcp wrappers support, based on Debian patch
|
|
||||||
# https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
|
|
||||||
Patch921: openssh-6.7p1-debian-restore-tcp-wrappers.patch
|
|
||||||
# apply upstream patch and make sshd -T more consistent (#1187521)
|
# apply upstream patch and make sshd -T more consistent (#1187521)
|
||||||
Patch922: openssh-6.8p1-sshdT-output.patch
|
Patch922: openssh-6.8p1-sshdT-output.patch
|
||||||
# Add sftp option to force mode of created files (#1191055)
|
# Add sftp option to force mode of created files (#1191055)
|
||||||
Patch926: openssh-6.7p1-sftp-force-permission.patch
|
Patch926: openssh-6.7p1-sftp-force-permission.patch
|
||||||
# Memory problems
|
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=2401
|
|
||||||
Patch928: openssh-6.8p1-memory-problems.patch
|
|
||||||
# Restore compatible default (#89216)
|
|
||||||
Patch929: openssh-6.9p1-permit-root-login.patch
|
|
||||||
# Add GSSAPIKexAlgorithms option for server and client application
|
|
||||||
Patch932: openssh-7.0p1-gssKexAlgorithms.patch
|
|
||||||
# Possibility to validate legacy systems by more fingerprints (#1249626)(#2439)
|
|
||||||
Patch933: openssh-7.0p1-show-more-fingerprints.patch
|
|
||||||
# make s390 use /dev/ crypto devices -- ignore closefrom
|
# make s390 use /dev/ crypto devices -- ignore closefrom
|
||||||
Patch939: openssh-7.2p2-s390-closefrom.patch
|
Patch939: openssh-7.2p2-s390-closefrom.patch
|
||||||
# Move MAX_DISPLAYS to a configuration option (#1341302)
|
# Move MAX_DISPLAYS to a configuration option (#1341302)
|
||||||
|
@ -231,16 +177,33 @@ Patch948: openssh-7.4p1-systemd.patch
|
||||||
Patch949: openssh-7.6p1-cleanup-selinux.patch
|
Patch949: openssh-7.6p1-cleanup-selinux.patch
|
||||||
# Sandbox adjustments for s390 and audit
|
# Sandbox adjustments for s390 and audit
|
||||||
Patch950: openssh-7.5p1-sandbox.patch
|
Patch950: openssh-7.5p1-sandbox.patch
|
||||||
# PermitOpen bug in OpenSSH 7.6:
|
# PKCS#11 URIs (upstream #2817, 2nd iteration)
|
||||||
Patch951: openssh-7.6p1-permitopen-bug.patch
|
# https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
|
||||||
|
# git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
|
||||||
|
Patch951: openssh-8.0p1-pkcs11-uri.patch
|
||||||
|
# Unbreak scp between two IPv6 hosts (#1620333)
|
||||||
|
Patch953: openssh-7.8p1-scp-ipv6.patch
|
||||||
|
# ssh-copy-id is unmaintained: Aggreagete patches
|
||||||
|
# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
|
||||||
|
Patch958: openssh-7.9p1-ssh-copy-id.patch
|
||||||
|
# Mention crypto-policies in manual pages (#1668325)
|
||||||
|
Patch962: openssh-8.0p1-crypto-policies.patch
|
||||||
|
# Use OpenSSL high-level API to produce and verify signatures (#1707485)
|
||||||
|
Patch963: openssh-8.0p1-openssl-evp.patch
|
||||||
|
# Use OpenSSL KDF (#1631761)
|
||||||
|
Patch964: openssh-8.0p1-openssl-kdf.patch
|
||||||
|
# sk-dummy.so built with -fvisibility=hidden does not work
|
||||||
|
Patch965: openssh-8.2p1-visibility.patch
|
||||||
|
# Do not break X11 without IPv6
|
||||||
|
Patch966: openssh-8.2p1-x11-without-ipv6.patch
|
||||||
|
Patch967: openssh-8.4p1-ssh-copy-id.patch
|
||||||
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
|
||||||
|
Patch968: openssh-8.4p1-sandbox-seccomp.patch
|
||||||
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
|
||||||
|
Patch969: openssh-8.4p1-debian-compat.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/Internet
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
Obsoletes: openssh-clients-fips, openssh-server-fips
|
|
||||||
Obsoletes: openssh-server-sysvinit
|
|
||||||
|
|
||||||
%if ! %{no_gnome_askpass}
|
%if ! %{no_gnome_askpass}
|
||||||
%if %{gtk2}
|
%if %{gtk2}
|
||||||
|
@ -251,18 +214,18 @@ BuildRequires: gnome-libs-devel
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
BuildRequires: openldap-devel
|
|
||||||
%endif
|
|
||||||
BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
|
BuildRequires: autoconf, automake, perl-interpreter, perl-generators, zlib-devel
|
||||||
BuildRequires: audit-libs-devel >= 2.0.5
|
BuildRequires: audit-libs-devel >= 2.0.5
|
||||||
BuildRequires: util-linux, groff
|
BuildRequires: util-linux, groff
|
||||||
BuildRequires: pam-devel
|
BuildRequires: pam-devel
|
||||||
BuildRequires: tcp_wrappers-devel
|
|
||||||
BuildRequires: fipscheck-devel >= 1.3.0
|
|
||||||
BuildRequires: openssl-devel >= 0.9.8j
|
BuildRequires: openssl-devel >= 0.9.8j
|
||||||
BuildRequires: perl-podlators
|
BuildRequires: perl-podlators
|
||||||
BuildRequires: systemd-devel
|
BuildRequires: systemd-devel
|
||||||
|
BuildRequires: gcc make
|
||||||
|
BuildRequires: p11-kit-devel
|
||||||
|
BuildRequires: libfido2-devel
|
||||||
|
Recommends: p11-kit
|
||||||
|
Obsoletes: openssh-ldap < 8.3p1-4
|
||||||
|
|
||||||
%if %{kerberos5}
|
%if %{kerberos5}
|
||||||
BuildRequires: krb5-devel
|
BuildRequires: krb5-devel
|
||||||
|
@ -280,54 +243,38 @@ BuildRequires: audit-libs >= 1.0.8
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
BuildRequires: xauth
|
BuildRequires: xauth
|
||||||
|
# for tarball signature verification
|
||||||
|
BuildRequires: gnupg2
|
||||||
|
|
||||||
%package clients
|
%package clients
|
||||||
Summary: An open source SSH client applications
|
Summary: An open source SSH client applications
|
||||||
Group: Applications/Internet
|
|
||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
Requires: crypto-policies >= 20200610-1
|
||||||
Recommends: crypto-policies
|
|
||||||
|
|
||||||
%package server
|
%package server
|
||||||
Summary: An open source SSH server daemon
|
Summary: An open source SSH server daemon
|
||||||
Group: System Environment/Daemons
|
|
||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
Requires(pre): /usr/sbin/useradd
|
Requires(pre): /usr/sbin/useradd
|
||||||
Requires: pam >= 1.0.1-3
|
Requires: pam >= 1.0.1-3
|
||||||
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
Requires: crypto-policies >= 20200610-1
|
||||||
Requires(post): systemd-units
|
%{?systemd_requires}
|
||||||
Requires(preun): systemd-units
|
|
||||||
Requires(postun): systemd-units
|
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
%package ldap
|
|
||||||
Summary: A LDAP support for open source SSH server daemon
|
|
||||||
Requires: openssh = %{version}-%{release}
|
|
||||||
Group: System Environment/Daemons
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%package keycat
|
%package keycat
|
||||||
Summary: A mls keycat backend for openssh
|
Summary: A mls keycat backend for openssh
|
||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
Group: System Environment/Daemons
|
|
||||||
|
|
||||||
%package askpass
|
%package askpass
|
||||||
Summary: A passphrase dialog for OpenSSH and X
|
Summary: A passphrase dialog for OpenSSH and X
|
||||||
Group: Applications/Internet
|
|
||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
Obsoletes: openssh-askpass-gnome
|
|
||||||
Provides: openssh-askpass-gnome
|
|
||||||
|
|
||||||
%package cavs
|
%package cavs
|
||||||
Summary: CAVS tests for FIPS validation
|
Summary: CAVS tests for FIPS validation
|
||||||
Group: Applications/Internet
|
|
||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
|
|
||||||
%package -n pam_ssh_agent_auth
|
%package -n pam_ssh_agent_auth
|
||||||
Summary: PAM module for authentication with ssh-agent
|
Summary: PAM module for authentication with ssh-agent
|
||||||
Group: System Environment/Base
|
|
||||||
Version: %{pam_ssh_agent_ver}
|
Version: %{pam_ssh_agent_ver}
|
||||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
|
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2
|
||||||
License: BSD
|
License: BSD
|
||||||
|
|
||||||
%description
|
%description
|
||||||
|
@ -355,12 +302,6 @@ into and executing commands on a remote machine. This package contains
|
||||||
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
|
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
|
||||||
securely connect to your SSH server.
|
securely connect to your SSH server.
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
%description ldap
|
|
||||||
OpenSSH LDAP backend is a way how to distribute the authorized tokens
|
|
||||||
among the servers in the network.
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%description keycat
|
%description keycat
|
||||||
OpenSSH mls keycat is backend for using the authorized keys in the
|
OpenSSH mls keycat is backend for using the authorized keys in the
|
||||||
openssh in the mls mode.
|
openssh in the mls mode.
|
||||||
|
@ -383,17 +324,11 @@ remote ssh-agent instance.
|
||||||
The module is most useful for su and sudo service stacks.
|
The module is most useful for su and sudo service stacks.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
|
gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
|
||||||
%setup -q -a 4
|
%setup -q -a 4
|
||||||
#Do not enable by default
|
|
||||||
%if 0
|
|
||||||
%patch0 -p1 -b .wIm
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# investigate %patch102 -p1 -b .getaddrinfo
|
|
||||||
%patch103 -p1 -b .packet
|
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
%if %{pam_ssh_agent}
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
%patch300 -p2 -b .psaa-build
|
%patch300 -p2 -b .psaa-build
|
||||||
%patch301 -p2 -b .psaa-seteuid
|
%patch301 -p2 -b .psaa-seteuid
|
||||||
%patch302 -p2 -b .psaa-visibility
|
%patch302 -p2 -b .psaa-visibility
|
||||||
|
@ -408,9 +343,6 @@ popd
|
||||||
%patch400 -p1 -b .role-mls
|
%patch400 -p1 -b .role-mls
|
||||||
%patch404 -p1 -b .privsep-selinux
|
%patch404 -p1 -b .privsep-selinux
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
%patch501 -p1 -b .ldap
|
|
||||||
%endif
|
|
||||||
%patch502 -p1 -b .keycat
|
%patch502 -p1 -b .keycat
|
||||||
|
|
||||||
%patch601 -p1 -b .ip-opts
|
%patch601 -p1 -b .ip-opts
|
||||||
|
@ -421,8 +353,6 @@ popd
|
||||||
%patch702 -p1 -b .progress
|
%patch702 -p1 -b .progress
|
||||||
%patch703 -p1 -b .grab-info
|
%patch703 -p1 -b .grab-info
|
||||||
%patch707 -p1 -b .redhat
|
%patch707 -p1 -b .redhat
|
||||||
%patch708 -p1 -b .entropy
|
|
||||||
%patch709 -p1 -b .vendor
|
|
||||||
%patch711 -p1 -b .log-usepam-no
|
%patch711 -p1 -b .log-usepam-no
|
||||||
%patch712 -p1 -b .evp-ctr
|
%patch712 -p1 -b .evp-ctr
|
||||||
%patch713 -p1 -b .ctr-cavs
|
%patch713 -p1 -b .ctr-cavs
|
||||||
|
@ -430,58 +360,49 @@ popd
|
||||||
#
|
#
|
||||||
%patch800 -p1 -b .gsskex
|
%patch800 -p1 -b .gsskex
|
||||||
%patch801 -p1 -b .force_krb
|
%patch801 -p1 -b .force_krb
|
||||||
%patch803 -p1 -b .gss-docs
|
|
||||||
%patch804 -p1 -b .ccache_name
|
%patch804 -p1 -b .ccache_name
|
||||||
%patch805 -p1 -b .k5login
|
%patch805 -p1 -b .k5login
|
||||||
%patch806 -p1 -b .gss-env
|
|
||||||
#
|
#
|
||||||
%patch900 -p1 -b .canohost
|
|
||||||
%patch901 -p1 -b .kuserok
|
%patch901 -p1 -b .kuserok
|
||||||
%patch906 -p1 -b .fromto-remote
|
%patch906 -p1 -b .fromto-remote
|
||||||
%patch916 -p1 -b .contexts
|
%patch916 -p1 -b .contexts
|
||||||
#%patch917 -p1 -b .cisco-dh # investigate
|
|
||||||
%patch918 -p1 -b .log-in-chroot
|
%patch918 -p1 -b .log-in-chroot
|
||||||
%patch919 -p1 -b .scp
|
%patch919 -p1 -b .scp
|
||||||
%patch920 -p1 -b .config
|
|
||||||
%patch802 -p1 -b .GSSAPIEnablek5users
|
%patch802 -p1 -b .GSSAPIEnablek5users
|
||||||
%patch921 -p1 -b .tcp_wrappers
|
|
||||||
%patch922 -p1 -b .sshdt
|
%patch922 -p1 -b .sshdt
|
||||||
%patch926 -p1 -b .sftp-force-mode
|
%patch926 -p1 -b .sftp-force-mode
|
||||||
%patch928 -p1 -b .memory
|
|
||||||
%patch929 -p1 -b .root-login
|
|
||||||
%patch932 -p1 -b .gsskexalg
|
|
||||||
%patch933 -p1 -b .fingerprint
|
|
||||||
%patch939 -p1 -b .s390-dev
|
%patch939 -p1 -b .s390-dev
|
||||||
%patch944 -p1 -b .x11max
|
%patch944 -p1 -b .x11max
|
||||||
%patch948 -p1 -b .systemd
|
%patch948 -p1 -b .systemd
|
||||||
%patch807 -p1 -b .gsskex-ec
|
|
||||||
%patch949 -p1 -b .refactor
|
%patch949 -p1 -b .refactor
|
||||||
%patch950 -p1 -b .sandbox
|
%patch950 -p1 -b .sandbox
|
||||||
%patch951 -p1 -b .permitOpen
|
%patch951 -p1 -b .pkcs11-uri
|
||||||
|
%patch953 -p1 -b .scp-ipv6
|
||||||
|
%patch958 -p1 -b .ssh-copy-id
|
||||||
|
%patch962 -p1 -b .crypto-policies
|
||||||
|
%patch963 -p1 -b .openssl-evp
|
||||||
|
%patch964 -p1 -b .openssl-kdf
|
||||||
|
%patch965 -p1 -b .visibility
|
||||||
|
%patch966 -p1 -b .x11-ipv6
|
||||||
|
%patch967 -p1 -b .ssh-copy-id
|
||||||
|
%patch968 -p1 -b .seccomp
|
||||||
|
%patch969 -p0 -b .debian
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
%patch700 -p1 -b .fips
|
%patch700 -p1 -b .fips
|
||||||
|
|
||||||
%patch100 -p1 -b .coverity
|
%patch100 -p1 -b .coverity
|
||||||
%patch104 -p1 -b .openssl
|
|
||||||
|
|
||||||
%if 0
|
|
||||||
# Nothing here yet
|
|
||||||
%endif
|
|
||||||
|
|
||||||
autoreconf
|
autoreconf
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
autoreconf
|
autoreconf
|
||||||
popd
|
popd
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
|
# the -fvisibility=hidden is needed for clean build of the pam_ssh_agent_auth
|
||||||
# and it makes the ssh build more clean and even optimized better
|
# it is needed for lib(open)ssh build too since it is linked to the pam module too
|
||||||
CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
|
CFLAGS="$RPM_OPT_FLAGS -fvisibility=hidden"; export CFLAGS
|
||||||
%if %{rescue}
|
|
||||||
CFLAGS="$CFLAGS -Os"
|
|
||||||
%endif
|
|
||||||
%if %{pie}
|
%if %{pie}
|
||||||
%ifarch s390 s390x sparc sparcv9 sparc64
|
%ifarch s390 s390x sparc sparcv9 sparc64
|
||||||
CFLAGS="$CFLAGS -fPIC"
|
CFLAGS="$CFLAGS -fPIC"
|
||||||
|
@ -515,25 +436,19 @@ fi
|
||||||
--sysconfdir=%{_sysconfdir}/ssh \
|
--sysconfdir=%{_sysconfdir}/ssh \
|
||||||
--libexecdir=%{_libexecdir}/openssh \
|
--libexecdir=%{_libexecdir}/openssh \
|
||||||
--datadir=%{_datadir}/openssh \
|
--datadir=%{_datadir}/openssh \
|
||||||
--with-tcp-wrappers \
|
--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
|
||||||
--with-default-path=/usr/local/bin:/usr/bin \
|
|
||||||
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
|
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
|
||||||
--with-privsep-path=%{_var}/empty/sshd \
|
--with-privsep-path=%{_var}/empty/sshd \
|
||||||
--enable-vendor-patchlevel="FC-%{openssh_ver}-%{openssh_rel}" \
|
|
||||||
--disable-strip \
|
--disable-strip \
|
||||||
--without-zlib-version-check \
|
--without-zlib-version-check \
|
||||||
--with-ssl-engine \
|
--with-ssl-engine \
|
||||||
--with-ipaddr-display \
|
--with-ipaddr-display \
|
||||||
--with-pie=no \
|
--with-pie=no \
|
||||||
|
--without-hardening `# The hardening flags are configured by system` \
|
||||||
--with-systemd \
|
--with-systemd \
|
||||||
%if %{ldap}
|
--with-default-pkcs11-provider=yes \
|
||||||
--with-ldap \
|
--with-security-key-builtin=yes \
|
||||||
%endif
|
|
||||||
%if %{rescue}
|
|
||||||
--without-pam \
|
|
||||||
%else
|
|
||||||
--with-pam \
|
--with-pam \
|
||||||
%endif
|
|
||||||
%if %{WITH_SELINUX}
|
%if %{WITH_SELINUX}
|
||||||
--with-selinux --with-audit=linux \
|
--with-selinux --with-audit=linux \
|
||||||
--with-sandbox=seccomp_filter \
|
--with-sandbox=seccomp_filter \
|
||||||
|
@ -553,10 +468,10 @@ fi
|
||||||
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
|
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
make
|
%make_build
|
||||||
|
|
||||||
# Define a variable to toggle gnome1/gtk2 building. This is necessary
|
# Define a variable to toggle gnome1/gtk2 building. This is necessary
|
||||||
# because RPM doesn't handle nested %if statements.
|
# because RPM doesn't handle nested %%if statements.
|
||||||
%if %{gtk2}
|
%if %{gtk2}
|
||||||
gtk2=yes
|
gtk2=yes
|
||||||
%else
|
%else
|
||||||
|
@ -578,21 +493,16 @@ popd
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
%if %{pam_ssh_agent}
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
LDFLAGS="$SAVE_LDFLAGS"
|
LDFLAGS="$SAVE_LDFLAGS"
|
||||||
%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
|
%configure --with-selinux \
|
||||||
make
|
--libexecdir=/%{_libdir}/security \
|
||||||
|
--with-mantype=man \
|
||||||
|
--without-openssl-header-check `# The check is broken`
|
||||||
|
%make_build
|
||||||
popd
|
popd
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Add generation of HMAC checksums of the final stripped binaries
|
|
||||||
%global __spec_install_post \
|
|
||||||
%%{?__debug_package:%%{__debug_install_post}} \
|
|
||||||
%%{__arch_install_post} \
|
|
||||||
%%{__os_install_post} \
|
|
||||||
fipshmac -d $RPM_BUILD_ROOT%{_libdir}/fipscheck $RPM_BUILD_ROOT%{_bindir}/ssh $RPM_BUILD_ROOT%{_sbindir}/sshd \
|
|
||||||
%{nil}
|
|
||||||
|
|
||||||
%check
|
%check
|
||||||
#to run tests use "--with check"
|
#to run tests use "--with check"
|
||||||
%if %{?_with_check:1}%{!?_with_check:0}
|
%if %{?_with_check:1}%{!?_with_check:0}
|
||||||
|
@ -603,19 +513,19 @@ make tests
|
||||||
rm -rf $RPM_BUILD_ROOT
|
rm -rf $RPM_BUILD_ROOT
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
|
||||||
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT
|
%make_install
|
||||||
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf
|
|
||||||
|
|
||||||
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
||||||
install -d $RPM_BUILD_ROOT/etc/sysconfig/
|
install -d $RPM_BUILD_ROOT/etc/sysconfig/
|
||||||
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||||
install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck
|
|
||||||
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
|
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||||
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
|
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
|
||||||
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
|
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
|
||||||
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf
|
install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/50-redhat.conf
|
||||||
|
install -m644 sshd_config_redhat $RPM_BUILD_ROOT/etc/ssh/sshd_config.d/50-redhat.conf
|
||||||
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
|
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
|
||||||
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
|
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
|
||||||
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
||||||
|
@ -645,13 +555,10 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
|
||||||
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
|
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
%if %{pam_ssh_agent}
|
||||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||||
make install DESTDIR=$RPM_BUILD_ROOT
|
%make_install
|
||||||
popd
|
popd
|
||||||
%endif
|
%endif
|
||||||
%clean
|
|
||||||
rm -rf $RPM_BUILD_ROOT
|
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
|
getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
|
||||||
|
|
||||||
|
@ -663,6 +570,17 @@ getent passwd sshd >/dev/null || \
|
||||||
|
|
||||||
%post server
|
%post server
|
||||||
%systemd_post sshd.service sshd.socket
|
%systemd_post sshd.service sshd.socket
|
||||||
|
# Migration scriptlet for Fedora 31 and 32 installations to sshd_config
|
||||||
|
# drop-in directory (in F32+).
|
||||||
|
# Do this only if the file generated by anaconda exists, contains our config
|
||||||
|
# directive and sshd_config contains include directive as shipped in our package
|
||||||
|
%global sysconfig_anaconda /etc/sysconfig/sshd-permitrootlogin
|
||||||
|
test -f %{sysconfig_anaconda} && \
|
||||||
|
test ! -f /etc/ssh/sshd_config.d/01-permitrootlogin.conf && \
|
||||||
|
grep -q '^PERMITROOTLOGIN="-oPermitRootLogin=yes"' %{sysconfig_anaconda} && \
|
||||||
|
grep -q '^Include /etc/ssh/sshd_config.d/\*.conf' /etc/ssh/sshd_config && \
|
||||||
|
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config.d/25-permitrootlogin.conf && \
|
||||||
|
rm %{sysconfig_anaconda} || :
|
||||||
|
|
||||||
%preun server
|
%preun server
|
||||||
%systemd_preun sshd.service sshd.socket
|
%systemd_preun sshd.service sshd.socket
|
||||||
|
@ -672,47 +590,42 @@ getent passwd sshd >/dev/null || \
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license LICENCE
|
%license LICENCE
|
||||||
%doc CREDITS ChangeLog INSTALL OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
|
%doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||||
%if ! %{rescue}
|
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||||
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
||||||
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
%attr(2555,root,ssh_keys) %{_libexecdir}/openssh/ssh-keysign
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||||
%endif
|
|
||||||
|
|
||||||
%files clients
|
%files clients
|
||||||
%attr(0755,root,root) %{_bindir}/ssh
|
%attr(0755,root,root) %{_bindir}/ssh
|
||||||
%attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac
|
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
|
||||||
%attr(0755,root,root) %{_bindir}/scp
|
%attr(0755,root,root) %{_bindir}/scp
|
||||||
%attr(0644,root,root) %{_mandir}/man1/scp.1*
|
%attr(0644,root,root) %{_mandir}/man1/scp.1*
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||||
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
|
%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d/
|
||||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/50-redhat.conf
|
||||||
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
|
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
|
||||||
%if ! %{rescue}
|
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-agent
|
%attr(0755,root,root) %{_bindir}/ssh-agent
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-add
|
%attr(0755,root,root) %{_bindir}/ssh-add
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
||||||
%attr(0755,root,root) %{_bindir}/sftp
|
%attr(0755,root,root) %{_bindir}/sftp
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-copy-id
|
%attr(0755,root,root) %{_bindir}/ssh-copy-id
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
|
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
|
||||||
|
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||||
%endif
|
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
|
||||||
|
|
||||||
%if ! %{rescue}
|
|
||||||
%files server
|
%files server
|
||||||
%dir %attr(0711,root,root) %{_var}/empty/sshd
|
%dir %attr(0711,root,root) %{_var}/empty/sshd
|
||||||
%attr(0755,root,root) %{_sbindir}/sshd
|
%attr(0755,root,root) %{_sbindir}/sshd
|
||||||
%attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
|
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
|
||||||
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
||||||
|
@ -720,6 +633,8 @@ getent passwd sshd >/dev/null || \
|
||||||
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
|
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
|
||||||
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||||
|
%dir %attr(0700,root,root) %{_sysconfdir}/ssh/sshd_config.d/
|
||||||
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/50-redhat.conf
|
||||||
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
|
%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
|
||||||
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
|
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd.service
|
%attr(0644,root,root) %{_unitdir}/sshd.service
|
||||||
|
@ -728,17 +643,6 @@ getent passwd sshd >/dev/null || \
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
||||||
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
|
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
|
||||||
%endif
|
|
||||||
|
|
||||||
%if %{ldap}
|
|
||||||
%files ldap
|
|
||||||
%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf
|
|
||||||
%doc openssh-lpk-openldap.ldif openssh-lpk-sun.ldif
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper
|
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8*
|
|
||||||
%attr(0644,root,root) %{_mandir}/man5/ssh-ldap.conf.5*
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%files keycat
|
%files keycat
|
||||||
%doc HOWTO.ssh-keycat
|
%doc HOWTO.ssh-keycat
|
||||||
|
@ -759,12 +663,228 @@ getent passwd sshd >/dev/null || \
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
%if %{pam_ssh_agent}
|
||||||
%files -n pam_ssh_agent_auth
|
%files -n pam_ssh_agent_auth
|
||||||
%license pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
|
%license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
|
||||||
%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
|
%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
|
||||||
%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
|
%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1
|
||||||
|
- Remove "PasswordAuthentication yes" from vendor configuration as it is
|
||||||
|
already default and it might be hard to override.
|
||||||
|
- Fix broken obsoletes for openssh-ldap (#1902084)
|
||||||
|
|
||||||
|
* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-3 + 0.10.4-1
|
||||||
|
- Unbreak seccomp filter on arm (#1897712)
|
||||||
|
- Add a workaround for Debian's broken OpenSSH (#1881301)
|
||||||
|
|
||||||
|
* Tue Oct 06 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-2 + 0.10.4-1
|
||||||
|
- Unbreak ssh-copy-id after a release (#1884231)
|
||||||
|
- Remove misleading comment from sysconfig
|
||||||
|
|
||||||
|
* Tue Sep 29 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-1 + 0.10.4-1
|
||||||
|
- New upstream release of OpenSSH and pam_ssh_agent_auth (#1882995)
|
||||||
|
|
||||||
|
* Fri Aug 21 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-4 + 0.10.3-10
|
||||||
|
- Remove openssh-ldap subpackage (#1871025)
|
||||||
|
- pkcs11: Do not crash with invalid paths in ssh-agent (#1868996)
|
||||||
|
- Clarify documentation about sftp-server -m (#1862504)
|
||||||
|
|
||||||
|
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.3p1-3.1
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Jun 10 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-3 + 0.10.3-10
|
||||||
|
- Do not lose PIN when more slots match PKCS#11 URI (#1843372)
|
||||||
|
- Update to new crypto-policies version on server (using sshd_config include)
|
||||||
|
- Move redhat configuraion files to larger number to allow simpler override
|
||||||
|
- Move sshd_config include before any other definitions (#1824913)
|
||||||
|
|
||||||
|
* Mon Jun 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-2 + 0.10.3-10
|
||||||
|
- Fix crash on cleanup (#1842281)
|
||||||
|
|
||||||
|
* Wed May 27 2020 Jakub Jelen <jjelen@redhat.com> - 8.3p1-1 + 0.10.3-10
|
||||||
|
- New upstream release (#1840503)
|
||||||
|
- Unbreak corner cases of sshd_config include
|
||||||
|
- Fix order of gssapi key exchange algorithms
|
||||||
|
|
||||||
|
* Wed Apr 08 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-3 + 0.10.3-9
|
||||||
|
- Simplify reference to crypto policies in configuration files
|
||||||
|
- Unbreak gssapi authentication with GSSAPITrustDNS over jump hosts
|
||||||
|
- Correctly print FIPS mode initialized in debug mode
|
||||||
|
- Enable SHA2-based GSSAPI key exchange methods (#1666781)
|
||||||
|
- Do not break X11 forwarding when IPv6 is disabled
|
||||||
|
- Remove fipscheck dependency as OpenSSH is no longer FIPS module
|
||||||
|
- Improve documentation about crypto policies defaults in manual pages
|
||||||
|
|
||||||
|
* Thu Feb 20 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-2 + 0.10.3-9
|
||||||
|
- Build against libfido2 to unbreak internal u2f support
|
||||||
|
|
||||||
|
* Mon Feb 17 2020 Jakub Jelen <jjelen@redhat.com> - 8.2p1-1 + 0.10.3-9
|
||||||
|
- New upstrem reelase (#1803290)
|
||||||
|
- New /etc/ssh/sshd_config.d drop in directory
|
||||||
|
- Support for U2F security keys
|
||||||
|
- Correctly report invalid key permissions (#1801459)
|
||||||
|
- Do not write bogus information on stderr in FIPS mode (#1778224)
|
||||||
|
|
||||||
|
* Mon Feb 03 2020 Jakub Jelen <jjelen@redhat.com> - 8.1p1-4 + 0.10.3-8
|
||||||
|
- Unbreak seccomp filter on ARM (#1796267)
|
||||||
|
|
||||||
|
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.1p1-3.1
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|
* Wed Nov 27 2019 Jakub Jelen <jjelen@redhat.com> - 8.1p1-3 + 0.10.3-8
|
||||||
|
- Unbreak seccomp filter also on ARM (#1777054)
|
||||||
|
|
||||||
|
* Thu Nov 14 2019 Jakub Jelen <jjelen@redhat.com> - 8.1p1-2 + 0.10.3-8
|
||||||
|
- Unbreak seccomp filter with latest glibc (#1771946)
|
||||||
|
|
||||||
|
* Wed Oct 09 2019 Jakub Jelen <jjelen@redhat.com> - 8.1p1-1 + 0.10.3-8
|
||||||
|
- New upstream release (#1759750)
|
||||||
|
|
||||||
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 8.0p1-8.1
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 23 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-8 + 0.10.3-7
|
||||||
|
- Use the upstream-accepted version of the PKCS#8 PEM support (#1722285)
|
||||||
|
|
||||||
|
* Fri Jul 12 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-7 + 0.10.3-7
|
||||||
|
- Use the environment file under /etc/sysconfig for anaconda configuration (#1722928)
|
||||||
|
|
||||||
|
* Wed Jul 03 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-6 + 0.10.3-7
|
||||||
|
- Provide the entry point for anaconda configuration in service file (#1722928)
|
||||||
|
|
||||||
|
* Wed Jun 26 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-5 + 0.10.3-7
|
||||||
|
- Disable root password logins (#1722928)
|
||||||
|
- Fix typo in manual pages related to crypto-policies
|
||||||
|
- Fix the gating test to make sure it removes the test user
|
||||||
|
- Cleanu up spec file and get rid of some rpmlint warnings
|
||||||
|
|
||||||
|
* Mon Jun 17 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-4 + 0.10.3-7
|
||||||
|
- Compatibility with ibmca engine for ECC
|
||||||
|
- Generate more modern PEM files using new OpenSSL API
|
||||||
|
- Provide correct signature types for RSA keys using SHA2 from agent
|
||||||
|
|
||||||
|
* Mon May 27 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-3 + 0.10.3-7
|
||||||
|
- Remove problematic patch updating cached pw structure
|
||||||
|
- Do not require the labels on the public objects (#1710832)
|
||||||
|
|
||||||
|
* Tue May 14 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-2 + 0.10.3-7
|
||||||
|
- Use OpenSSL KDF
|
||||||
|
- Use high-level OpenSSL API for signatures handling
|
||||||
|
- Mention crypto-policies in manual pages instead of hardcoded defaults
|
||||||
|
- Verify in package testsuite that SCP vulnerabilities are fixed
|
||||||
|
- Do not fail in FIPS mode, when unsupported algorithm is listed in configuration
|
||||||
|
|
||||||
|
* Fri Apr 26 2019 Jakub Jelen <jjelen@redhat.com> - 8.0p1-1 + 0.10.3-7
|
||||||
|
- New upstream release (#1701072)
|
||||||
|
- Removed support for VendroPatchLevel configuration option
|
||||||
|
- Significant rework of GSSAPI Key Exchange
|
||||||
|
- Significant rework of PKCS#11 URI support
|
||||||
|
|
||||||
|
* Mon Mar 11 2019 Jakub Jelen <jjelen@redhat.com> - 7.9p1-5 + 0.10.3.6
|
||||||
|
- Fix kerberos cleanup procedures with GSSAPI
|
||||||
|
- Update cached passwd structure after PAM authentication
|
||||||
|
- Do not fall back to sshd_net_t SELinux context
|
||||||
|
- Fix corner cases of PKCS#11 URI implementation
|
||||||
|
- Do not negotiate arbitrary primes with DH GEX in FIPS
|
||||||
|
|
||||||
|
* Wed Feb 06 2019 Jakub Jelen <jjelen@redhat.com> - 7.9p1-4 + 0.10.3.6
|
||||||
|
- Log when a client requests an interactive session and only sftp is allowed
|
||||||
|
- Fix minor issues in ssh-copy-id
|
||||||
|
- Enclose redhat specific configuration with Match final block
|
||||||
|
|
||||||
|
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.9p1-3.2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||||
|
|
||||||
|
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 7.9p1-3.1
|
||||||
|
- Rebuilt for libcrypt.so.2 (#1666033)
|
||||||
|
|
||||||
|
* Mon Jan 14 2019 Jakub Jelen <jjelen@redhat.com> - 7.9p1-3 + 0.10.3.6
|
||||||
|
- Backport Match final to unbreak canonicalization with crypto-policies (#1630166)
|
||||||
|
- gsskex: Dump correct option
|
||||||
|
- Backport several fixes from 7_9 branch, mostly related to certificate authentication (#1665611)
|
||||||
|
- Backport patch for CVE-2018-20685 (#1665786)
|
||||||
|
- Correctly initialize ECDSA key structures from PKCS#11
|
||||||
|
|
||||||
|
* Wed Nov 14 2018 Jakub Jelen <jjelen@redhat.com> - 7.9p1-2 + 0.10.3-6
|
||||||
|
- Fix LDAP configure test (#1642414)
|
||||||
|
- Avoid segfault on kerberos authentication failure
|
||||||
|
- Reference correct file in configuration example (#1643274)
|
||||||
|
- Dump missing GSSAPI configuration options
|
||||||
|
- Allow to disable RSA signatures with SHA-1
|
||||||
|
|
||||||
|
* Fri Oct 19 2018 Jakub Jelen <jjelen@redhat.com> - 7.9p1-1 + 0.10.3-6
|
||||||
|
- New upstream release OpenSSH 7.9p1 (#1632902, #1630166)
|
||||||
|
- Honor GSSAPIServerIdentity option for GSSAPI key exchange
|
||||||
|
- Do not break gsssapi-keyex authentication method when specified in
|
||||||
|
AuthenticationMethods
|
||||||
|
- Follow the system-wide PATH settings (#1633756)
|
||||||
|
- Address some coverity issues
|
||||||
|
|
||||||
|
* Mon Sep 24 2018 Jakub Jelen <jjelen@redhat.com> - 7.8p1-3 + 0.10.3-5
|
||||||
|
- Disable OpenSSH hardening flags and use the ones provided by system
|
||||||
|
- Ignore unknown parts of PKCS#11 URI
|
||||||
|
- Do not fail with GSSAPI enabled in match blocks (#1580017)
|
||||||
|
- Fix the segfaulting cavs test (#1628962)
|
||||||
|
|
||||||
|
* Fri Aug 31 2018 Jakub Jelen <jjelen@redhat.com> - 7.8p1-2 + 0.10.3-5
|
||||||
|
- New upstream release fixing CVE 2018-15473
|
||||||
|
- Remove unused patches
|
||||||
|
- Remove reference to unused enviornment variable SSH_USE_STRONG_RNG
|
||||||
|
- Address coverity issues
|
||||||
|
- Unbreak scp between two IPv6 hosts
|
||||||
|
- Unbreak GSSAPI key exchange (#1624344)
|
||||||
|
- Unbreak rekeying with GSSAPI key exchange (#1624344)
|
||||||
|
|
||||||
|
* Thu Aug 09 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-6 + 0.10.3-4
|
||||||
|
- Fix listing of kex algoritms in FIPS mode
|
||||||
|
- Allow aes-gcm cipher modes in FIPS mode
|
||||||
|
- Coverity fixes
|
||||||
|
|
||||||
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.7p1-5.1
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
* Tue Jul 03 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-5 + 0.10.3-4
|
||||||
|
- Disable manual printing of motd by default (#1591381)
|
||||||
|
|
||||||
|
* Wed Jun 27 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-4 + 0.10.3-4
|
||||||
|
- Better handling of kerberos tickets storage (#1566494)
|
||||||
|
- Add pam_motd to pam stack (#1591381)
|
||||||
|
|
||||||
|
* Mon Apr 16 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-3 + 0.10.3-4
|
||||||
|
- Fix tun devices and other issues fixed after release upstream (#1567775)
|
||||||
|
|
||||||
|
* Thu Apr 12 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-2 + 0.10.3-4
|
||||||
|
- Do not break quotes parsing in configuration file (#1566295)
|
||||||
|
|
||||||
|
* Wed Apr 04 2018 Jakub Jelen <jjelen@redhat.com> - 7.7p1-1 + 0.10.3-4
|
||||||
|
- New upstream release (#1563223)
|
||||||
|
- Add support for ECDSA keys in PKCS#11 (#1354510)
|
||||||
|
- Add support for PKCS#11 URIs
|
||||||
|
|
||||||
|
* Tue Mar 06 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-7 + 0.10.3-3
|
||||||
|
- Require crypto-policies version and new path
|
||||||
|
- Remove bogus NSS linking
|
||||||
|
|
||||||
|
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.6p1-6.1
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jan 26 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-6 + 0.10.3-3
|
||||||
|
- Rebuild for gcc bug on i386 (#1536555)
|
||||||
|
|
||||||
|
* Thu Jan 25 2018 Florian Weimer <fweimer@redhat.com> - 7.6p1-5.2
|
||||||
|
- Rebuild to work around gcc bug leading to sshd miscompilation (#1538648)
|
||||||
|
|
||||||
|
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 7.6p1-5.1.1
|
||||||
|
- Rebuilt for switch to libxcrypt
|
||||||
|
|
||||||
|
* Wed Jan 17 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-5 + 0.10.3-3
|
||||||
|
- Drop support for TCP wrappers (#1530163)
|
||||||
|
- Do not pass hostnames to audit -- UseDNS is usually disabled (#1534577)
|
||||||
|
|
||||||
|
* Thu Dec 14 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-4 + 0.10.3-3
|
||||||
|
- Whitelist gettid() syscall in seccomp filter (#1524392)
|
||||||
|
|
||||||
* Mon Dec 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-3 + 0.10.3-3
|
* Mon Dec 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-3 + 0.10.3-3
|
||||||
- Do not segfault during audit cleanup (#1524233)
|
- Do not segfault during audit cleanup (#1524233)
|
||||||
- Avoid gcc warnings about uninitialized variables
|
- Avoid gcc warnings about uninitialized variables
|
||||||
|
@ -780,7 +900,7 @@ getent passwd sshd >/dev/null || \
|
||||||
- Drop support for ExposeAuthenticationMethods option
|
- Drop support for ExposeAuthenticationMethods option
|
||||||
|
|
||||||
* Mon Sep 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-6 + 0.10.3-2
|
* Mon Sep 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.5p1-6 + 0.10.3-2
|
||||||
- Do not export KRBCCNAME if the default path is used (#1199363)
|
- Do not export KRB5CCNAME if the default path is used (#1199363)
|
||||||
- Add enablement for openssl-ibmca and openssl-ibmpkcs11 (#1477636)
|
- Add enablement for openssl-ibmca and openssl-ibmpkcs11 (#1477636)
|
||||||
- Add new GSSAPI kex algorithms with SHA-2, but leave them disabled for now
|
- Add new GSSAPI kex algorithms with SHA-2, but leave them disabled for now
|
||||||
- Enforce pam_sepermit for all logins in SSH (#1492313)
|
- Enforce pam_sepermit for all logins in SSH (#1492313)
|
||||||
|
|
|
@ -9,7 +9,6 @@ buffer.c
|
||||||
cleanup.c
|
cleanup.c
|
||||||
cipher.h
|
cipher.h
|
||||||
compat.h
|
compat.h
|
||||||
defines.h
|
|
||||||
entropy.c
|
entropy.c
|
||||||
entropy.h
|
entropy.h
|
||||||
fatal.c
|
fatal.c
|
||||||
|
|
|
@ -1,7 +1,15 @@
|
||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c 2017-02-07 14:41:20.483509205 +0100
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/get_command_line.c 2020-09-23 10:52:16.424001475 +0200
|
||||||
@@ -65,8 +65,8 @@ proc_pid_cmdline(char *** inargv)
|
@@ -27,6 +27,7 @@
|
||||||
|
* or implied, of Jamie Beverly.
|
||||||
|
*/
|
||||||
|
|
||||||
|
+#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <errno.h>
|
||||||
|
#include <string.h>
|
||||||
|
@@ -66,8 +67,8 @@ proc_pid_cmdline(char *** inargv)
|
||||||
case EOF:
|
case EOF:
|
||||||
case '\0':
|
case '\0':
|
||||||
if (len > 0) {
|
if (len > 0) {
|
||||||
|
@ -12,7 +20,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat
|
||||||
strncpy(argv[count++], argbuf, len);
|
strncpy(argv[count++], argbuf, len);
|
||||||
memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
|
memset(argbuf, '\0', MAX_LEN_PER_CMDLINE_ARG + 1);
|
||||||
len = 0;
|
len = 0;
|
||||||
@@ -105,9 +105,9 @@ pamsshagentauth_free_command_line(char *
|
@@ -106,9 +107,9 @@ pamsshagentauth_free_command_line(char *
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
for (i = 0; i < n_args; i++)
|
for (i = 0; i < n_args; i++)
|
||||||
|
@ -24,9 +32,43 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/get_command_line.c.psaa-compat
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-compat 2017-02-07 14:41:20.479509208 +0100
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 14:41:20.481509206 +0100
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/identity.h 2020-09-23 10:52:16.424001475 +0200
|
||||||
|
@@ -30,8 +30,8 @@
|
||||||
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "log.h"
|
||||||
|
-#include "buffer.h"
|
||||||
|
-#include "key.h"
|
||||||
|
+#include "sshbuf.h"
|
||||||
|
+#include "sshkey.h"
|
||||||
|
#include "authfd.h"
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
@@ -41,7 +41,7 @@ typedef struct idlist Idlist;
|
||||||
|
struct identity {
|
||||||
|
TAILQ_ENTRY(identity) next;
|
||||||
|
AuthenticationConnection *ac; /* set if agent supports key */
|
||||||
|
- Key *key; /* public/private key */
|
||||||
|
+ struct sshkey *key; /* public/private key */
|
||||||
|
char *filename; /* comment for agent-only keys */
|
||||||
|
int tried;
|
||||||
|
int isprivate; /* key points to the private key */
|
||||||
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c
|
||||||
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c.psaa-compat 2020-09-23 10:52:16.421001434 +0200
|
||||||
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/iterate_ssh_agent_keys.c 2020-09-23 10:52:16.424001475 +0200
|
||||||
|
@@ -36,8 +36,8 @@
|
||||||
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "log.h"
|
||||||
|
-#include "buffer.h"
|
||||||
|
-#include "key.h"
|
||||||
|
+#include "sshbuf.h"
|
||||||
|
+#include "sshkey.h"
|
||||||
|
#include "authfd.h"
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <openssl/evp.h>
|
||||||
@@ -58,6 +58,8 @@
|
@@ -58,6 +58,8 @@
|
||||||
#include "get_command_line.h"
|
#include "get_command_line.h"
|
||||||
extern char **environ;
|
extern char **environ;
|
||||||
|
@ -45,25 +87,48 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||||
for (i = 0; i < count; i++) {
|
for (i = 0; i < count; i++) {
|
||||||
strcat(buf, (i > 0) ? " '" : "'");
|
strcat(buf, (i > 0) ? " '" : "'");
|
||||||
strncat(buf, action[i], MAX_LEN_PER_CMDLINE_ARG);
|
strncat(buf, action[i], MAX_LEN_PER_CMDLINE_ARG);
|
||||||
@@ -90,12 +92,12 @@ void
|
@@ -87,21 +89,25 @@ log_action(char ** action, size_t count)
|
||||||
agent_action(Buffer *buf, char ** action, size_t count)
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
-agent_action(Buffer *buf, char ** action, size_t count)
|
||||||
|
+agent_action(struct sshbuf **buf, char ** action, size_t count)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
- pamsshagentauth_buffer_init(buf);
|
- pamsshagentauth_buffer_init(buf);
|
||||||
+ buffer_init(buf);
|
+ int r;
|
||||||
|
|
||||||
- pamsshagentauth_buffer_put_int(buf, count);
|
- pamsshagentauth_buffer_put_int(buf, count);
|
||||||
+ buffer_put_int(buf, count);
|
+ if ((*buf = sshbuf_new()) == NULL)
|
||||||
|
+ fatal("%s: sshbuf_new failed", __func__);
|
||||||
|
+ if ((r = sshbuf_put_u32(*buf, count)) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
for (i = 0; i < count; i++) {
|
for (i = 0; i < count; i++) {
|
||||||
- pamsshagentauth_buffer_put_cstring(buf, action[i]);
|
- pamsshagentauth_buffer_put_cstring(buf, action[i]);
|
||||||
+ buffer_put_cstring(buf, action[i]);
|
+ if ((r = sshbuf_put_cstring(*buf, action[i])) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -119,17 +121,17 @@ pamsshagentauth_session_id2_gen(Buffer *
|
|
||||||
|
-void
|
||||||
|
-pamsshagentauth_session_id2_gen(Buffer * session_id2, const char * user,
|
||||||
|
+static void
|
||||||
|
+pamsshagentauth_session_id2_gen(struct sshbuf ** session_id2, const char * user,
|
||||||
|
const char * ruser, const char * servicename)
|
||||||
|
{
|
||||||
|
u_char *cookie = NULL;
|
||||||
|
@@ -114,22 +120,23 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
|
char ** reported_argv = NULL;
|
||||||
|
size_t count = 0;
|
||||||
|
char * action_logbuf = NULL;
|
||||||
|
- Buffer action_agentbuf;
|
||||||
|
+ struct sshbuf *action_agentbuf = NULL;
|
||||||
|
uint8_t free_logbuf = 0;
|
||||||
char * retc;
|
char * retc;
|
||||||
int32_t reti;
|
int32_t reti;
|
||||||
|
+ int r;
|
||||||
|
|
||||||
- rnd = pamsshagentauth_arc4random();
|
- rnd = pamsshagentauth_arc4random();
|
||||||
+ rnd = arc4random();
|
+ rnd = arc4random();
|
||||||
|
@ -73,7 +138,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||||
}
|
}
|
||||||
|
|
||||||
- cookie = pamsshagentauth_xcalloc(1,cookie_len);
|
- cookie = pamsshagentauth_xcalloc(1,cookie_len);
|
||||||
+ cookie = xcalloc(1,cookie_len);
|
+ cookie = xcalloc(1, cookie_len);
|
||||||
|
|
||||||
for (i = 0; i < cookie_len; i++) {
|
for (i = 0; i < cookie_len; i++) {
|
||||||
if (i % 4 == 0) {
|
if (i % 4 == 0) {
|
||||||
|
@ -82,21 +147,23 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||||
}
|
}
|
||||||
cookie[i] = (u_char) rnd;
|
cookie[i] = (u_char) rnd;
|
||||||
rnd >>= 8;
|
rnd >>= 8;
|
||||||
@@ -144,7 +146,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
@@ -144,7 +151,8 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
action_logbuf = "unknown on this platform";
|
action_logbuf = "unknown on this platform";
|
||||||
- pamsshagentauth_buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
- pamsshagentauth_buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
||||||
+ buffer_init(&action_agentbuf); /* stays empty, means unavailable */
|
+ if ((action_agentbuf = sshbuf_new()) == NULL) /* stays empty, means unavailable */
|
||||||
|
+ fatal("%s: sshbuf_new failed", __func__);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -161,35 +163,35 @@ pamsshagentauth_session_id2_gen(Buffer *
|
@@ -161,35 +169,39 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||||
retc = getcwd(pwd, sizeof(pwd) - 1);
|
retc = getcwd(pwd, sizeof(pwd) - 1);
|
||||||
time(&ts);
|
time(&ts);
|
||||||
|
|
||||||
- pamsshagentauth_buffer_init(session_id2);
|
- pamsshagentauth_buffer_init(session_id2);
|
||||||
+ buffer_init(session_id2);
|
+ if ((*session_id2 = sshbuf_new()) == NULL)
|
||||||
|
+ fatal("%s: sshbuf_new failed", __func__);
|
||||||
|
|
||||||
- pamsshagentauth_buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
- pamsshagentauth_buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
||||||
- /* pamsshagentauth_debug3("cookie: %s", pamsshagentauth_tohex(cookie, cookie_len)); */
|
- /* pamsshagentauth_debug3("cookie: %s", pamsshagentauth_tohex(cookie, cookie_len)); */
|
||||||
|
@ -108,48 +175,77 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||||
- /* pamsshagentauth_debug3("servicename: %s", servicename); */
|
- /* pamsshagentauth_debug3("servicename: %s", servicename); */
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, servicename);
|
- pamsshagentauth_buffer_put_cstring(session_id2, servicename);
|
||||||
- /* pamsshagentauth_debug3("pwd: %s", pwd); */
|
- /* pamsshagentauth_debug3("pwd: %s", pwd); */
|
||||||
+ buffer_put_int(session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1);
|
- if(retc)
|
||||||
+ /* debug3("cookie: %s", tohex(cookie, cookie_len)); */
|
|
||||||
+ buffer_put_string(session_id2, cookie, cookie_len);
|
|
||||||
+ /* debug3("user: %s", user); */
|
|
||||||
+ buffer_put_cstring(session_id2, user);
|
|
||||||
+ /* debug3("ruser: %s", ruser); */
|
|
||||||
+ buffer_put_cstring(session_id2, ruser);
|
|
||||||
+ /* debug3("servicename: %s", servicename); */
|
|
||||||
+ buffer_put_cstring(session_id2, servicename);
|
|
||||||
+ /* debug3("pwd: %s", pwd); */
|
|
||||||
if(retc)
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, pwd);
|
- pamsshagentauth_buffer_put_cstring(session_id2, pwd);
|
||||||
+ buffer_put_cstring(session_id2, pwd);
|
- else
|
||||||
else
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
||||||
- /* pamsshagentauth_debug3("action: %s", action_logbuf); */
|
- /* pamsshagentauth_debug3("action: %s", action_logbuf); */
|
||||||
- pamsshagentauth_buffer_put_string(session_id2, action_agentbuf.buf + action_agentbuf.offset, action_agentbuf.end - action_agentbuf.offset);
|
- pamsshagentauth_buffer_put_string(session_id2, action_agentbuf.buf + action_agentbuf.offset, action_agentbuf.end - action_agentbuf.offset);
|
||||||
+ buffer_put_cstring(session_id2, "");
|
+ if ((r = sshbuf_put_u32(*session_id2, PAM_SSH_AGENT_AUTH_REQUESTv1)) != 0 ||
|
||||||
+ /* debug3("action: %s", action_logbuf); */
|
+ (r = sshbuf_put_string(*session_id2, cookie, cookie_len)) != 0 ||
|
||||||
+ buffer_put_string(session_id2, sshbuf_ptr(&action_agentbuf), sshbuf_len(&action_agentbuf));
|
+ (r = sshbuf_put_cstring(*session_id2, user)) != 0 ||
|
||||||
|
+ (r = sshbuf_put_cstring(*session_id2, ruser)) != 0 ||
|
||||||
|
+ (r = sshbuf_put_cstring(*session_id2, servicename)) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
+ if (retc) {
|
||||||
|
+ if ((r = sshbuf_put_cstring(*session_id2, pwd)) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
+ } else {
|
||||||
|
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
+ }
|
||||||
|
+ if ((r = sshbuf_put_stringb(*session_id2, action_agentbuf)) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
if (free_logbuf) {
|
if (free_logbuf) {
|
||||||
- pamsshagentauth_xfree(action_logbuf);
|
- pamsshagentauth_xfree(action_logbuf);
|
||||||
- pamsshagentauth_buffer_free(&action_agentbuf);
|
- pamsshagentauth_buffer_free(&action_agentbuf);
|
||||||
+ free(action_logbuf);
|
+ free(action_logbuf);
|
||||||
+ buffer_free(&action_agentbuf);
|
+ sshbuf_free(action_agentbuf);
|
||||||
|
+ }
|
||||||
|
+ /* debug3("hostname: %s", hostname); */
|
||||||
|
+ if (reti >= 0) {
|
||||||
|
+ if ((r = sshbuf_put_cstring(*session_id2, hostname)) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
+ } else {
|
||||||
|
+ if ((r = sshbuf_put_cstring(*session_id2, "")) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
}
|
}
|
||||||
- /* pamsshagentauth_debug3("hostname: %s", hostname); */
|
- /* pamsshagentauth_debug3("hostname: %s", hostname); */
|
||||||
+ /* debug3("hostname: %s", hostname); */
|
- if(reti >= 0)
|
||||||
if(reti >= 0)
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, hostname);
|
- pamsshagentauth_buffer_put_cstring(session_id2, hostname);
|
||||||
+ buffer_put_cstring(session_id2, hostname);
|
- else
|
||||||
else
|
|
||||||
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
- pamsshagentauth_buffer_put_cstring(session_id2, "");
|
||||||
- /* pamsshagentauth_debug3("ts: %ld", ts); */
|
- /* pamsshagentauth_debug3("ts: %ld", ts); */
|
||||||
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
|
- pamsshagentauth_buffer_put_int64(session_id2, (uint64_t) ts);
|
||||||
+ buffer_put_cstring(session_id2, "");
|
|
||||||
+ /* debug3("ts: %ld", ts); */
|
+ /* debug3("ts: %ld", ts); */
|
||||||
+ buffer_put_int64(session_id2, (uint64_t) ts);
|
+ if ((r = sshbuf_put_u64(*session_id2, (uint64_t) ts)) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
free(cookie);
|
free(cookie);
|
||||||
return;
|
return;
|
||||||
@@ -295,29 +297,29 @@ pamsshagentauth_find_authorized_keys(con
|
@@ -278,7 +290,8 @@ ssh_get_authentication_connection_for_ui
|
||||||
|
|
||||||
|
auth = xmalloc(sizeof(*auth));
|
||||||
|
auth->fd = sock;
|
||||||
|
- buffer_init(&auth->identities);
|
||||||
|
+ if ((auth->identities = sshbuf_new()) == NULL)
|
||||||
|
+ fatal("%s: sshbuf_new failed", __func__);
|
||||||
|
auth->howmany = 0;
|
||||||
|
|
||||||
|
return auth;
|
||||||
|
@@ -287,9 +300,9 @@ ssh_get_authentication_connection_for_ui
|
||||||
|
int
|
||||||
|
pamsshagentauth_find_authorized_keys(const char * user, const char * ruser, const char * servicename)
|
||||||
|
{
|
||||||
|
- Buffer session_id2 = { 0 };
|
||||||
|
+ struct sshbuf *session_id2 = NULL;
|
||||||
|
Identity *id;
|
||||||
|
- Key *key;
|
||||||
|
+ struct sshkey *key;
|
||||||
|
AuthenticationConnection *ac;
|
||||||
|
char *comment;
|
||||||
|
uint8_t retval = 0;
|
||||||
|
@@ -299,31 +312,30 @@ pamsshagentauth_find_authorized_keys(con
|
||||||
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
||||||
|
|
||||||
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
||||||
|
@ -163,7 +259,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||||
id->key = key;
|
id->key = key;
|
||||||
id->filename = comment;
|
id->filename = comment;
|
||||||
id->ac = ac;
|
id->ac = ac;
|
||||||
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
- if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
||||||
|
+ if(userauth_pubkey_from_id(ruser, id, session_id2)) {
|
||||||
retval = 1;
|
retval = 1;
|
||||||
}
|
}
|
||||||
- pamsshagentauth_xfree(id->filename);
|
- pamsshagentauth_xfree(id->filename);
|
||||||
|
@ -177,19 +274,21 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-c
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
- pamsshagentauth_buffer_free(&session_id2);
|
- pamsshagentauth_buffer_free(&session_id2);
|
||||||
+ buffer_free(&session_id2);
|
+ sshbuf_free(session_id2);
|
||||||
ssh_close_authentication_connection(ac);
|
ssh_close_authentication_connection(ac);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
- pamsshagentauth_verbose("No ssh-agent could be contacted");
|
- pamsshagentauth_verbose("No ssh-agent could be contacted");
|
||||||
+ verbose("No ssh-agent could be contacted");
|
+ verbose("No ssh-agent could be contacted");
|
||||||
}
|
}
|
||||||
/* pamsshagentauth_xfree(session_id2); */
|
- /* pamsshagentauth_xfree(session_id2); */
|
||||||
EVP_cleanup();
|
EVP_cleanup();
|
||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c
|
return retval;
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compat 2017-02-07 14:41:20.480509207 +0100
|
}
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c 2017-02-07 14:44:20.549369019 +0100
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c
|
||||||
@@ -104,7 +104,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c.psaa-compat 2020-09-23 10:52:16.423001461 +0200
|
||||||
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_ssh_agent_auth.c 2020-09-23 10:53:10.631727657 +0200
|
||||||
|
@@ -106,7 +106,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
* a patch 8-)
|
* a patch 8-)
|
||||||
*/
|
*/
|
||||||
#if ! HAVE___PROGNAME || HAVE_BUNDLE
|
#if ! HAVE___PROGNAME || HAVE_BUNDLE
|
||||||
|
@ -198,7 +297,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compa
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
|
for(i = argc, argv_ptr = (char **) argv; i > 0; ++argv_ptr, i--) {
|
||||||
@@ -130,11 +130,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
@@ -132,11 +132,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -212,7 +311,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compa
|
||||||
|
|
||||||
if(ruser_ptr) {
|
if(ruser_ptr) {
|
||||||
strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
|
strncpy(ruser, ruser_ptr, sizeof(ruser) - 1);
|
||||||
@@ -149,12 +149,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
@@ -151,12 +151,12 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
#ifdef ENABLE_SUDO_HACK
|
#ifdef ENABLE_SUDO_HACK
|
||||||
if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
|
if( (strlen(sudo_service_name) > 0) && strncasecmp(servicename, sudo_service_name, sizeof(sudo_service_name) - 1) == 0 && getenv("SUDO_USER") ) {
|
||||||
strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
|
strncpy(ruser, getenv("SUDO_USER"), sizeof(ruser) - 1 );
|
||||||
|
@ -227,7 +326,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compa
|
||||||
goto cleanexit;
|
goto cleanexit;
|
||||||
}
|
}
|
||||||
strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
|
strncpy(ruser, getpwuid(getuid())->pw_name, sizeof(ruser) - 1);
|
||||||
@@ -163,11 +163,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
@@ -165,11 +165,11 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
|
|
||||||
/* Might as well explicitely confirm the user exists here */
|
/* Might as well explicitely confirm the user exists here */
|
||||||
if(! getpwnam(ruser) ) {
|
if(! getpwnam(ruser) ) {
|
||||||
|
@ -241,7 +340,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compa
|
||||||
goto cleanexit;
|
goto cleanexit;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -177,8 +177,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
@@ -179,8 +179,8 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
*/
|
*/
|
||||||
parse_authorized_key_file(user, authorized_keys_file_input);
|
parse_authorized_key_file(user, authorized_keys_file_input);
|
||||||
} else {
|
} else {
|
||||||
|
@ -252,7 +351,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compa
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -187,19 +187,19 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
@@ -189,7 +189,7 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
*/
|
*/
|
||||||
|
|
||||||
if(user && strlen(ruser) > 0) {
|
if(user && strlen(ruser) > 0) {
|
||||||
|
@ -260,11 +359,26 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compa
|
||||||
+ verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
+ verbose("Attempting authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
* Attempt to read data from the sshd if we're being called as an auth agent.
|
||||||
|
@@ -197,10 +197,10 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
|
const char* ssh_user_auth = pam_getenv(pamh, "SSH_AUTH_INFO_0");
|
||||||
|
int sshd_service = strncasecmp(servicename, sshd_service_name, sizeof(sshd_service_name) - 1);
|
||||||
|
if (sshd_service == 0 && ssh_user_auth != NULL) {
|
||||||
|
- pamsshagentauth_verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
|
||||||
|
+ verbose("Got SSH_AUTH_INFO_0: `%.20s...'", ssh_user_auth);
|
||||||
|
if (userauth_pubkey_from_pam(ruser, ssh_user_auth) > 0) {
|
||||||
|
retval = PAM_SUCCESS;
|
||||||
|
- pamsshagentauth_logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
+ logit("Authenticated (sshd): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
goto cleanexit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -208,13 +208,13 @@ pam_sm_authenticate(pam_handle_t * pamh,
|
||||||
* this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
|
* this pw_uid is used to validate the SSH_AUTH_SOCK, and so must be the uid of the ruser invoking the program, not the target-user
|
||||||
*/
|
*/
|
||||||
if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
|
if(pamsshagentauth_find_authorized_keys(user, ruser, servicename)) { /* getpwnam(ruser)->pw_uid)) { */
|
||||||
- pamsshagentauth_logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
- pamsshagentauth_logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
+ logit("Authenticated: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
+ logit("Authenticated (agent): `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
retval = PAM_SUCCESS;
|
retval = PAM_SUCCESS;
|
||||||
} else {
|
} else {
|
||||||
- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
- pamsshagentauth_logit("Failed Authentication: `%s' as `%s' using %s", ruser, user, authorized_keys_file);
|
||||||
|
@ -276,10 +390,29 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_ssh_agent_auth.c.psaa-compa
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanexit:
|
cleanexit:
|
||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c 2017-02-07 14:41:20.484509204 +0100
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.c 2020-09-23 10:52:16.424001475 +0200
|
||||||
@@ -117,12 +117,12 @@ parse_authorized_key_file(const char *us
|
@@ -66,8 +66,8 @@
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "match.h"
|
||||||
|
#include "log.h"
|
||||||
|
-#include "buffer.h"
|
||||||
|
-#include "key.h"
|
||||||
|
+#include "sshbuf.h"
|
||||||
|
+#include "sshkey.h"
|
||||||
|
#include "misc.h"
|
||||||
|
|
||||||
|
#include "xmalloc.h"
|
||||||
|
@@ -77,7 +77,6 @@
|
||||||
|
#include "pathnames.h"
|
||||||
|
#include "secure_filename.h"
|
||||||
|
|
||||||
|
-#include "identity.h"
|
||||||
|
#include "pam_user_key_allowed2.h"
|
||||||
|
|
||||||
|
extern char *authorized_keys_file;
|
||||||
|
@@ -117,12 +116,12 @@ parse_authorized_key_file(const char *us
|
||||||
} else {
|
} else {
|
||||||
slash_ptr = strchr(auth_keys_file_buf, '/');
|
slash_ptr = strchr(auth_keys_file_buf, '/');
|
||||||
if(!slash_ptr)
|
if(!slash_ptr)
|
||||||
|
@ -294,7 +427,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa
|
||||||
|
|
||||||
strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
|
strncat(owner_uname, auth_keys_file_buf + 1, owner_uname_len);
|
||||||
if(!authorized_keys_file_allowed_owner_uid)
|
if(!authorized_keys_file_allowed_owner_uid)
|
||||||
@@ -130,11 +130,11 @@ parse_authorized_key_file(const char *us
|
@@ -130,11 +129,11 @@ parse_authorized_key_file(const char *us
|
||||||
getpwnam(owner_uname)->pw_uid;
|
getpwnam(owner_uname)->pw_uid;
|
||||||
}
|
}
|
||||||
authorized_keys_file =
|
authorized_keys_file =
|
||||||
|
@ -308,7 +441,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa
|
||||||
percent_expand
|
percent_expand
|
||||||
later, we'd step
|
later, we'd step
|
||||||
on this, so free
|
on this, so free
|
||||||
@@ -150,7 +150,7 @@ parse_authorized_key_file(const char *us
|
@@ -150,13 +149,13 @@ parse_authorized_key_file(const char *us
|
||||||
strncat(hostname, fqdn, strcspn(fqdn, "."));
|
strncat(hostname, fqdn, strcspn(fqdn, "."));
|
||||||
#endif
|
#endif
|
||||||
authorized_keys_file =
|
authorized_keys_file =
|
||||||
|
@ -317,38 +450,78 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_authorized_keys.c.psaa
|
||||||
getpwnam(user)->pw_dir, "H", hostname,
|
getpwnam(user)->pw_dir, "H", hostname,
|
||||||
"f", fqdn, "u", user, NULL);
|
"f", fqdn, "u", user, NULL);
|
||||||
}
|
}
|
||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
int
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-02-07 14:41:20.484509204 +0100
|
-pam_user_key_allowed(const char *ruser, Key * key)
|
||||||
@@ -48,11 +48,13 @@
|
+pam_user_key_allowed(const char *ruser, struct sshkey * key)
|
||||||
#include "buffer.h"
|
{
|
||||||
|
return
|
||||||
|
pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
|
||||||
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h
|
||||||
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_authorized_keys.h 2020-09-23 10:52:16.424001475 +0200
|
||||||
|
@@ -32,7 +32,7 @@
|
||||||
|
#define _PAM_USER_KEY_ALLOWED_H
|
||||||
|
|
||||||
|
#include "identity.h"
|
||||||
|
-int pam_user_key_allowed(const char *, Key *);
|
||||||
|
+int pam_user_key_allowed(const char *, struct sshkey *);
|
||||||
|
void parse_authorized_key_file(const char *, const char *);
|
||||||
|
|
||||||
|
#endif
|
||||||
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c
|
||||||
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.c 2020-09-23 10:52:16.424001475 +0200
|
||||||
|
@@ -45,44 +45,46 @@
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "ssh.h"
|
||||||
|
#include "ssh2.h"
|
||||||
|
-#include "buffer.h"
|
||||||
|
+#include "sshbuf.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "compat.h"
|
#include "compat.h"
|
||||||
|
-#include "key.h"
|
||||||
+#include "digest.h"
|
+#include "digest.h"
|
||||||
#include "key.h"
|
+#include "sshkey.h"
|
||||||
#include "pathnames.h"
|
#include "pathnames.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
#include "secure_filename.h"
|
#include "secure_filename.h"
|
||||||
#include "uidswap.h"
|
#include "uidswap.h"
|
||||||
|
-
|
||||||
|
-#include "identity.h"
|
||||||
+#include <unistd.h>
|
+#include <unistd.h>
|
||||||
|
|
||||||
#include "identity.h"
|
/* return 1 if user allows given key */
|
||||||
|
/* Modified slightly from original found in auth2-pubkey.c */
|
||||||
@@ -68,7 +70,7 @@ pamsshagentauth_check_authkeys_file(FILE
|
static int
|
||||||
|
-pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
|
||||||
|
+pamsshagentauth_check_authkeys_file(FILE * f, char *file, struct sshkey * key)
|
||||||
|
{
|
||||||
|
- char line[SSH_MAX_PUBKEY_BYTES];
|
||||||
|
+ char *line = NULL;
|
||||||
|
int found_key = 0;
|
||||||
|
u_long linenum = 0;
|
||||||
|
- Key *found;
|
||||||
|
+ struct sshkey *found;
|
||||||
char *fp;
|
char *fp;
|
||||||
|
+ size_t linesize = 0;
|
||||||
|
|
||||||
found_key = 0;
|
found_key = 0;
|
||||||
- found = pamsshagentauth_key_new(key->type);
|
- found = pamsshagentauth_key_new(key->type);
|
||||||
+ found = key_new(key->type);
|
+ found = sshkey_new(key->type);
|
||||||
|
|
||||||
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
- while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
||||||
|
+ while ((getline(&line, &linesize, f)) != -1) {
|
||||||
char *cp = NULL; /* *key_options = NULL; */
|
char *cp = NULL; /* *key_options = NULL; */
|
||||||
@@ -78,11 +80,11 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
||||||
|
+ linenum++;
|
||||||
|
/* Skip leading whitespace, empty and comment lines. */
|
||||||
|
for(cp = line; *cp == ' ' || *cp == '\t'; cp++);
|
||||||
if(!*cp || *cp == '\n' || *cp == '#')
|
if(!*cp || *cp == '\n' || *cp == '#')
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
||||||
+ if(key_read(found, &cp) != 1) {
|
+ if (sshkey_read(found, &cp) != 0) {
|
||||||
/* no key? check if there are options for this key */
|
/* no key? check if there are options for this key */
|
||||||
int quoted = 0;
|
int quoted = 0;
|
||||||
|
|
||||||
|
@ -357,20 +530,20 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
/* key_options = cp; */
|
/* key_options = cp; */
|
||||||
for(; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
|
for(; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
|
||||||
if(*cp == '\\' && cp[1] == '"')
|
if(*cp == '\\' && cp[1] == '"')
|
||||||
@@ -92,26 +94,26 @@ pamsshagentauth_check_authkeys_file(FILE
|
@@ -92,26 +94,27 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||||
}
|
}
|
||||||
/* Skip remaining whitespace. */
|
/* Skip remaining whitespace. */
|
||||||
for(; *cp == ' ' || *cp == '\t'; cp++);
|
for(; *cp == ' ' || *cp == '\t'; cp++);
|
||||||
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
- if(pamsshagentauth_key_read(found, &cp) != 1) {
|
||||||
- pamsshagentauth_verbose("user_key_allowed: advance: '%s'", cp);
|
- pamsshagentauth_verbose("user_key_allowed: advance: '%s'", cp);
|
||||||
+ if(key_read(found, &cp) != 1) {
|
+ if(sshkey_read(found, &cp) != 0) {
|
||||||
+ verbose("user_key_allowed: advance: '%s'", cp);
|
+ verbose("user_key_allowed: advance: '%s'", cp);
|
||||||
/* still no key? advance to next line */
|
/* still no key? advance to next line */
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
- if(pamsshagentauth_key_equal(found, key)) {
|
- if(pamsshagentauth_key_equal(found, key)) {
|
||||||
+ if(key_equal(found, key)) {
|
+ if(sshkey_equal(found, key)) {
|
||||||
found_key = 1;
|
found_key = 1;
|
||||||
- pamsshagentauth_logit("matching key found: file/command %s, line %lu", file,
|
- pamsshagentauth_logit("matching key found: file/command %s, line %lu", file,
|
||||||
+ logit("matching key found: file/command %s, line %lu", file,
|
+ logit("matching key found: file/command %s, line %lu", file,
|
||||||
|
@ -379,23 +552,34 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
- pamsshagentauth_logit("Found matching %s key: %s",
|
- pamsshagentauth_logit("Found matching %s key: %s",
|
||||||
- pamsshagentauth_key_type(found), fp);
|
- pamsshagentauth_key_type(found), fp);
|
||||||
- pamsshagentauth_xfree(fp);
|
- pamsshagentauth_xfree(fp);
|
||||||
+ fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
+ fp = sshkey_fingerprint(found, SSH_DIGEST_SHA256, SSH_FP_BASE64);
|
||||||
+ logit("Found matching %s key: %s",
|
+ logit("Found matching %s key: %s",
|
||||||
+ key_type(found), fp);
|
+ sshkey_type(found), fp);
|
||||||
+ free(fp);
|
+ free(fp);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
- pamsshagentauth_key_free(found);
|
- pamsshagentauth_key_free(found);
|
||||||
+ key_free(found);
|
+ free(line);
|
||||||
|
+ sshkey_free(found);
|
||||||
if(!found_key)
|
if(!found_key)
|
||||||
- pamsshagentauth_verbose("key not found");
|
- pamsshagentauth_verbose("key not found");
|
||||||
+ verbose("key not found");
|
+ verbose("key not found");
|
||||||
return found_key;
|
return found_key;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -128,11 +130,11 @@ pamsshagentauth_user_key_allowed2(struct
|
@@ -120,19 +123,19 @@ pamsshagentauth_check_authkeys_file(FILE
|
||||||
char buf[SSH_MAX_PUBKEY_BYTES];
|
* returns 1 if the key is allowed or 0 otherwise.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
-pamsshagentauth_user_key_allowed2(struct passwd *pw, Key * key, char *file)
|
||||||
|
+pamsshagentauth_user_key_allowed2(struct passwd *pw, struct sshkey * key, char *file)
|
||||||
|
{
|
||||||
|
FILE *f;
|
||||||
|
int found_key = 0;
|
||||||
|
struct stat st;
|
||||||
|
- char buf[SSH_MAX_PUBKEY_BYTES];
|
||||||
|
+ char buf[256];
|
||||||
|
|
||||||
/* Temporarily use the user's uid. */
|
/* Temporarily use the user's uid. */
|
||||||
- pamsshagentauth_verbose("trying public key file %s", file);
|
- pamsshagentauth_verbose("trying public key file %s", file);
|
||||||
|
@ -408,7 +592,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -144,7 +146,7 @@ pamsshagentauth_user_key_allowed2(struct
|
@@ -144,7 +147,7 @@ pamsshagentauth_user_key_allowed2(struct
|
||||||
|
|
||||||
if(pamsshagentauth_secure_filename(f, file, pw, buf, sizeof(buf)) != 0) {
|
if(pamsshagentauth_secure_filename(f, file, pw, buf, sizeof(buf)) != 0) {
|
||||||
fclose(f);
|
fclose(f);
|
||||||
|
@ -417,7 +601,16 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -187,44 +189,44 @@ pamsshagentauth_user_key_command_allowed
|
@@ -160,7 +163,7 @@ pamsshagentauth_user_key_allowed2(struct
|
||||||
|
int
|
||||||
|
pamsshagentauth_user_key_command_allowed2(char *authorized_keys_command,
|
||||||
|
char *authorized_keys_command_user,
|
||||||
|
- struct passwd *user_pw, Key * key)
|
||||||
|
+ struct passwd *user_pw, struct sshkey * key)
|
||||||
|
{
|
||||||
|
FILE *f;
|
||||||
|
int ok, found_key = 0;
|
||||||
|
@@ -187,44 +190,44 @@ pamsshagentauth_user_key_command_allowed
|
||||||
else {
|
else {
|
||||||
pw = getpwnam(authorized_keys_command_user);
|
pw = getpwnam(authorized_keys_command_user);
|
||||||
if(pw == NULL) {
|
if(pw == NULL) {
|
||||||
|
@ -470,7 +663,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
close(p[0]);
|
close(p[0]);
|
||||||
close(p[1]);
|
close(p[1]);
|
||||||
return 0;
|
return 0;
|
||||||
@@ -234,13 +236,13 @@ pamsshagentauth_user_key_command_allowed
|
@@ -234,13 +237,13 @@ pamsshagentauth_user_key_command_allowed
|
||||||
|
|
||||||
/* do this before the setresuid so thta they can be logged */
|
/* do this before the setresuid so thta they can be logged */
|
||||||
if((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
|
if((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
|
||||||
|
@ -486,7 +679,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
|
#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID)
|
||||||
@@ -248,7 +250,7 @@ pamsshagentauth_user_key_command_allowed
|
@@ -248,7 +251,7 @@ pamsshagentauth_user_key_command_allowed
|
||||||
#else
|
#else
|
||||||
if (setgid(pw->pw_gid) != 0 || setegid(pw->pw_gid) != 0) {
|
if (setgid(pw->pw_gid) != 0 || setegid(pw->pw_gid) != 0) {
|
||||||
#endif
|
#endif
|
||||||
|
@ -495,7 +688,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
@@ -258,7 +260,7 @@ pamsshagentauth_user_key_command_allowed
|
@@ -258,7 +261,7 @@ pamsshagentauth_user_key_command_allowed
|
||||||
#else
|
#else
|
||||||
if (setuid(pw->pw_uid) != 0 || seteuid(pw->pw_uid) != 0) {
|
if (setuid(pw->pw_uid) != 0 || seteuid(pw->pw_uid) != 0) {
|
||||||
#endif
|
#endif
|
||||||
|
@ -504,7 +697,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
@@ -270,18 +272,18 @@ pamsshagentauth_user_key_command_allowed
|
@@ -270,18 +273,18 @@ pamsshagentauth_user_key_command_allowed
|
||||||
|
|
||||||
/* pretty sure this will barf because we are now suid, but since we
|
/* pretty sure this will barf because we are now suid, but since we
|
||||||
should't reach this anyway, I'll leave it here */
|
should't reach this anyway, I'll leave it here */
|
||||||
|
@ -526,7 +719,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
close(p[0]);
|
close(p[0]);
|
||||||
/* Don't leave zombie child */
|
/* Don't leave zombie child */
|
||||||
while(waitpid(pid, NULL, 0) == -1 && errno == EINTR);
|
while(waitpid(pid, NULL, 0) == -1 && errno == EINTR);
|
||||||
@@ -292,22 +294,22 @@ pamsshagentauth_user_key_command_allowed
|
@@ -292,22 +295,22 @@ pamsshagentauth_user_key_command_allowed
|
||||||
|
|
||||||
while(waitpid(pid, &status, 0) == -1) {
|
while(waitpid(pid, &status, 0) == -1) {
|
||||||
if(errno != EINTR) {
|
if(errno != EINTR) {
|
||||||
|
@ -553,9 +746,33 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-co
|
||||||
+ restore_uid();
|
+ restore_uid();
|
||||||
return found_key;
|
return found_key;
|
||||||
}
|
}
|
||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c 2017-02-07 14:41:20.481509206 +0100
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/pam_user_key_allowed2.h 2020-09-23 10:52:16.424001475 +0200
|
||||||
|
@@ -32,7 +32,7 @@
|
||||||
|
#define _PAM_USER_KEY_ALLOWED_H
|
||||||
|
|
||||||
|
#include "identity.h"
|
||||||
|
-int pamsshagentauth_user_key_allowed2(struct passwd *, Key *, char *);
|
||||||
|
-int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, Key *);
|
||||||
|
+int pamsshagentauth_user_key_allowed2(struct passwd *, struct sshkey *, char *);
|
||||||
|
+int pamsshagentauth_user_key_command_allowed2(char *, char *, struct passwd *, struct sshkey *);
|
||||||
|
|
||||||
|
#endif
|
||||||
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c
|
||||||
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/secure_filename.c 2020-09-23 10:52:16.424001475 +0200
|
||||||
|
@@ -53,8 +53,8 @@
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "match.h"
|
||||||
|
#include "log.h"
|
||||||
|
-#include "buffer.h"
|
||||||
|
-#include "key.h"
|
||||||
|
+#include "sshbuf.h"
|
||||||
|
+#include "sshkey.h"
|
||||||
|
#include "misc.h"
|
||||||
|
|
||||||
|
|
||||||
@@ -80,7 +80,7 @@ pamsshagentauth_auth_secure_path(const c
|
@@ -80,7 +80,7 @@ pamsshagentauth_auth_secure_path(const c
|
||||||
int comparehome = 0;
|
int comparehome = 0;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
|
@ -586,10 +803,24 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/secure_filename.c.psaa-compat o
|
||||||
buf);
|
buf);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-02-07 14:41:20.484509204 +0100
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.c 2020-09-23 10:52:16.424001475 +0200
|
||||||
@@ -48,6 +48,8 @@
|
@@ -37,10 +37,11 @@
|
||||||
|
#include "xmalloc.h"
|
||||||
|
#include "ssh.h"
|
||||||
|
#include "ssh2.h"
|
||||||
|
-#include "buffer.h"
|
||||||
|
+#include "sshbuf.h"
|
||||||
|
#include "log.h"
|
||||||
|
#include "compat.h"
|
||||||
|
-#include "key.h"
|
||||||
|
+#include "sshkey.h"
|
||||||
|
+#include "ssherr.h"
|
||||||
|
#include "pathnames.h"
|
||||||
|
#include "misc.h"
|
||||||
|
#include "secure_filename.h"
|
||||||
|
@@ -48,54 +49,59 @@
|
||||||
#include "identity.h"
|
#include "identity.h"
|
||||||
#include "pam_user_authorized_keys.h"
|
#include "pam_user_authorized_keys.h"
|
||||||
|
|
||||||
|
@ -598,7 +829,22 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
|
||||||
/* extern u_char *session_id2;
|
/* extern u_char *session_id2;
|
||||||
extern uint8_t session_id_len;
|
extern uint8_t session_id_len;
|
||||||
*/
|
*/
|
||||||
@@ -65,37 +67,38 @@ userauth_pubkey_from_id(const char *ruse
|
|
||||||
|
int
|
||||||
|
-userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
||||||
|
+userauth_pubkey_from_id(const char *ruser, Identity * id, struct sshbuf * session_id2)
|
||||||
|
{
|
||||||
|
- Buffer b = { 0 };
|
||||||
|
+ struct sshbuf *b = NULL;
|
||||||
|
char *pkalg = NULL;
|
||||||
|
u_char *pkblob = NULL, *sig = NULL;
|
||||||
|
- u_int blen = 0, slen = 0;
|
||||||
|
- int authenticated = 0;
|
||||||
|
+ size_t blen = 0, slen = 0;
|
||||||
|
+ int r, authenticated = 0;
|
||||||
|
|
||||||
|
- pkalg = (char *) key_ssh_name(id->key);
|
||||||
|
+ pkalg = (char *) sshkey_ssh_name(id->key);
|
||||||
|
|
||||||
/* first test if this key is even allowed */
|
/* first test if this key is even allowed */
|
||||||
if(! pam_user_key_allowed(ruser, id->key))
|
if(! pam_user_key_allowed(ruser, id->key))
|
||||||
|
@ -607,12 +853,13 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
|
||||||
|
|
||||||
- if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
|
- if(pamsshagentauth_key_to_blob(id->key, &pkblob, &blen) == 0)
|
||||||
- goto user_auth_clean_exit;
|
- goto user_auth_clean_exit;
|
||||||
+ if(key_to_blob(id->key, &pkblob, &blen) == 0)
|
+ if(sshkey_to_blob(id->key, &pkblob, &blen) != 0)
|
||||||
+ goto user_auth_clean_exit_without_buffer;
|
+ goto user_auth_clean_exit_without_buffer;
|
||||||
|
|
||||||
/* construct packet to sign and test */
|
/* construct packet to sign and test */
|
||||||
- pamsshagentauth_buffer_init(&b);
|
- pamsshagentauth_buffer_init(&b);
|
||||||
+ buffer_init(&b);
|
+ if ((b = sshbuf_new()) == NULL)
|
||||||
|
+ fatal("%s: sshbuf_new failed", __func__);
|
||||||
|
|
||||||
- pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset);
|
- pamsshagentauth_buffer_put_string(&b, session_id2->buf + session_id2->offset, session_id2->end - session_id2->offset);
|
||||||
- pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
- pamsshagentauth_buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
||||||
|
@ -622,28 +869,29 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
|
||||||
- pamsshagentauth_buffer_put_char(&b, 1);
|
- pamsshagentauth_buffer_put_char(&b, 1);
|
||||||
- pamsshagentauth_buffer_put_cstring(&b, pkalg);
|
- pamsshagentauth_buffer_put_cstring(&b, pkalg);
|
||||||
- pamsshagentauth_buffer_put_string(&b, pkblob, blen);
|
- pamsshagentauth_buffer_put_string(&b, pkblob, blen);
|
||||||
+ buffer_put_string(&b, sshbuf_ptr(session_id2), sshbuf_len(session_id2));
|
+ if ((r = sshbuf_put_string(b, sshbuf_ptr(session_id2), sshbuf_len(session_id2))) != 0 ||
|
||||||
+ buffer_put_char(&b, SSH2_MSG_USERAUTH_TRUST_REQUEST);
|
+ (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_TRUST_REQUEST)) != 0 ||
|
||||||
+ buffer_put_cstring(&b, ruser);
|
+ (r = sshbuf_put_cstring(b, ruser)) != 0 ||
|
||||||
+ buffer_put_cstring(&b, "pam_ssh_agent_auth");
|
+ (r = sshbuf_put_cstring(b, "pam_ssh_agent_auth")) != 0 ||
|
||||||
+ buffer_put_cstring(&b, "publickey");
|
+ (r = sshbuf_put_cstring(b, "publickey")) != 0 ||
|
||||||
+ buffer_put_char(&b, 1);
|
+ (r = sshbuf_put_u8(b, 1)) != 0 ||
|
||||||
+ buffer_put_cstring(&b, pkalg);
|
+ (r = sshbuf_put_cstring(b, pkalg)) != 0 ||
|
||||||
+ buffer_put_string(&b, pkblob, blen);
|
+ (r = sshbuf_put_string(b, pkblob, blen)) != 0)
|
||||||
|
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) != 0)
|
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) != 0)
|
||||||
+ if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
|
+ if (ssh_agent_sign(id->ac, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b)) != 0)
|
||||||
goto user_auth_clean_exit;
|
goto user_auth_clean_exit;
|
||||||
|
|
||||||
/* test for correct signature */
|
/* test for correct signature */
|
||||||
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
|
- if(pamsshagentauth_key_verify(id->key, sig, slen, pamsshagentauth_buffer_ptr(&b), pamsshagentauth_buffer_len(&b)) == 1)
|
||||||
+ if(key_verify(id->key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
|
+ if (sshkey_verify(id->key, sig, slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0, NULL) == 0)
|
||||||
authenticated = 1;
|
authenticated = 1;
|
||||||
|
|
||||||
user_auth_clean_exit:
|
user_auth_clean_exit:
|
||||||
/* if(&b != NULL) */
|
/* if(&b != NULL) */
|
||||||
- pamsshagentauth_buffer_free(&b);
|
- pamsshagentauth_buffer_free(&b);
|
||||||
+ buffer_free(&b);
|
+ sshbuf_free(b);
|
||||||
+ user_auth_clean_exit_without_buffer:
|
+ user_auth_clean_exit_without_buffer:
|
||||||
if(sig != NULL)
|
if(sig != NULL)
|
||||||
- pamsshagentauth_xfree(sig);
|
- pamsshagentauth_xfree(sig);
|
||||||
|
@ -654,9 +902,22 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-
|
||||||
CRYPTO_cleanup_all_ex_data();
|
CRYPTO_cleanup_all_ex_data();
|
||||||
return authenticated;
|
return authenticated;
|
||||||
}
|
}
|
||||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h
|
||||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat 2016-11-13 04:24:32.000000000 +0100
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c 2017-02-07 14:41:20.484509204 +0100
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_id.h 2020-09-23 10:52:16.424001475 +0200
|
||||||
|
@@ -31,7 +31,7 @@
|
||||||
|
#ifndef _USERAUTH_PUBKEY_FROM_ID_H
|
||||||
|
#define _USERAUTH_PUBKEY_FROM_ID_H
|
||||||
|
|
||||||
|
-#include <identity.h>
|
||||||
|
-int userauth_pubkey_from_id(const char *, Identity *, Buffer *);
|
||||||
|
+#include "identity.h"
|
||||||
|
+int userauth_pubkey_from_id(const char *, Identity *, struct sshbuf *);
|
||||||
|
|
||||||
|
#endif
|
||||||
|
diff -up openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c
|
||||||
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c.psaa-compat 2019-07-08 18:36:13.000000000 +0200
|
||||||
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/uuencode.c 2020-09-23 10:52:16.424001475 +0200
|
||||||
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
|
@@ -56,7 +56,7 @@ pamsshagentauth_uudecode(const char *src
|
||||||
/* and remove trailing whitespace because __b64_pton needs this */
|
/* and remove trailing whitespace because __b64_pton needs this */
|
||||||
*p = '\0';
|
*p = '\0';
|
||||||
|
@ -682,3 +943,50 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/uuencode.c.psaa-compat openssh-
|
||||||
- pamsshagentauth_xfree(buf);
|
- pamsshagentauth_xfree(buf);
|
||||||
+ free(buf);
|
+ free(buf);
|
||||||
}
|
}
|
||||||
|
--- openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c.compat 2020-09-23 11:32:30.783695267 +0200
|
||||||
|
+++ openssh/pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4/userauth_pubkey_from_pam.c 2020-09-23 11:33:21.383389036 +0200
|
||||||
|
@@ -33,7 +33,8 @@
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#include "defines.h"
|
||||||
|
-#include "key.h"
|
||||||
|
+#include <includes.h>
|
||||||
|
+#include "sshkey.h"
|
||||||
|
#include "log.h"
|
||||||
|
|
||||||
|
#include "pam_user_authorized_keys.h"
|
||||||
|
@@ -42,28 +42,28 @@
|
||||||
|
int authenticated = 0;
|
||||||
|
const char method[] = "publickey ";
|
||||||
|
|
||||||
|
- char* ai = pamsshagentauth_xstrdup(ssh_auth_info);
|
||||||
|
+ char* ai = xstrdup(ssh_auth_info);
|
||||||
|
char* saveptr;
|
||||||
|
|
||||||
|
char* auth_line = strtok_r(ai, "\n", &saveptr);
|
||||||
|
while (auth_line != NULL) {
|
||||||
|
if (strncmp(auth_line, method, sizeof(method) - 1) == 0) {
|
||||||
|
char* key_str = auth_line + sizeof(method) - 1;
|
||||||
|
- Key* key = pamsshagentauth_key_new(KEY_UNSPEC);
|
||||||
|
+ struct sshkey* key = sshkey_new(KEY_UNSPEC);
|
||||||
|
if (key == NULL) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
- int r = pamsshagentauth_key_read(key, &key_str);
|
||||||
|
+ int r = sshkey_read(key, &key_str);
|
||||||
|
if (r == 1) {
|
||||||
|
if (pam_user_key_allowed(ruser, key)) {
|
||||||
|
authenticated = 1;
|
||||||
|
- pamsshagentauth_key_free(key);
|
||||||
|
+ sshkey_free(key);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- pamsshagentauth_verbose("Failed to create key for %s: %d", auth_line, r);
|
||||||
|
+ verbose("Failed to create key for %s: %d", auth_line, r);
|
||||||
|
}
|
||||||
|
- pamsshagentauth_key_free(key);
|
||||||
|
+ sshkey_free(key);
|
||||||
|
}
|
||||||
|
auth_line = strtok_r(NULL, "\n", &saveptr);
|
||||||
|
}
|
||||||
|
|
|
@ -3,7 +3,7 @@ diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c b/pam_ssh_agen
|
||||||
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
||||||
@@ -158,11 +158,12 @@ parse_authorized_key_file(const char *user,
|
@@ -158,11 +158,12 @@ parse_authorized_key_file(const char *user,
|
||||||
int
|
int
|
||||||
pam_user_key_allowed(const char *ruser, Key * key)
|
pam_user_key_allowed(const char *ruser, struct sshkey * key)
|
||||||
{
|
{
|
||||||
+ struct passwd *pw;
|
+ struct passwd *pw;
|
||||||
return
|
return
|
||||||
|
|
|
@ -7,7 +7,7 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh
|
||||||
|
|
||||||
+typedef struct {
|
+typedef struct {
|
||||||
+ int fd;
|
+ int fd;
|
||||||
+ Buffer identities;
|
+ struct sshbuf *identities;
|
||||||
+ int howmany;
|
+ int howmany;
|
||||||
+} AuthenticationConnection;
|
+} AuthenticationConnection;
|
||||||
+
|
+
|
||||||
|
@ -18,8 +18,8 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
|
||||||
@@ -39,6 +39,7 @@
|
@@ -39,6 +39,7 @@
|
||||||
#include "buffer.h"
|
#include "sshbuf.h"
|
||||||
#include "key.h"
|
#include "sshkey.h"
|
||||||
#include "authfd.h"
|
#include "authfd.h"
|
||||||
+#include "ssherr.h"
|
+#include "ssherr.h"
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
|
@ -27,9 +27,9 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
@@ -291,36 +292,43 @@ pamsshagentauth_find_authorized_keys(con
|
@@ -291,36 +292,43 @@ pamsshagentauth_find_authorized_keys(con
|
||||||
{
|
{
|
||||||
Buffer session_id2 = { 0 };
|
struct sshbuf *session_id2 = NULL;
|
||||||
Identity *id;
|
Identity *id;
|
||||||
- Key *key;
|
- struct sshkey *key;
|
||||||
AuthenticationConnection *ac;
|
AuthenticationConnection *ac;
|
||||||
- char *comment;
|
- char *comment;
|
||||||
uint8_t retval = 0;
|
uint8_t retval = 0;
|
||||||
|
@ -44,22 +44,23 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||||
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
||||||
verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
||||||
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
||||||
|
- {
|
||||||
|
- if(key != NULL) {
|
||||||
+ if ((r = ssh_fetch_identitylist(ac->fd, &idlist)) != 0) {
|
+ if ((r = ssh_fetch_identitylist(ac->fd, &idlist)) != 0) {
|
||||||
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
|
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
|
||||||
+ fprintf(stderr, "error fetching identities for "
|
+ fprintf(stderr, "error fetching identities for "
|
||||||
+ "protocol %d: %s\n", 2, ssh_err(r));
|
+ "protocol %d: %s\n", 2, ssh_err(r));
|
||||||
+ } else {
|
+ } else {
|
||||||
+ for (i = 0; i < idlist->nkeys; i++)
|
+ for (i = 0; i < idlist->nkeys; i++)
|
||||||
{
|
+ {
|
||||||
- if(key != NULL) {
|
+ if (idlist->keys[i] != NULL) {
|
||||||
+ if(idlist->keys[i] != NULL) {
|
|
||||||
id = xcalloc(1, sizeof(*id));
|
id = xcalloc(1, sizeof(*id));
|
||||||
- id->key = key;
|
- id->key = key;
|
||||||
- id->filename = comment;
|
- id->filename = comment;
|
||||||
+ id->key = idlist->keys[i];
|
+ id->key = idlist->keys[i];
|
||||||
+ id->filename = idlist->comments[i];
|
+ id->filename = idlist->comments[i];
|
||||||
id->ac = ac;
|
id->ac = ac;
|
||||||
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
if(userauth_pubkey_from_id(ruser, id, session_id2)) {
|
||||||
retval = 1;
|
retval = 1;
|
||||||
}
|
}
|
||||||
- free(id->filename);
|
- free(id->filename);
|
||||||
|
@ -67,90 +68,29 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||||
free(id);
|
free(id);
|
||||||
if(retval == 1)
|
if(retval == 1)
|
||||||
break;
|
break;
|
||||||
}
|
- }
|
||||||
}
|
- }
|
||||||
buffer_free(&session_id2);
|
+ }
|
||||||
|
+ }
|
||||||
|
- sshbuf_free(session_id2);
|
||||||
- ssh_close_authentication_connection(ac);
|
- ssh_close_authentication_connection(ac);
|
||||||
|
+ sshbuf_free(session_id2);
|
||||||
+ ssh_free_identitylist(idlist);
|
+ ssh_free_identitylist(idlist);
|
||||||
|
+ }
|
||||||
+ ssh_close_authentication_socket(ac->fd);
|
+ ssh_close_authentication_socket(ac->fd);
|
||||||
+ free(ac);
|
+ free(ac);
|
||||||
+ }
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
verbose("No ssh-agent could be contacted");
|
verbose("No ssh-agent could be contacted");
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c
|
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c.psaa-agent 2017-09-27 14:26:04.277820716 +0200
|
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/pam_user_key_allowed2.c 2017-09-27 14:26:34.426986497 +0200
|
|
||||||
@@ -70,7 +70,7 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
||||||
char *fp;
|
|
||||||
|
|
||||||
found_key = 0;
|
|
||||||
- found = key_new(key->type);
|
|
||||||
+ found = sshkey_new(key->type);
|
|
||||||
|
|
||||||
while(read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
|
|
||||||
char *cp = NULL; /* *key_options = NULL; */
|
|
||||||
@@ -80,7 +80,7 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
||||||
if(!*cp || *cp == '\n' || *cp == '#')
|
|
||||||
continue;
|
|
||||||
|
|
||||||
- if(key_read(found, &cp) != 1) {
|
|
||||||
+ if(sshkey_read(found, &cp) != 0) {
|
|
||||||
/* no key? check if there are options for this key */
|
|
||||||
int quoted = 0;
|
|
||||||
|
|
||||||
@@ -94,24 +94,24 @@ pamsshagentauth_check_authkeys_file(FILE
|
|
||||||
}
|
|
||||||
/* Skip remaining whitespace. */
|
|
||||||
for(; *cp == ' ' || *cp == '\t'; cp++);
|
|
||||||
- if(key_read(found, &cp) != 1) {
|
|
||||||
+ if(sshkey_read(found, &cp) != 0) {
|
|
||||||
verbose("user_key_allowed: advance: '%s'", cp);
|
|
||||||
/* still no key? advance to next line */
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- if(key_equal(found, key)) {
|
|
||||||
+ if(sshkey_equal(found, key)) {
|
|
||||||
found_key = 1;
|
|
||||||
logit("matching key found: file/command %s, line %lu", file,
|
|
||||||
linenum);
|
|
||||||
fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
|
||||||
logit("Found matching %s key: %s",
|
|
||||||
- key_type(found), fp);
|
|
||||||
+ sshkey_type(found), fp);
|
|
||||||
free(fp);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- key_free(found);
|
|
||||||
+ sshkey_free(found);
|
|
||||||
if(!found_key)
|
|
||||||
verbose("key not found");
|
|
||||||
return found_key;
|
|
||||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
||||||
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
||||||
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
|
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
|
||||||
@@ -57,10 +57,11 @@ extern uint8_t session_id_len;
|
|
||||||
int
|
|
||||||
userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
|
||||||
{
|
|
||||||
- Buffer b = { 0 };
|
|
||||||
+ Buffer b;
|
|
||||||
char *pkalg = NULL;
|
|
||||||
u_char *pkblob = NULL, *sig = NULL;
|
|
||||||
- u_int blen = 0, slen = 0;
|
|
||||||
+ u_int blen = 0;
|
|
||||||
+ size_t slen = 0;
|
|
||||||
int authenticated = 0;
|
|
||||||
|
|
||||||
pkalg = (char *) key_ssh_name(id->key);
|
|
||||||
@@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
|
@@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
|
||||||
buffer_put_cstring(&b, pkalg);
|
(r = sshbuf_put_string(b, pkblob, blen)) != 0)
|
||||||
buffer_put_string(&b, pkblob, blen);
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
|
- if (ssh_agent_sign(id->ac, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b)) != 0)
|
||||||
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
|
+ if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
|
||||||
goto user_auth_clean_exit;
|
goto user_auth_clean_exit;
|
||||||
|
|
||||||
/* test for correct signature */
|
/* test for correct signature */
|
||||||
|
|
|
@ -155,25 +155,27 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
|
||||||
LD=@LD@
|
LD=@LD@
|
||||||
CFLAGS=@CFLAGS@
|
CFLAGS=@CFLAGS@
|
||||||
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||||
+CPPFLAGS=-I.. -I$(srcdir) -I/usr/include/nss3 -I/usr/include/nspr4 @CPPFLAGS@ $(PATHS) @DEFS@
|
+CPPFLAGS=-I.. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||||
LIBS=@LIBS@
|
LIBS=@LIBS@
|
||||||
AR=@AR@
|
AR=@AR@
|
||||||
AWK=@AWK@
|
AWK=@AWK@
|
||||||
@@ -61,7 +61,7 @@ INSTALL=@INSTALL@
|
@@ -61,8 +61,8 @@ INSTALL=@INSTALL@
|
||||||
PERL=@PERL@
|
PERL=@PERL@
|
||||||
SED=@SED@
|
SED=@SED@
|
||||||
ENT=@ENT@
|
ENT=@ENT@
|
||||||
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||||
|
-LDFLAGS_SHARED = @LDFLAGS_SHARED@
|
||||||
+LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
|
+LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
|
||||||
LDFLAGS_SHARED = @LDFLAGS_SHARED@
|
+LDFLAGS_SHARED =-Wl,-z,defs @LDFLAGS_SHARED@
|
||||||
EXEEXT=@EXEEXT@
|
EXEEXT=@EXEEXT@
|
||||||
|
|
||||||
|
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
|
||||||
@@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
|
@@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
|
||||||
|
|
||||||
ED25519OBJS=ed25519-donna/ed25519.o
|
ED25519OBJS=ed25519-donna/ed25519.o
|
||||||
|
|
||||||
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o
|
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o
|
||||||
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o
|
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o secure_filename.o
|
||||||
|
|
||||||
|
|
||||||
MANPAGES_IN = pam_ssh_agent_auth.pod
|
MANPAGES_IN = pam_ssh_agent_auth.pod
|
||||||
|
@ -189,8 +191,8 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
|
||||||
|
|
||||||
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
||||||
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
|
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
|
||||||
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o ../ssh-sk-client.o
|
||||||
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam -lnss3
|
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) ../ssh-sk-client.o $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
|
||||||
|
|
||||||
$(MANPAGES): $(MANPAGES_IN)
|
$(MANPAGES): $(MANPAGES_IN)
|
||||||
pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
|
pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
|
||||||
|
|
6
sources
6
sources
|
@ -1,2 +1,4 @@
|
||||||
SHA512 (openssh-7.6p1.tar.gz) = de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72
|
SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
|
||||||
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
|
SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
|
||||||
|
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
|
||||||
|
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
||||||
|
|
1
sshd.pam
1
sshd.pam
|
@ -12,5 +12,6 @@ session required pam_loginuid.so
|
||||||
session required pam_selinux.so open env_params
|
session required pam_selinux.so open env_params
|
||||||
session required pam_namespace.so
|
session required pam_namespace.so
|
||||||
session optional pam_keyinit.so force revoke
|
session optional pam_keyinit.so force revoke
|
||||||
|
session optional pam_motd.so
|
||||||
session include password-auth
|
session include password-auth
|
||||||
session include postlogin
|
session include postlogin
|
||||||
|
|
|
@ -6,9 +6,8 @@ Wants=sshd-keygen.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=notify
|
Type=notify
|
||||||
EnvironmentFile=-/etc/crypto-policies/back-ends/openssh-server.config
|
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd
|
EnvironmentFile=-/etc/sysconfig/sshd
|
||||||
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
|
ExecStart=/usr/sbin/sshd -D $OPTIONS
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
KillMode=process
|
KillMode=process
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
|
|
@ -5,13 +5,3 @@
|
||||||
# example using systemctl enable sshd-keygen@dsa.service to allow creation
|
# example using systemctl enable sshd-keygen@dsa.service to allow creation
|
||||||
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
|
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
|
||||||
# creation.
|
# creation.
|
||||||
|
|
||||||
# Do not change this option unless you have hardware random
|
|
||||||
# generator and you REALLY know what you are doing
|
|
||||||
|
|
||||||
SSH_USE_STRONG_RNG=0
|
|
||||||
# SSH_USE_STRONG_RNG=1
|
|
||||||
|
|
||||||
# System-wide crypto policy:
|
|
||||||
# To opt-out, uncomment the following line
|
|
||||||
# CRYPTO_POLICY=
|
|
||||||
|
|
|
@ -5,7 +5,6 @@ Wants=sshd-keygen.target
|
||||||
After=sshd-keygen.target
|
After=sshd-keygen.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
EnvironmentFile=-/etc/crypto-policies/back-ends/openssh-server.config
|
|
||||||
EnvironmentFile=-/etc/sysconfig/sshd
|
EnvironmentFile=-/etc/sysconfig/sshd
|
||||||
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
|
ExecStart=-/usr/sbin/sshd -i $OPTIONS
|
||||||
StandardInput=socket
|
StandardInput=socket
|
||||||
|
|
|
@ -0,0 +1,64 @@
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
|
||||||
|
# Description: This is a basic sanity test for pam_ssh_agent_auth
|
||||||
|
# Author: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/openssh/Sanity/pam_ssh_agent_auth
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE pam_save_ssh_var.c
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
-include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Jakub Jelen <jjelen@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: This is basic sanity test for pam_ssh_agent_auth" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 5m" >> $(METADATA)
|
||||||
|
@echo "RunFor: openssh" >> $(METADATA)
|
||||||
|
@echo "Requires: openssh pam_ssh_agent_auth pam-devel expect" >> $(METADATA)
|
||||||
|
@echo "RhtsRequires: library(distribution/fips)" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2+" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
|
@ -0,0 +1,7 @@
|
||||||
|
PURPOSE of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
|
||||||
|
Description: This is basic sanity test for pam_ssh_agent_auth
|
||||||
|
Author: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
|
||||||
|
Created as a response to rhbz#1251777 and previous one rhbz#1225106.
|
||||||
|
The code of pam module is outdated and compiled with current openssh
|
||||||
|
version which went through quite enough refactoring.
|
|
@ -0,0 +1,73 @@
|
||||||
|
/*
|
||||||
|
This simple pam module saves the content of SSH_USER_AUTH variable to /tmp/SSH_USER_AUTH
|
||||||
|
file.
|
||||||
|
|
||||||
|
Setup:
|
||||||
|
- gcc -fPIC -DPIC -shared -rdynamic -o pam_save_ssh_var.o pam_save_ssh_var.c
|
||||||
|
- copy pam_save_ssh_var.o to /lib/security resp. /lib64/security
|
||||||
|
- add to /etc/pam.d/sshd
|
||||||
|
auth requisite pam_save_ssh_var.o
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Define which PAM interfaces we provide */
|
||||||
|
#define PAM_SM_ACCOUNT
|
||||||
|
#define PAM_SM_AUTH
|
||||||
|
#define PAM_SM_PASSWORD
|
||||||
|
#define PAM_SM_SESSION
|
||||||
|
|
||||||
|
/* Include PAM headers */
|
||||||
|
#include <security/pam_appl.h>
|
||||||
|
#include <security/pam_modules.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
int save_ssh_var(pam_handle_t *pamh, const char *phase) {
|
||||||
|
FILE *fp;
|
||||||
|
const char *var;
|
||||||
|
|
||||||
|
fp = fopen("/tmp/SSH_USER_AUTH","a");
|
||||||
|
fprintf(fp, "BEGIN (%s)\n", phase);
|
||||||
|
var = pam_getenv(pamh, "SSH_USER_AUTH");
|
||||||
|
if (var != NULL) {
|
||||||
|
fprintf(fp, "SSH_USER_AUTH: '%s'\n", var);
|
||||||
|
}
|
||||||
|
fprintf(fp, "END (%s)\n", phase);
|
||||||
|
fclose(fp);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* PAM entry point for session creation */
|
||||||
|
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||||
|
return(PAM_IGNORE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* PAM entry point for session cleanup */
|
||||||
|
int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||||
|
return(PAM_IGNORE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* PAM entry point for accounting */
|
||||||
|
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||||
|
return(PAM_IGNORE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* PAM entry point for authentication verification */
|
||||||
|
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||||
|
save_ssh_var(pamh, "auth");
|
||||||
|
return(PAM_IGNORE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
PAM entry point for setting user credentials (that is, to actually
|
||||||
|
establish the authenticated user's credentials to the service provider)
|
||||||
|
*/
|
||||||
|
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||||
|
return(PAM_IGNORE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* PAM entry point for authentication token (password) changes */
|
||||||
|
int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||||
|
return(PAM_IGNORE);
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,184 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
|
||||||
|
# Description: This is a basic sanity test for pam_ssh_agent_auth
|
||||||
|
# Author: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2015 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License as
|
||||||
|
# published by the Free Software Foundation, either version 2 of
|
||||||
|
# the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/bin/rhts-environment.sh || exit 1
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="openssh"
|
||||||
|
PAM_SUDO="/etc/pam.d/sudo"
|
||||||
|
PAM_SSHD="/etc/pam.d/sshd"
|
||||||
|
PAM_MODULE="pam_save_ssh_var"
|
||||||
|
SUDOERS_CFG="/etc/sudoers.d/01_pam_ssh_auth"
|
||||||
|
SSHD_CFG="/etc/ssh/sshd_config"
|
||||||
|
USER="testuser$RANDOM"
|
||||||
|
PASS="testpassxy4re.3298fhdsaf"
|
||||||
|
AUTH_KEYS="/etc/security/authorized_keys"
|
||||||
|
AK_COMMAND_BIN="/root/ak.sh"
|
||||||
|
AK_COMMAND_KEYS="/root/akeys"
|
||||||
|
declare -a KEYS=("rsa" "ecdsa")
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlAssertRpm pam_ssh_agent_auth
|
||||||
|
rlImport distribution/fips
|
||||||
|
rlServiceStart sshd
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "cp ${PAM_MODULE}.c $TmpDir/"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlFileBackup --clean $PAM_SUDO /etc/sudoers /etc/sudoers.d/ /etc/security/ $AUTH_KEYS
|
||||||
|
rlRun "sed -i '1 a\
|
||||||
|
auth sufficient pam_ssh_agent_auth.so file=$AUTH_KEYS' $PAM_SUDO"
|
||||||
|
rlRun "echo 'Defaults env_keep += \"SSH_AUTH_SOCK\"' > $SUDOERS_CFG"
|
||||||
|
rlRun "echo 'Defaults !requiretty' >> $SUDOERS_CFG"
|
||||||
|
grep '^%wheel' /etc/sudoers || \
|
||||||
|
rlRun "echo '%wheel ALL=(ALL) ALL' >> $SUDOERS_CFG"
|
||||||
|
rlRun "useradd $USER -G wheel"
|
||||||
|
rlRun "echo $PASS |passwd --stdin $USER"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
if ! fipsIsEnabled; then
|
||||||
|
KEYS+=("dsa")
|
||||||
|
fi
|
||||||
|
|
||||||
|
for KEY in "${KEYS[@]}"; do
|
||||||
|
rlPhaseStartTest "Test with key type $KEY"
|
||||||
|
rlRun "su $USER -c 'ssh-keygen -t $KEY -f ~/.ssh/my_id_$KEY -N \"\"'" 0
|
||||||
|
|
||||||
|
# Without authorized_keys, the authentication should fail
|
||||||
|
rlRun -s "su $USER -c 'eval \`ssh-agent\`; sudo id; ssh-agent -k'" 0
|
||||||
|
rlAssertNotGrep "uid=0(root) gid=0(root)" $rlRun_LOG
|
||||||
|
|
||||||
|
# Append the keys only to make sure we can match also the non-first line
|
||||||
|
rlRun "cat ~$USER/.ssh/my_id_${KEY}.pub >> $AUTH_KEYS"
|
||||||
|
rlRun -s "su $USER -c 'eval \`ssh-agent\`; ssh-add ~/.ssh/my_id_$KEY; sudo id; ssh-agent -k'"
|
||||||
|
rlAssertGrep "uid=0(root) gid=0(root)" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
done
|
||||||
|
|
||||||
|
if rlIsRHEL '<6.8' || ( rlIsRHEL '<7.3' && rlIsRHEL 7 ) ; then
|
||||||
|
: # not available
|
||||||
|
else
|
||||||
|
rlPhaseStartSetup "Setup for authorized_keys_command"
|
||||||
|
rlFileBackup --namespace ak_command $PAM_SUDO
|
||||||
|
rlRun "rm -f $AUTH_KEYS"
|
||||||
|
cat >$AK_COMMAND_BIN <<_EOF
|
||||||
|
#!/bin/bash
|
||||||
|
cat $AK_COMMAND_KEYS
|
||||||
|
_EOF
|
||||||
|
rlRun "chmod +x $AK_COMMAND_BIN"
|
||||||
|
rlRun "sed -i 's|.*pam_ssh_agent_auth.*|auth sufficient pam_ssh_agent_auth.so authorized_keys_command=$AK_COMMAND_BIN authorized_keys_command_user=root|' $PAM_SUDO"
|
||||||
|
rlRun "cat $PAM_SUDO"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
for KEY in "${KEYS[@]}"; do
|
||||||
|
rlPhaseStartTest "Test authorized_keys_command with key type $KEY (bz1299555, bz1317858)"
|
||||||
|
rlRun "cat ~$USER/.ssh/my_id_${KEY}.pub >$AK_COMMAND_KEYS"
|
||||||
|
rlRun -s "su $USER -c 'eval \`ssh-agent\`; ssh-add ~/.ssh/my_id_$KEY; sudo id; ssh-agent -k'"
|
||||||
|
rlAssertGrep "uid=0(root) gid=0(root)" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
done
|
||||||
|
|
||||||
|
rlPhaseStartCleanup "Cleanup for authorized_keys_command"
|
||||||
|
rlFileRestore --namespace ak_command
|
||||||
|
rlRun "rm -f $AK_COMMAND_BIN $AK_COMMAND_KEYS"
|
||||||
|
rlPhaseEnd
|
||||||
|
fi
|
||||||
|
|
||||||
|
if rlIsRHEL '>=7.3'; then # not in Fedora anymore
|
||||||
|
rlPhaseStartTest "bz1312304 - Exposing information about succesful auth"
|
||||||
|
rlRun "rlFileBackup --namespace exposing $PAM_SSHD"
|
||||||
|
rlRun "rlFileBackup --namespace exposing $SSHD_CFG"
|
||||||
|
rlRun "rlFileBackup --namespace exposing /root/.ssh/"
|
||||||
|
rlRun "rm -f ~/.ssh/id_rsa*"
|
||||||
|
rlRun "ssh-keygen -f ~/.ssh/id_rsa -N \"\"" 0
|
||||||
|
rlRun "ssh-keyscan localhost >~/.ssh/known_hosts" 0
|
||||||
|
USER_AK_FILE=~$USER/.ssh/authorized_keys
|
||||||
|
rlRun "cat ~/.ssh/id_rsa.pub >$USER_AK_FILE"
|
||||||
|
rlRun "chown $USER:$USER $USER_AK_FILE"
|
||||||
|
rlRun "chmod 0600 $USER_AK_FILE"
|
||||||
|
rlRun "gcc -fPIC -DPIC -shared -rdynamic -o $PAM_MODULE.o $PAM_MODULE.c"
|
||||||
|
rlRun "test -d /lib64/security && cp $PAM_MODULE.o /lib64/security/" 0,1
|
||||||
|
rlRun "test -d /lib/security && cp $PAM_MODULE.o /lib/security/" 0,1
|
||||||
|
rlRun "sed -i '1 i auth optional $PAM_MODULE.o' $PAM_SSHD"
|
||||||
|
|
||||||
|
# pam-and-env should expose information to both PAM and environmental variable;
|
||||||
|
# we will be testing only env variable here for the time being,
|
||||||
|
rlRun "echo 'ExposeAuthenticationMethods pam-and-env' >>$SSHD_CFG"
|
||||||
|
rlRun "sed -i '/^ChallengeResponseAuthentication/ d' $SSHD_CFG"
|
||||||
|
rlRun "service sshd restart"
|
||||||
|
rlWaitForSocket 22 -t 5
|
||||||
|
rlRun -s "ssh -i ~/.ssh/id_rsa $USER@localhost \"env|grep SSH_USER_AUTH\"" 0 \
|
||||||
|
"Environment variable SSH_USER_AUTH is set"
|
||||||
|
rlAssertGrep "^SSH_USER_AUTH=publickey:" $rlRun_LOG
|
||||||
|
rlRun "rm -f $rlRun_LOG"
|
||||||
|
|
||||||
|
# pam-only should expose information only to PAM and not to environment variable
|
||||||
|
rlRun "sed -i 's/pam-and-env/pam-only/' $SSHD_CFG"
|
||||||
|
rlRun "echo 'AuthenticationMethods publickey,keyboard-interactive:pam' >>$SSHD_CFG"
|
||||||
|
rlRun "service sshd restart"
|
||||||
|
rlWaitForSocket 22 -t 5
|
||||||
|
ssh_with_pass() {
|
||||||
|
ssh_args=("-i /root/.ssh/id_rsa")
|
||||||
|
ssh_args+=("$USER@localhost")
|
||||||
|
cat >ssh.exp <<_EOF
|
||||||
|
#!/usr/bin/expect -f
|
||||||
|
|
||||||
|
set timeout 5
|
||||||
|
spawn ssh ${ssh_args[*]} "echo CONNECTED; env|grep SSH_USER_AUTH"
|
||||||
|
expect {
|
||||||
|
-re {.*[Pp]assword.*} { send -- "$PASS\r"; exp_continue }
|
||||||
|
timeout { exit 1 }
|
||||||
|
eof { exit 0 }
|
||||||
|
}
|
||||||
|
_EOF
|
||||||
|
rlRun -s "expect -f ssh.exp"
|
||||||
|
}
|
||||||
|
#rlRun -s "ssh ${ssh_args[*]} \"echo CONNECTED; env|grep SSH_USER_AUTH\"" 1 \
|
||||||
|
#"Environment variable SSH_USER_AUTH is NOT set"
|
||||||
|
rlRun "ssh_with_pass"
|
||||||
|
rlRun "grep -q CONNECTED $rlRun_LOG" 0 "Connection was successful"
|
||||||
|
rlAssertGrep "^SSH_USER_AUTH: 'publickey:" /tmp/SSH_USER_AUTH
|
||||||
|
rlRun "cat /tmp/SSH_USER_AUTH"
|
||||||
|
rlRun "rm -f $rlRun_LOG /tmp/SSH_USER_AUTH"
|
||||||
|
for pm in /lib64/security/$PAM_MODULE.o /lib/security/$PAM_MODULE.o; do
|
||||||
|
rlRun "test -e $pm && rm -f $pm" 0,1
|
||||||
|
done
|
||||||
|
rlRun "rlFileRestore --namespace exposing"
|
||||||
|
rlPhaseEnd
|
||||||
|
fi
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlRun "userdel -fr $USER"
|
||||||
|
rlFileRestore
|
||||||
|
rlServiceRestore sshd
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
|
@ -42,7 +42,7 @@ clean:
|
||||||
rm -f *~ $(BUILT_FILES)
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
include /usr/share/rhts/lib/rhts-make.include
|
-include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
$(METADATA): Makefile
|
$(METADATA): Makefile
|
||||||
@echo "Owner: Stanislav Zidek <szidek@redhat.com>" > $(METADATA)
|
@echo "Owner: Stanislav Zidek <szidek@redhat.com>" > $(METADATA)
|
||||||
|
|
|
@ -39,11 +39,10 @@ SSH_OPTIONS="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
|
||||||
rlJournalStart
|
rlJournalStart
|
||||||
rlPhaseStartSetup
|
rlPhaseStartSetup
|
||||||
rlAssertRpm $PACKAGE
|
rlAssertRpm $PACKAGE
|
||||||
rlFileBackup /etc/ssh/sshd_config /var/log/secure
|
rlFileBackup /etc/ssh/sshd_config
|
||||||
rlRun "useradd -m $USER"
|
rlRun "useradd -m $USER"
|
||||||
rlRun "su - $USER -c \"mkdir .ssh; chmod 700 .ssh; cd .ssh; ssh-keygen -N '' -f id_rsa; cat id_rsa.pub >authorized_keys; chmod 600 authorized_keys\""
|
rlRun "su - $USER -c \"mkdir .ssh; chmod 700 .ssh; cd .ssh; ssh-keygen -N '' -f id_rsa; cat id_rsa.pub >authorized_keys; chmod 600 authorized_keys\""
|
||||||
rlRun "echo 'LogLevel DEBUG' >>/etc/ssh/sshd_config"
|
rlRun "echo 'LogLevel DEBUG' >>/etc/ssh/sshd_config"
|
||||||
rlRun "echo '' >/var/log/secure"
|
|
||||||
rlServiceStart sshd
|
rlServiceStart sshd
|
||||||
rlRun "IP=\$( ip a |grep 'scope global' |grep -w inet |cut -d'/' -f1 |awk '{ print \$2 }' |tail -1 )"
|
rlRun "IP=\$( ip a |grep 'scope global' |grep -w inet |cut -d'/' -f1 |awk '{ print \$2 }' |tail -1 )"
|
||||||
rlRun "echo 'IP=$IP'"
|
rlRun "echo 'IP=$IP'"
|
||||||
|
@ -67,7 +66,7 @@ forwarding_test() {
|
||||||
rlRun "echo SSH_PID is '$SSH_PID'"
|
rlRun "echo SSH_PID is '$SSH_PID'"
|
||||||
rlWaitForSocket $FORWARDED -t $TIMEOUT
|
rlWaitForSocket $FORWARDED -t $TIMEOUT
|
||||||
rlRun "[[ -n '$SSH_PID' ]] && ps -fp $SSH_PID"
|
rlRun "[[ -n '$SSH_PID' ]] && ps -fp $SSH_PID"
|
||||||
rlRun "echo '$MESSAGE'|nc localhost $FORWARDED"
|
rlRun "echo '$MESSAGE'|nc localhost $FORWARDED" 0,1
|
||||||
|
|
||||||
if [[ $EXP_RESULT == "success" ]]; then
|
if [[ $EXP_RESULT == "success" ]]; then
|
||||||
rlAssertGrep "$MESSAGE" listen.log
|
rlAssertGrep "$MESSAGE" listen.log
|
||||||
|
@ -83,10 +82,9 @@ forwarding_test() {
|
||||||
if ! rlGetPhaseState; then
|
if ! rlGetPhaseState; then
|
||||||
rlRun "cat listen.log"
|
rlRun "cat listen.log"
|
||||||
rlRun "cat tunnel.log"
|
rlRun "cat tunnel.log"
|
||||||
rlRun "cat /var/log/secure"
|
|
||||||
fi
|
fi
|
||||||
rlFileSubmit listen.log tunnel.log /var/log/secure
|
rlFileSubmit listen.log tunnel.log
|
||||||
rlRun "rm -f *.log; echo '' >/var/log/secure"
|
rlRun "rm -f *.log;"
|
||||||
}
|
}
|
||||||
|
|
||||||
rlPhaseStartTest "Local forwarding"
|
rlPhaseStartTest "Local forwarding"
|
||||||
|
@ -144,7 +142,7 @@ forwarding_test() {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rlPhaseStartCleanup
|
rlPhaseStartCleanup
|
||||||
rlRun "userdel -r $USER"
|
rlRun "userdel -rf $USER"
|
||||||
rlRun "popd"
|
rlRun "popd"
|
||||||
rlFileRestore
|
rlFileRestore
|
||||||
rlServiceRestore sshd
|
rlServiceRestore sshd
|
||||||
|
|
|
@ -15,6 +15,7 @@
|
||||||
- role: standard-test-beakerlib
|
- role: standard-test-beakerlib
|
||||||
tests:
|
tests:
|
||||||
- port-forwarding
|
- port-forwarding
|
||||||
|
- pam_ssh_agent_auth
|
||||||
required_packages:
|
required_packages:
|
||||||
- iproute # needs ip command
|
- iproute # needs ip command
|
||||||
- procps-ng # needs ps and pgrep commands
|
- procps-ng # needs ps and pgrep commands
|
||||||
|
@ -24,3 +25,7 @@
|
||||||
- net-tools # needs netstat command
|
- net-tools # needs netstat command
|
||||||
- libselinux-utils # needs selinuxenabled command
|
- libselinux-utils # needs selinuxenabled command
|
||||||
- nmap-ncat # needs nc command
|
- nmap-ncat # needs nc command
|
||||||
|
- pam_ssh_agent_auth
|
||||||
|
- gcc # needs to test pam_ssh_agent_auth
|
||||||
|
- pam-devel # needs to test pam_ssh_agent_auth
|
||||||
|
- expect # needs to test pam_ssh_agent_auth
|
||||||
|
|
Loading…
Reference in New Issue