Compare commits
14 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
6bf0a59f78 | ||
|
5c58cf5ef7 | ||
|
61d8caa61f | ||
|
f974d29a95 | ||
|
0df96f0075 | ||
|
ca968dc74d | ||
|
2fea4b636f | ||
|
a595f1f67e | ||
|
e3f2dd04fb | ||
|
1c90146a07 | ||
|
22f8c10386 | ||
|
cd72fea100 | ||
|
60defecb59 | ||
|
b041e6aa22 |
@ -1 +0,0 @@
|
||||
openssh-5.2p1-noacss.tar.bz2
|
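--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+openssh-5.3p1-noacss.tar.bz2
+pam_ssh_agent_auth-0.9.tar.bz2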
|
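--- a/Makefile
+++ b/Makefile
@@ -1,21 +0,0 @@
-# Makefile for source rpm: openssh
-# $Id: Makefile,v 1.1 2004/09/09 09:34:58 cvsdist Exp $
-NAME := openssh
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)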
|
@ -1,16 +0,0 @@
|
||||
Search the path for krb5-config if the prefix wasn't specified.
|
||||
--- openssh-3.8p1/configure.ac 2004-02-26 21:17:12.000000000 -0500
|
||||
+++ openssh-3.8p1/configure.ac 2004-02-26 21:17:06.000000000 -0500
|
||||
@@ -2077,8 +2077,10 @@
|
||||
KRB5_MSG="yes"
|
||||
|
||||
AC_MSG_CHECKING(for krb5-config)
|
||||
- if test -x $KRB5ROOT/bin/krb5-config ; then
|
||||
- KRB5CONF=$KRB5ROOT/bin/krb5-config
|
||||
+ AC_PATH_PROG([KRB5CONF],[krb5-config],
|
||||
+ [$KRB5ROOT/bin/krb5-config],
|
||||
+ [$KRB5ROOT/bin:$PATH])
|
||||
+ if test -x $KRB5CONF ; then
|
||||
AC_MSG_RESULT($KRB5CONF)
|
||||
|
||||
AC_MSG_CHECKING(for gssapi support)
|
@ -1,22 +1,20 @@
|
||||
Symptom: intermittent errors on GSSAPI authentication vs
|
||||
machines on DNS loadbalancer, stupid client message "Generic Error",
|
||||
server-side debug complains about unknown principal.
|
||||
|
||||
Comes from the fact that we resolve the generic DNS name once for
|
||||
the connection, then again for getting the GSSAPI/Kerberos service
|
||||
ticket. So the service ticket may be for a different host, if
|
||||
the DNS alias switches in between the two resolves.
|
||||
--- openssh-4.3p2/sshconnect2.c.gss-canohost 2006-11-28 21:58:03.000000000 +0100
|
||||
+++ openssh-4.3p2/sshconnect2.c 2006-11-30 11:33:14.000000000 +0100
|
||||
@@ -485,6 +485,7 @@
|
||||
diff -up openssh-5.3p1/sshconnect2.c.canohost openssh-5.3p1/sshconnect2.c
|
||||
--- openssh-5.3p1/sshconnect2.c.canohost 2009-03-05 14:58:22.000000000 +0100
|
||||
+++ openssh-5.3p1/sshconnect2.c 2009-11-02 11:55:00.000000000 +0100
|
||||
@@ -542,6 +542,12 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int ok = 0;
|
||||
+ const char* remotehost = get_canonical_hostname(1);
|
||||
+ char* remotehost = NULL;
|
||||
+ const char* canonicalhost = get_canonical_hostname(1);
|
||||
+ if ( strcmp( canonicalhost, "UNKNOWN" ) == 0 )
|
||||
+ remotehost = authctxt->host;
|
||||
+ else
|
||||
+ remotehost = canonicalhost;
|
||||
|
||||
/* Try one GSSAPI method at a time, rather than sending them all at
|
||||
* once. */
|
||||
@@ -497,7 +498,7 @@
|
||||
@@ -554,7 +560,7 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
/* My DER encoding requires length<128 */
|
||||
if (gss_supported->elements[mech].length < 128 &&
|
||||
ssh_gssapi_check_mechanism(&gssctxt,
|
||||
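Review bot: In the 5.3p1 version of the `userauth_gssapi` hunk, `remotehost` is declared `char*` but is assigned `canonicalhost`, which is `const char*`, so the qualifier is silently discarded; declaring it `const char *remotehost = NULL;` lets the compiler keep catching writes through it. The name returned by `get_canonical_hostname(1)` appears to come from a DNS lookup of the peer address, so the GSSAPI target principal would be chosen from unauthenticated DNS data. A sentence in the patch header stating that this relies on trustworthy DNS, and why the "UNKNOWN" fallback to `authctxt->host` exists, would help the next maintainer. The function body continues outside the hunk.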
|
@ -1,267 +0,0 @@
|
||||
diff -up openssh-5.2p1/auth.c.audit openssh-5.2p1/auth.c
|
||||
--- openssh-5.2p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
|
||||
+++ openssh-5.2p1/auth.c 2009-08-09 09:22:23.634850536 +0200
|
||||
@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
|
||||
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
|
||||
# endif
|
||||
#endif
|
||||
+#if HAVE_LINUX_AUDIT
|
||||
+ if (authenticated == 0 && !authctxt->postponed) {
|
||||
+ linux_audit_record_event(-1, authctxt->user, NULL,
|
||||
+ get_remote_ipaddr(), "sshd", 0);
|
||||
+ }
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
if (authenticated == 0 && !authctxt->postponed)
|
||||
audit_event(audit_classify_auth(method));
|
||||
@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
|
||||
record_failed_login(user,
|
||||
get_canonical_hostname(options.use_dns), "ssh");
|
||||
#endif
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
|
||||
+ "sshd", 0);
|
||||
+#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_event(SSH_INVALID_USER);
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-5.2p1/config.h.in.audit openssh-5.2p1/config.h.in
|
||||
--- openssh-5.2p1/config.h.in.audit 2009-02-23 01:18:12.000000000 +0100
|
||||
+++ openssh-5.2p1/config.h.in 2009-08-09 09:22:28.825939998 +0200
|
||||
@@ -1,5 +1,8 @@
|
||||
/* config.h.in. Generated from configure.ac by autoheader. */
|
||||
|
||||
+/* Define if building universal (internal helper macro) */
|
||||
+#undef AC_APPLE_UNIVERSAL_BUILD
|
||||
+
|
||||
/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
|
||||
*/
|
||||
#undef AIX_GETNAMEINFO_HACK
|
||||
@@ -521,6 +524,9 @@
|
||||
/* Define to 1 if you have the <lastlog.h> header file. */
|
||||
#undef HAVE_LASTLOG_H
|
||||
|
||||
+/* Define to 1 if you have the <libaudit.h> header file. */
|
||||
+#undef HAVE_LIBAUDIT_H
|
||||
+
|
||||
/* Define to 1 if you have the `bsm' library (-lbsm). */
|
||||
#undef HAVE_LIBBSM
|
||||
|
||||
@@ -560,6 +566,9 @@
|
||||
/* Define to 1 if you have the <limits.h> header file. */
|
||||
#undef HAVE_LIMITS_H
|
||||
|
||||
+/* Define if you want Linux audit support. */
|
||||
+#undef HAVE_LINUX_AUDIT
|
||||
+
|
||||
/* Define to 1 if you have the <linux/if_tun.h> header file. */
|
||||
#undef HAVE_LINUX_IF_TUN_H
|
||||
|
||||
@@ -756,6 +765,9 @@
|
||||
/* Define to 1 if you have the `setgroups' function. */
|
||||
#undef HAVE_SETGROUPS
|
||||
|
||||
+/* Define to 1 if you have the `setkeycreatecon' function. */
|
||||
+#undef HAVE_SETKEYCREATECON
|
||||
+
|
||||
/* Define to 1 if you have the `setlogin' function. */
|
||||
#undef HAVE_SETLOGIN
|
||||
|
||||
@@ -1330,6 +1342,10 @@
|
||||
/* Prepend the address family to IP tunnel traffic */
|
||||
#undef SSH_TUN_PREPEND_AF
|
||||
|
||||
+/* Define to your vendor patch level, if it has been modified from the
|
||||
+ upstream source release. */
|
||||
+#undef SSH_VENDOR_PATCHLEVEL
|
||||
+
|
||||
/* Define to 1 if you have the ANSI C header files. */
|
||||
#undef STDC_HEADERS
|
||||
|
||||
@@ -1397,9 +1413,17 @@
|
||||
/* Define if you want SELinux support. */
|
||||
#undef WITH_SELINUX
|
||||
|
||||
-/* Define to 1 if your processor stores words with the most significant byte
|
||||
- first (like Motorola and SPARC, unlike Intel and VAX). */
|
||||
-#undef WORDS_BIGENDIAN
|
||||
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
|
||||
+ significant byte first (like Motorola and SPARC, unlike Intel). */
|
||||
+#if defined AC_APPLE_UNIVERSAL_BUILD
|
||||
+# if defined __BIG_ENDIAN__
|
||||
+# define WORDS_BIGENDIAN 1
|
||||
+# endif
|
||||
+#else
|
||||
+# ifndef WORDS_BIGENDIAN
|
||||
+# undef WORDS_BIGENDIAN
|
||||
+# endif
|
||||
+#endif
|
||||
|
||||
/* Define if xauth is found in your path */
|
||||
#undef XAUTH_PATH
|
||||
diff -up openssh-5.2p1/configure.ac.audit openssh-5.2p1/configure.ac
|
||||
--- openssh-5.2p1/configure.ac.audit 2009-08-09 09:22:23.608877833 +0200
|
||||
+++ openssh-5.2p1/configure.ac 2009-08-09 09:22:23.646244409 +0200
|
||||
@@ -3342,6 +3342,18 @@ AC_ARG_WITH(selinux,
|
||||
fi ]
|
||||
)
|
||||
|
||||
+# Check whether user wants Linux audit support
|
||||
+LINUX_AUDIT_MSG="no"
|
||||
+AC_ARG_WITH(linux-audit,
|
||||
+ [ --with-linux-audit Enable Linux audit support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
|
||||
+ LINUX_AUDIT_MSG="yes"
|
||||
+ AC_CHECK_HEADERS(libaudit.h)
|
||||
+ SSHDLIBS="$SSHDLIBS -laudit"
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
AC_ARG_WITH(kerberos5,
|
||||
@@ -4170,6 +4182,7 @@ echo " PAM support
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
+echo " Linux audit support: $LINUX_AUDIT_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
diff -up openssh-5.2p1/loginrec.c.audit openssh-5.2p1/loginrec.c
|
||||
--- openssh-5.2p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
|
||||
+++ openssh-5.2p1/loginrec.c 2009-08-09 09:22:23.667199702 +0200
|
||||
@@ -176,6 +176,10 @@
|
||||
#include "auth.h"
|
||||
#include "buffer.h"
|
||||
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+# include <libaudit.h>
|
||||
+#endif
|
||||
+
|
||||
#ifdef HAVE_UTIL_H
|
||||
# include <util.h>
|
||||
#endif
|
||||
@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
|
||||
int utmpx_write_entry(struct logininfo *li);
|
||||
int wtmp_write_entry(struct logininfo *li);
|
||||
int wtmpx_write_entry(struct logininfo *li);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+int linux_audit_write_entry(struct logininfo *li);
|
||||
+#endif
|
||||
int lastlog_write_entry(struct logininfo *li);
|
||||
int syslogin_write_entry(struct logininfo *li);
|
||||
|
||||
@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
|
||||
|
||||
/* set the timestamp */
|
||||
login_set_current_time(li);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+ if (linux_audit_write_entry(li) == 0)
|
||||
+ fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||
+#endif
|
||||
#ifdef USE_LOGIN
|
||||
syslogin_write_entry(li);
|
||||
#endif
|
||||
@@ -1394,6 +1405,87 @@ wtmpx_get_entry(struct logininfo *li)
|
||||
}
|
||||
#endif /* USE_WTMPX */
|
||||
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+static void
|
||||
+_audit_hexscape(const char *what, char *where, unsigned int size)
|
||||
+{
|
||||
+ const char *ptr = what;
|
||||
+ const char *hex = "0123456789ABCDEF";
|
||||
+
|
||||
+ while (*ptr) {
|
||||
+ if (*ptr == '"' || *ptr < 0x21 || *ptr > 0x7E) {
|
||||
+ unsigned int i;
|
||||
+ ptr = what;
|
||||
+ for (i = 0; *ptr && i+2 < size; i += 2) {
|
||||
+ where[i] = hex[((unsigned)*ptr & 0xF0)>>4]; /* Upper nibble */
|
||||
+ where[i+1] = hex[(unsigned)*ptr & 0x0F]; /* Lower nibble */
|
||||
+ ptr++;
|
||||
+ }
|
||||
+ where[i] = '\0';
|
||||
+ return;
|
||||
+ }
|
||||
+ ptr++;
|
||||
+ }
|
||||
+ where[0] = '"';
|
||||
+ if ((unsigned)(ptr - what) < size - 3)
|
||||
+ {
|
||||
+ size = ptr - what + 3;
|
||||
+ }
|
||||
+ strncpy(where + 1, what, size - 3);
|
||||
+ where[size-2] = '"';
|
||||
+ where[size-1] = '\0';
|
||||
+}
|
||||
+
|
||||
+#define AUDIT_LOG_SIZE 128
|
||||
+#define AUDIT_ACCT_SIZE (AUDIT_LOG_SIZE - 8)
|
||||
+
|
||||
+int
|
||||
+linux_audit_record_event(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success)
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, rc;
|
||||
+
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
|
||||
+ errno == EAFNOSUPPORT)
|
||||
+ return 1; /* No audit support in kernel */
|
||||
+ else
|
||||
+ return 0; /* Must prevent login */
|
||||
+ }
|
||||
+ if (username == NULL)
|
||||
+ snprintf(buf, sizeof(buf), "uid=%d", uid);
|
||||
+ else {
|
||||
+ char encoded[AUDIT_ACCT_SIZE];
|
||||
+ _audit_hexscape(username, encoded, sizeof(encoded));
|
||||
+ snprintf(buf, sizeof(buf), "acct=%s", encoded);
|
||||
+ }
|
||||
+ rc = audit_log_user_message(audit_fd, AUDIT_USER_LOGIN,
|
||||
+ buf, hostname, ip, ttyn, success);
|
||||
+ close(audit_fd);
|
||||
+ if (rc >= 0)
|
||||
+ return 1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+linux_audit_write_entry(struct logininfo *li)
|
||||
+{
|
||||
+ switch(li->type) {
|
||||
+ case LTYPE_LOGIN:
|
||||
+ return (linux_audit_record_event(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1));
|
||||
+ case LTYPE_LOGOUT:
|
||||
+ return (1); /* We only care about logins */
|
||||
+ default:
|
||||
+ logit("%s: invalid type field", __func__);
|
||||
+ return (0);
|
||||
+ }
|
||||
+}
|
||||
+#endif /* HAVE_LINUX_AUDIT */
|
||||
+
|
||||
/**
|
||||
** Low-level libutil login() functions
|
||||
**/
|
||||
diff -up openssh-5.2p1/loginrec.h.audit openssh-5.2p1/loginrec.h
|
||||
--- openssh-5.2p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
|
||||
+++ openssh-5.2p1/loginrec.h 2009-08-09 09:22:23.641175349 +0200
|
||||
@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
|
||||
char *line_abbrevname(char *dst, const char *src, int dstsize);
|
||||
|
||||
void record_failed_login(const char *, const char *, const char *);
|
||||
+#ifdef HAVE_LINUX_AUDIT
|
||||
+int linux_audit_record_event(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success);
|
||||
+#endif /* HAVE_LINUX_AUDIT */
|
||||
|
||||
#endif /* _HAVE_LOGINREC_H_ */
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.1p1/channels.c.cloexec openssh-5.1p1/channels.c
|
||||
--- openssh-5.1p1/channels.c.cloexec 2008-12-11 22:24:49.000000000 +0100
|
||||
+++ openssh-5.1p1/channels.c 2008-12-11 22:29:52.000000000 +0100
|
||||
diff -up openssh-5.3p1/channels.c.cloexec openssh-5.3p1/channels.c
|
||||
--- openssh-5.3p1/channels.c.cloexec 2010-01-25 17:25:58.000000000 +0100
|
||||
+++ openssh-5.3p1/channels.c 2010-01-25 17:26:01.000000000 +0100
|
||||
@@ -60,6 +60,7 @@
|
||||
#include <termios.h>
|
||||
#include <unistd.h>
|
||||
@ -28,10 +28,10 @@ diff -up openssh-5.1p1/channels.c.cloexec openssh-5.1p1/channels.c
|
||||
c->rfd = rfd;
|
||||
c->wfd = wfd;
|
||||
c->sock = (rfd == wfd) ? rfd : -1;
|
||||
diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
|
||||
--- openssh-5.1p1/sshconnect2.c.cloexec 2008-12-11 22:24:49.000000000 +0100
|
||||
+++ openssh-5.1p1/sshconnect2.c 2008-12-11 22:24:49.000000000 +0100
|
||||
@@ -38,6 +38,7 @@
|
||||
diff -up openssh-5.3p1/sshconnect2.c.cloexec openssh-5.3p1/sshconnect2.c
|
||||
--- openssh-5.3p1/sshconnect2.c.cloexec 2010-01-25 17:25:58.000000000 +0100
|
||||
+++ openssh-5.3p1/sshconnect2.c 2010-01-25 17:26:01.000000000 +0100
|
||||
@@ -39,6 +39,7 @@
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
@ -39,7 +39,7 @@ diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
|
||||
#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
|
||||
#include <vis.h>
|
||||
#endif
|
||||
@@ -1267,6 +1268,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
|
||||
@@ -1512,6 +1513,7 @@ ssh_keysign(Key *key, u_char **sigp, u_i
|
||||
return -1;
|
||||
}
|
||||
if (pid == 0) {
|
||||
@ -47,9 +47,9 @@ diff -up openssh-5.1p1/sshconnect2.c.cloexec openssh-5.1p1/sshconnect2.c
|
||||
permanently_drop_suid(getuid());
|
||||
close(from[0]);
|
||||
if (dup2(from[1], STDOUT_FILENO) < 0)
|
||||
diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
|
||||
--- openssh-5.1p1/sshconnect.c.cloexec 2008-07-02 14:34:30.000000000 +0200
|
||||
+++ openssh-5.1p1/sshconnect.c 2008-12-11 22:24:49.000000000 +0100
|
||||
diff -up openssh-5.3p1/sshconnect.c.cloexec openssh-5.3p1/sshconnect.c
|
||||
--- openssh-5.3p1/sshconnect.c.cloexec 2009-06-21 10:53:53.000000000 +0200
|
||||
+++ openssh-5.3p1/sshconnect.c 2010-01-25 17:26:01.000000000 +0100
|
||||
@@ -38,6 +38,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@ -58,7 +58,7 @@ diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
@@ -194,8 +195,11 @@ ssh_create_socket(int privileged, struct
|
||||
@@ -191,8 +192,11 @@ ssh_create_socket(int privileged, struct
|
||||
return sock;
|
||||
}
|
||||
sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
|
||||
@ -71,3 +71,17 @@ diff -up openssh-5.1p1/sshconnect.c.cloexec openssh-5.1p1/sshconnect.c
|
||||
|
||||
/* Bind the socket to an alternative local IP address */
|
||||
if (options.bind_address == NULL)
|
||||
diff -up openssh-5.3p1/sshd.c.cloexec openssh-5.3p1/sshd.c
|
||||
--- openssh-5.3p1/sshd.c.cloexec 2010-01-25 17:25:55.000000000 +0100
|
||||
+++ openssh-5.3p1/sshd.c 2010-01-25 18:29:23.000000000 +0100
|
||||
@@ -1756,6 +1756,10 @@ main(int ac, char **av)
|
||||
sock_in, sock_out, newsock, startup_pipe, config_s[0]);
|
||||
}
|
||||
|
||||
+ /* set fd cloexec on io/sockets to avoid to forward them to childern */
|
||||
+ fcntl(sock_out, F_SETFD, FD_CLOEXEC);
|
||||
+ fcntl(sock_in, F_SETFD, FD_CLOEXEC);
|
||||
+
|
||||
/*
|
||||
* Disable the key regeneration alarm. We will not regenerate the
|
||||
* key since we are no longer in a position to give it to anyone. We
|
||||
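Review bot: The two `fcntl(..., F_SETFD, FD_CLOEXEC)` calls added to `main()` in sshd.c ignore their return values, so if either call fails the connection descriptors are still inherited by child processes and nothing records it. Checking the result and logging it, for example `if (fcntl(sock_out, F_SETFD, FD_CLOEXEC) == -1) error("fcntl(sock_out, FD_CLOEXEC): %s", strerror(errno));` and the same for `sock_in`, would make the failure visible. The added comment should read `children`. `main()` continues outside the hunk.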
|
@ -1,28 +0,0 @@
|
||||
Skip the initial empty-password check if permit_empty_passwd is disabled. This
|
||||
doesn't change the timing profiles of the host because the additional condition
|
||||
check which can short-circuit the call to pam_authenticate() has no dependency
|
||||
on the identity of the user who is being authenticated.
|
||||
diff -up openssh-5.1p1/auth1.c.skip-initial openssh-5.1p1/auth1.c
|
||||
--- openssh-5.1p1/auth1.c.skip-initial 2008-07-09 12:54:05.000000000 +0200
|
||||
+++ openssh-5.1p1/auth1.c 2008-07-23 18:26:01.000000000 +0200
|
||||
@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
|
||||
authctxt->valid ? "" : "invalid user ", authctxt->user);
|
||||
|
||||
/* If the user has no password, accept authentication immediately. */
|
||||
- if (options.password_authentication &&
|
||||
+ if (options.permit_empty_passwd && options.password_authentication &&
|
||||
#ifdef KRB5
|
||||
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
|
||||
#endif
|
||||
diff -up openssh-5.1p1/auth2-none.c.skip-initial openssh-5.1p1/auth2-none.c
|
||||
--- openssh-5.1p1/auth2-none.c.skip-initial 2008-07-02 14:56:09.000000000 +0200
|
||||
+++ openssh-5.1p1/auth2-none.c 2008-07-23 18:26:01.000000000 +0200
|
||||
@@ -65,7 +65,7 @@ userauth_none(Authctxt *authctxt)
|
||||
if (check_nt_auth(1, authctxt->pw) == 0)
|
||||
return (0);
|
||||
#endif
|
||||
- if (options.password_authentication)
|
||||
+ if (options.permit_empty_passwd && options.password_authentication)
|
||||
return (PRIVSEP(auth_password(authctxt, "")));
|
||||
return (0);
|
||||
}
|
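--- a/openssh-5.2p1-engine.patch
+++ b/openssh-5.2p1-engine.patch
@@ -0,0 +1,9 @@
+--- openssh-5.2p1/openbsd-compat/openssl-compat.c~ 2010-01-27 17:36:29.000000000 -0500
++++ openssh-5.2p1/openbsd-compat/openssl-compat.c 2010-01-28 10:52:53.000000000 -0500
+@@ -58,5 +58,6 @@
+/* Enable use of crypto hardware */
+ENGINE_load_builtin_engines();
+ENGINE_register_all_complete();
++ OPENSSL_config(NULL);
+}
+#endif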
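Review bot: The added `OPENSSL_config(NULL);` makes every binary that runs this initialisation read the system-wide OpenSSL configuration file, and the patch carries no description or comment saying so. A comment above the call such as `/* Load openssl.cnf so engines configured system-wide are honoured */` would document the intent. As far as I know, `OPENSSL_config()` in OpenSSL releases of this period returns nothing and terminates the process when the file fails to parse, so a broken openssl.cnf could keep sshd from starting; this is worth confirming and stating in the patch header. The enclosing function starts outside the hunk.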
|
@ -1,47 +0,0 @@
|
||||
diff -up openssh-5.2p1/ssh.c.pathmax openssh-5.2p1/ssh.c
|
||||
--- openssh-5.2p1/ssh.c.pathmax 2009-07-08 14:23:19.000000000 +0200
|
||||
+++ openssh-5.2p1/ssh.c 2009-07-08 14:26:26.000000000 +0200
|
||||
@@ -49,6 +49,7 @@
|
||||
#include <sys/resource.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/socket.h>
|
||||
+#include <sys/param.h>
|
||||
|
||||
#include <ctype.h>
|
||||
#include <errno.h>
|
||||
@@ -208,8 +209,8 @@ void muxserver_listen(void);
|
||||
int
|
||||
main(int ac, char **av)
|
||||
{
|
||||
- int i, opt, exit_status, use_syslog;
|
||||
- char *p, *cp, *line, buf[256];
|
||||
+ int i, r, opt, exit_status, use_syslog;
|
||||
+ char *p, *cp, *line, buf[MAXPATHLEN];
|
||||
struct stat st;
|
||||
struct passwd *pw;
|
||||
int dummy, timeout_ms;
|
||||
@@ -624,9 +625,10 @@ main(int ac, char **av)
|
||||
fatal("Can't open user config file %.100s: "
|
||||
"%.100s", config, strerror(errno));
|
||||
} else {
|
||||
- snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
|
||||
+ r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
|
||||
_PATH_SSH_USER_CONFFILE);
|
||||
- (void)read_config_file(buf, host, &options, 1);
|
||||
+ if (r > 0 && (size_t)r < sizeof(buf))
|
||||
+ (void)read_config_file(buf, host, &options, 1);
|
||||
|
||||
/* Read systemwide configuration file after use config. */
|
||||
(void)read_config_file(_PATH_HOST_CONFIG_FILE, host,
|
||||
@@ -787,9 +789,9 @@ main(int ac, char **av)
|
||||
* Now that we are back to our own permissions, create ~/.ssh
|
||||
* directory if it doesn't already exist.
|
||||
*/
|
||||
- snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir,
|
||||
+ r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
|
||||
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
|
||||
- if (stat(buf, &st) < 0)
|
||||
+ if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
|
||||
if (mkdir(buf, 0700) < 0)
|
||||
error("Could not create directory '%.200s'.", buf);
|
||||
|
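--- a/openssh-5.3p1-audit.patch
+++ b/openssh-5.3p1-audit.patch
@@ -0,0 +1,153 @@
+diff -up openssh-5.3p1/auth.c.audit openssh-5.3p1/auth.c
+--- openssh-5.3p1/auth.c.audit 2008-11-05 06:12:54.000000000 +0100
++++ openssh-5.3p1/auth.c 2009-12-21 08:50:12.000000000 +0100
+@@ -287,6 +287,12 @@ auth_log(Authctxt *authctxt, int authent
+get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+# endif
+#endif
++#if HAVE_LINUX_AUDIT
++ if (authenticated == 0 && !authctxt->postponed) {
++ linux_audit_record_event(-1, authctxt->user, NULL,
++ get_remote_ipaddr(), "sshd", 0);
++ }
++#endif
+#ifdef SSH_AUDIT_EVENTS
+if (authenticated == 0 && !authctxt->postponed)
+audit_event(audit_classify_auth(method));
+@@ -533,6 +539,10 @@ getpwnamallow(const char *user)
+record_failed_login(user,
+get_canonical_hostname(options.use_dns), "ssh");
+#endif
++#ifdef HAVE_LINUX_AUDIT
++ linux_audit_record_event(-1, user, NULL, get_remote_ipaddr(),
++ "sshd", 0);
++#endif
+#ifdef SSH_AUDIT_EVENTS
+audit_event(SSH_INVALID_USER);
+#endif /* SSH_AUDIT_EVENTS */
+diff -up openssh-5.3p1/configure.ac.audit openssh-5.3p1/configure.ac
+--- openssh-5.3p1/configure.ac.audit 2009-12-21 08:48:59.000000000 +0100
++++ openssh-5.3p1/configure.ac 2009-12-21 08:51:47.000000000 +0100
+@@ -3409,6 +3409,18 @@ AC_ARG_WITH(selinux,
+fi ]
+)
+
++# Check whether user wants Linux audit support
++LINUX_AUDIT_MSG="no"
++AC_ARG_WITH(linux-audit,
++ [ --with-linux-audit Enable Linux audit support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(HAVE_LINUX_AUDIT,1,[Define if you want Linux audit support.])
++ LINUX_AUDIT_MSG="yes"
++ AC_CHECK_HEADERS(libaudit.h)
++ SSHDLIBS="$SSHDLIBS -laudit"
++ fi ]
++)
++
+# Check whether user wants Kerberos 5 support
+KRB5_MSG="no"
+AC_ARG_WITH(kerberos5,
+@@ -4234,6 +4246,7 @@ echo " PAM support
+echo " OSF SIA support: $SIA_MSG"
+echo " KerberosV support: $KRB5_MSG"
+echo " SELinux support: $SELINUX_MSG"
++echo " Linux audit support: $LINUX_AUDIT_MSG"
+echo " Smartcard support: $SCARD_MSG"
+echo " S/KEY support: $SKEY_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
+diff -up openssh-5.3p1/loginrec.c.audit openssh-5.3p1/loginrec.c
+--- openssh-5.3p1/loginrec.c.audit 2009-02-12 03:12:22.000000000 +0100
++++ openssh-5.3p1/loginrec.c 2009-12-21 08:54:17.000000000 +0100
+@@ -176,6 +176,10 @@
+#include "auth.h"
+#include "buffer.h"
+
++#ifdef HAVE_LINUX_AUDIT
++# include <libaudit.h>
++#endif
++
+#ifdef HAVE_UTIL_H
+# include <util.h>
+#endif
+@@ -202,6 +206,9 @@ int utmp_write_entry(struct logininfo *l
+int utmpx_write_entry(struct logininfo *li);
+int wtmp_write_entry(struct logininfo *li);
+int wtmpx_write_entry(struct logininfo *li);
++#ifdef HAVE_LINUX_AUDIT
++int linux_audit_write_entry(struct logininfo *li);
++#endif
+int lastlog_write_entry(struct logininfo *li);
+int syslogin_write_entry(struct logininfo *li);
+
+@@ -440,6 +447,10 @@ login_write(struct logininfo *li)
+
+/* set the timestamp */
+login_set_current_time(li);
++#ifdef HAVE_LINUX_AUDIT
++ if (linux_audit_write_entry(li) == 0)
++ fatal("linux_audit_write_entry failed: %s", strerror(errno));
++#endif
+#ifdef USE_LOGIN
+syslogin_write_entry(li);
+#endif
+@@ -1394,6 +1405,47 @@ wtmpx_get_entry(struct logininfo *li)
+}
+#endif /* USE_WTMPX */
+
++#ifdef HAVE_LINUX_AUDIT
++int
++linux_audit_record_event(int uid, const char *username,
++ const char *hostname, const char *ip, const char *ttyn, int success)
++{
++ int audit_fd, rc;
++
++ audit_fd = audit_open();
++ if (audit_fd < 0) {
++ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++ errno == EAFNOSUPPORT)
++ return 1; /* No audit support in kernel */
++ else
++ return 0; /* Must prevent login */
++ }
++ rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
++ NULL, "login", username ? username : "(unknown)",
++ username == NULL ? uid : -1, hostname, ip, ttyn, success);
++ close(audit_fd);
++ if (rc >= 0)
++ return 1;
++ else
++ return 0;
++}
++
++int
++linux_audit_write_entry(struct logininfo *li)
++{
++ switch(li->type) {
++ case LTYPE_LOGIN:
++ return (linux_audit_record_event(li->uid, NULL, li->hostname,
++ NULL, li->line, 1));
++ case LTYPE_LOGOUT:
++ return (1); /* We only care about logins */
++ default:
++ logit("%s: invalid type field", __func__);
++ return (0);
++ }
++}
++#endif /* HAVE_LINUX_AUDIT */
++
+/**
+** Low-level libutil login() functions
+**/
+diff -up openssh-5.3p1/loginrec.h.audit openssh-5.3p1/loginrec.h
+--- openssh-5.3p1/loginrec.h.audit 2006-08-05 04:39:40.000000000 +0200
++++ openssh-5.3p1/loginrec.h 2009-12-21 08:48:59.000000000 +0100
+@@ -127,5 +127,9 @@ char *line_stripname(char *dst, const ch
+char *line_abbrevname(char *dst, const char *src, int dstsize);
+
+void record_failed_login(const char *, const char *, const char *);
++#ifdef HAVE_LINUX_AUDIT
++int linux_audit_record_event(int uid, const char *username,
++ const char *hostname, const char *ip, const char *ttyn, int success);
++#endif /* HAVE_LINUX_AUDIT */
+
+#endif /* _HAVE_LOGINREC_H_ */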
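Review bot: In `linux_audit_record_event()`, `close(audit_fd)` runs before `rc` is examined, and `login_write()` then reports the failure with `strerror(errno)`, so the fatal message can show an errno left by `close()` or, for the `default:` branch of `linux_audit_write_entry()`, a stale value unrelated to auditing. Saving it around the close (`int saved = errno; close(audit_fd); errno = saved;`) keeps the message accurate. Both new call sites in auth.c discard the return value, so a failed-authentication record that cannot be written is lost silently; a `logit()` there would at least leave a trace. The first auth.c guard uses `#if HAVE_LINUX_AUDIT` while every other guard uses `#ifdef`.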
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
|
||||
--- openssh-5.2p1/auth2-pubkey.c.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/auth2-pubkey.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/auth2-pubkey.c.fips openssh-5.3p1/auth2-pubkey.c
|
||||
--- openssh-5.3p1/auth2-pubkey.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/auth2-pubkey.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -33,6 +33,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
@ -9,7 +9,7 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
@@ -243,7 +244,7 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
@@ -240,7 +241,7 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
found_key = 1;
|
||||
debug("matching key found: file %s, line %lu",
|
||||
file, linenum);
|
||||
@ -18,9 +18,9 @@ diff -up openssh-5.2p1/auth2-pubkey.c.fips openssh-5.2p1/auth2-pubkey.c
|
||||
verbose("Found matching %s key: %s",
|
||||
key_type(found), fp);
|
||||
xfree(fp);
|
||||
diff -up openssh-5.2p1/authfile.c.fips openssh-5.2p1/authfile.c
|
||||
--- openssh-5.2p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200
|
||||
+++ openssh-5.2p1/authfile.c 2009-05-15 16:08:34.000000000 +0200
|
||||
diff -up openssh-5.3p1/authfile.c.fips openssh-5.3p1/authfile.c
|
||||
--- openssh-5.3p1/authfile.c.fips 2006-09-01 07:38:36.000000000 +0200
|
||||
+++ openssh-5.3p1/authfile.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -143,8 +143,14 @@ key_save_private_rsa1(Key *key, const ch
|
||||
/* Allocate space for the private part of the key in the buffer. */
|
||||
cp = buffer_append_space(&encrypted, buffer_len(&buffer));
|
||||
@ -55,9 +55,9 @@ diff -up openssh-5.2p1/authfile.c.fips openssh-5.2p1/authfile.c
|
||||
cipher_crypt(&ciphercontext, cp,
|
||||
buffer_ptr(&buffer), buffer_len(&buffer));
|
||||
cipher_cleanup(&ciphercontext);
|
||||
diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
|
||||
--- openssh-5.2p1/cipher.c.fips 2009-03-06 18:23:21.000000000 +0100
|
||||
+++ openssh-5.2p1/cipher.c 2009-05-15 16:14:16.000000000 +0200
|
||||
diff -up openssh-5.3p1/cipher.c.fips openssh-5.3p1/cipher.c
|
||||
--- openssh-5.3p1/cipher.c.fips 2009-10-02 13:44:03.000000000 +0200
|
||||
+++ openssh-5.3p1/cipher.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -142,9 +142,9 @@ diff -up openssh-5.2p1/cipher.c.fips openssh-5.2p1/cipher.c
|
||||
}
|
||||
|
||||
/*
|
||||
diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c
|
||||
--- openssh-5.2p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
|
||||
+++ openssh-5.2p1/cipher-ctr.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/cipher-ctr.c.fips openssh-5.3p1/cipher-ctr.c
|
||||
--- openssh-5.3p1/cipher-ctr.c.fips 2007-06-14 15:21:33.000000000 +0200
|
||||
+++ openssh-5.3p1/cipher-ctr.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
@ -155,9 +155,9 @@ diff -up openssh-5.2p1/cipher-ctr.c.fips openssh-5.2p1/cipher-ctr.c
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-5.2p1/cipher.h.fips openssh-5.2p1/cipher.h
|
||||
--- openssh-5.2p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
|
||||
+++ openssh-5.2p1/cipher.h 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/cipher.h.fips openssh-5.3p1/cipher.h
|
||||
--- openssh-5.3p1/cipher.h.fips 2009-01-28 06:38:41.000000000 +0100
|
||||
+++ openssh-5.3p1/cipher.h 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -78,7 +78,7 @@ void cipher_init(CipherContext *, Ciphe
|
||||
const u_char *, u_int, int);
|
||||
void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
|
||||
@ -167,9 +167,9 @@ diff -up openssh-5.2p1/cipher.h.fips openssh-5.2p1/cipher.h
|
||||
u_int cipher_blocksize(const Cipher *);
|
||||
u_int cipher_keylen(const Cipher *);
|
||||
u_int cipher_is_cbc(const Cipher *);
|
||||
diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c
|
||||
--- openssh-5.2p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.2p1/mac.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/mac.c.fips openssh-5.3p1/mac.c
|
||||
--- openssh-5.3p1/mac.c.fips 2008-06-13 02:58:50.000000000 +0200
|
||||
+++ openssh-5.3p1/mac.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -28,6 +28,7 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -219,10 +219,10 @@ diff -up openssh-5.2p1/mac.c.fips openssh-5.2p1/mac.c
|
||||
|
||||
for (i = 0; macs[i].name; i++) {
|
||||
if (strcmp(name, macs[i].name) == 0) {
|
||||
diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
|
||||
--- openssh-5.2p1/Makefile.in.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/Makefile.in 2009-05-15 15:51:01.000000000 +0200
|
||||
@@ -134,28 +134,28 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
diff -up openssh-5.3p1/Makefile.in.fips openssh-5.3p1/Makefile.in
|
||||
--- openssh-5.3p1/Makefile.in.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/Makefile.in 2009-10-02 14:20:18.000000000 +0200
|
||||
@@ -136,28 +136,28 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
@ -231,7 +231,7 @@ diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
@ -248,19 +248,19 @@ diff -up openssh-5.2p1/Makefile.in.fips openssh-5.2p1/Makefile.in
|
||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
|
||||
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
|
||||
--- openssh-5.2p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
|
||||
+++ openssh-5.2p1/myproposal.h 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/myproposal.h.fips openssh-5.3p1/myproposal.h
|
||||
--- openssh-5.3p1/myproposal.h.fips 2009-01-28 06:33:31.000000000 +0100
|
||||
+++ openssh-5.3p1/myproposal.h 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -53,7 +53,12 @@
|
||||
"hmac-sha1-96,hmac-md5-96"
|
||||
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
|
||||
@ -275,9 +275,9 @@ diff -up openssh-5.2p1/myproposal.h.fips openssh-5.2p1/myproposal.h
|
||||
|
||||
static char *myproposal[PROPOSAL_MAX] = {
|
||||
KEX_DEFAULT_KEX,
|
||||
diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c
|
||||
--- openssh-5.2p1/nsskeys.c.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/nsskeys.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/nsskeys.c.fips openssh-5.3p1/nsskeys.c
|
||||
--- openssh-5.3p1/nsskeys.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/nsskeys.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -183,8 +183,8 @@ nss_convert_pubkey(Key *k)
|
||||
break;
|
||||
}
|
||||
@ -289,9 +289,9 @@ diff -up openssh-5.2p1/nsskeys.c.fips openssh-5.2p1/nsskeys.c
|
||||
xfree(p);
|
||||
|
||||
return 0;
|
||||
diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbsd-compat/bsd-arc4random.c
|
||||
--- openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
|
||||
+++ openssh-5.2p1/openbsd-compat/bsd-arc4random.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.3p1/openbsd-compat/bsd-arc4random.c
|
||||
--- openssh-5.3p1/openbsd-compat/bsd-arc4random.c.fips 2008-06-04 02:54:00.000000000 +0200
|
||||
+++ openssh-5.3p1/openbsd-compat/bsd-arc4random.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -39,6 +39,7 @@
|
||||
static int rc4_ready = 0;
|
||||
static RC4_KEY rc4;
|
||||
@ -333,9 +333,9 @@ diff -up openssh-5.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.2p1/openbs
|
||||
#endif /* !HAVE_ARC4RANDOM */
|
||||
|
||||
#ifndef ARC4RANDOM_BUF
|
||||
diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
|
||||
--- openssh-5.2p1/ssh-add.c.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/ssh-add.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/ssh-add.c.fips openssh-5.3p1/ssh-add.c
|
||||
--- openssh-5.3p1/ssh-add.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh-add.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -42,6 +42,7 @@
|
||||
#include <sys/param.h>
|
||||
|
||||
@ -353,9 +353,9 @@ diff -up openssh-5.2p1/ssh-add.c.fips openssh-5.2p1/ssh-add.c
|
||||
SSH_FP_HEX);
|
||||
printf("%d %s %s (%s)\n",
|
||||
key_size(key), fp, comment, key_type(key));
|
||||
diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
|
||||
--- openssh-5.2p1/ssh-agent.c.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/ssh-agent.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/ssh-agent.c.fips openssh-5.3p1/ssh-agent.c
|
||||
--- openssh-5.3p1/ssh-agent.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh-agent.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -51,6 +51,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -377,10 +377,10 @@ diff -up openssh-5.2p1/ssh-agent.c.fips openssh-5.2p1/ssh-agent.c
|
||||
ret = 0;
|
||||
xfree(p);
|
||||
|
||||
diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
|
||||
--- openssh-5.2p1/ssh.c.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/ssh.c 2009-05-15 15:51:01.000000000 +0200
|
||||
@@ -71,6 +71,8 @@
|
||||
diff -up openssh-5.3p1/ssh.c.fips openssh-5.3p1/ssh.c
|
||||
--- openssh-5.3p1/ssh.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -72,6 +72,8 @@
|
||||
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
@ -389,7 +389,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -220,6 +222,10 @@ main(int ac, char **av)
|
||||
@@ -221,6 +223,10 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -400,7 +400,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
|
||||
init_rng();
|
||||
|
||||
/*
|
||||
@@ -279,6 +285,9 @@ main(int ac, char **av)
|
||||
@@ -281,6 +287,9 @@ main(int ac, char **av)
|
||||
"ACD:F:I:KL:MNO:PR:S:TVw:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
@ -410,7 +410,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
|
||||
options.protocol = SSH_PROTO_1;
|
||||
break;
|
||||
case '2':
|
||||
@@ -550,7 +559,6 @@ main(int ac, char **av)
|
||||
@@ -552,7 +561,6 @@ main(int ac, char **av)
|
||||
if (!host)
|
||||
usage();
|
||||
|
||||
@ -418,7 +418,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
|
||||
ERR_load_crypto_strings();
|
||||
|
||||
/* Initialize the command to execute on remote host. */
|
||||
@@ -635,6 +643,10 @@ main(int ac, char **av)
|
||||
@@ -638,6 +646,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
@ -429,7 +429,7 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
|
||||
if (options.user == NULL)
|
||||
options.user = xstrdup(pw->pw_name);
|
||||
|
||||
@@ -701,6 +713,12 @@ main(int ac, char **av)
|
||||
@@ -704,6 +716,12 @@ main(int ac, char **av)
|
||||
|
||||
timeout_ms = options.connection_timeout * 1000;
|
||||
|
||||
@ -442,9 +442,9 @@ diff -up openssh-5.2p1/ssh.c.fips openssh-5.2p1/ssh.c
|
||||
/* Open a connection to the remote host. */
|
||||
if (ssh_connect(host, &hostaddr, options.port,
|
||||
options.address_family, options.connection_attempts, &timeout_ms,
|
||||
diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
|
||||
--- openssh-5.2p1/sshconnect2.c.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/sshconnect2.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/sshconnect2.c.fips openssh-5.3p1/sshconnect2.c
|
||||
--- openssh-5.3p1/sshconnect2.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/sshconnect2.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
@ -454,7 +454,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -115,6 +117,10 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
@@ -116,6 +118,10 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
@ -465,7 +465,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -130,7 +136,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
@@ -131,7 +137,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
@ -477,7 +477,7 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
|
||||
if (options.hostkeyalgorithms != NULL)
|
||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||
options.hostkeyalgorithms;
|
||||
@@ -507,8 +517,8 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
@@ -508,8 +518,8 @@ input_userauth_pk_ok(int type, u_int32_t
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
@ -488,9 +488,9 @@ diff -up openssh-5.2p1/sshconnect2.c.fips openssh-5.2p1/sshconnect2.c
|
||||
xfree(fp);
|
||||
|
||||
/*
|
||||
diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
|
||||
--- openssh-5.2p1/sshconnect.c.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/sshconnect.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/sshconnect.c.fips openssh-5.3p1/sshconnect.c
|
||||
--- openssh-5.3p1/sshconnect.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/sshconnect.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -40,6 +40,8 @@
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
@ -500,7 +500,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
|
||||
#include "xmalloc.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
@@ -761,6 +763,7 @@ check_host_key(char *hostname, struct so
|
||||
@@ -763,6 +765,7 @@ check_host_key(char *hostname, struct so
|
||||
goto fail;
|
||||
} else if (options.strict_host_key_checking == 2) {
|
||||
char msg1[1024], msg2[1024];
|
||||
@ -508,7 +508,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
|
||||
|
||||
if (show_other_keys(host, host_key))
|
||||
snprintf(msg1, sizeof(msg1),
|
||||
@@ -769,8 +772,8 @@ check_host_key(char *hostname, struct so
|
||||
@@ -771,8 +774,8 @@ check_host_key(char *hostname, struct so
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
@ -519,7 +519,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
|
||||
SSH_FP_RANDOMART);
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
@@ -786,10 +789,10 @@ check_host_key(char *hostname, struct so
|
||||
@@ -788,10 +791,10 @@ check_host_key(char *hostname, struct so
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
"established%s\n"
|
||||
@ -532,7 +532,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
|
||||
options.visual_host_key ? "\n" : "",
|
||||
options.visual_host_key ? ra : "",
|
||||
msg2);
|
||||
@@ -1077,17 +1080,18 @@ show_key_from_file(const char *file, con
|
||||
@@ -1079,17 +1082,18 @@ show_key_from_file(const char *file, con
|
||||
Key *found;
|
||||
char *fp, *ra;
|
||||
int line, ret;
|
||||
@ -555,7 +555,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
|
||||
xfree(ra);
|
||||
xfree(fp);
|
||||
}
|
||||
@@ -1133,8 +1137,9 @@ warn_changed_key(Key *host_key)
|
||||
@@ -1135,8 +1139,9 @@ warn_changed_key(Key *host_key)
|
||||
{
|
||||
char *fp;
|
||||
const char *type = key_type(host_key);
|
||||
@ -566,7 +566,7 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
|
||||
|
||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
|
||||
@@ -1142,8 +1147,8 @@ warn_changed_key(Key *host_key)
|
||||
@@ -1144,8 +1149,8 @@ warn_changed_key(Key *host_key)
|
||||
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
|
||||
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
|
||||
error("It is also possible that the %s host key has just been changed.", type);
|
||||
@ -577,9 +577,9 @@ diff -up openssh-5.2p1/sshconnect.c.fips openssh-5.2p1/sshconnect.c
|
||||
error("Please contact your system administrator.");
|
||||
|
||||
xfree(fp);
|
||||
diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
|
||||
--- openssh-5.2p1/sshd.c.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/sshd.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/sshd.c.fips openssh-5.3p1/sshd.c
|
||||
--- openssh-5.3p1/sshd.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -76,6 +76,8 @@
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/md5.h>
|
||||
@ -589,7 +589,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
#ifdef HAVE_SECUREWARE
|
||||
@@ -1260,6 +1262,12 @@ main(int ac, char **av)
|
||||
@@ -1261,6 +1263,12 @@ main(int ac, char **av)
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
@ -602,7 +602,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
|
||||
init_rng();
|
||||
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
@@ -1412,8 +1420,6 @@ main(int ac, char **av)
|
||||
@@ -1413,8 +1421,6 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
@ -611,7 +611,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
|
||||
/*
|
||||
* Force logging to stderr until we have loaded the private host
|
||||
* key (unless started from inetd)
|
||||
@@ -1531,6 +1537,10 @@ main(int ac, char **av)
|
||||
@@ -1532,6 +1538,10 @@ main(int ac, char **av)
|
||||
debug("private host key: #%d type %d %s", i, key->type,
|
||||
key_type(key));
|
||||
}
|
||||
@ -622,7 +622,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
|
||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -1655,6 +1665,10 @@ main(int ac, char **av)
|
||||
@@ -1656,6 +1666,10 @@ main(int ac, char **av)
|
||||
/* Initialize the random number generator. */
|
||||
arc4random_stir();
|
||||
|
||||
@ -633,7 +633,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
chdir("/");
|
||||
@@ -2182,6 +2196,9 @@ do_ssh2_kex(void)
|
||||
@@ -2183,6 +2197,9 @@ do_ssh2_kex(void)
|
||||
if (options.ciphers != NULL) {
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||
@ -643,7 +643,7 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
|
||||
}
|
||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||
@@ -2191,6 +2208,9 @@ do_ssh2_kex(void)
|
||||
@@ -2192,6 +2209,9 @@ do_ssh2_kex(void)
|
||||
if (options.macs != NULL) {
|
||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||
@ -653,9 +653,9 @@ diff -up openssh-5.2p1/sshd.c.fips openssh-5.2p1/sshd.c
|
||||
}
|
||||
if (options.compression == COMP_NONE) {
|
||||
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
|
||||
diff -up openssh-5.2p1/ssh-keygen.c.fips openssh-5.2p1/ssh-keygen.c
|
||||
--- openssh-5.2p1/ssh-keygen.c.fips 2009-05-15 15:51:01.000000000 +0200
|
||||
+++ openssh-5.2p1/ssh-keygen.c 2009-05-15 15:51:01.000000000 +0200
|
||||
diff -up openssh-5.3p1/ssh-keygen.c.fips openssh-5.3p1/ssh-keygen.c
|
||||
--- openssh-5.3p1/ssh-keygen.c.fips 2009-10-02 14:12:00.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh-keygen.c 2009-10-02 14:12:00.000000000 +0200
|
||||
@@ -21,6 +21,7 @@
|
||||
|
||||
#include <openssl/evp.h>
|
2929
openssh-5.3p1-gsskex.patch
Normal file
2929
openssh-5.3p1-gsskex.patch
Normal file
File diff suppressed because it is too large
@ -1,7 +1,18 @@
|
||||
diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c
|
||||
--- openssh-5.1p1/misc.c.mls 2008-06-13 06:48:59.000000000 +0200
|
||||
+++ openssh-5.1p1/misc.c 2008-07-23 18:53:37.000000000 +0200
|
||||
@@ -427,6 +427,7 @@ char *
|
||||
diff -up openssh-5.3p1/configure.ac.mls openssh-5.3p1/configure.ac
|
||||
--- openssh-5.3p1/configure.ac.mls 2009-10-02 14:04:31.000000000 +0200
|
||||
+++ openssh-5.3p1/configure.ac 2009-10-02 14:04:31.000000000 +0200
|
||||
@@ -3404,6 +3404,7 @@ AC_ARG_WITH(selinux,
|
||||
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
LIBS="$LIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
+ AC_CHECK_FUNCS(setkeycreatecon)
|
||||
LIBS="$save_LIBS"
|
||||
fi ]
|
||||
)
|
||||
diff -up openssh-5.3p1/misc.c.mls openssh-5.3p1/misc.c
|
||||
--- openssh-5.3p1/misc.c.mls 2009-02-21 22:47:02.000000000 +0100
|
||||
+++ openssh-5.3p1/misc.c 2009-10-02 14:04:31.000000000 +0200
|
||||
@@ -423,6 +423,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
@ -9,7 +20,7 @@ diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return (0);
|
||||
@@ -440,8 +441,13 @@ colon(char *cp)
|
||||
@@ -436,8 +437,13 @@ colon(char *cp)
|
||||
return (cp+1);
|
||||
if (*cp == ':' && !flag)
|
||||
return (cp);
|
||||
@ -25,23 +36,9 @@ diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c
|
||||
}
|
||||
return (0);
|
||||
}
|
||||
diff -up openssh-5.1p1/session.c.mls openssh-5.1p1/session.c
|
||||
--- openssh-5.1p1/session.c.mls 2008-06-16 15:29:18.000000000 +0200
|
||||
+++ openssh-5.1p1/session.c 2008-07-23 18:53:37.000000000 +0200
|
||||
@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw)
|
||||
#endif
|
||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
||||
-
|
||||
-#ifdef WITH_SELINUX
|
||||
- ssh_selinux_setup_exec_context(pw->pw_name);
|
||||
-#endif
|
||||
}
|
||||
|
||||
static void
|
||||
diff -up openssh-5.1p1/openbsd-compat/port-linux.c.mls openssh-5.1p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.1p1/openbsd-compat/port-linux.c.mls 2008-07-23 18:53:37.000000000 +0200
|
||||
+++ openssh-5.1p1/openbsd-compat/port-linux.c 2008-07-23 18:53:37.000000000 +0200
|
||||
diff -up openssh-5.3p1/openbsd-compat/port-linux.c.mls openssh-5.3p1/openbsd-compat/port-linux.c
|
||||
--- openssh-5.3p1/openbsd-compat/port-linux.c.mls 2009-10-02 14:04:31.000000000 +0200
|
||||
+++ openssh-5.3p1/openbsd-compat/port-linux.c 2009-10-02 14:04:31.000000000 +0200
|
||||
@@ -33,12 +33,23 @@
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
@ -419,20 +416,23 @@ diff -up openssh-5.1p1/openbsd-compat/port-linux.c.mls openssh-5.1p1/openbsd-com
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff -up openssh-5.1p1/configure.ac.mls openssh-5.1p1/configure.ac
|
||||
--- openssh-5.1p1/configure.ac.mls 2008-07-23 18:53:37.000000000 +0200
|
||||
+++ openssh-5.1p1/configure.ac 2008-07-23 18:53:37.000000000 +0200
|
||||
@@ -3311,6 +3311,7 @@ AC_ARG_WITH(selinux,
|
||||
SSHDLIBS="$SSHDLIBS $LIBSELINUX"
|
||||
LIBS="$LIBS $LIBSELINUX"
|
||||
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
|
||||
+ AC_CHECK_FUNCS(setkeycreatecon)
|
||||
LIBS="$save_LIBS"
|
||||
fi ]
|
||||
)
|
||||
diff -up openssh-5.1p1/sshd.c.mls openssh-5.1p1/sshd.c
|
||||
--- openssh-5.1p1/sshd.c.mls 2008-07-23 18:53:37.000000000 +0200
|
||||
+++ openssh-5.1p1/sshd.c 2008-07-23 18:53:37.000000000 +0200
|
||||
diff -up openssh-5.3p1/session.c.mls openssh-5.3p1/session.c
|
||||
--- openssh-5.3p1/session.c.mls 2009-08-20 08:20:50.000000000 +0200
|
||||
+++ openssh-5.3p1/session.c 2009-10-02 14:06:12.000000000 +0200
|
||||
@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw)
|
||||
|
||||
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
|
||||
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
|
||||
-
|
||||
-#ifdef WITH_SELINUX
|
||||
- ssh_selinux_setup_exec_context(pw->pw_name);
|
||||
-#endif
|
||||
}
|
||||
|
||||
static void
|
||||
diff -up openssh-5.3p1/sshd.c.mls openssh-5.3p1/sshd.c
|
||||
--- openssh-5.3p1/sshd.c.mls 2009-10-02 14:04:31.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd.c 2009-10-02 14:04:31.000000000 +0200
|
||||
@@ -1896,6 +1896,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
File diff suppressed because it is too large
444
openssh-5.3p1-pka.patch
Normal file
444
openssh-5.3p1-pka.patch
Normal file
@ -0,0 +1,444 @@
|
||||
diff -up openssh-5.3p1/auth2-pubkey.c.pka openssh-5.3p1/auth2-pubkey.c
|
||||
--- openssh-5.3p1/auth2-pubkey.c.pka 2009-03-08 01:40:28.000000000 +0100
|
||||
+++ openssh-5.3p1/auth2-pubkey.c 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -175,26 +175,14 @@ done:
|
||||
|
||||
/* return 1 if user allows given key */
|
||||
static int
|
||||
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
|
||||
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
|
||||
{
|
||||
char line[SSH_MAX_PUBKEY_BYTES];
|
||||
int found_key = 0;
|
||||
- FILE *f;
|
||||
u_long linenum = 0;
|
||||
Key *found;
|
||||
char *fp;
|
||||
|
||||
- /* Temporarily use the user's uid. */
|
||||
- temporarily_use_uid(pw);
|
||||
-
|
||||
- debug("trying public key file %s", file);
|
||||
- f = auth_openkeyfile(file, pw, options.strict_modes);
|
||||
-
|
||||
- if (!f) {
|
||||
- restore_uid();
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
found_key = 0;
|
||||
found = key_new(key->type);
|
||||
|
||||
@@ -239,21 +227,160 @@ user_key_allowed2(struct passwd *pw, Key
|
||||
break;
|
||||
}
|
||||
}
|
||||
- restore_uid();
|
||||
- fclose(f);
|
||||
key_free(found);
|
||||
if (!found_key)
|
||||
debug2("key not found");
|
||||
return found_key;
|
||||
}
|
||||
|
||||
-/* check whether given key is in .ssh/authorized_keys* */
|
||||
+
|
||||
+/* return 1 if user allows given key */
|
||||
+static int
|
||||
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
|
||||
+{
|
||||
+ FILE *f;
|
||||
+ int found_key = 0;
|
||||
+
|
||||
+ /* Temporarily use the user's uid. */
|
||||
+ temporarily_use_uid(pw);
|
||||
+
|
||||
+ debug("trying public key file %s", file);
|
||||
+ f = auth_openkeyfile(file, pw, options.strict_modes);
|
||||
+
|
||||
+ if (f) {
|
||||
+ found_key = user_search_key_in_file (f, file, key, pw);
|
||||
+ fclose(f);
|
||||
+ }
|
||||
+
|
||||
+ restore_uid();
|
||||
+ return found_key;
|
||||
+}
|
||||
+
|
||||
+#ifdef WITH_PUBKEY_AGENT
|
||||
+
|
||||
+#define WHITESPACE " \t\r\n"
|
||||
+
|
||||
+/* return 1 if user allows given key */
|
||||
+static int
|
||||
+user_key_via_agent_allowed2(struct passwd *pw, Key *key)
|
||||
+{
|
||||
+ FILE *f;
|
||||
+ int found_key = 0;
|
||||
+ char *pubkey_agent_string = NULL;
|
||||
+ char *tmp_pubkey_agent_string = NULL;
|
||||
+ char *progname;
|
||||
+ char *cp;
|
||||
+ struct passwd *runas_pw;
|
||||
+ struct stat st;
|
||||
+
|
||||
+ if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
|
||||
+ return -1;
|
||||
+
|
||||
+ /* get the run as identity from config */
|
||||
+ runas_pw = (options.pubkey_agent_runas == NULL)? pw
|
||||
+ : getpwnam (options.pubkey_agent_runas);
|
||||
+ if (!runas_pw) {
|
||||
+ error("%s: getpwnam(\"%s\"): %s", __func__,
|
||||
+ options.pubkey_agent_runas, strerror(errno));
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* Temporarily use the specified uid. */
|
||||
+ if (runas_pw->pw_uid != 0)
|
||||
+ temporarily_use_uid(runas_pw);
|
||||
+
|
||||
+ pubkey_agent_string = percent_expand(options.pubkey_agent,
|
||||
+ "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
|
||||
+
|
||||
+ /* Test whether agent can be modified by non root user */
|
||||
+ tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
|
||||
+ progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
|
||||
+
|
||||
+ debug3("%s: checking program '%s'", __func__, progname);
|
||||
+
|
||||
+ if (stat (progname, &st) < 0) {
|
||||
+ error("%s: stat(\"%s\"): %s", __func__,
|
||||
+ progname, strerror(errno));
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+
|
||||
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
|
||||
+ error("bad ownership or modes for pubkey agent \"%s\"",
|
||||
+ progname);
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+
|
||||
+ if (!S_ISREG(st.st_mode)) {
|
||||
+ error("pubkey agent \"%s\" is not a regular file",
|
||||
+ progname);
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Descend the path, checking that each component is a
|
||||
+ * root-owned directory with strict permissions.
|
||||
+ */
|
||||
+ do {
|
||||
+ if ((cp = strrchr(progname, '/')) == NULL)
|
||||
+ break;
|
||||
+ else
|
||||
+ *cp = '\0';
|
||||
+
|
||||
+ debug3("%s: checking component '%s'", __func__, progname);
|
||||
+
|
||||
+ if (stat(progname, &st) != 0) {
|
||||
+ error("%s: stat(\"%s\"): %s", __func__,
|
||||
+ progname, strerror(errno));
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
|
||||
+ error("bad ownership or modes for pubkey agent path component \"%s\"",
|
||||
+ progname);
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+ if (!S_ISDIR(st.st_mode)) {
|
||||
+ error("pubkey agent path component \"%s\" is not a directory",
|
||||
+ progname);
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+ } while (0);
|
||||
+
|
||||
+ /* open the pipe and read the keys */
|
||||
+ f = popen (pubkey_agent_string, "r");
|
||||
+ if (!f) {
|
||||
+ error("%s: popen (\"%s\", \"r\"): %s", __func__,
|
||||
+ pubkey_agent_string, strerror (errno));
|
||||
+ goto go_away;
|
||||
+ }
|
||||
+
|
||||
+ found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
|
||||
+ pclose (f);
|
||||
+
|
||||
+go_away:
|
||||
+ if (tmp_pubkey_agent_string)
|
||||
+ xfree (tmp_pubkey_agent_string);
|
||||
+ if (pubkey_agent_string)
|
||||
+ xfree (pubkey_agent_string);
|
||||
+
|
||||
+ if (runas_pw->pw_uid != 0)
|
||||
+ restore_uid();
|
||||
+ return found_key;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/* check whether given key is in <pkey_agent or .ssh/authorized_keys* */
|
||||
int
|
||||
user_key_allowed(struct passwd *pw, Key *key)
|
||||
{
|
||||
int success;
|
||||
char *file;
|
||||
|
||||
+#ifdef WITH_PUBKEY_AGENT
|
||||
+ success = user_key_via_agent_allowed2(pw, key);
|
||||
+ if (success >= 0)
|
||||
+ return success;
|
||||
+#endif
|
||||
+
|
||||
file = authorized_keys_file(pw);
|
||||
success = user_key_allowed2(pw, key, file);
|
||||
xfree(file);
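Review bot: In `user_key_via_agent_allowed2` the block commented "Descend the path, checking that each component is a root-owned directory" is wrapped in `do { … } while (0);`, so it runs once and only the helper's immediate parent directory is checked for ownership and mode; a group- or world-writable directory further up the path passes unnoticed. The loop should keep going until `/` itself has been checked, as sketched below. Separately, the helper is started with `popen()`, which passes the `%u`/`%h`-expanded string through the shell, and the only privilege change around it is `temporarily_use_uid()`. That function is not shown here, but if it switches only the effective ids (as it does in upstream OpenSSH) the child keeps a root real uid, so forking, dropping privileges permanently in the child and calling `execv()` on a parsed argv would be the safer way to run the helper.

```c
	/* Check every ancestor directory, up to and including "/". */
	for (;;) {
		if ((cp = strrchr(progname, '/')) == NULL)
			break;
		if (cp == progname)
			cp[1] = '\0';	/* reached the root: check "/" itself */
		else
			*cp = '\0';
		/* … unchanged: debug3(), stat() and the owner/mode/S_ISDIR checks on progname … */
		if (progname[0] == '/' && progname[1] == '\0')
			break;
	}
```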
|
||||
diff -up openssh-5.3p1/configure.pka openssh-5.3p1/configure
|
||||
--- openssh-5.3p1/configure.pka 2009-10-13 19:27:51.000000000 +0200
|
||||
+++ openssh-5.3p1/configure 2009-10-15 06:26:33.000000000 +0200
|
||||
@@ -769,6 +769,7 @@ with_skey
|
||||
with_tcp_wrappers
|
||||
with_libedit
|
||||
with_audit
|
||||
+with_pka
|
||||
with_ssl_dir
|
||||
with_openssl_header_check
|
||||
with_ssl_engine
|
||||
@@ -1473,6 +1474,7 @@ Optional Packages:
|
||||
--with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
|
||||
--with-libedit[=PATH] Enable libedit support for sftp
|
||||
--with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)
|
||||
+ --with-pka Enable pubkey agent support
|
||||
--with-ssl-dir=PATH Specify path to OpenSSL installation
|
||||
--without-openssl-header-check Disable OpenSSL version consistency check
|
||||
--with-ssl-engine Enable OpenSSL (hardware) ENGINE support
|
||||
@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m
|
||||
fi
|
||||
|
||||
|
||||
+# Check whether user wants pubkey agent support
|
||||
+PKA_MSG="no"
|
||||
+
|
||||
+# Check whether --with-pka was given.
|
||||
+if test "${with_pka+set}" = set; then
|
||||
+ withval=$with_pka;
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+
|
||||
+cat >>confdefs.h <<\_ACEOF
|
||||
+#define WITH_PUBKEY_AGENT 1
|
||||
+_ACEOF
|
||||
+
|
||||
+ PKA_MSG="yes"
|
||||
+ fi
|
||||
+
|
||||
+
|
||||
+fi
|
||||
+
|
||||
+
|
||||
|
||||
|
||||
|
||||
@@ -32772,6 +32793,7 @@ echo " Linux audit support
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
+echo " PKA support: $PKA_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-5.3p1/configure.ac.pka openssh-5.3p1/configure.ac
|
||||
--- openssh-5.3p1/configure.ac.pka 2009-09-11 06:56:08.000000000 +0200
|
||||
+++ openssh-5.3p1/configure.ac 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit,
|
||||
esac ]
|
||||
)
|
||||
|
||||
+# Check whether user wants pubkey agent support
|
||||
+PKA_MSG="no"
|
||||
+AC_ARG_WITH(pka,
|
||||
+ [ --with-pka Enable pubkey agent support],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])
|
||||
+ PKA_MSG="yes"
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
dnl Checks for library functions. Please keep in alphabetical order
|
||||
AC_CHECK_FUNCS( \
|
||||
arc4random \
|
||||
@@ -4229,6 +4241,7 @@ echo " SELinux support
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
echo " TCP Wrappers support: $TCPW_MSG"
|
||||
+echo " PKA support: $PKA_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh-5.3p1/servconf.c.pka openssh-5.3p1/servconf.c
|
||||
--- openssh-5.3p1/servconf.c.pka 2009-06-21 12:26:17.000000000 +0200
|
||||
+++ openssh-5.3p1/servconf.c 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -127,6 +127,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
options->chroot_directory = NULL;
|
||||
+ options->pubkey_agent = NULL;
|
||||
+ options->pubkey_agent_runas = NULL;
|
||||
options->zero_knowledge_password_authentication = -1;
|
||||
}
|
||||
|
||||
@@ -306,6 +308,7 @@ typedef enum {
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sZeroKnowledgePasswordAuthentication,
|
||||
+ sPubkeyAgent, sPubkeyAgentRunAs,
|
||||
sDeprecated, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -424,6 +427,13 @@ static struct {
|
||||
{ "permitopen", sPermitOpen, SSHCFG_ALL },
|
||||
{ "forcecommand", sForceCommand, SSHCFG_ALL },
|
||||
{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
|
||||
+#ifdef WITH_PUBKEY_AGENT
|
||||
+ { "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
|
||||
+ { "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
|
||||
+#else
|
||||
+ { "pubkeyagent", sUnsupported, SSHCFG_ALL },
|
||||
+ { "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },
|
||||
+#endif
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -1294,6 +1304,20 @@ process_server_config_line(ServerOptions
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
+ case sPubkeyAgent:
|
||||
+ len = strspn(cp, WHITESPACE);
|
||||
+ if (*activep && options->pubkey_agent == NULL)
|
||||
+ options->pubkey_agent = xstrdup(cp + len);
|
||||
+ return 0;
|
||||
+
|
||||
+ case sPubkeyAgentRunAs:
|
||||
+ charptr = &options->pubkey_agent_runas;
|
||||
+
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (*activep && *charptr == NULL)
|
||||
+ *charptr = xstrdup(arg);
|
||||
+ break;
|
||||
+
|
||||
case sDeprecated:
|
||||
logit("%s line %d: Deprecated option %s",
|
||||
filename, linenum, arg);
|
||||
@@ -1387,6 +1411,8 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(gss_authentication);
|
||||
M_CP_INTOPT(rsa_authentication);
|
||||
M_CP_INTOPT(pubkey_authentication);
|
||||
+ M_CP_STROPT(pubkey_agent);
|
||||
+ M_CP_STROPT(pubkey_agent_runas);
|
||||
M_CP_INTOPT(kerberos_authentication);
|
||||
M_CP_INTOPT(hostbased_authentication);
|
||||
M_CP_INTOPT(kbd_interactive_authentication);
|
||||
@@ -1626,6 +1652,10 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
|
||||
dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
+#ifdef WITH_PUBKEY_AGENT
|
||||
+ dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
|
||||
+ dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
|
||||
+#endif
|
||||
|
||||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
diff -up openssh-5.3p1/servconf.h.pka openssh-5.3p1/servconf.h
|
||||
--- openssh-5.3p1/servconf.h.pka 2009-01-28 06:31:23.000000000 +0100
|
||||
+++ openssh-5.3p1/servconf.h 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -151,6 +151,8 @@ typedef struct {
|
||||
int num_permitted_opens;
|
||||
|
||||
char *chroot_directory;
|
||||
+ char *pubkey_agent;
|
||||
+ char *pubkey_agent_runas;
|
||||
} ServerOptions;
|
||||
|
||||
void initialize_server_options(ServerOptions *);
|
||||
diff -up openssh-5.3p1/sshd_config.0.pka openssh-5.3p1/sshd_config.0
|
||||
--- openssh-5.3p1/sshd_config.0.pka 2009-09-26 08:31:16.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd_config.0 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -344,10 +344,11 @@ DESCRIPTION
|
||||
AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
|
||||
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
|
||||
KbdInteractiveAuthentication, KerberosAuthentication,
|
||||
- MaxAuthTries, MaxSessions, PasswordAuthentication,
|
||||
- PermitEmptyPasswords, PermitOpen, PermitRootLogin,
|
||||
- RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
|
||||
- X11Forwarding and X11UseLocalHost.
|
||||
+ MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent,
|
||||
+ PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords,
|
||||
+ PermitOpen, PermitRootLogin, RhostsRSAAuthentication,
|
||||
+ RSAAuthentication, X11DisplayOffset, X11Forwarding and
|
||||
+ X11UseLocalHost.
|
||||
|
||||
MaxAuthTries
|
||||
Specifies the maximum number of authentication attempts permitted
|
||||
@@ -455,6 +456,17 @@ DESCRIPTION
|
||||
fault is ``yes''. Note that this option applies to protocol ver-
|
||||
sion 2 only.
|
||||
|
||||
+ PubkeyAgent
|
||||
+ Specifies which agent is used for lookup of the user's public
|
||||
+ keys. Empty string means to use the authorized_keys file. By
|
||||
+ default there is no PubkeyAgent set. Note that this option has
|
||||
+ an effect only with PubkeyAuthentication switched on.
|
||||
+
|
||||
+ PubkeyAgentRunAs
|
||||
+ Specifies the user under whose account the PubkeyAgent is run.
|
||||
+ Empty string (the default value) means the user being authorized
|
||||
+ is used.
|
||||
+
|
||||
RhostsRSAAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication to-
|
||||
gether with successful RSA host authentication is allowed. The
|
||||
diff -up openssh-5.3p1/sshd_config.pka openssh-5.3p1/sshd_config
|
||||
--- openssh-5.3p1/sshd_config.pka 2008-07-02 14:35:43.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd_config 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -46,6 +46,8 @@ Protocol 2
|
||||
#RSAAuthentication yes
|
||||
#PubkeyAuthentication yes
|
||||
#AuthorizedKeysFile .ssh/authorized_keys
|
||||
+#PubkeyAgent none
|
||||
+#PubkeyAgentRunAs nobody
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#RhostsRSAAuthentication no
|
||||
diff -up openssh-5.3p1/sshd_config.5.pka openssh-5.3p1/sshd_config.5
|
||||
--- openssh-5.3p1/sshd_config.5.pka 2009-08-28 02:27:08.000000000 +0200
|
||||
+++ openssh-5.3p1/sshd_config.5 2010-01-04 16:07:53.000000000 +0100
|
||||
@@ -610,6 +610,9 @@ Available keywords are
|
||||
.Cm KerberosAuthentication ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
+.Cm PubkeyAuthentication ,
|
||||
+.Cm PubkeyAgent ,
|
||||
+.Cm PubkeyAgentRunAs ,
|
||||
.Cm PasswordAuthentication ,
|
||||
.Cm PermitEmptyPasswords ,
|
||||
.Cm PermitOpen ,
|
||||
@@ -805,6 +808,16 @@ Specifies whether public key authenticat
|
||||
The default is
|
||||
.Dq yes .
|
||||
Note that this option applies to protocol version 2 only.
|
||||
+.It Cm PubkeyAgent
|
||||
+Specifies which agent is used for lookup of the user's public
|
||||
+keys. Empty string means to use the authorized_keys file.
|
||||
+By default there is no PubkeyAgent set.
|
||||
+Note that this option has an effect only with PubkeyAuthentication
|
||||
+switched on.
|
||||
+.It Cm PubkeyAgentRunAs
|
||||
+Specifies the user under whose account the PubkeyAgent is run. Empty
|
||||
+string (the default value) means the user being authorized is used.
|
||||
+.Dq
|
||||
.It Cm RhostsRSAAuthentication
|
||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||
with successful RSA host authentication is allowed.
|
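--- /dev/null
+++ b/openssh-5.3p1-randclean.patch
@@ -0,0 +1,13 @@
+diff -up openssh-5.3p1/entropy.c.randclean openssh-5.3p1/entropy.c
+--- openssh-5.3p1/entropy.c.randclean 2010-01-21 09:26:30.000000000 +0100
++++ openssh-5.3p1/entropy.c 2010-01-21 09:26:37.000000000 +0100
+@@ -159,6 +159,9 @@ init_rng(void)
+fatal("OpenSSL version mismatch. Built against %lx, you "
+"have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
+
++ /* clean the PRNG status when exiting the program */
++ atexit(RAND_cleanup);
++
+#ifndef OPENSSL_PRNG_ONLY
+original_uid = getuid();
+original_euid = geteuid();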
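Review bot: `atexit(RAND_cleanup)` in `init_rng()` only runs when the process ends through `exit()` or a return from `main()`; any path that terminates with `_exit()` skips the handler, so the PRNG state is not wiped there. That matters if forked children or the fatal-error path leave that way, which upstream OpenSSH's `cleanup_exit()` appears to do, though it cannot be confirmed from this hunk. The return value of `atexit()` is also ignored, so a failed registration goes unnoticed; consider `if (atexit(RAND_cleanup) != 0) error("atexit(RAND_cleanup) failed");`. The comment would be more accurate as `/* wipe the OpenSSL PRNG state on normal exit(); not run on _exit() */`. The body of `init_rng()` continues outside the hunk.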
@ -1,6 +1,6 @@
|
||||
diff -up openssh-5.2p1/contrib/ssh-copy-id.selabel openssh-5.2p1/contrib/ssh-copy-id
|
||||
--- openssh-5.2p1/contrib/ssh-copy-id.selabel 2009-01-21 10:29:21.000000000 +0100
|
||||
+++ openssh-5.2p1/contrib/ssh-copy-id 2009-07-08 14:28:27.000000000 +0200
|
||||
diff -up openssh-5.3p1/contrib/ssh-copy-id.selabel openssh-5.3p1/contrib/ssh-copy-id
|
||||
--- openssh-5.3p1/contrib/ssh-copy-id.selabel 2009-01-21 10:29:21.000000000 +0100
|
||||
+++ openssh-5.3p1/contrib/ssh-copy-id 2009-10-02 14:21:54.000000000 +0200
|
||||
@@ -38,7 +38,7 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] ||
|
||||
exit 1
|
||||
fi
|
||||
@ -10,10 +10,10 @@ diff -up openssh-5.2p1/contrib/ssh-copy-id.selabel openssh-5.2p1/contrib/ssh-cop
|
||||
|
||||
cat <<EOF
|
||||
Now try logging into the machine, with "ssh '$1'", and check in:
|
||||
diff -up openssh-5.2p1/Makefile.in.selabel openssh-5.2p1/Makefile.in
|
||||
--- openssh-5.2p1/Makefile.in.selabel 2009-07-08 14:28:25.000000000 +0200
|
||||
+++ openssh-5.2p1/Makefile.in 2009-07-08 14:28:27.000000000 +0200
|
||||
@@ -134,7 +134,7 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
diff -up openssh-5.3p1/Makefile.in.selabel openssh-5.3p1/Makefile.in
|
||||
--- openssh-5.3p1/Makefile.in.selabel 2009-10-02 14:21:54.000000000 +0200
|
||||
+++ openssh-5.3p1/Makefile.in 2009-10-02 14:23:23.000000000 +0200
|
||||
@@ -136,7 +136,7 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
@ -21,10 +21,10 @@ diff -up openssh-5.2p1/Makefile.in.selabel openssh-5.2p1/Makefile.in
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck -lselinux $(LIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) -lfipscheck $(LIBS)
|
||||
diff -up openssh-5.2p1/ssh.c.selabel openssh-5.2p1/ssh.c
|
||||
--- openssh-5.2p1/ssh.c.selabel 2009-07-08 14:28:27.000000000 +0200
|
||||
+++ openssh-5.2p1/ssh.c 2009-07-08 14:34:00.000000000 +0200
|
||||
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS)
|
||||
diff -up openssh-5.3p1/ssh.c.selabel openssh-5.3p1/ssh.c
|
||||
--- openssh-5.3p1/ssh.c.selabel 2009-10-02 14:21:54.000000000 +0200
|
||||
+++ openssh-5.3p1/ssh.c 2009-10-02 14:21:54.000000000 +0200
|
||||
@@ -74,6 +74,7 @@
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/fips.h>
|
||||
@ -33,7 +33,7 @@ diff -up openssh-5.2p1/ssh.c.selabel openssh-5.2p1/ssh.c
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -791,10 +792,15 @@ main(int ac, char **av)
|
||||
@@ -792,10 +793,15 @@ main(int ac, char **av)
|
||||
*/
|
||||
r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
|
||||
strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
|
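--- /dev/null
+++ b/openssh-5.3p1-skip-initial.patch
@@ -0,0 +1,24 @@
+diff -up openssh-5.3p1/auth1.c.skip-initial openssh-5.3p1/auth1.c
+--- openssh-5.3p1/auth1.c.skip-initial 2009-03-08 01:40:28.000000000 +0100
++++ openssh-5.3p1/auth1.c 2009-10-02 13:55:00.000000000 +0200
+@@ -244,7 +244,7 @@ do_authloop(Authctxt *authctxt)
+authctxt->valid ? "" : "invalid user ", authctxt->user);
+
+/* If the user has no password, accept authentication immediately. */
+- if (options.password_authentication &&
++ if (options.permit_empty_passwd && options.password_authentication &&
+#ifdef KRB5
+(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
+#endif
+diff -up openssh-5.3p1/auth2-none.c.skip-initial openssh-5.3p1/auth2-none.c
+--- openssh-5.3p1/auth2-none.c.skip-initial 2009-03-08 01:40:28.000000000 +0100
++++ openssh-5.3p1/auth2-none.c 2009-10-02 13:56:21.000000000 +0200
+@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
+{
+none_enabled = 0;
+packet_check_eom();
+- if (options.password_authentication)
++ if (options.permit_empty_passwd && options.password_authentication)
+return (PRIVSEP(auth_password(authctxt, "")));
+return (0);
+}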
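Review bot: The comment kept above the changed condition in `do_authloop()` (auth1.c), `/* If the user has no password, accept authentication immediately. */`, no longer describes the test, because the empty-password attempt is now made only when `options.permit_empty_passwd` is set. I would reword it to `/* If empty passwords are permitted and the user has none, accept immediately. */`. The same guard in `userauth_none()` (auth2-none.c) has no comment at all; something like `/* skip the empty-password attempt unless PermitEmptyPasswords is on */` would record why the extra condition is there. The body of `do_authloop()` extends beyond its hunk, and whether `auth_password()` repeats this check internally cannot be seen here.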
146
openssh.spec
146
openssh.spec
@ -32,6 +32,9 @@
|
||||
# Whether or not /sbin/nologin exists.
|
||||
%define nologin 1
|
||||
|
||||
# Whether to build pam_ssh_agent_auth
|
||||
%define pam_ssh_agent 1
|
||||
|
||||
# Reserve options to override askpass settings with:
|
||||
# rpm -ba|--rebuild --define 'skip_xxx 1'
|
||||
%{?skip_gnome_askpass:%define no_gnome_askpass 1}
|
||||
@ -58,13 +61,17 @@
|
||||
%if %{rescue}
|
||||
%define kerberos5 0
|
||||
%define libedit 0
|
||||
%define pam_ssh_agent 0
|
||||
%endif
|
||||
|
||||
%define pam_ssh_agent_ver 0.9
|
||||
|
||||
Summary: An open source implementation of SSH protocol versions 1 and 2
|
||||
Name: openssh
|
||||
Version: 5.2p1
|
||||
Release: 28%{?dist}%{?rescue_rel}
|
||||
Version: 5.3p1
|
||||
Release: 19%{?dist}%{?rescue_rel}
|
||||
URL: http://www.openssh.com/portable.html
|
||||
#URL1: http://pamsshauth.sourceforge.net
|
||||
#Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||
# This package differs from the upstream OpenSSH tarball in that
|
||||
@ -74,13 +81,16 @@ Source0: openssh-%{version}-noacss.tar.bz2
|
||||
Source1: openssh-nukeacss.sh
|
||||
Source2: sshd.pam
|
||||
Source3: sshd.init
|
||||
Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.bz2
|
||||
Source5: pam_ssh_agent-rmheaders
|
||||
Patch0: openssh-5.2p1-redhat.patch
|
||||
Patch2: openssh-5.1p1-skip-initial.patch
|
||||
Patch3: openssh-3.8.1p1-krb5-config.patch
|
||||
Patch2: openssh-5.3p1-skip-initial.patch
|
||||
Patch4: openssh-5.2p1-vendor.patch
|
||||
Patch5: openssh-5.2p1-engine.patch
|
||||
Patch10: pam_ssh_agent_auth-0.9-build.patch
|
||||
Patch12: openssh-5.2p1-selinux.patch
|
||||
Patch13: openssh-5.1p1-mls.patch
|
||||
Patch16: openssh-4.7p1-audit.patch
|
||||
Patch13: openssh-5.3p1-mls.patch
|
||||
Patch16: openssh-5.3p1-audit.patch
|
||||
Patch18: openssh-5.0p1-pam_selinux.patch
|
||||
Patch19: openssh-5.2p1-sesftp.patch
|
||||
Patch22: openssh-3.9p1-askpass-keep-above.patch
|
||||
@ -92,13 +102,15 @@ Patch38: openssh-4.3p2-askpass-grab-info.patch
|
||||
Patch39: openssh-4.3p2-no-v6only.patch
|
||||
Patch44: openssh-5.2p1-allow-ip-opts.patch
|
||||
Patch49: openssh-4.3p2-gssapi-canohost.patch
|
||||
Patch51: openssh-5.2p1-nss-keys.patch
|
||||
Patch51: openssh-5.3p1-nss-keys.patch
|
||||
Patch55: openssh-5.1p1-cloexec.patch
|
||||
Patch62: openssh-5.1p1-scp-manpage.patch
|
||||
Patch65: openssh-5.2p1-fips.patch
|
||||
Patch68: openssh-5.2p1-pathmax.patch
|
||||
Patch69: openssh-5.2p1-selabel.patch
|
||||
Patch65: openssh-5.3p1-fips.patch
|
||||
Patch69: openssh-5.3p1-selabel.patch
|
||||
Patch71: openssh-5.2p1-edns.patch
|
||||
Patch72: openssh-5.3p1-pka.patch
|
||||
Patch73: openssh-5.3p1-gsskex.patch
|
||||
Patch74: openssh-5.3p1-randclean.patch
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
@ -170,6 +182,14 @@ Requires: openssh = %{version}-%{release}
|
||||
Obsoletes: openssh-askpass-gnome
|
||||
Provides: openssh-askpass-gnome
|
||||
|
||||
%package -n pam_ssh_agent_auth
|
||||
Summary: PAM module for authentication with ssh-agent
|
||||
Group: System Environment/Base
|
||||
Version: %{pam_ssh_agent_ver}
|
||||
# There is special exception added to the GPLv3+ license to
|
||||
# permit linking with OpenSSL licensed code
|
||||
License: GPLv3+ and OpenSSL and BSD
|
||||
|
||||
%description
|
||||
SSH (Secure SHell) is a program for logging into and executing
|
||||
commands on a remote machine. SSH is intended to replace rlogin and
|
||||
@ -200,12 +220,28 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||
into and executing commands on a remote machine. This package contains
|
||||
an X11 passphrase dialog for OpenSSH.
|
||||
|
||||
%description -n pam_ssh_agent_auth
|
||||
This package contains a PAM module which can be used to authenticate
|
||||
users using ssh keys stored in a ssh-agent. Through the use of the
|
||||
forwarding of ssh-agent connection it also allows to authenticate with
|
||||
remote ssh-agent instance.
|
||||
|
||||
The module is most useful for su and sudo service stacks.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%setup -q -a 4
|
||||
%patch0 -p1 -b .redhat
|
||||
%patch2 -p1 -b .skip-initial
|
||||
%patch3 -p1 -b .krb5-config
|
||||
%patch4 -p1 -b .vendor
|
||||
%patch5 -p1 -b .engine
|
||||
|
||||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
%patch10 -p1 -b .psaa-build
|
||||
# Remove duplicate headers
|
||||
rm -f $(cat %{SOURCE5})
|
||||
popd
|
||||
%endif
|
||||
|
||||
%if %{WITH_SELINUX}
|
||||
#SELinux
|
||||
@ -229,9 +265,11 @@ an X11 passphrase dialog for OpenSSH.
|
||||
%patch55 -p1 -b .cloexec
|
||||
%patch62 -p1 -b .manpage
|
||||
%patch65 -p1 -b .fips
|
||||
%patch68 -p1 -b .pathmax
|
||||
%patch69 -p1 -b .selabel
|
||||
%patch71 -p1 -b .edns
|
||||
%patch72 -p1 -b .pka
|
||||
%patch73 -p1 -b .gsskex
|
||||
%patch74 -p1 -b .randclean
|
||||
|
||||
autoreconf
|
||||
|
||||
@ -242,11 +280,12 @@ CFLAGS="$CFLAGS -Os"
|
||||
%endif
|
||||
%if %{pie}
|
||||
%ifarch s390 s390x sparc sparcv9 sparc64
|
||||
CFLAGS="$CFLAGS -fPIE"
|
||||
CFLAGS="$CFLAGS -fPIC"
|
||||
%else
|
||||
CFLAGS="$CFLAGS -fpie"
|
||||
CFLAGS="$CFLAGS -fpic"
|
||||
%endif
|
||||
export CFLAGS
|
||||
SAVE_LDFLAGS="$LDFLAGS"
|
||||
LDFLAGS="$LDFLAGS -pie"; export LDFLAGS
|
||||
%endif
|
||||
%if %{kerberos5}
|
||||
@ -326,6 +365,14 @@ fi
|
||||
popd
|
||||
%endif
|
||||
|
||||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
LDFLAGS="$SAVE_LDFLAGS"
|
||||
%configure --with-selinux --libexecdir=/%{_lib}/security
|
||||
make
|
||||
popd
|
||||
%endif
|
||||
|
||||
# Add generation of HMAC checksums of the final stripped binaries
|
||||
%define __spec_install_post \
|
||||
%{?__debug_package:%{__debug_install_post}} \
|
||||
@ -375,6 +422,12 @@ rm -f README.nss.nss-keys
|
||||
%if ! %{nss}
|
||||
rm -f README.nss
|
||||
%endif
|
||||
|
||||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
make install DESTDIR=$RPM_BUILD_ROOT
|
||||
popd
|
||||
%endif
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
@ -465,7 +518,70 @@ fi
|
||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
|
||||
%endif
|
||||
|
||||
%if %{pam_ssh_agent}
|
||||
%files -n pam_ssh_agent_auth
|
||||
%defattr(-,root,root)
|
||||
%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/GPL_LICENSE
|
||||
%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
|
||||
%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/LICENSE.OpenSSL
|
||||
%attr(0755,root,root) /%{_lib}/security/pam_ssh_agent_auth.so
|
||||
%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 10 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-19
|
||||
- Allow to use hardware crypto if awailable (#559555)
|
||||
|
||||
* Thu Jan 28 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-18
|
||||
- optimized FD_CLOEXEC on accept socket (#541809)
|
||||
|
||||
* Thu Jan 21 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-17
|
||||
- optimized RAND_cleanup patch (#557166)
|
||||
|
||||
* Wed Jan 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-16
|
||||
- add RAND_cleanup at the exit of each program using RAND (#557166)
|
||||
|
||||
* Tue Jan 19 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-15
|
||||
- set FD_CLOEXEC on accepted socket (#541809)
|
||||
|
||||
* Tue Jan 5 2010 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-14
|
||||
- Update the pka patch
|
||||
|
||||
* Mon Dec 21 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-13
|
||||
- Update the audit patch
|
||||
- Add possibility to autocreate only RSA key into initscript (#533339)
|
||||
- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
|
||||
|
||||
* Mon Nov 30 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-11
|
||||
- Update NSS key patch including future SEC_ERROR_LOCKED_PASSWORD (#537411, #356451)
|
||||
|
||||
* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-9
|
||||
- Add gssapi key exchange patch (#455351)
|
||||
|
||||
* Fri Nov 20 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-8
|
||||
- Add public key agent patch (#455350)
|
||||
|
||||
* Mon Nov 2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-7
|
||||
- Repair canohost patch to allow gssapi to work when host is acessed via pipe proxy (#531849)
|
||||
|
||||
* Thu Oct 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-6
|
||||
- Modify the init script to prevent it to hang during generating the keys (#515145)
|
||||
|
||||
* Tue Oct 27 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-5
|
||||
- Add README.nss
|
||||
|
||||
* Mon Oct 19 2009 Tomas Mraz <tmraz@redhat.com> - 5.3p1-4
|
||||
- Add pam_ssh_agent_auth module to a subpackage.
|
||||
|
||||
* Fri Oct 16 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-3
|
||||
- Reenable audit.
|
||||
|
||||
* Fri Oct 2 2009 Jan F. Chadima <jchadima@redhat.com> - 5.3p1-2
|
||||
- Upgrade to new wersion 5.3p1
|
||||
|
||||
* Tue Sep 29 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-29
|
||||
- Resolve locking in ssh-add (#491312)
|
||||
|
||||
* Thu Sep 24 2009 Jan F. Chadima <jchadima@redhat.com> - 5.2p1-28
|
||||
- Repair initscript to be acord to guidelines (#521860)
|
||||
- Add bugzilla# to application of edns and xmodifiers patch
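Review bot: `SAVE_LDFLAGS="$LDFLAGS"` is assigned only inside the `%if %{pie}` block, but the pam_ssh_agent_auth build step later runs `LDFLAGS="$SAVE_LDFLAGS"` whenever `%{pam_ssh_agent}` is set. With `pie` disabled the variable is never set, so the module would be configured with an empty `LDFLAGS` and could lose linker flags supplied by the build environment, hardening flags included if they are passed that way. Moving the save above the conditional, i.e. `SAVE_LDFLAGS="$LDFLAGS"` before `%if %{pie}`, keeps both configurations consistent. The page does not mark which of the duplicated lines are old and which are new, so this assumes both lines are on the new side.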
|
||||
|
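--- /dev/null
+++ b/pam_ssh_agent-rmheaders
@@ -0,0 +1,20 @@
+atomicio.h
+authfd.h
+buffer.h
+cipher.h
+compat.h
+defines.h
+entropy.h
+includes.h
+kex.h
+key.h
+log.h
+match.h
+misc.h
+pathnames.h
+platform.h
+rsa.h
+ssh.h
+ssh2.h
+uuencode.h
+xmalloc.h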
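--- /dev/null
+++ b/pam_ssh_agent_auth-0.9-build.patch
@@ -0,0 +1,190 @@
+diff -up pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c
+--- pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c.psaa-build 2009-08-08 11:51:04.000000000 +0200
++++ pam_ssh_agent_auth-0.9/iterate_ssh_agent_keys.c 2009-10-16 15:20:55.000000000 +0200
+@@ -41,7 +41,16 @@
+#include "buffer.h"
+#include "key.h"
+#include "authfd.h"
++#include "ssh.h"
+#include <stdio.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/socket.h>
++#include <sys/un.h>
++#include <unistd.h>
++#include <stdlib.h>
++#include <errno.h>
++#include <fcntl.h>
+#include <openssl/evp.h>
+
+#include "userauth_pubkey_from_id.h"
+@@ -73,6 +82,96 @@ session_id2_gen()
+return cookie;
+}
+
++/*
++ * Added by Jamie Beverly, ensure socket fd points to a socket owned by the user
++ * A cursory check is done, but to avoid race conditions, it is necessary
++ * to drop effective UID when connecting to the socket.
++ *
++ * If the cause of error is EACCES, because we verified we would not have that
++ * problem initially, we can safely assume that somebody is attempting to find a
++ * race condition; so a more "direct" log message is generated.
++ */
++
++int
++ssh_get_authentication_socket_for_uid(uid_t uid)
++{
++ const char *authsocket;
++ int sock;
++ struct sockaddr_un sunaddr;
++ struct stat sock_st;
++
++ authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
++ if (!authsocket)
++ return -1;
++
++ /* Advisory only; seteuid ensures no race condition; but will only log if we see EACCES */
++ if( stat(authsocket,&sock_st) == 0) {
++ if(uid != 0 && sock_st.st_uid != uid) {
++ fatal("uid %lu attempted to open an agent socket owned by uid %lu", (unsigned long) uid, (unsigned long) sock_st.st_uid);
++ return -1;
++ }
++ }
++
++ /*
++ * Ensures that the EACCES tested for below can _only_ happen if somebody
++ * is attempting to race the stat above to bypass authentication.
++ */
++ if( (sock_st.st_mode & S_IWUSR) != S_IWUSR || (sock_st.st_mode & S_IRUSR) != S_IRUSR) {
++ error("ssh-agent socket has incorrect permissions for owner");
++ return -1;
++ }
++
++ sunaddr.sun_family = AF_UNIX;
++ strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
++
++ sock = socket(AF_UNIX, SOCK_STREAM, 0);
++ if (sock < 0)
++ return -1;
++
++ /* close on exec */
++ if (fcntl(sock, F_SETFD, 1) == -1) {
++ close(sock);
++ return -1;
++ }
++
++ errno = 0;
++ seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
++ above, we will temporarily drop UID to the caller */
++ if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
++ close(sock);
++ if(errno == EACCES)
++ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
++ return -1;
++ }
++
++ seteuid(0); /* we now continue the regularly scheduled programming */
++
++ return sock;
++}
++
++AuthenticationConnection *
++ssh_get_authentication_connection_for_uid(uid_t uid)
++{
++ AuthenticationConnection *auth;
++ int sock;
++
++ sock = ssh_get_authentication_socket_for_uid(uid);
++
++ /*
++ * Fail if we couldn't obtain a connection. This happens if we
++ * exited due to a timeout.
++ */
++ if (sock < 0)
++ return NULL;
++
++ auth = xmalloc(sizeof(*auth));
++ auth->fd = sock;
++ buffer_init(&auth->identities);
++ auth->howmany = 0;
++
++ return auth;
++}
++
+int
+find_authorized_keys(uid_t uid)
+{
+@@ -85,7 +184,7 @@ find_authorized_keys(uid_t uid)
+OpenSSL_add_all_digests();
+session_id2 = session_id2_gen();
+
+- if ((ac = ssh_get_authentication_connection(uid))) {
++ if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
+verbose("Contacted ssh-agent of user %s (%u)", getpwuid(uid)->pw_name, uid);
+for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
+{
+@@ -113,3 +212,4 @@ find_authorized_keys(uid_t uid)
+EVP_cleanup();
+return retval;
+}
++
+diff -up pam_ssh_agent_auth-0.9/Makefile.in.psaa-build pam_ssh_agent_auth-0.9/Makefile.in
+--- pam_ssh_agent_auth-0.9/Makefile.in.psaa-build 2009-08-06 07:40:16.000000000 +0200
++++ pam_ssh_agent_auth-0.9/Makefile.in 2009-10-16 15:20:55.000000000 +0200
+@@ -28,7 +28,7 @@ PATHS=
+CC=@CC@
+LD=@LD@
+CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I.. -I$(srcdir) -I/usr/include/nss3 -I/usr/include/nspr4 @CPPFLAGS@ $(PATHS) @DEFS@
+LIBS=@LIBS@
+AR=@AR@
+AWK=@AWK@
+@@ -37,7 +37,7 @@ INSTALL=@INSTALL@
+PERL=@PERL@
+SED=@SED@
+ENT=@ENT@
+-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
++LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
+LDFLAGS_SHARED = @LDFLAGS_SHARED@
+EXEEXT=@EXEEXT@
+
+@@ -48,7 +48,7 @@ PAM_MODULES=pam_ssh_agent_auth.so
+
+SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o
+
+-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o
++PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o secure_filename.o
+
+
+MANPAGES_IN = pam_ssh_agent_auth.pod
+@@ -67,13 +67,13 @@ $(PAM_MODULES): Makefile.in config.h
+.c.o:
+$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+
+-LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
++LIBCOMPAT=../openbsd-compat/libopenbsd-compat.a
+$(LIBCOMPAT): always
+(cd openbsd-compat && $(MAKE))
+always:
+
+-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
+- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat $(LIBS) -lpam pam_ssh_agent_auth.o
++pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
++ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -lpam -lnss3 pam_ssh_agent_auth.o
+
+$(MANPAGES): $(MANPAGES_IN)
+pod2man --section=8 --release=v0.8 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
+diff -up pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c
+--- pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c.psaa-build 2009-07-29 02:46:38.000000000 +0200
++++ pam_ssh_agent_auth-0.9/pam_user_authorized_keys.c 2009-10-16 15:50:36.000000000 +0200
+@@ -94,7 +94,7 @@ parse_authorized_key_file(const char *us
+/*
+* temporary copy, so that both tilde expansion and percent expansion both get to apply to the path
+*/
+- strncat(auth_keys_file_buf, authorized_keys_file_input, 4096);
++ strncat(auth_keys_file_buf, authorized_keys_file_input, sizeof(auth_keys_file_buf)-1);
+
+if(allow_user_owned_authorized_keys_file)
+authorized_keys_file_allowed_owner_uid = getpwnam(user)->pw_uid;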
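Review bot: In `ssh_get_authentication_socket_for_uid()` (iterate_ssh_agent_keys.c hunk) the owner-permission test reads `sock_st.st_mode` even when `stat()` failed, so it runs on an uninitialised struct and the ownership comparison is skipped altogether. Neither `seteuid()` call is checked: if `seteuid(uid)` fails, `connect()` runs with the module's own privileges, which removes the protection the comment relies on. The `connect()` failure path also returns without restoring the effective UID, and it tests `errno` after `close()` may have changed it. The sketch below fails closed on `stat()`, checks both `seteuid()` calls and restores the saved euid rather than a hard-coded 0. Separately, in the pam_user_authorized_keys.c hunk the `strncat()` bound should be the space remaining, `sizeof(auth_keys_file_buf) - strlen(auth_keys_file_buf) - 1`, assuming the buffer is an array that may already hold text; that function's body lies outside the hunk.

```c
int
ssh_get_authentication_socket_for_uid(uid_t uid)
{
	/* ... unchanged: declarations, SSH_AUTHSOCKET_ENV_NAME lookup ... */
	uid_t saved_euid = geteuid();
	int saved_errno;

	/* Fail closed: without a stat result neither check below means anything. */
	if (stat(authsocket, &sock_st) != 0) {
		error("cannot stat ssh-agent socket");
		return -1;
	}
	if (uid != 0 && sock_st.st_uid != uid)
		fatal("uid %lu attempted to open an agent socket owned by uid %lu",
		    (unsigned long) uid, (unsigned long) sock_st.st_uid);

	/* ... unchanged: owner permission test, sockaddr setup, socket(), close-on-exec ... */

	/* connect() must not run with the module's own privileges */
	if (seteuid(uid) != 0) {
		close(sock);
		return -1;
	}
	if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
		saved_errno = errno;	/* close() and seteuid() may change errno */
		close(sock);
		if (seteuid(saved_euid) != 0)
			fatal("could not restore effective uid");
		if (saved_errno == EACCES)
			/* ... unchanged: fatal() call with the existing warning text ... */
		return -1;
	}
	if (seteuid(saved_euid) != 0)
		fatal("could not restore effective uid");

	return sock;
}
```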
3
sources
3
sources
@ -1 +1,2 @@
|
||||
41c61b5e2c2cddfd53897582b114ffe1 openssh-5.2p1-noacss.tar.bz2
|
||||
89f85c1da83c24ca0b10c05344f7c93c openssh-5.3p1-noacss.tar.bz2
|
||||
1868cb825393678489b1d48c97819f76 pam_ssh_agent_auth-0.9.tar.bz2
|
||||
|
15
sshd.init
15
sshd.init
@ -49,7 +49,8 @@ runlevel=$(set -- $(runlevel); eval "echo \$$#" )
|
||||
do_rsa1_keygen() {
|
||||
if [ ! -s $RSA1_KEY ]; then
|
||||
echo -n $"Generating SSH1 RSA host key: "
|
||||
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
||||
rm -f $RSA1_KEY
|
||||
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $RSA1_KEY
|
||||
chmod 644 $RSA1_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
@ -68,7 +69,8 @@ do_rsa1_keygen() {
|
||||
do_rsa_keygen() {
|
||||
if [ ! -s $RSA_KEY ]; then
|
||||
echo -n $"Generating SSH2 RSA host key: "
|
||||
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
||||
rm -f $RSA_KEY
|
||||
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $RSA_KEY
|
||||
chmod 644 $RSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
@ -87,7 +89,8 @@ do_rsa_keygen() {
|
||||
do_dsa_keygen() {
|
||||
if [ ! -s $DSA_KEY ]; then
|
||||
echo -n $"Generating SSH2 DSA host key: "
|
||||
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
||||
rm -f $DSA_KEY
|
||||
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chmod 600 $DSA_KEY
|
||||
chmod 644 $DSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
@ -119,9 +122,11 @@ start()
|
||||
[ -f /etc/ssh/sshd_config ] || exit 6
|
||||
# Create keys if necessary
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
|
||||
do_rsa1_keygen
|
||||
do_rsa_keygen
|
||||
do_dsa_keygen
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
|
||||
do_rsa1_keygen
|
||||
do_dsa_keygen
|
||||
fi
|
||||
fi
|
||||
|
||||
echo -n $"Starting $prog: "
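Review bot: In `do_rsa1_keygen()`, `do_rsa_keygen()` and `do_dsa_keygen()` the key path is expanded unquoted in the `rm -f $RSA1_KEY` and `test ! -f $RSA1_KEY` lines (and their RSA/DSA equivalents), and nothing says why an existing file is deleted before generation. Quote the expansions, e.g. `rm -f "$RSA_KEY"` and `test ! -f "$RSA_KEY"`, and add a comment such as `# -s was false, so any file here is empty: remove it so ssh-keygen does not stop to ask about overwriting`. That reason is inferred from the surrounding `[ ! -s ... ]` guard and should be confirmed against the bug report. The function bodies continue outside the hunks, and the page does not mark which of the duplicated `if` lines is old and which is new.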
|
||||
|