Author | SHA1 | Date |
---|---|---|
Petr Lautrbach | 1385c62c25 | |
Petr Lautrbach | adc15bb688 | |
Petr Lautrbach | 33f98c4937 | |
Petr Lautrbach | 43a679b047 | |
Petr Lautrbach | 86d8dd4628 | |
Petr Lautrbach | a09799e377 | |
Petr Lautrbach | 460af950e1 | |
Petr Lautrbach | 5442ee7f31 | |
Petr Lautrbach | 9c823ca43b | |
Petr Lautrbach | 466615c721 | |
Petr Lautrbach | 5c5980005f | |
Petr Lautrbach | 20d52ca62c | |
Petr Lautrbach | ffc52de0e8 |
|
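--- a/[patch file path not shown on page]
+++ b/[patch file path not shown on page]
@@ -1,24 +0,0 @@
-diff -up openssh-5.8p1/sshconnect2.c.canohost openssh-5.8p1/sshconnect2.c
---- openssh-5.8p1/sshconnect2.c.canohost 2011-02-14 15:15:15.000000000 +0100
-+++ openssh-5.8p1/sshconnect2.c 2011-02-14 15:21:45.000000000 +0100
-@@ -697,14 +697,17 @@ userauth_gssapi(Authctxt *authctxt)
-static u_int mech = 0;
-OM_uint32 min;
-int ok = 0;
-- const char *gss_host;
-+ const char *gss_host = NULL;
-
-if (options.gss_server_identity)
-gss_host = options.gss_server_identity;
-else if (options.gss_trust_dns)
-gss_host = get_canonical_hostname(1);
-- else
-- gss_host = authctxt->host;
-+ else {
-+ gss_host = get_canonical_hostname(1);
-+ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
-+ gss_host = authctxt->host;
-+ }
-
-/* Try one GSSAPI method at a time, rather than sending them all at
-* once. */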
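--- a/[patch file path not shown on page]
+++ b/[patch file path not shown on page]
@@ -0,0 +1,42 @@
+diff -up openssh-5.9p1/servconf.c.max-startups openssh-5.9p1/servconf.c
+--- openssh-5.9p1/servconf.c.max-startups 2013-02-08 15:59:09.785709477 +0100
++++ openssh-5.9p1/servconf.c 2013-02-08 15:59:09.792709448 +0100
+@@ -265,11 +265,11 @@ fill_default_server_options(ServerOption
+if (options->gateway_ports == -1)
+options->gateway_ports = 0;
+if (options->max_startups == -1)
+- options->max_startups = 10;
++ options->max_startups = 100;
+if (options->max_startups_rate == -1)
+- options->max_startups_rate = 100; /* 100% */
++ options->max_startups_rate = 30; /* 30% */
+if (options->max_startups_begin == -1)
+- options->max_startups_begin = options->max_startups;
++ options->max_startups_begin = 10;
+if (options->max_authtries == -1)
+options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+if (options->max_sessions == -1)
+diff -up openssh-5.9p1/sshd_config.5.max-startups openssh-5.9p1/sshd_config.5
+--- openssh-5.9p1/sshd_config.5.max-startups 2013-02-08 15:59:09.786709473 +0100
++++ openssh-5.9p1/sshd_config.5 2013-02-08 15:59:09.793709444 +0100
+@@ -796,7 +796,7 @@ SSH daemon.
+Additional connections will be dropped until authentication succeeds or the
+.Cm LoginGraceTime
+expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+.Pp
+Alternatively, random early drop can be enabled by specifying
+the three colon separated values
+diff -up openssh-5.9p1/sshd_config.max-startups openssh-5.9p1/sshd_config
+--- openssh-5.9p1/sshd_config.max-startups 2013-02-08 15:59:09.000000000 +0100
++++ openssh-5.9p1/sshd_config 2013-02-08 16:00:03.784485797 +0100
+@@ -120,7 +120,7 @@ X11Forwarding yes
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+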
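Review bot: The sshd_config.5 hunk records the new default as `The default is 10:30:100.` but leaves the sentence before it describing only the single-value behaviour, so the man page never states that random early drop is now on by default; that is exactly what the servconf.c hunk does, since it sets `options->max_startups_begin = 10;` independently of `max_startups` instead of deriving it from it as before. Suggest `The default is 10:30:100, i.e. random early drop (see below) is enabled by default.` so an administrator reading only the MaxStartups entry learns that unauthenticated connections may be refused before the hard limit of 100 is reached. A one-line comment beside `options->max_startups_begin = 10;` naming the same fact would help the next reader of fill_default_server_options, whose body continues outside the hunk.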
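--- a/[patch file path not shown on page]
+++ b/[patch file path not shown on page]
@@ -0,0 +1,21 @@
+diff -up openssh-5.9p1/sshconnect2.c.canohost openssh-5.9p1/sshconnect2.c
+--- openssh-5.9p1/sshconnect2.c.canohost 2012-10-31 16:42:37.598288999 +0100
++++ openssh-5.9p1/sshconnect2.c 2012-10-31 16:47:40.963288964 +0100
+@@ -699,12 +699,15 @@ userauth_gssapi(Authctxt *authctxt)
+static u_int mech = 0;
+OM_uint32 min;
+int ok = 0;
+- const char *gss_host;
++ const char *gss_host = NULL;
+
+if (options.gss_server_identity)
+gss_host = options.gss_server_identity;
+- else if (options.gss_trust_dns)
++ else if (options.gss_trust_dns) {
+gss_host = get_canonical_hostname(1);
++ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
++ gss_host = authctxt->host;
++ }
+else
+gss_host = authctxt->host;
+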
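Review bot: The new `if ( strcmp( gss_host, "UNKNOWN" ) == 0 )` compares against a bare literal with nothing saying where that sentinel comes from, so the next reader cannot tell a real hostname check from a canohost.c convention; add `/* canohost returns "UNKNOWN" when the peer name cannot be determined; fall back to the user-supplied host */` above it, with the wording confirmed against canohost.c, which is not on this page. The fallback to `authctxt->host` is the same value the `else` branch already uses, so with GSSAPITrustDNS the target name degrades to the non-TrustDNS behaviour rather than to a literal "UNKNOWN", which is the right direction. Style: the spaces inside the parentheses and after `strcmp(` do not match the surrounding OpenSSH code; `if (strcmp(gss_host, "UNKNOWN") == 0)` does. userauth_gssapi continues outside the hunk.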
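--- a/[patch file path not shown on page]
+++ b/[patch file path not shown on page]
@@ -0,0 +1,12 @@
+diff -up openssh-5.9p1/packet.c.ipqos openssh-5.9p1/packet.c
+--- openssh-5.9p1/packet.c.ipqos 2012-11-26 16:15:50.664604385 +0100
++++ openssh-5.9p1/packet.c 2012-11-26 16:15:50.793603960 +0100
+@@ -435,8 +435,6 @@ packet_connection_af(void)
+if (getsockname(active_state->connection_out, (struct sockaddr *)&to,
+&tolen) < 0)
+return 0;
+- if (to.ss_family == AF_INET)
+- return 1;
+#ifdef IPV4_IN_IPV6
+if (to.ss_family == AF_INET6 &&
+IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))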
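Review bot: Removing the `return 1` short-cut for plain AF_INET leaves the `#ifdef IPV4_IN_IPV6` branch kept as context untouched, and that branch's own return statement is outside the hunk; if, as in the unpatched 5.9p1 source, it also returns `1`, a v4-mapped IPv6 connection still does not report AF_INET, so whatever caller switches on the family (the IPQoS setup, judging by the patch name) is fixed only for native IPv4 sockets. Suggest changing that line to `return AF_INET;` with `/* v4-mapped: report AF_INET so family-based callers take the IPv4 path */`, plus a one-line comment on the final fall-through noting that `to.ss_family` is returned unchanged for everything else. packet_connection_af's body continues outside the hunk.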
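--- a/[patch file path not shown on page]
+++ b/[patch file path not shown on page]
@@ -0,0 +1,24 @@
+diff -up openssh-6.1p1/moduli.0.man-moduli openssh-6.1p1/moduli.0
+--- openssh-6.1p1/moduli.0.man-moduli 2012-11-06 09:42:13.677062887 +0100
++++ openssh-6.1p1/moduli.0 2012-11-06 09:42:58.693543381 +0100
+@@ -25,7 +25,7 @@ DESCRIPTION
+
+0 Unknown, not tested.
+2 "Safe" prime; (p-1)/2 is also prime.
+- 4 Sophie Germain; (p+1)*2 is also prime.
++ 4 Sophie Germain; (p*2)+1 is also prime.
+
+Moduli candidates initially produced by ssh-keygen(1)
+are Sophie Germain primes (type 4). Further primality
+diff -up openssh-6.1p1/moduli.5.man-moduli openssh-6.1p1/moduli.5
+--- openssh-6.1p1/moduli.5.man-moduli 2012-11-06 09:42:17.730035388 +0100
++++ openssh-6.1p1/moduli.5 2012-11-06 09:43:31.403180375 +0100
+@@ -61,7 +61,7 @@ Unknown, not tested.
+.It 2
+"Safe" prime; (p-1)/2 is also prime.
+.It 4
+-Sophie Germain; (p+1)*2 is also prime.
++Sophie Germain; (p*2)+1 is also prime.
+.El
+.Pp
+Moduli candidates initially produced by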
@ -1,128 +1,6 @@
|
||||||
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
|
|
||||||
--- openssh-5.9p1/auth.c.required-authentication 2012-07-27 12:21:41.181601972 +0200
|
|
||||||
+++ openssh-5.9p1/auth.c 2012-07-27 12:21:41.203602020 +0200
|
|
||||||
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
|
|
||||||
}
|
|
||||||
|
|
||||||
void
|
|
||||||
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
|
||||||
+auth_log(Authctxt *authctxt, int authenticated, const char *method,
|
|
||||||
+ const char *submethod, const char *info)
|
|
||||||
{
|
|
||||||
void (*authlog) (const char *fmt,...) = verbose;
|
|
||||||
char *authmsg;
|
|
||||||
@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
|
|
||||||
else
|
|
||||||
authmsg = authenticated ? "Accepted" : "Failed";
|
|
||||||
|
|
||||||
- authlog("%s %s for %s%.100s from %.200s port %d%s",
|
|
||||||
+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
|
|
||||||
authmsg,
|
|
||||||
method,
|
|
||||||
+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
|
|
||||||
authctxt->valid ? "" : "invalid user ",
|
|
||||||
authctxt->user,
|
|
||||||
get_remote_ipaddr(),
|
|
||||||
@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
|
|
||||||
* Check whether root logins are disallowed.
|
|
||||||
*/
|
|
||||||
int
|
|
||||||
-auth_root_allowed(char *method)
|
|
||||||
+auth_root_allowed(const char *method)
|
|
||||||
{
|
|
||||||
switch (options.permit_root_login) {
|
|
||||||
case PERMIT_YES:
|
|
||||||
@@ -694,3 +696,57 @@ fakepw(void)
|
|
||||||
|
|
||||||
return (&fake);
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+int
|
|
||||||
+auth_method_in_list(const char *list, const char *method)
|
|
||||||
+{
|
|
||||||
+ char *cp;
|
|
||||||
+
|
|
||||||
+ cp = match_list(method, list, NULL);
|
|
||||||
+ if (cp != NULL) {
|
|
||||||
+ xfree(cp);
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define DELIM ","
|
|
||||||
+int
|
|
||||||
+auth_remove_from_list(char **list, const char *method)
|
|
||||||
+{
|
|
||||||
+ char *oldlist, *cp, *newlist = NULL;
|
|
||||||
+ u_int len = 0, ret = 0;
|
|
||||||
+
|
|
||||||
+ if (list == NULL || *list == NULL)
|
|
||||||
+ return (0);
|
|
||||||
+
|
|
||||||
+ oldlist = *list;
|
|
||||||
+ len = strlen(oldlist) + 1;
|
|
||||||
+ newlist = xmalloc(len);
|
|
||||||
+ memset(newlist, '\0', len);
|
|
||||||
+
|
|
||||||
+ /* Remove method from list, if present */
|
|
||||||
+ for (;;) {
|
|
||||||
+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
|
|
||||||
+ break;
|
|
||||||
+ if (*cp == '\0')
|
|
||||||
+ continue;
|
|
||||||
+ if (strcmp(cp, method) != 0) {
|
|
||||||
+ if (*newlist != '\0')
|
|
||||||
+ strlcat(newlist, DELIM, len);
|
|
||||||
+ strlcat(newlist, cp, len);
|
|
||||||
+ } else
|
|
||||||
+ ret++;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Return NULL instead of empty list */
|
|
||||||
+ if (*newlist == '\0') {
|
|
||||||
+ xfree(newlist);
|
|
||||||
+ newlist = NULL;
|
|
||||||
+ }
|
|
||||||
+ xfree(*list);
|
|
||||||
+ *list = newlist;
|
|
||||||
+
|
|
||||||
+ return (ret);
|
|
||||||
+}
|
|
||||||
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
|
|
||||||
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
|
|
||||||
+++ openssh-5.9p1/auth.h 2012-07-27 12:21:41.204602022 +0200
|
|
||||||
@@ -142,10 +142,11 @@ void disable_forwarding(void);
|
|
||||||
void do_authentication(Authctxt *);
|
|
||||||
void do_authentication2(Authctxt *);
|
|
||||||
|
|
||||||
-void auth_log(Authctxt *, int, char *, char *);
|
|
||||||
-void userauth_finish(Authctxt *, int, char *);
|
|
||||||
+void auth_log(Authctxt *, int, const char *, const char *, const char *);
|
|
||||||
+void userauth_finish(Authctxt *, int, const char *, const char *);
|
|
||||||
+int auth_root_allowed(const char *);
|
|
||||||
+
|
|
||||||
void userauth_send_banner(const char *);
|
|
||||||
-int auth_root_allowed(char *);
|
|
||||||
|
|
||||||
char *auth2_read_banner(void);
|
|
||||||
|
|
||||||
@@ -192,6 +193,11 @@ void auth_debug_send(void);
|
|
||||||
void auth_debug_reset(void);
|
|
||||||
|
|
||||||
struct passwd *fakepw(void);
|
|
||||||
+int auth_method_in_list(const char *, const char *);
|
|
||||||
+int auth_remove_from_list(char **, const char *);
|
|
||||||
+
|
|
||||||
+int auth1_check_required(const char *);
|
|
||||||
+int auth2_check_required(const char *);
|
|
||||||
|
|
||||||
int sys_auth_passwd(Authctxt *, const char *);
|
|
||||||
|
|
||||||
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
|
diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
|
||||||
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
|
--- openssh-5.9p1/auth1.c.required-authentication 2010-08-31 14:36:39.000000000 +0200
|
||||||
+++ openssh-5.9p1/auth1.c 2012-07-27 12:50:50.708706675 +0200
|
+++ openssh-5.9p1/auth1.c 2012-11-26 15:36:02.138986418 +0100
|
||||||
@@ -98,6 +98,55 @@ static const struct AuthMethod1
|
@@ -98,6 +98,55 @@ static const struct AuthMethod1
|
||||||
return (NULL);
|
return (NULL);
|
||||||
}
|
}
|
||||||
|
@ -281,9 +159,22 @@ diff -up openssh-5.9p1/auth1.c.required-authentication openssh-5.9p1/auth1.c
|
||||||
|
|
||||||
packet_start(SSH_SMSG_FAILURE);
|
packet_start(SSH_SMSG_FAILURE);
|
||||||
packet_send();
|
packet_send();
|
||||||
|
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
|
||||||
|
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
|
||||||
|
+++ openssh-5.9p1/auth2-chall.c 2012-11-26 15:36:02.138986418 +0100
|
||||||
|
@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
|
||||||
|
auth2_challenge_start(authctxt);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- userauth_finish(authctxt, authenticated, method);
|
||||||
|
+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
|
||||||
|
+ authctxt->kbdintctxt?kbdintctxt->device->name:NULL);
|
||||||
|
xfree(method);
|
||||||
|
}
|
||||||
|
|
||||||
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
|
diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
|
||||||
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
--- openssh-5.9p1/auth2.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
||||||
+++ openssh-5.9p1/auth2.c 2012-07-27 12:51:59.048241612 +0200
|
+++ openssh-5.9p1/auth2.c 2012-11-26 15:36:02.138986418 +0100
|
||||||
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
|
@@ -215,7 +215,7 @@ input_userauth_request(int type, u_int32
|
||||||
{
|
{
|
||||||
Authctxt *authctxt = ctxt;
|
Authctxt *authctxt = ctxt;
|
||||||
|
@ -454,7 +345,7 @@ diff -up openssh-5.9p1/auth2.c.required-authentication openssh-5.9p1/auth2.c
|
||||||
+
|
+
|
||||||
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
|
diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-gss.c
|
||||||
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
--- openssh-5.9p1/auth2-gss.c.required-authentication 2011-05-05 06:04:11.000000000 +0200
|
||||||
+++ openssh-5.9p1/auth2-gss.c 2012-07-27 12:21:41.206602026 +0200
|
+++ openssh-5.9p1/auth2-gss.c 2012-11-26 15:36:02.138986418 +0100
|
||||||
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
|
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t p
|
||||||
}
|
}
|
||||||
authctxt->postponed = 0;
|
authctxt->postponed = 0;
|
||||||
|
@ -482,22 +373,9 @@ diff -up openssh-5.9p1/auth2-gss.c.required-authentication openssh-5.9p1/auth2-g
|
||||||
}
|
}
|
||||||
|
|
||||||
Authmethod method_gssapi = {
|
Authmethod method_gssapi = {
|
||||||
diff -up openssh-5.9p1/auth2-chall.c.required-authentication openssh-5.9p1/auth2-chall.c
|
|
||||||
--- openssh-5.9p1/auth2-chall.c.required-authentication 2009-01-28 06:13:39.000000000 +0100
|
|
||||||
+++ openssh-5.9p1/auth2-chall.c 2012-07-27 12:21:41.206602026 +0200
|
|
||||||
@@ -341,7 +341,8 @@ input_userauth_info_response(int type, u
|
|
||||||
auth2_challenge_start(authctxt);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- userauth_finish(authctxt, authenticated, method);
|
|
||||||
+ userauth_finish(authctxt, authenticated, "keyboard-interactive",
|
|
||||||
+ authctxt->kbdintctxt?kbdintctxt->device->name:NULL);
|
|
||||||
xfree(method);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
|
diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-none.c
|
||||||
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
|
--- openssh-5.9p1/auth2-none.c.required-authentication 2010-06-26 02:01:33.000000000 +0200
|
||||||
+++ openssh-5.9p1/auth2-none.c 2012-07-27 12:21:41.207602028 +0200
|
+++ openssh-5.9p1/auth2-none.c 2012-11-26 15:36:02.139986402 +0100
|
||||||
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
|
@@ -61,7 +61,7 @@ userauth_none(Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
none_enabled = 0;
|
none_enabled = 0;
|
||||||
|
@ -507,9 +385,131 @@ diff -up openssh-5.9p1/auth2-none.c.required-authentication openssh-5.9p1/auth2-
|
||||||
return (PRIVSEP(auth_password(authctxt, "")));
|
return (PRIVSEP(auth_password(authctxt, "")));
|
||||||
return (0);
|
return (0);
|
||||||
}
|
}
|
||||||
|
diff -up openssh-5.9p1/auth.c.required-authentication openssh-5.9p1/auth.c
|
||||||
|
--- openssh-5.9p1/auth.c.required-authentication 2012-11-26 15:27:28.134216999 +0100
|
||||||
|
+++ openssh-5.9p1/auth.c 2012-11-26 15:36:02.137986437 +0100
|
||||||
|
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
|
||||||
|
+auth_log(Authctxt *authctxt, int authenticated, const char *method,
|
||||||
|
+ const char *submethod, const char *info)
|
||||||
|
{
|
||||||
|
void (*authlog) (const char *fmt,...) = verbose;
|
||||||
|
char *authmsg;
|
||||||
|
@@ -271,9 +272,10 @@ auth_log(Authctxt *authctxt, int authent
|
||||||
|
else
|
||||||
|
authmsg = authenticated ? "Accepted" : "Failed";
|
||||||
|
|
||||||
|
- authlog("%s %s for %s%.100s from %.200s port %d%s",
|
||||||
|
+ authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
|
||||||
|
authmsg,
|
||||||
|
method,
|
||||||
|
+ submethod == NULL ? "" : "/", submethod == NULL ? "" : submethod,
|
||||||
|
authctxt->valid ? "" : "invalid user ",
|
||||||
|
authctxt->user,
|
||||||
|
get_remote_ipaddr(),
|
||||||
|
@@ -303,7 +305,7 @@ auth_log(Authctxt *authctxt, int authent
|
||||||
|
* Check whether root logins are disallowed.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
-auth_root_allowed(char *method)
|
||||||
|
+auth_root_allowed(const char *method)
|
||||||
|
{
|
||||||
|
switch (options.permit_root_login) {
|
||||||
|
case PERMIT_YES:
|
||||||
|
@@ -694,3 +696,57 @@ fakepw(void)
|
||||||
|
|
||||||
|
return (&fake);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+auth_method_in_list(const char *list, const char *method)
|
||||||
|
+{
|
||||||
|
+ char *cp;
|
||||||
|
+
|
||||||
|
+ cp = match_list(method, list, NULL);
|
||||||
|
+ if (cp != NULL) {
|
||||||
|
+ xfree(cp);
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define DELIM ","
|
||||||
|
+int
|
||||||
|
+auth_remove_from_list(char **list, const char *method)
|
||||||
|
+{
|
||||||
|
+ char *oldlist, *cp, *newlist = NULL;
|
||||||
|
+ u_int len = 0, ret = 0;
|
||||||
|
+
|
||||||
|
+ if (list == NULL || *list == NULL)
|
||||||
|
+ return (0);
|
||||||
|
+
|
||||||
|
+ oldlist = *list;
|
||||||
|
+ len = strlen(oldlist) + 1;
|
||||||
|
+ newlist = xmalloc(len);
|
||||||
|
+ memset(newlist, '\0', len);
|
||||||
|
+
|
||||||
|
+ /* Remove method from list, if present */
|
||||||
|
+ for (;;) {
|
||||||
|
+ if ((cp = strsep(&oldlist, DELIM)) == NULL)
|
||||||
|
+ break;
|
||||||
|
+ if (*cp == '\0')
|
||||||
|
+ continue;
|
||||||
|
+ if (strcmp(cp, method) != 0) {
|
||||||
|
+ if (*newlist != '\0')
|
||||||
|
+ strlcat(newlist, DELIM, len);
|
||||||
|
+ strlcat(newlist, cp, len);
|
||||||
|
+ } else
|
||||||
|
+ ret++;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Return NULL instead of empty list */
|
||||||
|
+ if (*newlist == '\0') {
|
||||||
|
+ xfree(newlist);
|
||||||
|
+ newlist = NULL;
|
||||||
|
+ }
|
||||||
|
+ xfree(*list);
|
||||||
|
+ *list = newlist;
|
||||||
|
+
|
||||||
|
+ return (ret);
|
||||||
|
+}
|
||||||
|
diff -up openssh-5.9p1/auth.h.required-authentication openssh-5.9p1/auth.h
|
||||||
|
--- openssh-5.9p1/auth.h.required-authentication 2011-05-29 13:39:38.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/auth.h 2012-11-26 15:36:02.138986418 +0100
|
||||||
|
@@ -142,10 +142,11 @@ void disable_forwarding(void);
|
||||||
|
void do_authentication(Authctxt *);
|
||||||
|
void do_authentication2(Authctxt *);
|
||||||
|
|
||||||
|
-void auth_log(Authctxt *, int, char *, char *);
|
||||||
|
-void userauth_finish(Authctxt *, int, char *);
|
||||||
|
+void auth_log(Authctxt *, int, const char *, const char *, const char *);
|
||||||
|
+void userauth_finish(Authctxt *, int, const char *, const char *);
|
||||||
|
+int auth_root_allowed(const char *);
|
||||||
|
+
|
||||||
|
void userauth_send_banner(const char *);
|
||||||
|
-int auth_root_allowed(char *);
|
||||||
|
|
||||||
|
char *auth2_read_banner(void);
|
||||||
|
|
||||||
|
@@ -192,6 +193,11 @@ void auth_debug_send(void);
|
||||||
|
void auth_debug_reset(void);
|
||||||
|
|
||||||
|
struct passwd *fakepw(void);
|
||||||
|
+int auth_method_in_list(const char *, const char *);
|
||||||
|
+int auth_remove_from_list(char **, const char *);
|
||||||
|
+
|
||||||
|
+int auth1_check_required(const char *);
|
||||||
|
+int auth2_check_required(const char *);
|
||||||
|
|
||||||
|
int sys_auth_passwd(Authctxt *, const char *);
|
||||||
|
|
||||||
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||||
--- openssh-5.9p1/monitor.c.required-authentication 2012-07-27 12:21:41.161601930 +0200
|
--- openssh-5.9p1/monitor.c.required-authentication 2012-11-26 15:27:28.128217022 +0100
|
||||||
+++ openssh-5.9p1/monitor.c 2012-07-27 12:51:18.884927066 +0200
|
+++ openssh-5.9p1/monitor.c 2012-11-26 15:36:02.140986390 +0100
|
||||||
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
|
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
|
||||||
static char *hostbased_cuser = NULL;
|
static char *hostbased_cuser = NULL;
|
||||||
static char *hostbased_chost = NULL;
|
static char *hostbased_chost = NULL;
|
||||||
|
@ -708,8 +708,8 @@ diff -up openssh-5.9p1/monitor.c.required-authentication openssh-5.9p1/monitor.c
|
||||||
}
|
}
|
||||||
|
|
||||||
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
|
diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf.c
|
||||||
--- openssh-5.9p1/servconf.c.required-authentication 2012-07-27 12:21:41.167601942 +0200
|
--- openssh-5.9p1/servconf.c.required-authentication 2012-11-26 15:27:28.129217018 +0100
|
||||||
+++ openssh-5.9p1/servconf.c 2012-07-27 12:21:41.209602032 +0200
|
+++ openssh-5.9p1/servconf.c 2012-11-26 15:36:02.140986390 +0100
|
||||||
@@ -42,6 +42,8 @@
|
@@ -42,6 +42,8 @@
|
||||||
#include "key.h"
|
#include "key.h"
|
||||||
#include "kex.h"
|
#include "kex.h"
|
||||||
|
@ -745,56 +745,77 @@ diff -up openssh-5.9p1/servconf.c.required-authentication openssh-5.9p1/servconf
|
||||||
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
{ "ipqos", sIPQoS, SSHCFG_ALL },
|
||||||
{ NULL, sBadOption, 0 }
|
{ NULL, sBadOption, 0 }
|
||||||
};
|
};
|
||||||
@@ -1220,6 +1227,33 @@ process_server_config_line(ServerOptions
|
@@ -1220,6 +1227,37 @@ process_server_config_line(ServerOptions
|
||||||
options->max_startups = options->max_startups_begin;
|
options->max_startups = options->max_startups_begin;
|
||||||
break;
|
break;
|
||||||
|
|
||||||
+
|
+
|
||||||
+ case sRequiredAuthentications1:
|
+ case sRequiredAuthentications1:
|
||||||
+ charptr = &options->required_auth1;
|
+ if (*activep && options->required_auth1 == NULL) {
|
||||||
+ arg = strdelim(&cp);
|
+ charptr = &options->required_auth1;
|
||||||
+ if (!arg || *arg == '\0')
|
+ arg = strdelim(&cp);
|
||||||
+ fatal("%.200s line %d: Missing argument.",
|
+ if (!arg || *arg == '\0')
|
||||||
+ filename, linenum);
|
+ fatal("%.200s line %d: Missing argument.",
|
||||||
+ if (auth1_check_required(arg) != 0)
|
+ filename, linenum);
|
||||||
+ fatal("%.200s line %d: Invalid required authentication "
|
+ if (auth1_check_required(arg) != 0)
|
||||||
+ "list", filename, linenum);
|
+ fatal("%.200s line %d: Invalid required authentication "
|
||||||
+ if (*charptr == NULL)
|
+ "list", filename, linenum);
|
||||||
+ *charptr = xstrdup(arg);
|
+ if (*charptr == NULL)
|
||||||
+ break;
|
+ *charptr = xstrdup(arg);
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
+
|
+
|
||||||
+ case sRequiredAuthentications2:
|
+ case sRequiredAuthentications2:
|
||||||
+ charptr = &options->required_auth2;
|
+ if (*activep && options->required_auth2 == NULL) {
|
||||||
+ arg = strdelim(&cp);
|
+ charptr = &options->required_auth2;
|
||||||
+ if (!arg || *arg == '\0')
|
+ arg = strdelim(&cp);
|
||||||
+ fatal("%.200s line %d: Missing argument.",
|
+ if (!arg || *arg == '\0')
|
||||||
+ filename, linenum);
|
+ fatal("%.200s line %d: Missing argument.",
|
||||||
+ if (auth2_check_required(arg) != 0)
|
+ filename, linenum);
|
||||||
+ fatal("%.200s line %d: Invalid required authentication "
|
+ if (auth2_check_required(arg) != 0)
|
||||||
+ "list", filename, linenum);
|
+ fatal("%.200s line %d: Invalid required authentication "
|
||||||
+ if (*charptr == NULL)
|
+ "list", filename, linenum);
|
||||||
+ *charptr = xstrdup(arg);
|
+ if (*charptr == NULL)
|
||||||
+ break;
|
+ *charptr = xstrdup(arg);
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
+
|
+
|
||||||
case sMaxAuthTries:
|
case sMaxAuthTries:
|
||||||
intptr = &options->max_authtries;
|
intptr = &options->max_authtries;
|
||||||
goto parse_int;
|
goto parse_int;
|
||||||
|
@@ -1776,6 +1814,7 @@ dump_config(ServerOptions *o)
|
||||||
|
dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
|
||||||
|
dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
|
||||||
|
dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
|
||||||
|
+ dump_cfg_string(sRequiredAuthentications2, o->required_auth2);
|
||||||
|
|
||||||
|
/* other arguments */
|
||||||
|
for (i = 0; i < o->num_subsystems; i++)
|
||||||
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
|
diff -up openssh-5.9p1/servconf.h.required-authentication openssh-5.9p1/servconf.h
|
||||||
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
|
--- openssh-5.9p1/servconf.h.required-authentication 2011-06-23 00:30:03.000000000 +0200
|
||||||
+++ openssh-5.9p1/servconf.h 2012-07-27 12:21:41.210602035 +0200
|
+++ openssh-5.9p1/servconf.h 2012-11-26 15:40:11.694443938 +0100
|
||||||
@@ -154,6 +154,9 @@ typedef struct {
|
@@ -154,6 +154,9 @@ typedef struct {
|
||||||
u_int num_authkeys_files; /* Files containing public keys */
|
u_int num_authkeys_files; /* Files containing public keys */
|
||||||
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
char *authorized_keys_files[MAX_AUTHKEYS_FILES];
|
||||||
|
|
||||||
+ char *required_auth1; /* Required, but not sufficient */
|
+ char *required_auth1;
|
||||||
+ char *required_auth2;
|
+ char *required_auth2;
|
||||||
+
|
+
|
||||||
char *adm_forced_command;
|
char *adm_forced_command;
|
||||||
|
|
||||||
int use_pam; /* Enable auth via PAM */
|
int use_pam; /* Enable auth via PAM */
|
||||||
|
@@ -180,6 +183,8 @@ typedef struct {
|
||||||
|
M_CP_STROPT(revoked_keys_file); \
|
||||||
|
M_CP_STROPT(authorized_principals_file); \
|
||||||
|
M_CP_STRARRAYOPT(authorized_keys_files, num_authkeys_files); \
|
||||||
|
+ M_CP_STROPT(required_auth1); \
|
||||||
|
+ M_CP_STROPT(required_auth2); \
|
||||||
|
} while (0)
|
||||||
|
|
||||||
|
void initialize_server_options(ServerOptions *);
|
||||||
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
|
diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_config.5
|
||||||
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
|
--- openssh-5.9p1/sshd_config.5.required-authentication 2011-08-05 22:17:33.000000000 +0200
|
||||||
+++ openssh-5.9p1/sshd_config.5 2012-07-27 12:38:47.607222070 +0200
|
+++ openssh-5.9p1/sshd_config.5 2012-11-26 15:36:02.141986377 +0100
|
||||||
@@ -723,6 +723,8 @@ Available keywords are
|
@@ -723,6 +723,8 @@ Available keywords are
|
||||||
.Cm PermitOpen ,
|
.Cm PermitOpen ,
|
||||||
.Cm PermitRootLogin ,
|
.Cm PermitRootLogin ,
|
||||||
|
@ -804,25 +825,36 @@ diff -up openssh-5.9p1/sshd_config.5.required-authentication openssh-5.9p1/sshd_
|
||||||
.Cm PubkeyAuthentication ,
|
.Cm PubkeyAuthentication ,
|
||||||
.Cm RhostsRSAAuthentication ,
|
.Cm RhostsRSAAuthentication ,
|
||||||
.Cm RSAAuthentication ,
|
.Cm RSAAuthentication ,
|
||||||
@@ -920,6 +922,21 @@ Specifies a list of revoked public keys.
|
@@ -920,6 +922,32 @@ Specifies a list of revoked public keys.
|
||||||
Keys listed in this file will be refused for public key authentication.
|
Keys listed in this file will be refused for public key authentication.
|
||||||
Note that if this file is not readable, then public key authentication will
|
Note that if this file is not readable, then public key authentication will
|
||||||
be refused for all users.
|
be refused for all users.
|
||||||
+.It Cm RequiredAuthentications[12]
|
+.It Cm RequiredAuthentications[12]
|
||||||
+ Specifies required methods of authentications that has to succeed before authorizing the connection.
|
+Specifies required methods of authentications that has to succeed before
|
||||||
+ (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
|
+authorizing the connection. (RequiredAuthentication1 for Protocol version 1,
|
||||||
+
|
+and RequiredAuthentication2 for v2)
|
||||||
+ RequiredAuthentications1 method[,method...]
|
+.Pp
|
||||||
+ RequiredAuthentications2 method[,method...]
|
+.Bl -item -offset indent -compact
|
||||||
+
|
+.It
|
||||||
|
+RequiredAuthentications1 method[,method...]
|
||||||
|
+.It
|
||||||
|
+RequiredAuthentications2 method[,method...]
|
||||||
|
+.El
|
||||||
+.Pp
|
+.Pp
|
||||||
+Example 1:
|
+Example 1:
|
||||||
+
|
+.Bl -item -offset indent -compact
|
||||||
+ RequiredAuthentications2 password,hostbased
|
+RequiredAuthentications2 password,hostbased
|
||||||
+
|
+.El
|
||||||
+Example 2:
|
+Example 2:
|
||||||
+ RequiredAuthentications2 publickey,password
|
+.Bl -item -offset indent -compact
|
||||||
+
|
+RequiredAuthentications2 publickey,password
|
||||||
|
+.El
|
||||||
|
+.Pp
|
||||||
|
+Available methods:
|
||||||
|
+.Bl -item -offset indent -compact
|
||||||
|
+.It
|
||||||
|
+password, keyboard-interactive, publickey, hostbased, gssapi-keyex, gssapi-with-mic
|
||||||
|
+.El
|
||||||
.It Cm RhostsRSAAuthentication
|
.It Cm RhostsRSAAuthentication
|
||||||
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
Specifies whether rhosts or /etc/hosts.equiv authentication together
|
||||||
with successful RSA host authentication is allowed.
|
with successful RSA host authentication is allowed.
|
||||||
|
|
|
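Review bot: In the servconf.c hunk the two new `case sRequiredAuthentications[12]:` bodies wrap argument parsing and `auth[12]_check_required()` inside `if (*activep && options->required_auth[12] == NULL) { … } return 0;`, so a missing or malformed method list inside a Match block is neither consumed nor validated while the block is inactive; if this tree follows the usual servconf.c convention of re-parsing Match blocks once a connection is known, the `fatal()` then fires in the per-connection child instead of at startup or `sshd -t`, and the early `return 0` also bypasses whatever the function does after the switch (the trailing-garbage check, outside the hunk). The option should be parsed and validated unconditionally and only assigned under `*activep`, ending in `break` like the neighbouring cases, as below. The auth2-chall.c hunk reads `kbdintctxt->device->name` after auth2_challenge_start/stop have already run, so the submethod logged can be the next device's name or NULL rather than the device that just answered; `method` on the following line still holds the pre-transition name and could be used instead. process_server_config_line continues outside the hunk.
```c
	case sRequiredAuthentications1:
		charptr = &options->required_auth1;
		arg = strdelim(&cp);
		if (!arg || *arg == '\0')
			fatal("%.200s line %d: Missing argument.",
			    filename, linenum);
		if (auth1_check_required(arg) != 0)
			fatal("%.200s line %d: Invalid required authentication "
			    "list", filename, linenum);
		/* Parsed and validated unconditionally so that sshd -t and
		 * startup reject bad lists inside Match blocks; assigned only
		 * when the enclosing block is active and not yet set. */
		if (*activep && *charptr == NULL)
			*charptr = xstrdup(arg);
		break;
	/* … sRequiredAuthentications2: same shape with required_auth2 and auth2_check_required … */
```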
@ -1,14 +1,14 @@
|
||||||
diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.c
|
diff -up openssh-5.9p1/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p1/openbsd-compat/port-linux.c
|
||||||
--- openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot 2011-09-01 04:12:22.743024608 +0200
|
--- openssh-5.9p1/openbsd-compat/port-linux.c.sftp-chroot 2012-11-05 16:32:23.932502573 +0100
|
||||||
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-09-01 04:12:23.069088065 +0200
|
+++ openssh-5.9p1/openbsd-compat/port-linux.c 2012-11-05 16:34:28.383235006 +0100
|
||||||
@@ -503,6 +503,23 @@ ssh_selinux_change_context(const char *n
|
@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
|
||||||
xfree(newctx);
|
xfree(newctx);
|
||||||
}
|
}
|
||||||
|
|
||||||
+void
|
+void
|
||||||
+ssh_selinux_copy_context(void)
|
+ssh_selinux_copy_context(void)
|
||||||
+{
|
+{
|
||||||
+ char *ctx;
|
+ security_context_t *ctx;
|
||||||
+
|
+
|
||||||
+ if (!ssh_selinux_enabled())
|
+ if (!ssh_selinux_enabled())
|
||||||
+ return;
|
+ return;
|
||||||
|
@ -17,17 +17,19 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.sftp-chroot openssh-5.9p0/ope
|
||||||
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
|
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+ if (setcon(ctx) < 0)
|
+ if (ctx != NULL) {
|
||||||
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
|
+ if (setcon(ctx) < 0)
|
||||||
+ xfree(ctx);
|
+ logit("%s: setcon failed with %s", __func__, strerror (errno));
|
||||||
|
+ freecon(ctx);
|
||||||
|
+ }
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
#endif /* WITH_SELINUX */
|
#endif /* WITH_SELINUX */
|
||||||
|
|
||||||
#ifdef LINUX_OOM_ADJUST
|
#ifdef LINUX_OOM_ADJUST
|
||||||
diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/openbsd-compat/port-linux.h
|
diff -up openssh-5.9p1/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p1/openbsd-compat/port-linux.h
|
||||||
--- openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot 2011-01-25 02:16:18.000000000 +0100
|
--- openssh-5.9p1/openbsd-compat/port-linux.h.sftp-chroot 2011-01-25 02:16:18.000000000 +0100
|
||||||
+++ openssh-5.9p0/openbsd-compat/port-linux.h 2011-09-01 04:12:23.163088777 +0200
|
+++ openssh-5.9p1/openbsd-compat/port-linux.h 2012-11-05 16:32:23.935502591 +0100
|
||||||
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
|
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
|
||||||
void ssh_selinux_setup_pty(char *, const char *);
|
void ssh_selinux_setup_pty(char *, const char *);
|
||||||
void ssh_selinux_setup_exec_context(char *);
|
void ssh_selinux_setup_exec_context(char *);
|
||||||
|
@ -36,9 +38,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.h.sftp-chroot openssh-5.9p0/ope
|
||||||
void ssh_selinux_setfscreatecon(const char *);
|
void ssh_selinux_setfscreatecon(const char *);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
diff -up openssh-5.9p0/session.c.sftp-chroot openssh-5.9p0/session.c
|
diff -up openssh-5.9p1/session.c.sftp-chroot openssh-5.9p1/session.c
|
||||||
--- openssh-5.9p0/session.c.sftp-chroot 2011-09-01 04:12:19.698049195 +0200
|
--- openssh-5.9p1/session.c.sftp-chroot 2012-11-05 16:32:23.913502453 +0100
|
||||||
+++ openssh-5.9p0/session.c 2011-09-01 04:40:03.598148719 +0200
|
+++ openssh-5.9p1/session.c 2012-11-05 16:32:23.935502591 +0100
|
||||||
@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
|
@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
|
||||||
pw->pw_uid);
|
pw->pw_uid);
|
||||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||||
|
|
|
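Review bot: The new declaration `security_context_t *ctx;` in ssh_selinux_copy_context() adds a level of indirection that the calls in the second hunk do not expect: libselinux's `security_context_t` is itself a pointer typedef, so `setcon(ctx)` and `freecon(ctx)` now receive a pointer-to-pointer, and the getcon() call that the "getcon failed" message reports on (not shown, it sits between the two displayed hunks) presumably receives `&ctx`, one level more than its prototype declares. The build will only produce incompatible-pointer-type warnings and the calls work by accident of every pointer sharing one representation, but the declaration should read `security_context_t ctx;` (or the previous `char *ctx;`). The move from `xfree(ctx)` to `freecon(ctx)` under the `ctx != NULL` guard is the right pairing for memory handed out by getcon(); a one-line comment such as `/* ctx was allocated by libselinux; release it with freecon(), never xfree() */` would record why the allocator-matched free matters here.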
@ -0,0 +1,59 @@
|
||||||
|
diff -U0 openssh-5.9p1/ChangeLog.sftp-multibyte openssh-5.9p1/ChangeLog
|
||||||
|
--- openssh-5.9p1/ChangeLog.sftp-multibyte 2011-09-07 01:13:15.000000000 +0200
|
||||||
|
+++ openssh-5.9p1/ChangeLog 2013-06-20 10:46:26.236734807 +0200
|
||||||
|
@@ -0,0 +1,8 @@
|
||||||
|
+20130605
|
||||||
|
+ - dtucker@cvs.openbsd.org 2013/06/04 20:42:36
|
||||||
|
+ [sftp.c]
|
||||||
|
+ Make sftp's libedit interface marginally multibyte aware by building up
|
||||||
|
+ the quoted string by character instead of by byte. Prevents failures
|
||||||
|
+ when linked against a libedit built with wide character support (bz#1990).
|
||||||
|
+ "looks ok" djm
|
||||||
|
+
|
||||||
|
diff -up openssh-5.9p1/sftp.c.sftp-multibyte openssh-5.9p1/sftp.c
|
||||||
|
--- openssh-5.9p1/sftp.c.sftp-multibyte 2013-06-20 10:46:26.050735604 +0200
|
||||||
|
+++ openssh-5.9p1/sftp.c 2013-06-20 10:46:26.237734803 +0200
|
||||||
|
@@ -38,6 +38,7 @@
|
||||||
|
#ifdef HAVE_LIBGEN_H
|
||||||
|
#include <libgen.h>
|
||||||
|
#endif
|
||||||
|
+#include <locale.h>
|
||||||
|
#ifdef USE_LIBEDIT
|
||||||
|
#include <histedit.h>
|
||||||
|
#else
|
||||||
|
@@ -1692,8 +1693,9 @@ complete_match(EditLine *el, struct sftp
|
||||||
|
char *file, int remote, int lastarg, char quote, int terminated)
|
||||||
|
{
|
||||||
|
glob_t g;
|
||||||
|
- char *tmp, *tmp2, ins[3];
|
||||||
|
+ char *tmp, *tmp2, ins[8];
|
||||||
|
u_int i, hadglob, pwdlen, len, tmplen, filelen;
|
||||||
|
+ int clen;
|
||||||
|
const LineInfo *lf;
|
||||||
|
|
||||||
|
/* Glob from "file" location */
|
||||||
|
@@ -1749,10 +1751,13 @@ complete_match(EditLine *el, struct sftp
|
||||||
|
tmp2 = tmp + filelen;
|
||||||
|
len = strlen(tmp2);
|
||||||
|
/* quote argument on way out */
|
||||||
|
- for (i = 0; i < len; i++) {
|
||||||
|
+ for (i = 0; i < len; i += clen) {
|
||||||
|
+ if ((clen = mblen(tmp2 + i, len - i)) < 0 ||
|
||||||
|
+ (size_t)clen > sizeof(ins) - 2)
|
||||||
|
+ fatal("invalid multibyte character");
|
||||||
|
ins[0] = '\\';
|
||||||
|
- ins[1] = tmp2[i];
|
||||||
|
- ins[2] = '\0';
|
||||||
|
+ memcpy(ins + 1, tmp2 + i, clen);
|
||||||
|
+ ins[clen + 1] = '\0';
|
||||||
|
switch (tmp2[i]) {
|
||||||
|
case '\'':
|
||||||
|
case '"':
|
||||||
|
@@ -2099,6 +2104,7 @@ main(int argc, char **argv)
|
||||||
|
|
||||||
|
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||||
|
sanitise_stdfd();
|
||||||
|
+ setlocale(LC_CTYPE, "");
|
||||||
|
|
||||||
|
__progname = ssh_get_progname(argv[0]);
|
||||||
|
memset(&args, '\0', sizeof(args));
|
64
openssh.spec
64
openssh.spec
|
@ -15,10 +15,6 @@
|
||||||
# Do we want to link against a static libcrypto? (1=yes 0=no)
|
# Do we want to link against a static libcrypto? (1=yes 0=no)
|
||||||
%define static_libcrypto 0
|
%define static_libcrypto 0
|
||||||
|
|
||||||
# Do we want smartcard support (1=yes 0=no)
|
|
||||||
#Smartcard support is broken from 5.4p1
|
|
||||||
%define scard 0
|
|
||||||
|
|
||||||
# Use GTK2 instead of GNOME in gnome-ssh-askpass
|
# Use GTK2 instead of GNOME in gnome-ssh-askpass
|
||||||
%define gtk2 1
|
%define gtk2 1
|
||||||
|
|
||||||
|
@ -57,10 +53,6 @@
|
||||||
# rpm -ba|--rebuild --define "static_openssl 1"
|
# rpm -ba|--rebuild --define "static_openssl 1"
|
||||||
%{?static_openssl:%global static_libcrypto 1}
|
%{?static_openssl:%global static_libcrypto 1}
|
||||||
|
|
||||||
# Options for Smartcard support: (needs libsectok and openssl-engine)
|
|
||||||
# rpm -ba|--rebuild --define "smartcard 1"
|
|
||||||
%{?smartcard:%global scard 1}
|
|
||||||
|
|
||||||
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
|
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
|
||||||
%define rescue 0
|
%define rescue 0
|
||||||
%{?build_rescue:%global rescue 1}
|
%{?build_rescue:%global rescue 1}
|
||||||
|
@ -75,7 +67,7 @@
|
||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%define openssh_ver 5.9p1
|
%define openssh_ver 5.9p1
|
||||||
%define openssh_rel 26
|
%define openssh_rel 30
|
||||||
%define pam_ssh_agent_ver 0.9.3
|
%define pam_ssh_agent_ver 0.9.3
|
||||||
%define pam_ssh_agent_rel 1
|
%define pam_ssh_agent_rel 1
|
||||||
|
|
||||||
|
@ -217,14 +209,18 @@ Patch800: openssh-5.9p1-gsskex.patch
|
||||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||||
Patch801: openssh-5.8p2-force_krb.patch
|
Patch801: openssh-5.8p2-force_krb.patch
|
||||||
|
|
||||||
#?
|
Patch900: openssh-5.9p1-gssapi-canohost.patch
|
||||||
Patch900: openssh-5.8p1-gssapi-canohost.patch
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
|
||||||
Patch901: openssh-5.9p1-kuserok.patch
|
Patch901: openssh-5.9p1-kuserok.patch
|
||||||
#---
|
#https://bugzilla.redhat.com/show_bug.cgi?id=841065
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
|
Patch902: openssh-5.9p1-man-moduli.patch
|
||||||
# sctp
|
#https://bugzilla.redhat.com/show_bug.cgi?id=861818
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1873 => https://bugzilla.redhat.com/show_bug.cgi?id=668993
|
Patch903: openssh-5.9p1-ipqos.patch
|
||||||
|
# change default value of MaxStartups - CVE-2010-5107 - #908707
|
||||||
|
Patch904: openssh-5.9p1-change-max-startups.patch
|
||||||
|
# make sftp's libedit interface marginally multibyte aware (#841771)
|
||||||
|
Patch908: openssh-5.9p1-sftp-multibyte.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
|
@ -242,9 +238,6 @@ BuildRequires: gnome-libs-devel
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if %{scard}
|
|
||||||
BuildRequires: sharutils
|
|
||||||
%endif
|
|
||||||
%if %{ldap}
|
%if %{ldap}
|
||||||
BuildRequires: openldap-devel
|
BuildRequires: openldap-devel
|
||||||
%endif
|
%endif
|
||||||
|
@ -469,6 +462,10 @@ popd
|
||||||
|
|
||||||
%patch900 -p1 -b .canohost
|
%patch900 -p1 -b .canohost
|
||||||
%patch901 -p1 -b .kuserok
|
%patch901 -p1 -b .kuserok
|
||||||
|
%patch902 -p1 -b .man-moduli
|
||||||
|
%patch903 -p1 -b .ipqos
|
||||||
|
%patch904 -p1 -b .max-startups
|
||||||
|
%patch908 -p1 -b .sftp-multibyte
|
||||||
|
|
||||||
%if 0
|
%if 0
|
||||||
# Nothing here yet
|
# Nothing here yet
|
||||||
|
@ -520,8 +517,8 @@ fi
|
||||||
--libexecdir=%{_libexecdir}/openssh \
|
--libexecdir=%{_libexecdir}/openssh \
|
||||||
--datadir=%{_datadir}/openssh \
|
--datadir=%{_datadir}/openssh \
|
||||||
--with-tcp-wrappers \
|
--with-tcp-wrappers \
|
||||||
--with-default-path=/usr/local/bin:/bin:/usr/bin \
|
--with-default-path=/usr/local/bin:/usr/bin \
|
||||||
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
|
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
|
||||||
--with-privsep-path=%{_var}/empty/sshd \
|
--with-privsep-path=%{_var}/empty/sshd \
|
||||||
--enable-vendor-patchlevel="FC-%{version}-%{release}" \
|
--enable-vendor-patchlevel="FC-%{version}-%{release}" \
|
||||||
--disable-strip \
|
--disable-strip \
|
||||||
|
@ -529,9 +526,6 @@ fi
|
||||||
--with-ssl-engine \
|
--with-ssl-engine \
|
||||||
--with-authorized-keys-command \
|
--with-authorized-keys-command \
|
||||||
--with-ipaddr-display \
|
--with-ipaddr-display \
|
||||||
%if %{scard}
|
|
||||||
--with-smartcard \
|
|
||||||
%endif
|
|
||||||
%if %{ldap}
|
%if %{ldap}
|
||||||
--with-ldap \
|
--with-ldap \
|
||||||
%endif
|
%endif
|
||||||
|
@ -631,10 +625,6 @@ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
||||||
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if ! %{scard}
|
|
||||||
rm -f $RPM_BUILD_ROOT%{_datadir}/openssh/Ssh.bin
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%if ! %{no_gnome_askpass}
|
%if ! %{no_gnome_askpass}
|
||||||
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
|
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
|
||||||
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||||
|
@ -716,10 +706,6 @@ fi
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
|
%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||||
%endif
|
%endif
|
||||||
%if %{scard}
|
|
||||||
%attr(0755,root,root) %dir %{_datadir}/openssh
|
|
||||||
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%files clients
|
%files clients
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
|
@ -807,6 +793,22 @@ fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 20 2013 Petr Lautrbach <plautrba@redhat.com> 5.9p1-30 + 0.9.3-1
|
||||||
|
- make sftp's libedit interface marginally multibyte aware (#841771)
|
||||||
|
|
||||||
|
* Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 5.9p1-29 + 0.9.3-1
|
||||||
|
- change default value of MaxStartups - CVE-2010-5107 (#908707)
|
||||||
|
|
||||||
|
* Mon Nov 26 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-28 + 0.9.3-1
|
||||||
|
- avoid xfree(NULL) in ssh_selinux_copy_context() (#789502)
|
||||||
|
- fix the man moduli page (#841065)
|
||||||
|
- fix the required authentications patch (#872608)
|
||||||
|
- fix IPQoS not being set on non-mapped v4-in-v6 addressed connections (#861818)
|
||||||
|
|
||||||
|
* Wed Oct 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-27 + 0.9.3-1
|
||||||
|
- don't use /bin and /sbin paths (#856590)
|
||||||
|
- fix gssapi canohost patch (#863350)
|
||||||
|
|
||||||
* Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-26 + 0.9.3-1
|
* Mon Aug 06 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-26 + 0.9.3-1
|
||||||
- change SELinux context also for root user (#827109)
|
- change SELinux context also for root user (#827109)
|
||||||
|
|
||||||
|
|
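Review bot: The replaced `Patch900:` line now points at `openssh-5.9p1-gssapi-canohost.patch` but drops the only comment it had (`#?`) and, unlike the neighbouring patches, carries no bug reference, even though the changelog entry for 5.9p1-27 records the reason as `fix gssapi canohost patch (#863350)`; a line `#https://bugzilla.redhat.com/show_bug.cgi?id=863350` above it would keep the Patch section consistent. The new Patch904 line is the only one that names a CVE (`CVE-2010-5107`), which is appropriate since it changes a shipped default, and the matching `%patch904 -p1 -b .max-startups` in %prep is present. Patch numbering jumps from 904 to 908 with 905–907 unused, which is fine if intentional but worth a short comment so the gap is not read as a patch missing from this branch.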