Compare commits
21 Commits
Author | SHA1 | Date |
---|---|---|
|
36854a5a23 | |
|
3b37f5b889 | |
|
6ca2f775e1 | |
|
a23056d990 | |
|
8115d9469c | |
|
05765c1225 | |
|
c7eccad288 | |
|
82946ad504 | |
|
b5b762a4d1 | |
|
1784dd0d3b | |
|
fb00871f19 | |
|
1e3cc96dcb | |
|
3c8d85c214 | |
|
134fe470bd | |
|
52161dcd5f | |
|
7524ce4c02 | |
|
5c8cd31261 | |
|
fa0507a75a | |
|
8b4b7fffad | |
|
a9eca237d2 | |
|
984bb05a16 |
|
@ -1,9 +1,9 @@
|
|||
diff -up openssh-6.1p1/auth2-pubkey.c.keycat openssh-6.1p1/auth2-pubkey.c
|
||||
--- openssh-6.1p1/auth2-pubkey.c.keycat 2012-11-01 13:37:59.000000000 +0100
|
||||
+++ openssh-6.1p1/auth2-pubkey.c 2012-11-01 14:03:47.402279914 +0100
|
||||
@@ -564,6 +564,14 @@ user_key_command_allowed2(struct passwd
|
||||
--- openssh-6.1p1/auth2-pubkey.c.keycat 2013-02-14 17:39:21.000000000 +0100
|
||||
+++ openssh-6.1p1/auth2-pubkey.c 2013-02-14 17:40:42.600050510 +0100
|
||||
@@ -571,6 +571,14 @@ user_key_command_allowed2(struct passwd
|
||||
_exit(1);
|
||||
}
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (ssh_selinux_setup_env_variables() < 0) {
|
||||
|
@ -14,11 +14,11 @@ diff -up openssh-6.1p1/auth2-pubkey.c.keycat openssh-6.1p1/auth2-pubkey.c
|
|||
+#endif
|
||||
+
|
||||
execl(options.authorized_keys_command,
|
||||
options.authorized_keys_command, pw->pw_name, NULL);
|
||||
options.authorized_keys_command, user_pw->pw_name, NULL);
|
||||
|
||||
diff -up openssh-6.1p1/HOWTO.ssh-keycat.keycat openssh-6.1p1/HOWTO.ssh-keycat
|
||||
--- openssh-6.1p1/HOWTO.ssh-keycat.keycat 2012-11-01 13:37:59.417280097 +0100
|
||||
+++ openssh-6.1p1/HOWTO.ssh-keycat 2012-11-01 13:37:59.417280097 +0100
|
||||
--- openssh-6.1p1/HOWTO.ssh-keycat.keycat 2013-02-14 17:39:21.148382013 +0100
|
||||
+++ openssh-6.1p1/HOWTO.ssh-keycat 2013-02-14 17:39:21.148382013 +0100
|
||||
@@ -0,0 +1,12 @@
|
||||
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
|
||||
+of an user in any environment. This includes environments with
|
||||
|
@ -26,15 +26,15 @@ diff -up openssh-6.1p1/HOWTO.ssh-keycat.keycat openssh-6.1p1/HOWTO.ssh-keycat
|
|||
+
|
||||
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
||||
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
||||
+ AuthorizedKeysCommandRunAs root
|
||||
+ AuthorizedKeysCommandUser root
|
||||
+
|
||||
+Do not forget to enable public key authentication:
|
||||
+ PubkeyAuthentication yes
|
||||
+
|
||||
+
|
||||
diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in
|
||||
--- openssh-6.1p1/Makefile.in.keycat 2012-11-01 13:37:59.413280097 +0100
|
||||
+++ openssh-6.1p1/Makefile.in 2012-11-01 13:37:59.418280097 +0100
|
||||
--- openssh-6.1p1/Makefile.in.keycat 2013-02-14 17:39:21.143382033 +0100
|
||||
+++ openssh-6.1p1/Makefile.in 2013-02-14 17:39:21.148382013 +0100
|
||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
|
@ -71,8 +71,8 @@ diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in
|
|||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
||||
diff -up openssh-6.1p1/openbsd-compat/port-linux.c.keycat openssh-6.1p1/openbsd-compat/port-linux.c
|
||||
--- openssh-6.1p1/openbsd-compat/port-linux.c.keycat 2012-11-01 13:37:59.367280097 +0100
|
||||
+++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-11-01 13:37:59.419280097 +0100
|
||||
--- openssh-6.1p1/openbsd-compat/port-linux.c.keycat 2013-02-14 17:39:21.126382101 +0100
|
||||
+++ openssh-6.1p1/openbsd-compat/port-linux.c 2013-02-14 17:39:21.149382009 +0100
|
||||
@@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
|
@ -128,8 +128,8 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.c.keycat openssh-6.1p1/openbsd-
|
|||
void
|
||||
ssh_selinux_setup_exec_context(char *pwname)
|
||||
diff -up openssh-6.1p1/ssh-keycat.c.keycat openssh-6.1p1/ssh-keycat.c
|
||||
--- openssh-6.1p1/ssh-keycat.c.keycat 2012-11-01 13:37:59.420280097 +0100
|
||||
+++ openssh-6.1p1/ssh-keycat.c 2012-11-01 13:37:59.420280097 +0100
|
||||
--- openssh-6.1p1/ssh-keycat.c.keycat 2013-02-14 17:39:21.149382009 +0100
|
||||
+++ openssh-6.1p1/ssh-keycat.c 2013-02-14 17:39:21.149382009 +0100
|
||||
@@ -0,0 +1,238 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
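Review bot: The failure branch of the added `+ if (ssh_selinux_setup_env_variables() < 0) {` in the auth2-pubkey.c hunk (@@ -571,6 +571,14 @@ user_key_command_allowed2) is not visible in this section, and it runs in the forked child — the surrounding `_exit(1);` and `closefrom(STDERR_FILENO + 1);` are child-side code just before `execl`. That branch therefore has to end in `_exit(1);` rather than a `return` or `goto`, or the child falls through to `execl` without the SELinux environment in place; worth confirming against the lines hidden between the `if` and the `+#endif`. The enclosing user_key_command_allowed2() starts and ends outside the hunk, as does the port-linux.c `ssh_selinux_setup_exec_context(char *pwname)` change further down, whose body is cut at the hunk edge.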
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
||||
--- openssh-6.1p1/auth2-pubkey.c.akc 2012-11-28 17:12:43.238524384 +0100
|
||||
+++ openssh-6.1p1/auth2-pubkey.c 2012-11-28 17:12:43.263524297 +0100
|
||||
--- openssh-6.1p1/auth2-pubkey.c.akc 2013-02-14 17:46:45.259546968 +0100
|
||||
+++ openssh-6.1p1/auth2-pubkey.c 2013-02-14 17:48:19.072137541 +0100
|
||||
@@ -27,9 +27,13 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
|
@ -71,7 +71,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
|||
key_free(found);
|
||||
if (!found_key)
|
||||
debug2("key not found");
|
||||
@@ -453,7 +446,173 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
@@ -453,7 +446,180 @@ user_cert_trusted_ca(struct passwd *pw,
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
@ -112,45 +112,48 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
|||
+ struct stat st;
|
||||
+ int status, devnull, p[2], i;
|
||||
+ pid_t pid;
|
||||
+ char errmsg[512];
|
||||
+ char *username, errmsg[512];
|
||||
+
|
||||
+ if (options.authorized_keys_command == NULL ||
|
||||
+ options.authorized_keys_command[0] != '/')
|
||||
+ return 0;
|
||||
+
|
||||
+ /* If no user specified to run commands the default to target user */
|
||||
+ if (options.authorized_keys_command_user == NULL)
|
||||
+ if (options.authorized_keys_command_user == NULL) {
|
||||
+ pw = user_pw;
|
||||
+ }
|
||||
+ else {
|
||||
+ pw = getpwnam(options.authorized_keys_command_user);
|
||||
+ username = percent_expand(options.authorized_keys_command_user,
|
||||
+ "u", user_pw->pw_name, (char *)NULL);
|
||||
+ pw = getpwnam(username);
|
||||
+ if (pw == NULL) {
|
||||
+ error("AuthorizedKeyCommandUser \"%s\" not found: %s",
|
||||
+ options.authorized_keys_command, strerror(errno));
|
||||
+ username, strerror(errno));
|
||||
+ free(username);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ free(username);
|
||||
+ }
|
||||
+
|
||||
+ temporarily_use_uid(pw);
|
||||
+
|
||||
+ if (stat(options.authorized_keys_command, &st) < 0) {
|
||||
+ error("Could not stat AuthorizedKeysCommand \"%s\": %s",
|
||||
+ options.authorized_keys_command, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0,
|
||||
+ errmsg, sizeof(errmsg)) != 0) {
|
||||
+ error("Unsafe AuthorizedKeysCommand: %s", errmsg);
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ /* open the pipe and read the keys */
|
||||
+ if (pipe(p) != 0) {
|
||||
+ error("%s: pipe: %s", __func__, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"",
|
||||
+ options.authorized_keys_command, pw->pw_name);
|
||||
+ debug3("Running AuthorizedKeysCommand: \"%s %s\" as \"%s\"",
|
||||
+ options.authorized_keys_command, user_pw->pw_name, pw->pw_name);
|
||||
+
|
||||
+ /*
|
||||
+ * Don't want to call this in the child, where it can fatal() and
|
||||
|
@ -168,6 +171,19 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
|||
+ for (i = 0; i < NSIG; i++)
|
||||
+ signal(i, SIG_DFL);
|
||||
+
|
||||
+ if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
|
||||
+ error("%s: open %s: %s", __func__, _PATH_DEVNULL,
|
||||
+ strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+ /* Keep stderr around a while longer to catch errors */
|
||||
+ if (dup2(devnull, STDIN_FILENO) == -1 ||
|
||||
+ dup2(p[1], STDOUT_FILENO) == -1) {
|
||||
+ error("%s: dup2: %s", __func__, strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+ closefrom(STDERR_FILENO + 1);
|
||||
+
|
||||
+ /* Don't use permanently_set_uid() here to avoid fatal() */
|
||||
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) {
|
||||
+ error("setresgid %u: %s", (u_int)pw->pw_gid,
|
||||
|
@ -179,23 +195,14 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
|||
+ strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+
|
||||
+ close(p[0]);
|
||||
+ if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) {
|
||||
+ error("%s: open %s: %s", __func__, _PATH_DEVNULL,
|
||||
+ strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+ if (dup2(devnull, STDIN_FILENO) == -1 ||
|
||||
+ dup2(p[1], STDOUT_FILENO) == -1 ||
|
||||
+ dup2(devnull, STDERR_FILENO) == -1) {
|
||||
+ /* stdin is pointed to /dev/null at this point */
|
||||
+ if (dup2(STDIN_FILENO, STDERR_FILENO) == -1) {
|
||||
+ error("%s: dup2: %s", __func__, strerror(errno));
|
||||
+ _exit(1);
|
||||
+ }
|
||||
+ closefrom(STDERR_FILENO + 1);
|
||||
+
|
||||
+ execl(options.authorized_keys_command,
|
||||
+ options.authorized_keys_command, pw->pw_name, NULL);
|
||||
+ options.authorized_keys_command, user_pw->pw_name, NULL);
|
||||
+
|
||||
+ error("AuthorizedKeysCommand %s exec failed: %s",
|
||||
+ options.authorized_keys_command, strerror(errno));
|
||||
|
@ -211,6 +218,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
|||
+ error("%s: fdopen: %s", __func__, strerror(errno));
|
||||
+ close(p[0]);
|
||||
+ /* Don't leave zombie child */
|
||||
+ kill(pid, SIGTERM);
|
||||
+ while (waitpid(pid, NULL, 0) == -1 && errno == EINTR)
|
||||
+ ;
|
||||
+ goto out;
|
||||
|
@ -236,7 +244,6 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
|||
+ found_key = ok;
|
||||
+ out:
|
||||
+ restore_uid();
|
||||
+
|
||||
+ return found_key;
|
||||
+}
|
||||
+
|
||||
|
@ -246,7 +253,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
|||
int
|
||||
user_key_allowed(struct passwd *pw, Key *key)
|
||||
{
|
||||
@@ -469,6 +628,10 @@ user_key_allowed(struct passwd *pw, Key
|
||||
@@ -469,9 +635,17 @@ user_key_allowed(struct passwd *pw, Key
|
||||
if (success)
|
||||
return success;
|
||||
|
||||
|
@ -255,12 +262,19 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c
|
|||
+ return success;
|
||||
+
|
||||
for (i = 0; !success && i < options.num_authkeys_files; i++) {
|
||||
+
|
||||
+ if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
|
||||
+ continue;
|
||||
file = expand_authorized_keys(
|
||||
options.authorized_keys_files[i], pw);
|
||||
+
|
||||
success = user_key_allowed2(pw, key, file);
|
||||
xfree(file);
|
||||
}
|
||||
diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
|
||||
--- openssh-6.1p1/auth.c.akc 2012-11-28 17:12:43.187524558 +0100
|
||||
+++ openssh-6.1p1/auth.c 2012-11-28 17:12:43.263524297 +0100
|
||||
@@ -411,39 +411,41 @@ check_key_in_hostfiles(struct passwd *pw
|
||||
--- openssh-6.1p1/auth.c.akc 2013-02-14 17:46:45.189547274 +0100
|
||||
+++ openssh-6.1p1/auth.c 2013-02-14 17:46:45.273546907 +0100
|
||||
@@ -415,39 +415,41 @@ check_key_in_hostfiles(struct passwd *pw
|
||||
|
||||
|
||||
/*
|
||||
|
@ -315,7 +329,7 @@ diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
|
|||
snprintf(err, errlen, "bad ownership or modes for file %s",
|
||||
buf);
|
||||
return -1;
|
||||
@@ -479,6 +481,31 @@ secure_filename(FILE *f, const char *fil
|
||||
@@ -483,6 +485,31 @@ secure_filename(FILE *f, const char *fil
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -348,8 +362,8 @@ diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c
|
|||
auth_openfile(const char *file, struct passwd *pw, int strict_modes,
|
||||
int log_missing, char *file_type)
|
||||
diff -up openssh-6.1p1/auth.h.akc openssh-6.1p1/auth.h
|
||||
--- openssh-6.1p1/auth.h.akc 2012-11-28 17:12:43.239524381 +0100
|
||||
+++ openssh-6.1p1/auth.h 2012-11-28 17:12:43.263524297 +0100
|
||||
--- openssh-6.1p1/auth.h.akc 2013-02-14 17:46:45.259546968 +0100
|
||||
+++ openssh-6.1p1/auth.h 2013-02-14 17:46:45.274546903 +0100
|
||||
@@ -125,6 +125,10 @@ int auth_rhosts_rsa_key_allowed(struct
|
||||
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
|
||||
int user_key_allowed(struct passwd *, Key *);
|
||||
|
@ -362,8 +376,8 @@ diff -up openssh-6.1p1/auth.h.akc openssh-6.1p1/auth.h
|
|||
int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
|
||||
int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
|
||||
diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
||||
--- openssh-6.1p1/servconf.c.akc 2012-11-28 17:12:43.198524521 +0100
|
||||
+++ openssh-6.1p1/servconf.c 2012-11-28 17:14:50.314005026 +0100
|
||||
--- openssh-6.1p1/servconf.c.akc 2013-02-14 17:46:45.193547257 +0100
|
||||
+++ openssh-6.1p1/servconf.c 2013-02-14 17:46:45.274546903 +0100
|
||||
@@ -137,6 +137,8 @@ initialize_server_options(ServerOptions
|
||||
options->num_permitted_opens = -1;
|
||||
options->adm_forced_command = NULL;
|
||||
|
@ -437,8 +451,8 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c
|
|||
/* string arguments requiring a lookup */
|
||||
dump_cfg_string(sLogLevel, log_level_name(o->log_level));
|
||||
diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
|
||||
--- openssh-6.1p1/servconf.h.akc 2012-11-28 17:12:43.000000000 +0100
|
||||
+++ openssh-6.1p1/servconf.h 2012-11-28 17:18:41.217055157 +0100
|
||||
--- openssh-6.1p1/servconf.h.akc 2013-02-14 17:46:45.194547252 +0100
|
||||
+++ openssh-6.1p1/servconf.h 2013-02-14 17:46:45.275546898 +0100
|
||||
@@ -167,6 +167,8 @@ typedef struct {
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
|
@ -449,8 +463,8 @@ diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h
|
|||
char *version_addendum; /* Appended to SSH banner */
|
||||
|
||||
diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c
|
||||
--- openssh-6.1p1/sshd.c.akc 2012-11-28 17:12:43.245524360 +0100
|
||||
+++ openssh-6.1p1/sshd.c 2012-11-28 17:12:43.265524291 +0100
|
||||
--- openssh-6.1p1/sshd.c.akc 2013-02-14 17:46:45.270546920 +0100
|
||||
+++ openssh-6.1p1/sshd.c 2013-02-14 17:46:45.276546894 +0100
|
||||
@@ -366,9 +366,20 @@ main_sigchld_handler(int sig)
|
||||
static void
|
||||
grace_alarm_handler(int sig)
|
||||
|
@ -474,7 +488,7 @@ diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c
|
|||
}
|
||||
diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
|
||||
--- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd_config.0 2012-11-28 17:12:43.265524291 +0100
|
||||
+++ openssh-6.1p1/sshd_config.0 2013-02-14 17:46:45.276546894 +0100
|
||||
@@ -71,6 +71,23 @@ DESCRIPTION
|
||||
|
||||
See PATTERNS in ssh_config(5) for more information on patterns.
|
||||
|
@ -510,8 +524,8 @@ diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0
|
|||
GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
|
||||
HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
|
||||
diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
|
||||
--- openssh-6.1p1/sshd_config.5.akc 2012-11-28 17:12:43.199524517 +0100
|
||||
+++ openssh-6.1p1/sshd_config.5 2012-11-28 17:16:23.736624980 +0100
|
||||
--- openssh-6.1p1/sshd_config.5.akc 2013-02-14 17:46:45.195547248 +0100
|
||||
+++ openssh-6.1p1/sshd_config.5 2013-02-14 17:46:45.277546890 +0100
|
||||
@@ -173,6 +173,20 @@ Note that each authentication method lis
|
||||
in the configuration.
|
||||
The default is not to require multiple authentication; successful completion
|
||||
|
@ -552,7 +566,7 @@ diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5
|
|||
.Cm PermitOpen ,
|
||||
diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config
|
||||
--- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200
|
||||
+++ openssh-6.1p1/sshd_config 2012-11-28 17:12:43.265524291 +0100
|
||||
+++ openssh-6.1p1/sshd_config 2013-02-14 17:46:45.277546890 +0100
|
||||
@@ -49,6 +49,9 @@
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
AuthorizedKeysFile .ssh/authorized_keys
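Review bot: In the auth2-pubkey.c hunk (@ -112,45 +112,48), `error("AuthorizedKeyCommandUser \"%s\" not found: %s", username, strerror(errno));` prints strerror(errno) after a getpwnam() that returned NULL, but getpwnam() is not required to set errno when the user simply does not exist, so the message can end in stale errno text or "Success" — the same symptom the ssh_gai_strerror patch further down this page fixes. Set `errno = 0;` before `pw = getpwnam(username);` and only append the strerror() part when errno is non-zero, otherwise report just the name. The option name in that message also reads `AuthorizedKeyCommandUser` while the HOWTO.ssh-keycat hunk earlier on this page spells the directive `AuthorizedKeysCommandUser`. As a point of style, the new code releases the expanded name with `free(username)` while the rest of the file uses the `xfree(file)` idiom visible in the user_key_allowed() hunk. user_key_command_allowed2() begins and ends outside the hunk.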
|
||||
|
|
|
@ -0,0 +1,45 @@
|
|||
diff --git a/servconf.c b/servconf.c
|
||||
index 684fbb4..a230c7b 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -267,11 +267,11 @@ fill_default_server_options(ServerOptions *options)
|
||||
if (options->gateway_ports == -1)
|
||||
options->gateway_ports = 0;
|
||||
if (options->max_startups == -1)
|
||||
- options->max_startups = 10;
|
||||
+ options->max_startups = 100;
|
||||
if (options->max_startups_rate == -1)
|
||||
- options->max_startups_rate = 100; /* 100% */
|
||||
+ options->max_startups_rate = 30; /* 30% */
|
||||
if (options->max_startups_begin == -1)
|
||||
- options->max_startups_begin = options->max_startups;
|
||||
+ options->max_startups_begin = 10;
|
||||
if (options->max_authtries == -1)
|
||||
options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
|
||||
if (options->max_sessions == -1)
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index d1b85d0..5c03fd9 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -126,7 +126,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
|
||||
#ShowPatchLevel no
|
||||
#UseDNS yes
|
||||
#PidFile /var/run/sshd.pid
|
||||
-#MaxStartups 10
|
||||
+#MaxStartups 10:30:100
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#VersionAddendum none
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index fd0d35a..f02f6cc 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -826,7 +826,7 @@ SSH daemon.
|
||||
Additional connections will be dropped until authentication succeeds or the
|
||||
.Cm LoginGraceTime
|
||||
expires for a connection.
|
||||
-The default is 10.
|
||||
+The default is 10:30:100.
|
||||
.Pp
|
||||
Alternatively, random early drop can be enabled by specifying
|
||||
the three colon separated values
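Review bot: The new defaults in fill_default_server_options() are three bare literals (`100`, `30`, `10`) that must stay in agreement with `#MaxStartups 10:30:100` in sshd_config and `The default is 10:30:100.` in sshd_config.5, and nothing ties the three files together. Naming them once next to the existing `DEFAULT_AUTH_FAIL_MAX`, e.g. `#define DEFAULT_MAX_STARTUPS_BEGIN 10`, `#define DEFAULT_MAX_STARTUPS_RATE 30` and `#define DEFAULT_MAX_STARTUPS 100`, and using the macros in the three assignments keeps the code self-documenting; the `/* 30% */` comment could then move to the define. `max_startups_begin` is also no longer derived from `max_startups`, so a configuration that sets only the single-value form relies on the MaxStartups parser setting both fields — that parser is outside this hunk and should be checked.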
|
|
@ -0,0 +1,59 @@
|
|||
diff -U0 openssh-6.2p2/ChangeLog.dh openssh-6.2p2/ChangeLog
|
||||
--- openssh-6.2p2/ChangeLog.dh 2013-11-18 12:14:09.662240103 +0100
|
||||
+++ openssh-6.2p2/ChangeLog 2013-11-18 12:14:09.665240089 +0100
|
||||
@@ -0,0 +1,8 @@
|
||||
+20131010
|
||||
+ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
||||
+ [dh.c dh.h]
|
||||
+ Increase the size of the Diffie-Hellman groups requested for a each
|
||||
+ symmetric key size. New values from NIST Special Publication 800-57 with
|
||||
+ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
|
||||
+ djm@.
|
||||
+
|
||||
diff -up openssh-6.2p2/dh.c.dh openssh-6.2p2/dh.c
|
||||
--- openssh-6.2p2/dh.c.dh 2011-12-19 00:52:52.000000000 +0100
|
||||
+++ openssh-6.2p2/dh.c 2013-11-18 12:14:09.665240089 +0100
|
||||
@@ -332,17 +332,20 @@ dh_new_group14(void)
|
||||
|
||||
/*
|
||||
* Estimates the group order for a Diffie-Hellman group that has an
|
||||
- * attack complexity approximately the same as O(2**bits). Estimate
|
||||
- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
|
||||
+ * attack complexity approximately the same as O(2**bits).
|
||||
+ * Values from NIST Special Publication 800-57: Recommendation for Key
|
||||
+ * Management Part 1 (rev 3) limited by the recommended maximum value
|
||||
+ * from RFC4419 section 3.
|
||||
*/
|
||||
|
||||
int
|
||||
dh_estimate(int bits)
|
||||
{
|
||||
-
|
||||
+ if (bits <= 112)
|
||||
+ return 2048;
|
||||
if (bits <= 128)
|
||||
- return (1024); /* O(2**86) */
|
||||
+ return 3072;
|
||||
if (bits <= 192)
|
||||
- return (2048); /* O(2**116) */
|
||||
- return (4096); /* O(2**156) */
|
||||
+ return 7680;
|
||||
+ return 8192;
|
||||
}
|
||||
diff -up openssh-6.2p2/dh.h.dh openssh-6.2p2/dh.h
|
||||
--- openssh-6.2p2/dh.h.dh 2008-06-29 14:47:04.000000000 +0200
|
||||
+++ openssh-6.2p2/dh.h 2013-11-18 12:14:09.665240089 +0100
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
|
||||
+/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
|
||||
|
||||
int dh_estimate(int);
|
||||
|
||||
+/* Min and max values from RFC4419. */
|
||||
#define DH_GRP_MIN 1024
|
||||
#define DH_GRP_MAX 8192
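Review bot: dh_estimate()'s new return values in the dh.c hunk are bare literals and the old per-branch complexity comments were removed, so the mapping to the cited NIST SP 800-57 table and the RFC 4419 cap is no longer visible at the point of use. Suggest one comment per branch: `return 2048;   /* 112-bit security, SP 800-57 */`, `return 3072;   /* 128-bit */`, `return 7680;   /* 192-bit */`, and on the last `return 8192;   /* SP 800-57 lists 15360 for 256-bit; capped at DH_GRP_MAX per RFC 4419 */`. The cap matches `#define DH_GRP_MAX 8192` in the dh.h hunk, but because the function returns the literal rather than `DH_GRP_MAX`, the two can drift if the header is edited later.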
|
||||
|
|
@ -0,0 +1,59 @@
|
|||
diff -U0 openssh-6.1p1/ChangeLog.sftp-multibyte openssh-6.1p1/ChangeLog
|
||||
--- openssh-6.1p1/ChangeLog.sftp-multibyte 2013-06-19 17:32:22.527999462 +0200
|
||||
+++ openssh-6.1p1/ChangeLog 2013-06-19 17:34:12.236533762 +0200
|
||||
@@ -0,0 +1,8 @@
|
||||
+20130605
|
||||
+ - dtucker@cvs.openbsd.org 2013/06/04 20:42:36
|
||||
+ [sftp.c]
|
||||
+ Make sftp's libedit interface marginally multibyte aware by building up
|
||||
+ the quoted string by character instead of by byte. Prevents failures
|
||||
+ when linked against a libedit built with wide character support (bz#1990).
|
||||
+ "looks ok" djm
|
||||
+
|
||||
diff -up openssh-6.1p1/sftp.c.sftp-multibyte openssh-6.1p1/sftp.c
|
||||
--- openssh-6.1p1/sftp.c.sftp-multibyte 2013-06-19 17:32:22.353000206 +0200
|
||||
+++ openssh-6.1p1/sftp.c 2013-06-19 17:36:46.947876920 +0200
|
||||
@@ -38,6 +38,7 @@
|
||||
#ifdef HAVE_LIBGEN_H
|
||||
#include <libgen.h>
|
||||
#endif
|
||||
+#include <locale.h>
|
||||
#ifdef USE_LIBEDIT
|
||||
#include <histedit.h>
|
||||
#else
|
||||
@@ -1694,8 +1695,9 @@ complete_match(EditLine *el, struct sftp
|
||||
char *file, int remote, int lastarg, char quote, int terminated)
|
||||
{
|
||||
glob_t g;
|
||||
- char *tmp, *tmp2, ins[3];
|
||||
+ char *tmp, *tmp2, ins[8];
|
||||
u_int i, hadglob, pwdlen, len, tmplen, filelen;
|
||||
+ int clen;
|
||||
const LineInfo *lf;
|
||||
|
||||
/* Glob from "file" location */
|
||||
@@ -1751,10 +1753,13 @@ complete_match(EditLine *el, struct sftp
|
||||
tmp2 = tmp + filelen;
|
||||
len = strlen(tmp2);
|
||||
/* quote argument on way out */
|
||||
- for (i = 0; i < len; i++) {
|
||||
+ for (i = 0; i < len; i += clen) {
|
||||
+ if ((clen = mblen(tmp2 + i, len - i)) < 0 ||
|
||||
+ (size_t)clen > sizeof(ins) - 2)
|
||||
+ fatal("invalid multibyte character");
|
||||
ins[0] = '\\';
|
||||
- ins[1] = tmp2[i];
|
||||
- ins[2] = '\0';
|
||||
+ memcpy(ins + 1, tmp2 + i, clen);
|
||||
+ ins[clen + 1] = '\0';
|
||||
switch (tmp2[i]) {
|
||||
case '\'':
|
||||
case '"':
|
||||
@@ -2096,6 +2101,7 @@ main(int argc, char **argv)
|
||||
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
sanitise_stdfd();
|
||||
+ setlocale(LC_CTYPE, "");
|
||||
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
memset(&args, '\0', sizeof(args));
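Review bot: In the complete_match() hunk (@@ -1751,10 +1753,13), `fatal("invalid multibyte character");` tears down the whole sftp session when a byte sequence in a completion candidate does not decode under the user's LC_CTYPE locale; the candidates come from the glob over `file`, and with `remote` set those names presumably originate from the server, so one oddly-named remote entry would make tab completion abort the client. A softer fallback preserves the previous byte-wise behaviour for such names: `if ((clen = mblen(tmp2 + i, len - i)) <= 0 || (size_t)clen > sizeof(ins) - 2) clen = 1;` with the rest of the loop then escaping that single byte as before. If fatal() is the intended contract, a comment stating why an undecodable name must be fatal rather than skipped would help the next reader. complete_match() continues outside the hunk, and the origin of the globbed names is inferred from the `remote` parameter rather than shown here.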
|
|
@ -0,0 +1,23 @@
|
|||
diff -U0 openssh-6.2p2/ChangeLog.ssh_gai_strerror openssh-6.2p2/ChangeLog
|
||||
--- openssh-6.2p2/ChangeLog.ssh_gai_strerror 2013-07-23 12:03:41.467902339 +0200
|
||||
+++ openssh-6.2p2/ChangeLog 2013-07-23 12:06:03.414281151 +0200
|
||||
@@ -0,0 +1,7 @@
|
||||
+20130718
|
||||
+ - djm@cvs.openbsd.org 2013/07/12 00:43:50
|
||||
+ [misc.c]
|
||||
+ in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
|
||||
+ errno == 0. Avoids confusing error message in some broken resolver
|
||||
+ cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
|
||||
+
|
||||
diff -up openssh-6.2p2/misc.c.ssh_gai_strerror openssh-6.2p2/misc.c
|
||||
--- openssh-6.2p2/misc.c.ssh_gai_strerror 2013-07-23 12:03:41.321902978 +0200
|
||||
+++ openssh-6.2p2/misc.c 2013-07-23 12:03:41.467902339 +0200
|
||||
@@ -127,7 +127,7 @@ unset_nonblock(int fd)
|
||||
const char *
|
||||
ssh_gai_strerror(int gaierr)
|
||||
{
|
||||
- if (gaierr == EAI_SYSTEM)
|
||||
+ if (gaierr == EAI_SYSTEM && errno != 0)
|
||||
return strerror(errno);
|
||||
return gai_strerror(gaierr);
|
||||
}
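Review bot: ssh_gai_strerror() now consults `errno` only when it is non-zero, which makes its result depend on nothing having reset errno between the failing getaddrinfo() and this call, and that contract is not written down. Suggest a comment above the `if`, e.g. `/* EAI_SYSTEM: the detail is in errno, so call this before anything can clobber it; errno == 0 means the resolver gave no detail */`. With errno zero the fall-through to gai_strerror(EAI_SYSTEM) yields the generic text, so the logic itself looks right.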
|
74
openssh.spec
74
openssh.spec
|
@ -67,7 +67,7 @@
|
|||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 6.1p1
|
||||
%define openssh_rel 4
|
||||
%define openssh_rel 11
|
||||
%define pam_ssh_agent_ver 0.9.3
|
||||
%define pam_ssh_agent_rel 3
|
||||
|
||||
|
@ -210,11 +210,15 @@ Patch901: openssh-6.1p1-kuserok.patch
|
|||
Patch902: openssh-6.1p1-man-moduli.patch
|
||||
# obsolete RequiredAuthentications options
|
||||
Patch903: openssh-6.1p1-required-authentications.patch
|
||||
# change default value of MaxStartups - CVE-2010-5107 - #908707
|
||||
Patch904: openssh-6.1p1-change-max-startups.patch
|
||||
# make sftp's libedit interface marginally multibyte aware (#841771)
|
||||
Patch908: openssh-6.1p1-sftp-multibyte.patch
|
||||
# don't show Success for EAI_SYSTEM (#985964)
|
||||
Patch909: openssh-6.1p1-ssh_gai_strerror.patch
|
||||
# increase the size of the Diffie-Hellman groups (#1010607)
|
||||
Patch910: openssh-6.1p1-increase-size-of-DF-groups.patch
|
||||
|
||||
#---
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1604
|
||||
# sctp
|
||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=1873 => https://bugzilla.redhat.com/show_bug.cgi?id=668993
|
||||
|
||||
License: BSD
|
||||
Group: Applications/Internet
|
||||
|
@ -455,6 +459,10 @@ popd
|
|||
%patch901 -p1 -b .kuserok
|
||||
%patch902 -p1 -b .man-moduli
|
||||
%patch903 -p1 -b .required-authentication
|
||||
%patch904 -p1 -b .max-startups
|
||||
%patch908 -p1 -b .sftp-multibyte
|
||||
%patch909 -p1 -b .ssh_gai_strerror
|
||||
%patch910 -p1 -b .dh
|
||||
|
||||
%if 0
|
||||
# Nothing here yet
|
||||
|
@ -571,7 +579,7 @@ popd
|
|||
%if %{pam_ssh_agent}
|
||||
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
|
||||
LDFLAGS="$SAVE_LDFLAGS"
|
||||
%configure --with-selinux --libexecdir=/%{_lib}/security --with-mantype=man
|
||||
%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
|
||||
make
|
||||
popd
|
||||
%endif
|
||||
|
@ -772,11 +780,37 @@ getent passwd sshd >/dev/null || \
|
|||
%files -n pam_ssh_agent_auth
|
||||
%defattr(-,root,root)
|
||||
%doc pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
|
||||
%attr(0755,root,root) /%{_lib}/security/pam_ssh_agent_auth.so
|
||||
%attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so
|
||||
%attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8*
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-11 + 0.9.3-3
|
||||
- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
|
||||
|
||||
* Mon Nov 18 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-10 + 0.9.3-3
|
||||
- increase the size of the Diffie-Hellman groups (#1010607)
|
||||
- sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222)
|
||||
- don't show Success for EAI_SYSTEM (#985964)
|
||||
|
||||
* Thu Jun 20 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-9 + 0.9.3-3
|
||||
- make sftp's libedit interface marginally multibyte aware (#841771)
|
||||
|
||||
* Tue Apr 23 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-8 + 0.9.3-3
|
||||
- AuthorizedKeysCommandUser: use the user being authenticated by default (#953534)
|
||||
|
||||
* Wed Apr 17 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-7 + 0.9.3-3
|
||||
- allow specification of alternate host key location(s) via /etc/sysconfig/sshd
|
||||
<john_florian@dart.biz> (#865803)
|
||||
- sshd.service: use KillMode=process (#890376)
|
||||
- don't use export in sysconfig file (#953111)
|
||||
|
||||
* Thu Feb 14 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-6 + 0.9.3-3
|
||||
- fix AuthorizedKeysCommand option
|
||||
|
||||
* Fri Feb 08 2013 Petr Lautrbach <plautrba@redhat.com> 6.1p1-5 + 0.9.3-3
|
||||
- change default value of MaxStartups - CVE-2010-5107 (#908707)
|
||||
|
||||
* Mon Dec 03 2012 Petr Lautrbach <plautrba@redhat.com> 6.1p1-4 + 0.9.3-3
|
||||
- fix segfault in openssh-5.8p2-force_krb.patch (#882541)
|
||||
|
||||
|
@ -834,10 +868,10 @@ getent passwd sshd >/dev/null || \
|
|||
* Tue Jan 31 2012 Petr Lautrbach <plautrba@redhat.com> 5.9p1-17 + 0.9.2-32
|
||||
- run privsep slave process as the users SELinux context (#781634)
|
||||
|
||||
* Fri Dec 13 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-16 + 0.9.2-32
|
||||
* Tue Dec 13 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-16 + 0.9.2-32
|
||||
- add CAVS test driver for the aes-ctr ciphers
|
||||
|
||||
* Wed Dec 11 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-15 + 0.9.2-32
|
||||
* Sun Dec 11 2011 Tomas Mraz <tmraz@redhat.com> 5.9p1-15 + 0.9.2-32
|
||||
- enable aes-ctr ciphers use the EVP engines from OpenSSL such as the AES-NI
|
||||
|
||||
* Tue Dec 06 2011 Petr Lautrbach <plautrba@redhat.com> 5.9p1-14 + 0.9.2-32
|
||||
|
@ -1040,7 +1074,7 @@ getent passwd sshd >/dev/null || \
|
|||
- clean the data structures in the non privileged process
|
||||
- clean the data structures when roaming
|
||||
|
||||
* Tue Feb 2 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-28 + 0.9.2-29
|
||||
* Wed Feb 2 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-28 + 0.9.2-29
|
||||
- clean the data structures in the privileged process
|
||||
|
||||
* Tue Jan 25 2011 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-25 + 0.9.2-29
|
||||
|
@ -1079,10 +1113,10 @@ getent passwd sshd >/dev/null || \
|
|||
* Wed Nov 3 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-15 + 0.9.2-27
|
||||
- add auditing the kex result
|
||||
|
||||
* Fri Nov 2 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-14 + 0.9.2-27
|
||||
* Tue Nov 2 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-14 + 0.9.2-27
|
||||
- add auditing the key ussage
|
||||
|
||||
* Fri Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-12 + 0.9.2-27
|
||||
* Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-12 + 0.9.2-27
|
||||
- update gsskex patch (#645389)
|
||||
|
||||
* Wed Oct 20 2010 Jan F. Chadima <jchadima@redhat.com> - 5.6p1-11 + 0.9.2-27
|
||||
|
@ -1124,7 +1158,7 @@ getent passwd sshd >/dev/null || \
|
|||
* Wed Jun 30 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-17 + 0.9.2-26
|
||||
- improved the x11 patch according to upstream (#598671)
|
||||
|
||||
* Thu Jun 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-16 + 0.9.2-26
|
||||
* Fri Jun 25 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-16 + 0.9.2-26
|
||||
- improved the x11 patch (#598671)
|
||||
|
||||
* Thu Jun 24 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-15 + 0.9.2-26
|
||||
|
@ -1166,7 +1200,7 @@ getent passwd sshd >/dev/null || \
|
|||
- Tweak the ldap patch
|
||||
- Rename stderr patch properly
|
||||
|
||||
* Wed Apr 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-4 + 0.9.2-26
|
||||
* Thu Apr 29 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-4 + 0.9.2-26
|
||||
- Added LDAP support
|
||||
|
||||
* Mon Apr 26 2010 Jan F. Chadima <jchadima@redhat.com> - 5.5p1-3 + 0.9.2-26
|
||||
|
@ -1449,10 +1483,10 @@ getent passwd sshd >/dev/null || \
|
|||
* Mon Mar 19 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-5
|
||||
- make profile.d/gnome-ssh-askpass.* regular files (#226218)
|
||||
|
||||
* Thu Feb 27 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-4
|
||||
* Tue Feb 27 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-4
|
||||
- reject connection if requested mls range is not obtained (#229278)
|
||||
|
||||
* Wed Feb 22 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-3
|
||||
* Thu Feb 22 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-3
|
||||
- improve Buildroot
|
||||
- remove duplicate /etc/ssh from files
|
||||
|
||||
|
@ -1818,16 +1852,16 @@ getent passwd sshd >/dev/null || \
|
|||
complain if setgroups() fails if sshd has euid == 0
|
||||
- handle krb5 installed in %%{_prefix} or elsewhere by using krb5-config
|
||||
|
||||
* Tue Jul 28 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-5
|
||||
* Mon Jul 28 2003 Daniel Walsh <dwalsh@redhat.com> 3.6.1p2-5
|
||||
- Add SELinux patch
|
||||
|
||||
* Tue Jul 22 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-4
|
||||
- rebuild
|
||||
|
||||
* Wed Jun 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-3
|
||||
* Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-3
|
||||
- rebuild
|
||||
|
||||
* Wed Jun 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-2
|
||||
* Wed Jul 16 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-2
|
||||
- rebuild
|
||||
|
||||
* Thu Jun 5 2003 Nalin Dahyabhai <nalin@redhat.com> 3.6.1p2-1
|
||||
|
@ -1951,7 +1985,7 @@ getent passwd sshd >/dev/null || \
|
|||
- remove dependency on db1-devel, which has just been swallowed up whole
|
||||
by gnome-libs-devel
|
||||
|
||||
* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
* Sat Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||
- adjust build dependencies so that build6x actually works right (fix
|
||||
from Hugo van der Kooij)
|
||||
|
||||
|
|
29
sshd-keygen
29
sshd-keygen
|
@ -8,14 +8,15 @@
|
|||
# source function library
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||
|
||||
# Some functions to make the below more readable
|
||||
KEYGEN=/usr/bin/ssh-keygen
|
||||
RSA1_KEY=/etc/ssh/ssh_host_key
|
||||
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
||||
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
||||
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
|
||||
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||
|
||||
fips_enabled() {
|
||||
if [ -r /proc/sys/crypto/fips_enabled ]; then
|
||||
|
@ -88,11 +89,33 @@ do_dsa_keygen() {
|
|||
fi
|
||||
}
|
||||
|
||||
do_ecdsa_keygen() {
|
||||
if [ ! -s $ECDSA_KEY ]; then
|
||||
echo -n $"Generating SSH2 ECDSA host key: "
|
||||
rm -f $ECDSA_KEY
|
||||
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $ECDSA_KEY
|
||||
chmod 640 $ECDSA_KEY
|
||||
chmod 644 $ECDSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $ECDSA_KEY.pub
|
||||
fi
|
||||
success $"ECDSA key generation"
|
||||
echo
|
||||
else
|
||||
failure $"ECDSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Create keys if necessary
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
|
||||
do_rsa_keygen
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
|
||||
do_rsa1_keygen
|
||||
do_dsa_keygen
|
||||
do_ecdsa_keygen
|
||||
fi
|
||||
fi
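Review bot: In do_ecdsa_keygen(), `/sbin/restorecon $ECDSA_KEY.pub` relabels only the public key, while the private `$ECDSA_KEY` that was just chgrp'd and chmod'd keeps whatever context ssh-keygen created it with; if the other do_*_keygen functions (outside this hunk) relabel both files, this one should match, e.g. `/sbin/restorecon $ECDSA_KEY $ECDSA_KEY.pub`. The `chmod 640 $ECDSA_KEY` / `chgrp ssh_keys $ECDSA_KEY` pair matches the permission fix the spec changelog describes (#1023945). Moving `. /etc/sysconfig/sshd` below the `*_KEY=` defaults is what lets the sysconfig file override the key paths, which deserves a note at its new location, e.g. `# pull in sysconfig settings (may override the key paths above)`.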
|
||||
|
|
|
@ -7,6 +7,7 @@ EnvironmentFile=/etc/sysconfig/sshd
|
|||
ExecStartPre=/usr/sbin/sshd-keygen
|
||||
ExecStart=/usr/sbin/sshd -D $OPTIONS
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
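Review bot: `KillMode=process` is a deliberate but surprising setting for sshd — on stop or restart only the listener is killed and the forked per-session sshd processes, with their users' sessions, stay up — and the unit carries no explanation, so a future maintainer may "fix" it back to the default. Add a comment above it, e.g. `# Only kill the listener on stop/restart; established sessions stay up (#890376)`. The bug reference comes from the openssh.spec changelog entry on this page.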
|
||||
|
|
|
@ -9,8 +9,7 @@
|
|||
AUTOCREATE_SERVER_KEYS=YES
|
||||
|
||||
# Do not change this option unless you have hardware random
|
||||
# generator and you REALLY know what you are doing/
|
||||
|
||||
export SSH_USE_STRONG_RNG=0
|
||||
# export SSH_USE_STRONG_RNG=1
|
||||
# generator and you REALLY know what you are doing
|
||||
|
||||
SSH_USE_STRONG_RNG=0
|
||||
# SSH_USE_STRONG_RNG=1
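Review bot: Dropping `export` means `SSH_USE_STRONG_RNG=0` reaches sshd only through the unit's `EnvironmentFile=/etc/sysconfig/sshd`, but sshd-keygen sources this same file with `. /etc/sysconfig/sshd` and then runs `$KEYGEN`, which will no longer see the variable in its environment. If ssh-keygen honours SSH_USE_STRONG_RNG (not determinable from this page), the keygen script should `export SSH_USE_STRONG_RNG` after sourcing the file; either way a comment here noting that the file is consumed both as a systemd EnvironmentFile and by sshd-keygen would prevent the next reader from re-adding `export` for the wrong reason.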
|
||||
|
|