Compare commits
14 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
d0a123de59 | ||
|
8e4734d190 | ||
|
dea4ec84f7 | ||
|
7126dda63a | ||
|
37a151ef1a | ||
|
36116fbf1f | ||
|
5eab591ecf | ||
|
fbb4501051 | ||
|
39e9abc944 | ||
|
963137cbfb | ||
|
de69b66ff7 | ||
|
45ce750683 | ||
|
7ead42662f | ||
|
0269d39f77 |
@ -1670,7 +1670,7 @@ index 0c7f2e3..f47c7df 100644
|
||||
|
||||
struct Session;
|
||||
diff --git a/packet.c b/packet.c
|
||||
index a51c1f2..faa3a85 100644
|
||||
index 06406dc..0e58db3 100644
|
||||
--- a/packet.c
|
||||
+++ b/packet.c
|
||||
@@ -60,6 +60,7 @@
|
||||
@ -1780,7 +1780,7 @@ index a51c1f2..faa3a85 100644
|
||||
}
|
||||
active_state->newkeys[mode] = kex_get_newkeys(mode);
|
||||
if (active_state->newkeys[mode] == NULL)
|
||||
@@ -1971,6 +1989,47 @@ packet_get_newkeys(int mode)
|
||||
@@ -1975,6 +1993,47 @@ packet_get_newkeys(int mode)
|
||||
return (void *)active_state->newkeys[mode];
|
||||
}
|
||||
|
||||
@ -1828,7 +1828,7 @@ index a51c1f2..faa3a85 100644
|
||||
/*
|
||||
* Save the state for the real connection, and use a separate state when
|
||||
* resuming a suspended connection.
|
||||
@@ -1978,18 +2037,12 @@ packet_get_newkeys(int mode)
|
||||
@@ -1982,18 +2041,12 @@ packet_get_newkeys(int mode)
|
||||
void
|
||||
packet_backup_state(void)
|
||||
{
|
||||
@ -1848,7 +1848,7 @@ index a51c1f2..faa3a85 100644
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -2006,9 +2059,7 @@ packet_restore_state(void)
|
||||
@@ -2010,9 +2063,7 @@ packet_restore_state(void)
|
||||
backup_state = active_state;
|
||||
active_state = tmp;
|
||||
active_state->connection_in = backup_state->connection_in;
|
||||
@ -1858,7 +1858,7 @@ index a51c1f2..faa3a85 100644
|
||||
len = buffer_len(&backup_state->input);
|
||||
if (len > 0) {
|
||||
buf = buffer_ptr(&backup_state->input);
|
||||
@@ -2016,4 +2067,10 @@ packet_restore_state(void)
|
||||
@@ -2020,4 +2071,10 @@ packet_restore_state(void)
|
||||
buffer_clear(&backup_state->input);
|
||||
add_recv_bytes(len);
|
||||
}
|
||||
@ -2063,7 +2063,7 @@ index cbb8e3a..fc6a7d3 100644
|
||||
void session_close(Session *);
|
||||
void do_setusercontext(struct passwd *);
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 740ef4b..9aff64c 100644
|
||||
index 740ef4b..61ab3f5 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -118,6 +118,7 @@
|
||||
@ -2187,6 +2187,15 @@ index 740ef4b..9aff64c 100644
|
||||
}
|
||||
/* Certs do not need demotion */
|
||||
}
|
||||
@@ -646,7 +697,7 @@ privsep_preauth(Authctxt *authctxt)
|
||||
|
||||
if (use_privsep == PRIVSEP_ON)
|
||||
box = ssh_sandbox_init();
|
||||
- pid = fork();
|
||||
+ pmonitor->m_pid = pid = fork();
|
||||
if (pid == -1) {
|
||||
fatal("fork of unprivileged child failed");
|
||||
} else if (pid != 0) {
|
||||
@@ -700,6 +751,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||
}
|
||||
}
|
||||
@ -2283,7 +2292,7 @@ index 740ef4b..9aff64c 100644
|
||||
pmonitor->m_pid, strerror(errno));
|
||||
}
|
||||
}
|
||||
+ is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();
|
||||
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
|
||||
+ if (sensitive_data.host_keys != NULL)
|
||||
+ destroy_sensitive_data(is_privsep_child);
|
||||
+ packet_destroy_all(1, is_privsep_child);
|
||||
|
@ -26,7 +26,7 @@ diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
|
||||
+
|
||||
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
||||
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
||||
+ AuthorizedKeysCommandRunAs root
|
||||
+ AuthorizedKeysCommandUser root
|
||||
+
|
||||
+Do not forget to enable public key authentication:
|
||||
+ PubkeyAuthentication yes
|
||||
|
@ -759,10 +759,9 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
|
||||
+
|
||||
+#endif /* LDAPBODY_H */
|
||||
+
|
||||
diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
--- openssh-6.2p2/ldapconf.c.ldap 2013-06-07 15:10:05.601942693 +0200
|
||||
+++ openssh-6.2p2/ldapconf.c 2013-06-07 15:10:24.928857566 +0200
|
||||
@@ -0,0 +1,691 @@
|
||||
--- openssh-6.4p1/ldapconf.c.ldap 2013-11-26 10:31:03.513794385 +0100
|
||||
+++ openssh-6.4p1/ldapconf.c 2013-11-26 10:38:15.474635149 +0100
|
||||
@@ -0,0 +1,720 @@
|
||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||
+/*
|
||||
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
||||
@ -886,6 +885,35 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+ return lBadOption;
|
||||
+}
|
||||
+
|
||||
+/* Characters considered whitespace in strsep calls. */
|
||||
+#define WHITESPACE " \t\r\n"
|
||||
+
|
||||
+/* return next token in configuration line */
|
||||
+static char *
|
||||
+ldap_strdelim(char **s)
|
||||
+{
|
||||
+ char *old;
|
||||
+ int wspace = 0;
|
||||
+
|
||||
+ if (*s == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ old = *s;
|
||||
+
|
||||
+ *s = strpbrk(*s, WHITESPACE);
|
||||
+ if (*s == NULL)
|
||||
+ return (old);
|
||||
+
|
||||
+ *s[0] = '\0';
|
||||
+
|
||||
+ /* Skip any extra whitespace after first token */
|
||||
+ *s += strspn(*s + 1, WHITESPACE) + 1;
|
||||
+ if (*s[0] == '=' && !wspace)
|
||||
+ *s += strspn(*s + 1, WHITESPACE) + 1;
|
||||
+
|
||||
+ return (old);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Processes a single option line as used in the configuration files. This
|
||||
+ * only sets those values that have not already been set.
|
||||
@ -909,11 +937,11 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+
|
||||
+ s = line;
|
||||
+ /* Get the keyword. (Each line is supposed to begin with a keyword). */
|
||||
+ if ((keyword = strdelim(&s)) == NULL)
|
||||
+ if ((keyword = ldap_strdelim(&s)) == NULL)
|
||||
+ return 0;
|
||||
+ /* Ignore leading whitespace. */
|
||||
+ if (*keyword == '\0')
|
||||
+ keyword = strdelim(&s);
|
||||
+ keyword = ldap_strdelim(&s);
|
||||
+ if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
|
||||
+ return 0;
|
||||
+
|
||||
@ -949,7 +977,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+ case lBindPW:
|
||||
+ charptr = &options.bindpw;
|
||||
+parse_string:
|
||||
+ arg = strdelim(&s);
|
||||
+ arg = ldap_strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||
+ if (*charptr == NULL)
|
||||
@ -962,7 +990,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+
|
||||
+ case lScope:
|
||||
+ intptr = &options.scope;
|
||||
+ arg = strdelim(&s);
|
||||
+ arg = ldap_strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
|
||||
+ value = 0; /* To avoid compiler warning... */
|
||||
@ -980,7 +1008,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+
|
||||
+ case lDeref:
|
||||
+ intptr = &options.scope;
|
||||
+ arg = strdelim(&s);
|
||||
+ arg = ldap_strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
|
||||
+ value = 0; /* To avoid compiler warning... */
|
||||
@ -1001,7 +1029,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+ case lPort:
|
||||
+ intptr = &options.port;
|
||||
+parse_int:
|
||||
+ arg = strdelim(&s);
|
||||
+ arg = ldap_strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||
+ if (arg[0] < '0' || arg[0] > '9')
|
||||
@ -1018,7 +1046,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+ case lTimeLimit:
|
||||
+ intptr = &options.timelimit;
|
||||
+parse_time:
|
||||
+ arg = strdelim(&s);
|
||||
+ arg = ldap_strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%s line %d: missing time value.",
|
||||
+ filename, linenum);
|
||||
@ -1039,7 +1067,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+
|
||||
+ case lBind_Policy:
|
||||
+ intptr = &options.bind_policy;
|
||||
+ arg = strdelim(&s);
|
||||
+ arg = ldap_strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
|
||||
+ value = 0; /* To avoid compiler warning... */
|
||||
@ -1058,7 +1086,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+
|
||||
+ case lSSL:
|
||||
+ intptr = &options.ssl;
|
||||
+ arg = strdelim(&s);
|
||||
+ arg = ldap_strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
|
||||
+ value = 0; /* To avoid compiler warning... */
|
||||
@ -1077,7 +1105,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+ case lReferrals:
|
||||
+ intptr = &options.referrals;
|
||||
+parse_flag:
|
||||
+ arg = strdelim(&s);
|
||||
+ arg = ldap_strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
|
||||
+ value = 0; /* To avoid compiler warning... */
|
||||
@ -1097,7 +1125,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+
|
||||
+ case lTLS_CheckPeer:
|
||||
+ intptr = &options.tls_checkpeer;
|
||||
+ arg = strdelim(&s);
|
||||
+ arg = ldap_strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
|
||||
+ value = 0; /* To avoid compiler warning... */
|
||||
@ -1171,7 +1199,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
||||
+ }
|
||||
+
|
||||
+ /* Check that there is no garbage at end of line. */
|
||||
+ if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
|
||||
+ if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
|
||||
+ fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
|
||||
+ filename, linenum, arg);
|
||||
+ }
|
||||
|
80
openssh-6.2p2-CVE-2014-2653.patch
Normal file
80
openssh-6.2p2-CVE-2014-2653.patch
Normal file
@ -0,0 +1,80 @@
|
||||
diff --git a/ChangeLog b/ChangeLog
|
||||
index 29d70ec..a0fb67e 100644
|
||||
--- a/ChangeLog
|
||||
+++ b/ChangeLog
|
||||
@@ -1,3 +1,14 @@
|
||||
+20140420
|
||||
+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
|
||||
+ [sshconnect.c]
|
||||
+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
|
||||
+ certificate keys to plain keys and attempt SSHFP resolution.
|
||||
+
|
||||
+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
|
||||
+ dialog by offering only certificate keys.
|
||||
+
|
||||
+ Reported by mcv21 AT cam.ac.uk
|
||||
+
|
||||
20131010
|
||||
- dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
||||
[dh.c dh.h]
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index f2ba1b2..f0fdc70 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -1137,30 +1137,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||
{
|
||||
int flags = 0;
|
||||
char *fp;
|
||||
+ Key *plain = NULL;
|
||||
|
||||
fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||
debug("Server host key: %s %s%s", key_type(host_key),
|
||||
key_fingerprint_prefix(), fp);
|
||||
xfree(fp);
|
||||
|
||||
- /* XXX certs are not yet supported for DNS */
|
||||
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
|
||||
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
|
||||
- if (flags & DNS_VERIFY_FOUND) {
|
||||
-
|
||||
- if (options.verify_host_key_dns == 1 &&
|
||||
- flags & DNS_VERIFY_MATCH &&
|
||||
- flags & DNS_VERIFY_SECURE)
|
||||
- return 0;
|
||||
-
|
||||
- if (flags & DNS_VERIFY_MATCH) {
|
||||
- matching_host_key_dns = 1;
|
||||
- } else {
|
||||
- warn_changed_key(host_key);
|
||||
- error("Update the SSHFP RR in DNS with the new "
|
||||
- "host key to get rid of this message.");
|
||||
+ if (options.verify_host_key_dns) {
|
||||
+ /*
|
||||
+ * XXX certs are not yet supported for DNS, so downgrade
|
||||
+ * them and try the plain key.
|
||||
+ */
|
||||
+ plain = key_from_private(host_key);
|
||||
+ if (key_is_cert(plain))
|
||||
+ key_drop_cert(plain);
|
||||
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
|
||||
+ if (flags & DNS_VERIFY_FOUND) {
|
||||
+ if (options.verify_host_key_dns == 1 &&
|
||||
+ flags & DNS_VERIFY_MATCH &&
|
||||
+ flags & DNS_VERIFY_SECURE) {
|
||||
+ key_free(plain);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (flags & DNS_VERIFY_MATCH) {
|
||||
+ matching_host_key_dns = 1;
|
||||
+ } else {
|
||||
+ warn_changed_key(plain);
|
||||
+ error("Update the SSHFP RR in DNS "
|
||||
+ "with the new host key to get rid "
|
||||
+ "of this message.");
|
||||
+ }
|
||||
}
|
||||
}
|
||||
+ key_free(plain);
|
||||
}
|
||||
|
||||
return check_host_key(host, hostaddr, options.port, host_key, RDRW,
|
16
openssh-6.2p2-fromto-remote.patch
Normal file
16
openssh-6.2p2-fromto-remote.patch
Normal file
@ -0,0 +1,16 @@
|
||||
diff --git a/scp.c b/scp.c
|
||||
index d98fa67..25d347b 100644
|
||||
--- a/scp.c
|
||||
+++ b/scp.c
|
||||
@@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv)
|
||||
addargs(&alist, "%s", ssh_program);
|
||||
addargs(&alist, "-x");
|
||||
addargs(&alist, "-oClearAllForwardings=yes");
|
||||
- addargs(&alist, "-n");
|
||||
+ if (isatty(fileno(stdin)))
|
||||
+ addargs(&alist, "-t");
|
||||
+ else
|
||||
+ addargs(&alist, "-n");
|
||||
for (j = 0; j < remote_remote_args.num; j++) {
|
||||
addargs(&alist, "%s",
|
||||
remote_remote_args.list[j]);
|
37
openssh-6.2p2-ignore-bad-env-var.patch
Normal file
37
openssh-6.2p2-ignore-bad-env-var.patch
Normal file
@ -0,0 +1,37 @@
|
||||
diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
|
||||
--- openssh-6.4p1/ChangeLog.bad-env-var 2014-03-19 21:37:36.270509907 +0100
|
||||
+++ openssh-6.4p1/ChangeLog 2014-03-19 21:37:36.276509878 +0100
|
||||
@@ -0,0 +1,7 @@
|
||||
+20140304
|
||||
+ - OpenBSD CVS Sync
|
||||
+ - djm@cvs.openbsd.org 2014/03/03 22:22:30
|
||||
+ [session.c]
|
||||
+ ignore enviornment variables with embedded '=' or '\0' characters;
|
||||
+ spotted by Jann Horn; ok deraadt@
|
||||
+
|
||||
diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
|
||||
--- openssh-6.4p1/session.c.bad-env-var 2014-03-19 21:37:36.233510090 +0100
|
||||
+++ openssh-6.4p1/session.c 2014-03-19 21:37:36.277509873 +0100
|
||||
@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
|
||||
u_int envsize;
|
||||
u_int i, namelen;
|
||||
|
||||
+ if (strchr(name, '=') != NULL) {
|
||||
+ error("Invalid environment variable \"%.100s\"", name);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* If we're passed an uninitialized list, allocate a single null
|
||||
* entry before continuing.
|
||||
@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
|
||||
char *name, *val;
|
||||
u_int name_len, val_len, i;
|
||||
|
||||
- name = packet_get_string(&name_len);
|
||||
- val = packet_get_string(&val_len);
|
||||
+ name = packet_get_cstring(&name_len);
|
||||
+ val = packet_get_cstring(&val_len);
|
||||
packet_check_eom();
|
||||
|
||||
/* Don't set too many environment variables */
|
59
openssh-6.2p2-increase-size-of-DF-groups.patch
Normal file
59
openssh-6.2p2-increase-size-of-DF-groups.patch
Normal file
@ -0,0 +1,59 @@
|
||||
diff -U0 openssh-6.2p2/ChangeLog.dh openssh-6.2p2/ChangeLog
|
||||
--- openssh-6.2p2/ChangeLog.dh 2013-11-18 12:14:09.662240103 +0100
|
||||
+++ openssh-6.2p2/ChangeLog 2013-11-18 12:14:09.665240089 +0100
|
||||
@@ -0,0 +1,8 @@
|
||||
+20131010
|
||||
+ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
||||
+ [dh.c dh.h]
|
||||
+ Increase the size of the Diffie-Hellman groups requested for a each
|
||||
+ symmetric key size. New values from NIST Special Publication 800-57 with
|
||||
+ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
|
||||
+ djm@.
|
||||
+
|
||||
diff -up openssh-6.2p2/dh.c.dh openssh-6.2p2/dh.c
|
||||
--- openssh-6.2p2/dh.c.dh 2011-12-19 00:52:52.000000000 +0100
|
||||
+++ openssh-6.2p2/dh.c 2013-11-18 12:14:09.665240089 +0100
|
||||
@@ -332,17 +332,20 @@ dh_new_group14(void)
|
||||
|
||||
/*
|
||||
* Estimates the group order for a Diffie-Hellman group that has an
|
||||
- * attack complexity approximately the same as O(2**bits). Estimate
|
||||
- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
|
||||
+ * attack complexity approximately the same as O(2**bits).
|
||||
+ * Values from NIST Special Publication 800-57: Recommendation for Key
|
||||
+ * Management Part 1 (rev 3) limited by the recommended maximum value
|
||||
+ * from RFC4419 section 3.
|
||||
*/
|
||||
|
||||
int
|
||||
dh_estimate(int bits)
|
||||
{
|
||||
-
|
||||
+ if (bits <= 112)
|
||||
+ return 2048;
|
||||
if (bits <= 128)
|
||||
- return (1024); /* O(2**86) */
|
||||
+ return 3072;
|
||||
if (bits <= 192)
|
||||
- return (2048); /* O(2**116) */
|
||||
- return (4096); /* O(2**156) */
|
||||
+ return 7680;
|
||||
+ return 8192;
|
||||
}
|
||||
diff -up openssh-6.2p2/dh.h.dh openssh-6.2p2/dh.h
|
||||
--- openssh-6.2p2/dh.h.dh 2008-06-29 14:47:04.000000000 +0200
|
||||
+++ openssh-6.2p2/dh.h 2013-11-18 12:14:09.665240089 +0100
|
||||
@@ -1,4 +1,4 @@
|
||||
-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
|
||||
+/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||
@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
|
||||
|
||||
int dh_estimate(int);
|
||||
|
||||
+/* Min and max values from RFC4419. */
|
||||
#define DH_GRP_MIN 1024
|
||||
#define DH_GRP_MAX 8192
|
||||
|
59
openssh-6.2p2-legacy-ssh-copy-id.patch
Normal file
59
openssh-6.2p2-legacy-ssh-copy-id.patch
Normal file
@ -0,0 +1,59 @@
|
||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||
index 9f2817b..1530f6f 100644
|
||||
--- a/contrib/ssh-copy-id
|
||||
+++ b/contrib/ssh-copy-id
|
||||
@@ -77,7 +77,7 @@ use_id_file() {
|
||||
PUB_ID_FILE="$L_ID_FILE.pub"
|
||||
fi
|
||||
|
||||
- PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
|
||||
+ [ "x$SSH_COPY_ID_LEGACY" != "x" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
|
||||
|
||||
# check that the files are readable
|
||||
for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
|
||||
@@ -243,7 +243,7 @@ populate_new_ids() {
|
||||
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
|
||||
}
|
||||
|
||||
-REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
|
||||
+[ "x$SSH_COPY_ID_LEGACY" != "x" ] || REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
|
||||
sed -ne 's/.*remote software version //p')
|
||||
|
||||
case "$REMOTE_VERSION" in
|
||||
@@ -268,7 +268,11 @@ case "$REMOTE_VERSION" in
|
||||
;;
|
||||
*)
|
||||
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
|
||||
- populate_new_ids 0
|
||||
+ if [ "x$SSH_COPY_ID_LEGACY" != "x" ]; then
|
||||
+ NEW_IDS=`eval "$GET_ID"`
|
||||
+ else
|
||||
+ populate_new_ids 0
|
||||
+ fi
|
||||
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
|
||||
umask 077 ;
|
||||
mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
|
||||
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
|
||||
index 67a59e4..edbf56f 100644
|
||||
--- a/contrib/ssh-copy-id.1
|
||||
+++ b/contrib/ssh-copy-id.1
|
||||
@@ -180,6 +180,19 @@ should prove enlightening (N.B. the modern approach is to use the
|
||||
.Fl W
|
||||
option, rather than
|
||||
.Xr nc 1 ) .
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds
|
||||
+.Pp
|
||||
+.It Pa SSH_COPY_ID_LEGACY
|
||||
+If the
|
||||
+.Cm SSH_COPY_ID_LEGACY
|
||||
+environment variable is set, the
|
||||
+.Nm
|
||||
+is run in a legacy mode. In this mode, the
|
||||
+.Nm
|
||||
+doesn't check an existence of a private key and doesn't do remote checks
|
||||
+of the remote server versions or if public keys are already installed.
|
||||
+.El
|
||||
.Sh "SEE ALSO"
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-agent 1 ,
|
37
openssh.spec
37
openssh.spec
@ -64,7 +64,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%define openssh_ver 6.2p2
|
||||
%define openssh_rel 5
|
||||
%define openssh_rel 8
|
||||
%define pam_ssh_agent_ver 0.9.3
|
||||
%define pam_ssh_agent_rel 5
|
||||
|
||||
@ -186,6 +186,18 @@ Patch907: openssh-6.2p1-aarch64.patch
|
||||
Patch908: openssh-6.2p2-sftp-multibyte.patch
|
||||
# don't show Success for EAI_SYSTEM (#985964)
|
||||
Patch909: openssh-6.2p2-ssh_gai_strerror.patch
|
||||
# increase the size of the Diffie-Hellman groups (#1010607)
|
||||
Patch910: openssh-6.2p2-increase-size-of-DF-groups.patch
|
||||
# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set
|
||||
# http://bugzilla.mindrot.org/show_bug.cgi?id=2110
|
||||
Patch911: openssh-6.2p2-legacy-ssh-copy-id.patch
|
||||
# Use tty allocation for a remote scp (#985650)
|
||||
Patch912: openssh-6.2p2-fromto-remote.patch
|
||||
# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
|
||||
# dialog by offering only certificate keys. (#1081338)
|
||||
Patch913: openssh-6.2p2-CVE-2014-2653.patch
|
||||
# ignore environment variables with embedded '=' or '\0' characters (#1077843)
|
||||
Patch914: openssh-6.2p2-ignore-bad-env-var.patch
|
||||
|
||||
|
||||
License: BSD
|
||||
@ -408,6 +420,11 @@ popd
|
||||
%patch907 -p1 -b .aarch64
|
||||
%patch908 -p1 -b .sftp-multibyte
|
||||
%patch909 -p1 -b .ssh_gai_strerror
|
||||
%patch910 -p1 -b .dh
|
||||
%patch911 -p1 -b .legacy-ssh-copy-id
|
||||
%patch912 -p1 -b .fromto-remote
|
||||
%patch913 -p1 -b .CVE-2014-2653
|
||||
%patch914 -p1 -b .bad-env-var
|
||||
|
||||
%if 0
|
||||
# Nothing here yet
|
||||
@ -628,7 +645,7 @@ getent passwd sshd >/dev/null || \
|
||||
%defattr(-,root,root)
|
||||
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
|
||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||
%if ! %{rescue}
|
||||
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||
@ -722,6 +739,22 @@ getent passwd sshd >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon May 19 2014 Petr Lautrbach <plautrba@redhat.com> 6.2p2-8 + 0.9.3-5
|
||||
- fix fatal() cleanup in the audit patch (#1029074)
|
||||
- fix parsing logic of ldap.conf file (#1033662)
|
||||
- use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
|
||||
- make /etc/ssh/moduli file public (#1043661)
|
||||
- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
|
||||
- ignore environment variables with embedded '=' or '\0' characters - CVE-2014-2532
|
||||
(#1077843)
|
||||
|
||||
* Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-7 + 0.9.3-5
|
||||
- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
|
||||
|
||||
* Mon Nov 18 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-6 + 0.9.3-5
|
||||
- increase the size of the Diffie-Hellman groups (#1010607)
|
||||
- sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222)
|
||||
|
||||
* Wed Jul 31 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-5 + 0.9.3-5
|
||||
- gssapi credentials need to be stored before a pam session opened (#987792)
|
||||
|
||||
|
23
sshd-keygen
23
sshd-keygen
@ -13,6 +13,7 @@ KEYGEN=/usr/bin/ssh-keygen
|
||||
RSA1_KEY=/etc/ssh/ssh_host_key
|
||||
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
||||
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
||||
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
|
||||
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||
@ -88,11 +89,33 @@ do_dsa_keygen() {
|
||||
fi
|
||||
}
|
||||
|
||||
do_ecdsa_keygen() {
|
||||
if [ ! -s $ECDSA_KEY ]; then
|
||||
echo -n $"Generating SSH2 ECDSA host key: "
|
||||
rm -f $ECDSA_KEY
|
||||
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $ECDSA_KEY
|
||||
chmod 640 $ECDSA_KEY
|
||||
chmod 644 $ECDSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $ECDSA_KEY.pub
|
||||
fi
|
||||
success $"ECDSA key generation"
|
||||
echo
|
||||
else
|
||||
failure $"ECDSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Create keys if necessary
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
|
||||
do_rsa_keygen
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
|
||||
do_rsa1_keygen
|
||||
do_dsa_keygen
|
||||
do_ecdsa_keygen
|
||||
fi
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user