Compare commits
14 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
d0a123de59 | ||
|
8e4734d190 | ||
|
dea4ec84f7 | ||
|
7126dda63a | ||
|
37a151ef1a | ||
|
36116fbf1f | ||
|
5eab591ecf | ||
|
fbb4501051 | ||
|
39e9abc944 | ||
|
963137cbfb | ||
|
de69b66ff7 | ||
|
45ce750683 | ||
|
7ead42662f | ||
|
0269d39f77 |
@ -1670,7 +1670,7 @@ index 0c7f2e3..f47c7df 100644
|
|||||||
|
|
||||||
struct Session;
|
struct Session;
|
||||||
diff --git a/packet.c b/packet.c
|
diff --git a/packet.c b/packet.c
|
||||||
index a51c1f2..faa3a85 100644
|
index 06406dc..0e58db3 100644
|
||||||
--- a/packet.c
|
--- a/packet.c
|
||||||
+++ b/packet.c
|
+++ b/packet.c
|
||||||
@@ -60,6 +60,7 @@
|
@@ -60,6 +60,7 @@
|
||||||
@ -1780,7 +1780,7 @@ index a51c1f2..faa3a85 100644
|
|||||||
}
|
}
|
||||||
active_state->newkeys[mode] = kex_get_newkeys(mode);
|
active_state->newkeys[mode] = kex_get_newkeys(mode);
|
||||||
if (active_state->newkeys[mode] == NULL)
|
if (active_state->newkeys[mode] == NULL)
|
||||||
@@ -1971,6 +1989,47 @@ packet_get_newkeys(int mode)
|
@@ -1975,6 +1993,47 @@ packet_get_newkeys(int mode)
|
||||||
return (void *)active_state->newkeys[mode];
|
return (void *)active_state->newkeys[mode];
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1828,7 +1828,7 @@ index a51c1f2..faa3a85 100644
|
|||||||
/*
|
/*
|
||||||
* Save the state for the real connection, and use a separate state when
|
* Save the state for the real connection, and use a separate state when
|
||||||
* resuming a suspended connection.
|
* resuming a suspended connection.
|
||||||
@@ -1978,18 +2037,12 @@ packet_get_newkeys(int mode)
|
@@ -1982,18 +2041,12 @@ packet_get_newkeys(int mode)
|
||||||
void
|
void
|
||||||
packet_backup_state(void)
|
packet_backup_state(void)
|
||||||
{
|
{
|
||||||
@ -1848,7 +1848,7 @@ index a51c1f2..faa3a85 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -2006,9 +2059,7 @@ packet_restore_state(void)
|
@@ -2010,9 +2063,7 @@ packet_restore_state(void)
|
||||||
backup_state = active_state;
|
backup_state = active_state;
|
||||||
active_state = tmp;
|
active_state = tmp;
|
||||||
active_state->connection_in = backup_state->connection_in;
|
active_state->connection_in = backup_state->connection_in;
|
||||||
@ -1858,7 +1858,7 @@ index a51c1f2..faa3a85 100644
|
|||||||
len = buffer_len(&backup_state->input);
|
len = buffer_len(&backup_state->input);
|
||||||
if (len > 0) {
|
if (len > 0) {
|
||||||
buf = buffer_ptr(&backup_state->input);
|
buf = buffer_ptr(&backup_state->input);
|
||||||
@@ -2016,4 +2067,10 @@ packet_restore_state(void)
|
@@ -2020,4 +2071,10 @@ packet_restore_state(void)
|
||||||
buffer_clear(&backup_state->input);
|
buffer_clear(&backup_state->input);
|
||||||
add_recv_bytes(len);
|
add_recv_bytes(len);
|
||||||
}
|
}
|
||||||
@ -2063,7 +2063,7 @@ index cbb8e3a..fc6a7d3 100644
|
|||||||
void session_close(Session *);
|
void session_close(Session *);
|
||||||
void do_setusercontext(struct passwd *);
|
void do_setusercontext(struct passwd *);
|
||||||
diff --git a/sshd.c b/sshd.c
|
diff --git a/sshd.c b/sshd.c
|
||||||
index 740ef4b..9aff64c 100644
|
index 740ef4b..61ab3f5 100644
|
||||||
--- a/sshd.c
|
--- a/sshd.c
|
||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -118,6 +118,7 @@
|
@@ -118,6 +118,7 @@
|
||||||
@ -2187,6 +2187,15 @@ index 740ef4b..9aff64c 100644
|
|||||||
}
|
}
|
||||||
/* Certs do not need demotion */
|
/* Certs do not need demotion */
|
||||||
}
|
}
|
||||||
|
@@ -646,7 +697,7 @@ privsep_preauth(Authctxt *authctxt)
|
||||||
|
|
||||||
|
if (use_privsep == PRIVSEP_ON)
|
||||||
|
box = ssh_sandbox_init();
|
||||||
|
- pid = fork();
|
||||||
|
+ pmonitor->m_pid = pid = fork();
|
||||||
|
if (pid == -1) {
|
||||||
|
fatal("fork of unprivileged child failed");
|
||||||
|
} else if (pid != 0) {
|
||||||
@@ -700,6 +751,8 @@ privsep_preauth(Authctxt *authctxt)
|
@@ -700,6 +751,8 @@ privsep_preauth(Authctxt *authctxt)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -2283,7 +2292,7 @@ index 740ef4b..9aff64c 100644
|
|||||||
pmonitor->m_pid, strerror(errno));
|
pmonitor->m_pid, strerror(errno));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
+ is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();
|
+ is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
|
||||||
+ if (sensitive_data.host_keys != NULL)
|
+ if (sensitive_data.host_keys != NULL)
|
||||||
+ destroy_sensitive_data(is_privsep_child);
|
+ destroy_sensitive_data(is_privsep_child);
|
||||||
+ packet_destroy_all(1, is_privsep_child);
|
+ packet_destroy_all(1, is_privsep_child);
|
||||||
|
@ -26,7 +26,7 @@ diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
|
|||||||
+
|
+
|
||||||
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
+To use ssh-keycat, set these options in /etc/ssh/sshd_config file:
|
||||||
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
+ AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
|
||||||
+ AuthorizedKeysCommandRunAs root
|
+ AuthorizedKeysCommandUser root
|
||||||
+
|
+
|
||||||
+Do not forget to enable public key authentication:
|
+Do not forget to enable public key authentication:
|
||||||
+ PubkeyAuthentication yes
|
+ PubkeyAuthentication yes
|
||||||
|
@ -759,10 +759,9 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
|
|||||||
+
|
+
|
||||||
+#endif /* LDAPBODY_H */
|
+#endif /* LDAPBODY_H */
|
||||||
+
|
+
|
||||||
diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
--- openssh-6.4p1/ldapconf.c.ldap 2013-11-26 10:31:03.513794385 +0100
|
||||||
--- openssh-6.2p2/ldapconf.c.ldap 2013-06-07 15:10:05.601942693 +0200
|
+++ openssh-6.4p1/ldapconf.c 2013-11-26 10:38:15.474635149 +0100
|
||||||
+++ openssh-6.2p2/ldapconf.c 2013-06-07 15:10:24.928857566 +0200
|
@@ -0,0 +1,720 @@
|
||||||
@@ -0,0 +1,691 @@
|
|
||||||
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
|
||||||
@ -886,6 +885,35 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+ return lBadOption;
|
+ return lBadOption;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
|
+/* Characters considered whitespace in strsep calls. */
|
||||||
|
+#define WHITESPACE " \t\r\n"
|
||||||
|
+
|
||||||
|
+/* return next token in configuration line */
|
||||||
|
+static char *
|
||||||
|
+ldap_strdelim(char **s)
|
||||||
|
+{
|
||||||
|
+ char *old;
|
||||||
|
+ int wspace = 0;
|
||||||
|
+
|
||||||
|
+ if (*s == NULL)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ old = *s;
|
||||||
|
+
|
||||||
|
+ *s = strpbrk(*s, WHITESPACE);
|
||||||
|
+ if (*s == NULL)
|
||||||
|
+ return (old);
|
||||||
|
+
|
||||||
|
+ *s[0] = '\0';
|
||||||
|
+
|
||||||
|
+ /* Skip any extra whitespace after first token */
|
||||||
|
+ *s += strspn(*s + 1, WHITESPACE) + 1;
|
||||||
|
+ if (*s[0] == '=' && !wspace)
|
||||||
|
+ *s += strspn(*s + 1, WHITESPACE) + 1;
|
||||||
|
+
|
||||||
|
+ return (old);
|
||||||
|
+}
|
||||||
|
+
|
||||||
+/*
|
+/*
|
||||||
+ * Processes a single option line as used in the configuration files. This
|
+ * Processes a single option line as used in the configuration files. This
|
||||||
+ * only sets those values that have not already been set.
|
+ * only sets those values that have not already been set.
|
||||||
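Review bot: `wspace` in the new `ldap_strdelim()` is initialised to 0 and never assigned, so `*s[0] == '=' && !wspace` reduces to `*s[0] == '='` and a whitespace-separated `=` after the first token is always swallowed as part of the separator; since this variant only breaks on `WHITESPACE` (never on `=` itself, so a value such as a DN keeps its `=` characters), the variable is a leftover and should be dropped. If consuming a standalone `=` is the intent for ldap.conf's `keyword = value` form, say so on that line: `/* ldap.conf allows "keyword = value"; a lone '=' is separator, not token */`. `*s[0]` parses as `*(s[0])`, i.e. `**s`, which is what the code needs, but `(*s)[0]` reads less like a mistake. The `WHITESPACE` macro is also defined in OpenSSH's misc.h with the same expansion, so the local `#define` is redundant if that header is included above the hunk.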
@ -909,11 +937,11 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+
|
+
|
||||||
+ s = line;
|
+ s = line;
|
||||||
+ /* Get the keyword. (Each line is supposed to begin with a keyword). */
|
+ /* Get the keyword. (Each line is supposed to begin with a keyword). */
|
||||||
+ if ((keyword = strdelim(&s)) == NULL)
|
+ if ((keyword = ldap_strdelim(&s)) == NULL)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+ /* Ignore leading whitespace. */
|
+ /* Ignore leading whitespace. */
|
||||||
+ if (*keyword == '\0')
|
+ if (*keyword == '\0')
|
||||||
+ keyword = strdelim(&s);
|
+ keyword = ldap_strdelim(&s);
|
||||||
+ if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
|
+ if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+
|
+
|
||||||
@ -949,7 +977,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+ case lBindPW:
|
+ case lBindPW:
|
||||||
+ charptr = &options.bindpw;
|
+ charptr = &options.bindpw;
|
||||||
+parse_string:
|
+parse_string:
|
||||||
+ arg = strdelim(&s);
|
+ arg = ldap_strdelim(&s);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||||
+ if (*charptr == NULL)
|
+ if (*charptr == NULL)
|
||||||
@ -962,7 +990,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+
|
+
|
||||||
+ case lScope:
|
+ case lScope:
|
||||||
+ intptr = &options.scope;
|
+ intptr = &options.scope;
|
||||||
+ arg = strdelim(&s);
|
+ arg = ldap_strdelim(&s);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
|
+ fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
|
||||||
+ value = 0; /* To avoid compiler warning... */
|
+ value = 0; /* To avoid compiler warning... */
|
||||||
@ -980,7 +1008,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+
|
+
|
||||||
+ case lDeref:
|
+ case lDeref:
|
||||||
+ intptr = &options.scope;
|
+ intptr = &options.scope;
|
||||||
+ arg = strdelim(&s);
|
+ arg = ldap_strdelim(&s);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
|
+ fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
|
||||||
+ value = 0; /* To avoid compiler warning... */
|
+ value = 0; /* To avoid compiler warning... */
|
||||||
@ -1001,7 +1029,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+ case lPort:
|
+ case lPort:
|
||||||
+ intptr = &options.port;
|
+ intptr = &options.port;
|
||||||
+parse_int:
|
+parse_int:
|
||||||
+ arg = strdelim(&s);
|
+ arg = ldap_strdelim(&s);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||||
+ if (arg[0] < '0' || arg[0] > '9')
|
+ if (arg[0] < '0' || arg[0] > '9')
|
||||||
@ -1018,7 +1046,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+ case lTimeLimit:
|
+ case lTimeLimit:
|
||||||
+ intptr = &options.timelimit;
|
+ intptr = &options.timelimit;
|
||||||
+parse_time:
|
+parse_time:
|
||||||
+ arg = strdelim(&s);
|
+ arg = ldap_strdelim(&s);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%s line %d: missing time value.",
|
+ fatal("%s line %d: missing time value.",
|
||||||
+ filename, linenum);
|
+ filename, linenum);
|
||||||
@ -1039,7 +1067,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+
|
+
|
||||||
+ case lBind_Policy:
|
+ case lBind_Policy:
|
||||||
+ intptr = &options.bind_policy;
|
+ intptr = &options.bind_policy;
|
||||||
+ arg = strdelim(&s);
|
+ arg = ldap_strdelim(&s);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
|
+ fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
|
||||||
+ value = 0; /* To avoid compiler warning... */
|
+ value = 0; /* To avoid compiler warning... */
|
||||||
@ -1058,7 +1086,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+
|
+
|
||||||
+ case lSSL:
|
+ case lSSL:
|
||||||
+ intptr = &options.ssl;
|
+ intptr = &options.ssl;
|
||||||
+ arg = strdelim(&s);
|
+ arg = ldap_strdelim(&s);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
|
+ fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
|
||||||
+ value = 0; /* To avoid compiler warning... */
|
+ value = 0; /* To avoid compiler warning... */
|
||||||
@ -1077,7 +1105,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+ case lReferrals:
|
+ case lReferrals:
|
||||||
+ intptr = &options.referrals;
|
+ intptr = &options.referrals;
|
||||||
+parse_flag:
|
+parse_flag:
|
||||||
+ arg = strdelim(&s);
|
+ arg = ldap_strdelim(&s);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
|
+ fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
|
||||||
+ value = 0; /* To avoid compiler warning... */
|
+ value = 0; /* To avoid compiler warning... */
|
||||||
@ -1097,7 +1125,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+
|
+
|
||||||
+ case lTLS_CheckPeer:
|
+ case lTLS_CheckPeer:
|
||||||
+ intptr = &options.tls_checkpeer;
|
+ intptr = &options.tls_checkpeer;
|
||||||
+ arg = strdelim(&s);
|
+ arg = ldap_strdelim(&s);
|
||||||
+ if (!arg || *arg == '\0')
|
+ if (!arg || *arg == '\0')
|
||||||
+ fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
|
+ fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
|
||||||
+ value = 0; /* To avoid compiler warning... */
|
+ value = 0; /* To avoid compiler warning... */
|
||||||
@ -1171,7 +1199,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ /* Check that there is no garbage at end of line. */
|
+ /* Check that there is no garbage at end of line. */
|
||||||
+ if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
|
+ if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
|
||||||
+ fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
|
+ fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
|
||||||
+ filename, linenum, arg);
|
+ filename, linenum, arg);
|
||||||
+ }
|
+ }
|
||||||
|
80
openssh-6.2p2-CVE-2014-2653.patch
Normal file
80
openssh-6.2p2-CVE-2014-2653.patch
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
diff --git a/ChangeLog b/ChangeLog
|
||||||
|
index 29d70ec..a0fb67e 100644
|
||||||
|
--- a/ChangeLog
|
||||||
|
+++ b/ChangeLog
|
||||||
|
@@ -1,3 +1,14 @@
|
||||||
|
+20140420
|
||||||
|
+ - djm@cvs.openbsd.org 2014/04/01 03:34:10
|
||||||
|
+ [sshconnect.c]
|
||||||
|
+ When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
|
||||||
|
+ certificate keys to plain keys and attempt SSHFP resolution.
|
||||||
|
+
|
||||||
|
+ Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
|
||||||
|
+ dialog by offering only certificate keys.
|
||||||
|
+
|
||||||
|
+ Reported by mcv21 AT cam.ac.uk
|
||||||
|
+
|
||||||
|
20131010
|
||||||
|
- dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
||||||
|
[dh.c dh.h]
|
||||||
|
diff --git a/sshconnect.c b/sshconnect.c
|
||||||
|
index f2ba1b2..f0fdc70 100644
|
||||||
|
--- a/sshconnect.c
|
||||||
|
+++ b/sshconnect.c
|
||||||
|
@@ -1137,30 +1137,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||||
|
{
|
||||||
|
int flags = 0;
|
||||||
|
char *fp;
|
||||||
|
+ Key *plain = NULL;
|
||||||
|
|
||||||
|
fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
|
||||||
|
debug("Server host key: %s %s%s", key_type(host_key),
|
||||||
|
key_fingerprint_prefix(), fp);
|
||||||
|
xfree(fp);
|
||||||
|
|
||||||
|
- /* XXX certs are not yet supported for DNS */
|
||||||
|
- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
|
||||||
|
- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
|
||||||
|
- if (flags & DNS_VERIFY_FOUND) {
|
||||||
|
-
|
||||||
|
- if (options.verify_host_key_dns == 1 &&
|
||||||
|
- flags & DNS_VERIFY_MATCH &&
|
||||||
|
- flags & DNS_VERIFY_SECURE)
|
||||||
|
- return 0;
|
||||||
|
-
|
||||||
|
- if (flags & DNS_VERIFY_MATCH) {
|
||||||
|
- matching_host_key_dns = 1;
|
||||||
|
- } else {
|
||||||
|
- warn_changed_key(host_key);
|
||||||
|
- error("Update the SSHFP RR in DNS with the new "
|
||||||
|
- "host key to get rid of this message.");
|
||||||
|
+ if (options.verify_host_key_dns) {
|
||||||
|
+ /*
|
||||||
|
+ * XXX certs are not yet supported for DNS, so downgrade
|
||||||
|
+ * them and try the plain key.
|
||||||
|
+ */
|
||||||
|
+ plain = key_from_private(host_key);
|
||||||
|
+ if (key_is_cert(plain))
|
||||||
|
+ key_drop_cert(plain);
|
||||||
|
+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
|
||||||
|
+ if (flags & DNS_VERIFY_FOUND) {
|
||||||
|
+ if (options.verify_host_key_dns == 1 &&
|
||||||
|
+ flags & DNS_VERIFY_MATCH &&
|
||||||
|
+ flags & DNS_VERIFY_SECURE) {
|
||||||
|
+ key_free(plain);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ if (flags & DNS_VERIFY_MATCH) {
|
||||||
|
+ matching_host_key_dns = 1;
|
||||||
|
+ } else {
|
||||||
|
+ warn_changed_key(plain);
|
||||||
|
+ error("Update the SSHFP RR in DNS "
|
||||||
|
+ "with the new host key to get rid "
|
||||||
|
+ "of this message.");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ key_free(plain);
|
||||||
|
}
|
||||||
|
|
||||||
|
return check_host_key(host, hostaddr, options.port, host_key, RDRW,
|
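Review bot: `plain = key_from_private(host_key)` is dereferenced by `key_is_cert(plain)` with no NULL check; in OpenSSH's key.c that function fatal()s on an unknown key type rather than returning NULL, so this holds, but a one-line comment would save the reader the lookup: `/* key_from_private() never returns NULL (fatal on unknown type) */`. `key_free(plain)` is duplicated on the early `return 0` path and after the `if`; a single exit label would keep one free, though the upstream form is acceptable. `verify_host_key()` continues past the hunk, and `check_host_key()` still receives the original `host_key`, so the certificate itself rather than the downgraded copy is what the known_hosts check sees — worth stating in the block comment.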
16
openssh-6.2p2-fromto-remote.patch
Normal file
16
openssh-6.2p2-fromto-remote.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
diff --git a/scp.c b/scp.c
|
||||||
|
index d98fa67..25d347b 100644
|
||||||
|
--- a/scp.c
|
||||||
|
+++ b/scp.c
|
||||||
|
@@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv)
|
||||||
|
addargs(&alist, "%s", ssh_program);
|
||||||
|
addargs(&alist, "-x");
|
||||||
|
addargs(&alist, "-oClearAllForwardings=yes");
|
||||||
|
- addargs(&alist, "-n");
|
||||||
|
+ if (isatty(fileno(stdin)))
|
||||||
|
+ addargs(&alist, "-t");
|
||||||
|
+ else
|
||||||
|
+ addargs(&alist, "-n");
|
||||||
|
for (j = 0; j < remote_remote_args.num; j++) {
|
||||||
|
addargs(&alist, "%s",
|
||||||
|
remote_remote_args.list[j]);
|
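Review bot: The new branch swaps `-n` for a forced pty (`-t`) whenever local stdin is a terminal, but nothing in the hunk says why, and `-t` is a behavioural change for the remote-to-remote hop: the remote side now runs under a tty and its output is interpreted by the local terminal. The spec's patch comment only says "tty allocation for a remote scp"; put the reason next to the code, e.g. `/* stdin is a terminal: allocate a tty so the remote hop can prompt (presumably for its own ssh password) */`, adjusted to whatever the bug report actually requires. Since `-n` also redirects stdin from /dev/null, the `else` branch keeps the old non-interactive behaviour only when stdin is not a tty; `toremote()` starts and ends outside the hunk.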
37
openssh-6.2p2-ignore-bad-env-var.patch
Normal file
37
openssh-6.2p2-ignore-bad-env-var.patch
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
|
||||||
|
--- openssh-6.4p1/ChangeLog.bad-env-var 2014-03-19 21:37:36.270509907 +0100
|
||||||
|
+++ openssh-6.4p1/ChangeLog 2014-03-19 21:37:36.276509878 +0100
|
||||||
|
@@ -0,0 +1,7 @@
|
||||||
|
+20140304
|
||||||
|
+ - OpenBSD CVS Sync
|
||||||
|
+ - djm@cvs.openbsd.org 2014/03/03 22:22:30
|
||||||
|
+ [session.c]
|
||||||
|
+ ignore enviornment variables with embedded '=' or '\0' characters;
|
||||||
|
+ spotted by Jann Horn; ok deraadt@
|
||||||
|
+
|
||||||
|
diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
|
||||||
|
--- openssh-6.4p1/session.c.bad-env-var 2014-03-19 21:37:36.233510090 +0100
|
||||||
|
+++ openssh-6.4p1/session.c 2014-03-19 21:37:36.277509873 +0100
|
||||||
|
@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
|
||||||
|
u_int envsize;
|
||||||
|
u_int i, namelen;
|
||||||
|
|
||||||
|
+ if (strchr(name, '=') != NULL) {
|
||||||
|
+ error("Invalid environment variable \"%.100s\"", name);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* If we're passed an uninitialized list, allocate a single null
|
||||||
|
* entry before continuing.
|
||||||
|
@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
|
||||||
|
char *name, *val;
|
||||||
|
u_int name_len, val_len, i;
|
||||||
|
|
||||||
|
- name = packet_get_string(&name_len);
|
||||||
|
- val = packet_get_string(&val_len);
|
||||||
|
+ name = packet_get_cstring(&name_len);
|
||||||
|
+ val = packet_get_cstring(&val_len);
|
||||||
|
packet_check_eom();
|
||||||
|
|
||||||
|
/* Don't set too many environment variables */
|
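Review bot: The guard added to `child_set_env()` only rejects an embedded `=`; the `\0` half of the ChangeLog entry is handled by the second hunk, where `session_env_req()` switches to `packet_get_cstring()`, which in OpenSSH's buffer code fatal()s on an embedded NUL instead of returning it. A comment on the guard would make that split visible to the next reader: `/* '=' would split name from value; NULs are rejected earlier by packet_get_cstring() */`. The rejected name is logged with `%.100s`, so a long client-supplied name cannot flood the log, which is the right choice here. `child_set_env()` begins before the hunk.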
59
openssh-6.2p2-increase-size-of-DF-groups.patch
Normal file
59
openssh-6.2p2-increase-size-of-DF-groups.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
diff -U0 openssh-6.2p2/ChangeLog.dh openssh-6.2p2/ChangeLog
|
||||||
|
--- openssh-6.2p2/ChangeLog.dh 2013-11-18 12:14:09.662240103 +0100
|
||||||
|
+++ openssh-6.2p2/ChangeLog 2013-11-18 12:14:09.665240089 +0100
|
||||||
|
@@ -0,0 +1,8 @@
|
||||||
|
+20131010
|
||||||
|
+ - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
|
||||||
|
+ [dh.c dh.h]
|
||||||
|
+ Increase the size of the Diffie-Hellman groups requested for a each
|
||||||
|
+ symmetric key size. New values from NIST Special Publication 800-57 with
|
||||||
|
+ the upper limit specified by RFC4419. Pointed out by Peter Backes, ok
|
||||||
|
+ djm@.
|
||||||
|
+
|
||||||
|
diff -up openssh-6.2p2/dh.c.dh openssh-6.2p2/dh.c
|
||||||
|
--- openssh-6.2p2/dh.c.dh 2011-12-19 00:52:52.000000000 +0100
|
||||||
|
+++ openssh-6.2p2/dh.c 2013-11-18 12:14:09.665240089 +0100
|
||||||
|
@@ -332,17 +332,20 @@ dh_new_group14(void)
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Estimates the group order for a Diffie-Hellman group that has an
|
||||||
|
- * attack complexity approximately the same as O(2**bits). Estimate
|
||||||
|
- * with: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3)))
|
||||||
|
+ * attack complexity approximately the same as O(2**bits).
|
||||||
|
+ * Values from NIST Special Publication 800-57: Recommendation for Key
|
||||||
|
+ * Management Part 1 (rev 3) limited by the recommended maximum value
|
||||||
|
+ * from RFC4419 section 3.
|
||||||
|
*/
|
||||||
|
|
||||||
|
int
|
||||||
|
dh_estimate(int bits)
|
||||||
|
{
|
||||||
|
-
|
||||||
|
+ if (bits <= 112)
|
||||||
|
+ return 2048;
|
||||||
|
if (bits <= 128)
|
||||||
|
- return (1024); /* O(2**86) */
|
||||||
|
+ return 3072;
|
||||||
|
if (bits <= 192)
|
||||||
|
- return (2048); /* O(2**116) */
|
||||||
|
- return (4096); /* O(2**156) */
|
||||||
|
+ return 7680;
|
||||||
|
+ return 8192;
|
||||||
|
}
|
||||||
|
diff -up openssh-6.2p2/dh.h.dh openssh-6.2p2/dh.h
|
||||||
|
--- openssh-6.2p2/dh.h.dh 2008-06-29 14:47:04.000000000 +0200
|
||||||
|
+++ openssh-6.2p2/dh.h 2013-11-18 12:14:09.665240089 +0100
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-/* $OpenBSD: dh.h,v 1.10 2008/06/26 09:19:40 djm Exp $ */
|
||||||
|
+/* $OpenBSD: dh.h,v 1.11 2013/10/08 11:42:13 dtucker Exp $ */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2000 Niels Provos. All rights reserved.
|
||||||
|
@@ -43,6 +43,7 @@ int dh_pub_is_valid(DH *, BIGNUM *);
|
||||||
|
|
||||||
|
int dh_estimate(int);
|
||||||
|
|
||||||
|
+/* Min and max values from RFC4419. */
|
||||||
|
#define DH_GRP_MIN 1024
|
||||||
|
#define DH_GRP_MAX 8192
|
||||||
|
|
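Review bot: The rewritten `dh_estimate()` drops the per-branch comments the old body carried (`/* O(2**86) */` and friends) without replacing them, so 2048/3072/7680/8192 now read as bare numbers. Annotate each return with the symmetric strength it maps from, e.g. `return 3072;	/* 128-bit, SP 800-57 Part 1 comparable-strength table */` and `return 8192;	/* RFC 4419 maximum, must equal DH_GRP_MAX */`. The last value is the only one not derived from the NIST table, so the comment should make its coupling to `DH_GRP_MAX` in dh.h explicit.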
59
openssh-6.2p2-legacy-ssh-copy-id.patch
Normal file
59
openssh-6.2p2-legacy-ssh-copy-id.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||||
|
index 9f2817b..1530f6f 100644
|
||||||
|
--- a/contrib/ssh-copy-id
|
||||||
|
+++ b/contrib/ssh-copy-id
|
||||||
|
@@ -77,7 +77,7 @@ use_id_file() {
|
||||||
|
PUB_ID_FILE="$L_ID_FILE.pub"
|
||||||
|
fi
|
||||||
|
|
||||||
|
- PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
|
||||||
|
+ [ "x$SSH_COPY_ID_LEGACY" != "x" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
|
||||||
|
|
||||||
|
# check that the files are readable
|
||||||
|
for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
|
||||||
|
@@ -243,7 +243,7 @@ populate_new_ids() {
|
||||||
|
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
|
||||||
|
}
|
||||||
|
|
||||||
|
-REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
|
||||||
|
+[ "x$SSH_COPY_ID_LEGACY" != "x" ] || REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
|
||||||
|
sed -ne 's/.*remote software version //p')
|
||||||
|
|
||||||
|
case "$REMOTE_VERSION" in
|
||||||
|
@@ -268,7 +268,11 @@ case "$REMOTE_VERSION" in
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
|
||||||
|
- populate_new_ids 0
|
||||||
|
+ if [ "x$SSH_COPY_ID_LEGACY" != "x" ]; then
|
||||||
|
+ NEW_IDS=`eval "$GET_ID"`
|
||||||
|
+ else
|
||||||
|
+ populate_new_ids 0
|
||||||
|
+ fi
|
||||||
|
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
|
||||||
|
umask 077 ;
|
||||||
|
mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
|
||||||
|
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
|
||||||
|
index 67a59e4..edbf56f 100644
|
||||||
|
--- a/contrib/ssh-copy-id.1
|
||||||
|
+++ b/contrib/ssh-copy-id.1
|
||||||
|
@@ -180,6 +180,19 @@ should prove enlightening (N.B. the modern approach is to use the
|
||||||
|
.Fl W
|
||||||
|
option, rather than
|
||||||
|
.Xr nc 1 ) .
|
||||||
|
+.Sh ENVIRONMENT
|
||||||
|
+.Bl -tag -width Ds
|
||||||
|
+.Pp
|
||||||
|
+.It Pa SSH_COPY_ID_LEGACY
|
||||||
|
+If the
|
||||||
|
+.Cm SSH_COPY_ID_LEGACY
|
||||||
|
+environment variable is set, the
|
||||||
|
+.Nm
|
||||||
|
+is run in a legacy mode. In this mode, the
|
||||||
|
+.Nm
|
||||||
|
+doesn't check an existence of a private key and doesn't do remote checks
|
||||||
|
+of the remote server versions or if public keys are already installed.
|
||||||
|
+.El
|
||||||
|
.Sh "SEE ALSO"
|
||||||
|
.Xr ssh 1 ,
|
||||||
|
.Xr ssh-agent 1 ,
|
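Review bot: The legacy branch introduces a backtick command substitution for `NEW_IDS` while the surrounding script uses `$(...)`; write it as `NEW_IDS=$(eval "$GET_ID")` for consistency. The same `[ "x$SSH_COPY_ID_LEGACY" != "x" ]` test appears three times; a single `[ -n "$SSH_COPY_ID_LEGACY" ]` or a `LEGACY` flag set once at the top would read better. In legacy mode `REMOTE_VERSION` is left unset, so `case "$REMOTE_VERSION"` relies on falling into `*)`; that is what the hunk intends, but it deserves a comment on the `REMOTE_VERSION=` line: `# legacy mode skips the remote probe; REMOTE_VERSION stays empty and falls to the default case`.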
37
openssh.spec
37
openssh.spec
@ -64,7 +64,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%define openssh_ver 6.2p2
|
%define openssh_ver 6.2p2
|
||||||
%define openssh_rel 5
|
%define openssh_rel 8
|
||||||
%define pam_ssh_agent_ver 0.9.3
|
%define pam_ssh_agent_ver 0.9.3
|
||||||
%define pam_ssh_agent_rel 5
|
%define pam_ssh_agent_rel 5
|
||||||
|
|
||||||
@ -186,6 +186,18 @@ Patch907: openssh-6.2p1-aarch64.patch
|
|||||||
Patch908: openssh-6.2p2-sftp-multibyte.patch
|
Patch908: openssh-6.2p2-sftp-multibyte.patch
|
||||||
# don't show Success for EAI_SYSTEM (#985964)
|
# don't show Success for EAI_SYSTEM (#985964)
|
||||||
Patch909: openssh-6.2p2-ssh_gai_strerror.patch
|
Patch909: openssh-6.2p2-ssh_gai_strerror.patch
|
||||||
|
# increase the size of the Diffie-Hellman groups (#1010607)
|
||||||
|
Patch910: openssh-6.2p2-increase-size-of-DF-groups.patch
|
||||||
|
# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set
|
||||||
|
# http://bugzilla.mindrot.org/show_bug.cgi?id=2110
|
||||||
|
Patch911: openssh-6.2p2-legacy-ssh-copy-id.patch
|
||||||
|
# Use tty allocation for a remote scp (#985650)
|
||||||
|
Patch912: openssh-6.2p2-fromto-remote.patch
|
||||||
|
# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
|
||||||
|
# dialog by offering only certificate keys. (#1081338)
|
||||||
|
Patch913: openssh-6.2p2-CVE-2014-2653.patch
|
||||||
|
# ignore environment variables with embedded '=' or '\0' characters (#1077843)
|
||||||
|
Patch914: openssh-6.2p2-ignore-bad-env-var.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
@ -408,6 +420,11 @@ popd
|
|||||||
%patch907 -p1 -b .aarch64
|
%patch907 -p1 -b .aarch64
|
||||||
%patch908 -p1 -b .sftp-multibyte
|
%patch908 -p1 -b .sftp-multibyte
|
||||||
%patch909 -p1 -b .ssh_gai_strerror
|
%patch909 -p1 -b .ssh_gai_strerror
|
||||||
|
%patch910 -p1 -b .dh
|
||||||
|
%patch911 -p1 -b .legacy-ssh-copy-id
|
||||||
|
%patch912 -p1 -b .fromto-remote
|
||||||
|
%patch913 -p1 -b .CVE-2014-2653
|
||||||
|
%patch914 -p1 -b .bad-env-var
|
||||||
|
|
||||||
%if 0
|
%if 0
|
||||||
# Nothing here yet
|
# Nothing here yet
|
||||||
@ -628,7 +645,7 @@ getent passwd sshd >/dev/null || \
|
|||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
|
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
|
||||||
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||||
%if ! %{rescue}
|
%if ! %{rescue}
|
||||||
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||||
@ -722,6 +739,22 @@ getent passwd sshd >/dev/null || \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 19 2014 Petr Lautrbach <plautrba@redhat.com> 6.2p2-8 + 0.9.3-5
|
||||||
|
- fix fatal() cleanup in the audit patch (#1029074)
|
||||||
|
- fix parsing logic of ldap.conf file (#1033662)
|
||||||
|
- use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
|
||||||
|
- make /etc/ssh/moduli file public (#1043661)
|
||||||
|
- prevent a server from skipping SSHFP lookup - CVE-2014-2653 (#1081338)
|
||||||
|
- ignore environment variables with embedded '=' or '\0' characters - CVE-2014-2532
|
||||||
|
(#1077843)
|
||||||
|
|
||||||
|
* Wed Dec 11 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-7 + 0.9.3-5
|
||||||
|
- sshd-keygen - use correct permissions on ecdsa host key (#1023945)
|
||||||
|
|
||||||
|
* Mon Nov 18 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-6 + 0.9.3-5
|
||||||
|
- increase the size of the Diffie-Hellman groups (#1010607)
|
||||||
|
- sshd-keygen to generate ECDSA keys <i.grok@comcast.net> (#1019222)
|
||||||
|
|
||||||
* Wed Jul 31 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-5 + 0.9.3-5
|
* Wed Jul 31 2013 Petr Lautrbach <plautrba@redhat.com> 6.2p2-5 + 0.9.3-5
|
||||||
- gssapi credentials need to be stored before a pam session opened (#987792)
|
- gssapi credentials need to be stored before a pam session opened (#987792)
|
||||||
|
|
||||||
|
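Review bot: The `Patch914` comment omits the CVE identifier that the `%changelog` entry for 6.2p2-8 attaches to the same fix; align them so the spec is self-describing: `# ignore environment variables with embedded '=' or '\0' characters - CVE-2014-2532 (#1077843)`. The `%config` change for `%{_sysconfdir}/ssh/moduli` from 0600 to 0644 is a deliberate permission widening of a file that holds only public DH group parameters, matching the changelog line; a short comment above that `%attr` line stating so would stop a later audit from reverting it.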
23
sshd-keygen
23
sshd-keygen
@ -13,6 +13,7 @@ KEYGEN=/usr/bin/ssh-keygen
|
|||||||
RSA1_KEY=/etc/ssh/ssh_host_key
|
RSA1_KEY=/etc/ssh/ssh_host_key
|
||||||
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
||||||
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
||||||
|
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
|
||||||
|
|
||||||
# pull in sysconfig settings
|
# pull in sysconfig settings
|
||||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||||
@ -88,11 +89,33 @@ do_dsa_keygen() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
do_ecdsa_keygen() {
|
||||||
|
if [ ! -s $ECDSA_KEY ]; then
|
||||||
|
echo -n $"Generating SSH2 ECDSA host key: "
|
||||||
|
rm -f $ECDSA_KEY
|
||||||
|
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
|
||||||
|
chgrp ssh_keys $ECDSA_KEY
|
||||||
|
chmod 640 $ECDSA_KEY
|
||||||
|
chmod 644 $ECDSA_KEY.pub
|
||||||
|
if [ -x /sbin/restorecon ]; then
|
||||||
|
/sbin/restorecon $ECDSA_KEY.pub
|
||||||
|
fi
|
||||||
|
success $"ECDSA key generation"
|
||||||
|
echo
|
||||||
|
else
|
||||||
|
failure $"ECDSA key generation"
|
||||||
|
echo
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# Create keys if necessary
|
# Create keys if necessary
|
||||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
|
if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then
|
||||||
do_rsa_keygen
|
do_rsa_keygen
|
||||||
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
|
if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then
|
||||||
do_rsa1_keygen
|
do_rsa1_keygen
|
||||||
do_dsa_keygen
|
do_dsa_keygen
|
||||||
|
do_ecdsa_keygen
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
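Review bot: `do_ecdsa_keygen()` removes only `$ECDSA_KEY` before regenerating, so if `ssh-keygen` fails a previous `$ECDSA_KEY.pub` can survive next to a missing private key; `rm -f $ECDSA_KEY $ECDSA_KEY.pub` keeps the pair consistent. `restorecon` is applied to the `.pub` file only; if that mirrors the other `do_*_keygen` helpers (outside the hunk) it is consistent, otherwise the private key needs the same treatment. Doing `chgrp ssh_keys`/`chmod 640` after generation is fine because ssh-keygen creates the private key 0600, so there is no window where it is readable by others.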