Compare commits

...

31 Commits
master ... f21

Author SHA1 Message Date
Jakub Jelen
900cf59aaa 6.6.1p1-16 + 0.9.3-3 2015-08-14 13:41:31 +02:00
Jakub Jelen
08d2600aab Fix several vulnerabilities published with new openssh-7.0, namely:
Privilege separation weakness related to PAM support (#1252844)
		https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b
	Use-after-free bug related to PAM support (#1252852)
		https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7
2015-08-14 13:40:32 +02:00
Jakub Jelen
9c925c2906 6.6.1p1-15 + 0.9.3-3 2015-07-28 15:10:37 +02:00
Jakub Jelen
5804c90187 Handle terminal control characters in scp progressmeter (#1247204) 2015-07-28 15:09:09 +02:00
Jakub Jelen
c4cc2d9a05 6.6p1-14 + 0.9.3-3 2015-07-23 13:03:15 +02:00
Jakub Jelen
88adbf2b73 only query each keyboard-interactive device once (#1245971) 2015-07-23 13:01:43 +02:00
Jakub Jelen
2cad5f521e 6.6p1-13 + 0.9.3-3 2015-07-01 20:11:01 +02:00
Jakub Jelen
1951e1b5a4 Security fixes released with openssh-6.9
* XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231)
  * https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d
 * weakness of agent locking (ssh-add -x) to password guessing (#1238238)
  * https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=9173d0fbe44de7ebcad8a15618e13a8b8d78902e
  * https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=e97201feca10b5196da35819ae516d0b87cf3a50
2015-07-01 20:11:01 +02:00
Jakub Jelen
90469031ee ssh-copy-id: tcsh doesnt work with multiline strings so we will make it uggly one-line 2015-07-01 19:09:05 +02:00
Jakub Jelen
1f82f4e6c3 Fix auditing when using combination of ForceCommand and PTY to restore ControlPersist function (#1203900) 2015-07-01 19:08:33 +02:00
Petr Lautrbach
39ae32632c fix direction in CRYPTO_SESSION audit message 2015-04-08 18:25:27 +02:00
Jakub Jelen
680ce4039a 6.6.1p1-12 + 0.9.3-3 2015-03-30 08:17:24 +02:00
Jakub Jelen
00050d05ad Solve issue with ssh-copy-id and keys without trailing newline (#1093168) 2015-03-30 08:17:24 +02:00
Jakub Jelen
edabae2a71 Add tmpfiles.d entris (#1196807) 2015-03-30 08:17:20 +02:00
Jakub Jelen
81e0433a58 Remove unused patch 2015-03-30 08:16:54 +02:00
Jakub Jelen
efcbda1905 Fix ssh-copy-id on non-sh shells (#1045191) 2015-03-30 08:16:46 +02:00
Petr Lautrbach
2bcb9f6f88 Merge remote-tracking branch 'origin/master' into f21 2015-01-15 15:04:45 +01:00
Petr Lautrbach
6a46008ce7 Merge remote-tracking branch 'origin/master' into f21 2015-01-14 17:16:34 +01:00
Petr Lautrbach
a955bb2b7a Merge remote-tracking branch 'origin/master' into f21 2014-12-19 10:47:02 +01:00
Petr Lautrbach
392e4a4ec1 Merge remote-tracking branch 'origin/master' into f21 2014-12-15 19:24:24 +01:00
Petr Lautrbach
e3dc63b806 Merge remote-tracking branch 'origin/master' into f21 2014-12-03 18:20:45 +01:00
Petr Lautrbach
f6f4e6e58b Merge remote-tracking branch 'origin/master' into f21 2014-11-13 22:23:33 +01:00
Petr Lautrbach
a861892af4 Merge remote-tracking branch 'origin/master' into f21 2014-11-12 17:42:39 +01:00
Petr Lautrbach
2e03f2060c Merge remote-tracking branch 'origin/master' into f21 2014-11-07 12:58:05 +01:00
Petr Lautrbach
d64ab980a2 Merge remote-tracking branch 'origin/master' into f21 2014-11-04 19:24:28 +01:00
Petr Lautrbach
b7e2bae5c4 Merge remote-tracking branch 'origin/master' into f21 2014-10-26 22:50:54 +01:00
Petr Lautrbach
b496a68195 Merge remote-tracking branch 'origin/master' into f21 2014-09-29 13:11:25 +02:00
Petr Lautrbach
a8b57d6ad1 Merge remote-tracking branch 'origin/master' into f21 2014-09-23 12:33:53 +02:00
Petr Lautrbach
54097638b5 Merge remote-tracking branch 'origin/master' into f21 2014-09-08 10:40:56 +02:00
Peter Robinson
6bf77575df - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild 2014-08-17 14:08:18 +00:00
Tom Callaway
15ef945eda fix license handling 2014-07-18 19:28:49 -04:00
14 changed files with 480 additions and 106 deletions

View File

@ -1,18 +0,0 @@
diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1
--- openssh-5.1p1/scp.1.manpage 2008-07-12 09:12:49.000000000 +0200
+++ openssh-5.1p1/scp.1 2008-07-23 19:18:15.000000000 +0200
@@ -66,6 +66,14 @@ treating file names containing
as host specifiers.
Copies between two remote hosts are also permitted.
.Pp
+When copying a source file to a target file which already exists,
+.Nm
+will replace the contents of the target file (keeping the inode).
+.Pp
+If the target file does not yet exist, an empty file with the target
+file name is created, then filled with the source file contents.
+No attempt is made at "near-atomic" transfer using temporary files.
+.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 1

View File

@ -121,7 +121,7 @@ index ede7b67..eb5f333 100644
dh_need = MAX(dh_need, newkeys->mac.key_len);
+ debug("kex: %s need=%d dh_need=%d", kex->name, need, dh_need);
+#ifdef SSH_AUDIT_EVENTS
+ audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name, kex->name);
+ audit_kex(mode, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name, kex->name);
+#endif
}
/* XXX need runden? */

View File

@ -168,15 +168,6 @@ diff --git a/progressmeter.c b/progressmeter.c
index bbbc706..ae6d1aa 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
static time_t last_update; /* last progress update */
-static char *file; /* name of the file being transferred */
+static const char *file; /* name of the file being transferred */
static off_t start_pos; /* initial position of transfer */
static off_t end_pos; /* ending position of transfer */
static off_t cur_pos; /* transfer position as of last refresh */
@@ -248,7 +248,7 @@ update_progress_meter(int ignore)
}
@ -185,7 +176,7 @@ index bbbc706..ae6d1aa 100644
+start_progress_meter(const char *f, off_t filesize, off_t *ctr)
{
start = last_update = monotime();
file = f;
if (strlen(f) > file_len) {
diff --git a/progressmeter.h b/progressmeter.h
index 10bab99..e9ca8f0 100644
--- a/progressmeter.h

View File

@ -15,78 +15,24 @@ diff --git a/misc.h b/misc.h
index d4df619..d98b83d 100644
--- a/misc.h
+++ b/misc.h
@@ -106,4 +106,7 @@ char *read_passphrase(const char *, int);
@@ -135,4 +135,8 @@ char *read_passphrase(const char *, int)
int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
+/* utf8_stringprep.c */
+int utf8_stringprep(const char *, char *, size_t);
+void sanitize_utf8(char *, const char *, size_t);
+
#endif /* _MISC_H */
diff --git a/sshconnect2.c b/sshconnect2.c
index b00658b..08064f4 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -33,6 +33,8 @@
#include <errno.h>
#include <fcntl.h>
+#include <langinfo.h>
+#include <locale.h>
#include <netdb.h>
#include <pwd.h>
#include <signal.h>
@@ -519,21 +521,51 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
"type %d", type);
}
+/* Check whether we can display UTF-8 safely */
+static int
+utf8_ok(void)
+{
+ static int ret = -1;
+ char *cp;
+
+ if (ret == -1) {
+ setlocale(LC_CTYPE, "");
+ cp = nl_langinfo(CODESET);
+ ret = strcmp(cp, "UTF-8") == 0;
+ }
+ return ret;
+}
+
/* ARGSUSED */
void
input_userauth_banner(int type, u_int32_t seq, void *ctxt)
{
char *msg, *raw, *lang;
- u_int len;
+ u_int done, len;
debug3("input_userauth_banner");
+
raw = packet_get_string(&len);
lang = packet_get_string(NULL);
if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
diff -up openssh-6.8p1/sshconnect2.c.utf8-banner openssh-6.8p1/sshconnect2.c
--- openssh-6.8p1/sshconnect2.c.utf8-banner 2015-03-18 12:41:28.161713220 +0100
+++ openssh-6.8p1/sshconnect2.c 2015-03-18 12:44:05.483317714 +0100
@@ -532,7 +534,7 @@ input_userauth_error(int type, u_int32_t
if (len > 65536)
len = 65536;
msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
- strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
+ done = 0;
+ if (utf8_ok()) {
+ if (utf8_stringprep(raw, msg, len * 4 + 1) == 0)
+ done = 1;
+ else
+ debug2("%s: UTF8 stringprep failed", __func__);
+ }
+ /*
+ * Fallback to strnvis if UTF8 display not supported or
+ * conversion failed.
+ */
+ if (!done) {
+ strnvis(msg, raw, len * 4 + 1,
+ VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
+ }
+ sanitize_utf8(msg, raw, len);
fprintf(stderr, "%s", msg);
free(msg);
}
@ -757,12 +703,10 @@ index 0000000..49f4d9d
+ { 0xE0020, 0xE007F },
+};
+
diff --git a/utf8_stringprep.c b/utf8_stringprep.c
new file mode 100644
index 0000000..bcafae7
--- /dev/null
+++ b/utf8_stringprep.c
@@ -0,0 +1,229 @@
diff -up openssh-6.8p1/utf8_stringprep.c.utf8-banner openssh-6.8p1/utf8_stringprep.c
--- openssh-6.8p1/utf8_stringprep.c.utf8-banner 2015-03-18 12:41:28.175713185 +0100
+++ openssh-6.8p1/utf8_stringprep.c 2015-03-18 12:41:28.175713185 +0100
@@ -0,0 +1,265 @@
+/*
+ * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
+ *
@ -803,8 +747,12 @@ index 0000000..bcafae7
+#include <string.h>
+#include <limits.h>
+#include <ctype.h>
+#include <langinfo.h>
+#include <locale.h>
+
+#include "includes.h"
+#include "misc.h"
+#include "log.h"
+
+struct u32_range {
+ u_int32_t lo, hi; /* Inclusive */
@ -992,3 +940,35 @@ index 0000000..bcafae7
+ return 0;
+}
+
+/* Check whether we can display UTF-8 safely */
+int
+utf8_ok(void)
+{
+ static int ret = -1;
+ char *cp;
+
+ if (ret == -1) {
+ setlocale(LC_CTYPE, "");
+ cp = nl_langinfo(CODESET);
+ ret = strcmp(cp, "UTF-8") == 0;
+ }
+ return ret;
+}
+
+void
+sanitize_utf8(char *target, const char *source, size_t length)
+{
+ u_int done = 0;
+ if (utf8_ok()) {
+ if (utf8_stringprep(source, target, length * 4 + 1) == 0)
+ done = 1;
+ else
+ debug2("%s: UTF8 stringprep failed", __func__);
+ }
+ /*
+ * Fallback to strnvis if UTF8 display not supported or
+ * conversion failed.
+ */
+ if (!done)
+ strnvis(target, source, length * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
+}

View File

@ -1934,7 +1934,7 @@ index df43592..b186ca1 100644
- PRIVSEP(audit_run_command(shell));
+ s->command = xstrdup(shell);
}
+ if (s->command != NULL)
+ if (s->command != NULL && s->ptyfd == -1)
+ s->command_handle = PRIVSEP(audit_run_command(s->command));
#endif
if (s->ttyfd != -1)
@ -1979,7 +1979,7 @@ index df43592..b186ca1 100644
session_by_tty(char *tty)
{
int i;
@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status)
@@ -2532,6 +2561,32 @@ session_exit_message(Session *s, int sta
chan_write_failed(c);
}
@ -1988,7 +1988,8 @@ index df43592..b186ca1 100644
+session_end_command2(Session *s)
+{
+ if (s->command != NULL) {
+ audit_end_command(s->command_handle, s->command);
+ if (s->command_handle != -1)
+ audit_end_command(s->command_handle, s->command);
+ free(s->command);
+ s->command = NULL;
+ s->command_handle = -1;
@ -1999,7 +2000,8 @@ index df43592..b186ca1 100644
+session_end_command(Session *s)
+{
+ if (s->command != NULL) {
+ PRIVSEP(audit_end_command(s->command_handle, s->command));
+ if (s->command_handle != -1)
+ PRIVSEP(audit_end_command(s->command_handle, s->command));
+ free(s->command);
+ s->command = NULL;
+ s->command_handle = -1;

View File

@ -0,0 +1,47 @@
From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sat, 18 Jul 2015 07:57:14 +0000
Subject: upstream commit
only query each keyboard-interactive device once per
authentication request regardless of how many times it is listed; ok markus@
Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
---
auth2-chall.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/auth2-chall.c b/auth2-chall.c
index ddabe1a..4aff09d 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -83,6 +83,7 @@ struct KbdintAuthctxt
void *ctxt;
KbdintDevice *device;
u_int nreq;
+ u_int devices_done;
};
#ifdef USE_PAM
@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
if (len == 0)
break;
for (i = 0; devices[i]; i++) {
- if (!auth2_method_allowed(authctxt,
+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
+ !auth2_method_allowed(authctxt,
"keyboard-interactive", devices[i]->name))
continue;
- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
+ if (strncmp(kbdintctxt->devices, devices[i]->name,
+ len) == 0) {
kbdintctxt->device = devices[i];
+ kbdintctxt->devices_done |= 1 << i;
+ }
}
t = kbdintctxt->devices;
kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
--
cgit v0.11.2

View File

@ -13,8 +13,8 @@ index 3bb7f00..294bef5 100644
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

View File

@ -0,0 +1,38 @@
diff -up openssh-6.6p1/Makefile.in.progressmeter openssh-6.6p1/Makefile.in
--- openssh-6.6p1/Makefile.in.progressmeter 2015-07-28 14:22:08.740278100 +0200
+++ openssh-6.6p1/Makefile.in 2015-07-28 14:22:08.769278063 +0200
@@ -158,8 +158,8 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SS
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
-scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
- $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
+ $(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-6.6p1/progressmeter.c.progressmeter openssh-6.6p1/progressmeter.c
--- openssh-6.6p1/progressmeter.c.progressmeter 2015-07-28 14:22:08.768278064 +0200
+++ openssh-6.6p1/progressmeter.c 2015-07-28 14:23:51.464143827 +0200
@@ -66,6 +66,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */
static time_t last_update; /* last progress update */
static char *file; /* name of the file being transferred */
+static size_t file_len = 0; /* allocated length of file */
static off_t start_pos; /* initial position of transfer */
static off_t end_pos; /* ending position of transfer */
static off_t cur_pos; /* transfer position as of last refresh */
@@ -251,7 +252,11 @@ void
start_progress_meter(char *f, off_t filesize, off_t *ctr)
{
start = last_update = monotime();
- file = f;
+ if (strlen(f) > file_len) {
+ file_len = strlen(f);
+ file = realloc(file, file_len * 4 + 1);
+ }
+ sanitize_utf8(file, f, file_len);
start_pos = *ctr;
end_pos = filesize;
cur_pos = 0;

View File

@ -0,0 +1,44 @@
diff --git a/monitor.c b/monitor.c
index b410965..f1b873d 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
int
mm_answer_pam_init_ctx(int sock, Buffer *m)
{
-
debug3("%s", __func__);
- authctxt->user = buffer_get_string(m, NULL);
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
sshpam_authok = NULL;
buffer_clear(m);
@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
int
mm_answer_pam_free_ctx(int sock, Buffer *m)
{
+ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
debug3("%s", __func__);
(sshpam_device.free_ctx)(sshpam_ctxt);
+ sshpam_ctxt = sshpam_authok = NULL;
buffer_clear(m);
mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
auth_method = "keyboard-interactive";
auth_submethod = "pam";
- return (sshpam_authok == sshpam_ctxt);
+ return r;
}
#endif
diff --git a/monitor_wrap.c b/monitor_wrap.c
index e6217b3..eac421b 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
debug3("%s", __func__);
buffer_init(&m);
- buffer_put_cstring(&m, authctxt->user);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);

View File

@ -0,0 +1,214 @@
diff -up openssh-6.6p1/channels.c.security openssh-6.6p1/channels.c
--- openssh-6.6p1/channels.c.security 2015-07-01 19:27:08.521162690 +0200
+++ openssh-6.6p1/channels.c 2015-07-01 19:27:08.597162521 +0200
@@ -151,6 +151,9 @@ static char *x11_saved_proto = NULL;
static char *x11_saved_data = NULL;
static u_int x11_saved_data_len = 0;
+/* Deadline after which all X11 connections are refused */
+static u_int x11_refuse_time;
+
/*
* Fake X11 authentication data. This is what the server will be sending us;
* we should replace any occurrences of this by the real data.
@@ -894,6 +897,13 @@ x11_open_helper(Buffer *b)
u_char *ucp;
u_int proto_len, data_len;
+ /* Is this being called after the refusal deadline? */
+ if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
+ verbose("Rejected X11 connection after ForwardX11Timeout "
+ "expired");
+ return -1;
+ }
+
/* Check if the fixed size part of the packet is in buffer. */
if (buffer_len(b) < 12)
return 0;
@@ -1457,6 +1467,12 @@ channel_set_reuseaddr(int fd)
error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
}
+void
+channel_set_x11_refuse_time(u_int refuse_time)
+{
+ x11_refuse_time = refuse_time;
+}
+
/*
* This socket is listening for connections to a forwarded TCP/IP port.
*/
diff -up openssh-6.6p1/channels.h.security openssh-6.6p1/channels.h
--- openssh-6.6p1/channels.h.security 2015-07-01 19:27:08.597162521 +0200
+++ openssh-6.6p1/channels.h 2015-07-01 19:43:32.900950560 +0200
@@ -279,6 +279,7 @@ int permitopen_port(const char *);
/* x11 forwarding */
+void channel_set_x11_refuse_time(u_int);
int x11_connect_display(void);
int x11_create_display_inet(int, int, int, u_int *, int **);
void x11_input_open(int, u_int32_t, void *);
diff -up openssh-6.6p1/clientloop.c.security openssh-6.6p1/clientloop.c
--- openssh-6.6p1/clientloop.c.security 2015-07-01 19:27:08.540162648 +0200
+++ openssh-6.6p1/clientloop.c 2015-07-01 19:44:51.139761508 +0200
@@ -164,7 +164,7 @@ static int connection_in; /* Connection
static int connection_out; /* Connection to server (output). */
static int need_rekeying; /* Set to non-zero if rekeying is requested. */
static int session_closed; /* In SSH2: login session closed. */
-static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
+static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
static void client_init_dispatch(void);
int session_ident = -1;
@@ -302,7 +302,8 @@ client_x11_display_valid(const char *dis
return 1;
}
-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
+#define X11_TIMEOUT_SLACK 60
void
client_x11_get_proto(const char *display, const char *xauth_path,
u_int trusted, u_int timeout, char **_proto, char **_data)
@@ -315,7 +316,7 @@ client_x11_get_proto(const char *display
int got_data = 0, generated = 0, do_unlink = 0, i;
char *xauthdir, *xauthfile;
struct stat st;
- u_int now;
+ u_int now, x11_timeout_real;
xauthdir = xauthfile = NULL;
*_proto = proto;
@@ -348,6 +349,15 @@ client_x11_get_proto(const char *display
xauthdir = xmalloc(MAXPATHLEN);
xauthfile = xmalloc(MAXPATHLEN);
mktemp_proto(xauthdir, MAXPATHLEN);
+ /*
+ * The authentication cookie should briefly outlive
+ * ssh's willingness to forward X11 connections to
+ * avoid nasty fail-open behaviour in the X server.
+ */
+ if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
+ x11_timeout_real = UINT_MAX;
+ else
+ x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
if (mkdtemp(xauthdir) != NULL) {
do_unlink = 1;
snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
@@ -355,17 +365,20 @@ client_x11_get_proto(const char *display
snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
" untrusted timeout %u 2>" _PATH_DEVNULL,
- xauth_path, xauthfile, display, timeout);
+ xauth_path, xauthfile, display,
+ x11_timeout_real);
debug2("x11_get_proto: %s", cmd);
- if (system(cmd) == 0)
- generated = 1;
if (x11_refuse_time == 0) {
now = monotime() + 1;
if (UINT_MAX - timeout < now)
x11_refuse_time = UINT_MAX;
else
x11_refuse_time = now + timeout;
+ channel_set_x11_refuse_time(
+ x11_refuse_time);
}
+ if (system(cmd) == 0)
+ generated = 1;
}
}
@@ -1884,7 +1897,7 @@ client_request_x11(const char *request_t
"malicious server.");
return NULL;
}
- if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
+ if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
verbose("Rejected X11 connection after ForwardX11Timeout "
"expired");
return NULL;
diff -up openssh-6.6p1/ssh-agent.c.security openssh-6.6p1/ssh-agent.c
--- openssh-6.6p1/ssh-agent.c.security 2015-07-01 19:27:08.597162521 +0200
+++ openssh-6.6p1/ssh-agent.c 2015-07-01 19:42:35.691088800 +0200
@@ -64,6 +64,9 @@
#include <time.h>
#include <string.h>
#include <unistd.h>
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
#include "xmalloc.h"
#include "ssh.h"
@@ -129,8 +130,12 @@ char socket_name[MAXPATHLEN];
char socket_dir[MAXPATHLEN];
/* locking */
+#define LOCK_SIZE 32
+#define LOCK_SALT_SIZE 16
+#define LOCK_ROUNDS 1
int locked = 0;
-char *lock_passwd = NULL;
+char lock_passwd[LOCK_SIZE];
+char lock_salt[LOCK_SALT_SIZE];
extern char *__progname;
@@ -548,22 +553,45 @@ send:
static void
process_lock_agent(SocketEntry *e, int lock)
{
- int success = 0;
- char *passwd;
+ int success = 0, delay;
+ char *passwd, passwdhash[LOCK_SIZE];
+ static u_int fail_count = 0;
+ size_t pwlen;
passwd = buffer_get_string(&e->request, NULL);
- if (locked && !lock && strcmp(passwd, lock_passwd) == 0) {
- locked = 0;
- explicit_bzero(lock_passwd, strlen(lock_passwd));
- free(lock_passwd);
- lock_passwd = NULL;
- success = 1;
+ pwlen = strlen(passwd);
+ if (pwlen == 0) {
+ debug("empty password not supported");
+ } else if (locked && !lock) {
+ if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
+ passwdhash, sizeof(passwdhash), LOCK_ROUNDS) < 0)
+ fatal("bcrypt_pbkdf");
+ if (timingsafe_bcmp(passwdhash, lock_passwd, LOCK_SIZE) == 0) {
+ debug("agent unlocked");
+ locked = 0;
+ fail_count = 0;
+ explicit_bzero(lock_passwd, sizeof(lock_passwd));
+ success = 1;
+ } else {
+ /* delay in 0.1s increments up to 10s */
+ if (fail_count < 100)
+ fail_count++;
+ delay = 100000 * fail_count;
+ debug("unlock failed, delaying %0.1lf seconds",
+ (double)delay/1000000);
+ usleep(delay);
+ }
+ explicit_bzero(passwdhash, sizeof(passwdhash));
} else if (!locked && lock) {
+ debug("agent locked");
locked = 1;
- lock_passwd = xstrdup(passwd);
+ arc4random_buf(lock_salt, sizeof(lock_salt));
+ if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
+ lock_passwd, sizeof(lock_passwd), LOCK_ROUNDS) < 0)
+ fatal("bcrypt_pbkdf");
success = 1;
}
- explicit_bzero(passwd, strlen(passwd));
+ explicit_bzero(passwd, pwlen);
free(passwd);
buffer_put_int(&e->output, 1);

View File

@ -0,0 +1,15 @@
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 8e1091c..4bba5d6 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -274,9 +274,7 @@ case "$REMOTE_VERSION" in
populate_new_ids 0
fi
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
- umask 077 ;
+ exec sh -c 'umask 077; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1; if type restorecon >/dev/null 2>&1; then restorecon -F .ssh .ssh/authorized_keys; fi'" \
- mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
- if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;

View File

@ -0,0 +1,13 @@
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 4bba5d6..ed1208e 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -207,7 +207,7 @@ populate_new_ids() {
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
NEW_IDS=$(
eval $GET_ID | {
- while read ID ; do
+ while read ID || [[ -n $ID ]]; do
printf '%s\n' "$ID" > $L_TMP_ID_FILE
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this

View File

@ -64,7 +64,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 6.6.1p1
%define openssh_rel 11.1
%define openssh_rel 16
%define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 3
@ -88,6 +88,7 @@ Source10: sshd.socket
Source11: sshd.service
Source12: sshd-keygen.service
Source13: sshd-keygen
Source14: sshd.tmpfiles
# Internal debug
Patch0: openssh-5.9p1-wIm.patch
@ -153,8 +154,6 @@ Patch703: openssh-4.3p2-askpass-grab-info.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=205842
# drop? Patch704: openssh-5.9p1-edns.patch
#?
Patch705: openssh-5.1p1-scp-manpage.patch
#?
Patch706: openssh-6.6.1p1-localdomain.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-6.6p1-redhat.patch
@ -223,6 +222,22 @@ Patch918: openssh-6.6.1p1-log-in-chroot.patch
Patch919: openssh-6.6.1p1-scp-non-existing-directory.patch
# Config parser shouldn't accept ip/port syntax (#1130733)
Patch920: openssh-6.6.1p1-ip-port-config-parser.patch
# fix ssh-copy-id on non-sh shells (#1045191)
Patch921: openssh-6.7p1-fix-ssh-copy-id-on-non-sh-shell.patch
# Solve issue with ssh-copy-id and keys without trailing newline (#1093168)
Patch922: openssh-6.7p1-ssh-copy-id-truncated-keys.patch
# Security fixes backported from openssh-6.9
# XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231)
# weakness of agent locking (ssh-add -x) to password guessing (#1238238)
Patch923: openssh-6.6p1-security-from-6.9.patch
# authentication limits (MaxAuthTries) bypass [security] (#1245971)
Patch924: openssh-6.6p1-authentication-limits-bypass.patch
# Handle terminal control characters in scp progressmeter (#1247204)
Patch925: openssh-6.6p1-scp-progressmeter.patch
# Vulnerabilities published with openssh-7.0:
# Privilege separation weakness related to PAM support (#1252844)
# Use-after-free bug related to PAM support (#1252852)
Patch926: openssh-6.6p1-security-7.0.patch
License: BSD
Group: Applications/Internet
@ -405,7 +420,6 @@ popd
%patch703 -p1 -b .grab-info
# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842
# probably not needed anymore %patch704 -p1 -b .edns
# drop it %patch705 -p1 -b .manpage
%patch706 -p1 -b .localdomain
%patch707 -p1 -b .redhat
%patch708 -p1 -b .entropy
@ -437,6 +451,12 @@ popd
%patch919 -p1 -b .scp
%patch920 -p1 -b .config
%patch802 -p1 -b .GSSAPIEnablek5users
%patch921 -p1 -b .ssh-copy-id
%patch922 -p1 -b .newline
%patch923 -p1 -b .security
%patch924 -p1 -b .kbd
%patch925 -p1 -b .progressmeter
%patch926 -p1 -b .security7
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-fps
@ -601,6 +621,7 @@ install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
%if ! %{no_gnome_askpass}
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
@ -715,6 +736,7 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd@.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
%endif
%if %{ldap}
@ -751,6 +773,31 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
* Fri Aug 14 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-16 + 0.9.3-3
- Fix vulnerabilities published with openssh-7.0:
- Privilege separation weakness related to PAM support (#1252844)
- Use-after-free bug related to PAM support (#1252852)
* Tue Jul 28 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-15 + 0.9.3-3
- Handle terminal control characters in scp progressmeter (#1247204)
* Thu Jul 23 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-14 + 0.9.3-3
- CVE-2015-5600: only query each keyboard-interactive device once (#1245971)
* Wed Jul 01 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-13 + 0.9.3.3
- Security fixes released with openssh-6.9
- XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231)
- weakness of agent locking (ssh-add -x) to password guessing (#1238238)
- ssh-copy-id: tcsh doesnt work with multiline strings so we will make it uggly one-line
- Fix auditing when using combination of ForceCommand and PTY (#1203900)
- fix direction in CRYPTO_SESSION audit message
* Mon Mar 30 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-12 + 0.9.3-3
- Fix ssh-copy-id on non-sh shells (#1045191)
- Add tmpfiles.d entris (#1196807)
- Solve issue with ssh-copy-id and keys without trailing newline (#1093168)
- Remove unused patch
* Thu Jan 15 2015 Jakub Jelen <jjelen@redhat.com> 6.6.1p1-11.1 + 0.9.3-3
- error message if scp when directory doesn't exist (#1142223)
- parsing configuration file values (#1130733)

1
sshd.tmpfiles Normal file
View File

@ -0,0 +1 @@
d /var/empty/sshd 711 root root -