Compare commits
23 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
180d4765d3 | ||
|
0a18e4800e | ||
|
10f391c509 | ||
|
47f126ca0a | ||
|
08f0c1b883 | ||
|
5cbd391da9 | ||
|
2cc5f8d34f | ||
|
17fe33f562 | ||
|
1163e29a09 | ||
|
f57d783933 | ||
|
88e0ad5272 | ||
|
a78d20aea9 | ||
|
76d20b5d73 | ||
|
851c2edb82 | ||
|
c4d3e04417 | ||
|
e41c4da9c3 | ||
|
7eedf13e93 | ||
|
b03894d4b8 | ||
|
4f43511091 | ||
|
e18038aa0e | ||
|
8cbf67daf2 | ||
|
23f2b8953b | ||
|
4776fad91e |
@ -12,12 +12,14 @@ diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
|
|||||||
index 742b4b9..acae399 100644
|
index 742b4b9..acae399 100644
|
||||||
--- a/openbsd-compat/glob.c
|
--- a/openbsd-compat/glob.c
|
||||||
+++ b/openbsd-compat/glob.c
|
+++ b/openbsd-compat/glob.c
|
||||||
@@ -130,7 +130,7 @@ typedef char Char;
|
@@ -130,8 +130,8 @@ typedef char Char;
|
||||||
|
#define M_CLASS META(':')
|
||||||
#define ismeta(c) (((c)&M_QUOTE) != 0)
|
#define ismeta(c) (((c)&M_QUOTE) != 0)
|
||||||
|
|
||||||
#define GLOB_LIMIT_MALLOC 65536
|
-#define GLOB_LIMIT_MALLOC 65536
|
||||||
-#define GLOB_LIMIT_STAT 128
|
-#define GLOB_LIMIT_STAT 128
|
||||||
+#define GLOB_LIMIT_STAT 1024
|
+#define GLOB_LIMIT_MALLOC 65536*64
|
||||||
|
+#define GLOB_LIMIT_STAT 128*64
|
||||||
#define GLOB_LIMIT_READDIR 16384
|
#define GLOB_LIMIT_READDIR 16384
|
||||||
|
|
||||||
/* Limit of recursion during matching attempts. */
|
/* Limit of recursion during matching attempts. */
|
||||||
|
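Review bot: Both new values are unparenthesized products in object-like macros, `#define GLOB_LIMIT_MALLOC 65536*64` and `#define GLOB_LIMIT_STAT 128*64`, and the 64x raise of both limits carries no justification in the hunk. As their names and the neighbouring `GLOB_LIMIT_READDIR` and recursion-limit comment indicate, these constants bound how much allocation and stat() work a single pattern may cost when limited globbing is requested, so loosening them weakens a resource-exhaustion guard; I would write `#define GLOB_LIMIT_MALLOC (65536*64)` and `#define GLOB_LIMIT_STAT (128*64)` and add a one-line comment naming the workload that overran the old limits. Whether the factor is needed for both limits, or only for the stat limit that the previous version of this patch raised to 1024, is not visible here.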
@ -2476,6 +2476,18 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
|
|||||||
diff -up openssh/sshd.c.gsskex openssh/sshd.c
|
diff -up openssh/sshd.c.gsskex openssh/sshd.c
|
||||||
--- openssh/sshd.c.gsskex 2015-06-24 11:07:36.217389832 +0200
|
--- openssh/sshd.c.gsskex 2015-06-24 11:07:36.217389832 +0200
|
||||||
+++ openssh/sshd.c 2015-06-24 11:07:36.235389787 +0200
|
+++ openssh/sshd.c 2015-06-24 11:07:36.235389787 +0200
|
||||||
|
@@ -1043,8 +1043,9 @@ notify_hostkeys(struct ssh *ssh)
|
||||||
|
}
|
||||||
|
debug3("%s: sent %d hostkeys", __func__, nkeys);
|
||||||
|
if (nkeys == 0)
|
||||||
|
- fatal("%s: no hostkeys", __func__);
|
||||||
|
- packet_send();
|
||||||
|
+ debug3("%s: no hostkeys", __func__);
|
||||||
|
+ else
|
||||||
|
+ packet_send();
|
||||||
|
sshbuf_free(buf);
|
||||||
|
}
|
||||||
|
|
||||||
@@ -1839,10 +1839,13 @@ main(int ac, char **av)
|
@@ -1839,10 +1839,13 @@ main(int ac, char **av)
|
||||||
logit("Disabling protocol version 1. Could not load host key");
|
logit("Disabling protocol version 1. Could not load host key");
|
||||||
options.protocol &= ~SSH_PROTO_1;
|
options.protocol &= ~SSH_PROTO_1;
|
||||||
@ -2695,3 +2707,26 @@ diff -up openssh/ssh-gss.h.gsskex openssh/ssh-gss.h
|
|||||||
#endif /* GSSAPI */
|
#endif /* GSSAPI */
|
||||||
|
|
||||||
#endif /* _SSH_GSS_H */
|
#endif /* _SSH_GSS_H */
|
||||||
|
|
||||||
|
diff -up openssh-7.1p1/sshkey.c.gsskex openssh-7.1p1/sshkey.c
|
||||||
|
--- openssh-7.1p1/sshkey.c.gsskex 2015-09-17 15:54:32.135673460 +0200
|
||||||
|
+++ openssh-7.1p1/sshkey.c 2015-09-17 15:55:23.014666159 +0200
|
||||||
|
@@ -112,6 +112,7 @@ static const struct keytype keytypes[] =
|
||||||
|
{ "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
|
||||||
|
KEY_DSA_CERT_V00, 0, 1 },
|
||||||
|
#endif /* WITH_OPENSSL */
|
||||||
|
+ { "null", "null", KEY_NULL, 0, 0 },
|
||||||
|
{ NULL, NULL, -1, -1, 0 }
|
||||||
|
};
|
||||||
|
|
||||||
|
diff -up openssh-7.1p1/sshkey.h.gsskex openssh-7.1p1/sshkey.h
|
||||||
|
--- openssh-7.1p1/sshkey.h.gsskex 2015-09-17 15:54:32.135673460 +0200
|
||||||
|
+++ openssh-7.1p1/sshkey.h 2015-09-17 15:55:45.885662877 +0200
|
||||||
|
@@ -62,6 +62,7 @@ enum sshkey_types {
|
||||||
|
KEY_ED25519_CERT,
|
||||||
|
KEY_RSA_CERT_V00,
|
||||||
|
KEY_DSA_CERT_V00,
|
||||||
|
+ KEY_NULL,
|
||||||
|
KEY_UNSPEC
|
||||||
|
};
|
||||||
|
|
||||||
|
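Review bot: The `KEY_NULL` member added to `enum sshkey_types` and the `{ "null", "null", KEY_NULL, 0, 0 }` row added to `keytypes[]` (second hunk of this section, `@ -2695,3 +2707,26 @@`) have no comment saying what the type is for, and once the row is in the table `sshkey_type_from_name("null")` resolves for every caller, not only the GSSAPI key-exchange path this patch presumably adds it for. Every `switch` on a key type in sshkey.c without a `default:` now meets this value; those functions are outside the hunk and should be checked so that a null key is refused by signing, verification and size queries rather than handled like a real key. I would document the member as `KEY_NULL, /* placeholder host key type for GSSAPI key exchange; carries no key material */` and mark the table row the same way. Both the enum and the `keytypes[]` initializer start and end outside the hunk.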
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh/cipher.c.fips openssh/cipher.c
|
diff -up openssh-6.9p1/cipher.c.fips openssh-6.9p1/cipher.c
|
||||||
--- openssh/cipher.c.fips 2015-06-24 12:00:58.730242500 +0200
|
--- openssh-6.9p1/cipher.c.fips 2015-08-20 11:57:44.962287011 +0200
|
||||||
+++ openssh/cipher.c 2015-06-24 12:00:58.737242482 +0200
|
+++ openssh-6.9p1/cipher.c 2015-08-20 11:57:44.968286988 +0200
|
||||||
@@ -39,6 +39,8 @@
|
@@ -39,6 +39,8 @@
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -73,9 +73,9 @@ diff -up openssh/cipher.c.fips openssh/cipher.c
|
|||||||
if (strcasecmp(c->name, name) == 0)
|
if (strcasecmp(c->name, name) == 0)
|
||||||
return c->number;
|
return c->number;
|
||||||
return -1;
|
return -1;
|
||||||
diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
|
diff -up openssh-6.9p1/cipher-ctr.c.fips openssh-6.9p1/cipher-ctr.c
|
||||||
--- openssh/cipher-ctr.c.fips 2015-06-24 12:00:58.669242656 +0200
|
--- openssh-6.9p1/cipher-ctr.c.fips 2015-08-20 11:57:44.894287276 +0200
|
||||||
+++ openssh/cipher-ctr.c 2015-06-24 12:00:58.736242484 +0200
|
+++ openssh-6.9p1/cipher-ctr.c 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||||
#ifndef SSH_OLD_EVP
|
#ifndef SSH_OLD_EVP
|
||||||
@ -86,9 +86,9 @@ diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
|
|||||||
#endif
|
#endif
|
||||||
return (&aes_ctr);
|
return (&aes_ctr);
|
||||||
}
|
}
|
||||||
diff -up openssh/dh.h.fips openssh/dh.h
|
diff -up openssh-6.9p1/dh.h.fips openssh-6.9p1/dh.h
|
||||||
--- openssh/dh.h.fips 2015-06-23 02:34:47.000000000 +0200
|
--- openssh-6.9p1/dh.h.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/dh.h 2015-06-24 12:00:58.737242482 +0200
|
+++ openssh-6.9p1/dh.h 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -46,6 +46,7 @@ u_int dh_estimate(int);
|
@@ -46,6 +46,7 @@ u_int dh_estimate(int);
|
||||||
|
|
||||||
/* Min and max values from RFC4419. */
|
/* Min and max values from RFC4419. */
|
||||||
@ -97,9 +97,9 @@ diff -up openssh/dh.h.fips openssh/dh.h
|
|||||||
#define DH_GRP_MAX 8192
|
#define DH_GRP_MAX 8192
|
||||||
|
|
||||||
/*
|
/*
|
||||||
diff -up openssh/entropy.c.fips openssh/entropy.c
|
diff -up openssh-6.9p1/entropy.c.fips openssh-6.9p1/entropy.c
|
||||||
--- openssh/entropy.c.fips 2015-06-24 12:00:58.662242674 +0200
|
--- openssh-6.9p1/entropy.c.fips 2015-08-20 11:57:44.887287304 +0200
|
||||||
+++ openssh/entropy.c 2015-06-24 12:00:58.737242482 +0200
|
+++ openssh-6.9p1/entropy.c 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
@@ -217,6 +217,9 @@ seed_rng(void)
|
||||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||||
@ -110,9 +110,9 @@ diff -up openssh/entropy.c.fips openssh/entropy.c
|
|||||||
#ifndef OPENSSL_PRNG_ONLY
|
#ifndef OPENSSL_PRNG_ONLY
|
||||||
if (RAND_status() == 1) {
|
if (RAND_status() == 1) {
|
||||||
debug3("RNG is ready, skipping seeding");
|
debug3("RNG is ready, skipping seeding");
|
||||||
diff -up openssh/kex.c.fips openssh/kex.c
|
diff -up openssh-6.9p1/kex.c.fips openssh-6.9p1/kex.c
|
||||||
--- openssh/kex.c.fips 2015-06-24 12:00:58.730242500 +0200
|
--- openssh-6.9p1/kex.c.fips 2015-08-20 11:57:44.963287007 +0200
|
||||||
+++ openssh/kex.c 2015-06-24 12:00:58.737242482 +0200
|
+++ openssh-6.9p1/kex.c 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -35,6 +35,7 @@
|
@@ -35,6 +35,7 @@
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
@ -168,9 +168,9 @@ diff -up openssh/kex.c.fips openssh/kex.c
|
|||||||
free(s);
|
free(s);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
|
diff -up openssh-6.9p1/kexgexc.c.fips openssh-6.9p1/kexgexc.c
|
||||||
--- openssh/kexgexc.c.fips 2015-06-24 12:00:58.737242482 +0200
|
--- openssh-6.9p1/kexgexc.c.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/kexgexc.c 2015-06-24 12:02:26.996015709 +0200
|
+++ openssh-6.9p1/kexgexc.c 2015-08-20 11:57:44.969286984 +0200
|
||||||
@@ -28,6 +28,7 @@
|
@@ -28,6 +28,7 @@
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
@ -188,9 +188,9 @@ diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
|
|||||||
kex->max = DH_GRP_MAX;
|
kex->max = DH_GRP_MAX;
|
||||||
kex->nbits = nbits;
|
kex->nbits = nbits;
|
||||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||||
diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
|
diff -up openssh-6.9p1/kexgexs.c.fips openssh-6.9p1/kexgexs.c
|
||||||
--- openssh/kexgexs.c.fips 2015-06-24 12:00:58.738242479 +0200
|
--- openssh-6.9p1/kexgexs.c.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/kexgexs.c 2015-06-24 13:48:23.735320199 +0200
|
+++ openssh-6.9p1/kexgexs.c 2015-08-20 11:57:44.970286980 +0200
|
||||||
@@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int
|
@@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int
|
||||||
(r = sshpkt_get_end(ssh)) != 0)
|
(r = sshpkt_get_end(ssh)) != 0)
|
||||||
goto out;
|
goto out;
|
||||||
@ -206,9 +206,9 @@ diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
|
|||||||
nbits = MIN(DH_GRP_MAX, nbits);
|
nbits = MIN(DH_GRP_MAX, nbits);
|
||||||
|
|
||||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||||
diff -up openssh/mac.c.fips openssh/mac.c
|
diff -up openssh-6.9p1/mac.c.fips openssh-6.9p1/mac.c
|
||||||
--- openssh/mac.c.fips 2015-06-24 12:00:58.731242497 +0200
|
--- openssh-6.9p1/mac.c.fips 2015-08-20 11:57:44.963287007 +0200
|
||||||
+++ openssh/mac.c 2015-06-24 12:00:58.738242479 +0200
|
+++ openssh-6.9p1/mac.c 2015-08-20 11:57:44.970286980 +0200
|
||||||
@@ -27,6 +27,8 @@
|
@@ -27,6 +27,8 @@
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
@ -270,9 +270,9 @@ diff -up openssh/mac.c.fips openssh/mac.c
|
|||||||
if (strcmp(name, m->name) != 0)
|
if (strcmp(name, m->name) != 0)
|
||||||
continue;
|
continue;
|
||||||
if (mac != NULL)
|
if (mac != NULL)
|
||||||
diff -up openssh/Makefile.in.fips openssh/Makefile.in
|
diff -up openssh-6.9p1/Makefile.in.fips openssh-6.9p1/Makefile.in
|
||||||
--- openssh/Makefile.in.fips 2015-06-24 12:00:58.731242497 +0200
|
--- openssh-6.9p1/Makefile.in.fips 2015-08-20 11:57:44.963287007 +0200
|
||||||
+++ openssh/Makefile.in 2015-06-24 12:00:58.736242484 +0200
|
+++ openssh-6.9p1/Makefile.in 2015-08-20 11:57:44.970286980 +0200
|
||||||
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
|
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||||
$(RANLIB) $@
|
$(RANLIB) $@
|
||||||
|
|
||||||
@ -314,9 +314,9 @@ diff -up openssh/Makefile.in.fips openssh/Makefile.in
|
|||||||
|
|
||||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||||
diff -up openssh/myproposal.h.fips openssh/myproposal.h
|
diff -up openssh-6.9p1/myproposal.h.fips openssh-6.9p1/myproposal.h
|
||||||
--- openssh/myproposal.h.fips 2015-06-23 02:34:47.000000000 +0200
|
--- openssh-6.9p1/myproposal.h.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/myproposal.h 2015-06-24 12:00:58.738242479 +0200
|
+++ openssh-6.9p1/myproposal.h 2015-08-20 11:57:44.971286976 +0200
|
||||||
@@ -143,6 +143,28 @@
|
@@ -143,6 +143,28 @@
|
||||||
"hmac-sha1-96," \
|
"hmac-sha1-96," \
|
||||||
"hmac-md5-96"
|
"hmac-md5-96"
|
||||||
@ -346,10 +346,10 @@ diff -up openssh/myproposal.h.fips openssh/myproposal.h
|
|||||||
#else
|
#else
|
||||||
|
|
||||||
#define KEX_SERVER_KEX \
|
#define KEX_SERVER_KEX \
|
||||||
diff -up openssh/servconf.c.fips openssh/servconf.c
|
diff -up openssh-6.9p1/servconf.c.fips openssh-6.9p1/servconf.c
|
||||||
--- openssh/servconf.c.fips 2015-06-24 12:00:58.726242510 +0200
|
--- openssh-6.9p1/servconf.c.fips 2015-08-20 11:57:44.958287027 +0200
|
||||||
+++ openssh/servconf.c 2015-06-24 13:49:40.164085648 +0200
|
+++ openssh-6.9p1/servconf.c 2015-08-20 11:57:44.971286976 +0200
|
||||||
@@ -2319,8 +2319,10 @@ dump_config(ServerOptions *o)
|
@@ -2338,8 +2338,10 @@ dump_config(ServerOptions *o)
|
||||||
/* string arguments */
|
/* string arguments */
|
||||||
dump_cfg_string(sPidFile, o->pid_file);
|
dump_cfg_string(sPidFile, o->pid_file);
|
||||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||||
@ -362,7 +362,7 @@ diff -up openssh/servconf.c.fips openssh/servconf.c
|
|||||||
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||||
@@ -2335,8 +2337,8 @@ dump_config(ServerOptions *o)
|
@@ -2354,8 +2356,8 @@ dump_config(ServerOptions *o)
|
||||||
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
|
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
|
||||||
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
|
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
|
||||||
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
||||||
@ -373,9 +373,9 @@ diff -up openssh/servconf.c.fips openssh/servconf.c
|
|||||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
||||||
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
||||||
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
|
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
|
||||||
diff -up openssh/ssh.c.fips openssh/ssh.c
|
diff -up openssh-6.9p1/ssh.c.fips openssh-6.9p1/ssh.c
|
||||||
--- openssh/ssh.c.fips 2015-06-23 02:34:47.000000000 +0200
|
--- openssh-6.9p1/ssh.c.fips 2015-07-01 04:35:31.000000000 +0200
|
||||||
+++ openssh/ssh.c 2015-06-24 12:00:58.738242479 +0200
|
+++ openssh-6.9p1/ssh.c 2015-08-20 11:57:44.972286972 +0200
|
||||||
@@ -75,6 +75,8 @@
|
@@ -75,6 +75,8 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
@ -442,10 +442,10 @@ diff -up openssh/ssh.c.fips openssh/ssh.c
|
|||||||
/* Open a connection to the remote host. */
|
/* Open a connection to the remote host. */
|
||||||
if (ssh_connect(host, addrs, &hostaddr, options.port,
|
if (ssh_connect(host, addrs, &hostaddr, options.port,
|
||||||
options.address_family, options.connection_attempts,
|
options.address_family, options.connection_attempts,
|
||||||
diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
diff -up openssh-6.9p1/sshconnect2.c.fips openssh-6.9p1/sshconnect2.c
|
||||||
--- openssh/sshconnect2.c.fips 2015-06-24 12:00:58.698242582 +0200
|
--- openssh-6.9p1/sshconnect2.c.fips 2015-08-20 11:57:44.959287023 +0200
|
||||||
+++ openssh/sshconnect2.c 2015-06-24 12:00:58.739242477 +0200
|
+++ openssh-6.9p1/sshconnect2.c 2015-08-20 12:00:06.049736762 +0200
|
||||||
@@ -46,6 +46,8 @@
|
@@ -44,6 +44,8 @@
|
||||||
#include <vis.h>
|
#include <vis.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -454,7 +454,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
|||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -170,21 +172,26 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
if (options.gss_keyex) {
|
if (options.gss_keyex) {
|
||||||
@ -467,7 +467,8 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
|||||||
- else
|
- else
|
||||||
- gss_host = host;
|
- gss_host = host;
|
||||||
-
|
-
|
||||||
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
- if (gss) {
|
- if (gss) {
|
||||||
- debug("Offering GSSAPI proposal: %s", gss);
|
- debug("Offering GSSAPI proposal: %s", gss);
|
||||||
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
@ -485,7 +486,8 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
|||||||
+ else
|
+ else
|
||||||
+ gss_host = host;
|
+ gss_host = host;
|
||||||
+
|
+
|
||||||
+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
+ if (gss) {
|
+ if (gss) {
|
||||||
+ debug("Offering GSSAPI proposal: %s", gss);
|
+ debug("Offering GSSAPI proposal: %s", gss);
|
||||||
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
@ -494,7 +496,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
if (options.ciphers != NULL) {
|
if (options.ciphers != NULL) {
|
||||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||||
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
|
||||||
@ -505,7 +507,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
|||||||
}
|
}
|
||||||
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
|
||||||
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
|
||||||
@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
if (options.macs != NULL) {
|
if (options.macs != NULL) {
|
||||||
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
|
||||||
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
|
||||||
@ -517,7 +519,7 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
|||||||
if (options.hostkeyalgorithms != NULL)
|
if (options.hostkeyalgorithms != NULL)
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
||||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
compat_pkalg_proposal(options.hostkeyalgorithms);
|
||||||
@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
}
|
}
|
||||||
if (options.kex_algorithms != NULL)
|
if (options.kex_algorithms != NULL)
|
||||||
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
|
||||||
@ -530,9 +532,9 @@ diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
|
|||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
/* If we've got GSSAPI algorithms, then we also support the
|
/* If we've got GSSAPI algorithms, then we also support the
|
||||||
* 'null' hostkey, as a last resort */
|
* 'null' hostkey, as a last resort */
|
||||||
diff -up openssh/sshd.c.fips openssh/sshd.c
|
diff -up openssh-6.9p1/sshd.c.fips openssh-6.9p1/sshd.c
|
||||||
--- openssh/sshd.c.fips 2015-06-24 12:00:58.734242489 +0200
|
--- openssh-6.9p1/sshd.c.fips 2015-08-20 11:57:44.966286996 +0200
|
||||||
+++ openssh/sshd.c 2015-06-24 12:00:58.739242477 +0200
|
+++ openssh-6.9p1/sshd.c 2015-08-20 11:57:44.973286968 +0200
|
||||||
@@ -66,6 +66,7 @@
|
@@ -66,6 +66,7 @@
|
||||||
#include <grp.h>
|
#include <grp.h>
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
@ -648,9 +650,9 @@ diff -up openssh/sshd.c.fips openssh/sshd.c
|
|||||||
|
|
||||||
if (gss && orig)
|
if (gss && orig)
|
||||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||||
diff -up openssh/sshkey.c.fips openssh/sshkey.c
|
diff -up openssh-6.9p1/sshkey.c.fips openssh-6.9p1/sshkey.c
|
||||||
--- openssh/sshkey.c.fips 2015-06-24 12:00:58.735242487 +0200
|
--- openssh-6.9p1/sshkey.c.fips 2015-08-20 11:57:44.967286992 +0200
|
||||||
+++ openssh/sshkey.c 2015-06-24 12:00:58.740242474 +0200
|
+++ openssh-6.9p1/sshkey.c 2015-08-20 11:57:44.974286964 +0200
|
||||||
@@ -35,6 +35,7 @@
|
@@ -35,6 +35,7 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
|
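Review bot: The rebased sshconnect2.c hunk of this patch now removes and re-adds `gss = ssh_gssapi_client_mechanisms(gss_host,` / `options.gss_client_identity, options.gss_kex_algorithms);` in place of the old two-argument call, so the fips patch applies only after the gssKexAlgorithms patch (and the gsskex patch it builds on) are in place. The apply order lives outside this page, presumably in the spec file, and should be checked to match, since a mismatch shows up as a rejected or fuzzed hunk rather than a compile error. The remaining hunks of the section only rename `openssh/` to `openssh-6.9p1/`, refresh timestamps and shift offsets (e.g. servconf.c `@@ -2319` to `@@ -2338`), which is consistent with that ordering.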
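--- /dev/null
+++ b/openssh-6.9p1-compat-7.2.patch
@@ -0,0 +1,13 @@
+diff --git a/kexgexs.c b/kexgexs.c
+index a81fd1e..f69068c 100644
+--- a/kexgexs.c
++++ b/kexgexs.c
+@@ -81,7 +81,7 @@ input_kex_dh_gex_request(int type, u_int32_t seq, void *ctxt)
+ 	    (r = sshpkt_get_end(ssh)) != 0)
+ 		goto out;
+ 	kex->nbits = nbits;
+-	kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
++	kex->min = min;
+ 	kex->max = max;
+ 	min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
+ 	max = MIN(DH_GRP_MAX, max);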
414
openssh-6.9p1-gssKexAlgorithms.patch
@ -0,0 +1,414 @@
|
|||||||
|
diff -up openssh-6.9p1/gss-genr.c.gsskexalg openssh-6.9p1/gss-genr.c
|
||||||
|
--- openssh-6.9p1/gss-genr.c.gsskexalg 2015-08-20 11:54:50.468693843 +0200
|
||||||
|
+++ openssh-6.9p1/gss-genr.c 2015-08-20 11:54:50.525693732 +0200
|
||||||
|
@@ -78,7 +78,8 @@ ssh_gssapi_oid_table_ok() {
|
||||||
|
*/
|
||||||
|
|
||||||
|
char *
|
||||||
|
-ssh_gssapi_client_mechanisms(const char *host, const char *client) {
|
||||||
|
+ssh_gssapi_client_mechanisms(const char *host, const char *client,
|
||||||
|
+ const char *kex) {
|
||||||
|
gss_OID_set gss_supported;
|
||||||
|
OM_uint32 min_status;
|
||||||
|
|
||||||
|
@@ -86,12 +87,12 @@ ssh_gssapi_client_mechanisms(const char
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
|
||||||
|
- host, client));
|
||||||
|
+ host, client, kex));
|
||||||
|
}
|
||||||
|
|
||||||
|
char *
|
||||||
|
ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
|
||||||
|
- const char *host, const char *client) {
|
||||||
|
+ const char *host, const char *client, const char *kex) {
|
||||||
|
Buffer buf;
|
||||||
|
size_t i;
|
||||||
|
int oidpos, enclen;
|
||||||
|
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||||
|
char deroid[2];
|
||||||
|
const EVP_MD *evp_md = EVP_md5();
|
||||||
|
EVP_MD_CTX md;
|
||||||
|
+ char *s, *cp, *p;
|
||||||
|
|
||||||
|
if (gss_enc2oid != NULL) {
|
||||||
|
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||||
|
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||||
|
buffer_init(&buf);
|
||||||
|
|
||||||
|
oidpos = 0;
|
||||||
|
+ s = cp = xstrdup(kex);
|
||||||
|
for (i = 0; i < gss_supported->count; i++) {
|
||||||
|
if (gss_supported->elements[i].length < 128 &&
|
||||||
|
(*check)(NULL, &(gss_supported->elements[i]), host, client)) {
|
||||||
|
@@ -131,26 +134,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||||
|
enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
|
||||||
|
encoded, EVP_MD_size(evp_md) * 2);
|
||||||
|
|
||||||
|
- if (oidpos != 0)
|
||||||
|
- buffer_put_char(&buf, ',');
|
||||||
|
-
|
||||||
|
- buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
|
||||||
|
- sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
|
||||||
|
- buffer_append(&buf, encoded, enclen);
|
||||||
|
- buffer_put_char(&buf, ',');
|
||||||
|
- buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
|
||||||
|
- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
|
||||||
|
- buffer_append(&buf, encoded, enclen);
|
||||||
|
- buffer_put_char(&buf, ',');
|
||||||
|
- buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
|
||||||
|
- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
|
||||||
|
- buffer_append(&buf, encoded, enclen);
|
||||||
|
+ cp = strncpy(s, kex, strlen(kex));
|
||||||
|
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||||
|
+ (p = strsep(&cp, ","))) {
|
||||||
|
+ if (buffer_len(&buf) != 0)
|
||||||
|
+ buffer_put_char(&buf, ',');
|
||||||
|
+ buffer_append(&buf, p,
|
||||||
|
+ strlen(p));
|
||||||
|
+ buffer_append(&buf, encoded, enclen);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
||||||
|
gss_enc2oid[oidpos].encoded = encoded;
|
||||||
|
oidpos++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ free(s);
|
||||||
|
gss_enc2oid[oidpos].oid = NULL;
|
||||||
|
gss_enc2oid[oidpos].encoded = NULL;
|
||||||
|
|
||||||
|
diff -up openssh-6.9p1/gss-serv.c.gsskexalg openssh-6.9p1/gss-serv.c
|
||||||
|
--- openssh-6.9p1/gss-serv.c.gsskexalg 2015-08-20 11:54:50.468693843 +0200
|
||||||
|
+++ openssh-6.9p1/gss-serv.c 2015-08-20 11:54:50.525693732 +0200
|
||||||
|
@@ -150,7 +150,7 @@ ssh_gssapi_server_mechanisms() {
|
||||||
|
|
||||||
|
ssh_gssapi_supported_oids(&supported);
|
||||||
|
return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
|
||||||
|
- NULL, NULL));
|
||||||
|
+ NULL, NULL, options.gss_kex_algorithms));
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Unprivileged */
|
||||||
|
diff -up openssh-6.9p1/kex.c.gsskexalg openssh-6.9p1/kex.c
|
||||||
|
--- openssh-6.9p1/kex.c.gsskexalg 2015-08-20 11:54:50.526693730 +0200
|
||||||
|
+++ openssh-6.9p1/kex.c 2015-08-20 11:56:10.413537466 +0200
|
||||||
|
@@ -50,6 +50,7 @@
|
||||||
|
#include "dispatch.h"
|
||||||
|
#include "monitor.h"
|
||||||
|
#include "roaming.h"
|
||||||
|
+#include "xmalloc.h"
|
||||||
|
|
||||||
|
#include "ssherr.h"
|
||||||
|
#include "sshbuf.h"
|
||||||
|
@@ -170,6 +170,29 @@ kex_names_valid(const char *names)
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Validate GSS KEX method name list */
|
||||||
|
+int
|
||||||
|
+gss_kex_names_valid(const char *names)
|
||||||
|
+{
|
||||||
|
+ char *s, *cp, *p;
|
||||||
|
+
|
||||||
|
+ if (names == NULL || *names == '\0')
|
||||||
|
+ return 0;
|
||||||
|
+ s = cp = xstrdup(names);
|
||||||
|
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||||
|
+ (p = strsep(&cp, ","))) {
|
||||||
|
+ if (strncmp(p, "gss-", 4) != 0
|
||||||
|
+ || kex_alg_by_name(p) == NULL) {
|
||||||
|
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||||
|
+ free(s);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ debug3("gss kex names ok: [%s]", names);
|
||||||
|
+ free(s);
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* put algorithm proposal into buffer */
|
||||||
|
int
|
||||||
|
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
||||||
|
diff -up openssh-6.9p1/kex.h.gsskexalg openssh-6.9p1/kex.h
|
||||||
|
--- openssh-6.9p1/kex.h.gsskexalg 2015-08-20 11:54:50.526693730 +0200
|
||||||
|
+++ openssh-6.9p1/kex.h 2015-08-20 11:56:28.588501914 +0200
|
||||||
|
@@ -169,6 +169,7 @@ struct kex {
|
||||||
|
};
|
||||||
|
|
||||||
|
int kex_names_valid(const char *);
|
||||||
|
+int gss_kex_names_valid(const char *);
|
||||||
|
char *kex_alg_list(char);
|
||||||
|
|
||||||
|
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
|
||||||
|
diff -up openssh-6.9p1/readconf.c.gsskexalg openssh-6.9p1/readconf.c
|
||||||
|
--- openssh-6.9p1/readconf.c.gsskexalg 2015-08-20 11:54:50.523693736 +0200
|
||||||
|
+++ openssh-6.9p1/readconf.c 2015-08-20 11:54:50.527693728 +0200
|
||||||
|
@@ -61,6 +61,7 @@
|
||||||
|
#include "uidswap.h"
|
||||||
|
#include "myproposal.h"
|
||||||
|
#include "digest.h"
|
||||||
|
+#include "ssh-gss.h"
|
||||||
|
|
||||||
|
/* Format of the configuration file:
|
||||||
|
|
||||||
|
@@ -148,7 +149,7 @@ typedef enum {
|
||||||
|
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||||
|
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||||
|
oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
|
||||||
|
- oGssServerIdentity,
|
||||||
|
+ oGssServerIdentity, oGssKexAlgorithms,
|
||||||
|
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||||
|
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||||
|
oHashKnownHosts,
|
||||||
|
@@ -199,6 +200,7 @@ static struct {
|
||||||
|
{ "gssapiclientidentity", oGssClientIdentity },
|
||||||
|
{ "gssapiserveridentity", oGssServerIdentity },
|
||||||
|
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
|
||||||
|
+ { "gssapikexalgorithms", oGssKexAlgorithms },
|
||||||
|
#else
|
||||||
|
{ "gssapiauthentication", oUnsupported },
|
||||||
|
{ "gssapikeyexchange", oUnsupported },
|
||||||
|
@@ -206,6 +208,7 @@ static struct {
|
||||||
|
{ "gssapitrustdns", oUnsupported },
|
||||||
|
{ "gssapiclientidentity", oUnsupported },
|
||||||
|
{ "gssapirenewalforcesrekey", oUnsupported },
|
||||||
|
+ { "gssapikexalgorithms", oUnsupported },
|
||||||
|
#endif
|
||||||
|
{ "fallbacktorsh", oDeprecated },
|
||||||
|
{ "usersh", oDeprecated },
|
||||||
|
@@ -927,6 +930,18 @@ parse_time:
|
||||||
|
intptr = &options->gss_renewal_rekey;
|
||||||
|
goto parse_flag;
|
||||||
|
|
||||||
|
+ case oGssKexAlgorithms:
|
||||||
|
+ arg = strdelim(&s);
|
||||||
|
+ if (!arg || *arg == '\0')
|
||||||
|
+ fatal("%.200s line %d: Missing argument.",
|
||||||
|
+ filename, linenum);
|
||||||
|
+ if (!gss_kex_names_valid(arg))
|
||||||
|
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
||||||
|
+ filename, linenum, arg ? arg : "<NONE>");
|
||||||
|
+ if (*activep && options->gss_kex_algorithms == NULL)
|
||||||
|
+ options->gss_kex_algorithms = xstrdup(arg);
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
case oBatchMode:
|
||||||
|
intptr = &options->batch_mode;
|
||||||
|
goto parse_flag;
|
||||||
|
@@ -1640,6 +1655,7 @@ initialize_options(Options * options)
|
||||||
|
options->gss_renewal_rekey = -1;
|
||||||
|
options->gss_client_identity = NULL;
|
||||||
|
options->gss_server_identity = NULL;
|
||||||
|
+ options->gss_kex_algorithms = NULL;
|
||||||
|
options->password_authentication = -1;
|
||||||
|
options->kbd_interactive_authentication = -1;
|
||||||
|
options->kbd_interactive_devices = NULL;
|
||||||
|
@@ -1774,6 +1790,8 @@ fill_default_options(Options * options)
|
||||||
|
options->gss_trust_dns = 0;
|
||||||
|
if (options->gss_renewal_rekey == -1)
|
||||||
|
options->gss_renewal_rekey = 0;
|
||||||
|
+ if (options->gss_kex_algorithms == NULL)
|
||||||
|
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||||
|
if (options->password_authentication == -1)
|
||||||
|
options->password_authentication = 1;
|
||||||
|
if (options->kbd_interactive_authentication == -1)
|
||||||
|
diff -up openssh-6.9p1/readconf.h.gsskexalg openssh-6.9p1/readconf.h
|
||||||
|
--- openssh-6.9p1/readconf.h.gsskexalg 2015-08-20 11:54:50.523693736 +0200
|
||||||
|
+++ openssh-6.9p1/readconf.h 2015-08-20 11:54:50.527693728 +0200
|
||||||
|
@@ -52,6 +52,7 @@ typedef struct {
|
||||||
|
int gss_renewal_rekey; /* Credential renewal forces rekey */
|
||||||
|
char *gss_client_identity; /* Principal to initiate GSSAPI with */
|
||||||
|
char *gss_server_identity; /* GSSAPI target principal */
|
||||||
|
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
||||||
|
int password_authentication; /* Try password
|
||||||
|
* authentication. */
|
||||||
|
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||||
|
diff -up openssh-6.9p1/servconf.c.gsskexalg openssh-6.9p1/servconf.c
|
||||||
|
--- openssh-6.9p1/servconf.c.gsskexalg 2015-08-20 11:54:50.515693751 +0200
|
||||||
|
+++ openssh-6.9p1/servconf.c 2015-08-20 11:57:16.443398237 +0200
|
||||||
|
@@ -56,6 +56,7 @@
|
||||||
|
#include "auth.h"
|
||||||
|
#include "myproposal.h"
|
||||||
|
#include "digest.h"
|
||||||
|
+#include "ssh-gss.h"
|
||||||
|
|
||||||
|
static void add_listen_addr(ServerOptions *, char *, int);
|
||||||
|
static void add_one_listen_addr(ServerOptions *, char *, int);
|
||||||
|
@@ -119,6 +120,7 @@ initialize_server_options(ServerOptions
|
||||||
|
options->gss_cleanup_creds = -1;
|
||||||
|
options->gss_strict_acceptor = -1;
|
||||||
|
options->gss_store_rekey = -1;
|
||||||
|
+ options->gss_kex_algorithms = NULL;
|
||||||
|
options->password_authentication = -1;
|
||||||
|
options->kbd_interactive_authentication = -1;
|
||||||
|
options->challenge_response_authentication = -1;
|
||||||
|
@@ -288,6 +290,8 @@ fill_default_server_options(ServerOption
|
||||||
|
options->gss_strict_acceptor = 0;
|
||||||
|
if (options->gss_store_rekey == -1)
|
||||||
|
options->gss_store_rekey = 0;
|
||||||
|
+ if (options->gss_kex_algorithms == NULL)
|
||||||
|
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||||
|
if (options->password_authentication == -1)
|
||||||
|
options->password_authentication = 1;
|
||||||
|
if (options->kbd_interactive_authentication == -1)
|
||||||
|
@@ -416,7 +420,7 @@ typedef enum {
|
||||||
|
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||||
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
|
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||||
|
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||||
|
+ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel,
|
||||||
|
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||||
|
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||||
|
sHostCertificate,
|
||||||
|
@@ -494,6 +498,7 @@ static struct {
|
||||||
|
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
||||||
|
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
|
||||||
|
#else
|
||||||
|
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||||
|
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
@@ -501,6 +506,7 @@ static struct {
|
||||||
|
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
||||||
|
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
#endif
|
||||||
|
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||||
|
@@ -1256,6 +1262,18 @@ process_server_config_line(ServerOptions
|
||||||
|
intptr = &options->gss_store_rekey;
|
||||||
|
goto parse_flag;
|
||||||
|
|
||||||
|
+ case sGssKexAlgorithms:
|
||||||
|
+ arg = strdelim(&cp);
|
||||||
|
+ if (!arg || *arg == '\0')
|
||||||
|
+ fatal("%.200s line %d: Missing argument.",
|
||||||
|
+ filename, linenum);
|
||||||
|
+ if (!gss_kex_names_valid(arg))
|
||||||
|
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
||||||
|
+ filename, linenum, arg ? arg : "<NONE>");
|
||||||
|
+ if (*activep && options->gss_kex_algorithms == NULL)
|
||||||
|
+ options->gss_kex_algorithms = xstrdup(arg);
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
case sPasswordAuthentication:
|
||||||
|
intptr = &options->password_authentication;
|
||||||
|
goto parse_flag;
|
||||||
|
@@ -2287,6 +2305,7 @@ dump_config(ServerOptions *o)
|
||||||
|
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
||||||
|
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
||||||
|
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
||||||
|
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
|
||||||
|
#endif
|
||||||
|
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||||
|
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||||
|
diff -up openssh-6.9p1/servconf.h.gsskexalg openssh-6.9p1/servconf.h
|
||||||
|
--- openssh-6.9p1/servconf.h.gsskexalg 2015-08-20 11:54:50.501693779 +0200
|
||||||
|
+++ openssh-6.9p1/servconf.h 2015-08-20 11:54:50.528693726 +0200
|
||||||
|
@@ -121,6 +121,7 @@ typedef struct {
|
||||||
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||||
|
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
||||||
|
int gss_store_rekey;
|
||||||
|
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
||||||
|
int password_authentication; /* If true, permit password
|
||||||
|
* authentication. */
|
||||||
|
int kbd_interactive_authentication; /* If true, permit */
|
||||||
|
diff -up openssh-6.9p1/ssh.1.gsskexalg openssh-6.9p1/ssh.1
|
||||||
|
--- openssh-6.9p1/ssh.1.gsskexalg 2015-08-20 11:54:50.505693771 +0200
|
||||||
|
+++ openssh-6.9p1/ssh.1 2015-08-20 11:54:50.528693726 +0200
|
||||||
|
@@ -446,6 +446,7 @@ For full details of the options listed b
|
||||||
|
.It GSSAPIDelegateCredentials
|
||||||
|
.It GSSAPIRenewalForcesRekey
|
||||||
|
.It GSSAPITrustDNS
|
||||||
|
+.It GSSAPIKexAlgorithms
|
||||||
|
.It HashKnownHosts
|
||||||
|
.It Host
|
||||||
|
.It HostbasedAuthentication
|
||||||
|
diff -up openssh-6.9p1/ssh_config.5.gsskexalg openssh-6.9p1/ssh_config.5
|
||||||
|
--- openssh-6.9p1/ssh_config.5.gsskexalg 2015-08-20 11:54:50.523693736 +0200
|
||||||
|
+++ openssh-6.9p1/ssh_config.5 2015-08-20 11:54:50.528693726 +0200
|
||||||
|
@@ -781,6 +781,18 @@ command line will be passed untouched to
|
||||||
|
The default is
|
||||||
|
.Dq no .
|
||||||
|
This option only applies to protocol version 2 connections using GSSAPI.
|
||||||
|
+.It Cm GSSAPIKexAlgorithms
|
||||||
|
+The list of key exchange algorithms that are offered for GSSAPI
|
||||||
|
+key exchange. Possible values are
|
||||||
|
+.Bd -literal -offset 3n
|
||||||
|
+gss-gex-sha1-,
|
||||||
|
+gss-group1-sha1-,
|
||||||
|
+gss-group14-sha1-
|
||||||
|
+.Ed
|
||||||
|
+.Pp
|
||||||
|
+The default is
|
||||||
|
+.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
|
||||||
|
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||||
|
.It Cm HashKnownHosts
|
||||||
|
Indicates that
|
||||||
|
.Xr ssh 1
|
||||||
|
diff -up openssh-6.9p1/sshconnect2.c.gsskexalg openssh-6.9p1/sshconnect2.c
|
||||||
|
--- openssh-6.9p1/sshconnect2.c.gsskexalg 2015-08-20 11:54:50.523693736 +0200
|
||||||
|
+++ openssh-6.9p1/sshconnect2.c 2015-08-20 11:54:50.529693724 +0200
|
||||||
|
@@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||||
|
else
|
||||||
|
gss_host = host;
|
||||||
|
|
||||||
|
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
||||||
|
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
|
if (gss) {
|
||||||
|
debug("Offering GSSAPI proposal: %s", gss);
|
||||||
|
xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
|
diff -up openssh-6.9p1/sshd_config.5.gsskexalg openssh-6.9p1/sshd_config.5
|
||||||
|
--- openssh-6.9p1/sshd_config.5.gsskexalg 2015-08-20 11:54:50.517693747 +0200
|
||||||
|
+++ openssh-6.9p1/sshd_config.5 2015-08-20 11:54:50.529693724 +0200
|
||||||
|
@@ -654,6 +654,18 @@ Controls whether the user's GSSAPI crede
|
||||||
|
successful connection rekeying. This option can be used to accepted renewed
|
||||||
|
or updated credentials from a compatible client. The default is
|
||||||
|
.Dq no .
|
||||||
|
+.It Cm GSSAPIKexAlgorithms
|
||||||
|
+The list of key exchange algorithms that are accepted by GSSAPI
|
||||||
|
+key exchange. Possible values are
|
||||||
|
+.Bd -literal -offset 3n
|
||||||
|
+gss-gex-sha1-,
|
||||||
|
+gss-group1-sha1-,
|
||||||
|
+gss-group14-sha1-
|
||||||
|
+.Ed
|
||||||
|
+.Pp
|
||||||
|
+The default is
|
||||||
|
+.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- .
|
||||||
|
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||||
|
.It Cm HostbasedAcceptedKeyTypes
|
||||||
|
Specifies the key types that will be accepted for hostbased authentication
|
||||||
|
as a comma-separated pattern list.
|
||||||
|
diff -up openssh-6.9p1/ssh-gss.h.gsskexalg openssh-6.9p1/ssh-gss.h
|
||||||
|
--- openssh-6.9p1/ssh-gss.h.gsskexalg 2015-08-20 11:54:50.475693830 +0200
|
||||||
|
+++ openssh-6.9p1/ssh-gss.h 2015-08-20 11:54:50.529693724 +0200
|
||||||
|
@@ -76,6 +76,11 @@ extern char **k5users_allowed_cmds;
|
||||||
|
#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
|
||||||
|
#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
|
||||||
|
|
||||||
|
+#define GSS_KEX_DEFAULT_KEX \
|
||||||
|
+ KEX_GSS_GEX_SHA1_ID "," \
|
||||||
|
+ KEX_GSS_GRP1_SHA1_ID "," \
|
||||||
|
+ KEX_GSS_GRP14_SHA1_ID
|
||||||
|
+
|
||||||
|
typedef struct {
|
||||||
|
char *filename;
|
||||||
|
char *envvar;
|
||||||
|
@@ -147,9 +152,9 @@ int ssh_gssapi_credentials_updated(Gssct
|
||||||
|
/* In the server */
|
||||||
|
typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
|
||||||
|
const char *);
|
||||||
|
-char *ssh_gssapi_client_mechanisms(const char *, const char *);
|
||||||
|
+char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
|
||||||
|
char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
|
||||||
|
- const char *);
|
||||||
|
+ const char *, const char *);
|
||||||
|
gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
|
||||||
|
int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
|
||||||
|
const char *);
|
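--- a/openssh-6.9p1-security-7.0.patch
+++ b/openssh-6.9p1-security-7.0.patch
@@ -0,0 +1,63 @@
+diff --git a/sshpty.c b/sshpty.c
+index 7bb7641..15da8c6 100644
+--- a/sshpty.c
++++ b/sshpty.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */
++/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */
+/*
+* Author: Tatu Ylonen <ylo@cs.hut.fi>
+* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+/* Determine the group to make the owner of the tty. */
+grp = getgrnam("tty");
+gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;
+- mode = (grp != NULL) ? 0622 : 0600;
++ mode = (grp != NULL) ? 0620 : 0600;
+
+/*
+* Change owner and mode of the tty as required.
+diff --git a/monitor.c b/monitor.c
+index b410965..f1b873d 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device;
+int
+mm_answer_pam_init_ctx(int sock, Buffer *m)
+{
+-
+debug3("%s", __func__);
+- authctxt->user = buffer_get_string(m, NULL);
+sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+sshpam_authok = NULL;
+buffer_clear(m);
+@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m)
+int
+mm_answer_pam_free_ctx(int sock, Buffer *m)
+{
++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt;
+
+debug3("%s", __func__);
+(sshpam_device.free_ctx)(sshpam_ctxt);
++ sshpam_ctxt = sshpam_authok = NULL;
+buffer_clear(m);
+mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+auth_method = "keyboard-interactive";
+auth_submethod = "pam";
+- return (sshpam_authok == sshpam_ctxt);
++ return r;
+}
+#endif
+
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index e6217b3..eac421b 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt)
+
+debug3("%s", __func__);
+buffer_init(&m);
+- buffer_put_cstring(&m, authctxt->user);
+mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
+debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
+mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);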
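Review bot: The patch has no provenance header, unlike openssh-6.9p1-security-7.1.patch which keeps the upstream From/Date/Subject/Upstream-ID lines, so a maintainer rebasing this file cannot tell which upstream commits it carries or check that it is complete. Add a header above the first `diff --git` naming the upstream commits it was taken from, e.g. `# upstream commit <ID-FROM-UPSTREAM>: <subject>` (values copied from upstream, not reconstructed). In mm_answer_pam_free_ctx the result `r` is now computed before `free_ctx` runs and both pointers are cleared afterwards, so a repeated free request can no longer compare against or act on a freed context. On such a repeat `(sshpam_device.free_ctx)(sshpam_ctxt)` is still reached with the now-NULL pointer; whether the PAM device's free_ctx tolerates NULL is not visible here and is worth confirming.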
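--- a/openssh-6.9p1-security-7.1.patch
+++ b/openssh-6.9p1-security-7.1.patch
@@ -0,0 +1,79 @@
+From d77148e3a3ef6c29b26ec74331455394581aa257 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 8 Nov 2015 21:59:11 +0000
+Subject: upstream commit
+
+fix OOB read in packet code caused by missing return
+statement found by Ben Hawkes; ok markus@ deraadt@
+
+Upstream-ID: a3e3a85434ebfa0690d4879091959591f30efc62
+---
+packet.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/packet.c b/packet.c
+index 01d3e29..7b5c419 100644
+--- a/packet.c
++++ b/packet.c
+@@ -1581,6 +1581,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+logit("Bad packet length %u.", state->packlen);
+if ((r = sshpkt_disconnect(ssh, "Packet corrupt")) != 0)
+return r;
++ return SSH_ERR_CONN_CORRUPT;
+}
+sshbuf_reset(state->incoming_packet);
+} else if (state->packlen == 0) {
+--
+cgit v0.11.2
+
+From e6c85f8889c5c9eb04796fdb76d2807636b9eef5 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Fri, 15 Jan 2016 01:30:36 +1100
+Subject: forcibly disable roaming support in the client
+
+---
+readconf.c | 5 ++---
+ssh.c | 3 ---
+2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/readconf.c b/readconf.c
+index 0a38091..dd67811 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1713,7 +1713,7 @@ initialize_options(Options * options)
+options->tun_remote = -1;
+options->local_command = NULL;
+options->permit_local_command = -1;
+- options->use_roaming = -1;
++ options->use_roaming = 0;
+options->visual_host_key = -1;
+options->ip_qos_interactive = -1;
+options->ip_qos_bulk = -1;
+@@ -1889,8 +1889,7 @@ fill_default_options(Options * options)
+options->tun_remote = SSH_TUNID_ANY;
+if (options->permit_local_command == -1)
+options->permit_local_command = 0;
+- if (options->use_roaming == -1)
+- options->use_roaming = 1;
++ options->use_roaming = 0;
+if (options->visual_host_key == -1)
+options->visual_host_key = 0;
+if (options->ip_qos_interactive == -1)
+diff --git a/ssh.c b/ssh.c
+index 096c5b5..cf6eaeb 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1949,9 +1949,6 @@ ssh_session2(void)
+fork_postauth();
+}
+
+- if (options.use_roaming)
+- request_roaming();
+-
+return client_loop(tty_flag, tty_flag ?
+options.escape_char : SSH_ESCAPECHAR_NONE, id);
+}
+--
+cgit v0.11.2
+
+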
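Review bot: The unconditional `options->use_roaming = 0;` in fill_default_options silently discards whatever the UseRoaming keyword parser (outside this hunk) may have stored, and the matching `= 0` in initialize_options leaves no `-1` sentinel for a default check to act on; that is the intent of a forcible disable, but nothing in the code records it, so a later rebase against upstream could reintroduce the `== -1` check and the `1` default. Add `/* roaming is forcibly disabled; keep this unconditional */` on the fill_default_options line, or, if the keyword parser is still present, drop it in the same patch so an explicit `UseRoaming yes` is rejected rather than ignored. The packet.c hunk is sound: when `sshpkt_disconnect` returned 0, control previously fell through into `sshbuf_reset` and the rest of the read path after a rejected length, which the upstream message identifies as the OOB-read cause, and the added `return SSH_ERR_CONN_CORRUPT;` closes that path.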
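--- a/openssh-6.9p1-show-more-fingerprints.patch
+++ b/openssh-6.9p1-show-more-fingerprints.patch
@@ -0,0 +1,306 @@
+diff -up openssh-6.9p1/clientloop.c.fingerprint openssh-6.9p1/clientloop.c
+--- openssh-6.9p1/clientloop.c.fingerprint 2015-08-20 11:10:36.381765519 +0200
++++ openssh-6.9p1/clientloop.c 2015-08-20 11:10:36.436765380 +0200
+@@ -2206,7 +2206,7 @@ update_known_hosts(struct hostkeys_updat
+if (ctx->keys_seen[i] != 2)
+continue;
+if ((fp = sshkey_fingerprint(ctx->keys[i],
+- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
++ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
+fatal("%s: sshkey_fingerprint failed", __func__);
+do_log2(loglevel, "Learned new hostkey: %s %s",
+sshkey_type(ctx->keys[i]), fp);
+@@ -2214,7 +2214,7 @@ update_known_hosts(struct hostkeys_updat
+}
+for (i = 0; i < ctx->nold; i++) {
+if ((fp = sshkey_fingerprint(ctx->old_keys[i],
+- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
++ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
+fatal("%s: sshkey_fingerprint failed", __func__);
+do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
+sshkey_type(ctx->old_keys[i]), fp);
+@@ -2257,7 +2257,7 @@ update_known_hosts(struct hostkeys_updat
+(r = hostfile_replace_entries(options.user_hostfiles[0],
+ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
+options.hash_known_hosts, 0,
+- options.fingerprint_hash)) != 0)
++ options.fingerprint_hash[0])) != 0)
+error("%s: hostfile_replace_entries failed: %s",
+__func__, ssh_err(r));
+}
+@@ -2370,7 +2370,7 @@ client_input_hostkeys(void)
+error("%s: parse key: %s", __func__, ssh_err(r));
+goto out;
+}
+- fp = sshkey_fingerprint(key, options.fingerprint_hash,
++ fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
+SSH_FP_DEFAULT);
+debug3("%s: received %s key %s", __func__,
+sshkey_type(key), fp);
+diff -up openssh-6.9p1/readconf.c.fingerprint openssh-6.9p1/readconf.c
+--- openssh-6.9p1/readconf.c.fingerprint 2015-08-20 11:10:36.385765509 +0200
++++ openssh-6.9p1/readconf.c 2015-08-20 11:11:38.216609413 +0200
+@@ -1497,16 +1497,18 @@ parse_int:
+goto parse_string;
+
+case oFingerprintHash:
+- intptr = &options->fingerprint_hash;
+- arg = strdelim(&s);
+- if (!arg || *arg == '\0')
+- fatal("%.200s line %d: Missing argument.",
+- filename, linenum);
+- if ((value = ssh_digest_alg_by_name(arg)) == -1)
+- fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
+- filename, linenum, arg);
+- if (*activep && *intptr == -1)
+- *intptr = value;
++ if (*activep && options->num_fingerprint_hash == 0)
++ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
++ value = ssh_digest_alg_by_name(arg);
++ if (value == -1)
++ fatal("%s line %d: unknown fingerprints algorithm specs: %s.",
++ filename, linenum, arg);
++ if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)
++ fatal("%s line %d: too many fingerprints algorithm specs.",
++ filename, linenum);
++ options->fingerprint_hash[
++ options->num_fingerprint_hash++] = value;
++ }
+break;
+
+case oUpdateHostkeys:
+@@ -1709,7 +1711,7 @@ initialize_options(Options * options)
+options->canonicalize_fallback_local = -1;
+options->canonicalize_hostname = -1;
+options->revoked_host_keys = NULL;
+- options->fingerprint_hash = -1;
++ options->num_fingerprint_hash = 0;
+options->update_hostkeys = -1;
+options->hostbased_key_types = NULL;
+}
+@@ -1895,8 +1897,10 @@ fill_default_options(Options * options)
+options->canonicalize_fallback_local = 1;
+if (options->canonicalize_hostname == -1)
+options->canonicalize_hostname = SSH_CANONICALISE_NO;
+- if (options->fingerprint_hash == -1)
+- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
++ if (options->num_fingerprint_hash == 0) {
++ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_SHA256;
++ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_MD5;
++ }
+if (options->update_hostkeys == -1)
+options->update_hostkeys = 0;
+if (options->hostbased_key_types == NULL)
+@@ -2227,6 +2231,17 @@ dump_cfg_strarray(OpCodes code, u_int co
+}
+
+static void
++dump_cfg_fmtarray(OpCodes code, u_int count, int *vals)
++{
++ u_int i;
++
++ printf("%s", lookup_opcode_name(code));
++ for (i = 0; i < count; i++)
++ printf(" %s", fmt_intarg(code, vals[i]));
++ printf("\n");
++}
++
++static void
+dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
+{
+u_int i;
+@@ -2297,7 +2312,6 @@ dump_client_config(Options *o, const cha
+dump_cfg_fmtint(oControlMaster, o->control_master);
+dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
+dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
+- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
+dump_cfg_fmtint(oForwardAgent, o->forward_agent);
+dump_cfg_fmtint(oForwardX11, o->forward_x11);
+dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
+@@ -2366,6 +2380,7 @@ dump_client_config(Options *o, const cha
+dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
+dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
+dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
++ dump_cfg_fmtarray(oFingerprintHash, o->num_fingerprint_hash, o->fingerprint_hash);
+
+/* Special cases */
+
+diff -up openssh-6.9p1/readconf.h.fingerprint openssh-6.9p1/readconf.h
+--- openssh-6.9p1/readconf.h.fingerprint 2015-08-20 11:10:36.385765509 +0200
++++ openssh-6.9p1/readconf.h 2015-08-20 11:10:36.437765377 +0200
+@@ -21,6 +21,7 @@
+#define MAX_SEND_ENV 256
+#define SSH_MAX_HOSTS_FILES 32
+#define MAX_CANON_DOMAINS 32
++#define MAX_SSH_DIGESTS 32
+#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
+
+struct allowed_cname {
+@@ -151,7 +152,8 @@ typedef struct {
+
+char *revoked_host_keys;
+
+- int fingerprint_hash;
++ int num_fingerprint_hash;
++ int fingerprint_hash[MAX_SSH_DIGESTS];
+
+int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
+
+diff -up openssh-6.9p1/ssh_config.5.fingerprint openssh-6.9p1/ssh_config.5
+--- openssh-6.9p1/ssh_config.5.fingerprint 2015-08-20 11:10:36.386765506 +0200
++++ openssh-6.9p1/ssh_config.5 2015-08-20 11:10:36.437765377 +0200
+@@ -642,13 +642,13 @@ or
+The default is
+.Dq no .
+.It Cm FingerprintHash
+-Specifies the hash algorithm used when displaying key fingerprints.
++Specifies the hash algorithms used when displaying key fingerprints.
+Valid options are:
+.Dq md5
+and
+.Dq sha256 .
+The default is
+-.Dq sha256 .
++.Dq "sha256 md5".
+.It Cm ForwardAgent
+Specifies whether the connection to the authentication agent (if any)
+will be forwarded to the remote machine.
+diff -up openssh-6.9p1/sshconnect2.c.fingerprint openssh-6.9p1/sshconnect2.c
+--- openssh-6.9p1/sshconnect2.c.fingerprint 2015-08-20 11:10:36.403765463 +0200
++++ openssh-6.9p1/sshconnect2.c 2015-08-20 11:10:36.437765377 +0200
+@@ -658,7 +658,7 @@ input_userauth_pk_ok(int type, u_int32_t
+key->type, pktype);
+goto done;
+}
+- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
++ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
+SSH_FP_DEFAULT)) == NULL)
+goto done;
+debug2("input_userauth_pk_ok: fp %s", fp);
+@@ -1135,7 +1135,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
+int have_sig = 1;
+char *fp;
+
+- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
++ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
+SSH_FP_DEFAULT)) == NULL)
+return 0;
+debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
+@@ -1750,7 +1750,7 @@ userauth_hostbased(Authctxt *authctxt)
+goto out;
+}
+
+- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
++ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
+SSH_FP_DEFAULT)) == NULL) {
+error("%s: sshkey_fingerprint failed", __func__);
+goto out;
+diff -up openssh-6.9p1/sshconnect.c.fingerprint openssh-6.9p1/sshconnect.c
+--- openssh-6.9p1/sshconnect.c.fingerprint 2015-08-20 11:10:36.401765468 +0200
++++ openssh-6.9p1/sshconnect.c 2015-08-20 11:10:36.437765377 +0200
+@@ -923,9 +923,9 @@ check_host_key(char *hostname, struct so
+"of known hosts.", type, ip);
+} else if (options.visual_host_key) {
+fp = sshkey_fingerprint(host_key,
+- options.fingerprint_hash, SSH_FP_DEFAULT);
++ options.fingerprint_hash[0], SSH_FP_DEFAULT);
+ra = sshkey_fingerprint(host_key,
+- options.fingerprint_hash, SSH_FP_RANDOMART);
++ options.fingerprint_hash[0], SSH_FP_RANDOMART);
+if (fp == NULL || ra == NULL)
+fatal("%s: sshkey_fingerprint fail", __func__);
+logit("Host key fingerprint is %s\n%s\n", fp, ra);
+@@ -967,12 +967,6 @@ check_host_key(char *hostname, struct so
+else
+snprintf(msg1, sizeof(msg1), ".");
+/* The default */
+- fp = sshkey_fingerprint(host_key,
+- options.fingerprint_hash, SSH_FP_DEFAULT);
+- ra = sshkey_fingerprint(host_key,
+- options.fingerprint_hash, SSH_FP_RANDOMART);
+- if (fp == NULL || ra == NULL)
+- fatal("%s: sshkey_fingerprint fail", __func__);
+msg2[0] = '\0';
+if (options.verify_host_key_dns) {
+if (matching_host_key_dns)
+@@ -986,16 +980,28 @@ check_host_key(char *hostname, struct so
+}
+snprintf(msg, sizeof(msg),
+"The authenticity of host '%.200s (%s)' can't be "
+- "established%s\n"
+- "%s key fingerprint is %s.%s%s\n%s"
++ "established%s\n", host, ip, msg1);
++ for (i = 0; i < options.num_fingerprint_hash; i++) {
++ fp = sshkey_fingerprint(host_key,
++ options.fingerprint_hash[i], SSH_FP_DEFAULT);
++ ra = sshkey_fingerprint(host_key,
++ options.fingerprint_hash[i], SSH_FP_RANDOMART);
++ if (fp == NULL || ra == NULL)
++ fatal("%s: sshkey_fingerprint fail", __func__);
++ len = strlen(msg);
++ snprintf(msg+len, sizeof(msg)-len,
++ "%s key fingerprint is %s.%s%s\n%s",
++ type, fp,
++ options.visual_host_key ? "\n" : "",
++ options.visual_host_key ? ra : "",
++ msg2);
++ free(ra);
++ free(fp);
++ }
++ len = strlen(msg);
++ snprintf(msg+len, sizeof(msg)-len,
+"Are you sure you want to continue connecting "
+- "(yes/no)? ",
+- host, ip, msg1, type, fp,
+- options.visual_host_key ? "\n" : "",
+- options.visual_host_key ? ra : "",
+- msg2);
+- free(ra);
+- free(fp);
++ "(yes/no)? ");
+if (!confirm(msg))
+goto fail;
+hostkey_trusted = 1; /* user explicitly confirmed */
+@@ -1244,7 +1250,7 @@ verify_host_key(char *host, struct socka
+struct sshkey *plain = NULL;
+
+if ((fp = sshkey_fingerprint(host_key,
+- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
++ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
+error("%s: fingerprint host key: %s", __func__, ssh_err(r));
+r = -1;
+goto out;
+@@ -1408,9 +1414,9 @@ show_other_keys(struct hostkeys *hostkey
+if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
+continue;
+fp = sshkey_fingerprint(found->key,
+- options.fingerprint_hash, SSH_FP_DEFAULT);
++ options.fingerprint_hash[0], SSH_FP_DEFAULT);
+ra = sshkey_fingerprint(found->key,
+- options.fingerprint_hash, SSH_FP_RANDOMART);
++ options.fingerprint_hash[0], SSH_FP_RANDOMART);
+if (fp == NULL || ra == NULL)
+fatal("%s: sshkey_fingerprint fail", __func__);
+logit("WARNING: %s key found for host %s\n"
+@@ -1433,7 +1439,7 @@ warn_changed_key(Key *host_key)
+{
+char *fp;
+
+- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
++ fp = sshkey_fingerprint(host_key, options.fingerprint_hash[0],
+SSH_FP_DEFAULT);
+if (fp == NULL)
+fatal("%s: sshkey_fingerprint fail", __func__);
+diff --git a/ssh-keysign.c b/ssh-keysign.c
+index 1dca3e2..23bff7d 100644
+--- a/ssh-keysign.c
++++ b/ssh-keysign.c
+@@ -275,7 +275,7 @@ main(int argc, char **argv)
+}
+}
+if (!found) {
+- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
++ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
+SSH_FP_DEFAULT)) == NULL)
+fatal("%s: sshkey_fingerprint failed", __func__);
+fatal("no matching hostkey found for key %s %s",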
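Review bot: The new oFingerprintHash loop in readconf.c bounds its write with `if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)`, but the array it fills is declared in readconf.h as `int fingerprint_hash[MAX_SSH_DIGESTS]` with a new `MAX_SSH_DIGESTS 32`; the two constants come from different headers and nothing ties them together, so the write stays in bounds only as long as `SSH_DIGEST_MAX` happens not to exceed 32. Check against the array's own size, `if (options->num_fingerprint_hash >= MAX_SSH_DIGESTS)`, or size the array with `SSH_DIGEST_MAX` and drop the new define. Separately, the check_host_key loop in sshconnect.c appends each fingerprint (and the randomart block when VisualHostKey is set) with `snprintf(msg+len, sizeof(msg)-len, ...)` without checking the return value, so with several algorithms the final "Are you sure you want to continue connecting (yes/no)? " prompt can be truncated off the end of `msg`; the size of `msg` and the declarations of `i` and `len` are outside the hunk. The parser also accepts the same algorithm name repeatedly, which only consumes array slots but could be rejected in the same fatal() path.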
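--- /dev/null
+++ b/openssh-6.9p1-xauth.patch
@@ -0,0 +1,72 @@
+commit 9d47b8d3f50c3a6282896df8274147e3b9a38c56
+Author: Damien Miller <djm@mindrot.org>
+Date: Thu Mar 10 05:03:39 2016 +1100
+
+sanitise characters destined for xauth(1)
+
+reported by github.com/tintinweb
+
+diff --git a/session.c b/session.c
+index 7a02500..87fddfc 100644
+--- a/session.c
++++ b/session.c
+@@ -46,6 +46,7 @@
+
+#include <arpa/inet.h>
+
++#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <grp.h>
+@@ -274,6 +275,21 @@ do_authenticated(Authctxt *authctxt)
+do_cleanup(authctxt);
+}
+
++/* Check untrusted xauth strings for metacharacters */
++static int
++xauth_valid_string(const char *s)
++{
++ size_t i;
++
++ for (i = 0; s[i] != '\0'; i++) {
++ if (!isalnum((u_char)s[i]) &&
++ s[i] != '.' && s[i] != ':' && s[i] != '/' &&
++ s[i] != '-' && s[i] != '_')
++ return 0;
++ }
++ return 1;
++}
++
+/*
+* Prepares for an interactive session. This is called after the user has
+* been successfully authenticated. During this message exchange, pseudo
+@@ -347,7 +363,13 @@ do_authenticated1(Authctxt *authctxt)
+s->screen = 0;
+}
+packet_check_eom();
+- success = session_setup_x11fwd(s);
++ if (xauth_valid_string(s->auth_proto) &&
++ xauth_valid_string(s->auth_data))
++ success = session_setup_x11fwd(s);
++ else {
++ success = 0;
++ error("Invalid X11 forwarding data");
++ }
+if (!success) {
+free(s->auth_proto);
+free(s->auth_data);
+@@ -2178,7 +2200,13 @@ session_x11_req(Session *s)
+s->screen = packet_get_int();
+packet_check_eom();
+
+- success = session_setup_x11fwd(s);
++ if (xauth_valid_string(s->auth_proto) &&
++ xauth_valid_string(s->auth_data))
++ success = session_setup_x11fwd(s);
++ else {
++ success = 0;
++ error("Invalid X11 forwarding data");
++ }
+if (!success) {
+free(s->auth_proto);
+free(s->auth_data);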
60
openssh.spec
60
openssh.spec
@ -66,7 +66,7 @@
|
|||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%define openssh_ver 6.9p1
|
%define openssh_ver 6.9p1
|
||||||
%define openssh_rel 4
|
%define openssh_rel 12
|
||||||
%define pam_ssh_agent_ver 0.9.3
|
%define pam_ssh_agent_ver 0.9.3
|
||||||
%define pam_ssh_agent_rel 6
|
%define pam_ssh_agent_rel 6
|
||||||
|
|
||||||
@ -227,7 +227,22 @@ Patch929: openssh-6.9p1-permit-root-login.patch
|
|||||||
Patch930: openssh-6.9p1-authentication-limits-bypass.patch
|
Patch930: openssh-6.9p1-authentication-limits-bypass.patch
|
||||||
# Handle terminal control characters in scp progressmeter (#1247204)
|
# Handle terminal control characters in scp progressmeter (#1247204)
|
||||||
Patch931: openssh-6.9p1-scp-progressmeter.patch
|
Patch931: openssh-6.9p1-scp-progressmeter.patch
|
||||||
|
# Vulnerabilities published with openssh-7.0:
|
||||||
|
# Incorrectly set TTYs to be world-writable (#1252861)
|
||||||
|
# Privilege separation weakness related to PAM support (#1252844)
|
||||||
|
# Use-after-free bug related to PAM support (#1252852)
|
||||||
|
Patch932: openssh-6.9p1-security-7.0.patch
|
||||||
|
# Possibility to validate legacy systems by more fingerprints (#1249626)(#2439)
|
||||||
|
Patch933: openssh-6.9p1-show-more-fingerprints.patch
|
||||||
|
# Add GSSAPIKexAlgorithms option for server and client application
|
||||||
|
Patch934: openssh-6.9p1-gssKexAlgorithms.patch
|
||||||
|
# Vulnerabilities published with openssh-7.1p2 (#1298626)
|
||||||
|
# CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature
|
||||||
|
# Fix an out of-bound read access in the packet handling code
|
||||||
|
Patch935: openssh-6.9p1-security-7.1.patch
|
||||||
|
# Fix for security issue (openssh-7.2p2): sanitise characters destined for xauth(1)
|
||||||
|
Patch936: openssh-6.9p1-xauth.patch
|
||||||
|
Patch937: openssh-6.9p1-compat-7.2.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
@ -320,7 +335,7 @@ Requires: openssh = %{version}-%{release}
|
|||||||
Summary: PAM module for authentication with ssh-agent
|
Summary: PAM module for authentication with ssh-agent
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Version: %{pam_ssh_agent_ver}
|
Version: %{pam_ssh_agent_ver}
|
||||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
|
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.1
|
||||||
License: BSD
|
License: BSD
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -452,9 +467,15 @@ popd
|
|||||||
%patch929 -p1 -b .root-login
|
%patch929 -p1 -b .root-login
|
||||||
%patch930 -p1 -b .kbd
|
%patch930 -p1 -b .kbd
|
||||||
%patch931 -p1 -b .progressmeter
|
%patch931 -p1 -b .progressmeter
|
||||||
|
%patch932 -p1 -b .security
|
||||||
|
%patch933 -p1 -b .fingerprint
|
||||||
|
%patch934 -p1 -b .gsskexalg
|
||||||
|
%patch935 -p1 -b .security71
|
||||||
|
%patch936 -p1 -b .xauth
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch700 -p1 -b .fips
|
%patch700 -p1 -b .fips
|
||||||
|
%patch937 -p1 -b .compat-7.2
|
||||||
|
|
||||||
%patch100 -p1 -b .coverity
|
%patch100 -p1 -b .coverity
|
||||||
|
|
||||||
@ -763,6 +784,39 @@ getent passwd sshd >/dev/null || \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 02 2016 Jakub Jelen <jjelen@redhat.com> - 6.9p1-12 + 0.9.3-6
|
||||||
|
- Fix DH GEX against non-default group sizes (openssh-7.2) (#1332082)
|
||||||
|
|
||||||
|
* Thu Mar 10 2016 Jakub Jelen <jjelen@redhat.com> 6.9p1-11 + 0.9.3-6
|
||||||
|
- sanitise characters destined for xauth(1) (#1316529)
|
||||||
|
|
||||||
|
* Fri Jan 15 2016 Jakub Jelen <jjelen@redhat.com> 6.9p1-10 + 0.9.3-6
|
||||||
|
- Fix vulnerabilities published with openssh-7.1p2 (#1298626)
|
||||||
|
- CVE-2016-0777 OpenSSH: Client Information leak due to use of roaming connection feature
|
||||||
|
- Fix an out of-bound read access in the packet handling code
|
||||||
|
|
||||||
|
* Tue Oct 06 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-9 + 0.9.3-6
|
||||||
|
- Revert broken GSSAPI keyex offer (#1268968)
|
||||||
|
|
||||||
|
* Thu Oct 01 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-8 + 0.9.3-6
|
||||||
|
- Fix GSSAPI key exchange which was broken for some time (#1261414)
|
||||||
|
- Icrease SFTP glob memory limit to reflect stat limit
|
||||||
|
|
||||||
|
* Wed Sep 09 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-7 + 0.9.3-6
|
||||||
|
- Fix warnings reported by gcc related to keysign and gssKexAlgorithms
|
||||||
|
|
||||||
|
* Thu Aug 20 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-6 + 0.9.3-6
|
||||||
|
- Add possibility to validate legacy system md5 fingerprints (#1249626)
|
||||||
|
- Fix problem with DSA keys using pam_ssh_agent_auth (#1251777)
|
||||||
|
- Add GSSAPIKexAlgorithms option for server and client application
|
||||||
|
|
||||||
|
* Fri Aug 14 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-5 + 0.9.3-6
|
||||||
|
- Fix vulnerabilities published with openssh-7.0:
|
||||||
|
- Incorrectly set TTYs to be world-writable (#1252861)
|
||||||
|
- Privilege separation weakness related to PAM support (#1252844)
|
||||||
|
- Use-after-free bug related to PAM support (#1252852)
|
||||||
|
- Fix pam_ssh_agent_auth after rebase (#1251777)
|
||||||
|
|
||||||
* Tue Jul 28 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-4 + 0.9.3-6
|
* Tue Jul 28 2015 Jakub Jelen <jjelen@redhat.com> 6.9p1-4 + 0.9.3-6
|
||||||
- Handle terminal control characters in scp progressmeter (#1247204)
|
- Handle terminal control characters in scp progressmeter (#1247204)
|
||||||
|
|
||||||
|
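Review bot: The pam_ssh_agent_auth `Release:` line now ends in a hard-coded `.1` after `%{?dist}%{?rescue_rel}`, while `pam_ssh_agent_rel` stays at 6 and the new changelog entries still read `0.9.3-6`; that literal suffix is easy to forget on the next bump and sidesteps the convention the comment at the top of the first hunk describes. Prefer bumping the macro, `%define pam_ssh_agent_rel 7`, and leaving `Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}` unchanged. The Patch936 comment could also carry the upstream advisory reference the way the Patch935 comment does, if one was assigned, so the security backports stay traceable from the spec alone.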
@ -111,7 +111,7 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-a
|
|||||||
buffer_put_string(&b, pkblob, blen);
|
buffer_put_string(&b, pkblob, blen);
|
||||||
|
|
||||||
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
|
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
|
||||||
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 1) != 0)
|
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
|
||||||
goto user_auth_clean_exit;
|
goto user_auth_clean_exit;
|
||||||
|
|
||||||
/* test for correct signature */
|
/* test for correct signature */
|
||||||
|