Compare commits
16 Commits
Author | SHA1 | Date |
---|---|---|
Jakub Jelen | 2e8c9e1bd6 | |
Jakub Jelen | 8ebd1ac76b | |
Jakub Jelen | 1b87361339 | |
Jakub Jelen | 7936d701cb | |
Jakub Jelen | 88b9f28736 | |
Jakub Jelen | 0ed404cb1d | |
Jakub Jelen | 9245e75858 | |
Jakub Jelen | 6f29c0796b | |
Jakub Jelen | 5e917665b9 | |
Jakub Jelen | c7c6705319 | |
Jakub Jelen | 9106571cc0 | |
Jakub Jelen | 5be5d99670 | |
Jakub Jelen | 88f23cb6fe | |
Jakub Jelen | 7f5b70b83b | |
Jakub Jelen | 6e99f2d387 | |
Jakub Jelen | 6b6760fc06 |
|
@ -736,7 +736,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||||
+ timeout.tv_sec = options.bind_timelimit;
|
+ timeout.tv_sec = options.bind_timelimit;
|
||||||
+ timeout.tv_usec = 0;
|
+ timeout.tv_usec = 0;
|
||||||
+ result = NULL;
|
+ result = NULL;
|
||||||
+ if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
|
+ if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
|
||||||
+ error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
|
+ error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
|
||||||
+ ldap_msgfree (result);
|
+ ldap_msgfree (result);
|
||||||
+ return LDAP_OPERATIONS_ERROR;
|
+ return LDAP_OPERATIONS_ERROR;
|
||||||
|
@ -837,7 +837,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (options.ssl_on != SSL_OFF) {
|
+ if (options.ssl_on != SSL_OFF) {
|
||||||
+ if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
|
+ if ((ld = ldapssl_init (options.host, options.port, 1)) == NULL)
|
||||||
+ fatal ("ldapssl_init failed");
|
+ fatal ("ldapssl_init failed");
|
||||||
+ debug3 ("LDAPssl init");
|
+ debug3 ("LDAPssl init");
|
||||||
+ }
|
+ }
|
||||||
|
@ -1041,7 +1041,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||||
+
|
+
|
||||||
+ timeout.tv_sec = options.bind_timelimit;
|
+ timeout.tv_sec = options.bind_timelimit;
|
||||||
+ timeout.tv_usec = 0;
|
+ timeout.tv_usec = 0;
|
||||||
+ if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
|
+ if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
|
||||||
+ ld_errno = ldap_get_lderrno (ld, 0, 0);
|
+ ld_errno = ldap_get_lderrno (ld, 0, 0);
|
||||||
+
|
+
|
||||||
+ error ("ldap_result %s", ldap_err2string (ld_errno));
|
+ error ("ldap_result %s", ldap_err2string (ld_errno));
|
||||||
|
@ -1052,7 +1052,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||||
+
|
+
|
||||||
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
|
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
|
||||||
+ controls = NULL;
|
+ controls = NULL;
|
||||||
+ if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
|
+ if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, 1)) != LDAP_SUCCESS)
|
||||||
+ fatal ("ldap_parse_result %s", ldap_err2string (parserc));
|
+ fatal ("ldap_parse_result %s", ldap_err2string (parserc));
|
||||||
+ debug3 ("LDAP parse result OK");
|
+ debug3 ("LDAP parse result OK");
|
||||||
+
|
+
|
||||||
|
@ -1060,7 +1060,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||||
+ ldap_controls_free (controls);
|
+ ldap_controls_free (controls);
|
||||||
+ }
|
+ }
|
||||||
+#else
|
+#else
|
||||||
+ rc = ldap_result2error (session->ld, result, TRUE);
|
+ rc = ldap_result2error (session->ld, result, 1);
|
||||||
+#endif
|
+#endif
|
||||||
+ if (rc != LDAP_SUCCESS)
|
+ if (rc != LDAP_SUCCESS)
|
||||||
+ fatal ("error trying to bind as user \"%s\" (%s)",
|
+ fatal ("error trying to bind as user \"%s\" (%s)",
|
||||||
|
|
|
@ -0,0 +1,146 @@
|
||||||
|
From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: djm <djm@openbsd.org>
|
||||||
|
Date: Tue, 31 Jul 2018 03:10:27 +0000
|
||||||
|
Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
|
||||||
|
=?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
|
||||||
|
=?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
|
||||||
|
=?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
---
|
||||||
|
usr.bin/ssh/auth2-gss.c | 11 +++++++----
|
||||||
|
usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
|
||||||
|
usr.bin/ssh/auth2-pubkey.c | 25 +++++++++++++++----------
|
||||||
|
3 files changed, 28 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
|
||||||
|
index 649c830916a..c919ef4c353 100644
|
||||||
|
--- a/usr.bin/ssh/auth2-gss.c
|
||||||
|
+++ b/usr.bin/ssh/auth2-gss.c
|
||||||
|
@@ -65,9 +65,6 @@ userauth_gssapi(struct ssh *ssh)
|
||||||
|
u_int len;
|
||||||
|
u_char *doid = NULL;
|
||||||
|
|
||||||
|
- if (!authctxt->valid || authctxt->user == NULL)
|
||||||
|
- return (0);
|
||||||
|
-
|
||||||
|
mechs = packet_get_int();
|
||||||
|
if (mechs == 0) {
|
||||||
|
debug("Mechanism negotiation is not supported");
|
||||||
|
@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh)
|
||||||
|
return (0);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||||
|
+ debug2("%s: disabled because of invalid user", __func__);
|
||||||
|
+ free(doid);
|
||||||
|
+ return (0);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
|
||||||
|
if (ctxt != NULL)
|
||||||
|
ssh_gssapi_delete_ctx(&ctxt);
|
||||||
|
diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
|
||||||
|
index ad335555934..fb5e5f42272 100644
|
||||||
|
--- a/usr.bin/ssh/auth2-hostbased.c
|
||||||
|
+++ b/usr.bin/ssh/auth2-hostbased.c
|
||||||
|
@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
|
size_t alen, blen, slen;
|
||||||
|
int r, pktype, authenticated = 0;
|
||||||
|
|
||||||
|
- if (!authctxt->valid) {
|
||||||
|
- debug2("%s: disabled because of invalid user", __func__);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
/* XXX use sshkey_froms() */
|
||||||
|
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
|
||||||
|
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
|
||||||
|
@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||||
|
+ debug2("%s: disabled because of invalid user", __func__);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
|
||||||
|
authctxt->service;
|
||||||
|
if ((b = sshbuf_new()) == NULL)
|
||||||
|
diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
|
||||||
|
index 195da5e2111..af9e5f04c45 100644
|
||||||
|
--- a/usr.bin/ssh/auth2-pubkey.c
|
||||||
|
+++ b/usr.bin/ssh/auth2-pubkey.c
|
||||||
|
@@ -86,18 +86,14 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
userauth_pubkey(struct ssh *ssh)
|
||||||
|
{
|
||||||
|
Authctxt *authctxt = ssh->authctxt;
|
||||||
|
- struct sshbuf *b;
|
||||||
|
+ struct sshbuf *b = NULL;
|
||||||
|
struct sshkey *key = NULL;
|
||||||
|
- char *pkalg, *userstyle = NULL, *fp = NULL;
|
||||||
|
- u_char *pkblob, *sig, have_sig;
|
||||||
|
+ char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
|
||||||
|
+ u_char *pkblob = NULL, *sig = NULL, have_sig;
|
||||||
|
size_t blen, slen;
|
||||||
|
int r, pktype;
|
||||||
|
int authenticated = 0;
|
||||||
|
|
||||||
|
- if (!authctxt->valid) {
|
||||||
|
- debug2("%s: disabled because of invalid user", __func__);
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
|
||||||
|
fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
|
||||||
|
if (ssh->compat & SSH_BUG_PKAUTH) {
|
||||||
|
@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
fatal("%s: sshbuf_put_string session id: %s",
|
||||||
|
__func__, ssh_err(r));
|
||||||
|
}
|
||||||
|
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||||
|
+ debug2("%s: disabled because of invalid user",
|
||||||
|
+ __func__);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
/* reconstruct packet */
|
||||||
|
xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||||
|
authctxt->style ? ":" : "",
|
||||||
|
@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
#ifdef DEBUG_PK
|
||||||
|
sshbuf_dump(b, stderr);
|
||||||
|
#endif
|
||||||
|
-
|
||||||
|
/* test for correct signature */
|
||||||
|
authenticated = 0;
|
||||||
|
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
|
||||||
|
@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
authenticated = 1;
|
||||||
|
}
|
||||||
|
sshbuf_free(b);
|
||||||
|
- free(sig);
|
||||||
|
auth2_record_key(authctxt, authenticated, key);
|
||||||
|
} else {
|
||||||
|
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
|
||||||
|
@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||||
|
fatal("%s: %s", __func__, ssh_err(r));
|
||||||
|
|
||||||
|
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||||
|
+ debug2("%s: disabled because of invalid user",
|
||||||
|
+ __func__);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
/* XXX fake reply and always send PK_OK ? */
|
||||||
|
/*
|
||||||
|
* XXX this allows testing whether a user is allowed
|
||||||
|
@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||||
|
free(pkalg);
|
||||||
|
free(pkblob);
|
||||||
|
free(fp);
|
||||||
|
+ free(sig);
|
||||||
|
return authenticated;
|
||||||
|
}
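Review bot: The delayed check closes only the parse-order oracle: on the new side of each file an invalid user now reaches `goto done` after the request has been fully read, but in auth2-pubkey.c the valid-user path still continues into `user_key_allowed()` and the signature verification, so the two paths still do visibly different amounts of work and a timing difference is likely to remain. I would state that scope in the patch header rather than let the package treat this as a complete fix for username enumeration, e.g. a line under the Subject such as `Note: removes the malformed-packet bailout difference only; key-verification timing is unchanged`. The diff paths are `usr.bin/ssh/…` (OpenBSD tree) whereas the other patches in this series carry an `openssh-7.6p1/…` prefix, so the spec's %patch line (not in view) has to strip the extra path components or the patch will not apply. userauth_gssapi, userauth_hostbased and userauth_pubkey all extend beyond the visible hunks.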
|
||||||
|
|
||||||
|
|
|
@ -31,7 +31,7 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
|
||||||
}
|
}
|
||||||
|
|
||||||
+int
|
+int
|
||||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
+audit_keyusage(int host_user, char *fp, int rv)
|
||||||
+{
|
+{
|
||||||
+ /* not implemented */
|
+ /* not implemented */
|
||||||
+}
|
+}
|
||||||
|
@ -39,7 +39,7 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
|
||||||
void
|
void
|
||||||
audit_event(ssh_audit_event_t event)
|
audit_event(ssh_audit_event_t event)
|
||||||
{
|
{
|
||||||
@@ -452,4 +471,40 @@ audit_event(ssh_audit_event_t event)
|
@@ -452,4 +471,34 @@ audit_event(ssh_audit_event_t event)
|
||||||
debug("%s: unhandled event %d", __func__, event);
|
debug("%s: unhandled event %d", __func__, event);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -72,12 +72,6 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
|
||||||
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
||||||
+{
|
+{
|
||||||
+ /* not implemented */
|
+ /* not implemented */
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+audit_generate_ephemeral_server_key(const char *fp)
|
|
||||||
+{
|
|
||||||
+ /* not implemented */
|
|
||||||
+}
|
+}
|
||||||
#endif /* BSM */
|
#endif /* BSM */
|
||||||
diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||||
|
@ -91,7 +85,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||||
|
|
||||||
#ifdef SSH_AUDIT_EVENTS
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
|
||||||
@@ -34,6 +35,11 @@
|
@@ -34,6 +35,12 @@
|
||||||
#include "key.h"
|
#include "key.h"
|
||||||
#include "hostfile.h"
|
#include "hostfile.h"
|
||||||
#include "auth.h"
|
#include "auth.h"
|
||||||
|
@ -100,6 +94,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||||
+#include "xmalloc.h"
|
+#include "xmalloc.h"
|
||||||
+#include "misc.h"
|
+#include "misc.h"
|
||||||
+#include "servconf.h"
|
+#include "servconf.h"
|
||||||
|
+#include "ssherr.h"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Care must be taken when using this since it WILL NOT be initialized when
|
* Care must be taken when using this since it WILL NOT be initialized when
|
||||||
|
@ -127,7 +122,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||||
return (the_authctxt->user);
|
return (the_authctxt->user);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -109,6 +113,37 @@ audit_event_lookup(ssh_audit_event_t ev)
|
@@ -109,6 +113,35 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||||
return(event_lookup[i].name);
|
return(event_lookup[i].name);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -135,12 +130,10 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||||
+audit_key(int host_user, int *rv, const Key *key)
|
+audit_key(int host_user, int *rv, const Key *key)
|
||||||
+{
|
+{
|
||||||
+ char *fp;
|
+ char *fp;
|
||||||
+ const char *crypto_name;
|
|
||||||
+
|
+
|
||||||
+ fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
|
+ fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
|
||||||
+ crypto_name = key_ssh_name(key);
|
+ if (audit_keyusage(host_user, fp, (*rv == 0)) == 0)
|
||||||
+ if (audit_keyusage(host_user, crypto_name, sshkey_size(key), fp, *rv) == 0)
|
+ *rv = -SSH_ERR_INTERNAL_ERROR;
|
||||||
+ *rv = 0;
|
|
||||||
+ free(fp);
|
+ free(fp);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
|
@ -183,7 +176,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||||
* Called when a user session is started. Argument is the tty allocated to
|
* Called when a user session is started. Argument is the tty allocated to
|
||||||
* the session, or NULL if no tty was allocated.
|
* the session, or NULL if no tty was allocated.
|
||||||
*
|
*
|
||||||
@@ -172,13 +218,91 @@ audit_session_close(struct logininfo *li
|
@@ -172,13 +218,82 @@ audit_session_close(struct logininfo *li
|
||||||
/*
|
/*
|
||||||
* This will be called when a user runs a non-interactive command. Note that
|
* This will be called when a user runs a non-interactive command. Note that
|
||||||
* it may be called multiple times for a single connection since SSH2 allows
|
* it may be called multiple times for a single connection since SSH2 allows
|
||||||
|
@ -219,10 +212,10 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||||
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
|
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
|
||||||
+ */
|
+ */
|
||||||
+int
|
+int
|
||||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
+audit_keyusage(int host_user, char *fp, int rv)
|
||||||
+{
|
+{
|
||||||
+ debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
|
+ debug("audit %s key usage euid %d user %s fingerprint %s, result %d",
|
||||||
+ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
|
+ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(),
|
||||||
+ fp, rv);
|
+ fp, rv);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
|
@ -265,15 +258,6 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||||
+{
|
+{
|
||||||
+ debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
|
+ debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
|
||||||
+ geteuid(), fp, (long)pid, (unsigned)uid);
|
+ geteuid(), fp, (long)pid, (unsigned)uid);
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * This will be called on generation of the ephemeral server key
|
|
||||||
+ */
|
|
||||||
+void
|
|
||||||
+audit_generate_ephemeral_server_key(const char *)
|
|
||||||
+{
|
|
||||||
+ debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
|
|
||||||
}
|
}
|
||||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||||
#endif /* SSH_AUDIT_EVENTS */
|
#endif /* SSH_AUDIT_EVENTS */
|
||||||
|
@ -288,7 +272,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
|
||||||
|
|
||||||
enum ssh_audit_event_type {
|
enum ssh_audit_event_type {
|
||||||
SSH_LOGIN_EXCEED_MAXTRIES,
|
SSH_LOGIN_EXCEED_MAXTRIES,
|
||||||
@@ -43,13 +44,33 @@ enum ssh_audit_event_type {
|
@@ -43,13 +44,32 @@ enum ssh_audit_event_type {
|
||||||
SSH_CONNECTION_ABANDON, /* closed without completing auth */
|
SSH_CONNECTION_ABANDON, /* closed without completing auth */
|
||||||
SSH_AUDIT_UNKNOWN
|
SSH_AUDIT_UNKNOWN
|
||||||
};
|
};
|
||||||
|
@ -311,7 +295,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
|
||||||
+int audit_run_command(const char *);
|
+int audit_run_command(const char *);
|
||||||
+void audit_end_command(int, const char *);
|
+void audit_end_command(int, const char *);
|
||||||
ssh_audit_event_t audit_classify_auth(const char *);
|
ssh_audit_event_t audit_classify_auth(const char *);
|
||||||
+int audit_keyusage(int, const char *, unsigned, char *, int);
|
+int audit_keyusage(int, char *, int);
|
||||||
+void audit_key(int, int *, const Key *);
|
+void audit_key(int, int *, const Key *);
|
||||||
+void audit_unsupported(int);
|
+void audit_unsupported(int);
|
||||||
+void audit_kex(int, char *, char *, char *, char *);
|
+void audit_kex(int, char *, char *, char *, char *);
|
||||||
|
@ -320,13 +304,12 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
|
||||||
+void audit_session_key_free(int ctos);
|
+void audit_session_key_free(int ctos);
|
||||||
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||||
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||||
+void audit_generate_ephemeral_server_key(const char *);
|
|
||||||
|
|
||||||
#endif /* _SSH_AUDIT_H */
|
#endif /* _SSH_AUDIT_H */
|
||||||
diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
--- openssh-7.6p1/audit-linux.c.audit 2017-10-02 21:34:26.000000000 +0200
|
--- openssh-7.6p1/audit-linux.c.audit 2017-10-02 21:34:26.000000000 +0200
|
||||||
+++ openssh-7.6p1/audit-linux.c 2017-10-04 17:18:32.835505053 +0200
|
+++ openssh-7.6p1/audit-linux.c 2017-10-04 17:18:32.835505053 +0200
|
||||||
@@ -33,25 +33,38 @@
|
@@ -33,27 +33,40 @@
|
||||||
|
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "audit.h"
|
#include "audit.h"
|
||||||
|
@ -353,7 +336,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
-linux_audit_record_event(int uid, const char *username, const char *hostname,
|
-linux_audit_record_event(int uid, const char *username, const char *hostname,
|
||||||
- const char *ip, const char *ttyn, int success)
|
- const char *ip, const char *ttyn, int success)
|
||||||
+static void
|
+static void
|
||||||
+linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
|
+linux_audit_user_logxxx(int uid, const char *username,
|
||||||
+ const char *ip, const char *ttyn, int success, int event)
|
+ const char *ip, const char *ttyn, int success, int event)
|
||||||
{
|
{
|
||||||
int audit_fd, rc, saved_errno;
|
int audit_fd, rc, saved_errno;
|
||||||
|
@ -370,9 +353,12 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
- rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
|
- rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
|
||||||
+ rc = audit_log_acct_message(audit_fd, event,
|
+ rc = audit_log_acct_message(audit_fd, event,
|
||||||
NULL, "login", username ? username : "(unknown)",
|
NULL, "login", username ? username : "(unknown)",
|
||||||
username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
- username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||||
|
+ username == NULL ? uid : -1, NULL, ip, ttyn, success);
|
||||||
saved_errno = errno;
|
saved_errno = errno;
|
||||||
@@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const
|
close(audit_fd);
|
||||||
|
|
||||||
|
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
|
||||||
rc = 0;
|
rc = 0;
|
||||||
errno = saved_errno;
|
errno = saved_errno;
|
||||||
|
|
||||||
|
@ -385,7 +371,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
+
|
+
|
||||||
+static void
|
+static void
|
||||||
+linux_audit_user_auth(int uid, const char *username,
|
+linux_audit_user_auth(int uid, const char *username,
|
||||||
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
|
+ const char *ip, const char *ttyn, int success, int event)
|
||||||
+{
|
+{
|
||||||
+ int audit_fd, rc, saved_errno;
|
+ int audit_fd, rc, saved_errno;
|
||||||
+ static const char *event_name[] = {
|
+ static const char *event_name[] = {
|
||||||
|
@ -419,7 +405,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
+
|
+
|
||||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
|
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
|
||||||
+ NULL, event_name[event], username ? username : "(unknown)",
|
+ NULL, event_name[event], username ? username : "(unknown)",
|
||||||
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
+ username == NULL ? uid : -1, NULL, ip, ttyn, success);
|
||||||
+ saved_errno = errno;
|
+ saved_errno = errno;
|
||||||
+ close(audit_fd);
|
+ close(audit_fd);
|
||||||
+ /*
|
+ /*
|
||||||
|
@ -436,7 +422,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+int
|
+int
|
||||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
+audit_keyusage(int host_user, char *fp, int rv)
|
||||||
+{
|
+{
|
||||||
+ char buf[AUDIT_LOG_SIZE];
|
+ char buf[AUDIT_LOG_SIZE];
|
||||||
+ int audit_fd, rc, saved_errno;
|
+ int audit_fd, rc, saved_errno;
|
||||||
|
@ -449,15 +435,14 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
+ else
|
+ else
|
||||||
+ return 0; /* Must prevent login */
|
+ return 0; /* Must prevent login */
|
||||||
+ }
|
+ }
|
||||||
+ snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "pubkey" : "hostbased", ssh_remote_port(active_state));
|
+ snprintf(buf, sizeof(buf), "%s_auth grantors=auth-key", host_user ? "pubkey" : "hostbased");
|
||||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
||||||
+ buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
|
+ buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
|
||||||
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
|
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
|
+ snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", fp);
|
||||||
+ type, bits, fp, ssh_remote_port(active_state));
|
+ rc = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, buf, NULL,
|
||||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
+ ssh_remote_ipaddr(active_state), NULL, rv);
|
||||||
+ buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
|
|
||||||
+out:
|
+out:
|
||||||
+ saved_errno = errno;
|
+ saved_errno = errno;
|
||||||
+ audit_close(audit_fd);
|
+ audit_close(audit_fd);
|
||||||
|
@ -471,7 +456,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
/* Below is the sshd audit API code */
|
/* Below is the sshd audit API code */
|
||||||
|
|
||||||
void
|
void
|
||||||
@@ -76,24 +177,51 @@ audit_connection_from(const char *host,
|
@@ -76,24 +177,55 @@ audit_connection_from(const char *host,
|
||||||
/* not implemented */
|
/* not implemented */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -481,21 +466,25 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
{
|
{
|
||||||
- /* not implemented */
|
- /* not implemented */
|
||||||
+ if (!user_login_count++)
|
+ if (!user_login_count++)
|
||||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
+ NULL, "ssh", 1, AUDIT_USER_LOGIN);
|
+ ssh_remote_ipaddr(active_state),
|
||||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
|
+ "ssh", 1, AUDIT_USER_LOGIN);
|
||||||
+ NULL, "ssh", 1, AUDIT_USER_START);
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
|
+ ssh_remote_ipaddr(active_state),
|
||||||
|
+ "ssh", 1, AUDIT_USER_START);
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+void
|
+void
|
||||||
+audit_end_command(int handle, const char *command)
|
+audit_end_command(int handle, const char *command)
|
||||||
+{
|
+{
|
||||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
+ NULL, "ssh", 1, AUDIT_USER_END);
|
+ ssh_remote_ipaddr(active_state),
|
||||||
|
+ "ssh", 1, AUDIT_USER_END);
|
||||||
+ if (user_login_count && !--user_login_count)
|
+ if (user_login_count && !--user_login_count)
|
||||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
|
+ ssh_remote_ipaddr(active_state),
|
||||||
|
+ "ssh", 1, AUDIT_USER_LOGOUT);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+void
|
+void
|
||||||
|
@ -512,9 +501,9 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
- fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
- fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||||
+ if (!user_login_count++)
|
+ if (!user_login_count++)
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
+ NULL, li->line, 1, AUDIT_USER_LOGIN);
|
+ li->line, 1, AUDIT_USER_LOGIN);
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
+ NULL, li->line, 1, AUDIT_USER_START);
|
+ li->line, 1, AUDIT_USER_START);
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
|
@ -522,38 +511,37 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
{
|
{
|
||||||
- /* not implemented */
|
- /* not implemented */
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
+ NULL, li->line, 1, AUDIT_USER_END);
|
+ li->line, 1, AUDIT_USER_END);
|
||||||
+ if (user_login_count && !--user_login_count)
|
+ if (user_login_count && !--user_login_count)
|
||||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||||
+ NULL, li->line, 1, AUDIT_USER_LOGOUT);
|
+ li->line, 1, AUDIT_USER_LOGOUT);
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
@@ -103,24 +231,180 @@ audit_event(ssh_audit_event_t event)
|
@@ -102,25 +231,155 @@ audit_event(ssh_audit_event_t event)
|
||||||
|
struct ssh *ssh = active_state; /* XXX */
|
||||||
|
|
||||||
switch(event) {
|
switch(event) {
|
||||||
case SSH_AUTH_SUCCESS:
|
- case SSH_AUTH_SUCCESS:
|
||||||
- case SSH_CONNECTION_CLOSE:
|
- case SSH_CONNECTION_CLOSE:
|
||||||
+ linux_audit_user_auth(-1, audit_username(), NULL,
|
|
||||||
+ ssh_remote_ipaddr(ssh), "ssh", 1, event);
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
case SSH_NOLOGIN:
|
case SSH_NOLOGIN:
|
||||||
- case SSH_LOGIN_EXCEED_MAXTRIES:
|
- case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||||
case SSH_LOGIN_ROOT_DENIED:
|
case SSH_LOGIN_ROOT_DENIED:
|
||||||
+ linux_audit_user_auth(-1, audit_username(), NULL,
|
+ linux_audit_user_auth(-1, audit_username(),
|
||||||
+ ssh_remote_ipaddr(ssh), "ssh", 0, event);
|
+ ssh_remote_ipaddr(ssh), "ssh", 0, event);
|
||||||
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
|
+ linux_audit_user_logxxx(-1, audit_username(),
|
||||||
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
||||||
break;
|
break;
|
||||||
+ case SSH_LOGIN_EXCEED_MAXTRIES:
|
- case SSH_AUTH_FAIL_NONE:
|
||||||
case SSH_AUTH_FAIL_NONE:
|
|
||||||
case SSH_AUTH_FAIL_PASSWD:
|
case SSH_AUTH_FAIL_PASSWD:
|
||||||
|
+ if (options.use_pam)
|
||||||
|
+ break;
|
||||||
|
+ case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||||
case SSH_AUTH_FAIL_KBDINT:
|
case SSH_AUTH_FAIL_KBDINT:
|
||||||
case SSH_AUTH_FAIL_PUBKEY:
|
case SSH_AUTH_FAIL_PUBKEY:
|
||||||
case SSH_AUTH_FAIL_HOSTBASED:
|
case SSH_AUTH_FAIL_HOSTBASED:
|
||||||
case SSH_AUTH_FAIL_GSSAPI:
|
case SSH_AUTH_FAIL_GSSAPI:
|
||||||
+ linux_audit_user_auth(-1, audit_username(), NULL,
|
+ linux_audit_user_auth(-1, audit_username(),
|
||||||
+ ssh_remote_ipaddr(ssh), "ssh", 0, event);
|
+ ssh_remote_ipaddr(ssh), "ssh", 0, event);
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
|
@ -561,11 +549,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
+ if (user_login_count) {
|
+ if (user_login_count) {
|
||||||
+ while (user_login_count--)
|
+ while (user_login_count--)
|
||||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
|
+ ssh_remote_ipaddr(ssh),
|
||||||
+ NULL, "ssh", 1, AUDIT_USER_END);
|
+ "ssh", 1, AUDIT_USER_END);
|
||||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||||
+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
|
+ ssh_remote_ipaddr(ssh),
|
||||||
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
|
+ "ssh", 1, AUDIT_USER_LOGOUT);
|
||||||
+ }
|
+ }
|
||||||
+ break;
|
+ break;
|
||||||
+
|
+
|
||||||
|
@ -573,7 +561,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
case SSH_INVALID_USER:
|
case SSH_INVALID_USER:
|
||||||
- linux_audit_record_event(-1, audit_username(), NULL,
|
- linux_audit_record_event(-1, audit_username(), NULL,
|
||||||
- ssh_remote_ipaddr(ssh), "sshd", 0);
|
- ssh_remote_ipaddr(ssh), "sshd", 0);
|
||||||
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
|
+ linux_audit_user_logxxx(-1, audit_username(),
|
||||||
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
|
@ -690,28 +678,6 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||||
+ error("cannot write into audit");
|
+ error("cannot write into audit");
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void
|
|
||||||
+audit_generate_ephemeral_server_key(const char *fp)
|
|
||||||
+{
|
|
||||||
+ char buf[AUDIT_LOG_SIZE];
|
|
||||||
+ int audit_fd, audit_ok;
|
|
||||||
+
|
|
||||||
+ snprintf(buf, sizeof(buf), "op=create kind=server fp=%s direction=? ", fp);
|
|
||||||
+ audit_fd = audit_open();
|
|
||||||
+ if (audit_fd < 0) {
|
|
||||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
|
||||||
+ errno != EAFNOSUPPORT)
|
|
||||||
+ error("cannot open audit");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
|
||||||
+ buf, NULL, 0, NULL, 1);
|
|
||||||
+ audit_close(audit_fd);
|
|
||||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
|
||||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
|
||||||
+ error("cannot write into audit");
|
|
||||||
+}
|
+}
|
||||||
#endif /* USE_LINUX_AUDIT */
|
#endif /* USE_LINUX_AUDIT */
|
||||||
diff -up openssh-7.6p1/auditstub.c.audit openssh-7.6p1/auditstub.c
|
diff -up openssh-7.6p1/auditstub.c.audit openssh-7.6p1/auditstub.c
|
||||||
|
@ -848,6 +814,15 @@ diff -up openssh-7.6p1/auth2-pubkey.c.audit openssh-7.6p1/auth2-pubkey.c
|
||||||
diff -up openssh-7.6p1/auth.c.audit openssh-7.6p1/auth.c
|
diff -up openssh-7.6p1/auth.c.audit openssh-7.6p1/auth.c
|
||||||
--- openssh-7.6p1/auth.c.audit 2017-10-04 17:18:32.746504598 +0200
|
--- openssh-7.6p1/auth.c.audit 2017-10-04 17:18:32.746504598 +0200
|
||||||
+++ openssh-7.6p1/auth.c 2017-10-04 17:18:32.835505053 +0200
|
+++ openssh-7.6p1/auth.c 2017-10-04 17:18:32.835505053 +0200
|
||||||
|
@@ -360,7 +360,7 @@ auth_log(Authctxt *authctxt, int authent
|
||||||
|
# endif
|
||||||
|
#endif
|
||||||
|
#ifdef SSH_AUDIT_EVENTS
|
||||||
|
- if (authenticated == 0 && !authctxt->postponed)
|
||||||
|
+ if (authenticated == 0 && !authctxt->postponed && !partial)
|
||||||
|
audit_event(audit_classify_auth(method));
|
||||||
|
#endif
|
||||||
|
}
|
||||||
@@ -599,9 +599,6 @@ getpwnamallow(const char *user)
|
@@ -599,9 +599,6 @@ getpwnamallow(const char *user)
|
||||||
record_failed_login(user,
|
record_failed_login(user,
|
||||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||||
|
|
21
openssh.spec
21
openssh.spec
|
@ -66,7 +66,7 @@
|
||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 7.6p1
|
%global openssh_ver 7.6p1
|
||||||
%global openssh_rel 3
|
%global openssh_rel 6
|
||||||
%global pam_ssh_agent_ver 0.10.3
|
%global pam_ssh_agent_ver 0.10.3
|
||||||
%global pam_ssh_agent_rel 3
|
%global pam_ssh_agent_rel 3
|
||||||
|
|
||||||
|
@ -233,6 +233,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
|
||||||
Patch950: openssh-7.5p1-sandbox.patch
|
Patch950: openssh-7.5p1-sandbox.patch
|
||||||
# PermitOpen bug in OpenSSH 7.6:
|
# PermitOpen bug in OpenSSH 7.6:
|
||||||
Patch951: openssh-7.6p1-permitopen-bug.patch
|
Patch951: openssh-7.6p1-permitopen-bug.patch
|
||||||
|
# CVE-2018-15473: User "enumeration" via malformed packets in authentication requests
|
||||||
|
Patch952: openssh-7.6p1-CVE-2018-15473.patch
|
||||||
|
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
|
@ -295,9 +297,7 @@ Requires: openssh = %{version}-%{release}
|
||||||
Requires(pre): /usr/sbin/useradd
|
Requires(pre): /usr/sbin/useradd
|
||||||
Requires: pam >= 1.0.1-3
|
Requires: pam >= 1.0.1-3
|
||||||
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
||||||
Requires(post): systemd-units
|
%{?systemd_requires}
|
||||||
Requires(preun): systemd-units
|
|
||||||
Requires(postun): systemd-units
|
|
||||||
|
|
||||||
%if %{ldap}
|
%if %{ldap}
|
||||||
%package ldap
|
%package ldap
|
||||||
|
@ -458,6 +458,7 @@ popd
|
||||||
%patch949 -p1 -b .refactor
|
%patch949 -p1 -b .refactor
|
||||||
%patch950 -p1 -b .sandbox
|
%patch950 -p1 -b .sandbox
|
||||||
%patch951 -p1 -b .permitOpen
|
%patch951 -p1 -b .permitOpen
|
||||||
|
%patch952 -p3 -b .enumeration
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
|
@ -765,6 +766,18 @@ getent passwd sshd >/dev/null || \
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Aug 25 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-6 + 0.10.3-3
|
||||||
|
- Fix CVE-2018-15473 (#1619064)
|
||||||
|
|
||||||
|
* Thu Feb 01 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-5 + 0.10.3-3
|
||||||
|
- Build correctly against systemd
|
||||||
|
|
||||||
|
* Thu Feb 01 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-4 + 0.10.3-3
|
||||||
|
- Whitelist gettid() syscall in seccomp filter (#1524392)
|
||||||
|
- Do not pass hostnames to audit -- UseDNS is usually disabled (#1534577)
|
||||||
|
- Rework audit events to match requirements
|
||||||
|
- Packaging details from rawhide
|
||||||
|
|
||||||
* Mon Dec 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-3 + 0.10.3-3
|
* Mon Dec 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-3 + 0.10.3-3
|
||||||
- Do not segfault during audit cleanup (#1524233)
|
- Do not segfault during audit cleanup (#1524233)
|
||||||
- Avoid gcc warnings about uninitialized variables
|
- Avoid gcc warnings about uninitialized variables
|
||||||
|
|
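Review bot: `%patch952 -p3 -b .enumeration` in the %prep hunk strips three path components while every neighbouring `%patch` line (949, 950, 951, 200, 201) uses `-p1`, and nothing in the spec records why; presumably the CVE-2018-15473 patch was taken in a form whose paths carry extra leading directories, but that is an inference. A one-line comment next to the `Patch952:` declaration would keep the next refresh of that patch from breaking %prep silently, e.g. `# Patch952 carries extra leading path components; applied with -p3 in %prep`. The `# CVE-2018-15473: ...` comment already added on the `Patch952:` line is the natural place to extend with that note, and the changelog entry `- Fix CVE-2018-15473 (#1619064)` is consistent with it.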