Compare commits
16 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
2e8c9e1bd6 | ||
|
8ebd1ac76b | ||
|
1b87361339 | ||
|
7936d701cb | ||
|
88b9f28736 | ||
|
0ed404cb1d | ||
|
9245e75858 | ||
|
6f29c0796b | ||
|
5e917665b9 | ||
|
c7c6705319 | ||
|
9106571cc0 | ||
|
5be5d99670 | ||
|
88f23cb6fe | ||
|
7f5b70b83b | ||
|
6e99f2d387 | ||
|
6b6760fc06 |
@ -736,7 +736,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||
+ timeout.tv_sec = options.bind_timelimit;
|
||||
+ timeout.tv_usec = 0;
|
||||
+ result = NULL;
|
||||
+ if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
|
||||
+ if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
|
||||
+ error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
|
||||
+ ldap_msgfree (result);
|
||||
+ return LDAP_OPERATIONS_ERROR;
|
||||
@ -837,7 +837,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||
+ }
|
||||
+
|
||||
+ if (options.ssl_on != SSL_OFF) {
|
||||
+ if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
|
||||
+ if ((ld = ldapssl_init (options.host, options.port, 1)) == NULL)
|
||||
+ fatal ("ldapssl_init failed");
|
||||
+ debug3 ("LDAPssl init");
|
||||
+ }
|
||||
@ -1041,7 +1041,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||
+
|
||||
+ timeout.tv_sec = options.bind_timelimit;
|
||||
+ timeout.tv_usec = 0;
|
||||
+ if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
|
||||
+ if ((rc = ldap_result (ld, msgid, 0, &timeout, &result)) < 1) {
|
||||
+ ld_errno = ldap_get_lderrno (ld, 0, 0);
|
||||
+
|
||||
+ error ("ldap_result %s", ldap_err2string (ld_errno));
|
||||
@ -1052,7 +1052,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||
+
|
||||
+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
|
||||
+ controls = NULL;
|
||||
+ if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
|
||||
+ if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, 1)) != LDAP_SUCCESS)
|
||||
+ fatal ("ldap_parse_result %s", ldap_err2string (parserc));
|
||||
+ debug3 ("LDAP parse result OK");
|
||||
+
|
||||
@ -1060,7 +1060,7 @@ diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
|
||||
+ ldap_controls_free (controls);
|
||||
+ }
|
||||
+#else
|
||||
+ rc = ldap_result2error (session->ld, result, TRUE);
|
||||
+ rc = ldap_result2error (session->ld, result, 1);
|
||||
+#endif
|
||||
+ if (rc != LDAP_SUCCESS)
|
||||
+ fatal ("error trying to bind as user \"%s\" (%s)",
|
||||
|
146
openssh-7.6p1-CVE-2018-15473.patch
Normal file
146
openssh-7.6p1-CVE-2018-15473.patch
Normal file
@ -0,0 +1,146 @@
|
||||
From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
|
||||
From: djm <djm@openbsd.org>
|
||||
Date: Tue, 31 Jul 2018 03:10:27 +0000
|
||||
Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
|
||||
=?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
|
||||
=?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
|
||||
=?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
---
|
||||
usr.bin/ssh/auth2-gss.c | 11 +++++++----
|
||||
usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
|
||||
usr.bin/ssh/auth2-pubkey.c | 25 +++++++++++++++----------
|
||||
3 files changed, 28 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
|
||||
index 649c830916a..c919ef4c353 100644
|
||||
--- a/usr.bin/ssh/auth2-gss.c
|
||||
+++ b/usr.bin/ssh/auth2-gss.c
|
||||
@@ -65,9 +65,6 @@ userauth_gssapi(struct ssh *ssh)
|
||||
u_int len;
|
||||
u_char *doid = NULL;
|
||||
|
||||
- if (!authctxt->valid || authctxt->user == NULL)
|
||||
- return (0);
|
||||
-
|
||||
mechs = packet_get_int();
|
||||
if (mechs == 0) {
|
||||
debug("Mechanism negotiation is not supported");
|
||||
@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh)
|
||||
return (0);
|
||||
}
|
||||
|
||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||
+ debug2("%s: disabled because of invalid user", __func__);
|
||||
+ free(doid);
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
|
||||
if (ctxt != NULL)
|
||||
ssh_gssapi_delete_ctx(&ctxt);
|
||||
diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
|
||||
index ad335555934..fb5e5f42272 100644
|
||||
--- a/usr.bin/ssh/auth2-hostbased.c
|
||||
+++ b/usr.bin/ssh/auth2-hostbased.c
|
||||
@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh)
|
||||
size_t alen, blen, slen;
|
||||
int r, pktype, authenticated = 0;
|
||||
|
||||
- if (!authctxt->valid) {
|
||||
- debug2("%s: disabled because of invalid user", __func__);
|
||||
- return 0;
|
||||
- }
|
||||
/* XXX use sshkey_froms() */
|
||||
if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
|
||||
(r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
|
||||
@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||
+ debug2("%s: disabled because of invalid user", __func__);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
service = ssh->compat & SSH_BUG_HBSERVICE ? "ssh-userauth" :
|
||||
authctxt->service;
|
||||
if ((b = sshbuf_new()) == NULL)
|
||||
diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
|
||||
index 195da5e2111..af9e5f04c45 100644
|
||||
--- a/usr.bin/ssh/auth2-pubkey.c
|
||||
+++ b/usr.bin/ssh/auth2-pubkey.c
|
||||
@@ -86,18 +86,14 @@ userauth_pubkey(struct ssh *ssh)
|
||||
userauth_pubkey(struct ssh *ssh)
|
||||
{
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
- struct sshbuf *b;
|
||||
+ struct sshbuf *b = NULL;
|
||||
struct sshkey *key = NULL;
|
||||
- char *pkalg, *userstyle = NULL, *fp = NULL;
|
||||
- u_char *pkblob, *sig, have_sig;
|
||||
+ char *pkalg = NULL, *userstyle = NULL, *fp = NULL;
|
||||
+ u_char *pkblob = NULL, *sig = NULL, have_sig;
|
||||
size_t blen, slen;
|
||||
int r, pktype;
|
||||
int authenticated = 0;
|
||||
|
||||
- if (!authctxt->valid) {
|
||||
- debug2("%s: disabled because of invalid user", __func__);
|
||||
- return 0;
|
||||
- }
|
||||
if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0)
|
||||
fatal("%s: sshpkt_get_u8 failed: %s", __func__, ssh_err(r));
|
||||
if (ssh->compat & SSH_BUG_PKAUTH) {
|
||||
@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh)
|
||||
fatal("%s: sshbuf_put_string session id: %s",
|
||||
__func__, ssh_err(r));
|
||||
}
|
||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||
+ debug2("%s: disabled because of invalid user",
|
||||
+ __func__);
|
||||
+ goto done;
|
||||
+ }
|
||||
/* reconstruct packet */
|
||||
xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh)
|
||||
#ifdef DEBUG_PK
|
||||
sshbuf_dump(b, stderr);
|
||||
#endif
|
||||
-
|
||||
/* test for correct signature */
|
||||
authenticated = 0;
|
||||
if (PRIVSEP(user_key_allowed(authctxt->pw, key, 1)) &&
|
||||
@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh)
|
||||
authenticated = 1;
|
||||
}
|
||||
sshbuf_free(b);
|
||||
- free(sig);
|
||||
auth2_record_key(authctxt, authenticated, key);
|
||||
} else {
|
||||
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
|
||||
@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh)
|
||||
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||
fatal("%s: %s", __func__, ssh_err(r));
|
||||
|
||||
+ if (!authctxt->valid || authctxt->user == NULL) {
|
||||
+ debug2("%s: disabled because of invalid user",
|
||||
+ __func__);
|
||||
+ goto done;
|
||||
+ }
|
||||
/* XXX fake reply and always send PK_OK ? */
|
||||
/*
|
||||
* XXX this allows testing whether a user is allowed
|
||||
@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh)
|
||||
free(pkalg);
|
||||
free(pkblob);
|
||||
free(fp);
|
||||
+ free(sig);
|
||||
return authenticated;
|
||||
}
|
||||
|
||||
|
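Review bot: In the auth2-pubkey.c hunk at `@@ -164,6 +160,11 @@`, the new invalid-user check jumps to `done` after `b` has been allocated by `sshbuf_new()` and the session id appended, yet the cleanup visible in the last hunk frees only pkalg, pkblob, fp and sig, so the sshbuf is leaked on that path (the `done:` label itself lies outside the hunk, so an `sshbuf_free(b)` there is possible but not shown). The `b = NULL` initialisation added in the first hunk suggests the intent was to release it at `done`; the consistent fix is to move `sshbuf_free(b);` out of the have_sig branch (the `@@ -191,7 +191,6 @@` hunk, where `free(sig)` was removed for the same reason) and add it next to `free(sig);` at the end, which is safe because `sshbuf_free` tolerates NULL. The leak occurs once per rejected attempt inside the per-connection child, so it is bounded by MaxAuthTries, but the invalid-user path is exactly the one repeated probing exercises. Note also that the change equalises packet parsing for valid and invalid users while still skipping signature verification for invalid ones, so a residual timing difference is likely; that is an upstream design limit rather than something this packaging change should address.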
@ -31,7 +31,7 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
|
||||
}
|
||||
|
||||
+int
|
||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
||||
+audit_keyusage(int host_user, char *fp, int rv)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
@ -39,7 +39,7 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
|
||||
void
|
||||
audit_event(ssh_audit_event_t event)
|
||||
{
|
||||
@@ -452,4 +471,40 @@ audit_event(ssh_audit_event_t event)
|
||||
@@ -452,4 +471,34 @@ audit_event(ssh_audit_event_t event)
|
||||
debug("%s: unhandled event %d", __func__, event);
|
||||
}
|
||||
}
|
||||
@ -72,12 +72,6 @@ diff -up openssh-7.6p1/audit-bsm.c.audit openssh-7.6p1/audit-bsm.c
|
||||
+audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_generate_ephemeral_server_key(const char *fp)
|
||||
+{
|
||||
+ /* not implemented */
|
||||
+}
|
||||
#endif /* BSM */
|
||||
diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
@ -91,7 +85,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
|
||||
@@ -34,6 +35,11 @@
|
||||
@@ -34,6 +35,12 @@
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
@ -100,6 +94,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h"
|
||||
+#include "servconf.h"
|
||||
+#include "ssherr.h"
|
||||
|
||||
/*
|
||||
* Care must be taken when using this since it WILL NOT be initialized when
|
||||
@ -127,7 +122,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
return (the_authctxt->user);
|
||||
}
|
||||
|
||||
@@ -109,6 +113,37 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||
@@ -109,6 +113,35 @@ audit_event_lookup(ssh_audit_event_t ev)
|
||||
return(event_lookup[i].name);
|
||||
}
|
||||
|
||||
@ -135,12 +130,10 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
+audit_key(int host_user, int *rv, const Key *key)
|
||||
+{
|
||||
+ char *fp;
|
||||
+ const char *crypto_name;
|
||||
+
|
||||
+ fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
|
||||
+ crypto_name = key_ssh_name(key);
|
||||
+ if (audit_keyusage(host_user, crypto_name, sshkey_size(key), fp, *rv) == 0)
|
||||
+ *rv = 0;
|
||||
+ if (audit_keyusage(host_user, fp, (*rv == 0)) == 0)
|
||||
+ *rv = -SSH_ERR_INTERNAL_ERROR;
|
||||
+ free(fp);
|
||||
+}
|
||||
+
|
||||
@ -183,7 +176,7 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
* Called when a user session is started. Argument is the tty allocated to
|
||||
* the session, or NULL if no tty was allocated.
|
||||
*
|
||||
@@ -172,13 +218,91 @@ audit_session_close(struct logininfo *li
|
||||
@@ -172,13 +218,82 @@ audit_session_close(struct logininfo *li
|
||||
/*
|
||||
* This will be called when a user runs a non-interactive command. Note that
|
||||
* it may be called multiple times for a single connection since SSH2 allows
|
||||
@ -219,10 +212,10 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
+ * Type is the key type, len is the key length(byte) and fp is the fingerprint of the key.
|
||||
+ */
|
||||
+int
|
||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
||||
+audit_keyusage(int host_user, char *fp, int rv)
|
||||
+{
|
||||
+ debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s, result %d",
|
||||
+ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
|
||||
+ debug("audit %s key usage euid %d user %s fingerprint %s, result %d",
|
||||
+ host_user ? "pubkey" : "hostbased", geteuid(), audit_username(),
|
||||
+ fp, rv);
|
||||
+}
|
||||
+
|
||||
@ -265,15 +258,6 @@ diff -up openssh-7.6p1/audit.c.audit openssh-7.6p1/audit.c
|
||||
+{
|
||||
+ debug("audit destroy sensitive data euid %d fingerprint %s from pid %ld uid %u",
|
||||
+ geteuid(), fp, (long)pid, (unsigned)uid);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * This will be called on generation of the ephemeral server key
|
||||
+ */
|
||||
+void
|
||||
+audit_generate_ephemeral_server_key(const char *)
|
||||
+{
|
||||
+ debug("audit create ephemeral server key euid %d fingerprint %s", geteuid(), fp);
|
||||
}
|
||||
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
@ -288,7 +272,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
|
||||
|
||||
enum ssh_audit_event_type {
|
||||
SSH_LOGIN_EXCEED_MAXTRIES,
|
||||
@@ -43,13 +44,33 @@ enum ssh_audit_event_type {
|
||||
@@ -43,13 +44,32 @@ enum ssh_audit_event_type {
|
||||
SSH_CONNECTION_ABANDON, /* closed without completing auth */
|
||||
SSH_AUDIT_UNKNOWN
|
||||
};
|
||||
@ -311,7 +295,7 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
|
||||
+int audit_run_command(const char *);
|
||||
+void audit_end_command(int, const char *);
|
||||
ssh_audit_event_t audit_classify_auth(const char *);
|
||||
+int audit_keyusage(int, const char *, unsigned, char *, int);
|
||||
+int audit_keyusage(int, char *, int);
|
||||
+void audit_key(int, int *, const Key *);
|
||||
+void audit_unsupported(int);
|
||||
+void audit_kex(int, char *, char *, char *, char *);
|
||||
@ -320,13 +304,12 @@ diff -up openssh-7.6p1/audit.h.audit openssh-7.6p1/audit.h
|
||||
+void audit_session_key_free(int ctos);
|
||||
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
|
||||
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
+void audit_generate_ephemeral_server_key(const char *);
|
||||
|
||||
#endif /* _SSH_AUDIT_H */
|
||||
diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
--- openssh-7.6p1/audit-linux.c.audit 2017-10-02 21:34:26.000000000 +0200
|
||||
+++ openssh-7.6p1/audit-linux.c 2017-10-04 17:18:32.835505053 +0200
|
||||
@@ -33,25 +33,38 @@
|
||||
@@ -33,27 +33,40 @@
|
||||
|
||||
#include "log.h"
|
||||
#include "audit.h"
|
||||
@ -353,7 +336,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
-linux_audit_record_event(int uid, const char *username, const char *hostname,
|
||||
- const char *ip, const char *ttyn, int success)
|
||||
+static void
|
||||
+linux_audit_user_logxxx(int uid, const char *username, const char *hostname,
|
||||
+linux_audit_user_logxxx(int uid, const char *username,
|
||||
+ const char *ip, const char *ttyn, int success, int event)
|
||||
{
|
||||
int audit_fd, rc, saved_errno;
|
||||
@ -370,9 +353,12 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
- rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
|
||||
+ rc = audit_log_acct_message(audit_fd, event,
|
||||
NULL, "login", username ? username : "(unknown)",
|
||||
username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||
- username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||
+ username == NULL ? uid : -1, NULL, ip, ttyn, success);
|
||||
saved_errno = errno;
|
||||
@@ -65,9 +78,97 @@ linux_audit_record_event(int uid, const
|
||||
close(audit_fd);
|
||||
|
||||
@@ -65,9 +78,96 @@ linux_audit_record_event(int uid, const
|
||||
rc = 0;
|
||||
errno = saved_errno;
|
||||
|
||||
@ -385,7 +371,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
+
|
||||
+static void
|
||||
+linux_audit_user_auth(int uid, const char *username,
|
||||
+ const char *hostname, const char *ip, const char *ttyn, int success, int event)
|
||||
+ const char *ip, const char *ttyn, int success, int event)
|
||||
+{
|
||||
+ int audit_fd, rc, saved_errno;
|
||||
+ static const char *event_name[] = {
|
||||
@ -419,7 +405,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
+
|
||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH,
|
||||
+ NULL, event_name[event], username ? username : "(unknown)",
|
||||
+ username == NULL ? uid : -1, hostname, ip, ttyn, success);
|
||||
+ username == NULL ? uid : -1, NULL, ip, ttyn, success);
|
||||
+ saved_errno = errno;
|
||||
+ close(audit_fd);
|
||||
+ /*
|
||||
@ -436,7 +422,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+audit_keyusage(int host_user, const char *type, unsigned bits, char *fp, int rv)
|
||||
+audit_keyusage(int host_user, char *fp, int rv)
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, rc, saved_errno;
|
||||
@ -449,15 +435,14 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
+ else
|
||||
+ return 0; /* Must prevent login */
|
||||
+ }
|
||||
+ snprintf(buf, sizeof(buf), "%s_auth rport=%d", host_user ? "pubkey" : "hostbased", ssh_remote_port(active_state));
|
||||
+ snprintf(buf, sizeof(buf), "%s_auth grantors=auth-key", host_user ? "pubkey" : "hostbased");
|
||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
||||
+ buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
|
||||
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
|
||||
+ goto out;
|
||||
+ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
|
||||
+ type, bits, fp, ssh_remote_port(active_state));
|
||||
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
|
||||
+ buf, audit_username(), -1, NULL, ssh_remote_ipaddr(active_state), NULL, rv);
|
||||
+ snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", fp);
|
||||
+ rc = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, buf, NULL,
|
||||
+ ssh_remote_ipaddr(active_state), NULL, rv);
|
||||
+out:
|
||||
+ saved_errno = errno;
|
||||
+ audit_close(audit_fd);
|
||||
@ -471,7 +456,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
/* Below is the sshd audit API code */
|
||||
|
||||
void
|
||||
@@ -76,24 +177,51 @@ audit_connection_from(const char *host,
|
||||
@@ -76,24 +177,55 @@ audit_connection_from(const char *host,
|
||||
/* not implemented */
|
||||
}
|
||||
|
||||
@ -481,21 +466,25 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
{
|
||||
- /* not implemented */
|
||||
+ if (!user_login_count++)
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_LOGIN);
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_START);
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ ssh_remote_ipaddr(active_state),
|
||||
+ "ssh", 1, AUDIT_USER_LOGIN);
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ ssh_remote_ipaddr(active_state),
|
||||
+ "ssh", 1, AUDIT_USER_START);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_end_command(int handle, const char *command)
|
||||
+{
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_END);
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ ssh_remote_ipaddr(active_state),
|
||||
+ "ssh", 1, AUDIT_USER_END);
|
||||
+ if (user_login_count && !--user_login_count)
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL, session_get_remote_name_or_ip(active_state, utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ ssh_remote_ipaddr(active_state),
|
||||
+ "ssh", 1, AUDIT_USER_LOGOUT);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
@ -512,9 +501,9 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
- fatal("linux_audit_write_entry failed: %s", strerror(errno));
|
||||
+ if (!user_login_count++)
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_LOGIN);
|
||||
+ li->line, 1, AUDIT_USER_LOGIN);
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_START);
|
||||
+ li->line, 1, AUDIT_USER_START);
|
||||
}
|
||||
|
||||
void
|
||||
@ -522,38 +511,37 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
{
|
||||
- /* not implemented */
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_END);
|
||||
+ li->line, 1, AUDIT_USER_END);
|
||||
+ if (user_login_count && !--user_login_count)
|
||||
+ linux_audit_user_logxxx(li->uid, NULL, li->hostname,
|
||||
+ NULL, li->line, 1, AUDIT_USER_LOGOUT);
|
||||
+ li->line, 1, AUDIT_USER_LOGOUT);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -103,24 +231,180 @@ audit_event(ssh_audit_event_t event)
|
||||
@@ -102,25 +231,155 @@ audit_event(ssh_audit_event_t event)
|
||||
struct ssh *ssh = active_state; /* XXX */
|
||||
|
||||
switch(event) {
|
||||
case SSH_AUTH_SUCCESS:
|
||||
- case SSH_AUTH_SUCCESS:
|
||||
- case SSH_CONNECTION_CLOSE:
|
||||
+ linux_audit_user_auth(-1, audit_username(), NULL,
|
||||
+ ssh_remote_ipaddr(ssh), "ssh", 1, event);
|
||||
+ break;
|
||||
+
|
||||
case SSH_NOLOGIN:
|
||||
- case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
case SSH_LOGIN_ROOT_DENIED:
|
||||
+ linux_audit_user_auth(-1, audit_username(), NULL,
|
||||
+ linux_audit_user_auth(-1, audit_username(),
|
||||
+ ssh_remote_ipaddr(ssh), "ssh", 0, event);
|
||||
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
|
||||
+ linux_audit_user_logxxx(-1, audit_username(),
|
||||
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
||||
break;
|
||||
+ case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
case SSH_AUTH_FAIL_NONE:
|
||||
- case SSH_AUTH_FAIL_NONE:
|
||||
case SSH_AUTH_FAIL_PASSWD:
|
||||
+ if (options.use_pam)
|
||||
+ break;
|
||||
+ case SSH_LOGIN_EXCEED_MAXTRIES:
|
||||
case SSH_AUTH_FAIL_KBDINT:
|
||||
case SSH_AUTH_FAIL_PUBKEY:
|
||||
case SSH_AUTH_FAIL_HOSTBASED:
|
||||
case SSH_AUTH_FAIL_GSSAPI:
|
||||
+ linux_audit_user_auth(-1, audit_username(), NULL,
|
||||
+ linux_audit_user_auth(-1, audit_username(),
|
||||
+ ssh_remote_ipaddr(ssh), "ssh", 0, event);
|
||||
+ break;
|
||||
+
|
||||
@ -561,11 +549,11 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
+ if (user_login_count) {
|
||||
+ while (user_login_count--)
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_END);
|
||||
+ ssh_remote_ipaddr(ssh),
|
||||
+ "ssh", 1, AUDIT_USER_END);
|
||||
+ linux_audit_user_logxxx(the_authctxt->pw->pw_uid, NULL,
|
||||
+ session_get_remote_name_or_ip(ssh, utmp_len, options.use_dns),
|
||||
+ NULL, "ssh", 1, AUDIT_USER_LOGOUT);
|
||||
+ ssh_remote_ipaddr(ssh),
|
||||
+ "ssh", 1, AUDIT_USER_LOGOUT);
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
@ -573,7 +561,7 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
case SSH_INVALID_USER:
|
||||
- linux_audit_record_event(-1, audit_username(), NULL,
|
||||
- ssh_remote_ipaddr(ssh), "sshd", 0);
|
||||
+ linux_audit_user_logxxx(-1, audit_username(), NULL,
|
||||
+ linux_audit_user_logxxx(-1, audit_username(),
|
||||
+ ssh_remote_ipaddr(ssh), "ssh", 0, AUDIT_USER_LOGIN);
|
||||
break;
|
||||
default:
|
||||
@ -690,28 +678,6 @@ diff -up openssh-7.6p1/audit-linux.c.audit openssh-7.6p1/audit-linux.c
|
||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+audit_generate_ephemeral_server_key(const char *fp)
|
||||
+{
|
||||
+ char buf[AUDIT_LOG_SIZE];
|
||||
+ int audit_fd, audit_ok;
|
||||
+
|
||||
+ snprintf(buf, sizeof(buf), "op=create kind=server fp=%s direction=? ", fp);
|
||||
+ audit_fd = audit_open();
|
||||
+ if (audit_fd < 0) {
|
||||
+ if (errno != EINVAL && errno != EPROTONOSUPPORT &&
|
||||
+ errno != EAFNOSUPPORT)
|
||||
+ error("cannot open audit");
|
||||
+ return;
|
||||
+ }
|
||||
+ audit_ok = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER,
|
||||
+ buf, NULL, 0, NULL, 1);
|
||||
+ audit_close(audit_fd);
|
||||
+ /* do not abort if the error is EPERM and sshd is run as non root user */
|
||||
+ if ((audit_ok < 0) && ((audit_ok != -1) || (getuid() == 0)))
|
||||
+ error("cannot write into audit");
|
||||
+}
|
||||
#endif /* USE_LINUX_AUDIT */
|
||||
diff -up openssh-7.6p1/auditstub.c.audit openssh-7.6p1/auditstub.c
|
||||
@ -848,6 +814,15 @@ diff -up openssh-7.6p1/auth2-pubkey.c.audit openssh-7.6p1/auth2-pubkey.c
|
||||
diff -up openssh-7.6p1/auth.c.audit openssh-7.6p1/auth.c
|
||||
--- openssh-7.6p1/auth.c.audit 2017-10-04 17:18:32.746504598 +0200
|
||||
+++ openssh-7.6p1/auth.c 2017-10-04 17:18:32.835505053 +0200
|
||||
@@ -360,7 +360,7 @@ auth_log(Authctxt *authctxt, int authent
|
||||
# endif
|
||||
#endif
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
- if (authenticated == 0 && !authctxt->postponed)
|
||||
+ if (authenticated == 0 && !authctxt->postponed && !partial)
|
||||
audit_event(audit_classify_auth(method));
|
||||
#endif
|
||||
}
|
||||
@@ -599,9 +599,6 @@ getpwnamallow(const char *user)
|
||||
record_failed_login(user,
|
||||
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
|
||||
|
21
openssh.spec
21
openssh.spec
@ -66,7 +66,7 @@
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 7.6p1
|
||||
%global openssh_rel 3
|
||||
%global openssh_rel 6
|
||||
%global pam_ssh_agent_ver 0.10.3
|
||||
%global pam_ssh_agent_rel 3
|
||||
|
||||
@ -233,6 +233,8 @@ Patch949: openssh-7.6p1-cleanup-selinux.patch
|
||||
Patch950: openssh-7.5p1-sandbox.patch
|
||||
# PermitOpen bug in OpenSSH 7.6:
|
||||
Patch951: openssh-7.6p1-permitopen-bug.patch
|
||||
# CVE-2018-15473: User "enumeration" via malformed packets in authentication requests
|
||||
Patch952: openssh-7.6p1-CVE-2018-15473.patch
|
||||
|
||||
|
||||
License: BSD
|
||||
@ -295,9 +297,7 @@ Requires: openssh = %{version}-%{release}
|
||||
Requires(pre): /usr/sbin/useradd
|
||||
Requires: pam >= 1.0.1-3
|
||||
Requires: fipscheck-lib%{_isa} >= 1.3.0
|
||||
Requires(post): systemd-units
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
%{?systemd_requires}
|
||||
|
||||
%if %{ldap}
|
||||
%package ldap
|
||||
@ -458,6 +458,7 @@ popd
|
||||
%patch949 -p1 -b .refactor
|
||||
%patch950 -p1 -b .sandbox
|
||||
%patch951 -p1 -b .permitOpen
|
||||
%patch952 -p3 -b .enumeration
|
||||
|
||||
%patch200 -p1 -b .audit
|
||||
%patch201 -p1 -b .audit-race
|
||||
@ -765,6 +766,18 @@ getent passwd sshd >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Aug 25 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-6 + 0.10.3-3
|
||||
- Fix CVE-2018-15473 (#1619064)
|
||||
|
||||
* Thu Feb 01 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-5 + 0.10.3-3
|
||||
- Build correctly against systemd
|
||||
|
||||
* Thu Feb 01 2018 Jakub Jelen <jjelen@redhat.com> - 7.6p1-4 + 0.10.3-3
|
||||
- Whitelist gettid() syscall in seccomp filter (#1524392)
|
||||
- Do not pass hostnames to audit -- UseDNS is usually disabled (#1534577)
|
||||
- Rework audit events to match requirements
|
||||
- Packaging details from rawhide
|
||||
|
||||
* Mon Dec 11 2017 Jakub Jelen <jjelen@redhat.com> - 7.6p1-3 + 0.10.3-3
|
||||
- Do not segfault during audit cleanup (#1524233)
|
||||
- Avoid gcc warnings about uninitialized variables
|
||||
|