Compare commits
17 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
ac2648baae | ||
|
f0f3114095 | ||
|
df26987d52 | ||
|
f32b842272 | ||
|
446f300da0 | ||
|
a2e7f72c3c | ||
|
44aae310bd | ||
|
9979ff5307 | ||
|
5f230a4999 | ||
|
25c16c68f5 | ||
|
6e1851c5ba | ||
|
7347a74385 | ||
|
ab05c4fa21 | ||
|
106b283ba5 | ||
|
a886069993 | ||
|
1a45c5da8d | ||
|
ee6f0fcc0a |
5
.gitignore
vendored
5
.gitignore
vendored
@ -45,3 +45,8 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
|||||||
/openssh-8.4p1.tar.gz
|
/openssh-8.4p1.tar.gz
|
||||||
/openssh-8.4p1.tar.gz.asc
|
/openssh-8.4p1.tar.gz.asc
|
||||||
/pam_ssh_agent_auth-0.10.4.tar.gz
|
/pam_ssh_agent_auth-0.10.4.tar.gz
|
||||||
|
/openssh-8.5p1.tar.gz
|
||||||
|
/openssh-8.5p1.tar.gz.asc
|
||||||
|
/gpgkey-736060BA.gpg
|
||||||
|
/openssh-8.6p1.tar.gz
|
||||||
|
/openssh-8.6p1.tar.gz.asc
|
||||||
|
@ -1,12 +1,11 @@
|
|||||||
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c
|
||||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
|
--- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info 2021-04-19 13:57:11.720113536 +0200
|
||||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
|
+++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c 2021-04-19 13:59:29.842163204 +0200
|
||||||
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
|
@@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi
|
||||||
|
|
||||||
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
|
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
|
||||||
GTK_MESSAGE_ERROR,
|
GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
|
||||||
GTK_BUTTONS_CLOSE,
|
- "Could not grab %s. A malicious client may be eavesdropping "
|
||||||
- "Could not grab %s. "
|
|
||||||
- "A malicious client may be eavesdropping "
|
|
||||||
- "on your session.", what);
|
- "on your session.", what);
|
||||||
+ "SSH password dialog could not grab the %s input.\n"
|
+ "SSH password dialog could not grab the %s input.\n"
|
||||||
+ "This might be caused by application such as screensaver, "
|
+ "This might be caused by application such as screensaver, "
|
||||||
|
@ -1,19 +1,19 @@
|
|||||||
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
|
||||||
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
|
+++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200
|
||||||
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
|
@@ -194,6 +194,11 @@ void
|
||||||
void
|
log_init(const char *av0, LogLevel level, SyslogFacility facility,
|
||||||
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
|
int on_stderr)
|
||||||
{
|
{
|
||||||
+ log_init_handler(av0, level, facility, on_stderr, 1);
|
+ log_init_handler(av0, level, facility, on_stderr, 1);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+void
|
+void
|
||||||
+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
|
+log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
|
||||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||||
#endif
|
#endif
|
||||||
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
|
@@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -26,21 +26,21 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
|||||||
|
|
||||||
log_on_stderr = on_stderr;
|
log_on_stderr = on_stderr;
|
||||||
if (on_stderr)
|
if (on_stderr)
|
||||||
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
|
diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
|
||||||
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/log.h.log-in-chroot 2021-04-19 14:43:08.544843434 +0200
|
||||||
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
|
+++ openssh-8.6p1/log.h 2021-04-19 14:56:46.931042176 +0200
|
||||||
@@ -49,6 +49,7 @@ typedef enum {
|
@@ -52,6 +52,7 @@ typedef enum {
|
||||||
typedef void (log_handler_fn)(LogLevel, const char *, void *);
|
typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
|
||||||
|
|
||||||
void log_init(char *, LogLevel, SyslogFacility, int);
|
void log_init(const char *, LogLevel, SyslogFacility, int);
|
||||||
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
|
+void log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
|
||||||
LogLevel log_level_get(void);
|
LogLevel log_level_get(void);
|
||||||
int log_change_level(LogLevel);
|
int log_change_level(LogLevel);
|
||||||
int log_is_on_stderr(void);
|
int log_is_on_stderr(void);
|
||||||
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
|
||||||
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
|
--- openssh-8.6p1/monitor.c.log-in-chroot 2021-04-19 14:43:08.526843298 +0200
|
||||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
|
+++ openssh-8.6p1/monitor.c 2021-04-19 14:55:25.286424043 +0200
|
||||||
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
|
@@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
|
||||||
close(pmonitor->m_log_sendfd);
|
close(pmonitor->m_log_sendfd);
|
||||||
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
|
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
|
||||||
|
|
||||||
@ -49,7 +49,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
authctxt = (Authctxt *)ssh->authctxt;
|
authctxt = (Authctxt *)ssh->authctxt;
|
||||||
memset(authctxt, 0, sizeof(*authctxt));
|
memset(authctxt, 0, sizeof(*authctxt));
|
||||||
ssh->authctxt = authctxt;
|
ssh->authctxt = authctxt;
|
||||||
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
|
@@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
|
||||||
close(pmonitor->m_recvfd);
|
close(pmonitor->m_recvfd);
|
||||||
pmonitor->m_recvfd = -1;
|
pmonitor->m_recvfd = -1;
|
||||||
|
|
||||||
@ -58,16 +58,16 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
monitor_set_child_handler(pmonitor->m_pid);
|
monitor_set_child_handler(pmonitor->m_pid);
|
||||||
ssh_signal(SIGHUP, &monitor_child_handler);
|
ssh_signal(SIGHUP, &monitor_child_handler);
|
||||||
ssh_signal(SIGTERM, &monitor_child_handler);
|
ssh_signal(SIGTERM, &monitor_child_handler);
|
||||||
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
@@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
|
||||||
|
/* Log it */
|
||||||
if (log_level_name(level) == NULL)
|
if (log_level_name(level) == NULL)
|
||||||
fatal("%s: invalid log level %u (corrupted message?)",
|
fatal_f("invalid log level %u (corrupted message?)", level);
|
||||||
__func__, level);
|
- sshlogdirect(level, forced, "%s [preauth]", msg);
|
||||||
- do_log2(level, "%s [preauth]", msg);
|
+ sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
|
||||||
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
|
|
||||||
|
|
||||||
sshbuf_free(logmsg);
|
sshbuf_free(logmsg);
|
||||||
free(msg);
|
free(msg);
|
||||||
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
@@ -1868,13 +1872,28 @@ monitor_init(void)
|
||||||
mon = xcalloc(1, sizeof(*mon));
|
mon = xcalloc(1, sizeof(*mon));
|
||||||
monitor_openfds(mon, 1);
|
monitor_openfds(mon, 1);
|
||||||
|
|
||||||
@ -89,7 +89,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
|
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
|
||||||
+
|
+
|
||||||
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
|
+ if (stat(dev_log_path, &dev_log_stat) != 0) {
|
||||||
+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
|
+ debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
|
||||||
+ do_logfds = 1;
|
+ do_logfds = 1;
|
||||||
+ }
|
+ }
|
||||||
+ free(dev_log_path);
|
+ free(dev_log_path);
|
||||||
@ -98,10 +98,10 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
|
diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
|
||||||
--- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100
|
--- openssh-8.6p1/monitor.h.log-in-chroot 2021-04-19 14:43:08.527843305 +0200
|
||||||
+++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100
|
+++ openssh-8.6p1/monitor.h 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -83,10 +83,11 @@ struct monitor {
|
@@ -80,10 +80,11 @@ struct monitor {
|
||||||
int m_log_sendfd;
|
int m_log_sendfd;
|
||||||
struct kex **m_pkex;
|
struct kex **m_pkex;
|
||||||
pid_t m_pid;
|
pid_t m_pid;
|
||||||
@ -114,9 +114,9 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
|
|||||||
|
|
||||||
struct Authctxt;
|
struct Authctxt;
|
||||||
void monitor_child_preauth(struct ssh *, struct monitor *);
|
void monitor_child_preauth(struct ssh *, struct monitor *);
|
||||||
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
|
||||||
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100
|
--- openssh-8.6p1/session.c.log-in-chroot 2021-04-19 14:43:08.534843358 +0200
|
||||||
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100
|
+++ openssh-8.6p1/session.c 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -160,6 +160,7 @@ login_cap_t *lc;
|
@@ -160,6 +160,7 @@ login_cap_t *lc;
|
||||||
|
|
||||||
static int is_child = 0;
|
static int is_child = 0;
|
||||||
@ -125,7 +125,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
|
|
||||||
/* File containing userauth info, if ExposeAuthInfo set */
|
/* File containing userauth info, if ExposeAuthInfo set */
|
||||||
static char *auth_info_file = NULL;
|
static char *auth_info_file = NULL;
|
||||||
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
|
@@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||||
int ret;
|
int ret;
|
||||||
const char *forced = NULL, *tty = NULL;
|
const char *forced = NULL, *tty = NULL;
|
||||||
char session_type[1024];
|
char session_type[1024];
|
||||||
@ -133,7 +133,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
|
|
||||||
if (options.adm_forced_command) {
|
if (options.adm_forced_command) {
|
||||||
original_command = command;
|
original_command = command;
|
||||||
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
|
@@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
|
||||||
tty += 5;
|
tty += 5;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -144,7 +144,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
||||||
session_type,
|
session_type,
|
||||||
tty == NULL ? "" : " on ",
|
tty == NULL ? "" : " on ",
|
||||||
@@ -1486,14 +1492,6 @@ child_close_fds(void)
|
@@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
|
||||||
|
|
||||||
/* Stop directing logs to a high-numbered fd before we close it */
|
/* Stop directing logs to a high-numbered fd before we close it */
|
||||||
log_redirect_stderr_to(NULL);
|
log_redirect_stderr_to(NULL);
|
||||||
@ -159,7 +159,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
|
@@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -168,7 +168,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
do_rc_files(ssh, s, shell);
|
do_rc_files(ssh, s, shell);
|
||||||
|
|
||||||
/* restore SIGPIPE for child */
|
/* restore SIGPIPE for child */
|
||||||
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
|
@@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
|
||||||
argv[i] = NULL;
|
argv[i] = NULL;
|
||||||
optind = optreset = 1;
|
optind = optreset = 1;
|
||||||
__progname = argv[0];
|
__progname = argv[0];
|
||||||
@ -187,9 +187,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
|||||||
fflush(NULL);
|
fflush(NULL);
|
||||||
|
|
||||||
/* Get the last component of the shell name. */
|
/* Get the last component of the shell name. */
|
||||||
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
|
diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
|
||||||
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/sftp.h.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100
|
+++ openssh-8.6p1/sftp.h 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -97,5 +97,5 @@
|
@@ -97,5 +97,5 @@
|
||||||
|
|
||||||
struct passwd;
|
struct passwd;
|
||||||
@ -197,10 +197,10 @@ diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
|
|||||||
-int sftp_server_main(int, char **, struct passwd *);
|
-int sftp_server_main(int, char **, struct passwd *);
|
||||||
+int sftp_server_main(int, char **, struct passwd *, int);
|
+int sftp_server_main(int, char **, struct passwd *, int);
|
||||||
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
||||||
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
|
||||||
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/sftp-server.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100
|
+++ openssh-8.6p1/sftp-server.c 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
|
@@ -1644,7 +1644,7 @@ sftp_server_usage(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
@ -209,7 +209,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
|||||||
{
|
{
|
||||||
fd_set *rset, *wset;
|
fd_set *rset, *wset;
|
||||||
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
||||||
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
|
@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
|
||||||
extern char *__progname;
|
extern char *__progname;
|
||||||
|
|
||||||
__progname = ssh_get_progname(argv[0]);
|
__progname = ssh_get_progname(argv[0]);
|
||||||
@ -218,7 +218,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
|||||||
|
|
||||||
pw = pwcopy(user_pw);
|
pw = pwcopy(user_pw);
|
||||||
|
|
||||||
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
|
@@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -227,20 +227,20 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* On platforms where we can, avoid making /proc/self/{mem,maps}
|
* On platforms where we can, avoid making /proc/self/{mem,maps}
|
||||||
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
|
diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
|
||||||
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-8.6p1/sftp-server-main.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100
|
+++ openssh-8.6p1/sftp-server-main.c 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -49,5 +49,5 @@ main(int argc, char **argv)
|
@@ -50,5 +50,5 @@ main(int argc, char **argv)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
- return (sftp_server_main(argc, argv, user_pw));
|
- return (sftp_server_main(argc, argv, user_pw));
|
||||||
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
||||||
}
|
}
|
||||||
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
|
diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c
|
||||||
--- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100
|
--- openssh-8.6p1/sshd.c.log-in-chroot 2021-04-19 14:43:08.543843426 +0200
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100
|
+++ openssh-8.6p1/sshd.c 2021-04-19 14:43:08.545843441 +0200
|
||||||
@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
|
@@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||||
}
|
}
|
||||||
|
|
||||||
/* New socket pair */
|
/* New socket pair */
|
||||||
@ -249,7 +249,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
|
|||||||
|
|
||||||
pmonitor->m_pid = fork();
|
pmonitor->m_pid = fork();
|
||||||
if (pmonitor->m_pid == -1)
|
if (pmonitor->m_pid == -1)
|
||||||
@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
|
@@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
|
||||||
|
|
||||||
close(pmonitor->m_sendfd);
|
close(pmonitor->m_sendfd);
|
||||||
pmonitor->m_sendfd = -1;
|
pmonitor->m_sendfd = -1;
|
||||||
|
@ -34,19 +34,19 @@ index 8f32464..18a2ca4 100644
|
|||||||
+
|
+
|
||||||
+ contexts_path = selinux_openssh_contexts_path();
|
+ contexts_path = selinux_openssh_contexts_path();
|
||||||
+ if (contexts_path == NULL) {
|
+ if (contexts_path == NULL) {
|
||||||
+ debug3("%s: Failed to get the path to SELinux context", __func__);
|
+ debug3_f("Failed to get the path to SELinux context");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
||||||
+ debug("%s: Failed to open SELinux context file", __func__);
|
+ debug_f("Failed to open SELinux context file");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
||||||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
||||||
+ logit("%s: SELinux context file needs to be owned by root"
|
+ logit_f("SELinux context file needs to be owned by root"
|
||||||
+ " and not writable by anyone else", __func__);
|
+ " and not writable by anyone else");
|
||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
@ -70,7 +70,7 @@ index 8f32464..18a2ca4 100644
|
|||||||
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
||||||
+ arg = strdelim(&cp);
|
+ arg = strdelim(&cp);
|
||||||
+ if (!arg || *arg == '\0') {
|
+ if (!arg || *arg == '\0') {
|
||||||
+ debug("%s: privsep_preauth is empty", __func__);
|
+ debug_f("privsep_preauth is empty");
|
||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
@ -80,8 +80,8 @@ index 8f32464..18a2ca4 100644
|
|||||||
+ fclose(contexts_file);
|
+ fclose(contexts_file);
|
||||||
+
|
+
|
||||||
+ if (preauth_context == NULL) {
|
+ if (preauth_context == NULL) {
|
||||||
+ debug("%s: Unable to find 'privsep_preauth' option in"
|
+ debug_f("Unable to find 'privsep_preauth' option in"
|
||||||
+ " SELinux context file", __func__);
|
+ " SELinux context file");
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -101,10 +101,11 @@ index 22ea8ef..1fc963d 100644
|
|||||||
if ((cx = index(cx + 1, ':')))
|
if ((cx = index(cx + 1, ':')))
|
||||||
strlcat(newctx, cx, newlen);
|
strlcat(newctx, cx, newlen);
|
||||||
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
||||||
+ debug("%s: setting context from '%s' to '%s'", __func__,
|
+ debug_f("setting context from '%s' to '%s'",
|
||||||
oldctx, newctx);
|
oldctx, newctx);
|
||||||
if (setcon(newctx) < 0)
|
if (setcon(newctx) < 0)
|
||||||
switchlog("%s: setcon %s from %s failed with %s", __func__,
|
do_log2(log_level, "%s: setcon %s from %s failed with %s",
|
||||||
|
__func__, newctx, oldctx, strerror(errno));
|
||||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||||
index cb51f99..8b7cda2 100644
|
index cb51f99..8b7cda2 100644
|
||||||
--- a/openbsd-compat/port-linux.h
|
--- a/openbsd-compat/port-linux.h
|
||||||
|
@ -39,8 +39,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -418,7 +421,7 @@ typedef enum {
|
@@ -418,7 +421,7 @@ typedef enum {
|
||||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
|
||||||
sHostKeyAlgorithms,
|
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||||
|
@ -1,257 +0,0 @@
|
|||||||
diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
|
||||||
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
|
|
||||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
|
|
||||||
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
||||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
||||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
|
||||||
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
|
||||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
|
||||||
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
|
||||||
|
|
||||||
.SUFFIXES: .lo
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
|
||||||
|
|
||||||
XMSS_OBJS=\
|
|
||||||
ssh-xmss.o \
|
|
||||||
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
|
||||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
|
||||||
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
|
||||||
|
|
||||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
|
||||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
+
|
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
|
||||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
@@ -326,6 +330,7 @@ install-files:
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
|
||||||
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
|
||||||
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
|
|
||||||
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
|
|
||||||
@@ -0,0 +1,215 @@
|
|
||||||
+/*
|
|
||||||
+ *
|
|
||||||
+ * invocation (all of the following are equal):
|
|
||||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
|
|
||||||
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
|
|
||||||
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <sys/param.h>
|
|
||||||
+#include <stdarg.h>
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+#include <ctype.h>
|
|
||||||
+
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
+#include "log.h"
|
|
||||||
+#include "ssherr.h"
|
|
||||||
+#include "cipher.h"
|
|
||||||
+
|
|
||||||
+/* compatibility with old or broken OpenSSL versions */
|
|
||||||
+#include "openbsd-compat/openssl-compat.h"
|
|
||||||
+
|
|
||||||
+void usage(void) {
|
|
||||||
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
|
|
||||||
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
|
|
||||||
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
|
|
||||||
+ "Hexadecimal output is printed to stdout.\n"
|
|
||||||
+ "Hexadecimal input data can be alternatively read from stdin.\n");
|
|
||||||
+ exit(1);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+void *fromhex(char *hex, size_t *len)
|
|
||||||
+{
|
|
||||||
+ unsigned char *bin;
|
|
||||||
+ char *p;
|
|
||||||
+ size_t n = 0;
|
|
||||||
+ int shift = 4;
|
|
||||||
+ unsigned char out = 0;
|
|
||||||
+ unsigned char *optr;
|
|
||||||
+
|
|
||||||
+ bin = xmalloc(strlen(hex)/2);
|
|
||||||
+ optr = bin;
|
|
||||||
+
|
|
||||||
+ for (p = hex; *p != '\0'; ++p) {
|
|
||||||
+ unsigned char c;
|
|
||||||
+
|
|
||||||
+ c = *p;
|
|
||||||
+ if (isspace(c))
|
|
||||||
+ continue;
|
|
||||||
+
|
|
||||||
+ if (c >= '0' && c <= '9') {
|
|
||||||
+ c = c - '0';
|
|
||||||
+ } else if (c >= 'A' && c <= 'F') {
|
|
||||||
+ c = c - 'A' + 10;
|
|
||||||
+ } else if (c >= 'a' && c <= 'f') {
|
|
||||||
+ c = c - 'a' + 10;
|
|
||||||
+ } else {
|
|
||||||
+ /* truncate on nonhex cipher */
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ out |= c << shift;
|
|
||||||
+ shift = (shift + 4) % 8;
|
|
||||||
+
|
|
||||||
+ if (shift) {
|
|
||||||
+ *(optr++) = out;
|
|
||||||
+ out = 0;
|
|
||||||
+ ++n;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *len = n;
|
|
||||||
+ return bin;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+#define READ_CHUNK 4096
|
|
||||||
+#define MAX_READ_SIZE 1024*1024*100
|
|
||||||
+char *read_stdin(void)
|
|
||||||
+{
|
|
||||||
+ char *buf;
|
|
||||||
+ size_t n, total = 0;
|
|
||||||
+
|
|
||||||
+ buf = xmalloc(READ_CHUNK);
|
|
||||||
+
|
|
||||||
+ do {
|
|
||||||
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
|
|
||||||
+ if (n < READ_CHUNK) /* terminate on short read */
|
|
||||||
+ break;
|
|
||||||
+
|
|
||||||
+ total += n;
|
|
||||||
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
|
|
||||||
+ } while(total < MAX_READ_SIZE);
|
|
||||||
+ return buf;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int main (int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+
|
|
||||||
+ const struct sshcipher *c;
|
|
||||||
+ struct sshcipher_ctx *cc;
|
|
||||||
+ char *algo = "aes128-ctr";
|
|
||||||
+ char *hexkey = NULL;
|
|
||||||
+ char *hexiv = "00000000000000000000000000000000";
|
|
||||||
+ char *hexdata = NULL;
|
|
||||||
+ char *p;
|
|
||||||
+ int i, r;
|
|
||||||
+ int encrypt = 1;
|
|
||||||
+ void *key;
|
|
||||||
+ size_t keylen;
|
|
||||||
+ void *iv;
|
|
||||||
+ size_t ivlen;
|
|
||||||
+ void *data;
|
|
||||||
+ size_t datalen;
|
|
||||||
+ void *outdata;
|
|
||||||
+
|
|
||||||
+ for (i = 1; i < argc; ++i) {
|
|
||||||
+ if (strcmp(argv[i], "--algo") == 0) {
|
|
||||||
+ algo = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--key") == 0) {
|
|
||||||
+ hexkey = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--mode") == 0) {
|
|
||||||
+ ++i;
|
|
||||||
+ if (argv[i] == NULL) {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+ if (strncmp(argv[i], "enc", 3) == 0) {
|
|
||||||
+ encrypt = 1;
|
|
||||||
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
|
|
||||||
+ encrypt = 0;
|
|
||||||
+ } else {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+ } else if (strcmp(argv[i], "--iv") == 0) {
|
|
||||||
+ hexiv = argv[++i];
|
|
||||||
+ } else if (strcmp(argv[i], "--data") == 0) {
|
|
||||||
+ hexdata = argv[++i];
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (hexkey == NULL || algo == NULL) {
|
|
||||||
+ usage();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ OpenSSL_add_all_algorithms();
|
|
||||||
+
|
|
||||||
+ c = cipher_by_name(algo);
|
|
||||||
+ if (c == NULL) {
|
|
||||||
+ fprintf(stderr, "Error: unknown algorithm\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (hexdata == NULL) {
|
|
||||||
+ hexdata = read_stdin();
|
|
||||||
+ } else {
|
|
||||||
+ hexdata = xstrdup(hexdata);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ key = fromhex(hexkey, &keylen);
|
|
||||||
+
|
|
||||||
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
|
|
||||||
+ fprintf(stderr, "Error: unsupported key length\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ iv = fromhex(hexiv, &ivlen);
|
|
||||||
+
|
|
||||||
+ if (ivlen != 16) {
|
|
||||||
+ fprintf(stderr, "Error: unsupported iv length\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data = fromhex(hexdata, &datalen);
|
|
||||||
+
|
|
||||||
+ if (data == NULL || datalen == 0) {
|
|
||||||
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
|
|
||||||
+ fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(key);
|
|
||||||
+ free(iv);
|
|
||||||
+
|
|
||||||
+ outdata = malloc(datalen);
|
|
||||||
+ if(outdata == NULL) {
|
|
||||||
+ fprintf(stderr, "Error: memory allocation failure\n");
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
|
|
||||||
+ fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
|
|
||||||
+ return 2;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(data);
|
|
||||||
+
|
|
||||||
+ cipher_free(cc);
|
|
||||||
+
|
|
||||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
|
||||||
+ printf("%02X", (unsigned char)*p);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ free(outdata);
|
|
||||||
+
|
|
||||||
+ printf("\n");
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
@ -1,10 +1,10 @@
|
|||||||
diff -up openssh/auth.c.keycat openssh/misc.c
|
diff -up openssh/misc.c.keycat openssh/misc.c
|
||||||
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||||
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200
|
+++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
|
||||||
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
|
@@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw
|
||||||
|
error("%s: dup2: %s", tag, strerror(errno));
|
||||||
_exit(1);
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ if (sshd_selinux_setup_env_variables() < 0) {
|
+ if (sshd_selinux_setup_env_variables() < 0) {
|
||||||
+ error ("failed to copy environment: %s",
|
+ error ("failed to copy environment: %s",
|
||||||
@ -12,10 +12,9 @@ diff -up openssh/auth.c.keycat openssh/misc.c
|
|||||||
+ _exit(127);
|
+ _exit(127);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+
|
if (env != NULL)
|
||||||
execve(av[0], av, child_env);
|
execve(av[0], av, env);
|
||||||
error("%s exec \"%s\": %s", tag, command, strerror(errno));
|
else
|
||||||
_exit(127);
|
|
||||||
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
|
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
|
||||||
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
|
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
|
||||||
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
|
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
|
||||||
|
@ -193,7 +193,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -399,7 +402,7 @@ typedef enum {
|
@@ -399,7 +402,7 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||||
|
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
|||||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
||||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
||||||
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
||||||
debug3("%s: done", __func__);
|
debug3_f("done");
|
||||||
}
|
}
|
||||||
|
|
||||||
+void
|
+void
|
||||||
@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
|||||||
+ return;
|
+ return;
|
||||||
+
|
+
|
||||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||||
+ logit("%s: getexeccon failed with %s", __func__, strerror(errno));
|
+ logit_f("getexeccon failed with %s", strerror(errno));
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+ if (ctx != NULL) {
|
+ if (ctx != NULL) {
|
||||||
+ /* unset exec context before we will lose this capabililty */
|
+ /* unset exec context before we will lose this capabililty */
|
||||||
+ if (setexeccon(NULL) != 0)
|
+ if (setexeccon(NULL) != 0)
|
||||||
+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno));
|
+ fatal_f("setexeccon failed with %s", strerror(errno));
|
||||||
+ if (setcon(ctx) != 0)
|
+ if (setcon(ctx) != 0)
|
||||||
+ fatal("%s: setcon failed with %s", __func__, strerror(errno));
|
+ fatal_f("setcon failed with %s", strerror(errno));
|
||||||
+ freecon(ctx);
|
+ freecon(ctx);
|
||||||
+ }
|
+ }
|
||||||
+}
|
+}
|
||||||
|
@ -1,3 +1,79 @@
|
|||||||
|
diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c
|
||||||
|
--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
|
+++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100
|
||||||
|
@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n
|
||||||
|
if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
- if (ai == NULL || ai->ai_addr == NULL)
|
||||||
|
+ if (ai == NULL || ai->ai_addr == NULL) {
|
||||||
|
+ freeaddrinfo(ai);
|
||||||
|
return -1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen,
|
||||||
|
n) == -1) {
|
||||||
|
@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char *
|
||||||
|
if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
- if (ai == NULL || ai->ai_addr == NULL)
|
||||||
|
+ if (ai == NULL || ai->ai_addr == NULL) {
|
||||||
|
+ freeaddrinfo(ai);
|
||||||
|
return -1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (sa != NULL) {
|
||||||
|
- if (slen < ai->ai_addrlen)
|
||||||
|
+ if (slen < ai->ai_addrlen) {
|
||||||
|
+ freeaddrinfo(ai);
|
||||||
|
return -1;
|
||||||
|
+ }
|
||||||
|
memcpy(sa, &ai->ai_addr, ai->ai_addrlen);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
|
||||||
|
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
|
||||||
|
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
|
||||||
|
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
|
||||||
|
umask(old_umask);
|
||||||
|
if (tmpfd == -1) {
|
||||||
|
logit("mkstemp(): %.100s", strerror(oerrno));
|
||||||
|
+ free(ccname);
|
||||||
|
return oerrno;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
|
||||||
|
oerrno = errno;
|
||||||
|
logit("fchmod(): %.100s", strerror(oerrno));
|
||||||
|
close(tmpfd);
|
||||||
|
+ free(ccname);
|
||||||
|
return oerrno;
|
||||||
|
}
|
||||||
|
/* make sure the KRB5CCNAME is set for non-standard location */
|
||||||
|
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
|
||||||
|
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
|
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
|
||||||
|
@@ -409,8 +409,10 @@ sshauthopt_parse(const char *opts, const
|
||||||
|
errstr = "invalid environment string";
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
- if ((cp = strdup(opt)) == NULL)
|
||||||
|
+ if ((cp = strdup(opt)) == NULL) {
|
||||||
|
+ free(opt);
|
||||||
|
goto alloc_fail;
|
||||||
|
+ }
|
||||||
|
cp[tmp - opt] = '\0'; /* truncate at '=' */
|
||||||
|
if (!valid_env_name(cp)) {
|
||||||
|
free(cp);
|
||||||
|
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
/* success */
|
||||||
|
+ sshbuf_free(b);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
|
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
|
||||||
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
|
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
|
||||||
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
|
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
|
||||||
@ -16,6 +92,195 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
|
|||||||
set_nonblock(efd);
|
set_nonblock(efd);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh,
|
||||||
|
debug("channel %d: connection failed: %s",
|
||||||
|
c->self, strerror(err));
|
||||||
|
/* Try next address, if any */
|
||||||
|
- if ((sock = connect_next(&c->connect_ctx)) > 0) {
|
||||||
|
+ if ((sock = connect_next(&c->connect_ctx)) >= 0) {
|
||||||
|
close(c->sock);
|
||||||
|
c->sock = c->rfd = c->wfd = sock;
|
||||||
|
channel_find_maxfd(ssh->chanctxt);
|
||||||
|
@@ -3804,7 +3804,7 @@ int
|
||||||
|
channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
|
||||||
|
{
|
||||||
|
int r, success = 0, idx = -1;
|
||||||
|
- char *host_to_connect, *listen_host, *listen_path;
|
||||||
|
+ char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL;
|
||||||
|
int port_to_connect, listen_port;
|
||||||
|
|
||||||
|
/* Send the forward request to the remote side. */
|
||||||
|
@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct
|
||||||
|
success = 1;
|
||||||
|
if (success) {
|
||||||
|
/* Record that connection to this host/port is permitted. */
|
||||||
|
- host_to_connect = listen_host = listen_path = NULL;
|
||||||
|
port_to_connect = listen_port = 0;
|
||||||
|
if (fwd->connect_path != NULL) {
|
||||||
|
host_to_connect = xstrdup(fwd->connect_path);
|
||||||
|
@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct
|
||||||
|
host_to_connect, port_to_connect,
|
||||||
|
listen_host, listen_path, listen_port, NULL);
|
||||||
|
}
|
||||||
|
+ free(host_to_connect);
|
||||||
|
+ free(listen_host);
|
||||||
|
+ free(listen_path);
|
||||||
|
return idx;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c
|
||||||
|
--- openssh-8.5p1/compat.c.coverity 2021-03-24 12:03:33.768968062 +0100
|
||||||
|
+++ openssh-8.5p1/compat.c 2021-03-24 12:03:33.783968166 +0100
|
||||||
|
@@ -191,10 +191,12 @@ compat_kex_proposal(struct ssh *ssh, cha
|
||||||
|
return p;
|
||||||
|
debug2_f("original KEX proposal: %s", p);
|
||||||
|
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
|
||||||
|
+ /* coverity[overwrite_var : FALSE] */
|
||||||
|
if ((p = match_filter_denylist(p,
|
||||||
|
"curve25519-sha256@libssh.org")) == NULL)
|
||||||
|
fatal("match_filter_denylist failed");
|
||||||
|
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
|
||||||
|
+ /* coverity[overwrite_var : FALSE] */
|
||||||
|
if ((p = match_filter_denylist(p,
|
||||||
|
"diffie-hellman-group-exchange-sha256,"
|
||||||
|
"diffie-hellman-group-exchange-sha1")) == NULL)
|
||||||
|
diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
|
||||||
|
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
|
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
|
||||||
|
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
|
||||||
|
&hostkey_digest_len, hostkey)) {
|
||||||
|
error("Error calculating key fingerprint.");
|
||||||
|
freerrset(fingerprints);
|
||||||
|
+ free(dnskey_digest);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
|
||||||
|
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
|
||||||
|
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
|
||||||
|
@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||||
|
enclen = __b64_ntop(digest,
|
||||||
|
ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
|
||||||
|
ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
|
||||||
|
-
|
||||||
|
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
|
||||||
|
cp = strncpy(s, kex, strlen(kex));
|
||||||
|
+#pragma pop
|
||||||
|
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||||
|
(p = strsep(&cp, ","))) {
|
||||||
|
if (sshbuf_len(buf) != 0 &&
|
||||||
|
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
|
||||||
|
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
|
||||||
|
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
|
||||||
|
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
|
||||||
|
default:
|
||||||
|
fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
|
}
|
||||||
|
- if (r != 0)
|
||||||
|
+ if (r != 0) {
|
||||||
|
+ ssh_gssapi_delete_ctx(&ctxt);
|
||||||
|
return r;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
token_ptr = GSS_C_NO_BUFFER;
|
||||||
|
|
||||||
|
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
|
||||||
|
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
|
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
|
||||||
|
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
|
||||||
|
sshkey_free(key);
|
||||||
|
sshbuf_free(copy);
|
||||||
|
sshbuf_free(sect);
|
||||||
|
+ /* coverity[leaked_storage : FALSE] */
|
||||||
|
return r;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
|
||||||
|
return r;
|
||||||
|
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
|
||||||
|
free(rb.blob);
|
||||||
|
+ rb.blob = NULL; /* make coverity happy */
|
||||||
|
if (erb != NULL) {
|
||||||
|
KRL_DBG(("revoked by key SHA1"));
|
||||||
|
return SSH_ERR_KEY_REVOKED;
|
||||||
|
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons
|
||||||
|
return r;
|
||||||
|
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
|
||||||
|
free(rb.blob);
|
||||||
|
+ rb.blob = NULL; /* make coverity happy */
|
||||||
|
if (erb != NULL) {
|
||||||
|
KRL_DBG(("revoked by key SHA256"));
|
||||||
|
return SSH_ERR_KEY_REVOKED;
|
||||||
|
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons
|
||||||
|
return r;
|
||||||
|
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
|
||||||
|
free(rb.blob);
|
||||||
|
+ rb.blob = NULL; /* make coverity happy */
|
||||||
|
if (erb != NULL) {
|
||||||
|
KRL_DBG(("revoked by explicit key"));
|
||||||
|
return SSH_ERR_KEY_REVOKED;
|
||||||
|
diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
|
||||||
|
--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100
|
||||||
|
+++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100
|
||||||
|
@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li,
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Use strncpy because we don't necessarily want null termination */
|
||||||
|
+ /* coverity[buffer_size_warning : FALSE] */
|
||||||
|
strncpy(ut->ut_name, li->username,
|
||||||
|
MIN_SIZEOF(ut->ut_name, li->username));
|
||||||
|
# ifdef HAVE_HOST_IN_UTMP
|
||||||
|
+ /* coverity[buffer_size_warning : FALSE] */
|
||||||
|
strncpy(ut->ut_host, li->hostname,
|
||||||
|
MIN_SIZEOF(ut->ut_host, li->hostname));
|
||||||
|
# endif
|
||||||
|
@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con
|
||||||
|
|
||||||
|
memset(&ut, 0, sizeof(ut));
|
||||||
|
/* strncpy because we don't necessarily want nul termination */
|
||||||
|
+ /* coverity[buffer_size_warning : FALSE] */
|
||||||
|
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
|
||||||
|
strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
|
||||||
|
|
||||||
|
@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con
|
||||||
|
ut.ut_pid = getpid();
|
||||||
|
|
||||||
|
/* strncpy because we don't necessarily want nul termination */
|
||||||
|
+ /* coverity[buffer_size_warning : FALSE] */
|
||||||
|
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
|
||||||
|
|
||||||
|
if (ssh_packet_connection_is_on_socket(ssh) &&
|
||||||
|
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
|
||||||
|
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100
|
||||||
|
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100
|
||||||
|
@@ -1425,6 +1425,8 @@ sanitise_stdfd(void)
|
||||||
|
}
|
||||||
|
if (nullfd > STDERR_FILENO)
|
||||||
|
close(nullfd);
|
||||||
|
+ /* coverity[leaked_handle : FALSE]*/
|
||||||
|
+ /* coverity[leaked_handle : FALSE]*/
|
||||||
|
}
|
||||||
|
|
||||||
|
char *
|
||||||
|
@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou
|
||||||
|
}
|
||||||
|
if (devnull > STDERR_FILENO)
|
||||||
|
close(devnull);
|
||||||
|
+ /* coverity[leaked_handle : FALSE]*/
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c
|
||||||
|
--- openssh-8.5p1/moduli.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
|
+++ openssh-8.5p1/moduli.c 2021-03-24 12:03:33.784968173 +0100
|
||||||
|
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t
|
||||||
|
else
|
||||||
|
logit("failed to write to checkpoint file '%s': %s", cpfile,
|
||||||
|
strerror(errno));
|
||||||
|
+ /* coverity[leaked_storage : FALSE] */
|
||||||
|
}
|
||||||
|
|
||||||
|
static unsigned long
|
||||||
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
||||||
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
|
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
|
||||||
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
|
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
|
||||||
@ -28,13 +293,22 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
|||||||
;
|
;
|
||||||
|
|
||||||
if (pmonitor->m_recvfd >= 0)
|
if (pmonitor->m_recvfd >= 0)
|
||||||
|
@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
|
||||||
|
s->ptymaster = s->ptyfd;
|
||||||
|
|
||||||
|
debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
|
||||||
|
-
|
||||||
|
+ /* coverity[leaked_handle : FALSE] */
|
||||||
|
return (0);
|
||||||
|
|
||||||
|
error:
|
||||||
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
||||||
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
|
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
|
||||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
|
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
|
||||||
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
||||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
||||||
error("%s: cannot allocate fds for pty", __func__);
|
error_f("cannot allocate fds for pty");
|
||||||
- if (tmp1 > 0)
|
- if (tmp1 > 0)
|
||||||
+ if (tmp1 >= 0)
|
+ if (tmp1 >= 0)
|
||||||
close(tmp1);
|
close(tmp1);
|
||||||
@ -57,6 +331,17 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
|
|||||||
int i;
|
int i;
|
||||||
|
|
||||||
if (sa == NULL) {
|
if (sa == NULL) {
|
||||||
|
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
|
||||||
|
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
|
||||||
|
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
|
||||||
|
@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
|
||||||
|
} else if (r != 0) {
|
||||||
|
error("%.200s line %d: glob failed for %s.",
|
||||||
|
filename, linenum, arg2);
|
||||||
|
+ free(arg2);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
free(arg2);
|
||||||
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
|
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
|
||||||
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
|
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
|
||||||
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
|
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
|
||||||
@ -120,11 +405,11 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
|||||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
||||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||||
debug2("%s: reading", __func__);
|
debug2_f("reading");
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
@@ -518,7 +518,7 @@ server_request_tun(void)
|
||||||
debug("%s: invalid tun", __func__);
|
debug_f("invalid tun");
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
- if (auth_opts->force_tun_device != -1) {
|
- if (auth_opts->force_tun_device != -1) {
|
||||||
@ -132,6 +417,24 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
|||||||
if (tun != SSH_TUNID_ANY &&
|
if (tun != SSH_TUNID_ANY &&
|
||||||
auth_opts->force_tun_device != (int)tun)
|
auth_opts->force_tun_device != (int)tun)
|
||||||
goto done;
|
goto done;
|
||||||
|
diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c
|
||||||
|
--- openssh-8.5p1/session.c.coverity 2021-03-24 12:03:33.777968124 +0100
|
||||||
|
+++ openssh-8.5p1/session.c 2021-03-24 12:03:33.786968187 +0100
|
||||||
|
@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||||
|
/* Environment specified by admin */
|
||||||
|
for (i = 0; i < options.num_setenv; i++) {
|
||||||
|
cp = xstrdup(options.setenv[i]);
|
||||||
|
+ /* coverity[overwrite_var : FALSE] */
|
||||||
|
if ((value = strchr(cp, '=')) == NULL) {
|
||||||
|
/* shouldn't happen; vars are checked in servconf.c */
|
||||||
|
fatal("Invalid config SetEnv: %s", options.setenv[i]);
|
||||||
|
}
|
||||||
|
*value++ = '\0';
|
||||||
|
child_set_env(&env, &envsize, cp, value);
|
||||||
|
+ free(cp);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* SSH_CLIENT deprecated */
|
||||||
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
||||||
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
||||||
@ -144,9 +447,45 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
_exit(1);
|
_exit(1);
|
||||||
|
@@ -762,6 +762,8 @@ process_put(struct sftp_conn *conn, cons
|
||||||
|
fflag || global_fflag) == -1)
|
||||||
|
err = -1;
|
||||||
|
}
|
||||||
|
+ free(abs_dst);
|
||||||
|
+ abs_dst = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
out:
|
||||||
|
@@ -985,6 +987,7 @@ do_globbed_ls(struct sftp_conn *conn, co
|
||||||
|
if (lflag & LS_LONG_VIEW) {
|
||||||
|
if (g.gl_statv[i] == NULL) {
|
||||||
|
error("no stat information for %s", fname);
|
||||||
|
+ free(fname);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
lname = ls_file(fname, g.gl_statv[i], 1,
|
||||||
|
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
|
||||||
|
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
|
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100
|
||||||
|
@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s
|
||||||
|
freezero(rks[i], sizeof(*rks[i]));
|
||||||
|
}
|
||||||
|
free(rks);
|
||||||
|
+ free(device);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
||||||
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||||
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
||||||
|
@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
|
||||||
|
|
||||||
|
if (pkcs11_uri_parse(provider, uri) != 0) {
|
||||||
|
error("Failed to parse PKCS#11 URI");
|
||||||
|
+ pkcs11_uri_cleanup(uri);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
/* validate also provider from URI */
|
||||||
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
|
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
|
||||||
sanitise_stdfd();
|
sanitise_stdfd();
|
||||||
|
|
||||||
@ -158,6 +497,17 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
|||||||
|
|
||||||
platform_disable_tracing(0); /* strict=no */
|
platform_disable_tracing(0); /* strict=no */
|
||||||
|
|
||||||
|
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
|
||||||
|
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100
|
||||||
|
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100
|
||||||
|
@@ -1746,6 +1746,7 @@ control_persist_detach(void)
|
||||||
|
close(muxserver_sock);
|
||||||
|
muxserver_sock = -1;
|
||||||
|
options.control_master = SSHCTL_MASTER_NO;
|
||||||
|
+ /* coverity[leaked_handle: FALSE]*/
|
||||||
|
muxclient(options.control_path);
|
||||||
|
/* muxclient() doesn't return on success. */
|
||||||
|
fatal("Failed to connect to new control master");
|
||||||
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
||||||
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
|
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
|
||||||
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
|
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
|
||||||
@ -183,3 +533,67 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@@ -2474,7 +2479,7 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
|
if (options.rekey_limit || options.rekey_interval)
|
||||||
|
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
|
||||||
|
options.rekey_interval);
|
||||||
|
-
|
||||||
|
+ /* coverity[leaked_storage : FALSE]*/
|
||||||
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||||
|
ssh, list_hostkey_types());
|
||||||
|
|
||||||
|
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
|
|
||||||
|
if (newstr)
|
||||||
|
myproposal[PROPOSAL_KEX_ALGS] = newstr;
|
||||||
|
- else
|
||||||
|
+ else {
|
||||||
|
fatal("No supported key exchange algorithms");
|
||||||
|
+ free(gss);
|
||||||
|
+ }
|
||||||
|
+ /* coverity[leaked_storage: FALSE]*/
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
|
||||||
|
--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100
|
||||||
|
+++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100
|
||||||
|
@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw,
|
||||||
|
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
|
||||||
|
if (r != 0)
|
||||||
|
fatal_fr(r, "revoke key failed");
|
||||||
|
+ freezero(blob, blen);
|
||||||
|
+ blob = NULL;
|
||||||
|
+ blen = 0;
|
||||||
|
} else {
|
||||||
|
if (strncasecmp(cp, "key:", 4) == 0) {
|
||||||
|
cp += 4;
|
||||||
|
@@ -2879,6 +2882,7 @@ do_moduli_screen(const char *out_file, c
|
||||||
|
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
|
||||||
|
start_lineno = strtoul(opts[i]+11, NULL, 10);
|
||||||
|
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
|
||||||
|
+ free(checkpoint);
|
||||||
|
checkpoint = xstrdup(opts[i]+11);
|
||||||
|
} else if (strncmp(opts[i], "generator=", 10) == 0) {
|
||||||
|
generator_wanted = (u_int32_t)strtonum(
|
||||||
|
@@ -2920,6 +2924,9 @@ do_moduli_screen(const char *out_file, c
|
||||||
|
#else /* WITH_OPENSSL */
|
||||||
|
fatal("Moduli screening is not supported");
|
||||||
|
#endif /* WITH_OPENSSL */
|
||||||
|
+ free(checkpoint);
|
||||||
|
+ if (in != stdin)
|
||||||
|
+ fclose(in);
|
||||||
|
}
|
||||||
|
|
||||||
|
static char *
|
||||||
|
diff -up openssh-8.5p1/sshsig.c.coverity openssh-8.5p1/sshsig.c
|
||||||
|
--- openssh-8.5p1/sshsig.c.coverity 2021-03-02 11:31:47.000000000 +0100
|
||||||
|
+++ openssh-8.5p1/sshsig.c 2021-03-24 12:03:33.787968194 +0100
|
||||||
|
@@ -515,6 +515,7 @@ hash_file(int fd, const char *hashalg, s
|
||||||
|
oerrno = errno;
|
||||||
|
error_f("read: %s", strerror(errno));
|
||||||
|
ssh_digest_free(ctx);
|
||||||
|
+ ctx = NULL;
|
||||||
|
errno = oerrno;
|
||||||
|
r = SSH_ERR_SYSTEM_ERROR;
|
||||||
|
goto out;
|
||||||
|
@ -1,618 +0,0 @@
|
|||||||
diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
|
||||||
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
|
|
||||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
|
|
||||||
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
|
|
||||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
|
||||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
|
||||||
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
|
||||||
+SSH_CAVS=$(libexecdir)/ssh-cavs
|
|
||||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
|
||||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
|
||||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
|
||||||
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
|
|
||||||
|
|
||||||
.SUFFIXES: .lo
|
|
||||||
|
|
||||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
|
||||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
|
||||||
|
|
||||||
XMSS_OBJS=\
|
|
||||||
ssh-xmss.o \
|
|
||||||
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
|
||||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
|
||||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
|
|
||||||
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
|
||||||
+
|
|
||||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
|
||||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
|
||||||
|
|
||||||
@@ -331,6 +335,8 @@ install-files:
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
|
|
||||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
|
||||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
|
||||||
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
|
|
||||||
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
|
||||||
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
|
|
||||||
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
|
|
||||||
@@ -0,0 +1,387 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ * 1. Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, and the entire permission notice in its entirety,
|
|
||||||
+ * including the disclaimer of warranties.
|
|
||||||
+ * 2. Redistributions in binary form must reproduce the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer in the
|
|
||||||
+ * documentation and/or other materials provided with the distribution.
|
|
||||||
+ * 3. The name of the author may not be used to endorse or promote
|
|
||||||
+ * products derived from this software without specific prior
|
|
||||||
+ * written permission.
|
|
||||||
+ *
|
|
||||||
+ * ALTERNATIVELY, this product may be distributed under the terms of
|
|
||||||
+ * the GNU General Public License, in which case the provisions of the GPL2
|
|
||||||
+ * are required INSTEAD OF the above restrictions. (This clause is
|
|
||||||
+ * necessary due to a potential bad interaction between the GPL and
|
|
||||||
+ * the restrictions contained in a BSD-style copyright.)
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
|
||||||
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
||||||
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
|
|
||||||
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
|
|
||||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
||||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
|
|
||||||
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
||||||
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
|
||||||
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
||||||
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
|
||||||
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
|
|
||||||
+ * DAMAGE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+
|
|
||||||
+#include <stdio.h>
|
|
||||||
+#include <stdlib.h>
|
|
||||||
+#include <errno.h>
|
|
||||||
+#include <sys/types.h>
|
|
||||||
+#include <string.h>
|
|
||||||
+
|
|
||||||
+#include <openssl/bn.h>
|
|
||||||
+
|
|
||||||
+#include "xmalloc.h"
|
|
||||||
+#include "sshbuf.h"
|
|
||||||
+#include "sshkey.h"
|
|
||||||
+#include "cipher.h"
|
|
||||||
+#include "kex.h"
|
|
||||||
+#include "packet.h"
|
|
||||||
+#include "digest.h"
|
|
||||||
+
|
|
||||||
+static int bin_char(unsigned char hex)
|
|
||||||
+{
|
|
||||||
+ if (48 <= hex && 57 >= hex)
|
|
||||||
+ return (hex - 48);
|
|
||||||
+ if (65 <= hex && 70 >= hex)
|
|
||||||
+ return (hex - 55);
|
|
||||||
+ if (97 <= hex && 102 >= hex)
|
|
||||||
+ return (hex - 87);
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Convert hex representation into binary string
|
|
||||||
+ * @hex input buffer with hex representation
|
|
||||||
+ * @hexlen length of hex
|
|
||||||
+ * @bin output buffer with binary data
|
|
||||||
+ * @binlen length of already allocated bin buffer (should be at least
|
|
||||||
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
|
|
||||||
+ */
|
|
||||||
+static void hex2bin(const char *hex, size_t hexlen,
|
|
||||||
+ unsigned char *bin, size_t binlen)
|
|
||||||
+{
|
|
||||||
+ size_t i = 0;
|
|
||||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < chars; i++) {
|
|
||||||
+ bin[i] = bin_char(hex[(i*2)]) << 4;
|
|
||||||
+ bin[i] |= bin_char(hex[((i*2)+1)]);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Allocate sufficient space for binary representation of hex
|
|
||||||
+ * and convert hex into bin
|
|
||||||
+ *
|
|
||||||
+ * Caller must free bin
|
|
||||||
+ * @hex input buffer with hex representation
|
|
||||||
+ * @hexlen length of hex
|
|
||||||
+ * @bin return value holding the pointer to the newly allocated buffer
|
|
||||||
+ * @binlen return value holding the allocated size of bin
|
|
||||||
+ *
|
|
||||||
+ * return: 0 on success, !0 otherwise
|
|
||||||
+ */
|
|
||||||
+static int hex2bin_alloc(const char *hex, size_t hexlen,
|
|
||||||
+ unsigned char **bin, size_t *binlen)
|
|
||||||
+{
|
|
||||||
+ unsigned char *out = NULL;
|
|
||||||
+ size_t outlen = 0;
|
|
||||||
+
|
|
||||||
+ if (!hexlen)
|
|
||||||
+ return -EINVAL;
|
|
||||||
+
|
|
||||||
+ outlen = (hexlen + 1) / 2;
|
|
||||||
+
|
|
||||||
+ out = calloc(1, outlen);
|
|
||||||
+ if (!out)
|
|
||||||
+ return -errno;
|
|
||||||
+
|
|
||||||
+ hex2bin(hex, hexlen, out, outlen);
|
|
||||||
+ *bin = out;
|
|
||||||
+ *binlen = outlen;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
|
|
||||||
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
|
|
||||||
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
|
|
||||||
+static char hex_char(unsigned int bin, int u)
|
|
||||||
+{
|
|
||||||
+ if (bin < sizeof(hex_char_map_l))
|
|
||||||
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
|
|
||||||
+ return 'X';
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Convert binary string into hex representation
|
|
||||||
+ * @bin input buffer with binary data
|
|
||||||
+ * @binlen length of bin
|
|
||||||
+ * @hex output buffer to store hex data
|
|
||||||
+ * @hexlen length of already allocated hex buffer (should be at least
|
|
||||||
+ * twice binlen -- if not, only a fraction of binlen is converted)
|
|
||||||
+ * @u case of hex characters (0=>lower case, 1=>upper case)
|
|
||||||
+ */
|
|
||||||
+static void bin2hex(const unsigned char *bin, size_t binlen,
|
|
||||||
+ char *hex, size_t hexlen, int u)
|
|
||||||
+{
|
|
||||||
+ size_t i = 0;
|
|
||||||
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < chars; i++) {
|
|
||||||
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
|
|
||||||
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+struct kdf_cavs {
|
|
||||||
+ unsigned char *K;
|
|
||||||
+ size_t Klen;
|
|
||||||
+ unsigned char *H;
|
|
||||||
+ size_t Hlen;
|
|
||||||
+ unsigned char *session_id;
|
|
||||||
+ size_t session_id_len;
|
|
||||||
+
|
|
||||||
+ unsigned int iv_len;
|
|
||||||
+ unsigned int ek_len;
|
|
||||||
+ unsigned int ik_len;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int sshkdf_cavs(struct kdf_cavs *test)
|
|
||||||
+{
|
|
||||||
+ int ret = 0;
|
|
||||||
+ struct kex kex;
|
|
||||||
+ struct sshbuf *Kb = NULL;
|
|
||||||
+ BIGNUM *Kbn = NULL;
|
|
||||||
+ int mode = 0;
|
|
||||||
+ struct newkeys *ctoskeys;
|
|
||||||
+ struct newkeys *stockeys;
|
|
||||||
+ struct ssh *ssh = NULL;
|
|
||||||
+
|
|
||||||
+#define HEXOUTLEN 500
|
|
||||||
+ char hex[HEXOUTLEN];
|
|
||||||
+
|
|
||||||
+ memset(&kex, 0, sizeof(struct kex));
|
|
||||||
+
|
|
||||||
+ Kbn = BN_new();
|
|
||||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
|
||||||
+ if (!Kbn) {
|
|
||||||
+ printf("cannot convert K into bignum\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ Kb = sshbuf_new();
|
|
||||||
+ if (!Kb) {
|
|
||||||
+ printf("cannot convert K into sshbuf\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ sshbuf_put_bignum2(Kb, Kbn);
|
|
||||||
+
|
|
||||||
+ kex.session_id = test->session_id;
|
|
||||||
+ kex.session_id_len = test->session_id_len;
|
|
||||||
+
|
|
||||||
+ /* setup kex */
|
|
||||||
+
|
|
||||||
+ /* select the right hash based on struct ssh_digest digests */
|
|
||||||
+ switch (test->ik_len) {
|
|
||||||
+ case 20:
|
|
||||||
+ kex.hash_alg = SSH_DIGEST_SHA1;
|
|
||||||
+ break;
|
|
||||||
+ case 32:
|
|
||||||
+ kex.hash_alg = SSH_DIGEST_SHA256;
|
|
||||||
+ break;
|
|
||||||
+ case 48:
|
|
||||||
+ kex.hash_alg = SSH_DIGEST_SHA384;
|
|
||||||
+ break;
|
|
||||||
+ case 64:
|
|
||||||
+ kex.hash_alg = SSH_DIGEST_SHA512;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* implement choose_enc */
|
|
||||||
+ for (mode = 0; mode < 2; mode++) {
|
|
||||||
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
|
|
||||||
+ if (!kex.newkeys[mode]) {
|
|
||||||
+ printf("allocation of newkeys failed\n");
|
|
||||||
+ ret = 1;
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
|
|
||||||
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
|
|
||||||
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
|
|
||||||
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* implement kex_choose_conf */
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.key_len;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.block_size;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
|
|
||||||
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
|
|
||||||
+ kex.we_need = kex.newkeys[0]->mac.key_len;
|
|
||||||
+
|
|
||||||
+ /* MODE_OUT (1) -> server to client
|
|
||||||
+ * MODE_IN (0) -> client to server */
|
|
||||||
+ kex.server = 1;
|
|
||||||
+
|
|
||||||
+ /* do it */
|
|
||||||
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
|
|
||||||
+ printf("Allocation error\n");
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ ssh->kex = &kex;
|
|
||||||
+ kex_derive_keys(ssh, test->H, test->Hlen, Kb);
|
|
||||||
+
|
|
||||||
+ ctoskeys = kex.newkeys[0];
|
|
||||||
+ stockeys = kex.newkeys[1];
|
|
||||||
+
|
|
||||||
+ /* get data */
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(ctoskeys->enc.iv, (size_t)ctoskeys->enc.iv_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Initial IV (client to server) = %s\n", hex);
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(stockeys->enc.iv, (size_t)stockeys->enc.iv_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Initial IV (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(ctoskeys->enc.key, (size_t)ctoskeys->enc.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Encryption key (client to server) = %s\n", hex);
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(stockeys->enc.key, (size_t)stockeys->enc.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Encryption key (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(ctoskeys->mac.key, (size_t)ctoskeys->mac.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Integrity key (client to server) = %s\n", hex);
|
|
||||||
+ memset(hex, 0, HEXOUTLEN);
|
|
||||||
+ bin2hex(stockeys->mac.key, (size_t)stockeys->mac.key_len,
|
|
||||||
+ hex, HEXOUTLEN, 0);
|
|
||||||
+ printf("Integrity key (server to client) = %s\n", hex);
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ if (Kbn)
|
|
||||||
+ BN_free(Kbn);
|
|
||||||
+ if (Kb)
|
|
||||||
+ sshbuf_free(Kb);
|
|
||||||
+ if (ssh)
|
|
||||||
+ ssh_packet_close(ssh);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void usage(void)
|
|
||||||
+{
|
|
||||||
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
|
|
||||||
+ fprintf(stderr, "Usage:\n");
|
|
||||||
+ fprintf(stderr, "\t-K\tShared secret string\n");
|
|
||||||
+ fprintf(stderr, "\t-H\tHash string\n");
|
|
||||||
+ fprintf(stderr, "\t-s\tSession ID string\n");
|
|
||||||
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
|
|
||||||
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
|
|
||||||
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Test command example:
|
|
||||||
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
|
|
||||||
+ *
|
|
||||||
+ * Initial IV (client to server) = 4bb320d1679dfd3a
|
|
||||||
+ * Initial IV (server to client) = 43dea6fdf263a308
|
|
||||||
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
|
|
||||||
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
|
|
||||||
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
|
|
||||||
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
|
|
||||||
+ */
|
|
||||||
+int main(int argc, char *argv[])
|
|
||||||
+{
|
|
||||||
+ struct kdf_cavs test;
|
|
||||||
+ int ret = 1;
|
|
||||||
+ int opt = 0;
|
|
||||||
+
|
|
||||||
+ memset(&test, 0, sizeof(struct kdf_cavs));
|
|
||||||
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
|
|
||||||
+ {
|
|
||||||
+ size_t len = 0;
|
|
||||||
+ switch(opt)
|
|
||||||
+ {
|
|
||||||
+ /*
|
|
||||||
+ * CAVS K is MPINT
|
|
||||||
+ * we want a hex (i.e. the caller must ensure the
|
|
||||||
+ * following transformations already happened):
|
|
||||||
+ * 1. cut off first four bytes
|
|
||||||
+ * 2. if most significant bit of value is
|
|
||||||
+ * 1, prepend 0 byte
|
|
||||||
+ */
|
|
||||||
+ case 'K':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.K, &test.Klen);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 'H':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.H, &test.Hlen);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 's':
|
|
||||||
+ len = strlen(optarg);
|
|
||||||
+ ret = hex2bin_alloc(optarg, len,
|
|
||||||
+ &test.session_id,
|
|
||||||
+ &test.session_id_len);
|
|
||||||
+ if (ret)
|
|
||||||
+ goto out;
|
|
||||||
+ break;
|
|
||||||
+ case 'i':
|
|
||||||
+ test.iv_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ case 'e':
|
|
||||||
+ test.ek_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ case 'm':
|
|
||||||
+ test.ik_len = strtoul(optarg, NULL, 10);
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ usage();
|
|
||||||
+ goto out;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = sshkdf_cavs(&test);
|
|
||||||
+
|
|
||||||
+out:
|
|
||||||
+ if (test.session_id)
|
|
||||||
+ free(test.session_id);
|
|
||||||
+ if (test.K)
|
|
||||||
+ free(test.K);
|
|
||||||
+ if (test.H)
|
|
||||||
+ free(test.H);
|
|
||||||
+ return ret;
|
|
||||||
+
|
|
||||||
+}
|
|
||||||
diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
|
|
||||||
--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
|
|
||||||
+++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100
|
|
||||||
@@ -0,0 +1,184 @@
|
|
||||||
+#!/usr/bin/env perl
|
|
||||||
+#
|
|
||||||
+# CAVS test driver for OpenSSH
|
|
||||||
+#
|
|
||||||
+# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
|
||||||
+#
|
|
||||||
+# Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
+# of this software and associated documentation files (the "Software"), to deal
|
|
||||||
+# in the Software without restriction, including without limitation the rights
|
|
||||||
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
+# copies of the Software, and to permit persons to whom the Software is
|
|
||||||
+# furnished to do so, subject to the following conditions:
|
|
||||||
+#
|
|
||||||
+# The above copyright notice and this permission notice shall be included in
|
|
||||||
+# all copies or substantial portions of the Software.
|
|
||||||
+#
|
|
||||||
+# NO WARRANTY
|
|
||||||
+#
|
|
||||||
+# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
|
||||||
+# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
|
||||||
+# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
|
||||||
+# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
|
||||||
+# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
||||||
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
|
||||||
+# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
|
||||||
+# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
|
||||||
+# REPAIR OR CORRECTION.
|
|
||||||
+#
|
|
||||||
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
|
||||||
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
|
||||||
+# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
|
||||||
+# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
|
||||||
+# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
|
||||||
+# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
|
||||||
+# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
|
||||||
+# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
|
||||||
+# POSSIBILITY OF SUCH DAMAGES.
|
|
||||||
+#
|
|
||||||
+use strict;
|
|
||||||
+use warnings;
|
|
||||||
+use IPC::Open2;
|
|
||||||
+
|
|
||||||
+# Executing a program by feeding STDIN and retrieving
|
|
||||||
+# STDOUT
|
|
||||||
+# $1: data string to be piped to the app on STDIN
|
|
||||||
+# rest: program and args
|
|
||||||
+# returns: STDOUT of program as string
|
|
||||||
+sub pipe_through_program($@) {
|
|
||||||
+ my $in = shift;
|
|
||||||
+ my @args = @_;
|
|
||||||
+
|
|
||||||
+ my ($CO, $CI);
|
|
||||||
+ my $pid = open2($CO, $CI, @args);
|
|
||||||
+
|
|
||||||
+ my $out = "";
|
|
||||||
+ my $len = length($in);
|
|
||||||
+ my $first = 1;
|
|
||||||
+ while (1) {
|
|
||||||
+ my $rin = "";
|
|
||||||
+ my $win = "";
|
|
||||||
+ # Output of prog is FD that we read
|
|
||||||
+ vec($rin,fileno($CO),1) = 1;
|
|
||||||
+ # Input of prog is FD that we write
|
|
||||||
+ # check for $first is needed because we can have NULL input
|
|
||||||
+ # that is to be written to the app
|
|
||||||
+ if ( $len > 0 || $first) {
|
|
||||||
+ (vec($win,fileno($CI),1) = 1);
|
|
||||||
+ $first=0;
|
|
||||||
+ }
|
|
||||||
+ # Let us wait for 100ms
|
|
||||||
+ my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
|
|
||||||
+ if ( $wout ) {
|
|
||||||
+ my $written = syswrite($CI, $in, $len);
|
|
||||||
+ die "broken pipe" if !defined $written;
|
|
||||||
+ $len -= $written;
|
|
||||||
+ substr($in, 0, $written) = "";
|
|
||||||
+ if ($len <= 0) {
|
|
||||||
+ close $CI or die "broken pipe: $!";
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if ( $rout ) {
|
|
||||||
+ my $tmp_out = "";
|
|
||||||
+ my $bytes_read = sysread($CO, $tmp_out, 4096);
|
|
||||||
+ $out .= $tmp_out;
|
|
||||||
+ last if ($bytes_read == 0);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ close $CO or die "broken pipe: $!";
|
|
||||||
+ waitpid $pid, 0;
|
|
||||||
+
|
|
||||||
+ return $out;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Parser of CAVS test vector file
|
|
||||||
+# $1: Test vector file
|
|
||||||
+# $2: Output file for test results
|
|
||||||
+# return: nothing
|
|
||||||
+sub parse($$) {
|
|
||||||
+ my $infile = shift;
|
|
||||||
+ my $outfile = shift;
|
|
||||||
+
|
|
||||||
+ my $out = "";
|
|
||||||
+
|
|
||||||
+ my $K = "";
|
|
||||||
+ my $H = "";
|
|
||||||
+ my $session_id = "";
|
|
||||||
+ my $ivlen = 0;
|
|
||||||
+ my $eklen = "";
|
|
||||||
+ my $iklen = "";
|
|
||||||
+
|
|
||||||
+ open(IN, "<$infile");
|
|
||||||
+ while(<IN>) {
|
|
||||||
+
|
|
||||||
+ my $line = $_;
|
|
||||||
+ chomp($line);
|
|
||||||
+ $line =~ s/\r//;
|
|
||||||
+
|
|
||||||
+ if ($line =~ /\[SHA-1\]/) {
|
|
||||||
+ $iklen = 20;
|
|
||||||
+ } elsif ($line =~ /\[SHA-256\]/) {
|
|
||||||
+ $iklen = 32;
|
|
||||||
+ } elsif ($line =~ /\[SHA-384\]/) {
|
|
||||||
+ $iklen = 48;
|
|
||||||
+ } elsif ($line =~ /\[SHA-512\]/) {
|
|
||||||
+ $iklen = 64;
|
|
||||||
+ } elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
|
|
||||||
+ $ivlen = $1;
|
|
||||||
+ $ivlen = $ivlen / 8;
|
|
||||||
+ } elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
|
|
||||||
+ $eklen = $1;
|
|
||||||
+ $eklen = $eklen / 8;
|
|
||||||
+ } elsif ($line =~ /^K\s*=\s*(.*)/) {
|
|
||||||
+ $K = $1;
|
|
||||||
+ $K = substr($K, 8);
|
|
||||||
+ $K = "00" . $K;
|
|
||||||
+ } elsif ($line =~ /^H\s*=\s*(.*)/) {
|
|
||||||
+ $H = $1;
|
|
||||||
+ } elsif ($line =~ /^session_id\s*=\s*(.*)/) {
|
|
||||||
+ $session_id = $1;
|
|
||||||
+ }
|
|
||||||
+ $out .= $line . "\n";
|
|
||||||
+
|
|
||||||
+ if ($K ne "" && $H ne "" && $session_id ne "" &&
|
|
||||||
+ $ivlen ne "" && $eklen ne "" && $iklen > 0) {
|
|
||||||
+ $out .= pipe_through_program("", "./ssh-cavs -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
|
|
||||||
+
|
|
||||||
+ $K = "";
|
|
||||||
+ $H = "";
|
|
||||||
+ $session_id = "";
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ close IN;
|
|
||||||
+ $out =~ s/\n/\r\n/g; # make it a dos file
|
|
||||||
+ open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
|
|
||||||
+ print OUT $out;
|
|
||||||
+ close OUT;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+############################################################
|
|
||||||
+#
|
|
||||||
+# let us pretend to be C :-)
|
|
||||||
+sub main() {
|
|
||||||
+
|
|
||||||
+ my $infile=$ARGV[0];
|
|
||||||
+ die "Error: Test vector file $infile not found" if (! -f $infile);
|
|
||||||
+
|
|
||||||
+ my $outfile = $infile;
|
|
||||||
+ # let us add .rsp regardless whether we could strip .req
|
|
||||||
+ $outfile =~ s/\.req$//;
|
|
||||||
+ $outfile .= ".rsp";
|
|
||||||
+ if (-f $outfile) {
|
|
||||||
+ die "Output file $outfile could not be removed: $?"
|
|
||||||
+ unless unlink($outfile);
|
|
||||||
+ }
|
|
||||||
+ print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
|
|
||||||
+
|
|
||||||
+ # Do the job
|
|
||||||
+ parse($infile, $outfile);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+###########################################
|
|
||||||
+# Call it
|
|
||||||
+main();
|
|
||||||
+1;
|
|
@ -13,33 +13,33 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
|||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+ int r, ret = 0;
|
+ int r, ret = 0;
|
||||||
+
|
+
|
||||||
+ debug3("%s: entering", __func__);
|
+ debug3_f("entering");
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ do {
|
+ do {
|
||||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||||
+ if (blen == 0) /* closed pipe */
|
+ if (blen == 0) /* closed pipe */
|
||||||
+ break;
|
+ break;
|
||||||
+ if (blen != sizeof(buf)) {
|
+ if (blen != sizeof(buf)) {
|
||||||
+ error("%s: Failed to read the buffer from child", __func__);
|
+ error_f("Failed to read the buffer from child");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ msg_len = get_u32(buf);
|
+ msg_len = get_u32(buf);
|
||||||
+ if (msg_len > 256 * 1024)
|
+ if (msg_len > 256 * 1024)
|
||||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
+ fatal_f("read: bad msg_len %d", msg_len);
|
||||||
+ sshbuf_reset(m);
|
+ sshbuf_reset(m);
|
||||||
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
+ error_f("Failed to read the the buffer content from the child");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||||
+ error("%s: Failed to write the message to the monitor", __func__);
|
+ error_f("Failed to write the message to the monitor");
|
||||||
+ ret = -1;
|
+ ret = -1;
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
|
@ -49,7 +49,7 @@ index a7c0c5f..df8cc9a 100644
|
|||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+
|
+
|
||||||
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
||||||
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
|
+ debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
|
||||||
+ if (k5login_directory == NULL || ret != 0) {
|
+ if (k5login_directory == NULL || ret != 0) {
|
||||||
+ /* If not set, the library will look for k5login
|
+ /* If not set, the library will look for k5login
|
||||||
+ * files in the user's home directory, with the filename .k5login.
|
+ * files in the user's home directory, with the filename .k5login.
|
||||||
@ -64,7 +64,7 @@ index a7c0c5f..df8cc9a 100644
|
|||||||
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
||||||
+ pw->pw_name);
|
+ pw->pw_name);
|
||||||
+ }
|
+ }
|
||||||
+ debug("%s: Checking existence of file %s", __func__, file);
|
+ debug_f("Checking existence of file %s", file);
|
||||||
|
|
||||||
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
||||||
return access(file, F_OK) == 0;
|
return access(file, F_OK) == 0;
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -2,9 +2,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
|||||||
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
||||||
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -72,6 +72,9 @@
|
@@ -72,6 +72,9 @@
|
||||||
|
|
||||||
|
/* import */
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
extern u_char *session_id2;
|
|
||||||
extern u_int session_id2_len;
|
|
||||||
+extern int inetd_flag;
|
+extern int inetd_flag;
|
||||||
+extern int rexeced_flag;
|
+extern int rexeced_flag;
|
||||||
+extern Authctxt *the_authctxt;
|
+extern Authctxt *the_authctxt;
|
||||||
@ -12,59 +12,59 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
|||||||
static char *
|
static char *
|
||||||
format_key(const struct sshkey *key)
|
format_key(const struct sshkey *key)
|
||||||
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
||||||
|
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
|
||||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
|
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||||
|
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
||||||
|
if ((pid = subprocess("AuthorizedKeysCommand", command,
|
||||||
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
|
|
||||||
ac, av, &f,
|
ac, av, &f,
|
||||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
- runas_pw, temporarily_use_uid, restore_uid)) == 0)
|
||||||
|
+ runas_pw, temporarily_use_uid, restore_uid,
|
||||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
uid_swapped = 1;
|
uid_swapped = 1;
|
||||||
diff -up openssh/auth.c.refactor openssh/auth.c
|
diff -up openssh/misc.c.refactor openssh/misc.c
|
||||||
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
--- openssh/misc.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
||||||
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/misc.c 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
||||||
*/
|
|
||||||
pid_t
|
pid_t
|
||||||
subprocess(const char *tag, struct passwd *pw, const char *command,
|
subprocess(const char *tag, const char *command,
|
||||||
- int ac, char **av, FILE **child, u_int flags)
|
int ac, char **av, FILE **child, u_int flags,
|
||||||
+ int ac, char **av, FILE **child, u_int flags, int inetd,
|
- struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
|
||||||
+ void *the_authctxt)
|
+ struct passwd *pw, privdrop_fn *drop_privs,
|
||||||
|
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
|
||||||
{
|
{
|
||||||
FILE *f = NULL;
|
FILE *f = NULL;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
||||||
|
_exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef WITH_SELINUX
|
#ifdef WITH_SELINUX
|
||||||
- if (sshd_selinux_setup_env_variables() < 0) {
|
- if (sshd_selinux_setup_env_variables() < 0) {
|
||||||
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
||||||
error ("failed to copy environment: %s",
|
error ("failed to copy environment: %s",
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
_exit(127);
|
_exit(127);
|
||||||
diff -up openssh/auth.h.refactor openssh/auth.h
|
diff -up openssh/misc.h.refactor openssh/misc.h
|
||||||
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
--- openssh/misc.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
||||||
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/misc.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
||||||
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
|
#define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
|
||||||
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
|
#define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
|
||||||
pid_t subprocess(const char *, struct passwd *,
|
pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
|
||||||
- const char *, int, char **, FILE **, u_int flags);
|
- struct passwd *, privdrop_fn *, privrestore_fn *);
|
||||||
+ const char *, int, char **, FILE **, u_int flags, int, void *);
|
+ struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
|
||||||
|
|
||||||
int sys_auth_passwd(struct ssh *, const char *);
|
|
||||||
|
|
||||||
|
typedef struct arglist arglist;
|
||||||
|
struct arglist {
|
||||||
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
||||||
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
||||||
@ -145,7 +145,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
char *role;
|
char *role;
|
||||||
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3_f("setting execution context");
|
||||||
|
|
||||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||||
@ -203,10 +203,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
|
|||||||
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
||||||
switch (security_getenforce()) {
|
switch (security_getenforce()) {
|
||||||
case -1:
|
case -1:
|
||||||
fatal("%s: security_getenforce() failed", __func__);
|
fatal_f("security_getenforce() failed");
|
||||||
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||||
|
|
||||||
debug3("%s: setting execution context", __func__);
|
debug3_f("setting execution context");
|
||||||
|
|
||||||
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
||||||
@ -269,3 +269,15 @@ diff -up openssh/sshd.c.refactor openssh/sshd.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (options.use_pam) {
|
if (options.use_pam) {
|
||||||
|
diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c
|
||||||
|
--- openssh/sshconnect.c.refactor 2021-02-24 00:12:03.065325046 +0100
|
||||||
|
+++ openssh/sshconnect.c 2021-02-24 00:12:12.126449544 +0100
|
||||||
|
@@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h
|
||||||
|
|
||||||
|
if ((pid = subprocess(tag, command, ac, av, &f,
|
||||||
|
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
|
||||||
|
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
|
||||||
|
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
|
diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c
|
||||||
--- openssh-8.0p1/cipher-ctr.c.fips 2019-07-23 14:55:45.326525641 +0200
|
--- openssh-8.6p1/cipher-ctr.c.fips 2021-04-19 16:53:02.994577324 +0200
|
||||||
+++ openssh-8.0p1/cipher-ctr.c 2019-07-23 14:55:45.401526401 +0200
|
+++ openssh-8.6p1/cipher-ctr.c 2021-04-19 16:53:03.064577862 +0200
|
||||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||||
#ifndef SSH_OLD_EVP
|
#ifndef SSH_OLD_EVP
|
||||||
@ -11,10 +11,10 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
|
|||||||
#endif
|
#endif
|
||||||
return (&aes_ctr);
|
return (&aes_ctr);
|
||||||
}
|
}
|
||||||
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
|
diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
|
||||||
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200
|
--- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200
|
+++ openssh-8.6p1/dh.c 2021-04-19 16:58:47.750263410 +0200
|
||||||
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max
|
@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
|
||||||
int best, bestcount, which, linenum;
|
int best, bestcount, which, linenum;
|
||||||
struct dhgroup dhg;
|
struct dhgroup dhg;
|
||||||
|
|
||||||
@ -24,10 +24,10 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
|
|||||||
+ return (dh_new_group_fallback(max));
|
+ return (dh_new_group_fallback(max));
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
|
if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
|
||||||
logit("WARNING: could not open %s (%s), using fixed modulus",
|
logit("WARNING: could not open %s (%s), using fixed modulus",
|
||||||
_PATH_DH_MODULI, strerror(errno));
|
get_moduli_filename(), strerror(errno));
|
||||||
@@ -489,4 +495,38 @@ dh_estimate(int bits)
|
@@ -502,4 +508,38 @@ dh_estimate(int bits)
|
||||||
return 8192;
|
return 8192;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -66,21 +66,21 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
|
|||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h
|
diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
|
||||||
--- openssh-8.0p1/dh.h.fips 2019-04-18 00:52:57.000000000 +0200
|
--- openssh-8.6p1/dh.h.fips 2021-04-19 16:53:03.064577862 +0200
|
||||||
+++ openssh-8.0p1/dh.h 2019-07-23 14:55:45.401526401 +0200
|
+++ openssh-8.6p1/dh.h 2021-04-19 16:59:31.951616078 +0200
|
||||||
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int);
|
@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
|
||||||
|
|
||||||
int dh_gen_key(DH *, int);
|
int dh_gen_key(DH *, int);
|
||||||
int dh_pub_is_valid(const DH *, const BIGNUM *);
|
int dh_pub_is_valid(const DH *, const BIGNUM *);
|
||||||
+int dh_is_known_group(const DH *);
|
+int dh_is_known_group(const DH *);
|
||||||
|
|
||||||
u_int dh_estimate(int);
|
u_int dh_estimate(int);
|
||||||
|
void dh_set_moduli_file(const char *);
|
||||||
diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
|
diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
|
||||||
--- openssh-8.0p1/kex.c.fips 2019-07-23 14:55:45.395526340 +0200
|
--- openssh-8.6p1/kex.c.fips 2021-04-19 16:53:03.058577815 +0200
|
||||||
+++ openssh-8.0p1/kex.c 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.6p1/kex.c 2021-04-19 16:53:03.065577869 +0200
|
||||||
@@ -199,7 +199,10 @@ kex_names_valid(const char *names)
|
@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
|
||||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||||
(p = strsep(&cp, ","))) {
|
(p = strsep(&cp, ","))) {
|
||||||
if (kex_alg_by_name(p) == NULL) {
|
if (kex_alg_by_name(p) == NULL) {
|
||||||
@ -92,9 +92,9 @@ diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
|
|||||||
free(s);
|
free(s);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
|
diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
|
||||||
--- openssh-8.0p1/kexgexc.c.fips 2019-04-18 00:52:57.000000000 +0200
|
--- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-8.0p1/kexgexc.c 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.6p1/kexgexc.c 2021-04-19 16:53:03.065577869 +0200
|
||||||
@@ -28,6 +28,7 @@
|
@@ -28,6 +28,7 @@
|
||||||
|
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
@ -103,7 +103,7 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
|
|||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32
|
@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32
|
||||||
r = SSH_ERR_ALLOC_FAIL;
|
r = SSH_ERR_ALLOC_FAIL;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
@ -114,10 +114,10 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
|
|||||||
p = g = NULL; /* belong to kex->dh now */
|
p = g = NULL; /* belong to kex->dh now */
|
||||||
|
|
||||||
/* generate and send 'e', client DH public key */
|
/* generate and send 'e', client DH public key */
|
||||||
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
|
||||||
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
|
--- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
|
||||||
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200
|
||||||
@@ -111,6 +111,20 @@
|
@@ -57,6 +57,20 @@
|
||||||
"rsa-sha2-256," \
|
"rsa-sha2-256," \
|
||||||
"ssh-rsa"
|
"ssh-rsa"
|
||||||
|
|
||||||
@ -138,7 +138,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
|||||||
#define KEX_SERVER_ENCRYPT \
|
#define KEX_SERVER_ENCRYPT \
|
||||||
"chacha20-poly1305@openssh.com," \
|
"chacha20-poly1305@openssh.com," \
|
||||||
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||||
@@ -134,6 +142,27 @@
|
@@ -78,6 +92,27 @@
|
||||||
|
|
||||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
||||||
|
|
||||||
@ -165,11 +165,11 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
|||||||
+
|
+
|
||||||
/* Not a KEX value, but here so all the algorithm defaults are together */
|
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||||
#define SSH_ALLOWED_CA_SIGALGS \
|
#define SSH_ALLOWED_CA_SIGALGS \
|
||||||
"ecdsa-sha2-nistp256," \
|
"ssh-ed25519," \
|
||||||
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
|
||||||
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
|
--- openssh-8.6p1/readconf.c.fips 2021-04-19 16:53:02.999577362 +0200
|
||||||
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.6p1/readconf.c 2021-04-19 16:53:03.065577869 +0200
|
||||||
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options)
|
@@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
/* remove unsupported algos from default lists */
|
/* remove unsupported algos from default lists */
|
||||||
@ -191,10 +191,10 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
|||||||
#define ASSEMBLE(what, defaults, all) \
|
#define ASSEMBLE(what, defaults, all) \
|
||||||
do { \
|
do { \
|
||||||
if ((r = kex_assemble_names(&options->what, \
|
if ((r = kex_assemble_names(&options->what, \
|
||||||
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
|
diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
|
||||||
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200
|
--- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-04-19 16:53:03.034577631 +0200
|
||||||
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200
|
+++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-04-19 16:53:03.065577869 +0200
|
||||||
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_
|
@@ -160,6 +160,9 @@ static const struct sock_filter preauth_
|
||||||
#ifdef __NR_open
|
#ifdef __NR_open
|
||||||
SC_DENY(__NR_open, EACCES),
|
SC_DENY(__NR_open, EACCES),
|
||||||
#endif
|
#endif
|
||||||
@ -204,10 +204,10 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco
|
|||||||
#ifdef __NR_openat
|
#ifdef __NR_openat
|
||||||
SC_DENY(__NR_openat, EACCES),
|
SC_DENY(__NR_openat, EACCES),
|
||||||
#endif
|
#endif
|
||||||
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
|
diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
|
||||||
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200
|
--- openssh-8.6p1/servconf.c.fips 2021-04-19 16:53:03.027577577 +0200
|
||||||
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200
|
+++ openssh-8.6p1/servconf.c 2021-04-19 16:53:03.066577877 +0200
|
||||||
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o)
|
@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
|
||||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||||
/* remove unsupported algos from default lists */
|
/* remove unsupported algos from default lists */
|
||||||
@ -229,10 +229,10 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
|
|||||||
#define ASSEMBLE(what, defaults, all) \
|
#define ASSEMBLE(what, defaults, all) \
|
||||||
do { \
|
do { \
|
||||||
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
||||||
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
|
diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
|
||||||
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
|
--- openssh-8.6p1/ssh.c.fips 2021-04-19 16:53:03.038577662 +0200
|
||||||
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
|
+++ openssh-8.6p1/ssh.c 2021-04-19 16:53:03.066577877 +0200
|
||||||
@@ -76,6 +76,7 @@
|
@@ -77,6 +77,7 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
#endif
|
#endif
|
||||||
@ -240,21 +240,21 @@ diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
|
|||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
@@ -614,6 +626,10 @@ main(int ac, char **av)
|
@@ -1516,6 +1517,10 @@ main(int ac, char **av)
|
||||||
dump_client_config(&options, host);
|
|
||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
+
|
|
||||||
+ if (FIPS_mode()) {
|
+ if (FIPS_mode()) {
|
||||||
+ debug("FIPS mode initialized");
|
+ debug("FIPS mode initialized");
|
||||||
+ }
|
+ }
|
||||||
|
+
|
||||||
/* Expand SecurityKeyProvider if it refers to an environment variable */
|
/* Expand SecurityKeyProvider if it refers to an environment variable */
|
||||||
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
|
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
|
||||||
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
strlen(options.sk_provider) > 1) {
|
||||||
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200
|
diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
|
||||||
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200
|
--- openssh-8.6p1/sshconnect2.c.fips 2021-04-19 16:53:03.055577792 +0200
|
||||||
@@ -44,6 +44,8 @@
|
+++ openssh-8.6p1/sshconnect2.c 2021-04-19 16:53:03.066577877 +0200
|
||||||
|
@@ -45,6 +45,8 @@
|
||||||
#include <vis.h>
|
#include <vis.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -263,7 +263,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
|||||||
#include "openbsd-compat/sys-queue.h"
|
#include "openbsd-compat/sys-queue.h"
|
||||||
|
|
||||||
#include "xmalloc.h"
|
#include "xmalloc.h"
|
||||||
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
@@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||||
|
|
||||||
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
if (options.gss_keyex) {
|
if (options.gss_keyex) {
|
||||||
@ -279,24 +279,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
|||||||
- * and can not use DNS on that socket */
|
- * and can not use DNS on that socket */
|
||||||
- if (strcmp(gss_host, "UNKNOWN") == 0) {
|
- if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||||
- free(gss_host);
|
- free(gss_host);
|
||||||
- gss_host = xstrdup(host);
|
|
||||||
- }
|
|
||||||
- } else {
|
|
||||||
- gss_host = xstrdup(host);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
|
||||||
- options.gss_client_identity, options.gss_kex_algorithms);
|
|
||||||
- if (gss) {
|
|
||||||
- debug("Offering GSSAPI proposal: %s", gss);
|
|
||||||
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
|
||||||
- "%s,%s", gss, orig);
|
|
||||||
-
|
|
||||||
- /* If we've got GSSAPI algorithms, then we also support the
|
|
||||||
- * 'null' hostkey, as a last resort */
|
|
||||||
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
|
||||||
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
|
||||||
- "%s,null", orig);
|
|
||||||
+ if (FIPS_mode()) {
|
+ if (FIPS_mode()) {
|
||||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||||
+ options.gss_keyex = 0;
|
+ options.gss_keyex = 0;
|
||||||
@ -316,9 +298,24 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
|||||||
+ gss_host = xstrdup(host);
|
+ gss_host = xstrdup(host);
|
||||||
+ }
|
+ }
|
||||||
+ } else {
|
+ } else {
|
||||||
+ gss_host = xstrdup(host);
|
gss_host = xstrdup(host);
|
||||||
+ }
|
}
|
||||||
+
|
- } else {
|
||||||
|
- gss_host = xstrdup(host);
|
||||||
|
- }
|
||||||
|
|
||||||
|
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
|
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
|
- if (gss) {
|
||||||
|
- debug("Offering GSSAPI proposal: %s", gss);
|
||||||
|
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||||
|
- "%s,%s", gss, orig);
|
||||||
|
-
|
||||||
|
- /* If we've got GSSAPI algorithms, then we also support the
|
||||||
|
- * 'null' hostkey, as a last resort */
|
||||||
|
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
||||||
|
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||||
|
- "%s,null", orig);
|
||||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||||
+ if (gss) {
|
+ if (gss) {
|
||||||
@ -335,9 +332,9 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
|
diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
|
||||||
--- openssh-8.0p1/sshd.c.fips 2019-07-23 14:55:45.398526371 +0200
|
--- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200
|
||||||
+++ openssh-8.0p1/sshd.c 2019-07-23 14:55:45.403526421 +0200
|
+++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200
|
||||||
@@ -66,6 +66,7 @@
|
@@ -66,6 +66,7 @@
|
||||||
#include <grp.h>
|
#include <grp.h>
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
@ -354,7 +351,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
|
|||||||
#include "openbsd-compat/openssl-compat.h"
|
#include "openbsd-compat/openssl-compat.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@@ -1529,6 +1532,7 @@ main(int ac, char **av)
|
@@ -1619,6 +1621,7 @@ main(int ac, char **av)
|
||||||
#endif
|
#endif
|
||||||
__progname = ssh_get_progname(av[0]);
|
__progname = ssh_get_progname(av[0]);
|
||||||
|
|
||||||
@ -362,7 +359,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
|
|||||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||||
saved_argc = ac;
|
saved_argc = ac;
|
||||||
rexec_argc = ac;
|
rexec_argc = ac;
|
||||||
@@ -1992,6 +2007,10 @@ main(int ac, char **av)
|
@@ -2110,6 +2113,10 @@ main(int ac, char **av)
|
||||||
/* Reinitialize the log (because of the fork above). */
|
/* Reinitialize the log (because of the fork above). */
|
||||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||||
|
|
||||||
@ -370,10 +367,10 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
|
|||||||
+ debug("FIPS mode initialized");
|
+ debug("FIPS mode initialized");
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
/* Chdir to the root directory so that the current disk can be
|
/*
|
||||||
unmounted if desired. */
|
* Chdir to the root directory so that the current disk can be
|
||||||
if (chdir("/") == -1)
|
* unmounted if desired.
|
||||||
@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
||||||
orig = NULL;
|
orig = NULL;
|
||||||
|
|
||||||
@ -392,9 +389,9 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
|
|||||||
|
|
||||||
if (gss && orig)
|
if (gss && orig)
|
||||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||||
diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
|
diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
|
||||||
--- openssh-8.0p1/sshkey.c.fips 2019-07-23 14:55:45.398526371 +0200
|
--- openssh-8.6p1/sshkey.c.fips 2021-04-19 16:53:03.061577838 +0200
|
||||||
+++ openssh-8.0p1/sshkey.c 2019-07-23 14:55:45.404526431 +0200
|
+++ openssh-8.6p1/sshkey.c 2021-04-19 16:53:03.067577885 +0200
|
||||||
@@ -34,6 +34,7 @@
|
@@ -34,6 +34,7 @@
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
#include <openssl/err.h>
|
#include <openssl/err.h>
|
||||||
@ -411,19 +408,19 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
|
|||||||
#include "ssh-sk.h"
|
#include "ssh-sk.h"
|
||||||
|
|
||||||
#ifdef WITH_XMSS
|
#ifdef WITH_XMSS
|
||||||
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
|
@@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||||
}
|
}
|
||||||
if (!BN_set_word(f4, RSA_F4) ||
|
if (!BN_set_word(f4, RSA_F4) ||
|
||||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||||
+ if (FIPS_mode())
|
+ if (FIPS_mode())
|
||||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
+ logit_f("the key length might be unsupported by FIPS mode approved key generation method");
|
||||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
|
diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
|
||||||
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200
|
--- openssh-8.6p1/ssh-keygen.c.fips 2021-04-19 16:53:03.038577662 +0200
|
||||||
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200
|
+++ openssh-8.6p1/ssh-keygen.c 2021-04-19 16:53:03.068577892 +0200
|
||||||
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na
|
@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
#ifdef WITH_OPENSSL
|
#ifdef WITH_OPENSSL
|
||||||
@ -436,7 +433,7 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
|
|||||||
switch (type) {
|
switch (type) {
|
||||||
case KEY_DSA:
|
case KEY_DSA:
|
||||||
if (*bitsp != 1024)
|
if (*bitsp != 1024)
|
||||||
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||||
first = 1;
|
first = 1;
|
||||||
printf("%s: generating new host keys: ", __progname);
|
printf("%s: generating new host keys: ", __progname);
|
||||||
}
|
}
|
||||||
|
@ -1,7 +1,26 @@
|
|||||||
diff --git a/auth-krb5.c b/auth-krb5.c
|
diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h
|
||||||
index a5a81ed2..63f877f2 100644
|
--- openssh-8.6p1/auth.h.ccache_name 2021-04-19 14:05:10.820744325 +0200
|
||||||
--- a/auth-krb5.c
|
+++ openssh-8.6p1/auth.h 2021-04-19 14:05:10.853744569 +0200
|
||||||
+++ b/auth-krb5.c
|
@@ -83,6 +83,7 @@ struct Authctxt {
|
||||||
|
krb5_principal krb5_user;
|
||||||
|
char *krb5_ticket_file;
|
||||||
|
char *krb5_ccname;
|
||||||
|
+ int krb5_set_env;
|
||||||
|
#endif
|
||||||
|
struct sshbuf *loginmsg;
|
||||||
|
|
||||||
|
@@ -231,7 +232,7 @@ struct passwd *fakepw(void);
|
||||||
|
int sys_auth_passwd(struct ssh *, const char *);
|
||||||
|
|
||||||
|
#if defined(KRB5) && !defined(HEIMDAL)
|
||||||
|
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
||||||
|
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* AUTH_H */
|
||||||
|
diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c
|
||||||
|
--- openssh-8.6p1/auth-krb5.c.ccache_name 2021-04-16 05:55:25.000000000 +0200
|
||||||
|
+++ openssh-8.6p1/auth-krb5.c 2021-04-19 14:40:55.142832954 +0200
|
||||||
@@ -51,6 +51,7 @@
|
@@ -51,6 +51,7 @@
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
@ -10,7 +29,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
|
|
||||||
extern ServerOptions options;
|
extern ServerOptions options;
|
||||||
|
|
||||||
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||||
#endif
|
#endif
|
||||||
krb5_error_code problem;
|
krb5_error_code problem;
|
||||||
krb5_ccache ccache = NULL;
|
krb5_ccache ccache = NULL;
|
||||||
@ -19,24 +38,18 @@ index a5a81ed2..63f877f2 100644
|
|||||||
char *client, *platform_client;
|
char *client, *platform_client;
|
||||||
const char *errmsg;
|
const char *errmsg;
|
||||||
|
|
||||||
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
@@ -163,8 +164,8 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
|
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
|
||||||
|
- &authctxt->krb5_fwd_ccache);
|
||||||
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
|
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
|
||||||
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
|
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
|
||||||
if (problem)
|
if (problem)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
@@ -179,15 +180,14 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||||
if (problem)
|
|
||||||
goto out;
|
|
||||||
|
|
||||||
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
|
|
||||||
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
|
|
||||||
&creds);
|
|
||||||
if (problem)
|
|
||||||
goto out;
|
goto out;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -57,7 +70,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
|
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
@@ -223,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||||
void
|
void
|
||||||
krb5_cleanup_proc(Authctxt *authctxt)
|
krb5_cleanup_proc(Authctxt *authctxt)
|
||||||
{
|
{
|
||||||
@ -113,7 +126,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
if (authctxt->krb5_user) {
|
if (authctxt->krb5_user) {
|
||||||
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
||||||
authctxt->krb5_user = NULL;
|
authctxt->krb5_user = NULL;
|
||||||
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
@@ -238,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -151,7 +164,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ssh_krb5_expand_template(char **result, const char *template) {
|
+ssh_krb5_expand_template(char **result, const char *template) {
|
||||||
+ char *p_n, *p_o, *r, *tmp_template;
|
+ char *p_n, *p_o, *r, *tmp_template;
|
||||||
+
|
+
|
||||||
+ debug3("%s: called, template = %s", __func__, template);
|
+ debug3_f("called, template = %s", template);
|
||||||
+ if (template == NULL)
|
+ if (template == NULL)
|
||||||
+ return -1;
|
+ return -1;
|
||||||
+
|
+
|
||||||
@ -179,7 +192,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ } else {
|
+ } else {
|
||||||
+ p_o = strchr(p_n, '}') + 1;
|
+ p_o = strchr(p_n, '}') + 1;
|
||||||
+ *p_o = '\0';
|
+ *p_o = '\0';
|
||||||
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
|
+ debug_f("unsupported token %s in %s", p_n, template);
|
||||||
+ /* unknown token, fallback to the default */
|
+ /* unknown token, fallback to the default */
|
||||||
+ goto cleanup;
|
+ goto cleanup;
|
||||||
+ }
|
+ }
|
||||||
@ -198,16 +211,13 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ return -1;
|
+ return -1;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
krb5_error_code
|
+krb5_error_code
|
||||||
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
|
||||||
- int tmpfd, ret, oerrno;
|
|
||||||
- char ccname[40];
|
|
||||||
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
||||||
+ profile_t p;
|
+ profile_t p;
|
||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+ char *value = NULL;
|
+ char *value = NULL;
|
||||||
+
|
+
|
||||||
+ debug3("%s: called", __func__);
|
+ debug3_f("called");
|
||||||
+ ret = krb5_get_profile(ctx, &p);
|
+ ret = krb5_get_profile(ctx, &p);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
+ return ret;
|
+ return ret;
|
||||||
@ -218,11 +228,14 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+
|
+
|
||||||
+ ret = ssh_krb5_expand_template(ccname, value);
|
+ ret = ssh_krb5_expand_template(ccname, value);
|
||||||
+
|
+
|
||||||
+ debug3("%s: returning with ccname = %s", __func__, *ccname);
|
+ debug3_f("returning with ccname = %s", *ccname);
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+krb5_error_code
|
krb5_error_code
|
||||||
|
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||||
|
- int tmpfd, ret, oerrno;
|
||||||
|
- char ccname[40];
|
||||||
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
|
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
|
||||||
+ int tmpfd, ret, oerrno, type_len;
|
+ int tmpfd, ret, oerrno, type_len;
|
||||||
+ char *ccname = NULL;
|
+ char *ccname = NULL;
|
||||||
@ -242,7 +255,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
- logit("mkstemp(): %.100s", strerror(oerrno));
|
- logit("mkstemp(): %.100s", strerror(oerrno));
|
||||||
- return oerrno;
|
- return oerrno;
|
||||||
- }
|
- }
|
||||||
+ debug3("%s: called", __func__);
|
+ debug3_f("called");
|
||||||
+ if (need_environment)
|
+ if (need_environment)
|
||||||
+ *need_environment = 0;
|
+ *need_environment = 0;
|
||||||
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
||||||
@ -283,7 +296,7 @@ index a5a81ed2..63f877f2 100644
|
|||||||
- close(tmpfd);
|
- close(tmpfd);
|
||||||
|
|
||||||
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
+ debug3("%s: setting default ccname to %s", __func__, ccname);
|
+ debug3_f("setting default ccname to %s", ccname);
|
||||||
+ /* set the default with already expanded user IDs */
|
+ /* set the default with already expanded user IDs */
|
||||||
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
@ -304,13 +317,13 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ * a primary cache for this collection, if it supports that (non-FILE)
|
+ * a primary cache for this collection, if it supports that (non-FILE)
|
||||||
+ */
|
+ */
|
||||||
+ if (krb5_cc_support_switch(ctx, type)) {
|
+ if (krb5_cc_support_switch(ctx, type)) {
|
||||||
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname);
|
+ debug3_f("calling cc_new_unique(%s)", ccname);
|
||||||
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
||||||
+ free(type);
|
+ free(type);
|
||||||
+ if (ret)
|
+ if (ret)
|
||||||
+ return ret;
|
+ return ret;
|
||||||
+
|
+
|
||||||
+ debug3("%s: calling cc_switch()", __func__);
|
+ debug3_f("calling cc_switch()");
|
||||||
+ return krb5_cc_switch(ctx, *ccache);
|
+ return krb5_cc_switch(ctx, *ccache);
|
||||||
+ } else {
|
+ } else {
|
||||||
+ /* Otherwise, we can not create a unique ccname here (either
|
+ /* Otherwise, we can not create a unique ccname here (either
|
||||||
@ -318,36 +331,47 @@ index a5a81ed2..63f877f2 100644
|
|||||||
+ * collections
|
+ * collections
|
||||||
+ */
|
+ */
|
||||||
+ free(type);
|
+ free(type);
|
||||||
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname);
|
+ debug3_f("calling cc_resolve(%s)", ccname);
|
||||||
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||||
+ }
|
+ }
|
||||||
}
|
}
|
||||||
#endif /* !HEIMDAL */
|
#endif /* !HEIMDAL */
|
||||||
#endif /* KRB5 */
|
#endif /* KRB5 */
|
||||||
diff --git a/auth.h b/auth.h
|
diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c
|
||||||
index 29491df9..fdab5040 100644
|
--- openssh-8.6p1/gss-serv.c.ccache_name 2021-04-19 14:05:10.844744503 +0200
|
||||||
--- a/auth.h
|
+++ openssh-8.6p1/gss-serv.c 2021-04-19 14:05:10.854744577 +0200
|
||||||
+++ b/auth.h
|
@@ -413,13 +413,15 @@ ssh_gssapi_cleanup_creds(void)
|
||||||
@@ -82,6 +82,7 @@ struct Authctxt {
|
}
|
||||||
krb5_principal krb5_user;
|
|
||||||
char *krb5_ticket_file;
|
|
||||||
char *krb5_ccname;
|
|
||||||
+ int krb5_set_env;
|
|
||||||
#endif
|
|
||||||
struct sshbuf *loginmsg;
|
|
||||||
|
|
||||||
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *);
|
/* As user */
|
||||||
int sys_auth_passwd(struct ssh *, const char *);
|
-void
|
||||||
|
+int
|
||||||
|
ssh_gssapi_storecreds(void)
|
||||||
|
{
|
||||||
|
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
||||||
|
- (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||||
|
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||||
|
} else
|
||||||
|
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(KRB5) && !defined(HEIMDAL)
|
/* This allows GSSAPI methods to do things to the child's environment based
|
||||||
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
@@ -499,9 +501,7 @@ ssh_gssapi_rekey_creds(void) {
|
||||||
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
char *envstr;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif /* AUTH_H */
|
- if (gssapi_client.store.filename == NULL &&
|
||||||
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
|
- gssapi_client.store.envval == NULL &&
|
||||||
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100
|
- gssapi_client.store.envvar == NULL)
|
||||||
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100
|
+ if (gssapi_client.store.envval == NULL)
|
||||||
|
return;
|
||||||
|
|
||||||
|
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
|
||||||
|
diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c
|
||||||
|
--- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
|
||||||
|
+++ openssh-8.6p1/gss-serv-krb5.c 2021-04-19 14:05:10.854744577 +0200
|
||||||
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||||
/* This writes out any forwarded credentials from the structure populated
|
/* This writes out any forwarded credentials from the structure populated
|
||||||
* during userauth. Called after we have setuid to the user */
|
* during userauth. Called after we have setuid to the user */
|
||||||
@ -450,7 +474,7 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
|
|||||||
do_pam_putenv(client->store.envvar, client->store.envval);
|
do_pam_putenv(client->store.envvar, client->store.envval);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
@@ -364,7 +354,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||||
|
|
||||||
client->store.data = krb_context;
|
client->store.data = krb_context;
|
||||||
|
|
||||||
@ -459,43 +483,10 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
diff --git a/gss-serv.c b/gss-serv.c
|
diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
|
||||||
index 6cae720e..16e55cbc 100644
|
--- openssh-8.6p1/servconf.c.ccache_name 2021-04-19 14:05:10.848744532 +0200
|
||||||
--- a/gss-serv.c
|
+++ openssh-8.6p1/servconf.c 2021-04-19 14:05:10.854744577 +0200
|
||||||
+++ b/gss-serv.c
|
@@ -136,6 +136,7 @@ initialize_server_options(ServerOptions
|
||||||
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* As user */
|
|
||||||
-void
|
|
||||||
+int
|
|
||||||
ssh_gssapi_storecreds(void)
|
|
||||||
{
|
|
||||||
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
|
||||||
- (*gssapi_client.mech->storecreds)(&gssapi_client);
|
|
||||||
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
|
||||||
} else
|
|
||||||
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* This allows GSSAPI methods to do things to the child's environment based
|
|
||||||
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
|
|
||||||
char *envstr;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- if (gssapi_client.store.filename == NULL &&
|
|
||||||
- gssapi_client.store.envval == NULL &&
|
|
||||||
- gssapi_client.store.envvar == NULL)
|
|
||||||
+ if (gssapi_client.store.envval == NULL)
|
|
||||||
return;
|
|
||||||
|
|
||||||
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
|
|
||||||
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|
||||||
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
|
|
||||||
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
|
|
||||||
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
|
|
||||||
options->kerberos_or_local_passwd = -1;
|
options->kerberos_or_local_passwd = -1;
|
||||||
options->kerberos_ticket_cleanup = -1;
|
options->kerberos_ticket_cleanup = -1;
|
||||||
options->kerberos_get_afs_token = -1;
|
options->kerberos_get_afs_token = -1;
|
||||||
@ -503,7 +494,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
options->gss_authentication=-1;
|
options->gss_authentication=-1;
|
||||||
options->gss_keyex = -1;
|
options->gss_keyex = -1;
|
||||||
options->gss_cleanup_creds = -1;
|
options->gss_cleanup_creds = -1;
|
||||||
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
|
@@ -359,6 +360,8 @@ fill_default_server_options(ServerOption
|
||||||
options->kerberos_ticket_cleanup = 1;
|
options->kerberos_ticket_cleanup = 1;
|
||||||
if (options->kerberos_get_afs_token == -1)
|
if (options->kerberos_get_afs_token == -1)
|
||||||
options->kerberos_get_afs_token = 0;
|
options->kerberos_get_afs_token = 0;
|
||||||
@ -512,8 +503,8 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
if (options->gss_authentication == -1)
|
if (options->gss_authentication == -1)
|
||||||
options->gss_authentication = 0;
|
options->gss_authentication = 0;
|
||||||
if (options->gss_keyex == -1)
|
if (options->gss_keyex == -1)
|
||||||
@@ -447,7 +450,8 @@ typedef enum {
|
@@ -506,7 +509,8 @@ typedef enum {
|
||||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
|
||||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||||
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
||||||
@ -522,7 +513,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||||
sListenAddress, sAddressFamily,
|
sListenAddress, sAddressFamily,
|
||||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||||
@@ -526,11 +530,13 @@ static struct {
|
@@ -593,11 +597,13 @@ static struct {
|
||||||
#else
|
#else
|
||||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||||
#endif
|
#endif
|
||||||
@ -536,7 +527,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
#endif
|
#endif
|
||||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||||
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
@@ -1573,6 +1579,10 @@ process_server_config_line_depth(ServerO
|
||||||
intptr = &options->kerberos_get_afs_token;
|
intptr = &options->kerberos_get_afs_token;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
|
|
||||||
@ -547,7 +538,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
case sGssAuthentication:
|
case sGssAuthentication:
|
||||||
intptr = &options->gss_authentication;
|
intptr = &options->gss_authentication;
|
||||||
goto parse_flag;
|
goto parse_flag;
|
||||||
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o)
|
@@ -2891,6 +2901,7 @@ dump_config(ServerOptions *o)
|
||||||
# ifdef USE_AFS
|
# ifdef USE_AFS
|
||||||
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
||||||
# endif
|
# endif
|
||||||
@ -555,11 +546,10 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
|||||||
#endif
|
#endif
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||||
diff --git a/servconf.h b/servconf.h
|
diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h
|
||||||
index db8362c6..4fa42d64 100644
|
--- openssh-8.6p1/servconf.h.ccache_name 2021-04-19 14:05:10.848744532 +0200
|
||||||
--- a/servconf.h
|
+++ openssh-8.6p1/servconf.h 2021-04-19 14:05:10.855744584 +0200
|
||||||
+++ b/servconf.h
|
@@ -140,6 +140,8 @@ typedef struct {
|
||||||
@@ -123,6 +123,8 @@ typedef struct {
|
|
||||||
* file on logout. */
|
* file on logout. */
|
||||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||||
* authenticated with Kerberos. */
|
* authenticated with Kerberos. */
|
||||||
@ -568,11 +558,10 @@ index db8362c6..4fa42d64 100644
|
|||||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||||
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
||||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||||
diff --git a/session.c b/session.c
|
diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c
|
||||||
index 85df6a27..480a5ead 100644
|
--- openssh-8.6p1/session.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
|
||||||
--- a/session.c
|
+++ openssh-8.6p1/session.c 2021-04-19 14:05:10.855744584 +0200
|
||||||
+++ b/session.c
|
@@ -1038,7 +1038,8 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||||
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
|
||||||
/* Allow any GSSAPI methods that we've used to alter
|
/* Allow any GSSAPI methods that we've used to alter
|
||||||
* the child's environment as they see fit
|
* the child's environment as they see fit
|
||||||
*/
|
*/
|
||||||
@ -582,7 +571,7 @@ index 85df6a27..480a5ead 100644
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Set basic environment. */
|
/* Set basic environment. */
|
||||||
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
@@ -1114,7 +1115,7 @@ do_setup_env(struct ssh *ssh, Session *s
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifdef KRB5
|
#ifdef KRB5
|
||||||
@ -591,33 +580,10 @@ index 85df6a27..480a5ead 100644
|
|||||||
child_set_env(&env, &envsize, "KRB5CCNAME",
|
child_set_env(&env, &envsize, "KRB5CCNAME",
|
||||||
s->authctxt->krb5_ccname);
|
s->authctxt->krb5_ccname);
|
||||||
#endif
|
#endif
|
||||||
diff --git a/ssh-gss.h b/ssh-gss.h
|
diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c
|
||||||
index 6593e422..245178af 100644
|
--- openssh-8.6p1/sshd.c.ccache_name 2021-04-19 14:05:10.849744540 +0200
|
||||||
--- a/ssh-gss.h
|
+++ openssh-8.6p1/sshd.c 2021-04-19 14:05:10.855744584 +0200
|
||||||
+++ b/ssh-gss.h
|
@@ -2284,7 +2284,7 @@ main(int ac, char **av)
|
||||||
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
|
|
||||||
int (*dochild) (ssh_gssapi_client *);
|
|
||||||
int (*userok) (ssh_gssapi_client *, char *);
|
|
||||||
int (*localname) (ssh_gssapi_client *, char **);
|
|
||||||
- void (*storecreds) (ssh_gssapi_client *);
|
|
||||||
+ int (*storecreds) (ssh_gssapi_client *);
|
|
||||||
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
|
|
||||||
} ssh_gssapi_mech;
|
|
||||||
|
|
||||||
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
|
|
||||||
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
|
||||||
void ssh_gssapi_do_child(char ***, u_int *);
|
|
||||||
void ssh_gssapi_cleanup_creds(void);
|
|
||||||
-void ssh_gssapi_storecreds(void);
|
|
||||||
+int ssh_gssapi_storecreds(void);
|
|
||||||
const char *ssh_gssapi_displayname(void);
|
|
||||||
|
|
||||||
char *ssh_gssapi_server_mechanisms(void);
|
|
||||||
diff --git a/sshd.c b/sshd.c
|
|
||||||
index edbe815c..89514e8a 100644
|
|
||||||
--- a/sshd.c
|
|
||||||
+++ b/sshd.c
|
|
||||||
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
|
|
||||||
#ifdef GSSAPI
|
#ifdef GSSAPI
|
||||||
if (options.gss_authentication) {
|
if (options.gss_authentication) {
|
||||||
temporarily_use_uid(authctxt->pw);
|
temporarily_use_uid(authctxt->pw);
|
||||||
@ -626,11 +592,10 @@ index edbe815c..89514e8a 100644
|
|||||||
restore_uid();
|
restore_uid();
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
diff --git a/sshd_config.5 b/sshd_config.5
|
diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5
|
||||||
index c0683d4a..2349f477 100644
|
--- openssh-8.6p1/sshd_config.5.ccache_name 2021-04-19 14:05:10.849744540 +0200
|
||||||
--- a/sshd_config.5
|
+++ openssh-8.6p1/sshd_config.5 2021-04-19 14:05:10.856744592 +0200
|
||||||
+++ b/sshd_config.5
|
@@ -939,6 +939,14 @@ Specifies whether to automatically destr
|
||||||
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
|
|
||||||
file on logout.
|
file on logout.
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
@ -645,3 +610,24 @@ index c0683d4a..2349f477 100644
|
|||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
Specifies the available KEX (Key Exchange) algorithms.
|
Specifies the available KEX (Key Exchange) algorithms.
|
||||||
Multiple algorithms must be comma-separated.
|
Multiple algorithms must be comma-separated.
|
||||||
|
diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h
|
||||||
|
--- openssh-8.6p1/ssh-gss.h.ccache_name 2021-04-19 14:05:10.852744562 +0200
|
||||||
|
+++ openssh-8.6p1/ssh-gss.h 2021-04-19 14:05:10.855744584 +0200
|
||||||
|
@@ -114,7 +114,7 @@ typedef struct ssh_gssapi_mech_struct {
|
||||||
|
int (*dochild) (ssh_gssapi_client *);
|
||||||
|
int (*userok) (ssh_gssapi_client *, char *);
|
||||||
|
int (*localname) (ssh_gssapi_client *, char **);
|
||||||
|
- void (*storecreds) (ssh_gssapi_client *);
|
||||||
|
+ int (*storecreds) (ssh_gssapi_client *);
|
||||||
|
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
|
||||||
|
} ssh_gssapi_mech;
|
||||||
|
|
||||||
|
@@ -175,7 +175,7 @@ int ssh_gssapi_userok(char *name, struct
|
||||||
|
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||||
|
void ssh_gssapi_do_child(char ***, u_int *);
|
||||||
|
void ssh_gssapi_cleanup_creds(void);
|
||||||
|
-void ssh_gssapi_storecreds(void);
|
||||||
|
+int ssh_gssapi_storecreds(void);
|
||||||
|
const char *ssh_gssapi_displayname(void);
|
||||||
|
|
||||||
|
char *ssh_gssapi_server_mechanisms(void);
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
diff --git a/sshd.c b/sshd.c
|
diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
|
||||||
--- a/sshd.c
|
--- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
|
||||||
+++ b/sshd.c
|
+++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
|
||||||
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
|
@@ -1749,6 +1749,10 @@ main(int ac, char **av)
|
||||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||||
cfg, &includes, NULL);
|
cfg, &includes, NULL);
|
||||||
|
|
||||||
@ -9,13 +9,13 @@ diff --git a/sshd.c b/sshd.c
|
|||||||
+ if (! options.use_pam)
|
+ if (! options.use_pam)
|
||||||
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
|
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
|
||||||
+
|
+
|
||||||
/* Fill in default values for those options not explicitly set. */
|
#ifdef WITH_OPENSSL
|
||||||
fill_default_server_options(&options);
|
if (options.moduli_file != NULL)
|
||||||
|
dh_set_moduli_file(options.moduli_file);
|
||||||
diff --git a/sshd_config b/sshd_config
|
diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
|
||||||
--- a/sshd_config
|
--- openssh-8.6p1/sshd_config.log-usepam-no 2021-04-19 14:00:45.098735121 +0200
|
||||||
+++ b/sshd_config
|
+++ openssh-8.6p1/sshd_config 2021-04-19 14:00:45.099735129 +0200
|
||||||
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
|
@@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||||
# If you just want the PAM account and session checks to run without
|
# If you just want the PAM account and session checks to run without
|
||||||
# PAM authentication, then enable this but set PasswordAuthentication
|
# PAM authentication, then enable this but set PasswordAuthentication
|
||||||
# and ChallengeResponseAuthentication to 'no'.
|
# and ChallengeResponseAuthentication to 'no'.
|
||||||
|
@ -52,7 +52,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
|||||||
gss_buffer_desc mic, gssbuf;
|
gss_buffer_desc mic, gssbuf;
|
||||||
const char *displayname;
|
const char *displayname;
|
||||||
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal_f("sshbuf_new failed");
|
||||||
mic.value = p;
|
mic.value = p;
|
||||||
mic.length = len;
|
mic.length = len;
|
||||||
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||||
@ -63,7 +63,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
|||||||
+#endif
|
+#endif
|
||||||
+ micuser = authctxt->user;
|
+ micuser = authctxt->user;
|
||||||
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
||||||
"gssapi-with-mic");
|
"gssapi-with-mic", ssh->kex->session_id);
|
||||||
|
|
||||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||||
@ -80,7 +80,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
|||||||
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||||
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||||
/* reconstruct packet */
|
/* reconstruct packet */
|
||||||
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
|
if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
|
||||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
+ (authctxt->role
|
+ (authctxt->role
|
||||||
@ -224,8 +224,8 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
+ monitor_permit_authentications(1);
|
+ monitor_permit_authentications(1);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||||
+ debug3("%s: role=%s", __func__, authctxt->role);
|
+ debug3_f("role=%s", authctxt->role);
|
||||||
+
|
+
|
||||||
+ if (strlen(authctxt->role) == 0) {
|
+ if (strlen(authctxt->role) == 0) {
|
||||||
+ free(authctxt->role);
|
+ free(authctxt->role);
|
||||||
@ -251,7 +251,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse userstyle");
|
||||||
+ if ((s = strchr(cp, '/')) != NULL)
|
+ if ((s = strchr(cp, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
@ -269,7 +269,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
|||||||
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||||
fail++;
|
fail++;
|
||||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse userstyle");
|
||||||
+ if ((s = strchr(p, '/')) != NULL)
|
+ if ((s = strchr(p, '/')) != NULL)
|
||||||
+ *s = '\0';
|
+ *s = '\0';
|
||||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||||
@ -305,12 +305,12 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
|||||||
+ int r;
|
+ int r;
|
||||||
+ struct sshbuf *m;
|
+ struct sshbuf *m;
|
||||||
+
|
+
|
||||||
+ debug3("%s entering", __func__);
|
+ debug3_f("entering");
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_f("buffer error: %s", ssh_err(r));
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
@ -357,7 +357,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
|||||||
-void
|
-void
|
||||||
-ssh_selinux_setup_exec_context(char *pwname)
|
-ssh_selinux_setup_exec_context(char *pwname)
|
||||||
-{
|
-{
|
||||||
- security_context_t user_ctx = NULL;
|
- char *user_ctx = NULL;
|
||||||
-
|
-
|
||||||
- if (!ssh_selinux_enabled())
|
- if (!ssh_selinux_enabled())
|
||||||
- return;
|
- return;
|
||||||
@ -393,7 +393,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
|
|||||||
|
|
||||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||||
+ if (getexeccon(&user_ctx) != 0) {
|
+ if (getexeccon(&user_ctx) != 0) {
|
||||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
+ error_f("getexeccon: %s", strerror(errno));
|
||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -418,7 +418,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
|
|||||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||||
@@ -0,0 +1,425 @@
|
@@ -0,0 +1,421 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||||
@ -530,7 +530,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ access_vector_t bit;
|
+ access_vector_t bit;
|
||||||
+ security_class_t class;
|
+ security_class_t class;
|
||||||
+
|
+
|
||||||
+ debug("%s: src:%s dst:%s", __func__, src, dst);
|
+ debug_f("src:%s dst:%s", src, dst);
|
||||||
+ class = string_to_security_class("context");
|
+ class = string_to_security_class("context");
|
||||||
+ if (!class) {
|
+ if (!class) {
|
||||||
+ error("string_to_security_class failed to translate security class context");
|
+ error("string_to_security_class failed to translate security class context");
|
||||||
@ -692,7 +692,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ /* we actually don't change level */
|
+ /* we actually don't change level */
|
||||||
+ reqlvl = "";
|
+ reqlvl = "";
|
||||||
+
|
+
|
||||||
+ debug("%s: current connection level '%s'", __func__, reqlvl);
|
+ debug_f("current connection level '%s'", reqlvl);
|
||||||
+
|
+
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -720,8 +720,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0) {
|
+ if (r != 0) {
|
||||||
+ error("%s: Failed to get default SELinux security "
|
+ error_f("Failed to get default SELinux security "
|
||||||
+ "context for %s", __func__, pwname);
|
+ "context for %s", pwname);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+#ifdef HAVE_GETSEUSERBYNAME
|
+#ifdef HAVE_GETSEUSERBYNAME
|
||||||
@ -746,7 +746,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ char *use_current;
|
+ char *use_current;
|
||||||
+ int rv;
|
+ int rv;
|
||||||
+
|
+
|
||||||
+ debug3("%s: setting execution context", __func__);
|
+ debug3_f("setting execution context");
|
||||||
+
|
+
|
||||||
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
+ ssh_selinux_get_role_level(&role, &reqlvl);
|
||||||
+
|
+
|
||||||
@ -783,32 +783,30 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (sshd_selinux_setup_pam_variables()) {
|
+ if (sshd_selinux_setup_pam_variables()) {
|
||||||
+ switch (security_getenforce()) {
|
+ switch (security_getenforce()) {
|
||||||
+ case -1:
|
+ case -1:
|
||||||
+ fatal("%s: security_getenforce() failed", __func__);
|
+ fatal_f("security_getenforce() failed");
|
||||||
+ case 0:
|
+ case 0:
|
||||||
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
|
+ error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
|
||||||
+ __func__);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
|
+ fatal_f("SELinux PAM variable setup failure. Aborting connection.");
|
||||||
+ __func__);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ debug3("%s: setting execution context", __func__);
|
+ debug3_f("setting execution context");
|
||||||
+
|
+
|
||||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||||
+ if (r >= 0) {
|
+ if (r >= 0) {
|
||||||
+ r = setexeccon(user_ctx);
|
+ r = setexeccon(user_ctx);
|
||||||
+ if (r < 0) {
|
+ if (r < 0) {
|
||||||
+ error("%s: Failed to set SELinux execution context %s for %s",
|
+ error_f("Failed to set SELinux execution context %s for %s",
|
||||||
+ __func__, user_ctx, pwname);
|
+ user_ctx, pwname);
|
||||||
+ }
|
+ }
|
||||||
+#ifdef HAVE_SETKEYCREATECON
|
+#ifdef HAVE_SETKEYCREATECON
|
||||||
+ else if (setkeycreatecon(user_ctx) < 0) {
|
+ else if (setkeycreatecon(user_ctx) < 0) {
|
||||||
+ error("%s: Failed to set SELinux keyring creation context %s for %s",
|
+ error_f("Failed to set SELinux keyring creation context %s for %s",
|
||||||
+ __func__, user_ctx, pwname);
|
+ user_ctx, pwname);
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+ }
|
+ }
|
||||||
@ -823,14 +821,12 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (r < 0) {
|
+ if (r < 0) {
|
||||||
+ switch (security_getenforce()) {
|
+ switch (security_getenforce()) {
|
||||||
+ case -1:
|
+ case -1:
|
||||||
+ fatal("%s: security_getenforce() failed", __func__);
|
+ fatal_f("security_getenforce() failed");
|
||||||
+ case 0:
|
+ case 0:
|
||||||
+ error("%s: SELinux failure. Continuing in permissive mode.",
|
+ error_f("ELinux failure. Continuing in permissive mode.");
|
||||||
+ __func__);
|
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: SELinux failure. Aborting connection.",
|
+ fatal_f("SELinux failure. Aborting connection.");
|
||||||
+ __func__);
|
|
||||||
+ }
|
+ }
|
||||||
+ }
|
+ }
|
||||||
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
+ if (user_ctx != NULL && user_ctx != default_ctx)
|
||||||
@ -838,7 +834,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
|||||||
+ if (default_ctx != NULL)
|
+ if (default_ctx != NULL)
|
||||||
+ freecon(default_ctx);
|
+ freecon(default_ctx);
|
||||||
+
|
+
|
||||||
+ debug3("%s: done", __func__);
|
+ debug3_f("done");
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
|
@ -1,27 +0,0 @@
|
|||||||
From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Jelen <jjelen@redhat.com>
|
|
||||||
Date: Tue, 29 Sep 2020 10:02:45 +0000
|
|
||||||
Subject: [PATCH] Fail hard on the first failed attempt to write the
|
|
||||||
authorized_keys_file
|
|
||||||
|
|
||||||
---
|
|
||||||
ssh-copy-id | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index 392f64f..e69a23f 100755
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -251,7 +251,7 @@ installkeys_sh() {
|
|
||||||
cd;
|
|
||||||
umask 077;
|
|
||||||
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
|
||||||
- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
|
|
||||||
+ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
|
||||||
cat >> ${AUTH_KEY_FILE} ||
|
|
||||||
exit 1;
|
|
||||||
if type restorecon >/dev/null 2>&1; then
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
|
||||||
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
--- openssh-8.6p1/ssh_config.5.crypto-policies 2021-04-19 15:18:32.071920379 +0200
|
||||||
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
+++ openssh-8.6p1/ssh_config.5 2021-04-19 15:21:18.400179265 +0200
|
||||||
@@ -359,17 +359,17 @@ or
|
@@ -368,15 +368,13 @@ or
|
||||||
.Qq *.c.example.com
|
.Qq *.c.example.com
|
||||||
domains.
|
domains.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
@ -14,19 +14,16 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
will not accept host certificates signed using algorithms other than those
|
will not accept host certificates signed using algorithms other than those
|
||||||
specified.
|
specified.
|
||||||
+.Pp
|
@@ -436,20 +434,25 @@ If the option is set to
|
||||||
.It Cm CertificateFile
|
(the default),
|
||||||
Specifies a file from which the user's certificate is read.
|
|
||||||
A corresponding private key must be provided separately in order
|
|
||||||
@@ -424,20 +424,25 @@ If the option is set to
|
|
||||||
.Cm no ,
|
|
||||||
the check will not be executed.
|
the check will not be executed.
|
||||||
.It Cm Ciphers
|
.It Cm Ciphers
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
@ -55,7 +52,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The supported ciphers are:
|
The supported ciphers are:
|
||||||
.Bd -literal -offset indent
|
.Bd -literal -offset indent
|
||||||
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
|
@@ -465,13 +468,6 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@ -69,7 +66,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
.It Cm ClearAllForwardings
|
.It Cm ClearAllForwardings
|
||||||
@@ -812,6 +810,11 @@ command line will be passed untouched to
|
@@ -826,6 +822,11 @@ command line will be passed untouched to
|
||||||
The default is
|
The default is
|
||||||
.Dq no .
|
.Dq no .
|
||||||
.It Cm GSSAPIKexAlgorithms
|
.It Cm GSSAPIKexAlgorithms
|
||||||
@ -81,7 +78,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
The list of key exchange algorithms that are offered for GSSAPI
|
The list of key exchange algorithms that are offered for GSSAPI
|
||||||
key exchange. Possible values are
|
key exchange. Possible values are
|
||||||
.Bd -literal -offset 3n
|
.Bd -literal -offset 3n
|
||||||
@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
|
@@ -838,10 +839,8 @@ gss-nistp256-sha256-,
|
||||||
gss-curve25519-sha256-
|
gss-curve25519-sha256-
|
||||||
.Ed
|
.Ed
|
||||||
.Pp
|
.Pp
|
||||||
@ -93,7 +90,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
.It Cm HashKnownHosts
|
.It Cm HashKnownHosts
|
||||||
Indicates that
|
Indicates that
|
||||||
.Xr ssh 1
|
.Xr ssh 1
|
||||||
@@ -1149,29 +1150,25 @@ it may be zero or more of:
|
@@ -1169,29 +1168,25 @@ it may be zero or more of:
|
||||||
and
|
and
|
||||||
.Cm pam .
|
.Cm pam .
|
||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
@ -132,9 +129,9 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q kex .
|
.Qq ssh -Q kex .
|
||||||
@@ -1231,37 +1228,33 @@ The default is INFO.
|
@@ -1301,37 +1296,33 @@ function, and all code in the
|
||||||
DEBUG and DEBUG1 are equivalent.
|
file.
|
||||||
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
.It Cm MACs
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -179,56 +176,57 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
|||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
.It Cm NoHostAuthenticationForLocalhost
|
.It Cm NoHostAuthenticationForLocalhost
|
||||||
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
|
@@ -1503,37 +1494,25 @@ instead of continuing to execute and pas
|
||||||
The default is
|
The default is
|
||||||
.Cm no .
|
.Cm no .
|
||||||
.It Cm PubkeyAcceptedKeyTypes
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
Specifies the key types that will be used for public key authentication
|
Specifies the signature algorithms that will be used for public key
|
||||||
as a comma-separated list of patterns.
|
authentication as a comma-separated list of patterns.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq +
|
.Sq +
|
||||||
-character, then the key types after it will be appended to the default
|
-character, then the algorithms after it will be appended to the default
|
||||||
-instead of replacing it.
|
-instead of replacing it.
|
||||||
+character, then the key types after it will be appended to the built-in
|
+character, then the algorithms after it will be appended to the built-in
|
||||||
+openssh default instead of replacing it.
|
+openssh default instead of replacing it.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq -
|
.Sq -
|
||||||
character, then the specified key types (including wildcards) will be removed
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
-from the default set instead of replacing them.
|
-from the default set instead of replacing them.
|
||||||
+from the built-in openssh default set instead of replacing them.
|
+from the built-in openssh default set instead of replacing them.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified algorithms will be placed at the head of the
|
||||||
-default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
-rsa-sha2-256-cert-v01@openssh.com,
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+built-in openssh default set.
|
+built-in openssh default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
|
||||||
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
--- openssh-8.6p1/sshd_config.5.crypto-policies 2021-04-19 15:18:32.062920311 +0200
|
||||||
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
+++ openssh-8.6p1/sshd_config.5 2021-04-19 15:20:42.591908243 +0200
|
||||||
@@ -375,16 +375,16 @@ If the argument is
|
@@ -373,15 +373,13 @@ If the argument is
|
||||||
then no banner is displayed.
|
then no banner is displayed.
|
||||||
By default, no banner is displayed.
|
By default, no banner is displayed.
|
||||||
.It Cm CASignatureAlgorithms
|
.It Cm CASignatureAlgorithms
|
||||||
@ -241,17 +239,15 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
by certificate authorities (CAs).
|
by certificate authorities (CAs).
|
||||||
-The default is:
|
-The default is:
|
||||||
-.Bd -literal -offset indent
|
-.Bd -literal -offset indent
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
|
-rsa-sha2-512,rsa-sha2-256
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
Certificates signed using other algorithms will not be accepted for
|
Certificates signed using other algorithms will not be accepted for
|
||||||
public key or host-based authentication.
|
public key or host-based authentication.
|
||||||
+.Pp
|
|
||||||
.It Cm ChallengeResponseAuthentication
|
.It Cm ChallengeResponseAuthentication
|
||||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
@@ -445,20 +443,25 @@ The default is
|
||||||
PAM or through authentication styles supported in
|
|
||||||
@@ -446,20 +446,25 @@ The default is
|
|
||||||
indicating not to
|
indicating not to
|
||||||
.Xr chroot 2 .
|
.Xr chroot 2 .
|
||||||
.It Cm Ciphers
|
.It Cm Ciphers
|
||||||
@ -281,7 +277,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The supported ciphers are:
|
The supported ciphers are:
|
||||||
.Pp
|
.Pp
|
||||||
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
|
@@ -485,13 +488,6 @@ aes256-gcm@openssh.com
|
||||||
chacha20-poly1305@openssh.com
|
chacha20-poly1305@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -295,7 +291,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
The list of available ciphers may also be obtained using
|
The list of available ciphers may also be obtained using
|
||||||
.Qq ssh -Q cipher .
|
.Qq ssh -Q cipher .
|
||||||
.It Cm ClientAliveCountMax
|
.It Cm ClientAliveCountMax
|
||||||
@@ -681,22 +679,24 @@ For this to work
|
@@ -680,21 +676,22 @@ For this to work
|
||||||
.Cm GSSAPIKeyExchange
|
.Cm GSSAPIKeyExchange
|
||||||
needs to be enabled in the server and also used by the client.
|
needs to be enabled in the server and also used by the client.
|
||||||
.It Cm GSSAPIKexAlgorithms
|
.It Cm GSSAPIKexAlgorithms
|
||||||
@ -326,11 +322,9 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
This option only applies to connections using GSSAPI.
|
This option only applies to connections using GSSAPI.
|
||||||
+.Pp
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
Specifies the signature algorithms that will be accepted for hostbased
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
@@ -794,26 +791,13 @@ is specified, the location of the socket
|
||||||
as a list of comma-separated patterns.
|
|
||||||
@@ -793,25 +793,13 @@ is specified, the location of the socket
|
|
||||||
.Ev SSH_AUTH_SOCK
|
.Ev SSH_AUTH_SOCK
|
||||||
environment variable.
|
environment variable.
|
||||||
.It Cm HostKeyAlgorithms
|
.It Cm HostKeyAlgorithms
|
||||||
@ -339,29 +333,30 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
Specifies the host key algorithms
|
Specifies the host key signature algorithms
|
||||||
that the server offers.
|
that the server offers.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
-rsa-sha2-256-cert-v01@openssh.com,
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
-.Pp
|
-.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q HostKeyAlgorithms .
|
.Qq ssh -Q HostKeyAlgorithms .
|
||||||
.It Cm IgnoreRhosts
|
.It Cm IgnoreRhosts
|
||||||
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
@@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
.It Cm KexAlgorithms
|
.It Cm KexAlgorithms
|
||||||
@ -391,8 +386,8 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
The supported algorithms are:
|
The supported algorithms are:
|
||||||
.Pp
|
.Pp
|
||||||
.Bl -item -compact -offset indent
|
.Bl -item -compact -offset indent
|
||||||
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
@@ -1003,15 +992,6 @@ ecdh-sha2-nistp521
|
||||||
sntrup4591761x25519-sha512@tinyssh.org
|
sntrup761x25519-sha512@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
-The default is:
|
-The default is:
|
||||||
@ -407,9 +402,9 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
The list of available key exchange algorithms may also be obtained using
|
The list of available key exchange algorithms may also be obtained using
|
||||||
.Qq ssh -Q KexAlgorithms .
|
.Qq ssh -Q KexAlgorithms .
|
||||||
.It Cm ListenAddress
|
.It Cm ListenAddress
|
||||||
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
@@ -1097,21 +1077,26 @@ function, and all code in the
|
||||||
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
file.
|
||||||
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
This option is intended for debugging and no overrides are enabled by default.
|
||||||
.It Cm MACs
|
.It Cm MACs
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
@ -438,7 +433,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
.Pp
|
.Pp
|
||||||
The algorithms that contain
|
The algorithms that contain
|
||||||
.Qq -etm
|
.Qq -etm
|
||||||
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
|
@@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com
|
||||||
umac-128-etm@openssh.com
|
umac-128-etm@openssh.com
|
||||||
.El
|
.El
|
||||||
.Pp
|
.Pp
|
||||||
@ -454,49 +449,50 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
|||||||
The list of available MAC algorithms may also be obtained using
|
The list of available MAC algorithms may also be obtained using
|
||||||
.Qq ssh -Q mac .
|
.Qq ssh -Q mac .
|
||||||
.It Cm Match
|
.It Cm Match
|
||||||
@@ -1480,36 +1460,25 @@ or equivalent.)
|
@@ -1541,37 +1517,25 @@ or equivalent.)
|
||||||
The default is
|
The default is
|
||||||
.Cm yes .
|
.Cm yes .
|
||||||
.It Cm PubkeyAcceptedKeyTypes
|
.It Cm PubkeyAcceptedAlgorithms
|
||||||
+The default is handled system-wide by
|
+The default is handled system-wide by
|
||||||
+.Xr crypto-policies 7 .
|
+.Xr crypto-policies 7 .
|
||||||
+To see the defaults and how to modify this default, see manual page
|
+To see the defaults and how to modify this default, see manual page
|
||||||
+.Xr update-crypto-policies 8 .
|
+.Xr update-crypto-policies 8 .
|
||||||
+.Pp
|
+.Pp
|
||||||
Specifies the key types that will be accepted for public key authentication
|
Specifies the signature algorithms that will be accepted for public key
|
||||||
as a list of comma-separated patterns.
|
authentication as a list of comma-separated patterns.
|
||||||
Alternately if the specified list begins with a
|
Alternately if the specified list begins with a
|
||||||
.Sq +
|
.Sq +
|
||||||
-character, then the specified key types will be appended to the default set
|
-character, then the specified algorithms will be appended to the default set
|
||||||
-instead of replacing them.
|
-instead of replacing them.
|
||||||
+character, then the specified key types will be appended to the built-in
|
+character, then the specified algorithms will be appended to the built-in
|
||||||
+openssh default set instead of replacing them.
|
+openssh default set instead of replacing them.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq -
|
.Sq -
|
||||||
character, then the specified key types (including wildcards) will be removed
|
character, then the specified algorithms (including wildcards) will be removed
|
||||||
-from the default set instead of replacing them.
|
-from the default set instead of replacing them.
|
||||||
+from the built-in openssh default set instead of replacing them.
|
+from the built-in openssh default set instead of replacing them.
|
||||||
If the specified list begins with a
|
If the specified list begins with a
|
||||||
.Sq ^
|
.Sq ^
|
||||||
character, then the specified key types will be placed at the head of the
|
character, then the specified algorithms will be placed at the head of the
|
||||||
-default set.
|
-default set.
|
||||||
-The default for this option is:
|
-The default for this option is:
|
||||||
-.Bd -literal -offset 3n
|
-.Bd -literal -offset 3n
|
||||||
|
-ssh-ed25519-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
|
||||||
-ssh-ed25519-cert-v01@openssh.com,
|
|
||||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||||
|
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||||
-rsa-sha2-512-cert-v01@openssh.com,
|
-rsa-sha2-512-cert-v01@openssh.com,
|
||||||
-rsa-sha2-256-cert-v01@openssh.com,
|
-rsa-sha2-256-cert-v01@openssh.com,
|
||||||
-ssh-rsa-cert-v01@openssh.com,
|
-ssh-rsa-cert-v01@openssh.com,
|
||||||
|
-ssh-ed25519,
|
||||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||||
|
-sk-ssh-ed25519@openssh.com,
|
||||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
|
||||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||||
-.Ed
|
-.Ed
|
||||||
+built-in openssh default set.
|
+built-in openssh default set.
|
||||||
.Pp
|
.Pp
|
||||||
The list of available key types may also be obtained using
|
The list of available signature algorithms may also be obtained using
|
||||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
.Qq ssh -Q PubkeyAcceptedAlgorithms .
|
||||||
|
@ -5,7 +5,7 @@ index e7549470..b68c1710 100644
|
|||||||
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||||
kexgexc.o kexgexs.o \
|
kexgexc.o kexgexs.o \
|
||||||
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
|
kexsntrup761x25519.o sntrup761.o kexgen.o \
|
||||||
+ kexgssc.o \
|
+ kexgssc.o \
|
||||||
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
|
||||||
sshbuf-io.o
|
sshbuf-io.o
|
||||||
@ -17,7 +17,7 @@ index e7549470..b68c1710 100644
|
|||||||
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
|
||||||
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
|
||||||
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
|
||||||
sftp-server.o sftp-common.o \
|
srclimit.o sftp-server.o sftp-common.o \
|
||||||
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
|
||||||
diff --git a/auth.c b/auth.c
|
diff --git a/auth.c b/auth.c
|
||||||
index 086b8ebb..687c57b4 100644
|
index 086b8ebb..687c57b4 100644
|
||||||
@ -138,7 +138,7 @@ index 9351e042..d6446c0c 100644
|
|||||||
--- a/auth2-gss.c
|
--- a/auth2-gss.c
|
||||||
+++ b/auth2-gss.c
|
+++ b/auth2-gss.c
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
|
/* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
@ -165,19 +165,19 @@ index 9351e042..d6446c0c 100644
|
|||||||
+
|
+
|
||||||
+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
|
+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
|
||||||
+ (r = sshpkt_get_end(ssh)) != 0)
|
+ (r = sshpkt_get_end(ssh)) != 0)
|
||||||
+ fatal("%s: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "parsing");
|
||||||
+
|
+
|
||||||
+ if ((b = sshbuf_new()) == NULL)
|
+ if ((b = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ mic.value = p;
|
+ mic.value = p;
|
||||||
+ mic.length = len;
|
+ mic.length = len;
|
||||||
+
|
+
|
||||||
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||||
+ "gssapi-keyex");
|
+ "gssapi-keyex", ssh->kex->session_id);
|
||||||
+
|
+
|
||||||
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
|
+ fatal_f("sshbuf_mutable_ptr failed");
|
||||||
+ gssbuf.length = sshbuf_len(b);
|
+ gssbuf.length = sshbuf_len(b);
|
||||||
+
|
+
|
||||||
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
|
+ /* gss_kex_context is NULL with privsep, so we can't check it here */
|
||||||
@ -197,7 +197,7 @@ index 9351e042..d6446c0c 100644
|
|||||||
* how to check local user kuserok and the like)
|
* how to check local user kuserok and the like)
|
||||||
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
|
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
|
||||||
if ((r = sshpkt_get_end(ssh)) != 0)
|
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||||
fatal("%s: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse packet");
|
||||||
|
|
||||||
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
|
||||||
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
|
||||||
@ -441,7 +441,7 @@ index d56257b4..763a63ff 100644
|
|||||||
--- a/gss-genr.c
|
--- a/gss-genr.c
|
||||||
+++ b/gss-genr.c
|
+++ b/gss-genr.c
|
||||||
@@ -1,7 +1,7 @@
|
@@ -1,7 +1,7 @@
|
||||||
/* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
|
/* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
|
||||||
@ -449,7 +449,7 @@ index d56257b4..763a63ff 100644
|
|||||||
*
|
*
|
||||||
* Redistribution and use in source and binary forms, with or without
|
* Redistribution and use in source and binary forms, with or without
|
||||||
* modification, are permitted provided that the following conditions
|
* modification, are permitted provided that the following conditions
|
||||||
@@ -41,12 +41,36 @@
|
@@ -41,9 +41,33 @@
|
||||||
#include "sshbuf.h"
|
#include "sshbuf.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "ssh2.h"
|
#include "ssh2.h"
|
||||||
@ -461,9 +461,6 @@ index d56257b4..763a63ff 100644
|
|||||||
|
|
||||||
#include "ssh-gss.h"
|
#include "ssh-gss.h"
|
||||||
|
|
||||||
extern u_char *session_id2;
|
|
||||||
extern u_int session_id2_len;
|
|
||||||
|
|
||||||
+typedef struct {
|
+typedef struct {
|
||||||
+ char *encoded;
|
+ char *encoded;
|
||||||
+ gss_OID oid;
|
+ gss_OID oid;
|
||||||
@ -486,7 +483,7 @@ index d56257b4..763a63ff 100644
|
|||||||
/* sshbuf_get for gss_buffer_desc */
|
/* sshbuf_get for gss_buffer_desc */
|
||||||
int
|
int
|
||||||
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
||||||
@@ -62,6 +86,162 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
@@ -62,6 +86,159 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -548,7 +545,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+ (gss_supported->count + 1));
|
+ (gss_supported->count + 1));
|
||||||
+
|
+
|
||||||
+ if ((buf = sshbuf_new()) == NULL)
|
+ if ((buf = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ oidpos = 0;
|
+ oidpos = 0;
|
||||||
+ s = cp = xstrdup(kex);
|
+ s = cp = xstrdup(kex);
|
||||||
@ -565,8 +562,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+ gss_supported->elements[i].elements,
|
+ gss_supported->elements[i].elements,
|
||||||
+ gss_supported->elements[i].length)) != 0 ||
|
+ gss_supported->elements[i].length)) != 0 ||
|
||||||
+ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
|
+ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
|
||||||
+ fatal("%s: digest failed: %s", __func__,
|
+ fatal_fr(r, "digest failed");
|
||||||
+ ssh_err(r));
|
|
||||||
+ ssh_digest_free(md);
|
+ ssh_digest_free(md);
|
||||||
+ md = NULL;
|
+ md = NULL;
|
||||||
+
|
+
|
||||||
@ -581,12 +577,10 @@ index d56257b4..763a63ff 100644
|
|||||||
+ (p = strsep(&cp, ","))) {
|
+ (p = strsep(&cp, ","))) {
|
||||||
+ if (sshbuf_len(buf) != 0 &&
|
+ if (sshbuf_len(buf) != 0 &&
|
||||||
+ (r = sshbuf_put_u8(buf, ',')) != 0)
|
+ (r = sshbuf_put_u8(buf, ',')) != 0)
|
||||||
+ fatal("%s: sshbuf_put_u8 error: %s",
|
+ fatal_fr(r, "sshbuf_put_u8 error");
|
||||||
+ __func__, ssh_err(r));
|
|
||||||
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
|
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
|
||||||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
+ (r = sshbuf_put(buf, encoded, enclen)) != 0)
|
||||||
+ fatal("%s: sshbuf_put error: %s",
|
+ fatal_fr(r, "sshbuf_put error");
|
||||||
+ __func__, ssh_err(r));
|
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
||||||
@ -599,7 +593,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+ gss_enc2oid[oidpos].encoded = NULL;
|
+ gss_enc2oid[oidpos].encoded = NULL;
|
||||||
+
|
+
|
||||||
+ if ((mechs = sshbuf_dup_string(buf)) == NULL)
|
+ if ((mechs = sshbuf_dup_string(buf)) == NULL)
|
||||||
+ fatal("%s: sshbuf_dup_string failed", __func__);
|
+ fatal_f("sshbuf_dup_string failed");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(buf);
|
+ sshbuf_free(buf);
|
||||||
+
|
+
|
||||||
@ -721,7 +715,7 @@ index d56257b4..763a63ff 100644
|
|||||||
+
|
+
|
||||||
void
|
void
|
||||||
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
||||||
const char *context)
|
const char *context, const struct sshbuf *session_id)
|
||||||
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1123,10 +1117,10 @@ index ab3a15f0..6ce56e92 100644
|
|||||||
+
|
+
|
||||||
+ if (gssapi_client.store.data != NULL) {
|
+ if (gssapi_client.store.data != NULL) {
|
||||||
+ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
|
+ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
|
||||||
+ debug("%s: krb5_cc_resolve(): %.100s", __func__,
|
+ debug_f("krb5_cc_resolve(): %.100s",
|
||||||
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
||||||
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
|
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
|
||||||
+ debug("%s: krb5_cc_destroy(): %.100s", __func__,
|
+ debug_f("krb5_cc_destroy(): %.100s",
|
||||||
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
+ krb5_get_err_text(gssapi_client.store.data, problem));
|
||||||
+ } else {
|
+ } else {
|
||||||
+ krb5_free_context(gssapi_client.store.data);
|
+ krb5_free_context(gssapi_client.store.data);
|
||||||
@ -1375,7 +1369,7 @@ index ce85f043..574c7609 100644
|
|||||||
@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
|
@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
|
||||||
sshbuf_free(kex->server_version);
|
sshbuf_free(kex->server_version);
|
||||||
sshbuf_free(kex->client_pub);
|
sshbuf_free(kex->client_pub);
|
||||||
free(kex->session_id);
|
sshbuf_free(kex->session_id);
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
+ free(kex->gss_host);
|
+ free(kex->gss_host);
|
||||||
+#endif /* GSSAPI */
|
+#endif /* GSSAPI */
|
||||||
@ -1389,7 +1383,7 @@ index a5ae6ac0..fe714141 100644
|
|||||||
@@ -102,6 +102,15 @@ enum kex_exchange {
|
@@ -102,6 +102,15 @@ enum kex_exchange {
|
||||||
KEX_ECDH_SHA2,
|
KEX_ECDH_SHA2,
|
||||||
KEX_C25519_SHA256,
|
KEX_C25519_SHA256,
|
||||||
KEX_KEM_SNTRUP4591761X25519_SHA512,
|
KEX_KEM_SNTRUP761X25519_SHA512,
|
||||||
+#ifdef GSSAPI
|
+#ifdef GSSAPI
|
||||||
+ KEX_GSS_GRP1_SHA1,
|
+ KEX_GSS_GRP1_SHA1,
|
||||||
+ KEX_GSS_GRP14_SHA1,
|
+ KEX_GSS_GRP14_SHA1,
|
||||||
@ -1498,7 +1492,7 @@ new file mode 100644
|
|||||||
index 00000000..f6e1405e
|
index 00000000..f6e1405e
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/kexgssc.c
|
+++ b/kexgssc.c
|
||||||
@@ -0,0 +1,606 @@
|
@@ -0,0 +1,599 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -1597,7 +1591,7 @@ index 00000000..f6e1405e
|
|||||||
+ r = kex_c25519_keypair(kex);
|
+ r = kex_c25519_keypair(kex);
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0)
|
+ if (r != 0)
|
||||||
+ return r;
|
+ return r;
|
||||||
@ -1785,7 +1779,7 @@ index 00000000..f6e1405e
|
|||||||
+ server_blob,
|
+ server_blob,
|
||||||
+ shared_secret,
|
+ shared_secret,
|
||||||
+ hash, &hashlen)) != 0)
|
+ hash, &hashlen)) != 0)
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+
|
+
|
||||||
+ gssbuf.value = hash;
|
+ gssbuf.value = hash;
|
||||||
+ gssbuf.length = hashlen;
|
+ gssbuf.length = hashlen;
|
||||||
@ -2074,13 +2068,6 @@ index 00000000..f6e1405e
|
|||||||
+
|
+
|
||||||
+ gss_release_buffer(&min_status, &msg_tok);
|
+ gss_release_buffer(&min_status, &msg_tok);
|
||||||
+
|
+
|
||||||
+ /* save session id */
|
|
||||||
+ if (kex->session_id == NULL) {
|
|
||||||
+ kex->session_id_len = hashlen;
|
|
||||||
+ kex->session_id = xmalloc(kex->session_id_len);
|
|
||||||
+ memcpy(kex->session_id, hash, kex->session_id_len);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (kex->gss_deleg_creds)
|
+ if (kex->gss_deleg_creds)
|
||||||
+ ssh_gssapi_credentials_updated(ctxt);
|
+ ssh_gssapi_credentials_updated(ctxt);
|
||||||
+
|
+
|
||||||
@ -2202,12 +2189,12 @@ index 00000000..60bc02de
|
|||||||
+ free(mechs);
|
+ free(mechs);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ debug2("%s: Identifying %s", __func__, kex->name);
|
+ debug2_f("Identifying %s", kex->name);
|
||||||
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
||||||
+ if (oid == GSS_C_NO_OID)
|
+ if (oid == GSS_C_NO_OID)
|
||||||
+ fatal("Unknown gssapi mechanism");
|
+ fatal("Unknown gssapi mechanism");
|
||||||
+
|
+
|
||||||
+ debug2("%s: Acquiring credentials", __func__);
|
+ debug2_f("Acquiring credentials");
|
||||||
+
|
+
|
||||||
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
||||||
+ fatal("Unable to acquire credentials for the server");
|
+ fatal("Unable to acquire credentials for the server");
|
||||||
@ -2242,7 +2229,7 @@ index 00000000..60bc02de
|
|||||||
+ &shared_secret);
|
+ &shared_secret);
|
||||||
+ break;
|
+ break;
|
||||||
+ default:
|
+ default:
|
||||||
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
|
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
|
||||||
+ }
|
+ }
|
||||||
+ if (r != 0)
|
+ if (r != 0)
|
||||||
+ goto out;
|
+ goto out;
|
||||||
@ -2398,12 +2385,12 @@ index 00000000..60bc02de
|
|||||||
+ if ((mechs = ssh_gssapi_server_mechanisms()))
|
+ if ((mechs = ssh_gssapi_server_mechanisms()))
|
||||||
+ free(mechs);
|
+ free(mechs);
|
||||||
+
|
+
|
||||||
+ debug2("%s: Identifying %s", __func__, kex->name);
|
+ debug2_f("Identifying %s", kex->name);
|
||||||
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
|
||||||
+ if (oid == GSS_C_NO_OID)
|
+ if (oid == GSS_C_NO_OID)
|
||||||
+ fatal("Unknown gssapi mechanism");
|
+ fatal("Unknown gssapi mechanism");
|
||||||
+
|
+
|
||||||
+ debug2("%s: Acquiring credentials", __func__);
|
+ debug2_f("Acquiring credentials");
|
||||||
+
|
+
|
||||||
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
|
||||||
+ fatal("Unable to acquire credentials for the server");
|
+ fatal("Unable to acquire credentials for the server");
|
||||||
@ -2656,29 +2643,29 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+# endif
|
+# endif
|
||||||
#endif /* WITH_OPENSSL */
|
#endif /* WITH_OPENSSL */
|
||||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||||
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
|
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||||
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
u_char *p;
|
u_char *p;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "parse");
|
||||||
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
OM_uint32 flags = 0; /* GSI needs this */
|
OM_uint32 flags = 0; /* GSI needs this */
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
|
||||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
fatal_fr(r, "ssh_gssapi_get_buffer_desc");
|
||||||
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
|
||||||
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
|
||||||
@ -2692,9 +2679,9 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
int r;
|
int r;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
|
||||||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
|
||||||
@ -2707,13 +2694,13 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
const char *displayname;
|
const char *displayname;
|
||||||
|
|
||||||
- if (!options.gss_authentication)
|
- if (!options.gss_authentication)
|
||||||
- fatal("%s: GSSAPI authentication not enabled", __func__);
|
- fatal_f("GSSAPI authentication not enabled");
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
|
|
||||||
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
|
||||||
+ if ((r = sshbuf_get_u32(m, &kex)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &kex)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ authenticated = authctxt->valid &&
|
+ authenticated = authctxt->valid &&
|
||||||
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
|
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
|
||||||
@ -2721,7 +2708,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
sshbuf_reset(m);
|
sshbuf_reset(m);
|
||||||
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
if ((r = sshbuf_put_u32(m, authenticated)) != 0)
|
||||||
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
debug3("%s: sending result %d", __func__, authenticated);
|
debug3_f("sending result %d", authenticated);
|
||||||
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
|
||||||
|
|
||||||
- auth_method = "gssapi-with-mic";
|
- auth_method = "gssapi-with-mic";
|
||||||
@ -2733,7 +2720,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
|
|
||||||
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
if ((displayname = ssh_gssapi_displayname()) != NULL)
|
||||||
auth2_record_info(authctxt, "%s", displayname);
|
auth2_record_info(authctxt, "%s", displayname);
|
||||||
@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
@@ -1921,5 +1958,84 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||||
/* Monitor loop will terminate if authenticated */
|
/* Monitor loop will terminate if authenticated */
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
@ -2749,16 +2736,15 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+ int r;
|
+ int r;
|
||||||
+
|
+
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
+ if ((r = sshbuf_get_string(m, &p, &len)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+ data.value = p;
|
+ data.value = p;
|
||||||
+ data.length = len;
|
+ data.length = len;
|
||||||
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
|
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
|
||||||
+ if (data.length != 20 && data.length != 32 && data.length != 64)
|
+ if (data.length != 20 && data.length != 32 && data.length != 64)
|
||||||
+ fatal("%s: data length incorrect: %d", __func__,
|
+ fatal_f("data length incorrect: %d", (int) data.length);
|
||||||
+ (int) data.length);
|
|
||||||
+
|
+
|
||||||
+ /* Save the session ID on the first time around */
|
+ /* Save the session ID on the first time around */
|
||||||
+ if (session_id2_len == 0) {
|
+ if (session_id2_len == 0) {
|
||||||
@ -2774,7 +2760,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+
|
+
|
||||||
+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
|
+ if ((r = sshbuf_put_u32(m, major)) != 0 ||
|
||||||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
|
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
|
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
|
||||||
+
|
+
|
||||||
@ -2795,12 +2781,12 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+ int r, ok;
|
+ int r, ok;
|
||||||
+
|
+
|
||||||
+ if (!options.gss_authentication && !options.gss_keyex)
|
+ if (!options.gss_authentication && !options.gss_keyex)
|
||||||
+ fatal("%s: GSSAPI not enabled", __func__);
|
+ fatal_f("GSSAPI not enabled");
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
|
+ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
|
+ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
|
||||||
+ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
|
+ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ ok = ssh_gssapi_update_creds(&store);
|
+ ok = ssh_gssapi_update_creds(&store);
|
||||||
+
|
+
|
||||||
@ -2810,7 +2796,7 @@ index 2ce89fe9..ebf76c7f 100644
|
|||||||
+
|
+
|
||||||
+ sshbuf_reset(m);
|
+ sshbuf_reset(m);
|
||||||
+ if ((r = sshbuf_put_u32(m, ok)) != 0)
|
+ if ((r = sshbuf_put_u32(m, ok)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
|
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
|
||||||
+
|
+
|
||||||
@ -2847,14 +2833,14 @@ index 001a8fa1..6edb509a 100644
|
|||||||
int r, authenticated = 0;
|
int r, authenticated = 0;
|
||||||
|
|
||||||
if ((m = sshbuf_new()) == NULL)
|
if ((m = sshbuf_new()) == NULL)
|
||||||
fatal("%s: sshbuf_new failed", __func__);
|
fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_u32(m, kex)) != 0)
|
+ if ((r = sshbuf_put_u32(m, kex)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
|
|
||||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
|
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
|
||||||
mm_request_receive_expect(pmonitor->m_recvfd,
|
mm_request_receive_expect(pmonitor->m_recvfd,
|
||||||
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
|
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
|
||||||
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
|
debug3_f("user %sauthenticated", authenticated ? "" : "not ");
|
||||||
return (authenticated);
|
return (authenticated);
|
||||||
}
|
}
|
||||||
+
|
+
|
||||||
@ -2866,16 +2852,16 @@ index 001a8fa1..6edb509a 100644
|
|||||||
+ int r;
|
+ int r;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
|
+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
|
+ if ((r = sshbuf_get_u32(m, &major)) != 0 ||
|
||||||
+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
|
+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+
|
+
|
||||||
@ -2889,7 +2875,7 @@ index 001a8fa1..6edb509a 100644
|
|||||||
+ int r, ok;
|
+ int r, ok;
|
||||||
+
|
+
|
||||||
+ if ((m = sshbuf_new()) == NULL)
|
+ if ((m = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_put_cstring(m,
|
+ if ((r = sshbuf_put_cstring(m,
|
||||||
+ store->filename ? store->filename : "")) != 0 ||
|
+ store->filename ? store->filename : "")) != 0 ||
|
||||||
@ -2897,13 +2883,13 @@ index 001a8fa1..6edb509a 100644
|
|||||||
+ store->envvar ? store->envvar : "")) != 0 ||
|
+ store->envvar ? store->envvar : "")) != 0 ||
|
||||||
+ (r = sshbuf_put_cstring(m,
|
+ (r = sshbuf_put_cstring(m,
|
||||||
+ store->envval ? store->envval : "")) != 0)
|
+ store->envval ? store->envval : "")) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
|
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
|
||||||
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
|
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
|
||||||
+
|
+
|
||||||
+ if ((r = sshbuf_get_u32(m, &ok)) != 0)
|
+ if ((r = sshbuf_get_u32(m, &ok)) != 0)
|
||||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "buffer error");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(m);
|
+ sshbuf_free(m);
|
||||||
+
|
+
|
||||||
@ -3124,7 +3110,7 @@ index 70f5f73f..191575a1 100644
|
|||||||
options->password_authentication = 1;
|
options->password_authentication = 1;
|
||||||
if (options->kbd_interactive_authentication == -1)
|
if (options->kbd_interactive_authentication == -1)
|
||||||
@@ -531,6 +543,7 @@ typedef enum {
|
@@ -531,6 +543,7 @@ typedef enum {
|
||||||
sHostKeyAlgorithms,
|
sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
|
||||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||||
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||||
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
||||||
@ -3246,7 +3232,7 @@ index 36180d07..70dd3665 100644
|
|||||||
--- a/ssh-gss.h
|
--- a/ssh-gss.h
|
||||||
+++ b/ssh-gss.h
|
+++ b/ssh-gss.h
|
||||||
@@ -1,6 +1,6 @@
|
@@ -1,6 +1,6 @@
|
||||||
/* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
|
/* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
|
||||||
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
|
||||||
@ -3332,7 +3318,7 @@ index 36180d07..70dd3665 100644
|
|||||||
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
|
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
|
||||||
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||||
void ssh_gssapi_buildmic(struct sshbuf *, const char *,
|
void ssh_gssapi_buildmic(struct sshbuf *, const char *,
|
||||||
const char *, const char *);
|
const char *, const char *, const struct sshbuf *);
|
||||||
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
|
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
|
||||||
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
|
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
|
||||||
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
|
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
|
||||||
@ -3382,7 +3368,7 @@ index 60de6087..db5c65bc 100644
|
|||||||
+.It GSSAPITrustDns
|
+.It GSSAPITrustDns
|
||||||
.It HashKnownHosts
|
.It HashKnownHosts
|
||||||
.It Host
|
.It Host
|
||||||
.It HostbasedAuthentication
|
.It HostbasedAcceptedAlgorithms
|
||||||
@@ -579,6 +585,8 @@ flag),
|
@@ -579,6 +585,8 @@ flag),
|
||||||
(supported message integrity codes),
|
(supported message integrity codes),
|
||||||
.Ar kex
|
.Ar kex
|
||||||
@ -3526,9 +3512,9 @@ index af00fb30..03bc87eb 100644
|
|||||||
+
|
+
|
||||||
xxx_host = host;
|
xxx_host = host;
|
||||||
xxx_hostaddr = hostaddr;
|
xxx_hostaddr = hostaddr;
|
||||||
|
xxx_conn_info = cinfo;
|
||||||
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
|
||||||
compat_pkalg_proposal(options.hostkeyalgorithms);
|
compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
|
||||||
}
|
}
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3588,7 +3574,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+# endif
|
+# endif
|
||||||
+#endif /* WITH_OPENSSL */
|
+#endif /* WITH_OPENSSL */
|
||||||
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
|
||||||
ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client;
|
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
|
||||||
ssh->kex->verify_host_key=&verify_host_key_callback;
|
ssh->kex->verify_host_key=&verify_host_key_callback;
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
@ -3604,7 +3590,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
|
|
||||||
/* remove ext-info from the KEX proposals for rekeying */
|
/* remove ext-info from the KEX proposals for rekeying */
|
||||||
myproposal[PROPOSAL_KEX_ALGS] =
|
myproposal[PROPOSAL_KEX_ALGS] =
|
||||||
compat_kex_proposal(options.kex_algorithms);
|
compat_kex_proposal(ssh, options.kex_algorithms);
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ /* repair myproposal after it was crumpled by the */
|
+ /* repair myproposal after it was crumpled by the */
|
||||||
+ /* ext-info removal above */
|
+ /* ext-info removal above */
|
||||||
@ -3616,7 +3602,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
|
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
|
||||||
fatal("kex_prop2buf: %s", ssh_err(r));
|
fatal_r(r, "kex_prop2buf");
|
||||||
|
|
||||||
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
|
||||||
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
|
static int input_gssapi_token(int type, u_int32_t, struct ssh *);
|
||||||
@ -3714,13 +3700,13 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if ((b = sshbuf_new()) == NULL)
|
+ if ((b = sshbuf_new()) == NULL)
|
||||||
+ fatal("%s: sshbuf_new failed", __func__);
|
+ fatal_f("sshbuf_new failed");
|
||||||
+
|
+
|
||||||
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
|
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
|
||||||
+ "gssapi-keyex");
|
+ "gssapi-keyex", ssh->kex->session_id);
|
||||||
+
|
+
|
||||||
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||||
+ fatal("%s: sshbuf_mutable_ptr failed", __func__);
|
+ fatal_f("sshbuf_mutable_ptr failed");
|
||||||
+ gssbuf.length = sshbuf_len(b);
|
+ gssbuf.length = sshbuf_len(b);
|
||||||
+
|
+
|
||||||
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
|
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
|
||||||
@ -3734,7 +3720,7 @@ index af00fb30..03bc87eb 100644
|
|||||||
+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
|
+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
|
||||||
+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
|
+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
|
||||||
+ (r = sshpkt_send(ssh)) != 0)
|
+ (r = sshpkt_send(ssh)) != 0)
|
||||||
+ fatal("%s: %s", __func__, ssh_err(r));
|
+ fatal_fr(r, "parsing");
|
||||||
+
|
+
|
||||||
+ sshbuf_free(b);
|
+ sshbuf_free(b);
|
||||||
+ gss_release_buffer(&ms, &mic);
|
+ gss_release_buffer(&ms, &mic);
|
||||||
@ -3751,11 +3737,11 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+++ b/sshd.c
|
+++ b/sshd.c
|
||||||
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
|
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
|
||||||
}
|
}
|
||||||
debug3("%s: sent %u hostkeys", __func__, nkeys);
|
debug3_f("sent %u hostkeys", nkeys);
|
||||||
if (nkeys == 0)
|
if (nkeys == 0)
|
||||||
- fatal("%s: no hostkeys", __func__);
|
- fatal_f("no hostkeys");
|
||||||
- if ((r = sshpkt_send(ssh)) != 0)
|
- if ((r = sshpkt_send(ssh)) != 0)
|
||||||
+ debug3("%s: no hostkeys", __func__);
|
+ debug3_f("no hostkeys");
|
||||||
+ else if ((r = sshpkt_send(ssh)) != 0)
|
+ else if ((r = sshpkt_send(ssh)) != 0)
|
||||||
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
sshpkt_fatal(ssh, r, "%s: send", __func__);
|
||||||
sshbuf_free(buf);
|
sshbuf_free(buf);
|
||||||
@ -3772,7 +3758,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
}
|
}
|
||||||
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
|
||||||
list_hostkey_types());
|
ssh, list_hostkey_types());
|
||||||
|
|
||||||
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||||
+ {
|
+ {
|
||||||
@ -3818,7 +3804,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+
|
+
|
||||||
/* start key exchange */
|
/* start key exchange */
|
||||||
if ((r = kex_setup(ssh, myproposal)) != 0)
|
if ((r = kex_setup(ssh, myproposal)) != 0)
|
||||||
fatal("kex_setup: %s", ssh_err(r));
|
fatal_r(r, "kex_setup");
|
||||||
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
|
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
|
||||||
# ifdef OPENSSL_HAS_ECC
|
# ifdef OPENSSL_HAS_ECC
|
||||||
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
|
||||||
@ -3837,7 +3823,7 @@ index 60b2aaf7..d92f03aa 100644
|
|||||||
+# endif
|
+# endif
|
||||||
+#endif /* WITH_OPENSSL */
|
+#endif /* WITH_OPENSSL */
|
||||||
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
kex->kex[KEX_C25519_SHA256] = kex_gen_server;
|
||||||
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
|
kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
|
||||||
kex->load_host_public_key=&get_hostkey_public_by_type;
|
kex->load_host_public_key=&get_hostkey_public_by_type;
|
||||||
diff --git a/sshd_config b/sshd_config
|
diff --git a/sshd_config b/sshd_config
|
||||||
index 19b7c91a..2c48105f 100644
|
index 19b7c91a..2c48105f 100644
|
||||||
@ -3898,9 +3884,9 @@ index 70ccea44..f6b41a2f 100644
|
|||||||
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||||
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||||
+This option only applies to connections using GSSAPI.
|
+This option only applies to connections using GSSAPI.
|
||||||
.It Cm HostbasedAcceptedKeyTypes
|
.It Cm HostbasedAcceptedAlgorithms
|
||||||
Specifies the key types that will be accepted for hostbased authentication
|
Specifies the signature algorithms that will be accepted for hostbased
|
||||||
as a list of comma-separated patterns.
|
authentication as a list of comma-separated patterns.
|
||||||
diff --git a/sshkey.c b/sshkey.c
|
diff --git a/sshkey.c b/sshkey.c
|
||||||
index 57995ee6..fd5b7724 100644
|
index 57995ee6..fd5b7724 100644
|
||||||
--- a/sshkey.c
|
--- a/sshkey.c
|
||||||
|
12
openssh-8.0p1-keygen-strip-doseol.patch
Normal file
12
openssh-8.0p1-keygen-strip-doseol.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
|
||||||
|
--- openssh-8.0p1/ssh-keygen.c.strip-doseol 2021-03-18 17:41:34.472404994 +0100
|
||||||
|
+++ openssh-8.0p1/ssh-keygen.c 2021-03-18 17:41:55.255538761 +0100
|
||||||
|
@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
|
||||||
|
while (getline(&line, &linesize, f) != -1) {
|
||||||
|
lnum++;
|
||||||
|
cp = line;
|
||||||
|
- cp[strcspn(cp, "\n")] = '\0';
|
||||||
|
+ cp[strcspn(cp, "\r\n")] = '\0';
|
||||||
|
/* Trim leading space and comments */
|
||||||
|
cp = line + strspn(line, " \t");
|
||||||
|
if (*cp == '#' || *cp == '\0')
|
@ -96,7 +96,7 @@ index b6f041f4..1fbce2bb 100644
|
|||||||
+ goto out;
|
+ goto out;
|
||||||
+ }
|
+ }
|
||||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||||
+ kex->session_id, kex->session_id_len);
|
+ sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
|
||||||
+ if (r != 1) {
|
+ if (r != 1) {
|
||||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||||
+ goto out;
|
+ goto out;
|
||||||
|
File diff suppressed because it is too large
Load Diff
44
openssh-8.0p1-preserve-pam-errors.patch
Normal file
44
openssh-8.0p1-preserve-pam-errors.patch
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
|
||||||
|
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
|
||||||
|
+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
|
||||||
|
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
|
||||||
|
goto auth_fail;
|
||||||
|
|
||||||
|
if (!do_pam_account()) {
|
||||||
|
- sshpam_err = PAM_ACCT_EXPIRED;
|
||||||
|
+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
|
||||||
|
+ * Backward compatibility for other errors. */
|
||||||
|
+ if (sshpam_err != PAM_PERM_DENIED
|
||||||
|
+ && sshpam_err != PAM_USER_UNKNOWN)
|
||||||
|
+ sshpam_err = PAM_ACCT_EXPIRED;
|
||||||
|
goto auth_fail;
|
||||||
|
}
|
||||||
|
if (sshpam_authctxt->force_pwchange) {
|
||||||
|
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
|
||||||
|
pam_strerror(sshpam_handle, sshpam_err))) != 0)
|
||||||
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||||
|
/* XXX - can't do much about an error here */
|
||||||
|
- if (sshpam_err == PAM_ACCT_EXPIRED)
|
||||||
|
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
|
||||||
|
+ if (sshpam_err == PAM_PERM_DENIED
|
||||||
|
+ || sshpam_err == PAM_USER_UNKNOWN
|
||||||
|
+ || sshpam_err == PAM_ACCT_EXPIRED)
|
||||||
|
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
|
||||||
|
else if (sshpam_maxtries_reached)
|
||||||
|
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
|
||||||
|
else
|
||||||
|
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
|
||||||
|
plen++;
|
||||||
|
free(msg);
|
||||||
|
break;
|
||||||
|
+ case PAM_USER_UNKNOWN:
|
||||||
|
+ case PAM_PERM_DENIED:
|
||||||
|
case PAM_ACCT_EXPIRED:
|
||||||
|
+ sshpam_account_status = 0;
|
||||||
|
+ /* FALLTHROUGH */
|
||||||
|
case PAM_MAXTRIES:
|
||||||
|
- if (type == PAM_ACCT_EXPIRED)
|
||||||
|
- sshpam_account_status = 0;
|
||||||
|
if (type == PAM_MAXTRIES)
|
||||||
|
sshpam_set_maxtries_reached(1);
|
||||||
|
/* FALLTHROUGH */
|
@ -7,8 +7,8 @@ diff --git a/channels.c b/channels.c
|
|||||||
if (x11_use_localhost)
|
if (x11_use_localhost)
|
||||||
set_reuseaddr(sock);
|
set_reuseaddr(sock);
|
||||||
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||||
debug2("%s: bind port %d: %.100s", __func__,
|
debug2_f("bind port %d: %.100s", port,
|
||||||
port, strerror(errno));
|
strerror(errno));
|
||||||
close(sock);
|
close(sock);
|
||||||
+
|
+
|
||||||
+ /* do not remove successfully opened
|
+ /* do not remove successfully opened
|
||||||
|
@ -37,8 +37,8 @@
|
|||||||
+ * SHA2 signature types.
|
+ * SHA2 signature types.
|
||||||
+ */
|
+ */
|
||||||
+ if (alg == NULL &&
|
+ if (alg == NULL &&
|
||||||
+ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
|
+ (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) {
|
||||||
+ oallowed = allowed = xstrdup(options.pubkey_key_types);
|
+ oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
|
||||||
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
||||||
+ if (sshkey_type_from_name(cp) != key->type)
|
+ if (sshkey_type_from_name(cp) != key->type)
|
||||||
+ continue;
|
+ continue;
|
||||||
|
@ -1,14 +0,0 @@
|
|||||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
||||||
index e0768c06..5065ae7e 100644
|
|
||||||
--- a/sandbox-seccomp-filter.c
|
|
||||||
+++ b/sandbox-seccomp-filter.c
|
|
||||||
@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
||||||
#ifdef __NR_pselect6
|
|
||||||
SC_ALLOW(__NR_pselect6),
|
|
||||||
#endif
|
|
||||||
+#ifdef __NR_pselect6_time64
|
|
||||||
+ SC_ALLOW(__NR_pselect6_time64),
|
|
||||||
+#endif
|
|
||||||
#ifdef __NR_read
|
|
||||||
SC_ALLOW(__NR_read),
|
|
||||||
#endif
|
|
@ -1,130 +0,0 @@
|
|||||||
From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Oleg <Fallmay@users.noreply.github.com>
|
|
||||||
Date: Thu, 1 Oct 2020 12:09:08 +0300
|
|
||||||
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
|
|
||||||
|
|
||||||
---
|
|
||||||
contrib/ssh-copy-id | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index 392f64f94..a76907717 100644
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -247,7 +247,7 @@ installkeys_sh() {
|
|
||||||
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
|
|
||||||
# the cat adds the keys we're getting via STDIN
|
|
||||||
# and if available restorecon is used to restore the SELinux context
|
|
||||||
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
|
|
||||||
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
|
||||||
cd;
|
|
||||||
umask 077;
|
|
||||||
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
|
||||||
@@ -258,6 +258,7 @@ installkeys_sh() {
|
|
||||||
restorecon -F .ssh ${AUTH_KEY_FILE};
|
|
||||||
fi
|
|
||||||
EOF
|
|
||||||
+ )
|
|
||||||
|
|
||||||
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
|
|
||||||
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
|
|
||||||
|
|
||||||
From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
|
|
||||||
From: Philip Hands <phil@hands.com>
|
|
||||||
Date: Sat, 3 Oct 2020 00:20:07 +0200
|
|
||||||
Subject: [PATCH] un-nest $() to make ksh cheerful
|
|
||||||
|
|
||||||
---
|
|
||||||
ssh-copy-id | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Philip Hands <phil@hands.com>
|
|
||||||
Date: Fri, 2 Oct 2020 21:30:10 +0200
|
|
||||||
Subject: [PATCH] ksh doesn't grok 'local'
|
|
||||||
|
|
||||||
and AFAICT it's not actually doing anything useful in the code, so let's
|
|
||||||
see how things go without it.
|
|
||||||
---
|
|
||||||
ssh-copy-id | 11 +++++------
|
|
||||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index a769077..11c9463 100755
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -76,7 +76,7 @@ quote() {
|
|
||||||
}
|
|
||||||
|
|
||||||
use_id_file() {
|
|
||||||
- local L_ID_FILE="$1"
|
|
||||||
+ L_ID_FILE="$1"
|
|
||||||
|
|
||||||
if [ -z "$L_ID_FILE" ] ; then
|
|
||||||
printf '%s: ERROR: no ID file found\n' "$0"
|
|
||||||
@@ -94,7 +94,7 @@ use_id_file() {
|
|
||||||
# check that the files are readable
|
|
||||||
for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
|
|
||||||
ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
|
|
||||||
- local L_PRIVMSG=""
|
|
||||||
+ L_PRIVMSG=""
|
|
||||||
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
|
|
||||||
printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
|
|
||||||
exit 1
|
|
||||||
@@ -169,7 +169,7 @@ fi
|
|
||||||
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
|
|
||||||
# and has the side effect of setting $NEW_IDS
|
|
||||||
populate_new_ids() {
|
|
||||||
- local L_SUCCESS="$1"
|
|
||||||
+ L_SUCCESS="$1"
|
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
|
||||||
if [ "$FORCED" ] ; then
|
|
||||||
@@ -181,13 +181,12 @@ populate_new_ids() {
|
|
||||||
eval set -- "$SSH_OPTS"
|
|
||||||
|
|
||||||
umask 0177
|
|
||||||
- local L_TMP_ID_FILE
|
|
||||||
L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
|
|
||||||
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
|
|
||||||
printf '%s: ERROR: mktemp failed\n' "$0" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
- local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
|
||||||
+ L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
|
||||||
# shellcheck disable=SC2064
|
|
||||||
trap "$L_CLEANUP" EXIT TERM INT QUIT
|
|
||||||
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
|
|
||||||
@@ -237,7 +236,7 @@ populate_new_ids() {
|
|
||||||
# produce a one-liner to add the keys to remote authorized_keys file
|
|
||||||
# optionally takes an alternative path for authorized_keys
|
|
||||||
installkeys_sh() {
|
|
||||||
- local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
|
||||||
+ AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
|
||||||
|
|
||||||
# In setting INSTALLKEYS_SH:
|
|
||||||
# the tr puts it all on one line (to placate tcsh)
|
|
||||||
--
|
|
||||||
|
|
||||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
|
||||||
index 11c9463..ee3f637 100755
|
|
||||||
--- a/contrib/ssh-copy-id
|
|
||||||
+++ b/contrib/ssh-copy-id
|
|
||||||
@@ -237,6 +237,7 @@ populate_new_ids() {
|
|
||||||
# optionally takes an alternative path for authorized_keys
|
|
||||||
installkeys_sh() {
|
|
||||||
AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
|
||||||
+ AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
|
|
||||||
|
|
||||||
# In setting INSTALLKEYS_SH:
|
|
||||||
# the tr puts it all on one line (to placate tcsh)
|
|
||||||
@@ -249,7 +250,7 @@ installkeys_sh() {
|
|
||||||
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
|
||||||
cd;
|
|
||||||
umask 077;
|
|
||||||
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
|
||||||
+ mkdir -p "${AUTH_KEY_DIR}" &&
|
|
||||||
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
|
||||||
cat >> ${AUTH_KEY_FILE} ||
|
|
||||||
exit 1;
|
|
||||||
--
|
|
@ -13,9 +13,8 @@ addFilter(r'openssh-(askpass|cavs).x86_64: W: no-documentation')
|
|||||||
# sshd config and sysconfig is not supposed to be world readable
|
# sshd config and sysconfig is not supposed to be world readable
|
||||||
addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)')
|
addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)')
|
||||||
|
|
||||||
# The /var/empty/sshd is supposed to have the given permissions
|
# /usr/share/empty.sshd is required to have the given permissions
|
||||||
addFilter(r'non-standard-dir-perm /var/empty/sshd 711')
|
addFilter(r'non-standard-dir-perm /usr/share/empty.sshd 711')
|
||||||
addFilter(r'non-standard-dir-in-var empty')
|
|
||||||
|
|
||||||
# Spelling false-positives
|
# Spelling false-positives
|
||||||
addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ')
|
addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ')
|
||||||
|
90
openssh.spec
90
openssh.spec
@ -50,10 +50,10 @@
|
|||||||
%{?static_openssl:%global static_libcrypto 1}
|
%{?static_openssl:%global static_libcrypto 1}
|
||||||
|
|
||||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||||
%global openssh_ver 8.4p1
|
%global openssh_ver 8.6p1
|
||||||
%global openssh_rel 4
|
%global openssh_rel 1
|
||||||
%global pam_ssh_agent_ver 0.10.4
|
%global pam_ssh_agent_ver 0.10.4
|
||||||
%global pam_ssh_agent_rel 1
|
%global pam_ssh_agent_rel 3
|
||||||
|
|
||||||
Summary: An open source implementation of SSH protocol version 2
|
Summary: An open source implementation of SSH protocol version 2
|
||||||
Name: openssh
|
Name: openssh
|
||||||
@ -64,7 +64,7 @@ URL: http://www.openssh.com/portable.html
|
|||||||
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
|
||||||
Source2: sshd.pam
|
Source2: sshd.pam
|
||||||
Source3: DJM-GPG-KEY.gpg
|
Source3: gpgkey-736060BA.gpg
|
||||||
Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
|
Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
|
||||||
Source5: pam_ssh_agent-rmheaders
|
Source5: pam_ssh_agent-rmheaders
|
||||||
Source6: ssh-keycat.pam
|
Source6: ssh-keycat.pam
|
||||||
@ -74,8 +74,8 @@ Source10: sshd.socket
|
|||||||
Source11: sshd.service
|
Source11: sshd.service
|
||||||
Source12: sshd-keygen@.service
|
Source12: sshd-keygen@.service
|
||||||
Source13: sshd-keygen
|
Source13: sshd-keygen
|
||||||
Source14: sshd.tmpfiles
|
|
||||||
Source15: sshd-keygen.target
|
Source15: sshd-keygen.target
|
||||||
|
Source16: ssh-agent.service
|
||||||
|
|
||||||
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581
|
||||||
Patch100: openssh-6.7p1-coverity.patch
|
Patch100: openssh-6.7p1-coverity.patch
|
||||||
@ -133,10 +133,6 @@ Patch707: openssh-7.7p1-redhat.patch
|
|||||||
Patch711: openssh-7.8p1-UsePAM-warning.patch
|
Patch711: openssh-7.8p1-UsePAM-warning.patch
|
||||||
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
|
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
|
||||||
Patch712: openssh-6.3p1-ctr-evp-fast.patch
|
Patch712: openssh-6.3p1-ctr-evp-fast.patch
|
||||||
# add cavs test binary for the aes-ctr
|
|
||||||
Patch713: openssh-6.6p1-ctr-cavstest.patch
|
|
||||||
# add SSH KDF CAVS test driver
|
|
||||||
Patch714: openssh-6.7p1-kdf-cavs.patch
|
|
||||||
|
|
||||||
# GSSAPI Key Exchange (RFC 4462 + RFC 8732)
|
# GSSAPI Key Exchange (RFC 4462 + RFC 8732)
|
||||||
# from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
|
# from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
|
||||||
@ -183,9 +179,6 @@ Patch950: openssh-7.5p1-sandbox.patch
|
|||||||
Patch951: openssh-8.0p1-pkcs11-uri.patch
|
Patch951: openssh-8.0p1-pkcs11-uri.patch
|
||||||
# Unbreak scp between two IPv6 hosts (#1620333)
|
# Unbreak scp between two IPv6 hosts (#1620333)
|
||||||
Patch953: openssh-7.8p1-scp-ipv6.patch
|
Patch953: openssh-7.8p1-scp-ipv6.patch
|
||||||
# ssh-copy-id is unmaintained: Aggreagete patches
|
|
||||||
# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
|
|
||||||
Patch958: openssh-7.9p1-ssh-copy-id.patch
|
|
||||||
# Mention crypto-policies in manual pages (#1668325)
|
# Mention crypto-policies in manual pages (#1668325)
|
||||||
Patch962: openssh-8.0p1-crypto-policies.patch
|
Patch962: openssh-8.0p1-crypto-policies.patch
|
||||||
# Use OpenSSL high-level API to produce and verify signatures (#1707485)
|
# Use OpenSSL high-level API to produce and verify signatures (#1707485)
|
||||||
@ -196,11 +189,12 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
|
|||||||
Patch965: openssh-8.2p1-visibility.patch
|
Patch965: openssh-8.2p1-visibility.patch
|
||||||
# Do not break X11 without IPv6
|
# Do not break X11 without IPv6
|
||||||
Patch966: openssh-8.2p1-x11-without-ipv6.patch
|
Patch966: openssh-8.2p1-x11-without-ipv6.patch
|
||||||
Patch967: openssh-8.4p1-ssh-copy-id.patch
|
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
|
|
||||||
Patch968: openssh-8.4p1-sandbox-seccomp.patch
|
|
||||||
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
|
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213
|
||||||
Patch969: openssh-8.4p1-debian-compat.patch
|
Patch969: openssh-8.4p1-debian-compat.patch
|
||||||
|
# ssh-keygen printing fingerprint issue with Windows keys (#1901518)
|
||||||
|
Patch974: openssh-8.0p1-keygen-strip-doseol.patch
|
||||||
|
# sshd provides PAM an incorrect error code (#1879503)
|
||||||
|
Patch975: openssh-8.0p1-preserve-pam-errors.patch
|
||||||
|
|
||||||
License: BSD
|
License: BSD
|
||||||
Requires: /sbin/nologin
|
Requires: /sbin/nologin
|
||||||
@ -221,11 +215,13 @@ BuildRequires: pam-devel
|
|||||||
BuildRequires: openssl-devel >= 0.9.8j
|
BuildRequires: openssl-devel >= 0.9.8j
|
||||||
BuildRequires: perl-podlators
|
BuildRequires: perl-podlators
|
||||||
BuildRequires: systemd-devel
|
BuildRequires: systemd-devel
|
||||||
|
BuildRequires: systemd-rpm-macros
|
||||||
BuildRequires: gcc make
|
BuildRequires: gcc make
|
||||||
BuildRequires: p11-kit-devel
|
BuildRequires: p11-kit-devel
|
||||||
BuildRequires: libfido2-devel
|
BuildRequires: libfido2-devel
|
||||||
Recommends: p11-kit
|
Recommends: p11-kit
|
||||||
Obsoletes: openssh-ldap < 8.3p1-4
|
Obsoletes: openssh-ldap < 8.3p1-4
|
||||||
|
Obsoletes: openssh-cavs < 8.4p1-5
|
||||||
|
|
||||||
%if %{kerberos5}
|
%if %{kerberos5}
|
||||||
BuildRequires: krb5-devel
|
BuildRequires: krb5-devel
|
||||||
@ -267,14 +263,10 @@ Requires: openssh = %{version}-%{release}
|
|||||||
Summary: A passphrase dialog for OpenSSH and X
|
Summary: A passphrase dialog for OpenSSH and X
|
||||||
Requires: openssh = %{version}-%{release}
|
Requires: openssh = %{version}-%{release}
|
||||||
|
|
||||||
%package cavs
|
|
||||||
Summary: CAVS tests for FIPS validation
|
|
||||||
Requires: openssh = %{version}-%{release}
|
|
||||||
|
|
||||||
%package -n pam_ssh_agent_auth
|
%package -n pam_ssh_agent_auth
|
||||||
Summary: PAM module for authentication with ssh-agent
|
Summary: PAM module for authentication with ssh-agent
|
||||||
Version: %{pam_ssh_agent_ver}
|
Version: %{pam_ssh_agent_ver}
|
||||||
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2
|
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -311,10 +303,6 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
|||||||
into and executing commands on a remote machine. This package contains
|
into and executing commands on a remote machine. This package contains
|
||||||
an X11 passphrase dialog for OpenSSH.
|
an X11 passphrase dialog for OpenSSH.
|
||||||
|
|
||||||
%description cavs
|
|
||||||
This package contains test binaries and scripts to make FIPS validation
|
|
||||||
easier. Now contains CTR and KDF CAVS test driver.
|
|
||||||
|
|
||||||
%description -n pam_ssh_agent_auth
|
%description -n pam_ssh_agent_auth
|
||||||
This package contains a PAM module which can be used to authenticate
|
This package contains a PAM module which can be used to authenticate
|
||||||
users using ssh keys stored in a ssh-agent. Through the use of the
|
users using ssh keys stored in a ssh-agent. Through the use of the
|
||||||
@ -355,8 +343,6 @@ popd
|
|||||||
%patch707 -p1 -b .redhat
|
%patch707 -p1 -b .redhat
|
||||||
%patch711 -p1 -b .log-usepam-no
|
%patch711 -p1 -b .log-usepam-no
|
||||||
%patch712 -p1 -b .evp-ctr
|
%patch712 -p1 -b .evp-ctr
|
||||||
%patch713 -p1 -b .ctr-cavs
|
|
||||||
%patch714 -p1 -b .kdf-cavs
|
|
||||||
#
|
#
|
||||||
%patch800 -p1 -b .gsskex
|
%patch800 -p1 -b .gsskex
|
||||||
%patch801 -p1 -b .force_krb
|
%patch801 -p1 -b .force_krb
|
||||||
@ -378,15 +364,14 @@ popd
|
|||||||
%patch950 -p1 -b .sandbox
|
%patch950 -p1 -b .sandbox
|
||||||
%patch951 -p1 -b .pkcs11-uri
|
%patch951 -p1 -b .pkcs11-uri
|
||||||
%patch953 -p1 -b .scp-ipv6
|
%patch953 -p1 -b .scp-ipv6
|
||||||
%patch958 -p1 -b .ssh-copy-id
|
|
||||||
%patch962 -p1 -b .crypto-policies
|
%patch962 -p1 -b .crypto-policies
|
||||||
%patch963 -p1 -b .openssl-evp
|
%patch963 -p1 -b .openssl-evp
|
||||||
%patch964 -p1 -b .openssl-kdf
|
%patch964 -p1 -b .openssl-kdf
|
||||||
%patch965 -p1 -b .visibility
|
%patch965 -p1 -b .visibility
|
||||||
%patch966 -p1 -b .x11-ipv6
|
%patch966 -p1 -b .x11-ipv6
|
||||||
%patch967 -p1 -b .ssh-copy-id
|
|
||||||
%patch968 -p1 -b .seccomp
|
|
||||||
%patch969 -p0 -b .debian
|
%patch969 -p0 -b .debian
|
||||||
|
%patch974 -p1 -b .keygen-strip-doseol
|
||||||
|
%patch975 -p1 -b .preserve-pam-errors
|
||||||
|
|
||||||
%patch200 -p1 -b .audit
|
%patch200 -p1 -b .audit
|
||||||
%patch201 -p1 -b .audit-race
|
%patch201 -p1 -b .audit-race
|
||||||
@ -438,7 +423,7 @@ fi
|
|||||||
--datadir=%{_datadir}/openssh \
|
--datadir=%{_datadir}/openssh \
|
||||||
--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
|
--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
|
||||||
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
|
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
|
||||||
--with-privsep-path=%{_var}/empty/sshd \
|
--with-privsep-path=%{_datadir}/empty.sshd \
|
||||||
--disable-strip \
|
--disable-strip \
|
||||||
--without-zlib-version-check \
|
--without-zlib-version-check \
|
||||||
--with-ssl-engine \
|
--with-ssl-engine \
|
||||||
@ -515,7 +500,6 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
|
|||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||||
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
|
|
||||||
%make_install
|
%make_install
|
||||||
|
|
||||||
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
||||||
@ -532,10 +516,12 @@ install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
|
|||||||
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
|
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
|
||||||
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
|
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
|
||||||
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
|
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
|
||||||
|
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
|
||||||
|
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
|
||||||
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
|
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
|
||||||
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
|
||||||
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
|
||||||
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
|
install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
|
||||||
|
|
||||||
%if ! %{no_gnome_askpass}
|
%if ! %{no_gnome_askpass}
|
||||||
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||||
@ -566,7 +552,7 @@ getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
|
|||||||
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
|
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
|
||||||
getent passwd sshd >/dev/null || \
|
getent passwd sshd >/dev/null || \
|
||||||
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
|
||||||
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
|
-s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
|
||||||
|
|
||||||
%post server
|
%post server
|
||||||
%systemd_post sshd.service sshd.socket
|
%systemd_post sshd.service sshd.socket
|
||||||
@ -588,6 +574,12 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%postun server
|
%postun server
|
||||||
%systemd_postun_with_restart sshd.service
|
%systemd_postun_with_restart sshd.service
|
||||||
|
|
||||||
|
%post clients
|
||||||
|
%systemd_user_post ssh-agent.service
|
||||||
|
|
||||||
|
%preun clients
|
||||||
|
%systemd_user_preun ssh-agent.service
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license LICENCE
|
%license LICENCE
|
||||||
%doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
|
%doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
|
||||||
@ -622,9 +614,10 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||||
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
|
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
|
||||||
|
%attr(0644,root,root) %{_userunitdir}/ssh-agent.service
|
||||||
|
|
||||||
%files server
|
%files server
|
||||||
%dir %attr(0711,root,root) %{_var}/empty/sshd
|
%dir %attr(0711,root,root) %{_datadir}/empty.sshd
|
||||||
%attr(0755,root,root) %{_sbindir}/sshd
|
%attr(0755,root,root) %{_sbindir}/sshd
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
|
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
|
||||||
@ -642,7 +635,6 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
%attr(0644,root,root) %{_unitdir}/sshd.socket
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
|
||||||
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
|
||||||
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
|
|
||||||
|
|
||||||
%files keycat
|
%files keycat
|
||||||
%doc HOWTO.ssh-keycat
|
%doc HOWTO.ssh-keycat
|
||||||
@ -656,11 +648,6 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
|
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%files cavs
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
|
|
||||||
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
|
|
||||||
|
|
||||||
%if %{pam_ssh_agent}
|
%if %{pam_ssh_agent}
|
||||||
%files -n pam_ssh_agent_auth
|
%files -n pam_ssh_agent_auth
|
||||||
%license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
|
%license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
|
||||||
@ -669,6 +656,29 @@ test -f %{sysconfig_anaconda} && \
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 19 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-1 + 0.10.4-3
|
||||||
|
- New upstream release (#1950819)
|
||||||
|
- ssh-keygen printing fingerprint issue with Windows keys (#1901518)
|
||||||
|
- sshd provides PAM an incorrect error code (#1879503)
|
||||||
|
|
||||||
|
* Tue Mar 09 2021 Rex Dieter <rdieter@fedoraproject.org> - 8.5p1-2
|
||||||
|
- ssh-agent.serivce is user unit (#1761817#27)
|
||||||
|
|
||||||
|
* Wed Mar 03 2021 Jakub Jelen <jjelen@redhat.com> - 8.5p1-1 + 0.10.4-2
|
||||||
|
- New upstream release (#1934336)
|
||||||
|
|
||||||
|
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8.4p1-5.2
|
||||||
|
- Rebuilt for updated systemd-rpm-macros
|
||||||
|
See https://pagure.io/fesco/issue/2583.
|
||||||
|
|
||||||
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 8.4p1-5.1
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
* Fri Jan 22 2021 Jakub Jelen <jjelen@redhat.com> - 8.4p1-5 + 0.10.4-1
|
||||||
|
- Use /usr/share/empty.sshd instead of /var/empty/sshd
|
||||||
|
- Allow emptu labels in PKCS#11 tokens (#1919007)
|
||||||
|
- Drop openssh-cavs subpackage
|
||||||
|
|
||||||
* Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1
|
* Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1
|
||||||
- Remove "PasswordAuthentication yes" from vendor configuration as it is
|
- Remove "PasswordAuthentication yes" from vendor configuration as it is
|
||||||
already default and it might be hard to override.
|
already default and it might be hard to override.
|
||||||
|
6
sources
6
sources
@ -1,4 +1,4 @@
|
|||||||
SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
|
SHA512 (openssh-8.6p1.tar.gz) = 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
|
||||||
SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
|
SHA512 (openssh-8.6p1.tar.gz.asc) = ea75d7fe350fd1761ee5490b222249e9b8915b2a02a1d41979195f15d239def387e4c6467362ab9515d517087750fa66bc368f5baa15c325502f725172631967
|
||||||
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
|
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
|
||||||
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21
|
||||||
|
14
ssh-agent.service
Normal file
14
ssh-agent.service
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
# Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
|
||||||
|
# set in environment, handled for example in plasma via
|
||||||
|
# /etc/xdg/plasma-workspace/env/ssh-agent.sh
|
||||||
|
[Unit]
|
||||||
|
ConditionEnvironment=!SSH_AGENT_PID
|
||||||
|
Description=OpenSSH key agent
|
||||||
|
Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
|
||||||
|
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
|
||||||
|
PassEnvironment=SSH_AGENT_PID
|
||||||
|
SuccessExitStatus=2
|
||||||
|
Type=forking
|
@ -1 +0,0 @@
|
|||||||
d /var/empty/sshd 711 root root -
|
|
Loading…
Reference in New Issue
Block a user