Compare commits
8 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
e7932f4770 | ||
|
5f3ebc826d | ||
|
986af88658 | ||
|
5d464e8b62 | ||
|
2762c74636 | ||
|
920d3a7915 | ||
|
cb306d6a7c | ||
|
669db41533 |
23
.gitignore
vendored
23
.gitignore
vendored
@ -22,26 +22,3 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
|
||||
/pam_ssh_agent_auth-0.10.2.tar.bz2
|
||||
/openssh-7.2p1.tar.gz
|
||||
/openssh-7.2p2.tar.gz
|
||||
/openssh-7.3p1.tar.gz
|
||||
/openssh-7.4p1.tar.gz
|
||||
/pam_ssh_agent_auth-0.10.3.tar.bz2
|
||||
/openssh-7.5p1.tar.gz
|
||||
/openssh-7.6p1.tar.gz
|
||||
/openssh-7.7p1.tar.gz
|
||||
/openssh-7.7p1.tar.gz.asc
|
||||
/DJM-GPG-KEY.gpg
|
||||
/openssh-7.8p1.tar.gz
|
||||
/openssh-7.8p1.tar.gz.asc
|
||||
/openssh-7.9p1.tar.gz
|
||||
/openssh-7.9p1.tar.gz.asc
|
||||
/openssh-8.0p1.tar.gz
|
||||
/openssh-8.0p1.tar.gz.asc
|
||||
/openssh-8.1p1.tar.gz
|
||||
/openssh-8.1p1.tar.gz.asc
|
||||
/openssh-8.2p1.tar.gz
|
||||
/openssh-8.2p1.tar.gz.asc
|
||||
/openssh-8.3p1.tar.gz
|
||||
/openssh-8.3p1.tar.gz.asc
|
||||
/openssh-8.4p1.tar.gz
|
||||
/openssh-8.4p1.tar.gz.asc
|
||||
/pam_ssh_agent_auth-0.10.4.tar.gz
|
||||
|
@ -1,8 +1,7 @@
|
||||
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100
|
||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100
|
||||
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi
|
||||
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
|
||||
--- openssh-4.3p2/contrib/gnome-ssh-askpass2.c.grab-info 2006-07-17 15:10:11.000000000 +0200
|
||||
+++ openssh-4.3p2/contrib/gnome-ssh-askpass2.c 2006-07-17 15:25:04.000000000 +0200
|
||||
@@ -65,9 +65,12 @@
|
||||
err = gtk_message_dialog_new(NULL, 0,
|
||||
GTK_MESSAGE_ERROR,
|
||||
GTK_BUTTONS_CLOSE,
|
||||
- "Could not grab %s. "
|
||||
@ -15,5 +14,5 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/cont
|
||||
+ "Either close the application which grabs the %s or "
|
||||
+ "log out and log in again to prevent this from happening.", what, what);
|
||||
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
||||
|
||||
gtk_dialog_run(GTK_DIALOG(err));
|
||||
gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
|
||||
TRUE);
|
||||
|
@ -1,16 +1,16 @@
|
||||
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contrib/gnome-ssh-askpass2.c
|
||||
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100
|
||||
diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c
|
||||
--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress 2008-07-23 19:05:26.000000000 +0200
|
||||
+++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c 2008-07-23 19:05:26.000000000 +0200
|
||||
@@ -53,6 +53,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <X11/Xlib.h>
|
||||
+#include <glib.h>
|
||||
#include <gtk/gtk.h>
|
||||
#include <gdk/gdkx.h>
|
||||
#include <gdk/gdkkeysyms.h>
|
||||
@@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||
return 1;
|
||||
|
||||
@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
|
||||
gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
}
|
||||
|
||||
+static void
|
||||
@ -25,59 +25,55 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr
|
||||
+}
|
||||
+
|
||||
static int
|
||||
passphrase_dialog(char *message, int prompt_type)
|
||||
passphrase_dialog(char *message)
|
||||
{
|
||||
const char *failed;
|
||||
char *passphrase, *local;
|
||||
int result, grab_tries, grab_server, grab_pointer;
|
||||
int buttons, default_response;
|
||||
- GtkWidget *parent_window, *dialog, *entry;
|
||||
+ GtkWidget *parent_window, *dialog, *entry, *progress, *hbox;
|
||||
- GtkWidget *dialog, *entry;
|
||||
+ GtkWidget *dialog, *entry, *progress, *hbox;
|
||||
GdkGrabStatus status;
|
||||
GdkColor fg, bg;
|
||||
int fg_set = 0, bg_set = 0;
|
||||
@@ -104,14 +116,19 @@ passphrase_dialog(char *message)
|
||||
gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
|
||||
|
||||
if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
|
||||
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||
@@ -102,13 +114,31 @@ passphrase_dialog(char *message)
|
||||
"%s",
|
||||
message);
|
||||
|
||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
||||
+ FALSE, 0);
|
||||
+ gtk_widget_show(hbox);
|
||||
+
|
||||
entry = gtk_entry_new();
|
||||
if (fg_set)
|
||||
gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
|
||||
if (bg_set)
|
||||
gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
|
||||
gtk_box_pack_start(
|
||||
- GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
|
||||
- entry, FALSE, FALSE, 0);
|
||||
+ GTK_BOX(hbox), entry, TRUE, FALSE, 0);
|
||||
- gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
|
||||
+ gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE,
|
||||
FALSE, 0);
|
||||
+ gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
|
||||
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||
gtk_widget_grab_focus(entry);
|
||||
if (prompt_type == PROMPT_ENTRY) {
|
||||
@@ -130,6 +145,22 @@ passphrase_dialog(char *message)
|
||||
g_signal_connect(G_OBJECT(entry), "key_press_event",
|
||||
G_CALLBACK(check_none), dialog);
|
||||
}
|
||||
+
|
||||
gtk_widget_show(entry);
|
||||
|
||||
+ hbox = gtk_hbox_new(FALSE, 0);
|
||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox),
|
||||
+ hbox, FALSE, FALSE, 8);
|
||||
+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
|
||||
+ FALSE, 8);
|
||||
+ gtk_widget_show(hbox);
|
||||
+
|
||||
+ progress = gtk_progress_bar_new();
|
||||
+
|
||||
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress),
|
||||
+ "Passphrase length hidden intentionally");
|
||||
+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
|
||||
+ gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
|
||||
+ TRUE, 5);
|
||||
+ gtk_widget_show(progress);
|
||||
+
|
||||
gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
|
||||
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
||||
@@ -119,6 +149,8 @@ passphrase_dialog(char *message)
|
||||
gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
|
||||
g_signal_connect(G_OBJECT(entry), "activate",
|
||||
G_CALLBACK(ok_dialog), dialog);
|
||||
+ g_signal_connect(G_OBJECT(entry), "changed",
|
||||
+ G_CALLBACK(move_progress), progress);
|
||||
+
|
||||
}
|
||||
|
||||
/* Grab focus */
|
||||
gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
||||
--- openssh-7.2p2/channels.c.x11 2016-03-09 19:04:48.000000000 +0100
|
||||
+++ openssh-7.2p2/channels.c 2016-06-03 10:42:04.775164520 +0200
|
||||
@@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
|
||||
diff -up openssh-5.3p1/channels.c.bz595935 openssh-5.3p1/channels.c
|
||||
--- openssh-5.3p1/channels.c.bz595935 2010-08-12 14:19:28.000000000 +0200
|
||||
+++ openssh-5.3p1/channels.c 2010-08-12 14:33:51.000000000 +0200
|
||||
@@ -3185,7 +3185,7 @@ x11_create_display_inet(int x11_display_
|
||||
}
|
||||
|
||||
static int
|
||||
@ -10,16 +10,14 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
||||
{
|
||||
int sock;
|
||||
struct sockaddr_un addr;
|
||||
|
||||
+ if (len <= 0)
|
||||
+ return -1;
|
||||
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
if (sock == -1)
|
||||
@@ -3195,11 +3195,14 @@ connect_local_xsocket_path(const char *p
|
||||
error("socket: %.100s", strerror(errno));
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
addr.sun_family = AF_UNIX;
|
||||
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
|
||||
- if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
|
||||
+ if (len <= 0)
|
||||
+ return -1;
|
||||
+ if (len > sizeof addr.sun_path)
|
||||
+ len = sizeof addr.sun_path;
|
||||
+ memcpy(addr.sun_path, pathname, len);
|
||||
@ -30,7 +28,7 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -4012,8 +4015,18 @@ static int
|
||||
@@ -3207,8 +3210,18 @@ static int
|
||||
connect_local_xsocket(u_int dnr)
|
||||
{
|
||||
char buf[1024];
|
||||
@ -50,4 +48,4 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
#ifdef __APPLE__
|
||||
int
|
24
openssh-5.8p1-getaddrinfo.patch
Normal file
24
openssh-5.8p1-getaddrinfo.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff -up openssh-5.6p1/channels.c.getaddrinfo openssh-5.6p1/channels.c
|
||||
--- openssh-5.6p1/channels.c.getaddrinfo 2012-02-14 16:12:54.427852524 +0100
|
||||
+++ openssh-5.6p1/channels.c 2012-02-14 16:13:22.818928690 +0100
|
||||
@@ -3275,6 +3275,9 @@ x11_create_display_inet(int x11_display_
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = IPv4or6;
|
||||
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
|
||||
+#ifdef AI_ADDRCONFIG
|
||||
+ hints.ai_flags |= AI_ADDRCONFIG;
|
||||
+#endif
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
snprintf(strport, sizeof strport, "%d", port);
|
||||
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
|
||||
diff -up openssh-5.6p1/sshconnect.c.getaddrinfo openssh-5.6p1/sshconnect.c
|
||||
--- openssh-5.6p1/sshconnect.c.getaddrinfo 2012-02-14 16:09:25.057964291 +0100
|
||||
+++ openssh-5.6p1/sshconnect.c 2012-02-14 16:09:25.106047007 +0100
|
||||
@@ -343,6 +343,7 @@ ssh_connect(const char *host, struct soc
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = family;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
+ hints.ai_flags = AI_V4MAPPED | AI_ADDRCONFIG;
|
||||
snprintf(strport, sizeof strport, "%u", port);
|
||||
if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
|
||||
fatal("%s: Could not resolve hostname %.100s: %s", __progname,
|
12
openssh-5.8p1-packet.patch
Normal file
12
openssh-5.8p1-packet.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
|
||||
--- openssh-6.8p1/packet.c.packet 2015-03-18 10:56:32.286930601 +0100
|
||||
+++ openssh-6.8p1/packet.c 2015-03-18 10:58:38.535629739 +0100
|
||||
@@ -371,6 +371,8 @@ ssh_packet_connection_is_on_socket(struc
|
||||
struct sockaddr_storage from, to;
|
||||
socklen_t fromlen, tolen;
|
||||
|
||||
+ if (!state)
|
||||
+ return 0;
|
||||
/* filedescriptors in and out are the same, so it's a socket */
|
||||
if (state->connection_in == state->connection_out)
|
||||
return 1;
|
78
openssh-5.9p1-wIm.patch
Normal file
78
openssh-5.9p1-wIm.patch
Normal file
@ -0,0 +1,78 @@
|
||||
diff -up openssh-5.9p1/Makefile.in.wIm openssh-5.9p1/Makefile.in
|
||||
--- openssh-5.9p1/Makefile.in.wIm 2011-08-05 22:15:18.000000000 +0200
|
||||
+++ openssh-5.9p1/Makefile.in 2011-09-12 16:24:18.643674014 +0200
|
||||
@@ -66,7 +66,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
|
||||
- readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
|
||||
+ readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
|
||||
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
|
||||
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
|
||||
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
|
||||
diff -up openssh-5.9p1/log.h.wIm openssh-5.9p1/log.h
|
||||
--- openssh-5.9p1/log.h.wIm 2011-06-20 06:42:23.000000000 +0200
|
||||
+++ openssh-5.9p1/log.h 2011-09-12 16:34:52.984674326 +0200
|
||||
@@ -65,6 +65,8 @@ void verbose(const char *, ...) __at
|
||||
void debug(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
void debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
void debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
+void _debug_wIm_body(const char *, int, const char *, const char *, int);
|
||||
+#define debug_wIm(a,b) _debug_wIm_body(a,b,__func__,__FILE__,__LINE__)
|
||||
|
||||
|
||||
void set_log_handler(log_handler_fn *, void *);
|
||||
diff -up openssh-5.9p1/sshd.c.wIm openssh-5.9p1/sshd.c
|
||||
--- openssh-5.9p1/sshd.c.wIm 2011-06-23 11:45:51.000000000 +0200
|
||||
+++ openssh-5.9p1/sshd.c 2011-09-12 16:38:35.787816490 +0200
|
||||
@@ -140,6 +140,9 @@ int deny_severity;
|
||||
|
||||
extern char *__progname;
|
||||
|
||||
+/* trace of fork processes */
|
||||
+extern int whereIam;
|
||||
+
|
||||
/* Server configuration options. */
|
||||
ServerOptions options;
|
||||
|
||||
@@ -666,6 +669,7 @@ privsep_preauth(Authctxt *authctxt)
|
||||
return 1;
|
||||
} else {
|
||||
/* child */
|
||||
+ whereIam = 1;
|
||||
close(pmonitor->m_sendfd);
|
||||
close(pmonitor->m_log_recvfd);
|
||||
|
||||
@@ -715,6 +719,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
|
||||
/* child */
|
||||
|
||||
+ whereIam = 2;
|
||||
close(pmonitor->m_sendfd);
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
||||
@@ -1325,6 +1330,8 @@ main(int ac, char **av)
|
||||
Key *key;
|
||||
Authctxt *authctxt;
|
||||
|
||||
+ whereIam = 0;
|
||||
+
|
||||
#ifdef HAVE_SECUREWARE
|
||||
(void)set_auth_parameters(ac, av);
|
||||
#endif
|
||||
diff -up openssh-5.9p1/whereIam.c.wIm openssh-5.9p1/whereIam.c
|
||||
--- openssh-5.9p1/whereIam.c.wIm 2011-09-12 16:24:18.722674167 +0200
|
||||
+++ openssh-5.9p1/whereIam.c 2011-09-12 16:24:18.724674418 +0200
|
||||
@@ -0,0 +1,12 @@
|
||||
+
|
||||
+int whereIam = -1;
|
||||
+
|
||||
+void _debug_wIm_body(const char *txt, int val, const char *func, const char *file, int line)
|
||||
+{
|
||||
+ if (txt)
|
||||
+ debug("%s=%d, %s(%s:%d) wIm = %d, uid=%d, euid=%d", txt, val, func, file, line, whereIam, getuid(), geteuid());
|
||||
+ else
|
||||
+ debug("%s(%s:%d) wIm = %d, uid=%d, euid=%d", func, file, line, whereIam, getuid(), geteuid());
|
||||
+}
|
||||
+
|
||||
+
|
21
openssh-6.1p1-gssapi-canohost.patch
Normal file
21
openssh-6.1p1-gssapi-canohost.patch
Normal file
@ -0,0 +1,21 @@
|
||||
diff -up openssh-6.1p1/sshconnect2.c.canohost openssh-6.1p1/sshconnect2.c
|
||||
--- openssh-6.1p1/sshconnect2.c.canohost 2012-10-30 10:52:59.593301692 +0100
|
||||
+++ openssh-6.1p1/sshconnect2.c 2012-10-30 11:01:12.870301632 +0100
|
||||
@@ -699,12 +699,15 @@ userauth_gssapi(Authctxt *authctxt)
|
||||
static u_int mech = 0;
|
||||
OM_uint32 min;
|
||||
int ok = 0;
|
||||
- const char *gss_host;
|
||||
+ const char *gss_host = NULL;
|
||||
|
||||
if (options.gss_server_identity)
|
||||
gss_host = options.gss_server_identity;
|
||||
- else if (options.gss_trust_dns)
|
||||
+ else if (options.gss_trust_dns) {
|
||||
gss_host = get_canonical_hostname(1);
|
||||
+ if ( strcmp( gss_host, "UNKNOWN" ) == 0 )
|
||||
+ gss_host = authctxt->host;
|
||||
+ }
|
||||
else
|
||||
gss_host = authctxt->host;
|
||||
|
156
openssh-6.2p1-vendor.patch
Normal file
156
openssh-6.2p1-vendor.patch
Normal file
@ -0,0 +1,156 @@
|
||||
diff -up openssh-7.0p1/configure.ac.vendor openssh-7.0p1/configure.ac
|
||||
--- openssh-7.0p1/configure.ac.vendor 2015-08-12 11:14:54.102628399 +0200
|
||||
+++ openssh-7.0p1/configure.ac 2015-08-12 11:14:54.129628356 +0200
|
||||
@@ -4776,6 +4776,12 @@ AC_ARG_WITH([lastlog],
|
||||
fi
|
||||
]
|
||||
)
|
||||
+AC_ARG_ENABLE(vendor-patchlevel,
|
||||
+ [ --enable-vendor-patchlevel=TAG specify a vendor patch level],
|
||||
+ [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
||||
+ SSH_VENDOR_PATCHLEVEL="$enableval"],
|
||||
+ [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
|
||||
+ SSH_VENDOR_PATCHLEVEL=none])
|
||||
|
||||
dnl lastlog, [uw]tmpx? detection
|
||||
dnl NOTE: set the paths in the platform section to avoid the
|
||||
@@ -5038,6 +5044,7 @@ echo " Translate v4 in v6 hack
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
echo " Random number source: $RAND_MSG"
|
||||
echo " Privsep sandbox style: $SANDBOX_STYLE"
|
||||
+echo " Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
|
||||
|
||||
echo ""
|
||||
|
||||
diff -up openssh-7.0p1/servconf.c.vendor openssh-7.0p1/servconf.c
|
||||
--- openssh-7.0p1/servconf.c.vendor 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/servconf.c 2015-08-12 11:15:33.201565712 +0200
|
||||
@@ -149,6 +149,7 @@ initialize_server_options(ServerOptions
|
||||
options->max_authtries = -1;
|
||||
options->max_sessions = -1;
|
||||
options->banner = NULL;
|
||||
+ options->show_patchlevel = -1;
|
||||
options->use_dns = -1;
|
||||
options->client_alive_interval = -1;
|
||||
options->client_alive_count_max = -1;
|
||||
@@ -335,6 +336,8 @@ fill_default_server_options(ServerOption
|
||||
options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
+ if (options->show_patchlevel == -1)
|
||||
+ options->show_patchlevel = 0;
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
options->fwd_opts.streamlocal_bind_mask = 0177;
|
||||
if (options->fwd_opts.streamlocal_bind_unlink == -1)
|
||||
@@ -407,7 +410,7 @@ typedef enum {
|
||||
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
|
||||
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
|
||||
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
|
||||
- sBanner, sUseDNS, sHostbasedAuthentication,
|
||||
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
@@ -529,6 +532,7 @@ static struct {
|
||||
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
|
||||
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
|
||||
{ "banner", sBanner, SSHCFG_ALL },
|
||||
+ { "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
|
||||
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
|
||||
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
|
||||
@@ -1389,6 +1393,10 @@ process_server_config_line(ServerOptions
|
||||
multistate_ptr = multistate_privsep;
|
||||
goto parse_multistate;
|
||||
|
||||
+ case sShowPatchLevel:
|
||||
+ intptr = &options->show_patchlevel;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sAllowUsers:
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_allow_users >= MAX_ALLOW_USERS)
|
||||
@@ -2266,6 +2274,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUseLogin, o->use_login);
|
||||
dump_cfg_fmtint(sCompression, o->compression);
|
||||
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
|
||||
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
|
||||
dump_cfg_fmtint(sUseDNS, o->use_dns);
|
||||
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
|
||||
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
|
||||
diff -up openssh-7.0p1/servconf.h.vendor openssh-7.0p1/servconf.h
|
||||
--- openssh-7.0p1/servconf.h.vendor 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/servconf.h 2015-08-12 11:14:54.130628355 +0200
|
||||
@@ -155,6 +155,7 @@ typedef struct {
|
||||
int max_authtries;
|
||||
int max_sessions;
|
||||
char *banner; /* SSH-2 banner message */
|
||||
+ int show_patchlevel; /* Show vendor patch level to clients */
|
||||
int use_dns;
|
||||
int client_alive_interval; /*
|
||||
* poke the client this often to
|
||||
diff -up openssh-7.0p1/sshd_config.0.vendor openssh-7.0p1/sshd_config.0
|
||||
--- openssh-7.0p1/sshd_config.0.vendor 2015-08-12 11:14:54.125628363 +0200
|
||||
+++ openssh-7.0p1/sshd_config.0 2015-08-12 11:14:54.130628355 +0200
|
||||
@@ -841,6 +841,11 @@ DESCRIPTION
|
||||
Defines the number of bits in the ephemeral protocol version 1
|
||||
server key. The default and minimum value is 1024.
|
||||
|
||||
+ ShowPatchLevel
|
||||
+ Specifies whether sshd will display the specific patch level of
|
||||
+ the binary in the server identification string. The patch level
|
||||
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
|
||||
+
|
||||
StreamLocalBindMask
|
||||
Sets the octal file creation mode mask (umask) used when creating
|
||||
a Unix-domain socket file for local or remote port forwarding.
|
||||
diff -up openssh-7.0p1/sshd_config.5.vendor openssh-7.0p1/sshd_config.5
|
||||
--- openssh-7.0p1/sshd_config.5.vendor 2015-08-12 11:14:54.125628363 +0200
|
||||
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:14:54.131628353 +0200
|
||||
@@ -1411,6 +1411,13 @@ This option applies to protocol version
|
||||
.It Cm ServerKeyBits
|
||||
Defines the number of bits in the ephemeral protocol version 1 server key.
|
||||
The default and minimum value is 1024.
|
||||
+.It Cm ShowPatchLevel
|
||||
+Specifies whether
|
||||
+.Nm sshd
|
||||
+will display the patch level of the binary in the identification string.
|
||||
+The patch level is set at compile-time.
|
||||
+The default is
|
||||
+.Dq no .
|
||||
.It Cm StreamLocalBindMask
|
||||
Sets the octal file creation mode mask
|
||||
.Pq umask
|
||||
diff -up openssh-7.0p1/sshd_config.vendor openssh-7.0p1/sshd_config
|
||||
--- openssh-7.0p1/sshd_config.vendor 2015-08-12 11:14:54.125628363 +0200
|
||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:14:54.131628353 +0200
|
||||
@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
+#ShowPatchLevel no
|
||||
#UseDNS no
|
||||
#PidFile /var/run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
diff -up openssh-7.0p1/sshd.c.vendor openssh-7.0p1/sshd.c
|
||||
--- openssh-7.0p1/sshd.c.vendor 2015-08-12 11:14:54.100628403 +0200
|
||||
+++ openssh-7.0p1/sshd.c 2015-08-12 11:14:54.131628353 +0200
|
||||
@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in
|
||||
}
|
||||
|
||||
xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
|
||||
- major, minor, SSH_VERSION,
|
||||
+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
*options.version_addendum == '\0' ? "" : " ",
|
||||
options.version_addendum, newline);
|
||||
|
||||
@@ -1749,7 +1749,8 @@ main(int ac, char **av)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- debug("sshd version %s, %s", SSH_VERSION,
|
||||
+ debug("sshd version %s, %s",
|
||||
+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
|
||||
#ifdef WITH_OPENSSL
|
||||
SSLeay_version(SSLEAY_VERSION)
|
||||
#else
|
247
openssh-6.3p1-krb5-use-default_ccache_name.patch
Normal file
247
openssh-6.3p1-krb5-use-default_ccache_name.patch
Normal file
@ -0,0 +1,247 @@
|
||||
diff -up openssh-6.3p1/auth-krb5.c.ccache_name openssh-6.3p1/auth-krb5.c
|
||||
--- openssh-6.3p1/auth-krb5.c.ccache_name 2013-10-23 22:03:52.322950759 +0200
|
||||
+++ openssh-6.3p1/auth-krb5.c 2013-10-23 22:04:24.295799873 +0200
|
||||
@@ -50,7 +50,9 @@
|
||||
#include <errno.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
+#include <sys/stat.h>
|
||||
#include <krb5.h>
|
||||
+#include <profile.h>
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
@@ -91,6 +93,7 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
#endif
|
||||
krb5_error_code problem;
|
||||
krb5_ccache ccache = NULL;
|
||||
+ const char *ccache_type;
|
||||
int len;
|
||||
char *client, *platform_client;
|
||||
const char *errmsg;
|
||||
@@ -191,12 +194,30 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
goto out;
|
||||
#endif
|
||||
|
||||
+ ccache_type = krb5_cc_get_type(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||
|
||||
- len = strlen(authctxt->krb5_ticket_file) + 6;
|
||||
+ if (authctxt->krb5_ticket_file[0] == ':')
|
||||
+ authctxt->krb5_ticket_file++;
|
||||
+
|
||||
+ len = strlen(authctxt->krb5_ticket_file) + strlen(ccache_type) + 2;
|
||||
authctxt->krb5_ccname = xmalloc(len);
|
||||
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
|
||||
+
|
||||
+#ifdef USE_CCAPI
|
||||
+ snprintf(authctxt->krb5_ccname, len, "API:%s",
|
||||
authctxt->krb5_ticket_file);
|
||||
+#else
|
||||
+ snprintf(authctxt->krb5_ccname, len, "%s:%s",
|
||||
+ ccache_type, authctxt->krb5_ticket_file);
|
||||
+#endif
|
||||
+
|
||||
+ if (strcmp(ccache_type, "DIR") == 0) {
|
||||
+ char *p;
|
||||
+ p = strrchr(authctxt->krb5_ccname, '/');
|
||||
+ if (p)
|
||||
+ *p = '\0';
|
||||
+ }
|
||||
+
|
||||
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam)
|
||||
@@ -235,10 +256,34 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
void
|
||||
krb5_cleanup_proc(Authctxt *authctxt)
|
||||
{
|
||||
+ struct stat krb5_ccname_stat;
|
||||
+ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;
|
||||
+
|
||||
debug("krb5_cleanup_proc called");
|
||||
if (authctxt->krb5_fwd_ccache) {
|
||||
krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||
authctxt->krb5_fwd_ccache = NULL;
|
||||
+
|
||||
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
|
||||
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
|
||||
+ *krb5_ccname_dir_start++ = '\0';
|
||||
+ if (strcmp(krb5_ccname, "DIR") == 0) {
|
||||
+
|
||||
+ strcat(krb5_ccname_dir_start, "/primary");
|
||||
+
|
||||
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
|
||||
+ if (unlink(krb5_ccname_dir_start) == 0) {
|
||||
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
|
||||
+ *krb5_ccname_dir_end = '\0';
|
||||
+ if (rmdir(krb5_ccname_dir_start) == -1)
|
||||
+ debug("cache dir '%s' remove failed: %s", krb5_ccname_dir_start, strerror(errno));
|
||||
+ }
|
||||
+ else
|
||||
+ debug("cache primary file '%s', remove failed: %s",
|
||||
+ krb5_ccname_dir_start, strerror(errno)
|
||||
+ );
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
if (authctxt->krb5_user) {
|
||||
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
||||
@@ -250,34 +295,139 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||
}
|
||||
}
|
||||
|
||||
+int
|
||||
+ssh_asprintf_append(char **dsc, const char *fmt, ...) {
|
||||
+ char *src, *old;
|
||||
+ va_list ap;
|
||||
+ int i;
|
||||
+
|
||||
+ va_start(ap, fmt);
|
||||
+ i = vasprintf(&src, fmt, ap);
|
||||
+ va_end(ap);
|
||||
+
|
||||
+ if (i == -1 || src == NULL)
|
||||
+ return -1;
|
||||
+
|
||||
+ old = *dsc;
|
||||
+
|
||||
+ i = asprintf(dsc, "%s%s", *dsc, src);
|
||||
+ if (i == -1 || src == NULL) {
|
||||
+ free(src);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ free(old);
|
||||
+ free(src);
|
||||
+
|
||||
+ return i;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+ssh_krb5_expand_template(char **result, const char *template) {
|
||||
+ char *p_n, *p_o, *r, *tmp_template;
|
||||
+
|
||||
+ if (template == NULL)
|
||||
+ return -1;
|
||||
+
|
||||
+ tmp_template = p_n = p_o = xstrdup(template);
|
||||
+ r = xstrdup("");
|
||||
+
|
||||
+ while ((p_n = strstr(p_o, "%{")) != NULL) {
|
||||
+
|
||||
+ *p_n++ = '\0';
|
||||
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ if (strncmp(p_n, "{uid}", 5) == 0 || strncmp(p_n, "{euid}", 6) == 0 ||
|
||||
+ strncmp(p_n, "{USERID}", 8) == 0) {
|
||||
+ p_o = strchr(p_n, '}') + 1;
|
||||
+ if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
|
||||
+ goto cleanup;
|
||||
+ continue;
|
||||
+ }
|
||||
+ else if (strncmp(p_n, "{TEMP}", 6) == 0) {
|
||||
+ p_o = strchr(p_n, '}') + 1;
|
||||
+ if (ssh_asprintf_append(&r, "/tmp") == -1)
|
||||
+ goto cleanup;
|
||||
+ continue;
|
||||
+ } else {
|
||||
+ p_o = strchr(p_n, '}') + 1;
|
||||
+ p_o = '\0';
|
||||
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
|
||||
+ /* unknown token, fallback to the default */
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ *result = r;
|
||||
+ free(tmp_template);
|
||||
+ return 0;
|
||||
+
|
||||
+cleanup:
|
||||
+ free(r);
|
||||
+ free(tmp_template);
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+krb5_error_code
|
||||
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
||||
+ profile_t p;
|
||||
+ int ret = 0;
|
||||
+ char *value = NULL;
|
||||
+
|
||||
+ ret = krb5_get_profile(ctx, &p);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
+ ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
+ ret = ssh_krb5_expand_template(ccname, value);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
#ifndef HEIMDAL
|
||||
krb5_error_code
|
||||
ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||
int tmpfd, ret, oerrno;
|
||||
- char ccname[40];
|
||||
+ char *ccname;
|
||||
+#ifdef USE_CCAPI
|
||||
+ char cctemplate[] = "API:krb5cc_%d";
|
||||
+#else
|
||||
mode_t old_umask;
|
||||
+ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX";
|
||||
|
||||
- ret = snprintf(ccname, sizeof(ccname),
|
||||
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
|
||||
- if (ret < 0 || (size_t)ret >= sizeof(ccname))
|
||||
- return ENOMEM;
|
||||
-
|
||||
- old_umask = umask(0177);
|
||||
- tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||
- oerrno = errno;
|
||||
- umask(old_umask);
|
||||
- if (tmpfd == -1) {
|
||||
- logit("mkstemp(): %.100s", strerror(oerrno));
|
||||
- return oerrno;
|
||||
- }
|
||||
+#endif
|
||||
+
|
||||
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
||||
|
||||
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
||||
+ if (ret) {
|
||||
+ ret = asprintf(&ccname, cctemplate, geteuid());
|
||||
+ if (ret == -1)
|
||||
+ return ENOMEM;
|
||||
+ old_umask = umask(0177);
|
||||
+ tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||
oerrno = errno;
|
||||
- logit("fchmod(): %.100s", strerror(oerrno));
|
||||
+ umask(old_umask);
|
||||
+ if (tmpfd == -1) {
|
||||
+ logit("mkstemp(): %.100s", strerror(oerrno));
|
||||
+ return oerrno;
|
||||
+ }
|
||||
+
|
||||
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
||||
+ oerrno = errno;
|
||||
+ logit("fchmod(): %.100s", strerror(oerrno));
|
||||
+ close(tmpfd);
|
||||
+ return oerrno;
|
||||
+ }
|
||||
close(tmpfd);
|
||||
- return oerrno;
|
||||
}
|
||||
- close(tmpfd);
|
||||
+ debug("%s: Setting ccname to %s", __func__, ccname);
|
||||
|
||||
return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||
}
|
54
openssh-6.6.1p1-cisco-dh-keys.patch
Normal file
54
openssh-6.6.1p1-cisco-dh-keys.patch
Normal file
@ -0,0 +1,54 @@
|
||||
diff -up openssh-6.8p1/compat.c.cisco-dh openssh-6.8p1/compat.c
|
||||
--- openssh-6.8p1/compat.c.cisco-dh 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/compat.c 2015-03-19 12:57:58.862606969 +0100
|
||||
@@ -167,6 +167,7 @@ compat_datafellows(const char *version)
|
||||
SSH_BUG_SCANNER },
|
||||
{ "Probe-*",
|
||||
SSH_BUG_PROBE },
|
||||
+ { "Cisco-*", SSH_BUG_MAX4096DH },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
diff -up openssh-6.8p1/compat.h.cisco-dh openssh-6.8p1/compat.h
|
||||
--- openssh-6.8p1/compat.h.cisco-dh 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/compat.h 2015-03-19 12:57:58.862606969 +0100
|
||||
@@ -60,6 +60,7 @@
|
||||
#define SSH_NEW_OPENSSH 0x04000000
|
||||
#define SSH_BUG_DYNAMIC_RPORT 0x08000000
|
||||
#define SSH_BUG_CURVE25519PAD 0x10000000
|
||||
+#define SSH_BUG_MAX4096DH 0x20000000
|
||||
|
||||
void enable_compat13(void);
|
||||
void enable_compat20(void);
|
||||
diff -up openssh-6.8p1/kexgexc.c.cisco-dh openssh-6.8p1/kexgexc.c
|
||||
--- openssh-6.8p1/kexgexc.c.cisco-dh 2015-03-19 12:57:58.862606969 +0100
|
||||
+++ openssh-6.8p1/kexgexc.c 2015-03-19 13:11:52.320519969 +0100
|
||||
@@ -64,8 +64,27 @@ kexgex_client(struct ssh *ssh)
|
||||
|
||||
kex->min = DH_GRP_MIN;
|
||||
kex->max = DH_GRP_MAX;
|
||||
+
|
||||
+ /* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
|
||||
+ * We need to also ensure that min < nbits < max */
|
||||
+
|
||||
+ if (datafellows & SSH_BUG_MAX4096DH) {
|
||||
+ /* The largest min for these servers is 4096 */
|
||||
+ kex->min = MIN(kex->min, 4096);
|
||||
+ }
|
||||
+
|
||||
kex->nbits = nbits;
|
||||
- if (ssh->compat & SSH_OLD_DHGEX) {
|
||||
+ kex->nbits = MIN(nbits, kex->max);
|
||||
+ kex->nbits = MAX(nbits, kex->min);
|
||||
+
|
||||
+ if (ssh->compat & SSH_BUG_MAX4096DH) {
|
||||
+ /* Cannot have a nbits > 4096 for these servers */
|
||||
+ kex->nbits = MIN(kex->nbits, 4096);
|
||||
+ /* nbits has to be powers of two */
|
||||
+ if (kex->nbits == 3072)
|
||||
+ kex->nbits = 4096;
|
||||
+ }
|
||||
+ if (ssh->compat & SSH_OLD_DHGEX) { /* Old GEX request */
|
||||
/* Old GEX request */
|
||||
if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD))
|
||||
!= 0 ||
|
24
openssh-6.6.1p1-ip-port-config-parser.patch
Normal file
24
openssh-6.6.1p1-ip-port-config-parser.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff --git a/misc.c b/misc.c
|
||||
index 2f11de4..36402d1 100644
|
||||
--- a/misc.c
|
||||
+++ b/misc.c
|
||||
@@ -396,7 +396,7 @@ hpdelim(char **cp)
|
||||
return NULL;
|
||||
else
|
||||
s++;
|
||||
- } else if ((s = strpbrk(s, ":/")) == NULL)
|
||||
+ } else if ((s = strpbrk(s, ":")) == NULL)
|
||||
s = *cp + strlen(*cp); /* skip to end (see first case below) */
|
||||
|
||||
switch (*s) {
|
||||
@@ -405,7 +405,6 @@ hpdelim(char **cp)
|
||||
break;
|
||||
|
||||
case ':':
|
||||
- case '/':
|
||||
*s = '\0'; /* terminate */
|
||||
*cp = s + 1;
|
||||
break;
|
||||
--
|
||||
2.1.0
|
||||
|
12
openssh-6.6.1p1-localdomain.patch
Normal file
12
openssh-6.6.1p1-localdomain.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff --git a/ssh_config b/ssh_config
|
||||
index 03a228f..49a4f6c 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -46,3 +46,7 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
+#
|
||||
+# Uncomment this if you want to use .local domain
|
||||
+# Host *.local
|
||||
+# CheckHostIP no
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
||||
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100
|
||||
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
|
||||
diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
|
||||
--- openssh-6.8p1/log.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/log.c 2015-03-18 12:59:29.694022313 +0100
|
||||
@@ -241,6 +241,11 @@ debug3(const char *fmt,...)
|
||||
void
|
||||
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
|
||||
{
|
||||
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
||||
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
|
||||
struct syslog_data sdata = SYSLOG_DATA_INIT;
|
||||
#endif
|
||||
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl
|
||||
@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, Sysl
|
||||
exit(1);
|
||||
}
|
||||
|
||||
@ -26,50 +26,50 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
|
||||
|
||||
log_on_stderr = on_stderr;
|
||||
if (on_stderr)
|
||||
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
|
||||
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100
|
||||
diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h
|
||||
--- openssh-6.8p1/log.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/log.h 2015-03-18 12:59:29.694022313 +0100
|
||||
@@ -49,6 +49,7 @@ typedef enum {
|
||||
typedef void (log_handler_fn)(LogLevel, const char *, void *);
|
||||
|
||||
void log_init(char *, LogLevel, SyslogFacility, int);
|
||||
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int);
|
||||
LogLevel log_level_get(void);
|
||||
int log_change_level(LogLevel);
|
||||
void log_change_level(LogLevel);
|
||||
int log_is_on_stderr(void);
|
||||
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100
|
||||
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
void log_redirect_stderr_to(const char *);
|
||||
diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
|
||||
--- openssh-6.8p1/monitor.c.log-in-chroot 2015-03-18 12:59:29.669022374 +0100
|
||||
+++ openssh-6.8p1/monitor.c 2015-03-18 13:01:52.894671198 +0100
|
||||
@@ -357,6 +357,8 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
close(pmonitor->m_log_sendfd);
|
||||
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
|
||||
|
||||
+ pmonitor->m_state = "preauth";
|
||||
+
|
||||
authctxt = (Authctxt *)ssh->authctxt;
|
||||
authctxt = _authctxt;
|
||||
memset(authctxt, 0, sizeof(*authctxt));
|
||||
ssh->authctxt = authctxt;
|
||||
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p
|
||||
|
||||
@@ -465,6 +467,8 @@ monitor_child_postauth(struct monitor *p
|
||||
close(pmonitor->m_recvfd);
|
||||
pmonitor->m_recvfd = -1;
|
||||
|
||||
+ pmonitor->m_state = "postauth";
|
||||
+
|
||||
monitor_set_child_handler(pmonitor->m_pid);
|
||||
ssh_signal(SIGHUP, &monitor_child_handler);
|
||||
ssh_signal(SIGTERM, &monitor_child_handler);
|
||||
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
|
||||
signal(SIGHUP, &monitor_child_handler);
|
||||
signal(SIGTERM, &monitor_child_handler);
|
||||
@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonito
|
||||
if (log_level_name(level) == NULL)
|
||||
fatal("%s: invalid log level %u (corrupted message?)",
|
||||
__func__, level);
|
||||
- do_log2(level, "%s [preauth]", msg);
|
||||
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
|
||||
|
||||
sshbuf_free(logmsg);
|
||||
buffer_free(&logmsg);
|
||||
free(msg);
|
||||
@@ -1719,13 +1723,28 @@ monitor_init(void)
|
||||
mon = xcalloc(1, sizeof(*mon));
|
||||
monitor_openfds(mon, 1);
|
||||
@@ -1998,13 +2002,28 @@ monitor_init(void)
|
||||
(ssh_packet_comp_free_func *)mm_zfree);
|
||||
}
|
||||
|
||||
+ mon->m_state = "";
|
||||
+
|
||||
@ -98,11 +98,11 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
|
||||
}
|
||||
|
||||
#ifdef GSSAPI
|
||||
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
|
||||
--- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100
|
||||
+++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100
|
||||
diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
|
||||
--- openssh-6.8p1/monitor.h.log-in-chroot 2015-03-18 12:59:29.695022310 +0100
|
||||
+++ openssh-6.8p1/monitor.h 2015-03-18 13:02:56.926514197 +0100
|
||||
@@ -83,10 +83,11 @@ struct monitor {
|
||||
int m_log_sendfd;
|
||||
struct mm_master *m_zlib;
|
||||
struct kex **m_pkex;
|
||||
pid_t m_pid;
|
||||
+ char *m_state;
|
||||
@ -111,21 +111,43 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
|
||||
struct monitor *monitor_init(void);
|
||||
-void monitor_reinit(struct monitor *);
|
||||
+void monitor_reinit(struct monitor *, const char *);
|
||||
void monitor_sync(struct monitor *);
|
||||
|
||||
struct Authctxt;
|
||||
void monitor_child_preauth(struct ssh *, struct monitor *);
|
||||
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100
|
||||
@@ -160,6 +160,7 @@ login_cap_t *lc;
|
||||
diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
|
||||
--- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100
|
||||
+++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100
|
||||
@@ -161,6 +161,7 @@ login_cap_t *lc;
|
||||
|
||||
static int is_child = 0;
|
||||
static int in_chroot = 0;
|
||||
+static int have_dev_log = 1;
|
||||
|
||||
/* File containing userauth info, if ExposeAuthInfo set */
|
||||
static char *auth_info_file = NULL;
|
||||
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command)
|
||||
/* Name and directory of socket for authentication agent forwarding. */
|
||||
static char *auth_sock_name = NULL;
|
||||
@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
is_child = 1;
|
||||
|
||||
/* Child. Reinitialize the log since the pid has changed. */
|
||||
- log_init(__progname, options.log_level,
|
||||
- options.log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, options.log_level,
|
||||
+ options.log_facility, log_stderr, have_dev_log);
|
||||
|
||||
/*
|
||||
* Create a new session and process group since the 4.4BSD
|
||||
@@ -675,8 +677,8 @@ do_exec_pty(Session *s, const char *comm
|
||||
close(ptymaster);
|
||||
|
||||
/* Child. Reinitialize the log because the pid has changed. */
|
||||
- log_init(__progname, options.log_level,
|
||||
- options.log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, options.log_level,
|
||||
+ options.log_facility, log_stderr, have_dev_log);
|
||||
/* Close the master side of the pseudo tty. */
|
||||
close(ptyfd);
|
||||
|
||||
@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command)
|
||||
int ret;
|
||||
const char *forced = NULL, *tty = NULL;
|
||||
char session_type[1024];
|
||||
@ -133,7 +155,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||
|
||||
if (options.adm_forced_command) {
|
||||
original_command = command;
|
||||
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command)
|
||||
@@ -837,6 +840,10 @@ do_exec(Session *s, const char *command)
|
||||
tty += 5;
|
||||
}
|
||||
|
||||
@ -144,10 +166,10 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
|
||||
session_type,
|
||||
tty == NULL ? "" : " on ",
|
||||
@@ -1486,14 +1492,6 @@ child_close_fds(void)
|
||||
|
||||
/* Stop directing logs to a high-numbered fd before we close it */
|
||||
log_redirect_stderr_to(NULL);
|
||||
@@ -1678,14 +1685,6 @@ child_close_fds(void)
|
||||
* descriptors left by system functions. They will be closed later.
|
||||
*/
|
||||
endpwent();
|
||||
-
|
||||
- /*
|
||||
- * Close any extra open file descriptors so that we don't have them
|
||||
@ -159,16 +181,16 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command
|
||||
@@ -1831,8 +1830,6 @@ do_child(Session *s, const char *command
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- closefrom(STDERR_FILENO + 1);
|
||||
-
|
||||
do_rc_files(ssh, s, shell);
|
||||
if (!options.use_login)
|
||||
do_rc_files(s, shell);
|
||||
|
||||
/* restore SIGPIPE for child */
|
||||
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command
|
||||
@@ -1856,9 +1853,17 @@ do_child(Session *s, const char *command
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
@ -186,21 +208,21 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
|
||||
+
|
||||
fflush(NULL);
|
||||
|
||||
/* Get the last component of the shell name. */
|
||||
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
|
||||
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100
|
||||
@@ -97,5 +97,5 @@
|
||||
if (options.use_login) {
|
||||
diff -up openssh-6.8p1/sftp-server-main.c.log-in-chroot openssh-6.8p1/sftp-server-main.c
|
||||
--- openssh-6.8p1/sftp-server-main.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp-server-main.c 2015-03-18 12:59:29.696022308 +0100
|
||||
@@ -47,5 +47,5 @@ main(int argc, char **argv)
|
||||
return 1;
|
||||
}
|
||||
|
||||
struct passwd;
|
||||
|
||||
-int sftp_server_main(int, char **, struct passwd *);
|
||||
+int sftp_server_main(int, char **, struct passwd *, int);
|
||||
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
||||
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
||||
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100
|
||||
@@ -1497,7 +1497,7 @@ sftp_server_usage(void)
|
||||
- return (sftp_server_main(argc, argv, user_pw));
|
||||
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
||||
}
|
||||
diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
|
||||
--- openssh-6.8p1/sftp-server.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp-server.c 2015-03-18 13:03:52.510377911 +0100
|
||||
@@ -1502,7 +1502,7 @@ sftp_server_usage(void)
|
||||
}
|
||||
|
||||
int
|
||||
@ -209,38 +231,38 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
|
||||
{
|
||||
fd_set *rset, *wset;
|
||||
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
|
||||
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv,
|
||||
extern char *__progname;
|
||||
@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv,
|
||||
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
- log_init(__progname, log_level, log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
||||
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv,
|
||||
@@ -1586,7 +1586,7 @@ sftp_server_main(int argc, char **argv,
|
||||
}
|
||||
}
|
||||
|
||||
- log_init(__progname, log_level, log_facility, log_stderr);
|
||||
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
|
||||
|
||||
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
|
||||
/*
|
||||
* On platforms where we can, avoid making /proc/self/{mem,maps}
|
||||
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c
|
||||
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100
|
||||
@@ -49,5 +49,5 @@ main(int argc, char **argv)
|
||||
return 1;
|
||||
}
|
||||
diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h
|
||||
--- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100
|
||||
@@ -97,5 +97,5 @@
|
||||
|
||||
- return (sftp_server_main(argc, argv, user_pw));
|
||||
+ return (sftp_server_main(argc, argv, user_pw, 0));
|
||||
}
|
||||
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100
|
||||
@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
struct passwd;
|
||||
|
||||
-int sftp_server_main(int, char **, struct passwd *);
|
||||
+int sftp_server_main(int, char **, struct passwd *, int);
|
||||
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
|
||||
diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
|
||||
--- openssh-6.8p1/sshd.c.log-in-chroot 2015-03-18 12:59:29.691022320 +0100
|
||||
+++ openssh-6.8p1/sshd.c 2015-03-18 12:59:29.697022305 +0100
|
||||
@@ -744,7 +744,7 @@ privsep_postauth(Authctxt *authctxt)
|
||||
}
|
||||
|
||||
/* New socket pair */
|
||||
@ -249,7 +271,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
|
||||
|
||||
pmonitor->m_pid = fork();
|
||||
if (pmonitor->m_pid == -1)
|
||||
@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt)
|
||||
@@ -762,6 +762,11 @@ privsep_postauth(Authctxt *authctxt)
|
||||
|
||||
close(pmonitor->m_sendfd);
|
||||
pmonitor->m_sendfd = -1;
|
||||
|
@ -10,5 +10,5 @@
|
||||
+ }
|
||||
omode = mode;
|
||||
mode |= S_IWUSR;
|
||||
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) == -1) {
|
||||
if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
|
||||
--
|
||||
|
@ -7,7 +7,7 @@ index 8f32464..18a2ca4 100644
|
||||
#include "servconf.h"
|
||||
#include "port-linux.h"
|
||||
+#include "misc.h"
|
||||
#include "sshkey.h"
|
||||
#include "key.h"
|
||||
#include "hostfile.h"
|
||||
#include "auth.h"
|
||||
@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
@ -19,7 +19,7 @@ index 8f32464..18a2ca4 100644
|
||||
|
||||
if (!sshd_selinux_enabled())
|
||||
return;
|
||||
@@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)
|
||||
@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void)
|
||||
}
|
||||
}
|
||||
|
||||
@ -30,27 +30,13 @@ index 8f32464..18a2ca4 100644
|
||||
+ char line[1024], *preauth_context = NULL, *cp, *arg;
|
||||
+ const char *contexts_path;
|
||||
+ FILE *contexts_file;
|
||||
+ struct stat sb;
|
||||
+
|
||||
+ contexts_path = selinux_openssh_contexts_path();
|
||||
+ if (contexts_path == NULL) {
|
||||
+ debug3("%s: Failed to get the path to SELinux context", __func__);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
||||
+ debug("%s: Failed to open SELinux context file", __func__);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
||||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
||||
+ logit("%s: SELinux context file needs to be owned by root"
|
||||
+ " and not writable by anyone else", __func__);
|
||||
+ fclose(contexts_file);
|
||||
+ return;
|
||||
+ }
|
||||
+ if (contexts_path != NULL) {
|
||||
+ if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
|
||||
+ struct stat sb;
|
||||
+
|
||||
+ if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
|
||||
+ while (fgets(line, sizeof(line), contexts_file)) {
|
||||
+ /* Strip trailing whitespace */
|
||||
+ for (len = strlen(line) - 1; len > 0; len--) {
|
||||
@ -64,10 +50,10 @@ index 8f32464..18a2ca4 100644
|
||||
+
|
||||
+ cp = line;
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (arg && *arg == '\0')
|
||||
+ if (*arg == '\0')
|
||||
+ arg = strdelim(&cp);
|
||||
+
|
||||
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
||||
+ if (strcmp(arg, "privsep_preauth") == 0) {
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (!arg || *arg == '\0') {
|
||||
+ debug("%s: privsep_preauth is empty", __func__);
|
||||
@ -77,13 +63,13 @@ index 8f32464..18a2ca4 100644
|
||||
+ preauth_context = xstrdup(arg);
|
||||
+ }
|
||||
+ }
|
||||
+ fclose(contexts_file);
|
||||
+
|
||||
+ if (preauth_context == NULL) {
|
||||
+ debug("%s: Unable to find 'privsep_preauth' option in"
|
||||
+ " SELinux context file", __func__);
|
||||
+ return;
|
||||
+ }
|
||||
+ fclose(contexts_file);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (preauth_context == NULL)
|
||||
+ preauth_context = xstrdup("sshd_net_t");
|
||||
+
|
||||
+ ssh_selinux_change_context(preauth_context);
|
||||
+ free(preauth_context);
|
||||
@ -130,3 +116,38 @@ index 2871fe9..39b9c08 100644
|
||||
#endif
|
||||
|
||||
/* Demote the child */
|
||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 12c014e..c5ef2ff 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -35,7 +35,6 @@
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
-#include <selinux/flask.h>
|
||||
#include <selinux/get_context_list.h>
|
||||
|
||||
#ifndef SSH_SELINUX_UNCONFINED_TYPE
|
||||
@@ -110,6 +109,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
security_context_t new_tty_ctx = NULL;
|
||||
security_context_t user_ctx = NULL;
|
||||
security_context_t old_tty_ctx = NULL;
|
||||
+ security_class_t class;
|
||||
|
||||
if (!ssh_selinux_enabled())
|
||||
return;
|
||||
@@ -129,8 +129,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ class = string_to_security_class("chr_file");
|
||||
+ if (!class) {
|
||||
+ error("string_to_security_class failed to translate security class context");
|
||||
+ goto out;
|
||||
+ }
|
||||
if (security_compute_relabel(user_ctx, old_tty_ctx,
|
||||
- SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
|
||||
+ class, &new_tty_ctx) != 0) {
|
||||
error("%s: security_compute_relabel: %s",
|
||||
__func__, strerror(errno));
|
||||
goto out;
|
||||
|
12
openssh-6.6.1p1-servconf-parser.patch
Normal file
12
openssh-6.6.1p1-servconf-parser.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up openssh/servconf.c.servconf openssh/servconf.c
|
||||
--- openssh/servconf.c.servconf 2015-06-24 11:26:26.186527736 +0200
|
||||
+++ openssh/servconf.c 2015-06-24 11:26:39.847493075 +0200
|
||||
@@ -1815,6 +1815,8 @@ process_server_config_line(ServerOptions
|
||||
break;
|
||||
|
||||
case sAuthenticationMethods:
|
||||
+ if (cp == NULL || *cp == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
|
||||
if (options->num_auth_methods == 0) {
|
||||
while ((arg = strdelim(&cp)) && *arg != '\0') {
|
||||
if (options->num_auth_methods >=
|
970
openssh-6.6.1p1-utf8-banner.patch
Normal file
970
openssh-6.6.1p1-utf8-banner.patch
Normal file
@ -0,0 +1,970 @@
|
||||
diff -up openssh-6.8p1/Makefile.in.utf8-banner openssh-6.8p1/Makefile.in
|
||||
--- openssh-6.8p1/Makefile.in.utf8-banner 2015-03-18 12:41:28.174713188 +0100
|
||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 12:45:52.723048114 +0100
|
||||
@@ -94,7 +94,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
ssh-pkcs11.o smult_curve25519_ref.o \
|
||||
poly1305.o chacha.o cipher-chachapoly.o \
|
||||
- ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
|
||||
+ ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o utf8_stringprep.o \
|
||||
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
|
||||
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
|
||||
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
|
||||
diff -up openssh-6.8p1/misc.h.utf8-banner openssh-6.8p1/misc.h
|
||||
--- openssh-6.8p1/misc.h.utf8-banner 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/misc.h 2015-03-18 12:41:28.175713185 +0100
|
||||
@@ -135,4 +135,8 @@ char *read_passphrase(const char *, int)
|
||||
int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
|
||||
int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
|
||||
|
||||
+/* utf8_stringprep.c */
|
||||
+int utf8_stringprep(const char *, char *, size_t);
|
||||
+void sanitize_utf8(char *, const char *, size_t);
|
||||
+
|
||||
#endif /* _MISC_H */
|
||||
diff -up openssh-6.8p1/sshconnect2.c.utf8-banner openssh-6.8p1/sshconnect2.c
|
||||
--- openssh-6.8p1/sshconnect2.c.utf8-banner 2015-03-18 12:41:28.161713220 +0100
|
||||
+++ openssh-6.8p1/sshconnect2.c 2015-03-18 12:44:05.483317714 +0100
|
||||
@@ -532,7 +534,7 @@ input_userauth_error(int type, u_int32_t
|
||||
if (len > 65536)
|
||||
len = 65536;
|
||||
msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
|
||||
- strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
|
||||
+ sanitize_utf8(msg, raw, len);
|
||||
fprintf(stderr, "%s", msg);
|
||||
free(msg);
|
||||
}
|
||||
diff -up openssh-6.8p1/stringprep-tables.c.utf8-banner openssh-6.8p1/stringprep-tables.c
|
||||
--- openssh-6.8p1/stringprep-tables.c.utf8-banner 2015-03-18 12:41:28.175713185 +0100
|
||||
+++ openssh-6.8p1/stringprep-tables.c 2015-03-18 12:41:28.175713185 +0100
|
||||
@@ -0,0 +1,661 @@
|
||||
+/* Public domain. */
|
||||
+
|
||||
+/* $OpenBSD$ */
|
||||
+
|
||||
+/*
|
||||
+ * Tables for RFC3454 stringprep algorithm, updated with a table of allocated
|
||||
+ * characters generated from Unicode.6.2's UnicodeData.txt
|
||||
+ *
|
||||
+ * Intended to be included directly from utf8_stringprep.c
|
||||
+ */
|
||||
+
|
||||
+/* Unassigned characters in Unicode 6.2 */
|
||||
+static const struct u32_range unassigned[] = {
|
||||
+ { 0x0378, 0x0379 },
|
||||
+ { 0x037F, 0x0383 },
|
||||
+ { 0x038B, 0x038B },
|
||||
+ { 0x038D, 0x038D },
|
||||
+ { 0x03A2, 0x03A2 },
|
||||
+ { 0x0528, 0x0530 },
|
||||
+ { 0x0557, 0x0558 },
|
||||
+ { 0x0560, 0x0560 },
|
||||
+ { 0x0588, 0x0588 },
|
||||
+ { 0x058B, 0x058E },
|
||||
+ { 0x0590, 0x0590 },
|
||||
+ { 0x05C8, 0x05CF },
|
||||
+ { 0x05EB, 0x05EF },
|
||||
+ { 0x05F5, 0x05FF },
|
||||
+ { 0x0605, 0x0605 },
|
||||
+ { 0x061C, 0x061D },
|
||||
+ { 0x070E, 0x070E },
|
||||
+ { 0x074B, 0x074C },
|
||||
+ { 0x07B2, 0x07BF },
|
||||
+ { 0x07FB, 0x07FF },
|
||||
+ { 0x082E, 0x082F },
|
||||
+ { 0x083F, 0x083F },
|
||||
+ { 0x085C, 0x085D },
|
||||
+ { 0x085F, 0x089F },
|
||||
+ { 0x08A1, 0x08A1 },
|
||||
+ { 0x08AD, 0x08E3 },
|
||||
+ { 0x08FF, 0x08FF },
|
||||
+ { 0x0978, 0x0978 },
|
||||
+ { 0x0980, 0x0980 },
|
||||
+ { 0x0984, 0x0984 },
|
||||
+ { 0x098D, 0x098E },
|
||||
+ { 0x0991, 0x0992 },
|
||||
+ { 0x09A9, 0x09A9 },
|
||||
+ { 0x09B1, 0x09B1 },
|
||||
+ { 0x09B3, 0x09B5 },
|
||||
+ { 0x09BA, 0x09BB },
|
||||
+ { 0x09C5, 0x09C6 },
|
||||
+ { 0x09C9, 0x09CA },
|
||||
+ { 0x09CF, 0x09D6 },
|
||||
+ { 0x09D8, 0x09DB },
|
||||
+ { 0x09DE, 0x09DE },
|
||||
+ { 0x09E4, 0x09E5 },
|
||||
+ { 0x09FC, 0x0A00 },
|
||||
+ { 0x0A04, 0x0A04 },
|
||||
+ { 0x0A0B, 0x0A0E },
|
||||
+ { 0x0A11, 0x0A12 },
|
||||
+ { 0x0A29, 0x0A29 },
|
||||
+ { 0x0A31, 0x0A31 },
|
||||
+ { 0x0A34, 0x0A34 },
|
||||
+ { 0x0A37, 0x0A37 },
|
||||
+ { 0x0A3A, 0x0A3B },
|
||||
+ { 0x0A3D, 0x0A3D },
|
||||
+ { 0x0A43, 0x0A46 },
|
||||
+ { 0x0A49, 0x0A4A },
|
||||
+ { 0x0A4E, 0x0A50 },
|
||||
+ { 0x0A52, 0x0A58 },
|
||||
+ { 0x0A5D, 0x0A5D },
|
||||
+ { 0x0A5F, 0x0A65 },
|
||||
+ { 0x0A76, 0x0A80 },
|
||||
+ { 0x0A84, 0x0A84 },
|
||||
+ { 0x0A8E, 0x0A8E },
|
||||
+ { 0x0A92, 0x0A92 },
|
||||
+ { 0x0AA9, 0x0AA9 },
|
||||
+ { 0x0AB1, 0x0AB1 },
|
||||
+ { 0x0AB4, 0x0AB4 },
|
||||
+ { 0x0ABA, 0x0ABB },
|
||||
+ { 0x0AC6, 0x0AC6 },
|
||||
+ { 0x0ACA, 0x0ACA },
|
||||
+ { 0x0ACE, 0x0ACF },
|
||||
+ { 0x0AD1, 0x0ADF },
|
||||
+ { 0x0AE4, 0x0AE5 },
|
||||
+ { 0x0AF2, 0x0B00 },
|
||||
+ { 0x0B04, 0x0B04 },
|
||||
+ { 0x0B0D, 0x0B0E },
|
||||
+ { 0x0B11, 0x0B12 },
|
||||
+ { 0x0B29, 0x0B29 },
|
||||
+ { 0x0B31, 0x0B31 },
|
||||
+ { 0x0B34, 0x0B34 },
|
||||
+ { 0x0B3A, 0x0B3B },
|
||||
+ { 0x0B45, 0x0B46 },
|
||||
+ { 0x0B49, 0x0B4A },
|
||||
+ { 0x0B4E, 0x0B55 },
|
||||
+ { 0x0B58, 0x0B5B },
|
||||
+ { 0x0B5E, 0x0B5E },
|
||||
+ { 0x0B64, 0x0B65 },
|
||||
+ { 0x0B78, 0x0B81 },
|
||||
+ { 0x0B84, 0x0B84 },
|
||||
+ { 0x0B8B, 0x0B8D },
|
||||
+ { 0x0B91, 0x0B91 },
|
||||
+ { 0x0B96, 0x0B98 },
|
||||
+ { 0x0B9B, 0x0B9B },
|
||||
+ { 0x0B9D, 0x0B9D },
|
||||
+ { 0x0BA0, 0x0BA2 },
|
||||
+ { 0x0BA5, 0x0BA7 },
|
||||
+ { 0x0BAB, 0x0BAD },
|
||||
+ { 0x0BBA, 0x0BBD },
|
||||
+ { 0x0BC3, 0x0BC5 },
|
||||
+ { 0x0BC9, 0x0BC9 },
|
||||
+ { 0x0BCE, 0x0BCF },
|
||||
+ { 0x0BD1, 0x0BD6 },
|
||||
+ { 0x0BD8, 0x0BE5 },
|
||||
+ { 0x0BFB, 0x0C00 },
|
||||
+ { 0x0C04, 0x0C04 },
|
||||
+ { 0x0C0D, 0x0C0D },
|
||||
+ { 0x0C11, 0x0C11 },
|
||||
+ { 0x0C29, 0x0C29 },
|
||||
+ { 0x0C34, 0x0C34 },
|
||||
+ { 0x0C3A, 0x0C3C },
|
||||
+ { 0x0C45, 0x0C45 },
|
||||
+ { 0x0C49, 0x0C49 },
|
||||
+ { 0x0C4E, 0x0C54 },
|
||||
+ { 0x0C57, 0x0C57 },
|
||||
+ { 0x0C5A, 0x0C5F },
|
||||
+ { 0x0C64, 0x0C65 },
|
||||
+ { 0x0C70, 0x0C77 },
|
||||
+ { 0x0C80, 0x0C81 },
|
||||
+ { 0x0C84, 0x0C84 },
|
||||
+ { 0x0C8D, 0x0C8D },
|
||||
+ { 0x0C91, 0x0C91 },
|
||||
+ { 0x0CA9, 0x0CA9 },
|
||||
+ { 0x0CB4, 0x0CB4 },
|
||||
+ { 0x0CBA, 0x0CBB },
|
||||
+ { 0x0CC5, 0x0CC5 },
|
||||
+ { 0x0CC9, 0x0CC9 },
|
||||
+ { 0x0CCE, 0x0CD4 },
|
||||
+ { 0x0CD7, 0x0CDD },
|
||||
+ { 0x0CDF, 0x0CDF },
|
||||
+ { 0x0CE4, 0x0CE5 },
|
||||
+ { 0x0CF0, 0x0CF0 },
|
||||
+ { 0x0CF3, 0x0D01 },
|
||||
+ { 0x0D04, 0x0D04 },
|
||||
+ { 0x0D0D, 0x0D0D },
|
||||
+ { 0x0D11, 0x0D11 },
|
||||
+ { 0x0D3B, 0x0D3C },
|
||||
+ { 0x0D45, 0x0D45 },
|
||||
+ { 0x0D49, 0x0D49 },
|
||||
+ { 0x0D4F, 0x0D56 },
|
||||
+ { 0x0D58, 0x0D5F },
|
||||
+ { 0x0D64, 0x0D65 },
|
||||
+ { 0x0D76, 0x0D78 },
|
||||
+ { 0x0D80, 0x0D81 },
|
||||
+ { 0x0D84, 0x0D84 },
|
||||
+ { 0x0D97, 0x0D99 },
|
||||
+ { 0x0DB2, 0x0DB2 },
|
||||
+ { 0x0DBC, 0x0DBC },
|
||||
+ { 0x0DBE, 0x0DBF },
|
||||
+ { 0x0DC7, 0x0DC9 },
|
||||
+ { 0x0DCB, 0x0DCE },
|
||||
+ { 0x0DD5, 0x0DD5 },
|
||||
+ { 0x0DD7, 0x0DD7 },
|
||||
+ { 0x0DE0, 0x0DF1 },
|
||||
+ { 0x0DF5, 0x0E00 },
|
||||
+ { 0x0E3B, 0x0E3E },
|
||||
+ { 0x0E5C, 0x0E80 },
|
||||
+ { 0x0E83, 0x0E83 },
|
||||
+ { 0x0E85, 0x0E86 },
|
||||
+ { 0x0E89, 0x0E89 },
|
||||
+ { 0x0E8B, 0x0E8C },
|
||||
+ { 0x0E8E, 0x0E93 },
|
||||
+ { 0x0E98, 0x0E98 },
|
||||
+ { 0x0EA0, 0x0EA0 },
|
||||
+ { 0x0EA4, 0x0EA4 },
|
||||
+ { 0x0EA6, 0x0EA6 },
|
||||
+ { 0x0EA8, 0x0EA9 },
|
||||
+ { 0x0EAC, 0x0EAC },
|
||||
+ { 0x0EBA, 0x0EBA },
|
||||
+ { 0x0EBE, 0x0EBF },
|
||||
+ { 0x0EC5, 0x0EC5 },
|
||||
+ { 0x0EC7, 0x0EC7 },
|
||||
+ { 0x0ECE, 0x0ECF },
|
||||
+ { 0x0EDA, 0x0EDB },
|
||||
+ { 0x0EE0, 0x0EFF },
|
||||
+ { 0x0F48, 0x0F48 },
|
||||
+ { 0x0F6D, 0x0F70 },
|
||||
+ { 0x0F98, 0x0F98 },
|
||||
+ { 0x0FBD, 0x0FBD },
|
||||
+ { 0x0FCD, 0x0FCD },
|
||||
+ { 0x0FDB, 0x0FFF },
|
||||
+ { 0x10C6, 0x10C6 },
|
||||
+ { 0x10C8, 0x10CC },
|
||||
+ { 0x10CE, 0x10CF },
|
||||
+ { 0x1249, 0x1249 },
|
||||
+ { 0x124E, 0x124F },
|
||||
+ { 0x1257, 0x1257 },
|
||||
+ { 0x1259, 0x1259 },
|
||||
+ { 0x125E, 0x125F },
|
||||
+ { 0x1289, 0x1289 },
|
||||
+ { 0x128E, 0x128F },
|
||||
+ { 0x12B1, 0x12B1 },
|
||||
+ { 0x12B6, 0x12B7 },
|
||||
+ { 0x12BF, 0x12BF },
|
||||
+ { 0x12C1, 0x12C1 },
|
||||
+ { 0x12C6, 0x12C7 },
|
||||
+ { 0x12D7, 0x12D7 },
|
||||
+ { 0x1311, 0x1311 },
|
||||
+ { 0x1316, 0x1317 },
|
||||
+ { 0x135B, 0x135C },
|
||||
+ { 0x137D, 0x137F },
|
||||
+ { 0x139A, 0x139F },
|
||||
+ { 0x13F5, 0x13FF },
|
||||
+ { 0x169D, 0x169F },
|
||||
+ { 0x16F1, 0x16FF },
|
||||
+ { 0x170D, 0x170D },
|
||||
+ { 0x1715, 0x171F },
|
||||
+ { 0x1737, 0x173F },
|
||||
+ { 0x1754, 0x175F },
|
||||
+ { 0x176D, 0x176D },
|
||||
+ { 0x1771, 0x1771 },
|
||||
+ { 0x1774, 0x177F },
|
||||
+ { 0x17DE, 0x17DF },
|
||||
+ { 0x17EA, 0x17EF },
|
||||
+ { 0x17FA, 0x17FF },
|
||||
+ { 0x180F, 0x180F },
|
||||
+ { 0x181A, 0x181F },
|
||||
+ { 0x1878, 0x187F },
|
||||
+ { 0x18AB, 0x18AF },
|
||||
+ { 0x18F6, 0x18FF },
|
||||
+ { 0x191D, 0x191F },
|
||||
+ { 0x192C, 0x192F },
|
||||
+ { 0x193C, 0x193F },
|
||||
+ { 0x1941, 0x1943 },
|
||||
+ { 0x196E, 0x196F },
|
||||
+ { 0x1975, 0x197F },
|
||||
+ { 0x19AC, 0x19AF },
|
||||
+ { 0x19CA, 0x19CF },
|
||||
+ { 0x19DB, 0x19DD },
|
||||
+ { 0x1A1C, 0x1A1D },
|
||||
+ { 0x1A5F, 0x1A5F },
|
||||
+ { 0x1A7D, 0x1A7E },
|
||||
+ { 0x1A8A, 0x1A8F },
|
||||
+ { 0x1A9A, 0x1A9F },
|
||||
+ { 0x1AAE, 0x1AFF },
|
||||
+ { 0x1B4C, 0x1B4F },
|
||||
+ { 0x1B7D, 0x1B7F },
|
||||
+ { 0x1BF4, 0x1BFB },
|
||||
+ { 0x1C38, 0x1C3A },
|
||||
+ { 0x1C4A, 0x1C4C },
|
||||
+ { 0x1C80, 0x1CBF },
|
||||
+ { 0x1CC8, 0x1CCF },
|
||||
+ { 0x1CF7, 0x1CFF },
|
||||
+ { 0x1DE7, 0x1DFB },
|
||||
+ { 0x1F16, 0x1F17 },
|
||||
+ { 0x1F1E, 0x1F1F },
|
||||
+ { 0x1F46, 0x1F47 },
|
||||
+ { 0x1F4E, 0x1F4F },
|
||||
+ { 0x1F58, 0x1F58 },
|
||||
+ { 0x1F5A, 0x1F5A },
|
||||
+ { 0x1F5C, 0x1F5C },
|
||||
+ { 0x1F5E, 0x1F5E },
|
||||
+ { 0x1F7E, 0x1F7F },
|
||||
+ { 0x1FB5, 0x1FB5 },
|
||||
+ { 0x1FC5, 0x1FC5 },
|
||||
+ { 0x1FD4, 0x1FD5 },
|
||||
+ { 0x1FDC, 0x1FDC },
|
||||
+ { 0x1FF0, 0x1FF1 },
|
||||
+ { 0x1FF5, 0x1FF5 },
|
||||
+ { 0x1FFF, 0x1FFF },
|
||||
+ { 0x2065, 0x2069 },
|
||||
+ { 0x2072, 0x2073 },
|
||||
+ { 0x208F, 0x208F },
|
||||
+ { 0x209D, 0x209F },
|
||||
+ { 0x20BB, 0x20CF },
|
||||
+ { 0x20F1, 0x20FF },
|
||||
+ { 0x218A, 0x218F },
|
||||
+ { 0x23F4, 0x23FF },
|
||||
+ { 0x2427, 0x243F },
|
||||
+ { 0x244B, 0x245F },
|
||||
+ { 0x2700, 0x2700 },
|
||||
+ { 0x2B4D, 0x2B4F },
|
||||
+ { 0x2B5A, 0x2BFF },
|
||||
+ { 0x2C2F, 0x2C2F },
|
||||
+ { 0x2C5F, 0x2C5F },
|
||||
+ { 0x2CF4, 0x2CF8 },
|
||||
+ { 0x2D26, 0x2D26 },
|
||||
+ { 0x2D28, 0x2D2C },
|
||||
+ { 0x2D2E, 0x2D2F },
|
||||
+ { 0x2D68, 0x2D6E },
|
||||
+ { 0x2D71, 0x2D7E },
|
||||
+ { 0x2D97, 0x2D9F },
|
||||
+ { 0x2DA7, 0x2DA7 },
|
||||
+ { 0x2DAF, 0x2DAF },
|
||||
+ { 0x2DB7, 0x2DB7 },
|
||||
+ { 0x2DBF, 0x2DBF },
|
||||
+ { 0x2DC7, 0x2DC7 },
|
||||
+ { 0x2DCF, 0x2DCF },
|
||||
+ { 0x2DD7, 0x2DD7 },
|
||||
+ { 0x2DDF, 0x2DDF },
|
||||
+ { 0x2E3C, 0x2E7F },
|
||||
+ { 0x2E9A, 0x2E9A },
|
||||
+ { 0x2EF4, 0x2EFF },
|
||||
+ { 0x2FD6, 0x2FEF },
|
||||
+ { 0x2FFC, 0x2FFF },
|
||||
+ { 0x3040, 0x3040 },
|
||||
+ { 0x3097, 0x3098 },
|
||||
+ { 0x3100, 0x3104 },
|
||||
+ { 0x312E, 0x3130 },
|
||||
+ { 0x318F, 0x318F },
|
||||
+ { 0x31BB, 0x31BF },
|
||||
+ { 0x31E4, 0x31EF },
|
||||
+ { 0x321F, 0x321F },
|
||||
+ { 0x32FF, 0x32FF },
|
||||
+ { 0x4DB6, 0x4DBF },
|
||||
+ { 0x9FA6, 0x9FCB },
|
||||
+ { 0x9FCD, 0x9FFF },
|
||||
+ { 0xA48D, 0xA48F },
|
||||
+ { 0xA4C7, 0xA4CF },
|
||||
+ { 0xA62C, 0xA63F },
|
||||
+ { 0xA698, 0xA69E },
|
||||
+ { 0xA6F8, 0xA6FF },
|
||||
+ { 0xA78F, 0xA78F },
|
||||
+ { 0xA794, 0xA79F },
|
||||
+ { 0xA7AB, 0xA7F7 },
|
||||
+ { 0xA82C, 0xA82F },
|
||||
+ { 0xA83A, 0xA83F },
|
||||
+ { 0xA878, 0xA87F },
|
||||
+ { 0xA8C5, 0xA8CD },
|
||||
+ { 0xA8DA, 0xA8DF },
|
||||
+ { 0xA8FC, 0xA8FF },
|
||||
+ { 0xA954, 0xA95E },
|
||||
+ { 0xA97D, 0xA97F },
|
||||
+ { 0xA9CE, 0xA9CE },
|
||||
+ { 0xA9DA, 0xA9DD },
|
||||
+ { 0xA9E0, 0xA9FF },
|
||||
+ { 0xAA37, 0xAA3F },
|
||||
+ { 0xAA4E, 0xAA4F },
|
||||
+ { 0xAA5A, 0xAA5B },
|
||||
+ { 0xAA7C, 0xAA7F },
|
||||
+ { 0xAAC3, 0xAADA },
|
||||
+ { 0xAAF7, 0xAB00 },
|
||||
+ { 0xAB07, 0xAB08 },
|
||||
+ { 0xAB0F, 0xAB10 },
|
||||
+ { 0xAB17, 0xAB1F },
|
||||
+ { 0xAB27, 0xAB27 },
|
||||
+ { 0xAB2F, 0xABBF },
|
||||
+ { 0xABEE, 0xABEF },
|
||||
+ { 0xABFA, 0xABFF },
|
||||
+ { 0xD7A4, 0xD7AF },
|
||||
+ { 0xD7C7, 0xD7CA },
|
||||
+ { 0xD7FC, 0xD7FF },
|
||||
+ { 0xFA6E, 0xFA6F },
|
||||
+ { 0xFADA, 0xFAFF },
|
||||
+ { 0xFB07, 0xFB12 },
|
||||
+ { 0xFB18, 0xFB1C },
|
||||
+ { 0xFB37, 0xFB37 },
|
||||
+ { 0xFB3D, 0xFB3D },
|
||||
+ { 0xFB3F, 0xFB3F },
|
||||
+ { 0xFB42, 0xFB42 },
|
||||
+ { 0xFB45, 0xFB45 },
|
||||
+ { 0xFBC2, 0xFBD2 },
|
||||
+ { 0xFD40, 0xFD4F },
|
||||
+ { 0xFD90, 0xFD91 },
|
||||
+ { 0xFDC8, 0xFDCF },
|
||||
+ { 0xFDFE, 0xFDFF },
|
||||
+ { 0xFE1A, 0xFE1F },
|
||||
+ { 0xFE27, 0xFE2F },
|
||||
+ { 0xFE53, 0xFE53 },
|
||||
+ { 0xFE67, 0xFE67 },
|
||||
+ { 0xFE6C, 0xFE6F },
|
||||
+ { 0xFE75, 0xFE75 },
|
||||
+ { 0xFEFD, 0xFEFE },
|
||||
+ { 0xFF00, 0xFF00 },
|
||||
+ { 0xFFBF, 0xFFC1 },
|
||||
+ { 0xFFC8, 0xFFC9 },
|
||||
+ { 0xFFD0, 0xFFD1 },
|
||||
+ { 0xFFD8, 0xFFD9 },
|
||||
+ { 0xFFDD, 0xFFDF },
|
||||
+ { 0xFFE7, 0xFFE7 },
|
||||
+ { 0xFFEF, 0xFFF8 },
|
||||
+ { 0x1000C, 0x1000C },
|
||||
+ { 0x10027, 0x10027 },
|
||||
+ { 0x1003B, 0x1003B },
|
||||
+ { 0x1003E, 0x1003E },
|
||||
+ { 0x1004E, 0x1004F },
|
||||
+ { 0x1005E, 0x1007F },
|
||||
+ { 0x100FB, 0x100FF },
|
||||
+ { 0x10103, 0x10106 },
|
||||
+ { 0x10134, 0x10136 },
|
||||
+ { 0x1018B, 0x1018F },
|
||||
+ { 0x1019C, 0x101CF },
|
||||
+ { 0x101FE, 0x1027F },
|
||||
+ { 0x1029D, 0x1029F },
|
||||
+ { 0x102D1, 0x102FF },
|
||||
+ { 0x1031F, 0x1031F },
|
||||
+ { 0x10324, 0x1032F },
|
||||
+ { 0x1034B, 0x1037F },
|
||||
+ { 0x1039E, 0x1039E },
|
||||
+ { 0x103C4, 0x103C7 },
|
||||
+ { 0x103D6, 0x103FF },
|
||||
+ { 0x1049E, 0x1049F },
|
||||
+ { 0x104AA, 0x107FF },
|
||||
+ { 0x10806, 0x10807 },
|
||||
+ { 0x10809, 0x10809 },
|
||||
+ { 0x10836, 0x10836 },
|
||||
+ { 0x10839, 0x1083B },
|
||||
+ { 0x1083D, 0x1083E },
|
||||
+ { 0x10856, 0x10856 },
|
||||
+ { 0x10860, 0x108FF },
|
||||
+ { 0x1091C, 0x1091E },
|
||||
+ { 0x1093A, 0x1093E },
|
||||
+ { 0x10940, 0x1097F },
|
||||
+ { 0x109B8, 0x109BD },
|
||||
+ { 0x109C0, 0x109FF },
|
||||
+ { 0x10A04, 0x10A04 },
|
||||
+ { 0x10A07, 0x10A0B },
|
||||
+ { 0x10A14, 0x10A14 },
|
||||
+ { 0x10A18, 0x10A18 },
|
||||
+ { 0x10A34, 0x10A37 },
|
||||
+ { 0x10A3B, 0x10A3E },
|
||||
+ { 0x10A48, 0x10A4F },
|
||||
+ { 0x10A59, 0x10A5F },
|
||||
+ { 0x10A80, 0x10AFF },
|
||||
+ { 0x10B36, 0x10B38 },
|
||||
+ { 0x10B56, 0x10B57 },
|
||||
+ { 0x10B73, 0x10B77 },
|
||||
+ { 0x10B80, 0x10BFF },
|
||||
+ { 0x10C49, 0x10E5F },
|
||||
+ { 0x10E7F, 0x10FFF },
|
||||
+ { 0x1104E, 0x11051 },
|
||||
+ { 0x11070, 0x1107F },
|
||||
+ { 0x110C2, 0x110CF },
|
||||
+ { 0x110E9, 0x110EF },
|
||||
+ { 0x110FA, 0x110FF },
|
||||
+ { 0x11135, 0x11135 },
|
||||
+ { 0x11144, 0x1117F },
|
||||
+ { 0x111C9, 0x111CF },
|
||||
+ { 0x111DA, 0x1167F },
|
||||
+ { 0x116B8, 0x116BF },
|
||||
+ { 0x116CA, 0x11FFF },
|
||||
+ { 0x1236F, 0x123FF },
|
||||
+ { 0x12463, 0x1246F },
|
||||
+ { 0x12474, 0x12FFF },
|
||||
+ { 0x1342F, 0x167FF },
|
||||
+ { 0x16A39, 0x16EFF },
|
||||
+ { 0x16F45, 0x16F4F },
|
||||
+ { 0x16F7F, 0x16F8E },
|
||||
+ { 0x16FA0, 0x1AFFF },
|
||||
+ { 0x1B002, 0x1CFFF },
|
||||
+ { 0x1D0F6, 0x1D0FF },
|
||||
+ { 0x1D127, 0x1D128 },
|
||||
+ { 0x1D1DE, 0x1D1FF },
|
||||
+ { 0x1D246, 0x1D2FF },
|
||||
+ { 0x1D357, 0x1D35F },
|
||||
+ { 0x1D372, 0x1D3FF },
|
||||
+ { 0x1D455, 0x1D455 },
|
||||
+ { 0x1D49D, 0x1D49D },
|
||||
+ { 0x1D4A0, 0x1D4A1 },
|
||||
+ { 0x1D4A3, 0x1D4A4 },
|
||||
+ { 0x1D4A7, 0x1D4A8 },
|
||||
+ { 0x1D4AD, 0x1D4AD },
|
||||
+ { 0x1D4BA, 0x1D4BA },
|
||||
+ { 0x1D4BC, 0x1D4BC },
|
||||
+ { 0x1D4C4, 0x1D4C4 },
|
||||
+ { 0x1D506, 0x1D506 },
|
||||
+ { 0x1D50B, 0x1D50C },
|
||||
+ { 0x1D515, 0x1D515 },
|
||||
+ { 0x1D51D, 0x1D51D },
|
||||
+ { 0x1D53A, 0x1D53A },
|
||||
+ { 0x1D53F, 0x1D53F },
|
||||
+ { 0x1D545, 0x1D545 },
|
||||
+ { 0x1D547, 0x1D549 },
|
||||
+ { 0x1D551, 0x1D551 },
|
||||
+ { 0x1D6A6, 0x1D6A7 },
|
||||
+ { 0x1D7CC, 0x1D7CD },
|
||||
+ { 0x1D800, 0x1EDFF },
|
||||
+ { 0x1EE04, 0x1EE04 },
|
||||
+ { 0x1EE20, 0x1EE20 },
|
||||
+ { 0x1EE23, 0x1EE23 },
|
||||
+ { 0x1EE25, 0x1EE26 },
|
||||
+ { 0x1EE28, 0x1EE28 },
|
||||
+ { 0x1EE33, 0x1EE33 },
|
||||
+ { 0x1EE38, 0x1EE38 },
|
||||
+ { 0x1EE3A, 0x1EE3A },
|
||||
+ { 0x1EE3C, 0x1EE41 },
|
||||
+ { 0x1EE43, 0x1EE46 },
|
||||
+ { 0x1EE48, 0x1EE48 },
|
||||
+ { 0x1EE4A, 0x1EE4A },
|
||||
+ { 0x1EE4C, 0x1EE4C },
|
||||
+ { 0x1EE50, 0x1EE50 },
|
||||
+ { 0x1EE53, 0x1EE53 },
|
||||
+ { 0x1EE55, 0x1EE56 },
|
||||
+ { 0x1EE58, 0x1EE58 },
|
||||
+ { 0x1EE5A, 0x1EE5A },
|
||||
+ { 0x1EE5C, 0x1EE5C },
|
||||
+ { 0x1EE5E, 0x1EE5E },
|
||||
+ { 0x1EE60, 0x1EE60 },
|
||||
+ { 0x1EE63, 0x1EE63 },
|
||||
+ { 0x1EE65, 0x1EE66 },
|
||||
+ { 0x1EE6B, 0x1EE6B },
|
||||
+ { 0x1EE73, 0x1EE73 },
|
||||
+ { 0x1EE78, 0x1EE78 },
|
||||
+ { 0x1EE7D, 0x1EE7D },
|
||||
+ { 0x1EE7F, 0x1EE7F },
|
||||
+ { 0x1EE8A, 0x1EE8A },
|
||||
+ { 0x1EE9C, 0x1EEA0 },
|
||||
+ { 0x1EEA4, 0x1EEA4 },
|
||||
+ { 0x1EEAA, 0x1EEAA },
|
||||
+ { 0x1EEBC, 0x1EEEF },
|
||||
+ { 0x1EEF2, 0x1EFFF },
|
||||
+ { 0x1F02C, 0x1F02F },
|
||||
+ { 0x1F094, 0x1F09F },
|
||||
+ { 0x1F0AF, 0x1F0B0 },
|
||||
+ { 0x1F0BF, 0x1F0C0 },
|
||||
+ { 0x1F0D0, 0x1F0D0 },
|
||||
+ { 0x1F0E0, 0x1F0FF },
|
||||
+ { 0x1F10B, 0x1F10F },
|
||||
+ { 0x1F12F, 0x1F12F },
|
||||
+ { 0x1F16C, 0x1F16F },
|
||||
+ { 0x1F19B, 0x1F1E5 },
|
||||
+ { 0x1F203, 0x1F20F },
|
||||
+ { 0x1F23B, 0x1F23F },
|
||||
+ { 0x1F249, 0x1F24F },
|
||||
+ { 0x1F252, 0x1F2FF },
|
||||
+ { 0x1F321, 0x1F32F },
|
||||
+ { 0x1F336, 0x1F336 },
|
||||
+ { 0x1F37D, 0x1F37F },
|
||||
+ { 0x1F394, 0x1F39F },
|
||||
+ { 0x1F3C5, 0x1F3C5 },
|
||||
+ { 0x1F3CB, 0x1F3DF },
|
||||
+ { 0x1F3F1, 0x1F3FF },
|
||||
+ { 0x1F43F, 0x1F43F },
|
||||
+ { 0x1F441, 0x1F441 },
|
||||
+ { 0x1F4F8, 0x1F4F8 },
|
||||
+ { 0x1F4FD, 0x1F4FF },
|
||||
+ { 0x1F53E, 0x1F53F },
|
||||
+ { 0x1F544, 0x1F54F },
|
||||
+ { 0x1F568, 0x1F5FA },
|
||||
+ { 0x1F641, 0x1F644 },
|
||||
+ { 0x1F650, 0x1F67F },
|
||||
+ { 0x1F6C6, 0x1F6FF },
|
||||
+ { 0x1F774, 0x1FFFD },
|
||||
+ { 0x2A6D7, 0x2A6FF },
|
||||
+ { 0x2A701, 0x2B733 },
|
||||
+ { 0x2B735, 0x2B73F },
|
||||
+ { 0x2B741, 0x2B81C },
|
||||
+ { 0x2B81E, 0x2F7FF },
|
||||
+ { 0x2FA1E, 0x2FFFD },
|
||||
+ { 0x30000, 0x3FFFD },
|
||||
+ { 0x40000, 0x4FFFD },
|
||||
+ { 0x50000, 0x5FFFD },
|
||||
+ { 0x60000, 0x6FFFD },
|
||||
+ { 0x70000, 0x7FFFD },
|
||||
+ { 0x80000, 0x8FFFD },
|
||||
+ { 0x90000, 0x9FFFD },
|
||||
+ { 0xA0000, 0xAFFFD },
|
||||
+ { 0xB0000, 0xBFFFD },
|
||||
+ { 0xC0000, 0xCFFFD },
|
||||
+ { 0xD0000, 0xDFFFD },
|
||||
+ { 0xE0000, 0xE0000 },
|
||||
+ { 0xE0002, 0xE001F },
|
||||
+ { 0xE0080, 0xE00FF },
|
||||
+ { 0xE01F0, 0xEFFFD },
|
||||
+};
|
||||
+
|
||||
+/* RFC3454 Table B.1 */
|
||||
+static const struct u32_range map_to_nothing[] = {
|
||||
+ { 0x00AD, 0x00AD },
|
||||
+ { 0x034F, 0x034F },
|
||||
+ { 0x1806, 0x1806 },
|
||||
+ { 0x180B, 0x180D },
|
||||
+ { 0x200B, 0x200D },
|
||||
+ { 0x2060, 0x2060 },
|
||||
+ { 0xFE00, 0xFE0F },
|
||||
+ { 0xFEFF, 0xFEFF },
|
||||
+};
|
||||
+
|
||||
+/* Local: allow tab, CR and LF */
|
||||
+static const struct u32_range whitelist[] = {
|
||||
+ { 0x09, 0x09 },
|
||||
+ { 0x0a, 0x0a },
|
||||
+ { 0x0d, 0x0d },
|
||||
+};
|
||||
+
|
||||
+/* RFC3454 Tables in appendix C */
|
||||
+static const struct u32_range prohibited[] = {
|
||||
+ /* C.2.1 ASCII control characters */
|
||||
+ { 0x0000, 0x001F },
|
||||
+ { 0x007F, 0x007F },
|
||||
+ /* C.2.2 Non-ASCII control characters */
|
||||
+ { 0x0080, 0x009F },
|
||||
+ { 0x06DD, 0x06DD },
|
||||
+ { 0x070F, 0x070F },
|
||||
+ { 0x180E, 0x180E },
|
||||
+ { 0x200C, 0x200C },
|
||||
+ { 0x200D, 0x200D },
|
||||
+ { 0x2028, 0x2028 },
|
||||
+ { 0x2029, 0x2029 },
|
||||
+ { 0x2060, 0x2060 },
|
||||
+ { 0x2061, 0x2061 },
|
||||
+ { 0x2062, 0x2062 },
|
||||
+ { 0x2063, 0x2063 },
|
||||
+ { 0x206A, 0x206F },
|
||||
+ { 0xFEFF, 0xFEFF },
|
||||
+ { 0xFFF9, 0xFFFC },
|
||||
+ { 0x1D173, 0x1D17A },
|
||||
+ /* C.3 Private use */
|
||||
+ { 0xE000, 0xF8FF },
|
||||
+ { 0xF0000, 0xFFFFD },
|
||||
+ { 0x100000, 0x10FFFD },
|
||||
+ /* C.4 Non-character code points */
|
||||
+ { 0xFDD0, 0xFDEF },
|
||||
+ { 0xFFFE, 0xFFFF },
|
||||
+ { 0x1FFFE, 0x1FFFF },
|
||||
+ { 0x2FFFE, 0x2FFFF },
|
||||
+ { 0x3FFFE, 0x3FFFF },
|
||||
+ { 0x4FFFE, 0x4FFFF },
|
||||
+ { 0x5FFFE, 0x5FFFF },
|
||||
+ { 0x6FFFE, 0x6FFFF },
|
||||
+ { 0x7FFFE, 0x7FFFF },
|
||||
+ { 0x8FFFE, 0x8FFFF },
|
||||
+ { 0x9FFFE, 0x9FFFF },
|
||||
+ { 0xAFFFE, 0xAFFFF },
|
||||
+ { 0xBFFFE, 0xBFFFF },
|
||||
+ { 0xCFFFE, 0xCFFFF },
|
||||
+ { 0xDFFFE, 0xDFFFF },
|
||||
+ { 0xEFFFE, 0xEFFFF },
|
||||
+ { 0xFFFFE, 0xFFFFF },
|
||||
+ { 0x10FFFE, 0x10FFFF },
|
||||
+ /* C.5 Surrogate codes */
|
||||
+ { 0xD800, 0xDFFF },
|
||||
+ /* C.6 Inappropriate for plain text */
|
||||
+ { 0xFFF9, 0xFFF9 },
|
||||
+ { 0xFFFA, 0xFFFA },
|
||||
+ { 0xFFFB, 0xFFFB },
|
||||
+ { 0xFFFC, 0xFFFC },
|
||||
+ { 0xFFFD, 0xFFFD },
|
||||
+ /* C.7 Inappropriate for canonical representation */
|
||||
+ { 0x2FF0, 0x2FFB },
|
||||
+ /* C.8 Change display properties or are deprecated */
|
||||
+ { 0x0340, 0x0340 },
|
||||
+ { 0x0341, 0x0341 },
|
||||
+ { 0x200E, 0x200E },
|
||||
+ { 0x200F, 0x200F },
|
||||
+ { 0x202A, 0x202A },
|
||||
+ { 0x202B, 0x202B },
|
||||
+ { 0x202C, 0x202C },
|
||||
+ { 0x202D, 0x202D },
|
||||
+ { 0x202E, 0x202E },
|
||||
+ { 0x206A, 0x206A },
|
||||
+ { 0x206B, 0x206B },
|
||||
+ { 0x206C, 0x206C },
|
||||
+ { 0x206D, 0x206D },
|
||||
+ { 0x206E, 0x206E },
|
||||
+ { 0x206F, 0x206F },
|
||||
+ /* C.9 Tagging characters */
|
||||
+ { 0xE0001, 0xE0001 },
|
||||
+ { 0xE0020, 0xE007F },
|
||||
+};
|
||||
+
|
||||
diff -up openssh-6.8p1/utf8_stringprep.c.utf8-banner openssh-6.8p1/utf8_stringprep.c
|
||||
--- openssh-6.8p1/utf8_stringprep.c.utf8-banner 2015-03-18 12:41:28.175713185 +0100
|
||||
+++ openssh-6.8p1/utf8_stringprep.c 2015-03-18 12:41:28.175713185 +0100
|
||||
@@ -0,0 +1,265 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * This is a simple RFC3454 stringprep profile to sanitise UTF-8 strings
|
||||
+ * from untrusted sources.
|
||||
+ *
|
||||
+ * It is intended to be used prior to display of untrusted strings only.
|
||||
+ * It should not be used for logging because of bi-di ambiguity. It
|
||||
+ * should also not be used in any case where lack of normalisation may
|
||||
+ * cause problems.
|
||||
+ *
|
||||
+ * This profile uses the prohibition and mapping tables from RFC3454
|
||||
+ * (listed below) but the unassigned character table has been updated to
|
||||
+ * Unicode 6.2. It uses a local whitelist of whitespace characters (\n,
|
||||
+ * \a and \t). Unicode normalisation and bi-di testing are not used.
|
||||
+ *
|
||||
+ * XXX: implement bi-di handling (needed for logs)
|
||||
+ * XXX: implement KC normalisation (needed for passing to libs/syscalls)
|
||||
+ */
|
||||
+
|
||||
+#include <sys/types.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <limits.h>
|
||||
+#include <ctype.h>
|
||||
+#include <langinfo.h>
|
||||
+#include <locale.h>
|
||||
+
|
||||
+#include "includes.h"
|
||||
+#include "misc.h"
|
||||
+#include "log.h"
|
||||
+
|
||||
+struct u32_range {
|
||||
+ u_int32_t lo, hi; /* Inclusive */
|
||||
+};
|
||||
+
|
||||
+#include "stringprep-tables.c"
|
||||
+
|
||||
+/* Returns 1 if code 'c' appears in the table or 0 otherwise */
|
||||
+static int
|
||||
+code_in_table(u_int32_t c, const struct u32_range *table, size_t tlen)
|
||||
+{
|
||||
+ const struct u32_range *e, *end = (void *)(tlen + (char *)table);
|
||||
+
|
||||
+ for (e = table; e < end; e++) {
|
||||
+ if (c >= e->lo && c <= e->hi)
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Decode the next valid UCS character from a UTF-8 string, skipping past bad
|
||||
+ * codes. Returns the decoded character or 0 for end-of-string and updates
|
||||
+ * nextc to point to the start of the next character (if any).
|
||||
+ * had_error is set if an invalid code was encountered.
|
||||
+ */
|
||||
+static u_int32_t
|
||||
+decode_utf8(const char *in, const char **nextc, int *had_error)
|
||||
+{
|
||||
+ int state = 0;
|
||||
+ size_t i;
|
||||
+ u_int32_t c, e;
|
||||
+
|
||||
+ e = c = 0;
|
||||
+ for (i = 0; in[i] != '\0'; i++) {
|
||||
+ e = (u_char)in[i];
|
||||
+ /* Invalid code point state */
|
||||
+ if (state == -1) {
|
||||
+ /*
|
||||
+ * Continue eating continuation characters until
|
||||
+ * a new start character comes along.
|
||||
+ */
|
||||
+ if ((e & 0xc0) == 0x80)
|
||||
+ continue;
|
||||
+ state = 0;
|
||||
+ }
|
||||
+
|
||||
+ /* New code point state */
|
||||
+ if (state == 0) {
|
||||
+ if ((e & 0x80) == 0) { /* 7 bit code */
|
||||
+ c = e & 0x7f;
|
||||
+ goto have_code;
|
||||
+ } else if ((e & 0xe0) == 0xc0) { /* 11 bit code point */
|
||||
+ state = 1;
|
||||
+ c = (e & 0x1f) << 6;
|
||||
+ } else if ((e & 0xf0) == 0xe0) { /* 16 bit code point */
|
||||
+ state = 2;
|
||||
+ c = (e & 0xf) << 12;
|
||||
+ } else if ((e & 0xf8) == 0xf0) { /* 21 bit code point */
|
||||
+ state = 3;
|
||||
+ c = (e & 0x7) << 18;
|
||||
+ } else {
|
||||
+ /* A five or six byte header, or 0xff */
|
||||
+ goto bad_encoding;
|
||||
+ }
|
||||
+ /*
|
||||
+ * Check that the header byte has some non-zero data
|
||||
+ * after masking off the length marker. If not it is
|
||||
+ * an invalid encoding.
|
||||
+ */
|
||||
+ if (c == 0) {
|
||||
+ bad_encoding:
|
||||
+ c = 0;
|
||||
+ state = -1;
|
||||
+ if (had_error != NULL)
|
||||
+ *had_error = 1;
|
||||
+ }
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ /* Sanity check: should never happen */
|
||||
+ if (state < 1 || state > 5) {
|
||||
+ *nextc = NULL;
|
||||
+ if (had_error != NULL)
|
||||
+ *had_error = 1;
|
||||
+ return 0;
|
||||
+ }
|
||||
+ /* Multibyte code point state */
|
||||
+ state--;
|
||||
+ c |= (e & 0x3f) << (state * 6);
|
||||
+ if (state > 0)
|
||||
+ continue;
|
||||
+
|
||||
+ /* RFC3629 bans codepoints > U+10FFFF */
|
||||
+ if (c > 0x10FFFF) {
|
||||
+ if (had_error != NULL)
|
||||
+ *had_error = 1;
|
||||
+ continue;
|
||||
+ }
|
||||
+ have_code:
|
||||
+ *nextc = in + i + 1;
|
||||
+ return c;
|
||||
+ }
|
||||
+ if (state != 0 && had_error != NULL)
|
||||
+ *had_error = 1;
|
||||
+ *nextc = in + i;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Attempt to encode a UCS character as a UTF-8 sequence. Returns the number
|
||||
+ * of characters used or -1 on error (insufficient space or bad code).
|
||||
+ */
|
||||
+static int
|
||||
+encode_utf8(u_int32_t c, char *s, size_t slen)
|
||||
+{
|
||||
+ size_t i, need;
|
||||
+ u_char h;
|
||||
+
|
||||
+ if (c < 0x80) {
|
||||
+ if (slen >= 1) {
|
||||
+ s[0] = (char)c;
|
||||
+ }
|
||||
+ return 1;
|
||||
+ } else if (c < 0x800) {
|
||||
+ need = 2;
|
||||
+ h = 0xc0;
|
||||
+ } else if (c < 0x10000) {
|
||||
+ need = 3;
|
||||
+ h = 0xe0;
|
||||
+ } else if (c < 0x200000) {
|
||||
+ need = 4;
|
||||
+ h = 0xf0;
|
||||
+ } else {
|
||||
+ /* Invalid code point > U+10FFFF */
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (need > slen)
|
||||
+ return -1;
|
||||
+ for (i = 0; i < need; i++) {
|
||||
+ s[i] = (i == 0 ? h : 0x80);
|
||||
+ s[i] |= (c >> (need - i - 1) * 6) & 0x3f;
|
||||
+ }
|
||||
+ return need;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+/*
|
||||
+ * Normalise a UTF-8 string using the RFC3454 stringprep algorithm.
|
||||
+ * Returns 0 on success or -1 on failure (prohibited code or insufficient
|
||||
+ * length in the output string.
|
||||
+ * Requires an output buffer at most the same length as the input.
|
||||
+ */
|
||||
+int
|
||||
+utf8_stringprep(const char *in, char *out, size_t olen)
|
||||
+{
|
||||
+ int r;
|
||||
+ size_t o;
|
||||
+ u_int32_t c;
|
||||
+
|
||||
+ if (olen < 1)
|
||||
+ return -1;
|
||||
+
|
||||
+ for (o = 0; (c = decode_utf8(in, &in, NULL)) != 0;) {
|
||||
+ /* Mapping */
|
||||
+ if (code_in_table(c, map_to_nothing, sizeof(map_to_nothing)))
|
||||
+ continue;
|
||||
+
|
||||
+ /* Prohibitied output */
|
||||
+ if (code_in_table(c, prohibited, sizeof(prohibited)) &&
|
||||
+ !code_in_table(c, whitelist, sizeof(whitelist)))
|
||||
+ return -1;
|
||||
+
|
||||
+ /* Map unassigned code points to U+FFFD */
|
||||
+ if (code_in_table(c, unassigned, sizeof(unassigned)))
|
||||
+ c = 0xFFFD;
|
||||
+
|
||||
+ /* Encode the character */
|
||||
+ r = encode_utf8(c, out + o, olen - o - 1);
|
||||
+ if (r < 0)
|
||||
+ return -1;
|
||||
+ o += r;
|
||||
+ }
|
||||
+ out[o] = '\0';
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/* Check whether we can display UTF-8 safely */
|
||||
+int
|
||||
+utf8_ok(void)
|
||||
+{
|
||||
+ static int ret = -1;
|
||||
+ char *cp;
|
||||
+
|
||||
+ if (ret == -1) {
|
||||
+ setlocale(LC_CTYPE, "");
|
||||
+ cp = nl_langinfo(CODESET);
|
||||
+ ret = strcmp(cp, "UTF-8") == 0;
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+sanitize_utf8(char *target, const char *source, size_t length)
|
||||
+{
|
||||
+ u_int done = 0;
|
||||
+ if (utf8_ok()) {
|
||||
+ if (utf8_stringprep(source, target, length * 4 + 1) == 0)
|
||||
+ done = 1;
|
||||
+ else
|
||||
+ debug2("%s: UTF8 stringprep failed", __func__);
|
||||
+ }
|
||||
+ /*
|
||||
+ * Fallback to strnvis if UTF8 display not supported or
|
||||
+ * conversion failed.
|
||||
+ */
|
||||
+ if (!done)
|
||||
+ strnvis(target, source, length * 4 + 1, VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
|
||||
+}
|
@ -1,15 +1,15 @@
|
||||
diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-serv-krb5.c
|
||||
--- openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
|
||||
+++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 15:18:40.628216102 +0100
|
||||
@@ -279,7 +279,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
diff -up openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.0p1/gss-serv-krb5.c
|
||||
--- openssh-7.0p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200
|
||||
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:27:44.047407912 +0200
|
||||
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
FILE *fp;
|
||||
char file[MAXPATHLEN];
|
||||
char *line = NULL;
|
||||
char line[BUFSIZ] = "";
|
||||
- char kuser[65]; /* match krb5_kuserok() */
|
||||
struct stat st;
|
||||
struct passwd *pw = the_authctxt->pw;
|
||||
int found_principal = 0;
|
||||
@@ -288,7 +287,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
|
||||
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
/* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
@ -18,53 +18,51 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-7.4p1/gss-ser
|
||||
return ssh_krb5_kuserok(krb_context, principal, luser,
|
||||
k5login_exists);
|
||||
}
|
||||
diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.GSSAPIEnablek5users 2016-12-23 15:18:40.615216100 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:35:36.354401156 +0100
|
||||
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
|
||||
options->gss_store_rekey = -1;
|
||||
options->gss_kex_algorithms = NULL;
|
||||
diff -up openssh-7.0p1/servconf.c.GSSAPIEnablek5users openssh-7.0p1/servconf.c
|
||||
--- openssh-7.0p1/servconf.c.GSSAPIEnablek5users 2015-08-12 11:27:44.036407930 +0200
|
||||
+++ openssh-7.0p1/servconf.c 2015-08-12 11:28:49.087306430 +0200
|
||||
@@ -173,6 +173,7 @@ initialize_server_options(ServerOptions
|
||||
options->version_addendum = NULL;
|
||||
options->fingerprint_hash = -1;
|
||||
options->use_kuserok = -1;
|
||||
+ options->enable_k5users = -1;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
|
||||
#endif
|
||||
if (options->use_kuserok == -1)
|
||||
options->use_kuserok = 1;
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
@@ -351,6 +352,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ if (options->enable_k5users == -1)
|
||||
+ options->enable_k5users = 0;
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -418,7 +421,7 @@ typedef enum {
|
||||
if (options->use_kuserok == -1)
|
||||
options->use_kuserok = 1;
|
||||
|
||||
@@ -423,7 +426,7 @@ typedef enum {
|
||||
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
|
||||
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||
sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
|
||||
sAcceptEnv, sSetEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
|
||||
@@ -497,14 +500,16 @@ static struct {
|
||||
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
@@ -502,12 +505,14 @@ static struct {
|
||||
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
{ "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
|
||||
+ { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1653,6 +1658,10 @@ process_server_config_line(ServerOptions
|
||||
@@ -1680,6 +1685,10 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->use_kuserok;
|
||||
goto parse_flag;
|
||||
|
||||
@ -72,57 +70,59 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
|
||||
+ intptr = &options->enable_k5users;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitListen:
|
||||
case sPermitOpen:
|
||||
if (opcode == sPermitListen) {
|
||||
@@ -2026,6 +2035,7 @@ copy_set_server_options(ServerOptions *d
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -2035,6 +2044,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
M_CP_INTOPT(use_kuserok);
|
||||
+ M_CP_INTOPT(enable_k5users);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
M_CP_INTOPT(log_level);
|
||||
@@ -2320,6 +2330,7 @@ dump_config(ServerOptions *o)
|
||||
# endif
|
||||
dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
|
||||
|
||||
@@ -2317,6 +2327,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
|
||||
#endif
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
diff -up openssh-7.4p1/servconf.h.GSSAPIEnablek5users openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 15:18:40.629216102 +0100
|
||||
@@ -174,6 +174,7 @@ typedef struct {
|
||||
int kerberos_unique_ccache; /* If true, the acquired ticket will
|
||||
* be stored in per-session ccache */
|
||||
int use_kuserok;
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-7.0p1/servconf.h.GSSAPIEnablek5users openssh-7.0p1/servconf.h
|
||||
--- openssh-7.0p1/servconf.h.GSSAPIEnablek5users 2015-08-12 11:27:44.022407951 +0200
|
||||
+++ openssh-7.0p1/servconf.h 2015-08-12 11:27:44.048407911 +0200
|
||||
@@ -180,7 +180,8 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
- int use_kuserok;
|
||||
+ int use_kuserok;
|
||||
+ int enable_k5users;
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
diff -up openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.GSSAPIEnablek5users 2016-12-23 15:18:40.630216103 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:36:21.607408435 +0100
|
||||
@@ -628,6 +628,12 @@ Specifies whether to automatically destr
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users openssh-7.0p1/sshd_config.5
|
||||
--- openssh-7.0p1/sshd_config.5.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200
|
||||
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:27:44.048407911 +0200
|
||||
@@ -633,6 +633,12 @@ on logout.
|
||||
on logout.
|
||||
The default is
|
||||
.Cm yes .
|
||||
.Dq yes .
|
||||
+.It Cm GSSAPIEnablek5users
|
||||
+Specifies whether to look at .k5users file for GSSAPI authentication
|
||||
+access control. Further details are described in
|
||||
+.Xr ksu 1 .
|
||||
+The default is
|
||||
+.Cm no .
|
||||
.It Cm GSSAPIKeyExchange
|
||||
Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange
|
||||
doesn't rely on ssh keys to verify host identity.
|
||||
diff -up openssh-7.4p1/sshd_config.GSSAPIEnablek5users openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.GSSAPIEnablek5users 2016-12-23 15:18:40.616216100 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2016-12-23 15:18:40.631216103 +0100
|
||||
@@ -80,6 +80,7 @@ GSSAPIAuthentication yes
|
||||
#GSSAPICleanupCredentials yes
|
||||
+.Dq no .
|
||||
.It Cm GSSAPIStrictAcceptorCheck
|
||||
Determines whether to be strict about the identity of the GSSAPI acceptor
|
||||
a client authenticates against.
|
||||
diff -up openssh-7.0p1/sshd_config.GSSAPIEnablek5users openssh-7.0p1/sshd_config
|
||||
--- openssh-7.0p1/sshd_config.GSSAPIEnablek5users 2015-08-12 11:27:44.023407950 +0200
|
||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:27:44.048407911 +0200
|
||||
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials no
|
||||
#GSSAPIStrictAcceptorCheck yes
|
||||
#GSSAPIKeyExchange no
|
||||
+#GSSAPIEnablek5users no
|
||||
|
@ -1,19 +1,20 @@
|
||||
diff -up openssh/sshd.c.ip-opts openssh/sshd.c
|
||||
--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200
|
||||
+++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200
|
||||
@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
|
||||
|
||||
if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
|
||||
diff --git a/canohost.c b/canohost.c
|
||||
index a61a8c9..97ce58c 100644
|
||||
--- a/canohost.c
|
||||
+++ b/canohost.c
|
||||
@@ -165,12 +165,29 @@ check_ip_options(int sock, char *ipaddr)
|
||||
option_size = sizeof(options);
|
||||
if (getsockopt(sock, ipproto, IP_OPTIONS, options,
|
||||
&option_size) >= 0 && option_size != 0) {
|
||||
- text[0] = '\0';
|
||||
- for (i = 0; i < option_size; i++)
|
||||
- snprintf(text + i*3, sizeof(text) - i*3,
|
||||
- " %2.2x", opts[i]);
|
||||
- fatal("Connection from %.100s port %d with IP opts: %.800s",
|
||||
- ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
|
||||
- " %2.2x", options[i]);
|
||||
- fatal("Connection from %.100s with IP options:%.800s",
|
||||
- ipaddr, text);
|
||||
+ i = 0;
|
||||
+ do {
|
||||
+ switch (opts[i]) {
|
||||
+ switch (options[i]) {
|
||||
+ case 0:
|
||||
+ case 1:
|
||||
+ ++i;
|
||||
@ -21,7 +22,7 @@ diff -up openssh/sshd.c.ip-opts openssh/sshd.c
|
||||
+ case 130:
|
||||
+ case 133:
|
||||
+ case 134:
|
||||
+ i += opts[i + 1];
|
||||
+ i += options[i + 1];
|
||||
+ break;
|
||||
+ default:
|
||||
+ /* Fail, fatally, if we detect either loose or strict
|
||||
@ -29,11 +30,11 @@ diff -up openssh/sshd.c.ip-opts openssh/sshd.c
|
||||
+ text[0] = '\0';
|
||||
+ for (i = 0; i < option_size; i++)
|
||||
+ snprintf(text + i*3, sizeof(text) - i*3,
|
||||
+ " %2.2x", opts[i]);
|
||||
+ fatal("Connection from %.100s port %d with IP options:%.800s",
|
||||
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
|
||||
+ " %2.2x", options[i]);
|
||||
+ fatal("Connection from %.100s with IP options:%.800s",
|
||||
+ ipaddr, text);
|
||||
+ }
|
||||
+ } while (i < option_size);
|
||||
}
|
||||
return;
|
||||
#endif /* IP_OPTIONS */
|
||||
}
|
||||
|
@ -2,35 +2,35 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
||||
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
|
||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
|
||||
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
.SUFFIXES: .lo
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
|
||||
|
||||
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -326,6 +330,7 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
@ -39,7 +39,7 @@ diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
|
||||
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
|
||||
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
|
||||
@@ -0,0 +1,215 @@
|
||||
@@ -0,0 +1,208 @@
|
||||
+/*
|
||||
+ *
|
||||
+ * invocation (all of the following are equal):
|
||||
@ -60,7 +60,6 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "log.h"
|
||||
+#include "ssherr.h"
|
||||
+#include "cipher.h"
|
||||
+
|
||||
+/* compatibility with old or broken OpenSSL versions */
|
||||
@ -143,13 +142,13 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
+{
|
||||
+
|
||||
+ const struct sshcipher *c;
|
||||
+ struct sshcipher_ctx *cc;
|
||||
+ struct sshcipher_ctx cc;
|
||||
+ char *algo = "aes128-ctr";
|
||||
+ char *hexkey = NULL;
|
||||
+ char *hexiv = "00000000000000000000000000000000";
|
||||
+ char *hexdata = NULL;
|
||||
+ char *p;
|
||||
+ int i, r;
|
||||
+ int i;
|
||||
+ int encrypt = 1;
|
||||
+ void *key;
|
||||
+ size_t keylen;
|
||||
@ -187,7 +186,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
+ usage();
|
||||
+ }
|
||||
+
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+
|
||||
+ c = cipher_by_name(algo);
|
||||
+ if (c == NULL) {
|
||||
@ -222,10 +221,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
|
||||
+ fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
|
||||
+ return 2;
|
||||
+ }
|
||||
+ cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
|
||||
+
|
||||
+ free(key);
|
||||
+ free(iv);
|
||||
@ -236,14 +232,11 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
+ if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
|
||||
+ fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
|
||||
+ return 2;
|
||||
+ }
|
||||
+ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
|
||||
+
|
||||
+ free(data);
|
||||
+
|
||||
+ cipher_free(cc);
|
||||
+ cipher_cleanup(&cc);
|
||||
+
|
||||
+ for (p = outdata; datalen > 0; ++p, --datalen) {
|
||||
+ printf("%02X", (unsigned char)*p);
|
||||
|
282
openssh-6.6p1-entropy.patch
Normal file
282
openssh-6.6p1-entropy.patch
Normal file
@ -0,0 +1,282 @@
|
||||
diff --git a/entropy.c b/entropy.c
|
||||
index 1e9d52a..d24e724 100644
|
||||
--- a/entropy.c
|
||||
+++ b/entropy.c
|
||||
@@ -227,6 +227,9 @@ seed_rng(void)
|
||||
memset(buf, '\0', sizeof(buf));
|
||||
|
||||
#endif /* OPENSSL_PRNG_ONLY */
|
||||
+#ifdef __linux__
|
||||
+ linux_seed();
|
||||
+#endif /* __linux__ */
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
|
||||
index 843225d..041bbab 100644
|
||||
--- a/openbsd-compat/Makefile.in
|
||||
+++ b/openbsd-compat/Makefile.in
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
|
||||
new file mode 100644
|
||||
index 0000000..da84bf2
|
||||
--- /dev/null
|
||||
+++ b/openbsd-compat/port-linux-prng.c
|
||||
@@ -0,0 +1,59 @@
|
||||
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
|
||||
+
|
||||
+/*
|
||||
+ * Copyright (c) 2011 Jan F. Chadima <jchadima@redhat.com>
|
||||
+ *
|
||||
+ * Permission to use, copy, modify, and distribute this software for any
|
||||
+ * purpose with or without fee is hereby granted, provided that the above
|
||||
+ * copyright notice and this permission notice appear in all copies.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+/*
|
||||
+ * Linux-specific portability code - prng support
|
||||
+ */
|
||||
+
|
||||
+#include "includes.h"
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <openssl/rand.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+
|
||||
+void
|
||||
+linux_seed(void)
|
||||
+{
|
||||
+ char *env = getenv("SSH_USE_STRONG_RNG");
|
||||
+ char *random = "/dev/random";
|
||||
+ size_t len, ienv, randlen = 14;
|
||||
+
|
||||
+ if (!env || !strcmp(env, "0"))
|
||||
+ random = "/dev/urandom";
|
||||
+ else if ((ienv = atoi(env)) > randlen)
|
||||
+ randlen = ienv;
|
||||
+
|
||||
+ errno = 0;
|
||||
+ if ((len = RAND_load_file(random, randlen)) != randlen) {
|
||||
+ if (errno)
|
||||
+ fatal ("cannot read from %s, %s", random, strerror(errno));
|
||||
+ else
|
||||
+ fatal ("EOF reading %s", random);
|
||||
+ }
|
||||
+}
|
||||
diff --git a/ssh-add.0 b/ssh-add.0
|
||||
index f16165a..17d22cf 100644
|
||||
--- a/ssh-add.0
|
||||
+++ b/ssh-add.0
|
||||
@@ -82,6 +82,16 @@ ENVIRONMENT
|
||||
Identifies the path of a UNIX-domain socket used to communicate
|
||||
with the agent.
|
||||
|
||||
+ SSH_USE_STRONG_RNG
|
||||
+ The reseeding of the OpenSSL random generator is usually done
|
||||
+ from /dev/urandom. If the SSH_USE_STRONG_RNG environment vari-
|
||||
+ able is set to value other than 0 the OpenSSL random generator is
|
||||
+ reseeded from /dev/random. The number of bytes read is defined
|
||||
+ by the SSH_USE_STRONG_RNG value. Minimum is 14 bytes. This set-
|
||||
+ ting is not recommended on the computers without the hardware
|
||||
+ random generator because insufficient entropy causes the connec-
|
||||
+ tion to be blocked until enough entropy is available.
|
||||
+
|
||||
FILES
|
||||
~/.ssh/identity
|
||||
Contains the protocol version 1 RSA authentication identity of
|
||||
diff --git a/ssh-add.1 b/ssh-add.1
|
||||
index 04d1840..db883a4 100644
|
||||
--- a/ssh-add.1
|
||||
+++ b/ssh-add.1
|
||||
@@ -170,6 +170,20 @@ to make this work.)
|
||||
Identifies the path of a
|
||||
.Ux Ns -domain
|
||||
socket used to communicate with the agent.
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
||||
index d7e791b..7332f0d 100644
|
||||
--- a/ssh-agent.1
|
||||
+++ b/ssh-agent.1
|
||||
@@ -189,6 +189,24 @@ sockets used to contain the connection to the authentication agent.
|
||||
These sockets should only be readable by the owner.
|
||||
The sockets should get automatically removed when the agent exits.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||||
index 276dacc..a09d9b1 100644
|
||||
--- a/ssh-keygen.1
|
||||
+++ b/ssh-keygen.1
|
||||
@@ -841,6 +841,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
diff --git a/ssh-keysign.8 b/ssh-keysign.8
|
||||
index 69d0829..02d79f8 100644
|
||||
--- a/ssh-keysign.8
|
||||
+++ b/ssh-keysign.8
|
||||
@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used.
|
||||
If these files exist they are assumed to contain public certificate
|
||||
information corresponding with the private keys above.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index 4a476c2..410a04a 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -1299,6 +1299,23 @@ For more information, see the
|
||||
.Cm PermitUserEnvironment
|
||||
option in
|
||||
.Xr sshd_config 5 .
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.It Ev SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Pa ~/.rhosts
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index cb866b5..adcaaf9 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -945,6 +945,24 @@ concurrently for different ports, this contains the process ID of the one
|
||||
started last).
|
||||
The content of this file is not sensitive; it can be world-readable.
|
||||
.El
|
||||
+.Sh ENVIRONMENT
|
||||
+.Bl -tag -width Ds -compact
|
||||
+.Pp
|
||||
+.It Pa SSH_USE_STRONG_RNG
|
||||
+The reseeding of the OpenSSL random generator is usually done from
|
||||
+.Cm /dev/urandom .
|
||||
+If the
|
||||
+.Cm SSH_USE_STRONG_RNG
|
||||
+environment variable is set to value other than
|
||||
+.Cm 0
|
||||
+the OpenSSL random generator is reseeded from
|
||||
+.Cm /dev/random .
|
||||
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value.
|
||||
+Minimum is 14 bytes.
|
||||
+This setting is not recommended on the computers without the hardware
|
||||
+random generator because insufficient entropy causes the connection to
|
||||
+be blocked until enough entropy is available.
|
||||
+.El
|
||||
.Sh IPV6
|
||||
IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
|
||||
.Sh SEE ALSO
|
@ -11,9 +11,9 @@ index 413b845..54dd383 100644
|
||||
+#include <unistd.h>
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "sshkey.h"
|
||||
#include "key.h"
|
||||
@@ -45,6 +47,7 @@
|
||||
|
||||
#include "buffer.h"
|
||||
#include "ssh-gss.h"
|
||||
|
||||
+extern Authctxt *the_authctxt;
|
||||
@ -66,7 +66,7 @@ index 413b845..54dd383 100644
|
||||
} else
|
||||
retval = 0;
|
||||
|
||||
@@ -110,6 +133,137 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
@@ -110,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
|
||||
return retval;
|
||||
}
|
||||
|
||||
@ -97,14 +97,13 @@ index 413b845..54dd383 100644
|
||||
+{
|
||||
+ FILE *fp;
|
||||
+ char file[MAXPATHLEN];
|
||||
+ char *line = NULL;
|
||||
+ char line[BUFSIZ] = "";
|
||||
+ char kuser[65]; /* match krb5_kuserok() */
|
||||
+ struct stat st;
|
||||
+ struct passwd *pw = the_authctxt->pw;
|
||||
+ int found_principal = 0;
|
||||
+ int ncommands = 0, allcommands = 0;
|
||||
+ u_long linenum = 0;
|
||||
+ size_t linesize = 0;
|
||||
+ u_long linenum;
|
||||
+
|
||||
+ snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
+ /* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
@ -148,9 +147,9 @@ index 413b845..54dd383 100644
|
||||
+ k5users_allowed_cmds = xcalloc(++ncommands,
|
||||
+ sizeof(*k5users_allowed_cmds));
|
||||
+
|
||||
+ /* Check each line. ksu allows unlimited length lines. */
|
||||
+ while (!allcommands && getline(&line, &linesize, fp) != -1) {
|
||||
+ linenum++;
|
||||
+ /* Check each line. ksu allows unlimited length lines. We don't. */
|
||||
+ while (!allcommands && read_keyfile_line(fp, file, line, sizeof(line),
|
||||
+ &linenum) != -1) {
|
||||
+ char *token;
|
||||
+
|
||||
+ /* we parse just like ksu, even though we could do better */
|
||||
@ -183,7 +182,6 @@ index 413b845..54dd383 100644
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ free(line);
|
||||
+ if (k5users_allowed_cmds) {
|
||||
+ /* terminate vector */
|
||||
+ k5users_allowed_cmds[ncommands-1] = NULL;
|
||||
@ -209,7 +207,7 @@ index 28659ec..9c94d8e 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
|
||||
command = auth_opts->force_command;
|
||||
command = forced_command;
|
||||
forced = "(key-option)";
|
||||
}
|
||||
+#ifdef GSSAPI
|
||||
@ -235,9 +233,9 @@ index 28659ec..9c94d8e 100644
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
s->forced = 0;
|
||||
if (forced != NULL) {
|
||||
s->forced = 1;
|
||||
if (IS_INTERNAL_SFTP(command)) {
|
||||
s->is_subsystem = s->is_subsystem ?
|
||||
diff --git a/ssh-gss.h b/ssh-gss.h
|
||||
index 0374c88..509109a 100644
|
||||
--- a/ssh-gss.h
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh/auth.c.keycat openssh/misc.c
|
||||
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200
|
||||
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
|
||||
diff -up openssh/auth2-pubkey.c.keycat openssh/auth2-pubkey.c
|
||||
--- openssh/auth2-pubkey.c.keycat 2015-06-24 10:57:50.158849606 +0200
|
||||
+++ openssh/auth2-pubkey.c 2015-06-24 11:04:23.989868638 +0200
|
||||
@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw
|
||||
_exit(1);
|
||||
}
|
||||
|
||||
@ -36,44 +36,36 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in
|
||||
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
|
||||
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
|
||||
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
|
||||
SFTP_SERVER=$(libexecdir)/sftp-server
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
|
||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
+SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
@@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@
|
||||
K5LIBS=@K5LIBS@
|
||||
GSSLIBS=@GSSLIBS@
|
||||
SSHDLIBS=@SSHDLIBS@
|
||||
+KEYCATLIBS=@KEYCATLIBS@
|
||||
LIBEDIT=@LIBEDIT@
|
||||
LIBFIDO2=@LIBFIDO2@
|
||||
AR=@AR@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
.SUFFIXES: .lo
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
|
||||
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
|
||||
ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS)
|
||||
$(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2)
|
||||
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
|
||||
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
|
||||
+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
|
||||
+ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
|
||||
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -321,6 +325,7 @@ install-files:
|
||||
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
|
||||
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
|
||||
fi
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
|
||||
@ -203,7 +195,7 @@ diff -up openssh/platform.c.keycat openssh/platform.c
|
||||
diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
|
||||
--- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200
|
||||
+++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200
|
||||
@@ -0,0 +1,241 @@
|
||||
@@ -0,0 +1,238 @@
|
||||
+/*
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
@ -253,9 +245,6 @@ diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
|
||||
+#include <pwd.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <unistd.h>
|
||||
+#ifdef HAVE_STDINT_H
|
||||
+#include <stdint.h>
|
||||
+#endif
|
||||
+
|
||||
+#include <security/pam_appl.h>
|
||||
+
|
||||
@ -445,41 +434,3 @@ diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
|
||||
+ }
|
||||
+ return ev;
|
||||
+}
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 3bbccfd..6481f1f 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -2952,6 +2952,7 @@ AC_ARG_WITH([pam],
|
||||
PAM_MSG="yes"
|
||||
|
||||
SSHDLIBS="$SSHDLIBS -lpam"
|
||||
+ KEYCATLIBS="$KEYCATLIBS -lpam"
|
||||
AC_DEFINE([USE_PAM], [1],
|
||||
[Define if you want to enable PAM support])
|
||||
|
||||
@@ -3105,6 +3106,7 @@
|
||||
;;
|
||||
*)
|
||||
SSHDLIBS="$SSHDLIBS -ldl"
|
||||
+ KEYCATLIBS="$KEYCATLIBS -ldl"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux],
|
||||
fi ]
|
||||
)
|
||||
AC_SUBST([SSHDLIBS])
|
||||
+AC_SUBST([KEYCATLIBS])
|
||||
|
||||
# Check whether user wants Kerberos 5 support
|
||||
KRB5_MSG="no"
|
||||
@@ -5031,6 +5034,9 @@ fi
|
||||
if test ! -z "${SSHDLIBS}"; then
|
||||
echo " +for sshd: ${SSHDLIBS}"
|
||||
fi
|
||||
+if test ! -z "${KEYCATLIBS}"; then
|
||||
+echo " +for ssh-keycat: ${KEYCATLIBS}"
|
||||
+fi
|
||||
|
||||
echo ""
|
||||
|
||||
|
@ -1,7 +1,8 @@
|
||||
diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
|
||||
--- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100
|
||||
+++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100
|
||||
@@ -31,6 +31,7 @@
|
||||
diff --git a/authfile.c b/authfile.c
|
||||
index e93d867..4fc5b3d 100644
|
||||
--- a/authfile.c
|
||||
+++ b/authfile.c
|
||||
@@ -32,6 +32,7 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
@ -9,23 +10,17 @@ diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
|
||||
#include <stdio.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen
|
||||
@@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename)
|
||||
#ifdef HAVE_CYGWIN
|
||||
if (check_ntsec(filename))
|
||||
#endif
|
||||
+
|
||||
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
|
||||
+ if (st.st_mode & 040) {
|
||||
+ struct group *gr;
|
||||
+
|
||||
+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) {
|
||||
+ /* The only additional bit is read
|
||||
+ * for ssh_keys group, which is fine */
|
||||
+ if ((st.st_mode & 077) == 040 ) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid))
|
||||
+ st.st_mode &= ~040;
|
||||
+ }
|
||||
+
|
||||
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
|
||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||
error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
|
||||
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
|
||||
|
@ -1,7 +1,7 @@
|
||||
diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
|
||||
--- openssh-7.4p1/auth-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
|
||||
+++ openssh-7.4p1/auth-krb5.c 2016-12-23 14:36:07.644465936 +0100
|
||||
@@ -56,6 +56,21 @@
|
||||
diff -up openssh-7.0p1/auth-krb5.c.kuserok openssh-7.0p1/auth-krb5.c
|
||||
--- openssh-7.0p1/auth-krb5.c.kuserok 2015-08-11 10:57:29.000000000 +0200
|
||||
+++ openssh-7.0p1/auth-krb5.c 2015-08-12 11:26:21.874536127 +0200
|
||||
@@ -55,6 +55,21 @@
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
@ -23,7 +23,7 @@ diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
|
||||
static int
|
||||
krb5_init(void *context)
|
||||
{
|
||||
@@ -160,8 +175,9 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, c
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
@ -35,9 +35,9 @@ diff -up openssh-7.4p1/auth-krb5.c.kuserok openssh-7.4p1/auth-krb5.c
|
||||
problem = -1;
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
|
||||
--- openssh-7.4p1/gss-serv-krb5.c.kuserok 2016-12-23 14:36:07.640465939 +0100
|
||||
+++ openssh-7.4p1/gss-serv-krb5.c 2016-12-23 14:36:07.644465936 +0100
|
||||
diff -up openssh-7.0p1/gss-serv-krb5.c.kuserok openssh-7.0p1/gss-serv-krb5.c
|
||||
--- openssh-7.0p1/gss-serv-krb5.c.kuserok 2015-08-12 11:26:21.868536137 +0200
|
||||
+++ openssh-7.0p1/gss-serv-krb5.c 2015-08-12 11:26:21.875536126 +0200
|
||||
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
|
||||
int);
|
||||
|
||||
@ -160,7 +160,7 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
|
||||
retval = 1;
|
||||
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
|
||||
name, (char *)client->displayname.value);
|
||||
@@ -190,9 +289,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
|
||||
/* If both .k5login and .k5users DNE, self-login is ok. */
|
||||
if (!k5login_exists && (access(file, F_OK) == -1)) {
|
||||
@ -172,118 +172,117 @@ diff -up openssh-7.4p1/gss-serv-krb5.c.kuserok openssh-7.4p1/gss-serv-krb5.c
|
||||
}
|
||||
if ((fp = fopen(file, "r")) == NULL) {
|
||||
int saved_errno = errno;
|
||||
diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.kuserok 2016-12-23 14:36:07.630465944 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:11:52.278133344 +0100
|
||||
@@ -116,6 +116,7 @@ initialize_server_options(ServerOptions
|
||||
options->gss_strict_acceptor = -1;
|
||||
options->gss_store_rekey = -1;
|
||||
options->gss_kex_algorithms = NULL;
|
||||
diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
|
||||
--- openssh-7.0p1/servconf.c.kuserok 2015-08-12 11:26:21.865536141 +0200
|
||||
+++ openssh-7.0p1/servconf.c 2015-08-12 11:27:14.126454598 +0200
|
||||
@@ -172,6 +172,7 @@ initialize_server_options(ServerOptions
|
||||
options->ip_qos_bulk = -1;
|
||||
options->version_addendum = NULL;
|
||||
options->fingerprint_hash = -1;
|
||||
+ options->use_kuserok = -1;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
|
||||
if (options->gss_kex_algorithms == NULL)
|
||||
options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
@@ -350,6 +351,8 @@ fill_default_server_options(ServerOption
|
||||
options->fwd_opts.streamlocal_bind_unlink = 0;
|
||||
if (options->fingerprint_hash == -1)
|
||||
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ if (options->use_kuserok == -1)
|
||||
+ options->use_kuserok = 1;
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -399,7 +402,7 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
|
||||
assemble_algorithms(options);
|
||||
|
||||
@@ -404,7 +407,7 @@ typedef enum {
|
||||
sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache, sKerberosUseKuserok,
|
||||
sChallengeResponseAuthentication,
|
||||
- sKerberosGetAFSToken,
|
||||
+ sKerberosGetAFSToken, sKerberosUseKuserok,
|
||||
sKerberosTgtPassing, sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
@@ -478,12 +481,14 @@ static struct {
|
||||
@@ -483,11 +486,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
|
||||
+ { "kerberosusekuserok", sKerberosUseKuserok, SSHCFG_ALL },
|
||||
#else
|
||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "kerberosusekuserok", sUnsupported, SSHCFG_ALL },
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions
|
||||
*inc_flags &= ~SSHCFG_MATCH_ONLY;
|
||||
@@ -1671,6 +1676,10 @@ process_server_config_line(ServerOptions
|
||||
*activep = value;
|
||||
break;
|
||||
|
||||
+ case sKerberosUseKuserok:
|
||||
+ intptr = &options->use_kuserok;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sPermitListen:
|
||||
case sPermitOpen:
|
||||
if (opcode == sPermitListen) {
|
||||
@@ -2016,6 +2025,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(client_alive_interval);
|
||||
arg = strdelim(&cp);
|
||||
if (!arg || *arg == '\0')
|
||||
@@ -2023,6 +2032,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(max_authtries);
|
||||
M_CP_INTOPT(ip_qos_interactive);
|
||||
M_CP_INTOPT(ip_qos_bulk);
|
||||
+ M_CP_INTOPT(use_kuserok);
|
||||
M_CP_INTOPT(rekey_limit);
|
||||
M_CP_INTOPT(rekey_interval);
|
||||
M_CP_INTOPT(log_level);
|
||||
@@ -2309,6 +2319,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
||||
# endif
|
||||
dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
|
||||
|
||||
@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
|
||||
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
|
||||
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
|
||||
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
|
||||
#endif
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
diff -up openssh-7.4p1/servconf.h.kuserok openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.kuserok 2016-12-23 14:36:07.630465944 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 14:36:07.645465936 +0100
|
||||
@@ -118,6 +118,7 @@ typedef struct {
|
||||
* authenticated with Kerberos. */
|
||||
int kerberos_unique_ccache; /* If true, the acquired ticket will
|
||||
* be stored in per-session ccache */
|
||||
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
diff -up openssh-7.0p1/servconf.h.kuserok openssh-7.0p1/servconf.h
|
||||
--- openssh-7.0p1/servconf.h.kuserok 2015-08-12 11:26:21.865536141 +0200
|
||||
+++ openssh-7.0p1/servconf.h 2015-08-12 11:26:21.876536124 +0200
|
||||
@@ -180,6 +180,7 @@ typedef struct {
|
||||
|
||||
int num_permitted_opens;
|
||||
|
||||
+ int use_kuserok;
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
diff -up openssh-7.4p1/sshd_config.5.kuserok openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.kuserok 2016-12-23 14:36:07.637465940 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:14:03.117162222 +0100
|
||||
@@ -850,6 +850,10 @@ Specifies whether to automatically destr
|
||||
.Cm no
|
||||
can lead to overwriting previous tickets by subseqent connections to the same
|
||||
user account.
|
||||
char *chroot_directory;
|
||||
char *revoked_keys_file;
|
||||
char *trusted_user_ca_keys;
|
||||
diff -up openssh-7.0p1/sshd_config.5.kuserok openssh-7.0p1/sshd_config.5
|
||||
--- openssh-7.0p1/sshd_config.5.kuserok 2015-08-12 11:26:21.867536138 +0200
|
||||
+++ openssh-7.0p1/sshd_config.5 2015-08-12 11:26:21.877536123 +0200
|
||||
@@ -872,6 +872,10 @@ Specifies whether to automatically destr
|
||||
file on logout.
|
||||
The default is
|
||||
.Dq yes .
|
||||
+.It Cm KerberosUseKuserok
|
||||
+Specifies whether to look at .k5login file for user's aliases.
|
||||
+The default is
|
||||
+.Cm yes .
|
||||
+.Dq yes .
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
@@ -1078,6 +1082,7 @@ Available keywords are
|
||||
@@ -1116,6 +1120,7 @@ Available keywords are
|
||||
.Cm IPQoS ,
|
||||
.Cm KbdInteractiveAuthentication ,
|
||||
.Cm KerberosAuthentication ,
|
||||
+.Cm KerberosUseKuserok ,
|
||||
.Cm LogLevel ,
|
||||
.Cm MaxAuthTries ,
|
||||
.Cm MaxSessions ,
|
||||
diff -up openssh-7.4p1/sshd_config.kuserok openssh-7.4p1/sshd_config
|
||||
--- openssh-7.4p1/sshd_config.kuserok 2016-12-23 14:36:07.631465943 +0100
|
||||
+++ openssh-7.4p1/sshd_config 2016-12-23 14:36:07.646465935 +0100
|
||||
@@ -73,6 +73,7 @@ ChallengeResponseAuthentication no
|
||||
.Cm PasswordAuthentication ,
|
||||
diff -up openssh-7.0p1/sshd_config.kuserok openssh-7.0p1/sshd_config
|
||||
--- openssh-7.0p1/sshd_config.kuserok 2015-08-12 11:26:21.867536138 +0200
|
||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:26:21.876536124 +0200
|
||||
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
+#KerberosUseKuserok yes
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
GSSAPIAuthentication yes
|
||||
|
@ -1,18 +1,20 @@
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index a7b8b6a..24ab272 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -1701,6 +1701,10 @@ main(int ac, char **av)
|
||||
@@ -1620,6 +1620,10 @@ main(int ac, char **av)
|
||||
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
|
||||
cfg, &includes, NULL);
|
||||
&cfg, NULL);
|
||||
|
||||
+ /* 'UsePAM no' is not supported in Fedora */
|
||||
+ if (! options.use_pam)
|
||||
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
|
||||
+
|
||||
/* Fill in default values for those options not explicitly set. */
|
||||
fill_default_server_options(&options);
|
||||
seed_rng();
|
||||
|
||||
/* Fill in default values for those options not explicitly set. */
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 36cb27a..c1b7c03 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
|
||||
@ -21,6 +23,6 @@ diff --git a/sshd_config b/sshd_config
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
|
||||
+# problems.
|
||||
#UsePAM no
|
||||
UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
@ -1,18 +1,8 @@
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux.h
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux 2016-12-23 18:58:52.972122201 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux.h 2016-12-23 18:58:52.974122201 +0100
|
||||
@@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
+void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
|
||||
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
|
||||
index c18524e..d04f4ed 100644
|
||||
--- a/openbsd-compat/port-linux-sshd.c
|
||||
+++ b/openbsd-compat/port-linux-sshd.c
|
||||
@@ -409,6 +409,28 @@ sshd_selinux_setup_exec_context(char *pwname)
|
||||
debug3("%s: done", __func__);
|
||||
}
|
||||
|
||||
@ -25,15 +15,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
||||
+ return;
|
||||
+
|
||||
+ if (getexeccon((security_context_t *)&ctx) != 0) {
|
||||
+ logit("%s: getexeccon failed with %s", __func__, strerror(errno));
|
||||
+ logit("%s: getcon failed with %s", __func__, strerror (errno));
|
||||
+ return;
|
||||
+ }
|
||||
+ if (ctx != NULL) {
|
||||
+ /* unset exec context before we will lose this capabililty */
|
||||
+ if (setexeccon(NULL) != 0)
|
||||
+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno));
|
||||
+ fatal("%s: setexeccon failed with %s", __func__, strerror (errno));
|
||||
+ if (setcon(ctx) != 0)
|
||||
+ fatal("%s: setcon failed with %s", __func__, strerror(errno));
|
||||
+ fatal("%s: setcon failed with %s", __func__, strerror (errno));
|
||||
+ freecon(ctx);
|
||||
+ }
|
||||
+}
|
||||
@ -41,29 +31,33 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
|
||||
#endif
|
||||
#endif
|
||||
|
||||
diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.privsep-selinux 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 18:58:52.974122201 +0100
|
||||
@@ -1331,7 +1331,7 @@ do_setusercontext(struct passwd *pw)
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index 8ef6cc4..b18893c 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
|
||||
platform_setusercontext(pw);
|
||||
+void sshd_selinux_copy_context(void);
|
||||
void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
- if (platform_privileged_uidswap()) {
|
||||
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||
@@ -1361,6 +1361,9 @@ do_setusercontext(struct passwd *pw)
|
||||
(unsigned long long)pw->pw_uid);
|
||||
diff --git a/session.c b/session.c
|
||||
index 2bcf818..b5dc144 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, "U", uidstr, (char *)NULL);
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ sshd_selinux_copy_context();
|
||||
+#endif
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
@@ -1396,6 +1399,11 @@ do_setusercontext(struct passwd *pw)
|
||||
@@ -1565,6 +1568,11 @@ do_setusercontext(struct passwd *pw)
|
||||
/* Permanently switch to the desired uid. */
|
||||
permanently_set_uid(pw);
|
||||
#endif
|
||||
@ -75,7 +69,7 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
|
||||
} else if (options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
fatal("server lacks privileges to chroot to ChrootDirectory");
|
||||
@@ -1413,9 +1421,6 @@ do_pwchange(Session *s)
|
||||
@@ -1588,9 +1588,6 @@ do_pwchange(Session *s)
|
||||
if (s->ttyfd != -1) {
|
||||
fprintf(stderr,
|
||||
"You must change your password now and login again!\n");
|
||||
@ -85,7 +79,7 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
|
||||
#ifdef PASSWD_NEEDS_USERNAME
|
||||
execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
|
||||
(char *)NULL);
|
||||
@@ -1625,9 +1630,6 @@ do_child(Session *s, const char *command
|
||||
@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command)
|
||||
argv[i] = NULL;
|
||||
optind = optreset = 1;
|
||||
__progname = argv[0];
|
||||
@ -95,10 +89,11 @@ diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c
|
||||
exit(sftp_server_main(i, argv, s->pw));
|
||||
}
|
||||
|
||||
diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 18:59:13.808124269 +0100
|
||||
@@ -540,6 +540,10 @@ privsep_preauth_child(void)
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 07f9926..a97f8b7 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -632,6 +632,10 @@ privsep_preauth_child(void)
|
||||
/* Demote the private keys to public keys. */
|
||||
demote_sensitive_data();
|
||||
|
||||
@ -107,15 +102,28 @@ diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c
|
||||
+#endif
|
||||
+
|
||||
/* Demote the child */
|
||||
if (privsep_chroot) {
|
||||
if (getuid() == 0 || geteuid() == 0) {
|
||||
/* Change our root directory */
|
||||
@@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt)
|
||||
{
|
||||
@@ -755,6 +755,9 @@ privsep_postauth(Authctxt *authctxt)
|
||||
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
if (1) {
|
||||
+#elif defined(WITH_SELINUX)
|
||||
+ if (0) {
|
||||
+ if (options.use_login) {
|
||||
+ /* even root user can be confined by SELinux */
|
||||
#else
|
||||
if (authctxt->pw->pw_uid == 0) {
|
||||
if (authctxt->pw->pw_uid == 0 || options.use_login) {
|
||||
#endif
|
||||
diff --git a/session.c b/session.c
|
||||
index 684f867..09048bc 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1538,7 +1538,7 @@ do_setusercontext(struct passwd *pw)
|
||||
|
||||
platform_setusercontext(pw);
|
||||
|
||||
- if (platform_privileged_uidswap()) {
|
||||
+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
|
||||
#ifdef HAVE_LOGIN_CAP
|
||||
if (setusercontext(lc, pw, pw->pw_uid,
|
||||
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
|
||||
|
138
openssh-6.6p1-redhat.patch
Normal file
138
openssh-6.6p1-redhat.patch
Normal file
@ -0,0 +1,138 @@
|
||||
diff --git a/ssh_config b/ssh_config
|
||||
index 49a4f6c..3f83c40 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -50,3 +50,15 @@
|
||||
# Uncomment this if you want to use .local domain
|
||||
# Host *.local
|
||||
# CheckHostIP no
|
||||
+
|
||||
+Host *
|
||||
+ GSSAPIAuthentication yes
|
||||
+# If this option is set to yes then remote X11 clients will have full access
|
||||
+# to the original X11 display. As virtually no X11 client supports the untrusted
|
||||
+# mode correctly we set this to yes.
|
||||
+ ForwardX11Trusted yes
|
||||
+# Send locale-related environment variables
|
||||
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
+ SendEnv XMODIFIERS
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index c735429..e68ddee 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -10,6 +10,10 @@
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
|
||||
+# If you want to change the port on a SELinux system, you have to tell
|
||||
+# SELinux about this change.
|
||||
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
||||
+#
|
||||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
@@ -21,10 +25,10 @@
|
||||
# HostKey for protocol version 1
|
||||
#HostKey /etc/ssh/ssh_host_key
|
||||
# HostKeys for protocol version 2
|
||||
-#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
+HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_dsa_key
|
||||
-#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
-#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
+HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
+HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# Lifetime and size of ephemeral version 1 server key
|
||||
#KeyRegenerationInterval 1h
|
||||
@@ -36,6 +40,7 @@
|
||||
# Logging
|
||||
# obsoletes QuietMode and FascistLogging
|
||||
#SyslogFacility AUTH
|
||||
+SyslogFacility AUTHPRIV
|
||||
#LogLevel INFO
|
||||
|
||||
# Authentication:
|
||||
@@ -71,9 +76,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
+PasswordAuthentication yes
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
#ChallengeResponseAuthentication yes
|
||||
+ChallengeResponseAuthentication no
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
@@ -82,8 +89,8 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#KerberosGetAFSToken no
|
||||
|
||||
# GSSAPI options
|
||||
-#GSSAPIAuthentication no
|
||||
-#GSSAPICleanupCredentials yes
|
||||
+GSSAPIAuthentication yes
|
||||
+GSSAPICleanupCredentials no
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
@@ -94,12 +101,12 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
-#X11Forwarding no
|
||||
+X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox # Default for new installations.
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
+# Accept locale-related environment variables
|
||||
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
+AcceptEnv XMODIFIERS
|
||||
+
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/libexec/sftp-server
|
||||
|
||||
diff --git a/sshd_config.0 b/sshd_config.0
|
||||
index 413c260..87e7ee7 100644
|
||||
--- a/sshd_config.0
|
||||
+++ b/sshd_config.0
|
||||
@@ -675,9 +675,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||
- default is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index ce71efe..12465c2 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only.
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
@ -1,17 +1,164 @@
|
||||
diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200
|
||||
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
diff -up openssh-6.8p1/auth-pam.c.role-mls openssh-6.8p1/auth-pam.c
|
||||
--- openssh-6.8p1/auth-pam.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/auth-pam.c 2015-03-18 11:04:21.045817122 +0100
|
||||
@@ -1068,7 +1068,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
-do_pam_putenv(char *name, char *value)
|
||||
+do_pam_putenv(char *name, const char *value)
|
||||
{
|
||||
int ret = 1;
|
||||
#ifdef HAVE_PAM_PUTENV
|
||||
diff -up openssh-6.8p1/auth-pam.h.role-mls openssh-6.8p1/auth-pam.h
|
||||
--- openssh-6.8p1/auth-pam.h.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/auth-pam.h 2015-03-18 11:04:21.045817122 +0100
|
||||
@@ -38,7 +38,7 @@ void do_pam_session(void);
|
||||
void do_pam_set_tty(const char *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh-6.8p1/auth.h.role-mls openssh-6.8p1/auth.h
|
||||
--- openssh-6.8p1/auth.h.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/auth.h 2015-03-18 11:04:21.045817122 +0100
|
||||
@@ -62,6 +62,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role;
|
||||
+#endif
|
||||
void *kbdintctxt;
|
||||
char *info; /* Extra info for next auth_log */
|
||||
#ifdef BSD_AUTH
|
||||
diff -up openssh-6.8p1/auth1.c.role-mls openssh-6.8p1/auth1.c
|
||||
--- openssh-6.8p1/auth1.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/auth1.c 2015-03-18 11:04:21.046817119 +0100
|
||||
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
|
||||
{
|
||||
u_int ulen;
|
||||
char *user, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role=NULL;
|
||||
+#endif
|
||||
|
||||
/* Get the name of the user that we wish to log in as. */
|
||||
packet_read_expect(SSH_CMSG_USER);
|
||||
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
|
||||
user = packet_get_cstring(&ulen);
|
||||
packet_check_eom();
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if ((role = strchr(user, '/')) != NULL)
|
||||
+ *role++ = '\0';
|
||||
+#endif
|
||||
+
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = '\0';
|
||||
+#ifdef WITH_SELINUX
|
||||
+ else
|
||||
+ if (role && (style = strchr(role, ':')) != NULL)
|
||||
+ *style++ = '\0';
|
||||
+#endif
|
||||
|
||||
authctxt->user = user;
|
||||
authctxt->style = style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role = role;
|
||||
+#endif
|
||||
|
||||
/* Verify that the user is a valid user. */
|
||||
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
|
||||
diff -up openssh-6.8p1/auth2-gss.c.role-mls openssh-6.8p1/auth2-gss.c
|
||||
--- openssh-6.8p1/auth2-gss.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/auth2-gss.c 2015-03-18 11:04:21.046817119 +0100
|
||||
@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int authenticated = 0;
|
||||
+ char *micuser;
|
||||
Buffer b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
u_int len;
|
||||
@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
mic.value = packet_get_string(&len);
|
||||
mic.length = len;
|
||||
|
||||
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && (strlen(authctxt->role) > 0))
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
|
||||
"gssapi-with-mic");
|
||||
|
||||
gssbuf.value = buffer_ptr(&b);
|
||||
@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
buffer_free(&b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ free(micuser);
|
||||
free(mic.value);
|
||||
|
||||
authctxt->postponed = 0;
|
||||
diff -up openssh-6.8p1/auth2-hostbased.c.role-mls openssh-6.8p1/auth2-hostbased.c
|
||||
--- openssh-6.8p1/auth2-hostbased.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/auth2-hostbased.c 2015-03-18 11:04:21.046817119 +0100
|
||||
@@ -122,7 +122,15 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
buffer_put_string(&b, session_id2, session_id2_len);
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- buffer_put_cstring(&b, authctxt->user);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role) {
|
||||
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
|
||||
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
|
||||
+ buffer_put_char(&b, '/');
|
||||
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
|
||||
+ } else
|
||||
+#endif
|
||||
+ buffer_put_cstring(&b, authctxt->user);
|
||||
buffer_put_cstring(&b, service);
|
||||
buffer_put_cstring(&b, "hostbased");
|
||||
buffer_put_string(&b, pkalg, alen);
|
||||
diff -up openssh-6.8p1/auth2-pubkey.c.role-mls openssh-6.8p1/auth2-pubkey.c
|
||||
--- openssh-6.8p1/auth2-pubkey.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/auth2-pubkey.c 2015-03-18 11:04:21.046817119 +0100
|
||||
@@ -145,9 +145,11 @@ userauth_pubkey(Authctxt *authctxt)
|
||||
}
|
||||
/* reconstruct packet */
|
||||
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
|
||||
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
- authctxt->style ? authctxt->style : "");
|
||||
+ authctxt->style ? authctxt->style : "",
|
||||
+ authctxt->role ? "/" : "",
|
||||
+ authctxt->role ? authctxt->role : "");
|
||||
buffer_put_cstring(&b, userstyle);
|
||||
free(userstyle);
|
||||
buffer_put_cstring(&b,
|
||||
diff -up openssh-6.8p1/auth2.c.role-mls openssh-6.8p1/auth2.c
|
||||
--- openssh-6.8p1/auth2.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/auth2.c 2015-03-18 11:04:21.046817119 +0100
|
||||
@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
|
||||
Authctxt *authctxt = ctxt;
|
||||
Authmethod *m = NULL;
|
||||
char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
|
||||
char *user, *service, *method, *style = NULL;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role = NULL;
|
||||
+#endif
|
||||
int r, authenticated = 0;
|
||||
double tstart = monotime_double();
|
||||
int authenticated = 0;
|
||||
|
||||
@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
|
||||
if (authctxt == NULL)
|
||||
@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
@ -23,7 +170,7 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
|
||||
@@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32
|
||||
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
@ -37,127 +184,13 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
|
||||
+ mm_inform_authrole(role);
|
||||
+#endif
|
||||
+ }
|
||||
userauth_banner(ssh);
|
||||
userauth_banner();
|
||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
||||
ssh_packet_disconnect(ssh,
|
||||
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
|
||||
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200
|
||||
@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Gssctxt *gssctxt;
|
||||
int r, authenticated = 0;
|
||||
+ char *micuser;
|
||||
struct sshbuf *b;
|
||||
gss_buffer_desc mic, gssbuf;
|
||||
const char *displayname;
|
||||
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
mic.value = p;
|
||||
mic.length = len;
|
||||
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ if (authctxt->role && authctxt->role[0] != 0)
|
||||
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
|
||||
+ else
|
||||
+#endif
|
||||
+ micuser = authctxt->user;
|
||||
+ ssh_gssapi_buildmic(b, micuser, authctxt->service,
|
||||
"gssapi-with-mic");
|
||||
|
||||
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
|
||||
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
|
||||
logit("GSSAPI MIC check failed");
|
||||
|
||||
sshbuf_free(b);
|
||||
+ if (micuser != authctxt->user)
|
||||
+ free(micuser);
|
||||
free(mic.value);
|
||||
|
||||
if ((!use_privsep || mm_is_monitor()) &&
|
||||
diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
|
||||
--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
|
||||
/* reconstruct packet */
|
||||
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
|
||||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ (authctxt->role
|
||||
+ ? ( (r = sshbuf_put_u32(b, strlen(authctxt->user)+strlen(authctxt->role)+1)) != 0 ||
|
||||
+ (r = sshbuf_put(b, authctxt->user, strlen(authctxt->user))) != 0 ||
|
||||
+ (r = sshbuf_put_u8(b, '/') != 0) ||
|
||||
+ (r = sshbuf_put(b, authctxt->role, strlen(authctxt->role))) != 0)
|
||||
+ : (r = sshbuf_put_cstring(b, authctxt->user)) != 0) ||
|
||||
+#else
|
||||
(r = sshbuf_put_cstring(b, authctxt->user)) != 0 ||
|
||||
+#endif
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, "hostbased")) != 0 ||
|
||||
(r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
|
||||
diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
|
||||
--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200
|
||||
+++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200
|
||||
@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
|
||||
goto done;
|
||||
}
|
||||
/* reconstruct packet */
|
||||
- xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
+ xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
- authctxt->style ? authctxt->style : "");
|
||||
+ authctxt->style ? authctxt->style : "",
|
||||
+#ifdef WITH_SELINUX
|
||||
+ authctxt->role ? "/" : "",
|
||||
+ authctxt->role ? authctxt->role : ""
|
||||
+#else
|
||||
+ "", ""
|
||||
+#endif
|
||||
+ );
|
||||
if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, userstyle)) != 0 ||
|
||||
(r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
|
||||
diff -up openssh/auth.h.role-mls openssh/auth.h
|
||||
--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -65,6 +65,9 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ char *role;
|
||||
+#endif
|
||||
|
||||
/* Method lists for multiple authentication */
|
||||
char **auth_methods; /* modified from server config */
|
||||
diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
|
||||
--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
|
||||
@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
|
||||
* during the ssh authentication process.
|
||||
*/
|
||||
int
|
||||
-do_pam_putenv(char *name, char *value)
|
||||
+do_pam_putenv(char *name, const char *value)
|
||||
{
|
||||
int ret = 1;
|
||||
char *compound;
|
||||
diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
|
||||
--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
|
||||
@@ -33,7 +33,7 @@ u_int do_pam_account(void);
|
||||
void do_pam_session(struct ssh *);
|
||||
void do_pam_setcred(int );
|
||||
void do_pam_chauthtok(void);
|
||||
-int do_pam_putenv(char *, char *);
|
||||
+int do_pam_putenv(char *, const char *);
|
||||
char ** fetch_pam_environment(void);
|
||||
char ** fetch_pam_child_environment(void);
|
||||
void free_pam_environment(char **);
|
||||
diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200
|
||||
@@ -542,6 +542,7 @@ char *
|
||||
packet_disconnect("no authentication methods enabled");
|
||||
diff -up openssh-6.8p1/misc.c.role-mls openssh-6.8p1/misc.c
|
||||
--- openssh-6.8p1/misc.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/misc.c 2015-03-18 11:04:21.046817119 +0100
|
||||
@@ -431,6 +431,7 @@ char *
|
||||
colon(char *cp)
|
||||
{
|
||||
int flag = 0;
|
||||
@ -165,7 +198,7 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
|
||||
if (*cp == ':') /* Leading colon is part of file name. */
|
||||
return NULL;
|
||||
@@ -557,6 +558,13 @@ colon(char *cp)
|
||||
@@ -446,6 +447,13 @@ colon(char *cp)
|
||||
return (cp);
|
||||
if (*cp == '/')
|
||||
return NULL;
|
||||
@ -179,20 +212,20 @@ diff -up openssh/misc.c.role-mls openssh/misc.c
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
--- openssh/monitor.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/monitor.c 2018-08-22 11:19:56.006844867 +0200
|
||||
@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *)
|
||||
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
||||
diff -up openssh-6.8p1/monitor.c.role-mls openssh-6.8p1/monitor.c
|
||||
--- openssh-6.8p1/monitor.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/monitor.c 2015-03-18 11:04:21.047817117 +0100
|
||||
@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
|
||||
int mm_answer_pwnamallow(int, Buffer *);
|
||||
int mm_answer_auth2_read_banner(int, Buffer *);
|
||||
int mm_answer_authserv(int, Buffer *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
|
||||
+int mm_answer_authrole(int, Buffer *);
|
||||
+#endif
|
||||
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||
@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
int mm_answer_authpassword(int, Buffer *);
|
||||
int mm_answer_bsdauthquery(int, Buffer *);
|
||||
int mm_answer_bsdauthrespond(int, Buffer *);
|
||||
@@ -206,6 +209,9 @@ struct mon_table mon_dispatch_proto20[]
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
@ -202,30 +235,29 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -796,6 +802,9 @@ mm_answer_pwnamallow(int sock, struct ss
|
||||
|
||||
@@ -862,6 +868,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
|
||||
else {
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
+#ifdef WITH_SELINUX
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
|
||||
+#endif
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
|
||||
}
|
||||
#ifdef USE_PAM
|
||||
@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb
|
||||
return found;
|
||||
@@ -903,6 +912,25 @@ mm_answer_authserv(int sock, Buffer *m)
|
||||
return (0);
|
||||
}
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+int
|
||||
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
+mm_answer_authrole(int sock, Buffer *m)
|
||||
+{
|
||||
+ int r;
|
||||
+ monitor_permit_authentications(1);
|
||||
+
|
||||
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ debug3("%s: role=%s", __func__, authctxt->role);
|
||||
+ authctxt->role = buffer_get_string(m, NULL);
|
||||
+ debug3("%s: role=%s",
|
||||
+ __func__, authctxt->role);
|
||||
+
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ free(authctxt->role);
|
||||
@ -237,48 +269,48 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
|
||||
+#endif
|
||||
+
|
||||
int
|
||||
mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
mm_answer_authpassword(int sock, Buffer *m)
|
||||
{
|
||||
@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
@@ -1291,7 +1319,7 @@ static int
|
||||
monitor_valid_userblob(u_char *data, u_int datalen)
|
||||
{
|
||||
struct sshbuf *b;
|
||||
const u_char *p;
|
||||
- char *userstyle, *cp;
|
||||
+ char *userstyle, *s, *cp;
|
||||
size_t len;
|
||||
u_char type;
|
||||
int r, fail = 0;
|
||||
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
Buffer b;
|
||||
- char *p, *userstyle;
|
||||
+ char *p, *r, *userstyle;
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1317,6 +1345,8 @@ monitor_valid_userblob(u_char *data, u_i
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if ((s = strchr(cp, '/')) != NULL)
|
||||
+ *s = '\0';
|
||||
p = buffer_get_cstring(&b, NULL);
|
||||
+ if ((r = strchr(p, '/')) != NULL)
|
||||
+ *r = '\0';
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
@@ -1286,7 +1317,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
@@ -1352,7 +1382,7 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
char *chost)
|
||||
{
|
||||
struct sshbuf *b;
|
||||
const u_char *p;
|
||||
- char *cp, *userstyle;
|
||||
+ char *cp, *s, *userstyle;
|
||||
size_t len;
|
||||
int r, fail = 0;
|
||||
u_char type;
|
||||
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
Buffer b;
|
||||
- char *p, *userstyle;
|
||||
+ char *p, *r, *userstyle;
|
||||
u_int len;
|
||||
int fail = 0;
|
||||
|
||||
@@ -1369,6 +1399,8 @@ monitor_valid_hostbasedblob(u_char *data
|
||||
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
|
||||
fail++;
|
||||
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if ((s = strchr(p, '/')) != NULL)
|
||||
+ *s = '\0';
|
||||
p = buffer_get_cstring(&b, NULL);
|
||||
+ if ((r = strchr(p, '/')) != NULL)
|
||||
+ *r = '\0';
|
||||
xasprintf(&userstyle, "%s%s%s", authctxt->user,
|
||||
authctxt->style ? ":" : "",
|
||||
authctxt->style ? authctxt->style : "");
|
||||
diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||
--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200
|
||||
@@ -55,6 +55,10 @@ enum monitor_reqtype {
|
||||
diff -up openssh-6.8p1/monitor.h.role-mls openssh-6.8p1/monitor.h
|
||||
--- openssh-6.8p1/monitor.h.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/monitor.h 2015-03-18 11:04:21.047817117 +0100
|
||||
@@ -57,6 +57,10 @@ enum monitor_reqtype {
|
||||
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
|
||||
MONITOR_REQ_TERM = 50,
|
||||
|
||||
@ -289,11 +321,11 @@ diff -up openssh/monitor.h.role-mls openssh/monitor.h
|
||||
MONITOR_REQ_PAM_START = 100,
|
||||
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
|
||||
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
|
||||
diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||
--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200
|
||||
@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
|
||||
sshbuf_free(m);
|
||||
diff -up openssh-6.8p1/monitor_wrap.c.role-mls openssh-6.8p1/monitor_wrap.c
|
||||
--- openssh-6.8p1/monitor_wrap.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 11:04:21.047817117 +0100
|
||||
@@ -347,6 +347,25 @@ mm_inform_authserv(char *service, char *
|
||||
buffer_free(&m);
|
||||
}
|
||||
|
||||
+/* Inform the privileged process about role */
|
||||
@ -302,123 +334,51 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
|
||||
+void
|
||||
+mm_inform_authrole(char *role)
|
||||
+{
|
||||
+ int r;
|
||||
+ struct sshbuf *m;
|
||||
+ Buffer m;
|
||||
+
|
||||
+ debug3("%s entering", __func__);
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||
+ buffer_init(&m);
|
||||
+ buffer_put_cstring(&m, role ? role : "");
|
||||
+
|
||||
+ sshbuf_free(m);
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
|
||||
+
|
||||
+ buffer_free(&m);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(struct ssh *ssh, char *password)
|
||||
diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
|
||||
--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200
|
||||
+++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200
|
||||
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
|
||||
const u_char *, size_t, const char *, const char *,
|
||||
const char *, u_int compat);
|
||||
mm_auth_password(Authctxt *authctxt, char *password)
|
||||
diff -up openssh-6.8p1/monitor_wrap.h.role-mls openssh-6.8p1/monitor_wrap.h
|
||||
--- openssh-6.8p1/monitor_wrap.h.role-mls 2015-03-18 11:04:21.047817117 +0100
|
||||
+++ openssh-6.8p1/monitor_wrap.h 2015-03-18 11:10:32.343936171 +0100
|
||||
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
|
||||
DH *mm_choose_dh(int, int, int);
|
||||
int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *);
|
||||
void mm_inform_authserv(char *, char *);
|
||||
+#ifdef WITH_SELINUX
|
||||
+void mm_inform_authrole(char *);
|
||||
+#endif
|
||||
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
|
||||
struct passwd *mm_getpwnamallow(const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct ssh *, char *);
|
||||
diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
|
||||
--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -92,7 +92,8 @@ PORTS= port-aix.o \
|
||||
port-linux.o \
|
||||
port-solaris.o \
|
||||
port-net.o \
|
||||
- port-uw.o
|
||||
+ port-uw.o \
|
||||
+ port-linux-sshd.o
|
||||
int mm_auth_password(struct Authctxt *, char *);
|
||||
diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd-compat/Makefile.in
|
||||
--- openssh-6.8p1/openbsd-compat/Makefile.in.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/Makefile.in 2015-03-18 11:04:21.047817117 +0100
|
||||
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
|
||||
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
|
||||
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
|
||||
diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c
|
||||
--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
-/* Set the execution context to the default for the specified user */
|
||||
-void
|
||||
-ssh_selinux_setup_exec_context(char *pwname)
|
||||
-{
|
||||
- security_context_t user_ctx = NULL;
|
||||
-
|
||||
- if (!ssh_selinux_enabled())
|
||||
- return;
|
||||
-
|
||||
- debug3("%s: setting execution context", __func__);
|
||||
-
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
- if (setexeccon(user_ctx) != 0) {
|
||||
- switch (security_getenforce()) {
|
||||
- case -1:
|
||||
- fatal("%s: security_getenforce() failed", __func__);
|
||||
- case 0:
|
||||
- error("%s: Failed to set SELinux execution "
|
||||
- "context for %s", __func__, pwname);
|
||||
- break;
|
||||
- default:
|
||||
- fatal("%s: Failed to set SELinux execution context "
|
||||
- "for %s (in enforcing mode)", __func__, pwname);
|
||||
- }
|
||||
- }
|
||||
- if (user_ctx != NULL)
|
||||
- freecon(user_ctx);
|
||||
-
|
||||
- debug3("%s: done", __func__);
|
||||
-}
|
||||
-
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ if (getexeccon(&user_ctx) != 0) {
|
||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h
|
||||
--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -20,9 +20,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
-void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
+
|
||||
+void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
|
||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -0,0 +1,425 @@
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls 2015-03-18 11:04:21.048817114 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:04:21.048817114 +0100
|
||||
@@ -0,0 +1,424 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
|
||||
@ -447,14 +407,13 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
||||
+#include <stdarg.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+
|
||||
+#include "log.h"
|
||||
+#include "xmalloc.h"
|
||||
+#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
||||
+#include "servconf.h"
|
||||
+#include "port-linux.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "key.h"
|
||||
+#include "hostfile.h"
|
||||
+#include "auth.h"
|
||||
+
|
||||
@ -844,10 +803,66 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||
--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
|
||||
@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
|
||||
diff -up openssh-6.8p1/openbsd-compat/port-linux.c.role-mls openssh-6.8p1/openbsd-compat/port-linux.c
|
||||
--- openssh-6.8p1/openbsd-compat/port-linux.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/port-linux.c 2015-03-18 11:04:21.048817114 +0100
|
||||
@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
return sc;
|
||||
}
|
||||
|
||||
-/* Set the execution context to the default for the specified user */
|
||||
-void
|
||||
-ssh_selinux_setup_exec_context(char *pwname)
|
||||
-{
|
||||
- security_context_t user_ctx = NULL;
|
||||
-
|
||||
- if (!ssh_selinux_enabled())
|
||||
- return;
|
||||
-
|
||||
- debug3("%s: setting execution context", __func__);
|
||||
-
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
- if (setexeccon(user_ctx) != 0) {
|
||||
- switch (security_getenforce()) {
|
||||
- case -1:
|
||||
- fatal("%s: security_getenforce() failed", __func__);
|
||||
- case 0:
|
||||
- error("%s: Failed to set SELinux execution "
|
||||
- "context for %s", __func__, pwname);
|
||||
- break;
|
||||
- default:
|
||||
- fatal("%s: Failed to set SELinux execution context "
|
||||
- "for %s (in enforcing mode)", __func__, pwname);
|
||||
- }
|
||||
- }
|
||||
- if (user_ctx != NULL)
|
||||
- freecon(user_ctx);
|
||||
-
|
||||
- debug3("%s: done", __func__);
|
||||
-}
|
||||
-
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.role-mls openssh-6.8p1/openbsd-compat/port-linux.h
|
||||
--- openssh-6.8p1/openbsd-compat/port-linux.h.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 11:04:21.048817114 +0100
|
||||
@@ -22,9 +22,10 @@
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
void ssh_selinux_setup_pty(char *, const char *);
|
||||
-void ssh_selinux_setup_exec_context(char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
+
|
||||
+void sshd_selinux_setup_exec_context(char *);
|
||||
#endif
|
||||
|
||||
#ifdef LINUX_OOM_ADJUST
|
||||
diff -up openssh-6.8p1/platform.c.role-mls openssh-6.8p1/platform.c
|
||||
--- openssh-6.8p1/platform.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/platform.c 2015-03-18 11:04:21.048817114 +0100
|
||||
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
@ -856,10 +871,10 @@ diff -up openssh/platform.c.role-mls openssh/platform.c
|
||||
#endif
|
||||
}
|
||||
|
||||
diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||
--- openssh/sshd.c.role-mls 2018-08-20 07:57:29.000000000 +0200
|
||||
+++ openssh/sshd.c 2018-08-22 11:14:56.820430957 +0200
|
||||
@@ -2186,6 +2186,9 @@ main(int ac, char **av)
|
||||
diff -up openssh-6.8p1/sshd.c.role-mls openssh-6.8p1/sshd.c
|
||||
--- openssh-6.8p1/sshd.c.role-mls 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sshd.c 2015-03-18 11:04:21.048817114 +0100
|
||||
@@ -2220,6 +2220,9 @@ main(int ac, char **av)
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
@ -869,3 +884,20 @@ diff -up openssh/sshd.c.role-mls openssh/sshd.c
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
||||
do_pam_setcred(1);
|
||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 22ea8ef..2660085 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -116,7 +116,11 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ if (getexeccon(&user_ctx) != 0) {
|
||||
+ error("%s: getexeccon: %s", __func__, strerror(errno));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
84
openssh-6.6p1-set_remote_ipaddr.patch
Normal file
84
openssh-6.6p1-set_remote_ipaddr.patch
Normal file
@ -0,0 +1,84 @@
|
||||
diff -up openssh-6.8p1/canohost.c.set_remote_ipaddr openssh-6.8p1/canohost.c
|
||||
--- openssh-6.8p1/canohost.c.set_remote_ipaddr 2015-03-18 12:40:03.702925550 +0100
|
||||
+++ openssh-6.8p1/canohost.c 2015-03-18 12:40:03.749925432 +0100
|
||||
@@ -349,6 +349,21 @@ clear_cached_addr(void)
|
||||
cached_port = -1;
|
||||
}
|
||||
|
||||
+void set_remote_ipaddr(void) {
|
||||
+ if (canonical_host_ip != NULL)
|
||||
+ free(canonical_host_ip);
|
||||
+
|
||||
+ if (active_state != NULL && packet_connection_is_on_socket()) {
|
||||
+ canonical_host_ip =
|
||||
+ get_peer_ipaddr(packet_get_connection_in());
|
||||
+ if (canonical_host_ip == NULL)
|
||||
+ cleanup_exit(255);
|
||||
+ } else {
|
||||
+ /* If not on socket, return UNKNOWN. */
|
||||
+ canonical_host_ip = xstrdup("UNKNOWN");
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Returns the IP-address of the remote host as a string. The returned
|
||||
* string must not be freed.
|
||||
@@ -358,17 +373,9 @@ const char *
|
||||
get_remote_ipaddr(void)
|
||||
{
|
||||
/* Check whether we have cached the ipaddr. */
|
||||
- if (canonical_host_ip == NULL) {
|
||||
- if (packet_connection_is_on_socket()) {
|
||||
- canonical_host_ip =
|
||||
- get_peer_ipaddr(packet_get_connection_in());
|
||||
- if (canonical_host_ip == NULL)
|
||||
- cleanup_exit(255);
|
||||
- } else {
|
||||
- /* If not on socket, return UNKNOWN. */
|
||||
- canonical_host_ip = xstrdup("UNKNOWN");
|
||||
- }
|
||||
- }
|
||||
+ if (canonical_host_ip == NULL)
|
||||
+ set_remote_ipaddr();
|
||||
+
|
||||
return canonical_host_ip;
|
||||
}
|
||||
|
||||
diff -up openssh-6.8p1/canohost.h.set_remote_ipaddr openssh-6.8p1/canohost.h
|
||||
--- openssh-6.8p1/canohost.h.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/canohost.h 2015-03-18 12:40:03.749925432 +0100
|
||||
@@ -13,6 +13,7 @@
|
||||
*/
|
||||
|
||||
const char *get_canonical_hostname(int);
|
||||
+void set_remote_ipaddr(void);
|
||||
const char *get_remote_ipaddr(void);
|
||||
const char *get_remote_name_or_ip(u_int, int);
|
||||
|
||||
diff -up openssh-6.8p1/sshconnect.c.set_remote_ipaddr openssh-6.8p1/sshconnect.c
|
||||
--- openssh-6.8p1/sshconnect.c.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sshconnect.c 2015-03-18 12:40:58.096788804 +0100
|
||||
@@ -65,6 +65,7 @@
|
||||
#include "authfile.h"
|
||||
#include "ssherr.h"
|
||||
#include "authfd.h"
|
||||
+#include "canohost.h"
|
||||
|
||||
char *client_version_string = NULL;
|
||||
char *server_version_string = NULL;
|
||||
@@ -174,6 +175,7 @@ ssh_proxy_fdpass_connect(const char *hos
|
||||
|
||||
/* Set the connection file descriptors. */
|
||||
packet_set_connection(sock, sock);
|
||||
+ set_remote_ipaddr();
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -496,6 +498,7 @@ ssh_connect_direct(const char *host, str
|
||||
|
||||
/* Set the connection. */
|
||||
packet_set_connection(sock, sock);
|
||||
+ set_remote_ipaddr();
|
||||
|
||||
return 0;
|
||||
}
|
@ -1,7 +1,39 @@
|
||||
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
|
||||
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
|
||||
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
|
||||
@@ -288,11 +288,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c
|
||||
--- openssh-6.8p1/auth-pam.c.coverity 2015-03-18 17:21:51.792265051 +0100
|
||||
+++ openssh-6.8p1/auth-pam.c 2015-03-18 17:21:51.895264835 +0100
|
||||
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
|
||||
if (sshpam_thread_status != -1)
|
||||
return (sshpam_thread_status);
|
||||
signal(SIGCHLD, sshpam_oldsig);
|
||||
- waitpid(thread, &status, 0);
|
||||
+ while (waitpid(thread, &status, 0) < 0) {
|
||||
+ if (errno == EINTR)
|
||||
+ continue;
|
||||
+ fatal("%s: waitpid: %s", __func__,
|
||||
+ strerror(errno));
|
||||
+ }
|
||||
return (status);
|
||||
}
|
||||
#endif
|
||||
diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
|
||||
--- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100
|
||||
+++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100
|
||||
@@ -243,11 +243,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
channel_max_fd = MAX(channel_max_fd, wfd);
|
||||
channel_max_fd = MAX(channel_max_fd, efd);
|
||||
|
||||
- if (rfd != -1)
|
||||
+ if (rfd >= 0)
|
||||
fcntl(rfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (wfd != -1 && wfd != rfd)
|
||||
+ if (wfd >= 0 && wfd != rfd)
|
||||
fcntl(wfd, F_SETFD, FD_CLOEXEC);
|
||||
- if (efd != -1 && efd != rfd && efd != wfd)
|
||||
+ if (efd >= 0 && efd != rfd && efd != wfd)
|
||||
fcntl(efd, F_SETFD, FD_CLOEXEC);
|
||||
|
||||
c->rfd = rfd;
|
||||
@@ -265,11 +265,11 @@ channel_register_fds(Channel *c, int rfd
|
||||
|
||||
/* enable nonblocking mode */
|
||||
if (nonblock) {
|
||||
@ -16,22 +48,70 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
|
||||
set_nonblock(efd);
|
||||
}
|
||||
}
|
||||
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
|
||||
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
|
||||
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
|
||||
@@ -411,7 +411,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
mm_get_keystate(ssh, pmonitor);
|
||||
@@ -3972,13 +3972,13 @@ connect_local_xsocket_path(const char *p
|
||||
int sock;
|
||||
struct sockaddr_un addr;
|
||||
|
||||
+ if (len <= 0)
|
||||
+ return -1;
|
||||
sock = socket(AF_UNIX, SOCK_STREAM, 0);
|
||||
if (sock < 0)
|
||||
error("socket: %.100s", strerror(errno));
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
addr.sun_family = AF_UNIX;
|
||||
- if (len <= 0)
|
||||
- return -1;
|
||||
if (len > sizeof addr.sun_path)
|
||||
len = sizeof addr.sun_path;
|
||||
memcpy(addr.sun_path, pathname, len);
|
||||
diff -up openssh-6.8p1/entropy.c.coverity openssh-6.8p1/entropy.c
|
||||
--- openssh-6.8p1/entropy.c.coverity 2015-03-18 17:21:51.891264843 +0100
|
||||
+++ openssh-6.8p1/entropy.c 2015-03-18 17:21:51.897264831 +0100
|
||||
@@ -46,6 +46,7 @@
|
||||
#include <openssl/err.h>
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
+#include "openbsd-compat/port-linux.h"
|
||||
|
||||
#include "ssh.h"
|
||||
#include "misc.h"
|
||||
diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
|
||||
--- openssh-6.8p1/monitor.c.coverity 2015-03-18 17:21:51.887264852 +0100
|
||||
+++ openssh-6.8p1/monitor.c 2015-03-18 17:21:51.897264831 +0100
|
||||
@@ -444,7 +444,7 @@ monitor_child_preauth(Authctxt *_authctx
|
||||
mm_get_keystate(pmonitor);
|
||||
|
||||
/* Drain any buffered messages from the child */
|
||||
- while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
|
||||
+ while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
|
||||
;
|
||||
|
||||
if (pmonitor->m_recvfd >= 0)
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
|
||||
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||
close(pmonitor->m_sendfd);
|
||||
@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
break;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ debug3("%s: key %p is %s",
|
||||
+ __func__, key, allowed ? "allowed" : "not allowed");
|
||||
+
|
||||
if (key != NULL)
|
||||
key_free(key);
|
||||
|
||||
@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m
|
||||
free(chost);
|
||||
}
|
||||
|
||||
- debug3("%s: key %p is %s",
|
||||
- __func__, key, allowed ? "allowed" : "not allowed");
|
||||
-
|
||||
buffer_clear(m);
|
||||
buffer_put_int(m, allowed);
|
||||
buffer_put_int(m, forced_command != NULL);
|
||||
diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
|
||||
--- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100
|
||||
+++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100
|
||||
@@ -533,10 +533,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
|
||||
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
|
||||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
|
||||
error("%s: cannot allocate fds for pty", __func__);
|
||||
@ -45,9 +125,9 @@ diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
|
||||
return 0;
|
||||
}
|
||||
close(tmp1);
|
||||
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
|
||||
diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/openbsd-compat/bindresvport.c
|
||||
--- openssh-6.8p1/openbsd-compat/bindresvport.c.coverity 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/bindresvport.c 2015-03-18 17:21:51.897264831 +0100
|
||||
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
|
||||
struct sockaddr_in6 *in6;
|
||||
u_int16_t *portp;
|
||||
@ -57,10 +137,20 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
|
||||
int i;
|
||||
|
||||
if (sa == NULL) {
|
||||
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
|
||||
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
|
||||
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
|
||||
@@ -157,7 +157,7 @@ killchild(int signo)
|
||||
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbsd-compat/port-linux.h
|
||||
--- openssh-6.8p1/openbsd-compat/port-linux.h.coverity 2015-03-18 17:21:51.861264906 +0100
|
||||
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 17:21:51.897264831 +0100
|
||||
@@ -37,4 +37,6 @@ void oom_adjust_restore(void);
|
||||
void oom_adjust_setup(void);
|
||||
#endif
|
||||
|
||||
+void linux_seed(void);
|
||||
+
|
||||
#endif /* ! _PORT_LINUX_H */
|
||||
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
|
||||
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
|
||||
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100
|
||||
@@ -156,7 +156,7 @@ killchild(int signo)
|
||||
{
|
||||
if (do_cmd_pid > 1) {
|
||||
kill(do_cmd_pid, signo ? signo : SIGTERM);
|
||||
@ -69,10 +159,10 @@ diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
|
||||
}
|
||||
|
||||
if (signo)
|
||||
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
|
||||
@@ -1547,7 +1547,7 @@ process_server_config_line(ServerOptions
|
||||
diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
|
||||
--- openssh-6.8p1/servconf.c.coverity 2015-03-18 17:21:51.893264839 +0100
|
||||
+++ openssh-6.8p1/servconf.c 2015-03-18 17:21:58.281251460 +0100
|
||||
@@ -1475,7 +1475,7 @@ process_server_config_line(ServerOptions
|
||||
fatal("%s line %d: Missing subsystem name.",
|
||||
filename, linenum);
|
||||
if (!*activep) {
|
||||
@ -81,7 +171,7 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
||||
break;
|
||||
}
|
||||
for (i = 0; i < options->num_subsystems; i++)
|
||||
@@ -1638,8 +1638,9 @@ process_server_config_line(ServerOptions
|
||||
@@ -1566,8 +1566,9 @@ process_server_config_line(ServerOptions
|
||||
if (*activep && *charptr == NULL) {
|
||||
*charptr = tilde_expand_filename(arg, getuid());
|
||||
/* increase optional counter */
|
||||
@ -93,10 +183,10 @@ diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
|
||||
}
|
||||
break;
|
||||
|
||||
diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
||||
--- openssh-7.4p1/serverloop.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/serverloop.c 2016-12-23 16:40:26.902788691 +0100
|
||||
@@ -125,13 +125,13 @@ notify_setup(void)
|
||||
diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
|
||||
--- openssh-6.8p1/serverloop.c.coverity 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/serverloop.c 2015-03-18 17:28:45.616436080 +0100
|
||||
@@ -147,13 +147,13 @@ notify_setup(void)
|
||||
static void
|
||||
notify_parent(void)
|
||||
{
|
||||
@ -112,7 +202,7 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
||||
FD_SET(notify_pipe[0], readset);
|
||||
}
|
||||
static void
|
||||
@@ -139,8 +139,8 @@ notify_done(fd_set *readset)
|
||||
@@ -161,8 +161,8 @@ notify_done(fd_set *readset)
|
||||
{
|
||||
char c;
|
||||
|
||||
@ -120,34 +210,197 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
|
||||
- while (read(notify_pipe[0], &c, 1) != -1)
|
||||
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
|
||||
+ while (read(notify_pipe[0], &c, 1) >= 0)
|
||||
debug2("%s: reading", __func__);
|
||||
debug2("notify_done: reading");
|
||||
}
|
||||
|
||||
@@ -518,7 +518,7 @@ server_request_tun(void)
|
||||
debug("%s: invalid tun", __func__);
|
||||
goto done;
|
||||
@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **rea
|
||||
* If we have buffered data, try to write some of that data
|
||||
* to the program.
|
||||
*/
|
||||
- if (fdin != -1 && buffer_len(&stdin_buffer) > 0)
|
||||
+ if (fdin >= 0 && buffer_len(&stdin_buffer) > 0)
|
||||
FD_SET(fdin, *writesetp);
|
||||
}
|
||||
- if (auth_opts->force_tun_device != -1) {
|
||||
+ if (auth_opts->force_tun_device >= 0) {
|
||||
if (tun != SSH_TUNID_ANY &&
|
||||
auth_opts->force_tun_device != (int)tun)
|
||||
notify_prepare(*readsetp);
|
||||
@@ -477,7 +477,7 @@ process_output(fd_set *writeset)
|
||||
int len;
|
||||
|
||||
/* Write buffered data to program stdin. */
|
||||
- if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) {
|
||||
+ if (!compat20 && fdin >= 0 && FD_ISSET(fdin, writeset)) {
|
||||
data = buffer_ptr(&stdin_buffer);
|
||||
dlen = buffer_len(&stdin_buffer);
|
||||
len = write(fdin, data, dlen);
|
||||
@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
set_nonblock(fdin);
|
||||
set_nonblock(fdout);
|
||||
/* we don't have stderr for interactive terminal sessions, see below */
|
||||
- if (fderr != -1)
|
||||
+ if (fderr >= 0)
|
||||
set_nonblock(fderr);
|
||||
|
||||
if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
|
||||
@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
max_fd = MAX(connection_in, connection_out);
|
||||
max_fd = MAX(max_fd, fdin);
|
||||
max_fd = MAX(max_fd, fdout);
|
||||
- if (fderr != -1)
|
||||
+ if (fderr >= 0)
|
||||
max_fd = MAX(max_fd, fderr);
|
||||
#endif
|
||||
|
||||
@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
* If we have received eof, and there is no more pending
|
||||
* input data, cause a real eof by closing fdin.
|
||||
*/
|
||||
- if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) {
|
||||
+ if (stdin_eof && fdin >= 0 && buffer_len(&stdin_buffer) == 0) {
|
||||
if (fdin != fdout)
|
||||
close(fdin);
|
||||
else
|
||||
@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int
|
||||
buffer_free(&stderr_buffer);
|
||||
|
||||
/* Close the file descriptors. */
|
||||
- if (fdout != -1)
|
||||
+ if (fdout >= 0)
|
||||
close(fdout);
|
||||
fdout = -1;
|
||||
fdout_eof = 1;
|
||||
- if (fderr != -1)
|
||||
+ if (fderr >= 0)
|
||||
close(fderr);
|
||||
fderr = -1;
|
||||
fderr_eof = 1;
|
||||
- if (fdin != -1)
|
||||
+ if (fdin >= 0)
|
||||
close(fdin);
|
||||
fdin = -1;
|
||||
|
||||
@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int
|
||||
|
||||
debug("Window change received.");
|
||||
packet_check_eom();
|
||||
- if (fdin != -1)
|
||||
+ if (fdin >= 0)
|
||||
pty_change_window_size(fdin, row, col, xpixel, ypixel);
|
||||
return 0;
|
||||
}
|
||||
@@ -1043,7 +1043,7 @@ server_request_tun(void)
|
||||
}
|
||||
|
||||
tun = packet_get_int();
|
||||
- if (forced_tun_device != -1) {
|
||||
+ if (forced_tun_device >= 0) {
|
||||
if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
|
||||
goto done;
|
||||
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
|
||||
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
|
||||
@@ -224,7 +224,7 @@ killchild(int signo)
|
||||
pid = sshpid;
|
||||
if (pid > 1) {
|
||||
kill(pid, SIGTERM);
|
||||
- waitpid(pid, NULL, 0);
|
||||
+ (void) waitpid(pid, NULL, 0);
|
||||
tun = forced_tun_device;
|
||||
diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
|
||||
--- openssh-6.8p1/sftp.c.coverity 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp.c 2015-03-18 17:21:58.283251456 +0100
|
||||
@@ -223,7 +223,7 @@ killchild(int signo)
|
||||
{
|
||||
if (sshpid > 1) {
|
||||
kill(sshpid, SIGTERM);
|
||||
- waitpid(sshpid, NULL, 0);
|
||||
+ (void) waitpid(sshpid, NULL, 0);
|
||||
}
|
||||
|
||||
_exit(1);
|
||||
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
||||
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
|
||||
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
|
||||
@@ -335,7 +335,7 @@ local_do_ls(const char *args)
|
||||
|
||||
/* Strip one path (usually the pwd) from the start of another */
|
||||
static char *
|
||||
-path_strip(char *path, char *strip)
|
||||
+path_strip(const char *path, const char *strip)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
@@ -353,7 +353,7 @@ path_strip(char *path, char *strip)
|
||||
}
|
||||
|
||||
static char *
|
||||
-make_absolute(char *p, char *pwd)
|
||||
+make_absolute(char *p, const char *pwd)
|
||||
{
|
||||
char *abs_str;
|
||||
|
||||
@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a
|
||||
}
|
||||
|
||||
static int
|
||||
-is_dir(char *path)
|
||||
+is_dir(const char *path)
|
||||
{
|
||||
struct stat sb;
|
||||
|
||||
@@ -563,7 +563,7 @@ is_dir(char *path)
|
||||
}
|
||||
|
||||
static int
|
||||
-remote_is_dir(struct sftp_conn *conn, char *path)
|
||||
+remote_is_dir(struct sftp_conn *conn, const char *path)
|
||||
{
|
||||
Attrib *a;
|
||||
|
||||
@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch
|
||||
|
||||
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
|
||||
static int
|
||||
-pathname_is_dir(char *pathname)
|
||||
+pathname_is_dir(const char *pathname)
|
||||
{
|
||||
size_t l = strlen(pathname);
|
||||
|
||||
@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname)
|
||||
}
|
||||
|
||||
static int
|
||||
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag, int resume, int fflag)
|
||||
{
|
||||
char *abs_src = NULL;
|
||||
@@ -669,7 +669,7 @@ out:
|
||||
}
|
||||
|
||||
static int
|
||||
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
|
||||
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
|
||||
int pflag, int rflag, int resume, int fflag)
|
||||
{
|
||||
char *tmp_dst = NULL;
|
||||
@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void
|
||||
|
||||
/* sftp ls.1 replacement for directories */
|
||||
static int
|
||||
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
|
||||
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
|
||||
{
|
||||
int n;
|
||||
u_int c = 1, colspace = 0, columns = 1;
|
||||
@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char *
|
||||
|
||||
/* sftp ls.1 replacement which handles path globs */
|
||||
static int
|
||||
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
|
||||
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
|
||||
int lflag)
|
||||
{
|
||||
char *fname, *lname;
|
||||
@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
|
||||
}
|
||||
|
||||
static int
|
||||
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
|
||||
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
|
||||
{
|
||||
struct sftp_statvfs st;
|
||||
char s_used[FMT_SCALED_STRSIZE];
|
||||
diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
|
||||
--- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100
|
||||
@@ -1166,8 +1166,8 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
/* drop */
|
||||
@ -156,14 +409,14 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
|
||||
+ (void) setegid(getgid());
|
||||
+ (void) setgid(getgid());
|
||||
|
||||
platform_disable_tracing(0); /* strict=no */
|
||||
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
|
||||
/* Disable ptrace on Linux without sgid bit */
|
||||
diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
|
||||
--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100
|
||||
+++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100
|
||||
@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
|
||||
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
||||
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
|
||||
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
|
||||
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
|
||||
|
||||
privsep_preauth_child(ssh);
|
||||
privsep_preauth_child();
|
||||
setproctitle("%s", "[net]");
|
||||
- if (box != NULL)
|
||||
+ if (box != NULL) {
|
||||
@ -173,13 +426,24 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
explicit_bzero(rnd, sizeof(rnd));
|
||||
}
|
||||
@@ -1518,6 +1520,9 @@ server_accept_loop(int *sock_in, int *so
|
||||
if (num_listen_socks < 0)
|
||||
break;
|
||||
}
|
||||
+
|
||||
+ if (fdset != NULL)
|
||||
+ free(fdset);
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
diff -up openssh-6.8p1/sshkey.c.coverity openssh-6.8p1/sshkey.c
|
||||
--- openssh-6.8p1/sshkey.c.coverity 2015-03-18 17:21:58.285251452 +0100
|
||||
+++ openssh-6.8p1/sshkey.c 2015-03-18 17:45:32.232705363 +0100
|
||||
@@ -58,6 +58,7 @@
|
||||
#include "digest.h"
|
||||
#define SSHKEY_INTERNAL
|
||||
#include "sshkey.h"
|
||||
+#include "log.h"
|
||||
#include "match.h"
|
||||
|
||||
/* openssh private key file format */
|
||||
|
140
openssh-6.7p1-debian-restore-tcp-wrappers.patch
Normal file
140
openssh-6.7p1-debian-restore-tcp-wrappers.patch
Normal file
@ -0,0 +1,140 @@
|
||||
diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
|
||||
--- openssh/configure.ac.tcp_wrappers 2015-06-24 11:41:04.519293694 +0200
|
||||
+++ openssh/configure.ac 2015-06-24 11:41:04.556293600 +0200
|
||||
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
|
||||
]
|
||||
)
|
||||
|
||||
+# Check whether user wants TCP wrappers support
|
||||
+TCPW_MSG="no"
|
||||
+AC_ARG_WITH([tcp-wrappers],
|
||||
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ saved_LIBS="$LIBS"
|
||||
+ saved_LDFLAGS="$LDFLAGS"
|
||||
+ saved_CPPFLAGS="$CPPFLAGS"
|
||||
+ if test -n "${withval}" && \
|
||||
+ test "x${withval}" != "xyes"; then
|
||||
+ if test -d "${withval}/lib"; then
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ else
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval} ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test -d "${withval}/include"; then
|
||||
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
||||
+ else
|
||||
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ LIBS="-lwrap $LIBS"
|
||||
+ AC_MSG_CHECKING([for libwrap])
|
||||
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <netinet/in.h>
|
||||
+#include <tcpd.h>
|
||||
+int deny_severity = 0, allow_severity = 0;
|
||||
+ ]], [[
|
||||
+ hosts_access(0);
|
||||
+ ]])], [
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE([LIBWRAP], [1],
|
||||
+ [Define if you want
|
||||
+ TCP Wrappers support])
|
||||
+ SSHDLIBS="$SSHDLIBS -lwrap"
|
||||
+ TCPW_MSG="yes"
|
||||
+ ], [
|
||||
+ AC_MSG_ERROR([*** libwrap missing])
|
||||
+
|
||||
+ ])
|
||||
+ LIBS="$saved_LIBS"
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Check whether user wants to use ldns
|
||||
LDNS_MSG="no"
|
||||
AC_ARG_WITH(ldns,
|
||||
@@ -5034,6 +5090,7 @@ echo " KerberosV support
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
echo " Smartcard support: $SCARD_MSG"
|
||||
echo " S/KEY support: $SKEY_MSG"
|
||||
+echo " TCP Wrappers support: $TCPW_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
|
||||
--- openssh/sshd.8.tcp_wrappers 2015-06-24 11:41:04.527293674 +0200
|
||||
+++ openssh/sshd.8 2015-06-24 11:41:04.556293600 +0200
|
||||
@@ -860,6 +860,12 @@ the user's home directory becomes access
|
||||
This file should be writable only by the user, and need not be
|
||||
readable by anyone else.
|
||||
.Pp
|
||||
+.It Pa /etc/hosts.allow
|
||||
+.It Pa /etc/hosts.deny
|
||||
+Access controls that should be enforced by tcp-wrappers are defined here.
|
||||
+Further details are described in
|
||||
+.Xr hosts_access 5 .
|
||||
+.Pp
|
||||
.It Pa /etc/hosts.equiv
|
||||
This file is for host-based authentication (see
|
||||
.Xr ssh 1 ) .
|
||||
@@ -983,6 +989,7 @@ IPv6 address can be used everywhere wher
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
+.Xr hosts_access 5 ,
|
||||
.Xr login.conf 5 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd_config 5 ,
|
||||
diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
|
||||
--- openssh/sshd.c.tcp_wrappers 2015-06-24 11:41:04.549293618 +0200
|
||||
+++ openssh/sshd.c 2015-06-24 11:41:53.331169536 +0200
|
||||
@@ -125,6 +125,13 @@
|
||||
#include "version.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
+#ifdef LIBWRAP
|
||||
+#include <tcpd.h>
|
||||
+#include <syslog.h>
|
||||
+int allow_severity;
|
||||
+int deny_severity;
|
||||
+#endif /* LIBWRAP */
|
||||
+
|
||||
#ifndef O_NOCTTY
|
||||
#define O_NOCTTY 0
|
||||
#endif
|
||||
@@ -2158,6 +2165,24 @@ main(int ac, char **av)
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_connection_from(remote_ip, remote_port);
|
||||
#endif
|
||||
+#ifdef LIBWRAP
|
||||
+ allow_severity = options.log_facility|LOG_INFO;
|
||||
+ deny_severity = options.log_facility|LOG_WARNING;
|
||||
+ /* Check whether logins are denied from this host. */
|
||||
+ if (packet_connection_is_on_socket()) {
|
||||
+ struct request_info req;
|
||||
+
|
||||
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
|
||||
+ fromhost(&req);
|
||||
+
|
||||
+ if (!hosts_access(&req)) {
|
||||
+ debug("Connection refused by tcp wrapper");
|
||||
+ refuse(&req);
|
||||
+ /* NOTREACHED */
|
||||
+ fatal("libwrap refuse returns");
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* LIBWRAP */
|
||||
|
||||
/* Log the connection. */
|
||||
laddr = get_local_ipaddr(sock_in);
|
@ -2,34 +2,34 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
||||
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
|
||||
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
|
||||
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
|
||||
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
|
||||
SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
|
||||
SSH_KEYCAT=$(libexecdir)/ssh-keycat
|
||||
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
|
||||
+SSH_CAVS=$(libexecdir)/ssh-cavs
|
||||
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
|
||||
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
|
||||
PRIVSEP_PATH=@PRIVSEP_PATH@
|
||||
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
|
||||
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
|
||||
MANFMT=@MANFMT@
|
||||
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
|
||||
|
||||
.SUFFIXES: .lo
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
||||
|
||||
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
|
||||
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
|
||||
|
||||
XMSS_OBJS=\
|
||||
ssh-xmss.o \
|
||||
LIBOPENSSH_OBJS=\
|
||||
ssh_api.o \
|
||||
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
|
||||
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
|
||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
|
||||
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o
|
||||
+ $(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
|
||||
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
|
||||
@@ -331,6 +335,8 @@ install-files:
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
|
||||
fi
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
|
||||
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
|
||||
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
|
||||
@ -40,7 +40,7 @@ diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
|
||||
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
|
||||
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
|
||||
@@ -0,0 +1,387 @@
|
||||
@@ -0,0 +1,383 @@
|
||||
+/*
|
||||
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
|
||||
+ *
|
||||
@ -88,12 +88,11 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||
+#include <openssl/bn.h>
|
||||
+
|
||||
+#include "xmalloc.h"
|
||||
+#include "sshbuf.h"
|
||||
+#include "sshkey.h"
|
||||
+#include "buffer.h"
|
||||
+#include "key.h"
|
||||
+#include "cipher.h"
|
||||
+#include "kex.h"
|
||||
+#include "packet.h"
|
||||
+#include "digest.h"
|
||||
+
|
||||
+static int bin_char(unsigned char hex)
|
||||
+{
|
||||
@ -208,7 +207,6 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ struct kex kex;
|
||||
+ struct sshbuf *Kb = NULL;
|
||||
+ BIGNUM *Kbn = NULL;
|
||||
+ int mode = 0;
|
||||
+ struct newkeys *ctoskeys;
|
||||
@ -223,17 +221,10 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||
+ Kbn = BN_new();
|
||||
+ BN_bin2bn(test->K, test->Klen, Kbn);
|
||||
+ if (!Kbn) {
|
||||
+ printf("cannot convert K into bignum\n");
|
||||
+ printf("cannot convert K into BIGNUM\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ Kb = sshbuf_new();
|
||||
+ if (!Kb) {
|
||||
+ printf("cannot convert K into sshbuf\n");
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ sshbuf_put_bignum2(Kb, Kbn);
|
||||
+
|
||||
+ kex.session_id = test->session_id;
|
||||
+ kex.session_id_len = test->session_id_len;
|
||||
@ -243,16 +234,16 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||
+ /* select the right hash based on struct ssh_digest digests */
|
||||
+ switch (test->ik_len) {
|
||||
+ case 20:
|
||||
+ kex.hash_alg = SSH_DIGEST_SHA1;
|
||||
+ kex.hash_alg = 2;
|
||||
+ break;
|
||||
+ case 32:
|
||||
+ kex.hash_alg = SSH_DIGEST_SHA256;
|
||||
+ kex.hash_alg = 3;
|
||||
+ break;
|
||||
+ case 48:
|
||||
+ kex.hash_alg = SSH_DIGEST_SHA384;
|
||||
+ kex.hash_alg = 4;
|
||||
+ break;
|
||||
+ case 64:
|
||||
+ kex.hash_alg = SSH_DIGEST_SHA512;
|
||||
+ kex.hash_alg = 5;
|
||||
+ break;
|
||||
+ default:
|
||||
+ printf("Wrong hash type %u\n", test->ik_len);
|
||||
@ -293,7 +284,7 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||
+ goto out;
|
||||
+ }
|
||||
+ ssh->kex = &kex;
|
||||
+ kex_derive_keys(ssh, test->H, test->Hlen, Kb);
|
||||
+ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
|
||||
+
|
||||
+ ctoskeys = kex.newkeys[0];
|
||||
+ stockeys = kex.newkeys[1];
|
||||
@ -326,11 +317,16 @@ diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
|
||||
+ hex, HEXOUTLEN, 0);
|
||||
+ printf("Integrity key (server to client) = %s\n", hex);
|
||||
+
|
||||
+ free(ctoskeys);
|
||||
+ free(stockeys);
|
||||
+
|
||||
+out:
|
||||
+ if (Kbn)
|
||||
+ BN_free(Kbn);
|
||||
+ if (Kb)
|
||||
+ sshbuf_free(Kb);
|
||||
+ if (kex.newkeys[0])
|
||||
+ free(kex.newkeys[0]);
|
||||
+ if (kex.newkeys[1])
|
||||
+ free(kex.newkeys[1]);
|
||||
+ if (ssh)
|
||||
+ ssh_packet_close(ssh);
|
||||
+ return ret;
|
||||
|
2721
openssh-6.7p1-ldap.patch
Normal file
2721
openssh-6.7p1-ldap.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,31 +1,29 @@
|
||||
diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8
|
||||
--- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100
|
||||
+++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200
|
||||
diff -up openssh-6.8p1/sftp-server.8.sftp-force-mode openssh-6.8p1/sftp-server.8
|
||||
--- openssh-6.8p1/sftp-server.8.sftp-force-mode 2015-03-17 06:49:20.000000000 +0100
|
||||
+++ openssh-6.8p1/sftp-server.8 2015-03-18 13:18:05.898306477 +0100
|
||||
@@ -38,6 +38,7 @@
|
||||
.Op Fl P Ar denied_requests
|
||||
.Op Fl p Ar allowed_requests
|
||||
.Op Fl P Ar blacklisted_requests
|
||||
.Op Fl p Ar whitelisted_requests
|
||||
.Op Fl u Ar umask
|
||||
+.Op Fl m Ar force_file_perms
|
||||
.Ek
|
||||
.Nm
|
||||
.Fl Q Ar protocol_feature
|
||||
@@ -138,6 +139,12 @@ Sets an explicit
|
||||
@@ -138,6 +139,10 @@ Sets an explicit
|
||||
.Xr umask 2
|
||||
to be applied to newly-created files and directories, instead of the
|
||||
user's default mask.
|
||||
+.It Fl m Ar force_file_perms
|
||||
+Sets explicit file permissions to be applied to newly-created files instead
|
||||
+of the default or client requested mode. Numeric values include:
|
||||
+777, 755, 750, 666, 644, 640, etc. Using both -m and -u switches makes the
|
||||
+umask (-u) effective only for newly created directories and explicit mode (-m)
|
||||
+for newly created files.
|
||||
+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set.
|
||||
.El
|
||||
.Pp
|
||||
On some systems,
|
||||
diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
|
||||
--- openssh-7.2p2/sftp-server.c.sftp-force-mode 2016-06-23 16:18:20.446854128 +0200
|
||||
+++ openssh-7.2p2/sftp-server.c 2016-06-23 16:20:37.950766082 +0200
|
||||
@@ -69,6 +69,10 @@ struct sshbuf *oqueue;
|
||||
diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
|
||||
--- openssh-6.8p1/sftp-server.c.sftp-force-mode 2015-03-18 13:18:05.883306513 +0100
|
||||
+++ openssh-6.8p1/sftp-server.c 2015-03-18 13:18:36.697232193 +0100
|
||||
@@ -70,6 +70,10 @@ struct sshbuf *oqueue;
|
||||
/* Version of client */
|
||||
static u_int version;
|
||||
|
||||
@ -36,44 +34,27 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
|
||||
/* SSH2_FXP_INIT received */
|
||||
static int init_done;
|
||||
|
||||
@@ -683,6 +687,7 @@ process_open(u_int32_t id)
|
||||
Attrib a;
|
||||
char *name;
|
||||
int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
|
||||
+ mode_t old_umask = 0;
|
||||
|
||||
if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
|
||||
(r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
|
||||
@@ -692,6 +697,10 @@ process_open(u_int32_t id)
|
||||
@@ -693,6 +697,10 @@ process_open(u_int32_t id)
|
||||
debug3("request %u: open flags %d", id, pflags);
|
||||
flags = flags_from_portable(pflags);
|
||||
mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
|
||||
+ if (permforce == 1) { /* Force perm if -m is set */
|
||||
+ mode = permforcemode;
|
||||
+ old_umask = umask(0); /* so umask does not interfere */
|
||||
+ (void)umask(0); /* so umask does not interfere */
|
||||
+ }
|
||||
logit("open \"%s\" flags %s mode 0%o",
|
||||
name, string_from_portable(pflags), mode);
|
||||
if (readonly &&
|
||||
@@ -713,6 +722,8 @@ process_open(u_int32_t id)
|
||||
}
|
||||
}
|
||||
}
|
||||
+ if (permforce == 1)
|
||||
+ (void) umask(old_umask); /* restore umask to something sane */
|
||||
if (status != SSH2_FX_OK)
|
||||
send_status(id, status);
|
||||
free(name);
|
||||
@@ -1494,7 +1505,7 @@ sftp_server_usage(void)
|
||||
@@ -1495,7 +1503,7 @@ sftp_server_usage(void)
|
||||
fprintf(stderr,
|
||||
"usage: %s [-ehR] [-d start_directory] [-f log_facility] "
|
||||
"[-l log_level]\n\t[-P denied_requests] "
|
||||
- "[-p allowed_requests] [-u umask]\n"
|
||||
+ "[-p allowed_requests] [-u umask] [-m force_file_perms]\n"
|
||||
"[-l log_level]\n\t[-P blacklisted_requests] "
|
||||
- "[-p whitelisted_requests] [-u umask]\n"
|
||||
+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n"
|
||||
" %s -Q protocol_feature\n",
|
||||
__progname, __progname);
|
||||
exit(1);
|
||||
@@ -1520,7 +1531,7 @@ sftp_server_main(int argc, char **argv,
|
||||
@@ -1520,7 +1528,7 @@ sftp_server_main(int argc, char **argv,
|
||||
pw = pwcopy(user_pw);
|
||||
|
||||
while (!skipargs && (ch = getopt(argc, argv,
|
||||
@ -82,7 +63,7 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c
|
||||
switch (ch) {
|
||||
case 'Q':
|
||||
if (strcasecmp(optarg, "requests") != 0) {
|
||||
@@ -1580,6 +1591,15 @@ sftp_server_main(int argc, char **argv,
|
||||
@@ -1580,6 +1588,15 @@ sftp_server_main(int argc, char **argv,
|
||||
fatal("Invalid umask \"%s\"", optarg);
|
||||
(void)umask((mode_t)mask);
|
||||
break;
|
||||
|
25
openssh-6.8p1-memory-problems.patch
Normal file
25
openssh-6.8p1-memory-problems.patch
Normal file
@ -0,0 +1,25 @@
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index ad5869b..0255ed3 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -1910,6 +1910,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
dst->n = src->n; \
|
||||
} while (0)
|
||||
|
||||
+ u_int i;
|
||||
+
|
||||
M_CP_INTOPT(password_authentication);
|
||||
M_CP_INTOPT(gss_authentication);
|
||||
M_CP_INTOPT(rsa_authentication);
|
||||
@@ -1947,8 +1949,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
|
||||
} while(0)
|
||||
#define M_CP_STRARRAYOPT(n, num_n) do {\
|
||||
if (src->num_n != 0) { \
|
||||
+ for (i = 0; i < dst->num_n; i++) \
|
||||
+ free(dst->n[i]); \
|
||||
for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \
|
||||
- dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \
|
||||
+ dst->n[dst->num_n] = src->n[dst->num_n]; \
|
||||
} \
|
||||
} while(0)
|
||||
|
@ -3,10 +3,25 @@ diff -up openssh/servconf.c.sshdt openssh/servconf.c
|
||||
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
|
||||
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||
dump_cfg_string(sCiphers, o->ciphers);
|
||||
dump_cfg_string(sMacs, o->macs);
|
||||
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
||||
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
||||
- dump_cfg_string(sBanner, o->banner);
|
||||
+ dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
|
||||
diff -up openssh/ssh.1.sshdt openssh/ssh.1
|
||||
--- openssh/ssh.1.sshdt 2015-06-24 11:42:19.565102807 +0200
|
||||
+++ openssh/ssh.1 2015-06-24 11:42:29.042078701 +0200
|
||||
@@ -441,7 +441,11 @@ For full details of the options listed b
|
||||
.It GatewayPorts
|
||||
.It GlobalKnownHostsFile
|
||||
.It GSSAPIAuthentication
|
||||
+.It GSSAPIKeyExchange
|
||||
+.It GSSAPIClientIdentity
|
||||
.It GSSAPIDelegateCredentials
|
||||
+.It GSSAPIRenewalForcesRekey
|
||||
+.It GSSAPITrustDNS
|
||||
.It HashKnownHosts
|
||||
.It Host
|
||||
.It HostbasedAuthentication
|
||||
|
12
openssh-6.9p1-permit-root-login.patch
Normal file
12
openssh-6.9p1-permit-root-login.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up openssh-7.0p1/sshd_config.root-login openssh-7.0p1/sshd_config
|
||||
--- openssh-7.0p1/sshd_config.root-login 2015-08-12 11:29:12.919269245 +0200
|
||||
+++ openssh-7.0p1/sshd_config 2015-08-12 11:31:03.653096466 +0200
|
||||
@@ -46,7 +46,7 @@ SyslogFacility AUTHPRIV
|
||||
# Authentication:
|
||||
|
||||
#LoginGraceTime 2m
|
||||
-#PermitRootLogin prohibit-password
|
||||
+PermitRootLogin yes
|
||||
#StrictModes yes
|
||||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
42
openssh-6.9p1-scp-progressmeter.patch
Normal file
42
openssh-6.9p1-scp-progressmeter.patch
Normal file
@ -0,0 +1,42 @@
|
||||
diff --git a/progressmeter.c b/progressmeter.c
|
||||
index 319b747..b54738c 100644
|
||||
--- a/progressmeter.c
|
||||
+++ b/progressmeter.c
|
||||
@@ -66,7 +66,8 @@ static void update_progress_meter(int);
|
||||
|
||||
static time_t start; /* start progress */
|
||||
static time_t last_update; /* last progress update */
|
||||
-static const char *file; /* name of the file being transferred */
|
||||
+static char *file; /* name of the file being transferred */
|
||||
+static size_t file_len = 0; /* allocated length of file */
|
||||
static off_t start_pos; /* initial position of transfer */
|
||||
static off_t end_pos; /* ending position of transfer */
|
||||
static off_t cur_pos; /* transfer position as of last refresh */
|
||||
@@ -250,7 +251,11 @@ update_progress_meter(int ignore)
|
||||
start_progress_meter(const char *f, off_t filesize, off_t *ctr)
|
||||
{
|
||||
start = last_update = monotime();
|
||||
- file = f;
|
||||
+ if (strlen(f) > file_len) {
|
||||
+ file_len = strlen(f);
|
||||
+ file = realloc(file, file_len * 4 + 1);
|
||||
+ }
|
||||
+ sanitize_utf8(file, f, file_len);
|
||||
start_pos = *ctr;
|
||||
end_pos = filesize;
|
||||
cur_pos = 0;
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index ac45b05..6978081 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -173,8 +173,8 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
-scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
|
||||
- $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
|
||||
+ $(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
32
openssh-6.9p1-seccomp-secondary.patch
Normal file
32
openssh-6.9p1-seccomp-secondary.patch
Normal file
@ -0,0 +1,32 @@
|
||||
diff -up openssh/configure.ac.seccomp openssh/configure.ac
|
||||
diff -up openssh/sandbox-seccomp-filter.c.seccomp openssh/sandbox-seccomp-filter.c
|
||||
--- openssh/sandbox-seccomp-filter.c.seccomp 2015-06-24 11:45:44.001581471 +0200
|
||||
+++ openssh/sandbox-seccomp-filter.c 2015-06-24 11:51:54.032635297 +0200
|
||||
@@ -165,6 +165,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR__newselect
|
||||
SC_ALLOW(_newselect),
|
||||
#endif
|
||||
+#ifdef __NR_pselect6 /* AArch64 */
|
||||
+ SC_ALLOW(pselect6),
|
||||
+#endif
|
||||
#ifdef __NR_poll
|
||||
SC_ALLOW(poll),
|
||||
#endif
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 24378a7..0bed910 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -811,6 +811,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
|
||||
aarch64*-*)
|
||||
seccomp_audit_arch=AUDIT_ARCH_AARCH64
|
||||
;;
|
||||
+ s390x-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_S390X
|
||||
+ ;;
|
||||
+ s390-*)
|
||||
+ seccomp_audit_arch=AUDIT_ARCH_S390
|
||||
+ ;;
|
||||
esac
|
||||
if test "x$seccomp_audit_arch" != "x" ; then
|
||||
AC_MSG_RESULT(["$seccomp_audit_arch"])
|
||||
|
416
openssh-7.0p1-gssKexAlgorithms.patch
Normal file
416
openssh-7.0p1-gssKexAlgorithms.patch
Normal file
@ -0,0 +1,416 @@
|
||||
diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
|
||||
--- openssh-7.0p1/gss-genr.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
||||
+++ openssh-7.0p1/gss-genr.c 2015-08-19 12:28:38.078518839 +0200
|
||||
@@ -78,7 +78,8 @@ ssh_gssapi_oid_table_ok() {
|
||||
*/
|
||||
|
||||
char *
|
||||
-ssh_gssapi_client_mechanisms(const char *host, const char *client) {
|
||||
+ssh_gssapi_client_mechanisms(const char *host, const char *client,
|
||||
+ const char *kex) {
|
||||
gss_OID_set gss_supported;
|
||||
OM_uint32 min_status;
|
||||
|
||||
@@ -86,12 +87,12 @@ ssh_gssapi_client_mechanisms(const char
|
||||
return NULL;
|
||||
|
||||
return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism,
|
||||
- host, client));
|
||||
+ host, client, kex));
|
||||
}
|
||||
|
||||
char *
|
||||
ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check,
|
||||
- const char *host, const char *client) {
|
||||
+ const char *host, const char *client, const char *kex) {
|
||||
Buffer buf;
|
||||
size_t i;
|
||||
int oidpos, enclen;
|
||||
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
char deroid[2];
|
||||
const EVP_MD *evp_md = EVP_md5();
|
||||
EVP_MD_CTX md;
|
||||
+ char *s, *cp, *p;
|
||||
|
||||
if (gss_enc2oid != NULL) {
|
||||
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
|
||||
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
buffer_init(&buf);
|
||||
|
||||
oidpos = 0;
|
||||
+ s = cp = xstrdup(kex);
|
||||
for (i = 0; i < gss_supported->count; i++) {
|
||||
if (gss_supported->elements[i].length < 128 &&
|
||||
(*check)(NULL, &(gss_supported->elements[i]), host, client)) {
|
||||
@@ -131,26 +134,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
|
||||
enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
|
||||
encoded, EVP_MD_size(evp_md) * 2);
|
||||
|
||||
- if (oidpos != 0)
|
||||
- buffer_put_char(&buf, ',');
|
||||
-
|
||||
- buffer_append(&buf, KEX_GSS_GEX_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GEX_SHA1_ID) - 1);
|
||||
- buffer_append(&buf, encoded, enclen);
|
||||
- buffer_put_char(&buf, ',');
|
||||
- buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1);
|
||||
- buffer_append(&buf, encoded, enclen);
|
||||
- buffer_put_char(&buf, ',');
|
||||
- buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID,
|
||||
- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1);
|
||||
- buffer_append(&buf, encoded, enclen);
|
||||
+ cp = strncpy(s, kex, strlen(kex));
|
||||
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
+ (p = strsep(&cp, ","))) {
|
||||
+ if (buffer_len(&buf) != 0)
|
||||
+ buffer_put_char(&buf, ',');
|
||||
+ buffer_append(&buf, p,
|
||||
+ strlen(p));
|
||||
+ buffer_append(&buf, encoded, enclen);
|
||||
+ }
|
||||
|
||||
gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
|
||||
gss_enc2oid[oidpos].encoded = encoded;
|
||||
oidpos++;
|
||||
}
|
||||
}
|
||||
+ free(s);
|
||||
gss_enc2oid[oidpos].oid = NULL;
|
||||
gss_enc2oid[oidpos].encoded = NULL;
|
||||
|
||||
diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
|
||||
--- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
|
||||
+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
|
||||
@@ -150,7 +150,7 @@ ssh_gssapi_server_mechanisms() {
|
||||
|
||||
ssh_gssapi_supported_oids(&supported);
|
||||
return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech,
|
||||
- NULL, NULL));
|
||||
+ NULL, NULL, options.gss_kex_algorithms));
|
||||
}
|
||||
|
||||
/* Unprivileged */
|
||||
diff -up openssh-7.0p1/kex.c.gsskexalg openssh-7.0p1/kex.c
|
||||
--- openssh-7.0p1/kex.c.gsskexalg 2015-08-19 12:28:38.078518839 +0200
|
||||
+++ openssh-7.0p1/kex.c 2015-08-19 12:30:13.249306371 +0200
|
||||
@@ -50,6 +50,7 @@
|
||||
#include "misc.h"
|
||||
#include "dispatch.h"
|
||||
#include "monitor.h"
|
||||
+#include "xmalloc.h"
|
||||
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
@@ -232,6 +232,29 @@ kex_assemble_names(const char *def, char
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* Validate GSS KEX method name list */
|
||||
+int
|
||||
+gss_kex_names_valid(const char *names)
|
||||
+{
|
||||
+ char *s, *cp, *p;
|
||||
+
|
||||
+ if (names == NULL || *names == '\0')
|
||||
+ return 0;
|
||||
+ s = cp = xstrdup(names);
|
||||
+ for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
+ (p = strsep(&cp, ","))) {
|
||||
+ if (strncmp(p, "gss-", 4) != 0
|
||||
+ || kex_alg_by_name(p) == NULL) {
|
||||
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
+ free(s);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ debug3("gss kex names ok: [%s]", names);
|
||||
+ free(s);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
/* put algorithm proposal into buffer */
|
||||
int
|
||||
kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX])
|
||||
diff -up openssh-7.0p1/kex.h.gsskexalg openssh-7.0p1/kex.h
|
||||
--- openssh-7.0p1/kex.h.gsskexalg 2015-08-19 12:28:38.078518839 +0200
|
||||
+++ openssh-7.0p1/kex.h 2015-08-19 12:30:52.404218958 +0200
|
||||
@@ -173,6 +173,7 @@ int kex_names_valid(const char *);
|
||||
char *kex_alg_list(char);
|
||||
char *kex_names_cat(const char *, const char *);
|
||||
int kex_assemble_names(const char *, char **);
|
||||
+int gss_kex_names_valid(const char *);
|
||||
|
||||
int kex_new(struct ssh *, char *[PROPOSAL_MAX], struct kex **);
|
||||
int kex_setup(struct ssh *, char *[PROPOSAL_MAX]);
|
||||
diff -up openssh-7.0p1/readconf.c.gsskexalg openssh-7.0p1/readconf.c
|
||||
--- openssh-7.0p1/readconf.c.gsskexalg 2015-08-19 12:28:38.026518955 +0200
|
||||
+++ openssh-7.0p1/readconf.c 2015-08-19 12:31:28.333138747 +0200
|
||||
@@ -61,6 +61,7 @@
|
||||
#include "uidswap.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "ssh-gss.h"
|
||||
|
||||
/* Format of the configuration file:
|
||||
|
||||
@@ -148,7 +149,7 @@ typedef enum {
|
||||
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
|
||||
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
|
||||
oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey,
|
||||
- oGssServerIdentity,
|
||||
+ oGssServerIdentity, oGssKexAlgorithms,
|
||||
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
|
||||
oSendEnv, oControlPath, oControlMaster, oControlPersist,
|
||||
oHashKnownHosts,
|
||||
@@ -200,6 +201,7 @@ static struct {
|
||||
{ "gssapiclientidentity", oGssClientIdentity },
|
||||
{ "gssapiserveridentity", oGssServerIdentity },
|
||||
{ "gssapirenewalforcesrekey", oGssRenewalRekey },
|
||||
+ { "gssapikexalgorithms", oGssKexAlgorithms },
|
||||
#else
|
||||
{ "gssapiauthentication", oUnsupported },
|
||||
{ "gssapikeyexchange", oUnsupported },
|
||||
@@ -207,6 +209,7 @@ static struct {
|
||||
{ "gssapitrustdns", oUnsupported },
|
||||
{ "gssapiclientidentity", oUnsupported },
|
||||
{ "gssapirenewalforcesrekey", oUnsupported },
|
||||
+ { "gssapikexalgorithms", oUnsupported },
|
||||
#endif
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
@@ -929,6 +932,18 @@ parse_time:
|
||||
intptr = &options->gss_renewal_rekey;
|
||||
goto parse_flag;
|
||||
|
||||
+ case oGssKexAlgorithms:
|
||||
+ arg = strdelim(&s);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.",
|
||||
+ filename, linenum);
|
||||
+ if (!gss_kex_names_valid(arg))
|
||||
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
||||
+ filename, linenum, arg ? arg : "<NONE>");
|
||||
+ if (*activep && options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = xstrdup(arg);
|
||||
+ break;
|
||||
+
|
||||
case oBatchMode:
|
||||
intptr = &options->batch_mode;
|
||||
goto parse_flag;
|
||||
@@ -1638,6 +1653,7 @@ initialize_options(Options * options)
|
||||
options->gss_renewal_rekey = -1;
|
||||
options->gss_client_identity = NULL;
|
||||
options->gss_server_identity = NULL;
|
||||
+ options->gss_kex_algorithms = NULL;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->kbd_interactive_devices = NULL;
|
||||
@@ -1773,6 +1789,10 @@ fill_default_options(Options * options)
|
||||
options->gss_trust_dns = 0;
|
||||
if (options->gss_renewal_rekey == -1)
|
||||
options->gss_renewal_rekey = 0;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||
+#endif
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
diff -up openssh-7.0p1/readconf.h.gsskexalg openssh-7.0p1/readconf.h
|
||||
--- openssh-7.0p1/readconf.h.gsskexalg 2015-08-19 12:28:38.026518955 +0200
|
||||
+++ openssh-7.0p1/readconf.h 2015-08-19 12:28:38.079518836 +0200
|
||||
@@ -51,6 +51,7 @@ typedef struct {
|
||||
int gss_renewal_rekey; /* Credential renewal forces rekey */
|
||||
char *gss_client_identity; /* Principal to initiate GSSAPI with */
|
||||
char *gss_server_identity; /* GSSAPI target principal */
|
||||
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
||||
int password_authentication; /* Try password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
|
||||
diff -up openssh-7.0p1/servconf.c.gsskexalg openssh-7.0p1/servconf.c
|
||||
--- openssh-7.0p1/servconf.c.gsskexalg 2015-08-19 12:28:38.074518847 +0200
|
||||
+++ openssh-7.0p1/servconf.c 2015-08-19 12:33:13.599902732 +0200
|
||||
@@ -57,6 +57,7 @@
|
||||
#include "auth.h"
|
||||
#include "myproposal.h"
|
||||
#include "digest.h"
|
||||
+#include "ssh-gss.h"
|
||||
|
||||
static void add_listen_addr(ServerOptions *, char *, int);
|
||||
static void add_one_listen_addr(ServerOptions *, char *, int);
|
||||
@@ -121,6 +122,7 @@ initialize_server_options(ServerOptions
|
||||
options->gss_cleanup_creds = -1;
|
||||
options->gss_strict_acceptor = -1;
|
||||
options->gss_store_rekey = -1;
|
||||
+ options->gss_kex_algorithms = NULL;
|
||||
options->password_authentication = -1;
|
||||
options->kbd_interactive_authentication = -1;
|
||||
options->challenge_response_authentication = -1;
|
||||
@@ -288,6 +290,10 @@ fill_default_server_options(ServerOption
|
||||
options->gss_strict_acceptor = 0;
|
||||
if (options->gss_store_rekey == -1)
|
||||
options->gss_store_rekey = 0;
|
||||
+#ifdef GSSAPI
|
||||
+ if (options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX);
|
||||
+#endif
|
||||
if (options->password_authentication == -1)
|
||||
options->password_authentication = 1;
|
||||
if (options->kbd_interactive_authentication == -1)
|
||||
@@ -427,7 +431,7 @@ typedef enum {
|
||||
sHostKeyAlgorithms,
|
||||
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
|
||||
sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
|
||||
- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
|
||||
+ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel,
|
||||
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
|
||||
sUsePrivilegeSeparation, sAllowAgentForwarding,
|
||||
sHostCertificate,
|
||||
@@ -506,6 +510,7 @@ static struct {
|
||||
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
|
||||
{ "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL },
|
||||
+ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -513,6 +518,7 @@ static struct {
|
||||
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapienablek5users", sUnsupported, SSHCFG_ALL },
|
||||
+ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1273,6 +1279,18 @@ process_server_config_line(ServerOptions
|
||||
intptr = &options->gss_store_rekey;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sGssKexAlgorithms:
|
||||
+ arg = strdelim(&cp);
|
||||
+ if (!arg || *arg == '\0')
|
||||
+ fatal("%.200s line %d: Missing argument.",
|
||||
+ filename, linenum);
|
||||
+ if (!gss_kex_names_valid(arg))
|
||||
+ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.",
|
||||
+ filename, linenum, arg ? arg : "<NONE>");
|
||||
+ if (*activep && options->gss_kex_algorithms == NULL)
|
||||
+ options->gss_kex_algorithms = xstrdup(arg);
|
||||
+ break;
|
||||
+
|
||||
case sPasswordAuthentication:
|
||||
intptr = &options->password_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2304,6 +2322,7 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
|
||||
dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
|
||||
dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
|
||||
+ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms);
|
||||
#endif
|
||||
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
|
||||
dump_cfg_fmtint(sKbdInteractiveAuthentication,
|
||||
diff -up openssh-7.0p1/servconf.h.gsskexalg openssh-7.0p1/servconf.h
|
||||
--- openssh-7.0p1/servconf.h.gsskexalg 2015-08-19 12:28:38.080518834 +0200
|
||||
+++ openssh-7.0p1/servconf.h 2015-08-19 12:34:46.328693944 +0200
|
||||
@@ -122,6 +122,7 @@ typedef struct {
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
|
||||
int gss_store_rekey;
|
||||
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
|
||||
int password_authentication; /* If true, permit password
|
||||
* authentication. */
|
||||
int kbd_interactive_authentication; /* If true, permit */
|
||||
diff -up openssh-7.0p1/ssh.1.gsskexalg openssh-7.0p1/ssh.1
|
||||
--- openssh-7.0p1/ssh.1.gsskexalg 2015-08-19 12:28:38.081518832 +0200
|
||||
+++ openssh-7.0p1/ssh.1 2015-08-19 12:35:31.741591692 +0200
|
||||
@@ -496,6 +496,7 @@ For full details of the options listed b
|
||||
.It GSSAPIDelegateCredentials
|
||||
.It GSSAPIRenewalForcesRekey
|
||||
.It GSSAPITrustDNS
|
||||
+.It GSSAPIKexAlgorithms
|
||||
.It HashKnownHosts
|
||||
.It Host
|
||||
.It HostbasedAuthentication
|
||||
diff -up openssh-7.0p1/ssh_config.5.gsskexalg openssh-7.0p1/ssh_config.5
|
||||
--- openssh-7.0p1/ssh_config.5.gsskexalg 2015-08-19 12:28:38.028518950 +0200
|
||||
+++ openssh-7.0p1/ssh_config.5 2015-08-19 12:28:38.082518830 +0200
|
||||
@@ -786,6 +786,18 @@ command line will be passed untouched to
|
||||
command line will be passed untouched to the GSSAPI library.
|
||||
The default is
|
||||
.Dq no .
|
||||
+.It Cm GSSAPIKexAlgorithms
|
||||
+The list of key exchange algorithms that are offered for GSSAPI
|
||||
+key exchange. Possible values are
|
||||
+.Bd -literal -offset 3n
|
||||
+gss-gex-sha1-,
|
||||
+gss-group1-sha1-,
|
||||
+gss-group14-sha1-
|
||||
+.Ed
|
||||
+.Pp
|
||||
+The default is
|
||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
diff -up openssh-7.0p1/sshconnect2.c.gsskexalg openssh-7.0p1/sshconnect2.c
|
||||
--- openssh-7.0p1/sshconnect2.c.gsskexalg 2015-08-19 12:28:38.045518912 +0200
|
||||
+++ openssh-7.0p1/sshconnect2.c 2015-08-19 12:28:38.081518832 +0200
|
||||
@@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
else
|
||||
gss_host = host;
|
||||
|
||||
- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
|
||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||
if (gss) {
|
||||
debug("Offering GSSAPI proposal: %s", gss);
|
||||
xasprintf(&options.kex_algorithms,
|
||||
--- openssh-7.1p1/sshd_config.5.gsskexalg 2015-12-10 15:32:48.105418092 +0100
|
||||
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:33:47.771279548 +0100
|
||||
@@ -663,6 +663,18 @@ or updated credentials from a compatible
|
||||
For this to work
|
||||
.Cm GSSAPIKeyExchange
|
||||
needs to be enabled in the server and also used by the client.
|
||||
+.It Cm GSSAPIKexAlgorithms
|
||||
+The list of key exchange algorithms that are accepted by GSSAPI
|
||||
+key exchange. Possible values are
|
||||
+.Bd -literal -offset 3n
|
||||
+gss-gex-sha1-,
|
||||
+gss-group1-sha1-,
|
||||
+gss-group14-sha1-
|
||||
+.Ed
|
||||
+.Pp
|
||||
+The default is
|
||||
+.Dq gss-gex-sha1-,gss-group14-sha1- .
|
||||
+This option only applies to protocol version 2 connections using GSSAPI.
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a comma-separated pattern list.
|
||||
diff -up openssh-7.0p1/ssh-gss.h.gsskexalg openssh-7.0p1/ssh-gss.h
|
||||
--- openssh-7.0p1/ssh-gss.h.gsskexalg 2015-08-19 12:28:38.031518944 +0200
|
||||
+++ openssh-7.0p1/ssh-gss.h 2015-08-19 12:28:38.081518832 +0200
|
||||
@@ -76,6 +76,10 @@ extern char **k5users_allowed_cmds;
|
||||
#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-"
|
||||
#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-"
|
||||
|
||||
+#define GSS_KEX_DEFAULT_KEX \
|
||||
+ KEX_GSS_GEX_SHA1_ID "," \
|
||||
+ KEX_GSS_GRP14_SHA1_ID
|
||||
+
|
||||
typedef struct {
|
||||
char *filename;
|
||||
char *envvar;
|
||||
@@ -147,9 +151,9 @@ int ssh_gssapi_credentials_updated(Gssct
|
||||
/* In the server */
|
||||
typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *,
|
||||
const char *);
|
||||
-char *ssh_gssapi_client_mechanisms(const char *, const char *);
|
||||
+char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *);
|
||||
char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *,
|
||||
- const char *);
|
||||
+ const char *, const char *);
|
||||
gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
|
||||
int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *,
|
||||
const char *);
|
345
openssh-7.0p1-show-more-fingerprints.patch
Normal file
345
openssh-7.0p1-show-more-fingerprints.patch
Normal file
@ -0,0 +1,345 @@
|
||||
From e1d58c44bd911e5ee4dddb6205e16eb9a03cc736 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Fri, 7 Aug 2015 10:18:54 +0200
|
||||
Subject: [PATCH] Possibility tu specify more fingerprint algorithms on client
|
||||
side for smother transition
|
||||
|
||||
---
|
||||
clientloop.c | 8 ++++----
|
||||
readconf.c | 43 +++++++++++++++++++++++++++++--------------
|
||||
readconf.h | 4 +++-
|
||||
ssh_config.5 | 4 ++--
|
||||
sshconnect.c | 48 +++++++++++++++++++++++++++---------------------
|
||||
sshconnect2.c | 6 +++---
|
||||
6 files changed, 68 insertions(+), 45 deletions(-)
|
||||
|
||||
diff --git a/clientloop.c b/clientloop.c
|
||||
index 87ceb3d..4553114 100644
|
||||
--- a/clientloop.c
|
||||
+++ b/clientloop.c
|
||||
@@ -2194,7 +2194,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||
if (ctx->keys_seen[i] != 2)
|
||||
continue;
|
||||
if ((fp = sshkey_fingerprint(ctx->keys[i],
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
do_log2(loglevel, "Learned new hostkey: %s %s",
|
||||
sshkey_type(ctx->keys[i]), fp);
|
||||
@@ -2202,7 +2202,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||
}
|
||||
for (i = 0; i < ctx->nold; i++) {
|
||||
if ((fp = sshkey_fingerprint(ctx->old_keys[i],
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __func__);
|
||||
do_log2(loglevel, "Deprecating obsolete hostkey: %s %s",
|
||||
sshkey_type(ctx->old_keys[i]), fp);
|
||||
@@ -2245,7 +2245,7 @@ update_known_hosts(struct hostkeys_update_ctx *ctx)
|
||||
(r = hostfile_replace_entries(options.user_hostfiles[0],
|
||||
ctx->host_str, ctx->ip_str, ctx->keys, ctx->nkeys,
|
||||
options.hash_known_hosts, 0,
|
||||
- options.fingerprint_hash)) != 0)
|
||||
+ options.fingerprint_hash[0])) != 0)
|
||||
error("%s: hostfile_replace_entries failed: %s",
|
||||
__func__, ssh_err(r));
|
||||
}
|
||||
@@ -2358,7 +2358,7 @@ client_input_hostkeys(void)
|
||||
error("%s: parse key: %s", __func__, ssh_err(r));
|
||||
goto out;
|
||||
}
|
||||
- fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT);
|
||||
debug3("%s: received %s key %s", __func__,
|
||||
sshkey_type(key), fp);
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 1d03bdf..6af4c62 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -1471,16 +1471,18 @@ parse_keytypes:
|
||||
goto parse_string;
|
||||
|
||||
case oFingerprintHash:
|
||||
- intptr = &options->fingerprint_hash;
|
||||
- arg = strdelim(&s);
|
||||
- if (!arg || *arg == '\0')
|
||||
- fatal("%.200s line %d: Missing argument.",
|
||||
- filename, linenum);
|
||||
- if ((value = ssh_digest_alg_by_name(arg)) == -1)
|
||||
- fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
|
||||
- filename, linenum, arg);
|
||||
- if (*activep && *intptr == -1)
|
||||
- *intptr = value;
|
||||
+ if (*activep && options->num_fingerprint_hash == 0)
|
||||
+ while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
|
||||
+ value = ssh_digest_alg_by_name(arg);
|
||||
+ if (value == -1)
|
||||
+ fatal("%s line %d: unknown fingerprints algorithm specs: %s.",
|
||||
+ filename, linenum, arg);
|
||||
+ if (options->num_fingerprint_hash >= SSH_DIGEST_MAX)
|
||||
+ fatal("%s line %d: too many fingerprints algorithm specs.",
|
||||
+ filename, linenum);
|
||||
+ options->fingerprint_hash[
|
||||
+ options->num_fingerprint_hash++] = value;
|
||||
+ }
|
||||
break;
|
||||
|
||||
case oUpdateHostkeys:
|
||||
@@ -1673,7 +1675,7 @@ initialize_options(Options * options)
|
||||
options->canonicalize_fallback_local = -1;
|
||||
options->canonicalize_hostname = -1;
|
||||
options->revoked_host_keys = NULL;
|
||||
- options->fingerprint_hash = -1;
|
||||
+ options->num_fingerprint_hash = 0;
|
||||
options->update_hostkeys = -1;
|
||||
options->hostbased_key_types = NULL;
|
||||
options->pubkey_key_types = NULL;
|
||||
@@ -1851,8 +1853,10 @@ fill_default_options(Options * options)
|
||||
options->canonicalize_fallback_local = 1;
|
||||
if (options->canonicalize_hostname == -1)
|
||||
options->canonicalize_hostname = SSH_CANONICALISE_NO;
|
||||
- if (options->fingerprint_hash == -1)
|
||||
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
||||
+ if (options->num_fingerprint_hash == 0) {
|
||||
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_SHA256;
|
||||
+ options->fingerprint_hash[options->num_fingerprint_hash++] = SSH_DIGEST_MD5;
|
||||
+ }
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
||||
@@ -2189,6 +2193,17 @@ dump_cfg_strarray(OpCodes code, u_int count, char **vals)
|
||||
}
|
||||
|
||||
static void
|
||||
+dump_cfg_fmtarray(OpCodes code, u_int count, int *vals)
|
||||
+{
|
||||
+ u_int i;
|
||||
+
|
||||
+ printf("%s", lookup_opcode_name(code));
|
||||
+ for (i = 0; i < count; i++)
|
||||
+ printf(" %s", fmt_intarg(code, vals[i]));
|
||||
+ printf("\n");
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
dump_cfg_strarray_oneline(OpCodes code, u_int count, char **vals)
|
||||
{
|
||||
u_int i;
|
||||
@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host)
|
||||
dump_cfg_fmtint(oControlMaster, o->control_master);
|
||||
dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
|
||||
dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
|
||||
- dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
|
||||
dump_cfg_fmtint(oForwardAgent, o->forward_agent);
|
||||
dump_cfg_fmtint(oForwardX11, o->forward_x11);
|
||||
dump_cfg_fmtint(oForwardX11Trusted, o->forward_x11_trusted);
|
||||
@@ -2328,6 +2342,7 @@ dump_client_config(Options *o, const char *host)
|
||||
dump_cfg_strarray_oneline(oGlobalKnownHostsFile, o->num_system_hostfiles, o->system_hostfiles);
|
||||
dump_cfg_strarray_oneline(oUserKnownHostsFile, o->num_user_hostfiles, o->user_hostfiles);
|
||||
dump_cfg_strarray(oSendEnv, o->num_send_env, o->send_env);
|
||||
+ dump_cfg_fmtarray(oFingerprintHash, o->num_fingerprint_hash, o->fingerprint_hash);
|
||||
|
||||
/* Special cases */
|
||||
|
||||
diff --git a/readconf.h b/readconf.h
|
||||
index bb2d552..d817f92 100644
|
||||
--- a/readconf.h
|
||||
+++ b/readconf.h
|
||||
@@ -21,6 +21,7 @@
|
||||
#define MAX_SEND_ENV 256
|
||||
#define SSH_MAX_HOSTS_FILES 32
|
||||
#define MAX_CANON_DOMAINS 32
|
||||
+#define MAX_SSH_DIGESTS 32
|
||||
#define PATH_MAX_SUN (sizeof((struct sockaddr_un *)0)->sun_path)
|
||||
|
||||
struct allowed_cname {
|
||||
@@ -146,7 +147,8 @@ typedef struct {
|
||||
|
||||
char *revoked_host_keys;
|
||||
|
||||
- int fingerprint_hash;
|
||||
+ int num_fingerprint_hash;
|
||||
+ int fingerprint_hash[MAX_SSH_DIGESTS];
|
||||
|
||||
int update_hostkeys; /* one of SSH_UPDATE_HOSTKEYS_* */
|
||||
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index 5b0975f..e8e6458 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -647,13 +647,13 @@ or
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm FingerprintHash
|
||||
-Specifies the hash algorithm used when displaying key fingerprints.
|
||||
+Specifies the hash algorithms used when displaying key fingerprints.
|
||||
Valid options are:
|
||||
.Dq md5
|
||||
and
|
||||
.Dq sha256 .
|
||||
The default is
|
||||
-.Dq sha256 .
|
||||
+.Dq "sha256 md5".
|
||||
.It Cm ForwardAgent
|
||||
Specifies whether the connection to the authentication agent (if any)
|
||||
will be forwarded to the remote machine.
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index f41960c..e12932f 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -920,9 +920,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
"of known hosts.", type, ip);
|
||||
} else if (options.visual_host_key) {
|
||||
fp = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
||||
ra = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
||||
if (fp == NULL || ra == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
logit("Host key fingerprint is %s\n%s", fp, ra);
|
||||
@@ -964,12 +964,6 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
else
|
||||
snprintf(msg1, sizeof(msg1), ".");
|
||||
/* The default */
|
||||
- fp = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
- ra = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||
- if (fp == NULL || ra == NULL)
|
||||
- fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
msg2[0] = '\0';
|
||||
if (options.verify_host_key_dns) {
|
||||
if (matching_host_key_dns)
|
||||
@@ -983,16 +977,28 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
}
|
||||
snprintf(msg, sizeof(msg),
|
||||
"The authenticity of host '%.200s (%s)' can't be "
|
||||
- "established%s\n"
|
||||
- "%s key fingerprint is %s.%s%s\n%s"
|
||||
+ "established%s\n", host, ip, msg1);
|
||||
+ for (i = 0; i < options.num_fingerprint_hash; i++) {
|
||||
+ fp = sshkey_fingerprint(host_key,
|
||||
+ options.fingerprint_hash[i], SSH_FP_DEFAULT);
|
||||
+ ra = sshkey_fingerprint(host_key,
|
||||
+ options.fingerprint_hash[i], SSH_FP_RANDOMART);
|
||||
+ if (fp == NULL || ra == NULL)
|
||||
+ fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
+ len = strlen(msg);
|
||||
+ snprintf(msg+len, sizeof(msg)-len,
|
||||
+ "%s key fingerprint is %s.%s%s\n%s",
|
||||
+ type, fp,
|
||||
+ options.visual_host_key ? "\n" : "",
|
||||
+ options.visual_host_key ? ra : "",
|
||||
+ msg2);
|
||||
+ free(ra);
|
||||
+ free(fp);
|
||||
+ }
|
||||
+ len = strlen(msg);
|
||||
+ snprintf(msg+len, sizeof(msg)-len,
|
||||
"Are you sure you want to continue connecting "
|
||||
- "(yes/no)? ",
|
||||
- host, ip, msg1, type, fp,
|
||||
- options.visual_host_key ? "\n" : "",
|
||||
- options.visual_host_key ? ra : "",
|
||||
- msg2);
|
||||
- free(ra);
|
||||
- free(fp);
|
||||
+ "(yes/no)? ");
|
||||
if (!confirm(msg))
|
||||
goto fail;
|
||||
hostkey_trusted = 1; /* user explicitly confirmed */
|
||||
@@ -1241,7 +1247,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||
struct sshkey *plain = NULL;
|
||||
|
||||
if ((fp = sshkey_fingerprint(host_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: fingerprint host key: %s", __func__, ssh_err(r));
|
||||
r = -1;
|
||||
goto out;
|
||||
@@ -1405,9 +1411,9 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
|
||||
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
|
||||
continue;
|
||||
fp = sshkey_fingerprint(found->key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT);
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT);
|
||||
ra = sshkey_fingerprint(found->key,
|
||||
- options.fingerprint_hash, SSH_FP_RANDOMART);
|
||||
+ options.fingerprint_hash[0], SSH_FP_RANDOMART);
|
||||
if (fp == NULL || ra == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
logit("WARNING: %s key found for host %s\n"
|
||||
@@ -1430,7 +1436,7 @@ warn_changed_key(Key *host_key)
|
||||
{
|
||||
char *fp;
|
||||
|
||||
- fp = sshkey_fingerprint(host_key, options.fingerprint_hash,
|
||||
+ fp = sshkey_fingerprint(host_key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT);
|
||||
if (fp == NULL)
|
||||
fatal("%s: sshkey_fingerprint fail", __func__);
|
||||
diff --git a/sshconnect2.c b/sshconnect2.c
|
||||
index 7751031..82ed92e 100644
|
||||
--- a/sshconnect2.c
|
||||
+++ b/sshconnect2.c
|
||||
@@ -589,7 +589,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
|
||||
key->type, pktype);
|
||||
goto done;
|
||||
}
|
||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
goto done;
|
||||
debug2("input_userauth_pk_ok: fp %s", fp);
|
||||
@@ -1009,7 +1009,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
|
||||
int matched, ret = -1, have_sig = 1;
|
||||
char *fp;
|
||||
|
||||
- if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(id->key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
return 0;
|
||||
debug3("%s: %s %s", __func__, key_type(id->key), fp);
|
||||
@@ -1635,7 +1635,7 @@ userauth_hostbased(Authctxt *authctxt)
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if ((fp = sshkey_fingerprint(private, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(private, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: sshkey_fingerprint failed", __func__);
|
||||
goto out;
|
||||
diff --git a/ssh-keysign.c b/ssh-keysign.c
|
||||
index 1dca3e2..23bff7d 100644
|
||||
--- a/ssh-keysign.c
|
||||
+++ b/ssh-keysign.c
|
||||
@@ -275,7 +275,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
if (!found) {
|
||||
- if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
|
||||
+ if ((fp = sshkey_fingerprint(key, options.fingerprint_hash[0],
|
||||
SSH_FP_DEFAULT)) == NULL)
|
||||
fatal("%s: sshkey_fingerprint failed", __progname);
|
||||
fatal("no matching hostkey found for key %s %s",
|
||||
|
||||
--
|
||||
2.1.0
|
||||
|
||||
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index de7ace6..f16e606 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -1262,7 +1262,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
|
||||
|
||||
if (sshkey_is_cert(host_key)) {
|
||||
if ((cafp = sshkey_fingerprint(host_key->cert->signature_key,
|
||||
- options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
|
||||
+ options.fingerprint_hash[0], SSH_FP_DEFAULT)) == NULL) {
|
||||
error("%s: fingerprint CA key: %s",
|
||||
__func__, ssh_err(r));
|
||||
r = -1;
|
47
openssh-7.1p1-gssapi-documentation.patch
Normal file
47
openssh-7.1p1-gssapi-documentation.patch
Normal file
@ -0,0 +1,47 @@
|
||||
diff -up openssh-7.1p1/ssh_config.5.gss-docs openssh-7.1p1/ssh_config.5
|
||||
--- openssh-7.1p1/ssh_config.5.gss-docs 2015-12-10 15:28:47.451966457 +0100
|
||||
+++ openssh-7.1p1/ssh_config.5 2015-12-10 15:30:28.070738047 +0100
|
||||
@@ -773,15 +773,26 @@ Note that this option applies to protoco
|
||||
If set to
|
||||
.Dq yes
|
||||
then renewal of the client's GSSAPI credentials will force the rekeying of the
|
||||
-ssh connection. With a compatible server, this can delegate the renewed
|
||||
+ssh connection. With a compatible server, this will delegate the renewed
|
||||
credentials to a session on the server.
|
||||
+.Pp
|
||||
+Checks are made to ensure that credentials are only propagated when the new
|
||||
+credentials match the old ones on the originating client and where the
|
||||
+receiving server still has the old set in its cache.
|
||||
+.Pp
|
||||
The default is
|
||||
.Dq no .
|
||||
+.Pp
|
||||
+For this to work
|
||||
+.Cm GSSAPIKeyExchange
|
||||
+needs to be enabled in the server and also used by the client.
|
||||
.It Cm GSSAPITrustDns
|
||||
Set to
|
||||
-.Dq yes to indicate that the DNS is trusted to securely canonicalize
|
||||
+.Dq yes
|
||||
+to indicate that the DNS is trusted to securely canonicalize
|
||||
the name of the host being connected to. If
|
||||
-.Dq no, the hostname entered on the
|
||||
+.Dq no ,
|
||||
+the hostname entered on the
|
||||
command line will be passed untouched to the GSSAPI library.
|
||||
The default is
|
||||
.Dq no .
|
||||
diff -up openssh-7.1p1/sshd_config.5.gss-docs openssh-7.1p1/sshd_config.5
|
||||
--- openssh-7.1p1/sshd_config.5.gss-docs 2015-12-10 15:28:47.453966452 +0100
|
||||
+++ openssh-7.1p1/sshd_config.5 2015-12-10 15:28:47.461966434 +0100
|
||||
@@ -653,6 +653,10 @@ Controls whether the user's GSSAPI crede
|
||||
successful connection rekeying. This option can be used to accepted renewed
|
||||
or updated credentials from a compatible client. The default is
|
||||
.Dq no .
|
||||
+.Pp
|
||||
+For this to work
|
||||
+.Cm GSSAPIKeyExchange
|
||||
+needs to be enabled in the server and also used by the client.
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a comma-separated pattern list.
|
31
openssh-7.1p1-iutf8.patch
Normal file
31
openssh-7.1p1-iutf8.patch
Normal file
@ -0,0 +1,31 @@
|
||||
diff --git a/PROTOCOL b/PROTOCOL
|
||||
index 131adfe..c828087 100644
|
||||
--- a/PROTOCOL
|
||||
+++ b/PROTOCOL
|
||||
@@ -328,6 +328,11 @@ a server may offer multiple keys of the same type for a period (to
|
||||
give clients an opportunity to learn them using this extension) before
|
||||
removing the deprecated key from those offered.
|
||||
|
||||
+2.6. connection: add IUTF8 terminal mode flag
|
||||
+
|
||||
+OpenSSH supports the IUTF8 terminal mode flag and encodes it in "pty-req"
|
||||
+messages as opcode value 42.
|
||||
+
|
||||
3. SFTP protocol changes
|
||||
|
||||
3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
|
||||
diff --git a/ttymodes.h b/ttymodes.h
|
||||
index 4d848fe..396ae88 100644
|
||||
--- a/ttymodes.h
|
||||
+++ b/ttymodes.h
|
||||
@@ -127,6 +127,9 @@ TTYMODE(IXOFF, c_iflag, 40)
|
||||
#ifdef IMAXBEL
|
||||
TTYMODE(IMAXBEL,c_iflag, 41)
|
||||
#endif /* IMAXBEL */
|
||||
+#ifdef IUTF8
|
||||
+TTYMODE(IUTF8, c_iflag, 42)
|
||||
+#endif /* IUTF8 */
|
||||
|
||||
TTYMODE(ISIG, c_lflag, 50)
|
||||
TTYMODE(ICANON, c_lflag, 51)
|
||||
|
@ -1,21 +1,21 @@
|
||||
diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
||||
--- openssh-7.4p1/monitor_wrap.c.audit-race 2016-12-23 16:35:52.694685771 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:35:52.697685772 +0100
|
||||
@@ -1107,4 +1107,50 @@ mm_audit_destroy_sensitive_data(const ch
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
|
||||
sshbuf_free(m);
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index 89a1762..fe98e08 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -1251,4 +1251,48 @@ mm_audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid)
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m);
|
||||
buffer_free(&m);
|
||||
}
|
||||
+
|
||||
+int mm_forward_audit_messages(int fdin)
|
||||
+{
|
||||
+ u_char buf[4];
|
||||
+ u_int blen, msg_len;
|
||||
+ struct sshbuf *m;
|
||||
+ int r, ret = 0;
|
||||
+ Buffer m;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ debug3("%s: entering", __func__);
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ buffer_init(&m);
|
||||
+ do {
|
||||
+ blen = atomicio(read, fdin, buf, sizeof(buf));
|
||||
+ if (blen == 0) /* closed pipe */
|
||||
@ -29,22 +29,21 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
||||
+ msg_len = get_u32(buf);
|
||||
+ if (msg_len > 256 * 1024)
|
||||
+ fatal("%s: read: bad msg_len %d", __func__, msg_len);
|
||||
+ sshbuf_reset(m);
|
||||
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to read the the buffer content from the child", __func__);
|
||||
+ buffer_clear(&m);
|
||||
+ buffer_append_space(&m, msg_len);
|
||||
+ if (atomicio(read, fdin, buffer_ptr(&m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to read the the buffer conent from the child", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
|
||||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to write the message to the monitor", __func__);
|
||||
+ atomicio(vwrite, pmonitor->m_recvfd, buffer_ptr(&m), msg_len) != msg_len) {
|
||||
+ error("%s: Failed to write the messag to the monitor", __func__);
|
||||
+ ret = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ } while (1);
|
||||
+ sshbuf_free(m);
|
||||
+ buffer_free(&m);
|
||||
+ return ret;
|
||||
+}
|
||||
+void mm_set_monitor_pipe(int fd)
|
||||
@ -52,22 +51,24 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
|
||||
+ pmonitor->m_recvfd = fd;
|
||||
+}
|
||||
#endif /* SSH_AUDIT_EVENTS */
|
||||
diff -up openssh-7.4p1/monitor_wrap.h.audit-race openssh-7.4p1/monitor_wrap.h
|
||||
--- openssh-7.4p1/monitor_wrap.h.audit-race 2016-12-23 16:35:52.694685771 +0100
|
||||
+++ openssh-7.4p1/monitor_wrap.h 2016-12-23 16:35:52.698685772 +0100
|
||||
@@ -83,6 +83,8 @@ void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(struct ssh *, int, char *, char *, char *, char *, pid_t, uid_t);
|
||||
void mm_audit_session_key_free_body(struct ssh *, int, pid_t, uid_t);
|
||||
void mm_audit_destroy_sensitive_data(struct ssh *, const char *, pid_t, uid_t);
|
||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||
index e73134e..fbfe395 100644
|
||||
--- a/monitor_wrap.h
|
||||
+++ b/monitor_wrap.h
|
||||
@@ -86,6 +86,8 @@ void mm_audit_unsupported_body(int);
|
||||
void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
|
||||
void mm_audit_session_key_free_body(int, pid_t, uid_t);
|
||||
void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
|
||||
+int mm_forward_audit_messages(int);
|
||||
+void mm_set_monitor_pipe(int);
|
||||
#endif
|
||||
|
||||
struct Session;
|
||||
diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.audit-race 2016-12-23 16:35:52.695685771 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 16:37:26.339730596 +0100
|
||||
@@ -162,6 +162,10 @@ static Session *sessions = NULL;
|
||||
diff --git a/session.c b/session.c
|
||||
index 8949fd1..9afb764 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -159,6 +159,10 @@ static Session *sessions = NULL;
|
||||
login_cap_t *lc;
|
||||
#endif
|
||||
|
||||
@ -78,46 +79,18 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
static int is_child = 0;
|
||||
static int in_chroot = 0;
|
||||
static int have_dev_log = 1;
|
||||
@@ -289,6 +293,8 @@ xauth_valid_string(const char *s)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+void child_destory_sensitive_data(struct ssh *ssh);
|
||||
+
|
||||
#define USE_PIPES 1
|
||||
/*
|
||||
* This is called to fork and execute a command when we have no tty. This
|
||||
@@ -424,6 +430,8 @@ do_exec_no_pty(Session *s, const char *c
|
||||
close(err[0]);
|
||||
#endif
|
||||
|
||||
+ child_destory_sensitive_data(ssh);
|
||||
+
|
||||
/* Do processing for the child (exec command etc). */
|
||||
do_child(ssh, s, command);
|
||||
/* NOTREACHED */
|
||||
@@ -547,6 +555,9 @@ do_exec_pty(Session *s, const char *comm
|
||||
/* Close the extra descriptor for the pseudo tty. */
|
||||
close(ttyfd);
|
||||
|
||||
+ /* Do this early, so we will not block large MOTDs */
|
||||
+ child_destory_sensitive_data(ssh);
|
||||
+
|
||||
/* record login, etc. similar to login(1) */
|
||||
#ifndef HAVE_OSF_SIA
|
||||
do_login(ssh, s, command);
|
||||
@@ -717,6 +728,8 @@ do_exec(Session *s, const char *command)
|
||||
@@ -875,6 +879,8 @@ do_exec(Session *s, const char *command)
|
||||
}
|
||||
if (s->command != NULL && s->ptyfd == -1)
|
||||
s->command_handle = PRIVSEP(audit_run_command(ssh, s->command));
|
||||
s->command_handle = PRIVSEP(audit_run_command(s->command));
|
||||
+ if (pipe(paudit) < 0)
|
||||
+ fatal("pipe: %s", strerror(errno));
|
||||
#endif
|
||||
if (s->ttyfd != -1)
|
||||
ret = do_exec_pty(ssh, s, command);
|
||||
@@ -732,6 +745,20 @@ do_exec(Session *s, const char *command)
|
||||
ret = do_exec_pty(s, command);
|
||||
@@ -890,6 +896,20 @@ do_exec(Session *s, const char *command)
|
||||
*/
|
||||
sshbuf_reset(loginmsg);
|
||||
buffer_clear(&loginmsg);
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ close(paudit[1]);
|
||||
@ -136,13 +109,10 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -1538,6 +1565,34 @@ child_close_fds(void)
|
||||
log_redirect_stderr_to(NULL);
|
||||
}
|
||||
@@ -1707,12 +1727,28 @@ do_child(Session *s, const char *command)
|
||||
struct passwd *pw = s->pw;
|
||||
int r = 0;
|
||||
|
||||
+void
|
||||
+child_destory_sensitive_data(struct ssh *ssh)
|
||||
+{
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ int pparent = paudit[1];
|
||||
+ close(paudit[0]);
|
||||
@ -151,37 +121,23 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c
|
||||
+ mm_set_monitor_pipe(pparent);
|
||||
+#endif
|
||||
+
|
||||
+ /* remove hostkey from the child's memory */
|
||||
+ destroy_sensitive_data(ssh, use_privsep);
|
||||
/* remove hostkey from the child's memory */
|
||||
- destroy_sensitive_data(1);
|
||||
- /* Don't audit this - both us and the parent would be talking to the
|
||||
- monitor over a single socket, with no synchronization. */
|
||||
+ destroy_sensitive_data(use_privsep);
|
||||
+ /*
|
||||
+ * We can audit this, because we hacked the pipe to direct the
|
||||
+ * We can audit this, because wer hacked the pipe to direct the
|
||||
+ * messages over postauth child. But this message requires answer
|
||||
+ * which we can't do using one-way pipe.
|
||||
+ */
|
||||
+ packet_destroy_all(ssh, 0, 1);
|
||||
+ /* XXX this will clean the rest but should not audit anymore */
|
||||
+ /* packet_clear_keys(ssh); */
|
||||
+
|
||||
packet_destroy_all(0, 1);
|
||||
|
||||
+#ifdef SSH_AUDIT_EVENTS
|
||||
+ /* Notify parent that we are done */
|
||||
+ close(pparent);
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Performs common processing for the child, such as setting up the
|
||||
* environment, closing extra file descriptors, setting the user and group
|
||||
@@ -1554,13 +1608,6 @@ do_child(Session *s, const char *command
|
||||
|
||||
sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
|
||||
|
||||
- /* remove hostkey from the child's memory */
|
||||
- destroy_sensitive_data(ssh, 1);
|
||||
- ssh_packet_clear_keys(ssh);
|
||||
- /* Don't audit this - both us and the parent would be talking to the
|
||||
- monitor over a single socket, with no synchronization. */
|
||||
- packet_destroy_all(ssh, 0, 1);
|
||||
-
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
do_setusercontext(pw);
|
||||
|
2283
openssh-7.2p1-audit.patch
Normal file
2283
openssh-7.2p1-audit.patch
Normal file
File diff suppressed because it is too large
Load Diff
661
openssh-7.2p1-fips.patch
Normal file
661
openssh-7.2p1-fips.patch
Normal file
@ -0,0 +1,661 @@
|
||||
diff -up openssh-7.2p1/cipher.c.fips openssh-7.2p1/cipher.c
|
||||
--- openssh-7.2p1/cipher.c.fips 2016-02-12 18:53:56.083665235 +0100
|
||||
+++ openssh-7.2p1/cipher.c 2016-02-12 18:53:56.090665235 +0100
|
||||
@@ -39,6 +39,8 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
#include <string.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[]
|
||||
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
};
|
||||
|
||||
+static const struct sshcipher fips_ciphers[] = {
|
||||
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
|
||||
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
|
||||
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
|
||||
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
|
||||
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
|
||||
+ { "rijndael-cbc@lysator.liu.se",
|
||||
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
|
||||
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
|
||||
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
|
||||
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
|
||||
+#ifdef OPENSSL_HAVE_EVPGCM
|
||||
+ { "aes128-gcm@openssh.com",
|
||||
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
|
||||
+ { "aes256-gcm@openssh.com",
|
||||
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
|
||||
+#endif
|
||||
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
|
||||
+};
|
||||
+
|
||||
/*--*/
|
||||
|
||||
/* Returns a comma-separated list of supported ciphers. */
|
||||
@@ -109,7 +131,7 @@ cipher_alg_list(char sep, int auth_only)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct sshcipher *c;
|
||||
|
||||
- for (c = ciphers; c->name != NULL; c++) {
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
|
||||
if (c->number != SSH_CIPHER_SSH2)
|
||||
continue;
|
||||
if (auth_only && c->auth_len == 0)
|
||||
@@ -193,7 +215,7 @@ const struct sshcipher *
|
||||
cipher_by_name(const char *name)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (strcmp(c->name, name) == 0)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -203,7 +225,7 @@ const struct sshcipher *
|
||||
cipher_by_number(int id)
|
||||
{
|
||||
const struct sshcipher *c;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (c->number == id)
|
||||
return c;
|
||||
return NULL;
|
||||
@@ -244,7 +266,7 @@ cipher_number(const char *name)
|
||||
const struct sshcipher *c;
|
||||
if (name == NULL)
|
||||
return -1;
|
||||
- for (c = ciphers; c->name != NULL; c++)
|
||||
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
|
||||
if (strcasecmp(c->name, name) == 0)
|
||||
return c->number;
|
||||
return -1;
|
||||
diff -up openssh-7.2p1/cipher-ctr.c.fips openssh-7.2p1/cipher-ctr.c
|
||||
--- openssh-7.2p1/cipher-ctr.c.fips 2016-02-12 18:53:56.013665228 +0100
|
||||
+++ openssh-7.2p1/cipher-ctr.c 2016-02-12 18:53:56.090665235 +0100
|
||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
||||
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
||||
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
|
||||
+ EVP_CIPH_FLAG_FIPS;
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-7.2p1/dh.h.fips openssh-7.2p1/dh.h
|
||||
--- openssh-7.2p1/dh.h.fips 2016-02-12 18:53:56.090665235 +0100
|
||||
+++ openssh-7.2p1/dh.h 2016-02-12 18:54:48.425670204 +0100
|
||||
@@ -49,6 +49,7 @@ u_int dh_estimate(int);
|
||||
* Miniumum increased in light of DH precomputation attacks.
|
||||
*/
|
||||
#define DH_GRP_MIN 2048
|
||||
+#define DH_GRP_MIN_FIPS 2048
|
||||
#define DH_GRP_MAX 8192
|
||||
|
||||
/*
|
||||
diff -up openssh-7.2p1/entropy.c.fips openssh-7.2p1/entropy.c
|
||||
--- openssh-7.2p1/entropy.c.fips 2016-02-12 18:53:56.005665227 +0100
|
||||
+++ openssh-7.2p1/entropy.c 2016-02-12 18:53:56.091665235 +0100
|
||||
@@ -217,6 +217,9 @@ seed_rng(void)
|
||||
fatal("OpenSSL version mismatch. Built against %lx, you "
|
||||
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
|
||||
|
||||
+ /* clean the PRNG status when exiting the program */
|
||||
+ atexit(RAND_cleanup);
|
||||
+
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
if (RAND_status() == 1) {
|
||||
debug3("RNG is ready, skipping seeding");
|
||||
diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
|
||||
--- openssh-7.2p1/kex.c.fips 2016-02-12 18:53:56.084665234 +0100
|
||||
+++ openssh-7.2p1/kex.c 2016-02-12 18:53:56.091665235 +0100
|
||||
@@ -35,6 +35,7 @@
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
+#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
#include "ssh2.h"
|
||||
@@ -121,6 +122,25 @@ static const struct kexalg kexalgs[] = {
|
||||
{ NULL, -1, -1, -1},
|
||||
};
|
||||
|
||||
+static const struct kexalg kexalgs_fips[] = {
|
||||
+ { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
+#endif
|
||||
+#ifdef OPENSSL_HAS_ECC
|
||||
+ { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
|
||||
+ NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
|
||||
+ { KEX_ECDH_SHA2_NISTP384, KEX_ECDH_SHA2, NID_secp384r1,
|
||||
+ SSH_DIGEST_SHA384 },
|
||||
+# ifdef OPENSSL_HAS_NISTP521
|
||||
+ { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
|
||||
+ SSH_DIGEST_SHA512 },
|
||||
+# endif
|
||||
+#endif
|
||||
+ { NULL, -1, -1, -1},
|
||||
+};
|
||||
+
|
||||
char *
|
||||
kex_alg_list(char sep)
|
||||
{
|
||||
@@ -148,7 +168,7 @@ kex_alg_by_name(const char *name)
|
||||
{
|
||||
const struct kexalg *k;
|
||||
|
||||
- for (k = kexalgs; k->name != NULL; k++) {
|
||||
+ for (k = (FIPS_mode() ? kexalgs_fips : kexalgs); k->name != NULL; k++) {
|
||||
if (strcmp(k->name, name) == 0)
|
||||
return k;
|
||||
#ifdef GSSAPI
|
||||
@@ -174,7 +194,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
- error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
+ if (FIPS_mode())
|
||||
+ error("\"%.100s\" is not allowed in FIPS mode", p);
|
||||
+ else
|
||||
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
diff -up openssh-7.2p1/kexgexc.c.fips openssh-7.2p1/kexgexc.c
|
||||
--- openssh-7.2p1/kexgexc.c.fips 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/kexgexc.c 2016-02-12 18:53:56.091665235 +0100
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
|
||||
|
||||
nbits = dh_estimate(kex->dh_need * 8);
|
||||
|
||||
- kex->min = DH_GRP_MIN;
|
||||
+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
|
||||
kex->max = DH_GRP_MAX;
|
||||
kex->nbits = nbits;
|
||||
if (datafellows & SSH_BUG_DHGEX_LARGE)
|
||||
diff -up openssh-7.2p1/kexgexs.c.fips openssh-7.2p1/kexgexs.c
|
||||
--- openssh-7.2p1/kexgexs.c.fips 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/kexgexs.c 2016-02-12 18:53:56.091665235 +0100
|
||||
@@ -83,9 +83,9 @@ input_kex_dh_gex_request(int type, u_int
|
||||
kex->nbits = nbits;
|
||||
kex->min = min;
|
||||
kex->max = max;
|
||||
- min = MAX(DH_GRP_MIN, min);
|
||||
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
|
||||
max = MIN(DH_GRP_MAX, max);
|
||||
- nbits = MAX(DH_GRP_MIN, nbits);
|
||||
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
|
||||
nbits = MIN(DH_GRP_MAX, nbits);
|
||||
|
||||
if (kex->max < kex->min || kex->nbits < kex->min ||
|
||||
diff -up openssh-7.2p1/mac.c.fips openssh-7.2p1/mac.c
|
||||
--- openssh-7.2p1/mac.c.fips 2016-02-12 18:53:56.084665234 +0100
|
||||
+++ openssh-7.2p1/mac.c 2016-02-12 18:53:56.091665235 +0100
|
||||
@@ -27,6 +27,8 @@
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
|
||||
@@ -54,7 +56,7 @@ struct macalg {
|
||||
int etm; /* Encrypt-then-MAC */
|
||||
};
|
||||
|
||||
-static const struct macalg macs[] = {
|
||||
+static const struct macalg all_macs[] = {
|
||||
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
{ "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
{ "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
|
||||
@@ -85,6 +87,24 @@ static const struct macalg macs[] = {
|
||||
{ NULL, 0, 0, 0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
+static const struct macalg fips_macs[] = {
|
||||
+ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
|
||||
+ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { "hmac-sha2-256", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
|
||||
+ { "hmac-sha2-512", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
|
||||
+#endif
|
||||
+
|
||||
+ /* Encrypt-then-MAC variants */
|
||||
+ { "hmac-sha1-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+ { "hmac-sha2-256-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
|
||||
+ { "hmac-sha2-512-etm@openssh.com", SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
|
||||
+#endif
|
||||
+
|
||||
+ { NULL, 0, 0, 0, 0, 0, 0 }
|
||||
+};
|
||||
+
|
||||
/* Returns a list of supported MACs separated by the specified char. */
|
||||
char *
|
||||
mac_alg_list(char sep)
|
||||
@@ -93,7 +113,7 @@ mac_alg_list(char sep)
|
||||
size_t nlen, rlen = 0;
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
|
||||
if (ret != NULL)
|
||||
ret[rlen++] = sep;
|
||||
nlen = strlen(m->name);
|
||||
@@ -132,7 +152,7 @@ mac_setup(struct sshmac *mac, char *name
|
||||
{
|
||||
const struct macalg *m;
|
||||
|
||||
- for (m = macs; m->name != NULL; m++) {
|
||||
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
|
||||
if (strcmp(name, m->name) != 0)
|
||||
continue;
|
||||
if (mac != NULL)
|
||||
diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
|
||||
--- openssh-7.2p1/Makefile.in.fips 2016-02-12 18:53:56.085665235 +0100
|
||||
+++ openssh-7.2p1/Makefile.in 2016-02-12 18:53:56.092665235 +0100
|
||||
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
|
||||
$(RANLIB) $@
|
||||
|
||||
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
|
||||
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
|
||||
|
||||
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
|
||||
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
|
||||
|
||||
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
|
||||
$(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
|
||||
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
|
||||
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
|
||||
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
|
||||
- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
|
||||
|
||||
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
|
||||
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
|
||||
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
|
||||
$(LD) -o $@ ssh-cavs.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
|
||||
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
|
||||
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
|
||||
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
|
||||
|
||||
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
|
||||
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
|
||||
diff -up openssh-7.2p1/myproposal.h.fips openssh-7.2p1/myproposal.h
|
||||
--- openssh-7.2p1/myproposal.h.fips 2016-02-12 18:53:56.092665235 +0100
|
||||
+++ openssh-7.2p1/myproposal.h 2016-02-12 18:55:42.137675304 +0100
|
||||
@@ -129,6 +129,28 @@
|
||||
|
||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
||||
|
||||
+#define KEX_DEFAULT_KEX_FIPS \
|
||||
+ KEX_ECDH_METHODS \
|
||||
+ KEX_SHA256_METHODS \
|
||||
+ "diffie-hellman-group-exchange-sha1," \
|
||||
+ "diffie-hellman-group14-sha1"
|
||||
+#define KEX_FIPS_ENCRYPT \
|
||||
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||
+ "aes128-cbc,3des-cbc," \
|
||||
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se"
|
||||
+#ifdef HAVE_EVP_SHA256
|
||||
+#define KEX_FIPS_MAC \
|
||||
+ "hmac-sha1," \
|
||||
+ "hmac-sha2-256," \
|
||||
+ "hmac-sha2-512," \
|
||||
+ "hmac-sha1-etm@openssh.com," \
|
||||
+ "hmac-sha2-256-etm@openssh.com," \
|
||||
+ "hmac-sha2-512-etm@openssh.com"
|
||||
+#else
|
||||
+#define KEX_FIPS_MAC \
|
||||
+ "hmac-sha1"
|
||||
+#endif
|
||||
+
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
#define KEX_SERVER_KEX \
|
||||
diff -up openssh-7.2p1/readconf.c.fips openssh-7.2p1/readconf.c
|
||||
--- openssh-7.2p1/readconf.c.fips 2016-02-12 18:53:56.073665234 +0100
|
||||
+++ openssh-7.2p1/readconf.c 2016-02-12 18:53:56.092665235 +0100
|
||||
@@ -1969,9 +1969,12 @@ fill_default_options(Options * options)
|
||||
}
|
||||
if (options->update_hostkeys == -1)
|
||||
options->update_hostkeys = 0;
|
||||
- if (kex_assemble_names(KEX_CLIENT_ENCRYPT, &options->ciphers) != 0 ||
|
||||
- kex_assemble_names(KEX_CLIENT_MAC, &options->macs) != 0 ||
|
||||
- kex_assemble_names(KEX_CLIENT_KEX, &options->kex_algorithms) != 0 ||
|
||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
|
||||
+ : KEX_CLIENT_ENCRYPT), &options->ciphers) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
|
||||
+ : KEX_CLIENT_MAC), &options->macs) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
|
||||
+ : KEX_CLIENT_KEX), &options->kex_algorithms) != 0 ||
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
&options->hostbased_key_types) != 0 ||
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
diff -up openssh-7.2p1/servconf.c.fips openssh-7.2p1/servconf.c
|
||||
--- openssh-7.2p1/servconf.c.fips 2016-02-12 18:53:56.068665233 +0100
|
||||
+++ openssh-7.2p1/servconf.c 2016-02-12 18:56:52.185681954 +0100
|
||||
@@ -188,9 +188,12 @@ option_clear_or_none(const char *o)
|
||||
static void
|
||||
assemble_algorithms(ServerOptions *o)
|
||||
{
|
||||
- if (kex_assemble_names(KEX_SERVER_ENCRYPT, &o->ciphers) != 0 ||
|
||||
- kex_assemble_names(KEX_SERVER_MAC, &o->macs) != 0 ||
|
||||
- kex_assemble_names(KEX_SERVER_KEX, &o->kex_algorithms) != 0 ||
|
||||
+ if (kex_assemble_names((FIPS_mode() ? KEX_FIPS_ENCRYPT
|
||||
+ : KEX_SERVER_ENCRYPT), &o->ciphers) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_FIPS_MAC
|
||||
+ : KEX_SERVER_MAC), &o->macs) != 0 ||
|
||||
+ kex_assemble_names((FIPS_mode() ? KEX_DEFAULT_KEX_FIPS
|
||||
+ : KEX_SERVER_KEX), &o->kex_algorithms) != 0 ||
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
&o->hostkeyalgorithms) != 0 ||
|
||||
kex_assemble_names(KEX_DEFAULT_PK_ALG,
|
||||
@@ -2376,8 +2379,10 @@ dump_config(ServerOptions *o)
|
||||
/* string arguments */
|
||||
dump_cfg_string(sPidFile, o->pid_file);
|
||||
dump_cfg_string(sXAuthLocation, o->xauth_location);
|
||||
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
|
||||
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
|
||||
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
|
||||
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
|
||||
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
|
||||
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
|
||||
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
|
||||
dump_cfg_string(sForceCommand, o->adm_forced_command);
|
||||
dump_cfg_string(sChrootDirectory, o->chroot_directory);
|
||||
@@ -2392,8 +2397,8 @@ dump_config(ServerOptions *o)
|
||||
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
|
||||
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
|
||||
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
|
||||
- dump_cfg_string(sKexAlgorithms,
|
||||
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
|
||||
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
|
||||
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
|
||||
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
|
||||
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
|
||||
dump_cfg_string(sHostKeyAlgorithms, o->hostkeyalgorithms ?
|
||||
diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
|
||||
--- openssh-7.2p1/ssh.c.fips 2016-02-12 11:47:25.000000000 +0100
|
||||
+++ openssh-7.2p1/ssh.c 2016-02-12 18:53:56.093665236 +0100
|
||||
@@ -75,6 +75,8 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
+#include <openssl/fips.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -531,6 +533,14 @@ main(int ac, char **av)
|
||||
sanitise_stdfd();
|
||||
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL)){
|
||||
+ if (FIPS_mode())
|
||||
+ fatal("FIPS integrity verification test failed.");
|
||||
+ else
|
||||
+ logit("FIPS integrity verification test failed.");
|
||||
+ }
|
||||
|
||||
#ifndef HAVE_SETPROCTITLE
|
||||
/* Prepare for later setproctitle emulation */
|
||||
@@ -608,6 +618,9 @@ main(int ac, char **av)
|
||||
"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
|
||||
switch (opt) {
|
||||
case '1':
|
||||
+ if (FIPS_mode()) {
|
||||
+ fatal("Protocol 1 not allowed in the FIPS mode.");
|
||||
+ }
|
||||
options.protocol = SSH_PROTO_1;
|
||||
break;
|
||||
case '2':
|
||||
@@ -952,7 +965,6 @@ main(int ac, char **av)
|
||||
host_arg = xstrdup(host);
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
- OpenSSL_add_all_algorithms();
|
||||
ERR_load_crypto_strings();
|
||||
#endif
|
||||
|
||||
@@ -1126,6 +1138,10 @@ main(int ac, char **av)
|
||||
|
||||
seed_rng();
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("FIPS mode initialized");
|
||||
+ }
|
||||
+
|
||||
if (options.user == NULL)
|
||||
options.user = xstrdup(pw->pw_name);
|
||||
|
||||
@@ -1206,6 +1222,12 @@ main(int ac, char **av)
|
||||
|
||||
timeout_ms = options.connection_timeout * 1000;
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ options.protocol &= SSH_PROTO_2;
|
||||
+ if (options.protocol == 0)
|
||||
+ fatal("Protocol 2 disabled by configuration but required in the FIPS mode.");
|
||||
+ }
|
||||
+
|
||||
/* Open a connection to the remote host. */
|
||||
if (ssh_connect(host, addrs, &hostaddr, options.port,
|
||||
options.address_family, options.connection_attempts,
|
||||
diff -up openssh-7.2p1/sshconnect2.c.fips openssh-7.2p1/sshconnect2.c
|
||||
--- openssh-7.2p1/sshconnect2.c.fips 2016-02-12 18:53:56.074665234 +0100
|
||||
+++ openssh-7.2p1/sshconnect2.c 2016-02-12 18:53:56.094665236 +0100
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
|
||||
+#include <openssl/fips.h>
|
||||
+
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -171,21 +173,26 @@ ssh_kex2(char *host, struct sockaddr *ho
|
||||
|
||||
#ifdef GSSAPI
|
||||
if (options.gss_keyex) {
|
||||
- /* Add the GSSAPI mechanisms currently supported on this
|
||||
- * client to the key exchange algorithm proposal */
|
||||
- orig = options.kex_algorithms;
|
||||
-
|
||||
- if (options.gss_trust_dns)
|
||||
- gss_host = (char *)get_canonical_hostname(1);
|
||||
- else
|
||||
- gss_host = host;
|
||||
-
|
||||
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||
- if (gss) {
|
||||
- debug("Offering GSSAPI proposal: %s", gss);
|
||||
- xasprintf(&options.kex_algorithms,
|
||||
- "%s,%s", gss, orig);
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||
+ options.gss_keyex = 0;
|
||||
+ } else {
|
||||
+ /* Add the GSSAPI mechanisms currently supported on this
|
||||
+ * client to the key exchange algorithm proposal */
|
||||
+ orig = options.kex_algorithms;
|
||||
+
|
||||
+ if (options.gss_trust_dns)
|
||||
+ gss_host = (char *)get_canonical_hostname(1);
|
||||
+ else
|
||||
+ gss_host = host;
|
||||
+
|
||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||
+ if (gss) {
|
||||
+ debug("Offering GSSAPI proposal: %s", gss);
|
||||
+ xasprintf(&options.kex_algorithms,
|
||||
+ "%s,%s", gss, orig);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
#endif
|
||||
diff -up openssh-7.2p1/sshd.c.fips openssh-7.2p1/sshd.c
|
||||
--- openssh-7.2p1/sshd.c.fips 2016-02-12 18:53:56.088665235 +0100
|
||||
+++ openssh-7.2p1/sshd.c 2016-02-12 18:53:56.094665236 +0100
|
||||
@@ -66,6 +66,7 @@
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
+#include <syslog.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@@ -77,6 +78,8 @@
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/rand.h>
|
||||
+#include <openssl/fips.h>
|
||||
+#include <fipscheck.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
@@ -1555,6 +1558,18 @@ main(int ac, char **av)
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
+ SSLeay_add_all_algorithms();
|
||||
+ if (access("/etc/system-fips", F_OK) == 0)
|
||||
+ if (! FIPSCHECK_verify(NULL, NULL)) {
|
||||
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
|
||||
+ if (FIPS_mode()) {
|
||||
+ syslog(LOG_CRIT, "FIPS integrity verification test failed.");
|
||||
+ cleanup_exit(255);
|
||||
+ }
|
||||
+ else
|
||||
+ syslog(LOG_INFO, "FIPS integrity verification test failed.");
|
||||
+ closelog();
|
||||
+ }
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
saved_argc = ac;
|
||||
rexec_argc = ac;
|
||||
@@ -1707,7 +1722,7 @@ main(int ac, char **av)
|
||||
else
|
||||
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
|
||||
|
||||
-#ifdef WITH_OPENSSL
|
||||
+#if 0 /* FIPS */
|
||||
OpenSSL_add_all_algorithms();
|
||||
#endif
|
||||
|
||||
@@ -1906,6 +1921,10 @@ main(int ac, char **av)
|
||||
sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
|
||||
free(fp);
|
||||
}
|
||||
+ if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
|
||||
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
|
||||
+ options.protocol &= ~SSH_PROTO_1;
|
||||
+ }
|
||||
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
|
||||
logit("Disabling protocol version 1. Could not load host key");
|
||||
options.protocol &= ~SSH_PROTO_1;
|
||||
@@ -2074,6 +2093,10 @@ main(int ac, char **av)
|
||||
/* Reinitialize the log (because of the fork above). */
|
||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("FIPS mode initialized");
|
||||
+ }
|
||||
+
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
if (chdir("/") == -1)
|
||||
@@ -2695,10 +2718,14 @@ do_ssh2_kex(void)
|
||||
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
||||
orig = NULL;
|
||||
|
||||
- if (options.gss_keyex)
|
||||
- gss = ssh_gssapi_server_mechanisms();
|
||||
- else
|
||||
- gss = NULL;
|
||||
+ if (options.gss_keyex) {
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||
+ options.gss_keyex = 0;
|
||||
+ } else {
|
||||
+ gss = ssh_gssapi_server_mechanisms();
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (gss && orig)
|
||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||
diff -up openssh-7.2p1/sshkey.c.fips openssh-7.2p1/sshkey.c
|
||||
--- openssh-7.2p1/sshkey.c.fips 2016-02-12 18:53:56.089665235 +0100
|
||||
+++ openssh-7.2p1/sshkey.c 2016-02-12 18:53:56.095665236 +0100
|
||||
@@ -35,6 +35,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/pem.h>
|
||||
+#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
#include "crypto_api.h"
|
||||
@@ -1554,6 +1555,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||
}
|
||||
if (!BN_set_word(f4, RSA_F4) ||
|
||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||
+ if (FIPS_mode())
|
||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
|
||||
index 688b1b1..a3c1541 100644
|
||||
--- a/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
|
||||
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_key_allowed2.c
|
||||
@@ -55,6 +55,7 @@
|
||||
#include "secure_filename.h"
|
||||
#include "uidswap.h"
|
||||
#include <unistd.h>
|
||||
+#include <openssl/crypto.h>
|
||||
|
||||
#include "identity.h"
|
||||
|
||||
@@ -104,7 +105,8 @@ pamsshagentauth_check_authkeys_file(FILE * f, char *file, Key * key)
|
||||
found_key = 1;
|
||||
logit("matching key found: file/command %s, line %lu", file,
|
||||
linenum);
|
||||
- fp = sshkey_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
|
||||
+ fp = sshkey_fingerprint(found, FIPS_mode() ? SSH_DIGEST_SHA1 : SSH_DIGEST_MD5,
|
||||
+ SSH_FP_HEX);
|
||||
logit("Found matching %s key: %s",
|
||||
key_type(found), fp);
|
||||
free(fp);
|
2779
openssh-7.2p1-gsskex.patch
Normal file
2779
openssh-7.2p1-gsskex.patch
Normal file
File diff suppressed because it is too large
Load Diff
32
openssh-7.2p2-CVE-2015-8325.patch
Normal file
32
openssh-7.2p2-CVE-2015-8325.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 85bdcd7c92fe7ff133bbc4e10a65c91810f88755 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Miller <djm@mindrot.org>
|
||||
Date: Wed, 13 Apr 2016 10:39:57 +1000
|
||||
Subject: ignore PAM environment vars when UseLogin=yes
|
||||
|
||||
If PAM is configured to read user-specified environment variables
|
||||
and UseLogin=yes in sshd_config, then a hostile local user may
|
||||
attack /bin/login via LD_PRELOAD or similar environment variables
|
||||
set via PAM.
|
||||
|
||||
CVE-2015-8325, found by Shayan Sadigh, via Colin Watson
|
||||
---
|
||||
session.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/session.c b/session.c
|
||||
index 4859245..4653b09 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1322,7 +1322,7 @@ do_setup_env(Session *s, const char *shell)
|
||||
* Pull in any environment variables that may have
|
||||
* been set by PAM.
|
||||
*/
|
||||
- if (options.use_pam) {
|
||||
+ if (options.use_pam && !options.use_login) {
|
||||
char **p;
|
||||
|
||||
p = fetch_pam_child_environment();
|
||||
--
|
||||
cgit v0.11.2
|
||||
|
||||
|
102
openssh-7.2p2-chroot-capabilities.patch
Normal file
102
openssh-7.2p2-chroot-capabilities.patch
Normal file
@ -0,0 +1,102 @@
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index aeef42a..d01e67e 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -4998,6 +4998,37 @@ if test -n "$conf_lastlog_location"; then
|
||||
[Define if you want to specify the path to your lastlog file])
|
||||
fi
|
||||
|
||||
+AC_ARG_WITH(libcap-ng,
|
||||
+ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],,
|
||||
+ with_libcap_ng=auto)
|
||||
+
|
||||
+dnl libcap-ng detection
|
||||
+if test x$with_libcap_ng = xno ; then
|
||||
+ have_libcap_ng=no;
|
||||
+else
|
||||
+ # Start by checking for header file
|
||||
+ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
|
||||
+
|
||||
+ # See if we have libcap-ng library
|
||||
+ AC_CHECK_LIB(cap-ng, capng_clear, CAPNG_LDADD=-lcap-ng,)
|
||||
+
|
||||
+ # Check results are usable
|
||||
+ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
|
||||
+ AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
|
||||
+ fi
|
||||
+ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
|
||||
+ AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
|
||||
+ fi
|
||||
+fi
|
||||
+AC_MSG_CHECKING(whether to use libcap-ng)
|
||||
+if test x$CAPNG_LDADD != x ; then
|
||||
+ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
|
||||
+ SSHDLIBS="$SSHDLIBS -lcap-ng"
|
||||
+ AC_MSG_RESULT(yes)
|
||||
+else
|
||||
+ AC_MSG_RESULT(no)
|
||||
+fi
|
||||
+
|
||||
dnl utmp detection
|
||||
AC_MSG_CHECKING([if your system defines UTMP_FILE])
|
||||
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
||||
diff --git a/session.c b/session.c
|
||||
index 6cfcba4..80d2806 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -96,6 +96,10 @@
|
||||
#include "monitor_wrap.h"
|
||||
#include "sftp.h"
|
||||
|
||||
+#ifdef HAVE_LIBCAP_NG
|
||||
+#include <cap-ng.h>
|
||||
+#endif
|
||||
+
|
||||
#if defined(KRB5) && defined(USE_AFS)
|
||||
#include <kafs.h>
|
||||
#endif
|
||||
@@ -1586,6 +1590,7 @@ void
|
||||
do_setusercontext(struct passwd *pw)
|
||||
{
|
||||
char *chroot_path, *tmp;
|
||||
+ int dropped_suid = -1;
|
||||
|
||||
platform_setusercontext(pw);
|
||||
|
||||
@@ -1619,10 +1624,24 @@ do_setusercontext(struct passwd *pw)
|
||||
pw->pw_uid);
|
||||
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
|
||||
"u", pw->pw_name, (char *)NULL);
|
||||
+#ifdef HAVE_LIBCAP_NG
|
||||
+ /* drop suid soon, retain SYS_CHROOT capability */
|
||||
+ capng_clear(CAPNG_SELECT_BOTH);
|
||||
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
|
||||
+ if ((dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) != 0)
|
||||
+ logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
|
||||
+#endif
|
||||
#ifdef WITH_SELINUX
|
||||
sshd_selinux_copy_context();
|
||||
#endif
|
||||
safely_chroot(chroot_path, pw->pw_uid);
|
||||
+#ifdef HAVE_LIBCAP_NG
|
||||
+ /* Drop chroot capability. Already used */
|
||||
+ if (dropped_suid == 0) {
|
||||
+ capng_clear(CAPNG_SELECT_BOTH);
|
||||
+ capng_apply(CAPNG_SELECT_BOTH);
|
||||
+ }
|
||||
+#endif
|
||||
free(tmp);
|
||||
free(chroot_path);
|
||||
/* Make sure we don't attempt to chroot again */
|
||||
@@ -1654,8 +1673,9 @@ do_setusercontext(struct passwd *pw)
|
||||
if (!in_chroot && set_id(pw->pw_name) != 0)
|
||||
fatal("set_id(%s) Failed", pw->pw_name);
|
||||
# endif /* USE_LIBIAF */
|
||||
- /* Permanently switch to the desired uid. */
|
||||
- permanently_set_uid(pw);
|
||||
+ /* Permanently switch to the desired uid if not yet done. */
|
||||
+ if (dropped_suid != 0)
|
||||
+ permanently_set_uid(pw);
|
||||
#endif
|
||||
|
||||
#ifdef WITH_SELINUX
|
@ -1,87 +0,0 @@
|
||||
diff --git a/auth-krb5.c b/auth-krb5.c
|
||||
index 2b02a04..19b9364 100644
|
||||
--- a/auth-krb5.c
|
||||
+++ b/auth-krb5.c
|
||||
@@ -375,5 +375,21 @@ cleanup:
|
||||
return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||
}
|
||||
}
|
||||
+
|
||||
+/*
|
||||
+ * Reads k5login_directory option from the krb5.conf
|
||||
+ */
|
||||
+krb5_error_code
|
||||
+ssh_krb5_get_k5login_directory(krb5_context ctx, char **k5login_directory) {
|
||||
+ profile_t p;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ ret = krb5_get_profile(ctx, &p);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
+ return profile_get_string(p, "libdefaults", "k5login_directory", NULL, NULL,
|
||||
+ k5login_directory);
|
||||
+}
|
||||
#endif /* !HEIMDAL */
|
||||
#endif /* KRB5 */
|
||||
diff --git a/auth.h b/auth.h
|
||||
index f9d191c..c432d2f 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -222,6 +222,8 @@ int sys_auth_passwd(Authctxt *, const char *);
|
||||
|
||||
#if defined(KRB5) && !defined(HEIMDAL)
|
||||
krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
||||
+krb5_error_code ssh_krb5_get_k5login_directory(krb5_context ctx,
|
||||
+ char **k5login_directory);
|
||||
#endif
|
||||
|
||||
#endif /* AUTH_H */
|
||||
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
|
||||
index a7c0c5f..df8cc9a 100644
|
||||
--- a/gss-serv-krb5.c
|
||||
+++ b/gss-serv-krb5.c
|
||||
@@ -244,8 +244,27 @@ ssh_gssapi_k5login_exists()
|
||||
{
|
||||
char file[MAXPATHLEN];
|
||||
struct passwd *pw = the_authctxt->pw;
|
||||
+ char *k5login_directory = NULL;
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
|
||||
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
|
||||
+ if (k5login_directory == NULL || ret != 0) {
|
||||
+ /* If not set, the library will look for k5login
|
||||
+ * files in the user's home directory, with the filename .k5login.
|
||||
+ */
|
||||
+ snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
||||
+ } else {
|
||||
+ /* If set, the library will look for a local user's k5login file
|
||||
+ * within the named directory, with a filename corresponding to the
|
||||
+ * local username.
|
||||
+ */
|
||||
+ snprintf(file, sizeof(file), "%s%s%s", k5login_directory,
|
||||
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
|
||||
+ pw->pw_name);
|
||||
+ }
|
||||
+ debug("%s: Checking existence of file %s", __func__, file);
|
||||
|
||||
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
|
||||
return access(file, F_OK) == 0;
|
||||
}
|
||||
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index 5c4f15b..135e290 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -806,6 +806,10 @@ rlogin/rsh.
|
||||
These files enforce GSSAPI/Kerberos authentication access control.
|
||||
Further details are described in
|
||||
.Xr ksu 1 .
|
||||
+The location of the k5login file depends on the configuration option
|
||||
+.Cm k5login_directory
|
||||
+in the
|
||||
+.Xr krb5.conf 5 .
|
||||
.Pp
|
||||
.It Pa ~/.ssh/
|
||||
This directory is the default location for all user-specific configuration
|
@ -1,52 +0,0 @@
|
||||
Zseries only: Leave the hardware filedescriptors open.
|
||||
|
||||
All filedescriptors above 2 are getting closed when a new
|
||||
sshd process to handle a new client connection is
|
||||
spawned. As the process also chroot into an empty filesystem
|
||||
without any device nodes, there is no chance to reopen the
|
||||
files. This patch filters out the reqired fds in the
|
||||
closefrom function so these are skipped in the close loop.
|
||||
|
||||
Author: Harald Freudenberger <freude@de.ibm.com>
|
||||
|
||||
---
|
||||
openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++
|
||||
1 file changed, 26 insertions(+)
|
||||
|
||||
--- a/openbsd-compat/bsd-closefrom.c
|
||||
+++ b/openbsd-compat/bsd-closefrom.c
|
||||
@@ -82,7 +82,33 @@ closefrom(int lowfd)
|
||||
fd = strtol(dent->d_name, &endp, 10);
|
||||
if (dent->d_name != endp && *endp == '\0' &&
|
||||
fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp))
|
||||
+#ifdef __s390__
|
||||
+ {
|
||||
+ /*
|
||||
+ * the filedescriptors used to communicate with
|
||||
+ * the device drivers to provide hardware support
|
||||
+ * should survive. HF <freude@de.ibm.com>
|
||||
+ */
|
||||
+ char fpath[PATH_MAX], lpath[PATH_MAX];
|
||||
+ len = snprintf(fpath, sizeof(fpath), "%s/%s",
|
||||
+ fdpath, dent->d_name);
|
||||
+ if (len > 0 && (size_t)len <= sizeof(fpath)) {
|
||||
+ len = readlink(fpath, lpath, sizeof(lpath));
|
||||
+ if (len > 0) {
|
||||
+ lpath[len] = 0;
|
||||
+ if (strstr(lpath, "dev/z90crypt")
|
||||
+ || strstr(lpath, "dev/zcrypt")
|
||||
+ || strstr(lpath, "dev/prandom")
|
||||
+ || strstr(lpath, "dev/shm/icastats"))
|
||||
+ fd = -1;
|
||||
+ }
|
||||
+ }
|
||||
+ if (fd >= 0)
|
||||
+ (void) close((int) fd);
|
||||
+ }
|
||||
+#else
|
||||
(void) close((int) fd);
|
||||
+#endif
|
||||
}
|
||||
(void) closedir(dirp);
|
||||
return;
|
||||
|
215
openssh-7.2p2-user-enumeration.patch
Normal file
215
openssh-7.2p2-user-enumeration.patch
Normal file
@ -0,0 +1,215 @@
|
||||
From 9286875a73b2de7736b5e50692739d314cd8d9dc Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@zip.com.au>
|
||||
Date: Fri, 15 Jul 2016 13:32:45 +1000
|
||||
Subject: [PATCH] Determine appropriate salt for invalid users.
|
||||
|
||||
When sshd is processing a non-PAM login for a non-existent user it uses
|
||||
the string from the fakepw structure as the salt for crypt(3)ing the
|
||||
password supplied by the client. That string has a Blowfish prefix, so on
|
||||
systems that don't understand that crypt will fail fast due to an invalid
|
||||
salt, and even on those that do it may have significantly different timing
|
||||
from the hash methods used for real accounts (eg sha512). This allows
|
||||
user enumeration by, eg, sending large password strings. This was noted
|
||||
by EddieEzra.Harari at verint.com (CVE-2016-6210).
|
||||
|
||||
To mitigate, use the same hash algorithm that root uses for hashing
|
||||
passwords for users that do not exist on the system. ok djm@
|
||||
---
|
||||
auth-passwd.c | 12 ++++++++----
|
||||
openbsd-compat/xcrypt.c | 34 ++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 42 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/auth-passwd.c b/auth-passwd.c
|
||||
index 63ccf3c..530b5d4 100644
|
||||
--- a/auth-passwd.c
|
||||
+++ b/auth-passwd.c
|
||||
@@ -193,7 +193,7 @@ int
|
||||
sys_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
{
|
||||
struct passwd *pw = authctxt->pw;
|
||||
- char *encrypted_password;
|
||||
+ char *encrypted_password, *salt = NULL;
|
||||
|
||||
/* Just use the supplied fake password if authctxt is invalid */
|
||||
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
|
||||
@@ -202,9 +202,13 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
|
||||
return (1);
|
||||
|
||||
- /* Encrypt the candidate password using the proper salt. */
|
||||
- encrypted_password = xcrypt(password,
|
||||
- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
|
||||
+ /*
|
||||
+ * Encrypt the candidate password using the proper salt, or pass a
|
||||
+ * NULL and let xcrypt pick one.
|
||||
+ */
|
||||
+ if (authctxt->valid && pw_password[0] && pw_password[1])
|
||||
+ salt = pw_password;
|
||||
+ encrypted_password = xcrypt(password, salt);
|
||||
|
||||
/*
|
||||
* Authentication is accepted if the encrypted passwords
|
||||
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c
|
||||
index 8577cbd..8913bb8 100644
|
||||
--- a/openbsd-compat/xcrypt.c
|
||||
+++ b/openbsd-compat/xcrypt.c
|
||||
@@ -25,6 +25,7 @@
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
+#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <pwd.h>
|
||||
|
||||
@@ -62,11 +63,44 @@
|
||||
# define crypt DES_crypt
|
||||
# endif
|
||||
|
||||
+/*
|
||||
+ * Pick an appropriate password encryption type and salt for the running
|
||||
+ * system.
|
||||
+ */
|
||||
+static const char *
|
||||
+pick_salt(void)
|
||||
+{
|
||||
+ struct passwd *pw;
|
||||
+ char *passwd, *p;
|
||||
+ size_t typelen;
|
||||
+ static char salt[32];
|
||||
+
|
||||
+ if (salt[0] != '\0')
|
||||
+ return salt;
|
||||
+ strlcpy(salt, "xx", sizeof(salt));
|
||||
+ if ((pw = getpwuid(0)) == NULL)
|
||||
+ return salt;
|
||||
+ passwd = shadow_pw(pw);
|
||||
+ if (passwd[0] != '$' || (p = strrchr(passwd + 1, '$')) == NULL)
|
||||
+ return salt; /* no $, DES */
|
||||
+ typelen = p - passwd + 1;
|
||||
+ strlcpy(salt, passwd, MIN(typelen, sizeof(salt)));
|
||||
+ explicit_bzero(passwd, strlen(passwd));
|
||||
+ return salt;
|
||||
+}
|
||||
+
|
||||
char *
|
||||
xcrypt(const char *password, const char *salt)
|
||||
{
|
||||
char *crypted;
|
||||
|
||||
+ /*
|
||||
+ * If we don't have a salt we are encrypting a fake password for
|
||||
+ * for timing purposes. Pick an appropriate salt.
|
||||
+ */
|
||||
+ if (salt == NULL)
|
||||
+ salt = pick_salt();
|
||||
+
|
||||
# ifdef HAVE_MD5_PASSWORDS
|
||||
if (is_md5_salt(salt))
|
||||
crypted = md5_crypt(password, salt);
|
||||
|
||||
From 283b97ff33ea2c641161950849931bd578de6946 Mon Sep 17 00:00:00 2001
|
||||
From: Darren Tucker <dtucker@zip.com.au>
|
||||
Date: Fri, 15 Jul 2016 13:49:44 +1000
|
||||
Subject: [PATCH] Mitigate timing of disallowed users PAM logins.
|
||||
|
||||
When sshd decides to not allow a login (eg PermitRootLogin=no) and
|
||||
it's using PAM, it sends a fake password to PAM so that the timing for
|
||||
the failure is not noticeably different whether or not the password
|
||||
is correct. This behaviour can be detected by sending a very long
|
||||
password string which is slower to hash than the fake password.
|
||||
|
||||
Mitigate by constructing an invalid password that is the same length
|
||||
as the one from the client and thus takes the same time to hash.
|
||||
Diff from djm@
|
||||
---
|
||||
auth-pam.c | 35 +++++++++++++++++++++++++++++++----
|
||||
1 file changed, 31 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/auth-pam.c b/auth-pam.c
|
||||
index 451de78..465b5a7 100644
|
||||
--- a/auth-pam.c
|
||||
+++ b/auth-pam.c
|
||||
@@ -232,7 +232,6 @@ static int sshpam_account_status = -1;
|
||||
static char **sshpam_env = NULL;
|
||||
static Authctxt *sshpam_authctxt = NULL;
|
||||
static const char *sshpam_password = NULL;
|
||||
-static char badpw[] = "\b\n\r\177INCORRECT";
|
||||
|
||||
/* Some PAM implementations don't implement this */
|
||||
#ifndef HAVE_PAM_GETENVLIST
|
||||
@@ -795,12 +794,35 @@ sshpam_query(void *ctx, char **name, char **info,
|
||||
return (-1);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Returns a junk password of identical length to that the user supplied.
|
||||
+ * Used to mitigate timing attacks against crypt(3)/PAM stacks that
|
||||
+ * vary processing time in proportion to password length.
|
||||
+ */
|
||||
+static char *
|
||||
+fake_password(const char *wire_password)
|
||||
+{
|
||||
+ const char junk[] = "\b\n\r\177INCORRECT";
|
||||
+ char *ret = NULL;
|
||||
+ size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
|
||||
+
|
||||
+ if (l >= INT_MAX)
|
||||
+ fatal("%s: password length too long: %zu", __func__, l);
|
||||
+
|
||||
+ ret = malloc(l + 1);
|
||||
+ for (i = 0; i < l; i++)
|
||||
+ ret[i] = junk[i % (sizeof(junk) - 1)];
|
||||
+ ret[i] = '\0';
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
/* XXX - see also comment in auth-chall.c:verify_response */
|
||||
static int
|
||||
sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
{
|
||||
Buffer buffer;
|
||||
struct pam_ctxt *ctxt = ctx;
|
||||
+ char *fake;
|
||||
|
||||
debug2("PAM: %s entering, %u responses", __func__, num);
|
||||
switch (ctxt->pam_done) {
|
||||
@@ -821,8 +843,11 @@ sshpam_respond(void *ctx, u_int num, char **resp)
|
||||
(sshpam_authctxt->pw->pw_uid != 0 ||
|
||||
options.permit_root_login == PERMIT_YES))
|
||||
buffer_put_cstring(&buffer, *resp);
|
||||
- else
|
||||
- buffer_put_cstring(&buffer, badpw);
|
||||
+ else {
|
||||
+ fake = fake_password(*resp);
|
||||
+ buffer_put_cstring(&buffer, fake);
|
||||
+ free(fake);
|
||||
+ }
|
||||
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
|
||||
buffer_free(&buffer);
|
||||
return (-1);
|
||||
@@ -1166,6 +1191,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
{
|
||||
int flags = (options.permit_empty_passwd == 0 ?
|
||||
PAM_DISALLOW_NULL_AUTHTOK : 0);
|
||||
+ char *fake = NULL;
|
||||
|
||||
if (!options.use_pam || sshpam_handle == NULL)
|
||||
fatal("PAM: %s called when PAM disabled or failed to "
|
||||
@@ -1181,7 +1207,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
*/
|
||||
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
|
||||
options.permit_root_login != PERMIT_YES))
|
||||
- sshpam_password = badpw;
|
||||
+ sshpam_password = fake = fake_password(password);
|
||||
|
||||
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
|
||||
(const void *)&passwd_conv);
|
||||
@@ -1191,6 +1217,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
|
||||
|
||||
sshpam_err = pam_authenticate(sshpam_handle, flags);
|
||||
sshpam_password = NULL;
|
||||
+ free(fake);
|
||||
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
|
||||
debug("PAM: password authentication accepted for %.100s",
|
||||
authctxt->user);
|
||||
|
48
openssh-7.3p1-null-deref.patch
Normal file
48
openssh-7.3p1-null-deref.patch
Normal file
@ -0,0 +1,48 @@
|
||||
From 28652bca29046f62c7045e933e6b931de1d16737 Mon Sep 17 00:00:00 2001
|
||||
From: "markus@openbsd.org" <markus@openbsd.org>
|
||||
Date: Mon, 19 Sep 2016 19:02:19 +0000
|
||||
Subject: upstream commit
|
||||
|
||||
move inbound NEWKEYS handling to kex layer; otherwise
|
||||
early NEWKEYS causes NULL deref; found by Robert Swiecki/honggfuzz; fixed
|
||||
with & ok djm@
|
||||
|
||||
Upstream-ID: 9a68b882892e9f51dc7bfa9f5a423858af358b2f
|
||||
---
|
||||
kex.c | 4 +++-
|
||||
packet.c | 6 ++----
|
||||
2 files changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/kex.c b/kex.c
|
||||
index f4c130f..8800d40 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -425,6 +425,8 @@ kex_input_newkeys(int type, u_int32_t seq, void *ctxt)
|
||||
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
|
||||
if ((r = sshpkt_get_end(ssh)) != 0)
|
||||
return r;
|
||||
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
|
||||
+ return r;
|
||||
kex->done = 1;
|
||||
sshbuf_reset(kex->peer);
|
||||
/* sshbuf_reset(kex->my); */
|
||||
diff --git a/packet.c b/packet.c
|
||||
index 711091d..fb316ac 100644
|
||||
--- a/packet.c
|
||||
+++ b/packet.c
|
||||
@@ -1907,9 +1907,7 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
|
||||
return r;
|
||||
return SSH_ERR_PROTOCOL_ERROR;
|
||||
}
|
||||
- if (*typep == SSH2_MSG_NEWKEYS)
|
||||
- r = ssh_set_newkeys(ssh, MODE_IN);
|
||||
- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
|
||||
+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
|
||||
r = ssh_packet_enable_delayed_compress(ssh);
|
||||
else
|
||||
r = 0;
|
||||
--
|
||||
cgit v0.12
|
||||
|
||||
0
|
||||
|
@ -1,213 +0,0 @@
|
||||
diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c
|
||||
--- openssh-7.4p1/channels.c.x11max 2016-12-23 15:46:32.071506625 +0100
|
||||
+++ openssh-7.4p1/channels.c 2016-12-23 15:46:32.139506636 +0100
|
||||
@@ -152,8 +152,8 @@ static int all_opens_permitted = 0;
|
||||
#define FWD_PERMIT_ANY_HOST "*"
|
||||
|
||||
/* -- X11 forwarding */
|
||||
-/* Maximum number of fake X11 displays to try. */
|
||||
-#define MAX_DISPLAYS 1000
|
||||
+/* Minimum port number for X11 forwarding */
|
||||
+#define X11_PORT_MIN 6000
|
||||
|
||||
/* Per-channel callback for pre/post select() actions */
|
||||
typedef void chan_fn(struct ssh *, Channel *c,
|
||||
@@ -4228,7 +4228,7 @@ channel_send_window_changes(void)
|
||||
*/
|
||||
int
|
||||
x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
|
||||
- int x11_use_localhost, int single_connection,
|
||||
+ int x11_use_localhost, int x11_max_displays, int single_connection,
|
||||
u_int *display_numberp, int **chanids)
|
||||
{
|
||||
Channel *nc = NULL;
|
||||
@@ -4240,10 +4241,15 @@ x11_create_display_inet(int x11_display_
|
||||
if (chanids == NULL)
|
||||
return -1;
|
||||
|
||||
+ /* Try to bind ports starting at 6000+X11DisplayOffset */
|
||||
+ x11_max_displays = x11_max_displays + x11_display_offset;
|
||||
+
|
||||
for (display_number = x11_display_offset;
|
||||
- display_number < MAX_DISPLAYS;
|
||||
+ display_number < x11_max_displays;
|
||||
display_number++) {
|
||||
- port = 6000 + display_number;
|
||||
+ port = X11_PORT_MIN + display_number;
|
||||
+ if (port < X11_PORT_MIN) /* overflow */
|
||||
+ break;
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = ssh->chanctxt->IPv4or6;
|
||||
hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
|
||||
@@ -4295,7 +4301,7 @@ x11_create_display_inet(int x11_display_
|
||||
if (num_socks > 0)
|
||||
break;
|
||||
}
|
||||
- if (display_number >= MAX_DISPLAYS) {
|
||||
+ if (display_number >= x11_max_displays || port < X11_PORT_MIN ) {
|
||||
error("Failed to allocate internet-domain X11 display socket.");
|
||||
return -1;
|
||||
}
|
||||
@@ -4441,7 +4447,7 @@ x11_connect_display(void)
|
||||
memset(&hints, 0, sizeof(hints));
|
||||
hints.ai_family = ssh->chanctxt->IPv4or6;
|
||||
hints.ai_socktype = SOCK_STREAM;
|
||||
- snprintf(strport, sizeof strport, "%u", 6000 + display_number);
|
||||
+ snprintf(strport, sizeof strport, "%u", X11_PORT_MIN + display_number);
|
||||
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
|
||||
error("%.100s: unknown host. (%s)", buf,
|
||||
ssh_gai_strerror(gaierr));
|
||||
@@ -4457,7 +4463,7 @@ x11_connect_display(void)
|
||||
/* Connect it to the display. */
|
||||
if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||
debug2("connect %.100s port %u: %.100s", buf,
|
||||
- 6000 + display_number, strerror(errno));
|
||||
+ X11_PORT_MIN + display_number, strerror(errno));
|
||||
close(sock);
|
||||
continue;
|
||||
}
|
||||
@@ -4466,8 +4472,8 @@ x11_connect_display(void)
|
||||
}
|
||||
freeaddrinfo(aitop);
|
||||
if (!ai) {
|
||||
- error("connect %.100s port %u: %.100s", buf,
|
||||
- 6000 + display_number, strerror(errno));
|
||||
+ error("connect %.100s port %u: %.100s", buf,
|
||||
+ X11_PORT_MIN + display_number, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
set_nodelay(sock);
|
||||
diff -up openssh-7.4p1/channels.h.x11max openssh-7.4p1/channels.h
|
||||
--- openssh-7.4p1/channels.h.x11max 2016-12-19 05:59:41.000000000 +0100
|
||||
+++ openssh-7.4p1/channels.h 2016-12-23 15:46:32.139506636 +0100
|
||||
@@ -293,7 +293,7 @@ int permitopen_port(const char *);
|
||||
|
||||
void channel_set_x11_refuse_time(struct ssh *, u_int);
|
||||
int x11_connect_display(struct ssh *);
|
||||
-int x11_create_display_inet(struct ssh *, int, int, int, u_int *, int **);
|
||||
+int x11_create_display_inet(struct ssh *, int, int, int, int, u_int *, int **);
|
||||
void x11_request_forwarding_with_spoofing(struct ssh *, int,
|
||||
const char *, const char *, const char *, int);
|
||||
|
||||
diff -up openssh-7.4p1/servconf.c.x11max openssh-7.4p1/servconf.c
|
||||
--- openssh-7.4p1/servconf.c.x11max 2016-12-23 15:46:32.133506635 +0100
|
||||
+++ openssh-7.4p1/servconf.c 2016-12-23 15:47:27.320519121 +0100
|
||||
@@ -95,6 +95,7 @@ initialize_server_options(ServerOptions
|
||||
options->print_lastlog = -1;
|
||||
options->x11_forwarding = -1;
|
||||
options->x11_display_offset = -1;
|
||||
+ options->x11_max_displays = -1;
|
||||
options->x11_use_localhost = -1;
|
||||
options->permit_tty = -1;
|
||||
options->permit_user_rc = -1;
|
||||
@@ -243,6 +244,8 @@ fill_default_server_options(ServerOption
|
||||
options->x11_forwarding = 0;
|
||||
if (options->x11_display_offset == -1)
|
||||
options->x11_display_offset = 10;
|
||||
+ if (options->x11_max_displays == -1)
|
||||
+ options->x11_max_displays = DEFAULT_MAX_DISPLAYS;
|
||||
if (options->x11_use_localhost == -1)
|
||||
options->x11_use_localhost = 1;
|
||||
if (options->xauth_location == NULL)
|
||||
@@ -419,7 +422,7 @@ typedef enum {
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
- sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
|
||||
+ sX11Forwarding, sX11DisplayOffset, sX11MaxDisplays, sX11UseLocalhost,
|
||||
sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
|
||||
sPermitUserEnvironment, sAllowTcpForwarding, sCompression,
|
||||
sRekeyLimit, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
|
||||
@@ -540,6 +543,7 @@ static struct {
|
||||
{ "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
|
||||
{ "x11forwarding", sX11Forwarding, SSHCFG_ALL },
|
||||
{ "x11displayoffset", sX11DisplayOffset, SSHCFG_ALL },
|
||||
+ { "x11maxdisplays", sX11MaxDisplays, SSHCFG_ALL },
|
||||
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
|
||||
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
|
||||
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
|
||||
@@ -1316,6 +1320,10 @@ process_server_config_line(ServerOptions
|
||||
*intptr = value;
|
||||
break;
|
||||
|
||||
+ case sX11MaxDisplays:
|
||||
+ intptr = &options->x11_max_displays;
|
||||
+ goto parse_int;
|
||||
+
|
||||
case sX11UseLocalhost:
|
||||
intptr = &options->x11_use_localhost;
|
||||
goto parse_flag;
|
||||
@@ -2063,6 +2071,7 @@ copy_set_server_options(ServerOptions *d
|
||||
M_CP_INTOPT(fwd_opts.streamlocal_bind_unlink);
|
||||
M_CP_INTOPT(x11_display_offset);
|
||||
M_CP_INTOPT(x11_forwarding);
|
||||
+ M_CP_INTOPT(x11_max_displays);
|
||||
M_CP_INTOPT(x11_use_localhost);
|
||||
M_CP_INTOPT(permit_tty);
|
||||
M_CP_INTOPT(permit_user_rc);
|
||||
@@ -2315,6 +2324,7 @@ dump_config(ServerOptions *o)
|
||||
#endif
|
||||
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
|
||||
dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
|
||||
+ dump_cfg_int(sX11MaxDisplays, o->x11_max_displays);
|
||||
dump_cfg_int(sMaxAuthTries, o->max_authtries);
|
||||
dump_cfg_int(sMaxSessions, o->max_sessions);
|
||||
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
|
||||
diff -up openssh-7.4p1/servconf.h.x11max openssh-7.4p1/servconf.h
|
||||
--- openssh-7.4p1/servconf.h.x11max 2016-12-23 15:46:32.133506635 +0100
|
||||
+++ openssh-7.4p1/servconf.h 2016-12-23 15:46:32.140506636 +0100
|
||||
@@ -55,6 +55,7 @@
|
||||
|
||||
#define DEFAULT_AUTH_FAIL_MAX 6 /* Default for MaxAuthTries */
|
||||
#define DEFAULT_SESSIONS_MAX 10 /* Default for MaxSessions */
|
||||
+#define DEFAULT_MAX_DISPLAYS 1000 /* Maximum number of fake X11 displays to try. */
|
||||
|
||||
/* Magic name for internal sftp-server */
|
||||
#define INTERNAL_SFTP_NAME "internal-sftp"
|
||||
@@ -85,6 +86,7 @@ typedef struct {
|
||||
int x11_forwarding; /* If true, permit inet (spoofing) X11 fwd. */
|
||||
int x11_display_offset; /* What DISPLAY number to start
|
||||
* searching at */
|
||||
+ int x11_max_displays; /* Number of displays to search */
|
||||
int x11_use_localhost; /* If true, use localhost for fake X11 server. */
|
||||
char *xauth_location; /* Location of xauth program */
|
||||
int permit_tty; /* If false, deny pty allocation */
|
||||
diff -up openssh-7.4p1/session.c.x11max openssh-7.4p1/session.c
|
||||
--- openssh-7.4p1/session.c.x11max 2016-12-23 15:46:32.136506636 +0100
|
||||
+++ openssh-7.4p1/session.c 2016-12-23 15:46:32.141506636 +0100
|
||||
@@ -2518,8 +2518,9 @@ session_setup_x11fwd(Session *s)
|
||||
return 0;
|
||||
}
|
||||
if (x11_create_display_inet(ssh, options.x11_display_offset,
|
||||
- options.x11_use_localhost, s->single_connection,
|
||||
- &s->display_number, &s->x11_chanids) == -1) {
|
||||
+ options.x11_use_localhost, options.x11_max_displays,
|
||||
+ s->single_connection, &s->display_number,
|
||||
+ &s->x11_chanids) == -1) {
|
||||
debug("x11_create_display_inet failed.");
|
||||
return 0;
|
||||
}
|
||||
diff -up openssh-7.4p1/sshd_config.5.x11max openssh-7.4p1/sshd_config.5
|
||||
--- openssh-7.4p1/sshd_config.5.x11max 2016-12-23 15:46:32.134506635 +0100
|
||||
+++ openssh-7.4p1/sshd_config.5 2016-12-23 15:46:32.141506636 +0100
|
||||
@@ -1133,6 +1133,7 @@ Available keywords are
|
||||
.Cm StreamLocalBindUnlink ,
|
||||
.Cm TrustedUserCAKeys ,
|
||||
.Cm X11DisplayOffset ,
|
||||
+.Cm X11MaxDisplays ,
|
||||
.Cm X11Forwarding
|
||||
and
|
||||
.Cm X11UseLocalhost .
|
||||
@@ -1566,6 +1567,12 @@ Specifies the first display number avail
|
||||
X11 forwarding.
|
||||
This prevents sshd from interfering with real X11 servers.
|
||||
The default is 10.
|
||||
+.It Cm X11MaxDisplays
|
||||
+Specifies the maximum number of displays available for
|
||||
+.Xr sshd 8 Ns 's
|
||||
+X11 forwarding.
|
||||
+This prevents sshd from exhausting local ports.
|
||||
+The default is 1000.
|
||||
.It Cm X11Forwarding
|
||||
Specifies whether X11 forwarding is permitted.
|
||||
The argument must be
|
@ -1,98 +0,0 @@
|
||||
commit 0e22b79bfde45a7cf7a2e51a68ec11c4285f3b31
|
||||
Author: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Mon Nov 21 15:04:06 2016 +0100
|
||||
|
||||
systemd stuff
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 2ffc369..162ce92 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -4265,6 +4265,30 @@ AC_ARG_WITH([kerberos5],
|
||||
AC_SUBST([GSSLIBS])
|
||||
AC_SUBST([K5LIBS])
|
||||
|
||||
+# Check whether user wants systemd support
|
||||
+SYSTEMD_MSG="no"
|
||||
+AC_ARG_WITH(systemd,
|
||||
+ [ --with-systemd Enable systemd support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "$PKGCONFIG" != "no"; then
|
||||
+ AC_MSG_CHECKING([for libsystemd])
|
||||
+ if $PKGCONFIG --exists libsystemd; then
|
||||
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
||||
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
||||
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
||||
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
||||
+ SYSTEMD_MSG="yes"
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
+
|
||||
# Looking for programs, paths and files
|
||||
|
||||
PRIVSEP_PATH=/var/empty
|
||||
@@ -5097,6 +5121,7 @@ echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
echo " Solaris project support: $SP_MSG"
|
||||
echo " Solaris privilege support: $SPP_MSG"
|
||||
+echo " systemd support: $SYSTEMD_MSG"
|
||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
diff --git a/contrib/sshd.service b/contrib/sshd.service
|
||||
new file mode 100644
|
||||
index 0000000..e0d4923
|
||||
--- /dev/null
|
||||
+++ b/contrib/sshd.service
|
||||
@@ -0,0 +1,16 @@
|
||||
+[Unit]
|
||||
+Description=OpenSSH server daemon
|
||||
+Documentation=man:sshd(8) man:sshd_config(5)
|
||||
+After=network.target
|
||||
+
|
||||
+[Service]
|
||||
+Type=notify
|
||||
+ExecStart=/usr/sbin/sshd -D $OPTIONS
|
||||
+ExecReload=/bin/kill -HUP $MAINPID
|
||||
+KillMode=process
|
||||
+Restart=on-failure
|
||||
+RestartPreventExitStatus=255
|
||||
+
|
||||
+[Install]
|
||||
+WantedBy=multi-user.target
|
||||
+
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 816611c..b8b9d13 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -85,6 +85,10 @@
|
||||
#include <prot.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+#include <systemd/sd-daemon.h>
|
||||
+#endif
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
@@ -1888,6 +1892,11 @@ main(int ac, char **av)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are ready to accept connections */
|
||||
+ sd_notify(0, "READY=1");
|
||||
+#endif
|
||||
+
|
||||
/* Accept a connection and return in a forked child */
|
||||
server_accept_loop(&sock_in, &sock_out,
|
||||
&newsock, config_s);
|
@ -1,86 +0,0 @@
|
||||
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
||||
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
||||
implementation) which calls the libraries that will communicate with the
|
||||
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
||||
this is only need on s390 architecture.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
||||
---
|
||||
sandbox-seccomp-filter.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index ca75cc7..6e7de31 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_exit_group
|
||||
SC_ALLOW(__NR_exit_group),
|
||||
#endif
|
||||
+#if defined(__NR_flock) && defined(__s390__)
|
||||
+ SC_ALLOW(__NR_flock),
|
||||
+#endif
|
||||
#ifdef __NR_futex
|
||||
SC_ALLOW(__NR_futex),
|
||||
#endif
|
||||
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_gettimeofday
|
||||
SC_ALLOW(__NR_gettimeofday),
|
||||
#endif
|
||||
+#if defined(__NR_ipc) && defined(__s390__)
|
||||
+ SC_ALLOW(__NR_ipc),
|
||||
+#endif
|
||||
#ifdef __NR_getuid
|
||||
SC_ALLOW(__NR_getuid),
|
||||
#endif
|
||||
--
|
||||
1.9.1
|
||||
|
||||
getuid and geteuid are needed when using an openssl engine that calls a
|
||||
crypto card, e.g. ICA (libica).
|
||||
Those syscalls are also needed by the distros for audit code.
|
||||
|
||||
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
||||
---
|
||||
sandbox-seccomp-filter.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index 6e7de31..e86aa2c 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_getpid
|
||||
SC_ALLOW(__NR_getpid),
|
||||
#endif
|
||||
+#ifdef __NR_getuid
|
||||
+ SC_ALLOW(__NR_getuid),
|
||||
+#endif
|
||||
+#ifdef __NR_getuid32
|
||||
+ SC_ALLOW(__NR_getuid32),
|
||||
+#endif
|
||||
+#ifdef __NR_geteuid
|
||||
+ SC_ALLOW(__NR_geteuid),
|
||||
+#endif
|
||||
+#ifdef __NR_geteuid32
|
||||
+ SC_ALLOW(__NR_geteuid32),
|
||||
+#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(__NR_getrandom),
|
||||
#endif
|
||||
-- 1.9.1
|
||||
1.9.1
|
||||
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
|
||||
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
|
||||
+++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100
|
||||
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_geteuid32
|
||||
SC_ALLOW(__NR_geteuid32),
|
||||
#endif
|
||||
+#ifdef __NR_gettid
|
||||
+ SC_ALLOW(__NR_gettid),
|
||||
+#endif
|
||||
#ifdef __NR_getrandom
|
||||
SC_ALLOW(__NR_getrandom),
|
||||
#endif
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,271 +0,0 @@
|
||||
diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
|
||||
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
|
||||
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
|
||||
@@ -72,6 +72,9 @@
|
||||
extern ServerOptions options;
|
||||
extern u_char *session_id2;
|
||||
extern u_int session_id2_len;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
|
||||
static char *
|
||||
format_key(const struct sshkey *key)
|
||||
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
|
||||
|
||||
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
|
||||
ac, av, &f,
|
||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
|
||||
|
||||
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
|
||||
ac, av, &f,
|
||||
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
|
||||
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
|
||||
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
|
||||
goto out;
|
||||
|
||||
uid_swapped = 1;
|
||||
diff -up openssh/auth.c.refactor openssh/auth.c
|
||||
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200
|
||||
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200
|
||||
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
|
||||
*/
|
||||
pid_t
|
||||
subprocess(const char *tag, struct passwd *pw, const char *command,
|
||||
- int ac, char **av, FILE **child, u_int flags)
|
||||
+ int ac, char **av, FILE **child, u_int flags, int inetd,
|
||||
+ void *the_authctxt)
|
||||
{
|
||||
FILE *f = NULL;
|
||||
struct stat st;
|
||||
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
|
||||
}
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (sshd_selinux_setup_env_variables() < 0) {
|
||||
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
|
||||
error ("failed to copy environment: %s",
|
||||
strerror(errno));
|
||||
_exit(127);
|
||||
diff -up openssh/auth.h.refactor openssh/auth.h
|
||||
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200
|
||||
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200
|
||||
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
|
||||
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */
|
||||
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */
|
||||
pid_t subprocess(const char *, struct passwd *,
|
||||
- const char *, int, char **, FILE **, u_int flags);
|
||||
+ const char *, int, char **, FILE **, u_int flags, int, void *);
|
||||
|
||||
int sys_auth_passwd(struct ssh *, const char *);
|
||||
|
||||
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
|
||||
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
|
||||
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
|
||||
@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
|
||||
|
||||
int sshd_selinux_enabled(void);
|
||||
void sshd_selinux_copy_context(void);
|
||||
-void sshd_selinux_setup_exec_context(char *);
|
||||
-int sshd_selinux_setup_env_variables(void);
|
||||
+void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
|
||||
+int sshd_selinux_setup_env_variables(int inetd, void *);
|
||||
void sshd_selinux_change_privsep_preauth_context(void);
|
||||
#endif
|
||||
|
||||
diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
|
||||
--- openssh/openbsd-compat/port-linux-sshd.c.refactor 2019-04-04 13:19:12.256821887 +0200
|
||||
+++ openssh/openbsd-compat/port-linux-sshd.c 2019-04-04 13:19:12.276822078 +0200
|
||||
@@ -49,11 +49,6 @@
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
-extern ServerOptions options;
|
||||
-extern Authctxt *the_authctxt;
|
||||
-extern int inetd_flag;
|
||||
-extern int rexeced_flag;
|
||||
-
|
||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||
int
|
||||
sshd_selinux_enabled(void)
|
||||
@@ -223,7 +218,8 @@ get_user_context(const char *sename, con
|
||||
}
|
||||
|
||||
static void
|
||||
-ssh_selinux_get_role_level(char **role, const char **level)
|
||||
+ssh_selinux_get_role_level(char **role, const char **level,
|
||||
+ Authctxt *the_authctxt)
|
||||
{
|
||||
*role = NULL;
|
||||
*level = NULL;
|
||||
@@ -241,8 +237,8 @@ ssh_selinux_get_role_level(char **role,
|
||||
|
||||
/* Return the default security context for the given username */
|
||||
static int
|
||||
-sshd_selinux_getctxbyname(char *pwname,
|
||||
- security_context_t *default_sc, security_context_t *user_sc)
|
||||
+sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
|
||||
+ security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
|
||||
{
|
||||
char *sename, *lvl;
|
||||
char *role;
|
||||
@@ -250,7 +246,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
int r = 0;
|
||||
context_t con = NULL;
|
||||
|
||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||
|
||||
#ifdef HAVE_GETSEUSERBYNAME
|
||||
if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
|
||||
@@ -272,7 +268,7 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
if (r == 0) {
|
||||
/* If launched from xinetd, we must use current level */
|
||||
- if (inetd_flag && !rexeced_flag) {
|
||||
+ if (inetd) {
|
||||
security_context_t sshdsc=NULL;
|
||||
|
||||
if (getcon_raw(&sshdsc) < 0)
|
||||
@@ -333,7 +329,8 @@ sshd_selinux_getctxbyname(char *pwname,
|
||||
|
||||
/* Setup environment variables for pam_selinux */
|
||||
static int
|
||||
-sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
|
||||
+sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
|
||||
+ Authctxt *the_authctxt)
|
||||
{
|
||||
const char *reqlvl;
|
||||
char *role;
|
||||
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
|
||||
|
||||
debug3("%s: setting execution context", __func__);
|
||||
|
||||
- ssh_selinux_get_role_level(&role, &reqlvl);
|
||||
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
|
||||
|
||||
rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
|
||||
|
||||
- if (inetd_flag && !rexeced_flag) {
|
||||
+ if (inetd) {
|
||||
use_current = "1";
|
||||
} else {
|
||||
use_current = "";
|
||||
@@ -362,9 +359,10 @@ sshd_selinux_setup_variables(int(*set_it
|
||||
}
|
||||
|
||||
static int
|
||||
-sshd_selinux_setup_pam_variables(void)
|
||||
+sshd_selinux_setup_pam_variables(int inetd,
|
||||
+ int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
|
||||
{
|
||||
- return sshd_selinux_setup_variables(do_pam_putenv);
|
||||
+ return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -374,25 +372,28 @@ do_setenv(char *name, const char *value)
|
||||
}
|
||||
|
||||
int
|
||||
-sshd_selinux_setup_env_variables(void)
|
||||
+sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
|
||||
{
|
||||
- return sshd_selinux_setup_variables(do_setenv);
|
||||
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
|
||||
+ return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
|
||||
}
|
||||
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
-sshd_selinux_setup_exec_context(char *pwname)
|
||||
+sshd_selinux_setup_exec_context(char *pwname, int inetd,
|
||||
+ int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
|
||||
{
|
||||
security_context_t user_ctx = NULL;
|
||||
int r = 0;
|
||||
security_context_t default_ctx = NULL;
|
||||
+ Authctxt *authctxt = (Authctxt *) the_authctxt;
|
||||
|
||||
if (!sshd_selinux_enabled())
|
||||
return;
|
||||
|
||||
- if (options.use_pam) {
|
||||
+ if (use_pam) {
|
||||
/* do not compute context, just setup environment for pam_selinux */
|
||||
- if (sshd_selinux_setup_pam_variables()) {
|
||||
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
|
||||
switch (security_getenforce()) {
|
||||
case -1:
|
||||
fatal("%s: security_getenforce() failed", __func__);
|
||||
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
|
||||
|
||||
debug3("%s: setting execution context", __func__);
|
||||
|
||||
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
|
||||
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
|
||||
if (r >= 0) {
|
||||
r = setexeccon(user_ctx);
|
||||
if (r < 0) {
|
||||
diff -up openssh/platform.c.refactor openssh/platform.c
|
||||
--- openssh/platform.c.refactor 2019-04-04 13:19:12.204821389 +0200
|
||||
+++ openssh/platform.c 2019-04-04 13:19:12.277822088 +0200
|
||||
@@ -32,6 +32,9 @@
|
||||
|
||||
extern int use_privsep;
|
||||
extern ServerOptions options;
|
||||
+extern int inetd_flag;
|
||||
+extern int rexeced_flag;
|
||||
+extern Authctxt *the_authctxt;
|
||||
|
||||
void
|
||||
platform_pre_listen(void)
|
||||
@@ -183,7 +186,9 @@ platform_setusercontext_post_groups(stru
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(pw->pw_name,
|
||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
}
|
||||
|
||||
diff -up openssh/sshd.c.refactor openssh/sshd.c
|
||||
--- openssh/sshd.c.refactor 2019-04-04 13:19:12.275822068 +0200
|
||||
+++ openssh/sshd.c 2019-04-04 13:19:51.270195262 +0200
|
||||
@@ -158,7 +158,7 @@ int debug_flag = 0;
|
||||
static int test_flag = 0;
|
||||
|
||||
/* Flag indicating that the daemon is being started from inetd. */
|
||||
-static int inetd_flag = 0;
|
||||
+int inetd_flag = 0;
|
||||
|
||||
/* Flag indicating that sshd should not detach and become a daemon. */
|
||||
static int no_daemon_flag = 0;
|
||||
@@ -171,7 +171,7 @@ static char **saved_argv;
|
||||
static int saved_argc;
|
||||
|
||||
/* re-exec */
|
||||
-static int rexeced_flag = 0;
|
||||
+int rexeced_flag = 0;
|
||||
static int rexec_flag = 1;
|
||||
static int rexec_argc = 0;
|
||||
static char **rexec_argv;
|
||||
@@ -2192,7 +2192,9 @@ main(int ac, char **av)
|
||||
}
|
||||
#endif
|
||||
#ifdef WITH_SELINUX
|
||||
- sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
|
||||
+ sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
|
||||
+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
|
||||
+ options.use_pam);
|
||||
#endif
|
||||
#ifdef USE_PAM
|
||||
if (options.use_pam) {
|
@ -1,457 +0,0 @@
|
||||
diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
|
||||
--- openssh-8.0p1/cipher-ctr.c.fips 2019-07-23 14:55:45.326525641 +0200
|
||||
+++ openssh-8.0p1/cipher-ctr.c 2019-07-23 14:55:45.401526401 +0200
|
||||
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
|
||||
aes_ctr.do_cipher = ssh_aes_ctr;
|
||||
#ifndef SSH_OLD_EVP
|
||||
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
|
||||
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
|
||||
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
|
||||
+ EVP_CIPH_FLAG_FIPS;
|
||||
#endif
|
||||
return (&aes_ctr);
|
||||
}
|
||||
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
|
||||
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200
|
||||
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200
|
||||
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max
|
||||
int best, bestcount, which, linenum;
|
||||
struct dhgroup dhg;
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("Using arbitrary primes is not allowed in FIPS mode."
|
||||
+ " Falling back to known groups.");
|
||||
+ return (dh_new_group_fallback(max));
|
||||
+ }
|
||||
+
|
||||
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {
|
||||
logit("WARNING: could not open %s (%s), using fixed modulus",
|
||||
_PATH_DH_MODULI, strerror(errno));
|
||||
@@ -489,4 +495,38 @@ dh_estimate(int bits)
|
||||
return 8192;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Compares the received DH parameters with known-good groups,
|
||||
+ * which might be either from group14, group16 or group18.
|
||||
+ */
|
||||
+int
|
||||
+dh_is_known_group(const DH *dh)
|
||||
+{
|
||||
+ const BIGNUM *p, *g;
|
||||
+ const BIGNUM *known_p, *known_g;
|
||||
+ DH *known = NULL;
|
||||
+ int bits = 0, rv = 0;
|
||||
+
|
||||
+ DH_get0_pqg(dh, &p, NULL, &g);
|
||||
+ bits = BN_num_bits(p);
|
||||
+
|
||||
+ if (bits <= 3072) {
|
||||
+ known = dh_new_group14();
|
||||
+ } else if (bits <= 6144) {
|
||||
+ known = dh_new_group16();
|
||||
+ } else {
|
||||
+ known = dh_new_group18();
|
||||
+ }
|
||||
+
|
||||
+ DH_get0_pqg(known, &known_p, NULL, &known_g);
|
||||
+
|
||||
+ if (BN_cmp(g, known_g) == 0 &&
|
||||
+ BN_cmp(p, known_p) == 0) {
|
||||
+ rv = 1;
|
||||
+ }
|
||||
+
|
||||
+ DH_free(known);
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
#endif /* WITH_OPENSSL */
|
||||
diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h
|
||||
--- openssh-8.0p1/dh.h.fips 2019-04-18 00:52:57.000000000 +0200
|
||||
+++ openssh-8.0p1/dh.h 2019-07-23 14:55:45.401526401 +0200
|
||||
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int);
|
||||
|
||||
int dh_gen_key(DH *, int);
|
||||
int dh_pub_is_valid(const DH *, const BIGNUM *);
|
||||
+int dh_is_known_group(const DH *);
|
||||
|
||||
u_int dh_estimate(int);
|
||||
|
||||
diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
|
||||
--- openssh-8.0p1/kex.c.fips 2019-07-23 14:55:45.395526340 +0200
|
||||
+++ openssh-8.0p1/kex.c 2019-07-23 14:55:45.402526411 +0200
|
||||
@@ -199,7 +199,10 @@ kex_names_valid(const char *names)
|
||||
for ((p = strsep(&cp, ",")); p && *p != '\0';
|
||||
(p = strsep(&cp, ","))) {
|
||||
if (kex_alg_by_name(p) == NULL) {
|
||||
- error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
+ if (FIPS_mode())
|
||||
+ error("\"%.100s\" is not allowed in FIPS mode", p);
|
||||
+ else
|
||||
+ error("Unsupported KEX algorithm \"%.100s\"", p);
|
||||
free(s);
|
||||
return 0;
|
||||
}
|
||||
diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
|
||||
--- openssh-8.0p1/kexgexc.c.fips 2019-04-18 00:52:57.000000000 +0200
|
||||
+++ openssh-8.0p1/kexgexc.c 2019-07-23 14:55:45.402526411 +0200
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
+#include <openssl/crypto.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32
|
||||
r = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
}
|
||||
+ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) {
|
||||
+ r = SSH_ERR_INVALID_ARGUMENT;
|
||||
+ goto out;
|
||||
+ }
|
||||
p = g = NULL; /* belong to kex->dh now */
|
||||
|
||||
/* generate and send 'e', client DH public key */
|
||||
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
|
||||
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200
|
||||
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200
|
||||
@@ -111,6 +111,20 @@
|
||||
"rsa-sha2-256," \
|
||||
"ssh-rsa"
|
||||
|
||||
+#define KEX_FIPS_PK_ALG \
|
||||
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
|
||||
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
|
||||
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
|
||||
+ "rsa-sha2-512-cert-v01@openssh.com," \
|
||||
+ "rsa-sha2-256-cert-v01@openssh.com," \
|
||||
+ "ssh-rsa-cert-v01@openssh.com," \
|
||||
+ "ecdsa-sha2-nistp256," \
|
||||
+ "ecdsa-sha2-nistp384," \
|
||||
+ "ecdsa-sha2-nistp521," \
|
||||
+ "rsa-sha2-512," \
|
||||
+ "rsa-sha2-256," \
|
||||
+ "ssh-rsa"
|
||||
+
|
||||
#define KEX_SERVER_ENCRYPT \
|
||||
"chacha20-poly1305@openssh.com," \
|
||||
"aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||
@@ -134,6 +142,27 @@
|
||||
|
||||
#define KEX_CLIENT_MAC KEX_SERVER_MAC
|
||||
|
||||
+#define KEX_FIPS_ENCRYPT \
|
||||
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
|
||||
+ "aes128-cbc,3des-cbc," \
|
||||
+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
|
||||
+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
|
||||
+#define KEX_DEFAULT_KEX_FIPS \
|
||||
+ "ecdh-sha2-nistp256," \
|
||||
+ "ecdh-sha2-nistp384," \
|
||||
+ "ecdh-sha2-nistp521," \
|
||||
+ "diffie-hellman-group-exchange-sha256," \
|
||||
+ "diffie-hellman-group16-sha512," \
|
||||
+ "diffie-hellman-group18-sha512," \
|
||||
+ "diffie-hellman-group14-sha256"
|
||||
+#define KEX_FIPS_MAC \
|
||||
+ "hmac-sha1," \
|
||||
+ "hmac-sha2-256," \
|
||||
+ "hmac-sha2-512," \
|
||||
+ "hmac-sha1-etm@openssh.com," \
|
||||
+ "hmac-sha2-256-etm@openssh.com," \
|
||||
+ "hmac-sha2-512-etm@openssh.com"
|
||||
+
|
||||
/* Not a KEX value, but here so all the algorithm defaults are together */
|
||||
#define SSH_ALLOWED_CA_SIGALGS \
|
||||
"ecdsa-sha2-nistp256," \
|
||||
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
|
||||
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200
|
||||
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200
|
||||
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options)
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||
/* remove unsupported algos from default lists */
|
||||
- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
|
||||
- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
|
||||
- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
|
||||
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
|
||||
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
|
||||
+ def_mac = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
|
||||
+ def_kex = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
|
||||
+ def_key = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||
+ def_sig = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||
#define ASSEMBLE(what, defaults, all) \
|
||||
do { \
|
||||
if ((r = kex_assemble_names(&options->what, \
|
||||
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c
|
||||
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200
|
||||
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200
|
||||
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_
|
||||
#ifdef __NR_open
|
||||
SC_DENY(__NR_open, EACCES),
|
||||
#endif
|
||||
+#ifdef __NR_socket
|
||||
+ SC_DENY(__NR_socket, EACCES),
|
||||
+#endif
|
||||
#ifdef __NR_openat
|
||||
SC_DENY(__NR_openat, EACCES),
|
||||
#endif
|
||||
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
|
||||
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200
|
||||
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200
|
||||
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o)
|
||||
all_key = sshkey_alg_list(0, 0, 1, ',');
|
||||
all_sig = sshkey_alg_list(0, 1, 1, ',');
|
||||
/* remove unsupported algos from default lists */
|
||||
- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
|
||||
- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
|
||||
- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
|
||||
- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
|
||||
- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
|
||||
+ def_cipher = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
|
||||
+ def_mac = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
|
||||
+ def_kex = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
|
||||
+ def_key = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
|
||||
+ def_sig = match_filter_allowlist((FIPS_mode() ?
|
||||
+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
|
||||
#define ASSEMBLE(what, defaults, all) \
|
||||
do { \
|
||||
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
|
||||
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
|
||||
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200
|
||||
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200
|
||||
@@ -76,6 +76,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
+#include <openssl/crypto.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
@@ -614,6 +626,10 @@ main(int ac, char **av)
|
||||
dump_client_config(&options, host);
|
||||
exit(0);
|
||||
}
|
||||
+
|
||||
+ if (FIPS_mode()) {
|
||||
+ debug("FIPS mode initialized");
|
||||
+ }
|
||||
|
||||
/* Expand SecurityKeyProvider if it refers to an environment variable */
|
||||
if (options.sk_provider != NULL && *options.sk_provider == '$' &&
|
||||
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
|
||||
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200
|
||||
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <vis.h>
|
||||
#endif
|
||||
|
||||
+#include <openssl/crypto.h>
|
||||
+
|
||||
#include "openbsd-compat/sys-queue.h"
|
||||
|
||||
#include "xmalloc.h"
|
||||
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
|
||||
|
||||
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||
if (options.gss_keyex) {
|
||||
- /* Add the GSSAPI mechanisms currently supported on this
|
||||
- * client to the key exchange algorithm proposal */
|
||||
- orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||
-
|
||||
- if (options.gss_server_identity) {
|
||||
- gss_host = xstrdup(options.gss_server_identity);
|
||||
- } else if (options.gss_trust_dns) {
|
||||
- gss_host = remote_hostname(ssh);
|
||||
- /* Fall back to specified host if we are using proxy command
|
||||
- * and can not use DNS on that socket */
|
||||
- if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||
- free(gss_host);
|
||||
- gss_host = xstrdup(host);
|
||||
- }
|
||||
- } else {
|
||||
- gss_host = xstrdup(host);
|
||||
- }
|
||||
-
|
||||
- gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
- options.gss_client_identity, options.gss_kex_algorithms);
|
||||
- if (gss) {
|
||||
- debug("Offering GSSAPI proposal: %s", gss);
|
||||
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||
- "%s,%s", gss, orig);
|
||||
-
|
||||
- /* If we've got GSSAPI algorithms, then we also support the
|
||||
- * 'null' hostkey, as a last resort */
|
||||
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
||||
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||
- "%s,null", orig);
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||
+ options.gss_keyex = 0;
|
||||
+ } else {
|
||||
+ /* Add the GSSAPI mechanisms currently supported on this
|
||||
+ * client to the key exchange algorithm proposal */
|
||||
+ orig = myproposal[PROPOSAL_KEX_ALGS];
|
||||
+
|
||||
+ if (options.gss_server_identity) {
|
||||
+ gss_host = xstrdup(options.gss_server_identity);
|
||||
+ } else if (options.gss_trust_dns) {
|
||||
+ gss_host = remote_hostname(ssh);
|
||||
+ /* Fall back to specified host if we are using proxy command
|
||||
+ * and can not use DNS on that socket */
|
||||
+ if (strcmp(gss_host, "UNKNOWN") == 0) {
|
||||
+ free(gss_host);
|
||||
+ gss_host = xstrdup(host);
|
||||
+ }
|
||||
+ } else {
|
||||
+ gss_host = xstrdup(host);
|
||||
+ }
|
||||
+
|
||||
+ gss = ssh_gssapi_client_mechanisms(gss_host,
|
||||
+ options.gss_client_identity, options.gss_kex_algorithms);
|
||||
+ if (gss) {
|
||||
+ debug("Offering GSSAPI proposal: %s", gss);
|
||||
+ xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
|
||||
+ "%s,%s", gss, orig);
|
||||
+
|
||||
+ /* If we've got GSSAPI algorithms, then we also support the
|
||||
+ * 'null' hostkey, as a last resort */
|
||||
+ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
|
||||
+ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
|
||||
+ "%s,null", orig);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
#endif
|
||||
diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
|
||||
--- openssh-8.0p1/sshd.c.fips 2019-07-23 14:55:45.398526371 +0200
|
||||
+++ openssh-8.0p1/sshd.c 2019-07-23 14:55:45.403526421 +0200
|
||||
@@ -66,6 +66,7 @@
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
#include <signal.h>
|
||||
+#include <syslog.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@@ -77,6 +78,7 @@
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/rand.h>
|
||||
+#include <openssl/crypto.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
@@ -1529,6 +1532,7 @@ main(int ac, char **av)
|
||||
#endif
|
||||
__progname = ssh_get_progname(av[0]);
|
||||
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
|
||||
saved_argc = ac;
|
||||
rexec_argc = ac;
|
||||
@@ -1992,6 +2007,10 @@ main(int ac, char **av)
|
||||
/* Reinitialize the log (because of the fork above). */
|
||||
log_init(__progname, options.log_level, options.log_facility, log_stderr);
|
||||
|
||||
+ if (FIPS_mode()) {
|
||||
+ debug("FIPS mode initialized");
|
||||
+ }
|
||||
+
|
||||
/* Chdir to the root directory so that the current disk can be
|
||||
unmounted if desired. */
|
||||
if (chdir("/") == -1)
|
||||
@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh)
|
||||
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
|
||||
orig = NULL;
|
||||
|
||||
- if (options.gss_keyex)
|
||||
- gss = ssh_gssapi_server_mechanisms();
|
||||
- else
|
||||
- gss = NULL;
|
||||
+ if (options.gss_keyex) {
|
||||
+ if (FIPS_mode()) {
|
||||
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
|
||||
+ options.gss_keyex = 0;
|
||||
+ } else {
|
||||
+ gss = ssh_gssapi_server_mechanisms();
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (gss && orig)
|
||||
xasprintf(&newstr, "%s,%s", gss, orig);
|
||||
diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
|
||||
--- openssh-8.0p1/sshkey.c.fips 2019-07-23 14:55:45.398526371 +0200
|
||||
+++ openssh-8.0p1/sshkey.c 2019-07-23 14:55:45.404526431 +0200
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/pem.h>
|
||||
+#include <openssl/crypto.h>
|
||||
#endif
|
||||
|
||||
#include "crypto_api.h"
|
||||
@@ -57,6 +58,7 @@
|
||||
#define SSHKEY_INTERNAL
|
||||
#include "sshkey.h"
|
||||
#include "match.h"
|
||||
+#include "log.h"
|
||||
#include "ssh-sk.h"
|
||||
|
||||
#ifdef WITH_XMSS
|
||||
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA
|
||||
}
|
||||
if (!BN_set_word(f4, RSA_F4) ||
|
||||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
|
||||
+ if (FIPS_mode())
|
||||
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
|
||||
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200
|
||||
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200
|
||||
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na
|
||||
#endif
|
||||
}
|
||||
#ifdef WITH_OPENSSL
|
||||
+ if (FIPS_mode()) {
|
||||
+ if (type == KEY_DSA)
|
||||
+ fatal("DSA keys are not allowed in FIPS mode");
|
||||
+ if (type == KEY_ED25519)
|
||||
+ fatal("ED25519 keys are not allowed in FIPS mode");
|
||||
+ }
|
||||
switch (type) {
|
||||
case KEY_DSA:
|
||||
if (*bitsp != 1024)
|
||||
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw)
|
||||
first = 1;
|
||||
printf("%s: generating new host keys: ", __progname);
|
||||
}
|
||||
+ type = sshkey_type_from_name(key_types[i].key_type);
|
||||
+
|
||||
+ /* Skip the keys that are not supported in FIPS mode */
|
||||
+ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
|
||||
+ logit("Skipping %s key in FIPS mode",
|
||||
+ key_types[i].key_type_display);
|
||||
+ goto next;
|
||||
+ }
|
||||
+
|
||||
printf("%s ", key_types[i].key_type_display);
|
||||
fflush(stdout);
|
||||
- type = sshkey_type_from_name(key_types[i].key_type);
|
||||
if ((fd = mkstemp(prv_tmp)) == -1) {
|
||||
error("Could not save your private key in %s: %s",
|
||||
prv_tmp, strerror(errno));
|
@ -1,647 +0,0 @@
|
||||
diff --git a/auth-krb5.c b/auth-krb5.c
|
||||
index a5a81ed2..63f877f2 100644
|
||||
--- a/auth-krb5.c
|
||||
+++ b/auth-krb5.c
|
||||
@@ -51,6 +51,7 @@
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <krb5.h>
|
||||
+#include <profile.h>
|
||||
|
||||
extern ServerOptions options;
|
||||
|
||||
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||
#endif
|
||||
krb5_error_code problem;
|
||||
krb5_ccache ccache = NULL;
|
||||
- int len;
|
||||
+ char *ticket_name = NULL;
|
||||
char *client, *platform_client;
|
||||
const char *errmsg;
|
||||
|
||||
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||
goto out;
|
||||
}
|
||||
|
||||
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
|
||||
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
|
||||
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||
if (problem)
|
||||
goto out;
|
||||
|
||||
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
|
||||
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
|
||||
&creds);
|
||||
if (problem)
|
||||
goto out;
|
||||
#endif
|
||||
|
||||
- authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||
+ problem = krb5_cc_get_full_name(authctxt->krb5_ctx,
|
||||
+ authctxt->krb5_fwd_ccache, &ticket_name);
|
||||
|
||||
- len = strlen(authctxt->krb5_ticket_file) + 6;
|
||||
- authctxt->krb5_ccname = xmalloc(len);
|
||||
- snprintf(authctxt->krb5_ccname, len, "FILE:%s",
|
||||
- authctxt->krb5_ticket_file);
|
||||
+ authctxt->krb5_ccname = xstrdup(ticket_name);
|
||||
+ krb5_free_string(authctxt->krb5_ctx, ticket_name);
|
||||
|
||||
#ifdef USE_PAM
|
||||
- if (options.use_pam)
|
||||
+ if (options.use_pam && authctxt->krb5_set_env)
|
||||
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
|
||||
#endif
|
||||
|
||||
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
|
||||
void
|
||||
krb5_cleanup_proc(Authctxt *authctxt)
|
||||
{
|
||||
+ struct stat krb5_ccname_stat;
|
||||
+ char krb5_ccname[128], *krb5_ccname_dir_start, *krb5_ccname_dir_end;
|
||||
+
|
||||
debug("krb5_cleanup_proc called");
|
||||
if (authctxt->krb5_fwd_ccache) {
|
||||
- krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
|
||||
+ krb5_context ctx = authctxt->krb5_ctx;
|
||||
+ krb5_cccol_cursor cursor;
|
||||
+ krb5_ccache ccache;
|
||||
+ int ret;
|
||||
+
|
||||
+ krb5_cc_destroy(ctx, authctxt->krb5_fwd_ccache);
|
||||
authctxt->krb5_fwd_ccache = NULL;
|
||||
+
|
||||
+ ret = krb5_cccol_cursor_new(ctx, &cursor);
|
||||
+ if (ret)
|
||||
+ goto out;
|
||||
+
|
||||
+ ret = krb5_cccol_cursor_next(ctx, cursor, &ccache);
|
||||
+ if (ret == 0 && ccache != NULL) {
|
||||
+ /* There is at least one other ccache in collection
|
||||
+ * we can switch to */
|
||||
+ krb5_cc_switch(ctx, ccache);
|
||||
+ } else if (authctxt->krb5_ccname != NULL) {
|
||||
+ /* Clean up the collection too */
|
||||
+ strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
|
||||
+ krb5_ccname_dir_start = strchr(krb5_ccname, ':') + 1;
|
||||
+ *krb5_ccname_dir_start++ = '\0';
|
||||
+ if (strcmp(krb5_ccname, "DIR") == 0) {
|
||||
+
|
||||
+ strcat(krb5_ccname_dir_start, "/primary");
|
||||
+
|
||||
+ if (stat(krb5_ccname_dir_start, &krb5_ccname_stat) == 0) {
|
||||
+ if (unlink(krb5_ccname_dir_start) == 0) {
|
||||
+ krb5_ccname_dir_end = strrchr(krb5_ccname_dir_start, '/');
|
||||
+ *krb5_ccname_dir_end = '\0';
|
||||
+ if (rmdir(krb5_ccname_dir_start) == -1)
|
||||
+ debug("cache dir '%s' remove failed: %s",
|
||||
+ krb5_ccname_dir_start, strerror(errno));
|
||||
+ }
|
||||
+ else
|
||||
+ debug("cache primary file '%s', remove failed: %s",
|
||||
+ krb5_ccname_dir_start, strerror(errno));
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ krb5_cccol_cursor_free(ctx, &cursor);
|
||||
}
|
||||
+out:
|
||||
if (authctxt->krb5_user) {
|
||||
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
|
||||
authctxt->krb5_user = NULL;
|
||||
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
|
||||
}
|
||||
}
|
||||
|
||||
-#ifndef HEIMDAL
|
||||
+
|
||||
+#if !defined(HEIMDAL)
|
||||
+int
|
||||
+ssh_asprintf_append(char **dsc, const char *fmt, ...) {
|
||||
+ char *src, *old;
|
||||
+ va_list ap;
|
||||
+ int i;
|
||||
+
|
||||
+ va_start(ap, fmt);
|
||||
+ i = vasprintf(&src, fmt, ap);
|
||||
+ va_end(ap);
|
||||
+
|
||||
+ if (i == -1 || src == NULL)
|
||||
+ return -1;
|
||||
+
|
||||
+ old = *dsc;
|
||||
+
|
||||
+ i = asprintf(dsc, "%s%s", *dsc, src);
|
||||
+ if (i == -1 || src == NULL) {
|
||||
+ free(src);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ free(old);
|
||||
+ free(src);
|
||||
+
|
||||
+ return i;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+ssh_krb5_expand_template(char **result, const char *template) {
|
||||
+ char *p_n, *p_o, *r, *tmp_template;
|
||||
+
|
||||
+ debug3("%s: called, template = %s", __func__, template);
|
||||
+ if (template == NULL)
|
||||
+ return -1;
|
||||
+
|
||||
+ tmp_template = p_n = p_o = xstrdup(template);
|
||||
+ r = xstrdup("");
|
||||
+
|
||||
+ while ((p_n = strstr(p_o, "%{")) != NULL) {
|
||||
+
|
||||
+ *p_n++ = '\0';
|
||||
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ if (strncmp(p_n, "{uid}", 5) == 0 || strncmp(p_n, "{euid}", 6) == 0 ||
|
||||
+ strncmp(p_n, "{USERID}", 8) == 0) {
|
||||
+ p_o = strchr(p_n, '}') + 1;
|
||||
+ if (ssh_asprintf_append(&r, "%d", geteuid()) == -1)
|
||||
+ goto cleanup;
|
||||
+ continue;
|
||||
+ }
|
||||
+ else if (strncmp(p_n, "{TEMP}", 6) == 0) {
|
||||
+ p_o = strchr(p_n, '}') + 1;
|
||||
+ if (ssh_asprintf_append(&r, "/tmp") == -1)
|
||||
+ goto cleanup;
|
||||
+ continue;
|
||||
+ } else {
|
||||
+ p_o = strchr(p_n, '}') + 1;
|
||||
+ *p_o = '\0';
|
||||
+ debug("%s: unsupported token %s in %s", __func__, p_n, template);
|
||||
+ /* unknown token, fallback to the default */
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)
|
||||
+ goto cleanup;
|
||||
+
|
||||
+ *result = r;
|
||||
+ free(tmp_template);
|
||||
+ return 0;
|
||||
+
|
||||
+cleanup:
|
||||
+ free(r);
|
||||
+ free(tmp_template);
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
krb5_error_code
|
||||
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
|
||||
- int tmpfd, ret, oerrno;
|
||||
- char ccname[40];
|
||||
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
|
||||
+ profile_t p;
|
||||
+ int ret = 0;
|
||||
+ char *value = NULL;
|
||||
+
|
||||
+ debug3("%s: called", __func__);
|
||||
+ ret = krb5_get_profile(ctx, &p);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
+ ret = profile_get_string(p, "libdefaults", "default_ccache_name", NULL, NULL, &value);
|
||||
+ if (ret || !value)
|
||||
+ return ret;
|
||||
+
|
||||
+ ret = ssh_krb5_expand_template(ccname, value);
|
||||
+
|
||||
+ debug3("%s: returning with ccname = %s", __func__, *ccname);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+krb5_error_code
|
||||
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
|
||||
+ int tmpfd, ret, oerrno, type_len;
|
||||
+ char *ccname = NULL;
|
||||
mode_t old_umask;
|
||||
+ char *type = NULL, *colon = NULL;
|
||||
|
||||
- ret = snprintf(ccname, sizeof(ccname),
|
||||
- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
|
||||
- if (ret < 0 || (size_t)ret >= sizeof(ccname))
|
||||
- return ENOMEM;
|
||||
-
|
||||
- old_umask = umask(0177);
|
||||
- tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||
- oerrno = errno;
|
||||
- umask(old_umask);
|
||||
- if (tmpfd == -1) {
|
||||
- logit("mkstemp(): %.100s", strerror(oerrno));
|
||||
- return oerrno;
|
||||
- }
|
||||
+ debug3("%s: called", __func__);
|
||||
+ if (need_environment)
|
||||
+ *need_environment = 0;
|
||||
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname);
|
||||
+ if (ret || !ccname || options.kerberos_unique_ccache) {
|
||||
+ /* Otherwise, go with the old method */
|
||||
+ if (ccname)
|
||||
+ free(ccname);
|
||||
+ ccname = NULL;
|
||||
+
|
||||
+ ret = asprintf(&ccname,
|
||||
+ "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
|
||||
+ if (ret < 0)
|
||||
+ return ENOMEM;
|
||||
|
||||
- if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
||||
+ old_umask = umask(0177);
|
||||
+ tmpfd = mkstemp(ccname + strlen("FILE:"));
|
||||
oerrno = errno;
|
||||
- logit("fchmod(): %.100s", strerror(oerrno));
|
||||
+ umask(old_umask);
|
||||
+ if (tmpfd == -1) {
|
||||
+ logit("mkstemp(): %.100s", strerror(oerrno));
|
||||
+ return oerrno;
|
||||
+ }
|
||||
+
|
||||
+ if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
|
||||
+ oerrno = errno;
|
||||
+ logit("fchmod(): %.100s", strerror(oerrno));
|
||||
+ close(tmpfd);
|
||||
+ return oerrno;
|
||||
+ }
|
||||
+ /* make sure the KRB5CCNAME is set for non-standard location */
|
||||
+ if (need_environment)
|
||||
+ *need_environment = 1;
|
||||
close(tmpfd);
|
||||
- return oerrno;
|
||||
}
|
||||
- close(tmpfd);
|
||||
|
||||
- return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||
+ debug3("%s: setting default ccname to %s", __func__, ccname);
|
||||
+ /* set the default with already expanded user IDs */
|
||||
+ ret = krb5_cc_set_default_name(ctx, ccname);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
+ if ((colon = strstr(ccname, ":")) != NULL) {
|
||||
+ type_len = colon - ccname;
|
||||
+ type = malloc((type_len + 1) * sizeof(char));
|
||||
+ if (type == NULL)
|
||||
+ return ENOMEM;
|
||||
+ strncpy(type, ccname, type_len);
|
||||
+ type[type_len] = 0;
|
||||
+ } else {
|
||||
+ type = strdup(ccname);
|
||||
+ }
|
||||
+
|
||||
+ /* If we have a credential cache from krb5.conf, we need to switch
|
||||
+ * a primary cache for this collection, if it supports that (non-FILE)
|
||||
+ */
|
||||
+ if (krb5_cc_support_switch(ctx, type)) {
|
||||
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname);
|
||||
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
|
||||
+ free(type);
|
||||
+ if (ret)
|
||||
+ return ret;
|
||||
+
|
||||
+ debug3("%s: calling cc_switch()", __func__);
|
||||
+ return krb5_cc_switch(ctx, *ccache);
|
||||
+ } else {
|
||||
+ /* Otherwise, we can not create a unique ccname here (either
|
||||
+ * it is already unique from above or the type does not support
|
||||
+ * collections
|
||||
+ */
|
||||
+ free(type);
|
||||
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname);
|
||||
+ return (krb5_cc_resolve(ctx, ccname, ccache));
|
||||
+ }
|
||||
}
|
||||
#endif /* !HEIMDAL */
|
||||
#endif /* KRB5 */
|
||||
diff --git a/auth.h b/auth.h
|
||||
index 29491df9..fdab5040 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -82,6 +82,7 @@ struct Authctxt {
|
||||
krb5_principal krb5_user;
|
||||
char *krb5_ticket_file;
|
||||
char *krb5_ccname;
|
||||
+ int krb5_set_env;
|
||||
#endif
|
||||
struct sshbuf *loginmsg;
|
||||
|
||||
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *);
|
||||
int sys_auth_passwd(struct ssh *, const char *);
|
||||
|
||||
#if defined(KRB5) && !defined(HEIMDAL)
|
||||
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
|
||||
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
|
||||
#endif
|
||||
|
||||
#endif /* AUTH_H */
|
||||
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
|
||||
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100
|
||||
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100
|
||||
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
|
||||
/* This writes out any forwarded credentials from the structure populated
|
||||
* during userauth. Called after we have setuid to the user */
|
||||
|
||||
-static void
|
||||
+static int
|
||||
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
|
||||
{
|
||||
krb5_ccache ccache;
|
||||
@@ -276,14 +276,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
OM_uint32 maj_status, min_status;
|
||||
const char *new_ccname, *new_cctype;
|
||||
const char *errmsg;
|
||||
+ int set_env = 0;
|
||||
|
||||
if (client->creds == NULL) {
|
||||
debug("No credentials stored");
|
||||
- return;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
if (ssh_gssapi_krb5_init() == 0)
|
||||
- return;
|
||||
+ return 0;
|
||||
|
||||
#ifdef HEIMDAL
|
||||
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
|
||||
@@ -297,14 +298,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
krb5_get_err_text(krb_context, problem));
|
||||
# endif
|
||||
krb5_free_error_message(krb_context, errmsg);
|
||||
- return;
|
||||
+ return 0;
|
||||
}
|
||||
#else
|
||||
- if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
|
||||
+ if ((problem = ssh_krb5_cc_new_unique(krb_context, &ccache, &set_env)) != 0) {
|
||||
errmsg = krb5_get_error_message(krb_context, problem);
|
||||
- logit("ssh_krb5_cc_gen(): %.100s", errmsg);
|
||||
+ logit("ssh_krb5_cc_new_unique(): %.100s", errmsg);
|
||||
krb5_free_error_message(krb_context, errmsg);
|
||||
- return;
|
||||
+ return 0;
|
||||
}
|
||||
#endif /* #ifdef HEIMDAL */
|
||||
|
||||
@@ -313,7 +314,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
errmsg = krb5_get_error_message(krb_context, problem);
|
||||
logit("krb5_parse_name(): %.100s", errmsg);
|
||||
krb5_free_error_message(krb_context, errmsg);
|
||||
- return;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
|
||||
@@ -322,7 +323,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
krb5_free_error_message(krb_context, errmsg);
|
||||
krb5_free_principal(krb_context, princ);
|
||||
krb5_cc_destroy(krb_context, ccache);
|
||||
- return;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
krb5_free_principal(krb_context, princ);
|
||||
@@ -331,32 +332,21 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
client->creds, ccache))) {
|
||||
logit("gss_krb5_copy_ccache() failed");
|
||||
krb5_cc_destroy(krb_context, ccache);
|
||||
- return;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
new_cctype = krb5_cc_get_type(krb_context, ccache);
|
||||
new_ccname = krb5_cc_get_name(krb_context, ccache);
|
||||
-
|
||||
- client->store.envvar = "KRB5CCNAME";
|
||||
-#ifdef USE_CCAPI
|
||||
- xasprintf(&client->store.envval, "API:%s", new_ccname);
|
||||
- client->store.filename = NULL;
|
||||
-#else
|
||||
- if (new_ccname[0] == ':')
|
||||
- new_ccname++;
|
||||
xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);
|
||||
- if (strcmp(new_cctype, "DIR") == 0) {
|
||||
- char *p;
|
||||
- p = strrchr(client->store.envval, '/');
|
||||
- if (p)
|
||||
- *p = '\0';
|
||||
+
|
||||
+ if (set_env) {
|
||||
+ client->store.envvar = "KRB5CCNAME";
|
||||
}
|
||||
if ((strcmp(new_cctype, "FILE") == 0) || (strcmp(new_cctype, "DIR") == 0))
|
||||
client->store.filename = xstrdup(new_ccname);
|
||||
-#endif
|
||||
|
||||
#ifdef USE_PAM
|
||||
- if (options.use_pam)
|
||||
+ if (options.use_pam && set_env)
|
||||
do_pam_putenv(client->store.envvar, client->store.envval);
|
||||
#endif
|
||||
|
||||
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
|
||||
|
||||
client->store.data = krb_context;
|
||||
|
||||
- return;
|
||||
+ return set_env;
|
||||
}
|
||||
|
||||
int
|
||||
diff --git a/gss-serv.c b/gss-serv.c
|
||||
index 6cae720e..16e55cbc 100644
|
||||
--- a/gss-serv.c
|
||||
+++ b/gss-serv.c
|
||||
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
|
||||
}
|
||||
|
||||
/* As user */
|
||||
-void
|
||||
+int
|
||||
ssh_gssapi_storecreds(void)
|
||||
{
|
||||
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
|
||||
- (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
|
||||
} else
|
||||
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/* This allows GSSAPI methods to do things to the child's environment based
|
||||
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
|
||||
char *envstr;
|
||||
#endif
|
||||
|
||||
- if (gssapi_client.store.filename == NULL &&
|
||||
- gssapi_client.store.envval == NULL &&
|
||||
- gssapi_client.store.envvar == NULL)
|
||||
+ if (gssapi_client.store.envval == NULL)
|
||||
return;
|
||||
|
||||
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
|
||||
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
|
||||
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
|
||||
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
|
||||
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
|
||||
options->kerberos_or_local_passwd = -1;
|
||||
options->kerberos_ticket_cleanup = -1;
|
||||
options->kerberos_get_afs_token = -1;
|
||||
+ options->kerberos_unique_ccache = -1;
|
||||
options->gss_authentication=-1;
|
||||
options->gss_keyex = -1;
|
||||
options->gss_cleanup_creds = -1;
|
||||
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->kerberos_ticket_cleanup = 1;
|
||||
if (options->kerberos_get_afs_token == -1)
|
||||
options->kerberos_get_afs_token = 0;
|
||||
+ if (options->kerberos_unique_ccache == -1)
|
||||
+ options->kerberos_unique_ccache = 0;
|
||||
if (options->gss_authentication == -1)
|
||||
options->gss_authentication = 0;
|
||||
if (options->gss_keyex == -1)
|
||||
@@ -447,7 +450,8 @@ typedef enum {
|
||||
sPermitRootLogin, sLogFacility, sLogLevel,
|
||||
sRhostsRSAAuthentication, sRSAAuthentication,
|
||||
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
|
||||
- sKerberosGetAFSToken, sChallengeResponseAuthentication,
|
||||
+ sKerberosGetAFSToken, sKerberosUniqueCCache,
|
||||
+ sChallengeResponseAuthentication,
|
||||
sPasswordAuthentication, sKbdInteractiveAuthentication,
|
||||
sListenAddress, sAddressFamily,
|
||||
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
|
||||
@@ -526,11 +530,13 @@ static struct {
|
||||
#else
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
+ { "kerberosuniqueccache", sKerberosUniqueCCache, SSHCFG_GLOBAL },
|
||||
#else
|
||||
{ "kerberosauthentication", sUnsupported, SSHCFG_ALL },
|
||||
{ "kerberosorlocalpasswd", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosticketcleanup", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
|
||||
+ { "kerberosuniqueccache", sUnsupported, SSHCFG_GLOBAL },
|
||||
#endif
|
||||
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
||||
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line,
|
||||
intptr = &options->kerberos_get_afs_token;
|
||||
goto parse_flag;
|
||||
|
||||
+ case sKerberosUniqueCCache:
|
||||
+ intptr = &options->kerberos_unique_ccache;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sGssAuthentication:
|
||||
intptr = &options->gss_authentication;
|
||||
goto parse_flag;
|
||||
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o)
|
||||
# ifdef USE_AFS
|
||||
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
|
||||
# endif
|
||||
+ dump_cfg_fmtint(sKerberosUniqueCCache, o->kerberos_unique_ccache);
|
||||
#endif
|
||||
#ifdef GSSAPI
|
||||
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index db8362c6..4fa42d64 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -123,6 +123,8 @@ typedef struct {
|
||||
* file on logout. */
|
||||
int kerberos_get_afs_token; /* If true, try to get AFS token if
|
||||
* authenticated with Kerberos. */
|
||||
+ int kerberos_unique_ccache; /* If true, the acquired ticket will
|
||||
+ * be stored in per-session ccache */
|
||||
int gss_authentication; /* If true, permit GSSAPI authentication */
|
||||
int gss_keyex; /* If true, permit GSSAPI key exchange */
|
||||
int gss_cleanup_creds; /* If true, destroy cred cache on logout */
|
||||
diff --git a/session.c b/session.c
|
||||
index 85df6a27..480a5ead 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
/* Allow any GSSAPI methods that we've used to alter
|
||||
* the child's environment as they see fit
|
||||
*/
|
||||
- ssh_gssapi_do_child(&env, &envsize);
|
||||
+ if (s->authctxt->krb5_set_env)
|
||||
+ ssh_gssapi_do_child(&env, &envsize);
|
||||
#endif
|
||||
|
||||
/* Set basic environment. */
|
||||
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
|
||||
}
|
||||
#endif
|
||||
#ifdef KRB5
|
||||
- if (s->authctxt->krb5_ccname)
|
||||
+ if (s->authctxt->krb5_ccname && s->authctxt->krb5_set_env)
|
||||
child_set_env(&env, &envsize, "KRB5CCNAME",
|
||||
s->authctxt->krb5_ccname);
|
||||
#endif
|
||||
diff --git a/ssh-gss.h b/ssh-gss.h
|
||||
index 6593e422..245178af 100644
|
||||
--- a/ssh-gss.h
|
||||
+++ b/ssh-gss.h
|
||||
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
|
||||
int (*dochild) (ssh_gssapi_client *);
|
||||
int (*userok) (ssh_gssapi_client *, char *);
|
||||
int (*localname) (ssh_gssapi_client *, char **);
|
||||
- void (*storecreds) (ssh_gssapi_client *);
|
||||
+ int (*storecreds) (ssh_gssapi_client *);
|
||||
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
|
||||
} ssh_gssapi_mech;
|
||||
|
||||
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
|
||||
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
|
||||
void ssh_gssapi_do_child(char ***, u_int *);
|
||||
void ssh_gssapi_cleanup_creds(void);
|
||||
-void ssh_gssapi_storecreds(void);
|
||||
+int ssh_gssapi_storecreds(void);
|
||||
const char *ssh_gssapi_displayname(void);
|
||||
|
||||
char *ssh_gssapi_server_mechanisms(void);
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index edbe815c..89514e8a 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
|
||||
#ifdef GSSAPI
|
||||
if (options.gss_authentication) {
|
||||
temporarily_use_uid(authctxt->pw);
|
||||
- ssh_gssapi_storecreds();
|
||||
+ authctxt->krb5_set_env = ssh_gssapi_storecreds();
|
||||
restore_uid();
|
||||
}
|
||||
#endif
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index c0683d4a..2349f477 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
|
||||
file on logout.
|
||||
The default is
|
||||
.Cm yes .
|
||||
+.It Cm KerberosUniqueCCache
|
||||
+Specifies whether to store the acquired tickets in the per-session credential
|
||||
+cache under /tmp/ or whether to use per-user credential cache as configured in
|
||||
+.Pa /etc/krb5.conf .
|
||||
+The default value
|
||||
+.Cm no
|
||||
+can lead to overwriting previous tickets by subseqent connections to the same
|
||||
+user account.
|
||||
.It Cm KexAlgorithms
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
@ -1,117 +0,0 @@
|
||||
diff -up openssh/ssh_config.redhat openssh/ssh_config
|
||||
--- openssh/ssh_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||
+++ openssh/ssh_config 2020-02-13 18:13:39.180641839 +0100
|
||||
@@ -43,3 +43,10 @@
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
# UserKnownHostsFile ~/.ssh/known_hosts.d/%k
|
||||
+#
|
||||
+# This system is following system-wide crypto policy.
|
||||
+# To modify the crypto properties (Ciphers, MACs, ...), create a *.conf
|
||||
+# file under /etc/ssh/ssh_config.d/ which will be automatically
|
||||
+# included below. For more information, see manual page for
|
||||
+# update-crypto-policies(8) and ssh_config(5).
|
||||
+Include /etc/ssh/ssh_config.d/*.conf
|
||||
diff -up openssh/ssh_config_redhat.redhat openssh/ssh_config_redhat
|
||||
--- openssh/ssh_config_redhat.redhat 2020-02-13 18:13:39.180641839 +0100
|
||||
+++ openssh/ssh_config_redhat 2020-02-13 18:13:39.180641839 +0100
|
||||
@@ -0,0 +1,21 @@
|
||||
+# The options here are in the "Match final block" to be applied as the last
|
||||
+# options and could be potentially overwritten by the user configuration
|
||||
+Match final all
|
||||
+ # Follow system-wide Crypto Policy, if defined:
|
||||
+ Include /etc/crypto-policies/back-ends/openssh.config
|
||||
+
|
||||
+ GSSAPIAuthentication yes
|
||||
+
|
||||
+# If this option is set to yes then remote X11 clients will have full access
|
||||
+# to the original X11 display. As virtually no X11 client supports the untrusted
|
||||
+# mode correctly we set this to yes.
|
||||
+ ForwardX11Trusted yes
|
||||
+
|
||||
+# Send locale-related environment variables
|
||||
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
+ SendEnv XMODIFIERS
|
||||
+
|
||||
+# Uncomment this if you want to use .local domain
|
||||
+# Host *.local
|
||||
diff -up openssh/sshd_config.0.redhat openssh/sshd_config.0
|
||||
--- openssh/sshd_config.0.redhat 2020-02-12 14:30:04.000000000 +0100
|
||||
+++ openssh/sshd_config.0 2020-02-13 18:13:39.181641855 +0100
|
||||
@@ -970,9 +970,9 @@ DESCRIPTION
|
||||
|
||||
SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
|
||||
- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
|
||||
- default is AUTH.
|
||||
+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
|
||||
+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
+ The default is AUTH.
|
||||
|
||||
TCPKeepAlive
|
||||
Specifies whether the system should send TCP keepalive messages
|
||||
diff -up openssh/sshd_config.5.redhat openssh/sshd_config.5
|
||||
--- openssh/sshd_config.5.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||
+++ openssh/sshd_config.5 2020-02-13 18:13:39.181641855 +0100
|
||||
@@ -1614,7 +1614,7 @@ By default no subsystems are defined.
|
||||
.It Cm SyslogFacility
|
||||
Gives the facility code that is used when logging messages from
|
||||
.Xr sshd 8 .
|
||||
-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
|
||||
+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
|
||||
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
|
||||
The default is AUTH.
|
||||
.It Cm TCPKeepAlive
|
||||
diff -up openssh/sshd_config.redhat openssh/sshd_config
|
||||
--- openssh/sshd_config.redhat 2020-02-11 23:28:35.000000000 +0100
|
||||
+++ openssh/sshd_config 2020-02-13 18:20:16.349913681 +0100
|
||||
@@ -10,6 +10,14 @@
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
|
||||
+# To modify the system-wide sshd configuration, create a *.conf file under
|
||||
+# /etc/ssh/sshd_config.d/ which will be automatically included below
|
||||
+Include /etc/ssh/sshd_config.d/*.conf
|
||||
+
|
||||
+# If you want to change the port on a SELinux system, you have to tell
|
||||
+# SELinux about this change.
|
||||
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
|
||||
+#
|
||||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
diff -up openssh/sshd_config_redhat.redhat openssh/sshd_config_redhat
|
||||
--- openssh/sshd_config_redhat.redhat 2020-02-13 18:14:02.268006439 +0100
|
||||
+++ openssh/sshd_config_redhat 2020-02-13 18:19:20.765035947 +0100
|
||||
@@ -0,0 +1,28 @@
|
||||
+# This system is following system-wide crypto policy. The changes to
|
||||
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
|
||||
+# this or following included files. To override some configuration option,
|
||||
+# write it before this block or include it before this file.
|
||||
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
|
||||
+Include /etc/crypto-policies/back-ends/opensshserver.config
|
||||
+
|
||||
+SyslogFacility AUTHPRIV
|
||||
+
|
||||
+ChallengeResponseAuthentication no
|
||||
+
|
||||
+GSSAPIAuthentication yes
|
||||
+GSSAPICleanupCredentials no
|
||||
+
|
||||
+UsePAM yes
|
||||
+
|
||||
+X11Forwarding yes
|
||||
+
|
||||
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
|
||||
+# as it is more configurable and versatile than the built-in version.
|
||||
+PrintMotd no
|
||||
+
|
||||
+# Accept locale-related environment variables
|
||||
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
|
||||
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
|
||||
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
|
||||
+AcceptEnv XMODIFIERS
|
||||
+
|
@ -1,16 +0,0 @@
|
||||
diff --git a/scp.c b/scp.c
|
||||
index 60682c68..9344806e 100644
|
||||
--- a/scp.c
|
||||
+++ b/scp.c
|
||||
@@ -714,7 +714,9 @@ toremote(int argc, char **argv)
|
||||
addargs(&alist, "%s", host);
|
||||
addargs(&alist, "%s", cmd);
|
||||
addargs(&alist, "%s", src);
|
||||
- addargs(&alist, "%s%s%s:%s",
|
||||
+ addargs(&alist,
|
||||
+ /* IPv6 address needs to be enclosed with sqare brackets */
|
||||
+ strchr(host, ':') != NULL ? "%s%s[%s]:%s" : "%s%s%s:%s",
|
||||
tuser ? tuser : "", tuser ? "@" : "",
|
||||
thost, targ);
|
||||
if (do_local_cmd(&alist) != 0)
|
||||
|
@ -1,27 +0,0 @@
|
||||
From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 29 Sep 2020 10:02:45 +0000
|
||||
Subject: [PATCH] Fail hard on the first failed attempt to write the
|
||||
authorized_keys_file
|
||||
|
||||
---
|
||||
ssh-copy-id | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||
index 392f64f..e69a23f 100755
|
||||
--- a/contrib/ssh-copy-id
|
||||
+++ b/contrib/ssh-copy-id
|
||||
@@ -251,7 +251,7 @@ installkeys_sh() {
|
||||
cd;
|
||||
umask 077;
|
||||
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
||||
- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
|
||||
+ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
||||
cat >> ${AUTH_KEY_FILE} ||
|
||||
exit 1;
|
||||
if type restorecon >/dev/null 2>&1; then
|
||||
--
|
||||
GitLab
|
||||
|
||||
|
@ -1,502 +0,0 @@
|
||||
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
|
||||
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100
|
||||
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100
|
||||
@@ -359,17 +359,17 @@ or
|
||||
.Qq *.c.example.com
|
||||
domains.
|
||||
.It Cm CASignatureAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies which algorithms are allowed for signing of certificates
|
||||
by certificate authorities (CAs).
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
-.Ed
|
||||
-.Pp
|
||||
.Xr ssh 1
|
||||
will not accept host certificates signed using algorithms other than those
|
||||
specified.
|
||||
+.Pp
|
||||
.It Cm CertificateFile
|
||||
Specifies a file from which the user's certificate is read.
|
||||
A corresponding private key must be provided separately in order
|
||||
@@ -424,20 +424,25 @@ If the option is set to
|
||||
.Cm no ,
|
||||
the check will not be executed.
|
||||
.It Cm Ciphers
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the ciphers allowed and their order of preference.
|
||||
Multiple ciphers must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified ciphers will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified ciphers will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified ciphers (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified ciphers will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The supported ciphers are:
|
||||
.Bd -literal -offset indent
|
||||
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com
|
||||
chacha20-poly1305@openssh.com
|
||||
.Ed
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-chacha20-poly1305@openssh.com,
|
||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
.It Cm ClearAllForwardings
|
||||
@@ -812,6 +810,11 @@ command line will be passed untouched to
|
||||
The default is
|
||||
.Dq no .
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
The list of key exchange algorithms that are offered for GSSAPI
|
||||
key exchange. Possible values are
|
||||
.Bd -literal -offset 3n
|
||||
@@ -824,10 +827,8 @@ gss-nistp256-sha256-,
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
.Pp
|
||||
-The default is
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
+.Pp
|
||||
.It Cm HashKnownHosts
|
||||
Indicates that
|
||||
.Xr ssh 1
|
||||
@@ -1149,29 +1150,25 @@ it may be zero or more of:
|
||||
and
|
||||
.Cm pam .
|
||||
.It Cm KexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified methods will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified methods will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified methods (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified methods will be placed at the head of the
|
||||
-default set.
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
-diffie-hellman-group-exchange-sha256,
|
||||
-diffie-hellman-group16-sha512,
|
||||
-diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256
|
||||
-.Ed
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q kex .
|
||||
@@ -1231,37 +1228,33 @@ The default is INFO.
|
||||
DEBUG and DEBUG1 are equivalent.
|
||||
DEBUG2 and DEBUG3 each specify higher levels of verbose output.
|
||||
.It Cm MACs
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the MAC (message authentication code) algorithms
|
||||
in order of preference.
|
||||
The MAC algorithm is used for data integrity protection.
|
||||
Multiple algorithms must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified algorithms will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The algorithms that contain
|
||||
.Qq -etm
|
||||
calculate the MAC after encryption (encrypt-then-mac).
|
||||
These are considered safer and their use recommended.
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
||||
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||
-hmac-sha1-etm@openssh.com,
|
||||
-umac-64@openssh.com,umac-128@openssh.com,
|
||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
.It Cm NoHostAuthenticationForLocalhost
|
||||
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
|
||||
The default is
|
||||
.Cm no .
|
||||
.It Cm PubkeyAcceptedKeyTypes
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the key types that will be used for public key authentication
|
||||
as a comma-separated list of patterns.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the key types after it will be appended to the default
|
||||
-instead of replacing it.
|
||||
+character, then the key types after it will be appended to the built-in
|
||||
+openssh default instead of replacing it.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified key types (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified key types will be placed at the head of the
|
||||
-default set.
|
||||
-The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ssh-ed25519-cert-v01@openssh.com,
|
||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
-rsa-sha2-512-cert-v01@openssh.com,
|
||||
-rsa-sha2-256-cert-v01@openssh.com,
|
||||
-ssh-rsa-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
-.Ed
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
||||
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
|
||||
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100
|
||||
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100
|
||||
@@ -375,16 +375,16 @@ If the argument is
|
||||
then no banner is displayed.
|
||||
By default, no banner is displayed.
|
||||
.It Cm CASignatureAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies which algorithms are allowed for signing of certificates
|
||||
by certificate authorities (CAs).
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
-.Ed
|
||||
-.Pp
|
||||
Certificates signed using other algorithms will not be accepted for
|
||||
public key or host-based authentication.
|
||||
+.Pp
|
||||
.It Cm ChallengeResponseAuthentication
|
||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||
PAM or through authentication styles supported in
|
||||
@@ -446,20 +446,25 @@ The default is
|
||||
indicating not to
|
||||
.Xr chroot 2 .
|
||||
.It Cm Ciphers
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the ciphers allowed.
|
||||
Multiple ciphers must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified ciphers will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified ciphers will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified ciphers (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified ciphers will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The supported ciphers are:
|
||||
.Pp
|
||||
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com
|
||||
chacha20-poly1305@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-chacha20-poly1305@openssh.com,
|
||||
-aes128-ctr,aes192-ctr,aes256-ctr,
|
||||
-aes128-gcm@openssh.com,aes256-gcm@openssh.com
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available ciphers may also be obtained using
|
||||
.Qq ssh -Q cipher .
|
||||
.It Cm ClientAliveCountMax
|
||||
@@ -681,22 +679,24 @@ For this to work
|
||||
.Cm GSSAPIKeyExchange
|
||||
needs to be enabled in the server and also used by the client.
|
||||
.It Cm GSSAPIKexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
The list of key exchange algorithms that are accepted by GSSAPI
|
||||
key exchange. Possible values are
|
||||
.Bd -literal -offset 3n
|
||||
-gss-gex-sha1-,
|
||||
-gss-group1-sha1-,
|
||||
-gss-group14-sha1-,
|
||||
-gss-group14-sha256-,
|
||||
-gss-group16-sha512-,
|
||||
-gss-nistp256-sha256-,
|
||||
+gss-gex-sha1-
|
||||
+gss-group1-sha1-
|
||||
+gss-group14-sha1-
|
||||
+gss-group14-sha256-
|
||||
+gss-group16-sha512-
|
||||
+gss-nistp256-sha256-
|
||||
gss-curve25519-sha256-
|
||||
.Ed
|
||||
-.Pp
|
||||
-The default is
|
||||
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
|
||||
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
|
||||
This option only applies to connections using GSSAPI.
|
||||
+.Pp
|
||||
.It Cm HostbasedAcceptedKeyTypes
|
||||
Specifies the key types that will be accepted for hostbased authentication
|
||||
as a list of comma-separated patterns.
|
||||
@@ -793,25 +793,13 @@ is specified, the location of the socket
|
||||
.Ev SSH_AUTH_SOCK
|
||||
environment variable.
|
||||
.It Cm HostKeyAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the host key algorithms
|
||||
that the server offers.
|
||||
-The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ssh-ed25519-cert-v01@openssh.com,
|
||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
-rsa-sha2-512-cert-v01@openssh.com,
|
||||
-rsa-sha2-256-cert-v01@openssh.com,
|
||||
-ssh-rsa-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q HostKeyAlgorithms .
|
||||
.It Cm IgnoreRhosts
|
||||
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm KexAlgorithms
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the available KEX (Key Exchange) algorithms.
|
||||
Multiple algorithms must be comma-separated.
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified methods will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified methods will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified methods (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified methods will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
The supported algorithms are:
|
||||
.Pp
|
||||
.Bl -item -compact -offset indent
|
||||
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
|
||||
sntrup4591761x25519-sha512@tinyssh.org
|
||||
.El
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-curve25519-sha256,curve25519-sha256@libssh.org,
|
||||
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
|
||||
-diffie-hellman-group-exchange-sha256,
|
||||
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
|
||||
-diffie-hellman-group14-sha256
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available key exchange algorithms may also be obtained using
|
||||
.Qq ssh -Q KexAlgorithms .
|
||||
.It Cm ListenAddress
|
||||
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
|
||||
DEBUG2 and DEBUG3 each specify higher levels of debugging output.
|
||||
Logging with a DEBUG level violates the privacy of users and is not recommended.
|
||||
.It Cm MACs
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the available MAC (message authentication code) algorithms.
|
||||
The MAC algorithm is used for data integrity protection.
|
||||
Multiple algorithms must be comma-separated.
|
||||
If the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified algorithms will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified algorithms will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified algorithms (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified algorithms will be placed at the head of the
|
||||
-default set.
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The algorithms that contain
|
||||
.Qq -etm
|
||||
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com
|
||||
umac-128-etm@openssh.com
|
||||
.El
|
||||
.Pp
|
||||
-The default is:
|
||||
-.Bd -literal -offset indent
|
||||
-umac-64-etm@openssh.com,umac-128-etm@openssh.com,
|
||||
-hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
|
||||
-hmac-sha1-etm@openssh.com,
|
||||
-umac-64@openssh.com,umac-128@openssh.com,
|
||||
-hmac-sha2-256,hmac-sha2-512,hmac-sha1
|
||||
-.Ed
|
||||
-.Pp
|
||||
The list of available MAC algorithms may also be obtained using
|
||||
.Qq ssh -Q mac .
|
||||
.It Cm Match
|
||||
@@ -1480,36 +1460,25 @@ or equivalent.)
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm PubkeyAcceptedKeyTypes
|
||||
+The default is handled system-wide by
|
||||
+.Xr crypto-policies 7 .
|
||||
+To see the defaults and how to modify this default, see manual page
|
||||
+.Xr update-crypto-policies 8 .
|
||||
+.Pp
|
||||
Specifies the key types that will be accepted for public key authentication
|
||||
as a list of comma-separated patterns.
|
||||
Alternately if the specified list begins with a
|
||||
.Sq +
|
||||
-character, then the specified key types will be appended to the default set
|
||||
-instead of replacing them.
|
||||
+character, then the specified key types will be appended to the built-in
|
||||
+openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq -
|
||||
character, then the specified key types (including wildcards) will be removed
|
||||
-from the default set instead of replacing them.
|
||||
+from the built-in openssh default set instead of replacing them.
|
||||
If the specified list begins with a
|
||||
.Sq ^
|
||||
character, then the specified key types will be placed at the head of the
|
||||
-default set.
|
||||
-The default for this option is:
|
||||
-.Bd -literal -offset 3n
|
||||
-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp384-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp521-cert-v01@openssh.com,
|
||||
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
|
||||
-ssh-ed25519-cert-v01@openssh.com,
|
||||
-sk-ssh-ed25519-cert-v01@openssh.com,
|
||||
-rsa-sha2-512-cert-v01@openssh.com,
|
||||
-rsa-sha2-256-cert-v01@openssh.com,
|
||||
-ssh-rsa-cert-v01@openssh.com,
|
||||
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
|
||||
-sk-ecdsa-sha2-nistp256@openssh.com,
|
||||
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
|
||||
-rsa-sha2-512,rsa-sha2-256,ssh-rsa
|
||||
-.Ed
|
||||
+built-in openssh default set.
|
||||
.Pp
|
||||
The list of available key types may also be obtained using
|
||||
.Qq ssh -Q PubkeyAcceptedKeyTypes .
|
File diff suppressed because it is too large
Load Diff
@ -1,720 +0,0 @@
|
||||
From ed7ec0cdf577ffbb0b15145340cf51596ca3eb89 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 14 May 2019 10:45:45 +0200
|
||||
Subject: [PATCH] Use high-level OpenSSL API for signatures
|
||||
|
||||
---
|
||||
digest-openssl.c | 16 ++++
|
||||
digest.h | 6 ++
|
||||
ssh-dss.c | 65 ++++++++++------
|
||||
ssh-ecdsa.c | 69 ++++++++++-------
|
||||
ssh-rsa.c | 193 +++++++++--------------------------------------
|
||||
sshkey.c | 77 +++++++++++++++++++
|
||||
sshkey.h | 4 +
|
||||
7 files changed, 221 insertions(+), 209 deletions(-)
|
||||
|
||||
diff --git a/digest-openssl.c b/digest-openssl.c
|
||||
index da7ed72bc..6a21d8adb 100644
|
||||
--- a/digest-openssl.c
|
||||
+++ b/digest-openssl.c
|
||||
@@ -63,6 +63,22 @@ const struct ssh_digest digests[] = {
|
||||
{ -1, NULL, 0, NULL },
|
||||
};
|
||||
|
||||
+const EVP_MD *
|
||||
+ssh_digest_to_md(int digest_type)
|
||||
+{
|
||||
+ switch (digest_type) {
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
+ return EVP_sha1();
|
||||
+ case SSH_DIGEST_SHA256:
|
||||
+ return EVP_sha256();
|
||||
+ case SSH_DIGEST_SHA384:
|
||||
+ return EVP_sha384();
|
||||
+ case SSH_DIGEST_SHA512:
|
||||
+ return EVP_sha512();
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
static const struct ssh_digest *
|
||||
ssh_digest_by_alg(int alg)
|
||||
{
|
||||
diff --git a/digest.h b/digest.h
|
||||
index 274574d0e..c7ceeb36f 100644
|
||||
--- a/digest.h
|
||||
+++ b/digest.h
|
||||
@@ -32,6 +32,12 @@
|
||||
struct sshbuf;
|
||||
struct ssh_digest_ctx;
|
||||
|
||||
+#ifdef WITH_OPENSSL
|
||||
+#include <openssl/evp.h>
|
||||
+/* Converts internal digest representation to the OpenSSL one */
|
||||
+const EVP_MD *ssh_digest_to_md(int digest_type);
|
||||
+#endif
|
||||
+
|
||||
/* Looks up a digest algorithm by name */
|
||||
int ssh_digest_alg_by_name(const char *name);
|
||||
|
||||
diff --git a/ssh-dss.c b/ssh-dss.c
|
||||
index a23c383dc..ea45e7275 100644
|
||||
--- a/ssh-dss.c
|
||||
+++ b/ssh-dss.c
|
||||
@@ -52,11 +52,15 @@ int
|
||||
ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
const u_char *data, size_t datalen, u_int compat)
|
||||
{
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
DSA_SIG *sig = NULL;
|
||||
const BIGNUM *sig_r, *sig_s;
|
||||
- u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
|
||||
- size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
|
||||
+ u_char sigblob[SIGBLOB_LEN];
|
||||
+ size_t rlen, slen;
|
||||
+ int len;
|
||||
struct sshbuf *b = NULL;
|
||||
+ u_char *sigb = NULL;
|
||||
+ const u_char *psig = NULL;
|
||||
int ret = SSH_ERR_INVALID_ARGUMENT;
|
||||
|
||||
if (lenp != NULL)
|
||||
@@ -67,17 +71,24 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
if (key == NULL || key->dsa == NULL ||
|
||||
sshkey_type_plain(key->type) != KEY_DSA)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
- if (dlen == 0)
|
||||
- return SSH_ERR_INTERNAL_ERROR;
|
||||
|
||||
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
|
||||
- digest, sizeof(digest))) != 0)
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1)
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ ret = sshkey_calculate_signature(pkey, SSH_DIGEST_SHA1, &sigb, &len,
|
||||
+ data, datalen);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
+ if (ret < 0) {
|
||||
goto out;
|
||||
+ }
|
||||
|
||||
- if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
|
||||
+ psig = sigb;
|
||||
+ if ((sig = d2i_DSA_SIG(NULL, &psig, len)) == NULL) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
+ free(sigb);
|
||||
+ sigb = NULL;
|
||||
|
||||
DSA_SIG_get0(sig, &sig_r, &sig_s);
|
||||
rlen = BN_num_bytes(sig_r);
|
||||
@@ -110,7 +121,7 @@ ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
*lenp = len;
|
||||
ret = 0;
|
||||
out:
|
||||
- explicit_bzero(digest, sizeof(digest));
|
||||
+ free(sigb);
|
||||
DSA_SIG_free(sig);
|
||||
sshbuf_free(b);
|
||||
return ret;
|
||||
@@ -121,20 +132,20 @@ ssh_dss_verify(const struct sshkey *key,
|
||||
const u_char *signature, size_t signaturelen,
|
||||
const u_char *data, size_t datalen, u_int compat)
|
||||
{
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
DSA_SIG *sig = NULL;
|
||||
BIGNUM *sig_r = NULL, *sig_s = NULL;
|
||||
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
|
||||
- size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
|
||||
+ u_char *sigblob = NULL;
|
||||
+ size_t len, slen;
|
||||
int ret = SSH_ERR_INTERNAL_ERROR;
|
||||
struct sshbuf *b = NULL;
|
||||
char *ktype = NULL;
|
||||
+ u_char *sigb = NULL, *psig = NULL;
|
||||
|
||||
if (key == NULL || key->dsa == NULL ||
|
||||
sshkey_type_plain(key->type) != KEY_DSA ||
|
||||
signature == NULL || signaturelen == 0)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
- if (dlen == 0)
|
||||
- return SSH_ERR_INTERNAL_ERROR;
|
||||
|
||||
/* fetch signature */
|
||||
if ((b = sshbuf_from(signature, signaturelen)) == NULL)
|
||||
@@ -176,25 +187,31 @@ ssh_dss_verify(const struct sshkey *key,
|
||||
}
|
||||
sig_r = sig_s = NULL; /* transferred */
|
||||
|
||||
- /* sha1 the data */
|
||||
- if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
|
||||
- digest, sizeof(digest))) != 0)
|
||||
+ if ((slen = i2d_DSA_SIG(sig, NULL)) == 0) {
|
||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
-
|
||||
- switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
|
||||
- case 1:
|
||||
- ret = 0;
|
||||
- break;
|
||||
- case 0:
|
||||
- ret = SSH_ERR_SIGNATURE_INVALID;
|
||||
+ }
|
||||
+ if ((sigb = malloc(slen)) == NULL) {
|
||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
- default:
|
||||
+ }
|
||||
+ psig = sigb;
|
||||
+ if ((slen = i2d_DSA_SIG(sig, &psig)) == 0) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||
+ EVP_PKEY_set1_DSA(pkey, key->dsa) != 1) {
|
||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ ret = sshkey_verify_signature(pkey, SSH_DIGEST_SHA1, data, datalen,
|
||||
+ sigb, slen);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
+
|
||||
out:
|
||||
- explicit_bzero(digest, sizeof(digest));
|
||||
+ free(sigb);
|
||||
DSA_SIG_free(sig);
|
||||
BN_clear_free(sig_r);
|
||||
BN_clear_free(sig_s);
|
||||
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
|
||||
index 599c7199d..b036796e8 100644
|
||||
--- a/ssh-ecdsa.c
|
||||
+++ b/ssh-ecdsa.c
|
||||
@@ -50,11 +50,13 @@ int
|
||||
ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
const u_char *data, size_t datalen, u_int compat)
|
||||
{
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
ECDSA_SIG *sig = NULL;
|
||||
+ unsigned char *sigb = NULL;
|
||||
+ const unsigned char *psig;
|
||||
const BIGNUM *sig_r, *sig_s;
|
||||
int hash_alg;
|
||||
- u_char digest[SSH_DIGEST_MAX_LENGTH];
|
||||
- size_t len, dlen;
|
||||
+ int len;
|
||||
struct sshbuf *b = NULL, *bb = NULL;
|
||||
int ret = SSH_ERR_INTERNAL_ERROR;
|
||||
|
||||
@@ -67,18 +69,24 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
sshkey_type_plain(key->type) != KEY_ECDSA)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
|
||||
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
|
||||
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
|
||||
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
||||
- digest, sizeof(digest))) != 0)
|
||||
+
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1)
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sigb, &len, data,
|
||||
+ datalen);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
+ if (ret < 0) {
|
||||
goto out;
|
||||
+ }
|
||||
|
||||
- if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
|
||||
+ psig = sigb;
|
||||
+ if ((sig = d2i_ECDSA_SIG(NULL, &psig, len)) == NULL) {
|
||||
ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
}
|
||||
-
|
||||
if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
|
||||
ret = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
@@ -102,7 +110,7 @@ ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
*lenp = len;
|
||||
ret = 0;
|
||||
out:
|
||||
- explicit_bzero(digest, sizeof(digest));
|
||||
+ free(sigb);
|
||||
sshbuf_free(b);
|
||||
sshbuf_free(bb);
|
||||
ECDSA_SIG_free(sig);
|
||||
@@ -115,22 +123,21 @@ ssh_ecdsa_verify(const struct sshkey *key,
|
||||
const u_char *signature, size_t signaturelen,
|
||||
const u_char *data, size_t datalen, u_int compat)
|
||||
{
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
ECDSA_SIG *sig = NULL;
|
||||
BIGNUM *sig_r = NULL, *sig_s = NULL;
|
||||
- int hash_alg;
|
||||
- u_char digest[SSH_DIGEST_MAX_LENGTH];
|
||||
- size_t dlen;
|
||||
+ int hash_alg, len;
|
||||
int ret = SSH_ERR_INTERNAL_ERROR;
|
||||
struct sshbuf *b = NULL, *sigbuf = NULL;
|
||||
char *ktype = NULL;
|
||||
+ unsigned char *sigb = NULL, *psig = NULL;
|
||||
|
||||
if (key == NULL || key->ecdsa == NULL ||
|
||||
sshkey_type_plain(key->type) != KEY_ECDSA ||
|
||||
signature == NULL || signaturelen == 0)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
|
||||
- if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
|
||||
- (dlen = ssh_digest_bytes(hash_alg)) == 0)
|
||||
+ if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1)
|
||||
return SSH_ERR_INTERNAL_ERROR;
|
||||
|
||||
/* fetch signature */
|
||||
@@ -166,28 +173,36 @@ ssh_ecdsa_verify(const struct sshkey *key,
|
||||
}
|
||||
sig_r = sig_s = NULL; /* transferred */
|
||||
|
||||
- if (sshbuf_len(sigbuf) != 0) {
|
||||
- ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
|
||||
+ /* Figure out the length */
|
||||
+ if ((len = i2d_ECDSA_SIG(sig, NULL)) == 0) {
|
||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ if ((sigb = malloc(len)) == NULL) {
|
||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
}
|
||||
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
||||
- digest, sizeof(digest))) != 0)
|
||||
+ psig = sigb;
|
||||
+ if ((len = i2d_ECDSA_SIG(sig, &psig)) == 0) {
|
||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
goto out;
|
||||
+ }
|
||||
|
||||
- switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
|
||||
- case 1:
|
||||
- ret = 0;
|
||||
- break;
|
||||
- case 0:
|
||||
- ret = SSH_ERR_SIGNATURE_INVALID;
|
||||
+ if (sshbuf_len(sigbuf) != 0) {
|
||||
+ ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
|
||||
goto out;
|
||||
- default:
|
||||
- ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||
+ EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa) != 1) {
|
||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
}
|
||||
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen, sigb, len);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
|
||||
out:
|
||||
- explicit_bzero(digest, sizeof(digest));
|
||||
+ free(sigb);
|
||||
sshbuf_free(sigbuf);
|
||||
sshbuf_free(b);
|
||||
ECDSA_SIG_free(sig);
|
||||
diff --git a/ssh-rsa.c b/ssh-rsa.c
|
||||
index 9b14f9a9a..8ef3a6aca 100644
|
||||
--- a/ssh-rsa.c
|
||||
+++ b/ssh-rsa.c
|
||||
@@ -37,7 +37,7 @@
|
||||
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
|
||||
-static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
|
||||
+static int openssh_RSA_verify(int, const u_char *, size_t, u_char *, size_t, EVP_PKEY *);
|
||||
|
||||
static const char *
|
||||
rsa_hash_alg_ident(int hash_alg)
|
||||
@@ -90,21 +90,6 @@ rsa_hash_id_from_keyname(const char *alg)
|
||||
return -1;
|
||||
}
|
||||
|
||||
-static int
|
||||
-rsa_hash_alg_nid(int type)
|
||||
-{
|
||||
- switch (type) {
|
||||
- case SSH_DIGEST_SHA1:
|
||||
- return NID_sha1;
|
||||
- case SSH_DIGEST_SHA256:
|
||||
- return NID_sha256;
|
||||
- case SSH_DIGEST_SHA512:
|
||||
- return NID_sha512;
|
||||
- default:
|
||||
- return -1;
|
||||
- }
|
||||
-}
|
||||
-
|
||||
int
|
||||
ssh_rsa_complete_crt_parameters(struct sshkey *key, const BIGNUM *iqmp)
|
||||
{
|
||||
@@ -164,11 +149,10 @@ int
|
||||
ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
const u_char *data, size_t datalen, const char *alg_ident)
|
||||
{
|
||||
- const BIGNUM *rsa_n;
|
||||
- u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
|
||||
- size_t slen = 0;
|
||||
- u_int dlen, len;
|
||||
- int nid, hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
+ u_char *sig = NULL;
|
||||
+ int len, slen = 0;
|
||||
+ int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
|
||||
struct sshbuf *b = NULL;
|
||||
|
||||
if (lenp != NULL)
|
||||
@@ -180,33 +164,24 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
hash_alg = SSH_DIGEST_SHA1;
|
||||
else
|
||||
hash_alg = rsa_hash_id_from_keyname(alg_ident);
|
||||
+
|
||||
if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
|
||||
sshkey_type_plain(key->type) != KEY_RSA)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
|
||||
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
||||
- return SSH_ERR_KEY_LENGTH;
|
||||
slen = RSA_size(key->rsa);
|
||||
- if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
|
||||
- return SSH_ERR_INVALID_ARGUMENT;
|
||||
-
|
||||
- /* hash the data */
|
||||
- nid = rsa_hash_alg_nid(hash_alg);
|
||||
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
|
||||
- return SSH_ERR_INTERNAL_ERROR;
|
||||
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
||||
- digest, sizeof(digest))) != 0)
|
||||
- goto out;
|
||||
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
||||
+ return SSH_ERR_KEY_LENGTH;
|
||||
|
||||
- if ((sig = malloc(slen)) == NULL) {
|
||||
- ret = SSH_ERR_ALLOC_FAIL;
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1)
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ ret = sshkey_calculate_signature(pkey, hash_alg, &sig, &len, data,
|
||||
+ datalen);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
+ if (ret < 0) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
|
||||
- ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
- goto out;
|
||||
- }
|
||||
if (len < slen) {
|
||||
size_t diff = slen - len;
|
||||
memmove(sig + diff, sig, len);
|
||||
@@ -215,6 +190,7 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
ret = SSH_ERR_INTERNAL_ERROR;
|
||||
goto out;
|
||||
}
|
||||
+
|
||||
/* encode signature */
|
||||
if ((b = sshbuf_new()) == NULL) {
|
||||
ret = SSH_ERR_ALLOC_FAIL;
|
||||
@@ -235,7 +211,6 @@ ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
|
||||
*lenp = len;
|
||||
ret = 0;
|
||||
out:
|
||||
- explicit_bzero(digest, sizeof(digest));
|
||||
freezero(sig, slen);
|
||||
sshbuf_free(b);
|
||||
return ret;
|
||||
@@ -246,10 +221,10 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||
const u_char *sig, size_t siglen, const u_char *data, size_t datalen,
|
||||
const char *alg)
|
||||
{
|
||||
- const BIGNUM *rsa_n;
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
char *sigtype = NULL;
|
||||
int hash_alg, want_alg, ret = SSH_ERR_INTERNAL_ERROR;
|
||||
- size_t len = 0, diff, modlen, dlen;
|
||||
+ size_t len = 0, diff, modlen;
|
||||
struct sshbuf *b = NULL;
|
||||
u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;
|
||||
|
||||
@@ -257,8 +232,7 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||
sshkey_type_plain(key->type) != KEY_RSA ||
|
||||
sig == NULL || siglen == 0)
|
||||
return SSH_ERR_INVALID_ARGUMENT;
|
||||
- RSA_get0_key(key->rsa, &rsa_n, NULL, NULL);
|
||||
- if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
||||
+ if (RSA_bits(key->rsa) < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
||||
return SSH_ERR_KEY_LENGTH;
|
||||
|
||||
if ((b = sshbuf_from(sig, siglen)) == NULL)
|
||||
@@ -310,16 +284,15 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||
explicit_bzero(sigblob, diff);
|
||||
len = modlen;
|
||||
}
|
||||
- if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
|
||||
- ret = SSH_ERR_INTERNAL_ERROR;
|
||||
+
|
||||
+ if ((pkey = EVP_PKEY_new()) == NULL ||
|
||||
+ EVP_PKEY_set1_RSA(pkey, key->rsa) != 1) {
|
||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||
goto out;
|
||||
}
|
||||
- if ((ret = ssh_digest_memory(hash_alg, data, datalen,
|
||||
- digest, sizeof(digest))) != 0)
|
||||
- goto out;
|
||||
+ ret = openssh_RSA_verify(hash_alg, data, datalen, sigblob, len, pkey);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
|
||||
- ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
|
||||
- key->rsa);
|
||||
out:
|
||||
freezero(sigblob, len);
|
||||
free(sigtype);
|
||||
@@ -328,122 +301,26 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||
return ret;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * See:
|
||||
- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-1/
|
||||
- * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1.asn
|
||||
- */
|
||||
-
|
||||
-/*
|
||||
- * id-sha1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
|
||||
- * oiw(14) secsig(3) algorithms(2) 26 }
|
||||
- */
|
||||
-static const u_char id_sha1[] = {
|
||||
- 0x30, 0x21, /* type Sequence, length 0x21 (33) */
|
||||
- 0x30, 0x09, /* type Sequence, length 0x09 */
|
||||
- 0x06, 0x05, /* type OID, length 0x05 */
|
||||
- 0x2b, 0x0e, 0x03, 0x02, 0x1a, /* id-sha1 OID */
|
||||
- 0x05, 0x00, /* NULL */
|
||||
- 0x04, 0x14 /* Octet string, length 0x14 (20), followed by sha1 hash */
|
||||
-};
|
||||
-
|
||||
-/*
|
||||
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
|
||||
- * id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
|
||||
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
|
||||
- * id-sha256(1) }
|
||||
- */
|
||||
-static const u_char id_sha256[] = {
|
||||
- 0x30, 0x31, /* type Sequence, length 0x31 (49) */
|
||||
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
|
||||
- 0x06, 0x09, /* type OID, length 0x09 */
|
||||
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, /* id-sha256 */
|
||||
- 0x05, 0x00, /* NULL */
|
||||
- 0x04, 0x20 /* Octet string, length 0x20 (32), followed by sha256 hash */
|
||||
-};
|
||||
-
|
||||
-/*
|
||||
- * See http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html
|
||||
- * id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
|
||||
- * organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2)
|
||||
- * id-sha256(3) }
|
||||
- */
|
||||
-static const u_char id_sha512[] = {
|
||||
- 0x30, 0x51, /* type Sequence, length 0x51 (81) */
|
||||
- 0x30, 0x0d, /* type Sequence, length 0x0d (13) */
|
||||
- 0x06, 0x09, /* type OID, length 0x09 */
|
||||
- 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, /* id-sha512 */
|
||||
- 0x05, 0x00, /* NULL */
|
||||
- 0x04, 0x40 /* Octet string, length 0x40 (64), followed by sha512 hash */
|
||||
-};
|
||||
-
|
||||
static int
|
||||
-rsa_hash_alg_oid(int hash_alg, const u_char **oidp, size_t *oidlenp)
|
||||
+openssh_RSA_verify(int hash_alg, const u_char *data, size_t datalen,
|
||||
+ u_char *sigbuf, size_t siglen, EVP_PKEY *pkey)
|
||||
{
|
||||
- switch (hash_alg) {
|
||||
- case SSH_DIGEST_SHA1:
|
||||
- *oidp = id_sha1;
|
||||
- *oidlenp = sizeof(id_sha1);
|
||||
- break;
|
||||
- case SSH_DIGEST_SHA256:
|
||||
- *oidp = id_sha256;
|
||||
- *oidlenp = sizeof(id_sha256);
|
||||
- break;
|
||||
- case SSH_DIGEST_SHA512:
|
||||
- *oidp = id_sha512;
|
||||
- *oidlenp = sizeof(id_sha512);
|
||||
- break;
|
||||
- default:
|
||||
- return SSH_ERR_INVALID_ARGUMENT;
|
||||
- }
|
||||
- return 0;
|
||||
-}
|
||||
+ size_t rsasize = 0;
|
||||
+ const RSA *rsa;
|
||||
+ int ret;
|
||||
|
||||
-static int
|
||||
-openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
|
||||
- u_char *sigbuf, size_t siglen, RSA *rsa)
|
||||
-{
|
||||
- size_t rsasize = 0, oidlen = 0, hlen = 0;
|
||||
- int ret, len, oidmatch, hashmatch;
|
||||
- const u_char *oid = NULL;
|
||||
- u_char *decrypted = NULL;
|
||||
-
|
||||
- if ((ret = rsa_hash_alg_oid(hash_alg, &oid, &oidlen)) != 0)
|
||||
- return ret;
|
||||
- ret = SSH_ERR_INTERNAL_ERROR;
|
||||
- hlen = ssh_digest_bytes(hash_alg);
|
||||
- if (hashlen != hlen) {
|
||||
- ret = SSH_ERR_INVALID_ARGUMENT;
|
||||
- goto done;
|
||||
- }
|
||||
+ rsa = EVP_PKEY_get0_RSA(pkey);
|
||||
rsasize = RSA_size(rsa);
|
||||
if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
|
||||
siglen == 0 || siglen > rsasize) {
|
||||
ret = SSH_ERR_INVALID_ARGUMENT;
|
||||
goto done;
|
||||
}
|
||||
- if ((decrypted = malloc(rsasize)) == NULL) {
|
||||
- ret = SSH_ERR_ALLOC_FAIL;
|
||||
- goto done;
|
||||
- }
|
||||
- if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
|
||||
- RSA_PKCS1_PADDING)) < 0) {
|
||||
- ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
- goto done;
|
||||
- }
|
||||
- if (len < 0 || (size_t)len != hlen + oidlen) {
|
||||
- ret = SSH_ERR_INVALID_FORMAT;
|
||||
- goto done;
|
||||
- }
|
||||
- oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
|
||||
- hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
|
||||
- if (!oidmatch || !hashmatch) {
|
||||
- ret = SSH_ERR_SIGNATURE_INVALID;
|
||||
- goto done;
|
||||
- }
|
||||
- ret = 0;
|
||||
+
|
||||
+ ret = sshkey_verify_signature(pkey, hash_alg, data, datalen,
|
||||
+ sigbuf, siglen);
|
||||
+
|
||||
done:
|
||||
- freezero(decrypted, rsasize);
|
||||
return ret;
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
diff --git a/sshkey.c b/sshkey.c
|
||||
index ad1957762..b95ed0b10 100644
|
||||
--- a/sshkey.c
|
||||
+++ b/sshkey.c
|
||||
@@ -358,6 +358,83 @@ sshkey_type_plain(int type)
|
||||
}
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
+int
|
||||
+sshkey_calculate_signature(EVP_PKEY *pkey, int hash_alg, u_char **sigp,
|
||||
+ int *lenp, const u_char *data, size_t datalen)
|
||||
+{
|
||||
+ EVP_MD_CTX *ctx = NULL;
|
||||
+ u_char *sig = NULL;
|
||||
+ int ret, slen, len;
|
||||
+
|
||||
+ if (sigp == NULL || lenp == NULL) {
|
||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||
+ }
|
||||
+
|
||||
+ slen = EVP_PKEY_size(pkey);
|
||||
+ if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
|
||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||
+
|
||||
+ len = slen;
|
||||
+ if ((sig = malloc(slen)) == NULL) {
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ }
|
||||
+
|
||||
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
||||
+ ret = SSH_ERR_ALLOC_FAIL;
|
||||
+ goto error;
|
||||
+ }
|
||||
+ if (EVP_SignInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
||||
+ EVP_SignUpdate(ctx, data, datalen) <= 0 ||
|
||||
+ EVP_SignFinal(ctx, sig, &len, pkey) <= 0) {
|
||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ *sigp = sig;
|
||||
+ *lenp = len;
|
||||
+ /* Now owned by the caller */
|
||||
+ sig = NULL;
|
||||
+ ret = 0;
|
||||
+
|
||||
+error:
|
||||
+ EVP_MD_CTX_free(ctx);
|
||||
+ free(sig);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+sshkey_verify_signature(EVP_PKEY *pkey, int hash_alg, const u_char *data,
|
||||
+ size_t datalen, u_char *sigbuf, int siglen)
|
||||
+{
|
||||
+ EVP_MD_CTX *ctx = NULL;
|
||||
+ int ret;
|
||||
+
|
||||
+ if ((ctx = EVP_MD_CTX_new()) == NULL) {
|
||||
+ return SSH_ERR_ALLOC_FAIL;
|
||||
+ }
|
||||
+ if (EVP_VerifyInit_ex(ctx, ssh_digest_to_md(hash_alg), NULL) <= 0 ||
|
||||
+ EVP_VerifyUpdate(ctx, data, datalen) <= 0) {
|
||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ ret = EVP_VerifyFinal(ctx, sigbuf, siglen, pkey);
|
||||
+ switch (ret) {
|
||||
+ case 1:
|
||||
+ ret = 0;
|
||||
+ break;
|
||||
+ case 0:
|
||||
+ ret = SSH_ERR_SIGNATURE_INVALID;
|
||||
+ break;
|
||||
+ default:
|
||||
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ EVP_MD_CTX_free(ctx);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
/* XXX: these are really begging for a table-driven approach */
|
||||
int
|
||||
sshkey_curve_name_to_nid(const char *name)
|
||||
diff --git a/sshkey.h b/sshkey.h
|
||||
index a91e60436..270901a87 100644
|
||||
--- a/sshkey.h
|
||||
+++ b/sshkey.h
|
||||
@@ -179,6 +179,10 @@ const char *sshkey_ssh_name(const struct sshkey *);
|
||||
const char *sshkey_ssh_name_plain(const struct sshkey *);
|
||||
int sshkey_names_valid2(const char *, int);
|
||||
char *sshkey_alg_list(int, int, int, char);
|
||||
+int sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
|
||||
+ int *, const u_char *, size_t);
|
||||
+int sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
|
||||
+ size_t, u_char *, int);
|
||||
|
||||
int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
|
||||
int sshkey_fromb(struct sshbuf *, struct sshkey **);
|
||||
|
@ -1,137 +0,0 @@
|
||||
commit 2c3ef499bfffce3cfd315edeebf202850ba4e00a
|
||||
Author: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue Apr 16 15:35:18 2019 +0200
|
||||
|
||||
Use the new OpenSSL KDF
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 2a455e4e..e01c3d43 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -2712,6 +2712,7 @@ if test "x$openssl" = "xyes" ; then
|
||||
HMAC_CTX_init \
|
||||
RSA_generate_key_ex \
|
||||
RSA_get_default_method \
|
||||
+ EVP_KDF_CTX_new_id \
|
||||
])
|
||||
|
||||
# OpenSSL_add_all_algorithms may be a macro.
|
||||
diff --git a/kex.c b/kex.c
|
||||
index b6f041f4..1fbce2bb 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -38,6 +38,9 @@
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/dh.h>
|
||||
+# ifdef HAVE_EVP_KDF_CTX_NEW_ID
|
||||
+# include <openssl/kdf.h>
|
||||
+# endif
|
||||
#endif
|
||||
|
||||
#include "ssh.h"
|
||||
@@ -942,6 +945,95 @@ kex_choose_conf(struct ssh *ssh)
|
||||
return r;
|
||||
}
|
||||
|
||||
+#ifdef HAVE_EVP_KDF_CTX_NEW_ID
|
||||
+static const EVP_MD *
|
||||
+digest_to_md(int digest_type)
|
||||
+{
|
||||
+ switch (digest_type) {
|
||||
+ case SSH_DIGEST_SHA1:
|
||||
+ return EVP_sha1();
|
||||
+ case SSH_DIGEST_SHA256:
|
||||
+ return EVP_sha256();
|
||||
+ case SSH_DIGEST_SHA384:
|
||||
+ return EVP_sha384();
|
||||
+ case SSH_DIGEST_SHA512:
|
||||
+ return EVP_sha512();
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
+ const struct sshbuf *shared_secret, u_char **keyp)
|
||||
+{
|
||||
+ struct kex *kex = ssh->kex;
|
||||
+ EVP_KDF_CTX *ctx = NULL;
|
||||
+ u_char *key = NULL;
|
||||
+ int r, key_len;
|
||||
+
|
||||
+ if ((key_len = ssh_digest_bytes(kex->hash_alg)) == 0)
|
||||
+ return SSH_ERR_INVALID_ARGUMENT;
|
||||
+ key_len = ROUNDUP(need, key_len);
|
||||
+ if ((key = calloc(1, key_len)) == NULL) {
|
||||
+ r = SSH_ERR_ALLOC_FAIL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ ctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
|
||||
+ if (!ctx) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, digest_to_md(kex->hash_alg));
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY,
|
||||
+ sshbuf_ptr(shared_secret), sshbuf_len(shared_secret));
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, hash, hashlen);
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, id);
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
|
||||
+ kex->session_id, kex->session_id_len);
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ r = EVP_KDF_derive(ctx, key, key_len);
|
||||
+ if (r != 1) {
|
||||
+ r = SSH_ERR_LIBCRYPTO_ERROR;
|
||||
+ goto out;
|
||||
+ }
|
||||
+#ifdef DEBUG_KEX
|
||||
+ fprintf(stderr, "key '%c'== ", id);
|
||||
+ dump_digest("key", key, key_len);
|
||||
+#endif
|
||||
+ *keyp = key;
|
||||
+ key = NULL;
|
||||
+ r = 0;
|
||||
+
|
||||
+out:
|
||||
+ free (key);
|
||||
+ EVP_KDF_CTX_free(ctx);
|
||||
+ if (r < 0) {
|
||||
+ return r;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+#else
|
||||
static int
|
||||
derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
const struct sshbuf *shared_secret, u_char **keyp)
|
||||
@@ -1004,6 +1096,7 @@ derive_key(struct ssh *ssh, int id, u_int need, u_char *hash, u_int hashlen,
|
||||
ssh_digest_free(hashctx);
|
||||
return r;
|
||||
}
|
||||
+#endif /* HAVE_OPENSSL_EVP_KDF_CTX_NEW_ID */
|
||||
|
||||
#define NKEYS 6
|
||||
int
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,40 +0,0 @@
|
||||
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
|
||||
index dca158de..afdcb1d2 100644
|
||||
--- a/regress/misc/sk-dummy/sk-dummy.c
|
||||
+++ b/regress/misc/sk-dummy/sk-dummy.c
|
||||
@@ -71,7 +71,7 @@ skdebug(const char *func, const char *fmt, ...)
|
||||
#endif
|
||||
}
|
||||
|
||||
-uint32_t
|
||||
+uint32_t __attribute__((visibility("default")))
|
||||
sk_api_version(void)
|
||||
{
|
||||
return SSH_SK_VERSION_MAJOR;
|
||||
@@ -220,7 +220,7 @@ check_options(struct sk_option **options)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int
|
||||
+int __attribute__((visibility("default")))
|
||||
sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
|
||||
const char *application, uint8_t flags, const char *pin,
|
||||
struct sk_option **options, struct sk_enroll_response **enroll_response)
|
||||
@@ -467,7 +467,7 @@ sig_ed25519(const uint8_t *message, size_t message_len,
|
||||
return ret;
|
||||
}
|
||||
|
||||
-int
|
||||
+int __attribute__((visibility("default")))
|
||||
sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
|
||||
const char *application, const uint8_t *key_handle, size_t key_handle_len,
|
||||
uint8_t flags, const char *pin, struct sk_option **options,
|
||||
@@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
|
||||
return ret;
|
||||
}
|
||||
|
||||
-int
|
||||
+int __attribute__((visibility("default")))
|
||||
sk_load_resident_keys(const char *pin, struct sk_option **options,
|
||||
struct sk_resident_key ***rks, size_t *nrks)
|
||||
{
|
@ -1,30 +0,0 @@
|
||||
diff --git a/channels.c b/channels.c
|
||||
--- a/channels.c
|
||||
+++ b/channels.c
|
||||
@@ -3933,16 +3933,26 @@ x11_create_display_inet(int x11_display_
|
||||
if (ai->ai_family == AF_INET6)
|
||||
sock_set_v6only(sock);
|
||||
if (x11_use_localhost)
|
||||
set_reuseaddr(sock);
|
||||
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
|
||||
debug2("%s: bind port %d: %.100s", __func__,
|
||||
port, strerror(errno));
|
||||
close(sock);
|
||||
+
|
||||
+ /* do not remove successfully opened
|
||||
+ * sockets if the request failed because
|
||||
+ * the protocol IPv4/6 is not available
|
||||
+ * (e.g. IPv6 may be disabled while being
|
||||
+ * supported)
|
||||
+ */
|
||||
+ if (EADDRNOTAVAIL == errno)
|
||||
+ continue;
|
||||
+
|
||||
for (n = 0; n < num_socks; n++)
|
||||
close(socks[n]);
|
||||
num_socks = 0;
|
||||
break;
|
||||
}
|
||||
socks[num_socks++] = sock;
|
||||
if (num_socks == NUM_SOCKS)
|
||||
break;
|
@ -1,57 +0,0 @@
|
||||
--- compat.h.orig 2020-10-05 10:09:02.953505129 -0700
|
||||
+++ compat.h 2020-10-05 10:10:17.587733113 -0700
|
||||
@@ -34,7 +34,7 @@
|
||||
|
||||
#define SSH_BUG_UTF8TTYMODE 0x00000001
|
||||
#define SSH_BUG_SIGTYPE 0x00000002
|
||||
-/* #define unused 0x00000004 */
|
||||
+#define SSH_BUG_SIGTYPE74 0x00000004
|
||||
/* #define unused 0x00000008 */
|
||||
#define SSH_OLD_SESSIONID 0x00000010
|
||||
/* #define unused 0x00000020 */
|
||||
--- compat.c.orig 2020-10-05 10:25:02.088720562 -0700
|
||||
+++ compat.c 2020-10-05 10:13:11.637282492 -0700
|
||||
@@ -65,11 +65,12 @@
|
||||
{ "OpenSSH_6.5*,"
|
||||
"OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD|
|
||||
SSH_BUG_SIGTYPE},
|
||||
+ { "OpenSSH_7.4*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE|
|
||||
+ SSH_BUG_SIGTYPE74},
|
||||
{ "OpenSSH_7.0*,"
|
||||
"OpenSSH_7.1*,"
|
||||
"OpenSSH_7.2*,"
|
||||
"OpenSSH_7.3*,"
|
||||
- "OpenSSH_7.4*,"
|
||||
"OpenSSH_7.5*,"
|
||||
"OpenSSH_7.6*,"
|
||||
"OpenSSH_7.7*", SSH_NEW_OPENSSH|SSH_BUG_SIGTYPE},
|
||||
--- sshconnect2.c.orig 2020-09-26 07:26:37.618010545 -0700
|
||||
+++ sshconnect2.c 2020-10-05 10:47:22.116315148 -0700
|
||||
@@ -1305,6 +1305,26 @@
|
||||
break;
|
||||
}
|
||||
free(oallowed);
|
||||
+ /*
|
||||
+ * OpenSSH 7.4 supports SHA2 sig types, but fails to indicate its
|
||||
+ * support. For that release, check the local policy against the
|
||||
+ * SHA2 signature types.
|
||||
+ */
|
||||
+ if (alg == NULL &&
|
||||
+ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
|
||||
+ oallowed = allowed = xstrdup(options.pubkey_key_types);
|
||||
+ while ((cp = strsep(&allowed, ",")) != NULL) {
|
||||
+ if (sshkey_type_from_name(cp) != key->type)
|
||||
+ continue;
|
||||
+ tmp = match_list(sshkey_sigalg_by_name(cp), "rsa-sha2-256,rsa-sha2-512", NULL);
|
||||
+ if (tmp != NULL)
|
||||
+ alg = xstrdup(cp);
|
||||
+ free(tmp);
|
||||
+ if (alg != NULL)
|
||||
+ break;
|
||||
+ }
|
||||
+ free(oallowed);
|
||||
+ }
|
||||
return alg;
|
||||
}
|
||||
|
||||
|
@ -1,14 +0,0 @@
|
||||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||||
index e0768c06..5065ae7e 100644
|
||||
--- a/sandbox-seccomp-filter.c
|
||||
+++ b/sandbox-seccomp-filter.c
|
||||
@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
|
||||
#ifdef __NR_pselect6
|
||||
SC_ALLOW(__NR_pselect6),
|
||||
#endif
|
||||
+#ifdef __NR_pselect6_time64
|
||||
+ SC_ALLOW(__NR_pselect6_time64),
|
||||
+#endif
|
||||
#ifdef __NR_read
|
||||
SC_ALLOW(__NR_read),
|
||||
#endif
|
@ -1,130 +0,0 @@
|
||||
From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
|
||||
From: Oleg <Fallmay@users.noreply.github.com>
|
||||
Date: Thu, 1 Oct 2020 12:09:08 +0300
|
||||
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
|
||||
|
||||
---
|
||||
contrib/ssh-copy-id | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||
index 392f64f94..a76907717 100644
|
||||
--- a/contrib/ssh-copy-id
|
||||
+++ b/contrib/ssh-copy-id
|
||||
@@ -247,7 +247,7 @@ installkeys_sh() {
|
||||
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
|
||||
# the cat adds the keys we're getting via STDIN
|
||||
# and if available restorecon is used to restore the SELinux context
|
||||
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
|
||||
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
||||
cd;
|
||||
umask 077;
|
||||
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
||||
@@ -258,6 +258,7 @@ installkeys_sh() {
|
||||
restorecon -F .ssh ${AUTH_KEY_FILE};
|
||||
fi
|
||||
EOF
|
||||
+ )
|
||||
|
||||
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
|
||||
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
|
||||
|
||||
From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Sat, 3 Oct 2020 00:20:07 +0200
|
||||
Subject: [PATCH] un-nest $() to make ksh cheerful
|
||||
|
||||
---
|
||||
ssh-copy-id | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
|
||||
From: Philip Hands <phil@hands.com>
|
||||
Date: Fri, 2 Oct 2020 21:30:10 +0200
|
||||
Subject: [PATCH] ksh doesn't grok 'local'
|
||||
|
||||
and AFAICT it's not actually doing anything useful in the code, so let's
|
||||
see how things go without it.
|
||||
---
|
||||
ssh-copy-id | 11 +++++------
|
||||
1 file changed, 5 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||
index a769077..11c9463 100755
|
||||
--- a/contrib/ssh-copy-id
|
||||
+++ b/contrib/ssh-copy-id
|
||||
@@ -76,7 +76,7 @@ quote() {
|
||||
}
|
||||
|
||||
use_id_file() {
|
||||
- local L_ID_FILE="$1"
|
||||
+ L_ID_FILE="$1"
|
||||
|
||||
if [ -z "$L_ID_FILE" ] ; then
|
||||
printf '%s: ERROR: no ID file found\n' "$0"
|
||||
@@ -94,7 +94,7 @@ use_id_file() {
|
||||
# check that the files are readable
|
||||
for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
|
||||
ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
|
||||
- local L_PRIVMSG=""
|
||||
+ L_PRIVMSG=""
|
||||
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
|
||||
printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
|
||||
exit 1
|
||||
@@ -169,7 +169,7 @@ fi
|
||||
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
|
||||
# and has the side effect of setting $NEW_IDS
|
||||
populate_new_ids() {
|
||||
- local L_SUCCESS="$1"
|
||||
+ L_SUCCESS="$1"
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
if [ "$FORCED" ] ; then
|
||||
@@ -181,13 +181,12 @@ populate_new_ids() {
|
||||
eval set -- "$SSH_OPTS"
|
||||
|
||||
umask 0177
|
||||
- local L_TMP_ID_FILE
|
||||
L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
|
||||
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
|
||||
printf '%s: ERROR: mktemp failed\n' "$0" >&2
|
||||
exit 1
|
||||
fi
|
||||
- local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
||||
+ L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
|
||||
# shellcheck disable=SC2064
|
||||
trap "$L_CLEANUP" EXIT TERM INT QUIT
|
||||
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
|
||||
@@ -237,7 +236,7 @@ populate_new_ids() {
|
||||
# produce a one-liner to add the keys to remote authorized_keys file
|
||||
# optionally takes an alternative path for authorized_keys
|
||||
installkeys_sh() {
|
||||
- local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
||||
+ AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
||||
|
||||
# In setting INSTALLKEYS_SH:
|
||||
# the tr puts it all on one line (to placate tcsh)
|
||||
--
|
||||
|
||||
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
|
||||
index 11c9463..ee3f637 100755
|
||||
--- a/contrib/ssh-copy-id
|
||||
+++ b/contrib/ssh-copy-id
|
||||
@@ -237,6 +237,7 @@ populate_new_ids() {
|
||||
# optionally takes an alternative path for authorized_keys
|
||||
installkeys_sh() {
|
||||
AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
|
||||
+ AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
|
||||
|
||||
# In setting INSTALLKEYS_SH:
|
||||
# the tr puts it all on one line (to placate tcsh)
|
||||
@@ -249,7 +250,7 @@ installkeys_sh() {
|
||||
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
|
||||
cd;
|
||||
umask 077;
|
||||
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
|
||||
+ mkdir -p "${AUTH_KEY_DIR}" &&
|
||||
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
|
||||
cat >> ${AUTH_KEY_FILE} ||
|
||||
exit 1;
|
||||
--
|
@ -1,21 +0,0 @@
|
||||
# I do not know about any better place where to put profile files
|
||||
addFilter(r'openssh-askpass.x86_64: W: non-conffile-in-etc /etc/profile.d/gnome-ssh-askpass.c?sh')
|
||||
|
||||
# The ssh-keysign is not supposed to have standard permissions
|
||||
addFilter(r'openssh.x86_64: E: non-standard-executable-perm /usr/libexec/openssh/ssh-keysign 2555')
|
||||
addFilter(r'openssh.x86_64: E: setgid-binary /usr/libexec/openssh/ssh-keysign ssh_keys 2555')
|
||||
addFilter(r'openssh.x86_64: W: non-standard-gid /usr/libexec/openssh/ssh-keysign ssh_keys')
|
||||
|
||||
# The -cavs subpackage is internal without documentation
|
||||
# The -askpass is not intended to be used directly so it is missing documentation
|
||||
addFilter(r'openssh-(askpass|cavs).x86_64: W: no-documentation')
|
||||
|
||||
# sshd config and sysconfig is not supposed to be world readable
|
||||
addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)')
|
||||
|
||||
# The /var/empty/sshd is supposed to have the given permissions
|
||||
addFilter(r'non-standard-dir-perm /var/empty/sshd 711')
|
||||
addFilter(r'non-standard-dir-in-var empty')
|
||||
|
||||
# Spelling false-positives
|
||||
addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ')
|
806
openssh.spec
806
openssh.spec
File diff suppressed because it is too large
Load Diff
@ -9,6 +9,7 @@ buffer.c
|
||||
cleanup.c
|
||||
cipher.h
|
||||
compat.h
|
||||
defines.h
|
||||
entropy.c
|
||||
entropy.h
|
||||
fatal.c
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,20 +0,0 @@
|
||||
diff --git a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
||||
--- a/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
||||
+++ b/pam_ssh_agent_auth-0.10.2/pam_user_authorized_keys.c
|
||||
@@ -158,11 +158,12 @@ parse_authorized_key_file(const char *user,
|
||||
int
|
||||
pam_user_key_allowed(const char *ruser, struct sshkey * key)
|
||||
{
|
||||
+ struct passwd *pw;
|
||||
return
|
||||
- pamsshagentauth_user_key_allowed2(getpwuid(authorized_keys_file_allowed_owner_uid),
|
||||
- key, authorized_keys_file)
|
||||
- || pamsshagentauth_user_key_allowed2(getpwuid(0), key,
|
||||
- authorized_keys_file)
|
||||
+ ( (pw = getpwuid(authorized_keys_file_allowed_owner_uid)) &&
|
||||
+ pamsshagentauth_user_key_allowed2(pw, key, authorized_keys_file))
|
||||
+ || ((pw = getpwuid(0)) &&
|
||||
+ pamsshagentauth_user_key_allowed2(pw, key, authorized_keys_file))
|
||||
|| pamsshagentauth_user_key_command_allowed2(authorized_keys_command,
|
||||
authorized_keys_command_user,
|
||||
getpwnam(ruser), key);
|
@ -1,37 +0,0 @@
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-seteuid 2017-02-07 15:41:53.172334151 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 15:41:53.174334149 +0100
|
||||
@@ -238,17 +238,26 @@ ssh_get_authentication_socket_for_uid(ui
|
||||
}
|
||||
|
||||
errno = 0;
|
||||
- seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
|
||||
- above, we will temporarily drop UID to the caller */
|
||||
- if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
||||
+ /* To ensure a race condition is not used to circumvent the stat
|
||||
+ above, we will temporarily drop UID to the caller */
|
||||
+ if (seteuid(uid) == -1) {
|
||||
close(sock);
|
||||
- if(errno == EACCES)
|
||||
- fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
||||
+ error("seteuid(%lu) failed with error: %s",
|
||||
+ (unsigned long) uid, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
+ if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
||||
+ close(sock);
|
||||
+ sock = -1;
|
||||
+ if(errno == EACCES)
|
||||
+ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
||||
+ }
|
||||
|
||||
- seteuid(0); /* we now continue the regularly scheduled programming */
|
||||
-
|
||||
+ /* we now continue the regularly scheduled programming */
|
||||
+ if (0 != seteuid(0)) {
|
||||
+ fatal("setuid(0) failed with error: %s", strerror(errno));
|
||||
+ return -1;
|
||||
+ }
|
||||
return sock;
|
||||
}
|
||||
|
27
pam_ssh_agent_auth-0.9.2-seteuid.patch
Normal file
27
pam_ssh_agent_auth-0.9.2-seteuid.patch
Normal file
@ -0,0 +1,27 @@
|
||||
diff -up pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c.seteuid pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c
|
||||
--- pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c.seteuid 2010-09-08 08:54:29.000000000 +0200
|
||||
+++ pam_ssh_agent_auth-0.9.2/iterate_ssh_agent_keys.c 2010-11-22 08:38:05.000000000 +0100
|
||||
@@ -131,13 +131,18 @@ ssh_get_authentication_socket_for_uid(ui
|
||||
}
|
||||
|
||||
errno = 0;
|
||||
- seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
|
||||
- above, we will temporarily drop UID to the caller */
|
||||
+ /* To ensure a race condition is not used to circumvent the stat
|
||||
+ above, we will temporarily drop UID to the caller */
|
||||
+ if (seteuid(uid) == -1) {
|
||||
+ close(sock);
|
||||
+ error("seteuid(%lu) failed", (unsigned long) uid);
|
||||
+ return -1;
|
||||
+ }
|
||||
if (connect(sock, (struct sockaddr *)&sunaddr, sizeof sunaddr) < 0) {
|
||||
close(sock);
|
||||
- if(errno == EACCES)
|
||||
- fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
||||
- return -1;
|
||||
+ sock = -1;
|
||||
+ if(errno == EACCES)
|
||||
+ fatal("MAJOR SECURITY WARNING: uid %lu made a deliberate and malicious attempt to open an agent socket owned by another user", (unsigned long) uid);
|
||||
}
|
||||
|
||||
seteuid(0); /* we now continue the regularly scheduled programming */
|
@ -1,42 +1,41 @@
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/identity.h
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/identity.h.psaa-agent 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/identity.h 2017-09-27 14:25:49.421739027 +0200
|
||||
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h
|
||||
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h.psaa-agent 2014-03-31 19:35:16.000000000 +0200
|
||||
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/identity.h 2016-01-22 15:47:15.999919059 +0100
|
||||
@@ -38,6 +38,12 @@
|
||||
typedef struct identity Identity;
|
||||
typedef struct idlist Idlist;
|
||||
|
||||
+typedef struct {
|
||||
+ int fd;
|
||||
+ struct sshbuf *identities;
|
||||
+ Buffer identities;
|
||||
+ int howmany;
|
||||
+} AuthenticationConnection;
|
||||
+
|
||||
struct identity {
|
||||
TAILQ_ENTRY(identity) next;
|
||||
AuthenticationConnection *ac; /* set if agent supports key */
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-09-27 14:25:49.421739027 +0200
|
||||
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c
|
||||
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-agent 2016-01-22 15:47:15.998919060 +0100
|
||||
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:53:38.427768239 +0100
|
||||
@@ -39,6 +39,7 @@
|
||||
#include "sshbuf.h"
|
||||
#include "sshkey.h"
|
||||
#include "buffer.h"
|
||||
#include "key.h"
|
||||
#include "authfd.h"
|
||||
+#include "ssherr.h"
|
||||
#include <stdio.h>
|
||||
#include <openssl/evp.h>
|
||||
#include "ssh2.h"
|
||||
@@ -291,36 +292,43 @@ pamsshagentauth_find_authorized_keys(con
|
||||
@@ -285,36 +286,43 @@ pamsshagentauth_find_authorized_keys(con
|
||||
{
|
||||
struct sshbuf *session_id2 = NULL;
|
||||
Buffer session_id2 = { 0 };
|
||||
Identity *id;
|
||||
- struct sshkey *key;
|
||||
- Key *key;
|
||||
AuthenticationConnection *ac;
|
||||
- char *comment;
|
||||
uint8_t retval = 0;
|
||||
uid_t uid = getpwnam(ruser)->pw_uid;
|
||||
+ struct ssh_identitylist *idlist;
|
||||
+ int r;
|
||||
+ unsigned int i;
|
||||
+ int r, i;
|
||||
|
||||
OpenSSL_add_all_digests();
|
||||
pamsshagentauth_session_id2_gen(&session_id2, user, ruser, servicename);
|
||||
@ -44,23 +43,23 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||
if ((ac = ssh_get_authentication_connection_for_uid(uid))) {
|
||||
verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
||||
- for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
||||
- {
|
||||
- if(key != NULL) {
|
||||
+ if ((r = ssh_fetch_identitylist(ac->fd, &idlist)) != 0) {
|
||||
+ if ((r = ssh_fetch_identitylist(ac->fd, 2,
|
||||
+ &idlist)) != 0) {
|
||||
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
|
||||
+ fprintf(stderr, "error fetching identities for "
|
||||
+ "protocol %d: %s\n", 2, ssh_err(r));
|
||||
+ } else {
|
||||
+ for (i = 0; i < idlist->nkeys; i++)
|
||||
+ {
|
||||
+ if (idlist->keys[i] != NULL) {
|
||||
{
|
||||
- if(key != NULL) {
|
||||
+ if(idlist->keys[i] != NULL) {
|
||||
id = xcalloc(1, sizeof(*id));
|
||||
- id->key = key;
|
||||
- id->filename = comment;
|
||||
+ id->key = idlist->keys[i];
|
||||
+ id->filename = idlist->comments[i];
|
||||
id->ac = ac;
|
||||
if(userauth_pubkey_from_id(ruser, id, session_id2)) {
|
||||
if(userauth_pubkey_from_id(ruser, id, &session_id2)) {
|
||||
retval = 1;
|
||||
}
|
||||
- free(id->filename);
|
||||
@ -68,29 +67,53 @@ diff -up openssh/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-agent o
|
||||
free(id);
|
||||
if(retval == 1)
|
||||
break;
|
||||
- }
|
||||
- }
|
||||
+ }
|
||||
+ }
|
||||
- sshbuf_free(session_id2);
|
||||
}
|
||||
}
|
||||
buffer_free(&session_id2);
|
||||
- ssh_close_authentication_connection(ac);
|
||||
+ sshbuf_free(session_id2);
|
||||
+ ssh_free_identitylist(idlist);
|
||||
+ }
|
||||
+ ssh_close_authentication_socket(ac->fd);
|
||||
+ free(ac);
|
||||
+ }
|
||||
}
|
||||
else {
|
||||
verbose("No ssh-agent could be contacted");
|
||||
diff -up openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c
|
||||
--- openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c.psaa-agent 2017-09-27 14:25:49.420739021 +0200
|
||||
+++ openssh/pam_ssh_agent_auth-0.10.3/userauth_pubkey_from_id.c 2017-09-27 14:25:49.422739032 +0200
|
||||
@@ -84,7 +85,7 @@ userauth_pubkey_from_id(const char *ruse
|
||||
(r = sshbuf_put_string(b, pkblob, blen)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
|
||||
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c.psaa-agent 2016-01-22 15:47:15.995919061 +0100
|
||||
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c 2016-01-22 16:06:20.611464261 +0100
|
||||
@@ -55,10 +55,11 @@ extern uint8_t session_id_len;
|
||||
int
|
||||
userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
||||
{
|
||||
- Buffer b = { 0 };
|
||||
+ Buffer b;
|
||||
char *pkalg = NULL;
|
||||
u_char *pkblob = NULL, *sig = NULL;
|
||||
- u_int blen = 0, slen = 0;
|
||||
+ u_int blen = 0;
|
||||
+ size_t slen = 0;
|
||||
int authenticated = 0;
|
||||
|
||||
- if (ssh_agent_sign(id->ac, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b)) != 0)
|
||||
+ if (ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, sshbuf_ptr(b), sshbuf_len(b), NULL, 0) != 0)
|
||||
pkalg = (char *) key_ssh_name(id->key);
|
||||
@@ -82,7 +83,7 @@ userauth_pubkey_from_id(const char *ruse
|
||||
buffer_put_cstring(&b, pkalg);
|
||||
buffer_put_string(&b, pkblob, blen);
|
||||
|
||||
- if(ssh_agent_sign(id->ac, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b)) != 0)
|
||||
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
|
||||
goto user_auth_clean_exit;
|
||||
|
||||
/* test for correct signature */
|
||||
diff --git a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
|
||||
--- a/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
|
||||
+++ b/pam_ssh_agent_auth-0.10.2/userauth_pubkey_from_id.c
|
||||
@@ -85,7 +85,7 @@ userauth_pubkey_from_id(const char *ruser, Identity * id, Buffer * session_id2)
|
||||
buffer_put_cstring(&b, pkalg);
|
||||
buffer_put_string(&b, pkblob, blen);
|
||||
|
||||
- if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), 0) != 0)
|
||||
+ if(ssh_agent_sign(id->ac->fd, id->key, &sig, &slen, buffer_ptr(&b), buffer_len(&b), NULL, 0) != 0)
|
||||
goto user_auth_clean_exit;
|
||||
|
||||
/* test for correct signature */
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-build 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c 2017-02-07 14:29:41.626116675 +0100
|
||||
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-build openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c
|
||||
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c.psaa-build 2016-01-22 14:59:18.943919791 +0100
|
||||
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/iterate_ssh_agent_keys.c 2016-01-22 15:16:12.534599318 +0100
|
||||
@@ -43,12 +43,31 @@
|
||||
#include <openssl/evp.h>
|
||||
#include "ssh2.h"
|
||||
@ -42,7 +42,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-b
|
||||
uint8_t i = 0;
|
||||
uint32_t rnd = 0;
|
||||
uint8_t cookie_len;
|
||||
@@ -112,7 +131,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
@@ -110,7 +129,7 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
if (i % 4 == 0) {
|
||||
rnd = pamsshagentauth_arc4random();
|
||||
}
|
||||
@ -51,7 +51,7 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-b
|
||||
rnd >>= 8;
|
||||
}
|
||||
|
||||
@@ -177,6 +196,86 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
@@ -142,6 +161,86 @@ pamsshagentauth_session_id2_gen(Buffer *
|
||||
}
|
||||
|
||||
int
|
||||
@ -147,41 +147,39 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/iterate_ssh_agent_keys.c.psaa-b
|
||||
pamsshagentauth_verbose("Contacted ssh-agent of user %s (%u)", ruser, uid);
|
||||
for (key = ssh_get_first_identity(ac, &comment, 2); key != NULL; key = ssh_get_next_identity(ac, &comment, 2))
|
||||
{
|
||||
diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in
|
||||
--- openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build 2016-11-13 04:24:32.000000000 +0100
|
||||
+++ openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in 2017-02-07 14:40:14.407566921 +0100
|
||||
diff -up openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in.psaa-build openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in
|
||||
--- openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in.psaa-build 2014-03-31 19:35:17.000000000 +0200
|
||||
+++ openssh-7.1p2/pam_ssh_agent_auth-0.10.2/Makefile.in 2016-01-22 15:20:16.479521651 +0100
|
||||
@@ -52,7 +52,7 @@ PATHS=
|
||||
CC=@CC@
|
||||
LD=@LD@
|
||||
CFLAGS=@CFLAGS@
|
||||
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
+CPPFLAGS=-I.. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
+CPPFLAGS=-I.. -I$(srcdir) -I/usr/include/nss3 -I/usr/include/nspr4 @CPPFLAGS@ $(PATHS) @DEFS@
|
||||
LIBS=@LIBS@
|
||||
AR=@AR@
|
||||
AWK=@AWK@
|
||||
@@ -61,8 +61,8 @@ INSTALL=@INSTALL@
|
||||
@@ -61,7 +61,7 @@ INSTALL=@INSTALL@
|
||||
PERL=@PERL@
|
||||
SED=@SED@
|
||||
ENT=@ENT@
|
||||
-LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
|
||||
-LDFLAGS_SHARED = @LDFLAGS_SHARED@
|
||||
+LDFLAGS=-L.. -L../openbsd-compat/ @LDFLAGS@
|
||||
+LDFLAGS_SHARED =-Wl,-z,defs @LDFLAGS_SHARED@
|
||||
LDFLAGS_SHARED = @LDFLAGS_SHARED@
|
||||
EXEEXT=@EXEEXT@
|
||||
|
||||
INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
|
||||
@@ -74,7 +74,7 @@ SSHOBJS=xmalloc.o atomicio.o authfd.o bu
|
||||
@@ -72,7 +72,7 @@ PAM_MODULES=pam_ssh_agent_auth.so
|
||||
|
||||
ED25519OBJS=ed25519-donna/ed25519.o
|
||||
SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o uidswap.o
|
||||
|
||||
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o
|
||||
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o userauth_pubkey_from_pam.o secure_filename.o
|
||||
-PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o
|
||||
+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o get_command_line.o secure_filename.o
|
||||
|
||||
|
||||
MANPAGES_IN = pam_ssh_agent_auth.pod
|
||||
@@ -94,13 +94,13 @@ $(PAM_MODULES): Makefile.in config.h
|
||||
@@ -91,13 +91,13 @@ $(PAM_MODULES): Makefile.in config.h
|
||||
.c.o:
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
|
||||
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
|
||||
|
||||
-LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
|
||||
+LIBCOMPAT=../openbsd-compat/libopenbsd-compat.a
|
||||
@ -189,10 +187,10 @@ diff -up openssh-7.4p1/pam_ssh_agent_auth-0.10.3/Makefile.in.psaa-build openssh-
|
||||
(cd openbsd-compat && $(MAKE))
|
||||
always:
|
||||
|
||||
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
||||
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(ED25519OBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
|
||||
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o ../uidswap.o ../ssh-sk-client.o
|
||||
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) ../ssh-sk-client.o $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o ../uidswap.o $(LIBS) -lpam
|
||||
-pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
||||
- $(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam
|
||||
+pam_ssh_agent_auth.so: $(PAM_SSH_AGENT_AUTH_OBJS) pam_ssh_agent_auth.o
|
||||
+ $(LD) $(LDFLAGS_SHARED) -o $@ $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat pam_ssh_agent_auth.o $(LIBS) -lpam -lnss3
|
||||
|
||||
$(MANPAGES): $(MANPAGES_IN)
|
||||
pod2man --section=8 --release=v0.10.3 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
|
||||
pod2man --section=8 --release=v0.10.2 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8
|
||||
|
6
sources
6
sources
@ -1,4 +1,2 @@
|
||||
SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
|
||||
SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
|
||||
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
|
||||
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
|
||||
a212baca7ce11d596bd8dcb222859ace pam_ssh_agent_auth-0.10.2.tar.bz2
|
||||
13009a9156510d8f27e752659075cced openssh-7.2p2.tar.gz
|
||||
|
186
sshd-keygen
186
sshd-keygen
@ -1,40 +1,168 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Create the host keys for the OpenSSH server.
|
||||
KEYTYPE=$1
|
||||
case $KEYTYPE in
|
||||
"dsa") ;& # disabled in FIPS
|
||||
"ed25519")
|
||||
FIPS=/proc/sys/crypto/fips_enabled
|
||||
if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
|
||||
exit 0
|
||||
fi ;;
|
||||
"rsa") ;; # always ok
|
||||
"ecdsa") ;;
|
||||
*) # wrong argument
|
||||
exit 12 ;;
|
||||
esac
|
||||
KEY=/etc/ssh/ssh_host_${KEYTYPE}_key
|
||||
#
|
||||
# The creation is controlled by the $AUTOCREATE_SERVER_KEYS environment
|
||||
# variable.
|
||||
AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
|
||||
|
||||
if [ -f /etc/rc.d/init.d/functions ]; then
|
||||
# source function library
|
||||
. /etc/rc.d/init.d/functions
|
||||
else
|
||||
# minimal implimantation of success and failure function
|
||||
success()
|
||||
{
|
||||
echo -en $"[ OK ]\r"
|
||||
return 0
|
||||
}
|
||||
failure()
|
||||
{
|
||||
echo -en $"[FAILED]\r"
|
||||
return 1
|
||||
}
|
||||
fi
|
||||
|
||||
# Some functions to make the below more readable
|
||||
KEYGEN=/usr/bin/ssh-keygen
|
||||
if [[ ! -x $KEYGEN ]]; then
|
||||
exit 13
|
||||
fi
|
||||
RSA1_KEY=/etc/ssh/ssh_host_key
|
||||
RSA_KEY=/etc/ssh/ssh_host_rsa_key
|
||||
DSA_KEY=/etc/ssh/ssh_host_dsa_key
|
||||
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
|
||||
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
# remove old keys
|
||||
rm -f $KEY{,.pub}
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||
|
||||
# create new keys
|
||||
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
|
||||
fips_enabled() {
|
||||
if [ -r /proc/sys/crypto/fips_enabled ]; then
|
||||
cat /proc/sys/crypto/fips_enabled
|
||||
else
|
||||
echo 0
|
||||
fi
|
||||
}
|
||||
|
||||
do_rsa1_keygen() {
|
||||
if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then
|
||||
echo -n $"Generating SSH1 RSA host key: "
|
||||
rm -f $RSA1_KEY
|
||||
if test ! -f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $RSA1_KEY
|
||||
chmod 640 $RSA1_KEY
|
||||
chmod 644 $RSA1_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $RSA1_KEY{,.pub}
|
||||
fi
|
||||
success $"RSA1 key generation"
|
||||
echo
|
||||
else
|
||||
failure $"RSA1 key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
do_rsa_keygen() {
|
||||
if [ ! -s $RSA_KEY ]; then
|
||||
echo -n $"Generating SSH2 RSA host key: "
|
||||
rm -f $RSA_KEY
|
||||
if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $RSA_KEY
|
||||
chmod 640 $RSA_KEY
|
||||
chmod 644 $RSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $RSA_KEY{,.pub}
|
||||
fi
|
||||
success $"RSA key generation"
|
||||
echo
|
||||
else
|
||||
failure $"RSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
do_dsa_keygen() {
|
||||
if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then
|
||||
echo -n $"Generating SSH2 DSA host key: "
|
||||
rm -f $DSA_KEY
|
||||
if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $DSA_KEY
|
||||
chmod 640 $DSA_KEY
|
||||
chmod 644 $DSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $DSA_KEY{,.pub}
|
||||
fi
|
||||
success $"DSA key generation"
|
||||
echo
|
||||
else
|
||||
failure $"DSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
do_ecdsa_keygen() {
|
||||
if [ ! -s $ECDSA_KEY ]; then
|
||||
echo -n $"Generating SSH2 ECDSA host key: "
|
||||
rm -f $ECDSA_KEY
|
||||
if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $ECDSA_KEY
|
||||
chmod 640 $ECDSA_KEY
|
||||
chmod 644 $ECDSA_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $ECDSA_KEY{,.pub}
|
||||
fi
|
||||
success $"ECDSA key generation"
|
||||
echo
|
||||
else
|
||||
failure $"ECDSA key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
do_ed25519_keygen() {
|
||||
if [ ! -s $ED25519_KEY -a `fips_enabled` -eq 0 ]; then
|
||||
echo -n $"Generating SSH2 ED25519 host key: "
|
||||
rm -f $ED25519_KEY
|
||||
if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >&/dev/null; then
|
||||
chgrp ssh_keys $ED25519_KEY
|
||||
chmod 640 $ED25519_KEY
|
||||
chmod 644 $ED25519_KEY.pub
|
||||
if [ -x /sbin/restorecon ]; then
|
||||
/sbin/restorecon $ED25519_KEY{,.pub}
|
||||
fi
|
||||
success $"ED25519 key generation"
|
||||
echo
|
||||
else
|
||||
failure $"ED25519 key generation"
|
||||
echo
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "x${AUTOCREATE_SERVER_KEYS}" == "xNO" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# sanitize permissions
|
||||
/usr/bin/chgrp ssh_keys $KEY
|
||||
/usr/bin/chmod 640 $KEY
|
||||
/usr/bin/chmod 644 $KEY.pub
|
||||
if [[ -x /usr/sbin/restorecon ]]; then
|
||||
/usr/sbin/restorecon $KEY{,.pub}
|
||||
fi
|
||||
# legacy options
|
||||
case $AUTOCREATE_SERVER_KEYS in
|
||||
NODSA) AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519";;
|
||||
RSAONLY) AUTOCREATE_SERVER_KEYS="RSA";;
|
||||
YES) AUTOCREATE_SERVER_KEYS="DSA RSA ECDSA ED25519";;
|
||||
esac
|
||||
|
||||
exit 0
|
||||
for KEY in $AUTOCREATE_SERVER_KEYS; do
|
||||
case $KEY in
|
||||
DSA) do_dsa_keygen;;
|
||||
RSA) do_rsa_keygen;;
|
||||
ECDSA) do_ecdsa_keygen;;
|
||||
ED25519) do_ed25519_keygen;;
|
||||
esac
|
||||
done
|
||||
|
11
sshd-keygen.service
Normal file
11
sshd-keygen.service
Normal file
@ -0,0 +1,11 @@
|
||||
[Unit]
|
||||
Description=OpenSSH Server Key Generation
|
||||
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
|
||||
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
|
||||
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
|
||||
PartOf=sshd.service sshd.socket
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/sbin/sshd-keygen
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
@ -1,5 +0,0 @@
|
||||
[Unit]
|
||||
Wants=sshd-keygen@rsa.service
|
||||
Wants=sshd-keygen@ecdsa.service
|
||||
Wants=sshd-keygen@ed25519.service
|
||||
PartOf=sshd.service
|
@ -1,11 +0,0 @@
|
||||
[Unit]
|
||||
Description=OpenSSH %i Server Key Generation
|
||||
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_%i_key
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
EnvironmentFile=-/etc/sysconfig/sshd
|
||||
ExecStart=/usr/libexec/openssh/sshd-keygen %i
|
||||
|
||||
[Install]
|
||||
WantedBy=sshd-keygen.target
|
184
sshd.init
Executable file
184
sshd.init
Executable file
@ -0,0 +1,184 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# sshd Start up the OpenSSH server daemon
|
||||
#
|
||||
# chkconfig: 2345 55 25
|
||||
# description: SSH is a protocol for secure remote shell access. \
|
||||
# This service starts up the OpenSSH server daemon.
|
||||
#
|
||||
# processname: sshd
|
||||
# config: /etc/ssh/ssh_host_key
|
||||
# config: /etc/ssh/ssh_host_key.pub
|
||||
# config: /etc/ssh/ssh_random_seed
|
||||
# config: /etc/ssh/sshd_config
|
||||
# pidfile: /var/run/sshd.pid
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides: sshd
|
||||
# Required-Start: $local_fs $network $syslog
|
||||
# Required-Stop: $local_fs $syslog
|
||||
# Should-Start: $syslog
|
||||
# Should-Stop: $network $syslog
|
||||
# Default-Start: 2 3 4 5
|
||||
# Default-Stop: 0 1 6
|
||||
# Short-Description: Start up the OpenSSH server daemon
|
||||
# Description: SSH is a protocol for secure remote shell access.
|
||||
# This service starts up the OpenSSH server daemon.
|
||||
### END INIT INFO
|
||||
|
||||
# source function library
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
# pull in sysconfig settings
|
||||
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||
|
||||
RETVAL=0
|
||||
prog="sshd"
|
||||
lockfile=/var/lock/subsys/$prog
|
||||
|
||||
# Some functions to make the below more readable
|
||||
SSHD=/usr/sbin/sshd
|
||||
XPID_FILE=/var/run/sshd.pid
|
||||
PID_FILE=/var/run/sshd-s.pid
|
||||
|
||||
runlevel=$(set -- $(runlevel); eval "echo \$$#" )
|
||||
|
||||
do_restart_sanity_check()
|
||||
{
|
||||
$SSHD -t
|
||||
RETVAL=$?
|
||||
if [ $RETVAL -ne 0 ]; then
|
||||
failure $"Configuration file or keys are invalid"
|
||||
echo
|
||||
fi
|
||||
}
|
||||
|
||||
start()
|
||||
{
|
||||
[ -x $SSHD ] || exit 5
|
||||
[ -f /etc/ssh/sshd_config ] || exit 6
|
||||
# Create keys if necessary
|
||||
/usr/sbin/sshd-keygen
|
||||
|
||||
echo -n $"Starting $prog: "
|
||||
$SSHD $OPTIONS && success || failure
|
||||
RETVAL=$?
|
||||
[ $RETVAL -eq 0 ] && touch $lockfile
|
||||
[ $RETVAL -eq 0 ] && cp -f $XPID_FILE $PID_FILE
|
||||
echo
|
||||
return $RETVAL
|
||||
}
|
||||
|
||||
stop()
|
||||
{
|
||||
|
||||
echo -n $"Stopping $prog: "
|
||||
if [ ! -f "$PID_FILE" ]; then
|
||||
# not running; per LSB standards this is "ok"
|
||||
action $"Stopping $prog: " /bin/true
|
||||
return 0
|
||||
fi
|
||||
PID=`cat "$PID_FILE"`
|
||||
if [ -n "$PID" ]; then
|
||||
/bin/kill "$PID" >/dev/null 2>&1
|
||||
RETVAL=$?
|
||||
if [ $RETVAL -eq 0 ]; then
|
||||
RETVAL=1
|
||||
action $"Stopping $prog: " /bin/false
|
||||
else
|
||||
action $"Stopping $prog: " /bin/true
|
||||
fi
|
||||
else
|
||||
# failed to read pidfile
|
||||
action $"Stopping $prog: " /bin/false
|
||||
RETVAL=4
|
||||
fi
|
||||
# if we are in halt or reboot runlevel kill all running sessions
|
||||
# so the TCP connections are closed cleanly
|
||||
if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
|
||||
trap '' TERM
|
||||
killall $prog 2>/dev/null
|
||||
trap TERM
|
||||
fi
|
||||
[ $RETVAL -eq 0 ] && rm -f $lockfile
|
||||
rm -f "$PID_FILE"
|
||||
return $RETVAL
|
||||
}
|
||||
|
||||
reload()
|
||||
{
|
||||
echo -n $"Reloading $prog: "
|
||||
if [ -n "`pidfileofproc $SSHD`" ] ; then
|
||||
killproc $SSHD -HUP
|
||||
else
|
||||
failure $"Reloading $prog"
|
||||
fi
|
||||
RETVAL=$?
|
||||
echo
|
||||
}
|
||||
|
||||
restart() {
|
||||
stop
|
||||
start
|
||||
}
|
||||
|
||||
force_reload() {
|
||||
restart
|
||||
}
|
||||
|
||||
rh_status() {
|
||||
status -p $PID_FILE openssh-daemon
|
||||
}
|
||||
|
||||
rh_status_q() {
|
||||
rh_status >/dev/null 2>&1
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
rh_status_q && exit 0
|
||||
start
|
||||
;;
|
||||
stop)
|
||||
if ! rh_status_q; then
|
||||
rm -f $lockfile
|
||||
exit 0
|
||||
fi
|
||||
stop
|
||||
;;
|
||||
restart)
|
||||
restart
|
||||
;;
|
||||
reload)
|
||||
rh_status_q || exit 7
|
||||
reload
|
||||
;;
|
||||
force-reload)
|
||||
force_reload
|
||||
;;
|
||||
condrestart|try-restart)
|
||||
rh_status_q || exit 0
|
||||
if [ -f $lockfile ] ; then
|
||||
do_restart_sanity_check
|
||||
if [ $RETVAL -eq 0 ] ; then
|
||||
stop
|
||||
# avoid race
|
||||
sleep 3
|
||||
start
|
||||
else
|
||||
RETVAL=6
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
status)
|
||||
rh_status
|
||||
RETVAL=$?
|
||||
if [ $RETVAL -eq 3 -a -f $lockfile ] ; then
|
||||
RETVAL=2
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}"
|
||||
RETVAL=2
|
||||
esac
|
||||
exit $RETVAL
|
7
sshd.pam
7
sshd.pam
@ -1,7 +1,9 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_sepermit.so
|
||||
auth substack password-auth
|
||||
auth include postlogin
|
||||
account required pam_sepermit.so
|
||||
# Used with polkit to reauthorize users in remote sessions
|
||||
-auth optional pam_reauthorize.so prepare
|
||||
account required pam_nologin.so
|
||||
account include password-auth
|
||||
password include password-auth
|
||||
@ -12,6 +14,7 @@ session required pam_loginuid.so
|
||||
session required pam_selinux.so open env_params
|
||||
session required pam_namespace.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session optional pam_motd.so
|
||||
session include password-auth
|
||||
session include postlogin
|
||||
# Used with polkit to reauthorize users in remote sessions
|
||||
-session optional pam_reauthorize.so prepare
|
||||
|
@ -1,13 +1,14 @@
|
||||
[Unit]
|
||||
Description=OpenSSH server daemon
|
||||
Documentation=man:sshd(8) man:sshd_config(5)
|
||||
After=network.target sshd-keygen.target
|
||||
Wants=sshd-keygen.target
|
||||
After=network.target sshd-keygen.service
|
||||
Wants=sshd-keygen.service
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
Type=forking
|
||||
PIDFile=/var/run/sshd.pid
|
||||
EnvironmentFile=-/etc/sysconfig/sshd
|
||||
ExecStart=/usr/sbin/sshd -D $OPTIONS
|
||||
ExecStart=/usr/sbin/sshd $OPTIONS
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
KillMode=process
|
||||
Restart=on-failure
|
||||
|
@ -1,7 +1,15 @@
|
||||
# Configuration file for the sshd service.
|
||||
|
||||
# The server keys are automatically generated if they are missing.
|
||||
# To change the automatic creation, adjust sshd.service options for
|
||||
# example using systemctl enable sshd-keygen@dsa.service to allow creation
|
||||
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
|
||||
# creation.
|
||||
# To change the automatic creation uncomment and change the appropriate
|
||||
# line. Accepted key types are: DSA RSA ECDSA ED25519.
|
||||
# The default is "RSA ECDSA ED25519"
|
||||
|
||||
# AUTOCREATE_SERVER_KEYS=""
|
||||
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
|
||||
|
||||
# Do not change this option unless you have hardware random
|
||||
# generator and you REALLY know what you are doing
|
||||
|
||||
SSH_USE_STRONG_RNG=0
|
||||
# SSH_USE_STRONG_RNG=1
|
||||
|
@ -1,8 +1,8 @@
|
||||
[Unit]
|
||||
Description=OpenSSH per-connection server daemon
|
||||
Documentation=man:sshd(8) man:sshd_config(5)
|
||||
Wants=sshd-keygen.target
|
||||
After=sshd-keygen.target
|
||||
Wants=sshd-keygen.service
|
||||
After=sshd-keygen.service
|
||||
|
||||
[Service]
|
||||
EnvironmentFile=-/etc/sysconfig/sshd
|
||||
|
@ -1,64 +0,0 @@
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
|
||||
# Description: This is a basic sanity test for pam_ssh_agent_auth
|
||||
# Author: Jakub Jelen <jjelen@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2015 Red Hat, Inc.
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
# published by the Free Software Foundation, either version 2 of
|
||||
# the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/openssh/Sanity/pam_ssh_agent_auth
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE pam_save_ssh_var.c
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
|
||||
-include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Jakub Jelen <jjelen@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: This is basic sanity test for pam_ssh_agent_auth" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 5m" >> $(METADATA)
|
||||
@echo "RunFor: openssh" >> $(METADATA)
|
||||
@echo "Requires: openssh pam_ssh_agent_auth pam-devel expect" >> $(METADATA)
|
||||
@echo "RhtsRequires: library(distribution/fips)" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2+" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
@ -1,7 +0,0 @@
|
||||
PURPOSE of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
|
||||
Description: This is basic sanity test for pam_ssh_agent_auth
|
||||
Author: Jakub Jelen <jjelen@redhat.com>
|
||||
|
||||
Created as a response to rhbz#1251777 and previous one rhbz#1225106.
|
||||
The code of pam module is outdated and compiled with current openssh
|
||||
version which went through quite enough refactoring.
|
@ -1,73 +0,0 @@
|
||||
/*
|
||||
This simple pam module saves the content of SSH_USER_AUTH variable to /tmp/SSH_USER_AUTH
|
||||
file.
|
||||
|
||||
Setup:
|
||||
- gcc -fPIC -DPIC -shared -rdynamic -o pam_save_ssh_var.o pam_save_ssh_var.c
|
||||
- copy pam_save_ssh_var.o to /lib/security resp. /lib64/security
|
||||
- add to /etc/pam.d/sshd
|
||||
auth requisite pam_save_ssh_var.o
|
||||
*/
|
||||
|
||||
/* Define which PAM interfaces we provide */
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_PASSWORD
|
||||
#define PAM_SM_SESSION
|
||||
|
||||
/* Include PAM headers */
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
|
||||
int save_ssh_var(pam_handle_t *pamh, const char *phase) {
|
||||
FILE *fp;
|
||||
const char *var;
|
||||
|
||||
fp = fopen("/tmp/SSH_USER_AUTH","a");
|
||||
fprintf(fp, "BEGIN (%s)\n", phase);
|
||||
var = pam_getenv(pamh, "SSH_USER_AUTH");
|
||||
if (var != NULL) {
|
||||
fprintf(fp, "SSH_USER_AUTH: '%s'\n", var);
|
||||
}
|
||||
fprintf(fp, "END (%s)\n", phase);
|
||||
fclose(fp);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* PAM entry point for session creation */
|
||||
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||
return(PAM_IGNORE);
|
||||
}
|
||||
|
||||
/* PAM entry point for session cleanup */
|
||||
int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||
return(PAM_IGNORE);
|
||||
}
|
||||
|
||||
/* PAM entry point for accounting */
|
||||
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||
return(PAM_IGNORE);
|
||||
}
|
||||
|
||||
/* PAM entry point for authentication verification */
|
||||
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||
save_ssh_var(pamh, "auth");
|
||||
return(PAM_IGNORE);
|
||||
}
|
||||
|
||||
/*
|
||||
PAM entry point for setting user credentials (that is, to actually
|
||||
establish the authenticated user's credentials to the service provider)
|
||||
*/
|
||||
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||
return(PAM_IGNORE);
|
||||
}
|
||||
|
||||
/* PAM entry point for authentication token (password) changes */
|
||||
int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) {
|
||||
return(PAM_IGNORE);
|
||||
}
|
||||
|
@ -1,184 +0,0 @@
|
||||
#!/bin/bash
|
||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/openssh/Sanity/pam_ssh_agent_auth
|
||||
# Description: This is a basic sanity test for pam_ssh_agent_auth
|
||||
# Author: Jakub Jelen <jjelen@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2015 Red Hat, Inc.
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
# published by the Free Software Foundation, either version 2 of
|
||||
# the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="openssh"
|
||||
PAM_SUDO="/etc/pam.d/sudo"
|
||||
PAM_SSHD="/etc/pam.d/sshd"
|
||||
PAM_MODULE="pam_save_ssh_var"
|
||||
SUDOERS_CFG="/etc/sudoers.d/01_pam_ssh_auth"
|
||||
SSHD_CFG="/etc/ssh/sshd_config"
|
||||
USER="testuser$RANDOM"
|
||||
PASS="testpassxy4re.3298fhdsaf"
|
||||
AUTH_KEYS="/etc/security/authorized_keys"
|
||||
AK_COMMAND_BIN="/root/ak.sh"
|
||||
AK_COMMAND_KEYS="/root/akeys"
|
||||
declare -a KEYS=("rsa" "ecdsa")
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm $PACKAGE
|
||||
rlAssertRpm pam_ssh_agent_auth
|
||||
rlImport distribution/fips
|
||||
rlServiceStart sshd
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "cp ${PAM_MODULE}.c $TmpDir/"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlFileBackup --clean $PAM_SUDO /etc/sudoers /etc/sudoers.d/ /etc/security/ $AUTH_KEYS
|
||||
rlRun "sed -i '1 a\
|
||||
auth sufficient pam_ssh_agent_auth.so file=$AUTH_KEYS' $PAM_SUDO"
|
||||
rlRun "echo 'Defaults env_keep += \"SSH_AUTH_SOCK\"' > $SUDOERS_CFG"
|
||||
rlRun "echo 'Defaults !requiretty' >> $SUDOERS_CFG"
|
||||
grep '^%wheel' /etc/sudoers || \
|
||||
rlRun "echo '%wheel ALL=(ALL) ALL' >> $SUDOERS_CFG"
|
||||
rlRun "useradd $USER -G wheel"
|
||||
rlRun "echo $PASS |passwd --stdin $USER"
|
||||
rlPhaseEnd
|
||||
|
||||
if ! fipsIsEnabled; then
|
||||
KEYS+=("dsa")
|
||||
fi
|
||||
|
||||
for KEY in "${KEYS[@]}"; do
|
||||
rlPhaseStartTest "Test with key type $KEY"
|
||||
rlRun "su $USER -c 'ssh-keygen -t $KEY -f ~/.ssh/my_id_$KEY -N \"\"'" 0
|
||||
|
||||
# Without authorized_keys, the authentication should fail
|
||||
rlRun -s "su $USER -c 'eval \`ssh-agent\`; sudo id; ssh-agent -k'" 0
|
||||
rlAssertNotGrep "uid=0(root) gid=0(root)" $rlRun_LOG
|
||||
|
||||
# Append the keys only to make sure we can match also the non-first line
|
||||
rlRun "cat ~$USER/.ssh/my_id_${KEY}.pub >> $AUTH_KEYS"
|
||||
rlRun -s "su $USER -c 'eval \`ssh-agent\`; ssh-add ~/.ssh/my_id_$KEY; sudo id; ssh-agent -k'"
|
||||
rlAssertGrep "uid=0(root) gid=0(root)" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
done
|
||||
|
||||
if rlIsRHEL '<6.8' || ( rlIsRHEL '<7.3' && rlIsRHEL 7 ) ; then
|
||||
: # not available
|
||||
else
|
||||
rlPhaseStartSetup "Setup for authorized_keys_command"
|
||||
rlFileBackup --namespace ak_command $PAM_SUDO
|
||||
rlRun "rm -f $AUTH_KEYS"
|
||||
cat >$AK_COMMAND_BIN <<_EOF
|
||||
#!/bin/bash
|
||||
cat $AK_COMMAND_KEYS
|
||||
_EOF
|
||||
rlRun "chmod +x $AK_COMMAND_BIN"
|
||||
rlRun "sed -i 's|.*pam_ssh_agent_auth.*|auth sufficient pam_ssh_agent_auth.so authorized_keys_command=$AK_COMMAND_BIN authorized_keys_command_user=root|' $PAM_SUDO"
|
||||
rlRun "cat $PAM_SUDO"
|
||||
rlPhaseEnd
|
||||
|
||||
for KEY in "${KEYS[@]}"; do
|
||||
rlPhaseStartTest "Test authorized_keys_command with key type $KEY (bz1299555, bz1317858)"
|
||||
rlRun "cat ~$USER/.ssh/my_id_${KEY}.pub >$AK_COMMAND_KEYS"
|
||||
rlRun -s "su $USER -c 'eval \`ssh-agent\`; ssh-add ~/.ssh/my_id_$KEY; sudo id; ssh-agent -k'"
|
||||
rlAssertGrep "uid=0(root) gid=0(root)" $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
done
|
||||
|
||||
rlPhaseStartCleanup "Cleanup for authorized_keys_command"
|
||||
rlFileRestore --namespace ak_command
|
||||
rlRun "rm -f $AK_COMMAND_BIN $AK_COMMAND_KEYS"
|
||||
rlPhaseEnd
|
||||
fi
|
||||
|
||||
if rlIsRHEL '>=7.3'; then # not in Fedora anymore
|
||||
rlPhaseStartTest "bz1312304 - Exposing information about succesful auth"
|
||||
rlRun "rlFileBackup --namespace exposing $PAM_SSHD"
|
||||
rlRun "rlFileBackup --namespace exposing $SSHD_CFG"
|
||||
rlRun "rlFileBackup --namespace exposing /root/.ssh/"
|
||||
rlRun "rm -f ~/.ssh/id_rsa*"
|
||||
rlRun "ssh-keygen -f ~/.ssh/id_rsa -N \"\"" 0
|
||||
rlRun "ssh-keyscan localhost >~/.ssh/known_hosts" 0
|
||||
USER_AK_FILE=~$USER/.ssh/authorized_keys
|
||||
rlRun "cat ~/.ssh/id_rsa.pub >$USER_AK_FILE"
|
||||
rlRun "chown $USER:$USER $USER_AK_FILE"
|
||||
rlRun "chmod 0600 $USER_AK_FILE"
|
||||
rlRun "gcc -fPIC -DPIC -shared -rdynamic -o $PAM_MODULE.o $PAM_MODULE.c"
|
||||
rlRun "test -d /lib64/security && cp $PAM_MODULE.o /lib64/security/" 0,1
|
||||
rlRun "test -d /lib/security && cp $PAM_MODULE.o /lib/security/" 0,1
|
||||
rlRun "sed -i '1 i auth optional $PAM_MODULE.o' $PAM_SSHD"
|
||||
|
||||
# pam-and-env should expose information to both PAM and environmental variable;
|
||||
# we will be testing only env variable here for the time being,
|
||||
rlRun "echo 'ExposeAuthenticationMethods pam-and-env' >>$SSHD_CFG"
|
||||
rlRun "sed -i '/^ChallengeResponseAuthentication/ d' $SSHD_CFG"
|
||||
rlRun "service sshd restart"
|
||||
rlWaitForSocket 22 -t 5
|
||||
rlRun -s "ssh -i ~/.ssh/id_rsa $USER@localhost \"env|grep SSH_USER_AUTH\"" 0 \
|
||||
"Environment variable SSH_USER_AUTH is set"
|
||||
rlAssertGrep "^SSH_USER_AUTH=publickey:" $rlRun_LOG
|
||||
rlRun "rm -f $rlRun_LOG"
|
||||
|
||||
# pam-only should expose information only to PAM and not to environment variable
|
||||
rlRun "sed -i 's/pam-and-env/pam-only/' $SSHD_CFG"
|
||||
rlRun "echo 'AuthenticationMethods publickey,keyboard-interactive:pam' >>$SSHD_CFG"
|
||||
rlRun "service sshd restart"
|
||||
rlWaitForSocket 22 -t 5
|
||||
ssh_with_pass() {
|
||||
ssh_args=("-i /root/.ssh/id_rsa")
|
||||
ssh_args+=("$USER@localhost")
|
||||
cat >ssh.exp <<_EOF
|
||||
#!/usr/bin/expect -f
|
||||
|
||||
set timeout 5
|
||||
spawn ssh ${ssh_args[*]} "echo CONNECTED; env|grep SSH_USER_AUTH"
|
||||
expect {
|
||||
-re {.*[Pp]assword.*} { send -- "$PASS\r"; exp_continue }
|
||||
timeout { exit 1 }
|
||||
eof { exit 0 }
|
||||
}
|
||||
_EOF
|
||||
rlRun -s "expect -f ssh.exp"
|
||||
}
|
||||
#rlRun -s "ssh ${ssh_args[*]} \"echo CONNECTED; env|grep SSH_USER_AUTH\"" 1 \
|
||||
#"Environment variable SSH_USER_AUTH is NOT set"
|
||||
rlRun "ssh_with_pass"
|
||||
rlRun "grep -q CONNECTED $rlRun_LOG" 0 "Connection was successful"
|
||||
rlAssertGrep "^SSH_USER_AUTH: 'publickey:" /tmp/SSH_USER_AUTH
|
||||
rlRun "cat /tmp/SSH_USER_AUTH"
|
||||
rlRun "rm -f $rlRun_LOG /tmp/SSH_USER_AUTH"
|
||||
for pm in /lib64/security/$PAM_MODULE.o /lib/security/$PAM_MODULE.o; do
|
||||
rlRun "test -e $pm && rm -f $pm" 0,1
|
||||
done
|
||||
rlRun "rlFileRestore --namespace exposing"
|
||||
rlPhaseEnd
|
||||
fi
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlRun "userdel -fr $USER"
|
||||
rlFileRestore
|
||||
rlServiceRestore sshd
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
@ -1,63 +0,0 @@
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/openssh/Sanity/port-forwarding
|
||||
# Description: Testing port forwarding (ideally all possibilities: -L, -R, -D)
|
||||
# Author: Stanislav Zidek <szidek@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2015 Red Hat, Inc.
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
# published by the Free Software Foundation, either version 2 of
|
||||
# the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/openssh/Sanity/port-forwarding
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
|
||||
-include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Stanislav Zidek <szidek@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: Testing port forwarding (ideally all possibilities: -L, -R, -D)" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 5m" >> $(METADATA)
|
||||
@echo "RunFor: openssh" >> $(METADATA)
|
||||
@echo "Requires: openssh net-tools nc" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2+" >> $(METADATA)
|
||||
@echo "Confidential: yes" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
@ -1,3 +0,0 @@
|
||||
PURPOSE of /CoreOS/openssh/Sanity/port-forwarding
|
||||
Description: Testing port forwarding (ideally all possibilities: -L, -R, -D)
|
||||
Author: Stanislav Zidek <szidek@redhat.com>
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user