diff --git a/CVE-2020-12062-1.patch b/CVE-2020-12062-1.patch deleted file mode 100644 index 7c1ae1e1130771dc4541111545b871d041616c87..0000000000000000000000000000000000000000 --- a/CVE-2020-12062-1.patch +++ /dev/null 
@@ -1,202 +0,0 @@ -From aad87b88fc2536b1ea023213729aaf4eaabe1894 Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" -Date: Fri, 1 May 2020 06:31:42 +0000 -Subject: [PATCH] upstream: when receving a file in sink(), be careful to send - at - -most a single error response after the file has been opened. Otherwise the -source() and sink() can become desyncronised. Reported by Daniel Goujot, -Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache. - -ok deraadt@ markus@ - -OpenBSD-Commit-ID: 6c14d233c97349cb811a8f7921ded3ae7d9e0035 ---- - scp.c | 96 ++++++++++++++++++++++++++++++++++++----------------------- - 1 file changed, 59 insertions(+), 37 deletions(-) - -diff --git a/scp.c b/scp.c -index 812ab5301..439025980 100644 ---- a/scp.c -+++ b/scp.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: scp.c,v 1.207 2020/01/23 07:10:22 dtucker Exp $ */ -+/* $OpenBSD: scp.c,v 1.209 2020/05/01 06:31:42 djm Exp $ */ - /* - * scp - secure remote copy. This is basically patched BSD rcp which - * uses ssh to do the data transfer (instead of using rcmd). -@@ -374,6 +374,7 @@ BUF *allocbuf(BUF *, int, int); - void lostconn(int); - int okname(char *); - void run_err(const char *,...); -+int note_err(const char *,...); - void verifydir(char *); - - struct passwd *pwd; -@@ -1231,9 +1232,6 @@ sink(int argc, char **argv, const char *src) - { - static BUF buffer; - struct stat stb; -- enum { -- YES, NO, DISPLAYED -- } wrerr; - BUF *bp; - off_t i; - size_t j, count; -@@ -1241,7 +1239,7 @@ sink(int argc, char **argv, const char *src) - mode_t mode, omode, mask; - off_t size, statbytes; - unsigned long long ull; -- int setimes, targisdir, wrerrno = 0; -+ int setimes, targisdir, wrerr; - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; - char **patterns = NULL; - size_t n, npatterns = 0; -@@ -1450,8 +1448,13 @@ bad: run_err("%s: %s", np, strerror(errno)); - continue; - } - cp = bp->buf; -- wrerr = NO; -+ wrerr = 0; - -+ /* -+ * NB. 
do not use run_err() unless immediately followed by -+ * exit() below as it may send a spurious reply that might -+ * desyncronise us from the peer. Use note_err() instead. -+ */ - statbytes = 0; - if (showprogress) - start_progress_meter(curfile, size, &statbytes); -@@ -1476,11 +1479,12 @@ bad: run_err("%s: %s", np, strerror(errno)); - - if (count == bp->cnt) { - /* Keep reading so we stay sync'd up. */ -- if (wrerr == NO) { -+ if (!wrerr) { - if (atomicio(vwrite, ofd, bp->buf, - count) != count) { -- wrerr = YES; -- wrerrno = errno; -+ note_err("%s: %s", np, -+ strerror(errno)); -+ wrerr = 1; - } - } - count = 0; -@@ -1488,16 +1492,14 @@ bad: run_err("%s: %s", np, strerror(errno)); - } - } - unset_nonblock(remin); -- if (count != 0 && wrerr == NO && -+ if (count != 0 && !wrerr && - atomicio(vwrite, ofd, bp->buf, count) != count) { -- wrerr = YES; -- wrerrno = errno; -- } -- if (wrerr == NO && (!exists || S_ISREG(stb.st_mode)) && -- ftruncate(ofd, size) != 0) { -- run_err("%s: truncate: %s", np, strerror(errno)); -- wrerr = DISPLAYED; -+ note_err("%s: %s", np, strerror(errno)); -+ wrerr = 1; - } -+ if (!wrerr && (!exists || S_ISREG(stb.st_mode)) && -+ ftruncate(ofd, size) != 0) -+ note_err("%s: truncate: %s", np, strerror(errno)); - if (pflag) { - if (exists || omode != mode) - #ifdef HAVE_FCHMOD -@@ -1505,9 +1507,8 @@ bad: run_err("%s: %s", np, strerror(errno)); - #else /* HAVE_FCHMOD */ - if (chmod(np, omode)) { - #endif /* HAVE_FCHMOD */ -- run_err("%s: set mode: %s", -+ note_err("%s: set mode: %s", - np, strerror(errno)); -- wrerr = DISPLAYED; - } - } else { - if (!exists && omode != mode) -@@ -1516,36 +1517,25 @@ bad: run_err("%s: %s", np, strerror(errno)); - #else /* HAVE_FCHMOD */ - if (chmod(np, omode & ~mask)) { - #endif /* HAVE_FCHMOD */ -- run_err("%s: set mode: %s", -+ note_err("%s: set mode: %s", - np, strerror(errno)); -- wrerr = DISPLAYED; - } - } -- if (close(ofd) == -1) { -- wrerr = YES; -- wrerrno = errno; -- } -+ if (close(ofd) == -1) -+ 
note_err(np, "%s: close: %s", np, strerror(errno)); - (void) response(); - if (showprogress) - stop_progress_meter(); -- if (setimes && wrerr == NO) { -+ if (setimes && !wrerr) { - setimes = 0; - if (utimes(np, tv) == -1) { -- run_err("%s: set times: %s", -+ note_err("%s: set times: %s", - np, strerror(errno)); -- wrerr = DISPLAYED; - } - } -- switch (wrerr) { -- case YES: -- run_err("%s: %s", np, strerror(wrerrno)); -- break; -- case NO: -+ /* If no error was noted then signal success for this file */ -+ if (note_err(NULL) == 0) - (void) atomicio(vwrite, remout, "", 1); -- break; -- case DISPLAYED: -- break; -- } - } - done: - for (n = 0; n < npatterns; n++) -@@ -1633,6 +1623,38 @@ run_err(const char *fmt,...) - } - } - -+/* -+ * Notes a sink error for sending at the end of a file transfer. Returns 0 if -+ * no error has been noted or -1 otherwise. Use note_err(NULL) to flush -+ * any active error at the end of the transfer. -+ */ -+int -+note_err(const char *fmt, ...) -+{ -+ static char *emsg; -+ va_list ap; -+ -+ /* Replay any previously-noted error */ -+ if (fmt == NULL) { -+ if (emsg == NULL) -+ return 0; -+ run_err("%s", emsg); -+ free(emsg); -+ emsg = NULL; -+ return -1; -+ } -+ -+ errs++; -+ /* Prefer first-noted error */ -+ if (emsg != NULL) -+ return -1; -+ -+ va_start(ap, fmt); -+ vasnmprintf(&emsg, INT_MAX, NULL, fmt, ap); -+ va_end(ap); -+ return -1; -+} -+ - void - verifydir(char *cp) - { diff --git a/CVE-2020-12062-2.patch b/CVE-2020-12062-2.patch deleted file mode 100644 index 2e7caa80835996d40bb4e12edea7c047a5dfdd8a..0000000000000000000000000000000000000000 --- a/CVE-2020-12062-2.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 955854cafca88e0cdcd3d09ca1ad4ada465364a1 Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" -Date: Wed, 6 May 2020 20:57:38 +0000 -Subject: [PATCH] upstream: another case where a utimes() failure could make - scp send - -a desynchronising error; reminded by Aymeric Vincent ok deraadt markus - -OpenBSD-Commit-ID: 2ea611d34d8ff6d703a7a8bf858aa5dbfbfa7381 ---- - scp.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/scp.c b/scp.c -index 439025980..b4492a062 100644 ---- a/scp.c -+++ b/scp.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: scp.c,v 1.209 2020/05/01 06:31:42 djm Exp $ */ -+/* $OpenBSD: scp.c,v 1.210 2020/05/06 20:57:38 djm Exp $ */ - /* - * scp - secure remote copy. This is basically patched BSD rcp which - * uses ssh to do the data transfer (instead of using rcmd). -@@ -1427,9 +1427,7 @@ sink(int argc, char **argv, const char *src) - sink(1, vect, src); - if (setimes) { - setimes = 0; -- if (utimes(vect[0], tv) == -1) -- run_err("%s: set times: %s", -- vect[0], strerror(errno)); -+ (void) utimes(vect[0], tv); - } - if (mod_flag) - (void) chmod(vect[0], mode); diff --git a/CVE-2020-14145.patch b/CVE-2020-14145.patch deleted file mode 100644 index 76fb3e843b640c07525ef6932c6c15f6e54cd065..0000000000000000000000000000000000000000 --- a/CVE-2020-14145.patch +++ /dev/null 
@@ -1,92 +0,0 @@ -From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" -Date: Fri, 18 Sep 2020 05:23:03 +0000 -Subject: upstream: tweak the client hostkey preference ordering algorithm to - -prefer the default ordering if the user has a key that matches the -best-preference default algorithm. - -feedback and ok markus@ - -OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f ---- - sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 38 insertions(+), 3 deletions(-) - -diff --git a/sshconnect2.c b/sshconnect2.c -index 347e348c..f64aae66 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: sshconnect2.c,v 1.320 2020/02/06 22:48:23 djm Exp $ */ -+/* $OpenBSD: sshconnect2.c,v 1.326 2020/09/18 05:23:03 djm Exp $ */ - /* - * Copyright (c) 2000 Markus Friedl. All rights reserved. - * Copyright (c) 2008 Damien Miller. All rights reserved. -@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) - return 0; - } - -+/* Returns the first item from a comma-separated algorithm list */ -+static char * -+first_alg(const char *algs) -+{ -+ char *ret, *cp; -+ -+ ret = xstrdup(algs); -+ if ((cp = strchr(ret, ',')) != NULL) -+ *cp = '\0'; -+ return ret; -+} -+ - static char * - order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) - { -- char *oavail, *avail, *first, *last, *alg, *hostname, *ret; -+ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL; -+ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL; - size_t maxlen; -- struct hostkeys *hostkeys; -+ struct hostkeys *hostkeys = NULL; - int ktype; - u_int i; - -@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) - for (i = 0; i < options.num_system_hostfiles; i++) - load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); - -+ /* -+ * If a plain public key exists that matches the type of the best -+ * preference 
HostkeyAlgorithms, then use the whole list as is. -+ * Note that we ignore whether the best preference algorithm is a -+ * certificate type, as sshconnect.c will downgrade certs to -+ * plain keys if necessary. -+ */ -+ best = first_alg(options.hostkeyalgorithms); -+ if (lookup_key_in_hostkeys_by_type(hostkeys, -+ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) { -+ debug3("%s: have matching best-preference key type %s, " -+ "using HostkeyAlgorithms verbatim", __func__, best); -+ ret = xstrdup(options.hostkeyalgorithms); -+ goto out; -+ } -+ -+ /* -+ * Otherwise, prefer the host key algorithms that match known keys -+ * while keeping the ordering of HostkeyAlgorithms as much as possible. -+ */ - oavail = avail = xstrdup(options.hostkeyalgorithms); - maxlen = strlen(avail) + 1; - first = xmalloc(maxlen); -@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) - if (*first != '\0') - debug3("%s: prefer hostkeyalgs: %s", __func__, first); - -+ out: -+ free(best); - free(first); - free(last); - free(hostname); --- -cgit v1.2.3 - diff --git a/openssh-5.1p1-askpass-progress.patch b/openssh-5.1p1-askpass-progress.patch index 21f6502390f93801bdca3f1e21730de0d8b18282..e0ecb80d7513132d88e854f3d1c7800c703fb39d 100644 --- a/openssh-5.1p1-askpass-progress.patch +++ b/openssh-5.1p1-askpass-progress.patch @@ -2,15 +2,15 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr --- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:16.545211926 +0100 @@ -53,6 +53,7 @@ - #include #include + #include +#include #include #include - + #include @@ -81,14 +82,25 @@ ok_dialog(GtkWidget *entry, gpointer dia - gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK); + return 1; } +static void 
@@ -34,39 +34,44 @@ diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.progress openssh-7.4p1/contr - GtkWidget *parent_window, *dialog, *entry; + GtkWidget *parent_window, *dialog, *entry, *progress, *hbox; GdkGrabStatus status; + GdkColor fg, bg; + int fg_set = 0, bg_set = 0; +@@ -104,14 +116,19 @@ passphrase_dialog(char *message) + gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg); - grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL); -@@ -104,16 +116,37 @@ passphrase_dialog(char *message) - gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE); - - if (prompt_type == PROMPT_ENTRY) { + if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) { + hbox = gtk_hbox_new(FALSE, 0); + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, + FALSE, 0); + gtk_widget_show(hbox); + entry = gtk_entry_new(); + if (fg_set) + gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg); + if (bg_set) + gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg); gtk_box_pack_start( - GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))), - entry, FALSE, FALSE, 0); -+ GTK_BOX(hbox), entry, -+ TRUE, FALSE, 0); ++ GTK_BOX(hbox), entry, TRUE, FALSE, 0); + gtk_entry_set_width_chars(GTK_ENTRY(entry), 2); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_widget_grab_focus(entry); - gtk_widget_show(entry); - /* Make close dialog */ - g_signal_connect(G_OBJECT(entry), "activate", - G_CALLBACK(ok_dialog), dialog); + if (prompt_type == PROMPT_ENTRY) { +@@ -130,6 +145,22 @@ passphrase_dialog(char *message) + g_signal_connect(G_OBJECT(entry), "key_press_event", + G_CALLBACK(check_none), dialog); + } + + hbox = gtk_hbox_new(FALSE, 0); -+ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE, -+ FALSE, 8); ++ gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), ++ hbox, FALSE, FALSE, 8); + gtk_widget_show(hbox); + + progress = gtk_progress_bar_new(); + -+ gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally"); ++ 
gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), ++ "Passphrase length hidden intentionally"); + gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE, + TRUE, 5); + gtk_widget_show(progress); diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch index 12602424031b2991fe9ed3b1882af0dfa16cc628..664e11a8a2daa6efb7443be4e81028977f546fa2 100644 --- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/openssh-6.6.1p1-log-in-chroot.patch @@ -2,14 +2,14 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c --- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100 @@ -250,6 +250,11 @@ debug3(const char *fmt,...) - void - log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) + log_init(const char *av0, LogLevel level, SyslogFacility facility, + int on_stderr) { + log_init_handler(av0, level, facility, on_stderr, 1); +} + +void -+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) { ++log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) struct syslog_data sdata = SYSLOG_DATA_INIT; #endif @@ -30,10 +30,10 @@ diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h --- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 +++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100 @@ -49,6 +49,7 @@ typedef enum { - typedef void (log_handler_fn)(LogLevel, const char *, void *); + const char *, void *); - void log_init(char *, LogLevel, SyslogFacility, int); -+void log_init_handler(char *, LogLevel, SyslogFacility, int, int); + void log_init(const char *, LogLevel, SyslogFacility, int); ++void log_init_handler(const char *, LogLevel, SyslogFacility, int, int); LogLevel log_level_get(void); int log_change_level(LogLevel); int log_is_on_stderr(void); 
@@ -59,14 +59,14 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c ssh_signal(SIGHUP, &monitor_child_handler); ssh_signal(SIGTERM, &monitor_child_handler); @@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito + /* Log it */ if (log_level_name(level) == NULL) - fatal("%s: invalid log level %u (corrupted message?)", - __func__, level); -- do_log2(level, "%s [preauth]", msg); -+ do_log2(level, "%s [%s]", msg, pmonitor->m_state); + fatal_f("invalid log level %u (corrupted message?)", level); +- sshlog(file, func, line, 0, level, NULL, "%s [preauth]", msg); ++ sshlog(file, func, line, 0, level, NULL, "%s [%s]", msg, pmonitor->m_state); sshbuf_free(logmsg); - free(msg); + free(file); @@ -1719,13 +1723,28 @@ monitor_init(void) mon = xcalloc(1, sizeof(*mon)); monitor_openfds(mon, 1); @@ -89,7 +89,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c + xasprintf(&dev_log_path, "%s/dev/log", chroot_dir); + + if (stat(dev_log_path, &dev_log_stat) != 0) { -+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir); ++ debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir); + do_logfds = 1; + } + free(dev_log_path); @@ -145,9 +145,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c session_type, tty == NULL ? "" : " on ", @@ -1486,14 +1492,6 @@ child_close_fds(void) - * descriptors left by system functions. They will be closed later. - */ - endpwent(); + + /* Stop directing logs to a high-numbered fd before we close it */ + log_redirect_stderr_to(NULL); - - /* - * Close any extra open file descriptors so that we don't have them diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/openssh-6.6.1p1-selinux-contexts.patch index 3a7193e817c05d6b82b1e10feb7f978346629e35..fa9d5914de1250f852dd63ceda625ecafeeed748 100644 --- a/openssh-6.6.1p1-selinux-contexts.patch 
+++ b/openssh-6.6.1p1-selinux-contexts.patch @@ -34,19 +34,19 @@ index 8f32464..18a2ca4 100644 + + contexts_path = selinux_openssh_contexts_path(); + if (contexts_path == NULL) { -+ debug3("%s: Failed to get the path to SELinux context", __func__); ++ debug3_f("Failed to get the path to SELinux context"); + return; + } + + if ((contexts_file = fopen(contexts_path, "r")) == NULL) { -+ debug("%s: Failed to open SELinux context file", __func__); ++ debug_f("Failed to open SELinux context file"); + return; + } + + if (fstat(fileno(contexts_file), &sb) != 0 || + sb.st_uid != 0 || (sb.st_mode & 022) != 0) { -+ logit("%s: SELinux context file needs to be owned by root" -+ " and not writable by anyone else", __func__); ++ logit_f("SELinux context file needs to be owned by root" ++ " and not writable by anyone else"); + fclose(contexts_file); + return; + } @@ -70,7 +70,7 @@ index 8f32464..18a2ca4 100644 + if (arg && strcmp(arg, "privsep_preauth") == 0) { + arg = strdelim(&cp); + if (!arg || *arg == '\0') { -+ debug("%s: privsep_preauth is empty", __func__); ++ debug_f("privsep_preauth is empty"); + fclose(contexts_file); + return; + } @@ -80,8 +80,8 @@ index 8f32464..18a2ca4 100644 + fclose(contexts_file); + + if (preauth_context == NULL) { -+ debug("%s: Unable to find 'privsep_preauth' option in" -+ " SELinux context file", __func__); ++ debug_f("Unable to find 'privsep_preauth' option in" ++ " SELinux context file"); + return; + } + @@ -101,10 +101,11 @@ index 22ea8ef..1fc963d 100644 if ((cx = index(cx + 1, ':'))) strlcat(newctx, cx, newlen); - debug3("%s: setting context from '%s' to '%s'", __func__, -+ debug("%s: setting context from '%s' to '%s'", __func__, ++ debug_f("setting context from '%s' to '%s'", oldctx, newctx); if (setcon(newctx) < 0) - switchlog("%s: setcon %s from %s failed with %s", __func__, + do_log2(log_level, "%s: setcon %s from %s failed with %s", + __func__, newctx, oldctx, strerror(errno)); 
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h index cb51f99..8b7cda2 100644 --- a/openbsd-compat/port-linux.h diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch index 01ea15612c219fd1dd67d4ebeb8553b5bde4d1cb..6ee2535dc1842ef01e1ecd7efd9c1b88ab9d82f5 100644 --- a/openssh-6.6p1-GSSAPIEnablek5users.patch +++ b/openssh-6.6p1-GSSAPIEnablek5users.patch @@ -39,8 +39,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -418,7 +421,7 @@ typedef enum { - sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, - sHostKeyAlgorithms, + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms, + sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch index 5fc9b9ed4200db798631af792f74996c0ab7400f..2aa14bd44e420e4e5a87f56dc6df9da1d935e5cd 100644 --- a/openssh-6.6p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch @@ -1,10 +1,10 @@ -diff -up openssh/auth.c.keycat openssh/misc.c ---- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200 -+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200 -@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw +diff -up openssh/misc.c.keycat openssh/misc.c +--- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200 ++++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200 +@@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw + error("%s: dup2: %s", tag, strerror(errno)); _exit(1); } - +#ifdef WITH_SELINUX + if (sshd_selinux_setup_env_variables() < 0) { + error ("failed to copy environment: %s", 
@@ -12,10 +12,9 @@ diff -up openssh/auth.c.keycat openssh/misc.c + _exit(127); + } +#endif -+ - execve(av[0], av, child_env); - error("%s exec \"%s\": %s", tag, command, strerror(errno)); - _exit(127); + if (env != NULL) + execve(av[0], av, env); + else diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat --- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200 +++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200 @@ -36,16 +35,16 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in --- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200 +++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200 @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server + ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass + SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign - SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper - SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper +SSH_KEYCAT=$(libexecdir)/ssh-keycat SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper PRIVSEP_PATH=@PRIVSEP_PATH@ @@ -52,6 +52,7 @@ K5LIBS=@K5LIBS@ + K5LIBS=@K5LIBS@ GSSLIBS=@GSSLIBS@ - SSHLIBS=@SSHLIBS@ SSHDLIBS=@SSHDLIBS@ +KEYCATLIBS=@KEYCATLIBS@ LIBEDIT=@LIBEDIT@ 
@@ -55,25 +54,25 @@ diff -up openssh/Makefile.in.keycat openssh/Makefile.in .SUFFIXES: .lo --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) XMSS_OBJS=\ ssh-xmss.o \ 
@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) - ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o - $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LDAPLIBS) + ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(SKHELPER_OBJS) + $(LD) -o $@ $(SKHELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) $(LIBFIDO2) +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o -+ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(KEYCATLIBS) $(LIBS) ++ $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) @@ -321,6 +325,7 @@ install-files: - $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ - $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ - fi + $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) @@ -466,16 +465,16 @@ index 3bbccfd..6481f1f 100644 esac fi @@ -4042,6 +4044,7 @@ AC_ARG_WITH([selinux], + fi ] ) - AC_SUBST([SSHLIBS]) AC_SUBST([SSHDLIBS]) +AC_SUBST([KEYCATLIBS]) # Check whether user wants Kerberos 5 support KRB5_MSG="no" 
@@ -5031,6 +5034,9 @@ fi - if test ! -z "${SSHLIBS}"; then - echo " +for ssh: ${SSHLIBS}" + if test ! -z "${SSHDLIBS}"; then + echo " +for sshd: ${SSHDLIBS}" fi +if test ! -z "${KEYCATLIBS}"; then +echo " +for ssh-keycat: ${KEYCATLIBS}" diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index 8428c1c8eca9b9b0b26fca2407e0c1991626a2c6..407ff4cdb3b4a6457820220c2db5681c0035d37c 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -193,7 +193,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -399,7 +402,7 @@ typedef enum { - sPermitRootLogin, sLogFacility, sLogLevel, + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, sKerberosUniqueCCache, @@ -217,7 +217,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, @@ -1644,6 +1649,10 @@ process_server_config_line(ServerOptions - *activep = (inc_flags & SSHCFG_NEVERMATCH) ? 0 : value; + *inc_flags &= ~SSHCFG_MATCH_ONLY; break; + case sKerberosUseKuserok: diff --git a/openssh-6.6p1-privsep-selinux.patch b/openssh-6.6p1-privsep-selinux.patch index 3d4c2874ba6270e29b5b8e7d129c830516f192a7..8047fc339447d01fe0a419fb9180bdd0bece663b 100644 --- a/openssh-6.6p1-privsep-selinux.patch +++ b/openssh-6.6p1-privsep-selinux.patch @@ -13,7 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh- --- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100 +++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100 
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw - debug3("%s: done", __func__); + debug3_f("done"); } +void @@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh- + return; + + if (getexeccon((security_context_t *)&ctx) != 0) { -+ logit("%s: getexeccon failed with %s", __func__, strerror(errno)); ++ logit_f("getexeccon failed with %s", strerror(errno)); + return; + } + if (ctx != NULL) { + /* unset exec context before we will lose this capabililty */ + if (setexeccon(NULL) != 0) -+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno)); ++ fatal_f("setexeccon failed with %s", strerror(errno)); + if (setcon(ctx) != 0) -+ fatal("%s: setcon failed with %s", __func__, strerror(errno)); ++ fatal_f("setcon failed with %s", strerror(errno)); + freecon(ctx); + } +} diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 3f34464f51a09454c49053ce9e4eb769a6d1693b..5b75dda6d942c81ec792c97f9f636ec895baaa77 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -34,7 +34,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c @@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || (tmp2 = dup(pmonitor->m_recvfd)) == -1) { - error("%s: cannot allocate fds for pty", __func__); + error_f("cannot allocate fds for pty"); - if (tmp1 > 0) + if (tmp1 >= 0) close(tmp1); @@ -120,11 +120,11 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c - while (read(notify_pipe[0], &c, 1) != -1) + if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) + while (read(notify_pipe[0], &c, 1) >= 0) - debug2("%s: reading", __func__); + debug2_f("reading"); } @@ -518,7 +518,7 @@ server_request_tun(void) - debug("%s: invalid tun", __func__); + debug_f("invalid tun"); goto done; } - if (auth_opts->force_tun_device != -1) { 
diff --git a/openssh-6.7p1-sftp-force-permission.patch b/openssh-6.7p1-sftp-force-permission.patch index 2d6e7304370b8f879cadeffceb2a9a4206df095f..1cfa309425c786b2cec52f51aac9a0ef16fc3d62 100644 --- a/openssh-6.7p1-sftp-force-permission.patch +++ b/openssh-6.7p1-sftp-force-permission.patch @@ -2,21 +2,23 @@ diff -up openssh-7.2p2/sftp-server.8.sftp-force-mode openssh-7.2p2/sftp-server.8 --- openssh-7.2p2/sftp-server.8.sftp-force-mode 2016-03-09 19:04:48.000000000 +0100 +++ openssh-7.2p2/sftp-server.8 2016-06-23 16:18:20.463854117 +0200 @@ -38,6 +38,7 @@ - .Op Fl P Ar blacklisted_requests - .Op Fl p Ar whitelisted_requests + .Op Fl P Ar denied_requests + .Op Fl p Ar allowed_requests .Op Fl u Ar umask +.Op Fl m Ar force_file_perms .Ek .Nm .Fl Q Ar protocol_feature -@@ -138,6 +139,10 @@ Sets an explicit +@@ -138,6 +139,12 @@ Sets an explicit .Xr umask 2 to be applied to newly-created files and directories, instead of the user's default mask. +.It Fl m Ar force_file_perms +Sets explicit file permissions to be applied to newly-created files instead +of the default or client requested mode. Numeric values include: -+777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set. ++777, 755, 750, 666, 644, 640, etc. Using both -m and -u switches makes the ++umask (-u) effective only for newly created directories and explicit mode (-m) ++for newly created files. .El .Pp On some systems, @@ -65,9 +67,9 @@ diff -up openssh-7.2p2/sftp-server.c.sftp-force-mode openssh-7.2p2/sftp-server.c @@ -1494,7 +1505,7 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " - "[-l log_level]\n\t[-P blacklisted_requests] " -- "[-p whitelisted_requests] [-u umask]\n" -+ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n" + "[-l log_level]\n\t[-P denied_requests] " +- "[-p allowed_requests] [-u umask]\n" ++ "[-p allowed_requests] [-u umask] [-m force_file_perms]\n" " %s -Q protocol_feature\n", __progname, __progname); exit(1); 
diff --git a/openssh-7.1p2-audit-race-condition.patch b/openssh-7.1p2-audit-race-condition.patch index 9c9a6804735d4f6d762d1ec28de4a1b25c8f9e71..b5895f7a35a63ec27f875ae09c54320fa740e0c1 100644 --- a/openssh-7.1p2-audit-race-condition.patch +++ b/openssh-7.1p2-audit-race-condition.patch @@ -13,33 +13,33 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c + struct sshbuf *m; + int r, ret = 0; + -+ debug3("%s: entering", __func__); ++ debug3_f("entering"); + if ((m = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + do { + blen = atomicio(read, fdin, buf, sizeof(buf)); + if (blen == 0) /* closed pipe */ + break; + if (blen != sizeof(buf)) { -+ error("%s: Failed to read the buffer from child", __func__); ++ error_f("Failed to read the buffer from child"); + ret = -1; + break; + } + + msg_len = get_u32(buf); + if (msg_len > 256 * 1024) -+ fatal("%s: read: bad msg_len %d", __func__, msg_len); ++ fatal_f("read: bad msg_len %d", msg_len); + sshbuf_reset(m); + if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) { -+ error("%s: Failed to read the the buffer content from the child", __func__); ++ error_f("Failed to read the the buffer content from the child"); + ret = -1; + break; + } + if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || + atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) { -+ error("%s: Failed to write the message to the monitor", __func__); ++ error_f("Failed to write the message to the monitor"); + ret = -1; + break; + } @@ -137,7 +137,7 @@ diff -up openssh-7.4p1/session.c.audit-race openssh-7.4p1/session.c } @@ -1538,6 +1565,34 @@ child_close_fds(void) - endpwent(); + log_redirect_stderr_to(NULL); } +void 
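Review bot: The rewritten bounds check `fatal_f("read: bad msg_len %d", msg_len);` in the first hunk formats msg_len with `%d`, although the value is taken from `get_u32(buf)` a few lines earlier and so is presumably unsigned; the check itself is the right place to reject an oversized length coming from the child, but the specifier should match the type, `fatal_f("read: bad msg_len %u", msg_len);`. The same hunk also carries the doubled word in `error_f("Failed to read the the buffer content from the child");`, which could be corrected while the line is already being rewritten. The declaration of msg_len and the start of the enclosing function lie outside the hunk.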
diff --git a/openssh-7.2p2-k5login_directory.patch b/openssh-7.2p2-k5login_directory.patch index 242294a2cdb82184f344ce395bbe93e95394316c..80e7678e91446df8d10b336c4e330206a96b3def 100644 --- a/openssh-7.2p2-k5login_directory.patch +++ b/openssh-7.2p2-k5login_directory.patch @@ -49,7 +49,7 @@ index a7c0c5f..df8cc9a 100644 + int ret = 0; + + ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory); -+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret); ++ debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret); + if (k5login_directory == NULL || ret != 0) { + /* If not set, the library will look for k5login + * files in the user's home directory, with the filename .k5login. @@ -64,7 +64,7 @@ index a7c0c5f..df8cc9a 100644 + k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "", + pw->pw_name); + } -+ debug("%s: Checking existence of file %s", __func__, file); ++ debug_f("Checking existence of file %s", file); - snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir); return access(file, F_OK) == 0; diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index 024d9905475dd11bbc0f3e7085ae1f3fd08ab961..85d06501b86e850ec378d7ffd46980a9eb7eff76 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -883,8 +883,8 @@ diff -up openssh/cipher.c.audit openssh/cipher.c - if (cc == NULL) + if (cc == NULL || cc->cipher == NULL) return; - if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) - explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx)); + if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) { + chachapoly_free(cc->cp_ctx); diff -up openssh/cipher.h.audit openssh/cipher.h --- openssh/cipher.h.audit 2019-03-27 23:26:14.000000000 +0100 +++ openssh/cipher.h 2019-04-03 17:02:20.714886050 +0200 
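Review bot: `debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);` in the first hunk passes k5login_directory to `%s` one line before the code tests it for NULL, so the log call can hand a null pointer to the formatter, which is undefined behaviour in C even though glibc happens to print "(null)". Either move the debug line below the `k5login_directory == NULL || ret != 0` check or guard the argument, `k5login_directory != NULL ? k5login_directory : "(unset)"`. The enclosing function starts outside the hunk, so it is not visible here whether the pointer is initialised before the helper call.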
@@ -943,7 +943,7 @@ diff -up openssh/kex.c.audit openssh/kex.c return SSH_ERR_NO_CIPHER_ALG_MATCH; + } if ((enc->cipher = cipher_by_name(name)) == NULL) { - error("%s: unsupported cipher %s", __func__, name); + error_f("unsupported cipher %s", name); free(name); @@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma { @@ -957,7 +957,7 @@ diff -up openssh/kex.c.audit openssh/kex.c return SSH_ERR_NO_MAC_ALG_MATCH; + } if (mac_setup(mac, name) < 0) { - error("%s: unsupported MAC %s", __func__, name); + error_f("unsupported MAC %s", name); free(name); @@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma } @@ -1094,7 +1094,7 @@ diff -up openssh/Makefile.in.audit openssh/Makefile.in --- openssh/Makefile.in.audit 2019-04-03 17:02:20.705885965 +0200 +++ openssh/Makefile.in 2019-04-03 17:02:20.715886060 +0200 @@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ - sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ + kexsntrup761x25519.o sntrup761.o kexgen.o \ kexgssc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ - sshbuf-io.o @@ -1158,8 +1158,8 @@ diff -up openssh/monitor.c.audit openssh/monitor.c {0, 0, NULL} }; @@ -1445,8 +1462,10 @@ mm_answer_keyverify(struct ssh *ssh, int - size_t signaturelen, datalen, bloblen; - int r, ret, req_presence = 0, valid_data = 0, encoded_ret; + int r, ret, req_presence = 0, req_verify = 0, valid_data = 0; + int encoded_ret; struct sshkey_sig_details *sig_details = NULL; + int type = 0; @@ -1172,15 +1172,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c 
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) - fatal("%s: bad key, not previously allowed", __func__); + fatal_f("bad key, not previously allowed"); + if (type != key_blobtype) -+ fatal("%s: bad key type", __func__); ++ fatal_f("bad key type"); /* Empty signature algorithm means NULL. */ if (*sigalg == '\0') { -@@ -1470,25 +1491,28 @@ mm_answer_keyverify(struct ssh *ssh, int +@@ -1470,27 +1491,30 @@ mm_answer_keyverify(struct ssh *ssh, int case MM_USERKEY: - valid_data = monitor_valid_userblob(data, datalen); + valid_data = monitor_valid_userblob(ssh, data, datalen); auth_method = "publickey"; + ret = user_key_verify(ssh, key, signature, signaturelen, data, + datalen, sigalg, ssh->compat, &sig_details); @@ -1198,15 +1198,17 @@ diff -up openssh/monitor.c.audit openssh/monitor.c break; } if (!valid_data) - fatal("%s: bad signature data blob", __func__); + fatal_f("bad %s signature data blob", + key_blobtype == MM_USERKEY ? "userkey" : + (key_blobtype == MM_HOSTKEY ? "hostkey" : "unknown")); if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) - fatal("%s: sshkey_fingerprint failed", __func__); + fatal_f("sshkey_fingerprint failed"); - ret = sshkey_verify(key, signature, signaturelen, data, datalen, - sigalg, ssh->compat, &sig_details); - debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key, + debug3_f("%s %p signature %s%s%s", auth_method, key, (ret == 0) ? "verified" : "unverified", (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); @@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session 
@@ -1216,14 +1218,14 @@ diff -up openssh/monitor.c.audit openssh/monitor.c -mm_session_close(Session *s) +mm_session_close(struct ssh *ssh, Session *s) { - debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); + debug3_f("session %d pid %ld", s->self, (long)s->pid); if (s->ttyfd != -1) { - debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); + debug3_f("tty %s ptyfd %d", s->tty, s->ptyfd); session_pty_cleanup2(s); } +#ifdef SSH_AUDIT_EVENTS + if (s->command != NULL) { -+ debug3("%s: command %d", __func__, s->command_handle); ++ debug3_f("command %d", s->command_handle); + session_end_command2(ssh, s); + } +#endif @@ -1237,11 +1239,11 @@ diff -up openssh/monitor.c.audit openssh/monitor.c - mm_session_close(s); + mm_session_close(ssh, s); if ((r = sshbuf_put_u32(m, 0)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "assemble 0"); mm_request_send(sock, MONITOR_ANS_PTY, m); @@ -1628,7 +1658,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse tty"); if ((s = session_by_tty(tty)) != NULL) - mm_session_close(s); + mm_session_close(ssh, s); @@ -1271,7 +1273,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c - audit_run_command(cmd); + s = session_new(); + if (s == NULL) -+ fatal("%s: error allocating a session", __func__); ++ fatal_f("error allocating a session"); + s->command = cmd; +#ifdef SSH_AUDIT_EVENTS + s->command_handle = audit_run_command(ssh, cmd); 
@@ -1293,15 +1295,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c + u_char *cmd = NULL; + Session *s; + -+ debug3("%s entering", __func__); ++ debug3_f("entering"); + if ((r = sshbuf_get_u32(m, &handle)) != 0 || + (r = sshbuf_get_string(m, &cmd, &len)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + s = session_by_id(handle); + if (s == NULL || s->ttyfd != -1 || s->command == NULL || + strcmp(s->command, cmd) != 0) -+ fatal("%s: invalid handle", __func__); ++ fatal_f("invalid handle"); + mm_session_close(ssh, s); free(cmd); return (0); @@ -1311,13 +1313,13 @@ diff -up openssh/monitor.c.audit openssh/monitor.c mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor) { + struct sshbuf *m; - debug3("%s: Waiting for new keys", __func__); + debug3_f("Waiting for new keys"); if ((child_state = sshbuf_new()) == NULL) @@ -1774,6 +1842,19 @@ mm_get_keystate(struct ssh *ssh, struct mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, child_state); - debug3("%s: GOT new keys", __func__); + debug3_f("GOT new keys"); + +#ifdef SSH_AUDIT_EVENTS + m = sshbuf_new(); @@ -1345,7 +1347,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c + int what, r; + + if ((r = sshbuf_get_u32(m, &what)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + audit_unsupported_body(ssh, what); + @@ -1370,10 +1372,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c + (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 || + (r = sshbuf_get_u64(m, &tmp)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + pid = (pid_t) tmp; + if ((r = sshbuf_get_u64(m, &tmp)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + uid = (pid_t) tmp; + + audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid); 
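Review bot: `strcmp(s->command, cmd) != 0` passes `cmd`, declared `u_char *cmd = NULL;` and filled by `sshbuf_get_string(m, &cmd, &len)`, to a `const char *` parameter, which is the pointer-sign mismatch GCC reports under -Wall; within the hunk `len` is never consulted after the read, so the comparison also stops at the first NUL byte of whatever the child sent. Declaring `char *cmd` (or casting at the call) and comparing with the length as well, `strlen(s->command) != len || memcmp(s->command, cmd, len) != 0`, makes the handle validation both warning-free and exact. The enclosing function starts above this hunk.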
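Review bot: `uid = (pid_t) tmp;` casts the uid field to pid_t, while the neighbouring session-key-free handler in the next hunk writes the same field as `uid = (uid_t) tmp;`; this one should read `uid = (uid_t) tmp;` too. Both are 32-bit integers on common platforms, so the value is unchanged today, but the mismatch reads as a copy-paste slip and hides the intent of the conversion. The enclosing function starts above this hunk.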
@@ -1398,10 +1400,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c + + if ((r = sshbuf_get_u32(m, &ctos)) != 0 || + (r = sshbuf_get_u64(m, &tmp)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + pid = (pid_t) tmp; + if ((r = sshbuf_get_u64(m, &tmp)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + uid = (uid_t) tmp; + + audit_session_key_free_body(ssh, ctos, pid, uid); @@ -1423,10 +1425,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c + + if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 || + (r = sshbuf_get_u64(m, &tmp)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + pid = (pid_t) tmp; + if ((r = sshbuf_get_u64(m, &tmp)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + uid = (uid_t) tmp; + + audit_destroy_sensitive_data(ssh, fp, pid, uid); @@ -1470,7 +1472,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c @@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke *sig_detailsp = NULL; if ((m = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); - if ((r = sshkey_puts(key, m)) != 0 || + if ((r = sshbuf_put_u32(m, type)) != 0 || + (r = sshkey_puts(key, m)) != 0 || @@ -1522,7 +1524,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m); + + if ((r = sshbuf_get_u32(m, &handle)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + sshbuf_free(m); + + return (handle); 
@@ -1534,13 +1536,13 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c + int r; + struct sshbuf *m; + -+ debug3("%s entering command %s", __func__, command); ++ debug3_f("entering command %s", command); + + if ((m = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + if ((r = sshbuf_put_u32(m, handle)) != 0 || + (r = sshbuf_put_cstring(m, command)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m); sshbuf_free(m); @@ -1558,9 +1560,9 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c + struct sshbuf *m; + + if ((m = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + if ((r = sshbuf_put_u32(m, what)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED, @@ -1577,7 +1579,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c + struct sshbuf *m; + + if ((m = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + if ((r = sshbuf_put_u32(m, ctos)) != 0 || + (r = sshbuf_put_cstring(m, cipher)) != 0 || + (r = sshbuf_put_cstring(m, (mac ? mac : ""))) != 0 || @@ -1585,7 +1587,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c + (r = sshbuf_put_cstring(m, fps)) != 0 || + (r = sshbuf_put_u64(m, pid)) != 0 || + (r = sshbuf_put_u64(m, uid)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX, 
@@ -1601,11 +1603,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c + struct sshbuf *m; + + if ((m = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + if ((r = sshbuf_put_u32(m, ctos)) != 0 || + (r = sshbuf_put_u64(m, pid)) != 0 || + (r = sshbuf_put_u64(m, uid)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, @@ -1620,11 +1622,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c + struct sshbuf *m; + + if ((m = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + if ((r = sshbuf_put_cstring(m, fp)) != 0 || + (r = sshbuf_put_u64(m, pid)) != 0 || + (r = sshbuf_put_u64(m, uid)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m); + sshbuf_free(m); @@ -1738,7 +1740,7 @@ diff -up openssh/packet.c.audit openssh/packet.c state->newkeys[mode] = NULL; } /* note that both bytes and the seqnr are not reset */ -@@ -2167,6 +2183,71 @@ ssh_packet_get_output(struct ssh *ssh) +@@ -2167,6 +2183,72 @@ ssh_packet_get_output(struct ssh *ssh) return (void *)ssh->state->output; } @@ -1769,6 +1771,7 @@ diff -up openssh/packet.c.audit openssh/packet.c + + cipher_free(state->receive_context); + cipher_free(state->send_context); ++ state->send_context = state->receive_context = NULL; + + sshbuf_free(state->input); + state->input = NULL; @@ -1902,7 +1905,7 @@ diff -up openssh/session.c.audit openssh/session.c + if (s->used) + return s; + } -+ debug("%s: unknown id %d", __func__, id); ++ debug_f("unknown id %d", id); + session_dump(); + return NULL; +} 
@@ -2114,7 +2117,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c sshkey_free(sensitive_data.host_certificates[i]); sensitive_data.host_certificates[i] = NULL; } -@@ -400,14 +437,26 @@ destroy_sensitive_data(void) +@@ -400,20 +437,38 @@ destroy_sensitive_data(void) /* Demote private to public keys for network child */ void @@ -2141,9 +2144,8 @@ diff -up openssh/sshd.c.audit openssh/sshd.c + fp = NULL; if ((r = sshkey_from_private( sensitive_data.host_keys[i], &tmp)) != 0) - fatal("could not demote host %s key: %s", -@@ -415,6 +464,12 @@ demote_sensitive_data(void) - ssh_err(r)); + fatal_r(r, "could not demote host %s key", + sshkey_type(sensitive_data.host_keys[i])); sshkey_free(sensitive_data.host_keys[i]); sensitive_data.host_keys[i] = tmp; + if (fp != NULL) { @@ -2253,7 +2255,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c do_cleanup(the_active_state, the_authctxt); if (use_privsep && privsep_is_preauth && @@ -2414,9 +2482,16 @@ cleanup_exit(int i) - pmonitor->m_pid, strerror(errno)); + } } } + is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0; diff --git a/openssh-7.6p1-cleanup-selinux.patch b/openssh-7.6p1-cleanup-selinux.patch index 08cd349efe1e3ca98834ede2311b8e3e9ce9ca0e..f7cd50fe548dc9feafe88431f15f5110ecafd53b 100644 --- a/openssh-7.6p1-cleanup-selinux.patch +++ b/openssh-7.6p1-cleanup-selinux.patch @@ -2,9 +2,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c --- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200 +++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200 @@ -72,6 +72,9 @@ + + /* import */ extern ServerOptions options; - extern u_char *session_id2; - extern u_int session_id2_len; +extern int inetd_flag; +extern int rexeced_flag; +extern Authctxt *the_authctxt; @@ -12,59 +12,59 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c static char * format_key(const struct sshkey *key) 
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh - - if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command, + if ((pid = subprocess("AuthorizedPrincipalsCommand", command, ac, av, &f, -- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) -+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, + SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, +- runas_pw, temporarily_use_uid, restore_uid)) == 0) ++ runas_pw, temporarily_use_uid, restore_uid, + (inetd_flag && !rexeced_flag), the_authctxt)) == 0) goto out; uid_swapped = 1; @@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss - - if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command, + if ((pid = subprocess("AuthorizedKeysCommand", command, ac, av, &f, -- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) -+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, + SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, +- runas_pw, temporarily_use_uid, restore_uid)) == 0) ++ runas_pw, temporarily_use_uid, restore_uid, + (inetd_flag && !rexeced_flag), the_authctxt)) == 0) goto out; uid_swapped = 1; -diff -up openssh/auth.c.refactor openssh/auth.c ---- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200 -+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200 +diff -up openssh/misc.c.refactor openssh/misc.c +--- openssh/misc.c.refactor 2019-04-04 13:19:12.235821686 +0200 ++++ openssh/misc.c 2019-04-04 13:19:12.276822078 +0200 
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh * - */ pid_t - subprocess(const char *tag, struct passwd *pw, const char *command, -- int ac, char **av, FILE **child, u_int flags) -+ int ac, char **av, FILE **child, u_int flags, int inetd, -+ void *the_authctxt) + subprocess(const char *tag, const char *command, + int ac, char **av, FILE **child, u_int flags, +- struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs) ++ struct passwd *pw, privdrop_fn *drop_privs, ++ privrestore_fn *restore_privs, int inetd, void *the_authctxt) { FILE *f = NULL; struct stat st; @@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw + _exit(1); } - #ifdef WITH_SELINUX - if (sshd_selinux_setup_env_variables() < 0) { + if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) { error ("failed to copy environment: %s", strerror(errno)); _exit(127); -diff -up openssh/auth.h.refactor openssh/auth.h ---- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200 -+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200 +diff -up openssh/misc.h.refactor openssh/misc.h +--- openssh/misc.h.refactor 2019-04-04 13:19:12.251821839 +0200 ++++ openssh/misc.h 2019-04-04 13:19:12.276822078 +0200 
@@ -235,7 +235,7 @@ struct passwd *fakepw(void); - #define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */ - #define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */ - pid_t subprocess(const char *, struct passwd *, -- const char *, int, char **, FILE **, u_int flags); -+ const char *, int, char **, FILE **, u_int flags, int, void *); - - int sys_auth_passwd(struct ssh *, const char *); - + #define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */ + #define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */ + pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int, +- struct passwd *, privdrop_fn *, privrestore_fn *); ++ struct passwd *, privdrop_fn *, privrestore_fn *, int, void *); + + typedef struct arglist arglist; + struct arglist { diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h --- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200 +++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200 @@ -145,7 +145,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa char *role; @@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it - debug3("%s: setting execution context", __func__); + debug3_f("setting execution context"); - ssh_selinux_get_role_level(&role, &reqlvl); + ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt); @@ -203,10 +203,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa + if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) { switch (security_getenforce()) { case -1: - fatal("%s: security_getenforce() failed", __func__); + fatal_f("security_getenforce() failed"); 
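Review bot: The two parameters appended to `subprocess()` in misc.c, `int inetd, void *the_authctxt`, carry no comment saying what they mean, and misc.c is shared with the client, which (per the sshconnect.c hunk later in this patch) now passes `0, NULL`. A comment above the definition along the lines of `/* inetd: sshd was started by inetd and not re-executed; the_authctxt: opaque Authctxt pointer consumed by sshd_selinux_setup_env_variables(), NULL outside sshd */` would document the contract, and the misc.h prototype would be clearer with the parameters named. The hunk begins on an earlier line of the page and the subprocess() body continues past the lines shown.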
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw - debug3("%s: setting execution context", __func__); + debug3_f("setting execution context"); - r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); + r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt); @@ -269,3 +269,15 @@ diff -up openssh/sshd.c.refactor openssh/sshd.c #endif #ifdef USE_PAM if (options.use_pam) { +diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c +--- openssh/sshconnect.c.refactor 2021-02-24 00:12:03.065325046 +0100 ++++ openssh/sshconnect.c 2021-02-24 00:12:12.126449544 +0100 +@@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h + + if ((pid = subprocess(tag, command, ac, av, &f, + SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH| +- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0) ++ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0) + goto out; + + load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1); diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index 9500cc35a560cc40616a7ad3db73a9d9ec7edad8..f199fb21ae024b115c8bbdf480882a88ea754f82 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch 
@@ -114,50 +114,6 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c p = g = NULL; /* belong to kex->dh now */ /* generate and send 'e', client DH public key */ -diff -up openssh-8.0p1/Makefile.in.fips openssh-8.0p1/Makefile.in ---- openssh-8.0p1/Makefile.in.fips 2019-07-23 14:55:45.396526350 +0200 -+++ openssh-8.0p1/Makefile.in 2019-07-23 14:55:45.402526411 +0200 -@@ -180,25 +180,25 @@ libssh.a: $(LIBSSH_OBJS) - $(RANLIB) $@ - - ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) -- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS) -+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS) - - sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) - - scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) - $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS) -- $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS) -- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS) -- $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSIGN_OBJS) -- $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ $(LD) -o $@ $(SSHKEYSIGN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) - - 
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a $(P11HELPER_OBJS) - $(LD) -o $@ $(P11HELPER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -@@ -216,7 +216,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a - $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) -- $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) - - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) - $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h --- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200 +++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200 @@ -209,7 +165,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h + /* Not a KEX value, but here so all the algorithm defaults are together */ #define SSH_ALLOWED_CA_SIGALGS \ - "ecdsa-sha2-nistp256," \ + "ssh-ed25519," \ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c --- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200 +++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200 
@@ -217,20 +173,20 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); /* remove unsupported algos from default lists */ -- def_cipher = match_filter_whitelist(KEX_CLIENT_ENCRYPT, all_cipher); -- def_mac = match_filter_whitelist(KEX_CLIENT_MAC, all_mac); -- def_kex = match_filter_whitelist(KEX_CLIENT_KEX, all_kex); -- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); -- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); -+ def_cipher = match_filter_whitelist((FIPS_mode() ? +- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher); +- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac); +- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex); +- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher); -+ def_mac = match_filter_whitelist((FIPS_mode() ? ++ def_mac = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac); -+ def_kex = match_filter_whitelist((FIPS_mode() ? ++ def_kex = match_filter_allowlist((FIPS_mode() ? + KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex); -+ def_key = match_filter_whitelist((FIPS_mode() ? ++ def_key = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); -+ def_sig = match_filter_whitelist((FIPS_mode() ? ++ def_sig = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); #define ASSEMBLE(what, defaults, all) \ do { \ 
@@ -255,20 +211,20 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c all_key = sshkey_alg_list(0, 0, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ','); /* remove unsupported algos from default lists */ -- def_cipher = match_filter_whitelist(KEX_SERVER_ENCRYPT, all_cipher); -- def_mac = match_filter_whitelist(KEX_SERVER_MAC, all_mac); -- def_kex = match_filter_whitelist(KEX_SERVER_KEX, all_kex); -- def_key = match_filter_whitelist(KEX_DEFAULT_PK_ALG, all_key); -- def_sig = match_filter_whitelist(SSH_ALLOWED_CA_SIGALGS, all_sig); -+ def_cipher = match_filter_whitelist((FIPS_mode() ? +- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher); +- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac); +- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex); +- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key); +- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig); ++ def_cipher = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher); -+ def_mac = match_filter_whitelist((FIPS_mode() ? ++ def_mac = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac); -+ def_kex = match_filter_whitelist((FIPS_mode() ? ++ def_kex = match_filter_allowlist((FIPS_mode() ? + KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex); -+ def_key = match_filter_whitelist((FIPS_mode() ? ++ def_key = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); -+ def_sig = match_filter_whitelist((FIPS_mode() ? ++ def_sig = match_filter_allowlist((FIPS_mode() ? + KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig); #define ASSEMBLE(what, defaults, all) \ do { \ 
@@ -276,43 +232,25 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c --- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200 +++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200 -@@ -76,6 +76,8 @@ +@@ -76,6 +76,7 @@ #include #include #endif +#include -+#include #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -600,6 +602,16 @@ main(int ac, char **av) - sanitise_stdfd(); - - __progname = ssh_get_progname(av[0]); -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ SSLeay_add_all_algorithms(); -+#endif -+ if (access("/etc/system-fips", F_OK) == 0) -+ if (! FIPSCHECK_verify(NULL, NULL)){ -+ if (FIPS_mode()) -+ fatal("FIPS integrity verification test failed."); -+ else -+ logit("FIPS integrity verification test failed."); -+ } - - #ifndef HAVE_SETPROCTITLE - /* Prepare for later setproctitle emulation */ @@ -614,6 +626,10 @@ main(int ac, char **av) - - seed_rng(); - + dump_client_config(&options, host); + exit(0); + } ++ + if (FIPS_mode()) { + debug("FIPS mode initialized"); + } -+ - /* - * Discard other fds that are hanging around. These can cause problem - * with backgrounded ssh processes started by ControlPersist. + + /* Expand SecurityKeyProvider if it refers to an environment variable */ + if (options.sk_provider != NULL && *options.sk_provider == '$' && diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c --- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200 +++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200 @@ -325,7 +263,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -198,29 +203,34 @@ ssh_kex2(struct ssh *ssh, char *host, st +@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st #if defined(GSSAPI) && defined(WITH_OPENSSL) if (options.gss_keyex) { 
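Review bot: With the fipscheck integrity test removed, the only FIPS-related code left in ssh.c's main() is `if (FIPS_mode()) { debug("FIPS mode initialized"); }`, and nothing on the new side records why the self-test went away; a one-line comment stating the reason (which component now performs the integrity check) would save the next rebase from re-deriving it. Note also that on OpenSSL 3.0 `FIPS_mode()` is deprecated and, unless the distribution ships its own implementation, returns 0, so `EVP_default_properties_is_fips_enabled(NULL)` is the replacement if this series targets that release; the readconf.c and servconf.c hunks above rely on the same call. main() continues outside the hunk.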
@@ -333,12 +271,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c - * client to the key exchange algorithm proposal */ - orig = myproposal[PROPOSAL_KEX_ALGS]; - -- if (options.gss_server_identity) +- if (options.gss_server_identity) { - gss_host = xstrdup(options.gss_server_identity); -- else if (options.gss_trust_dns) +- } else if (options.gss_trust_dns) { - gss_host = remote_hostname(ssh); -- else +- /* Fall back to specified host if we are using proxy command +- * and can not use DNS on that socket */ +- if (strcmp(gss_host, "UNKNOWN") == 0) { +- free(gss_host); +- gss_host = xstrdup(host); +- } +- } else { - gss_host = xstrdup(host); +- } - - gss = ssh_gssapi_client_mechanisms(gss_host, - options.gss_client_identity, options.gss_kex_algorithms); @@ -360,12 +305,19 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c + * client to the key exchange algorithm proposal */ + orig = myproposal[PROPOSAL_KEX_ALGS]; + -+ if (options.gss_server_identity) ++ if (options.gss_server_identity) { + gss_host = xstrdup(options.gss_server_identity); -+ else if (options.gss_trust_dns) ++ } else if (options.gss_trust_dns) { + gss_host = remote_hostname(ssh); -+ else ++ /* Fall back to specified host if we are using proxy command ++ * and can not use DNS on that socket */ ++ if (strcmp(gss_host, "UNKNOWN") == 0) { ++ free(gss_host); ++ gss_host = xstrdup(host); ++ } ++ } else { + gss_host = xstrdup(host); ++ } + + gss = ssh_gssapi_client_mechanisms(gss_host, + options.gss_client_identity, options.gss_kex_algorithms); 
@@ -394,31 +346,19 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c #include #include #include -@@ -77,6 +78,8 @@ +@@ -77,6 +78,7 @@ #include #include #include +#include -+#include #include "openbsd-compat/openssl-compat.h" #endif -@@ -1529,6 +1532,18 @@ main(int ac, char **av) +@@ -1529,6 +1532,7 @@ main(int ac, char **av) #endif __progname = ssh_get_progname(av[0]); + OpenSSL_add_all_algorithms(); -+ if (access("/etc/system-fips", F_OK) == 0) -+ if (! FIPSCHECK_verify(NULL, NULL)) { -+ openlog(__progname, LOG_PID, LOG_AUTHPRIV); -+ if (FIPS_mode()) { -+ syslog(LOG_CRIT, "FIPS integrity verification test failed."); -+ cleanup_exit(255); -+ } -+ else -+ syslog(LOG_INFO, "FIPS integrity verification test failed."); -+ closelog(); -+ } /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; rexec_argc = ac; @@ -476,7 +416,7 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c if (!BN_set_word(f4, RSA_F4) || !RSA_generate_key_ex(private, bits, f4, NULL)) { + if (FIPS_mode()) -+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); ++ logit_f("the key length might be unsupported by FIPS mode approved key generation method"); ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } @@ -513,5 +453,5 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c fflush(stdout); - type = sshkey_type_from_name(key_types[i].key_type); if ((fd = mkstemp(prv_tmp)) == -1) { - error("Could not save your public key in %s: %s", - prv_tmp, strerror(errno)); + error("Could not save your private key in %s: %s", + prv_tmp, strerror(errno)); diff --git a/openssh-7.7p1-gssapi-new-unique.patch b/openssh-7.7p1-gssapi-new-unique.patch index 93862494d5276810796a4f526f380aa4aa1481c8..3b9ef3ac75ff2d3e4e0a9778241b8a71b5eef44d 100644 --- a/openssh-7.7p1-gssapi-new-unique.patch +++ b/openssh-7.7p1-gssapi-new-unique.patch 
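Review bot: sshd.c keeps an unconditional `OpenSSL_add_all_algorithms();` right after `__progname = ssh_get_progname(av[0]);`, while the ssh.c hunk of this same patch drops its version-guarded `SSLeay_add_all_algorithms()` entirely, so the two programs are now inconsistent. On OpenSSL 1.1.0 and later the call is a deprecated compatibility macro (library initialisation is automatic), so either drop it here as well or guard it with the same `#if OPENSSL_VERSION_NUMBER < 0x10100000L` that ssh.c used. main() continues outside the hunk.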
@@ -151,7 +151,7 @@ index a5a81ed2..63f877f2 100644 +ssh_krb5_expand_template(char **result, const char *template) { + char *p_n, *p_o, *r, *tmp_template; + -+ debug3("%s: called, template = %s", __func__, template); ++ debug3_f("called, template = %s", template); + if (template == NULL) + return -1; + @@ -179,7 +179,7 @@ index a5a81ed2..63f877f2 100644 + } else { + p_o = strchr(p_n, '}') + 1; + *p_o = '\0'; -+ debug("%s: unsupported token %s in %s", __func__, p_n, template); ++ debug_f("unsupported token %s in %s", p_n, template); + /* unknown token, fallback to the default */ + goto cleanup; + } @@ -207,7 +207,7 @@ index a5a81ed2..63f877f2 100644 + int ret = 0; + char *value = NULL; + -+ debug3("%s: called", __func__); ++ debug3_f("called"); + ret = krb5_get_profile(ctx, &p); + if (ret) + return ret; @@ -218,7 +218,7 @@ index a5a81ed2..63f877f2 100644 + + ret = ssh_krb5_expand_template(ccname, value); + -+ debug3("%s: returning with ccname = %s", __func__, *ccname); ++ debug3_f("returning with ccname = %s", *ccname); + return ret; +} + @@ -242,7 +242,7 @@ index a5a81ed2..63f877f2 100644 - logit("mkstemp(): %.100s", strerror(oerrno)); - return oerrno; - } -+ debug3("%s: called", __func__); ++ debug3_f("called"); + if (need_environment) + *need_environment = 0; + ret = ssh_krb5_get_cctemplate(ctx, &ccname); @@ -283,7 +283,7 @@ index a5a81ed2..63f877f2 100644 - close(tmpfd); - return (krb5_cc_resolve(ctx, ccname, ccache)); -+ debug3("%s: setting default ccname to %s", __func__, ccname); ++ debug3_f("setting default ccname to %s", ccname); + /* set the default with already expanded user IDs */ + ret = krb5_cc_set_default_name(ctx, ccname); + if (ret) 
@@ -304,13 +304,13 @@ index a5a81ed2..63f877f2 100644 + * a primary cache for this collection, if it supports that (non-FILE) + */ + if (krb5_cc_support_switch(ctx, type)) { -+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname); ++ debug3_f("calling cc_new_unique(%s)", ccname); + ret = krb5_cc_new_unique(ctx, type, NULL, ccache); + free(type); + if (ret) + return ret; + -+ debug3("%s: calling cc_switch()", __func__); ++ debug3_f("calling cc_switch()"); + return krb5_cc_switch(ctx, *ccache); + } else { + /* Otherwise, we can not create a unique ccname here (either @@ -318,7 +318,7 @@ index a5a81ed2..63f877f2 100644 + * collections + */ + free(type); -+ debug3("%s: calling cc_resolve(%s)", __func__, ccname); ++ debug3_f("calling cc_resolve(%s)", ccname); + return (krb5_cc_resolve(ctx, ccname, ccache)); + } } @@ -480,7 +480,7 @@ index 6cae720e..16e55cbc 100644 + return 0; } - /* This allows GSSAPI methods to do things to the childs environment based + /* This allows GSSAPI methods to do things to the child's environment based @@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() { char *envstr; #endif @@ -513,7 +513,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c options->gss_authentication = 0; if (options->gss_keyex == -1) @@ -447,7 +450,8 @@ typedef enum { - sPermitRootLogin, sLogFacility, sLogLevel, + sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, sChallengeResponseAuthentication, @@ -574,7 +574,7 @@ index 85df6a27..480a5ead 100644 +++ b/session.c @@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) /* Allow any GSSAPI methods that we've used to alter - * the childs environment as they see fit + * the child's environment as they see fit */ - ssh_gssapi_do_child(&env, &envsize); + if (s->authctxt->krb5_set_env) 
diff --git a/openssh-7.8p1-role-mls.patch b/openssh-7.8p1-role-mls.patch index fb7ce7c71770e394caa30522b2d446f161ecb5e0..a6c3bae270f3d72266783f23b208a6559e4246fa 100644 --- a/openssh-7.8p1-role-mls.patch +++ b/openssh-7.8p1-role-mls.patch @@ -52,7 +52,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c gss_buffer_desc mic, gssbuf; const char *displayname; @@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); mic.value = p; mic.length = len; - ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, @@ -63,7 +63,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c +#endif + micuser = authctxt->user; + ssh_gssapi_buildmic(b, micuser, authctxt->service, - "gssapi-with-mic"); + "gssapi-with-mic", ssh->kex->session_id); if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) @@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple @@ -80,7 +80,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c +++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200 @@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh) /* reconstruct packet */ - if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || + if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || +#ifdef WITH_SELINUX + (authctxt->role 
@@ -154,20 +154,6 @@ diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); -diff -up openssh/configure.ac.role-mls openssh/configure.ac ---- openssh/configure.ac.role-mls 2018-08-20 07:57:29.000000000 +0200 -+++ openssh/configure.ac 2018-08-22 11:14:56.820430957 +0200 -@@ -4241,10 +4241,7 @@ AC_ARG_WITH([selinux], - LIBS="$LIBS -lselinux" - ], - AC_MSG_ERROR([SELinux support requires libselinux library])) -- SSHLIBS="$SSHLIBS $LIBSELINUX" -- SSHDLIBS="$SSHDLIBS $LIBSELINUX" - AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level]) -- LIBS="$save_LIBS" - fi ] - ) - AC_SUBST([SSHLIBS]) diff -up openssh/misc.c.role-mls openssh/misc.c --- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200 +++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200 @@ -238,8 +224,8 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c + monitor_permit_authentications(1); + + if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); -+ debug3("%s: role=%s", __func__, authctxt->role); ++ fatal_f("buffer error: %s", ssh_err(r)); ++ debug3_f("role=%s", authctxt->role); + + if (strlen(authctxt->role) == 0) { + free(authctxt->role); @@ -265,7 +251,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c @@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse userstyle"); + if ((s = strchr(cp, '/')) != NULL) + *s = '\0'; xasprintf(&userstyle, "%s%s%s", authctxt->user, @@ -283,7 +269,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c 
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse userstyle"); + if ((s = strchr(p, '/')) != NULL) + *s = '\0'; xasprintf(&userstyle, "%s%s%s", authctxt->user, @@ -319,12 +305,12 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c + int r; + struct sshbuf *m; + -+ debug3("%s entering", __func__); ++ debug3_f("entering"); + + if ((m = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_f("buffer error: %s", ssh_err(r)); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); + + sshbuf_free(m); @@ -338,8 +324,8 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h --- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200 +++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200 @@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); - int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, - const u_char *, size_t, const char *, const char *, u_int compat); + const u_char *, size_t, const char *, const char *, + const char *, u_int compat); void mm_inform_authserv(char *, char *); +#ifdef WITH_SELINUX +void mm_inform_authrole(char *); @@ -371,7 +357,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por -void -ssh_selinux_setup_exec_context(char *pwname) -{ -- security_context_t user_ctx = NULL; +- char *user_ctx = NULL; - - if (!ssh_selinux_enabled()) - return; 
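Review bot: The hostbased hunk strips the SELinux role suffix with `strchr(p, '/')`, while the parallel monitor_valid_userblob hunk just above strips it from `cp`, the string that `sshbuf_get_cstring(b, &cp, NULL)` on the preceding line actually parsed. If `p` in monitor_valid_hostbasedblob is still a different pointer (upstream uses a `const u_char *p` for the session-id there), the truncation would write into the wrong buffer and the role-qualified user name would never be compared correctly; worth confirming against the full monitor.c. The likely intent, matching the userblob case, is `if ((s = strchr(cp, '/')) != NULL) *s = '\0';`. The function starts and ends outside the hunk.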
@@ -407,7 +393,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por - user_ctx = ssh_selinux_getctxbyname(pwname); + if (getexeccon(&user_ctx) != 0) { -+ error("%s: getexeccon: %s", __func__, strerror(errno)); ++ error_f("getexeccon: %s", strerror(errno)); + goto out; + } + @@ -432,7 +418,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c --- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200 -@@ -0,0 +1,425 @@ +@@ -0,0 +1,421 @@ +/* + * Copyright (c) 2005 Daniel Walsh + * Copyright (c) 2014 Petr Lautrbach @@ -544,7 +530,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa + access_vector_t bit; + security_class_t class; + -+ debug("%s: src:%s dst:%s", __func__, src, dst); ++ debug_f("src:%s dst:%s", src, dst); + class = string_to_security_class("context"); + if (!class) { + error("string_to_security_class failed to translate security class context"); @@ -706,7 +692,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa + /* we actually don't change level */ + reqlvl = ""; + -+ debug("%s: current connection level '%s'", __func__, reqlvl); ++ debug_f("current connection level '%s'", reqlvl); + + } + @@ -734,8 +720,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa + } + } + if (r != 0) { -+ error("%s: Failed to get default SELinux security " -+ "context for %s", __func__, pwname); ++ error_f("Failed to get default SELinux security " ++ "context for %s", pwname); + } + +#ifdef HAVE_GETSEUSERBYNAME 
@@ -760,7 +746,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa + char *use_current; + int rv; + -+ debug3("%s: setting execution context", __func__); ++ debug3_f("setting execution context"); + + ssh_selinux_get_role_level(&role, &reqlvl); + @@ -797,32 +783,30 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa + if (sshd_selinux_setup_pam_variables()) { + switch (security_getenforce()) { + case -1: -+ fatal("%s: security_getenforce() failed", __func__); ++ fatal_f("security_getenforce() failed"); + case 0: -+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.", -+ __func__); ++ error_f("SELinux PAM variable setup failure. Continuing in permissive mode."); + break; + default: -+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.", -+ __func__); ++ fatal_f("SELinux PAM variable setup failure. Aborting connection."); + } + } + return; + } + -+ debug3("%s: setting execution context", __func__); ++ debug3_f("setting execution context"); + + r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); + if (r >= 0) { + r = setexeccon(user_ctx); + if (r < 0) { -+ error("%s: Failed to set SELinux execution context %s for %s", -+ __func__, user_ctx, pwname); ++ error_f("Failed to set SELinux execution context %s for %s", ++ user_ctx, pwname); + } +#ifdef HAVE_SETKEYCREATECON + else if (setkeycreatecon(user_ctx) < 0) { -+ error("%s: Failed to set SELinux keyring creation context %s for %s", -+ __func__, user_ctx, pwname); ++ error_f("Failed to set SELinux keyring creation context %s for %s", ++ user_ctx, pwname); + } +#endif + } 
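Review bot: In the rewritten context-setup block a failing `setkeycreatecon(user_ctx)` is only reported via `error_f` and leaves `r` at the non-negative value returned by `setexeccon()`, so the `if (r < 0)` enforcing-mode abort that appears in the following hunk is never reached for it, whereas a failing `setexeccon()` does set `r < 0` and aborts the connection under enforcing. If the intent is fail-closed when the kernel keyring context cannot be set, add `r = -1;` next to the `error_f` call in that `else if` branch; if the keyring context is deliberately best-effort, a comment such as `/* keyring context is best-effort; a failure here does not abort the session */` would stop the asymmetry from reading like an oversight. The enclosing function starts and ends outside this hunk.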
@@ -837,14 +821,12 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa + if (r < 0) { + switch (security_getenforce()) { + case -1: -+ fatal("%s: security_getenforce() failed", __func__); ++ fatal_f("security_getenforce() failed"); + case 0: -+ error("%s: SELinux failure. Continuing in permissive mode.", -+ __func__); ++ error_f("ELinux failure. Continuing in permissive mode."); + break; + default: -+ fatal("%s: SELinux failure. Aborting connection.", -+ __func__); ++ fatal_f("SELinux failure. Aborting connection."); + } + } + if (user_ctx != NULL && user_ctx != default_ctx) @@ -852,7 +834,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa + if (default_ctx != NULL) + freecon(default_ctx); + -+ debug3("%s: done", __func__); ++ debug3_f("done"); +} + +#endif diff --git a/openssh-8.0p1-crypto-policies.patch b/openssh-8.0p1-crypto-policies.patch index 89bd369aff3e29dd98e3ecb61aeaf87f3c516809..813b7ac3d2df910454666b810d08bccd3d8fbbe3 100644 --- a/openssh-8.0p1-crypto-policies.patch +++ b/openssh-8.0p1-crypto-policies.patch 
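Review bot: The rebased permissive-mode message in the `case 0:` arm reads `error_f("ELinux failure. Continuing in permissive mode.");` — the leading "S" of "SELinux" was lost when the `__func__` argument was folded into `error_f`, while the `fatal_f("SELinux failure. Aborting connection.")` arm beside it is intact. It should be `error_f("SELinux failure. Continuing in permissive mode.");` so log searches and alerting rules keyed on "SELinux failure" keep matching the permissive-mode fallback, which is exactly the case an operator wants to notice. The enclosing function starts outside the hunk.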
@@ -1,29 +1,57 @@ -diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 ---- openssh/ssh_config.5.crypto-policies 2020-02-07 15:05:55.665451715 +0100 -+++ openssh/ssh_config.5 2020-02-07 15:07:11.632641922 +0100 -@@ -361,15 +361,15 @@ domains. +diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5 +--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100 ++++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100 +@@ -359,14 +359,13 @@ or + .Qq *.c.example.com + domains. .It Cm CASignatureAlgorithms ++The default is handled system-wide by ++.Xr crypto-policies 7 . ++To see the defaults and how to modify this default, see manual page ++.Xr update-crypto-policies 8 . ++.Pp Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). -The default is: -.Bd -literal -offset indent --ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, +-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed -.Pp .Xr ssh 1 will not accept host certificates signed using algorithms other than those specified. -+.Pp +@@ -424,20 +424,25 @@ If the option is set to + (the default), + the check will not be executed. + .It Cm Ciphers +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp - .It Cm CertificateFile - Specifies a file from which the user's certificate is read. - A corresponding private key must be provided separately in order -@@ -453,12 +453,10 @@ aes256-gcm@openssh.com + Specifies the ciphers allowed and their order of preference. + Multiple ciphers must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified ciphers will be appended to the default set +-instead of replacing them. 
++character, then the specified ciphers will be appended to the built-in ++openssh default set instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified ciphers (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in openssh default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified ciphers will be placed at the head of the +-default set. ++built-in openssh default set. + .Pp + The supported ciphers are: + .Bd -literal -offset indent +@@ -453,13 +458,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .Ed .Pp 
@@ -33,30 +61,60 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 -aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com -.Ed +-.Pp + The list of available ciphers may also be obtained using + .Qq ssh -Q cipher . + .It Cm ClearAllForwardings +@@ -812,6 +810,11 @@ command line will be passed untouched to + The default is + .Dq no . + .It Cm GSSAPIKexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - .Pp - The list of available ciphers may also be obtained using - .Qq ssh -Q cipher . -@@ -824,8 +822,10 @@ gss-nistp256-sha256-, ++.Pp + The list of key exchange algorithms that are offered for GSSAPI + key exchange. Possible values are + .Bd -literal -offset 3n +@@ -824,10 +827,8 @@ gss-nistp256-sha256-, gss-curve25519-sha256- .Ed .Pp -The default is --.Dq gss-gex-sha1-,gss-group14-sha1- . +-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, +-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . + This option only applies to connections using GSSAPI. ++.Pp + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +@@ -1149,29 +1150,25 @@ it may be zero or more of: + and + .Cm pam . + .It Cm KexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that -@@ -1162,15 +1162,10 @@ If the specified list begins with a ++.Pp + Specifies the available KEX (Key Exchange) algorithms. + Multiple algorithms must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified methods will be appended to the default set +-instead of replacing them. 
++character, then the specified methods will be appended to the built-in ++openssh default set instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified methods (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in openssh default set instead of replacing them. + If the specified list begins with a .Sq ^ character, then the specified methods will be placed at the head of the - default set. +-default set. -The default is: -.Bd -literal -offset indent -curve25519-sha256,curve25519-sha256@libssh.org, 
@@ -66,14 +124,42 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 -diffie-hellman-group18-sha512, -diffie-hellman-group14-sha256 -.Ed ++built-in openssh default set. + .Pp + The list of available key exchange algorithms may also be obtained using + .Qq ssh -Q kex . +@@ -1231,37 +1228,33 @@ The default is INFO. + file. + This option is intended for debugging and no overrides are enabled by default. + .It Cm MACs +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . ++.Pp + Specifies the MAC (message authentication code) algorithms + in order of preference. + The MAC algorithm is used for data integrity protection. + Multiple algorithms must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified algorithms will be appended to the default set +-instead of replacing them. ++character, then the specified algorithms will be appended to the built-in ++openssh default set instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified algorithms (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in openssh default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified algorithms will be placed at the head of the +-default set. ++built-in openssh default set. .Pp - The list of available key exchange algorithms may also be obtained using - .Qq ssh -Q kex . -@@ -1252,14 +1247,10 @@ The algorithms that contain + The algorithms that contain + .Qq -etm calculate the MAC after encryption (encrypt-then-mac). These are considered safer and their use recommended. .Pp 
@@ -85,65 +171,111 @@ diff -up openssh/ssh_config.5.crypto-policies openssh/ssh_config.5 -umac-64@openssh.com,umac-128@openssh.com, -hmac-sha2-256,hmac-sha2-512,hmac-sha1 -.Ed +-.Pp + The list of available MAC algorithms may also be obtained using + .Qq ssh -Q mac . + .It Cm NoHostAuthenticationForLocalhost +@@ -1394,37 +1387,25 @@ instead of continuing to execute and pas + The default is + .Cm no . + .It Cm PubkeyAcceptedAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - .Pp - The list of available MAC algorithms may also be obtained using - .Qq ssh -Q mac . -@@ -1407,22 +1398,10 @@ If the specified list begins with a ++.Pp + Specifies the signature algorithms that will be used for public key + authentication as a comma-separated list of patterns. + If the specified list begins with a + .Sq + +-character, then the algorithms after it will be appended to the default +-instead of replacing it. ++character, then the algorithms after it will be appended to the built-in ++openssh default instead of replacing it. + If the specified list begins with a + .Sq - + character, then the specified algorithms (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in openssh default set instead of replacing them. + If the specified list begins with a .Sq ^ - character, then the specified key types will be placed at the head of the - default set. + character, then the specified algorithms will be placed at the head of the +-default set. 
-The default for this option is: -.Bd -literal -offset 3n +-ssh-ed25519-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com, --sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, --ssh-ed25519-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com, +-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com, +-ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-sk-ssh-ed25519@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com, --ssh-ed25519,sk-ssh-ed25519@openssh.com, -rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed ++built-in openssh default set. + .Pp + The list of available signature algorithms may also be obtained using + .Qq ssh -Q PubkeyAcceptedAlgorithms . +diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5 +--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100 ++++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100 +@@ -375,14 +375,13 @@ If the argument is + then no banner is displayed. + By default, no banner is displayed. + .It Cm CASignatureAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - .Pp - The list of available key types may also be obtained using - .Qq ssh -Q PubkeyAcceptedKeyTypes . -diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 ---- openssh/sshd_config.5.crypto-policies 2020-02-07 15:05:55.639451308 +0100 -+++ openssh/sshd_config.5 2020-02-07 15:05:55.672451825 +0100 -@@ -377,14 +377,14 @@ By default, no banner is displayed. - .It Cm CASignatureAlgorithms ++.Pp Specifies which algorithms are allowed for signing of certificates by certificate authorities (CAs). 
-The default is: -.Bd -literal -offset indent --ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, --ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa +-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384, +-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed -.Pp Certificates signed using other algorithms will not be accepted for public key or host-based authentication. -+.Pp + .It Cm ChallengeResponseAuthentication +@@ -446,20 +446,25 @@ The default is + indicating not to + .Xr chroot 2 . + .It Cm Ciphers +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . +.Pp - .It Cm ChallengeResponseAuthentication - Specifies whether challenge-response authentication is allowed (e.g. via - PAM or through authentication styles supported in -@@ -486,12 +486,10 @@ aes256-gcm@openssh.com + Specifies the ciphers allowed. + Multiple ciphers must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified ciphers will be appended to the default set +-instead of replacing them. ++character, then the specified ciphers will be appended to the built-in ++openssh default set instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified ciphers (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in openssh default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified ciphers will be placed at the head of the +-default set. ++built-in openssh default set. + .Pp + The supported ciphers are: + .Pp +@@ -486,13 +491,6 @@ aes256-gcm@openssh.com chacha20-poly1305@openssh.com .El .Pp 
@@ -153,55 +285,107 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 -aes128-ctr,aes192-ctr,aes256-ctr, -aes128-gcm@openssh.com,aes256-gcm@openssh.com -.Ed +-.Pp + The list of available ciphers may also be obtained using + .Qq ssh -Q cipher . + .It Cm ClientAliveCountMax +@@ -681,21 +679,22 @@ For this to work + .Cm GSSAPIKeyExchange + needs to be enabled in the server and also used by the client. + .It Cm GSSAPIKexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - .Pp - The list of available ciphers may also be obtained using - .Qq ssh -Q cipher . -@@ -693,8 +691,10 @@ gss-nistp256-sha256-, ++.Pp + The list of key exchange algorithms that are accepted by GSSAPI + key exchange. Possible values are + .Bd -literal -offset 3n +-gss-gex-sha1-, +-gss-group1-sha1-, +-gss-group14-sha1-, +-gss-group14-sha256-, +-gss-group16-sha512-, +-gss-nistp256-sha256-, ++gss-gex-sha1- ++gss-group1-sha1- ++gss-group14-sha1- ++gss-group14-sha256- ++gss-group16-sha512- ++gss-nistp256-sha256- gss-curve25519-sha256- .Ed - .Pp +-.Pp -The default is --.Dq gss-gex-sha1-,gss-group14-sha1- . +-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, +-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . + This option only applies to connections using GSSAPI. + .It Cm HostbasedAcceptedAlgorithms + Specifies the signature algorithms that will be accepted for hostbased +@@ -793,26 +793,13 @@ is specified, the location of the socket + .Ev SSH_AUTH_SOCK + environment variable. + .It Cm HostKeyAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - This option only applies to protocol version 2 connections using GSSAPI. 
- .It Cm HostbasedAcceptedKeyTypes - Specifies the key types that will be accepted for hostbased authentication -@@ -794,22 +794,10 @@ environment variable. - .It Cm HostKeyAlgorithms - Specifies the host key algorithms ++.Pp + Specifies the host key signature algorithms that the server offers. -The default for this option is: -.Bd -literal -offset 3n +-ssh-ed25519-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com, --sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, --ssh-ed25519-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com, +-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com, +-ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-sk-ssh-ed25519@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com, --ssh-ed25519,sk-ssh-ed25519@openssh.com, -rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed +-.Pp + The list of available signature algorithms may also be obtained using + .Qq ssh -Q HostKeyAlgorithms . + .It Cm IgnoreRhosts +@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi + The default is + .Cm yes . + .It Cm KexAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . ++.Pp + Specifies the available KEX (Key Exchange) algorithms. + Multiple algorithms must be comma-separated. + Alternately if the specified list begins with a + .Sq + +-character, then the specified methods will be appended to the default set +-instead of replacing them. ++character, then the specified methods will be appended to the built-in ++openssh default set instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified methods (including wildcards) will be removed +-from the default set instead of replacing them. 
++from the built-in openssh default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified methods will be placed at the head of the +-default set. ++built-in openssh default set. + The supported algorithms are: .Pp - The list of available key types may also be obtained using - .Qq ssh -Q HostKeyAlgorithms . -@@ -987,14 +975,10 @@ ecdh-sha2-nistp521 - sntrup4591761x25519-sha512@tinyssh.org + .Bl -item -compact -offset indent +@@ -988,15 +981,6 @@ ecdh-sha2-nistp521 + sntrup761x25519-sha512@openssh.com .El .Pp -The default is: 
@@ -212,14 +396,42 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 -diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -diffie-hellman-group14-sha256 -.Ed +-.Pp + The list of available key exchange algorithms may also be obtained using + .Qq ssh -Q KexAlgorithms . + .It Cm ListenAddress +@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent. + file. + This option is intended for debugging and no overrides are enabled by default. + .It Cm MACs +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . ++.Pp + Specifies the available MAC (message authentication code) algorithms. + The MAC algorithm is used for data integrity protection. + Multiple algorithms must be comma-separated. + If the specified list begins with a + .Sq + +-character, then the specified algorithms will be appended to the default set +-instead of replacing them. ++character, then the specified algorithms will be appended to the built-in ++openssh default set instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified algorithms (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in openssh default set instead of replacing them. + If the specified list begins with a + .Sq ^ + character, then the specified algorithms will be placed at the head of the +-default set. ++built-in openssh default set. .Pp - The list of available key exchange algorithms may also be obtained using - .Qq ssh -Q KexAlgorithms . -@@ -1121,14 +1105,10 @@ umac-64-etm@openssh.com + The algorithms that contain + .Qq -etm +@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com umac-128-etm@openssh.com .El .Pp 
@@ -231,37 +443,54 @@ diff -up openssh/sshd_config.5.crypto-policies openssh/sshd_config.5 -umac-64@openssh.com,umac-128@openssh.com, -hmac-sha2-256,hmac-sha2-512,hmac-sha1 -.Ed +-.Pp + The list of available MAC algorithms may also be obtained using + .Qq ssh -Q mac . + .It Cm Match +@@ -1480,37 +1460,25 @@ or equivalent.) + The default is + .Cm yes . + .It Cm PubkeyAcceptedAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . +To see the defaults and how to modify this default, see manual page +.Xr update-crypto-policies 8 . - .Pp - The list of available MAC algorithms may also be obtained using - .Qq ssh -Q mac . -@@ -1492,22 +1472,10 @@ If the specified list begins with a ++.Pp + Specifies the signature algorithms that will be accepted for public key + authentication as a list of comma-separated patterns. + Alternately if the specified list begins with a + .Sq + +-character, then the specified algorithms will be appended to the default set +-instead of replacing them. ++character, then the specified algorithms will be appended to the built-in ++openssh default set instead of replacing them. + If the specified list begins with a + .Sq - + character, then the specified algorithms (including wildcards) will be removed +-from the default set instead of replacing them. ++from the built-in openssh default set instead of replacing them. + If the specified list begins with a .Sq ^ - character, then the specified key types will be placed at the head of the - default set. + character, then the specified algorithms will be placed at the head of the +-default set. 
-The default for this option is: -.Bd -literal -offset 3n +-ssh-ed25519-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com, --sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, --ssh-ed25519-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com, +-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com, +-ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, +-sk-ssh-ed25519@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com, --ssh-ed25519,sk-ssh-ed25519@openssh.com, -rsa-sha2-512,rsa-sha2-256,ssh-rsa -.Ed -+The default is handled system-wide by -+.Xr crypto-policies 7 . -+To see the defaults and how to modify this default, see manual page -+.Xr update-crypto-policies 8 . ++built-in openssh default set. .Pp - The list of available key types may also be obtained using - .Qq ssh -Q PubkeyAcceptedKeyTypes . + The list of available signature algorithms may also be obtained using + .Qq ssh -Q PubkeyAcceptedAlgorithms . diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index 9e7ea7256c981c6f609b0e0b55d2e86a59e86213..2c29486c5c87cdfb3042998ba51152fad2334f28 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -5,7 +5,7 @@ index e7549470..b68c1710 100644 @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kexgexc.o kexgexs.o \ - sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ + kexsntrup761x25519.o sntrup761.o kexgen.o \ + kexgssc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ sshbuf-io.o 
@@ -17,7 +17,7 @@ index e7549470..b68c1710 100644 - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ - sftp-server.o sftp-common.o \ + srclimit.o sftp-server.o sftp-common.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ diff --git a/auth.c b/auth.c index 086b8ebb..687c57b4 100644 @@ -138,7 +138,7 @@ index 9351e042..d6446c0c 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,7 +1,7 @@ - /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */ + /* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -165,19 +165,19 @@ index 9351e042..d6446c0c 100644 + + if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 || + (r = sshpkt_get_end(ssh)) != 0) -+ fatal("%s: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "parsing"); + + if ((b = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + + mic.value = p; + mic.length = len; + + ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, -+ "gssapi-keyex"); ++ "gssapi-keyex", ssh->kex->session_id); + + if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) -+ fatal("%s: sshbuf_mutable_ptr failed", __func__); ++ fatal_f("sshbuf_mutable_ptr failed"); + gssbuf.length = sshbuf_len(b); + + /* gss_kex_context is NULL with privsep, so we can't check it here */ @@ -197,7 +197,7 @@ index 9351e042..d6446c0c 100644 * how to check local user kuserok and the like) @@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) if ((r = sshpkt_get_end(ssh)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse packet"); - authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, @@ -441,7 +441,7 @@ index d56257b4..763a63ff 100644 --- a/gss-genr.c +++ b/gss-genr.c 
@@ -1,7 +1,7 @@ - /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */ + /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */ /* - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. @@ -449,7 +449,7 @@ index d56257b4..763a63ff 100644 * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -41,12 +41,36 @@ +@@ -41,9 +41,33 @@ #include "sshbuf.h" #include "log.h" #include "ssh2.h" @@ -461,9 +461,6 @@ index d56257b4..763a63ff 100644 #include "ssh-gss.h" - extern u_char *session_id2; - extern u_int session_id2_len; - +typedef struct { + char *encoded; + gss_OID oid; @@ -486,7 +483,7 @@ index d56257b4..763a63ff 100644 /* sshbuf_get for gss_buffer_desc */ int ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) -@@ -62,6 +86,162 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) +@@ -62,6 +86,159 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) return 0; } @@ -548,7 +545,7 @@ index d56257b4..763a63ff 100644 + (gss_supported->count + 1)); + + if ((buf = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + + oidpos = 0; + s = cp = xstrdup(kex); @@ -565,8 +562,7 @@ index d56257b4..763a63ff 100644 + gss_supported->elements[i].elements, + gss_supported->elements[i].length)) != 0 || + (r = ssh_digest_final(md, digest, sizeof(digest))) != 0) -+ fatal("%s: digest failed: %s", __func__, -+ ssh_err(r)); ++ fatal_fr(r, "digest failed"); + ssh_digest_free(md); + md = NULL; + 
@@ -581,12 +577,10 @@ index d56257b4..763a63ff 100644 + (p = strsep(&cp, ","))) { + if (sshbuf_len(buf) != 0 && + (r = sshbuf_put_u8(buf, ',')) != 0) -+ fatal("%s: sshbuf_put_u8 error: %s", -+ __func__, ssh_err(r)); ++ fatal_fr(r, "sshbuf_put_u8 error"); + if ((r = sshbuf_put(buf, p, strlen(p))) != 0 || + (r = sshbuf_put(buf, encoded, enclen)) != 0) -+ fatal("%s: sshbuf_put error: %s", -+ __func__, ssh_err(r)); ++ fatal_fr(r, "sshbuf_put error"); + } + + gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); @@ -599,7 +593,7 @@ index d56257b4..763a63ff 100644 + gss_enc2oid[oidpos].encoded = NULL; + + if ((mechs = sshbuf_dup_string(buf)) == NULL) -+ fatal("%s: sshbuf_dup_string failed", __func__); ++ fatal_f("sshbuf_dup_string failed"); + + sshbuf_free(buf); + @@ -721,7 +715,7 @@ index d56257b4..763a63ff 100644 + void ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, - const char *context) + const char *context, const struct sshbuf *session_id) @@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, } @@ -964,7 +958,7 @@ index ab3a15f0..6ce56e92 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,7 +1,7 @@ - /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */ + /* $OpenBSD: gss-serv.c,v 1.32 2020/03/13 03:17:07 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 
@@ -1123,10 +1117,10 @@ index ab3a15f0..6ce56e92 100644 + + if (gssapi_client.store.data != NULL) { + if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) { -+ debug("%s: krb5_cc_resolve(): %.100s", __func__, ++ debug_f("krb5_cc_resolve(): %.100s", + krb5_get_err_text(gssapi_client.store.data, problem)); + } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) { -+ debug("%s: krb5_cc_destroy(): %.100s", __func__, ++ debug_f("krb5_cc_destroy(): %.100s", + krb5_get_err_text(gssapi_client.store.data, problem)); + } else { + krb5_free_context(gssapi_client.store.data); @@ -1375,7 +1369,7 @@ index ce85f043..574c7609 100644 @@ -698,6 +755,9 @@ kex_free(struct kex *kex) sshbuf_free(kex->server_version); sshbuf_free(kex->client_pub); - free(kex->session_id); + sshbuf_free(kex->session_id); +#ifdef GSSAPI + free(kex->gss_host); +#endif /* GSSAPI */ @@ -1389,7 +1383,7 @@ index a5ae6ac0..fe714141 100644 @@ -102,6 +102,15 @@ enum kex_exchange { KEX_ECDH_SHA2, KEX_C25519_SHA256, - KEX_KEM_SNTRUP4591761X25519_SHA512, + KEX_KEM_SNTRUP761X25519_SHA512, +#ifdef GSSAPI + KEX_GSS_GRP1_SHA1, + KEX_GSS_GRP14_SHA1, @@ -1498,7 +1492,7 @@ new file mode 100644 index 00000000..f6e1405e --- /dev/null +++ b/kexgssc.c -@@ -0,0 +1,606 @@ +@@ -0,0 +1,599 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -1597,7 +1591,7 @@ index 00000000..f6e1405e + r = kex_c25519_keypair(kex); + break; + default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); ++ fatal_f("Unexpected KEX type %d", kex->kex_type); + } + if (r != 0) + return r; @@ -1785,7 +1779,7 @@ index 00000000..f6e1405e + server_blob, + shared_secret, + hash, &hashlen)) != 0) -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); ++ fatal_f("Unexpected KEX type %d", kex->kex_type); + + gssbuf.value = hash; + gssbuf.length = hashlen; 
@@ -2074,13 +2068,6 @@ index 00000000..f6e1405e + + gss_release_buffer(&min_status, &msg_tok); + -+ /* save session id */ -+ if (kex->session_id == NULL) { -+ kex->session_id_len = hashlen; -+ kex->session_id = xmalloc(kex->session_id_len); -+ memcpy(kex->session_id, hash, kex->session_id_len); -+ } -+ + if (kex->gss_deleg_creds) + ssh_gssapi_credentials_updated(ctxt); + @@ -2202,12 +2189,12 @@ index 00000000..60bc02de + free(mechs); + } + -+ debug2("%s: Identifying %s", __func__, kex->name); ++ debug2_f("Identifying %s", kex->name); + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); + if (oid == GSS_C_NO_OID) + fatal("Unknown gssapi mechanism"); + -+ debug2("%s: Acquiring credentials", __func__); ++ debug2_f("Acquiring credentials"); + + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) + fatal("Unable to acquire credentials for the server"); @@ -2242,7 +2229,7 @@ index 00000000..60bc02de + &shared_secret); + break; + default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); ++ fatal_f("Unexpected KEX type %d", kex->kex_type); + } + if (r != 0) + goto out; @@ -2398,12 +2385,12 @@ index 00000000..60bc02de + if ((mechs = ssh_gssapi_server_mechanisms())) + free(mechs); + -+ debug2("%s: Identifying %s", __func__, kex->name); ++ debug2_f("Identifying %s", kex->name); + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); + if (oid == GSS_C_NO_OID) + fatal("Unknown gssapi mechanism"); + -+ debug2("%s: Acquiring credentials", __func__); ++ debug2_f("Acquiring credentials"); + + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) + fatal("Unable to acquire credentials for the server"); @@ -2641,44 +2628,44 @@ index 2ce89fe9..ebf76c7f 100644 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); 
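Review bot: Dropping the explicit "save session id" block from kexgssc.c leaves the client depending on the generic kex code to populate `kex->session_id`, which the kex_free context elsewhere in this diff (`sshbuf_free(kex->session_id)`) shows is now an sshbuf rather than the old `session_id`/`session_id_len` pair. The gssapi-keyex MIC is later built over `ssh->kex->session_id` (the auth2-gss.c and sshconnect2.c hunks pass it to ssh_gssapi_buildmic), so it is worth confirming that the GSS client kex path reaches the point where the generic code records the session id (presumably kex_derive_keys) before the first MIC is produced; otherwise the MIC would bind to an empty or NULL buffer. A one-line comment at the deletion point would spare the next reader the same search: `/* kex->session_id is recorded by the generic kex code after the hash is computed */`. The enclosing function continues outside the hunk.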
@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor) # ifdef OPENSSL_HAS_ECC - kex->kex[KEX_ECDH_SHA2] = kex_gen_server; + kex->kex[KEX_ECDH_SHA2] = kex_gen_server; # endif +# ifdef GSSAPI -+ if (options.gss_keyex) { -+ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; -+ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; -+ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server; -+ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server; -+ kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server; -+ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server; -+ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server; -+ } ++ if (options.gss_keyex) { ++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; ++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; ++ kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server; ++ kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server; ++ kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server; ++ kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server; ++ kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server; ++ } +# endif #endif /* WITH_OPENSSL */ - kex->kex[KEX_C25519_SHA256] = kex_gen_server; - kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; + kex->kex[KEX_C25519_SHA256] = kex_gen_server; + kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; @@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) u_char *p; int r; - if (!options.gss_authentication) -- fatal("%s: GSSAPI authentication not enabled", __func__); +- fatal_f("GSSAPI authentication not enabled"); + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); if ((r = sshbuf_get_string(m, &p, &len)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "parse"); 
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) OM_uint32 flags = 0; /* GSI needs this */ int r; - if (!options.gss_authentication) -- fatal("%s: GSSAPI authentication not enabled", __func__); +- fatal_f("GSSAPI authentication not enabled"); + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "ssh_gssapi_get_buffer_desc"); @@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); @@ -2692,9 +2679,9 @@ index 2ce89fe9..ebf76c7f 100644 int r; - if (!options.gss_authentication) -- fatal("%s: GSSAPI authentication not enabled", __func__); +- fatal_f("GSSAPI authentication not enabled"); + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) @@ -2707,13 +2694,13 @@ index 2ce89fe9..ebf76c7f 100644 const char *displayname; - if (!options.gss_authentication) -- fatal("%s: GSSAPI authentication not enabled", __func__); +- fatal_f("GSSAPI authentication not enabled"); + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); - authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); + if ((r = sshbuf_get_u32(m, &kex)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + authenticated = authctxt->valid && + ssh_gssapi_userok(authctxt->user, authctxt->pw, kex); 
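Review bot: In the mm_answer_gss_userok hunk the privileged monitor reads a `kex` u32 from the unprivileged child and passes it unchanged to `ssh_gssapi_userok(authctxt->user, authctxt->pw, kex)`, without constraining the value or checking it against the monitor's own knowledge of whether a GSSAPI key exchange happened. Since the flag presumably selects which authorization rule the privileged side applies, consider at least rejecting anything but 0 and 1 — `if (kex > 1) fatal_f("bad kex flag %u", kex);` — and a comment stating what the flag means on the monitor side. The function begins outside the hunk.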
@@ -2721,7 +2708,7 @@ index 2ce89fe9..ebf76c7f 100644 sshbuf_reset(m); if ((r = sshbuf_put_u32(m, authenticated)) != 0) @@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) - debug3("%s: sending result %d", __func__, authenticated); + debug3_f("sending result %d", authenticated); mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); - auth_method = "gssapi-with-mic"; @@ -2733,7 +2720,7 @@ index 2ce89fe9..ebf76c7f 100644 if ((displayname = ssh_gssapi_displayname()) != NULL) auth2_record_info(authctxt, "%s", displayname); -@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1921,5 +1958,84 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -2749,16 +2736,15 @@ index 2ce89fe9..ebf76c7f 100644 + int r; + + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); + + if ((r = sshbuf_get_string(m, &p, &len)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + data.value = p; + data.length = len; + /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */ + if (data.length != 20 && data.length != 32 && data.length != 64) -+ fatal("%s: data length incorrect: %d", __func__, -+ (int) data.length); ++ fatal_f("data length incorrect: %d", (int) data.length); + + /* Save the session ID on the first time around */ + if (session_id2_len == 0) { @@ -2774,7 +2760,7 @@ index 2ce89fe9..ebf76c7f 100644 + + if ((r = sshbuf_put_u32(m, major)) != 0 || + (r = sshbuf_put_string(m, hash.value, hash.length)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + mm_request_send(socket, MONITOR_ANS_GSSSIGN, m); + 
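Review bot: mm_answer_gss_sign still keys its "save the session ID on the first time around" logic on the global `session_id2_len`, while the gss-genr.c hunk earlier in this diff drops the `extern u_char *session_id2; extern u_int session_id2_len;` context lines, which suggests upstream no longer provides those globals; please confirm the rebased patch still declares them for monitor.c (presumably as file-scope definitions), since the hunk as shown does not. A comment at the check would also help: `/* session_id2 is private to the monitor: the first hash signed here is taken as the session id */`. The length guard `if (data.length != 20 && data.length != 32 && data.length != 64)` would read better with named digest sizes via ssh_digest_bytes() than with literal 20/32/64. The function begins outside the hunk.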
@@ -2795,12 +2781,12 @@ index 2ce89fe9..ebf76c7f 100644 + int r, ok; + + if (!options.gss_authentication && !options.gss_keyex) -+ fatal("%s: GSSAPI not enabled", __func__); ++ fatal_f("GSSAPI not enabled"); + + if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 || + (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 || + (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + ok = ssh_gssapi_update_creds(&store); + @@ -2810,7 +2796,7 @@ index 2ce89fe9..ebf76c7f 100644 + + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, ok)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m); + @@ -2847,14 +2833,14 @@ index 001a8fa1..6edb509a 100644 int r, authenticated = 0; if ((m = sshbuf_new()) == NULL) - fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed"); + if ((r = sshbuf_put_u32(m, kex)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); mm_request_receive_expect(pmonitor->m_recvfd, @@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user) - debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); + debug3_f("user %sauthenticated", authenticated ? "" : "not "); return (authenticated); } + 
@@ -2866,16 +2852,16 @@ index 001a8fa1..6edb509a 100644 + int r; + + if ((m = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + if ((r = sshbuf_put_string(m, data->value, data->length)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m); + + if ((r = sshbuf_get_u32(m, &major)) != 0 || + (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + sshbuf_free(m); + @@ -2889,7 +2875,7 @@ index 001a8fa1..6edb509a 100644 + int r, ok; + + if ((m = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + + if ((r = sshbuf_put_cstring(m, + store->filename ? store->filename : "")) != 0 || @@ -2897,13 +2883,13 @@ index 001a8fa1..6edb509a 100644 + store->envvar ? store->envvar : "")) != 0 || + (r = sshbuf_put_cstring(m, + store->envval ? store->envval : "")) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m); + + if ((r = sshbuf_get_u32(m, &ok)) != 0) -+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "buffer error"); + + sshbuf_free(m); + @@ -3124,7 +3110,7 @@ index 70f5f73f..191575a1 100644 options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) @@ -531,6 +543,7 @@ typedef enum { - sHostKeyAlgorithms, + sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, + sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey, 
@@ -3246,14 +3232,14 @@ index 36180d07..70dd3665 100644 --- a/ssh-gss.h +++ b/ssh-gss.h @@ -1,6 +1,6 @@ - /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */ + /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions -@@ -61,10 +61,30 @@ +@@ -61,10 +61,34 @@ #define SSH_GSS_OIDTYPE 0x06 @@ -3273,8 +3259,12 @@ index 36180d07..70dd3665 100644 +#define KEX_GSS_C25519_SHA256_ID "gss-curve25519-sha256-" + +#define GSS_KEX_DEFAULT_KEX \ -+ KEX_GSS_GEX_SHA1_ID "," \ -+ KEX_GSS_GRP14_SHA1_ID ++ KEX_GSS_GRP14_SHA256_ID "," \ ++ KEX_GSS_GRP16_SHA512_ID "," \ ++ KEX_GSS_NISTP256_SHA256_ID "," \ ++ KEX_GSS_C25519_SHA256_ID "," \ ++ KEX_GSS_GRP14_SHA1_ID "," \ ++ KEX_GSS_GEX_SHA1_ID + typedef struct { char *filename; @@ -3328,7 +3318,7 @@ index 36180d07..70dd3665 100644 @@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); void ssh_gssapi_buildmic(struct sshbuf *, const char *, - const char *, const char *); + const char *, const char *, const struct sshbuf *); -int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); +int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); +OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); @@ -3378,7 +3368,7 @@ index 60de6087..db5c65bc 100644 +.It GSSAPITrustDns .It HashKnownHosts .It Host - .It HostbasedAuthentication + .It HostbasedAcceptedAlgorithms @@ -579,6 +585,8 @@ flag), (supported message integrity codes), .Ar kex @@ -3429,7 +3419,7 @@ diff --git a/ssh_config.5 b/ssh_config.5 index 06a32d31..3f490697 100644 --- a/ssh_config.5 
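Review bot: The reworked `GSS_KEX_DEFAULT_KEX` in ssh-gss.h now lists the SHA-256/SHA-512 methods first but still includes `gss-group14-sha1-` and `gss-gex-sha1-` at the tail, and nothing in the hunk records why the SHA-1 methods are kept. If they are retained for interoperability with older peers, say so above the macro: `/* SHA-1 based methods kept last for interoperability with older peers; drop them via GSSAPIKexAlgorithms if unwanted */`. The same list is repeated verbatim in the ssh_config.5 and sshd_config.5 hunks further down, so the three copies need to be kept in sync whenever the macro changes.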
+++ b/ssh_config.5 -@@ -766,10 +766,67 @@ The default is +@@ -766,10 +766,68 @@ The default is Specifies whether user authentication based on GSSAPI is allowed. The default is .Cm no . @@ -3492,8 +3482,9 @@ index 06a32d31..3f490697 100644 +.Ed +.Pp +The default is -+.Dq gss-gex-sha1-,gss-group14-sha1- . -+This option only applies to protocol version 2 connections using GSSAPI. ++.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, ++gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . ++This option only applies to connections using GSSAPI. .It Cm HashKnownHosts Indicates that .Xr ssh 1 @@ -3521,9 +3512,9 @@ index af00fb30..03bc87eb 100644 + xxx_host = host; xxx_hostaddr = hostaddr; - -@@ -206,6 +209,35 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) - compat_pkalg_proposal(options.hostkeyalgorithms); + xxx_conn_info = cinfo; +@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) + compat_pkalg_proposal(ssh, options.hostkeyalgorithms); } +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3532,12 +3523,19 @@ index af00fb30..03bc87eb 100644 + * client to the key exchange algorithm proposal */ + orig = myproposal[PROPOSAL_KEX_ALGS]; + -+ if (options.gss_server_identity) ++ if (options.gss_server_identity) { + gss_host = xstrdup(options.gss_server_identity); -+ else if (options.gss_trust_dns) ++ } else if (options.gss_trust_dns) { + gss_host = remote_hostname(ssh); -+ else ++ /* Fall back to specified host if we are using proxy command ++ * and can not use DNS on that socket */ ++ if (strcmp(gss_host, "UNKNOWN") == 0) { ++ free(gss_host); ++ gss_host = xstrdup(host); ++ } ++ } else { + gss_host = xstrdup(host); ++ } + + gss = ssh_gssapi_client_mechanisms(gss_host, + options.gss_client_identity, options.gss_kex_algorithms); 
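Review bot: The new GSSAPITrustDns fallback in ssh_kex2 tests `strcmp(gss_host, "UNKNOWN") == 0`, tying this code to the sentinel string remote_hostname() apparently returns when no DNS name is available, and the identical block is repeated in userauth_gssapi (the `@@ -716,12 +784,32 @@` hunk on sshconnect2.c further down). The hunk's comment mentions only the ProxyCommand case, but the fallback presumably triggers on any failed reverse lookup, so the comment should say that. Both sites would be easier to keep correct as one static helper with the sentinel documented once, as sketched below; ssh_kex2 continues outside the hunk.
```c
/* Pick the host name used to build the GSSAPI target principal. */
static char *
gss_target_host(struct ssh *ssh, const char *host)
{
	char *gss_host;

	if (options.gss_server_identity)
		return xstrdup(options.gss_server_identity);
	if (!options.gss_trust_dns)
		return xstrdup(host);
	gss_host = remote_hostname(ssh);
	/* remote_hostname() apparently reports "UNKNOWN" when no DNS name is
	 * available (e.g. under a ProxyCommand); use the user-supplied host. */
	if (strcmp(gss_host, "UNKNOWN") == 0) {
		free(gss_host);
		gss_host = xstrdup(host);
	}
	return gss_host;
}
/* … unchanged: ssh_kex2 up to the GSSAPI proposal block … */
	gss_host = gss_target_host(ssh, host);
```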
@@ -3576,7 +3574,7 @@ index af00fb30..03bc87eb 100644 +# endif +#endif /* WITH_OPENSSL */ ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; - ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client; + ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client; ssh->kex->verify_host_key=&verify_host_key_callback; +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3592,7 +3590,7 @@ index af00fb30..03bc87eb 100644 /* remove ext-info from the KEX proposals for rekeying */ myproposal[PROPOSAL_KEX_ALGS] = - compat_kex_proposal(options.kex_algorithms); + compat_kex_proposal(ssh, options.kex_algorithms); +#if defined(GSSAPI) && defined(WITH_OPENSSL) + /* repair myproposal after it was crumpled by the */ + /* ext-info removal above */ @@ -3604,7 +3602,7 @@ index af00fb30..03bc87eb 100644 + } +#endif if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) - fatal("kex_prop2buf: %s", ssh_err(r)); + fatal_r(r, "kex_prop2buf"); @@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); static int input_gssapi_token(int type, u_int32_t, struct ssh *); 
@@ -3626,18 +3624,25 @@ index af00fb30..03bc87eb 100644 {"gssapi-with-mic", userauth_gssapi, userauth_gssapi_cleanup, -@@ -716,12 +784,25 @@ userauth_gssapi(struct ssh *ssh) +@@ -716,12 +784,32 @@ userauth_gssapi(struct ssh *ssh) OM_uint32 min; int r, ok = 0; gss_OID mech = NULL; -+ char *gss_host; ++ char *gss_host = NULL; + -+ if (options.gss_server_identity) ++ if (options.gss_server_identity) { + gss_host = xstrdup(options.gss_server_identity); -+ else if (options.gss_trust_dns) ++ } else if (options.gss_trust_dns) { + gss_host = remote_hostname(ssh); -+ else ++ /* Fall back to specified host if we are using proxy command ++ * and can not use DNS on that socket */ ++ if (strcmp(gss_host, "UNKNOWN") == 0) { ++ free(gss_host); ++ gss_host = xstrdup(authctxt->host); ++ } ++ } else { + gss_host = xstrdup(authctxt->host); ++ } /* Try one GSSAPI method at a time, rather than sending them all at * once. */ @@ -3695,13 +3700,13 @@ index af00fb30..03bc87eb 100644 + } + + if ((b = sshbuf_new()) == NULL) -+ fatal("%s: sshbuf_new failed", __func__); ++ fatal_f("sshbuf_new failed"); + + ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service, -+ "gssapi-keyex"); ++ "gssapi-keyex", ssh->kex->session_id); + + if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) -+ fatal("%s: sshbuf_mutable_ptr failed", __func__); ++ fatal_f("sshbuf_mutable_ptr failed"); + gssbuf.length = sshbuf_len(b); + + if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { @@ -3715,7 +3720,7 @@ index af00fb30..03bc87eb 100644 + (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 || + (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 || + (r = sshpkt_send(ssh)) != 0) -+ fatal("%s: %s", __func__, ssh_err(r)); ++ fatal_fr(r, "parsing"); + + sshbuf_free(b); + gss_release_buffer(&ms, &mic); @@ -3732,11 +3737,11 @@ index 60b2aaf7..d92f03aa 100644 +++ b/sshd.c 
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) } - debug3("%s: sent %u hostkeys", __func__, nkeys); + debug3_f("sent %u hostkeys", nkeys); if (nkeys == 0) -- fatal("%s: no hostkeys", __func__); +- fatal_f("no hostkeys"); - if ((r = sshpkt_send(ssh)) != 0) -+ debug3("%s: no hostkeys", __func__); ++ debug3_f("no hostkeys"); + else if ((r = sshpkt_send(ssh)) != 0) sshpkt_fatal(ssh, r, "%s: send", __func__); sshbuf_free(buf); @@ -3753,7 +3758,7 @@ index 60b2aaf7..d92f03aa 100644 } @@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( - list_hostkey_types()); + ssh, list_hostkey_types()); +#if defined(GSSAPI) && defined(WITH_OPENSSL) + { @@ -3799,7 +3804,7 @@ index 60b2aaf7..d92f03aa 100644 + /* start key exchange */ if ((r = kex_setup(ssh, myproposal)) != 0) - fatal("kex_setup: %s", ssh_err(r)); + fatal_r(r, "kex_setup"); @@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh) # ifdef OPENSSL_HAS_ECC kex->kex[KEX_ECDH_SHA2] = kex_gen_server; @@ -3818,7 +3823,7 @@ index 60b2aaf7..d92f03aa 100644 +# endif +#endif /* WITH_OPENSSL */ kex->kex[KEX_C25519_SHA256] = kex_gen_server; - kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; + kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server; kex->load_host_public_key=&get_hostkey_public_by_type; diff --git a/sshd_config b/sshd_config index 19b7c91a..2c48105f 100644 @@ -3849,7 +3854,7 @@ index 70ccea44..f6b41a2f 100644 .It Cm GSSAPIStrictAcceptorCheck Determines whether to be strict about the identity of the GSSAPI acceptor a client authenticates against. -@@ -660,6 +665,31 @@ machine's default store. +@@ -660,6 +665,32 @@ machine's default store. This facility is provided to assist with operation on multi homed machines. The default is .Cm yes . 
@@ -3876,11 +3881,12 @@ index 70ccea44..f6b41a2f 100644 +.Ed +.Pp +The default is -+.Dq gss-gex-sha1-,gss-group14-sha1- . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HostbasedAcceptedKeyTypes - Specifies the key types that will be accepted for hostbased authentication - as a list of comma-separated patterns. ++.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, ++gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . ++This option only applies to connections using GSSAPI. + .It Cm HostbasedAcceptedAlgorithms + Specifies the signature algorithms that will be accepted for hostbased + authentication as a list of comma-separated patterns. diff --git a/sshkey.c b/sshkey.c index 57995ee6..fd5b7724 100644 --- a/sshkey.c diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch index 712f703bdb88f29ef9eabdcb55a8b5065104fa29..748ab48c7680f5fc20cc2659f0ec6fd594367146 100644 --- a/openssh-8.0p1-pkcs11-uri.patch +++ b/openssh-8.0p1-pkcs11-uri.patch @@ -48,7 +48,7 @@ index e7549470..4511f82a 100644 msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - ssh-pkcs11.o smult_curve25519_ref.o \ + ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \ - poly1305.o chacha.o cipher-chachapoly.o \ + poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \ ssh-ed25519.o digest-openssl.o digest-libc.o \ hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ @@ -289,6 +289,8 @@ clean: regressclean @@ -57,26 +57,26 @@ index e7549470..4511f82a 100644 rm -f regress/unittests/utf8/test_utf8$(EXEEXT) + rm -f regress/unittests/pkcs11/*.o + rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT) - rm -f regress/misc/kexfuzz/*.o - rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT) rm -f regress/misc/sk-dummy/*.o + rm -f regress/misc/sk-dummy/*.lo + rm -f regress/misc/sk-dummy/sk-dummy.so 
@@ -322,6 +324,8 @@ distclean: regressclean rm -f regress/unittests/match/test_match rm -f regress/unittests/utf8/*.o rm -f regress/unittests/utf8/test_utf8 + rm -f regress/unittests/pkcs11/*.o + rm -f regress/unittests/pkcs11/test_pkcs11 - rm -f regress/misc/kexfuzz/*.o - rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT) (cd openbsd-compat && $(MAKE) distclean) + if test -d pkg ; then \ + rm -fr pkg ; \ @@ -490,6 +494,7 @@ regress-prep: $(MKDIR_P) `pwd`/regress/unittests/kex $(MKDIR_P) `pwd`/regress/unittests/match $(MKDIR_P) `pwd`/regress/unittests/utf8 + $(MKDIR_P) `pwd`/regress/unittests/pkcs11 - $(MKDIR_P) `pwd`/regress/misc/kexfuzz $(MKDIR_P) `pwd`/regress/misc/sk-dummy [ -f `pwd`/regress/Makefile ] || \ + ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile @@ -617,6 +622,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \ regress/unittests/test_helper/libtest_helper.a \ -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) @@ -91,17 +91,17 @@ index e7549470..4511f82a 100644 + regress/unittests/test_helper/libtest_helper.a \ + -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) + - MISC_KEX_FUZZ_OBJS=\ - regress/misc/kexfuzz/kexfuzz.o \ - $(SKOBJS) + # These all need to be compiled -fPIC, so they are treated differently. + SK_DUMMY_OBJS=\ + regress/misc/sk-dummy/sk-dummy.lo \ @@ -655,6 +670,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \ regress/unittests/kex/test_kex$(EXEEXT) \ regress/unittests/match/test_match$(EXEEXT) \ regress/unittests/utf8/test_utf8$(EXEEXT) \ + regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \ - regress/misc/kexfuzz/kexfuzz$(EXEEXT) tests: file-tests t-exec interop-tests unit + echo all tests passed diff --git a/configure.ac b/configure.ac index b689db4b..98d3ce4f 100644 --- a/configure.ac 
@@ -568,8 +568,8 @@ index 4e56e110..2690ebeb 100644 REGRESS_FAIL_EARLY?= yes SUBDIR= test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion --SUBDIR+=authopt misc -+SUBDIR+=authopt misc pkcs11 +-SUBDIR+=authopt misc sshsig ++SUBDIR+=authopt misc sshsig pkcs11 .include diff --git a/regress/unittests/pkcs11/tests.c b/regress/unittests/pkcs11/tests.c @@ -807,7 +807,7 @@ index 00000000..b637cb13 +} + +void -+check_encode(char *source, size_t len, char *whitelist, char *expect) ++check_encode(char *source, size_t len, char *allow_list, char *expect) +{ + char *buf = NULL; + struct sshbuf *b; @@ -816,7 +816,7 @@ index 00000000..b637cb13 + TEST_START(buf); + free(buf); + -+ b = percent_encode(source, len, whitelist); ++ b = percent_encode(source, len, allow_list); + ASSERT_STRING_EQ(sshbuf_ptr(b), expect); + sshbuf_free(b); + TEST_DONE(); @@ -841,14 +841,14 @@ index 00000000..b637cb13 +static void +test_percent_encode(void) +{ -+ /* Without whitelist encodes everything (for CKA_ID) */ ++ /* Without allow list encodes everything (for CKA_ID) */ + check_encode("A*", 2, "", "%41%2A"); + check_encode("\x00", 1, "", "%00"); + check_encode("\x7F", 1, "", "%7F"); + check_encode("\x80", 1, "", "%80"); + check_encode("\xff", 1, "", "%FF"); + -+ /* Default whitelist encodes anything but safe letters */ ++ /* Default allow list encodes anything but safe letters */ + check_encode("test" "\x00" "0alpha", 11, PKCS11_URI_WHITELIST, + "test%000alpha"); + check_encode(" ", 1, PKCS11_URI_WHITELIST, @@ -920,9 +920,9 @@ index 8057eb1f..0c470e32 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -67,6 +67,7 @@ - #include "ssherr.h" #include "digest.h" #include "ssh-sk.h" + #include "sk-api.h" +#include "ssh-pkcs11-uri.h" /* argv0 */ 
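Review bot: The whitelist → allow_list rename stops at the check_encode() parameter and the two comments; the `PKCS11_URI_WHITELIST` macro passed to check_encode() in the same hunk keeps the old name, so tests.c now mixes both terms. If that macro lives in ssh-pkcs11-uri.h (its definition is not in this hunk), renaming it to something like `PKCS11_URI_ALLOW_LIST` in the same change would make the terminology consistent across the patch instead of half-migrated. If the macro is deliberately left alone for compatibility, a one-line comment at the first use saying so would stop the next reader from finishing the rename by accident.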
@@ -1045,9 +1045,9 @@ index 7eb6f0dc..27d8e4af 100644 + return NULL; + } + free(module_path); -+ if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) { ++ if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) { + verbose("refusing PKCS#11 provider \"%.100s\": " -+ "not whitelisted", canonical_provider); ++ "not allowed", canonical_provider); + pkcs11_uri_cleanup(uri); + return NULL; + } @@ -1075,31 +1075,31 @@ index 7eb6f0dc..27d8e4af 100644 + char *provider = NULL, *pin = NULL, *sane_uri = NULL; char **comments = NULL; int r, i, count = 0, success = 0, confirm = 0; - u_int seconds; + u_int seconds = 0; @@ -681,33 +743,28 @@ process_add_smartcard_key(SocketEntry *e) - goto send; - } + error_f("failed to parse constraints"); + goto send; } - if (realpath(provider, canonical_provider) == NULL) { - verbose("failed PKCS#11 add of \"%.100s\": realpath: %s", - provider, strerror(errno)); - goto send; - } -- if (match_pattern_list(canonical_provider, provider_whitelist, 0) != 1) { +- if (match_pattern_list(canonical_provider, allowed_providers, 0) != 1) { - verbose("refusing PKCS#11 add of \"%.100s\": " -- "provider not whitelisted", canonical_provider); +- "provider not allowed", canonical_provider); + + sane_uri = sanitize_pkcs11_provider(provider); + if (sane_uri == NULL) goto send; - } -- debug("%s: add %.100s", __func__, canonical_provider); +- debug_f("add %.100s", canonical_provider); + if (lifetime && !death) death = monotime() + lifetime; - count = pkcs11_add_provider(canonical_provider, pin, &keys, &comments); -+ debug("%s: add %.100s", __func__, sane_uri); ++ debug_f("add %.100s", sane_uri); + count = pkcs11_add_provider(sane_uri, pin, &keys, &comments); for (i = 0; i < count; i++) { k = keys[i]; 
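Review bot: `debug_f("add %.100s", sane_uri);` logs the serialised provider URI, and the same patch's URI parser accepts the PIN as a `pin-value` query attribute; unless sanitize_pkcs11_provider() strips pin-value when it rebuilds the string (its body is not in this hunk), the PIN lands in ssh-agent's debug output. The same concern applies to the later hunks that log the caller-supplied string verbatim before it is parsed — `debug_f("called, name = %s", name)` in the client file and the two `debug_f("called, provider_id = %s", provider_id)` lines in ssh-pkcs11.c — and to the provider_uri strings logged afterwards. Either serialise without pin-value before logging, or log only the module path and token label. Separately, `if (sane_uri == NULL) goto send;` is the only one-line conditional in the hunk; OpenSSH style puts the `goto send;` on its own line under the `if`.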
@@ -1147,8 +1147,8 @@ index 7eb6f0dc..27d8e4af 100644 goto send; - } -- debug("%s: remove %.100s", __func__, canonical_provider); -+ debug("%s: remove %.100s", __func__, sane_uri); +- debug_f("remove %.100s", canonical_provider); ++ debug_f("remove %.100s", sane_uri); for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) { nxt = TAILQ_NEXT(id, next); /* Skip file--based keys */ @@ -1165,7 +1165,7 @@ index 7eb6f0dc..27d8e4af 100644 + if (pkcs11_del_provider(sane_uri) == 0) success = 1; else - error("%s: pkcs11_del_provider failed", __func__); + error_f("pkcs11_del_provider failed"); send: free(provider); + free(sane_uri); @@ -1198,7 +1198,7 @@ index 8a0ffef5..ead8a562 100644 u_int nkeys, i; struct sshbuf *msg; -+ debug("%s: called, name = %s", __func__, name); ++ debug_f("called, name = %s", name); + if (fd < 0 && pkcs11_start_helper() < 0) return (-1); @@ -1207,7 +1207,7 @@ index 8a0ffef5..ead8a562 100644 *keysp = xcalloc(nkeys, sizeof(struct sshkey *)); if (labelsp) *labelsp = xcalloc(nkeys, sizeof(char *)); -+ debug("%s: nkeys = %u", __func__, nkeys); ++ debug_f("nkeys = %u", nkeys); for (i = 0; i < nkeys; i++) { /* XXX clean up properly instead of fatal() */ if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 || @@ -1216,7 +1216,7 @@ new file mode 100644 index 00000000..e1a7b4e0 --- /dev/null +++ b/ssh-pkcs11-uri.c -@@ -0,0 +1,421 @@ +@@ -0,0 +1,419 @@ +/* + * Copyright (c) 2017 Red Hat + * @@ -1342,7 +1342,7 @@ index 00000000..e1a7b4e0 +} + +struct sshbuf * -+percent_encode(const char *data, size_t length, const char *whitelist) ++percent_encode(const char *data, size_t length, const char *allow_list) +{ + struct sshbuf *b = NULL; + char tmp[4], *cp; 
@@ -1351,7 +1351,7 @@ index 00000000..e1a7b4e0 + if ((b = sshbuf_new()) == NULL) + return NULL; + for (i = 0; i < length; i++) { -+ cp = strchr(whitelist, data[i]); ++ cp = strchr(allow_list, data[i]); + /* if c is specified as '\0' pointer to terminator is returned !! */ + if (cp != NULL && *cp != '\0') { + if (sshbuf_put(b, &data[i], 1) != 0) @@ -1468,6 +1468,10 @@ index 00000000..e1a7b4e0 +void +pkcs11_uri_cleanup(struct pkcs11_uri *pkcs11) +{ ++ if (pkcs11 == NULL) { ++ return; ++ } ++ + free(pkcs11->id); + free(pkcs11->module_path); + free(pkcs11->token); @@ -1489,13 +1493,12 @@ index 00000000..e1a7b4e0 + size_t scheme_len = strlen(PKCS11_URI_SCHEME); + if (strlen(uri) < scheme_len || /* empty URI matches everything */ + strncmp(uri, PKCS11_URI_SCHEME, scheme_len) != 0) { -+ error("%s: The '%s' does not look like PKCS#11 URI", -+ __func__, uri); ++ error_f("The '%s' does not look like PKCS#11 URI", uri); + return -1; + } + + if (pkcs11 == NULL) { -+ error("%s: Bad arguments. The pkcs11 can't be null", __func__); ++ error_f("Bad arguments. The pkcs11 can't be null"); + return -1; + } + @@ -1506,7 +1509,7 @@ index 00000000..e1a7b4e0 + /* everything before ? */ + tok = strtok_r(str1, "?", &saveptr1); + if (tok == NULL) { -+ error("%s: pk11-path expected, got EOF", __func__); ++ error_f("pk11-path expected, got EOF"); + rv = -1; + goto out; + } 
@@ -1532,35 +1535,32 @@ index 00000000..e1a7b4e0 + case pId: + /* CKA_ID */ + if (pkcs11->id != NULL) { -+ verbose("%s: The id already set in the PKCS#11 URI", -+ __func__); ++ verbose_f("The id already set in the PKCS#11 URI"); + rv = -1; + goto out; + } + len = percent_decode(arg, &pkcs11->id); + if (len <= 0) { -+ verbose("%s: Failed to percent-decode CKA_ID: %s", -+ __func__, arg); ++ verbose_f("Failed to percent-decode CKA_ID: %s", arg); + rv = -1; + goto out; + } else + pkcs11->id_len = len; -+ debug3("%s: Setting CKA_ID = %s from PKCS#11 URI", -+ __func__, arg); ++ debug3_f("Setting CKA_ID = %s from PKCS#11 URI", arg); + break; + case pToken: + /* CK_TOKEN_INFO -> label */ + charptr = &pkcs11->token; + parse_string: + if (*charptr != NULL) { -+ verbose("%s: The %s already set in the PKCS#11 URI", -+ keywords[opcode].name, __func__); ++ verbose_f("The %s already set in the PKCS#11 URI", ++ keywords[opcode].name); + rv = -1; + goto out; + } + percent_decode(arg, charptr); -+ debug3("%s: Setting %s = %s from PKCS#11 URI", -+ __func__, keywords[opcode].name, *charptr); ++ debug3_f("Setting %s = %s from PKCS#11 URI", ++ keywords[opcode].name, *charptr); + break; + + case pObject: @@ -1580,8 +1580,7 @@ index 00000000..e1a7b4e0 + + default: + /* Unrecognized attribute in the URI path SHOULD be error */ -+ verbose("%s: Unknown part of path in PKCS#11 URI: %s", -+ __func__, tok); ++ verbose_f("Unknown part of path in PKCS#11 URI: %s", tok); + } + } + 
@@ -1604,32 +1603,31 @@ index 00000000..e1a7b4e0 + case pModulePath: + /* module-path is PKCS11Provider */ + if (pkcs11->module_path != NULL) { -+ verbose("%s: Multiple module-path attributes are" -+ "not supported the PKCS#11 URI", __func__); ++ verbose_f("Multiple module-path attributes are" ++ "not supported the PKCS#11 URI"); + rv = -1; + goto out; + } + percent_decode(arg, &pkcs11->module_path); -+ debug3("%s: Setting PKCS11Provider = %s from PKCS#11 URI", -+ __func__, pkcs11->module_path); ++ debug3_f("Setting PKCS11Provider = %s from PKCS#11 URI", ++ pkcs11->module_path); + break; + + case pPinValue: + /* pin-value */ + if (pkcs11->pin != NULL) { -+ verbose("%s: Multiple pin-value attributes are" -+ "not supported the PKCS#11 URI", __func__); ++ verbose_f("Multiple pin-value attributes are" ++ "not supported the PKCS#11 URI"); + rv = -1; + goto out; + } + percent_decode(arg, &pkcs11->pin); -+ debug3("%s: Setting PIN from PKCS#11 URI", __func__); ++ debug3_f("Setting PIN from PKCS#11 URI"); + break; + + default: + /* Unrecognized attribute in the URI query SHOULD be ignored */ -+ verbose("%s: Unknown part of query in PKCS#11 URI: %s", -+ __func__, tok); ++ verbose_f("Unknown part of query in PKCS#11 URI: %s", tok); + } + } +out: @@ -1723,7 +1721,7 @@ index a302c79c..879fe917 100644 }; int pkcs11_interactive = 0; -@@ -106,26 +114,63 @@ pkcs11_init(int interactive) +@@ -106,26 +114,61 @@ pkcs11_init(int interactive) * this is called when a provider gets unregistered. */ static void @@ -1736,8 +1734,7 @@ index a302c79c..879fe917 100644 - debug("pkcs11_provider_finalize: %p refcount %d valid %d", - p, p->refcount, p->valid); - if (!p->valid) -+ debug("%s: %p refcount %d valid %d", __func__, -+ m, m->refcount, m->valid); ++ debug_f("%p refcount %d valid %d", m, m->refcount, m->valid); + if (!m->valid) return; - for (i = 0; i < p->nslots; i++) { 
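Review bot: Both verbose_f() messages in this hunk concatenate `"Multiple module-path attributes are"` with `"not supported the PKCS#11 URI"`, which prints "arenot supported the PKCS#11 URI"; the rewrite to verbose_f() carried the defect over. Use `"Multiple module-path attributes are "` followed by `"not supported in the PKCS#11 URI"`, and the same for the pin-value message. Also, unlike the CKA_ID case earlier in this function, which fails the parse when percent_decode() returns `len <= 0`, the module-path and pin-value cases discard percent_decode()'s return value, so a malformed encoding is not reported; the enclosing switch and function continue outside this hunk.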
@@ -1765,11 +1762,11 @@ index a302c79c..879fe917 100644 +static void +pkcs11_module_unref(struct pkcs11_module *m) +{ -+ debug("%s: %p refcount %d", __func__, m, m->refcount); ++ debug_f("%p refcount %d", m, m->refcount); + if (--m->refcount <= 0) { + pkcs11_module_finalize(m); + if (m->valid) -+ error("%s: %p still valid", __func__, m); ++ error_f("%p still valid", m); + free(m->slotlist); + free(m->slotinfo); + free(m->module_path); @@ -1786,8 +1783,7 @@ index a302c79c..879fe917 100644 +static void +pkcs11_provider_finalize(struct pkcs11_provider *p) +{ -+ debug("%s: %p refcount %d valid %d", __func__, -+ p, p->refcount, p->valid); ++ debug_f("%p refcount %d valid %d", p, p->refcount, p->valid); + if (!p->valid) + return; + pkcs11_module_unref(p->module); @@ -1803,7 +1799,7 @@ index a302c79c..879fe917 100644 pkcs11_provider_unref(struct pkcs11_provider *p) { - debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount); -+ debug("%s: %p refcount %d", __func__, p, p->refcount); ++ debug_f("%p refcount %d", p, p->refcount); if (--p->refcount <= 0) { - if (p->valid) - error("pkcs11_provider_unref: %p still valid", p); @@ -1849,7 +1845,7 @@ index a302c79c..879fe917 100644 + int rv; + struct pkcs11_uri *uri; + -+ debug("%s: called, provider_id = %s", __func__, provider_id); ++ debug_f("called, provider_id = %s", provider_id); + + uri = pkcs11_uri_init(); + if (uri == NULL) @@ -1877,7 +1873,7 @@ index a302c79c..879fe917 100644 + char *provider_uri = pkcs11_uri_get(uri); - if ((p = pkcs11_provider_lookup(provider_id)) != NULL) { -+ debug3("%s(%s): called", __func__, provider_uri); ++ debug3_f("called with provider %s", provider_uri); + + if ((p = pkcs11_provider_lookup(provider_uri)) != NULL) { TAILQ_REMOVE(&pkcs11_providers, p, next); 
@@ -1973,7 +1969,7 @@ index a302c79c..879fe917 100644 si->token.label); - if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) { + if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL) { - debug("%s: no pin specified", __func__); + debug_f("no pin specified"); return (-1); /* bail out */ } } @@ -2155,12 +2151,13 @@ index a302c79c..879fe917 100644 if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); return (NULL); -@@ -717,18 +874,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -717,19 +874,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + * ensure that none of the others are zero length. * XXX assumes CKA_ID is always first. */ - if (key_attr[1].ulValueLen == 0 || +- if (key_attr[1].ulValueLen == 0 || - key_attr[2].ulValueLen == 0) { -+ key_attr[2].ulValueLen == 0 || ++ if (key_attr[2].ulValueLen == 0 || + key_attr[3].ulValueLen == 0) { error("invalid attribute length"); return (NULL); @@ -2255,12 +2252,13 @@ index a302c79c..879fe917 100644 if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); return (NULL); -@@ -838,18 +998,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -838,19 +998,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + * ensure that none of the others are zero length. * XXX assumes CKA_ID is always first. */ - if (key_attr[1].ulValueLen == 0 || +- if (key_attr[1].ulValueLen == 0 || - key_attr[2].ulValueLen == 0) { -+ key_attr[2].ulValueLen == 0 || ++ if (key_attr[2].ulValueLen == 0 || + key_attr[3].ulValueLen == 0) { error("invalid attribute length"); return (NULL); @@ -2290,7 +2288,7 @@ index a302c79c..879fe917 100644 error("BN_bin2bn failed"); goto fail; 
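Review bot: In the pkcs11_fetch_ecdsa_pubkey hunk the rebased check drops `key_attr[1].ulValueLen == 0` and tests only indices 2 and 3, directly under the upstream comment "ensure that none of the others are zero length"; the comment no longer describes what the code does. If index 1 is the label attribute this patch inserts and an empty label is deliberately tolerated, the patch should say so in the comment it now sits under, e.g. `/* CKA_ID is first, the label second and may be empty; the key material after it must not be. */`. The pkcs11_fetch_rsa_pubkey hunk below makes the identical change and needs the same adjustment.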
@@ -871,7 +1032,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, - fatal("%s: set key", __func__); + fatal_f("set key"); rsa_n = rsa_e = NULL; /* transferred */ - if (pkcs11_rsa_wrap(p, slotidx, &key_attr[0], rsa)) @@ -2502,7 +2500,7 @@ index a302c79c..879fe917 100644 int ret = -1; struct pkcs11_provider *p = NULL; void *handle = NULL; -@@ -1484,165 +1670,301 @@ pkcs11_register_provider(char *provider_id, char *pin, +@@ -1484,164 +1670,298 @@ pkcs11_register_provider(char *provider_id, char *pin, CK_FUNCTION_LIST *f = NULL; CK_TOKEN_INFO *token; CK_ULONG i; @@ -2516,7 +2514,7 @@ index a302c79c..879fe917 100644 +#ifdef PKCS11_DEFAULT_PROVIDER + provider_module = strdup(PKCS11_DEFAULT_PROVIDER); +#else -+ error("%s: No module path provided", __func__); ++ error_f("No module path provided"); goto fail; - *providerp = NULL; - @@ -2530,16 +2528,14 @@ index a302c79c..879fe917 100644 + } - if (pkcs11_provider_lookup(provider_id) != NULL) { -- debug("%s: provider already registered: %s", -- __func__, provider_id); +- debug_f("provider already registered: %s", provider_id); - goto fail; + p = xcalloc(1, sizeof(*p)); + p->name = pkcs11_uri_get(uri); + + if ((m = pkcs11_provider_lookup_module(provider_module)) != NULL + && m->valid) { -+ debug("%s: provider module already initialized: %s", -+ __func__, provider_module); ++ debug_f("provider module already initialized: %s", provider_module); + free(provider_module); + /* Skip the initialization of PKCS#11 module */ + m->refcount++; 
@@ -2599,8 +2595,8 @@ index a302c79c..879fe917 100644 + rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID)); + if (uri->lib_manuf != NULL && + strcmp(uri->lib_manuf, m->info.manufacturerID)) { -+ debug("%s: Skipping provider %s not matching library_manufacturer", -+ __func__, m->info.manufacturerID); ++ debug_f("Skipping provider %s not matching library_manufacturer", ++ m->info.manufacturerID); + goto fail; + } + rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription)); @@ -2628,9 +2624,8 @@ index a302c79c..879fe917 100644 } - if (p->nslots == 0) { + if (m->nslots == 0) { - debug("%s: provider %s returned no slots", __func__, -- provider_id); -+ provider_module); +- debug_f("provider %s returned no slots", provider_id); ++ debug_f("provider %s returned no slots", provider_module); ret = -SSH_PKCS11_ERR_NO_SLOTS; goto fail; } @@ -2657,8 +2652,8 @@ index a302c79c..879fe917 100644 + if ((rv = f->C_GetTokenInfo(m->slotlist[i], token)) != CKR_OK) { error("C_GetTokenInfo for provider %s slot %lu " -- "failed: %lu", provider_id, (unsigned long)i, rv); -+ "failed: %lu", provider_module, (unsigned long)i, rv); +- "failed: %lu", provider_id, (u_long)i, rv); ++ "failed: %lu", provider_module, (u_long)i, rv); + token->flags = 0; continue; } 
@@ -2722,29 +2717,30 @@ index a302c79c..879fe917 100644 + } + + provider_uri = pkcs11_uri_get(uri); ++ if (pin == NULL && uri->pin != NULL) { ++ pin = uri->pin; ++ } + nkeys = 0; + for (i = 0; i < p->module->nslots; i++) { + token = &p->module->slotinfo[i].token; if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) { - debug2("%s: ignoring uninitialised token in " - "provider %s slot %lu", __func__, -- provider_id, (unsigned long)i); -+ provider_uri, (unsigned long)i); + debug2_f("ignoring uninitialised token in " +- "provider %s slot %lu", provider_id, (u_long)i); ++ "provider %s slot %lu", provider_uri, (u_long)i); + continue; + } + if (uri->token != NULL && + strcmp(token->label, uri->token) != 0) { -+ debug2("%s: ignoring token not matching label (%s) " -+ "specified by PKCS#11 URI in slot %lu", __func__, ++ debug2_f("ignoring token not matching label (%s) " ++ "specified by PKCS#11 URI in slot %lu", + token->label, (unsigned long)i); + continue; + } + if (uri->manuf != NULL && + strcmp(token->manufacturerID, uri->manuf) != 0) { -+ debug2("%s: ignoring token not matching requrested " ++ debug2_f("ignoring token not matching requrested " + "manufacturerID (%s) specified by PKCS#11 URI in " -+ "slot %lu", __func__, -+ token->manufacturerID, (unsigned long)i); ++ "slot %lu", token->manufacturerID, (unsigned long)i); continue; } - rmspace(token->label, sizeof(token->label)); @@ -2757,9 +2753,6 @@ index a302c79c..879fe917 100644 + provider_uri, (unsigned long)i, token->label, token->manufacturerID, token->model, token->serialNumber, token->flags); -+ if (pin == NULL && uri->pin != NULL) { -+ pin = uri->pin; -+ } /* - * open session, login with pin and retrieve public - * keys (if keyp is provided) 
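Review bot: The new-side line `debug2_f("ignoring token not matching requrested "` misspells "requested"; since it is rewritten in this hunk anyway, fix it here: `debug2_f("ignoring token not matching requested "`. That message and the label message cast the slot index as `(unsigned long)i` while the "ignoring uninitialised token" message two lines earlier was switched to `(u_long)i`; the three should agree. Hoisting `pin = uri->pin` ahead of the slot loop appears to rely on the matching `pin = NULL` being moved after the loop in the next hunk; a short comment at the assignment, `/* PIN is owned by uri; reset pin to NULL after the slot loop, before cleanup */`, would keep a later edit from reintroducing the per-slot reset.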
@@ -2783,8 +2776,7 @@ index a302c79c..879fe917 100644 * expose keys. */ - if (pkcs11_login_slot(p, &p->slotinfo[i], -+ debug3("%s: Trying to login as there were no keys found", -+ __func__); ++ debug3_f("Trying to login as there were no keys found"); + if (pkcs11_login_slot(p, &p->module->slotinfo[i], CKU_USER) < 0) { error("login failed"); @@ -2796,8 +2788,8 @@ index a302c79c..879fe917 100644 + pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri); + } + if (nkeys == 0 && uri->object != NULL) { -+ debug3("%s: No keys found. Retrying without label (%s) ", -+ __func__, uri->object); ++ debug3_f("No keys found. Retrying without label (%s) ", ++ uri->object); + /* Try once more without the label filter */ + char *label = uri->object; + uri->object = NULL; /* XXX clone uri? */ @@ -2805,8 +2797,8 @@ index a302c79c..879fe917 100644 + pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri); + uri->object = label; } -+ pin = NULL; /* Will be cleaned up with URI */ } ++ pin = NULL; /* Will be cleaned up with URI */ /* now owned by caller */ *providerp = p; @@ -2830,6 +2822,8 @@ index a302c79c..879fe917 100644 } - if (handle) - dlclose(handle); + if (ret > 0) + ret = -1; return (ret); } @@ -2844,7 +2838,7 @@ index a302c79c..879fe917 100644 + struct pkcs11_uri *uri = NULL; + int r; + -+ debug("%s: called, provider_id = %s", __func__, provider_id); ++ debug_f("called, provider_id = %s", provider_id); + + uri = pkcs11_uri_init(); + if (uri == NULL) @@ -2870,12 +2864,11 @@ index a302c79c..879fe917 100644 +pkcs11_add_provider_by_uri(struct pkcs11_uri *uri, char *pin, + struct sshkey ***keyp, char ***labelsp) { -- struct pkcs11_provider *p = NULL; + struct pkcs11_provider *p = NULL; int nkeys; -+ struct pkcs11_provider *p = NULL; + char *provider_uri = pkcs11_uri_get(uri); + -+ debug("%s: called, provider_uri = %s", __func__, provider_uri); ++ debug_f("called, provider_uri = %s", provider_uri); - nkeys = pkcs11_register_provider(provider_id, pin, keyp, labelsp, - &p, CKU_USER); 
@@ -2884,11 +2877,11 @@ index a302c79c..879fe917 100644 /* no keys found or some other error, de-register provider */ if (nkeys <= 0 && p != NULL) { @@ -1652,7 +1974,37 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp, + pkcs11_provider_unref(p); } if (nkeys == 0) - debug("%s: provider %s returned no keys", __func__, -- provider_id); -+ provider_uri); +- debug_f("provider %s returned no keys", provider_id); ++ debug_f("provider %s returned no keys", provider_uri); + + free(provider_uri); + return nkeys; @@ -2922,26 +2915,6 @@ index a302c79c..879fe917 100644 return (nkeys); } -@@ -1674,7 +2026,7 @@ pkcs11_gakp(char *provider_id, char *pin, unsigned int slotidx, char *label, - - if ((p = pkcs11_provider_lookup(provider_id)) != NULL) - debug("%s: provider \"%s\" available", __func__, provider_id); -- else if ((ret = pkcs11_register_provider(provider_id, pin, NULL, NULL, -+ else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL, - &p, CKU_SO)) < 0) { - debug("%s: could not register provider %s", __func__, - provider_id); -@@ -1746,8 +2098,8 @@ pkcs11_destroy_keypair(char *provider_id, char *pin, unsigned long slotidx, - - if ((p = pkcs11_provider_lookup(provider_id)) != NULL) { - debug("%s: using provider \"%s\"", __func__, provider_id); -- } else if (pkcs11_register_provider(provider_id, pin, NULL, NULL, &p, -- CKU_SO) < 0) { -+ } else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL, -+ &p, CKU_SO)) < 0) { - debug("%s: could not register provider %s", __func__, - provider_id); - goto out; diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h index 81f1d7c5..feaf74de 100644 --- a/ssh-pkcs11.h @@ -2987,7 +2960,7 @@ index 15aee569..976844cb 100644 + pkcs11_terminate(); skip_connect: - exit_status = ssh_session2(ssh, pw); + exit_status = ssh_session2(ssh, cinfo); @@ -2076,6 +2085,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw) options.escape_char : SSH_ESCAPECHAR_NONE, id); } 
@@ -3033,7 +3006,7 @@ index 15aee569..976844cb 100644 + /* Loads all IdentityFile and CertificateFile keys */ static void - load_public_identity_files(struct passwd *pw) + load_public_identity_files(const struct ssh_conn_info *cinfo) @@ -2090,11 +2138,6 @@ load_public_identity_files(struct passwd *pw) char *certificate_files[SSH_MAX_CERTIFICATE_FILES]; struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES]; @@ -3109,9 +3082,9 @@ index 15aee569..976844cb 100644 + } +#endif /* ENABLE_PKCS11 */ + cp = tilde_expand_filename(name, getuid()); - filename = percent_expand(cp, "d", pw->pw_dir, - "u", pw->pw_name, "l", thishost, "h", host, - "r", options.user, (char *)NULL); + filename = default_client_percent_dollar_expand(cp, cinfo); + free(cp); + check_load(sshkey_load_public(filename, &public, NULL), diff --git a/ssh_config.5 b/ssh_config.5 index 06a32d31..4b2763bd 100644 --- a/ssh_config.5 diff --git a/openssh-8.2p1-visibility.patch b/openssh-8.2p1-visibility.patch index 2f0b191c7c091f5bc7922dc96b91ca433459714f..89c35ef64de14194be1c4622c3cf77d3f98dcb6a 100644 --- a/openssh-8.2p1-visibility.patch +++ b/openssh-8.2p1-visibility.patch @@ -26,7 +26,7 @@ index dca158de..afdcb1d2 100644 -int +int __attribute__((visibility("default"))) - sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, + sk_sign(uint32_t alg, const uint8_t *data, size_t datalen, const char *application, const uint8_t *key_handle, size_t key_handle_len, uint8_t flags, const char *pin, struct sk_option **options, @@ -518,7 +518,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len, diff --git a/openssh-8.2p1.tar.gz b/openssh-8.2p1.tar.gz deleted file mode 100644 index 056b7af039a5e9ededcf29b824a1657cf98f9cf6..0000000000000000000000000000000000000000 Binary files a/openssh-8.2p1.tar.gz and /dev/null differ 
diff --git a/openssh-8.2p1.tar.gz.asc b/openssh-8.2p1.tar.gz.asc deleted file mode 100644 index a28fad95614e976c0b0de0ed27019a55e617e031..0000000000000000000000000000000000000000 --- a/openssh-8.2p1.tar.gz.asc +++ /dev/null @@ -1,14 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQHDBAABCgAdFiEEWcIRjtIG2SfmZ+vj0+X1a22SDTAFAl5F7e8ACgkQ0+X1a22S -DTBoGQx+Lw7zBdx+GFg4T5uDbpN3zXcscEvPRfKCP07WGVnQsSOqbfa9v0coSnAK -thE0R1iVr/uwFQ+MsgUWFWUQ4yWmKCiIFrnmuX8rqtN3NJBa2PG2mUGi/eAYsctW -ZFPT2B9Is264TWi94/p1dQaDM7tFxqtsLePvq+hPY5IFOu5y5bpEMFCXFHC1TNko -nY3dP2ij3IVjeBSEfotjbE04EUaoOlLh8g65vZV1vQDSIMHoqZ9cWmdtdonK8BNf -ql2JU5RM5+NJk69quQM6RruDfJ6W0XelDaO286u33Loyl1mDAXXT6z8ooSipryHF -OcM2FYUgI42GLfrmpqOsUD0z6GHcUpHWD30wlQkPwX7VWRWQlXORUnVwRTF94TFs -nMOvFOWn7oCn5SVwZXBWitgZ6DGzVdsi1E7WZZZlSbxFgXMFYqCqKL1+dSlcN66l -lRlC/kldYgeRV+OwCM0MPHok77A8W+nwNxWMj56HNnUMJXm3rZTs1MKmKKLfksEr -PlC6zMmFgClq6RayKqHwp14bwAxqsg== -=t8DJ ------END PGP SIGNATURE----- diff --git a/openssh-8.5p1.tar.gz b/openssh-8.5p1.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..7b245d8411bf4b9aec6190f3ad23ffad8f5587de Binary files /dev/null and b/openssh-8.5p1.tar.gz differ diff --git a/openssh-8.5p1.tar.gz.asc b/openssh-8.5p1.tar.gz.asc new file mode 100644 index 0000000000000000000000000000000000000000..b4bba50b0b8b016fd879a823b73e3bbef44d9794 --- /dev/null +++ b/openssh-8.5p1.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmA+KhcACgkQKj9BTnNg +YLrjww//RK2Sx9pdtk9HcRT5tbVaeR/JKUbI+lc1Y7Mdgf3wMQbd79TPNBgXuPxu +lMNEELsB8Jdp4SzVw5Hd03XgT1Vbk394dqdBb0qIauDsIOr9lnl8PnbXnVDTdp42 +wUODH6l9R67LgSUQAnmrg62nh+qrWyVh1L3FhgMpxUO6E/q4I9lG7KWStGzC+yRX +vDbu9YUCALkKSM4G4QT2pe7qqex4Cbh7CD4UF5CJga2wQECd114WJpQPCUkbr7vk +4jVaNEA189VIqHx+pUT+ww7czYb4is8wYcsvJoHIivkFV4CnPoIj90F314ES5QlL +u221lwHqjwLArqYCoQxTGFDsg8/ev+yNG4Gpq41uYvLvWIgSDI3wt89kuFkYXqRL +HQgu6U2ij+jiBnFnwq6WLl0UCCKG+djS8SPT9O/x9jONuoUiyZ9ddL3KyLc4vfBJ +bAXJZBB1VEjs5MgFSU72vzBIswAvg8TPyLAGhUXHwiBPqd1zsHpOcPZKMpnO0z/+ +Gq+Kb3CnFSpB7uNvpkdvsQKCwfseKYYlByrz/noiUwbls42twF0Me01+SK8MFSxH +aLRFumWW7Rr4I3sF68wQQGYOr5aMi3W9UyEVwAWfUauAVKUm6fmgkFC6Kw7S4A1q +Pr5MzYIGZNr8u31mpL9FFC548aVJfX7qAv/HI5tIi8BvXNxBJOk= +=lwBE +-----END PGP SIGNATURE----- diff --git a/openssh.spec b/openssh.spec index d1ee182c0b96b4a25c6fa5b7794efbbf96ecd285..90d8fab00f12e5971ed0760c43e1c80214f453a6 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,17 +6,17 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 10 +%global openssh_release 1 Name: openssh -Version: 8.2p1 +Version: 8.5p1 Release: %{openssh_release} URL: http://www.openssh.com/portable.html License: BSD Summary: An open source implementation of SSH protocol version 2 -Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz -Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc +Source0: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz +Source1: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source2: sshd.pam Source4: http://prdownloads.sourceforge.net/pamsshagentauth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.tar.bz2 Source5: pam_ssh_agent-rmheaders 
@@ -27,8 +27,9 @@ Source10: sshd.socket Source11: sshd.service Source12: sshd-keygen@.service Source13: sshd-keygen -Source14: sshd.tmpfiles +Source14: ssh-agent.service Source15: sshd-keygen.target + Patch0: openssh-6.7p1-coverity.patch Patch1: openssh-7.6p1-audit.patch Patch2: openssh-7.1p2-audit-race-condition.patch @@ -40,7 +41,6 @@ Patch7: pam_ssh_agent_auth-0.10.2-compat.patch Patch8: pam_ssh_agent_auth-0.10.2-dereference.patch Patch9: openssh-7.8p1-role-mls.patch Patch10: openssh-6.6p1-privsep-selinux.patch -Patch11: openssh-6.7p1-ldap.patch Patch12: openssh-6.6p1-keycat.patch Patch13: openssh-6.6p1-allow-ip-opts.patch Patch14: openssh-6.6p1-keyperm.patch @@ -50,11 +50,8 @@ Patch17: openssh-7.2p2-x11.patch Patch18: openssh-7.7p1-fips.patch Patch19: openssh-5.1p1-askpass-progress.patch Patch20: openssh-4.3p2-askpass-grab-info.patch -Patch21: openssh-7.7p1.patch Patch22: openssh-7.8p1-UsePAM-warning.patch Patch23: openssh-6.3p1-ctr-evp-fast.patch -Patch24: openssh-6.6p1-ctr-cavstest.patch -Patch25: openssh-6.7p1-kdf-cavs.patch Patch26: openssh-8.0p1-gssapi-keyex.patch Patch27: openssh-6.6p1-force_krb.patch Patch28: openssh-6.6p1-GSSAPIEnablek5users.patch @@ -74,7 +71,6 @@ Patch41: openssh-7.6p1-cleanup-selinux.patch Patch42: openssh-7.5p1-sandbox.patch Patch43: openssh-8.0p1-pkcs11-uri.patch Patch44: openssh-7.8p1-scp-ipv6.patch -Patch45: openssh-7.9p1-ssh-copy-id.patch Patch46: openssh-8.0p1-crypto-policies.patch Patch47: openssh-8.0p1-openssl-evp.patch Patch48: openssh-8.0p1-openssl-kdf.patch 
@@ -86,20 +82,19 @@ Patch53: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch Patch54: bugfix-openssh-fix-sftpserver.patch Patch55: bugfix-debug3-to-verbose-in-command.patch Patch56: set-sshd-config.patch -Patch57: CVE-2020-12062-1.patch -Patch58: CVE-2020-12062-2.patch -Patch59: upstream-expose-vasnmprintf.patch -Patch60: CVE-2020-14145.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 Requires: openssh-server = %{version}-%{release} %{name}-help -BuildRequires: gtk2-devel libX11-devel openldap-devel autoconf automake perl-interpreter perl-generators +BuildRequires: gtk2-devel libX11-devel autoconf automake perl-interpreter perl-generators BuildRequires: zlib-devel audit-libs-devel >= 2.0.5 util-linux groff pam-devel fipscheck-devel >= 1.3.0 BuildRequires: openssl-devel >= 0.9.8j perl-podlators systemd-devel gcc p11-kit-devel krb5-devel BuildRequires: libedit-devel ncurses-devel libselinux-devel >= 2.3-5 audit-libs >= 1.0.8 xauth gnupg2 +Obsoletes: openssh-ldap < 8.5p1-1 +Obsoletes: openssh-cavs < 8.5p1-1 + Recommends: p11-kit %package clients @@ -117,10 +112,6 @@ Requires: fipscheck-lib%{_isa} >= 1.3.0 Requires: crypto-policies >= 20180306-1 %{?systemd_requires} -%package ldap -Summary: A LDAP support for open source SSH server daemon -Requires: openssh = %{version}-%{release} - %package keycat Summary: A mls keycat backend for openssh Requires: openssh = %{version}-%{release} @@ -131,14 +122,10 @@ Requires: openssh = %{version}-%{release} Obsoletes: openssh-askpass-gnome Provides: openssh-askpass-gnome -%package cavs -Summary: CAVS tests for FIPS validation -Requires: openssh = %{version}-%{release} - %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: 0.10.3 -Release: 9.%{openssh_release} +Release: 10.%{openssh_release} License: BSD %description 
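Review bot: Dropping the CVE-2020-12062-1, CVE-2020-12062-2 and CVE-2020-14145 patch entries is only safe if the 8.5p1 tarball carries the corresponding upstream fixes, and nothing in this hunk records that. The %changelog is outside this hunk; an entry there stating that these patches are upstream as of 8.5p1 would document why they disappear rather than leaving it to be rediscovered at the next CVE audit. The new `Obsoletes: openssh-ldap` / `openssh-cavs` lines are consistent with the subpackage removals below.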
@@ -158,10 +145,6 @@ into and executing commands on a remote machine. This package contains the secure shell daemon (sshd). The sshd daemon allows SSH clients to securely connect to your SSH server. -%description ldap -OpenSSH LDAP backend is a way how to distribute the authorized tokens -among the servers in the network. - %description keycat OpenSSH mls keycat is backend for using the authorized keys in the openssh in the mls mode. @@ -171,10 +154,6 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package contains an X11 passphrase dialog for OpenSSH. -%description cavs -This package contains test binaries and scripts to make FIPS validation -easier. Now contains CTR and KDF CAVS test driver. - %description -n pam_ssh_agent_auth Provides PAM module for the use of authentication with ssh-agent. Through the use of the\ forwarding of ssh-agent connection it also allows to authenticate with remote ssh-agent \ @@ -198,7 +177,6 @@ popd %patch9 -p1 -b .role-mls %patch10 -p1 -b .privsep-selinux -%patch11 -p1 -b .ldap %patch12 -p1 -b .keycat %patch13 -p1 -b .ip-opts %patch14 -p1 -b .keyperm @@ -207,11 +185,8 @@ popd %patch17 -p1 -b .x11 %patch19 -p1 -b .progress %patch20 -p1 -b .grab-info -%patch21 -p1 %patch22 -p1 -b .log-usepam-no %patch23 -p1 -b .evp-ctr -%patch24 -p1 -b .ctr-cavs -%patch25 -p1 -b .kdf-cavs %patch26 -p1 -b .gsskex %patch27 -p1 -b .force_krb %patch29 -p1 -b .ccache_name @@ -231,7 +206,6 @@ popd %patch42 -p1 -b .sandbox %patch43 -p1 -b .pkcs11-uri %patch44 -p1 -b .scp-ipv6 -%patch45 -p1 -b .ssh-copy-id %patch46 -p1 -b .crypto-policies %patch47 -p1 -b .openssl-evp %patch48 -p1 -b .openssl-kdf @@ -243,15 +217,11 @@ popd %patch50 -p1 %patch51 -p1 -%patch52 -p1 -%patch53 -p1 -%patch54 -p1 +#%patch52 -p1 +#%patch53 -p1 +#%patch54 -p1 %patch55 -p1 %patch56 -p1 -%patch57 -p1 -%patch58 -p1 -%patch59 -p1 -%patch60 -p1 autoreconf pushd pam_ssh_agent_auth-0.10.3 
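Review bot: `#%patch52 -p1` and the two lines after it do not disable those patches: rpmbuild expands macros inside comments, and %patch expands to more than one shell line, so only the first expanded line ends up behind the `#` and the patch is very likely still applied (rpmbuild warns about macros expanded in comments for exactly this reason). Write `#%%patch52 -p1` to neutralise the macro, or delete the three lines together with the Patch52–Patch54 declarations (Patch53 and Patch54 are still declared in the earlier hunk; Patch52 presumably sits just above them). If the intent is a temporary disable for the 8.5p1 rebase, a comment saying why the sftp-server patches are off would help whoever re-enables them.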
@@ -291,11 +261,11 @@ fi --sysconfdir=%{_sysconfdir}/ssh --libexecdir=%{_libexecdir}/openssh \ --datadir=%{_datadir}/openssh --with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \ - --with-privsep-path=%{_var}/empty/sshd --disable-strip \ + --with-privsep-path=%{_datadir}/empty.sshd --disable-strip \ --without-zlib-version-check --with-ssl-engine --with-ipaddr-display \ --with-pie=no --without-hardening --with-systemd --with-default-pkcs11-provider=yes \ - --with-ldap --with-pam --with-selinux --with-audit=linux --with-sandbox=seccomp_filter \ - --with-kerberos5${krb5_prefix:+=${krb5_prefix}} --with-libedit + --with-pam --with-selinux --with-audit=linux --with-sandbox=seccomp_filter \ + --with-kerberos5${krb5_prefix:+=${krb5_prefix}} --with-libedit --with-security-key-buildin=yes make gtk2=yes @@ -332,14 +302,10 @@ make tests %install mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh -mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh -mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd %make_install -rm -f $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ldap.conf - install -d $RPM_BUILD_ROOT/etc/pam.d/ install -d $RPM_BUILD_ROOT/etc/sysconfig/ install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh 
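Review bot: `--with-security-key-buildin=yes` does not match the option OpenSSH's configure script defines, which is spelled `--with-security-key-builtin`; autoconf only prints a warning for an unrecognised `--with-*` option, so the build would succeed without the built-in FIDO/U2F support this line is evidently meant to enable, and the ssh-sk-helper listed under `%files clients` would be built without it. Change the line to `--with-security-key-builtin=yes`, and consider adding `--enable-option-checking=fatal` so a misspelt option fails the build instead of silently dropping a feature.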
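Review bot: Removing `mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d` here (together with the `05-redhat.conf` entry deleted from `%files clients` further down) leaves no package owning /etc/ssh/ssh_config.d, while the ssh_config shipped by set-sshd-config.patch in this same commit ends with `Include /etc/ssh/ssh_config.d/*.conf`. ssh tolerates a glob that matches nothing, but administrators who follow the Include will end up with an unowned, unverifiable directory under /etc/ssh. Keep the mkdir and add `%dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d` to `%files clients`, or drop the Include from ssh_config.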
@@ -347,18 +313,20 @@ install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd -install -m644 ssh_config_redhat $RPM_BUILD_ROOT/etc/ssh/ssh_config.d/05-redhat.conf install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target +install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir} +install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass +install -d -m711 $RPM_BUILD_ROOT/%{_datadir}/empty.sshd ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/ @@ -378,7 +346,7 @@ getent group ssh_keys >/dev/null || groupadd -r ssh_keys || : getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || : getent passwd sshd >/dev/null || \ useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \ - -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || : + -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || : %post server %systemd_post sshd.service sshd.socket 
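Review bot: `install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service` reuses the source number that the line two above already installs as sshd-keygen.target, so whichever file Source15 is, one of the two units is installed with the wrong contents; the ssh-agent.service added as a new file in this commit presumably has its own `SourceN:` declaration outside this chunk. Change the line to `install -m644 %{SOURCE<ssh-agent-source-number>} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service`, and the `Source` list should be checked for a duplicate `Source15:`. The new `install -d -m711 $RPM_BUILD_ROOT/%{_datadir}/empty.sshd` is consistent with the 0711 `%dir` entry in `%files server` and the useradd home in the next hunk.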
@@ -403,7 +371,6 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_libdir}/fipscheck/ssh.hmac %attr(0755,root,root) %{_bindir}/scp %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config.d/05-redhat.conf %attr(0755,root,root) %{_bindir}/ssh-agent %attr(0755,root,root) %{_bindir}/ssh-add %attr(0755,root,root) %{_bindir}/ssh-keyscan @@ -411,9 +378,10 @@ getent passwd sshd >/dev/null || \ %attr(0755,root,root) %{_bindir}/ssh-copy-id %attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper +%attr(0644,root,root) %{_userunitdir}/ssh-agent.service %files server -%dir %attr(0711,root,root) %{_var}/empty/sshd +%dir %attr(0711,root,root) %{_datadir}/empty.sshd %attr(0755,root,root) %{_sbindir}/sshd %attr(0644,root,root) %{_libdir}/fipscheck/sshd.hmac %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server @@ -428,10 +396,6 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_unitdir}/sshd-keygen.target %attr(0644,root,root) %{_tmpfilesdir}/openssh.conf -%files ldap -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper - %files keycat %attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat %attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat 
@@ -441,19 +405,13 @@ getent passwd sshd >/dev/null || \ %attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass -%files cavs -%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl - %files -n pam_ssh_agent_auth %license pam_ssh_agent_auth-0.10.3/OPENSSH_LICENSE %attr(0755,root,root) %{_libdir}/security/pam_ssh_agent_auth.so %attr(0644,root,root) %{_mandir}/man8/pam_ssh_agent_auth.8* %files help -%doc ChangeLog OVERVIEW PROTOCOL* README README.privsep README.tun README.dns TODO openssh-lpk-openldap.schema -%doc openssh-lpk-sun.schema ldap.conf openssh-lpk-openldap.ldif openssh-lpk-sun.ldif HOWTO.ssh-keycat HOWTO.ldap-keys +%doc ChangeLog OVERVIEW PROTOCOL* README README.privsep README.tun README.dns TODO HOWTO.ssh-keycat %attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0644,root,root) %{_mandir}/man1/ssh*.1* %attr(0644,root,root) %{_mandir}/man1/sftp.1* @@ -464,6 +422,12 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Mon Apr 19 2021 majun - 8.5P1-1 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:update to openssh-8.5p1 + * Tue Jan 12 2021 yuboyun - 8.2P1-10 - Type:cves - ID:CVE-2020-14145 diff --git a/set-sshd-config.patch b/set-sshd-config.patch index 9fe193dd40280007afb428bfb951047733b8ece9..3cbffdddb3292e9beef33d7d62f214f4fd9fc27a 100644 --- a/set-sshd-config.patch +++ b/set-sshd-config.patch 
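Review bot: The new changelog entry records `- ID:NA` although this commit stops applying CVE-2020-12062-1.patch, CVE-2020-12062-2.patch and CVE-2020-14145.patch (the deleted `Patch57:`–`Patch60:` lines in the first hunk). If those fixes are contained in the 8.5p1 source the entry should say so, e.g. `- ID:NA (CVE-2020-12062 and CVE-2020-14145 backports dropped; covered by the 8.5p1 rebase)`, so that scanners and reviewers matching on changelog text do not report the package as unpatched; if they are not contained upstream, the patches need rebasing rather than removal.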
@@ -1,17 +1,36 @@ -From 8f2d1c4f30dd88e36ed4c9b5771c92c878378125 Mon Sep 17 00:00:00 2001 -From: m00525086 -Date: Thu, 16 Apr 2020 19:25:27 +0800 -Subject: [PATCH] sshd_config +From d3864e7b4928c949964ad5b95d1cad0734720928 Mon Sep 17 00:00:00 2001 +From: majun +Date: Mon, 19 Apr 2021 17:27:37 +0800 +Subject: [PATCH] config --- - sshd_config | 28 ++++++++++++++++++---------- - 1 file changed, 18 insertions(+), 10 deletions(-) + ssh_config | 10 ++++++++++ + sshd_config | 30 +++++++++++++++++++----------- + 2 files changed, 29 insertions(+), 11 deletions(-) +diff --git a/ssh_config b/ssh_config +index 52aae86..811fc77 100644 +--- a/ssh_config ++++ b/ssh_config +@@ -46,3 +46,13 @@ + # ProxyCommand ssh -q -W %h:%p gateway.example.com + # RekeyLimit 1G 1h + # UserKnownHostsFile ~/.ssh/known_hosts.d/%k ++Match final all ++ Include /etc/crypto-policies/back-ends/openssh.config ++ GSSAPIAuthentication yes ++ ForwardX11Trusted yes ++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE ++ SendEnv XMODIFIERS ++ ++Include /etc/ssh/ssh_config.d/*.conf diff --git a/sshd_config b/sshd_config -index b121450..e8e6299 100644 +index bd799ba..49ca5f1 100644 --- a/sshd_config +++ b/sshd_config -@@ -19,21 +19,22 @@ +@@ -15,21 +15,23 @@ #ListenAddress 0.0.0.0 #ListenAddress :: 
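Review bot: In the new ssh_config hunk, `Include /etc/ssh/ssh_config.d/*.conf` is placed last, after the `Match final all` block (a blank line does not close a Match block, so it appears to be part of it); ssh uses the first value it obtains for each option, so nothing in a drop-in file can override the GSSAPIAuthentication, ForwardX11Trusted or SendEnv values set above it, nor anything pulled in by the crypto-policies Include. If the drop-in directory is meant for administrator overrides, move the Include to the top of ssh_config, before the first Host or Match block. `ForwardX11Trusted yes` as a global default also gives every forwarded X11 client full access to the local display whenever -X is used; if the intent is only parity with the removed 05-redhat.conf, a comment saying so would help the next reader.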
@@ -33,24 +52,26 @@ index b121450..e8e6299 100644 # Authentication: #LoginGraceTime 2m --#PermitRootLogin prohibit-password + #PermitRootLogin prohibit-password +PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -@@ -60,9 +61,11 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -54,11 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys + #IgnoreRhosts yes + # To disable tunneled clear text passwords, change to no here! - #PasswordAuthentication yes - #PermitEmptyPasswords no +-#PasswordAuthentication yes +PasswordAuthentication yes + #PermitEmptyPasswords no # Change to no to disable s/key passwords - #ChallengeResponseAuthentication yes +-#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no -@@ -72,8 +75,8 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -68,8 +70,8 @@ AuthorizedKeysFile .ssh/authorized_keys #KerberosUseKuserok yes # GSSAPI options @@ -61,7 +82,7 @@ index b121450..e8e6299 100644 #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no #GSSAPIEnablek5users no -@@ -89,16 +92,16 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -85,16 +87,16 @@ AuthorizedKeysFile .ssh/authorized_keys # and ChallengeResponseAuthentication to 'no'. # WARNING: 'UsePAM no' is not supported in openEuler and may cause several # problems. @@ -72,7 +93,7 @@ index b121450..e8e6299 100644 #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no -+X11Forwarding yes ++X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes @@ -81,7 +102,7 @@ index b121450..e8e6299 100644 #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no -@@ -115,6 +118,11 @@ AuthorizedKeysFile .ssh/authorized_keys +@@ -111,8 +113,13 @@ AuthorizedKeysFile .ssh/authorized_keys # no default banner path #Banner none 
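Review bot: With `PermitRootLogin yes` carried over from the previous version of the patch and `#PasswordAuthentication yes` now replaced by an explicit `PasswordAuthentication yes`, the shipped sshd_config accepts password logins for root by default, the configuration most exposed to credential guessing on an Internet-facing host; the upstream default `#PermitRootLogin prohibit-password`, still visible as context, keeps key-based root access working. The changes to `X11Forwarding no` and `ChallengeResponseAuthentication no` go in the right direction. If the distribution deliberately keeps password root login, a comment above the line stating that policy, or a changelog mention, would stop it from reading as an oversight.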
@@ -91,14 +112,16 @@ index b121450..e8e6299 100644 +AcceptEnv XMODIFIERS + # override default of no subsystems - Subsystem sftp /usr/libexec/sftp-server - -@@ -129,4 +137,4 @@ Subsystem sftp /usr/libexec/sftp-server +-Subsystem sftp /usr/libexec/sftp-server ++Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH - # To modify the system-wide ssh configuration, create a *.conf file under - # /etc/ssh/sshd_config.d/ which will be automatically included below --Include /etc/ssh/sshd_config.d/*.conf -+#Include /etc/ssh/sshd_config.d/*.conf + # Example of overriding settings on a per-user basis + #Match User anoncvs +@@ -120,3 +127,4 @@ Subsystem sftp /usr/libexec/sftp-server + # AllowTcpForwarding no + # PermitTTY no + # ForceCommand cvs server ++ -- -2.19.1 +1.8.3.1 diff --git a/ssh-agent.service b/ssh-agent.service new file mode 100644 index 0000000000000000000000000000000000000000..c2150227fb5b25343f853eb3ee907e58f488b397 --- /dev/null +++ b/ssh-agent.service @@ -0,0 +1,14 @@ +# Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket" +# set in environment, handled for example in plasma via +# /etc/xdg/plasma-workspace/env/ssh-agent.sh +[Unit] +ConditionEnvironment=!SSH_AGENT_PID +Description=OpenSSH key agent +Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1) + +[Service] +Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket +ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK +PassEnvironment=SSH_AGENT_PID +SuccessExitStatus=2 +Type=forking diff --git a/upstream-expose-vasnmprintf.patch b/upstream-expose-vasnmprintf.patch deleted file mode 100644 index 002bb1159d44dab04af1ee6e2c565ebb46fc4d8b..0000000000000000000000000000000000000000 --- a/upstream-expose-vasnmprintf.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 31909696c4620c431dd55f6cd15db65c4e9b98da Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" -Date: Fri, 1 May 2020 06:28:52 +0000 -Subject: [PATCH] upstream: expose vasnmprintf(); ok (as part of other commit) - markus - -deraadt - -OpenBSD-Commit-ID: 2e80cea441c599631a870fd40307d2ade5a7f9b5 ---- - utf8.c | 5 ++--- - utf8.h | 3 ++- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/utf8.c b/utf8.c -index f83401996..7f63b25ae 100644 ---- a/utf8.c -+++ b/utf8.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: utf8.c,v 1.8 2018/08/21 13:56:27 schwarze Exp $ */ -+/* $OpenBSD: utf8.c,v 1.11 2020/05/01 06:28:52 djm Exp $ */ - /* - * Copyright (c) 2016 Ingo Schwarze - * -@@ -43,7 +43,6 @@ - - static int dangerous_locale(void); - static int grow_dst(char **, size_t *, size_t, char **, size_t); --static int vasnmprintf(char **, size_t, int *, const char *, va_list); - - - /* -@@ -101,7 +100,7 @@ grow_dst(char **dst, size_t *sz, size_t maxsz, char **dp, size_t need) - * written is returned in *wp. - */ - --static int -+int - vasnmprintf(char **str, size_t maxsz, int *wp, const char *fmt, va_list ap) - { - char *src; /* Source string returned from vasprintf. */ -diff --git a/utf8.h b/utf8.h -index 20a11dc59..9d6d9a32c 100644 ---- a/utf8.h -+++ b/utf8.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: utf8.h,v 1.1 2016/05/25 23:48:45 schwarze Exp $ */ -+/* $OpenBSD: utf8.h,v 1.3 2020/05/01 06:28:52 djm Exp $ */ - /* - * Copyright (c) 2016 Ingo Schwarze - * -@@ -15,6 +15,7 @@ - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -+int vasnmprintf(char **, size_t, int *, const char *, va_list); - int mprintf(const char *, ...) - __attribute__((format(printf, 1, 2))); - int fmprintf(FILE *, const char *, ...)