update openssh version to 9.6p1

This commit is contained in:
yangl777 2024-12-09 06:17:22 +00:00
parent 7bf431dcb1
commit d38f4b68ea
32 changed files with 1671 additions and 2541 deletions


@ -1,220 +0,0 @@
Conflict:NA
Reference:https://github.com/openssh/openssh-portable/pull/258/files
---
readconf.c | 11 ++++++++++-
readconf.h | 2 ++
scp.1 | 1 +
sftp.1 | 1 +
ssh.1 | 1 +
ssh_config | 1 +
ssh_config.5 | 7 +++++++
sshconnect2.c | 13 ++++++++++++-
8 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/readconf.c b/readconf.c
index d25f983..45c1c22 100644
--- a/readconf.c
+++ b/readconf.c
@@ -157,7 +157,7 @@ typedef enum {
oLogFacility, oLogLevel, oLogVerbose, oCiphers, oMacs,
oPubkeyAuthentication,
oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
- oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+ oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oDisableTrivialAuth,
oHostKeyAlgorithms, oBindAddress, oBindInterface, oPKCS11Provider,
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -250,6 +250,7 @@ static struct {
{ "pubkeyauthentication", oPubkeyAuthentication },
{ "dsaauthentication", oPubkeyAuthentication }, /* alias */
{ "hostbasedauthentication", oHostbasedAuthentication },
+ { "disabletrivialauth", oDisableTrivialAuth},
{ "identityfile", oIdentityFile },
{ "identityfile2", oIdentityFile }, /* obsolete */
{ "identitiesonly", oIdentitiesOnly },
@@ -1124,6 +1125,10 @@ parse_time:
intptr = &options->hostbased_authentication;
goto parse_flag;
+ case oDisableTrivialAuth:
+ intptr = &options->disable_trivial_auth;
+ goto parse_flag;
+
case oGssAuthentication:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2392,6 +2397,7 @@ initialize_options(Options * options)
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
options->hostbased_authentication = -1;
+ options->disable_trivial_auth = -1;
options->batch_mode = -1;
options->check_host_ip = -1;
options->strict_host_key_checking = -1;
@@ -2562,6 +2568,8 @@ fill_default_options(Options * options)
options->kbd_interactive_authentication = 1;
if (options->hostbased_authentication == -1)
options->hostbased_authentication = 0;
+ if (options->disable_trivial_auth == -1)
+ options->disable_trivial_auth = 0;
if (options->batch_mode == -1)
options->batch_mode = 0;
if (options->check_host_ip == -1)
@@ -3362,6 +3370,7 @@ dump_client_config(Options *o, const char *host)
#endif /* GSSAPI */
dump_cfg_fmtint(oHashKnownHosts, o->hash_known_hosts);
dump_cfg_fmtint(oHostbasedAuthentication, o->hostbased_authentication);
+ dump_cfg_fmtint(oDisableTrivialAuth, o->disable_trivial_auth);
dump_cfg_fmtint(oIdentitiesOnly, o->identities_only);
dump_cfg_fmtint(oKbdInteractiveAuthentication, o->kbd_interactive_authentication);
dump_cfg_fmtint(oNoHostAuthenticationForLocalhost, o->no_host_authentication_for_localhost);
diff --git a/readconf.h b/readconf.h
index 00895ad..b391bd6 100644
--- a/readconf.h
+++ b/readconf.h
@@ -38,6 +38,8 @@ typedef struct {
struct ForwardOptions fwd_opts; /* forwarding options */
int pubkey_authentication; /* Try ssh2 pubkey authentication. */
int hostbased_authentication; /* ssh2's rhosts_rsa */
+
+ int disable_trivial_auth; /* disable trivial authentications */
int gss_authentication; /* Try GSS authentication */
int gss_keyex; /* Try GSS key exchange */
int gss_deleg_creds; /* Delegate GSS credentials */
diff --git a/scp.1 b/scp.1
index 874c5c2..e1f8191 100644
--- a/scp.1
+++ b/scp.1
@@ -187,6 +187,7 @@ For full details of the options listed below, and their possible values, see
.It Host
.It HostbasedAcceptedAlgorithms
.It HostbasedAuthentication
+.It DisableTrivialAuth
.It HostKeyAlgorithms
.It HostKeyAlias
.It Hostname
diff --git a/sftp.1 b/sftp.1
index 7eebeea..89b6773 100644
--- a/sftp.1
+++ b/sftp.1
@@ -247,6 +247,7 @@ For full details of the options listed below, and their possible values, see
.It Host
.It HostbasedAcceptedAlgorithms
.It HostbasedAuthentication
+.It DisableTrivialAuth
.It HostKeyAlgorithms
.It HostKeyAlias
.It Hostname
diff --git a/ssh.1 b/ssh.1
index 975ab39..1cb8d5c 100644
--- a/ssh.1
+++ b/ssh.1
@@ -541,6 +541,7 @@ For full details of the options listed below, and their possible values, see
.It Host
.It HostbasedAcceptedAlgorithms
.It HostbasedAuthentication
+.It DisableTrivialAuth
.It HostKeyAlgorithms
.It HostKeyAlias
.It Hostname
diff --git a/ssh_config b/ssh_config
index b3a4922..169f30c 100644
--- a/ssh_config
+++ b/ssh_config
@@ -22,6 +22,7 @@
# ForwardX11 no
# PasswordAuthentication yes
# HostbasedAuthentication no
+# DisableTrivialAuth no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
diff --git a/ssh_config.5 b/ssh_config.5
index 6735401..fd82e05 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -955,6 +955,13 @@ The argument must be
or
.Cm no
(the default).
+.It Cm DisableTrivialAuth
+Disables trivial or incomplete authentications.
+The argument must be
+.Cm yes
+or
+.Cm no
+(the default).
.It Cm HostKeyAlgorithms
Specifies the host key signature algorithms
that the client wants to use in order of preference.
diff --git a/sshconnect2.c b/sshconnect2.c
index e90eb89..150d419 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -403,6 +403,7 @@ struct identity {
TAILQ_HEAD(idlist, identity);
struct cauthctxt {
+ int is_trivial_auth;
const char *server_user;
const char *local_user;
const char *host;
@@ -531,6 +532,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
/* setup authentication context */
memset(&authctxt, 0, sizeof(authctxt));
authctxt.server_user = server_user;
+ authctxt.is_trivial_auth = 1;
authctxt.local_user = local_user;
authctxt.host = host;
authctxt.service = "ssh-connection"; /* service name */
@@ -570,6 +572,10 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
+ if (authctxt.is_trivial_auth == 1 && options.disable_trivial_auth == 1) {
+ fatal("Trivial authentication disabled.");
+ }
+ debug("Authentication succeeded (%s).", authctxt.method->name);
if (ssh_packet_connection_is_on_socket(ssh)) {
verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
@@ -968,6 +974,7 @@ process_gssapi_token(struct ssh *ssh, gss_buffer_t recv_tok)
fatal_fr(r, "send %u packet", type);
gss_release_buffer(&ms, &send_tok);
+ authctxt->is_trivial_auth = 0;
}
if (status == GSS_S_COMPLETE) {
@@ -1213,6 +1220,7 @@ static int
userauth_passwd(struct ssh *ssh)
{
Authctxt *authctxt = (Authctxt *)ssh->authctxt;
+ authctxt->is_trivial_auth = 0;
char *password, *prompt = NULL;
const char *host = options.host_key_alias ? options.host_key_alias :
authctxt->host;
@@ -2023,8 +2031,10 @@ userauth_pubkey(struct ssh *ssh)
id->isprivate = 0;
}
}
- if (sent)
+ if (sent) {
+ authctxt->is_trivial_auth = 0;
return (sent);
+ }
}
return (0);
}
@@ -2105,6 +2115,7 @@ input_userauth_info_req(int type, u_int32_t seq, struct ssh *ssh)
debug2_f("num_prompts %d", num_prompts);
for (i = 0; i < num_prompts; i++) {
+ authctxt->is_trivial_auth = 0;
if ((r = sshpkt_get_cstring(ssh, &prompt, NULL)) != 0 ||
(r = sshpkt_get_u8(ssh, &echo)) != 0)
goto out;
--
2.27.0


@ -1,499 +0,0 @@
From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 18 Dec 2023 14:45:17 +0000
Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
Reference:https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
---
PROTOCOL | 28 +++++++++++++-
kex.c | 84 ++++++++++++++++++++++++++--------------
kex.h | 3 +-
packet.c | 103 +++++++++++++++++++++++++++++---------------------
packet.h | 3 +-
sshconnect2.c | 12 ++----
6 files changed, 148 insertions(+), 85 deletions(-)
diff --git a/PROTOCOL b/PROTOCOL
index d453c779b..ded935eb6 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -137,6 +137,32 @@ than as a named global or channel request to allow pings with very
This is identical to curve25519-sha256 as later published in RFC8731.
+1.9 transport: strict key exchange extension
+
+OpenSSH supports a number of transport-layer hardening measures under
+a "strict KEX" feature. This feature is signalled similarly to the
+RFC8308 ext-info feature: by including a additional algorithm in the
+initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
+"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
+may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
+are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
+if they are present in subsequent SSH2_MSG_KEXINIT packets.
+
+When an endpoint that supports this extension observes this algorithm
+name in a peer's KEXINIT packet, it MUST make the following changes to
+the the protocol:
+
+a) During initial KEX, terminate the connection if any unexpected or
+ out-of-sequence packet is received. This includes terminating the
+ connection if the first packet received is not SSH2_MSG_KEXINIT.
+ Unexpected packets for the purpose of strict KEX include messages
+ that are otherwise valid at any time during the connection such as
+ SSH2_MSG_DEBUG and SSH2_MSG_IGNORE.
+b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the
+ packet sequence number to zero. This behaviour persists for the
+ duration of the connection (i.e. not just the first
+ SSH2_MSG_NEWKEYS).
+
2. Connection protocol changes
2.1. connection: Channel write close extension "eow@openssh.com"
@@ -745,4 +771,4 @@ master instance and later clients.
OpenSSH extends the usual agent protocol. These changes are documented
in the PROTOCOL.agent file.
-$OpenBSD: PROTOCOL,v 1.48 2022/11/07 01:53:01 dtucker Exp $
+$OpenBSD: PROTOCOL,v 1.50 2023/12/18 14:45:17 djm Exp $
diff --git a/kex.c b/kex.c
index aa5e792dd..d478ff6e7 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */
+/* $OpenBSD: kex.c,v 1.183 2023/12/18 14:45:17 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -65,7 +65,7 @@
#endif
/* prototype */
-static int kex_choose_conf(struct ssh *);
+static int kex_choose_conf(struct ssh *, uint32_t seq);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
static const char * const proposal_names[PROPOSAL_MAX] = {
@@ -177,6 +177,18 @@ kex_names_valid(const char *names)
return 1;
}
+/* returns non-zero if proposal contains any algorithm from algs */
+static int
+has_any_alg(const char *proposal, const char *algs)
+{
+ char *cp;
+
+ if ((cp = match_list(proposal, algs, NULL)) == NULL)
+ return 0;
+ free(cp);
+ return 1;
+}
+
/*
* Concatenate algorithm names, avoiding duplicates in the process.
* Caller must free returned string.
@@ -184,7 +196,7 @@ kex_names_valid(const char *names)
char *
kex_names_cat(const char *a, const char *b)
{
- char *ret = NULL, *tmp = NULL, *cp, *p, *m;
+ char *ret = NULL, *tmp = NULL, *cp, *p;
size_t len;
if (a == NULL || *a == '\0')
@@ -201,10 +213,8 @@ kex_names_cat(const char *a, const char *b)
}
strlcpy(ret, a, len);
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
- if ((m = match_list(ret, p, NULL)) != NULL) {
- free(m);
+ if (has_any_alg(ret, p))
continue; /* Algorithm already present */
- }
if (strlcat(ret, ",", len) >= len ||
strlcat(ret, p, len) >= len) {
free(tmp);
@@ -334,15 +344,23 @@ kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX],
const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT };
const char **defprop = ssh->kex->server ? defpropserver : defpropclient;
u_int i;
+ char *cp;
if (prop == NULL)
fatal_f("proposal missing");
+ /* Append EXT_INFO signalling to KexAlgorithms */
+ if (kexalgos == NULL)
+ kexalgos = defprop[PROPOSAL_KEX_ALGS];
+ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
+ "kex-strict-s-v00@openssh.com" :
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
+ fatal_f("kex_names_cat");
+
for (i = 0; i < PROPOSAL_MAX; i++) {
switch(i) {
case PROPOSAL_KEX_ALGS:
- prop[i] = compat_kex_proposal(ssh,
- kexalgos ? kexalgos : defprop[i]);
+ prop[i] = compat_kex_proposal(ssh, cp);
break;
case PROPOSAL_ENC_ALGS_CTOS:
case PROPOSAL_ENC_ALGS_STOC:
@@ -363,6 +381,7 @@ kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX],
prop[i] = xstrdup(defprop[i]);
}
}
+ free(cp);
}
void
@@ -466,7 +485,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
{
int r;
- error("kex protocol error: type %d seq %u", type, seq);
+ /* If in strict mode, any unexpected message is an error */
+ if ((ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict) {
+ ssh_packet_disconnect(ssh, "strict KEX violation: "
+ "unexpected packet type %u (seqnr %u)", type, seq);
+ }
+ error_f("type %u seq %u", type, seq);
if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
(r = sshpkt_put_u32(ssh, seq)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
@@ -563,7 +587,7 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
if (ninfo >= 1024) {
error("SSH2_MSG_EXT_INFO with too many entries, expected "
"<=1024, received %u", ninfo);
- return SSH_ERR_INVALID_FORMAT;
+ return dispatch_protocol_error(type, seq, ssh);
}
for (i = 0; i < ninfo; i++) {
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
@@ -681,7 +705,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
error_f("no kex");
return SSH_ERR_INTERNAL_ERROR;
}
- ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_protocol_error);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
@@ -717,7 +741,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
if (!(kex->flags & KEX_INIT_SENT))
if ((r = kex_send_kexinit(ssh)) != 0)
return r;
- if ((r = kex_choose_conf(ssh)) != 0)
+ if ((r = kex_choose_conf(ssh, seq)) != 0)
return r;
if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
@@ -981,20 +1005,14 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
return (1);
}
-/* returns non-zero if proposal contains any algorithm from algs */
static int
-has_any_alg(const char *proposal, const char *algs)
+kexalgs_contains(char **peer, const char *ext)
{
- char *cp;
-
- if ((cp = match_list(proposal, algs, NULL)) == NULL)
- return 0;
- free(cp);
- return 1;
+ return has_any_alg(peer[PROPOSAL_KEX_ALGS], ext);
}
static int
-kex_choose_conf(struct ssh *ssh)
+kex_choose_conf(struct ssh *ssh, uint32_t seq)
{
struct kex *kex = ssh->kex;
struct newkeys *newkeys;
@@ -1019,13 +1037,23 @@ kex_choose_conf(struct ssh *ssh)
sprop=peer;
}
- /* Check whether client supports ext_info_c */
- if (kex->server && (kex->flags & KEX_INITIAL)) {
- char *ext;
-
- ext = match_list("ext-info-c", peer[PROPOSAL_KEX_ALGS], NULL);
- kex->ext_info_c = (ext != NULL);
- free(ext);
+ /* Check whether peer supports ext_info/kex_strict */
+ if ((kex->flags & KEX_INITIAL) != 0) {
+ if (kex->server) {
+ kex->ext_info_c = kexalgs_contains(peer, "ext-info-c");
+ kex->kex_strict = kexalgs_contains(peer,
+ "kex-strict-c-v00@openssh.com");
+ } else {
+ kex->kex_strict = kexalgs_contains(peer,
+ "kex-strict-s-v00@openssh.com");
+ }
+ if (kex->kex_strict) {
+ debug3_f("will use strict KEX ordering");
+ if (seq != 0)
+ ssh_packet_disconnect(ssh,
+ "strict KEX violation: "
+ "KEXINIT was not the first packet");
+ }
}
/* Check whether client supports rsa-sha2 algorithms */
diff --git a/kex.h b/kex.h
index 5f7ef784e..272ebb43d 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.118 2023/03/06 12:14:48 dtucker Exp $ */
+/* $OpenBSD: kex.h,v 1.120 2023/12/18 14:45:17 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -149,6 +149,7 @@ struct kex {
u_int kex_type;
char *server_sig_algs;
int ext_info_c;
+ int kex_strict;
struct sshbuf *my;
struct sshbuf *peer;
struct sshbuf *client_version;
diff --git a/packet.c b/packet.c
index 52017defb..beb214f99 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.309 2023/03/03 10:23:42 dtucker Exp $ */
+/* $OpenBSD: packet.c,v 1.313 2023/12/18 14:45:17 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1207,8 +1207,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
sshbuf_dump(state->output, stderr);
#endif
/* increment sequence number for outgoing packets */
- if (++state->p_send.seqnr == 0)
+ if (++state->p_send.seqnr == 0) {
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
+ ssh_packet_disconnect(ssh, "outgoing sequence number "
+ "wrapped during initial key exchange");
+ }
logit("outgoing seqnr wraps around");
+ }
if (++state->p_send.packets == 0)
if (!(ssh->compat & SSH_BUG_NOREKEY))
return SSH_ERR_NEED_REKEY;
@@ -1216,6 +1221,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
state->p_send.bytes += len;
sshbuf_reset(state->outgoing_packet);
+ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
+ debug_f("resetting send seqnr %u", state->p_send.seqnr);
+ state->p_send.seqnr = 0;
+ }
+
if (type == SSH2_MSG_NEWKEYS)
r = ssh_set_newkeys(ssh, MODE_OUT);
else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
@@ -1344,8 +1354,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
/* Stay in the loop until we have received a complete packet. */
for (;;) {
/* Try to read a packet from the buffer. */
- r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);
- if (r != 0)
+ if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)
break;
/* If we got a packet, return it. */
if (*typep != SSH_MSG_NONE)
@@ -1629,10 +1615,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
goto out;
}
+
if (seqnr_p != NULL)
*seqnr_p = state->p_read.seqnr;
- if (++state->p_read.seqnr == 0)
+ if (++state->p_read.seqnr == 0) {
+ if ((ssh->kex->flags & KEX_INITIAL) != 0) {
+ ssh_packet_disconnect(ssh, "incoming sequence number "
+ "wrapped during initial key exchange");
+ }
logit("incoming seqnr wraps around");
+ }
if (++state->p_read.packets == 0)
if (!(ssh->compat & SSH_BUG_NOREKEY))
return SSH_ERR_NEED_REKEY;
@@ -1698,6 +1690,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
#endif
/* reset for next packet */
state->packlen = 0;
+ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
+ debug_f("resetting read seqnr %u", state->p_read.seqnr);
+ state->p_read.seqnr = 0;
+ }
if ((r = ssh_packet_check_rekey(ssh)) != 0)
return r;
@@ -1720,10 +1716,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
if (r != 0)
return r;
- if (*typep) {
- state->keep_alive_timeouts = 0;
- DBG(debug("received packet type %d", *typep));
+ if (*typep == 0) {
+ /* no message ready */
+ return 0;
}
+ state->keep_alive_timeouts = 0;
+ DBG(debug("received packet type %d", *typep));
+
+ /* Always process disconnect messages */
+ if (*typep == SSH2_MSG_DISCONNECT) {
+ if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
+ (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
+ return r;
+ /* Ignore normal client exit notifications */
+ do_log2(ssh->state->server_side &&
+ reason == SSH2_DISCONNECT_BY_APPLICATION ?
+ SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
+ "Received disconnect from %s port %d:"
+ "%u: %.400s", ssh_remote_ipaddr(ssh),
+ ssh_remote_port(ssh), reason, msg);
+ free(msg);
+ return SSH_ERR_DISCONNECTED;
+ }
+
+ /*
+ * Do not implicitly handle any messages here during initial
+ * KEX when in strict mode. They will be need to be allowed
+ * explicitly by the KEX dispatch table or they will generate
+ * protocol errors.
+ */
+ if (ssh->kex != NULL &&
+ (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)
+ return 0;
+ /* Implicitly handle transport-level messages */
switch (*typep) {
case SSH2_MSG_IGNORE:
debug3("Received SSH2_MSG_IGNORE");
@@ -1738,19 +1763,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
debug("Remote: %.900s", msg);
free(msg);
break;
- case SSH2_MSG_DISCONNECT:
- if ((r = sshpkt_get_u32(ssh, &reason)) != 0 ||
- (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)
- return r;
- /* Ignore normal client exit notifications */
- do_log2(ssh->state->server_side &&
- reason == SSH2_DISCONNECT_BY_APPLICATION ?
- SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,
- "Received disconnect from %s port %d:"
- "%u: %.400s", ssh_remote_ipaddr(ssh),
- ssh_remote_port(ssh), reason, msg);
- free(msg);
- return SSH_ERR_DISCONNECTED;
case SSH2_MSG_UNIMPLEMENTED:
if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
return r;
@@ -2242,6 +2254,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex)
(r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
(r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
(r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
+ (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 ||
(r = sshbuf_put_stringb(m, kex->my)) != 0 ||
(r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
(r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
@@ -2404,6 +2417,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
(r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
+ (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 ||
(r = sshbuf_get_stringb(m, kex->my)) != 0 ||
(r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
(r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
@@ -2732,6 +2746,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
+ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf);
if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
(r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
(r = sshpkt_put_cstring(ssh, buf)) != 0 ||
diff --git a/packet.h b/packet.h
index 11925a27d..b2bc3215d 100644
--- a/packet.h
+++ b/packet.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.h,v 1.94 2022/01/22 00:49:34 djm Exp $ */
+/* $OpenBSD: packet.h,v 1.96 2023/12/18 14:45:17 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/sshconnect2.c b/sshconnect2.c
index df6caf817..0cccbcc43 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.366 2023/03/09 07:11:05 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.370 2023/12/18 14:45:17 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -358,7 +358,6 @@ struct cauthmethod {
};
static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
-static int input_userauth_ext_info(int, u_int32_t, struct ssh *);
static int input_userauth_success(int, u_int32_t, struct ssh *);
static int input_userauth_failure(int, u_int32_t, struct ssh *);
static int input_userauth_banner(int, u_int32_t, struct ssh *);
@@ -472,7 +471,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
ssh->authctxt = &authctxt;
ssh_dispatch_init(ssh, &input_userauth_error);
- ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &input_userauth_ext_info);
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, kex_input_ext_info);
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
pubkey_cleanup(ssh);
@@ -531,12 +530,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
return r;
}
-static int
-input_userauth_ext_info(int type, u_int32_t seqnr, struct ssh *ssh)
-{
- return kex_input_ext_info(type, seqnr, ssh);
-}
-
void
userauth(struct ssh *ssh, char *authlist)
{
@@ -615,6 +608,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
free(authctxt->methoddata);
authctxt->methoddata = NULL;
authctxt->success = 1; /* break out */
+ ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, dispatch_protocol_error);
return 0;
}
--
2.23.0


@ -1,174 +0,0 @@
From 881d9c6af9da4257c69c327c4e2f1508b2fa754b Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 18 Dec 2023 14:46:12 +0000
Subject: [PATCH] upstream: apply destination constraints to all p11 keys
Previously applied only to the first key returned from each token.
ok markus@
OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
Reference:https://github.com/openssh/openssh-portable/commit/881d9c6af9da4257c69c327c4e2f1508b2fa754b
---
ssh-agent.c | 105 +++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 100 insertions(+), 5 deletions(-)
diff --git a/ssh-agent.c b/ssh-agent.c
index f52861163..1d4c321eb 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.297 2023/03/09 21:06:24 jcs Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.301 2023/12/18 14:46:12 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -247,6 +247,91 @@ free_dest_constraints(struct dest_constraint *dcs, size_t ndcs)
free(dcs);
}
+static void
+dup_dest_constraint_hop(const struct dest_constraint_hop *dch,
+ struct dest_constraint_hop *out)
+{
+ u_int i;
+ int r;
+
+ out->user = dch->user == NULL ? NULL : xstrdup(dch->user);
+ out->hostname = dch->hostname == NULL ? NULL : xstrdup(dch->hostname);
+ out->is_ca = dch->is_ca;
+ out->nkeys = dch->nkeys;
+ out->keys = out->nkeys == 0 ? NULL :
+ xcalloc(out->nkeys, sizeof(*out->keys));
+ out->key_is_ca = out->nkeys == 0 ? NULL :
+ xcalloc(out->nkeys, sizeof(*out->key_is_ca));
+ for (i = 0; i < dch->nkeys; i++) {
+ if (dch->keys[i] != NULL &&
+ (r = sshkey_from_private(dch->keys[i],
+ &(out->keys[i]))) != 0)
+ fatal_fr(r, "copy key");
+ out->key_is_ca[i] = dch->key_is_ca[i];
+ }
+}
+
+static struct dest_constraint *
+dup_dest_constraints(const struct dest_constraint *dcs, size_t ndcs)
+{
+ size_t i;
+ struct dest_constraint *ret;
+
+ if (ndcs == 0)
+ return NULL;
+ ret = xcalloc(ndcs, sizeof(*ret));
+ for (i = 0; i < ndcs; i++) {
+ dup_dest_constraint_hop(&dcs[i].from, &ret[i].from);
+ dup_dest_constraint_hop(&dcs[i].to, &ret[i].to);
+ }
+ return ret;
+}
+
+#ifdef DEBUG_CONSTRAINTS
+static void
+dump_dest_constraint_hop(const struct dest_constraint_hop *dch)
+{
+ u_int i;
+ char *fp;
+
+ debug_f("user %s hostname %s is_ca %d nkeys %u",
+ dch->user == NULL ? "(null)" : dch->user,
+ dch->hostname == NULL ? "(null)" : dch->hostname,
+ dch->is_ca, dch->nkeys);
+ for (i = 0; i < dch->nkeys; i++) {
+ fp = NULL;
+ if (dch->keys[i] != NULL &&
+ (fp = sshkey_fingerprint(dch->keys[i],
+ SSH_FP_HASH_DEFAULT, SSH_FP_DEFAULT)) == NULL)
+ fatal_f("fingerprint failed");
+ debug_f("key %u/%u: %s%s%s key_is_ca %d", i, dch->nkeys,
+ dch->keys[i] == NULL ? "" : sshkey_ssh_name(dch->keys[i]),
+ dch->keys[i] == NULL ? "" : " ",
+ dch->keys[i] == NULL ? "none" : fp,
+ dch->key_is_ca[i]);
+ free(fp);
+ }
+}
+#endif /* DEBUG_CONSTRAINTS */
+
+static void
+dump_dest_constraints(const char *context,
+ const struct dest_constraint *dcs, size_t ndcs)
+{
+#ifdef DEBUG_CONSTRAINTS
+ size_t i;
+
+ debug_f("%s: %zu constraints", context, ndcs);
+ for (i = 0; i < ndcs; i++) {
+ debug_f("constraint %zu / %zu: from: ", i, ndcs);
+ dump_dest_constraint_hop(&dcs[i].from);
+ debug_f("constraint %zu / %zu: to: ", i, ndcs);
+ dump_dest_constraint_hop(&dcs[i].to);
+ }
+ debug_f("done for %s", context);
+#endif /* DEBUG_CONSTRAINTS */
+}
+
static void
free_identity(Identity *id)
{
@@ -518,13 +603,22 @@ process_request_identities(SocketEntry *e)
Identity *id;
struct sshbuf *msg, *keys;
int r;
- u_int nentries = 0;
+ u_int i = 0, nentries = 0;
+ char *fp;
debug2_f("entering");
if ((msg = sshbuf_new()) == NULL || (keys = sshbuf_new()) == NULL)
fatal_f("sshbuf_new failed");
TAILQ_FOREACH(id, &idtab->idlist, next) {
+ if ((fp = sshkey_fingerprint(id->key, SSH_FP_HASH_DEFAULT,
+ SSH_FP_DEFAULT)) == NULL)
+ fatal_f("fingerprint failed");
+ debug_f("key %u / %u: %s %s", i++, idtab->nentries,
+ sshkey_ssh_name(id->key), fp);
+ dump_dest_constraints(__func__,
+ id->dest_constraints, id->ndest_constraints);
+ free(fp);
/* identity not visible, don't include in response */
if (identity_permitted(id, e, NULL, NULL, NULL) != 0)
continue;
@@ -1224,6 +1318,7 @@ process_add_identity(SocketEntry *e)
sshbuf_reset(e->request);
goto out;
}
+ dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
if (sk_provider != NULL) {
if (!sshkey_is_sk(k)) {
@@ -1403,6 +1498,7 @@ process_add_smartcard_key(SocketEntry *e)
error_f("failed to parse constraints");
goto send;
}
+ dump_dest_constraints(__func__, dest_constraints, ndest_constraints);
if (e->nsession_ids != 0 && !remote_add_provider) {
verbose("failed PKCS#11 add of \"%.100s\": remote addition of "
"providers is disabled", provider);
@@ -1438,10 +1534,9 @@ process_add_smartcard_key(SocketEntry *e)
}
id->death = death;
id->confirm = confirm;
- id->dest_constraints = dest_constraints;
+ id->dest_constraints = dup_dest_constraints(
+ dest_constraints, ndest_constraints);
id->ndest_constraints = ndest_constraints;
- dest_constraints = NULL; /* transferred */
- ndest_constraints = 0;
TAILQ_INSERT_TAIL(&idtab->idlist, id, next);
idtab->nentries++;
success = 1;
--
2.33.0


@ -1,100 +0,0 @@
From 7ef3787c84b6b524501211b11a26c742f829af1a Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 18 Dec 2023 14:47:44 +0000
Subject: [PATCH] upstream: ban user/hostnames with most shell metacharacters
This makes ssh(1) refuse user or host names provided on the
commandline that contain most shell metacharacters.
Some programs that invoke ssh(1) using untrusted data do not filter
metacharacters in arguments they supply. This could create
interactions with user-specified ProxyCommand and other directives
that allow shell injection attacks to occur.
It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
but getting this stuff right can be tricky, so this should prevent
most obvious ways of creating risky situations. It however is not
and cannot be perfect: ssh(1) has no practical way of interpreting
what shell quoting rules are in use and how they interact with the
user's specified ProxyCommand.
To allow configurations that use strange user or hostnames to
continue to work, this strictness is applied only to names coming
from the commandline. Names specified using User or Hostname
directives in ssh_config(5) are not affected.
feedback/ok millert@ markus@ dtucker@ deraadt@
OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
Reference:https://anongit.mindrot.org/openssh.git/commit?id=7ef3787c84b6b524501211b11a26c742f829af1a
---
ssh.c | 41 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/ssh.c b/ssh.c
index 35c48e62d..48d93ddf2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.585 2023/02/10 04:40:28 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -626,6 +626,41 @@ ssh_conn_info_free(struct ssh_conn_info *cinfo)
free(cinfo);
}
+static int
+valid_hostname(const char *s)
+{
+ size_t i;
+
+ if (*s == '-')
+ return 0;
+ for (i = 0; s[i] != 0; i++) {
+ if (strchr("'`\"$\\;&<>|(){}", s[i]) != NULL ||
+ isspace((u_char)s[i]) || iscntrl((u_char)s[i]))
+ return 0;
+ }
+ return 1;
+}
+
+static int
+valid_ruser(const char *s)
+{
+ size_t i;
+
+ if (*s == '-')
+ return 0;
+ for (i = 0; s[i] != 0; i++) {
+ if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ return 0;
+ /* Disallow '-' after whitespace */
+ if (isspace((u_char)s[i]) && s[i + 1] == '-')
+ return 0;
+ /* Disallow \ in last position */
+ if (s[i] == '\\' && s[i + 1] == '\0')
+ return 0;
+ }
+ return 1;
+}
+
/*
* Main program for the ssh client.
*/
@@ -1118,6 +1153,10 @@ main(int ac, char **av)
if (!host)
usage();
+ if (!valid_hostname(host))
+ fatal("hostname contains invalid characters");
+ if (options.user != NULL && !valid_ruser(options.user))
+ fatal("remote username contains invalid characters");
options.host_arg = xstrdup(host);
/* Initialize the command to execute on remote host. */
--
2.23.0


@ -1,33 +0,0 @@
diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c
--- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100
+++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-6.6p1-keyperm.patch
Conflict:NA
@@ -31,6 +31,7 @@
#include <errno.h>
#include <fcntl.h>
+#include <grp.h>
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen
#ifdef HAVE_CYGWIN
if (check_ntsec(filename))
#endif
+
if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
+ if (st.st_mode & 040) {
+ struct group *gr;
+
+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) {
+ /* The only additional bit is read
+ * for ssh_keys group, which is fine */
+ if ((st.st_mode & 077) == 040 ) {
+ return 0;
+ }
+ }
+ }
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @");
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");


@ -1,42 +0,0 @@
From 676377ce67807a24e08a54cd60ec832946cc6cae Mon Sep 17 00:00:00 2001
From: "tobhe@openbsd.org" <tobhe@openbsd.org>
Date: Mon, 13 Nov 2023 09:18:19 +0000
Subject: [PATCH] upstream: Make sure sftp_get_limits() only returns 0 if
'limits'
was initialized. This fixes a potential uninitialized use of 'limits' in
sftp_init() if sftp_get_limits() returned early because of an unexpected
message type.
ok djm@
OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c
Reference:https://github.com/openssh/openssh-portable/commit/676377ce67807a24e08a54cd60ec832946cc6cae
Conflict:2de990142(Rename do_limits to sftp_get_limits)
---
sftp-client.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sftp-client.c b/sftp-client.c
index 2598029f7..5cc8bb539 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.169 2023/03/08 04:43:12 guenther Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.175 2023/11/13 09:18:19 tobhe Exp $ */
/*
* Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
*
@@ -656,7 +656,7 @@ do_limits(struct sftp_conn *conn, struct sftp_limits *limits)
/* Disable the limits extension */
conn->exts &= ~SFTP_EXT_LIMITS;
sshbuf_free(msg);
- return 0;
+ return -1;
}
memset(limits, 0, sizeof(*limits));
--
2.33.0


@ -1,41 +0,0 @@
From c47e1c9c7911f38b2fc2fb01b1f6ae3a3121a838 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 6 Mar 2024 02:59:59 +0000
Subject: [PATCH] upstream: fix memory leak in mux proxy mode when requesting
forwarding.
found by RASU JSC, reported by Maks Mishin in GHPR#467
OpenBSD-Commit-ID: 97d96a166b1ad4b8d229864a553e3e56d3116860
Reference:https://github.com/openssh/openssh-portable/commit/c47e1c9c7911f38b2fc2fb01b1f6ae3a3121a838
Conflict:NA
---
channels.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/channels.c b/channels.c
index 6862556be..ece8d30d6 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.430 2023/03/10 03:01:51 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.437 2024/03/06 02:59:59 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3245,9 +3245,8 @@ channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
goto out;
}
/* Record that connection to this host/port is permitted. */
- permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1,
- listen_host, NULL, (int)listen_port, downstream);
- listen_host = NULL;
+ permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>",
+ -1, listen_host, NULL, (int)listen_port, downstream);
break;
case SSH2_MSG_CHANNEL_CLOSE:
if (have < 4)
--
2.33.0


@ -1,23 +1,37 @@
From a8ad7a2952111c6ce32949a775df94286550af6b Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 6 Sep 2024 02:30:44 +0000
Subject: [PATCH] upstream: make parsing user@host consistently look for the
last '@' in the string rather than the first. This makes it possible to
use usernames that contain '@' characters.
Subject: upstream: make parsing user@host consistently look for the last '@'
in
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit/a8ad7a2952111c6ce32949a775df94286550af6b
the string rather than the first. This makes it possible to use usernames
that contain '@' characters.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Prompted by Max Zettlmeißl; feedback/ok millert@
OpenBSD-Commit-ID: 0b16eec246cda15469ebdcf3b1e2479810e394c5
---
match.c | 6 +++---
ssh-add.c | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
match.c | 8 ++++----
ssh-add.c | 4 ++--
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/match.c b/match.c
index 3ac854d..b9a8225 100644
index d6af2561..3ef53693 100644
--- a/match.c
+++ b/match.c
@@ -241,17 +241,17 @@ match_user(const char *user, const char *host, const char *ipaddr,
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.c,v 1.44 2023/04/06 03:19:32 djm Exp $ */
+/* $OpenBSD: match.c,v 1.45 2024/09/06 02:30:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -241,7 +241,7 @@ match_user(const char *user, const char *host, const char *ipaddr,
/* test mode */
if (user == NULL && host == NULL && ipaddr == NULL) {
@ -26,7 +40,9 @@ index 3ac854d..b9a8225 100644
match_host_and_ip(NULL, NULL, p + 1) < 0)
return -1;
return 0;
}
@@ -250,11 +250,11 @@ match_user(const char *user, const char *host, const char *ipaddr,
if (user == NULL)
return 0; /* shouldn't happen */
- if ((p = strchr(pattern, '@')) == NULL)
+ if (strrchr(pattern, '@') == NULL)
@ -39,10 +55,16 @@ index 3ac854d..b9a8225 100644
if ((ret = match_pattern(user, pat)) == 1)
diff --git a/ssh-add.c b/ssh-add.c
index 8cba0a7..2b081d6 100644
index e532d5ce..0035cb84 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -712,7 +712,7 @@ parse_dest_constraint_hop(const char *s, struct dest_constraint_hop *dch,
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.169 2023/12/18 14:46:56 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.173 2024/09/06 02:30:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -696,7 +696,7 @@ parse_dest_constraint_hop(const char *s, struct dest_constraint_hop *dch,
memset(dch, '\0', sizeof(*dch));
os = xstrdup(s);
@ -52,5 +74,4 @@ index 8cba0a7..2b081d6 100644
else {
*host++ = '\0';
--
2.43.0
cgit v1.2.3


@ -1,39 +0,0 @@
From c52db0114826d73eff6cdbf205e9c1fa4f7ca6c6 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 20 Nov 2023 02:50:00 +0000
Subject: [PATCH] upstream: set errno=EAFNOSUPPORT when filtering addresses
that don't
match AddressFamily; yields slightly better error message if no address
matches. bz#3526
OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6
Reference:https://github.com/openssh/openssh-portable/commit/c52db0114826d73eff6cdbf205e9c1fa4f7ca6c6
Conflict:NA
---
sshconnect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshconnect.c b/sshconnect.c
index ff3d3501f..bd077c75c 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.364 2023/11/15 23:03:38 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.365 2023/11/20 02:50:00 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -485,7 +485,7 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
ai->ai_family != options.address_family) {
debug2_f("skipping address [%s]:%s: "
"wrong address family", ntop, strport);
- errno = 0;
+ errno = EAFNOSUPPORT;
continue;
}
--
2.33.0


@ -1,46 +0,0 @@
From 26f3f3bbc69196d908cad6558c8c7dc5beb8d74a Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 15 Nov 2023 23:03:38 +0000
Subject: [PATCH] upstream: when connecting via socket (the default case),
filter
addresses by AddressFamily if one was specified. Fixes the case where, if
CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok
dtucker
OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439
Reference:https://github.com/openssh/openssh-portable/commit/26f3f3bbc69196d908cad6558c8c7dc5beb8d74a
Conflict:NA
---
sshconnect.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/sshconnect.c b/sshconnect.c
index e6012f01e..ff3d3501f 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.363 2023/03/10 07:17:08 dtucker Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.364 2023/11/15 23:03:38 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -481,6 +481,14 @@ ssh_connect_direct(struct ssh *ssh, const char *host, struct addrinfo *aitop,
errno = oerrno;
continue;
}
+ if (options.address_family != AF_UNSPEC &&
+ ai->ai_family != options.address_family) {
+ debug2_f("skipping address [%s]:%s: "
+ "wrong address family", ntop, strport);
+ errno = 0;
+ continue;
+ }
+
debug("Connecting to %.200s [%.100s] port %s.",
host, ntop, strport);
--
2.33.0


@ -1,44 +0,0 @@
From aa7b21708511a6d4aed3839fc9f6e82e849dd4a1 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 13 Dec 2023 03:28:19 +0000
Subject: [PATCH] upstream: when invoking KnownHostsCommand to determine the
order of
host key algorithms to request, ensure that the hostname passed to the
command is decorated with the port number for ports other than 22.
This matches the behaviour of KnownHostsCommand when invoked to look
up the actual host key.
bz3643, ok dtucker@
OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1
Reference:https://github.com/openssh/openssh-portable/commit/aa7b21708511a6d4aed3839fc9f6e82e849dd4a1
Conflict:NA
---
sshconnect2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshconnect2.c b/sshconnect2.c
index 5831a00c6..df6caf817 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.370 2023/12/18 14:45:17 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.369 2023/12/13 03:28:19 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -140,7 +140,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port,
}
if (options.known_hosts_command != NULL) {
load_hostkeys_command(hostkeys, options.known_hosts_command,
- "ORDER", cinfo, NULL, host);
+ "ORDER", cinfo, NULL, hostname);
}
/*
* If a plain public key exists that matches the type of the best
--
2.33.0


@ -93,19 +93,17 @@ index 8f32464..18a2ca4 100644
#endif
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 22ea8ef..1fc963d 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
strlcpy(newctx + len, newname, newlen - len);
if ((cx = index(cx + 1, ':')))
strlcat(newctx, cx, newlen);
- debug3("%s: setting context from '%s' to '%s'", __func__,
+ debug_f("setting context from '%s' to '%s'",
oldctx, newctx);
--- a/openbsd-compat/port-linux.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/openbsd-compat/port-linux.c (date 1703108053912)
@@ -207,7 +207,7 @@
xasprintf(&newctx, "%.*s%s%s", (int)(cx - oldctx + 1), oldctx,
newname, cx2 == NULL ? "" : cx2);
- debug3_f("setting context from '%s' to '%s'", oldctx, newctx);
+ debug_f("setting context from '%s' to '%s'", oldctx, newctx);
if (setcon(newctx) < 0)
do_log2(log_level, "%s: setcon %s from %s failed with %s",
__func__, newctx, oldctx, strerror(errno));
do_log2_f(log_level, "setcon %s from %s failed with %s",
newctx, oldctx, strerror(errno));
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index cb51f99..8b7cda2 100644
--- a/openbsd-compat/port-linux.h
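Review bot: The rebased hunk swaps the git-style `index 22ea8ef..1fc963d 100644` / `--- a/openbsd-compat/port-linux.c` / `+++ b/openbsd-compat/port-linux.c` header for IDE-generated `--- a/openbsd-compat/port-linux.c (revision 8241b9c…)` and `+++ … (date 1703108053912)` lines, which is inconsistent with the rest of this patch series and drops the blob ids that `git apply --3way` relies on. GNU `patch -p1` ignores the trailing annotation and, as far as I recall, `git apply` falls back to the shorter name from the surviving `diff --git` line, so application should still work, but the `(revision …)`/`(date …)` decorations carry no information once the patch is committed. I would regenerate the hunk with `git diff`/`git format-patch` so the header reads `index <old>..<new> 100644`, `--- a/openbsd-compat/port-linux.c`, `+++ b/openbsd-compat/port-linux.c`; the same header style appears in the other rebased patches in this commit.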


@ -17,17 +17,6 @@ diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
return oerrno;
}
/* make sure the KRB5CCNAME is set for non-standard location */
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
return r;
}
/* success */
+ sshbuf_free(b);
return 0;
}
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
@ -42,32 +31,9 @@ diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 &&
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
default:
fatal_f("Unexpected KEX type %d", kex->kex_type);
}
- if (r != 0)
+ if (r != 0) {
+ ssh_gssapi_delete_ctx(&ctxt);
return r;
+ }
token_ptr = GSS_C_NO_BUFFER;
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
sshkey_free(key);
sshbuf_free(copy);
sshbuf_free(sect);
+ /* coverity[leaked_storage : FALSE] */
return r;
}
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
@ -164,23 +130,6 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
return (0);
error:
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error_f("cannot allocate fds for pty");
- if (tmp1 > 0)
+ if (tmp1 >= 0)
close(tmp1);
- if (tmp2 > 0)
- close(tmp2);
+ /*DEAD CODE if (tmp2 >= 0)
+ close(tmp2);*/
return 0;
}
close(tmp1);
diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/openbsd-compat/bindresvport.c
--- openssh-7.4p1/openbsd-compat/bindresvport.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/openbsd-compat/bindresvport.c 2016-12-23 16:40:26.901788691 +0100
@ -234,23 +183,6 @@ diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
goto out;
}
free(arg2);
diff -up openssh-8.7p1/scp.c.coverity openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.coverity 2021-08-30 16:23:35.389741329 +0200
+++ openssh-8.7p1/scp.c 2021-08-30 16:27:04.854555296 +0200
@@ -186,11 +186,11 @@ killchild(int signo)
{
if (do_cmd_pid > 1) {
kill(do_cmd_pid, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid, NULL, 0);
+ (void) waitpid(do_cmd_pid, NULL, 0);
}
if (do_cmd_pid2 > 1) {
kill(do_cmd_pid2, signo ? signo : SIGTERM);
- waitpid(do_cmd_pid2, NULL, 0);
+ (void) waitpid(do_cmd_pid2, NULL, 0);
}
if (signo)
diff -up openssh-7.4p1/servconf.c.coverity openssh-7.4p1/servconf.c
--- openssh-7.4p1/servconf.c.coverity 2016-12-23 16:40:26.896788690 +0100
+++ openssh-7.4p1/servconf.c 2016-12-23 16:40:26.901788691 +0100
@ -278,18 +210,6 @@ diff -up openssh-8.7p1/serverloop.c.coverity openssh-8.7p1/serverloop.c
if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun)
goto done;
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
@@ -224,7 +224,7 @@ killchild(int signo)
pid = sshpid;
if (pid > 1) {
kill(pid, SIGTERM);
- waitpid(pid, NULL, 0);
+ (void) waitpid(pid, NULL, 0);
}
_exit(1);
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
@ -301,28 +221,6 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
return NULL;
}
/* validate also provider from URI */
@@ -1220,8 +1220,8 @@ main(int ac, char **av)
sanitise_stdfd();
/* drop */
- setegid(getgid());
- setgid(getgid());
+ (void) setegid(getgid());
+ (void) setgid(getgid());
platform_disable_tracing(0); /* strict=no */
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100
@@ -1746,6 +1746,7 @@ control_persist_detach(void)
close(muxserver_sock);
muxserver_sock = -1;
options.control_master = SSHCTL_MASTER_NO;
+ /* coverity[leaked_handle: FALSE]*/
muxclient(options.control_path);
/* muxclient() doesn't return on success. */
fatal("Failed to connect to new control master");
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100


@ -1,21 +1,23 @@
diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
--- openssh-7.2p2/channels.c.x11 2016-03-09 19:04:48.000000000 +0100
+++ openssh-7.2p2/channels.c 2016-06-03 10:42:04.775164520 +0200
@@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_
diff --git a/channels.c b/channels.c
--- a/channels.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/channels.c (date 1703026069921)
@@ -5075,11 +5075,13 @@
}
static int
-connect_local_xsocket_path(const char *pathname)
+connect_local_xsocket_path(const char *pathname, int len)
{
int sock;
struct sockaddr_un addr;
+ if (len <= 0)
+ return -1;
+ if (len <= 0)
+ return -1;
sock = socket(AF_UNIX, SOCK_STREAM, 0);
if (sock == -1)
if (sock == -1) {
error("socket: %.100s", strerror(errno));
@@ -5087,11 +5089,12 @@
}
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
@ -29,8 +31,8 @@ diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c
- error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
return -1;
}
@@ -4012,8 +4015,18 @@ static int
@@ -5099,8 +5102,18 @@
connect_local_xsocket(u_int dnr)
{
char buf[1024];
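Review bot: The new `if (len <= 0) return -1;` guard at the top of connect_local_xsocket_path() bounds `len` only from below; the upper bound against `sizeof addr.sun_path` has to live in the copy that replaces the removed `strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);`, which sits in the following hunk (`@@ -5087,11 +5089,12 @@`) outside this excerpt, so I cannot confirm it survived the rebase. Please check that the copy still clamps `len` before writing into `addr.sun_path` — e.g. `if ((size_t)len > sizeof addr.sun_path) len = sizeof addr.sun_path;` — since an explicit `len` is presumably passed because abstract-socket names are not NUL-terminated, and an unclamped `len` would overrun the on-stack `addr`. A one-line comment on the guard explaining why the length is passed explicitly (`/* len: exact byte count of pathname; abstract socket names start with NUL */`, if that is indeed the reason) would make the next rebase less error-prone. The function body continues past the end of this hunk.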



@ -23,7 +23,7 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32
@@ -314,8 +314,15 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
@ -34,12 +34,12 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
+ if (use_privsep) {
mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+ mm_inform_authrole(role);
+#endif
+ }
+ }
userauth_banner(ssh);
if (auth2_setup_methods_lists(authctxt) != 0)
ssh_packet_disconnect(ssh,
if ((r = kex_server_update_ext_info(ssh)) != 0)
fatal_fr(r, "kex_server_update_ext_info failed");
diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200
+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200


@ -144,8 +144,8 @@ index 9351e042..d6446c0c 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */
/* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */
/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -160,7 +160,7 @@ index 9351e042..d6446c0c 100644
+ * The 'gssapi_keyex' userauth mechanism.
+ */
+static int
+userauth_gsskeyex(struct ssh *ssh)
+userauth_gsskeyex(struct ssh *ssh, const char *method)
+{
+ Authctxt *authctxt = ssh->authctxt;
+ int r, authenticated = 0;
@ -221,19 +221,20 @@ index 9351e042..d6446c0c 100644
else
logit("GSSAPI MIC check failed");
@@ -326,6 +370,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
@@ -326,6 +370,13 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh)
return 0;
}
+Authmethod method_gsskeyex = {
+ "gssapi-keyex",
+ NULL,
+ userauth_gsskeyex,
+ &options.gss_authentication
+};
+
Authmethod method_gssapi = {
"gssapi-with-mic",
NULL,
NULL,
diff --git a/auth2.c b/auth2.c
index 0e776224..1c217268 100644
--- a/auth2.c
@ -400,8 +401,8 @@ index ebd0dbca..1bdac6a4 100644
+#endif
+
/* Buffer input from the connection. */
if (conn_in_ready)
client_process_net_input(ssh);
if (conn_in_ready)
client_process_net_input(ssh);
diff --git a/configure.ac b/configure.ac
index b689db4b..efafb6bd 100644
--- a/configure.ac
@ -1252,7 +1253,7 @@ index ab3a15f0..6ce56e92 100644
+
+ return ok;
}
/* Privileged */
diff --git a/kex.c b/kex.c
index ce85f043..574c7609 100644
@ -1267,7 +1268,7 @@ index ce85f043..574c7609 100644
+#endif
+
/* prototype */
static int kex_choose_conf(struct ssh *);
static int kex_choose_conf(struct ssh *, uint32_t seq);
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
@@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = {
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
@ -1368,8 +1369,8 @@ index ce85f043..574c7609 100644
+#ifdef GSSAPI
+ free(kex->gss_host);
+#endif /* GSSAPI */
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
sshbuf_free(kex->initial_sig);
sshkey_free(kex->initial_hostkey);
free(kex->failed_choice);
diff --git a/kex.h b/kex.h
index a5ae6ac0..fe714141 100644
@ -1487,7 +1488,7 @@ new file mode 100644
index 00000000..f6e1405e
--- /dev/null
+++ b/kexgssc.c
@@ -0,0 +1,600 @@
@@ -0,0 +1,612 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@ -1588,8 +1589,10 @@ index 00000000..f6e1405e
+ default:
+ fatal_f("Unexpected KEX type %d", kex->kex_type);
+ }
+ if (r != 0)
+ if (r != 0) {
+ ssh_gssapi_delete_ctx(&ctxt);
+ return r;
+ }
+
+ token_ptr = GSS_C_NO_BUFFER;
+
@ -1652,11 +1655,16 @@ index 00000000..f6e1405e
+ do {
+ type = ssh_packet_read(ssh);
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+ u_char *tmp = NULL;
+ size_t tmp_len = 0;
+
+ debug("Received KEXGSS_HOSTKEY");
+ if (server_host_key_blob)
+ fatal("Server host key received more than once");
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
+ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
+ fatal("Failed to read server host key: %s", ssh_err(r));
+ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
+ fatal("sshbuf_from failed");
+ }
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
+
@ -1943,11 +1951,16 @@ index 00000000..f6e1405e
+ do {
+ type = ssh_packet_read(ssh);
+ if (type == SSH2_MSG_KEXGSS_HOSTKEY) {
+ u_char *tmp = NULL;
+ size_t tmp_len = 0;
+
+ debug("Received KEXGSS_HOSTKEY");
+ if (server_host_key_blob)
+ fatal("Server host key received more than once");
+ if ((r = sshpkt_getb_froms(ssh, &server_host_key_blob)) != 0)
+ if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
+ fatal("sshpkt failed: %s", ssh_err(r));
+ if ((server_host_key_blob = sshbuf_from(tmp, tmp_len)) == NULL)
+ fatal("sshbuf_from failed");
+ }
+ } while (type == SSH2_MSG_KEXGSS_HOSTKEY);
+
@ -2093,7 +2106,7 @@ new file mode 100644
index 00000000..60bc02de
--- /dev/null
+++ b/kexgsss.c
@@ -0,0 +1,474 @@
@@ -0,0 +1,482 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@ -2160,7 +2173,7 @@ index 00000000..60bc02de
+ */
+
+ OM_uint32 ret_flags = 0;
+ gss_buffer_desc gssbuf, recv_tok, msg_tok;
+ gss_buffer_desc gssbuf = {0, NULL}, recv_tok, msg_tok;
+ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
+ Gssctxt *ctxt = NULL;
+ struct sshbuf *shared_secret = NULL;
@ -2200,7 +2213,7 @@ index 00000000..60bc02de
+ type = ssh_packet_read(ssh);
+ switch(type) {
+ case SSH2_MSG_KEXGSS_INIT:
+ if (client_pubkey != NULL)
+ if (gssbuf.value != NULL)
+ fatal("Received KEXGSS_INIT after initialising");
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
+ &recv_tok)) != 0 ||
@ -2231,6 +2244,31 @@ index 00000000..60bc02de
+ goto out;
+
+ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */
+
+ /* Calculate the hash early so we can free the
+ * client_pubkey, which has reference to the parent
+ * buffer state->incoming_packet
+ */
+ hashlen = sizeof(hash);
+ if ((r = kex_gen_hash(
+ kex->hash_alg,
+ kex->client_version,
+ kex->server_version,
+ kex->peer,
+ kex->my,
+ empty,
+ client_pubkey,
+ server_pubkey,
+ shared_secret,
+ hash, &hashlen)) != 0)
+ goto out;
+
+ gssbuf.value = hash;
+ gssbuf.length = hashlen;
+
+ sshbuf_free(client_pubkey);
+ client_pubkey = NULL;
+
+ break;
+ case SSH2_MSG_KEXGSS_CONTINUE:
+ if ((r = ssh_gssapi_sshpkt_get_buffer_desc(ssh,
@ -2252,7 +2290,7 @@ index 00000000..60bc02de
+ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0)
+ fatal("Zero length token output when incomplete");
+
+ if (client_pubkey == NULL)
+ if (gssbuf.value == NULL)
+ fatal("No client public key");
+
+ if (maj_status & GSS_S_CONTINUE_NEEDED) {
@ -2281,23 +2319,6 @@ index 00000000..60bc02de
+ if (!(ret_flags & GSS_C_INTEG_FLAG))
+ fatal("Integrity flag wasn't set");
+
+ hashlen = sizeof(hash);
+ if ((r = kex_gen_hash(
+ kex->hash_alg,
+ kex->client_version,
+ kex->server_version,
+ kex->peer,
+ kex->my,
+ empty,
+ client_pubkey,
+ server_pubkey,
+ shared_secret,
+ hash, &hashlen)) != 0)
+ goto out;
+
+ gssbuf.value = hash;
+ gssbuf.length = hashlen;
+
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt, &gssbuf, &msg_tok))))
+ fatal("Couldn't get MIC");
+
@ -3379,7 +3400,7 @@ index 60de6087..db5c65bc 100644
.It HashKnownHosts
.It Host
.It HostbasedAcceptedAlgorithms
@@ -579,6 +585,8 @@ flag),
@@ -624,6 +624,8 @@
(supported message integrity codes),
.Ar kex
(key exchange algorithms),
@ -3387,7 +3408,7 @@ index 60de6087..db5c65bc 100644
+(GSSAPI key exchange algorithms),
.Ar key
(key types),
.Ar key-cert
.Ar key-ca-sign
diff --git a/ssh.c b/ssh.c
index 15aee569..110cf9c1 100644
--- a/ssh.c
@ -3423,7 +3444,7 @@ index 5e8ef548..1ff999b6 100644
+# GSSAPIKeyExchange no
+# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# CheckHostIP no
# AddressFamily any
diff --git a/ssh_config.5 b/ssh_config.5
index 06a32d31..3f490697 100644
@ -3584,7 +3605,7 @@ index af00fb30..03bc87eb 100644
+# endif
+#endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
ssh->kex->verify_host_key=&verify_host_key_callback;
+#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -4007,3 +4028,48 @@ index 71a3fddc..37a43a67 100644
KEY_UNSPEC
};
diff --git a/packet.h b/packet.h
--- a/packet.h (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/packet.h (date 1703172586447)
@@ -124,6 +124,7 @@
int ssh_packet_send2(struct ssh *);
int ssh_packet_read(struct ssh *);
+int ssh_packet_read_expect(struct ssh *, u_int type);
int ssh_packet_read_poll(struct ssh *);
int ssh_packet_read_poll2(struct ssh *, u_char *, u_int32_t *seqnr_p);
int ssh_packet_process_incoming(struct ssh *, const char *buf, u_int len);
diff --git a/packet.c b/packet.c
--- a/packet.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/packet.c (date 1703172586447)
@@ -1425,6 +1416,29 @@
return type;
}
+/*
+ * Waits until a packet has been received, verifies that its type matches
+ * that given, and gives a fatal error and exits if there is a mismatch.
+ */
+
+int
+ssh_packet_read_expect(struct ssh *ssh, u_int expected_type)
+{
+ int r;
+ u_char type;
+
+ if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)
+ return r;
+ if (type != expected_type) {
+ if ((r = sshpkt_disconnect(ssh,
+ "Protocol error: expected packet type %d, got %d",
+ expected_type, type)) != 0)
+ return r;
+ return SSH_ERR_PROTOCOL_ERROR;
+ }
+ return 0;
+}
+
static int
ssh_packet_read_poll2_mux(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
{
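Review bot: The new KEXGSS_HOSTKEY handling in kexgssc.c leaks the host key blob: `sshpkt_get_string(ssh, &tmp, &tmp_len)` allocates `tmp`, `sshbuf_from(tmp, tmp_len)` only wraps it as a read-only view without taking ownership, and `tmp` is block-local to the `if`, so nothing can free it once `server_host_key_blob` is released (unless it is recovered later via sshbuf_ptr(), which I cannot see here); the same pattern is repeated in the second `do { … } while (type == SSH2_MSG_KEXGSS_HOSTKEY)` loop. Copying the blob out of the packet buffer is the right idea — the kexgsss.c hunk notes that `sshpkt_getb_froms()` results reference `state->incoming_packet`, which the next `ssh_packet_read()` clobbers — but the copy should be owned by the sshbuf so that `sshbuf_free(server_host_key_blob)` releases it. Build it with `sshbuf_new()` + `sshbuf_put()` and free `tmp` immediately, as below, in both loops. The enclosing loop and the rest of kexgss_client() extend outside this hunk.
```c
			if ((r = sshpkt_get_string(ssh, &tmp, &tmp_len)) != 0)
				fatal("Failed to read server host key: %s", ssh_err(r));
			/* Copy into an owned buffer: sshbuf_from() would only wrap tmp. */
			if ((server_host_key_blob = sshbuf_new()) == NULL)
				fatal("sshbuf_new failed");
			if ((r = sshbuf_put(server_host_key_blob, tmp, tmp_len)) != 0)
				fatal("sshbuf_put failed: %s", ssh_err(r));
			free(tmp);
```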



@ -1,23 +1,21 @@
diff --git a/readconf.c b/readconf.c
index 7f26c680..42be690b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -320,6 +320,7 @@ static struct {
--- a/readconf.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/readconf.c (date 1703169891147)
@@ -326,6 +326,7 @@
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand },
{ "requiredrsasize", oRequiredRSASize },
{ "requiredrsasize", oRequiredRSASize },
+ { "rsaminsize", oRequiredRSASize }, /* alias */
{ "enableescapecommandline", oEnableEscapeCommandline },
{ NULL, oBadOption }
{ "obscurekeystroketiming", oObscureKeystrokeTiming },
{ "channeltimeout", oChannelTimeout },
diff --git a/servconf.c b/servconf.c
index 29df0463..423772b1 100644
--- a/servconf.c
+++ b/servconf.c
@@ -676,6 +680,7 @@ static struct {
--- a/servconf.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/servconf.c (date 1703169891148)
@@ -691,6 +691,7 @@
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
{ "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },
+ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */
{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },
{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },


@ -1,28 +1,28 @@
diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c
--- openssh-8.7p1/scp.c.scp-sftpdirs 2022-02-07 12:31:07.407740407 +0100
+++ openssh-8.7p1/scp.c 2022-02-07 12:31:07.409740424 +0100
@@ -1324,7 +1324,7 @@ source_sftp(int argc, char *src, char *t
diff --git a/scp.c b/scp.c
--- a/scp.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/scp.c (date 1703111453316)
@@ -1372,7 +1372,7 @@
if (src_is_dir && iamrecursive) {
if (upload_dir(conn, src, abs_dst, pflag,
if (sftp_upload_dir(conn, src, abs_dst, pflag,
- SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {
+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {
error("failed to upload directory %s to %s", src, targ);
errs = 1;
}
diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
--- openssh-8.7p1/sftp-client.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp-client.c 2022-02-07 12:47:59.117516131 +0100
@@ -971,7 +971,7 @@ do_fsetstat(struct sftp_conn *conn, cons
error("failed to upload directory %s to %s", src, targ);
errs = 1;
}
diff --git a/sftp-client.c b/sftp-client.c
--- a/sftp-client.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/sftp-client.c (date 1703169614263)
@@ -1003,7 +1003,7 @@
/* Implements both the realpath and expand-path operations */
static char *
-do_realpath_expand(struct sftp_conn *conn, const char *path, int expand)
+do_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir)
-sftp_realpath_expand(struct sftp_conn *conn, const char *path, int expand)
+sftp_realpath_expand(struct sftp_conn *conn, const char *path, int expand, int create_dir)
{
struct sshbuf *msg;
u_int expected_id, count, id;
@@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con
@@ -1049,11 +1049,43 @@
if ((r = sshbuf_get_u32(msg, &status)) != 0 ||
(r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)
fatal_fr(r, "parse status");
@ -33,7 +33,7 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
- return NULL;
+ if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) {
+ memset(&a, '\0', sizeof(a));
+ if ((r = do_mkdir(conn, path, &a, 0)) != 0) {
+ if ((r = sftp_mkdir(conn, path, &a, 0)) != 0) {
+ sshbuf_free(msg);
+ return NULL;
+ }
@ -71,111 +71,112 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c
} else if (type != SSH2_FXP_NAME)
fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",
SSH2_FXP_NAME, type);
@@ -1039,9 +1067,9 @@ do_realpath_expand(struct sftp_conn *con
@@ -1078,9 +1110,9 @@
}
char *
-do_realpath(struct sftp_conn *conn, const char *path)
+do_realpath(struct sftp_conn *conn, const char *path, int create_dir)
-sftp_realpath(struct sftp_conn *conn, const char *path)
+sftp_realpath(struct sftp_conn *conn, const char *path, int create_dir)
{
- return do_realpath_expand(conn, path, 0);
+ return do_realpath_expand(conn, path, 0, create_dir);
- return sftp_realpath_expand(conn, path, 0);
+ return sftp_realpath_expand(conn, path, 0, create_dir);
}
int
@@ -1055,9 +1083,9 @@ do_expand_path(struct sftp_conn *conn, c
@@ -1094,9 +1126,9 @@
{
if (!can_expand_path(conn)) {
if (!sftp_can_expand_path(conn)) {
debug3_f("no server support, fallback to realpath");
- return do_realpath_expand(conn, path, 0);
+ return do_realpath_expand(conn, path, 0, 0);
- return sftp_realpath_expand(conn, path, 0);
+ return sftp_realpath_expand(conn, path, 0, 0);
}
- return do_realpath_expand(conn, path, 1);
+ return do_realpath_expand(conn, path, 1, 0);
- return sftp_realpath_expand(conn, path, 1);
+ return sftp_realpath_expand(conn, path, 1, 0);
}
int
@@ -1807,7 +1835,7 @@ download_dir(struct sftp_conn *conn, con
@@ -2016,7 +2048,7 @@
char *src_canon;
int ret;
- if ((src_canon = do_realpath(conn, src)) == NULL) {
+ if ((src_canon = do_realpath(conn, src, 0)) == NULL) {
error("download \"%s\": path canonicalization failed", src);
return -1;
}
@@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co
- if ((src_canon = sftp_realpath(conn, src)) == NULL) {
+ if ((src_canon = sftp_realpath(conn, src, 0)) == NULL) {
error("download \"%s\": path canonicalization failed", src);
return -1;
}
@@ -2365,12 +2397,12 @@
int
upload_dir(struct sftp_conn *conn, const char *src, const char *dst,
sftp_upload_dir(struct sftp_conn *conn, const char *src, const char *dst,
int preserve_flag, int print_flag, int resume, int fsync_flag,
- int follow_link_flag, int inplace_flag)
+ int follow_link_flag, int inplace_flag, int create_dir)
{
char *dst_canon;
int ret;
- if ((dst_canon = do_realpath(conn, dst)) == NULL) {
+ if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) {
error("upload \"%s\": path canonicalization failed", dst);
return -1;
}
@@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st
- if ((dst_canon = sftp_realpath(conn, dst)) == NULL) {
+ if ((dst_canon = sftp_realpath(conn, dst, create_dir)) == NULL) {
error("upload \"%s\": path canonicalization failed", dst);
return -1;
}
@@ -2825,7 +2857,7 @@
char *from_path_canon;
int ret;
- if ((from_path_canon = do_realpath(from, from_path)) == NULL) {
+ if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) {
error("crossload \"%s\": path canonicalization failed",
from_path);
return -1;
diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h
--- openssh-8.7p1/sftp-client.h.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp-client.h 2022-02-07 12:31:07.410740433 +0100
@@ -111,7 +111,7 @@ int do_fsetstat(struct sftp_conn *, cons
int do_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a);
- if ((from_path_canon = sftp_realpath(from, from_path)) == NULL) {
+ if ((from_path_canon = sftp_realpath(from, from_path, 0)) == NULL) {
error("crossload \"%s\": path canonicalization failed",
from_path);
return -1;
diff --git a/sftp-client.h b/sftp-client.h
--- a/sftp-client.h (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/sftp-client.h (date 1703111691284)
@@ -111,7 +111,7 @@
int sftp_lsetstat(struct sftp_conn *conn, const char *path, Attrib *a);
/* Canonicalise 'path' - caller must free result */
-char *do_realpath(struct sftp_conn *, const char *);
+char *do_realpath(struct sftp_conn *, const char *, int);
-char *sftp_realpath(struct sftp_conn *, const char *);
+char *sftp_realpath(struct sftp_conn *, const char *, int);
/* Canonicalisation with tilde expansion (requires server extension) */
char *do_expand_path(struct sftp_conn *, const char *);
@@ -159,7 +159,7 @@ int do_upload(struct sftp_conn *, const
char *sftp_expand_path(struct sftp_conn *, const char *);
@@ -163,7 +163,7 @@
* times if 'pflag' is set
*/
int upload_dir(struct sftp_conn *, const char *, const char *,
int sftp_upload_dir(struct sftp_conn *, const char *, const char *,
- int, int, int, int, int, int);
+ int, int, int, int, int, int, int);
/*
* Download a 'from_path' from the 'from' connection and upload it to
diff -up openssh-8.7p1/sftp.c.scp-sftpdirs openssh-8.7p1/sftp.c
--- openssh-8.7p1/sftp.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200
+++ openssh-8.7p1/sftp.c 2022-02-07 12:31:07.411740442 +0100
@@ -760,7 +760,7 @@ process_put(struct sftp_conn *conn, cons
if (globpath_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
if (upload_dir(conn, g.gl_pathv[i], abs_dst,
diff --git a/sftp.c b/sftp.c
--- a/sftp.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/sftp.c (date 1703168795365)
@@ -807,7 +807,7 @@
(rflag || global_rflag)) {
if (sftp_upload_dir(conn, g.gl_pathv[i], abs_dst,
pflag || global_pflag, 1, resume,
- fflag || global_fflag, 0, 0) == -1)
+ fflag || global_fflag, 0, 0, 0) == -1)
err = -1;
} else {
if (do_upload(conn, g.gl_pathv[i], abs_dst,
@@ -1577,7 +1577,7 @@ parse_dispatch_command(struct sftp_conn
if (sftp_upload(conn, g.gl_pathv[i], abs_dst,
@@ -1642,7 +1642,7 @@
if (path1 == NULL || *path1 == '\0')
path1 = xstrdup(startdir);
path1 = make_absolute(path1, *pwd);
- if ((tmp = do_realpath(conn, path1)) == NULL) {
+ if ((tmp = do_realpath(conn, path1, 0)) == NULL) {
path1 = sftp_make_absolute(path1, *pwd);
- if ((tmp = sftp_realpath(conn, path1)) == NULL) {
+ if ((tmp = sftp_realpath(conn, path1, 0)) == NULL) {
err = 1;
break;
}
@@ -2160,7 +2160,7 @@ interactive_loop(struct sftp_conn *conn,
@@ -2247,7 +2247,7 @@
}
#endif /* USE_LIBEDIT */
- remote_path = do_realpath(conn, ".");
+ remote_path = do_realpath(conn, ".", 0);
if (remote_path == NULL)
- if ((remote_path = sftp_realpath(conn, ".")) == NULL)
+ if ((remote_path = sftp_realpath(conn, ".", 0)) == NULL)
fatal("Need cwd");
startdir = xstrdup(remote_path);


@ -0,0 +1,119 @@
diff -up openssh-9.0p1/audit-bsm.c.patch openssh-9.0p1/audit-bsm.c
--- openssh-9.0p1/audit-bsm.c.patch 2022-10-24 15:02:16.544858331 +0200
+++ openssh-9.0p1/audit-bsm.c 2022-10-24 14:51:43.685766639 +0200
@@ -405,7 +405,7 @@ audit_session_close(struct logininfo *li
}
int
-audit_keyusage(struct ssh *ssh, int host_user, char *fp, int rv)
+audit_keyusage(struct ssh *ssh, int host_user, char *key_fp, const struct sshkey_cert *cert, const char *issuer_fp, int rv)
{
/* not implemented */
}
diff -up openssh-9.0p1/audit.c.patch openssh-9.0p1/audit.c
--- openssh-9.0p1/audit.c.patch 2022-10-24 15:02:16.544858331 +0200
+++ openssh-9.0p1/audit.c 2022-10-24 15:20:38.854548226 +0200
@@ -116,12 +116,22 @@ audit_event_lookup(ssh_audit_event_t ev)
void
audit_key(struct ssh *ssh, int host_user, int *rv, const struct sshkey *key)
{
- char *fp;
+ char *key_fp = NULL;
+ char *issuer_fp = NULL;
+ struct sshkey_cert *cert = NULL;
- fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
- if (audit_keyusage(ssh, host_user, fp, (*rv == 0)) == 0)
+ key_fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
+ if (sshkey_is_cert(key) && key->cert != NULL && key->cert->signature_key != NULL) {
+ cert = key->cert;
+ issuer_fp = sshkey_fingerprint(cert->signature_key,
+ options.fingerprint_hash, SSH_FP_DEFAULT);
+ }
+ if (audit_keyusage(ssh, host_user, key_fp, cert, issuer_fp, (*rv == 0)) == 0)
*rv = -SSH_ERR_INTERNAL_ERROR;
- free(fp);
+ if (key_fp)
+ free(key_fp);
+ if (issuer_fp)
+ free(issuer_fp);
}
void
diff -up openssh-9.0p1/audit.h.patch openssh-9.0p1/audit.h
--- openssh-9.0p1/audit.h.patch 2022-10-24 15:02:16.544858331 +0200
+++ openssh-9.0p1/audit.h 2022-10-24 14:58:20.887565518 +0200
@@ -64,7 +64,7 @@ void audit_session_close(struct logininf
int audit_run_command(struct ssh *, const char *);
void audit_end_command(struct ssh *, int, const char *);
ssh_audit_event_t audit_classify_auth(const char *);
-int audit_keyusage(struct ssh *, int, char *, int);
+int audit_keyusage(struct ssh *, int, const char *, const struct sshkey_cert *, const char *, int);
void audit_key(struct ssh *, int, int *, const struct sshkey *);
void audit_unsupported(struct ssh *, int);
void audit_kex(struct ssh *, int, char *, char *, char *, char *);
diff -up openssh-9.0p1/audit-linux.c.patch openssh-9.0p1/audit-linux.c
--- openssh-9.0p1/audit-linux.c.patch 2022-10-24 15:02:16.544858331 +0200
+++ openssh-9.0p1/audit-linux.c 2022-10-24 15:21:58.165303951 +0200
@@ -137,10 +137,12 @@ fatal_report:
}
int
-audit_keyusage(struct ssh *ssh, int host_user, char *fp, int rv)
+audit_keyusage(struct ssh *ssh, int host_user, const char *key_fp, const struct sshkey_cert *cert, const char *issuer_fp, int rv)
{
char buf[AUDIT_LOG_SIZE];
int audit_fd, rc, saved_errno;
+ const char *rip;
+ u_int i;
audit_fd = audit_open();
if (audit_fd < 0) {
@@ -150,14 +152,44 @@ audit_keyusage(struct ssh *ssh, int host
else
return 0; /* Must prevent login */
}
+ rip = ssh_remote_ipaddr(ssh);
snprintf(buf, sizeof(buf), "%s_auth grantors=auth-key", host_user ? "pubkey" : "hostbased");
rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
- buf, audit_username(), -1, NULL, ssh_remote_ipaddr(ssh), NULL, rv);
+ buf, audit_username(), -1, NULL, rip, NULL, rv);
if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
goto out;
- snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", fp);
+ snprintf(buf, sizeof(buf), "op=negotiate kind=auth-key fp=%s", key_fp);
rc = audit_log_user_message(audit_fd, AUDIT_CRYPTO_KEY_USER, buf, NULL,
- ssh_remote_ipaddr(ssh), NULL, rv);
+ rip, NULL, rv);
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
+ goto out;
+
+ if (cert) {
+ char *pbuf;
+
+ pbuf = audit_encode_nv_string("key_id", cert->key_id, 0);
+ if (pbuf == NULL)
+ goto out;
+ snprintf(buf, sizeof(buf), "cert %s cert_serial=%llu cert_issuer_alg=\"%s\" cert_issuer_fp=\"%s\"",
+ pbuf, (unsigned long long)cert->serial, sshkey_type(cert->signature_key), issuer_fp);
+ free(pbuf);
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
+ buf, audit_username(), -1, NULL, rip, NULL, rv);
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
+ goto out;
+
+ for (i = 0; cert->principals != NULL && i < cert->nprincipals; i++) {
+ pbuf = audit_encode_nv_string("cert_principal", cert->principals[i], 0);
+ if (pbuf == NULL)
+ goto out;
+ snprintf(buf, sizeof(buf), "principal %s", pbuf);
+ free(pbuf);
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
+ buf, audit_username(), -1, NULL, rip, NULL, rv);
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
+ goto out;
+ }
+ }
out:
saved_errno = errno;
audit_close(audit_fd);
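Review bot: In the audit-linux.c hunk `issuer_fp` reaches the `cert_issuer_fp=\"%s\"` snprintf unchecked, but the audit.c hunk obtains it from sshkey_fingerprint(), which returns NULL on failure, and passing NULL to `%s` is undefined behaviour (the pre-existing `key_fp` on the `fp=%s` line has the same exposure). A one-line guard at the format call avoids it, `sshkey_type(cert->signature_key), issuer_fp != NULL ? issuer_fp : "<unavailable>");`, or a missing fingerprint could be treated as an audit failure instead of emitting a record without it. The key_id and principal strings come from the certificate and can be long, and snprintf() into `buf[AUDIT_LOG_SIZE]` truncates silently, so its return value should be compared against `sizeof(buf)` before the record is sent. On the `pbuf == NULL` paths the jump to `out` leaves `rc` holding the previous successful result, so the caller presumably sees success although the cert record was never written; the return after `out:` is outside the hunk, so that needs confirming. The `if (key_fp) free(key_fp);` pairs in audit.c can be plain `free(key_fp);`, since free(NULL) is a no-op.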


@ -252,6 +252,16 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
#include <string.h>
@@ -44,6 +44,9 @@
#include "digest.h"
#define SSHKEY_INTERNAL
#include "sshkey.h"
+#ifdef ENABLE_PKCS11
+#include "ssh-pkcs11.h"
+#endif
#include "openbsd-compat/openssl-compat.h"
@@ -126,19 +128,29 @@
static int
ssh_ecdsa_generate(struct sshkey *k, int bits)
@ -521,14 +531,6 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
#endif
#include "crypto_api.h"
@@ -57,6 +59,7 @@
#define SSHKEY_INTERNAL
#include "sshkey.h"
#include "match.h"
+#include "log.h"
#include "ssh-sk.h"
#ifdef WITH_XMSS
@@ -575,6 +577,86 @@
}
@ -657,15 +659,15 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
# ifdef OPENSSL_HAS_ECC
# include <openssl/ec.h>
# include <openssl/ecdsa.h>
@@ -268,6 +271,10 @@
@@ -266,6 +266,10 @@
const char *sshkey_ssh_name_plain(const struct sshkey *);
int sshkey_names_valid2(const char *, int);
int sshkey_names_valid2(const char *, int, int);
char *sshkey_alg_list(int, int, int, char);
+int sshkey_calculate_signature(EVP_PKEY*, int, u_char **,
+ int *, const u_char *, size_t);
+int sshkey_verify_signature(EVP_PKEY *, int, const u_char *,
+ size_t, u_char *, int);
int sshkey_from_blob(const u_char *, size_t, struct sshkey **);
int sshkey_fromb(struct sshbuf *, struct sshkey **);
@@ -324,6 +331,13 @@
@ -693,11 +695,11 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
#if !defined(WITH_OPENSSL)
# undef RSA
# undef DSA
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.c openssh-9.3p1-patched/ssh-pkcs11.c
--- openssh-9.3p1/ssh-pkcs11.c 2023-06-06 15:53:36.592443989 +0200
+++ openssh-9.3p1-patched/ssh-pkcs11.c 2023-06-06 15:52:25.626551768 +0200
@@ -777,8 +777,24 @@
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
--- a/ssh-pkcs11.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/ssh-pkcs11.c (date 1703110934679)
@@ -620,8 +620,24 @@
return (0);
}
+
@ -709,7 +711,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+ return 0;
+}
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
+int
+is_rsa_pkcs11(RSA *rsa)
+{
@ -718,16 +720,16 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+ return 0;
+}
+
/* remove trailing spaces */
static void
rmspace(u_char *buf, size_t len)
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11-client.c openssh-9.3p1-patched/ssh-pkcs11-client.c
--- openssh-9.3p1/ssh-pkcs11-client.c 2023-06-06 15:53:36.591443976 +0200
+++ openssh-9.3p1-patched/ssh-pkcs11-client.c 2023-06-06 15:52:25.626551768 +0200
@@ -225,8 +225,36 @@
static RSA_METHOD *helper_rsa;
#if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)
static EC_KEY_METHOD *helper_ecdsa;
/* remove trailing spaces. Note, that this does NOT guarantee the buffer
* will be null terminated if there are no trailing spaces! */
static char *
diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
--- a/ssh-pkcs11-client.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/ssh-pkcs11-client.c (date 1703110830967)
@@ -402,8 +402,36 @@
if (helper->nrsa == 0 && helper->nec == 0)
helper_terminate(helper);
}
+
+int
+is_ecdsa_pkcs11(EC_KEY *ecdsa)
@ -742,8 +744,8 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+ return 1;
+ return 0;
+}
#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */
#endif /* defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) */
+int
+is_rsa_pkcs11(RSA *rsa)
+{
@ -760,14 +762,15 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
+
/* redirect private key crypto operations to the ssh-pkcs11-helper */
static void
wrap_key(struct sshkey *k)
diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.h openssh-9.3p1-patched/ssh-pkcs11.h
--- openssh-9.3p1/ssh-pkcs11.h 2023-06-06 15:53:36.592443989 +0200
+++ openssh-9.3p1-patched/ssh-pkcs11.h 2023-06-06 15:52:25.626551768 +0200
@@ -39,6 +39,11 @@
u_int32_t *);
#endif
wrap_key(struct helper *helper, struct sshkey *k)
diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
--- a/ssh-pkcs11.h (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/ssh-pkcs11.h (date 1703111023334)
@@ -38,6 +38,12 @@
/* Only available in ssh-pkcs11-client.c so far */
int pkcs11_make_cert(const struct sshkey *,
const struct sshkey *, struct sshkey **);
+
+#ifdef HAVE_EC_KEY_METHOD_NEW
+int is_ecdsa_pkcs11(EC_KEY *ecdsa);
+#endif
@ -788,7 +791,13 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x
#include <stdarg.h>
#include <string.h>
@@ -36,7 +38,7 @@
@@ -36,10 +36,13 @@
#include "sshkey.h"
#include "digest.h"
#include "log.h"
+#ifdef ENABLE_PKCS11
+#include "ssh-pkcs11.h"
+#endif
#include "openbsd-compat/openssl-compat.h"

Binary file not shown.


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=yVD2
-----END PGP SIGNATURE-----

BIN
openssh-9.6p1.tar.gz Normal file

Binary file not shown.

16
openssh-9.6p1.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEcWi5g4FaXu9ZpK39Kj9BTnNgYLoFAmWAXvAACgkQKj9BTnNg
YLrypA/6A1O8e80XnzVWIFhXkbv/biGL10Q5ZMvjQvND6mbkphNWZ4G4QOEh0nBG
rseD3Fce7me9pfeLYVhaNXO9R3OYAXxjbWfQwI7FpBU4QUCnbH53PG32B6ESq7pl
0vlDqdqI7aBAyMpp+8WFD+EvHWUVA77JtfU4MFw7myKJacrVrDUygDaZkJKOhqKf
N1Nurz4YppdQ5zIK1ElL0jlRJXm08flLFRg8fD5/5rwabpUbZIY9b5qZzGKgnR7I
sxUBlDkfLnvKIlKzUXbRvOHazvFAHYH1ltJZGlJUc/+H/ZaPigWf4IR+E1FB9c2O
zxaZhlbwGKyD+p7l08F9n8T21taxpBCW1Uxkx7MLTz8k9huPNpdX5l8VM4Gotmn8
I4V3Fevyx+M3XJYeKtkspa51h0GqF3gNFPLxW7ERGaIuqwoxuHxIEKwYE+JPmQag
UDma5LDrSrasa8Rw8g5urGE48PeDQ5muPy8Bi9eIGZU5JLqX6TNgz7QDDs/dQsHB
iny4wQOLmdIA78IGttiCo0rqikEvFtFDFR4mCUTC8K0nQKzWwGewO3gRTcHttzyU
xMalxw+wt9cUJ8gb1E9p7OeMUuXdaHMmem8/PcFCar/vKx1mdV/On6evnp3P8yQA
la8WnbcP0+zJg0GGwGszpFlOMjWCDB0kUTBCT+MR+IWbj/pVZVA=
=G9YA
-----END PGP SIGNATURE-----


@ -6,10 +6,10 @@
%{?no_gtk2:%global gtk2 0}
%global sshd_uid 74
%global openssh_release 6
%global openssh_release 1
Name: openssh
Version: 9.3p2
Version: 9.6p1
Release: %{openssh_release}
URL: http://www.openssh.com/portable.html
License: BSD
@ -32,88 +32,83 @@ Source13: sshd-keygen.target
Source14: ssh-agent.service
Source15: ssh-agent.socket
Source16: ssh-keygen-bash-completion.sh
Source17: ssh-host-keys-migration.sh
Source18: ssh-host-keys-migration.service
Patch0: openssh-6.7p1-coverity.patch
Patch1: openssh-7.6p1-audit.patch
Patch2: openssh-7.1p2-audit-race-condition.patch
Patch3: pam_ssh_agent_auth-0.9.3-build.patch
Patch4: pam_ssh_agent_auth-0.10.3-seteuid.patch
Patch5: pam_ssh_agent_auth-0.9.2-visibility.patch
Patch6: pam_ssh_agent_auth-0.9.3-agent_structure.patch
Patch7: pam_ssh_agent_auth-0.10.2-compat.patch
Patch8: pam_ssh_agent_auth-0.10.2-dereference.patch
Patch9: pam_ssh_agent_auth-0.10.4-rsasha2.patch
Patch10: pam_ssh_agent-configure-c99.patch
Patch11: openssh-7.8p1-role-mls.patch
Patch12: openssh-6.6p1-privsep-selinux.patch
Patch3: openssh-9.0p1-audit-log.patch
Patch4: pam_ssh_agent_auth-0.9.3-build.patch
Patch5: pam_ssh_agent_auth-0.10.3-seteuid.patch
Patch6: pam_ssh_agent_auth-0.9.2-visibility.patch
Patch7: pam_ssh_agent_auth-0.9.3-agent_structure.patch
Patch8: pam_ssh_agent_auth-0.10.2-compat.patch
Patch9: pam_ssh_agent_auth-0.10.2-dereference.patch
Patch10: pam_ssh_agent_auth-0.10.4-rsasha2.patch
Patch11: pam_ssh_agent-configure-c99.patch
Patch12: openssh-7.8p1-role-mls.patch
Patch13: openssh-6.6p1-privsep-selinux.patch
Patch14: openssh-6.6p1-keycat.patch
Patch15: openssh-6.6p1-allow-ip-opts.patch
Patch17: openssh-5.9p1-ipv6man.patch
Patch18: openssh-5.8p2-sigpipe.patch
Patch19: openssh-7.2p2-x11.patch
Patch21: openssh-5.1p1-askpass-progress.patch
Patch22: openssh-4.3p2-askpass-grab-info.patch
Patch23: openssh-7.7p1.patch
Patch24: openssh-7.8p1-UsePAM-warning.patch
Patch28: openssh-8.0p1-gssapi-keyex.patch
Patch29: openssh-6.6p1-force_krb.patch
Patch30: openssh-6.6p1-GSSAPIEnablek5users.patch
Patch31: openssh-7.7p1-gssapi-new-unique.patch
Patch32: openssh-7.2p2-k5login_directory.patch
Patch33: openssh-6.6p1-kuserok.patch
Patch34: openssh-6.4p1-fromto-remote.patch
Patch35: openssh-6.6.1p1-selinux-contexts.patch
Patch36: openssh-6.6.1p1-log-in-chroot.patch
Patch37: openssh-6.6.1p1-scp-non-existing-directory.patch
Patch38: openssh-6.8p1-sshdT-output.patch
Patch39: openssh-6.7p1-sftp-force-permission.patch
Patch40: openssh-7.2p2-s390-closefrom.patch
Patch41: openssh-7.3p1-x11-max-displays.patch
Patch42: openssh-7.4p1-systemd.patch
Patch43: openssh-7.6p1-cleanup-selinux.patch
Patch44: openssh-7.5p1-sandbox.patch
Patch45: openssh-8.0p1-pkcs11-uri.patch
Patch46: openssh-7.8p1-scp-ipv6.patch
Patch48: openssh-8.0p1-crypto-policies.patch
Patch49: openssh-9.3p1-merged-openssl-evp.patch
Patch50: openssh-8.0p1-openssl-kdf.patch
Patch51: openssh-8.2p1-visibility.patch
Patch52: openssh-8.2p1-x11-without-ipv6.patch
Patch53: openssh-8.0p1-keygen-strip-doseol.patch
Patch54: openssh-8.0p1-preserve-pam-errors.patch
Patch55: openssh-8.7p1-scp-kill-switch.patch
Patch56: openssh-8.7p1-recursive-scp.patch
Patch57: openssh-8.7p1-minrsabits.patch
Patch58: openssh-8.7p1-ibmca.patch
Patch60: openssh-8.7p1-ssh-manpage.patch
Patch61: openssh-8.7p1-negotiate-supported-algs.patch
Patch66: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch67: bugfix-openssh-add-option-check-username-splash.patch
Patch68: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
Patch69: bugfix-openssh-fix-sftpserver.patch
Patch70: set-sshd-config.patch
Patch71: feature-add-SMx-support.patch
Patch72: add-loongarch.patch
Patch73: openssh-Add-sw64-architecture.patch
Patch74: add-strict-scp-check-for-CVE-2020-15778.patch
Patch75: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
Patch77: set-ssh-config.patch
Patch78: backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch
Patch79: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
Patch80: backport-fix-CVE-2024-6387.patch
Patch81: backport-CVE-2023-51384-upstream-apply-destination-constraints-to-all-p11-ke.patch
Patch82: backport-upstream-Make-sure-sftp_get_limits-only-returns-0-if.patch
Patch83: backport-upstream-when-connecting-via-socket-the-default-case.patch
Patch84: backport-upstream-set-errno-EAFNOSUPPORT-when-filtering-addre.patch
Patch85: backport-upstream-when-invoking-KnownHostsCommand-to-determin.patch
Patch86: backport-upstream-ensure-key_fd-is-filled-when-DSA-is-disable.patch
Patch87: backport-upstream-fix-memory-leak-in-mux-proxy-mode-when-requ.patch
Patch88: backport-openssh-7.7p1-fips.patch
Patch89: backport-CVE-2021-36368-added-option-to-disable-trivial-auth.patch
Patch90: backport-upstream-Fix-proxy-multiplexing-O-proxy-bug.patch
Patch91: backport-openssh-6.6p1-keyperm.patch
Patch92: backport-upstream-make-parsing-user-host-consistently-look-for-the-last-in.patch
Patch93: backport-upstream-Do-not-apply-authorized_keys-options-when-signature.patch
Patch94: backport-upstream-some-extra-paranoia.patch
Patch16: openssh-5.9p1-ipv6man.patch
Patch17: openssh-5.8p2-sigpipe.patch
Patch18: openssh-7.2p2-x11.patch
Patch19: openssh-7.7p1-fips.patch
Patch20: openssh-5.1p1-askpass-progress.patch
Patch21: openssh-4.3p2-askpass-grab-info.patch
Patch22: openssh-7.7p1.patch
Patch23: openssh-7.8p1-UsePAM-warning.patch
Patch24: openssh-8.0p1-gssapi-keyex.patch
Patch25: openssh-6.6p1-force_krb.patch
Patch26: openssh-6.6p1-GSSAPIEnablek5users.patch
Patch27: openssh-7.7p1-gssapi-new-unique.patch
Patch28: openssh-7.2p2-k5login_directory.patch
Patch29: openssh-6.6p1-kuserok.patch
Patch30: openssh-6.4p1-fromto-remote.patch
Patch31: openssh-6.6.1p1-selinux-contexts.patch
Patch32: openssh-6.6.1p1-log-in-chroot.patch
Patch33: openssh-6.6.1p1-scp-non-existing-directory.patch
Patch34: openssh-6.8p1-sshdT-output.patch
Patch35: openssh-6.7p1-sftp-force-permission.patch
Patch36: openssh-7.2p2-s390-closefrom.patch
Patch37: openssh-7.3p1-x11-max-displays.patch
Patch38: openssh-7.4p1-systemd.patch
Patch39: openssh-7.6p1-cleanup-selinux.patch
Patch40: openssh-7.5p1-sandbox.patch
Patch41: openssh-8.0p1-pkcs11-uri.patch
Patch42: openssh-7.8p1-scp-ipv6.patch
Patch43: openssh-8.0p1-crypto-policies.patch
Patch44: openssh-9.3p1-merged-openssl-evp.patch
Patch45: openssh-8.0p1-openssl-kdf.patch
Patch46: openssh-8.2p1-visibility.patch
Patch47: openssh-8.2p1-x11-without-ipv6.patch
Patch48: openssh-8.0p1-keygen-strip-doseol.patch
Patch49: openssh-8.0p1-preserve-pam-errors.patch
Patch50: openssh-8.7p1-scp-kill-switch.patch
Patch51: openssh-8.7p1-recursive-scp.patch
Patch52: openssh-8.7p1-minrsabits.patch
Patch53: openssh-8.7p1-ibmca.patch
Patch54: openssh-8.7p1-ssh-manpage.patch
Patch55: openssh-8.7p1-negotiate-supported-algs.patch
Patch56: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch57: bugfix-openssh-add-option-check-username-splash.patch
Patch58: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
Patch59: bugfix-openssh-fix-sftpserver.patch
Patch60: set-sshd-config.patch
Patch61: feature-add-SMx-support.patch
Patch62: add-loongarch.patch
Patch63: openssh-Add-sw64-architecture.patch
Patch64: add-strict-scp-check-for-CVE-2020-15778.patch
Patch65: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
Patch66: set-ssh-config.patch
Patch67: backport-fix-CVE-2024-6387.patch
Patch68: backport-upstream-ensure-key_fd-is-filled-when-DSA-is-disable.patch
Patch69: backport-upstream-Fix-proxy-multiplexing-O-proxy-bug.patch
Patch70: backport-upstream-make-parsing-user-host-consistently-look-for-the-last-in.patch
Patch71: backport-upstream-Do-not-apply-authorized_keys-options-when-signature.patch
Patch72: backport-upstream-some-extra-paranoia.patch
Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -190,93 +185,84 @@ instance. The module is most useful for su and sudo service stacks.
%setup -q -a 3
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
%patch3 -p2 -b .psaa-build
%patch4 -p2 -b .psaa-seteuid
%patch5 -p2 -b .psaa-visibility
%patch7 -p2 -b .psaa-compat
%patch6 -p2 -b .psaa-agent
%patch8 -p2 -b .psaa-deref
%patch9 -p2 -b .rsasha2
%patch10 -p1 -b .psaa-configure-c99
%patch -P 4 -p2 -b .psaa-build
%patch -P 5 -p2 -b .psaa-seteuid
%patch -P 6 -p2 -b .psaa-visibility
%patch -P 8 -p2 -b .psaa-compat
%patch -P 7 -p2 -b .psaa-agent
%patch -P 9 -p2 -b .psaa-deref
%patch -P 10 -p2 -b .rsasha2
%patch -P 11 -p1 -b .psaa-configure-c99
# Remove duplicate headers and library files
rm -f $(cat %{SOURCE4})
popd
%patch11 -p1 -b .role-mls
%patch12 -p1 -b .privsep-selinux
%patch14 -p1 -b .keycat
%patch15 -p1 -b .ip-opts
%patch17 -p1 -b .ipv6man
%patch18 -p1 -b .sigpipe
%patch19 -p1 -b .x11
%patch21 -p1 -b .progress
%patch22 -p1 -b .grab-info
%patch23 -p1
%patch24 -p1 -b .log-usepam-no
%patch28 -p1 -b .gsskex
%patch29 -p1 -b .force_krb
%patch31 -p1 -b .ccache_name
%patch32 -p1 -b .k5login
%patch33 -p1 -b .kuserok
%patch34 -p1 -b .fromto-remote
%patch35 -p1 -b .contexts
%patch36 -p1 -b .log-in-chroot
%patch37 -p1 -b .scp
%patch30 -p1 -b .GSSAPIEnablek5users
%patch38 -p1 -b .sshdt
%patch39 -p1 -b .sftp-force-mode
%patch40 -p1 -b .s390-dev
%patch41 -p1 -b .x11max
%patch42 -p1 -b .systemd
%patch43 -p1 -b .refactor
%patch44 -p1 -b .sandbox
%patch45 -p1 -b .pkcs11-uri
%patch46 -p1 -b .scp-ipv6
%patch48 -p1 -b .crypto-policies
%patch49 -p1 -b .openssl-evp
%patch50 -p1 -b .openssl-kdf
%patch51 -p1 -b .visibility
%patch52 -p1 -b .x11-ipv6
%patch53 -p1 -b .keygen-strip-doseol
%patch54 -p1 -b .preserve-pam-errors
%patch55 -p1 -b .kill-scp
%patch56 -p1 -b .scp-sftpdirs
%patch57 -p1 -b .minrsabits
%patch58 -p1 -b .ibmca
%patch60 -p1 -b .ssh-manpage
%patch61 -p1 -b .negotiate-supported-algs
%patch1 -p1 -b .audit
%patch2 -p1 -b .audit-race
%patch0 -p1 -b .coverity
%patch -P 12 -p1 -b .role-mls
%patch -P 13 -p1 -b .privsep-selinux
%patch -P 14 -p1 -b .keycat
%patch -P 15 -p1 -b .ip-opts
%patch -P 16 -p1 -b .ipv6man
%patch -P 17 -p1 -b .sigpipe
%patch -P 18 -p1 -b .x11
%patch -P 20 -p1 -b .progress
%patch -P 21 -p1 -b .grab-info
%patch -P 22 -p1
%patch -P 23 -p1 -b .log-usepam-no
%patch -P 24 -p1 -b .gsskex
%patch -P 25 -p1 -b .force_krb
%patch -P 27 -p1 -b .ccache_name
%patch -P 28 -p1 -b .k5login
%patch -P 29 -p1 -b .kuserok
%patch -P 30 -p1 -b .fromto-remote
%patch -P 31 -p1 -b .contexts
%patch -P 32 -p1 -b .log-in-chroot
%patch -P 33 -p1 -b .scp
%patch -P 26 -p1 -b .GSSAPIEnablek5users
%patch -P 34 -p1 -b .sshdt
%patch -P 35 -p1 -b .sftp-force-mode
%patch -P 36 -p1 -b .s390-dev
%patch -P 37 -p1 -b .x11max
%patch -P 38 -p1 -b .systemd
%patch -P 39 -p1 -b .refactor
%patch -P 40 -p1 -b .sandbox
%patch -P 41 -p1 -b .pkcs11-uri
%patch -P 42 -p1 -b .scp-ipv6
%patch -P 43 -p1 -b .crypto-policies
%patch -P 44 -p1 -b .openssl-evp
%patch -P 45 -p1 -b .openssl-kdf
%patch -P 46 -p1 -b .visibility
%patch -P 47 -p1 -b .x11-ipv6
%patch -P 48 -p1 -b .keygen-strip-doseol
%patch -P 49 -p1 -b .preserve-pam-errors
%patch -P 50 -p1 -b .kill-scp
%patch -P 51 -p1 -b .scp-sftpdirs
%patch -P 52 -p1 -b .minrsabits
%patch -P 53 -p1 -b .ibmca
%patch -P 1 -p1 -b .audit
%patch -P 2 -p1 -b .audit-race
%patch -P 3 -p1 -b .audit-log
%patch -P 19 -p1 -b .fips
%patch -P 54 -p1 -b .ssh-manpage
%patch -P 55 -p1 -b .negotiate-supported-algs
%patch -P 0 -p1 -b .coverity
%patch66 -p1
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch73 -p1
%patch74 -p1
%patch75 -p1
%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
%patch81 -p1
%patch82 -p1
%patch83 -p1
%patch84 -p1
%patch85 -p1
%patch86 -p1
%patch87 -p1
%patch88 -p1
%patch89 -p1
%patch90 -p1
%patch91 -p1
%patch92 -p1
%patch93 -p1
%patch94 -p1
%patch -P 56 -p1
%patch -P 57 -p1
%patch -P 58 -p1
%patch -P 59 -p1
%patch -P 60 -p1
%patch -P 61 -p1
%patch -P 62 -p1
%patch -P 63 -p1
%patch -P 64 -p1
%patch -P 65 -p1
%patch -P 66 -p1
%patch -P 67 -p1
%patch -P 68 -p1
%patch -P 69 -p1
%patch -P 70 -p1
%patch -P 71 -p1
%patch -P 72 -p1
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -390,6 +376,10 @@ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE12} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/etc/bash_completion.d/ssh-keygen-bash-completion.sh
install -m744 %{SOURCE17} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/ssh-host-keys-migration.sh
install -m644 %{SOURCE18} $RPM_BUILD_ROOT/%{_unitdir}/ssh-host-keys-migration.service
install -d $RPM_BUILD_ROOT/%{_localstatedir}/lib
touch $RPM_BUILD_ROOT/%{_localstatedir}/lib/.ssh-host-keys-migration
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
@ -412,6 +402,14 @@ getent passwd sshd >/dev/null || \
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
%post server
if [ $1 -gt 1 ]; then
# In the case of an upgrade (never true on OSTree systems) run the migration
# script for Fedora 38 to remove group ownership for host keys.
%{_libexecdir}/openssh/ssh-host-keys-migration.sh
# Prevent the systemd unit that performs the same service (useful for
# OSTree systems) from running.
touch /var/lib/.ssh-host-keys-migration
fi
%systemd_post sshd.service sshd.socket
%preun server
@ -466,6 +464,9 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
%attr(0644,root,root) %{_unitdir}/ssh-host-keys-migration.service
%attr(0744,root,root) %{_libexecdir}/openssh/ssh-host-keys-migration.sh
%ghost %attr(0644,root,root) %{_localstatedir}/lib/.ssh-host-keys-migration
%files keycat
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-keycat
@ -493,6 +494,12 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog
* Mon Dec 09 2024 yanglu <yanglu72@h-partners.com> - 9.6p1-1
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:update openssh version to 9.6p1
* Tue Oct 29 2024 bitianyuan <bitianyuan@huawei.com> - 9.3p2-6
- Type:bugfix
- ID:NA
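Review bot: The changelog entry at the end of the section records only the version bump, while the new Patch list drops `backport-CVE-2021-36368-added-option-to-disable-trivial-auth.patch` (old Patch89, which added the client `DisableTrivialAuth` keyword) and `backport-openssh-6.6p1-keyperm.patch` (old Patch91) without mentioning either. Removing a config keyword is user-visible — an ssh_config that still sets `DisableTrivialAuth` will presumably be rejected as a bad configuration option after the upgrade — so the changelog should say so, e.g. `- DESC:update openssh version to 9.6p1; drop DisableTrivialAuth (CVE-2021-36368 backport) and keyperm patches, host-key permissions now migrated by ssh-host-keys-migration.sh`. The dropped 2023 CVE backports (old Patch78/79/81) are included in 9.6p1 upstream, which is worth a line for the same reason. The `%post server` block runs the migration script directly; because the script uses `set -eu -o pipefail`, a failing chmod/chown aborts the scriptlet and the upgrade, whereas the unit file tolerates failure via `ExecStart=-`, so appending `|| :` to that call would make the two paths consistent.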


@ -0,0 +1,14 @@
[Unit]
Description=Update OpenSSH host key permissions
Before=sshd.service
After=ssh-keygen.target
ConditionPathExists=!/var/lib/.ssh-host-keys-migration
[Service]
Type=oneshot
ExecStart=-/usr/libexec/openssh/ssh-host-keys-migration.sh
ExecStart=touch /var/lib/.ssh-host-keys-migration
RemainAfterExit=yes
[Install]
WantedBy=sshd.service
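Review bot: A failed migration is never retried: the `-` prefix on the first `ExecStart=` makes the script's exit status ignored, and the second `ExecStart=touch …` then creates the marker unconditionally, so `ConditionPathExists=!…` skips the unit on every later boot even when no key was actually fixed. Dropping the `-` prefix (or creating the marker from inside the script only after it succeeds) would leave the marker absent on failure so the unit runs again. Separately, `After=ssh-keygen.target` does not match the `sshd-keygen.target` name used by the spec file and by sshd.service elsewhere in this commit, so systemd will most likely ignore that ordering constraint; `After=sshd-keygen.target` appears to be what was intended.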


@ -0,0 +1,34 @@
#!/usr/bin/bash
set -eu -o pipefail
#
# Example output looks like:
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
# It is required that your private key files are NOT accessible by others.
# This private key will be ignored.
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
# It is required that your private key files are NOT accessible by others.
# This private key will be ignored.
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
# It is required that your private key files are NOT accessible by others.
# This private key will be ignored.
# sshd: no hostkeys available -- exiting.
#
output="$(sshd -T 2>&1 || true)" # expected to fail
while read line; do
if [[ $line =~ ^Permissions\ [0-9]+\ for\ \'(.*)\'\ are\ too\ open. ]]; then
keyfile=${BASH_REMATCH[1]}
echo $line
echo -e "\t-> changing permissions on $keyfile"
chmod --verbose g-r $keyfile
chown --verbose root:root $keyfile
fi
done <<< "$output"
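Review bot: The key paths recovered from sshd's diagnostic output are expanded unquoted, and `read` runs without `-r`, so a HostKey path containing whitespace or a backslash would be word-split or mangled and `chmod`/`chown` would be applied to the wrong name (under `set -e` the script then aborts part-way through the key list). Use `while read -r line; do` and quote every expansion, e.g. `chmod --verbose g-r "$keyfile"` and `chown --verbose root:root "$keyfile"` (likewise `echo "$line"`). Note also that the script exits 0 whenever `sshd -T` fails for a reason other than key permissions (a configuration error, for instance), so a caller cannot distinguish "nothing to fix" from "could not check"; logging a message and exiting non-zero when the output contains no `Permissions … are too open` line but sshd still failed would make that visible.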


@ -30,9 +30,8 @@ if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
fi
# sanitize permissions
/usr/bin/chgrp ssh_keys $KEY
/usr/bin/chmod 400 $KEY
/usr/bin/chmod 400 $KEY.pub
/usr/bin/chmod 600 $KEY
/usr/bin/chmod 644 $KEY.pub
if [[ -x /usr/sbin/restorecon ]]; then
/usr/sbin/restorecon $KEY{,.pub}
fi


@ -3,6 +3,7 @@ Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target
Wants=sshd-keygen.target
Wants=ssh-host-keys-migration.service
[Service]
Type=notify
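Review bot: The added `Wants=ssh-host-keys-migration.service` pulls the migration unit in but does not order sshd behind it; for sshd.service that is covered by the migration unit's own `Before=sshd.service`, so this hunk is fine on its own. The identical line added to sshd@.service in the next section has no matching ordering, because `Before=sshd.service` does not apply to per-connection `sshd@` instances, so a socket-activated instance may start while the key permissions are still being fixed and reject the 0640 host keys as too open. Adding `After=ssh-host-keys-migration.service` next to the `Wants=` line in sshd@.service would close that window.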


@ -3,6 +3,7 @@ Description=OpenSSH per-connection server daemon
Documentation=man:sshd(8) man:sshd_config(5)
Wants=sshd-keygen.target
After=sshd-keygen.target
Wants=ssh-host-keys-migration.service
[Service]
EnvironmentFile=-/etc/sysconfig/sshd