* Backport from upstream:

- Make hostbased auth with ECDSA keys work correctly (closes: #633368).
author: Colin Watson <cjwatson@debian.org> 2011-07-17 01:29:56 +0100
committer: Colin Watson <cjwatson@debian.org> 2011-07-17 01:29:56 +0100
commit: 29922445eda8a76d957af24db452a084ffc91bd9 (patch)
tree: e8573993a48c716f6b673b76a4a374fcfcb2aa71
parent: c6b39c8b787eefb1764cc23afeba3797ac89f056 (diff)
4 files changed, 88 insertions, 7 deletions
diff --git a/debian/changelog b/debian/changelog
index 02933e934..7980e1d1f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:5.8p1-5) UNRELEASED; urgency=low
  * Drop openssh-server's dependency on openssh-blacklist to a
    recommendation (closes: #622604).
  * Update Vcs-* fields and README.source for Alioth changes.
+  * Backport from upstream:
+    - Make hostbased auth with ECDSA keys work correctly (closes: #633368).
 -- Colin Watson <cjwatson@debian.org>  Wed, 13 Apr 2011 13:05:43 +0100
diff --git a/debian/patches/hostbased-ecdsa.patch b/debian/patches/hostbased-ecdsa.patch
new file mode 100644
index 000000000..fb618940a
--- /dev/null
+++ b/debian/patches/hostbased-ecdsa.patch
@@ -0,0 +1,71 @@
+Description: Make hostbased auth with ECDSA keys work correctly
+Author: Harv <harvey.eneman@oracle.com>
+Author: Damien Miller <djm@mindrot.org>
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1858
+Bug-Debian: http://bugs.debian.org/633368
+Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6327
+Applied-Upstream: yes
+Forwarded: not-needed
+Last-Update: 2011-07-17
+Index: b/ssh-keysign.c
+===================================================================
+--- a/ssh-keysign.c
+++ b/ssh-keysign.c
+@@ -150,9 +150,10 @@
+ {
+        Buffer b;
+        Options options;
+-       Key *keys[2], *key = NULL;
+#define NUM_KEYTYPES 3
+       Key *keys[NUM_KEYTYPES], *key = NULL;
+        struct passwd *pw;
+-       int key_fd[2], i, found, version = 2, fd;
+       int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
+        u_char *signature, *data;
+        char *host;
+        u_int slen, dlen;
+@@ -165,8 +166,10 @@
+        if (fd > 2)
+                close(fd);
+ 
+-       key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+-       key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+       i = 0;
+       key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+       key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
+       key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+ 
+        original_real_uid = getuid();   /* XXX readconf.c needs this */
+        if ((pw = getpwuid(original_real_uid)) == NULL)
+@@ -191,7 +194,11 @@
+                fatal("ssh-keysign not enabled in %s",
+                    _PATH_HOST_CONFIG_FILE);
+ 
+-       if (key_fd[0] == -1 && key_fd[1] == -1)
+       for (i = found = 0; i < NUM_KEYTYPES; i++) {
+               if (key_fd[i] != -1)
+                       found = 1;
+       }
+       if (found == 0)
+                fatal("could not open any host key");
+ 
+        OpenSSL_add_all_algorithms();
+@@ -200,7 +207,7 @@
+        RAND_seed(rnd, sizeof(rnd));
+ 
+        found = 0;
+-       for (i = 0; i < 2; i++) {
+       for (i = 0; i < NUM_KEYTYPES; i++) {
+                keys[i] = NULL;
+                if (key_fd[i] == -1)
+                        continue;
+@@ -230,7 +237,7 @@
+        xfree(host);
+ 
+        found = 0;
+-       for (i = 0; i < 2; i++) {
+       for (i = 0; i < NUM_KEYTYPES; i++) {
+                if (keys[i] != NULL &&
+                    key_equal_public(key, keys[i])) {
+                        found = 1;
diff --git a/debian/patches/series b/debian/patches/series
index 0a21f8ead..01ef70076 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,6 +39,7 @@ doc-hash-tab-completion.patch
 # Miscellaneous bug fixes
 selinux-build-failure.patch
 ssh-add-fifo.patch
+hostbased-ecdsa.patch
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
diff --git a/ssh-keysign.c b/ssh-keysign.c
index d05156005..aa1be91f5 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -150,9 +150,10 @@ main(int argc, char **argv)
 {
        Buffer b;
        Options options;
-        Key *keys[2], *key = NULL;
+#define NUM_KEYTYPES 3
+        Key *keys[NUM_KEYTYPES], *key = NULL;
        struct passwd *pw;
-        int key_fd[2], i, found, version = 2, fd;
+        int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
        u_char *signature, *data;
        char *host;
        u_int slen, dlen;
@@ -165,8 +166,10 @@ main(int argc, char **argv)
        if (fd > 2)
                close(fd);
-        key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+        i = 0;
-        key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+        key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
+        key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
+        key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
        original_real_uid = getuid();   /* XXX readconf.c needs this */
        if ((pw = getpwuid(original_real_uid)) == NULL)
@@ -191,7 +194,11 @@ main(int argc, char **argv)
                fatal("ssh-keysign not enabled in %s",
                    _PATH_HOST_CONFIG_FILE);
-        if (key_fd[0] == -1 && key_fd[1] == -1)
+        for (i = found = 0; i < NUM_KEYTYPES; i++) {
+                if (key_fd[i] != -1)
+                        found = 1;
+        }
+        if (found == 0)
                fatal("could not open any host key");
        OpenSSL_add_all_algorithms();
@@ -200,7 +207,7 @@ main(int argc, char **argv)
        RAND_seed(rnd, sizeof(rnd));
        found = 0;
-        for (i = 0; i < 2; i++) {
+        for (i = 0; i < NUM_KEYTYPES; i++) {
                keys[i] = NULL;
                if (key_fd[i] == -1)
                        continue;
@@ -230,7 +237,7 @@ main(int argc, char **argv)
        xfree(host);
        found = 0;
-        for (i = 0; i < 2; i++) {
+        for (i = 0; i < NUM_KEYTYPES; i++) {
                if (keys[i] != NULL &&
                    key_equal_public(key, keys[i])) {
                        found = 1;
author	Colin Watson <cjwatson@debian.org>	2011-07-17 01:29:56 +0100
committer	Colin Watson <cjwatson@debian.org>	2011-07-17 01:29:56 +0100
commit	29922445eda8a76d957af24db452a084ffc91bd9 (patch)
tree	e8573993a48c716f6b673b76a4a374fcfcb2aa71
parent	c6b39c8b787eefb1764cc23afeba3797ac89f056 (diff)

diff --git a/debian/changelog b/debian/changelog index 02933e934..7980e1d1f 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:5.8p1-5) UNRELEASED; urgency=low
3	* Drop openssh-server's dependency on openssh-blacklist to a	3	* Drop openssh-server's dependency on openssh-blacklist to a
4	recommendation (closes: #622604).	4	recommendation (closes: #622604).
5	* Update Vcs-* fields and README.source for Alioth changes.	5	* Update Vcs-* fields and README.source for Alioth changes.
		6	* Backport from upstream:
		7	- Make hostbased auth with ECDSA keys work correctly (closes: #633368).
6		8
7	-- Colin Watson <cjwatson@debian.org> Wed, 13 Apr 2011 13:05:43 +0100	9	-- Colin Watson <cjwatson@debian.org> Wed, 13 Apr 2011 13:05:43 +0100
8		10


diff --git a/debian/patches/hostbased-ecdsa.patch b/debian/patches/hostbased-ecdsa.patch new file mode 100644 index 000000000..fb618940a --- /dev/null +++ b/debian/patches/hostbased-ecdsa.patch
@@ -0,0 +1,71 @@
		1	Description: Make hostbased auth with ECDSA keys work correctly
		2	Author: Harv <harvey.eneman@oracle.com>
		3	Author: Damien Miller <djm@mindrot.org>
		4	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1858
		5	Bug-Debian: http://bugs.debian.org/633368
		6	Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6327
		7	Applied-Upstream: yes
		8	Forwarded: not-needed
		9	Last-Update: 2011-07-17
		10
		11	Index: b/ssh-keysign.c
		12	===================================================================
		13	--- a/ssh-keysign.c
		14	+++ b/ssh-keysign.c
		15	@@ -150,9 +150,10 @@
		16	{
		17	Buffer b;
		18	Options options;
		19	- Key keys[2], key = NULL;
		20	+#define NUM_KEYTYPES 3
		21	+ Key keys[NUM_KEYTYPES], key = NULL;
		22	struct passwd *pw;
		23	- int key_fd[2], i, found, version = 2, fd;
		24	+ int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
		25	u_char signature, data;
		26	char *host;
		27	u_int slen, dlen;
		28	@@ -165,8 +166,10 @@
		29	if (fd > 2)
		30	close(fd);
		31
		32	- key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
		33	- key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
		34	+ i = 0;
		35	+ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
		36	+ key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
		37	+ key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
		38
		39	original_real_uid = getuid(); /* XXX readconf.c needs this */
		40	if ((pw = getpwuid(original_real_uid)) == NULL)
		41	@@ -191,7 +194,11 @@
		42	fatal("ssh-keysign not enabled in %s",
		43	_PATH_HOST_CONFIG_FILE);
		44
		45	- if (key_fd[0] == -1 && key_fd[1] == -1)
		46	+ for (i = found = 0; i < NUM_KEYTYPES; i++) {
		47	+ if (key_fd[i] != -1)
		48	+ found = 1;
		49	+ }
		50	+ if (found == 0)
		51	fatal("could not open any host key");
		52
		53	OpenSSL_add_all_algorithms();
		54	@@ -200,7 +207,7 @@
		55	RAND_seed(rnd, sizeof(rnd));
		56
		57	found = 0;
		58	- for (i = 0; i < 2; i++) {
		59	+ for (i = 0; i < NUM_KEYTYPES; i++) {
		60	keys[i] = NULL;
		61	if (key_fd[i] == -1)
		62	continue;
		63	@@ -230,7 +237,7 @@
		64	xfree(host);
		65
		66	found = 0;
		67	- for (i = 0; i < 2; i++) {
		68	+ for (i = 0; i < NUM_KEYTYPES; i++) {
		69	if (keys[i] != NULL &&
		70	key_equal_public(key, keys[i])) {
		71	found = 1;


diff --git a/debian/patches/series b/debian/patches/series index 0a21f8ead..01ef70076 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -39,6 +39,7 @@ doc-hash-tab-completion.patch
39	# Miscellaneous bug fixes	39	# Miscellaneous bug fixes
40	selinux-build-failure.patch	40	selinux-build-failure.patch
41	ssh-add-fifo.patch	41	ssh-add-fifo.patch
		42	hostbased-ecdsa.patch
42		43
43	# Debian-specific configuration	44	# Debian-specific configuration
44	gnome-ssh-askpass2-icon.patch	45	gnome-ssh-askpass2-icon.patch


diff --git a/ssh-keysign.c b/ssh-keysign.c index d05156005..aa1be91f5 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c
@@ -150,9 +150,10 @@ main(int argc, char **argv)
150	{	150	{
151	Buffer b;	151	Buffer b;
152	Options options;	152	Options options;
153	Key keys[2], key = NULL;	153	#define NUM_KEYTYPES 3
		154	Key keys[NUM_KEYTYPES], key = NULL;
154	struct passwd *pw;	155	struct passwd *pw;
155	int key_fd[2], i, found, version = 2, fd;	156	int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
156	u_char signature, data;	157	u_char signature, data;
157	char *host;	158	char *host;
158	u_int slen, dlen;	159	u_int slen, dlen;
@@ -165,8 +166,10 @@ main(int argc, char **argv)
165	if (fd > 2)	166	if (fd > 2)
166	close(fd);	167	close(fd);
167		168
168	key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);	169	i = 0;
169	key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);	170	key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
		171	key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
		172	key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
170		173
171	original_real_uid = getuid(); /* XXX readconf.c needs this */	174	original_real_uid = getuid(); /* XXX readconf.c needs this */
172	if ((pw = getpwuid(original_real_uid)) == NULL)	175	if ((pw = getpwuid(original_real_uid)) == NULL)
@@ -191,7 +194,11 @@ main(int argc, char **argv)
191	fatal("ssh-keysign not enabled in %s",	194	fatal("ssh-keysign not enabled in %s",
192	_PATH_HOST_CONFIG_FILE);	195	_PATH_HOST_CONFIG_FILE);
193		196
194	if (key_fd[0] == -1 && key_fd[1] == -1)	197	for (i = found = 0; i < NUM_KEYTYPES; i++) {
		198	if (key_fd[i] != -1)
		199	found = 1;
		200	}
		201	if (found == 0)
195	fatal("could not open any host key");	202	fatal("could not open any host key");
196		203
197	OpenSSL_add_all_algorithms();	204	OpenSSL_add_all_algorithms();
@@ -200,7 +207,7 @@ main(int argc, char **argv)
200	RAND_seed(rnd, sizeof(rnd));	207	RAND_seed(rnd, sizeof(rnd));
201		208
202	found = 0;	209	found = 0;
203	for (i = 0; i < 2; i++) {	210	for (i = 0; i < NUM_KEYTYPES; i++) {
204	keys[i] = NULL;	211	keys[i] = NULL;
205	if (key_fd[i] == -1)	212	if (key_fd[i] == -1)
206	continue;	213	continue;
@@ -230,7 +237,7 @@ main(int argc, char **argv)
230	xfree(host);	237	xfree(host);
231		238
232	found = 0;	239	found = 0;
233	for (i = 0; i < 2; i++) {	240	for (i = 0; i < NUM_KEYTYPES; i++) {
234	if (keys[i] != NULL &&	241	if (keys[i] != NULL &&
235	key_equal_public(key, keys[i])) {	242	key_equal_public(key, keys[i])) {
236	found = 1;	243	found = 1;