Merge 6.7p1.

* New upstream release (http://www.openssh.com/txt/release-6.7): - sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. - ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket (closes: #236718). - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. - sftp(1): Allow resumption of interrupted uploads. - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. - sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family. - sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option. - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths. - sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages. - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is available. It considers time spent suspended, thereby ensuring timeouts (e.g. for expiring agent keys) fire correctly (closes: #734553). - Use prctl() to prevent sftp-server from accessing /proc/self/{mem,maps}. * Restore TCP wrappers support, removed upstream in 6.7. It is true that dropping this reduces preauth attack surface in sshd. On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. * Replace patch to disable OpenSSL version check with an updated version of Kurt Roeckx's patch from #732940 to just avoid checking the status field.
author: Colin Watson <cjwatson@debian.org> 2014-10-07 13:33:15 +0100
committer: Colin Watson <cjwatson@debian.org> 2014-10-07 14:27:30 +0100
commit: f0b009aea83e9ff3a50be30f51012099a5143c16 (patch)
tree: 3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /debian/patches/restore-tcp-wrappers.patch
parent: 47f0bad4330b16ec3bad870fcf9839c196e42c12 (diff)
parent: 762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (diff)
1 files changed, 172 insertions, 0 deletions
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch
new file mode 100644
index 000000000..c590f52ce
--- /dev/null
+++ b/debian/patches/restore-tcp-wrappers.patch
@@ -0,0 +1,172 @@
+From b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Tue, 7 Oct 2014 13:22:41 +0100
+Subject: Restore TCP wrappers support
+Support for TCP wrappers was dropped in OpenSSH 6.7.  See this message
+and thread:
+  https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
+It is true that this reduces preauth attack surface in sshd.  On the
+other hand, this support seems to be quite widely used, and abruptly
+dropping it (from the perspective of users who don't read
+openssh-unix-dev) could easily cause more serious problems in practice.
+It's not entirely clear what the right long-term answer for Debian is,
+but it at least probably doesn't involve dropping this feature shortly
+before a freeze.
+Forwarded: not-needed
+Last-Update: 2014-10-07
+Patch-Name: restore-tcp-wrappers.patch
+---
+ configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ sshd.8       |  7 +++++++
+ sshd.c       | 25 +++++++++++++++++++++++++
+ 3 files changed, 89 insertions(+)
+diff --git a/configure.ac b/configure.ac
+index 90e81e1..7f160f1 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
+        ]
+ )
+ 
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+       [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+       [
+               if test "x$withval" != "xno" ; then
+                       saved_LIBS="$LIBS"
+                       saved_LDFLAGS="$LDFLAGS"
+                       saved_CPPFLAGS="$CPPFLAGS"
+                       if test -n "${withval}" && \
+                           test "x${withval}" != "xyes"; then
+                               if test -d "${withval}/lib"; then
+                                       if test -n "${need_dash_r}"; then
+                                               LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+                                       else
+                                               LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+                                       fi
+                               else
+                                       if test -n "${need_dash_r}"; then
+                                               LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+                                       else
+                                               LDFLAGS="-L${withval} ${LDFLAGS}"
+                                       fi
+                               fi
+                               if test -d "${withval}/include"; then
+                                       CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+                               else
+                                       CPPFLAGS="-I${withval} ${CPPFLAGS}"
+                               fi
+                       fi
+                       LIBS="-lwrap $LIBS"
+                       AC_MSG_CHECKING([for libwrap])
+                       AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+                               ]], [[
+       hosts_access(0);
+                               ]])], [
+                                       AC_MSG_RESULT([yes])
+                                       AC_DEFINE([LIBWRAP], [1],
+                                               [Define if you want
+                                               TCP Wrappers support])
+                                       SSHDLIBS="$SSHDLIBS -lwrap"
+                                       TCPW_MSG="yes"
+                               ], [
+                                       AC_MSG_ERROR([*** libwrap missing])
+                               
+                       ])
+                       LIBS="$saved_LIBS"
+               fi
+       ]
+)
+
+ # Check whether user wants to use ldns
+ LDNS_MSG="no"
+ AC_ARG_WITH(ldns,
+@@ -4853,6 +4909,7 @@ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
+echo "              TCP Wrappers support: $TCPW_MSG"
+ echo "              MD5 password support: $MD5_MSG"
+ echo "                   libedit support: $LIBEDIT_MSG"
+ echo "  Solaris process contract support: $SPC_MSG"
+diff --git a/sshd.8 b/sshd.8
+index 01459d6..eaeac45 100644
+--- a/sshd.8
+++ b/sshd.8
+@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
+ This file should be writable only by the user, and need not be
+ readable by anyone else.
+ .Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
+ .It Pa /etc/hosts.equiv
+ This file is for host-based authentication (see
+ .Xr ssh 1 ) .
+@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
+ .Xr ssh-keygen 1 ,
+ .Xr ssh-keyscan 1 ,
+ .Xr chroot 2 ,
+.Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+ .Xr moduli 5 ,
+ .Xr sshd_config 5 ,
+diff --git a/sshd.c b/sshd.c
+index e6706a8..3a6be65 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -127,6 +127,13 @@
+ #include <Security/AuthSession.h>
+ #endif
+ 
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
+ #ifndef O_NOCTTY
+ #define O_NOCTTY       0
+ #endif
+@@ -2061,6 +2068,24 @@ main(int ac, char **av)
+ #ifdef SSH_AUDIT_EVENTS
+        audit_connection_from(remote_ip, remote_port);
+ #endif
+#ifdef LIBWRAP
+       allow_severity = options.log_facility|LOG_INFO;
+       deny_severity = options.log_facility|LOG_WARNING;
+       /* Check whether logins are denied from this host. */
+       if (packet_connection_is_on_socket()) {
+               struct request_info req;
+
+               request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+               fromhost(&req);
+
+               if (!hosts_access(&req)) {
+                       debug("Connection refused by tcp wrapper");
+                       refuse(&req);
+                       /* NOTREACHED */
+                       fatal("libwrap refuse returns");
+               }
+       }
+#endif /* LIBWRAP */
+ 
+        /* Log the connection. */
+        verbose("Connection from %s port %d on %s port %d",
author	Colin Watson <cjwatson@debian.org>	2014-10-07 13:33:15 +0100
committer	Colin Watson <cjwatson@debian.org>	2014-10-07 14:27:30 +0100
commit	f0b009aea83e9ff3a50be30f51012099a5143c16 (patch)
tree	3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /debian/patches/restore-tcp-wrappers.patch
parent	47f0bad4330b16ec3bad870fcf9839c196e42c12 (diff)
parent	762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (diff)

diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch new file mode 100644 index 000000000..c590f52ce --- /dev/null +++ b/debian/patches/restore-tcp-wrappers.patch
@@ -0,0 +1,172 @@
	1	From b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a Mon Sep 17 00:00:00 2001
	2	From: Colin Watson <cjwatson@debian.org>
	3	Date: Tue, 7 Oct 2014 13:22:41 +0100
	4	Subject: Restore TCP wrappers support
	5
	6	Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
	7	and thread:
	8
	9	https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
	10
	11	It is true that this reduces preauth attack surface in sshd. On the
	12	other hand, this support seems to be quite widely used, and abruptly
	13	dropping it (from the perspective of users who don't read
	14	openssh-unix-dev) could easily cause more serious problems in practice.
	15
	16	It's not entirely clear what the right long-term answer for Debian is,
	17	but it at least probably doesn't involve dropping this feature shortly
	18	before a freeze.
	19
	20	Forwarded: not-needed
	21	Last-Update: 2014-10-07
	22
	23	Patch-Name: restore-tcp-wrappers.patch
	24	---
	25	configure.ac \| 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
	26	sshd.8 \| 7 +++++++
	27	sshd.c \| 25 +++++++++++++++++++++++++
	28	3 files changed, 89 insertions(+)
	29
	30	diff --git a/configure.ac b/configure.ac
	31	index 90e81e1..7f160f1 100644
	32	--- a/configure.ac
	33	+++ b/configure.ac
	34	@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
	35	]
	36	)
	37
	38	+# Check whether user wants TCP wrappers support
	39	+TCPW_MSG="no"
	40	+AC_ARG_WITH([tcp-wrappers],
	41	+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
	42	+ [
	43	+ if test "x$withval" != "xno" ; then
	44	+ saved_LIBS="$LIBS"
	45	+ saved_LDFLAGS="$LDFLAGS"
	46	+ saved_CPPFLAGS="$CPPFLAGS"
	47	+ if test -n "${withval}" && \
	48	+ test "x${withval}" != "xyes"; then
	49	+ if test -d "${withval}/lib"; then
	50	+ if test -n "${need_dash_r}"; then
	51	+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
	52	+ else
	53	+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
	54	+ fi
	55	+ else
	56	+ if test -n "${need_dash_r}"; then
	57	+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
	58	+ else
	59	+ LDFLAGS="-L${withval} ${LDFLAGS}"
	60	+ fi
	61	+ fi
	62	+ if test -d "${withval}/include"; then
	63	+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
	64	+ else
	65	+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
	66	+ fi
	67	+ fi
	68	+ LIBS="-lwrap $LIBS"
	69	+ AC_MSG_CHECKING([for libwrap])
	70	+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
	71	+#include <sys/types.h>
	72	+#include <sys/socket.h>
	73	+#include <netinet/in.h>
	74	+#include <tcpd.h>
	75	+int deny_severity = 0, allow_severity = 0;
	76	+ ]], [[
	77	+ hosts_access(0);
	78	+ ]])], [
	79	+ AC_MSG_RESULT([yes])
	80	+ AC_DEFINE([LIBWRAP], [1],
	81	+ [Define if you want
	82	+ TCP Wrappers support])
	83	+ SSHDLIBS="$SSHDLIBS -lwrap"
	84	+ TCPW_MSG="yes"
	85	+ ], [
	86	+ AC_MSG_ERROR([*** libwrap missing])
	87	+
	88	+ ])
	89	+ LIBS="$saved_LIBS"
	90	+ fi
	91	+ ]
	92	+)
	93	+
	94	# Check whether user wants to use ldns
	95	LDNS_MSG="no"
	96	AC_ARG_WITH(ldns,
	97	@@ -4853,6 +4909,7 @@ echo " KerberosV support: $KRB5_MSG"
	98	echo " SELinux support: $SELINUX_MSG"
	99	echo " Smartcard support: $SCARD_MSG"
	100	echo " S/KEY support: $SKEY_MSG"
	101	+echo " TCP Wrappers support: $TCPW_MSG"
	102	echo " MD5 password support: $MD5_MSG"
	103	echo " libedit support: $LIBEDIT_MSG"
	104	echo " Solaris process contract support: $SPC_MSG"
	105	diff --git a/sshd.8 b/sshd.8
	106	index 01459d6..eaeac45 100644
	107	--- a/sshd.8
	108	+++ b/sshd.8
	109	@@ -851,6 +851,12 @@ the user's home directory becomes accessible.
	110	This file should be writable only by the user, and need not be
	111	readable by anyone else.
	112	.Pp
	113	+.It Pa /etc/hosts.allow
	114	+.It Pa /etc/hosts.deny
	115	+Access controls that should be enforced by tcp-wrappers are defined here.
	116	+Further details are described in
	117	+.Xr hosts_access 5 .
	118	+.Pp
	119	.It Pa /etc/hosts.equiv
	120	This file is for host-based authentication (see
	121	.Xr ssh 1 ) .
	122	@@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable.
	123	.Xr ssh-keygen 1 ,
	124	.Xr ssh-keyscan 1 ,
	125	.Xr chroot 2 ,
	126	+.Xr hosts_access 5 ,
	127	.Xr login.conf 5 ,
	128	.Xr moduli 5 ,
	129	.Xr sshd_config 5 ,
	130	diff --git a/sshd.c b/sshd.c
	131	index e6706a8..3a6be65 100644
	132	--- a/sshd.c
	133	+++ b/sshd.c
	134	@@ -127,6 +127,13 @@
	135	#include <Security/AuthSession.h>
	136	#endif
	137
	138	+#ifdef LIBWRAP
	139	+#include <tcpd.h>
	140	+#include <syslog.h>
	141	+int allow_severity;
	142	+int deny_severity;
	143	+#endif /* LIBWRAP */
	144	+
	145	#ifndef O_NOCTTY
	146	#define O_NOCTTY 0
	147	#endif
	148	@@ -2061,6 +2068,24 @@ main(int ac, char **av)
	149	#ifdef SSH_AUDIT_EVENTS
	150	audit_connection_from(remote_ip, remote_port);
	151	#endif
	152	+#ifdef LIBWRAP
	153	+ allow_severity = options.log_facility\|LOG_INFO;
	154	+ deny_severity = options.log_facility\|LOG_WARNING;
	155	+ /* Check whether logins are denied from this host. */
	156	+ if (packet_connection_is_on_socket()) {
	157	+ struct request_info req;
	158	+
	159	+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
	160	+ fromhost(&req);
	161	+
	162	+ if (!hosts_access(&req)) {
	163	+ debug("Connection refused by tcp wrapper");
	164	+ refuse(&req);
	165	+ /* NOTREACHED */
	166	+ fatal("libwrap refuse returns");
	167	+ }
	168	+ }
	169	+#endif /* LIBWRAP */
	170
	171	/* Log the connection. */
	172	verbose("Connection from %s port %d on %s port %d",