author | Colin Watson <cjwatson@debian.org> | 2019-10-09 22:59:48 +0100 |
committer | Colin Watson <cjwatson@debian.org> | 2019-10-09 23:39:39 +0100 |
commit | 767ee84d3465b6d244a9108de5c167a9ab866df9 (patch) | |
tree | 69b14ef6a62d7f133298a21d2ad6046f130b7801 /debian/patches | |
parent | ddeaf9ee7d5c6612b88f1c4a83fc6fbccb93bf60 (diff) | |
parent | efef12825b9582c1710da3b7e50135870963d4f4 (diff) |
New upstream release (8.1p1)
Diffstat (limited to 'debian/patches')
31 files changed, 217 insertions, 421 deletions
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index d70269813..01f1bf35c 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From df7d113a48bd33e42754ee5e83d3cda84cc219f9 Mon Sep 17 00:00:00 2001 | 1 | From 7febe5a4b6bcb94d887ac1fe22e8a1742ffb609f Mon Sep 17 00:00:00 2001 |
2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> | 2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> |
3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 |
4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) | 4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) |
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch | |||
13 | 1 file changed, 1 insertion(+) | 13 | 1 file changed, 1 insertion(+) |
14 | 14 | ||
15 | diff --git a/Makefile.in b/Makefile.in | 15 | diff --git a/Makefile.in b/Makefile.in |
16 | index c31821acc..0960a6a03 100644 | 16 | index ab29e4f05..9b8a42c1e 100644 |
17 | --- a/Makefile.in | 17 | --- a/Makefile.in |
18 | +++ b/Makefile.in | 18 | +++ b/Makefile.in |
19 | @@ -357,6 +357,7 @@ install-files: | 19 | @@ -362,6 +362,7 @@ install-files: |
20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 | 20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 |
21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 | 21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 |
22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch index 3eaac8054..25c16526b 100644 --- a/debian/patches/conch-old-privkey-format.patch +++ b/debian/patches/conch-old-privkey-format.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a20835ce2f9899305421bc478ba29d6524e89433 Mon Sep 17 00:00:00 2001 | 1 | From 46352085d71fe406537828a1cee3c2ce896eccb9 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Thu, 30 Aug 2018 00:58:56 +0100 | 3 | Date: Thu, 30 Aug 2018 00:58:56 +0100 |
4 | Subject: Work around conch interoperability failure | 4 | Subject: Work around conch interoperability failure |
@@ -8,7 +8,7 @@ Twisted Conch fails to read private keys in the new format | |||
8 | can be fixed in Twisted. | 8 | can be fixed in Twisted. |
9 | 9 | ||
10 | Forwarded: not-needed | 10 | Forwarded: not-needed |
11 | Last-Update: 2019-06-14 | 11 | Last-Update: 2019-10-09 |
12 | 12 | ||
13 | Patch-Name: conch-old-privkey-format.patch | 13 | Patch-Name: conch-old-privkey-format.patch |
14 | --- | 14 | --- |
@@ -18,20 +18,20 @@ Patch-Name: conch-old-privkey-format.patch | |||
18 | 3 files changed, 14 insertions(+), 2 deletions(-) | 18 | 3 files changed, 14 insertions(+), 2 deletions(-) |
19 | 19 | ||
20 | diff --git a/regress/Makefile b/regress/Makefile | 20 | diff --git a/regress/Makefile b/regress/Makefile |
21 | index 781400fd0..491a3a46a 100644 | 21 | index 34c47e8cb..17e0a06e8 100644 |
22 | --- a/regress/Makefile | 22 | --- a/regress/Makefile |
23 | +++ b/regress/Makefile | 23 | +++ b/regress/Makefile |
24 | @@ -114,7 +114,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ | 24 | @@ -119,7 +119,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ |
25 | rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ | 25 | rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ |
26 | scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ | 26 | scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ |
27 | sftp-server.sh sftp.log ssh-log-wrapper.sh \ | 27 | sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ |
28 | - ssh-rsa_oldfmt \ | 28 | - ssh-rsa_oldfmt \ |
29 | + ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \ | 29 | + ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \ |
30 | ssh.log ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ | 30 | ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ |
31 | ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \ | 31 | ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \ |
32 | sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \ | 32 | sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \ |
33 | diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh | 33 | diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh |
34 | index 51e3b705f..fa24552b0 100644 | 34 | index 6678813a2..6ff5da20b 100644 |
35 | --- a/regress/conch-ciphers.sh | 35 | --- a/regress/conch-ciphers.sh |
36 | +++ b/regress/conch-ciphers.sh | 36 | +++ b/regress/conch-ciphers.sh |
37 | @@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \ | 37 | @@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \ |
@@ -44,10 +44,10 @@ index 51e3b705f..fa24552b0 100644 | |||
44 | 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} | 44 | 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} |
45 | if [ $? -ne 0 ]; then | 45 | if [ $? -ne 0 ]; then |
46 | diff --git a/regress/test-exec.sh b/regress/test-exec.sh | 46 | diff --git a/regress/test-exec.sh b/regress/test-exec.sh |
47 | index efde6a173..83c7d02e6 100644 | 47 | index 508b93284..5e48bfbe3 100644 |
48 | --- a/regress/test-exec.sh | 48 | --- a/regress/test-exec.sh |
49 | +++ b/regress/test-exec.sh | 49 | +++ b/regress/test-exec.sh |
50 | @@ -500,6 +500,18 @@ REGRESS_INTEROP_CONCH=no | 50 | @@ -510,6 +510,18 @@ REGRESS_INTEROP_CONCH=no |
51 | if test -x "$CONCH" ; then | 51 | if test -x "$CONCH" ; then |
52 | REGRESS_INTEROP_CONCH=yes | 52 | REGRESS_INTEROP_CONCH=yes |
53 | fi | 53 | fi |
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index d28573ed4..acf995e27 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0a938d856d024bfff79fac63e65df382ffa444a4 Mon Sep 17 00:00:00 2001 | 1 | From 4eb06adf69f21f387e4f2d29dad01b2ca1303094 Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
@@ -22,10 +22,10 @@ Patch-Name: debian-banner.patch | |||
22 | 7 files changed, 23 insertions(+), 5 deletions(-) | 22 | 7 files changed, 23 insertions(+), 5 deletions(-) |
23 | 23 | ||
24 | diff --git a/kex.c b/kex.c | 24 | diff --git a/kex.c b/kex.c |
25 | index be354206d..bbb7a2340 100644 | 25 | index 65ed6af02..f450bc2c7 100644 |
26 | --- a/kex.c | 26 | --- a/kex.c |
27 | +++ b/kex.c | 27 | +++ b/kex.c |
28 | @@ -1168,7 +1168,7 @@ send_error(struct ssh *ssh, char *msg) | 28 | @@ -1221,7 +1221,7 @@ send_error(struct ssh *ssh, char *msg) |
29 | */ | 29 | */ |
30 | int | 30 | int |
31 | kex_exchange_identification(struct ssh *ssh, int timeout_ms, | 31 | kex_exchange_identification(struct ssh *ssh, int timeout_ms, |
@@ -34,7 +34,7 @@ index be354206d..bbb7a2340 100644 | |||
34 | { | 34 | { |
35 | int remote_major, remote_minor, mismatch; | 35 | int remote_major, remote_minor, mismatch; |
36 | size_t len, i, n; | 36 | size_t len, i, n; |
37 | @@ -1186,7 +1186,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, | 37 | @@ -1239,7 +1239,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, |
38 | if (version_addendum != NULL && *version_addendum == '\0') | 38 | if (version_addendum != NULL && *version_addendum == '\0') |
39 | version_addendum = NULL; | 39 | version_addendum = NULL; |
40 | if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", | 40 | if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", |
@@ -45,10 +45,10 @@ index be354206d..bbb7a2340 100644 | |||
45 | version_addendum == NULL ? "" : version_addendum)) != 0) { | 45 | version_addendum == NULL ? "" : version_addendum)) != 0) { |
46 | error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); | 46 | error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); |
47 | diff --git a/kex.h b/kex.h | 47 | diff --git a/kex.h b/kex.h |
48 | index 2d5f1d4ed..39f67bbc1 100644 | 48 | index fe7141414..938dca03b 100644 |
49 | --- a/kex.h | 49 | --- a/kex.h |
50 | +++ b/kex.h | 50 | +++ b/kex.h |
51 | @@ -195,7 +195,7 @@ char *kex_names_cat(const char *, const char *); | 51 | @@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *); |
52 | int kex_assemble_names(char **, const char *, const char *); | 52 | int kex_assemble_names(char **, const char *, const char *); |
53 | int kex_gss_names_valid(const char *); | 53 | int kex_gss_names_valid(const char *); |
54 | 54 | ||
@@ -58,7 +58,7 @@ index 2d5f1d4ed..39f67bbc1 100644 | |||
58 | struct kex *kex_new(void); | 58 | struct kex *kex_new(void); |
59 | int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); | 59 | int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); |
60 | diff --git a/servconf.c b/servconf.c | 60 | diff --git a/servconf.c b/servconf.c |
61 | index c01e0690e..8d2bced52 100644 | 61 | index 73b93c636..5576098a5 100644 |
62 | --- a/servconf.c | 62 | --- a/servconf.c |
63 | +++ b/servconf.c | 63 | +++ b/servconf.c |
64 | @@ -184,6 +184,7 @@ initialize_server_options(ServerOptions *options) | 64 | @@ -184,6 +184,7 @@ initialize_server_options(ServerOptions *options) |
@@ -94,7 +94,7 @@ index c01e0690e..8d2bced52 100644 | |||
94 | { NULL, sBadOption, 0 } | 94 | { NULL, sBadOption, 0 } |
95 | }; | 95 | }; |
96 | 96 | ||
97 | @@ -2211,6 +2216,10 @@ process_server_config_line(ServerOptions *options, char *line, | 97 | @@ -2217,6 +2222,10 @@ process_server_config_line(ServerOptions *options, char *line, |
98 | *charptr = xstrdup(arg); | 98 | *charptr = xstrdup(arg); |
99 | break; | 99 | break; |
100 | 100 | ||
@@ -106,7 +106,7 @@ index c01e0690e..8d2bced52 100644 | |||
106 | case sIgnore: | 106 | case sIgnore: |
107 | case sUnsupported: | 107 | case sUnsupported: |
108 | diff --git a/servconf.h b/servconf.h | 108 | diff --git a/servconf.h b/servconf.h |
109 | index a476d5220..986093ffa 100644 | 109 | index 29329ba1f..d5ad19065 100644 |
110 | --- a/servconf.h | 110 | --- a/servconf.h |
111 | +++ b/servconf.h | 111 | +++ b/servconf.h |
112 | @@ -214,6 +214,8 @@ typedef struct { | 112 | @@ -214,6 +214,8 @@ typedef struct { |
@@ -119,10 +119,10 @@ index a476d5220..986093ffa 100644 | |||
119 | 119 | ||
120 | /* Information about the incoming connection as used by Match */ | 120 | /* Information about the incoming connection as used by Match */ |
121 | diff --git a/sshconnect.c b/sshconnect.c | 121 | diff --git a/sshconnect.c b/sshconnect.c |
122 | index 0b6f6af4b..1183ffe0e 100644 | 122 | index 41e75a275..27daef74f 100644 |
123 | --- a/sshconnect.c | 123 | --- a/sshconnect.c |
124 | +++ b/sshconnect.c | 124 | +++ b/sshconnect.c |
125 | @@ -1287,7 +1287,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, | 125 | @@ -1291,7 +1291,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost, |
126 | lowercase(host); | 126 | lowercase(host); |
127 | 127 | ||
128 | /* Exchange protocol version identification strings with the server. */ | 128 | /* Exchange protocol version identification strings with the server. */ |
@@ -132,10 +132,10 @@ index 0b6f6af4b..1183ffe0e 100644 | |||
132 | 132 | ||
133 | /* Put the connection into non-blocking mode. */ | 133 | /* Put the connection into non-blocking mode. */ |
134 | diff --git a/sshd.c b/sshd.c | 134 | diff --git a/sshd.c b/sshd.c |
135 | index e3e96426e..1e7ece588 100644 | 135 | index ea8beacb4..4e8ff0662 100644 |
136 | --- a/sshd.c | 136 | --- a/sshd.c |
137 | +++ b/sshd.c | 137 | +++ b/sshd.c |
138 | @@ -2160,7 +2160,8 @@ main(int ac, char **av) | 138 | @@ -2165,7 +2165,8 @@ main(int ac, char **av) |
139 | if (!debug_flag) | 139 | if (!debug_flag) |
140 | alarm(options.login_grace_time); | 140 | alarm(options.login_grace_time); |
141 | 141 | ||
@@ -146,10 +146,10 @@ index e3e96426e..1e7ece588 100644 | |||
146 | 146 | ||
147 | ssh_packet_set_nonblocking(ssh); | 147 | ssh_packet_set_nonblocking(ssh); |
148 | diff --git a/sshd_config.5 b/sshd_config.5 | 148 | diff --git a/sshd_config.5 b/sshd_config.5 |
149 | index 2ef671d1b..addea54a0 100644 | 149 | index eec224158..46537f177 100644 |
150 | --- a/sshd_config.5 | 150 | --- a/sshd_config.5 |
151 | +++ b/sshd_config.5 | 151 | +++ b/sshd_config.5 |
152 | @@ -543,6 +543,11 @@ or | 152 | @@ -545,6 +545,11 @@ or |
153 | .Cm no . | 153 | .Cm no . |
154 | The default is | 154 | The default is |
155 | .Cm yes . | 155 | .Cm yes . |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 2a28586b0..fe1e3f550 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d9eede9b2c86ddaccb35477f2904bfbdf223ffd4 Mon Sep 17 00:00:00 2001 | 1 | From 7abde40896668ce9debfe056c7dabc6a70ef7da4 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
@@ -39,10 +39,10 @@ Patch-Name: debian-config.patch | |||
39 | 6 files changed, 77 insertions(+), 9 deletions(-) | 39 | 6 files changed, 77 insertions(+), 9 deletions(-) |
40 | 40 | ||
41 | diff --git a/readconf.c b/readconf.c | 41 | diff --git a/readconf.c b/readconf.c |
42 | index cd60007f8..f35bde6e6 100644 | 42 | index 16d2729dd..253574ce0 100644 |
43 | --- a/readconf.c | 43 | --- a/readconf.c |
44 | +++ b/readconf.c | 44 | +++ b/readconf.c |
45 | @@ -2028,7 +2028,7 @@ fill_default_options(Options * options) | 45 | @@ -2037,7 +2037,7 @@ fill_default_options(Options * options) |
46 | if (options->forward_x11 == -1) | 46 | if (options->forward_x11 == -1) |
47 | options->forward_x11 = 0; | 47 | options->forward_x11 = 0; |
48 | if (options->forward_x11_trusted == -1) | 48 | if (options->forward_x11_trusted == -1) |
@@ -52,7 +52,7 @@ index cd60007f8..f35bde6e6 100644 | |||
52 | options->forward_x11_timeout = 1200; | 52 | options->forward_x11_timeout = 1200; |
53 | /* | 53 | /* |
54 | diff --git a/ssh.1 b/ssh.1 | 54 | diff --git a/ssh.1 b/ssh.1 |
55 | index 8d2b08a29..4e298cb56 100644 | 55 | index 24530e511..fd495da2c 100644 |
56 | --- a/ssh.1 | 56 | --- a/ssh.1 |
57 | +++ b/ssh.1 | 57 | +++ b/ssh.1 |
58 | @@ -795,6 +795,16 @@ directive in | 58 | @@ -795,6 +795,16 @@ directive in |
@@ -114,7 +114,7 @@ index 1ff999b68..6dd6ecf87 100644 | |||
114 | + HashKnownHosts yes | 114 | + HashKnownHosts yes |
115 | + GSSAPIAuthentication yes | 115 | + GSSAPIAuthentication yes |
116 | diff --git a/ssh_config.5 b/ssh_config.5 | 116 | diff --git a/ssh_config.5 b/ssh_config.5 |
117 | index 39535c4f8..a27631ae9 100644 | 117 | index 4b42aab9d..d27655e15 100644 |
118 | --- a/ssh_config.5 | 118 | --- a/ssh_config.5 |
119 | +++ b/ssh_config.5 | 119 | +++ b/ssh_config.5 |
120 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more | 120 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more |
@@ -140,7 +140,7 @@ index 39535c4f8..a27631ae9 100644 | |||
140 | The file contains keyword-argument pairs, one per line. | 140 | The file contains keyword-argument pairs, one per line. |
141 | Lines starting with | 141 | Lines starting with |
142 | .Ql # | 142 | .Ql # |
143 | @@ -717,11 +733,12 @@ elapsed. | 143 | @@ -721,11 +737,12 @@ elapsed. |
144 | .It Cm ForwardX11Trusted | 144 | .It Cm ForwardX11Trusted |
145 | If this option is set to | 145 | If this option is set to |
146 | .Cm yes , | 146 | .Cm yes , |
@@ -204,7 +204,7 @@ index 2c48105f8..ed8272f6d 100644 | |||
204 | # Example of overriding settings on a per-user basis | 204 | # Example of overriding settings on a per-user basis |
205 | #Match User anoncvs | 205 | #Match User anoncvs |
206 | diff --git a/sshd_config.5 b/sshd_config.5 | 206 | diff --git a/sshd_config.5 b/sshd_config.5 |
207 | index f995e4ab0..c0c4ebd66 100644 | 207 | index 270805060..02e29cb6f 100644 |
208 | --- a/sshd_config.5 | 208 | --- a/sshd_config.5 |
209 | +++ b/sshd_config.5 | 209 | +++ b/sshd_config.5 |
210 | @@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes | 210 | @@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes |
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch index e3e362ee3..6e8f0ae2f 100644 --- a/debian/patches/dnssec-sshfp.patch +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6397deaa7d0951552afa7dbd6898d6172850378a Mon Sep 17 00:00:00 2001 | 1 | From 6220be7f65137290fbe3ad71b83667e71e4ccd03 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 |
4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | 4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf |
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch | |||
18 | 3 files changed, 21 insertions(+), 6 deletions(-) | 18 | 3 files changed, 21 insertions(+), 6 deletions(-) |
19 | 19 | ||
20 | diff --git a/dns.c b/dns.c | 20 | diff --git a/dns.c b/dns.c |
21 | index ff1a2c41c..82ec97199 100644 | 21 | index e4f9bf830..9c9fe6413 100644 |
22 | --- a/dns.c | 22 | --- a/dns.c |
23 | +++ b/dns.c | 23 | +++ b/dns.c |
24 | @@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | 24 | @@ -210,6 +210,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, |
25 | { | 25 | { |
26 | u_int counter; | 26 | u_int counter; |
27 | int result; | 27 | int result; |
@@ -29,7 +29,7 @@ index ff1a2c41c..82ec97199 100644 | |||
29 | struct rrsetinfo *fingerprints = NULL; | 29 | struct rrsetinfo *fingerprints = NULL; |
30 | 30 | ||
31 | u_int8_t hostkey_algorithm; | 31 | u_int8_t hostkey_algorithm; |
32 | @@ -234,8 +235,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | 32 | @@ -233,8 +234,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, |
33 | return -1; | 33 | return -1; |
34 | } | 34 | } |
35 | 35 | ||
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 162776395..d5ddbbd26 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 63f45f055fe3b0b1edd31a94b7627ee4e40647e8 Mon Sep 17 00:00:00 2001 | 1 | From 944653642de12f09baa546011429fb69ffc0065a Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 |
4 | Subject: Document that HashKnownHosts may break tab-completion | 4 | Subject: Document that HashKnownHosts may break tab-completion |
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch | |||
13 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh_config.5 b/ssh_config.5 | 15 | diff --git a/ssh_config.5 b/ssh_config.5 |
16 | index bd1e9311d..39535c4f8 100644 | 16 | index 2c74b57c0..4b42aab9d 100644 |
17 | --- a/ssh_config.5 | 17 | --- a/ssh_config.5 |
18 | +++ b/ssh_config.5 | 18 | +++ b/ssh_config.5 |
19 | @@ -836,6 +836,9 @@ Note that existing names and addresses in known hosts files | 19 | @@ -840,6 +840,9 @@ Note that existing names and addresses in known hosts files |
20 | will not be converted automatically, | 20 | will not be converted automatically, |
21 | but may be manually hashed using | 21 | but may be manually hashed using |
22 | .Xr ssh-keygen 1 . | 22 | .Xr ssh-keygen 1 . |
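--- a/debian/patches/fix-interop-tests.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 42519a0f32765726ccd18a14aa6e877413a69662 Mon Sep 17 00:00:00 2001
-From: Colin Watson <cjwatson@debian.org>
-Date: Fri, 14 Jun 2019 11:57:15 +0100
-Subject: Fix interop tests for recent regress changes
-
-A recent regress change (2a9b3a2ce411d16cda9c79ab713c55f65b0ec257 in
-portable) broke the PuTTY and Twisted Conch interop tests, because the
-key they want to use is now called ssh-rsa rather than rsa. Fix them.
-
-Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3020
-Last-Update: 2019-06-14
-
-Patch-Name: fix-interop-tests.patch
----
-regress/Makefile | 5 +++--
-regress/conch-ciphers.sh | 2 +-
-regress/test-exec.sh | 10 +++++-----
-3 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/regress/Makefile b/regress/Makefile
-index 925edf71a..781400fd0 100644
---- a/regress/Makefile
-+++ b/regress/Makefile
-@@ -113,8 +113,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
-rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \
-rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
-scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
-- sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
-- ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
-+ sftp-server.sh sftp.log ssh-log-wrapper.sh \
-+ ssh-rsa_oldfmt \
-+ ssh.log ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
-ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
-sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \
-sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \
-diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
-index 199d863a0..51e3b705f 100644
---- a/regress/conch-ciphers.sh
-+++ b/regress/conch-ciphers.sh
-@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
-rm -f ${COPY}
-# XXX the 2nd "cat" seems to be needed because of buggy FD handling
-# in conch
-- ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
-+ ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \
---known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
-127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
-if [ $? -ne 0 ]; then
-diff --git a/regress/test-exec.sh b/regress/test-exec.sh
-index b8e2009de..efde6a173 100644
---- a/regress/test-exec.sh
-+++ b/regress/test-exec.sh
-@@ -527,13 +527,13 @@ if test "$REGRESS_INTEROP_PUTTY" = "yes" ; then
->> $OBJ/authorized_keys_$USER
-
-# Convert rsa2 host key to PuTTY format
-- cp $OBJ/rsa $OBJ/rsa_oldfmt
-- ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null
-- ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/rsa_oldfmt > \
-+ cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
-+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
-+ ${SRC}/ssh2putty.sh 127.0.0.1 $PORT $OBJ/ssh-rsa_oldfmt > \
-${OBJ}/.putty/sshhostkeys
-- ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/rsa_oldfmt >> \
-+ ${SRC}/ssh2putty.sh 127.0.0.1 22 $OBJ/ssh-rsa_oldfmt >> \
-${OBJ}/.putty/sshhostkeys
-- rm -f $OBJ/rsa_oldfmt
-+ rm -f $OBJ/ssh-rsa_oldfmt
-
-# Setup proxied session
-mkdir -p ${OBJ}/.putty/sessions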
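--- a/debian/patches/fix-utimensat-test.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 61d2706623ed144ee9cbd212d13eeba202a7ce26 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Fri, 7 Jun 2019 23:47:37 +1000
-Subject: Update utimensat test.
-
-POSIX specifies that when given a symlink, AT_SYMLINK_NOFOLLOW should
-update the symlink and not the destination. The compat code doesn't
-have a way to do this, so where possible it fails instead of following a
-symlink when explicitly asked not to. Instead of checking for an explicit
-failure, check that it does not update the destination, which both the
-real and compat implementations should honour.
-
-Inspired by github pull req #125 from chutzpah at gentoo.org.
-
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=182898192d4b720e4faeafd5b39c2cfb3b92aa21
-Last-Update: 2019-06-09
-
-Patch-Name: fix-utimensat-test.patch
----
-openbsd-compat/regress/utimensattest.c | 20 +++++++++++++++++---
-1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c
-index a7bc7634b..b29cef2f1 100644
---- a/openbsd-compat/regress/utimensattest.c
-+++ b/openbsd-compat/regress/utimensattest.c
-@@ -83,14 +83,28 @@ main(void)
-fail("mtim.tv_nsec", 45678000, sb.st_mtim.tv_nsec);
-#endif
-
-+ /*
-+ * POSIX specifies that when given a symlink, AT_SYMLINK_NOFOLLOW
-+ * should update the symlink and not the destination. The compat
-+ * code doesn't have a way to do this, so where possible it fails
-+ * with ENOSYS instead of following a symlink when explicitly asked
-+ * not to. Here we just test that it does not update the destination.
-+ */
-if (rename(TMPFILE, TMPFILE2) == -1)
-fail("rename", 0, 0);
-if (symlink(TMPFILE2, TMPFILE) == -1)
-fail("symlink", 0, 0);
-+ ts[0].tv_sec = 11223344;
-+ ts[1].tv_sec = 55667788;
-+ (void)utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW);
-+ if (stat(TMPFILE2, &sb) == -1)
-+ fail("stat", 0, 0 );
-+ if (sb.st_atime == 11223344)
-+ fail("utimensat symlink st_atime", 0, 0 );
-+ if (sb.st_mtime == 55667788)
-+ fail("utimensat symlink st_mtime", 0, 0 );
-
-- if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1)
-- fail("utimensat followed symlink", 0, 0);
--
-+ /* Clean up */
-if (!(unlink(TMPFILE) == 0 && unlink(TMPFILE2) == 0))
-fail("unlink", 0, 0);
-exit(0);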
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch index 405b1b884..89c2a9864 100644 --- a/debian/patches/gnome-ssh-askpass2-icon.patch +++ b/debian/patches/gnome-ssh-askpass2-icon.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 734ffc23e368f9b0df085b4f191d66e21ed52d12 Mon Sep 17 00:00:00 2001 | 1 | From 4360244ab2ed367bdb2c836292e761c589355950 Mon Sep 17 00:00:00 2001 |
2 | From: Vincent Untz <vuntz@ubuntu.com> | 2 | From: Vincent Untz <vuntz@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 |
4 | Subject: Give the ssh-askpass-gnome window a default icon | 4 | Subject: Give the ssh-askpass-gnome window a default icon |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index 45d131d27..b858f4915 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7ce79be85036c4b36937f1b1ba85f6094068412c Mon Sep 17 00:00:00 2001 | 1 | From 9da806e67101afdc0d3a1d304659927acf18f5c5 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -18,7 +18,7 @@ security history. | |||
18 | 18 | ||
19 | Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master | 19 | Origin: other, https://github.com/openssh-gsskex/openssh-gsskex/commits/debian/master |
20 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 20 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
21 | Last-Updated: 2019-06-05 | 21 | Last-Updated: 2019-10-09 |
22 | 22 | ||
23 | Patch-Name: gssapi.patch | 23 | Patch-Name: gssapi.patch |
24 | --- | 24 | --- |
@@ -67,7 +67,7 @@ Patch-Name: gssapi.patch | |||
67 | create mode 100644 kexgsss.c | 67 | create mode 100644 kexgsss.c |
68 | 68 | ||
69 | diff --git a/Makefile.in b/Makefile.in | 69 | diff --git a/Makefile.in b/Makefile.in |
70 | index 6f001bb36..c31821acc 100644 | 70 | index adb1977e2..ab29e4f05 100644 |
71 | --- a/Makefile.in | 71 | --- a/Makefile.in |
72 | +++ b/Makefile.in | 72 | +++ b/Makefile.in |
73 | @@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 73 | @@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
@@ -85,7 +85,7 @@ index 6f001bb36..c31821acc 100644 | |||
85 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ | 85 | - auth2-gss.o gss-serv.o gss-serv-krb5.o \ |
86 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ | 86 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ |
87 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 87 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
88 | sftp-server.o sftp-common.o \ | 88 | sftp-server.o sftp-common.o sftp-realpath.o \ |
89 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ | 89 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
90 | diff --git a/auth-krb5.c b/auth-krb5.c | 90 | diff --git a/auth-krb5.c b/auth-krb5.c |
91 | index 3096f1c8e..204752e1b 100644 | 91 | index 3096f1c8e..204752e1b 100644 |
@@ -139,7 +139,7 @@ index 3096f1c8e..204752e1b 100644 | |||
139 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 139 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
140 | } | 140 | } |
141 | diff --git a/auth.c b/auth.c | 141 | diff --git a/auth.c b/auth.c |
142 | index 8696f258e..f7a23afba 100644 | 142 | index ca450f4e4..47c27773c 100644 |
143 | --- a/auth.c | 143 | --- a/auth.c |
144 | +++ b/auth.c | 144 | +++ b/auth.c |
145 | @@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) | 145 | @@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) |
@@ -179,7 +179,7 @@ index 8696f258e..f7a23afba 100644 | |||
179 | - fromlen = sizeof(from); | 179 | - fromlen = sizeof(from); |
180 | - memset(&from, 0, sizeof(from)); | 180 | - memset(&from, 0, sizeof(from)); |
181 | - if (getpeername(ssh_packet_get_connection_in(ssh), | 181 | - if (getpeername(ssh_packet_get_connection_in(ssh), |
182 | - (struct sockaddr *)&from, &fromlen) < 0) { | 182 | - (struct sockaddr *)&from, &fromlen) == -1) { |
183 | - debug("getpeername failed: %.100s", strerror(errno)); | 183 | - debug("getpeername failed: %.100s", strerror(errno)); |
184 | - return strdup(ntop); | 184 | - return strdup(ntop); |
185 | - } | 185 | - } |
@@ -348,10 +348,10 @@ index 9351e0428..d6446c0cf 100644 | |||
348 | "gssapi-with-mic", | 348 | "gssapi-with-mic", |
349 | userauth_gssapi, | 349 | userauth_gssapi, |
350 | diff --git a/auth2.c b/auth2.c | 350 | diff --git a/auth2.c b/auth2.c |
351 | index 16ae1a363..7417eafa4 100644 | 351 | index 0e7762242..1c217268c 100644 |
352 | --- a/auth2.c | 352 | --- a/auth2.c |
353 | +++ b/auth2.c | 353 | +++ b/auth2.c |
354 | @@ -75,6 +75,7 @@ extern Authmethod method_passwd; | 354 | @@ -73,6 +73,7 @@ extern Authmethod method_passwd; |
355 | extern Authmethod method_kbdint; | 355 | extern Authmethod method_kbdint; |
356 | extern Authmethod method_hostbased; | 356 | extern Authmethod method_hostbased; |
357 | #ifdef GSSAPI | 357 | #ifdef GSSAPI |
@@ -359,7 +359,7 @@ index 16ae1a363..7417eafa4 100644 | |||
359 | extern Authmethod method_gssapi; | 359 | extern Authmethod method_gssapi; |
360 | #endif | 360 | #endif |
361 | 361 | ||
362 | @@ -82,6 +83,7 @@ Authmethod *authmethods[] = { | 362 | @@ -80,6 +81,7 @@ Authmethod *authmethods[] = { |
363 | &method_none, | 363 | &method_none, |
364 | &method_pubkey, | 364 | &method_pubkey, |
365 | #ifdef GSSAPI | 365 | #ifdef GSSAPI |
@@ -368,7 +368,7 @@ index 16ae1a363..7417eafa4 100644 | |||
368 | #endif | 368 | #endif |
369 | &method_passwd, | 369 | &method_passwd, |
370 | diff --git a/canohost.c b/canohost.c | 370 | diff --git a/canohost.c b/canohost.c |
371 | index f71a08568..404731d24 100644 | 371 | index abea9c6e6..9a00fc2cf 100644 |
372 | --- a/canohost.c | 372 | --- a/canohost.c |
373 | +++ b/canohost.c | 373 | +++ b/canohost.c |
374 | @@ -35,6 +35,99 @@ | 374 | @@ -35,6 +35,99 @@ |
@@ -398,7 +398,7 @@ index f71a08568..404731d24 100644 | |||
398 | + fromlen = sizeof(from); | 398 | + fromlen = sizeof(from); |
399 | + memset(&from, 0, sizeof(from)); | 399 | + memset(&from, 0, sizeof(from)); |
400 | + if (getpeername(ssh_packet_get_connection_in(ssh), | 400 | + if (getpeername(ssh_packet_get_connection_in(ssh), |
401 | + (struct sockaddr *)&from, &fromlen) < 0) { | 401 | + (struct sockaddr *)&from, &fromlen) == -1) { |
402 | + debug("getpeername failed: %.100s", strerror(errno)); | 402 | + debug("getpeername failed: %.100s", strerror(errno)); |
403 | + return strdup(ntop); | 403 | + return strdup(ntop); |
404 | + } | 404 | + } |
@@ -486,7 +486,7 @@ index 26d62855a..0cadc9f18 100644 | |||
486 | int get_peer_port(int); | 486 | int get_peer_port(int); |
487 | char *get_local_ipaddr(int); | 487 | char *get_local_ipaddr(int); |
488 | diff --git a/clientloop.c b/clientloop.c | 488 | diff --git a/clientloop.c b/clientloop.c |
489 | index 086c0dfe8..9b90c64f3 100644 | 489 | index b5a1f7038..9def2a1a9 100644 |
490 | --- a/clientloop.c | 490 | --- a/clientloop.c |
491 | +++ b/clientloop.c | 491 | +++ b/clientloop.c |
492 | @@ -112,6 +112,10 @@ | 492 | @@ -112,6 +112,10 @@ |
@@ -500,7 +500,7 @@ index 086c0dfe8..9b90c64f3 100644 | |||
500 | /* import options */ | 500 | /* import options */ |
501 | extern Options options; | 501 | extern Options options; |
502 | 502 | ||
503 | @@ -1374,9 +1378,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, | 503 | @@ -1373,9 +1377,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, |
504 | break; | 504 | break; |
505 | 505 | ||
506 | /* Do channel operations unless rekeying in progress. */ | 506 | /* Do channel operations unless rekeying in progress. */ |
@@ -521,10 +521,10 @@ index 086c0dfe8..9b90c64f3 100644 | |||
521 | client_process_net_input(ssh, readset); | 521 | client_process_net_input(ssh, readset); |
522 | 522 | ||
523 | diff --git a/configure.ac b/configure.ac | 523 | diff --git a/configure.ac b/configure.ac |
524 | index 30be6c182..2869f7042 100644 | 524 | index 3e93c0276..1c2512314 100644 |
525 | --- a/configure.ac | 525 | --- a/configure.ac |
526 | +++ b/configure.ac | 526 | +++ b/configure.ac |
527 | @@ -665,6 +665,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 527 | @@ -666,6 +666,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
528 | [Use tunnel device compatibility to OpenBSD]) | 528 | [Use tunnel device compatibility to OpenBSD]) |
529 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], | 529 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
530 | [Prepend the address family to IP tunnel traffic]) | 530 | [Prepend the address family to IP tunnel traffic]) |
@@ -1339,19 +1339,19 @@ index ab3a15f0f..1d47870e7 100644 | |||
1339 | 1339 | ||
1340 | /* Privileged */ | 1340 | /* Privileged */ |
1341 | diff --git a/hmac.c b/hmac.c | 1341 | diff --git a/hmac.c b/hmac.c |
1342 | index 1c879640c..a29f32c5c 100644 | 1342 | index 32688876d..a79e8569c 100644 |
1343 | --- a/hmac.c | 1343 | --- a/hmac.c |
1344 | +++ b/hmac.c | 1344 | +++ b/hmac.c |
1345 | @@ -19,6 +19,7 @@ | 1345 | @@ -21,6 +21,7 @@ |
1346 | 1346 | ||
1347 | #include <sys/types.h> | 1347 | #include <stdlib.h> |
1348 | #include <string.h> | 1348 | #include <string.h> |
1349 | +#include <stdlib.h> | 1349 | +#include <stdlib.h> |
1350 | 1350 | ||
1351 | #include "sshbuf.h" | 1351 | #include "sshbuf.h" |
1352 | #include "digest.h" | 1352 | #include "digest.h" |
1353 | diff --git a/kex.c b/kex.c | 1353 | diff --git a/kex.c b/kex.c |
1354 | index 34808b5c3..a2a4794e8 100644 | 1354 | index 49d701568..e09355dbd 100644 |
1355 | --- a/kex.c | 1355 | --- a/kex.c |
1356 | +++ b/kex.c | 1356 | +++ b/kex.c |
1357 | @@ -55,11 +55,16 @@ | 1357 | @@ -55,11 +55,16 @@ |
@@ -1373,7 +1373,7 @@ index 34808b5c3..a2a4794e8 100644 | |||
1373 | static int kex_input_newkeys(int, u_int32_t, struct ssh *); | 1373 | static int kex_input_newkeys(int, u_int32_t, struct ssh *); |
1374 | @@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = { | 1374 | @@ -113,15 +118,28 @@ static const struct kexalg kexalgs[] = { |
1375 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ | 1375 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
1376 | { NULL, -1, -1, -1}, | 1376 | { NULL, 0, -1, -1}, |
1377 | }; | 1377 | }; |
1378 | +static const struct kexalg gss_kexalgs[] = { | 1378 | +static const struct kexalg gss_kexalgs[] = { |
1379 | +#ifdef GSSAPI | 1379 | +#ifdef GSSAPI |
@@ -1386,7 +1386,7 @@ index 34808b5c3..a2a4794e8 100644 | |||
1386 | + NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, | 1386 | + NID_X9_62_prime256v1, SSH_DIGEST_SHA256 }, |
1387 | + { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, | 1387 | + { KEX_GSS_C25519_SHA256_ID, KEX_GSS_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, |
1388 | +#endif | 1388 | +#endif |
1389 | + { NULL, -1, -1, -1 }, | 1389 | + { NULL, 0, -1, -1 }, |
1390 | +}; | 1390 | +}; |
1391 | 1391 | ||
1392 | -char * | 1392 | -char * |
@@ -1433,7 +1433,7 @@ index 34808b5c3..a2a4794e8 100644 | |||
1433 | return NULL; | 1433 | return NULL; |
1434 | } | 1434 | } |
1435 | 1435 | ||
1436 | @@ -301,6 +335,29 @@ kex_assemble_names(char **listp, const char *def, const char *all) | 1436 | @@ -313,6 +347,29 @@ kex_assemble_names(char **listp, const char *def, const char *all) |
1437 | return r; | 1437 | return r; |
1438 | } | 1438 | } |
1439 | 1439 | ||
@@ -1463,7 +1463,7 @@ index 34808b5c3..a2a4794e8 100644 | |||
1463 | /* put algorithm proposal into buffer */ | 1463 | /* put algorithm proposal into buffer */ |
1464 | int | 1464 | int |
1465 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) | 1465 | kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) |
1466 | @@ -657,6 +714,9 @@ kex_free(struct kex *kex) | 1466 | @@ -696,6 +753,9 @@ kex_free(struct kex *kex) |
1467 | sshbuf_free(kex->server_version); | 1467 | sshbuf_free(kex->server_version); |
1468 | sshbuf_free(kex->client_pub); | 1468 | sshbuf_free(kex->client_pub); |
1469 | free(kex->session_id); | 1469 | free(kex->session_id); |
@@ -1474,10 +1474,10 @@ index 34808b5c3..a2a4794e8 100644 | |||
1474 | free(kex->hostkey_alg); | 1474 | free(kex->hostkey_alg); |
1475 | free(kex->name); | 1475 | free(kex->name); |
1476 | diff --git a/kex.h b/kex.h | 1476 | diff --git a/kex.h b/kex.h |
1477 | index 6d446d1cc..2d5f1d4ed 100644 | 1477 | index a5ae6ac05..fe7141414 100644 |
1478 | --- a/kex.h | 1478 | --- a/kex.h |
1479 | +++ b/kex.h | 1479 | +++ b/kex.h |
1480 | @@ -103,6 +103,15 @@ enum kex_exchange { | 1480 | @@ -102,6 +102,15 @@ enum kex_exchange { |
1481 | KEX_ECDH_SHA2, | 1481 | KEX_ECDH_SHA2, |
1482 | KEX_C25519_SHA256, | 1482 | KEX_C25519_SHA256, |
1483 | KEX_KEM_SNTRUP4591761X25519_SHA512, | 1483 | KEX_KEM_SNTRUP4591761X25519_SHA512, |
@@ -1493,7 +1493,7 @@ index 6d446d1cc..2d5f1d4ed 100644 | |||
1493 | KEX_MAX | 1493 | KEX_MAX |
1494 | }; | 1494 | }; |
1495 | 1495 | ||
1496 | @@ -154,6 +163,12 @@ struct kex { | 1496 | @@ -153,6 +162,12 @@ struct kex { |
1497 | u_int flags; | 1497 | u_int flags; |
1498 | int hash_alg; | 1498 | int hash_alg; |
1499 | int ec_nid; | 1499 | int ec_nid; |
@@ -1506,7 +1506,7 @@ index 6d446d1cc..2d5f1d4ed 100644 | |||
1506 | char *failed_choice; | 1506 | char *failed_choice; |
1507 | int (*verify_host_key)(struct sshkey *, struct ssh *); | 1507 | int (*verify_host_key)(struct sshkey *, struct ssh *); |
1508 | struct sshkey *(*load_host_public_key)(int, int, struct ssh *); | 1508 | struct sshkey *(*load_host_public_key)(int, int, struct ssh *); |
1509 | @@ -175,8 +190,10 @@ struct kex { | 1509 | @@ -174,8 +189,10 @@ struct kex { |
1510 | 1510 | ||
1511 | int kex_names_valid(const char *); | 1511 | int kex_names_valid(const char *); |
1512 | char *kex_alg_list(char); | 1512 | char *kex_alg_list(char); |
@@ -1517,7 +1517,7 @@ index 6d446d1cc..2d5f1d4ed 100644 | |||
1517 | 1517 | ||
1518 | int kex_exchange_identification(struct ssh *, int, const char *); | 1518 | int kex_exchange_identification(struct ssh *, int, const char *); |
1519 | 1519 | ||
1520 | @@ -203,6 +220,12 @@ int kexgex_client(struct ssh *); | 1520 | @@ -202,6 +219,12 @@ int kexgex_client(struct ssh *); |
1521 | int kexgex_server(struct ssh *); | 1521 | int kexgex_server(struct ssh *); |
1522 | int kex_gen_client(struct ssh *); | 1522 | int kex_gen_client(struct ssh *); |
1523 | int kex_gen_server(struct ssh *); | 1523 | int kex_gen_server(struct ssh *); |
@@ -1530,7 +1530,7 @@ index 6d446d1cc..2d5f1d4ed 100644 | |||
1530 | 1530 | ||
1531 | int kex_dh_keypair(struct kex *); | 1531 | int kex_dh_keypair(struct kex *); |
1532 | int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, | 1532 | int kex_dh_enc(struct kex *, const struct sshbuf *, struct sshbuf **, |
1533 | @@ -235,6 +258,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *, | 1533 | @@ -234,6 +257,12 @@ int kexgex_hash(int, const struct sshbuf *, const struct sshbuf *, |
1534 | const BIGNUM *, const u_char *, size_t, | 1534 | const BIGNUM *, const u_char *, size_t, |
1535 | u_char *, size_t *); | 1535 | u_char *, size_t *); |
1536 | 1536 | ||
@@ -1572,10 +1572,10 @@ index 67133e339..edaa46762 100644 | |||
1572 | break; | 1572 | break; |
1573 | case KEX_DH_GRP18_SHA512: | 1573 | case KEX_DH_GRP18_SHA512: |
1574 | diff --git a/kexgen.c b/kexgen.c | 1574 | diff --git a/kexgen.c b/kexgen.c |
1575 | index 2abbb9ef6..569dc83f3 100644 | 1575 | index bb996b504..d353ed8b0 100644 |
1576 | --- a/kexgen.c | 1576 | --- a/kexgen.c |
1577 | +++ b/kexgen.c | 1577 | +++ b/kexgen.c |
1578 | @@ -43,7 +43,7 @@ | 1578 | @@ -44,7 +44,7 @@ |
1579 | static int input_kex_gen_init(int, u_int32_t, struct ssh *); | 1579 | static int input_kex_gen_init(int, u_int32_t, struct ssh *); |
1580 | static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh); | 1580 | static int input_kex_gen_reply(int type, u_int32_t seq, struct ssh *ssh); |
1581 | 1581 | ||
@@ -2677,11 +2677,11 @@ index 000000000..60bc02deb | |||
2677 | +} | 2677 | +} |
2678 | +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ | 2678 | +#endif /* defined(GSSAPI) && defined(WITH_OPENSSL) */ |
2679 | diff --git a/mac.c b/mac.c | 2679 | diff --git a/mac.c b/mac.c |
2680 | index 51dc11d76..3d11eba62 100644 | 2680 | index f3dda6692..de346ed20 100644 |
2681 | --- a/mac.c | 2681 | --- a/mac.c |
2682 | +++ b/mac.c | 2682 | +++ b/mac.c |
2683 | @@ -29,6 +29,7 @@ | 2683 | @@ -30,6 +30,7 @@ |
2684 | 2684 | #include <stdlib.h> | |
2685 | #include <string.h> | 2685 | #include <string.h> |
2686 | #include <stdio.h> | 2686 | #include <stdio.h> |
2687 | +#include <stdlib.h> | 2687 | +#include <stdlib.h> |
@@ -2689,7 +2689,7 @@ index 51dc11d76..3d11eba62 100644 | |||
2689 | #include "digest.h" | 2689 | #include "digest.h" |
2690 | #include "hmac.h" | 2690 | #include "hmac.h" |
2691 | diff --git a/monitor.c b/monitor.c | 2691 | diff --git a/monitor.c b/monitor.c |
2692 | index 60e529444..0766d6ef5 100644 | 2692 | index 00af44f98..bead9e204 100644 |
2693 | --- a/monitor.c | 2693 | --- a/monitor.c |
2694 | +++ b/monitor.c | 2694 | +++ b/monitor.c |
2695 | @@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); | 2695 | @@ -147,6 +147,8 @@ int mm_answer_gss_setup_ctx(struct ssh *, int, struct sshbuf *); |
@@ -2936,7 +2936,7 @@ index 683e5e071..2b1a2d590 100644 | |||
2936 | 2936 | ||
2937 | struct ssh; | 2937 | struct ssh; |
2938 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2938 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2939 | index 186e8f022..8e4c1c1f8 100644 | 2939 | index 4169b7604..fdca39a6a 100644 |
2940 | --- a/monitor_wrap.c | 2940 | --- a/monitor_wrap.c |
2941 | +++ b/monitor_wrap.c | 2941 | +++ b/monitor_wrap.c |
2942 | @@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2942 | @@ -978,13 +978,15 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
@@ -3015,10 +3015,10 @@ index 186e8f022..8e4c1c1f8 100644 | |||
3015 | + | 3015 | + |
3016 | #endif /* GSSAPI */ | 3016 | #endif /* GSSAPI */ |
3017 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 3017 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
3018 | index fdebb3aa4..69164a8c0 100644 | 3018 | index 191277f3a..92dda574b 100644 |
3019 | --- a/monitor_wrap.h | 3019 | --- a/monitor_wrap.h |
3020 | +++ b/monitor_wrap.h | 3020 | +++ b/monitor_wrap.h |
3021 | @@ -61,8 +61,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, | 3021 | @@ -63,8 +63,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, |
3022 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | 3022 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); |
3023 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, | 3023 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, |
3024 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); | 3024 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
@@ -3031,7 +3031,7 @@ index fdebb3aa4..69164a8c0 100644 | |||
3031 | 3031 | ||
3032 | #ifdef USE_PAM | 3032 | #ifdef USE_PAM |
3033 | diff --git a/readconf.c b/readconf.c | 3033 | diff --git a/readconf.c b/readconf.c |
3034 | index ec497e79f..4d699e5f1 100644 | 3034 | index f78b4d6fe..3c68d1a88 100644 |
3035 | --- a/readconf.c | 3035 | --- a/readconf.c |
3036 | +++ b/readconf.c | 3036 | +++ b/readconf.c |
3037 | @@ -67,6 +67,7 @@ | 3037 | @@ -67,6 +67,7 @@ |
@@ -3074,7 +3074,7 @@ index ec497e79f..4d699e5f1 100644 | |||
3074 | #endif | 3074 | #endif |
3075 | #ifdef ENABLE_PKCS11 | 3075 | #ifdef ENABLE_PKCS11 |
3076 | { "pkcs11provider", oPKCS11Provider }, | 3076 | { "pkcs11provider", oPKCS11Provider }, |
3077 | @@ -983,10 +998,42 @@ parse_time: | 3077 | @@ -988,10 +1003,42 @@ parse_time: |
3078 | intptr = &options->gss_authentication; | 3078 | intptr = &options->gss_authentication; |
3079 | goto parse_flag; | 3079 | goto parse_flag; |
3080 | 3080 | ||
@@ -3117,7 +3117,7 @@ index ec497e79f..4d699e5f1 100644 | |||
3117 | case oBatchMode: | 3117 | case oBatchMode: |
3118 | intptr = &options->batch_mode; | 3118 | intptr = &options->batch_mode; |
3119 | goto parse_flag; | 3119 | goto parse_flag; |
3120 | @@ -1854,7 +1901,13 @@ initialize_options(Options * options) | 3120 | @@ -1863,7 +1910,13 @@ initialize_options(Options * options) |
3121 | options->pubkey_authentication = -1; | 3121 | options->pubkey_authentication = -1; |
3122 | options->challenge_response_authentication = -1; | 3122 | options->challenge_response_authentication = -1; |
3123 | options->gss_authentication = -1; | 3123 | options->gss_authentication = -1; |
@@ -3131,7 +3131,7 @@ index ec497e79f..4d699e5f1 100644 | |||
3131 | options->password_authentication = -1; | 3131 | options->password_authentication = -1; |
3132 | options->kbd_interactive_authentication = -1; | 3132 | options->kbd_interactive_authentication = -1; |
3133 | options->kbd_interactive_devices = NULL; | 3133 | options->kbd_interactive_devices = NULL; |
3134 | @@ -2000,8 +2053,18 @@ fill_default_options(Options * options) | 3134 | @@ -2009,8 +2062,18 @@ fill_default_options(Options * options) |
3135 | options->challenge_response_authentication = 1; | 3135 | options->challenge_response_authentication = 1; |
3136 | if (options->gss_authentication == -1) | 3136 | if (options->gss_authentication == -1) |
3137 | options->gss_authentication = 0; | 3137 | options->gss_authentication = 0; |
@@ -3150,7 +3150,7 @@ index ec497e79f..4d699e5f1 100644 | |||
3150 | if (options->password_authentication == -1) | 3150 | if (options->password_authentication == -1) |
3151 | options->password_authentication = 1; | 3151 | options->password_authentication = 1; |
3152 | if (options->kbd_interactive_authentication == -1) | 3152 | if (options->kbd_interactive_authentication == -1) |
3153 | @@ -2616,7 +2679,14 @@ dump_client_config(Options *o, const char *host) | 3153 | @@ -2625,7 +2688,14 @@ dump_client_config(Options *o, const char *host) |
3154 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); | 3154 | dump_cfg_fmtint(oGatewayPorts, o->fwd_opts.gateway_ports); |
3155 | #ifdef GSSAPI | 3155 | #ifdef GSSAPI |
3156 | dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); | 3156 | dump_cfg_fmtint(oGssAuthentication, o->gss_authentication); |
@@ -3184,7 +3184,7 @@ index 8e36bf32a..0bff6d80a 100644 | |||
3184 | * authentication. */ | 3184 | * authentication. */ |
3185 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 3185 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
3186 | diff --git a/servconf.c b/servconf.c | 3186 | diff --git a/servconf.c b/servconf.c |
3187 | index ffac5d2c7..ffdad31e7 100644 | 3187 | index e76f9c39e..f63eb0b94 100644 |
3188 | --- a/servconf.c | 3188 | --- a/servconf.c |
3189 | +++ b/servconf.c | 3189 | +++ b/servconf.c |
3190 | @@ -64,6 +64,7 @@ | 3190 | @@ -64,6 +64,7 @@ |
@@ -3257,7 +3257,7 @@ index ffac5d2c7..ffdad31e7 100644 | |||
3257 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 3257 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
3258 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 3258 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
3259 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 3259 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
3260 | @@ -1485,6 +1508,10 @@ process_server_config_line(ServerOptions *options, char *line, | 3260 | @@ -1488,6 +1511,10 @@ process_server_config_line(ServerOptions *options, char *line, |
3261 | intptr = &options->gss_authentication; | 3261 | intptr = &options->gss_authentication; |
3262 | goto parse_flag; | 3262 | goto parse_flag; |
3263 | 3263 | ||
@@ -3268,7 +3268,7 @@ index ffac5d2c7..ffdad31e7 100644 | |||
3268 | case sGssCleanupCreds: | 3268 | case sGssCleanupCreds: |
3269 | intptr = &options->gss_cleanup_creds; | 3269 | intptr = &options->gss_cleanup_creds; |
3270 | goto parse_flag; | 3270 | goto parse_flag; |
3271 | @@ -1493,6 +1520,22 @@ process_server_config_line(ServerOptions *options, char *line, | 3271 | @@ -1496,6 +1523,22 @@ process_server_config_line(ServerOptions *options, char *line, |
3272 | intptr = &options->gss_strict_acceptor; | 3272 | intptr = &options->gss_strict_acceptor; |
3273 | goto parse_flag; | 3273 | goto parse_flag; |
3274 | 3274 | ||
@@ -3291,7 +3291,7 @@ index ffac5d2c7..ffdad31e7 100644 | |||
3291 | case sPasswordAuthentication: | 3291 | case sPasswordAuthentication: |
3292 | intptr = &options->password_authentication; | 3292 | intptr = &options->password_authentication; |
3293 | goto parse_flag; | 3293 | goto parse_flag; |
3294 | @@ -2579,6 +2622,10 @@ dump_config(ServerOptions *o) | 3294 | @@ -2585,6 +2628,10 @@ dump_config(ServerOptions *o) |
3295 | #ifdef GSSAPI | 3295 | #ifdef GSSAPI |
3296 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 3296 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
3297 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); | 3297 | dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); |
@@ -3303,7 +3303,7 @@ index ffac5d2c7..ffdad31e7 100644 | |||
3303 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 3303 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
3304 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 3304 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
3305 | diff --git a/servconf.h b/servconf.h | 3305 | diff --git a/servconf.h b/servconf.h |
3306 | index 54e0a8d8d..a476d5220 100644 | 3306 | index 5483da051..29329ba1f 100644 |
3307 | --- a/servconf.h | 3307 | --- a/servconf.h |
3308 | +++ b/servconf.h | 3308 | +++ b/servconf.h |
3309 | @@ -126,8 +126,11 @@ typedef struct { | 3309 | @@ -126,8 +126,11 @@ typedef struct { |
@@ -3319,7 +3319,7 @@ index 54e0a8d8d..a476d5220 100644 | |||
3319 | * authentication. */ | 3319 | * authentication. */ |
3320 | int kbd_interactive_authentication; /* If true, permit */ | 3320 | int kbd_interactive_authentication; /* If true, permit */ |
3321 | diff --git a/session.c b/session.c | 3321 | diff --git a/session.c b/session.c |
3322 | index ac06b08e9..ac3d9d19d 100644 | 3322 | index 8f5d7e0a4..f1a47f766 100644 |
3323 | --- a/session.c | 3323 | --- a/session.c |
3324 | +++ b/session.c | 3324 | +++ b/session.c |
3325 | @@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) | 3325 | @@ -2674,13 +2674,19 @@ do_cleanup(struct ssh *ssh, Authctxt *authctxt) |
@@ -3465,7 +3465,7 @@ index 36180d07a..70dd36658 100644 | |||
3465 | 3465 | ||
3466 | #endif /* _SSH_GSS_H */ | 3466 | #endif /* _SSH_GSS_H */ |
3467 | diff --git a/ssh.1 b/ssh.1 | 3467 | diff --git a/ssh.1 b/ssh.1 |
3468 | index 9480eba8d..a1c7d2305 100644 | 3468 | index 424d6c3e8..26940ad55 100644 |
3469 | --- a/ssh.1 | 3469 | --- a/ssh.1 |
3470 | +++ b/ssh.1 | 3470 | +++ b/ssh.1 |
3471 | @@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see | 3471 | @@ -497,7 +497,13 @@ For full details of the options listed below, and their possible values, see |
@@ -3492,7 +3492,7 @@ index 9480eba8d..a1c7d2305 100644 | |||
3492 | (key types), | 3492 | (key types), |
3493 | .Ar key-cert | 3493 | .Ar key-cert |
3494 | diff --git a/ssh.c b/ssh.c | 3494 | diff --git a/ssh.c b/ssh.c |
3495 | index 91e7c3511..42be7d88f 100644 | 3495 | index ee51823cd..2da9f5d0d 100644 |
3496 | --- a/ssh.c | 3496 | --- a/ssh.c |
3497 | +++ b/ssh.c | 3497 | +++ b/ssh.c |
3498 | @@ -736,6 +736,8 @@ main(int ac, char **av) | 3498 | @@ -736,6 +736,8 @@ main(int ac, char **av) |
@@ -3527,10 +3527,10 @@ index 5e8ef548b..1ff999b68 100644 | |||
3527 | # CheckHostIP yes | 3527 | # CheckHostIP yes |
3528 | # AddressFamily any | 3528 | # AddressFamily any |
3529 | diff --git a/ssh_config.5 b/ssh_config.5 | 3529 | diff --git a/ssh_config.5 b/ssh_config.5 |
3530 | index 412629637..c3c8b274a 100644 | 3530 | index 02a87892d..f4668673b 100644 |
3531 | --- a/ssh_config.5 | 3531 | --- a/ssh_config.5 |
3532 | +++ b/ssh_config.5 | 3532 | +++ b/ssh_config.5 |
3533 | @@ -754,10 +754,67 @@ The default is | 3533 | @@ -758,10 +758,67 @@ The default is |
3534 | Specifies whether user authentication based on GSSAPI is allowed. | 3534 | Specifies whether user authentication based on GSSAPI is allowed. |
3535 | The default is | 3535 | The default is |
3536 | .Cm no . | 3536 | .Cm no . |
@@ -3599,7 +3599,7 @@ index 412629637..c3c8b274a 100644 | |||
3599 | Indicates that | 3599 | Indicates that |
3600 | .Xr ssh 1 | 3600 | .Xr ssh 1 |
3601 | diff --git a/sshconnect2.c b/sshconnect2.c | 3601 | diff --git a/sshconnect2.c b/sshconnect2.c |
3602 | index dffee90b1..4020371ae 100644 | 3602 | index 87fa70a40..a4ec75ca1 100644 |
3603 | --- a/sshconnect2.c | 3603 | --- a/sshconnect2.c |
3604 | +++ b/sshconnect2.c | 3604 | +++ b/sshconnect2.c |
3605 | @@ -78,8 +78,6 @@ | 3605 | @@ -78,8 +78,6 @@ |
@@ -3726,7 +3726,7 @@ index dffee90b1..4020371ae 100644 | |||
3726 | {"gssapi-with-mic", | 3726 | {"gssapi-with-mic", |
3727 | userauth_gssapi, | 3727 | userauth_gssapi, |
3728 | userauth_gssapi_cleanup, | 3728 | userauth_gssapi_cleanup, |
3729 | @@ -698,12 +766,25 @@ userauth_gssapi(struct ssh *ssh) | 3729 | @@ -697,12 +765,25 @@ userauth_gssapi(struct ssh *ssh) |
3730 | OM_uint32 min; | 3730 | OM_uint32 min; |
3731 | int r, ok = 0; | 3731 | int r, ok = 0; |
3732 | gss_OID mech = NULL; | 3732 | gss_OID mech = NULL; |
@@ -3753,7 +3753,7 @@ index dffee90b1..4020371ae 100644 | |||
3753 | 3753 | ||
3754 | /* Check to see whether the mechanism is usable before we offer it */ | 3754 | /* Check to see whether the mechanism is usable before we offer it */ |
3755 | while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && | 3755 | while (authctxt->mech_tried < authctxt->gss_supported_mechs->count && |
3756 | @@ -712,13 +793,15 @@ userauth_gssapi(struct ssh *ssh) | 3756 | @@ -711,13 +792,15 @@ userauth_gssapi(struct ssh *ssh) |
3757 | elements[authctxt->mech_tried]; | 3757 | elements[authctxt->mech_tried]; |
3758 | /* My DER encoding requires length<128 */ | 3758 | /* My DER encoding requires length<128 */ |
3759 | if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, | 3759 | if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, |
@@ -3770,7 +3770,7 @@ index dffee90b1..4020371ae 100644 | |||
3770 | if (!ok || mech == NULL) | 3770 | if (!ok || mech == NULL) |
3771 | return 0; | 3771 | return 0; |
3772 | 3772 | ||
3773 | @@ -958,6 +1041,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) | 3773 | @@ -957,6 +1040,55 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) |
3774 | free(lang); | 3774 | free(lang); |
3775 | return r; | 3775 | return r; |
3776 | } | 3776 | } |
@@ -3827,7 +3827,7 @@ index dffee90b1..4020371ae 100644 | |||
3827 | 3827 | ||
3828 | static int | 3828 | static int |
3829 | diff --git a/sshd.c b/sshd.c | 3829 | diff --git a/sshd.c b/sshd.c |
3830 | index cbd3bce91..98680721b 100644 | 3830 | index 11571c010..3a5c1ea78 100644 |
3831 | --- a/sshd.c | 3831 | --- a/sshd.c |
3832 | +++ b/sshd.c | 3832 | +++ b/sshd.c |
3833 | @@ -123,6 +123,10 @@ | 3833 | @@ -123,6 +123,10 @@ |
@@ -3852,7 +3852,7 @@ index cbd3bce91..98680721b 100644 | |||
3852 | sshpkt_fatal(ssh, r, "%s: send", __func__); | 3852 | sshpkt_fatal(ssh, r, "%s: send", __func__); |
3853 | sshbuf_free(buf); | 3853 | sshbuf_free(buf); |
3854 | } | 3854 | } |
3855 | @@ -1769,7 +1773,8 @@ main(int ac, char **av) | 3855 | @@ -1773,7 +1777,8 @@ main(int ac, char **av) |
3856 | free(fp); | 3856 | free(fp); |
3857 | } | 3857 | } |
3858 | accumulate_host_timing_secret(cfg, NULL); | 3858 | accumulate_host_timing_secret(cfg, NULL); |
@@ -3862,7 +3862,7 @@ index cbd3bce91..98680721b 100644 | |||
3862 | logit("sshd: no hostkeys available -- exiting."); | 3862 | logit("sshd: no hostkeys available -- exiting."); |
3863 | exit(1); | 3863 | exit(1); |
3864 | } | 3864 | } |
3865 | @@ -2064,6 +2069,60 @@ main(int ac, char **av) | 3865 | @@ -2069,6 +2074,60 @@ main(int ac, char **av) |
3866 | rdomain == NULL ? "" : "\""); | 3866 | rdomain == NULL ? "" : "\""); |
3867 | free(laddr); | 3867 | free(laddr); |
3868 | 3868 | ||
@@ -3923,7 +3923,7 @@ index cbd3bce91..98680721b 100644 | |||
3923 | /* | 3923 | /* |
3924 | * We don't want to listen forever unless the other side | 3924 | * We don't want to listen forever unless the other side |
3925 | * successfully authenticates itself. So we set up an alarm which is | 3925 | * successfully authenticates itself. So we set up an alarm which is |
3926 | @@ -2260,6 +2319,48 @@ do_ssh2_kex(struct ssh *ssh) | 3926 | @@ -2265,6 +2324,48 @@ do_ssh2_kex(struct ssh *ssh) |
3927 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 3927 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3928 | list_hostkey_types()); | 3928 | list_hostkey_types()); |
3929 | 3929 | ||
@@ -3972,7 +3972,7 @@ index cbd3bce91..98680721b 100644 | |||
3972 | /* start key exchange */ | 3972 | /* start key exchange */ |
3973 | if ((r = kex_setup(ssh, myproposal)) != 0) | 3973 | if ((r = kex_setup(ssh, myproposal)) != 0) |
3974 | fatal("kex_setup: %s", ssh_err(r)); | 3974 | fatal("kex_setup: %s", ssh_err(r)); |
3975 | @@ -2275,7 +2376,18 @@ do_ssh2_kex(struct ssh *ssh) | 3975 | @@ -2280,7 +2381,18 @@ do_ssh2_kex(struct ssh *ssh) |
3976 | # ifdef OPENSSL_HAS_ECC | 3976 | # ifdef OPENSSL_HAS_ECC |
3977 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; | 3977 | kex->kex[KEX_ECDH_SHA2] = kex_gen_server; |
3978 | # endif | 3978 | # endif |
@@ -4006,10 +4006,10 @@ index 19b7c91a1..2c48105f8 100644 | |||
4006 | # Set this to 'yes' to enable PAM authentication, account processing, | 4006 | # Set this to 'yes' to enable PAM authentication, account processing, |
4007 | # and session processing. If this is enabled, PAM authentication will | 4007 | # and session processing. If this is enabled, PAM authentication will |
4008 | diff --git a/sshd_config.5 b/sshd_config.5 | 4008 | diff --git a/sshd_config.5 b/sshd_config.5 |
4009 | index b224f2929..2baa6622b 100644 | 4009 | index 9486f2a1c..cec3c3c4e 100644 |
4010 | --- a/sshd_config.5 | 4010 | --- a/sshd_config.5 |
4011 | +++ b/sshd_config.5 | 4011 | +++ b/sshd_config.5 |
4012 | @@ -653,6 +653,11 @@ Specifies whether to automatically destroy the user's credentials cache | 4012 | @@ -655,6 +655,11 @@ Specifies whether to automatically destroy the user's credentials cache |
4013 | on logout. | 4013 | on logout. |
4014 | The default is | 4014 | The default is |
4015 | .Cm yes . | 4015 | .Cm yes . |
@@ -4021,7 +4021,7 @@ index b224f2929..2baa6622b 100644 | |||
4021 | .It Cm GSSAPIStrictAcceptorCheck | 4021 | .It Cm GSSAPIStrictAcceptorCheck |
4022 | Determines whether to be strict about the identity of the GSSAPI acceptor | 4022 | Determines whether to be strict about the identity of the GSSAPI acceptor |
4023 | a client authenticates against. | 4023 | a client authenticates against. |
4024 | @@ -667,6 +672,31 @@ machine's default store. | 4024 | @@ -669,6 +674,31 @@ machine's default store. |
4025 | This facility is provided to assist with operation on multi homed machines. | 4025 | This facility is provided to assist with operation on multi homed machines. |
4026 | The default is | 4026 | The default is |
4027 | .Cm yes . | 4027 | .Cm yes . |
@@ -4054,10 +4054,10 @@ index b224f2929..2baa6622b 100644 | |||
4054 | Specifies the key types that will be accepted for hostbased authentication | 4054 | Specifies the key types that will be accepted for hostbased authentication |
4055 | as a list of comma-separated patterns. | 4055 | as a list of comma-separated patterns. |
4056 | diff --git a/sshkey.c b/sshkey.c | 4056 | diff --git a/sshkey.c b/sshkey.c |
4057 | index ad1957762..789cd61ef 100644 | 4057 | index ef90563b3..4d2048b6a 100644 |
4058 | --- a/sshkey.c | 4058 | --- a/sshkey.c |
4059 | +++ b/sshkey.c | 4059 | +++ b/sshkey.c |
4060 | @@ -135,6 +135,7 @@ static const struct keytype keytypes[] = { | 4060 | @@ -145,6 +145,7 @@ static const struct keytype keytypes[] = { |
4061 | # endif /* OPENSSL_HAS_NISTP521 */ | 4061 | # endif /* OPENSSL_HAS_NISTP521 */ |
4062 | # endif /* OPENSSL_HAS_ECC */ | 4062 | # endif /* OPENSSL_HAS_ECC */ |
4063 | #endif /* WITH_OPENSSL */ | 4063 | #endif /* WITH_OPENSSL */ |
@@ -4065,7 +4065,7 @@ index ad1957762..789cd61ef 100644 | |||
4065 | { NULL, NULL, NULL, -1, -1, 0, 0 } | 4065 | { NULL, NULL, NULL, -1, -1, 0, 0 } |
4066 | }; | 4066 | }; |
4067 | 4067 | ||
4068 | @@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) | 4068 | @@ -233,7 +234,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) |
4069 | const struct keytype *kt; | 4069 | const struct keytype *kt; |
4070 | 4070 | ||
4071 | for (kt = keytypes; kt->type != -1; kt++) { | 4071 | for (kt = keytypes; kt->type != -1; kt++) { |
@@ -4075,7 +4075,7 @@ index ad1957762..789cd61ef 100644 | |||
4075 | if (!include_sigonly && kt->sigonly) | 4075 | if (!include_sigonly && kt->sigonly) |
4076 | continue; | 4076 | continue; |
4077 | diff --git a/sshkey.h b/sshkey.h | 4077 | diff --git a/sshkey.h b/sshkey.h |
4078 | index a91e60436..c11106c93 100644 | 4078 | index 1119a7b07..1bf30d055 100644 |
4079 | --- a/sshkey.h | 4079 | --- a/sshkey.h |
4080 | +++ b/sshkey.h | 4080 | +++ b/sshkey.h |
4081 | @@ -65,6 +65,7 @@ enum sshkey_types { | 4081 | @@ -65,6 +65,7 @@ enum sshkey_types { |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index fbfe6a1fb..2f7ac943d 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4d8dd12bab7bbc954815d7953a0c86ce1687bd34 Mon Sep 17 00:00:00 2001 | 1 | From 26d9fe60e31c78018bdfd49bba1196ea7c44405d Mon Sep 17 00:00:00 2001 |
2 | From: Richard Kettlewell <rjk@greenend.org.uk> | 2 | From: Richard Kettlewell <rjk@greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 |
4 | Subject: Various keepalive extensions | 4 | Subject: Various keepalive extensions |
@@ -26,7 +26,7 @@ Patch-Name: keepalive-extensions.patch | |||
26 | 3 files changed, 34 insertions(+), 4 deletions(-) | 26 | 3 files changed, 34 insertions(+), 4 deletions(-) |
27 | 27 | ||
28 | diff --git a/readconf.c b/readconf.c | 28 | diff --git a/readconf.c b/readconf.c |
29 | index 29f3bd98d..3d0b6ff90 100644 | 29 | index a7fb7ca15..09787c0e5 100644 |
30 | --- a/readconf.c | 30 | --- a/readconf.c |
31 | +++ b/readconf.c | 31 | +++ b/readconf.c |
32 | @@ -177,6 +177,7 @@ typedef enum { | 32 | @@ -177,6 +177,7 @@ typedef enum { |
@@ -46,7 +46,7 @@ index 29f3bd98d..3d0b6ff90 100644 | |||
46 | 46 | ||
47 | { NULL, oBadOption } | 47 | { NULL, oBadOption } |
48 | }; | 48 | }; |
49 | @@ -1440,6 +1443,8 @@ parse_keytypes: | 49 | @@ -1449,6 +1452,8 @@ parse_keytypes: |
50 | goto parse_flag; | 50 | goto parse_flag; |
51 | 51 | ||
52 | case oServerAliveInterval: | 52 | case oServerAliveInterval: |
@@ -55,7 +55,7 @@ index 29f3bd98d..3d0b6ff90 100644 | |||
55 | intptr = &options->server_alive_interval; | 55 | intptr = &options->server_alive_interval; |
56 | goto parse_time; | 56 | goto parse_time; |
57 | 57 | ||
58 | @@ -2133,8 +2138,13 @@ fill_default_options(Options * options) | 58 | @@ -2142,8 +2147,13 @@ fill_default_options(Options * options) |
59 | options->rekey_interval = 0; | 59 | options->rekey_interval = 0; |
60 | if (options->verify_host_key_dns == -1) | 60 | if (options->verify_host_key_dns == -1) |
61 | options->verify_host_key_dns = 0; | 61 | options->verify_host_key_dns = 0; |
@@ -72,7 +72,7 @@ index 29f3bd98d..3d0b6ff90 100644 | |||
72 | options->server_alive_count_max = 3; | 72 | options->server_alive_count_max = 3; |
73 | if (options->control_master == -1) | 73 | if (options->control_master == -1) |
74 | diff --git a/ssh_config.5 b/ssh_config.5 | 74 | diff --git a/ssh_config.5 b/ssh_config.5 |
75 | index c3c8b274a..250c92d04 100644 | 75 | index f4668673b..bc04d8d02 100644 |
76 | --- a/ssh_config.5 | 76 | --- a/ssh_config.5 |
77 | +++ b/ssh_config.5 | 77 | +++ b/ssh_config.5 |
78 | @@ -265,8 +265,12 @@ Valid arguments are | 78 | @@ -265,8 +265,12 @@ Valid arguments are |
@@ -89,7 +89,7 @@ index c3c8b274a..250c92d04 100644 | |||
89 | The argument must be | 89 | The argument must be |
90 | .Cm yes | 90 | .Cm yes |
91 | or | 91 | or |
92 | @@ -1535,7 +1539,14 @@ from the server, | 92 | @@ -1557,7 +1561,14 @@ from the server, |
93 | will send a message through the encrypted | 93 | will send a message through the encrypted |
94 | channel to request a response from the server. | 94 | channel to request a response from the server. |
95 | The default | 95 | The default |
@@ -105,7 +105,7 @@ index c3c8b274a..250c92d04 100644 | |||
105 | .It Cm SetEnv | 105 | .It Cm SetEnv |
106 | Directly specify one or more environment variables and their contents to | 106 | Directly specify one or more environment variables and their contents to |
107 | be sent to the server. | 107 | be sent to the server. |
108 | @@ -1615,6 +1626,12 @@ Specifies whether the system should send TCP keepalive messages to the | 108 | @@ -1637,6 +1648,12 @@ Specifies whether the system should send TCP keepalive messages to the |
109 | other side. | 109 | other side. |
110 | If they are sent, death of the connection or crash of one | 110 | If they are sent, death of the connection or crash of one |
111 | of the machines will be properly noticed. | 111 | of the machines will be properly noticed. |
@@ -119,10 +119,10 @@ index c3c8b274a..250c92d04 100644 | |||
119 | connections will die if the route is down temporarily, and some people | 119 | connections will die if the route is down temporarily, and some people |
120 | find it annoying. | 120 | find it annoying. |
121 | diff --git a/sshd_config.5 b/sshd_config.5 | 121 | diff --git a/sshd_config.5 b/sshd_config.5 |
122 | index 2baa6622b..2ef671d1b 100644 | 122 | index cec3c3c4e..eec224158 100644 |
123 | --- a/sshd_config.5 | 123 | --- a/sshd_config.5 |
124 | +++ b/sshd_config.5 | 124 | +++ b/sshd_config.5 |
125 | @@ -1597,6 +1597,9 @@ This avoids infinitely hanging sessions. | 125 | @@ -1615,6 +1615,9 @@ This avoids infinitely hanging sessions. |
126 | .Pp | 126 | .Pp |
127 | To disable TCP keepalive messages, the value should be set to | 127 | To disable TCP keepalive messages, the value should be set to |
128 | .Cm no . | 128 | .Cm no . |
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch index f429530a7..639b216d6 100644 --- a/debian/patches/mention-ssh-keygen-on-keychange.patch +++ b/debian/patches/mention-ssh-keygen-on-keychange.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f9185fc3df5af5f724bca35a957f60309af1d89e Mon Sep 17 00:00:00 2001 | 1 | From fdcf8c0343564121a89be817386c5feabd40c609 Mon Sep 17 00:00:00 2001 |
2 | From: Scott Moser <smoser@ubuntu.com> | 2 | From: Scott Moser <smoser@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 |
4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning | 4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning |
@@ -14,10 +14,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch | |||
14 | 1 file changed, 8 insertions(+), 1 deletion(-) | 14 | 1 file changed, 8 insertions(+), 1 deletion(-) |
15 | 15 | ||
16 | diff --git a/sshconnect.c b/sshconnect.c | 16 | diff --git a/sshconnect.c b/sshconnect.c |
17 | index 103d84e38..0b6f6af4b 100644 | 17 | index 644057bc4..41e75a275 100644 |
18 | --- a/sshconnect.c | 18 | --- a/sshconnect.c |
19 | +++ b/sshconnect.c | 19 | +++ b/sshconnect.c |
20 | @@ -986,9 +986,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 20 | @@ -990,9 +990,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
21 | error("%s. This could either mean that", key_msg); | 21 | error("%s. This could either mean that", key_msg); |
22 | error("DNS SPOOFING is happening or the IP address for the host"); | 22 | error("DNS SPOOFING is happening or the IP address for the host"); |
23 | error("and its host key have changed at the same time."); | 23 | error("and its host key have changed at the same time."); |
@@ -32,7 +32,7 @@ index 103d84e38..0b6f6af4b 100644 | |||
32 | } | 32 | } |
33 | /* The host key has changed. */ | 33 | /* The host key has changed. */ |
34 | warn_changed_key(host_key); | 34 | warn_changed_key(host_key); |
35 | @@ -997,6 +1001,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 35 | @@ -1001,6 +1005,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
36 | error("Offending %s key in %s:%lu", | 36 | error("Offending %s key in %s:%lu", |
37 | sshkey_type(host_found->key), | 37 | sshkey_type(host_found->key), |
38 | host_found->file, host_found->line); | 38 | host_found->file, host_found->line); |
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch index d67e00ffc..9b5baee08 100644 --- a/debian/patches/no-openssl-version-status.patch +++ b/debian/patches/no-openssl-version-status.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4cf082890d12604fcd28e7387b5eb4a5fb09695e Mon Sep 17 00:00:00 2001 | 1 | From ed88eee326ca80e1e0fdb6f9ef0346f6d5e021a8 Mon Sep 17 00:00:00 2001 |
2 | From: Kurt Roeckx <kurt@roeckx.be> | 2 | From: Kurt Roeckx <kurt@roeckx.be> |
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 |
4 | Subject: Don't check the status field of the OpenSSL version | 4 | Subject: Don't check the status field of the OpenSSL version |
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index b4ecb41eb..46e1f8712 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b3a38ffd3427b5404210f841c8e29c2df21e1825 Mon Sep 17 00:00:00 2001 | 1 | From 8fb8f70b0534897791c61f2757e97bd13385944e Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 |
4 | Subject: Adjust various OpenBSD-specific references in manual pages | 4 | Subject: Adjust various OpenBSD-specific references in manual pages |
@@ -44,10 +44,10 @@ index ef0de0850..149846c8c 100644 | |||
44 | .Sh SEE ALSO | 44 | .Sh SEE ALSO |
45 | .Xr ssh-keygen 1 , | 45 | .Xr ssh-keygen 1 , |
46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 | 46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 |
47 | index 124456577..9b877b860 100644 | 47 | index 957d2f0f0..143a2349f 100644 |
48 | --- a/ssh-keygen.1 | 48 | --- a/ssh-keygen.1 |
49 | +++ b/ssh-keygen.1 | 49 | +++ b/ssh-keygen.1 |
50 | @@ -178,9 +178,7 @@ key in | 50 | @@ -191,9 +191,7 @@ key in |
51 | .Pa ~/.ssh/id_ed25519 | 51 | .Pa ~/.ssh/id_ed25519 |
52 | or | 52 | or |
53 | .Pa ~/.ssh/id_rsa . | 53 | .Pa ~/.ssh/id_rsa . |
@@ -58,7 +58,7 @@ index 124456577..9b877b860 100644 | |||
58 | .Pp | 58 | .Pp |
59 | Normally this program generates the key and asks for a file in which | 59 | Normally this program generates the key and asks for a file in which |
60 | to store the private key. | 60 | to store the private key. |
61 | @@ -243,9 +241,7 @@ If | 61 | @@ -256,9 +254,7 @@ If |
62 | .Fl f | 62 | .Fl f |
63 | has also been specified, its argument is used as a prefix to the | 63 | has also been specified, its argument is used as a prefix to the |
64 | default path for the resulting host key files. | 64 | default path for the resulting host key files. |
@@ -67,9 +67,9 @@ index 124456577..9b877b860 100644 | |||
67 | -to generate new host keys. | 67 | -to generate new host keys. |
68 | +This is used by system administration scripts to generate new host keys. | 68 | +This is used by system administration scripts to generate new host keys. |
69 | .It Fl a Ar rounds | 69 | .It Fl a Ar rounds |
70 | When saving a private key this option specifies the number of KDF | 70 | When saving a private key, this option specifies the number of KDF |
71 | (key derivation function) rounds used. | 71 | (key derivation function) rounds used. |
72 | @@ -703,7 +699,7 @@ option. | 72 | @@ -798,7 +794,7 @@ option. |
73 | Valid generator values are 2, 3, and 5. | 73 | Valid generator values are 2, 3, and 5. |
74 | .Pp | 74 | .Pp |
75 | Screened DH groups may be installed in | 75 | Screened DH groups may be installed in |
@@ -78,7 +78,7 @@ index 124456577..9b877b860 100644 | |||
78 | It is important that this file contains moduli of a range of bit lengths and | 78 | It is important that this file contains moduli of a range of bit lengths and |
79 | that both ends of a connection share common moduli. | 79 | that both ends of a connection share common moduli. |
80 | .Sh CERTIFICATES | 80 | .Sh CERTIFICATES |
81 | @@ -903,7 +899,7 @@ on all machines | 81 | @@ -1049,7 +1045,7 @@ on all machines |
82 | where the user wishes to log in using public key authentication. | 82 | where the user wishes to log in using public key authentication. |
83 | There is no need to keep the contents of this file secret. | 83 | There is no need to keep the contents of this file secret. |
84 | .Pp | 84 | .Pp |
@@ -88,7 +88,7 @@ index 124456577..9b877b860 100644 | |||
88 | The file format is described in | 88 | The file format is described in |
89 | .Xr moduli 5 . | 89 | .Xr moduli 5 . |
90 | diff --git a/ssh.1 b/ssh.1 | 90 | diff --git a/ssh.1 b/ssh.1 |
91 | index 64ead5f57..e4aeae7b4 100644 | 91 | index 20e4c4efa..4923031f4 100644 |
92 | --- a/ssh.1 | 92 | --- a/ssh.1 |
93 | +++ b/ssh.1 | 93 | +++ b/ssh.1 |
94 | @@ -873,6 +873,10 @@ implements public key authentication protocol automatically, | 94 | @@ -873,6 +873,10 @@ implements public key authentication protocol automatically, |
@@ -133,10 +133,10 @@ index 57a7fd66b..4abc01d66 100644 | |||
133 | .Xr sshd_config 5 , | 133 | .Xr sshd_config 5 , |
134 | .Xr inetd 8 , | 134 | .Xr inetd 8 , |
135 | diff --git a/sshd_config.5 b/sshd_config.5 | 135 | diff --git a/sshd_config.5 b/sshd_config.5 |
136 | index addea54a0..f995e4ab0 100644 | 136 | index 46537f177..270805060 100644 |
137 | --- a/sshd_config.5 | 137 | --- a/sshd_config.5 |
138 | +++ b/sshd_config.5 | 138 | +++ b/sshd_config.5 |
139 | @@ -395,8 +395,7 @@ Certificates signed using other algorithms will not be accepted for | 139 | @@ -393,8 +393,7 @@ Certificates signed using other algorithms will not be accepted for |
140 | public key or host-based authentication. | 140 | public key or host-based authentication. |
141 | .It Cm ChallengeResponseAuthentication | 141 | .It Cm ChallengeResponseAuthentication |
142 | Specifies whether challenge-response authentication is allowed (e.g. via | 142 | Specifies whether challenge-response authentication is allowed (e.g. via |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index 55e4cc930..7a811f9af 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0085b2106eb5307ebdae9601471d8387961b2e83 Mon Sep 17 00:00:00 2001 | 1 | From 6a8dfab1a067a52b004594fadb3a90578a8cc094 Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 |
4 | Subject: Include the Debian version in our identification | 4 | Subject: Include the Debian version in our identification |
@@ -18,10 +18,10 @@ Patch-Name: package-versioning.patch | |||
18 | 2 files changed, 7 insertions(+), 2 deletions(-) | 18 | 2 files changed, 7 insertions(+), 2 deletions(-) |
19 | 19 | ||
20 | diff --git a/kex.c b/kex.c | 20 | diff --git a/kex.c b/kex.c |
21 | index a2a4794e8..be354206d 100644 | 21 | index e09355dbd..65ed6af02 100644 |
22 | --- a/kex.c | 22 | --- a/kex.c |
23 | +++ b/kex.c | 23 | +++ b/kex.c |
24 | @@ -1186,7 +1186,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, | 24 | @@ -1239,7 +1239,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, |
25 | if (version_addendum != NULL && *version_addendum == '\0') | 25 | if (version_addendum != NULL && *version_addendum == '\0') |
26 | version_addendum = NULL; | 26 | version_addendum = NULL; |
27 | if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", | 27 | if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", |
@@ -31,11 +31,11 @@ index a2a4794e8..be354206d 100644 | |||
31 | version_addendum == NULL ? "" : version_addendum)) != 0) { | 31 | version_addendum == NULL ? "" : version_addendum)) != 0) { |
32 | error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); | 32 | error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); |
33 | diff --git a/version.h b/version.h | 33 | diff --git a/version.h b/version.h |
34 | index 806ead9a6..599c859e6 100644 | 34 | index 6b3fadf89..a24017eca 100644 |
35 | --- a/version.h | 35 | --- a/version.h |
36 | +++ b/version.h | 36 | +++ b/version.h |
37 | @@ -3,4 +3,9 @@ | 37 | @@ -3,4 +3,9 @@ |
38 | #define SSH_VERSION "OpenSSH_8.0" | 38 | #define SSH_VERSION "OpenSSH_8.1" |
39 | 39 | ||
40 | #define SSH_PORTABLE "p1" | 40 | #define SSH_PORTABLE "p1" |
41 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 41 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch index dcbe38501..ea5ea0396 100644 --- a/debian/patches/restore-authorized_keys2.patch +++ b/debian/patches/restore-authorized_keys2.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 4eb4bf18caacd2fe12dbdde381347629dd8b3c95 Mon Sep 17 00:00:00 2001 | 1 | From f0c916d8008c30809fef44469bee1b74426a3071 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 5 Mar 2017 02:02:11 +0000 | 3 | Date: Sun, 5 Mar 2017 02:02:11 +0000 |
4 | Subject: Restore reading authorized_keys2 by default | 4 | Subject: Restore reading authorized_keys2 by default |
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch index 0472ea7d0..222a996f1 100644 --- a/debian/patches/restore-tcp-wrappers.patch +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0f9f44654708e4fde2f52c52f717d061b5e458fa Mon Sep 17 00:00:00 2001 | 1 | From 57c1dd662f9259f58a47801e2d4b0f84e973441d Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | 3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 |
4 | Subject: Restore TCP wrappers support | 4 | Subject: Restore TCP wrappers support |
@@ -28,10 +28,10 @@ Patch-Name: restore-tcp-wrappers.patch | |||
28 | 3 files changed, 89 insertions(+) | 28 | 3 files changed, 89 insertions(+) |
29 | 29 | ||
30 | diff --git a/configure.ac b/configure.ac | 30 | diff --git a/configure.ac b/configure.ac |
31 | index 2869f7042..ce16e7758 100644 | 31 | index 1c2512314..e894db9fc 100644 |
32 | --- a/configure.ac | 32 | --- a/configure.ac |
33 | +++ b/configure.ac | 33 | +++ b/configure.ac |
34 | @@ -1518,6 +1518,62 @@ else | 34 | @@ -1521,6 +1521,62 @@ else |
35 | AC_MSG_RESULT([no]) | 35 | AC_MSG_RESULT([no]) |
36 | fi | 36 | fi |
37 | 37 | ||
@@ -94,7 +94,7 @@ index 2869f7042..ce16e7758 100644 | |||
94 | # Check whether user wants to use ldns | 94 | # Check whether user wants to use ldns |
95 | LDNS_MSG="no" | 95 | LDNS_MSG="no" |
96 | AC_ARG_WITH(ldns, | 96 | AC_ARG_WITH(ldns, |
97 | @@ -5269,6 +5325,7 @@ echo " PAM support: $PAM_MSG" | 97 | @@ -5242,6 +5298,7 @@ echo " PAM support: $PAM_MSG" |
98 | echo " OSF SIA support: $SIA_MSG" | 98 | echo " OSF SIA support: $SIA_MSG" |
99 | echo " KerberosV support: $KRB5_MSG" | 99 | echo " KerberosV support: $KRB5_MSG" |
100 | echo " SELinux support: $SELINUX_MSG" | 100 | echo " SELinux support: $SELINUX_MSG" |
@@ -128,7 +128,7 @@ index fb133c14b..57a7fd66b 100644 | |||
128 | .Xr moduli 5 , | 128 | .Xr moduli 5 , |
129 | .Xr sshd_config 5 , | 129 | .Xr sshd_config 5 , |
130 | diff --git a/sshd.c b/sshd.c | 130 | diff --git a/sshd.c b/sshd.c |
131 | index 98680721b..46870d3b5 100644 | 131 | index 3a5c1ea78..4e32fd10d 100644 |
132 | --- a/sshd.c | 132 | --- a/sshd.c |
133 | +++ b/sshd.c | 133 | +++ b/sshd.c |
134 | @@ -127,6 +127,13 @@ | 134 | @@ -127,6 +127,13 @@ |
@@ -145,7 +145,7 @@ index 98680721b..46870d3b5 100644 | |||
145 | /* Re-exec fds */ | 145 | /* Re-exec fds */ |
146 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 146 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
147 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 147 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
148 | @@ -2057,6 +2064,24 @@ main(int ac, char **av) | 148 | @@ -2062,6 +2069,24 @@ main(int ac, char **av) |
149 | #ifdef SSH_AUDIT_EVENTS | 149 | #ifdef SSH_AUDIT_EVENTS |
150 | audit_connection_from(remote_ip, remote_port); | 150 | audit_connection_from(remote_ip, remote_port); |
151 | #endif | 151 | #endif |
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch index d524dc34f..34743f555 100644 --- a/debian/patches/revert-ipqos-defaults.patch +++ b/debian/patches/revert-ipqos-defaults.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From f08fbfbaad10ae0bd9f057de8e18071e588146a6 Mon Sep 17 00:00:00 2001 | 1 | From efef12825b9582c1710da3b7e50135870963d4f4 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Mon, 8 Apr 2019 10:46:29 +0100 | 3 | Date: Mon, 8 Apr 2019 10:46:29 +0100 |
4 | Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP | 4 | Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP |
@@ -24,10 +24,10 @@ Patch-Name: revert-ipqos-defaults.patch | |||
24 | 4 files changed, 8 insertions(+), 12 deletions(-) | 24 | 4 files changed, 8 insertions(+), 12 deletions(-) |
25 | 25 | ||
26 | diff --git a/readconf.c b/readconf.c | 26 | diff --git a/readconf.c b/readconf.c |
27 | index f35bde6e6..2ba312441 100644 | 27 | index 253574ce0..9812b8d98 100644 |
28 | --- a/readconf.c | 28 | --- a/readconf.c |
29 | +++ b/readconf.c | 29 | +++ b/readconf.c |
30 | @@ -2165,9 +2165,9 @@ fill_default_options(Options * options) | 30 | @@ -2174,9 +2174,9 @@ fill_default_options(Options * options) |
31 | if (options->visual_host_key == -1) | 31 | if (options->visual_host_key == -1) |
32 | options->visual_host_key = 0; | 32 | options->visual_host_key = 0; |
33 | if (options->ip_qos_interactive == -1) | 33 | if (options->ip_qos_interactive == -1) |
@@ -40,7 +40,7 @@ index f35bde6e6..2ba312441 100644 | |||
40 | options->request_tty = REQUEST_TTY_AUTO; | 40 | options->request_tty = REQUEST_TTY_AUTO; |
41 | if (options->proxy_use_fdpass == -1) | 41 | if (options->proxy_use_fdpass == -1) |
42 | diff --git a/servconf.c b/servconf.c | 42 | diff --git a/servconf.c b/servconf.c |
43 | index 8d2bced52..365e6ff1e 100644 | 43 | index 5576098a5..4464d51a5 100644 |
44 | --- a/servconf.c | 44 | --- a/servconf.c |
45 | +++ b/servconf.c | 45 | +++ b/servconf.c |
46 | @@ -423,9 +423,9 @@ fill_default_server_options(ServerOptions *options) | 46 | @@ -423,9 +423,9 @@ fill_default_server_options(ServerOptions *options) |
@@ -56,10 +56,10 @@ index 8d2bced52..365e6ff1e 100644 | |||
56 | options->version_addendum = xstrdup(""); | 56 | options->version_addendum = xstrdup(""); |
57 | if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) | 57 | if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) |
58 | diff --git a/ssh_config.5 b/ssh_config.5 | 58 | diff --git a/ssh_config.5 b/ssh_config.5 |
59 | index a27631ae9..a9f6d906f 100644 | 59 | index d27655e15..b71d5ede9 100644 |
60 | --- a/ssh_config.5 | 60 | --- a/ssh_config.5 |
61 | +++ b/ssh_config.5 | 61 | +++ b/ssh_config.5 |
62 | @@ -1098,11 +1098,9 @@ If one argument is specified, it is used as the packet class unconditionally. | 62 | @@ -1110,11 +1110,9 @@ If one argument is specified, it is used as the packet class unconditionally. |
63 | If two values are specified, the first is automatically selected for | 63 | If two values are specified, the first is automatically selected for |
64 | interactive sessions and the second for non-interactive sessions. | 64 | interactive sessions and the second for non-interactive sessions. |
65 | The default is | 65 | The default is |
@@ -74,10 +74,10 @@ index a27631ae9..a9f6d906f 100644 | |||
74 | .It Cm KbdInteractiveAuthentication | 74 | .It Cm KbdInteractiveAuthentication |
75 | Specifies whether to use keyboard-interactive authentication. | 75 | Specifies whether to use keyboard-interactive authentication. |
76 | diff --git a/sshd_config.5 b/sshd_config.5 | 76 | diff --git a/sshd_config.5 b/sshd_config.5 |
77 | index c0c4ebd66..e5380f5dc 100644 | 77 | index 02e29cb6f..ba533af9e 100644 |
78 | --- a/sshd_config.5 | 78 | --- a/sshd_config.5 |
79 | +++ b/sshd_config.5 | 79 | +++ b/sshd_config.5 |
80 | @@ -886,11 +886,9 @@ If one argument is specified, it is used as the packet class unconditionally. | 80 | @@ -892,11 +892,9 @@ If one argument is specified, it is used as the packet class unconditionally. |
81 | If two values are specified, the first is automatically selected for | 81 | If two values are specified, the first is automatically selected for |
82 | interactive sessions and the second for non-interactive sessions. | 82 | interactive sessions and the second for non-interactive sessions. |
83 | The default is | 83 | The default is |
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index d4561d053..e69c9c46e 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 08821a1b464a0d0d62f735d6bf1e6305faf73fa1 Mon Sep 17 00:00:00 2001 | 1 | From 2d8e679834c81fc381d02974986e08cafe3efa29 Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | 2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 |
4 | Subject: Adjust scp quoting in verbose mode | 4 | Subject: Adjust scp quoting in verbose mode |
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch | |||
17 | 1 file changed, 10 insertions(+), 2 deletions(-) | 17 | 1 file changed, 10 insertions(+), 2 deletions(-) |
18 | 18 | ||
19 | diff --git a/scp.c b/scp.c | 19 | diff --git a/scp.c b/scp.c |
20 | index 80bc0e8b1..a2dc410bd 100644 | 20 | index 0348d0673..5a7a92a7e 100644 |
21 | --- a/scp.c | 21 | --- a/scp.c |
22 | +++ b/scp.c | 22 | +++ b/scp.c |
23 | @@ -199,8 +199,16 @@ do_local_cmd(arglist *a) | 23 | @@ -199,8 +199,16 @@ do_local_cmd(arglist *a) |
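--- a/debian/patches/seccomp-handle-shm.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From ceefaa8ee80b63c0890d24c42369dc51880f53ea Mon Sep 17 00:00:00 2001
-From: Lonnie Abelbeck <lonnie@abelbeck.com>
-Date: Tue, 1 Oct 2019 09:05:09 -0500
-Subject: Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
-
-New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
-in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
-
-Bug: https://github.com/openssh/openssh-portable/pull/149
-Bug-Debian: https://bugs.debian.org/941663
-Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602
-Last-Update: 2019-10-05
-
-Patch-Name: seccomp-handle-shm.patch
----
-sandbox-seccomp-filter.c | 9 +++++++++
-1 file changed, 9 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index ef4de8c65..e8f31555e 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = {
-#ifdef __NR_stat64
-SC_DENY(__NR_stat64, EACCES),
-#endif
-+#ifdef __NR_shmget
-+ SC_DENY(__NR_shmget, EACCES),
-+#endif
-+#ifdef __NR_shmat
-+ SC_DENY(__NR_shmat, EACCES),
-+#endif
-+#ifdef __NR_shmdt
-+ SC_DENY(__NR_shmdt, EACCES),
-+#endif
-
-/* Syscalls to permit */
-#ifdef __NR_brk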
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch index cec741d2b..aaefa9ed4 100644 --- a/debian/patches/seccomp-s390-flock-ipc.patch +++ b/debian/patches/seccomp-s390-flock-ipc.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a85bb8a31b789276d5edb0c34023ce833a402b00 Mon Sep 17 00:00:00 2001 | 1 | From cfc30ca51eba79f9f725c22528e3bfec036aa927 Mon Sep 17 00:00:00 2001 |
2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | 2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> |
3 | Date: Tue, 9 May 2017 10:53:04 -0300 | 3 | Date: Tue, 9 May 2017 10:53:04 -0300 |
4 | Subject: Allow flock and ipc syscall for s390 architecture | 4 | Subject: Allow flock and ipc syscall for s390 architecture |
@@ -22,10 +22,10 @@ Patch-Name: seccomp-s390-flock-ipc.patch | |||
22 | 1 file changed, 6 insertions(+) | 22 | 1 file changed, 6 insertions(+) |
23 | 23 | ||
24 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | 24 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c |
25 | index 5edbc6946..d4bc20828 100644 | 25 | index b5cda70bb..2f6b0d55b 100644 |
26 | --- a/sandbox-seccomp-filter.c | 26 | --- a/sandbox-seccomp-filter.c |
27 | +++ b/sandbox-seccomp-filter.c | 27 | +++ b/sandbox-seccomp-filter.c |
28 | @@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { | 28 | @@ -194,6 +194,9 @@ static const struct sock_filter preauth_insns[] = { |
29 | #ifdef __NR_exit_group | 29 | #ifdef __NR_exit_group |
30 | SC_ALLOW(__NR_exit_group), | 30 | SC_ALLOW(__NR_exit_group), |
31 | #endif | 31 | #endif |
@@ -35,7 +35,7 @@ index 5edbc6946..d4bc20828 100644 | |||
35 | #ifdef __NR_futex | 35 | #ifdef __NR_futex |
36 | SC_ALLOW(__NR_futex), | 36 | SC_ALLOW(__NR_futex), |
37 | #endif | 37 | #endif |
38 | @@ -193,6 +196,9 @@ static const struct sock_filter preauth_insns[] = { | 38 | @@ -221,6 +224,9 @@ static const struct sock_filter preauth_insns[] = { |
39 | #ifdef __NR_getuid32 | 39 | #ifdef __NR_getuid32 |
40 | SC_ALLOW(__NR_getuid32), | 40 | SC_ALLOW(__NR_getuid32), |
41 | #endif | 41 | #endif |
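--- a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From d38283cc4cba6bf7685a16898a3b9d3a6cecf661 Mon Sep 17 00:00:00 2001
-From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-Date: Tue, 9 May 2017 13:33:30 -0300
-Subject: Enable specific ioctl call for EP11 crypto card (s390)
-
-The EP11 crypto card needs to make an ioctl call, which receives an
-specific argument. This crypto card is for s390 only.
-
-Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
-
-Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
-Last-Update: 2017-08-28
-
-Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
----
-sandbox-seccomp-filter.c | 2 ++
-1 file changed, 2 insertions(+)
-
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index d4bc20828..ef4de8c65 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -256,6 +256,8 @@ static const struct sock_filter preauth_insns[] = {
-SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
-SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
-SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
-+ /* Allow ioctls for EP11 crypto card on s390 */
-+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
-#endif
-#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
-/*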
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 5ab339ac9..02d740fe3 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 21e3ff3ab4791d3c94bd775da66cde29797fcb36 Mon Sep 17 00:00:00 2001 | 1 | From 3131e3bb3c56a6c6ee8cb9d68f542af04cd9e8ff Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -31,10 +31,10 @@ Patch-Name: selinux-role.patch | |||
31 | 15 files changed, 99 insertions(+), 32 deletions(-) | 31 | 15 files changed, 99 insertions(+), 32 deletions(-) |
32 | 32 | ||
33 | diff --git a/auth.h b/auth.h | 33 | diff --git a/auth.h b/auth.h |
34 | index bf393e755..8f13bdf48 100644 | 34 | index becc672b5..5da9fe75f 100644 |
35 | --- a/auth.h | 35 | --- a/auth.h |
36 | +++ b/auth.h | 36 | +++ b/auth.h |
37 | @@ -65,6 +65,7 @@ struct Authctxt { | 37 | @@ -63,6 +63,7 @@ struct Authctxt { |
38 | char *service; | 38 | char *service; |
39 | struct passwd *pw; /* set if 'valid' */ | 39 | struct passwd *pw; /* set if 'valid' */ |
40 | char *style; | 40 | char *style; |
@@ -43,10 +43,10 @@ index bf393e755..8f13bdf48 100644 | |||
43 | /* Method lists for multiple authentication */ | 43 | /* Method lists for multiple authentication */ |
44 | char **auth_methods; /* modified from server config */ | 44 | char **auth_methods; /* modified from server config */ |
45 | diff --git a/auth2.c b/auth2.c | 45 | diff --git a/auth2.c b/auth2.c |
46 | index 7417eafa4..d60e7f1f2 100644 | 46 | index 1c217268c..92a6bcaf4 100644 |
47 | --- a/auth2.c | 47 | --- a/auth2.c |
48 | +++ b/auth2.c | 48 | +++ b/auth2.c |
49 | @@ -267,7 +267,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | 49 | @@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
50 | { | 50 | { |
51 | Authctxt *authctxt = ssh->authctxt; | 51 | Authctxt *authctxt = ssh->authctxt; |
52 | Authmethod *m = NULL; | 52 | Authmethod *m = NULL; |
@@ -55,7 +55,7 @@ index 7417eafa4..d60e7f1f2 100644 | |||
55 | int r, authenticated = 0; | 55 | int r, authenticated = 0; |
56 | double tstart = monotime_double(); | 56 | double tstart = monotime_double(); |
57 | 57 | ||
58 | @@ -281,8 +281,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | 58 | @@ -279,8 +279,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
59 | debug("userauth-request for user %s service %s method %s", user, service, method); | 59 | debug("userauth-request for user %s service %s method %s", user, service, method); |
60 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 60 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
61 | 61 | ||
@@ -69,7 +69,7 @@ index 7417eafa4..d60e7f1f2 100644 | |||
69 | 69 | ||
70 | if (authctxt->attempt++ == 0) { | 70 | if (authctxt->attempt++ == 0) { |
71 | /* setup auth context */ | 71 | /* setup auth context */ |
72 | @@ -309,8 +314,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | 72 | @@ -307,8 +312,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
73 | use_privsep ? " [net]" : ""); | 73 | use_privsep ? " [net]" : ""); |
74 | authctxt->service = xstrdup(service); | 74 | authctxt->service = xstrdup(service); |
75 | authctxt->style = style ? xstrdup(style) : NULL; | 75 | authctxt->style = style ? xstrdup(style) : NULL; |
@@ -81,7 +81,7 @@ index 7417eafa4..d60e7f1f2 100644 | |||
81 | if (auth2_setup_methods_lists(authctxt) != 0) | 81 | if (auth2_setup_methods_lists(authctxt) != 0) |
82 | ssh_packet_disconnect(ssh, | 82 | ssh_packet_disconnect(ssh, |
83 | diff --git a/monitor.c b/monitor.c | 83 | diff --git a/monitor.c b/monitor.c |
84 | index 0766d6ef5..5f84e880d 100644 | 84 | index bead9e204..04db44c9c 100644 |
85 | --- a/monitor.c | 85 | --- a/monitor.c |
86 | +++ b/monitor.c | 86 | +++ b/monitor.c |
87 | @@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *); | 87 | @@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *); |
@@ -177,7 +177,7 @@ index 2b1a2d590..4d87284aa 100644 | |||
177 | 177 | ||
178 | struct ssh; | 178 | struct ssh; |
179 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 179 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
180 | index 8e4c1c1f8..6b3a6251c 100644 | 180 | index fdca39a6a..933ce9a3d 100644 |
181 | --- a/monitor_wrap.c | 181 | --- a/monitor_wrap.c |
182 | +++ b/monitor_wrap.c | 182 | +++ b/monitor_wrap.c |
183 | @@ -364,10 +364,10 @@ mm_auth2_read_banner(void) | 183 | @@ -364,10 +364,10 @@ mm_auth2_read_banner(void) |
@@ -231,11 +231,11 @@ index 8e4c1c1f8..6b3a6251c 100644 | |||
231 | int | 231 | int |
232 | mm_auth_password(struct ssh *ssh, char *password) | 232 | mm_auth_password(struct ssh *ssh, char *password) |
233 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 233 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
234 | index 69164a8c0..3d0e32d48 100644 | 234 | index 92dda574b..0f09dba09 100644 |
235 | --- a/monitor_wrap.h | 235 | --- a/monitor_wrap.h |
236 | +++ b/monitor_wrap.h | 236 | +++ b/monitor_wrap.h |
237 | @@ -44,7 +44,8 @@ int mm_is_monitor(void); | 237 | @@ -46,7 +46,8 @@ DH *mm_choose_dh(int, int, int); |
238 | DH *mm_choose_dh(int, int, int); | 238 | #endif |
239 | int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, | 239 | int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, |
240 | const u_char *, size_t, const char *, u_int compat); | 240 | const u_char *, size_t, const char *, u_int compat); |
241 | -void mm_inform_authserv(char *, char *); | 241 | -void mm_inform_authserv(char *, char *); |
@@ -328,10 +328,10 @@ index 3c22a854d..c88129428 100644 | |||
328 | void ssh_selinux_setfscreatecon(const char *); | 328 | void ssh_selinux_setfscreatecon(const char *); |
329 | #endif | 329 | #endif |
330 | diff --git a/platform.c b/platform.c | 330 | diff --git a/platform.c b/platform.c |
331 | index 41acc9370..35654ea51 100644 | 331 | index 44ba71dc5..2defe9425 100644 |
332 | --- a/platform.c | 332 | --- a/platform.c |
333 | +++ b/platform.c | 333 | +++ b/platform.c |
334 | @@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw) | 334 | @@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) |
335 | * called if sshd is running as root. | 335 | * called if sshd is running as root. |
336 | */ | 336 | */ |
337 | void | 337 | void |
@@ -340,7 +340,7 @@ index 41acc9370..35654ea51 100644 | |||
340 | { | 340 | { |
341 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | 341 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) |
342 | /* | 342 | /* |
343 | @@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) | 343 | @@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw) |
344 | } | 344 | } |
345 | #endif /* HAVE_SETPCRED */ | 345 | #endif /* HAVE_SETPCRED */ |
346 | #ifdef WITH_SELINUX | 346 | #ifdef WITH_SELINUX |
@@ -363,7 +363,7 @@ index ea4f9c584..60d72ffe7 100644 | |||
363 | char *platform_krb5_get_principal_name(const char *); | 363 | char *platform_krb5_get_principal_name(const char *); |
364 | int platform_sys_dir_uid(uid_t); | 364 | int platform_sys_dir_uid(uid_t); |
365 | diff --git a/session.c b/session.c | 365 | diff --git a/session.c b/session.c |
366 | index ac3d9d19d..d87ea4d44 100644 | 366 | index f1a47f766..df7d7cf55 100644 |
367 | --- a/session.c | 367 | --- a/session.c |
368 | +++ b/session.c | 368 | +++ b/session.c |
369 | @@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid) | 369 | @@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid) |
@@ -425,7 +425,7 @@ index ce59dabd9..675c91146 100644 | |||
425 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); | 425 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); |
426 | 426 | ||
427 | diff --git a/sshd.c b/sshd.c | 427 | diff --git a/sshd.c b/sshd.c |
428 | index 46870d3b5..e3e96426e 100644 | 428 | index 4e32fd10d..ea8beacb4 100644 |
429 | --- a/sshd.c | 429 | --- a/sshd.c |
430 | +++ b/sshd.c | 430 | +++ b/sshd.c |
431 | @@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) | 431 | @@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) |
@@ -438,7 +438,7 @@ index 46870d3b5..e3e96426e 100644 | |||
438 | skip: | 438 | skip: |
439 | /* It is safe now to apply the key state */ | 439 | /* It is safe now to apply the key state */ |
440 | diff --git a/sshpty.c b/sshpty.c | 440 | diff --git a/sshpty.c b/sshpty.c |
441 | index 4da84d05f..676ade50e 100644 | 441 | index bce09e255..308449b37 100644 |
442 | --- a/sshpty.c | 442 | --- a/sshpty.c |
443 | +++ b/sshpty.c | 443 | +++ b/sshpty.c |
444 | @@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, | 444 | @@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, |
@@ -450,7 +450,7 @@ index 4da84d05f..676ade50e 100644 | |||
450 | { | 450 | { |
451 | struct group *grp; | 451 | struct group *grp; |
452 | gid_t gid; | 452 | gid_t gid; |
453 | @@ -184,7 +184,7 @@ pty_setowner(struct passwd *pw, const char *tty) | 453 | @@ -186,7 +186,7 @@ pty_setowner(struct passwd *pw, const char *tty) |
454 | strerror(errno)); | 454 | strerror(errno)); |
455 | 455 | ||
456 | #ifdef WITH_SELINUX | 456 | #ifdef WITH_SELINUX |
diff --git a/debian/patches/series b/debian/patches/series index 4af8d8861..74cdd2ce3 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -22,9 +22,5 @@ systemd-readiness.patch | |||
22 | debian-config.patch | 22 | debian-config.patch |
23 | restore-authorized_keys2.patch | 23 | restore-authorized_keys2.patch |
24 | seccomp-s390-flock-ipc.patch | 24 | seccomp-s390-flock-ipc.patch |
25 | seccomp-s390-ioctl-ep11-crypto.patch | ||
26 | fix-interop-tests.patch | ||
27 | conch-old-privkey-format.patch | 25 | conch-old-privkey-format.patch |
28 | revert-ipqos-defaults.patch | 26 | revert-ipqos-defaults.patch |
29 | fix-utimensat-test.patch | ||
30 | seccomp-handle-shm.patch | ||
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index e6a21fb79..d7f69011e 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 2cbb28cbd60e1c5c13a8457ad77a62c7787ba4a8 Mon Sep 17 00:00:00 2001 | 1 | From 5d1aab0eb6baeb044516660a0bde36cba2a3f9c2 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 |
4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand | 4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand |
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch | |||
16 | 1 file changed, 2 insertions(+), 2 deletions(-) | 16 | 1 file changed, 2 insertions(+), 2 deletions(-) |
17 | 17 | ||
18 | diff --git a/sshconnect.c b/sshconnect.c | 18 | diff --git a/sshconnect.c b/sshconnect.c |
19 | index fdcdcd855..103d84e38 100644 | 19 | index 6230dad32..644057bc4 100644 |
20 | --- a/sshconnect.c | 20 | --- a/sshconnect.c |
21 | +++ b/sshconnect.c | 21 | +++ b/sshconnect.c |
22 | @@ -257,7 +257,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, | 22 | @@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg, |
23 | /* Execute the proxy command. Note that we gave up any | 23 | /* Execute the proxy command. Note that we gave up any |
24 | extra privileges above. */ | 24 | extra privileges above. */ |
25 | signal(SIGPIPE, SIG_DFL); | 25 | signal(SIGPIPE, SIG_DFL); |
@@ -28,7 +28,7 @@ index fdcdcd855..103d84e38 100644 | |||
28 | perror(argv[0]); | 28 | perror(argv[0]); |
29 | exit(1); | 29 | exit(1); |
30 | } | 30 | } |
31 | @@ -1382,7 +1382,7 @@ ssh_local_cmd(const char *args) | 31 | @@ -1387,7 +1387,7 @@ ssh_local_cmd(const char *args) |
32 | if (pid == 0) { | 32 | if (pid == 0) { |
33 | signal(SIGPIPE, SIG_DFL); | 33 | signal(SIGPIPE, SIG_DFL); |
34 | debug3("Executing %s -c \"%s\"", shell, args); | 34 | debug3("Executing %s -c \"%s\"", shell, args); |
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch index cbc781435..0dd4c662e 100644 --- a/debian/patches/ssh-agent-setgid.patch +++ b/debian/patches/ssh-agent-setgid.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 22d2b4adcb38771adba96e326749cc67ee33d172 Mon Sep 17 00:00:00 2001 | 1 | From a8b5ec5c28805f0ab6b1b05474531521ac42eb12 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 |
4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) | 4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) |
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index 5b6c0ce4a..af95ce67e 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From a3f10aefc2ed6ea656f5e57985400f86f56c40f6 Mon Sep 17 00:00:00 2001 | 1 | From e9f961ffa4e4e73ed22103b5697147d135d88b4f Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 |
4 | Subject: ssh(1): Refer to ssh-argv0(1) | 4 | Subject: ssh(1): Refer to ssh-argv0(1) |
@@ -18,7 +18,7 @@ Patch-Name: ssh-argv0.patch | |||
18 | 1 file changed, 1 insertion(+) | 18 | 1 file changed, 1 insertion(+) |
19 | 19 | ||
20 | diff --git a/ssh.1 b/ssh.1 | 20 | diff --git a/ssh.1 b/ssh.1 |
21 | index e4aeae7b4..8d2b08a29 100644 | 21 | index 4923031f4..24530e511 100644 |
22 | --- a/ssh.1 | 22 | --- a/ssh.1 |
23 | +++ b/ssh.1 | 23 | +++ b/ssh.1 |
24 | @@ -1584,6 +1584,7 @@ if an error occurred. | 24 | @@ -1584,6 +1584,7 @@ if an error occurred. |
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index 8adc301fc..5c2b58257 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0138f331a73d692f4543477ce7f64f9ede7d6b08 Mon Sep 17 00:00:00 2001 | 1 | From 42c820f76fddf2f2e537dbe10842aa39f6154059 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
@@ -17,7 +17,7 @@ Patch-Name: ssh-vulnkey-compat.patch | |||
17 | 2 files changed, 2 insertions(+) | 17 | 2 files changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/readconf.c b/readconf.c | 19 | diff --git a/readconf.c b/readconf.c |
20 | index 4d699e5f1..29f3bd98d 100644 | 20 | index 3c68d1a88..a7fb7ca15 100644 |
21 | --- a/readconf.c | 21 | --- a/readconf.c |
22 | +++ b/readconf.c | 22 | +++ b/readconf.c |
23 | @@ -192,6 +192,7 @@ static struct { | 23 | @@ -192,6 +192,7 @@ static struct { |
@@ -29,7 +29,7 @@ index 4d699e5f1..29f3bd98d 100644 | |||
29 | { "useroaming", oDeprecated }, | 29 | { "useroaming", oDeprecated }, |
30 | { "usersh", oDeprecated }, | 30 | { "usersh", oDeprecated }, |
31 | diff --git a/servconf.c b/servconf.c | 31 | diff --git a/servconf.c b/servconf.c |
32 | index ffdad31e7..c01e0690e 100644 | 32 | index f63eb0b94..73b93c636 100644 |
33 | --- a/servconf.c | 33 | --- a/servconf.c |
34 | +++ b/servconf.c | 34 | +++ b/servconf.c |
35 | @@ -621,6 +621,7 @@ static struct { | 35 | @@ -621,6 +621,7 @@ static struct { |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index dd242d80a..2e4e5bbec 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e9dd9cd95fe8fe2da9b114a1546a90634b3ce4be Mon Sep 17 00:00:00 2001 | 1 | From 3d1a993f484e9043e57af3ae37b7c9c608d5a5f1 Mon Sep 17 00:00:00 2001 |
2 | From: Natalie Amery <nmamery@chiark.greenend.org.uk> | 2 | From: Natalie Amery <nmamery@chiark.greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
@@ -33,10 +33,10 @@ index d9c2d136c..1749af6d1 100644 | |||
33 | { "FATAL", SYSLOG_LEVEL_FATAL }, | 33 | { "FATAL", SYSLOG_LEVEL_FATAL }, |
34 | { "ERROR", SYSLOG_LEVEL_ERROR }, | 34 | { "ERROR", SYSLOG_LEVEL_ERROR }, |
35 | diff --git a/ssh.c b/ssh.c | 35 | diff --git a/ssh.c b/ssh.c |
36 | index 42be7d88f..86f143341 100644 | 36 | index 2da9f5d0d..7b482dcb0 100644 |
37 | --- a/ssh.c | 37 | --- a/ssh.c |
38 | +++ b/ssh.c | 38 | +++ b/ssh.c |
39 | @@ -1265,7 +1265,7 @@ main(int ac, char **av) | 39 | @@ -1268,7 +1268,7 @@ main(int ac, char **av) |
40 | /* Do not allocate a tty if stdin is not a tty. */ | 40 | /* Do not allocate a tty if stdin is not a tty. */ |
41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && | 41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && |
42 | options.request_tty != REQUEST_TTY_FORCE) { | 42 | options.request_tty != REQUEST_TTY_FORCE) { |
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch index c3b8f9f86..7fb76cf3d 100644 --- a/debian/patches/systemd-readiness.patch +++ b/debian/patches/systemd-readiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d23f57ff1e85ded1298886968c9949282c4cba08 Mon Sep 17 00:00:00 2001 | 1 | From ab765b2bd55062a704f09da8f8c1c4ad1d6630a7 Mon Sep 17 00:00:00 2001 |
2 | From: Michael Biebl <biebl@debian.org> | 2 | From: Michael Biebl <biebl@debian.org> |
3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 | 3 | Date: Mon, 21 Dec 2015 16:08:47 +0000 |
4 | Subject: Add systemd readiness notification support | 4 | Subject: Add systemd readiness notification support |
@@ -14,10 +14,10 @@ Patch-Name: systemd-readiness.patch | |||
14 | 2 files changed, 33 insertions(+) | 14 | 2 files changed, 33 insertions(+) |
15 | 15 | ||
16 | diff --git a/configure.ac b/configure.ac | 16 | diff --git a/configure.ac b/configure.ac |
17 | index ce16e7758..de140f578 100644 | 17 | index e894db9fc..c119d6fd1 100644 |
18 | --- a/configure.ac | 18 | --- a/configure.ac |
19 | +++ b/configure.ac | 19 | +++ b/configure.ac |
20 | @@ -4526,6 +4526,29 @@ AC_ARG_WITH([kerberos5], | 20 | @@ -4499,6 +4499,29 @@ AC_ARG_WITH([kerberos5], |
21 | AC_SUBST([GSSLIBS]) | 21 | AC_SUBST([GSSLIBS]) |
22 | AC_SUBST([K5LIBS]) | 22 | AC_SUBST([K5LIBS]) |
23 | 23 | ||
@@ -47,7 +47,7 @@ index ce16e7758..de140f578 100644 | |||
47 | # Looking for programs, paths and files | 47 | # Looking for programs, paths and files |
48 | 48 | ||
49 | PRIVSEP_PATH=/var/empty | 49 | PRIVSEP_PATH=/var/empty |
50 | @@ -5332,6 +5355,7 @@ echo " libldns support: $LDNS_MSG" | 50 | @@ -5305,6 +5328,7 @@ echo " libldns support: $LDNS_MSG" |
51 | echo " Solaris process contract support: $SPC_MSG" | 51 | echo " Solaris process contract support: $SPC_MSG" |
52 | echo " Solaris project support: $SP_MSG" | 52 | echo " Solaris project support: $SP_MSG" |
53 | echo " Solaris privilege support: $SPP_MSG" | 53 | echo " Solaris privilege support: $SPP_MSG" |
@@ -56,7 +56,7 @@ index ce16e7758..de140f578 100644 | |||
56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | 56 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" |
57 | echo " BSD Auth support: $BSD_AUTH_MSG" | 57 | echo " BSD Auth support: $BSD_AUTH_MSG" |
58 | diff --git a/sshd.c b/sshd.c | 58 | diff --git a/sshd.c b/sshd.c |
59 | index 1e7ece588..48162b629 100644 | 59 | index 4e8ff0662..5e7679a33 100644 |
60 | --- a/sshd.c | 60 | --- a/sshd.c |
61 | +++ b/sshd.c | 61 | +++ b/sshd.c |
62 | @@ -85,6 +85,10 @@ | 62 | @@ -85,6 +85,10 @@ |
@@ -70,7 +70,7 @@ index 1e7ece588..48162b629 100644 | |||
70 | #include "xmalloc.h" | 70 | #include "xmalloc.h" |
71 | #include "ssh.h" | 71 | #include "ssh.h" |
72 | #include "ssh2.h" | 72 | #include "ssh2.h" |
73 | @@ -1946,6 +1950,11 @@ main(int ac, char **av) | 73 | @@ -1951,6 +1955,11 @@ main(int ac, char **av) |
74 | } | 74 | } |
75 | } | 75 | } |
76 | 76 | ||
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 05ea5f486..9a1b434fa 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 0fc2ac6707abe076cd6b444f73c478eeda54b25f Mon Sep 17 00:00:00 2001 | 1 | From 19f1d075a06f4d3c9b440d7272272569d8bb0a17 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -13,7 +13,7 @@ default. | |||
13 | 13 | ||
14 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 | 14 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 |
15 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 | 15 | Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 |
16 | Last-Update: 2019-06-05 | 16 | Last-Update: 2019-10-09 |
17 | 17 | ||
18 | Patch-Name: user-group-modes.patch | 18 | Patch-Name: user-group-modes.patch |
19 | --- | 19 | --- |
@@ -27,10 +27,10 @@ Patch-Name: user-group-modes.patch | |||
27 | 7 files changed, 63 insertions(+), 13 deletions(-) | 27 | 7 files changed, 63 insertions(+), 13 deletions(-) |
28 | 28 | ||
29 | diff --git a/auth-rhosts.c b/auth-rhosts.c | 29 | diff --git a/auth-rhosts.c b/auth-rhosts.c |
30 | index 57296e1f6..546aa0495 100644 | 30 | index 7a10210b6..587f53721 100644 |
31 | --- a/auth-rhosts.c | 31 | --- a/auth-rhosts.c |
32 | +++ b/auth-rhosts.c | 32 | +++ b/auth-rhosts.c |
33 | @@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | 33 | @@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, |
34 | return 0; | 34 | return 0; |
35 | } | 35 | } |
36 | if (options.strict_modes && | 36 | if (options.strict_modes && |
@@ -40,7 +40,7 @@ index 57296e1f6..546aa0495 100644 | |||
40 | logit("Rhosts authentication refused for %.100s: " | 40 | logit("Rhosts authentication refused for %.100s: " |
41 | "bad ownership or modes for home directory.", pw->pw_name); | 41 | "bad ownership or modes for home directory.", pw->pw_name); |
42 | auth_debug_add("Rhosts authentication refused for %.100s: " | 42 | auth_debug_add("Rhosts authentication refused for %.100s: " |
43 | @@ -288,8 +287,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, | 43 | @@ -287,8 +286,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, |
44 | * allowing access to their account by anyone. | 44 | * allowing access to their account by anyone. |
45 | */ | 45 | */ |
46 | if (options.strict_modes && | 46 | if (options.strict_modes && |
@@ -51,7 +51,7 @@ index 57296e1f6..546aa0495 100644 | |||
51 | pw->pw_name, buf); | 51 | pw->pw_name, buf); |
52 | auth_debug_add("Bad file modes for %.200s", buf); | 52 | auth_debug_add("Bad file modes for %.200s", buf); |
53 | diff --git a/auth.c b/auth.c | 53 | diff --git a/auth.c b/auth.c |
54 | index f7a23afba..8ffd77662 100644 | 54 | index 47c27773c..fc0c05bae 100644 |
55 | --- a/auth.c | 55 | --- a/auth.c |
56 | +++ b/auth.c | 56 | +++ b/auth.c |
57 | @@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, | 57 | @@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, |
@@ -65,7 +65,7 @@ index f7a23afba..8ffd77662 100644 | |||
65 | "bad owner or modes for %.200s", | 65 | "bad owner or modes for %.200s", |
66 | pw->pw_name, user_hostfile); | 66 | pw->pw_name, user_hostfile); |
67 | diff --git a/misc.c b/misc.c | 67 | diff --git a/misc.c b/misc.c |
68 | index 009e02bc5..634b5060a 100644 | 68 | index 88833d7ff..42eeb425a 100644 |
69 | --- a/misc.c | 69 | --- a/misc.c |
70 | +++ b/misc.c | 70 | +++ b/misc.c |
71 | @@ -59,8 +59,9 @@ | 71 | @@ -59,8 +59,9 @@ |
@@ -79,7 +79,7 @@ index 009e02bc5..634b5060a 100644 | |||
79 | #ifdef SSH_TUN_OPENBSD | 79 | #ifdef SSH_TUN_OPENBSD |
80 | #include <net/if.h> | 80 | #include <net/if.h> |
81 | #endif | 81 | #endif |
82 | @@ -1103,6 +1104,55 @@ percent_expand(const char *string, ...) | 82 | @@ -1112,6 +1113,55 @@ percent_expand(const char *string, ...) |
83 | #undef EXPAND_MAX_KEYS | 83 | #undef EXPAND_MAX_KEYS |
84 | } | 84 | } |
85 | 85 | ||
@@ -135,7 +135,7 @@ index 009e02bc5..634b5060a 100644 | |||
135 | int | 135 | int |
136 | tun_open(int tun, int mode, char **ifname) | 136 | tun_open(int tun, int mode, char **ifname) |
137 | { | 137 | { |
138 | @@ -1860,8 +1910,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, | 138 | @@ -1869,8 +1919,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, |
139 | snprintf(err, errlen, "%s is not a regular file", buf); | 139 | snprintf(err, errlen, "%s is not a regular file", buf); |
140 | return -1; | 140 | return -1; |
141 | } | 141 | } |
@@ -145,10 +145,10 @@ index 009e02bc5..634b5060a 100644 | |||
145 | snprintf(err, errlen, "bad ownership or modes for file %s", | 145 | snprintf(err, errlen, "bad ownership or modes for file %s", |
146 | buf); | 146 | buf); |
147 | return -1; | 147 | return -1; |
148 | @@ -1876,8 +1925,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, | 148 | @@ -1885,8 +1934,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, |
149 | strlcpy(buf, cp, sizeof(buf)); | 149 | strlcpy(buf, cp, sizeof(buf)); |
150 | 150 | ||
151 | if (stat(buf, &st) < 0 || | 151 | if (stat(buf, &st) == -1 || |
152 | - (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || | 152 | - (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || |
153 | - (st.st_mode & 022) != 0) { | 153 | - (st.st_mode & 022) != 0) { |
154 | + !secure_permissions(&st, uid)) { | 154 | + !secure_permissions(&st, uid)) { |
@@ -156,10 +156,10 @@ index 009e02bc5..634b5060a 100644 | |||
156 | "bad ownership or modes for directory %s", buf); | 156 | "bad ownership or modes for directory %s", buf); |
157 | return -1; | 157 | return -1; |
158 | diff --git a/misc.h b/misc.h | 158 | diff --git a/misc.h b/misc.h |
159 | index 5b4325aba..a4bdee187 100644 | 159 | index bcc34f980..869895d3a 100644 |
160 | --- a/misc.h | 160 | --- a/misc.h |
161 | +++ b/misc.h | 161 | +++ b/misc.h |
162 | @@ -175,6 +175,8 @@ int safe_path_fd(int, const char *, struct passwd *, | 162 | @@ -181,6 +181,8 @@ int opt_match(const char **opts, const char *term); |
163 | char *read_passphrase(const char *, int); | 163 | char *read_passphrase(const char *, int); |
164 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 164 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
165 | 165 | ||
@@ -169,10 +169,10 @@ index 5b4325aba..a4bdee187 100644 | |||
169 | #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) | 169 | #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) |
170 | #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) | 170 | #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) |
171 | diff --git a/readconf.c b/readconf.c | 171 | diff --git a/readconf.c b/readconf.c |
172 | index 3d0b6ff90..cd60007f8 100644 | 172 | index 09787c0e5..16d2729dd 100644 |
173 | --- a/readconf.c | 173 | --- a/readconf.c |
174 | +++ b/readconf.c | 174 | +++ b/readconf.c |
175 | @@ -1846,8 +1846,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, | 175 | @@ -1855,8 +1855,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, |
176 | 176 | ||
177 | if (fstat(fileno(f), &sb) == -1) | 177 | if (fstat(fileno(f), &sb) == -1) |
178 | fatal("fstat %s: %s", filename, strerror(errno)); | 178 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -183,7 +183,7 @@ index 3d0b6ff90..cd60007f8 100644 | |||
183 | } | 183 | } |
184 | 184 | ||
185 | diff --git a/ssh.1 b/ssh.1 | 185 | diff --git a/ssh.1 b/ssh.1 |
186 | index a1c7d2305..64ead5f57 100644 | 186 | index 26940ad55..20e4c4efa 100644 |
187 | --- a/ssh.1 | 187 | --- a/ssh.1 |
188 | +++ b/ssh.1 | 188 | +++ b/ssh.1 |
189 | @@ -1484,6 +1484,8 @@ The file format and configuration options are described in | 189 | @@ -1484,6 +1484,8 @@ The file format and configuration options are described in |
@@ -196,10 +196,10 @@ index a1c7d2305..64ead5f57 100644 | |||
196 | .It Pa ~/.ssh/environment | 196 | .It Pa ~/.ssh/environment |
197 | Contains additional definitions for environment variables; see | 197 | Contains additional definitions for environment variables; see |
198 | diff --git a/ssh_config.5 b/ssh_config.5 | 198 | diff --git a/ssh_config.5 b/ssh_config.5 |
199 | index 250c92d04..bd1e9311d 100644 | 199 | index bc04d8d02..2c74b57c0 100644 |
200 | --- a/ssh_config.5 | 200 | --- a/ssh_config.5 |
201 | +++ b/ssh_config.5 | 201 | +++ b/ssh_config.5 |
202 | @@ -1885,6 +1885,8 @@ The format of this file is described above. | 202 | @@ -1907,6 +1907,8 @@ The format of this file is described above. |
203 | This file is used by the SSH client. | 203 | This file is used by the SSH client. |
204 | Because of the potential for abuse, this file must have strict permissions: | 204 | Because of the potential for abuse, this file must have strict permissions: |
205 | read/write for the user, and not writable by others. | 205 | read/write for the user, and not writable by others. |