author: Colin Watson <cjwatson@debian.org>, 2014-10-07 13:33:15 +0100
committer: Colin Watson <cjwatson@debian.org>, 2014-10-07 14:27:30 +0100
commit: f0b009aea83e9ff3a50be30f51012099a5143c16
tree: 3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /debian/patches
parent: 47f0bad4330b16ec3bad870fcf9839c196e42c12
parent: 762c062828f5a8f6ed189ed6e44ad38fd92f8b36
Merge 6.7p1.
* New upstream release (http://www.openssh.com/txt/release-6.7):
- sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour* are
disabled by default. The full set of algorithms remains available if
configured explicitly via the Ciphers and MACs sshd_config options.
- ssh(1), sshd(8): Add support for Unix domain socket forwarding. A
remote TCP port may be forwarded to a local Unix domain socket and
vice versa or both ends may be a Unix domain socket (closes: #236718).
- ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519
key types.
- sftp(1): Allow resumption of interrupted uploads.
- ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is
the same as the one sent during initial key exchange.
- sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses
when GatewayPorts=no; allows client to choose address family.
- sshd(8): Add a sshd_config PermitUserRC option to control whether
~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
option.
- ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that
expands to a unique identifier based on a hash of the tuple of (local
host, remote user, hostname, port). Helps avoid exceeding miserly
pathname limits for Unix domain sockets in multiplexing control paths.
- sshd(8): Make the "Too many authentication failures" message include
the user, source address, port and protocol in a format similar to the
authentication success / failure messages.
- Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
available. It considers time spent suspended, thereby ensuring
timeouts (e.g. for expiring agent keys) fire correctly (closes:
#734553).
- Use prctl() to prevent sftp-server from accessing
/proc/self/{mem,maps}.
* Restore TCP wrappers support, removed upstream in 6.7. It is true that
dropping this reduces preauth attack surface in sshd. On the other
hand, this support seems to be quite widely used, and abruptly dropping
it (from the perspective of users who don't read openssh-unix-dev) could
easily cause more serious problems in practice. It's not entirely clear
what the right long-term answer for Debian is, but it at least probably
doesn't involve dropping this feature shortly before a freeze.
* Replace patch to disable OpenSSL version check with an updated version
of Kurt Roeckx's patch from #732940 to just avoid checking the status
field.
Diffstat (limited to 'debian/patches')
33 files changed, 593 insertions, 643 deletions
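The algorithm change in the changelog above only helps hosts that do not override the defaults: the changelog itself notes that an explicit Ciphers or MACs line brings the full set back, and PermitUserRC is a new knob whose upstream default leaves ~/.ssh/rc enabled. The following audit script is an added example, not code from the Debian package or from OpenSSH. It reads an sshd_config with sshd_config(5)'s first-value-wins rule, reports CBC and arcfour ciphers named explicitly (the families the changelog says were dropped from the defaults), and reports PermitUserRC unless it is set to no. The MAC patterns (MD5-based and truncated -96 MACs) are my assumption, since the changelog does not list which MACs were removed; the sample config is constructed.

```python
import re

# Added example (not from the Debian package or OpenSSH): flag sshd_config
# settings that undo what the 6.7 default-algorithm change did.

# From the 6.7 changelog: CBC ciphers and arcfour* are no longer in the default
# Ciphers list but remain available when named explicitly.
WEAK_CIPHER = re.compile(r"(-cbc$|^arcfour)")
# Assumption: the changelog does not list which MACs were dropped; MD5-based
# and truncated (-96) MACs are treated as weak here on general grounds.
WEAK_MAC = re.compile(r"(^hmac-md5|-96(-etm@openssh\.com)?$)")

KEYWORDS = {"ciphers", "macs", "permituserrc"}


def parse_sshd_config(text):
    """Return {keyword: (value, lineno)} for the keywords of interest.

    Mirrors two sshd_config(5) rules: keywords are case-insensitive, and for
    each keyword the first value found is the one that applies.  Everything
    after a Match line is skipped because it only applies to the matched
    subset of connections (Ciphers/MACs are not even valid there).
    """
    found = {}
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = re.split(r"[\s=]+", line)   # 'Key value' or 'Key=value'
        key = tokens[0].lower()
        if key == "match":
            in_match = True
            continue
        if in_match or key not in KEYWORDS:
            continue
        value = tokens[1] if len(tokens) > 1 else ""
        found.setdefault(key, (value, lineno))  # first value wins
    return found


def audit_sshd_config(text):
    """Return a list of (lineno, keyword, problem) tuples; empty means clean."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, weak in (("ciphers", WEAK_CIPHER), ("macs", WEAK_MAC)):
        if key not in cfg:
            continue                      # no override: the 6.7 defaults apply
        value, lineno = cfg[key]
        for alg in value.lower().split(","):
            if weak.search(alg):
                findings.append((lineno, key, "re-enables " + alg))
    if "permituserrc" in cfg:
        value, lineno = cfg["permituserrc"]
        if value.lower() != "no":
            findings.append((lineno, "permituserrc", "~/.ssh/rc is executed"))
    else:
        # Upstream default for PermitUserRC is yes, so silence means enabled.
        findings.append((0, "permituserrc", "not set; default is yes"))
    return findings


# Constructed sample config, not taken from any real host.  The second
# Ciphers line is ignored by sshd (first value wins), and the PermitUserRC
# inside the Match block only applies to user 'backup'.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
Ciphers aes128-ctr,aes256-ctr,aes128-cbc,arcfour256
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96
Ciphers aes256-gcm@openssh.com
PermitUserRC yes
Match User backup
    PermitUserRC no
"""

# Constructed hardened counterpart: no Ciphers/MACs override, rc disabled.
HARDENED_CONFIG = """\
Port 22
PermitUserRC no
"""

if __name__ == "__main__":
    for lineno, key, problem in audit_sshd_config(SAMPLE_CONFIG):
        print("line %d: %s %s" % (lineno, key, problem))
```

Run against SAMPLE_CONFIG it reports line 3 (aes128-cbc, arcfour256), line 4 (hmac-md5, hmac-sha1-96) and line 6 (PermitUserRC yes); HARDENED_CONFIG produces no findings. The first-value-wins rule matters in practice: a hardening line appended at the end of a config that already has an earlier Ciphers line does nothing, which is exactly what the script models.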
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch index 8d26d7b6f..84a14cfb8 100644 --- a/debian/patches/auth-log-verbosity.patch +++ b/debian/patches/auth-log-verbosity.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 283322f493ee7dc75511f6cf9e9b88e536de0874 Mon Sep 17 00:00:00 2001 | 1 | From 1ecd5db58295874d8b9a7ce98fe1880ab08fbcaf Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 |
4 | Subject: Quieten logs when multiple from= restrictions are used | 4 | Subject: Quieten logs when multiple from= restrictions are used |
@@ -16,7 +16,7 @@ Patch-Name: auth-log-verbosity.patch | |||
16 | 4 files changed, 32 insertions(+), 9 deletions(-) | 16 | 4 files changed, 32 insertions(+), 9 deletions(-) |
17 | 17 | ||
18 | diff --git a/auth-options.c b/auth-options.c | 18 | diff --git a/auth-options.c b/auth-options.c |
19 | index fa209ea..df61330 100644 | 19 | index f3d9c9d..d4d22d7 100644 |
20 | --- a/auth-options.c | 20 | --- a/auth-options.c |
21 | +++ b/auth-options.c | 21 | +++ b/auth-options.c |
22 | @@ -54,9 +54,20 @@ int forced_tun_device = -1; | 22 | @@ -54,9 +54,20 @@ int forced_tun_device = -1; |
@@ -58,7 +58,7 @@ index fa209ea..df61330 100644 | |||
58 | auth_debug_add("Your host '%.200s' is not " | 58 | auth_debug_add("Your host '%.200s' is not " |
59 | "permitted to use this key for login.", | 59 | "permitted to use this key for login.", |
60 | remote_host); | 60 | remote_host); |
61 | @@ -510,11 +524,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, | 61 | @@ -511,11 +525,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, |
62 | break; | 62 | break; |
63 | case 0: | 63 | case 0: |
64 | /* no match */ | 64 | /* no match */ |
@@ -91,10 +91,10 @@ index 7455c94..a3f0a02 100644 | |||
91 | void auth_clear_options(void); | 91 | void auth_clear_options(void); |
92 | int auth_cert_options(Key *, struct passwd *); | 92 | int auth_cert_options(Key *, struct passwd *); |
93 | diff --git a/auth-rsa.c b/auth-rsa.c | 93 | diff --git a/auth-rsa.c b/auth-rsa.c |
94 | index 5dad6c3..260ce2f 100644 | 94 | index e9f4ede..5d7bdcb 100644 |
95 | --- a/auth-rsa.c | 95 | --- a/auth-rsa.c |
96 | +++ b/auth-rsa.c | 96 | +++ b/auth-rsa.c |
97 | @@ -178,6 +178,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, | 97 | @@ -179,6 +179,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, |
98 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) | 98 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) |
99 | return 0; | 99 | return 0; |
100 | 100 | ||
@@ -104,10 +104,10 @@ index 5dad6c3..260ce2f 100644 | |||
104 | * Go though the accepted keys, looking for the current key. If | 104 | * Go though the accepted keys, looking for the current key. If |
105 | * found, perform a challenge-response dialog to verify that the | 105 | * found, perform a challenge-response dialog to verify that the |
106 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c | 106 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c |
107 | index 0fd27bb..7c56927 100644 | 107 | index f3ca965..f78b046 100644 |
108 | --- a/auth2-pubkey.c | 108 | --- a/auth2-pubkey.c |
109 | +++ b/auth2-pubkey.c | 109 | +++ b/auth2-pubkey.c |
110 | @@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) | 110 | @@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) |
111 | restore_uid(); | 111 | restore_uid(); |
112 | return 0; | 112 | return 0; |
113 | } | 113 | } |
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index 74bfb46e6..6afb0420b 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 71448da5ce75ba50bcb10dbbd3b8c7633f633e8f Mon Sep 17 00:00:00 2001 | 1 | From 19b0441502c07401dd6d418f8f81cc7f1a44ccb1 Mon Sep 17 00:00:00 2001 |
2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> | 2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> |
3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 |
4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) | 4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) |
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch | |||
13 | 1 file changed, 1 insertion(+) | 13 | 1 file changed, 1 insertion(+) |
14 | 14 | ||
15 | diff --git a/Makefile.in b/Makefile.in | 15 | diff --git a/Makefile.in b/Makefile.in |
16 | index 3d96c05..feee0b2 100644 | 16 | index c4cb8ea..a4402e9 100644 |
17 | --- a/Makefile.in | 17 | --- a/Makefile.in |
18 | +++ b/Makefile.in | 18 | +++ b/Makefile.in |
19 | @@ -287,6 +287,7 @@ install-files: | 19 | @@ -309,6 +309,7 @@ install-files: |
20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 | 20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 |
21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 | 21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 |
22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch index e3ff4d7e4..e50c77f62 100644 --- a/debian/patches/consolekit.patch +++ b/debian/patches/consolekit.patch | |||
@@ -1,33 +1,33 @@ | |||
1 | From 7a26d16efb4ee303c8d66ee82caf9d0686f4a074 Mon Sep 17 00:00:00 2001 | 1 | From f51fe0c55e54c12db952624e980d18f39c41e581 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:57 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:57 +0000 |
4 | Subject: Add support for registering ConsoleKit sessions on login | 4 | Subject: Add support for registering ConsoleKit sessions on login |
5 | 5 | ||
6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 | 6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 |
7 | Last-Updated: 2014-03-20 | 7 | Last-Updated: 2014-10-07 |
8 | 8 | ||
9 | Patch-Name: consolekit.patch | 9 | Patch-Name: consolekit.patch |
10 | --- | 10 | --- |
11 | Makefile.in | 3 +- | 11 | Makefile.in | 3 +- |
12 | configure | 132 +++++++++++++++++++++++++++++++ | 12 | configure | 132 +++++++++++++++++++++++++++++++ |
13 | configure.ac | 25 ++++++ | 13 | configure.ac | 25 ++++++ |
14 | consolekit.c | 240 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 14 | consolekit.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
15 | consolekit.h | 24 ++++++ | 15 | consolekit.h | 24 ++++++ |
16 | monitor.c | 42 ++++++++++ | 16 | monitor.c | 42 ++++++++++ |
17 | monitor.h | 2 + | 17 | monitor.h | 2 + |
18 | monitor_wrap.c | 30 ++++++++ | 18 | monitor_wrap.c | 30 +++++++ |
19 | monitor_wrap.h | 4 + | 19 | monitor_wrap.h | 4 + |
20 | session.c | 13 ++++ | 20 | session.c | 13 ++++ |
21 | session.h | 6 ++ | 21 | session.h | 6 ++ |
22 | 11 files changed, 520 insertions(+), 1 deletion(-) | 22 | 11 files changed, 521 insertions(+), 1 deletion(-) |
23 | create mode 100644 consolekit.c | 23 | create mode 100644 consolekit.c |
24 | create mode 100644 consolekit.h | 24 | create mode 100644 consolekit.h |
25 | 25 | ||
26 | diff --git a/Makefile.in b/Makefile.in | 26 | diff --git a/Makefile.in b/Makefile.in |
27 | index ee1d2c3..3d96c05 100644 | 27 | index 086d8dd..c4cb8ea 100644 |
28 | --- a/Makefile.in | 28 | --- a/Makefile.in |
29 | +++ b/Makefile.in | 29 | +++ b/Makefile.in |
30 | @@ -97,7 +97,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 30 | @@ -107,7 +107,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
31 | sftp-server.o sftp-common.o \ | 31 | sftp-server.o sftp-common.o \ |
32 | roaming_common.o roaming_serv.o \ | 32 | roaming_common.o roaming_serv.o \ |
33 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ | 33 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
@@ -38,10 +38,10 @@ index ee1d2c3..3d96c05 100644 | |||
38 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out | 38 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out |
39 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 | 39 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 |
40 | diff --git a/configure b/configure | 40 | diff --git a/configure b/configure |
41 | index b6b5b6d..e2f12cd 100755 | 41 | index ea5f200..7be478a 100755 |
42 | --- a/configure | 42 | --- a/configure |
43 | +++ b/configure | 43 | +++ b/configure |
44 | @@ -740,6 +740,7 @@ with_privsep_user | 44 | @@ -739,6 +739,7 @@ with_privsep_user |
45 | with_sandbox | 45 | with_sandbox |
46 | with_selinux | 46 | with_selinux |
47 | with_kerberos5 | 47 | with_kerberos5 |
@@ -49,7 +49,7 @@ index b6b5b6d..e2f12cd 100755 | |||
49 | with_privsep_path | 49 | with_privsep_path |
50 | with_xauth | 50 | with_xauth |
51 | enable_strip | 51 | enable_strip |
52 | @@ -1432,6 +1433,7 @@ Optional Packages: | 52 | @@ -1430,6 +1431,7 @@ Optional Packages: |
53 | --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum) | 53 | --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum) |
54 | --with-selinux Enable SELinux support | 54 | --with-selinux Enable SELinux support |
55 | --with-kerberos5=PATH Enable Kerberos 5 support | 55 | --with-kerberos5=PATH Enable Kerberos 5 support |
@@ -57,7 +57,7 @@ index b6b5b6d..e2f12cd 100755 | |||
57 | --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) | 57 | --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) |
58 | --with-xauth=PATH Specify path to xauth program | 58 | --with-xauth=PATH Specify path to xauth program |
59 | --with-maildir=/path/to/mail Specify your system mail directory | 59 | --with-maildir=/path/to/mail Specify your system mail directory |
60 | @@ -17217,6 +17219,135 @@ fi | 60 | @@ -17211,6 +17213,135 @@ fi |
61 | 61 | ||
62 | 62 | ||
63 | 63 | ||
@@ -193,7 +193,7 @@ index b6b5b6d..e2f12cd 100755 | |||
193 | # Looking for programs, paths and files | 193 | # Looking for programs, paths and files |
194 | 194 | ||
195 | PRIVSEP_PATH=/var/empty | 195 | PRIVSEP_PATH=/var/empty |
196 | @@ -19746,6 +19877,7 @@ echo " MD5 password support: $MD5_MSG" | 196 | @@ -19739,6 +19870,7 @@ echo " MD5 password support: $MD5_MSG" |
197 | echo " libedit support: $LIBEDIT_MSG" | 197 | echo " libedit support: $LIBEDIT_MSG" |
198 | echo " Solaris process contract support: $SPC_MSG" | 198 | echo " Solaris process contract support: $SPC_MSG" |
199 | echo " Solaris project support: $SP_MSG" | 199 | echo " Solaris project support: $SP_MSG" |
@@ -202,10 +202,10 @@ index b6b5b6d..e2f12cd 100755 | |||
202 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | 202 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" |
203 | echo " BSD Auth support: $BSD_AUTH_MSG" | 203 | echo " BSD Auth support: $BSD_AUTH_MSG" |
204 | diff --git a/configure.ac b/configure.ac | 204 | diff --git a/configure.ac b/configure.ac |
205 | index d235fb0..8669271 100644 | 205 | index 7f160f1..f5c65c5 100644 |
206 | --- a/configure.ac | 206 | --- a/configure.ac |
207 | +++ b/configure.ac | 207 | +++ b/configure.ac |
208 | @@ -4072,6 +4072,30 @@ AC_ARG_WITH([kerberos5], | 208 | @@ -4113,6 +4113,30 @@ AC_ARG_WITH([kerberos5], |
209 | AC_SUBST([GSSLIBS]) | 209 | AC_SUBST([GSSLIBS]) |
210 | AC_SUBST([K5LIBS]) | 210 | AC_SUBST([K5LIBS]) |
211 | 211 | ||
@@ -236,7 +236,7 @@ index d235fb0..8669271 100644 | |||
236 | # Looking for programs, paths and files | 236 | # Looking for programs, paths and files |
237 | 237 | ||
238 | PRIVSEP_PATH=/var/empty | 238 | PRIVSEP_PATH=/var/empty |
239 | @@ -4873,6 +4897,7 @@ echo " MD5 password support: $MD5_MSG" | 239 | @@ -4914,6 +4938,7 @@ echo " MD5 password support: $MD5_MSG" |
240 | echo " libedit support: $LIBEDIT_MSG" | 240 | echo " libedit support: $LIBEDIT_MSG" |
241 | echo " Solaris process contract support: $SPC_MSG" | 241 | echo " Solaris process contract support: $SPC_MSG" |
242 | echo " Solaris project support: $SP_MSG" | 242 | echo " Solaris project support: $SP_MSG" |
@@ -246,10 +246,10 @@ index d235fb0..8669271 100644 | |||
246 | echo " BSD Auth support: $BSD_AUTH_MSG" | 246 | echo " BSD Auth support: $BSD_AUTH_MSG" |
247 | diff --git a/consolekit.c b/consolekit.c | 247 | diff --git a/consolekit.c b/consolekit.c |
248 | new file mode 100644 | 248 | new file mode 100644 |
249 | index 0000000..f1039e6 | 249 | index 0000000..0266f06 |
250 | --- /dev/null | 250 | --- /dev/null |
251 | +++ b/consolekit.c | 251 | +++ b/consolekit.c |
252 | @@ -0,0 +1,240 @@ | 252 | @@ -0,0 +1,241 @@ |
253 | +/* | 253 | +/* |
254 | + * Copyright (c) 2008 Colin Watson. All rights reserved. | 254 | + * Copyright (c) 2008 Colin Watson. All rights reserved. |
255 | + * | 255 | + * |
@@ -305,6 +305,7 @@ index 0000000..f1039e6 | |||
305 | +#include "hostfile.h" | 305 | +#include "hostfile.h" |
306 | +#include "auth.h" | 306 | +#include "auth.h" |
307 | +#include "log.h" | 307 | +#include "log.h" |
308 | +#include "misc.h" | ||
308 | +#include "servconf.h" | 309 | +#include "servconf.h" |
309 | +#include "canohost.h" | 310 | +#include "canohost.h" |
310 | +#include "session.h" | 311 | +#include "session.h" |
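Review bot: the added `#include "misc.h"` in consolekit.c is the only code change in this refresh (the +1 in the header's diffstat), and nothing in the hunk or in the patch description says which symbol now needs it; please add a sentence to the description, which this refresh only touches by bumping Last-Updated, so the next rebase knows whether the include is still required or can be dropped again.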
@@ -521,10 +522,10 @@ index 0000000..8ce3716 | |||
521 | + | 522 | + |
522 | +#endif /* USE_CONSOLEKIT */ | 523 | +#endif /* USE_CONSOLEKIT */ |
523 | diff --git a/monitor.c b/monitor.c | 524 | diff --git a/monitor.c b/monitor.c |
524 | index 11eac63..7c105e6 100644 | 525 | index 94b194d..cc15ce4 100644 |
525 | --- a/monitor.c | 526 | --- a/monitor.c |
526 | +++ b/monitor.c | 527 | +++ b/monitor.c |
527 | @@ -97,6 +97,9 @@ | 528 | @@ -100,6 +100,9 @@ |
528 | #include "ssh2.h" | 529 | #include "ssh2.h" |
529 | #include "roaming.h" | 530 | #include "roaming.h" |
530 | #include "authfd.h" | 531 | #include "authfd.h" |
@@ -534,7 +535,7 @@ index 11eac63..7c105e6 100644 | |||
534 | 535 | ||
535 | #ifdef GSSAPI | 536 | #ifdef GSSAPI |
536 | static Gssctxt *gsscontext = NULL; | 537 | static Gssctxt *gsscontext = NULL; |
537 | @@ -187,6 +190,10 @@ int mm_answer_audit_command(int, Buffer *); | 538 | @@ -190,6 +193,10 @@ int mm_answer_audit_command(int, Buffer *); |
538 | 539 | ||
539 | static int monitor_read_log(struct monitor *); | 540 | static int monitor_read_log(struct monitor *); |
540 | 541 | ||
@@ -543,9 +544,9 @@ index 11eac63..7c105e6 100644 | |||
543 | +#endif | 544 | +#endif |
544 | + | 545 | + |
545 | static Authctxt *authctxt; | 546 | static Authctxt *authctxt; |
546 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ | ||
547 | 547 | ||
548 | @@ -272,6 +279,9 @@ struct mon_table mon_dispatch_postauth20[] = { | 548 | #ifdef WITH_SSH1 |
549 | @@ -282,6 +289,9 @@ struct mon_table mon_dispatch_postauth20[] = { | ||
549 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 550 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
550 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, | 551 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, |
551 | #endif | 552 | #endif |
@@ -555,17 +556,17 @@ index 11eac63..7c105e6 100644 | |||
555 | {0, 0, NULL} | 556 | {0, 0, NULL} |
556 | }; | 557 | }; |
557 | 558 | ||
558 | @@ -314,6 +324,9 @@ struct mon_table mon_dispatch_postauth15[] = { | 559 | @@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = { |
559 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 560 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
560 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, | 561 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, |
561 | #endif | 562 | #endif |
562 | +#ifdef USE_CONSOLEKIT | 563 | +#ifdef USE_CONSOLEKIT |
563 | + {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register}, | 564 | + {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register}, |
564 | +#endif | 565 | +#endif |
566 | #endif /* WITH_SSH1 */ | ||
565 | {0, 0, NULL} | 567 | {0, 0, NULL} |
566 | }; | 568 | }; |
567 | 569 | @@ -509,6 +522,9 @@ monitor_child_postauth(struct monitor *pmonitor) | |
568 | @@ -492,6 +505,9 @@ monitor_child_postauth(struct monitor *pmonitor) | ||
569 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 570 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
570 | monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); | 571 | monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); |
571 | } | 572 | } |
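Review bot: in the mon_dispatch_postauth15 table the new `{MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register}` entry carries flags 0, right next to `{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}`. Flags 0 means the request has to be switched on at runtime with monitor_permit(), which the `monitor_child_postauth` hunk just below presumably does; since a session is registered once per connection, `MON_ONCE` would let the privileged monitor refuse a repeat request from a compromised post-auth child instead of registering more sessions on its behalf, and the same applies to the postauth20 entry. The placement is right: the `#endif /* WITH_SSH1 */` that now follows the added lines as context shows the whole postauth15 table is SSH1-only in 6.7, so the entry has to sit inside that block.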
@@ -575,7 +576,7 @@ index 11eac63..7c105e6 100644 | |||
575 | 576 | ||
576 | for (;;) | 577 | for (;;) |
577 | monitor_read(pmonitor, mon_dispatch, NULL); | 578 | monitor_read(pmonitor, mon_dispatch, NULL); |
578 | @@ -2269,3 +2285,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { | 579 | @@ -2296,3 +2312,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { |
579 | 580 | ||
580 | #endif /* GSSAPI */ | 581 | #endif /* GSSAPI */ |
581 | 582 | ||
@@ -619,10 +620,10 @@ index 4d5e8fa..10ba59e 100644 | |||
619 | 620 | ||
620 | struct mm_master; | 621 | struct mm_master; |
621 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 622 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
622 | index f75dc9d..a8fb07b 100644 | 623 | index 6dc890a..4c57d4d 100644 |
623 | --- a/monitor_wrap.c | 624 | --- a/monitor_wrap.c |
624 | +++ b/monitor_wrap.c | 625 | +++ b/monitor_wrap.c |
625 | @@ -1353,3 +1353,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) | 626 | @@ -1363,3 +1363,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) |
626 | 627 | ||
627 | #endif /* GSSAPI */ | 628 | #endif /* GSSAPI */ |
628 | 629 | ||
@@ -670,10 +671,10 @@ index 9c2ee49..00e93fe 100644 | |||
670 | + | 671 | + |
671 | #endif /* _MM_WRAP_H_ */ | 672 | #endif /* _MM_WRAP_H_ */ |
672 | diff --git a/session.c b/session.c | 673 | diff --git a/session.c b/session.c |
673 | index 6848df4..9d43fc3 100644 | 674 | index 6f389ac..6250c20 100644 |
674 | --- a/session.c | 675 | --- a/session.c |
675 | +++ b/session.c | 676 | +++ b/session.c |
676 | @@ -92,6 +92,7 @@ | 677 | @@ -93,6 +93,7 @@ |
677 | #include "kex.h" | 678 | #include "kex.h" |
678 | #include "monitor_wrap.h" | 679 | #include "monitor_wrap.h" |
679 | #include "sftp.h" | 680 | #include "sftp.h" |
@@ -681,7 +682,7 @@ index 6848df4..9d43fc3 100644 | |||
681 | 682 | ||
682 | #if defined(KRB5) && defined(USE_AFS) | 683 | #if defined(KRB5) && defined(USE_AFS) |
683 | #include <kafs.h> | 684 | #include <kafs.h> |
684 | @@ -1160,6 +1161,9 @@ do_setup_env(Session *s, const char *shell) | 685 | @@ -1143,6 +1144,9 @@ do_setup_env(Session *s, const char *shell) |
685 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) | 686 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) |
686 | char *path = NULL; | 687 | char *path = NULL; |
687 | #endif | 688 | #endif |
@@ -691,7 +692,7 @@ index 6848df4..9d43fc3 100644 | |||
691 | 692 | ||
692 | /* Initialize the environment. */ | 693 | /* Initialize the environment. */ |
693 | envsize = 100; | 694 | envsize = 100; |
694 | @@ -1304,6 +1308,11 @@ do_setup_env(Session *s, const char *shell) | 695 | @@ -1287,6 +1291,11 @@ do_setup_env(Session *s, const char *shell) |
695 | child_set_env(&env, &envsize, "KRB5CCNAME", | 696 | child_set_env(&env, &envsize, "KRB5CCNAME", |
696 | s->authctxt->krb5_ccname); | 697 | s->authctxt->krb5_ccname); |
697 | #endif | 698 | #endif |
@@ -703,7 +704,7 @@ index 6848df4..9d43fc3 100644 | |||
703 | #ifdef USE_PAM | 704 | #ifdef USE_PAM |
704 | /* | 705 | /* |
705 | * Pull in any environment variables that may have | 706 | * Pull in any environment variables that may have |
706 | @@ -2353,6 +2362,10 @@ session_pty_cleanup2(Session *s) | 707 | @@ -2350,6 +2359,10 @@ session_pty_cleanup2(Session *s) |
707 | 708 | ||
708 | debug("session_pty_cleanup: session %d release %s", s->self, s->tty); | 709 | debug("session_pty_cleanup: session %d release %s", s->self, s->tty); |
709 | 710 | ||
diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch deleted file mode 100644 index ccb66048d..000000000 --- a/debian/patches/curve25519-sha256-bignum-encoding.patch +++ /dev/null | |||
@@ -1,161 +0,0 @@ | |||
1 | From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Miller <djm@mindrot.org> | ||
3 | Date: Sun, 20 Apr 2014 13:47:45 +1000 | ||
4 | Subject: bad bignum encoding for curve25519-sha256@libssh.org | ||
5 | |||
6 | Hi, | ||
7 | |||
8 | So I screwed up when writing the support for the curve25519 KEX method | ||
9 | that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left | ||
10 | leading zero bytes where they should have been skipped. The impact of | ||
11 | this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a | ||
12 | peer that implements curve25519-sha256@libssh.org properly about 0.2% | ||
13 | of the time (one in every 512ish connections). | ||
14 | |||
15 | We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 | ||
16 | key exchange for previous versions, but I'd recommend distributors | ||
17 | of OpenSSH apply this patch so the affected code doesn't become | ||
18 | too entrenched in LTS releases. | ||
19 | |||
20 | The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as | ||
21 | to distinguish itself from the incorrect versions so the compatibility | ||
22 | code to disable the affected KEX isn't activated. | ||
23 | |||
24 | I've committed this on the 6.6 branch too. | ||
25 | |||
26 | Apologies for the hassle. | ||
27 | |||
28 | -d | ||
29 | |||
30 | Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html | ||
31 | Forwarded: not-needed | ||
32 | Last-Update: 2014-04-21 | ||
33 | |||
34 | Patch-Name: curve25519-sha256-bignum-encoding.patch | ||
35 | --- | ||
36 | bufaux.c | 5 ++++- | ||
37 | compat.c | 17 ++++++++++++++++- | ||
38 | compat.h | 2 ++ | ||
39 | sshconnect2.c | 2 ++ | ||
40 | sshd.c | 3 +++ | ||
41 | version.h | 2 +- | ||
42 | 6 files changed, 28 insertions(+), 3 deletions(-) | ||
43 | |||
44 | diff --git a/bufaux.c b/bufaux.c | ||
45 | index e24b5fc..f6a6f2a 100644 | ||
46 | --- a/bufaux.c | ||
47 | +++ b/bufaux.c | ||
48 | @@ -1,4 +1,4 @@ | ||
49 | -/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ | ||
50 | +/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ | ||
51 | /* | ||
52 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
53 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
54 | @@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) | ||
55 | |||
56 | if (l > 8 * 1024) | ||
57 | fatal("%s: length %u too long", __func__, l); | ||
58 | + /* Skip leading zero bytes */ | ||
59 | + for (; l > 0 && *s == 0; l--, s++) | ||
60 | + ; | ||
61 | p = buf = xmalloc(l + 1); | ||
62 | /* | ||
63 | * If most significant bit is set then prepend a zero byte to | ||
64 | diff --git a/compat.c b/compat.c | ||
65 | index 9d9fabe..2709dc5 100644 | ||
66 | --- a/compat.c | ||
67 | +++ b/compat.c | ||
68 | @@ -95,6 +95,9 @@ compat_datafellows(const char *version) | ||
69 | { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, | ||
70 | { "OpenSSH_4*", 0 }, | ||
71 | { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, | ||
72 | + { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, | ||
73 | + { "OpenSSH_6.5*," | ||
74 | + "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, | ||
75 | { "OpenSSH*", SSH_NEW_OPENSSH }, | ||
76 | { "*MindTerm*", 0 }, | ||
77 | { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| | ||
78 | @@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop) | ||
79 | return cipher_prop; | ||
80 | } | ||
81 | |||
82 | - | ||
83 | char * | ||
84 | compat_pkalg_proposal(char *pkalg_prop) | ||
85 | { | ||
86 | @@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop) | ||
87 | return pkalg_prop; | ||
88 | } | ||
89 | |||
90 | +char * | ||
91 | +compat_kex_proposal(char *kex_prop) | ||
92 | +{ | ||
93 | + if (!(datafellows & SSH_BUG_CURVE25519PAD)) | ||
94 | + return kex_prop; | ||
95 | + debug2("%s: original KEX proposal: %s", __func__, kex_prop); | ||
96 | + kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); | ||
97 | + debug2("%s: compat KEX proposal: %s", __func__, kex_prop); | ||
98 | + if (*kex_prop == '\0') | ||
99 | + fatal("No supported key exchange algorithms found"); | ||
100 | + return kex_prop; | ||
101 | +} | ||
102 | + | ||
103 | diff --git a/compat.h b/compat.h | ||
104 | index b174fa1..a6c3f3d 100644 | ||
105 | --- a/compat.h | ||
106 | +++ b/compat.h | ||
107 | @@ -59,6 +59,7 @@ | ||
108 | #define SSH_BUG_RFWD_ADDR 0x02000000 | ||
109 | #define SSH_NEW_OPENSSH 0x04000000 | ||
110 | #define SSH_BUG_DYNAMIC_RPORT 0x08000000 | ||
111 | +#define SSH_BUG_CURVE25519PAD 0x10000000 | ||
112 | |||
113 | void enable_compat13(void); | ||
114 | void enable_compat20(void); | ||
115 | @@ -66,6 +67,7 @@ void compat_datafellows(const char *); | ||
116 | int proto_spec(const char *); | ||
117 | char *compat_cipher_proposal(char *); | ||
118 | char *compat_pkalg_proposal(char *); | ||
119 | +char *compat_kex_proposal(char *); | ||
120 | |||
121 | extern int compat13; | ||
122 | extern int compat20; | ||
123 | diff --git a/sshconnect2.c b/sshconnect2.c | ||
124 | index 66cb035..1a4e551 100644 | ||
125 | --- a/sshconnect2.c | ||
126 | +++ b/sshconnect2.c | ||
127 | @@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | ||
128 | } | ||
129 | if (options.kex_algorithms != NULL) | ||
130 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
131 | + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
132 | + myproposal[PROPOSAL_KEX_ALGS]); | ||
133 | |||
134 | #ifdef GSSAPI | ||
135 | /* If we've got GSSAPI algorithms, then we also support the | ||
136 | diff --git a/sshd.c b/sshd.c | ||
137 | index 0964491..fe78d7b 100644 | ||
138 | --- a/sshd.c | ||
139 | +++ b/sshd.c | ||
140 | @@ -2534,6 +2534,9 @@ do_ssh2_kex(void) | ||
141 | if (options.kex_algorithms != NULL) | ||
142 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
143 | |||
144 | + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
145 | + myproposal[PROPOSAL_KEX_ALGS]); | ||
146 | + | ||
147 | if (options.rekey_limit || options.rekey_interval) | ||
148 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | ||
149 | (time_t)options.rekey_interval); | ||
150 | diff --git a/version.h b/version.h | ||
151 | index a97c337..0659576 100644 | ||
152 | --- a/version.h | ||
153 | +++ b/version.h | ||
154 | @@ -1,6 +1,6 @@ | ||
155 | /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ | ||
156 | |||
157 | -#define SSH_VERSION "OpenSSH_6.6" | ||
158 | +#define SSH_VERSION "OpenSSH_6.6.1" | ||
159 | |||
160 | #define SSH_PORTABLE "p1" | ||
161 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | ||
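Review bot: removing this patch wholesale is right only because the merged 6.7p1 tree carries the same change, which the deleted message itself says ("We've fixed this for OpenSSH 6.7"); it is still worth confirming that 6.7p1's compat.c keeps both the `OpenSSH_6.6.1*` exception and the `OpenSSH_6.5*,OpenSSH_6.6*` entry that sets SSH_BUG_CURVE25519PAD, since Debian shipped 6.6.1p1 peers that identify as 6.6.1 and unpatched 6.5/6.6 peers still encode the shared secret with leading zero bytes. Without those table entries compat_kex_proposal() would not filter curve25519-sha256@libssh.org against such peers and key exchange would fail roughly one connection in 512, as the message describes.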
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 49219cf93..ab64cbed5 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9fcad888f4dbf0ecc0c7e87b6ef0f8d88d7ac3ec Mon Sep 17 00:00:00 2001 | 1 | From 114c8a8fb488cbe39507edb75c51198a4b9e8b24 Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch. | |||
8 | 8 | ||
9 | Bug-Debian: http://bugs.debian.org/562048 | 9 | Bug-Debian: http://bugs.debian.org/562048 |
10 | Forwarded: not-needed | 10 | Forwarded: not-needed |
11 | Last-Update: 2013-09-14 | 11 | Last-Update: 2014-10-07 |
12 | 12 | ||
13 | Patch-Name: debian-banner.patch | 13 | Patch-Name: debian-banner.patch |
14 | --- | 14 | --- |
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch | |||
19 | 4 files changed, 18 insertions(+), 1 deletion(-) | 19 | 4 files changed, 18 insertions(+), 1 deletion(-) |
20 | 20 | ||
21 | diff --git a/servconf.c b/servconf.c | 21 | diff --git a/servconf.c b/servconf.c |
22 | index 90de888..37fd2de 100644 | 22 | index a252487..6c7741a 100644 |
23 | --- a/servconf.c | 23 | --- a/servconf.c |
24 | +++ b/servconf.c | 24 | +++ b/servconf.c |
25 | @@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options) | 25 | @@ -160,6 +160,7 @@ initialize_server_options(ServerOptions *options) |
26 | options->ip_qos_interactive = -1; | 26 | options->ip_qos_interactive = -1; |
27 | options->ip_qos_bulk = -1; | 27 | options->ip_qos_bulk = -1; |
28 | options->version_addendum = NULL; | 28 | options->version_addendum = NULL; |
@@ -30,34 +30,34 @@ index 90de888..37fd2de 100644 | |||
30 | } | 30 | } |
31 | 31 | ||
32 | void | 32 | void |
33 | @@ -309,6 +310,8 @@ fill_default_server_options(ServerOptions *options) | 33 | @@ -321,6 +322,8 @@ fill_default_server_options(ServerOptions *options) |
34 | options->ip_qos_bulk = IPTOS_THROUGHPUT; | 34 | options->fwd_opts.streamlocal_bind_mask = 0177; |
35 | if (options->version_addendum == NULL) | 35 | if (options->fwd_opts.streamlocal_bind_unlink == -1) |
36 | options->version_addendum = xstrdup(""); | 36 | options->fwd_opts.streamlocal_bind_unlink = 0; |
37 | + if (options->debian_banner == -1) | 37 | + if (options->debian_banner == -1) |
38 | + options->debian_banner = 1; | 38 | + options->debian_banner = 1; |
39 | /* Turn privilege separation on by default */ | 39 | /* Turn privilege separation on by default */ |
40 | if (use_privsep == -1) | 40 | if (use_privsep == -1) |
41 | use_privsep = PRIVSEP_NOSANDBOX; | 41 | use_privsep = PRIVSEP_NOSANDBOX; |
42 | @@ -359,6 +362,7 @@ typedef enum { | 42 | @@ -373,6 +376,7 @@ typedef enum { |
43 | sKexAlgorithms, sIPQoS, sVersionAddendum, | 43 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
44 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, | 44 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
45 | sAuthenticationMethods, sHostKeyAgent, | 45 | sAllowStreamLocalForwarding, |
46 | + sDebianBanner, | 46 | + sDebianBanner, |
47 | sDeprecated, sUnsupported | 47 | sDeprecated, sUnsupported |
48 | } ServerOpCodes; | 48 | } ServerOpCodes; |
49 | 49 | ||
50 | @@ -496,6 +500,7 @@ static struct { | 50 | @@ -514,6 +518,7 @@ static struct { |
51 | { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, | 51 | { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, |
52 | { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, | 52 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, |
53 | { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, | 53 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, |
54 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 54 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
55 | { NULL, sBadOption, 0 } | 55 | { NULL, sBadOption, 0 } |
56 | }; | 56 | }; |
57 | 57 | ||
58 | @@ -1654,6 +1659,10 @@ process_server_config_line(ServerOptions *options, char *line, | 58 | @@ -1697,6 +1702,10 @@ process_server_config_line(ServerOptions *options, char *line, |
59 | } | 59 | intptr = &options->fwd_opts.streamlocal_bind_unlink; |
60 | return 0; | 60 | goto parse_flag; |
61 | 61 | ||
62 | + case sDebianBanner: | 62 | + case sDebianBanner: |
63 | + intptr = &options->debian_banner; | 63 | + intptr = &options->debian_banner; |
@@ -67,10 +67,10 @@ index 90de888..37fd2de 100644 | |||
67 | logit("%s line %d: Deprecated option %s", | 67 | logit("%s line %d: Deprecated option %s", |
68 | filename, linenum, arg); | 68 | filename, linenum, arg); |
69 | diff --git a/servconf.h b/servconf.h | 69 | diff --git a/servconf.h b/servconf.h |
70 | index c922eb5..dcd1c2a 100644 | 70 | index f8265a8..fa48804 100644 |
71 | --- a/servconf.h | 71 | --- a/servconf.h |
72 | +++ b/servconf.h | 72 | +++ b/servconf.h |
73 | @@ -186,6 +186,8 @@ typedef struct { | 73 | @@ -188,6 +188,8 @@ typedef struct { |
74 | 74 | ||
75 | u_int num_auth_methods; | 75 | u_int num_auth_methods; |
76 | char *auth_methods[MAX_AUTH_METHODS]; | 76 | char *auth_methods[MAX_AUTH_METHODS]; |
@@ -80,10 +80,10 @@ index c922eb5..dcd1c2a 100644 | |||
80 | 80 | ||
81 | /* Information about the incoming connection as used by Match */ | 81 | /* Information about the incoming connection as used by Match */ |
82 | diff --git a/sshd.c b/sshd.c | 82 | diff --git a/sshd.c b/sshd.c |
83 | index af9b8f1..665c0b9 100644 | 83 | index 1710e71..87331c1 100644 |
84 | --- a/sshd.c | 84 | --- a/sshd.c |
85 | +++ b/sshd.c | 85 | +++ b/sshd.c |
86 | @@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out) | 86 | @@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out) |
87 | } | 87 | } |
88 | 88 | ||
89 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 89 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
@@ -94,10 +94,10 @@ index af9b8f1..665c0b9 100644 | |||
94 | options.version_addendum, newline); | 94 | options.version_addendum, newline); |
95 | 95 | ||
96 | diff --git a/sshd_config.5 b/sshd_config.5 | 96 | diff --git a/sshd_config.5 b/sshd_config.5 |
97 | index 2164d58..8f078f6 100644 | 97 | index 2843048..58997d3 100644 |
98 | --- a/sshd_config.5 | 98 | --- a/sshd_config.5 |
99 | +++ b/sshd_config.5 | 99 | +++ b/sshd_config.5 |
100 | @@ -413,6 +413,11 @@ or | 100 | @@ -447,6 +447,11 @@ or |
101 | .Dq no . | 101 | .Dq no . |
102 | The default is | 102 | The default is |
103 | .Dq delayed . | 103 | .Dq delayed . |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 9ada04a10..661d30ca8 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From df5c8d109fb3d9ec16a487107a44300ed3006849 Mon Sep 17 00:00:00 2001 | 1 | From 762c062828f5a8f6ed189ed6e44ad38fd92f8b36 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
@@ -34,10 +34,10 @@ Patch-Name: debian-config.patch | |||
34 | 5 files changed, 51 insertions(+), 3 deletions(-) | 34 | 5 files changed, 51 insertions(+), 3 deletions(-) |
35 | 35 | ||
36 | diff --git a/readconf.c b/readconf.c | 36 | diff --git a/readconf.c b/readconf.c |
37 | index 32c4b42..5429fc2 100644 | 37 | index 0648867..29338b6 100644 |
38 | --- a/readconf.c | 38 | --- a/readconf.c |
39 | +++ b/readconf.c | 39 | +++ b/readconf.c |
40 | @@ -1640,7 +1640,7 @@ fill_default_options(Options * options) | 40 | @@ -1681,7 +1681,7 @@ fill_default_options(Options * options) |
41 | if (options->forward_x11 == -1) | 41 | if (options->forward_x11 == -1) |
42 | options->forward_x11 = 0; | 42 | options->forward_x11 = 0; |
43 | if (options->forward_x11_trusted == -1) | 43 | if (options->forward_x11_trusted == -1) |
@@ -71,7 +71,7 @@ index 228e5ab..c9386aa 100644 | |||
71 | + GSSAPIAuthentication yes | 71 | + GSSAPIAuthentication yes |
72 | + GSSAPIDelegateCredentials no | 72 | + GSSAPIDelegateCredentials no |
73 | diff --git a/ssh_config.5 b/ssh_config.5 | 73 | diff --git a/ssh_config.5 b/ssh_config.5 |
74 | index 1d500e9..22e6372 100644 | 74 | index a1005ba..da3c177 100644 |
75 | --- a/ssh_config.5 | 75 | --- a/ssh_config.5 |
76 | +++ b/ssh_config.5 | 76 | +++ b/ssh_config.5 |
77 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more | 77 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more |
@@ -97,7 +97,7 @@ index 1d500e9..22e6372 100644 | |||
97 | The configuration file has the following format: | 97 | The configuration file has the following format: |
98 | .Pp | 98 | .Pp |
99 | Empty lines and lines starting with | 99 | Empty lines and lines starting with |
100 | @@ -654,7 +670,8 @@ token used for the session will be set to expire after 20 minutes. | 100 | @@ -673,7 +689,8 @@ token used for the session will be set to expire after 20 minutes. |
101 | Remote clients will be refused access after this time. | 101 | Remote clients will be refused access after this time. |
102 | .Pp | 102 | .Pp |
103 | The default is | 103 | The default is |
@@ -120,7 +120,7 @@ index d9b8594..4db32f5 100644 | |||
120 | #StrictModes yes | 120 | #StrictModes yes |
121 | #MaxAuthTries 6 | 121 | #MaxAuthTries 6 |
122 | diff --git a/sshd_config.5 b/sshd_config.5 | 122 | diff --git a/sshd_config.5 b/sshd_config.5 |
123 | index 908e0bb..90fd3f4 100644 | 123 | index 7396b23..7aa7b47 100644 |
124 | --- a/sshd_config.5 | 124 | --- a/sshd_config.5 |
125 | +++ b/sshd_config.5 | 125 | +++ b/sshd_config.5 |
126 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes | 126 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes |
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch index bc89c50fc..0212ea841 100644 --- a/debian/patches/dnssec-sshfp.patch +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 912129ba92bea401d8cdeadc7aa7084fbf7625a1 Mon Sep 17 00:00:00 2001 | 1 | From 4ac9937c1d9f1901ab0694114d76e59a138aae96 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 |
4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | 4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf |
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch | |||
18 | 3 files changed, 21 insertions(+), 6 deletions(-) | 18 | 3 files changed, 21 insertions(+), 6 deletions(-) |
19 | 19 | ||
20 | diff --git a/dns.c b/dns.c | 20 | diff --git a/dns.c b/dns.c |
21 | index 630b97a..478c3d9 100644 | 21 | index c4d073c..e5872c1 100644 |
22 | --- a/dns.c | 22 | --- a/dns.c |
23 | +++ b/dns.c | 23 | +++ b/dns.c |
24 | @@ -196,6 +196,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | 24 | @@ -203,6 +203,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, |
25 | { | 25 | { |
26 | u_int counter; | 26 | u_int counter; |
27 | int result; | 27 | int result; |
@@ -29,7 +29,7 @@ index 630b97a..478c3d9 100644 | |||
29 | struct rrsetinfo *fingerprints = NULL; | 29 | struct rrsetinfo *fingerprints = NULL; |
30 | 30 | ||
31 | u_int8_t hostkey_algorithm; | 31 | u_int8_t hostkey_algorithm; |
32 | @@ -219,8 +220,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | 32 | @@ -226,8 +227,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, |
33 | return -1; | 33 | return -1; |
34 | } | 34 | } |
35 | 35 | ||
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 16c40b05f..8e6cfa575 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 1d108ef62050b4368e24e1efada16ec88c177fb8 Mon Sep 17 00:00:00 2001 | 1 | From 2fd0b3814e27d584efa6df92845a7354e7c2de6c Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 |
4 | Subject: Document that HashKnownHosts may break tab-completion | 4 | Subject: Document that HashKnownHosts may break tab-completion |
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch | |||
13 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh_config.5 b/ssh_config.5 | 15 | diff --git a/ssh_config.5 b/ssh_config.5 |
16 | index 4bf7cbb..1d500e9 100644 | 16 | index d68b45a..a1005ba 100644 |
17 | --- a/ssh_config.5 | 17 | --- a/ssh_config.5 |
18 | +++ b/ssh_config.5 | 18 | +++ b/ssh_config.5 |
19 | @@ -740,6 +740,9 @@ Note that existing names and addresses in known hosts files | 19 | @@ -759,6 +759,9 @@ Note that existing names and addresses in known hosts files |
20 | will not be converted automatically, | 20 | will not be converted automatically, |
21 | but may be manually hashed using | 21 | but may be manually hashed using |
22 | .Xr ssh-keygen 1 . | 22 | .Xr ssh-keygen 1 . |
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch index da8fc7ed4..c1ce1bcae 100644 --- a/debian/patches/doc-upstart.patch +++ b/debian/patches/doc-upstart.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 111de26347496af3f6ed04849fd29bc4bf1c2cea Mon Sep 17 00:00:00 2001 | 1 | From 252e76b3ad6e83a798e479a2beba5be7000ff85e Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 |
4 | Subject: Refer to ssh's Upstart job as well as its init script | 4 | Subject: Refer to ssh's Upstart job as well as its init script |
@@ -12,10 +12,10 @@ Patch-Name: doc-upstart.patch | |||
12 | 1 file changed, 4 insertions(+), 1 deletion(-) | 12 | 1 file changed, 4 insertions(+), 1 deletion(-) |
13 | 13 | ||
14 | diff --git a/sshd.8 b/sshd.8 | 14 | diff --git a/sshd.8 b/sshd.8 |
15 | index b016e90..cba168a 100644 | 15 | index 3538208..f8f9eac 100644 |
16 | --- a/sshd.8 | 16 | --- a/sshd.8 |
17 | +++ b/sshd.8 | 17 | +++ b/sshd.8 |
18 | @@ -70,7 +70,10 @@ over an insecure network. | 18 | @@ -67,7 +67,10 @@ over an insecure network. |
19 | .Nm | 19 | .Nm |
20 | listens for connections from clients. | 20 | listens for connections from clients. |
21 | It is normally started at boot from | 21 | It is normally started at boot from |
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch index dab518f65..84fe03acc 100644 --- a/debian/patches/gnome-ssh-askpass2-icon.patch +++ b/debian/patches/gnome-ssh-askpass2-icon.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b7df8fdb32f3d33b70ff8733cb0c39417e367534 Mon Sep 17 00:00:00 2001 | 1 | From 1195b028cb9f402633cfdcae6ec34bf63b4ab771 Mon Sep 17 00:00:00 2001 |
2 | From: Vincent Untz <vuntz@ubuntu.com> | 2 | From: Vincent Untz <vuntz@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 |
4 | Subject: Give the ssh-askpass-gnome window a default icon | 4 | Subject: Give the ssh-askpass-gnome window a default icon |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index d8439bf03..e8cbc1083 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd Mon Sep 17 00:00:00 2001 | 1 | From 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2014-03-19 | 20 | Last-Updated: 2014-10-07 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
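Review bot: Header field naming is inconsistent across the refreshed patches: this file bumps `Last-Updated: 2014-10-07` while debian-banner.patch above bumps `Last-Update: 2014-10-07` for the same purpose. Pick one spelling for all of debian/patches so the refresh dates can be found with a single grep.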
@@ -36,9 +36,7 @@ Patch-Name: gssapi.patch | |||
36 | kex.c | 16 +++ | 36 | kex.c | 16 +++ |
37 | kex.h | 14 +++ | 37 | kex.h | 14 +++ |
38 | kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 38 | kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
39 | kexgsss.c | 289 ++++++++++++++++++++++++++++++++++++++++++++++++ | 39 | kexgsss.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++ |
40 | key.c | 3 +- | ||
41 | key.h | 1 + | ||
42 | monitor.c | 108 +++++++++++++++++- | 40 | monitor.c | 108 +++++++++++++++++- |
43 | monitor.h | 3 + | 41 | monitor.h | 3 + |
44 | monitor_wrap.c | 47 +++++++- | 42 | monitor_wrap.c | 47 +++++++- |
@@ -54,7 +52,9 @@ Patch-Name: gssapi.patch | |||
54 | sshd.c | 110 ++++++++++++++++++ | 52 | sshd.c | 110 ++++++++++++++++++ |
55 | sshd_config | 2 + | 53 | sshd_config | 2 + |
56 | sshd_config.5 | 28 +++++ | 54 | sshd_config.5 | 28 +++++ |
57 | 33 files changed, 2051 insertions(+), 59 deletions(-) | 55 | sshkey.c | 3 +- |
56 | sshkey.h | 1 + | ||
57 | 33 files changed, 2052 insertions(+), 59 deletions(-) | ||
58 | create mode 100644 ChangeLog.gssapi | 58 | create mode 100644 ChangeLog.gssapi |
59 | create mode 100644 kexgssc.c | 59 | create mode 100644 kexgssc.c |
60 | create mode 100644 kexgsss.c | 60 | create mode 100644 kexgsss.c |
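Review bot: The diffstat changes (key.c/key.h replaced by sshkey.c/sshkey.h, kexgsss.c growing from 289 to 290 lines, total insertions from 2051 to 2052) are internally consistent, but the one extra line in kexgsss.c is a real change to the GSSAPI server-side key exchange, not just a context refresh; confirm the hunk that adds it is intentional and not a stray line from the rebase.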
@@ -179,10 +179,10 @@ index 0000000..f117a33 | |||
179 | + (from jbasney AT ncsa.uiuc.edu) | 179 | + (from jbasney AT ncsa.uiuc.edu) |
180 | + <gssapi-with-mic support is Bugzilla #1008> | 180 | + <gssapi-with-mic support is Bugzilla #1008> |
181 | diff --git a/Makefile.in b/Makefile.in | 181 | diff --git a/Makefile.in b/Makefile.in |
182 | index 28a8ec4..ee1d2c3 100644 | 182 | index 06be3d5..086d8dd 100644 |
183 | --- a/Makefile.in | 183 | --- a/Makefile.in |
184 | +++ b/Makefile.in | 184 | +++ b/Makefile.in |
185 | @@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 185 | @@ -82,6 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
186 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 186 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ |
187 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ | 187 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ |
@@ -190,7 +190,7 @@ index 28a8ec4..ee1d2c3 100644 | |||
190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ | 190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
191 | ssh-pkcs11.o krl.o smult_curve25519_ref.o \ | 191 | ssh-pkcs11.o krl.o smult_curve25519_ref.o \ |
192 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ | 192 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ |
193 | @@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 193 | @@ -101,7 +102,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
194 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ | 194 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ |
196 | kexc25519s.o auth-krb5.o \ | 196 | kexc25519s.o auth-krb5.o \ |
@@ -200,10 +200,10 @@ index 28a8ec4..ee1d2c3 100644 | |||
200 | sftp-server.o sftp-common.o \ | 200 | sftp-server.o sftp-common.o \ |
201 | roaming_common.o roaming_serv.o \ | 201 | roaming_common.o roaming_serv.o \ |
202 | diff --git a/auth-krb5.c b/auth-krb5.c | 202 | diff --git a/auth-krb5.c b/auth-krb5.c |
203 | index 6c62bdf..69a1a53 100644 | 203 | index 0089b18..ec47869 100644 |
204 | --- a/auth-krb5.c | 204 | --- a/auth-krb5.c |
205 | +++ b/auth-krb5.c | 205 | +++ b/auth-krb5.c |
206 | @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) | 206 | @@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) |
207 | 207 | ||
208 | len = strlen(authctxt->krb5_ticket_file) + 6; | 208 | len = strlen(authctxt->krb5_ticket_file) + 6; |
209 | authctxt->krb5_ccname = xmalloc(len); | 209 | authctxt->krb5_ccname = xmalloc(len); |
@@ -217,7 +217,7 @@ index 6c62bdf..69a1a53 100644 | |||
217 | 217 | ||
218 | #ifdef USE_PAM | 218 | #ifdef USE_PAM |
219 | if (options.use_pam) | 219 | if (options.use_pam) |
220 | @@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt) | 220 | @@ -241,15 +246,22 @@ krb5_cleanup_proc(Authctxt *authctxt) |
221 | #ifndef HEIMDAL | 221 | #ifndef HEIMDAL |
222 | krb5_error_code | 222 | krb5_error_code |
223 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 223 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
@@ -242,7 +242,7 @@ index 6c62bdf..69a1a53 100644 | |||
242 | old_umask = umask(0177); | 242 | old_umask = umask(0177); |
243 | tmpfd = mkstemp(ccname + strlen("FILE:")); | 243 | tmpfd = mkstemp(ccname + strlen("FILE:")); |
244 | oerrno = errno; | 244 | oerrno = errno; |
245 | @@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 245 | @@ -266,6 +278,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
246 | return oerrno; | 246 | return oerrno; |
247 | } | 247 | } |
248 | close(tmpfd); | 248 | close(tmpfd); |
@@ -251,7 +251,7 @@ index 6c62bdf..69a1a53 100644 | |||
251 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 251 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
252 | } | 252 | } |
253 | diff --git a/auth2-gss.c b/auth2-gss.c | 253 | diff --git a/auth2-gss.c b/auth2-gss.c |
254 | index c28a705..3ff2d72 100644 | 254 | index 447f896..284f364 100644 |
255 | --- a/auth2-gss.c | 255 | --- a/auth2-gss.c |
256 | +++ b/auth2-gss.c | 256 | +++ b/auth2-gss.c |
257 | @@ -1,7 +1,7 @@ | 257 | @@ -1,7 +1,7 @@ |
@@ -263,7 +263,7 @@ index c28a705..3ff2d72 100644 | |||
263 | * | 263 | * |
264 | * Redistribution and use in source and binary forms, with or without | 264 | * Redistribution and use in source and binary forms, with or without |
265 | * modification, are permitted provided that the following conditions | 265 | * modification, are permitted provided that the following conditions |
266 | @@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); | 266 | @@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); |
267 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | 267 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
268 | static void input_gssapi_errtok(int, u_int32_t, void *); | 268 | static void input_gssapi_errtok(int, u_int32_t, void *); |
269 | 269 | ||
@@ -304,7 +304,7 @@ index c28a705..3ff2d72 100644 | |||
304 | /* | 304 | /* |
305 | * We only support those mechanisms that we know about (ie ones that we know | 305 | * We only support those mechanisms that we know about (ie ones that we know |
306 | * how to check local user kuserok and the like) | 306 | * how to check local user kuserok and the like) |
307 | @@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | 307 | @@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) |
308 | 308 | ||
309 | packet_check_eom(); | 309 | packet_check_eom(); |
310 | 310 | ||
@@ -314,7 +314,7 @@ index c28a705..3ff2d72 100644 | |||
314 | 314 | ||
315 | authctxt->postponed = 0; | 315 | authctxt->postponed = 0; |
316 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 316 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
317 | @@ -270,7 +305,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 317 | @@ -271,7 +306,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
318 | gssbuf.length = buffer_len(&b); | 318 | gssbuf.length = buffer_len(&b); |
319 | 319 | ||
320 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 320 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
@@ -324,7 +324,7 @@ index c28a705..3ff2d72 100644 | |||
324 | else | 324 | else |
325 | logit("GSSAPI MIC check failed"); | 325 | logit("GSSAPI MIC check failed"); |
326 | 326 | ||
327 | @@ -285,6 +321,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 327 | @@ -286,6 +322,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
328 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); | 328 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
329 | } | 329 | } |
330 | 330 | ||
@@ -338,10 +338,10 @@ index c28a705..3ff2d72 100644 | |||
338 | "gssapi-with-mic", | 338 | "gssapi-with-mic", |
339 | userauth_gssapi, | 339 | userauth_gssapi, |
340 | diff --git a/auth2.c b/auth2.c | 340 | diff --git a/auth2.c b/auth2.c |
341 | index a5490c0..fbe3e1b 100644 | 341 | index d9b440a..2f0d565 100644 |
342 | --- a/auth2.c | 342 | --- a/auth2.c |
343 | +++ b/auth2.c | 343 | +++ b/auth2.c |
344 | @@ -69,6 +69,7 @@ extern Authmethod method_passwd; | 344 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; |
345 | extern Authmethod method_kbdint; | 345 | extern Authmethod method_kbdint; |
346 | extern Authmethod method_hostbased; | 346 | extern Authmethod method_hostbased; |
347 | #ifdef GSSAPI | 347 | #ifdef GSSAPI |
@@ -349,7 +349,7 @@ index a5490c0..fbe3e1b 100644 | |||
349 | extern Authmethod method_gssapi; | 349 | extern Authmethod method_gssapi; |
350 | #endif | 350 | #endif |
351 | 351 | ||
352 | @@ -76,6 +77,7 @@ Authmethod *authmethods[] = { | 352 | @@ -77,6 +78,7 @@ Authmethod *authmethods[] = { |
353 | &method_none, | 353 | &method_none, |
354 | &method_pubkey, | 354 | &method_pubkey, |
355 | #ifdef GSSAPI | 355 | #ifdef GSSAPI |
@@ -358,7 +358,7 @@ index a5490c0..fbe3e1b 100644 | |||
358 | #endif | 358 | #endif |
359 | &method_passwd, | 359 | &method_passwd, |
360 | diff --git a/clientloop.c b/clientloop.c | 360 | diff --git a/clientloop.c b/clientloop.c |
361 | index 59ad3a2..6d8cd7d 100644 | 361 | index 397c965..f9175e3 100644 |
362 | --- a/clientloop.c | 362 | --- a/clientloop.c |
363 | +++ b/clientloop.c | 363 | +++ b/clientloop.c |
364 | @@ -111,6 +111,10 @@ | 364 | @@ -111,6 +111,10 @@ |
@@ -372,7 +372,7 @@ index 59ad3a2..6d8cd7d 100644 | |||
372 | /* import options */ | 372 | /* import options */ |
373 | extern Options options; | 373 | extern Options options; |
374 | 374 | ||
375 | @@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 375 | @@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
376 | /* Do channel operations unless rekeying in progress. */ | 376 | /* Do channel operations unless rekeying in progress. */ |
377 | if (!rekeying) { | 377 | if (!rekeying) { |
378 | channel_after_select(readset, writeset); | 378 | channel_after_select(readset, writeset); |
@@ -389,7 +389,7 @@ index 59ad3a2..6d8cd7d 100644 | |||
389 | debug("need rekeying"); | 389 | debug("need rekeying"); |
390 | xxx_kex->done = 0; | 390 | xxx_kex->done = 0; |
391 | diff --git a/config.h.in b/config.h.in | 391 | diff --git a/config.h.in b/config.h.in |
392 | index 0401ad1..6bc422c 100644 | 392 | index 16d6206..a9a8b7a 100644 |
393 | --- a/config.h.in | 393 | --- a/config.h.in |
394 | +++ b/config.h.in | 394 | +++ b/config.h.in |
395 | @@ -1622,6 +1622,9 @@ | 395 | @@ -1622,6 +1622,9 @@ |
@@ -413,10 +413,10 @@ index 0401ad1..6bc422c 100644 | |||
413 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 413 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
414 | 414 | ||
415 | diff --git a/configure b/configure | 415 | diff --git a/configure b/configure |
416 | index d690393..b6b5b6d 100755 | 416 | index 6815388..ea5f200 100755 |
417 | --- a/configure | 417 | --- a/configure |
418 | +++ b/configure | 418 | +++ b/configure |
419 | @@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h | 419 | @@ -7168,6 +7168,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h |
420 | 420 | ||
421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | 421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h |
422 | 422 | ||
@@ -481,7 +481,7 @@ index d690393..b6b5b6d 100755 | |||
481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" | 481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" |
482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : | 482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : |
483 | diff --git a/configure.ac b/configure.ac | 483 | diff --git a/configure.ac b/configure.ac |
484 | index 7c6ce08..d235fb0 100644 | 484 | index 67c4486..90e81e1 100644 |
485 | --- a/configure.ac | 485 | --- a/configure.ac |
486 | +++ b/configure.ac | 486 | +++ b/configure.ac |
487 | @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 487 | @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
@@ -866,7 +866,7 @@ index b39281b..1e569ad 100644 | |||
866 | + | 866 | + |
867 | #endif /* GSSAPI */ | 867 | #endif /* GSSAPI */ |
868 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c | 868 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c |
869 | index 759fa10..e678a27 100644 | 869 | index 795992d..fd8b371 100644 |
870 | --- a/gss-serv-krb5.c | 870 | --- a/gss-serv-krb5.c |
871 | +++ b/gss-serv-krb5.c | 871 | +++ b/gss-serv-krb5.c |
872 | @@ -1,7 +1,7 @@ | 872 | @@ -1,7 +1,7 @@ |
@@ -878,7 +878,7 @@ index 759fa10..e678a27 100644 | |||
878 | * | 878 | * |
879 | * Redistribution and use in source and binary forms, with or without | 879 | * Redistribution and use in source and binary forms, with or without |
880 | * modification, are permitted provided that the following conditions | 880 | * modification, are permitted provided that the following conditions |
881 | @@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 881 | @@ -121,8 +121,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
882 | krb5_error_code problem; | 882 | krb5_error_code problem; |
883 | krb5_principal princ; | 883 | krb5_principal princ; |
884 | OM_uint32 maj_status, min_status; | 884 | OM_uint32 maj_status, min_status; |
@@ -888,7 +888,7 @@ index 759fa10..e678a27 100644 | |||
888 | 888 | ||
889 | if (client->creds == NULL) { | 889 | if (client->creds == NULL) { |
890 | debug("No credentials stored"); | 890 | debug("No credentials stored"); |
891 | @@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 891 | @@ -181,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
892 | return; | 892 | return; |
893 | } | 893 | } |
894 | 894 | ||
@@ -909,7 +909,7 @@ index 759fa10..e678a27 100644 | |||
909 | 909 | ||
910 | #ifdef USE_PAM | 910 | #ifdef USE_PAM |
911 | if (options.use_pam) | 911 | if (options.use_pam) |
912 | @@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 912 | @@ -197,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
913 | return; | 913 | return; |
914 | } | 914 | } |
915 | 915 | ||
@@ -981,7 +981,7 @@ index 759fa10..e678a27 100644 | |||
981 | ssh_gssapi_mech gssapi_kerberos_mech = { | 981 | ssh_gssapi_mech gssapi_kerberos_mech = { |
982 | "toWM5Slw5Ew8Mqkay+al2g==", | 982 | "toWM5Slw5Ew8Mqkay+al2g==", |
983 | "Kerberos", | 983 | "Kerberos", |
984 | @@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { | 984 | @@ -204,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { |
985 | NULL, | 985 | NULL, |
986 | &ssh_gssapi_krb5_userok, | 986 | &ssh_gssapi_krb5_userok, |
987 | NULL, | 987 | NULL, |
@@ -992,11 +992,11 @@ index 759fa10..e678a27 100644 | |||
992 | 992 | ||
993 | #endif /* KRB5 */ | 993 | #endif /* KRB5 */ |
994 | diff --git a/gss-serv.c b/gss-serv.c | 994 | diff --git a/gss-serv.c b/gss-serv.c |
995 | index e61b37b..c33463b 100644 | 995 | index 5c59924..50fa438 100644 |
996 | --- a/gss-serv.c | 996 | --- a/gss-serv.c |
997 | +++ b/gss-serv.c | 997 | +++ b/gss-serv.c |
998 | @@ -1,7 +1,7 @@ | 998 | @@ -1,7 +1,7 @@ |
999 | /* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */ | 999 | /* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */ |
1000 | 1000 | ||
1001 | /* | 1001 | /* |
1002 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 1002 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -1029,7 +1029,7 @@ index e61b37b..c33463b 100644 | |||
1029 | #ifdef KRB5 | 1029 | #ifdef KRB5 |
1030 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 1030 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
1031 | @@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | 1031 | @@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) |
1032 | char lname[MAXHOSTNAMELEN]; | 1032 | char lname[NI_MAXHOST]; |
1033 | gss_OID_set oidset; | 1033 | gss_OID_set oidset; |
1034 | 1034 | ||
1035 | - gss_create_empty_oid_set(&status, &oidset); | 1035 | - gss_create_empty_oid_set(&status, &oidset); |
@@ -1038,11 +1038,11 @@ index e61b37b..c33463b 100644 | |||
1038 | + gss_create_empty_oid_set(&status, &oidset); | 1038 | + gss_create_empty_oid_set(&status, &oidset); |
1039 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); | 1039 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); |
1040 | 1040 | ||
1041 | - if (gethostname(lname, MAXHOSTNAMELEN)) { | 1041 | - if (gethostname(lname, sizeof(lname))) { |
1042 | - gss_release_oid_set(&status, &oidset); | 1042 | - gss_release_oid_set(&status, &oidset); |
1043 | - return (-1); | 1043 | - return (-1); |
1044 | - } | 1044 | - } |
1045 | + if (gethostname(lname, MAXHOSTNAMELEN)) { | 1045 | + if (gethostname(lname, sizeof(lname))) { |
1046 | + gss_release_oid_set(&status, &oidset); | 1046 | + gss_release_oid_set(&status, &oidset); |
1047 | + return (-1); | 1047 | + return (-1); |
1048 | + } | 1048 | + } |
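Review bot: the re-added `+ if (gethostname(lname, sizeof(lname))) {` keeps the length argument tied to the buffer, which the preceding hunk now declares as `char lname[NI_MAXHOST];` instead of `MAXHOSTNAMELEN`; none of the refreshed `+` lines still pass a hard-coded size, so the patch can no longer drift from the upstream buffer size if that changes again. Nothing to change here.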
@@ -1310,10 +1310,10 @@ index e61b37b..c33463b 100644 | |||
1310 | 1310 | ||
1311 | #endif | 1311 | #endif |
1312 | diff --git a/kex.c b/kex.c | 1312 | diff --git a/kex.c b/kex.c |
1313 | index 74e2b86..d114ee3 100644 | 1313 | index a173e70..891852b 100644 |
1314 | --- a/kex.c | 1314 | --- a/kex.c |
1315 | +++ b/kex.c | 1315 | +++ b/kex.c |
1316 | @@ -51,6 +51,10 @@ | 1316 | @@ -53,6 +53,10 @@ |
1317 | #include "roaming.h" | 1317 | #include "roaming.h" |
1318 | #include "digest.h" | 1318 | #include "digest.h" |
1319 | 1319 | ||
@@ -1324,8 +1324,8 @@ index 74e2b86..d114ee3 100644 | |||
1324 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1324 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1325 | # if defined(HAVE_EVP_SHA256) | 1325 | # if defined(HAVE_EVP_SHA256) |
1326 | # define evp_ssh_sha256 EVP_sha256 | 1326 | # define evp_ssh_sha256 EVP_sha256 |
1327 | @@ -92,6 +96,14 @@ static const struct kexalg kexalgs[] = { | 1327 | @@ -96,6 +100,14 @@ static const struct kexalg kexalgs[] = { |
1328 | #endif | 1328 | #endif /* HAVE_EVP_SHA256 */ |
1329 | { NULL, -1, -1, -1}, | 1329 | { NULL, -1, -1, -1}, |
1330 | }; | 1330 | }; |
1331 | +static const struct kexalg kexalg_prefixes[] = { | 1331 | +static const struct kexalg kexalg_prefixes[] = { |
@@ -1339,7 +1339,7 @@ index 74e2b86..d114ee3 100644 | |||
1339 | 1339 | ||
1340 | char * | 1340 | char * |
1341 | kex_alg_list(char sep) | 1341 | kex_alg_list(char sep) |
1342 | @@ -120,6 +132,10 @@ kex_alg_by_name(const char *name) | 1342 | @@ -124,6 +136,10 @@ kex_alg_by_name(const char *name) |
1343 | if (strcmp(k->name, name) == 0) | 1343 | if (strcmp(k->name, name) == 0) |
1344 | return k; | 1344 | return k; |
1345 | } | 1345 | } |
@@ -1351,7 +1351,7 @@ index 74e2b86..d114ee3 100644 | |||
1351 | } | 1351 | } |
1352 | 1352 | ||
1353 | diff --git a/kex.h b/kex.h | 1353 | diff --git a/kex.h b/kex.h |
1354 | index c85680e..ea698c4 100644 | 1354 | index 4c40ec8..c179a4d 100644 |
1355 | --- a/kex.h | 1355 | --- a/kex.h |
1356 | +++ b/kex.h | 1356 | +++ b/kex.h |
1357 | @@ -76,6 +76,9 @@ enum kex_exchange { | 1357 | @@ -76,6 +76,9 @@ enum kex_exchange { |
@@ -1729,10 +1729,10 @@ index 0000000..92a31c5 | |||
1729 | +#endif /* GSSAPI */ | 1729 | +#endif /* GSSAPI */ |
1730 | diff --git a/kexgsss.c b/kexgsss.c | 1730 | diff --git a/kexgsss.c b/kexgsss.c |
1731 | new file mode 100644 | 1731 | new file mode 100644 |
1732 | index 0000000..8095259 | 1732 | index 0000000..6a0ece8 |
1733 | --- /dev/null | 1733 | --- /dev/null |
1734 | +++ b/kexgsss.c | 1734 | +++ b/kexgsss.c |
1735 | @@ -0,0 +1,289 @@ | 1735 | @@ -0,0 +1,290 @@ |
1736 | +/* | 1736 | +/* |
1737 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1737 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1738 | + * | 1738 | + * |
@@ -1777,6 +1777,7 @@ index 0000000..8095259 | |||
1777 | +#include "dh.h" | 1777 | +#include "dh.h" |
1778 | +#include "ssh-gss.h" | 1778 | +#include "ssh-gss.h" |
1779 | +#include "monitor_wrap.h" | 1779 | +#include "monitor_wrap.h" |
1780 | +#include "misc.h" | ||
1780 | +#include "servconf.h" | 1781 | +#include "servconf.h" |
1781 | + | 1782 | + |
1782 | +extern ServerOptions options; | 1783 | +extern ServerOptions options; |
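Review bot: the new `+#include "misc.h"` line in kexgsss.c has no explanation in the visible patch; the refresh should record which misc.h symbol the file now needs so the include is not dropped in the next rebase. The `@@ -0,0 +1,290 @@` header in the preceding hunk (up from 289) already accounts for the extra line, so the counts are consistent.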
@@ -2022,44 +2023,11 @@ index 0000000..8095259 | |||
2022 | + ssh_gssapi_rekey_creds(); | 2023 | + ssh_gssapi_rekey_creds(); |
2023 | +} | 2024 | +} |
2024 | +#endif /* GSSAPI */ | 2025 | +#endif /* GSSAPI */ |
2025 | diff --git a/key.c b/key.c | ||
2026 | index 168e1b7..3d640e7 100644 | ||
2027 | --- a/key.c | ||
2028 | +++ b/key.c | ||
2029 | @@ -985,6 +985,7 @@ static const struct keytype keytypes[] = { | ||
2030 | KEY_DSA_CERT_V00, 0, 1 }, | ||
2031 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", | ||
2032 | KEY_ED25519_CERT, 0, 1 }, | ||
2033 | + { "null", "null", KEY_NULL, 0, 0 }, | ||
2034 | { NULL, NULL, -1, -1, 0 } | ||
2035 | }; | ||
2036 | |||
2037 | @@ -1063,7 +1064,7 @@ key_alg_list(int certs_only, int plain_only) | ||
2038 | const struct keytype *kt; | ||
2039 | |||
2040 | for (kt = keytypes; kt->type != -1; kt++) { | ||
2041 | - if (kt->name == NULL) | ||
2042 | + if (kt->name == NULL || kt->type == KEY_NULL) | ||
2043 | continue; | ||
2044 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | ||
2045 | continue; | ||
2046 | diff --git a/key.h b/key.h | ||
2047 | index d8ad13d..c8aeba2 100644 | ||
2048 | --- a/key.h | ||
2049 | +++ b/key.h | ||
2050 | @@ -46,6 +46,7 @@ enum types { | ||
2051 | KEY_ED25519_CERT, | ||
2052 | KEY_RSA_CERT_V00, | ||
2053 | KEY_DSA_CERT_V00, | ||
2054 | + KEY_NULL, | ||
2055 | KEY_UNSPEC | ||
2056 | }; | ||
2057 | enum fp_type { | ||
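Review bot: removing the whole key.c/key.h section (`+ { "null", "null", KEY_NULL, 0, 0 },`, `+ KEY_NULL,` and the `key_alg_list()` filter `+ if (kt->name == NULL || kt->type == KEY_NULL)`) takes the null host-key type out of the patch, while kexgsss.c and the GSSAPI kex registrations are still added by the surrounding hunks. Confirm that the equivalent type is registered wherever the key-type table now lives in 6.7p1 (not visible in this diff) and that the "skip it in the algorithm list" guard moved with it; otherwise either the GSS key exchange loses its null host key, or `null` starts appearing in the advertised key-type list.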
2058 | diff --git a/monitor.c b/monitor.c | 2026 | diff --git a/monitor.c b/monitor.c |
2059 | index 531c4f9..2918814 100644 | 2027 | index dbe29f1..b0896ef 100644 |
2060 | --- a/monitor.c | 2028 | --- a/monitor.c |
2061 | +++ b/monitor.c | 2029 | +++ b/monitor.c |
2062 | @@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 2030 | @@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
2063 | int mm_answer_gss_accept_ctx(int, Buffer *); | 2031 | int mm_answer_gss_accept_ctx(int, Buffer *); |
2064 | int mm_answer_gss_userok(int, Buffer *); | 2032 | int mm_answer_gss_userok(int, Buffer *); |
2065 | int mm_answer_gss_checkmic(int, Buffer *); | 2033 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -2068,7 +2036,7 @@ index 531c4f9..2918814 100644 | |||
2068 | #endif | 2036 | #endif |
2069 | 2037 | ||
2070 | #ifdef SSH_AUDIT_EVENTS | 2038 | #ifdef SSH_AUDIT_EVENTS |
2071 | @@ -247,11 +249,18 @@ struct mon_table mon_dispatch_proto20[] = { | 2039 | @@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = { |
2072 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 2040 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
2073 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 2041 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
2074 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 2042 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -2084,10 +2052,10 @@ index 531c4f9..2918814 100644 | |||
2084 | + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, | 2052 | + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, |
2085 | + {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, | 2053 | + {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, |
2086 | +#endif | 2054 | +#endif |
2055 | #ifdef WITH_OPENSSL | ||
2087 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2056 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2088 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 2057 | #endif |
2089 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 2058 | @@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
2090 | @@ -360,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | ||
2091 | /* Permit requests for moduli and signatures */ | 2059 | /* Permit requests for moduli and signatures */ |
2092 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2060 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2093 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2061 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
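Review bot: the refreshed context now wraps `{MONITOR_REQ_MODULI, 0, mm_answer_moduli},` in `#ifdef WITH_OPENSSL`, and the patch's `+#endif` closes its own `#ifdef GSSAPI` block before that guard opens, so the two conditionals do not nest; good. Worth noting that the `monitor_child_preauth` context just below still calls `monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);` unconditionally, so a permit is granted for a request type that may be compiled out; that is upstream's code rather than the patch's, but it is the spot the patch's next four added lines hook into.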
@@ -2098,7 +2066,7 @@ index 531c4f9..2918814 100644 | |||
2098 | } else { | 2066 | } else { |
2099 | mon_dispatch = mon_dispatch_proto15; | 2067 | mon_dispatch = mon_dispatch_proto15; |
2100 | 2068 | ||
2101 | @@ -465,6 +478,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 2069 | @@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
2102 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2070 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2103 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2071 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2104 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2072 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2109,9 +2077,9 @@ index 531c4f9..2918814 100644 | |||
2109 | } else { | 2077 | } else { |
2110 | mon_dispatch = mon_dispatch_postauth15; | 2078 | mon_dispatch = mon_dispatch_postauth15; |
2111 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2079 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2112 | @@ -1834,6 +1851,13 @@ mm_get_kex(Buffer *m) | 2080 | @@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m) |
2113 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | ||
2114 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2081 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
2082 | #endif | ||
2115 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2083 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
2116 | +#ifdef GSSAPI | 2084 | +#ifdef GSSAPI |
2117 | + if (options.gss_keyex) { | 2085 | + if (options.gss_keyex) { |
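Review bot: the `+#ifdef GSSAPI` / `+ if (options.gss_keyex) {` block that registers the GSS kex server methods now sits after the new `#endif` that closes the OpenSSL-only `kex->kex[KEX_ECDH_SHA2] = kexecdh_server;` assignment (upstream also dropped the `KEX_DH_GEX_SHA256` line from this spot). Since kexgsss.c includes `dh.h` (see its hunk above), the GSS methods depend on OpenSSL; either nest this block under `WITH_OPENSSL` as well or make sure configure refuses GSSAPI key exchange in a non-OpenSSL build. The same question applies to the matching client-side block in sshconnect2.c.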
@@ -2123,7 +2091,7 @@ index 531c4f9..2918814 100644 | |||
2123 | kex->server = 1; | 2091 | kex->server = 1; |
2124 | kex->hostkey_type = buffer_get_int(m); | 2092 | kex->hostkey_type = buffer_get_int(m); |
2125 | kex->kex_type = buffer_get_int(m); | 2093 | kex->kex_type = buffer_get_int(m); |
2126 | @@ -2041,6 +2065,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2094 | @@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2127 | OM_uint32 major; | 2095 | OM_uint32 major; |
2128 | u_int len; | 2096 | u_int len; |
2129 | 2097 | ||
@@ -2133,7 +2101,7 @@ index 531c4f9..2918814 100644 | |||
2133 | goid.elements = buffer_get_string(m, &len); | 2101 | goid.elements = buffer_get_string(m, &len); |
2134 | goid.length = len; | 2102 | goid.length = len; |
2135 | 2103 | ||
2136 | @@ -2068,6 +2095,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2104 | @@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2137 | OM_uint32 flags = 0; /* GSI needs this */ | 2105 | OM_uint32 flags = 0; /* GSI needs this */ |
2138 | u_int len; | 2106 | u_int len; |
2139 | 2107 | ||
@@ -2143,7 +2111,7 @@ index 531c4f9..2918814 100644 | |||
2143 | in.value = buffer_get_string(m, &len); | 2111 | in.value = buffer_get_string(m, &len); |
2144 | in.length = len; | 2112 | in.length = len; |
2145 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2113 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2146 | @@ -2085,6 +2115,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2114 | @@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2147 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2115 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2148 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2116 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2149 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2117 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2151,7 +2119,7 @@ index 531c4f9..2918814 100644 | |||
2151 | } | 2119 | } |
2152 | return (0); | 2120 | return (0); |
2153 | } | 2121 | } |
2154 | @@ -2096,6 +2127,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2122 | @@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2155 | OM_uint32 ret; | 2123 | OM_uint32 ret; |
2156 | u_int len; | 2124 | u_int len; |
2157 | 2125 | ||
@@ -2161,7 +2129,7 @@ index 531c4f9..2918814 100644 | |||
2161 | gssbuf.value = buffer_get_string(m, &len); | 2129 | gssbuf.value = buffer_get_string(m, &len); |
2162 | gssbuf.length = len; | 2130 | gssbuf.length = len; |
2163 | mic.value = buffer_get_string(m, &len); | 2131 | mic.value = buffer_get_string(m, &len); |
2164 | @@ -2122,7 +2156,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2132 | @@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2165 | { | 2133 | { |
2166 | int authenticated; | 2134 | int authenticated; |
2167 | 2135 | ||
@@ -2174,7 +2142,7 @@ index 531c4f9..2918814 100644 | |||
2174 | 2142 | ||
2175 | buffer_clear(m); | 2143 | buffer_clear(m); |
2176 | buffer_put_int(m, authenticated); | 2144 | buffer_put_int(m, authenticated); |
2177 | @@ -2135,5 +2173,73 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2145 | @@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2178 | /* Monitor loop will terminate if authenticated */ | 2146 | /* Monitor loop will terminate if authenticated */ |
2179 | return (authenticated); | 2147 | return (authenticated); |
2180 | } | 2148 | } |
@@ -2263,10 +2231,10 @@ index 5bc41b5..7f32b0c 100644 | |||
2263 | 2231 | ||
2264 | struct mm_master; | 2232 | struct mm_master; |
2265 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2233 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2266 | index 1a47e41..60b987d 100644 | 2234 | index 45dc169..e476f0d 100644 |
2267 | --- a/monitor_wrap.c | 2235 | --- a/monitor_wrap.c |
2268 | +++ b/monitor_wrap.c | 2236 | +++ b/monitor_wrap.c |
2269 | @@ -1271,7 +1271,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2237 | @@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2270 | } | 2238 | } |
2271 | 2239 | ||
2272 | int | 2240 | int |
@@ -2275,7 +2243,7 @@ index 1a47e41..60b987d 100644 | |||
2275 | { | 2243 | { |
2276 | Buffer m; | 2244 | Buffer m; |
2277 | int authenticated = 0; | 2245 | int authenticated = 0; |
2278 | @@ -1288,5 +1288,50 @@ mm_ssh_gssapi_userok(char *user) | 2246 | @@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user) |
2279 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2247 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2280 | return (authenticated); | 2248 | return (authenticated); |
2281 | } | 2249 | } |
@@ -2343,10 +2311,10 @@ index 18c2501..a4e9d24 100644 | |||
2343 | 2311 | ||
2344 | #ifdef USE_PAM | 2312 | #ifdef USE_PAM |
2345 | diff --git a/readconf.c b/readconf.c | 2313 | diff --git a/readconf.c b/readconf.c |
2346 | index dc884c9..7613ff2 100644 | 2314 | index 7948ce1..9127e93 100644 |
2347 | --- a/readconf.c | 2315 | --- a/readconf.c |
2348 | +++ b/readconf.c | 2316 | +++ b/readconf.c |
2349 | @@ -141,6 +141,8 @@ typedef enum { | 2317 | @@ -142,6 +142,8 @@ typedef enum { |
2350 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2318 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2351 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2319 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2352 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2320 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
@@ -2355,7 +2323,7 @@ index dc884c9..7613ff2 100644 | |||
2355 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2323 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2356 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2324 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2357 | oHashKnownHosts, | 2325 | oHashKnownHosts, |
2358 | @@ -183,10 +185,19 @@ static struct { | 2326 | @@ -185,10 +187,19 @@ static struct { |
2359 | { "afstokenpassing", oUnsupported }, | 2327 | { "afstokenpassing", oUnsupported }, |
2360 | #if defined(GSSAPI) | 2328 | #if defined(GSSAPI) |
2361 | { "gssapiauthentication", oGssAuthentication }, | 2329 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2375,7 +2343,7 @@ index dc884c9..7613ff2 100644 | |||
2375 | #endif | 2343 | #endif |
2376 | { "fallbacktorsh", oDeprecated }, | 2344 | { "fallbacktorsh", oDeprecated }, |
2377 | { "usersh", oDeprecated }, | 2345 | { "usersh", oDeprecated }, |
2378 | @@ -841,10 +852,30 @@ parse_time: | 2346 | @@ -865,10 +876,30 @@ parse_time: |
2379 | intptr = &options->gss_authentication; | 2347 | intptr = &options->gss_authentication; |
2380 | goto parse_flag; | 2348 | goto parse_flag; |
2381 | 2349 | ||
@@ -2406,7 +2374,7 @@ index dc884c9..7613ff2 100644 | |||
2406 | case oBatchMode: | 2374 | case oBatchMode: |
2407 | intptr = &options->batch_mode; | 2375 | intptr = &options->batch_mode; |
2408 | goto parse_flag; | 2376 | goto parse_flag; |
2409 | @@ -1497,7 +1528,12 @@ initialize_options(Options * options) | 2377 | @@ -1538,7 +1569,12 @@ initialize_options(Options * options) |
2410 | options->pubkey_authentication = -1; | 2378 | options->pubkey_authentication = -1; |
2411 | options->challenge_response_authentication = -1; | 2379 | options->challenge_response_authentication = -1; |
2412 | options->gss_authentication = -1; | 2380 | options->gss_authentication = -1; |
@@ -2419,7 +2387,7 @@ index dc884c9..7613ff2 100644 | |||
2419 | options->password_authentication = -1; | 2387 | options->password_authentication = -1; |
2420 | options->kbd_interactive_authentication = -1; | 2388 | options->kbd_interactive_authentication = -1; |
2421 | options->kbd_interactive_devices = NULL; | 2389 | options->kbd_interactive_devices = NULL; |
2422 | @@ -1616,8 +1652,14 @@ fill_default_options(Options * options) | 2390 | @@ -1661,8 +1697,14 @@ fill_default_options(Options * options) |
2423 | options->challenge_response_authentication = 1; | 2391 | options->challenge_response_authentication = 1; |
2424 | if (options->gss_authentication == -1) | 2392 | if (options->gss_authentication == -1) |
2425 | options->gss_authentication = 0; | 2393 | options->gss_authentication = 0; |
@@ -2435,10 +2403,10 @@ index dc884c9..7613ff2 100644 | |||
2435 | options->password_authentication = 1; | 2403 | options->password_authentication = 1; |
2436 | if (options->kbd_interactive_authentication == -1) | 2404 | if (options->kbd_interactive_authentication == -1) |
2437 | diff --git a/readconf.h b/readconf.h | 2405 | diff --git a/readconf.h b/readconf.h |
2438 | index 75e3f8f..5cc97f0 100644 | 2406 | index 0b9cb77..0e29889 100644 |
2439 | --- a/readconf.h | 2407 | --- a/readconf.h |
2440 | +++ b/readconf.h | 2408 | +++ b/readconf.h |
2441 | @@ -54,7 +54,12 @@ typedef struct { | 2409 | @@ -45,7 +45,12 @@ typedef struct { |
2442 | int challenge_response_authentication; | 2410 | int challenge_response_authentication; |
2443 | /* Try S/Key or TIS, authentication. */ | 2411 | /* Try S/Key or TIS, authentication. */ |
2444 | int gss_authentication; /* Try GSS authentication */ | 2412 | int gss_authentication; /* Try GSS authentication */ |
@@ -2452,10 +2420,10 @@ index 75e3f8f..5cc97f0 100644 | |||
2452 | * authentication. */ | 2420 | * authentication. */ |
2453 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2421 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2454 | diff --git a/servconf.c b/servconf.c | 2422 | diff --git a/servconf.c b/servconf.c |
2455 | index 7ba65d5..0083cf8 100644 | 2423 | index b7f3294..cb3c831 100644 |
2456 | --- a/servconf.c | 2424 | --- a/servconf.c |
2457 | +++ b/servconf.c | 2425 | +++ b/servconf.c |
2458 | @@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options) | 2426 | @@ -109,7 +109,10 @@ initialize_server_options(ServerOptions *options) |
2459 | options->kerberos_ticket_cleanup = -1; | 2427 | options->kerberos_ticket_cleanup = -1; |
2460 | options->kerberos_get_afs_token = -1; | 2428 | options->kerberos_get_afs_token = -1; |
2461 | options->gss_authentication=-1; | 2429 | options->gss_authentication=-1; |
@@ -2466,7 +2434,7 @@ index 7ba65d5..0083cf8 100644 | |||
2466 | options->password_authentication = -1; | 2434 | options->password_authentication = -1; |
2467 | options->kbd_interactive_authentication = -1; | 2435 | options->kbd_interactive_authentication = -1; |
2468 | options->challenge_response_authentication = -1; | 2436 | options->challenge_response_authentication = -1; |
2469 | @@ -244,8 +247,14 @@ fill_default_server_options(ServerOptions *options) | 2437 | @@ -250,8 +253,14 @@ fill_default_server_options(ServerOptions *options) |
2470 | options->kerberos_get_afs_token = 0; | 2438 | options->kerberos_get_afs_token = 0; |
2471 | if (options->gss_authentication == -1) | 2439 | if (options->gss_authentication == -1) |
2472 | options->gss_authentication = 0; | 2440 | options->gss_authentication = 0; |
@@ -2481,7 +2449,7 @@ index 7ba65d5..0083cf8 100644 | |||
2481 | if (options->password_authentication == -1) | 2449 | if (options->password_authentication == -1) |
2482 | options->password_authentication = 1; | 2450 | options->password_authentication = 1; |
2483 | if (options->kbd_interactive_authentication == -1) | 2451 | if (options->kbd_interactive_authentication == -1) |
2484 | @@ -340,7 +349,9 @@ typedef enum { | 2452 | @@ -352,7 +361,9 @@ typedef enum { |
2485 | sBanner, sUseDNS, sHostbasedAuthentication, | 2453 | sBanner, sUseDNS, sHostbasedAuthentication, |
2486 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2454 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2487 | sClientAliveCountMax, sAuthorizedKeysFile, | 2455 | sClientAliveCountMax, sAuthorizedKeysFile, |
@@ -2492,7 +2460,7 @@ index 7ba65d5..0083cf8 100644 | |||
2492 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2460 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2493 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2461 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2494 | sHostCertificate, | 2462 | sHostCertificate, |
2495 | @@ -407,10 +418,20 @@ static struct { | 2463 | @@ -421,10 +432,20 @@ static struct { |
2496 | #ifdef GSSAPI | 2464 | #ifdef GSSAPI |
2497 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2465 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2498 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2466 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2513,7 +2481,7 @@ index 7ba65d5..0083cf8 100644 | |||
2513 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2481 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2514 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2482 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2515 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2483 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2516 | @@ -1086,10 +1107,22 @@ process_server_config_line(ServerOptions *options, char *line, | 2484 | @@ -1104,10 +1125,22 @@ process_server_config_line(ServerOptions *options, char *line, |
2517 | intptr = &options->gss_authentication; | 2485 | intptr = &options->gss_authentication; |
2518 | goto parse_flag; | 2486 | goto parse_flag; |
2519 | 2487 | ||
@@ -2536,7 +2504,7 @@ index 7ba65d5..0083cf8 100644 | |||
2536 | case sPasswordAuthentication: | 2504 | case sPasswordAuthentication: |
2537 | intptr = &options->password_authentication; | 2505 | intptr = &options->password_authentication; |
2538 | goto parse_flag; | 2506 | goto parse_flag; |
2539 | @@ -1995,7 +2028,10 @@ dump_config(ServerOptions *o) | 2507 | @@ -2042,7 +2075,10 @@ dump_config(ServerOptions *o) |
2540 | #endif | 2508 | #endif |
2541 | #ifdef GSSAPI | 2509 | #ifdef GSSAPI |
2542 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2510 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2548,10 +2516,10 @@ index 7ba65d5..0083cf8 100644 | |||
2548 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2516 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2549 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2517 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2550 | diff --git a/servconf.h b/servconf.h | 2518 | diff --git a/servconf.h b/servconf.h |
2551 | index 752d1c5..c922eb5 100644 | 2519 | index 766db3a..f8265a8 100644 |
2552 | --- a/servconf.h | 2520 | --- a/servconf.h |
2553 | +++ b/servconf.h | 2521 | +++ b/servconf.h |
2554 | @@ -112,7 +112,10 @@ typedef struct { | 2522 | @@ -113,7 +113,10 @@ typedef struct { |
2555 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2523 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2556 | * authenticated with Kerberos. */ | 2524 | * authenticated with Kerberos. */ |
2557 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2525 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2679,10 +2647,10 @@ index 03a228f..228e5ab 100644 | |||
2679 | # CheckHostIP yes | 2647 | # CheckHostIP yes |
2680 | # AddressFamily any | 2648 | # AddressFamily any |
2681 | diff --git a/ssh_config.5 b/ssh_config.5 | 2649 | diff --git a/ssh_config.5 b/ssh_config.5 |
2682 | index b580392..e7accd6 100644 | 2650 | index f9ede7a..e6649ac 100644 |
2683 | --- a/ssh_config.5 | 2651 | --- a/ssh_config.5 |
2684 | +++ b/ssh_config.5 | 2652 | +++ b/ssh_config.5 |
2685 | @@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2653 | @@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2686 | The default is | 2654 | The default is |
2687 | .Dq no . | 2655 | .Dq no . |
2688 | Note that this option applies to protocol version 2 only. | 2656 | Note that this option applies to protocol version 2 only. |
@@ -2728,11 +2696,11 @@ index b580392..e7accd6 100644 | |||
2728 | Indicates that | 2696 | Indicates that |
2729 | .Xr ssh 1 | 2697 | .Xr ssh 1 |
2730 | diff --git a/sshconnect2.c b/sshconnect2.c | 2698 | diff --git a/sshconnect2.c b/sshconnect2.c |
2731 | index 7f4ff41..66cb035 100644 | 2699 | index 68f7f4f..7b478f1 100644 |
2732 | --- a/sshconnect2.c | 2700 | --- a/sshconnect2.c |
2733 | +++ b/sshconnect2.c | 2701 | +++ b/sshconnect2.c |
2734 | @@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2702 | @@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2735 | { | 2703 | char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; |
2736 | Kex *kex; | 2704 | Kex *kex; |
2737 | 2705 | ||
2738 | +#ifdef GSSAPI | 2706 | +#ifdef GSSAPI |
@@ -2766,9 +2734,9 @@ index 7f4ff41..66cb035 100644 | |||
2766 | if (options.ciphers == (char *)-1) { | 2734 | if (options.ciphers == (char *)-1) { |
2767 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2735 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2768 | options.ciphers = NULL; | 2736 | options.ciphers = NULL; |
2769 | @@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2737 | @@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2770 | if (options.kex_algorithms != NULL) | 2738 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
2771 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 2739 | myproposal[PROPOSAL_KEX_ALGS]); |
2772 | 2740 | ||
2773 | +#ifdef GSSAPI | 2741 | +#ifdef GSSAPI |
2774 | + /* If we've got GSSAPI algorithms, then we also support the | 2742 | + /* If we've got GSSAPI algorithms, then we also support the |
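Review bot: with upstream now running `myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(myproposal[PROPOSAL_KEX_ALGS]);` immediately before the patch's `+#ifdef GSSAPI` block, the GSSAPI kex algorithm names are appended after compat filtering and are therefore never subject to it; state in the patch header whether that ordering is intended. Note also that `myproposal` is now a function-local `char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };` in `ssh_kex2()` rather than a file-scope array, so every remaining reference the patch makes to it must be inside this function.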
@@ -2784,9 +2752,9 @@ index 7f4ff41..66cb035 100644 | |||
2784 | if (options.rekey_limit || options.rekey_interval) | 2752 | if (options.rekey_limit || options.rekey_interval) |
2785 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2753 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2786 | (time_t)options.rekey_interval); | 2754 | (time_t)options.rekey_interval); |
2787 | @@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2755 | @@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2788 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | ||
2789 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 2756 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; |
2757 | #endif | ||
2790 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; | 2758 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; |
2791 | +#ifdef GSSAPI | 2759 | +#ifdef GSSAPI |
2792 | + if (options.gss_keyex) { | 2760 | + if (options.gss_keyex) { |
@@ -2815,7 +2783,7 @@ index 7f4ff41..66cb035 100644 | |||
2815 | xxx_kex = kex; | 2783 | xxx_kex = kex; |
2816 | 2784 | ||
2817 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2785 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2818 | @@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | 2786 | @@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *); |
2819 | void input_gssapi_hash(int type, u_int32_t, void *); | 2787 | void input_gssapi_hash(int type, u_int32_t, void *); |
2820 | void input_gssapi_error(int, u_int32_t, void *); | 2788 | void input_gssapi_error(int, u_int32_t, void *); |
2821 | void input_gssapi_errtok(int, u_int32_t, void *); | 2789 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2823,7 +2791,7 @@ index 7f4ff41..66cb035 100644 | |||
2823 | #endif | 2791 | #endif |
2824 | 2792 | ||
2825 | void userauth(Authctxt *, char *); | 2793 | void userauth(Authctxt *, char *); |
2826 | @@ -316,6 +373,11 @@ static char *authmethods_get(void); | 2794 | @@ -321,6 +378,11 @@ static char *authmethods_get(void); |
2827 | 2795 | ||
2828 | Authmethod authmethods[] = { | 2796 | Authmethod authmethods[] = { |
2829 | #ifdef GSSAPI | 2797 | #ifdef GSSAPI |
@@ -2835,7 +2803,7 @@ index 7f4ff41..66cb035 100644 | |||
2835 | {"gssapi-with-mic", | 2803 | {"gssapi-with-mic", |
2836 | userauth_gssapi, | 2804 | userauth_gssapi, |
2837 | NULL, | 2805 | NULL, |
2838 | @@ -612,19 +674,31 @@ userauth_gssapi(Authctxt *authctxt) | 2806 | @@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt) |
2839 | static u_int mech = 0; | 2807 | static u_int mech = 0; |
2840 | OM_uint32 min; | 2808 | OM_uint32 min; |
2841 | int ok = 0; | 2809 | int ok = 0; |
@@ -2869,7 +2837,7 @@ index 7f4ff41..66cb035 100644 | |||
2869 | ok = 1; /* Mechanism works */ | 2837 | ok = 1; /* Mechanism works */ |
2870 | } else { | 2838 | } else { |
2871 | mech++; | 2839 | mech++; |
2872 | @@ -721,8 +795,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 2840 | @@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2873 | { | 2841 | { |
2874 | Authctxt *authctxt = ctxt; | 2842 | Authctxt *authctxt = ctxt; |
2875 | Gssctxt *gssctxt; | 2843 | Gssctxt *gssctxt; |
@@ -2880,7 +2848,7 @@ index 7f4ff41..66cb035 100644 | |||
2880 | 2848 | ||
2881 | if (authctxt == NULL) | 2849 | if (authctxt == NULL) |
2882 | fatal("input_gssapi_response: no authentication context"); | 2850 | fatal("input_gssapi_response: no authentication context"); |
2883 | @@ -831,6 +905,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 2851 | @@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2884 | free(msg); | 2852 | free(msg); |
2885 | free(lang); | 2853 | free(lang); |
2886 | } | 2854 | } |
@@ -2930,10 +2898,10 @@ index 7f4ff41..66cb035 100644 | |||
2930 | 2898 | ||
2931 | int | 2899 | int |
2932 | diff --git a/sshd.c b/sshd.c | 2900 | diff --git a/sshd.c b/sshd.c |
2933 | index 7523de9..d787fea 100644 | 2901 | index 481d001..e6706a8 100644 |
2934 | --- a/sshd.c | 2902 | --- a/sshd.c |
2935 | +++ b/sshd.c | 2903 | +++ b/sshd.c |
2936 | @@ -122,6 +122,10 @@ | 2904 | @@ -123,6 +123,10 @@ |
2937 | #include "ssh-sandbox.h" | 2905 | #include "ssh-sandbox.h" |
2938 | #include "version.h" | 2906 | #include "version.h" |
2939 | 2907 | ||
@@ -2941,10 +2909,10 @@ index 7523de9..d787fea 100644 | |||
2941 | +#include <Security/AuthSession.h> | 2909 | +#include <Security/AuthSession.h> |
2942 | +#endif | 2910 | +#endif |
2943 | + | 2911 | + |
2944 | #ifdef LIBWRAP | 2912 | #ifndef O_NOCTTY |
2945 | #include <tcpd.h> | 2913 | #define O_NOCTTY 0 |
2946 | #include <syslog.h> | 2914 | #endif |
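Review bot: the rebased context for this hunk now ends at `#ifndef O_NOCTTY` / `#define O_NOCTTY 0` where it previously showed `#ifdef LIBWRAP` / `#include <tcpd.h>`, so this patch no longer carries any tcp_wrappers context because upstream 6.7 removed that support. Since restore-tcp-wrappers.patch is added in this same commit and will put those includes back into sshd.c, confirm that the series applies this GSSAPI patch before it (or that both patches' contexts around the `#include "version.h"` block were regenerated against each other); otherwise the later patch will apply with fuzz or reject.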
2947 | @@ -1728,10 +1732,13 @@ main(int ac, char **av) | 2915 | @@ -1745,10 +1749,13 @@ main(int ac, char **av) |
2948 | logit("Disabling protocol version 1. Could not load host key"); | 2916 | logit("Disabling protocol version 1. Could not load host key"); |
2949 | options.protocol &= ~SSH_PROTO_1; | 2917 | options.protocol &= ~SSH_PROTO_1; |
2950 | } | 2918 | } |
@@ -2958,7 +2926,7 @@ index 7523de9..d787fea 100644 | |||
2958 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2926 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2959 | logit("sshd: no hostkeys available -- exiting."); | 2927 | logit("sshd: no hostkeys available -- exiting."); |
2960 | exit(1); | 2928 | exit(1); |
2961 | @@ -2058,6 +2065,60 @@ main(int ac, char **av) | 2929 | @@ -2060,6 +2067,60 @@ main(int ac, char **av) |
2962 | remote_ip, remote_port, | 2930 | remote_ip, remote_port, |
2963 | get_local_ipaddr(sock_in), get_local_port()); | 2931 | get_local_ipaddr(sock_in), get_local_port()); |
2964 | 2932 | ||
@@ -3019,7 +2987,7 @@ index 7523de9..d787fea 100644 | |||
3019 | /* | 2987 | /* |
3020 | * We don't want to listen forever unless the other side | 2988 | * We don't want to listen forever unless the other side |
3021 | * successfully authenticates itself. So we set up an alarm which is | 2989 | * successfully authenticates itself. So we set up an alarm which is |
3022 | @@ -2469,6 +2530,48 @@ do_ssh2_kex(void) | 2990 | @@ -2482,6 +2543,48 @@ do_ssh2_kex(void) |
3023 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2991 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3024 | list_hostkey_types()); | 2992 | list_hostkey_types()); |
3025 | 2993 | ||
@@ -3067,10 +3035,10 @@ index 7523de9..d787fea 100644 | |||
3067 | + | 3035 | + |
3068 | /* start key exchange */ | 3036 | /* start key exchange */ |
3069 | kex = kex_setup(myproposal); | 3037 | kex = kex_setup(myproposal); |
3070 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 3038 | #ifdef WITH_OPENSSL |
3071 | @@ -2477,6 +2580,13 @@ do_ssh2_kex(void) | 3039 | @@ -2492,6 +2595,13 @@ do_ssh2_kex(void) |
3072 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | ||
3073 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 3040 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
3041 | #endif | ||
3074 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 3042 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
3075 | +#ifdef GSSAPI | 3043 | +#ifdef GSSAPI |
3076 | + if (options.gss_keyex) { | 3044 | + if (options.gss_keyex) { |
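Review bot: in the new context `kex = kex_setup(myproposal);` is now followed by `#ifdef WITH_OPENSSL`, and the matching `#endif` closes before `kex->kex[KEX_C25519_SHA256] = kexc25519_server;`, so the `#ifdef GSSAPI` / `if (options.gss_keyex)` block added directly after that line is compiled in non-OpenSSL builds as well. If the GSSAPI key-exchange handlers registered inside that block (the remainder of the block is outside this hunk) rely on OpenSSL's DH code, they need their own `#ifdef WITH_OPENSSL` guard, or a build without OpenSSL but with GSSAPI enabled will fail to link.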
@@ -3096,10 +3064,10 @@ index e9045bc..d9b8594 100644 | |||
3096 | # Set this to 'yes' to enable PAM authentication, account processing, | 3064 | # Set this to 'yes' to enable PAM authentication, account processing, |
3097 | # and session processing. If this is enabled, PAM authentication will | 3065 | # and session processing. If this is enabled, PAM authentication will |
3098 | diff --git a/sshd_config.5 b/sshd_config.5 | 3066 | diff --git a/sshd_config.5 b/sshd_config.5 |
3099 | index ce71efe..ceed88a 100644 | 3067 | index fd44abe..c8b43da 100644 |
3100 | --- a/sshd_config.5 | 3068 | --- a/sshd_config.5 |
3101 | +++ b/sshd_config.5 | 3069 | +++ b/sshd_config.5 |
3102 | @@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. | 3070 | @@ -527,12 +527,40 @@ Specifies whether user authentication based on GSSAPI is allowed. |
3103 | The default is | 3071 | The default is |
3104 | .Dq no . | 3072 | .Dq no . |
3105 | Note that this option applies to protocol version 2 only. | 3073 | Note that this option applies to protocol version 2 only. |
@@ -3140,3 +3108,36 @@ index ce71efe..ceed88a 100644 | |||
3140 | .It Cm HostbasedAuthentication | 3108 | .It Cm HostbasedAuthentication |
3141 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 3109 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
3142 | with successful public key client host authentication is allowed | 3110 | with successful public key client host authentication is allowed |
3111 | diff --git a/sshkey.c b/sshkey.c | ||
3112 | index fdd0c8a..1a96eae 100644 | ||
3113 | --- a/sshkey.c | ||
3114 | +++ b/sshkey.c | ||
3115 | @@ -110,6 +110,7 @@ static const struct keytype keytypes[] = { | ||
3116 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | ||
3117 | KEY_DSA_CERT_V00, 0, 1 }, | ||
3118 | #endif /* WITH_OPENSSL */ | ||
3119 | + { "null", "null", KEY_NULL, 0, 0 }, | ||
3120 | { NULL, NULL, -1, -1, 0 } | ||
3121 | }; | ||
3122 | |||
3123 | @@ -198,7 +199,7 @@ key_alg_list(int certs_only, int plain_only) | ||
3124 | const struct keytype *kt; | ||
3125 | |||
3126 | for (kt = keytypes; kt->type != -1; kt++) { | ||
3127 | - if (kt->name == NULL) | ||
3128 | + if (kt->name == NULL || kt->type == KEY_NULL) | ||
3129 | continue; | ||
3130 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | ||
3131 | continue; | ||
3132 | diff --git a/sshkey.h b/sshkey.h | ||
3133 | index 450b30c..b573e7f 100644 | ||
3134 | --- a/sshkey.h | ||
3135 | +++ b/sshkey.h | ||
3136 | @@ -64,6 +64,7 @@ enum sshkey_types { | ||
3137 | KEY_ED25519_CERT, | ||
3138 | KEY_RSA_CERT_V00, | ||
3139 | KEY_DSA_CERT_V00, | ||
3140 | + KEY_NULL, | ||
3141 | KEY_UNSPEC | ||
3142 | }; | ||
3143 | |||
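Review bot: the new `{ "null", "null", KEY_NULL, 0, 0 }` entry makes the name `"null"` resolvable through `keytypes[]`, but only `key_alg_list()` is taught to skip `KEY_NULL` in this hunk. Any other helper that walks the same table on peer-supplied names (not shown here) should be checked so that a client or server cannot select or present a `null` key type by name; the added `|| kt->type == KEY_NULL` condition only keeps it out of the advertised algorithm lists. Placing `KEY_NULL` immediately before `KEY_UNSPEC` in `enum sshkey_types` keeps `KEY_UNSPEC` last, which is fine.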
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch index e79f4990f..de43f2a80 100644 --- a/debian/patches/helpful-wait-terminate.patch +++ b/debian/patches/helpful-wait-terminate.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ef912859a4300360164292abe47b5516c8ee4a13 Mon Sep 17 00:00:00 2001 | 1 | From aca34215fc0e85d6b49e04f0a3cd0db79732125e Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 |
4 | Subject: Mention ~& when waiting for forwarded connections to terminate | 4 | Subject: Mention ~& when waiting for forwarded connections to terminate |
@@ -12,7 +12,7 @@ Patch-Name: helpful-wait-terminate.patch | |||
12 | 1 file changed, 1 insertion(+), 1 deletion(-) | 12 | 1 file changed, 1 insertion(+), 1 deletion(-) |
13 | 13 | ||
14 | diff --git a/serverloop.c b/serverloop.c | 14 | diff --git a/serverloop.c b/serverloop.c |
15 | index 2f8e3a0..441d73b 100644 | 15 | index e92f9e2..813e5bf 100644 |
16 | --- a/serverloop.c | 16 | --- a/serverloop.c |
17 | +++ b/serverloop.c | 17 | +++ b/serverloop.c |
18 | @@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) | 18 | @@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index 680701f3d..15acabc0e 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 81540b7886fdc73c7be304706ea33d6d87b5fc81 Mon Sep 17 00:00:00 2001 | 1 | From bd3abc2f732da3a61e4158b915480808957a4357 Mon Sep 17 00:00:00 2001 |
2 | From: Richard Kettlewell <rjk@greenend.org.uk> | 2 | From: Richard Kettlewell <rjk@greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 |
4 | Subject: Various keepalive extensions | 4 | Subject: Various keepalive extensions |
@@ -16,7 +16,7 @@ keepalives. | |||
16 | Author: Ian Jackson <ian@chiark.greenend.org.uk> | 16 | Author: Ian Jackson <ian@chiark.greenend.org.uk> |
17 | Author: Matthew Vernon <matthew@debian.org> | 17 | Author: Matthew Vernon <matthew@debian.org> |
18 | Author: Colin Watson <cjwatson@debian.org> | 18 | Author: Colin Watson <cjwatson@debian.org> |
19 | Last-Update: 2013-09-14 | 19 | Last-Update: 2014-10-07 |
20 | 20 | ||
21 | Patch-Name: keepalive-extensions.patch | 21 | Patch-Name: keepalive-extensions.patch |
22 | --- | 22 | --- |
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch | |||
26 | 3 files changed, 34 insertions(+), 4 deletions(-) | 26 | 3 files changed, 34 insertions(+), 4 deletions(-) |
27 | 27 | ||
28 | diff --git a/readconf.c b/readconf.c | 28 | diff --git a/readconf.c b/readconf.c |
29 | index bcd8cad..6409937 100644 | 29 | index bc879eb..337818c 100644 |
30 | --- a/readconf.c | 30 | --- a/readconf.c |
31 | +++ b/readconf.c | 31 | +++ b/readconf.c |
32 | @@ -151,6 +151,7 @@ typedef enum { | 32 | @@ -153,6 +153,7 @@ typedef enum { |
33 | oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, | ||
34 | oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, | 33 | oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, |
35 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, | 34 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, |
35 | oStreamLocalBindMask, oStreamLocalBindUnlink, | ||
36 | + oProtocolKeepAlives, oSetupTimeOut, | 36 | + oProtocolKeepAlives, oSetupTimeOut, |
37 | oIgnoredUnknownOption, oDeprecated, oUnsupported | 37 | oIgnoredUnknownOption, oDeprecated, oUnsupported |
38 | } OpCodes; | 38 | } OpCodes; |
39 | 39 | ||
40 | @@ -274,6 +275,8 @@ static struct { | 40 | @@ -278,6 +279,8 @@ static struct { |
41 | { "canonicalizemaxdots", oCanonicalizeMaxDots }, | 41 | { "streamlocalbindmask", oStreamLocalBindMask }, |
42 | { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, | 42 | { "streamlocalbindunlink", oStreamLocalBindUnlink }, |
43 | { "ignoreunknown", oIgnoreUnknown }, | 43 | { "ignoreunknown", oIgnoreUnknown }, |
44 | + { "protocolkeepalives", oProtocolKeepAlives }, | 44 | + { "protocolkeepalives", oProtocolKeepAlives }, |
45 | + { "setuptimeout", oSetupTimeOut }, | 45 | + { "setuptimeout", oSetupTimeOut }, |
46 | 46 | ||
47 | { NULL, oBadOption } | 47 | { NULL, oBadOption } |
48 | }; | 48 | }; |
49 | @@ -1247,6 +1250,8 @@ parse_int: | 49 | @@ -1271,6 +1274,8 @@ parse_int: |
50 | goto parse_flag; | 50 | goto parse_flag; |
51 | 51 | ||
52 | case oServerAliveInterval: | 52 | case oServerAliveInterval: |
@@ -55,7 +55,7 @@ index bcd8cad..6409937 100644 | |||
55 | intptr = &options->server_alive_interval; | 55 | intptr = &options->server_alive_interval; |
56 | goto parse_time; | 56 | goto parse_time; |
57 | 57 | ||
58 | @@ -1746,8 +1751,13 @@ fill_default_options(Options * options) | 58 | @@ -1791,8 +1796,13 @@ fill_default_options(Options * options) |
59 | options->rekey_interval = 0; | 59 | options->rekey_interval = 0; |
60 | if (options->verify_host_key_dns == -1) | 60 | if (options->verify_host_key_dns == -1) |
61 | options->verify_host_key_dns = 0; | 61 | options->verify_host_key_dns = 0; |
@@ -72,7 +72,7 @@ index bcd8cad..6409937 100644 | |||
72 | options->server_alive_count_max = 3; | 72 | options->server_alive_count_max = 3; |
73 | if (options->control_master == -1) | 73 | if (options->control_master == -1) |
74 | diff --git a/ssh_config.5 b/ssh_config.5 | 74 | diff --git a/ssh_config.5 b/ssh_config.5 |
75 | index 473971e..3172fd4 100644 | 75 | index 01f1f7f..ea92ea8 100644 |
76 | --- a/ssh_config.5 | 76 | --- a/ssh_config.5 |
77 | +++ b/ssh_config.5 | 77 | +++ b/ssh_config.5 |
78 | @@ -205,8 +205,12 @@ Valid arguments are | 78 | @@ -205,8 +205,12 @@ Valid arguments are |
@@ -89,7 +89,7 @@ index 473971e..3172fd4 100644 | |||
89 | The argument must be | 89 | The argument must be |
90 | .Dq yes | 90 | .Dq yes |
91 | or | 91 | or |
92 | @@ -1305,8 +1309,15 @@ from the server, | 92 | @@ -1336,8 +1340,15 @@ from the server, |
93 | will send a message through the encrypted | 93 | will send a message through the encrypted |
94 | channel to request a response from the server. | 94 | channel to request a response from the server. |
95 | The default | 95 | The default |
@@ -103,10 +103,10 @@ index 473971e..3172fd4 100644 | |||
103 | +and | 103 | +and |
104 | +.Cm SetupTimeOut | 104 | +.Cm SetupTimeOut |
105 | +are Debian-specific compatibility aliases for this option. | 105 | +are Debian-specific compatibility aliases for this option. |
106 | .It Cm StrictHostKeyChecking | 106 | .It Cm StreamLocalBindMask |
107 | If this flag is set to | 107 | Sets the octal file creation mode mask |
108 | .Dq yes , | 108 | .Pq umask |
109 | @@ -1345,6 +1356,12 @@ Specifies whether the system should send TCP keepalive messages to the | 109 | @@ -1403,6 +1414,12 @@ Specifies whether the system should send TCP keepalive messages to the |
110 | other side. | 110 | other side. |
111 | If they are sent, death of the connection or crash of one | 111 | If they are sent, death of the connection or crash of one |
112 | of the machines will be properly noticed. | 112 | of the machines will be properly noticed. |
@@ -120,10 +120,10 @@ index 473971e..3172fd4 100644 | |||
120 | connections will die if the route is down temporarily, and some people | 120 | connections will die if the route is down temporarily, and some people |
121 | find it annoying. | 121 | find it annoying. |
122 | diff --git a/sshd_config.5 b/sshd_config.5 | 122 | diff --git a/sshd_config.5 b/sshd_config.5 |
123 | index ceed88a..2164d58 100644 | 123 | index c8b43da..2843048 100644 |
124 | --- a/sshd_config.5 | 124 | --- a/sshd_config.5 |
125 | +++ b/sshd_config.5 | 125 | +++ b/sshd_config.5 |
126 | @@ -1183,6 +1183,9 @@ This avoids infinitely hanging sessions. | 126 | @@ -1307,6 +1307,9 @@ This avoids infinitely hanging sessions. |
127 | .Pp | 127 | .Pp |
128 | To disable TCP keepalive messages, the value should be set to | 128 | To disable TCP keepalive messages, the value should be set to |
129 | .Dq no . | 129 | .Dq no . |
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch index 09e09ecf8..81b924e35 100644 --- a/debian/patches/lintian-symlink-pickiness.patch +++ b/debian/patches/lintian-symlink-pickiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From eb567100ef178f4395c95cc1f37b921e02c3dd5b Mon Sep 17 00:00:00 2001 | 1 | From 248d3bb8de371b55aaf3a8f544c15f3a25eb7339 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:08 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:08 +0000 |
4 | Subject: Fix picky lintian errors about slogin symlinks | 4 | Subject: Fix picky lintian errors about slogin symlinks |
@@ -15,10 +15,10 @@ Patch-Name: lintian-symlink-pickiness.patch | |||
15 | 1 file changed, 2 insertions(+), 2 deletions(-) | 15 | 1 file changed, 2 insertions(+), 2 deletions(-) |
16 | 16 | ||
17 | diff --git a/Makefile.in b/Makefile.in | 17 | diff --git a/Makefile.in b/Makefile.in |
18 | index feee0b2..7d192bb 100644 | 18 | index a4402e9..4eab574 100644 |
19 | --- a/Makefile.in | 19 | --- a/Makefile.in |
20 | +++ b/Makefile.in | 20 | +++ b/Makefile.in |
21 | @@ -293,9 +293,9 @@ install-files: | 21 | @@ -315,9 +315,9 @@ install-files: |
22 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 22 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
23 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 23 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
24 | -rm -f $(DESTDIR)$(bindir)/slogin | 24 | -rm -f $(DESTDIR)$(bindir)/slogin |
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch index e00b6c345..f90c7e2b1 100644 --- a/debian/patches/mention-ssh-keygen-on-keychange.patch +++ b/debian/patches/mention-ssh-keygen-on-keychange.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8ab8f1465980856291f215c7b7184a4456398fb4 Mon Sep 17 00:00:00 2001 | 1 | From 064453886f4c3d8ac0b0c8d015ad614c8bce3b42 Mon Sep 17 00:00:00 2001 |
2 | From: Scott Moser <smoser@ubuntu.com> | 2 | From: Scott Moser <smoser@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 |
4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning | 4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning |
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch | |||
13 | 1 file changed, 6 insertions(+), 1 deletion(-) | 13 | 1 file changed, 6 insertions(+), 1 deletion(-) |
14 | 14 | ||
15 | diff --git a/sshconnect.c b/sshconnect.c | 15 | diff --git a/sshconnect.c b/sshconnect.c |
16 | index 9e02837..e0a5db9 100644 | 16 | index 26116d2..ab83d0c 100644 |
17 | --- a/sshconnect.c | 17 | --- a/sshconnect.c |
18 | +++ b/sshconnect.c | 18 | +++ b/sshconnect.c |
19 | @@ -1065,9 +1065,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 19 | @@ -1066,9 +1066,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
20 | error("%s. This could either mean that", key_msg); | 20 | error("%s. This could either mean that", key_msg); |
21 | error("DNS SPOOFING is happening or the IP address for the host"); | 21 | error("DNS SPOOFING is happening or the IP address for the host"); |
22 | error("and its host key have changed at the same time."); | 22 | error("and its host key have changed at the same time."); |
@@ -30,7 +30,7 @@ index 9e02837..e0a5db9 100644 | |||
30 | } | 30 | } |
31 | /* The host key has changed. */ | 31 | /* The host key has changed. */ |
32 | warn_changed_key(host_key); | 32 | warn_changed_key(host_key); |
33 | @@ -1075,6 +1078,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 33 | @@ -1076,6 +1079,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
34 | user_hostfiles[0]); | 34 | user_hostfiles[0]); |
35 | error("Offending %s key in %s:%lu", key_type(host_found->key), | 35 | error("Offending %s key in %s:%lu", key_type(host_found->key), |
36 | host_found->file, host_found->line); | 36 | host_found->file, host_found->line); |
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch deleted file mode 100644 index 56fa46aac..000000000 --- a/debian/patches/no-openssl-version-check.patch +++ /dev/null | |||
@@ -1,41 +0,0 @@ | |||
1 | From 20690ea4b33e8ff81fea287492270df3a7029777 Mon Sep 17 00:00:00 2001 | ||
2 | From: Philip Hands <phil@hands.com> | ||
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | ||
4 | Subject: Disable OpenSSL version check | ||
5 | |||
6 | OpenSSL's SONAME is sufficient nowadays. | ||
7 | |||
8 | Author: Colin Watson <cjwatson@debian.org> | ||
9 | Bug-Debian: http://bugs.debian.org/93581 | ||
10 | Bug-Debian: http://bugs.debian.org/664383 | ||
11 | Forwarded: not-needed | ||
12 | Last-Update: 2013-12-23 | ||
13 | |||
14 | Patch-Name: no-openssl-version-check.patch | ||
15 | --- | ||
16 | entropy.c | 12 ------------ | ||
17 | 1 file changed, 12 deletions(-) | ||
18 | |||
19 | diff --git a/entropy.c b/entropy.c | ||
20 | index 2d483b3..2aee2d9 100644 | ||
21 | --- a/entropy.c | ||
22 | +++ b/entropy.c | ||
23 | @@ -209,18 +209,6 @@ seed_rng(void) | ||
24 | #ifndef OPENSSL_PRNG_ONLY | ||
25 | unsigned char buf[RANDOM_SEED_SIZE]; | ||
26 | #endif | ||
27 | - /* | ||
28 | - * OpenSSL version numbers: MNNFFPPS: major minor fix patch status | ||
29 | - * We match major, minor, fix and status (not patch) for <1.0.0. | ||
30 | - * After that, we acceptable compatible fix versions (so we | ||
31 | - * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed | ||
32 | - * within a patch series. | ||
33 | - */ | ||
34 | - u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L; | ||
35 | - if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) || | ||
36 | - (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12)) | ||
37 | - fatal("OpenSSL version mismatch. Built against %lx, you " | ||
38 | - "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); | ||
39 | |||
40 | #ifndef OPENSSL_PRNG_ONLY | ||
41 | if (RAND_status() == 1) { | ||
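Review bot: dropping this patch changes runtime behaviour, not just where the check lives. It removed the whole version comparison from `seed_rng()` (the `fatal("OpenSSL version mismatch ...")` path), whereas the replacement no-openssl-version-status.patch added in this commit keeps upstream's `ssh_compatible_openssl()` major/minor and fix-version check and only relaxes the status nibble. A libssl whose major/minor differs from the build headers will therefore fatal again on Debian; the changelog entry should state that explicitly rather than presenting this as a rename of the patch.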
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch new file mode 100644 index 000000000..dfcef83b0 --- /dev/null +++ b/debian/patches/no-openssl-version-status.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From 37fd625165d0df302e441d9cad9bcc742378eef5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Kurt Roeckx <kurt@roeckx.be> | ||
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | ||
4 | Subject: Don't check the status field of the OpenSSL version | ||
5 | |||
6 | There is no reason to check the version of OpenSSL (in Debian). If it's | ||
7 | not compatible the soname will change. OpenSSH seems to want to do a | ||
8 | check for the soname based on the version number, but wants to keep the | ||
9 | status of the release the same. Remove that check on the status since | ||
10 | it doesn't tell you anything about how compatible that version is. | ||
11 | |||
12 | Author: Colin Watson <cjwatson@debian.org> | ||
13 | Bug-Debian: https://bugs.debian.org/93581 | ||
14 | Bug-Debian: https://bugs.debian.org/664383 | ||
15 | Bug-Debian: https://bugs.debian.org/732940 | ||
16 | Forwarded: not-needed | ||
17 | Last-Update: 2014-10-07 | ||
18 | |||
19 | Patch-Name: no-openssl-version-status.patch | ||
20 | --- | ||
21 | openbsd-compat/openssl-compat.c | 6 +++--- | ||
22 | openbsd-compat/regress/opensslvertest.c | 1 + | ||
23 | 2 files changed, 4 insertions(+), 3 deletions(-) | ||
24 | |||
25 | diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c | ||
26 | index 36570e4..defd5fb 100644 | ||
27 | --- a/openbsd-compat/openssl-compat.c | ||
28 | +++ b/openbsd-compat/openssl-compat.c | ||
29 | @@ -34,7 +34,7 @@ | ||
30 | /* | ||
31 | * OpenSSL version numbers: MNNFFPPS: major minor fix patch status | ||
32 | * We match major, minor, fix and status (not patch) for <1.0.0. | ||
33 | - * After that, we acceptable compatible fix versions (so we | ||
34 | + * After that, we accept compatible fix and status versions (so we | ||
35 | * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed | ||
36 | * within a patch series. | ||
37 | */ | ||
38 | @@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver) | ||
39 | } | ||
40 | |||
41 | /* | ||
42 | - * For versions >= 1.0.0, major,minor,status must match and library | ||
43 | + * For versions >= 1.0.0, major,minor must match and library | ||
44 | * fix version must be equal to or newer than the header. | ||
45 | */ | ||
46 | - mask = 0xfff0000fL; /* major,minor,status */ | ||
47 | + mask = 0xfff00000L; /* major,minor */ | ||
48 | hfix = (headerver & 0x000ff000) >> 12; | ||
49 | lfix = (libver & 0x000ff000) >> 12; | ||
50 | if ( (headerver & mask) == (libver & mask) && lfix >= hfix) | ||
51 | diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c | ||
52 | index 5d019b5..5847487 100644 | ||
53 | --- a/openbsd-compat/regress/opensslvertest.c | ||
54 | +++ b/openbsd-compat/regress/opensslvertest.c | ||
55 | @@ -35,6 +35,7 @@ struct version_test { | ||
56 | |||
57 | /* built with 1.0.1b release headers */ | ||
58 | { 0x1000101fL, 0x1000101fL, 1},/* exact match */ | ||
59 | + { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */ | ||
60 | { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */ | ||
61 | { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ | ||
62 | { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ | ||
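Review bot: the description ("There is no reason to check the version of OpenSSL (in Debian) ... Remove that check on the status") overstates what the hunks do. The mask change `0xfff0000fL` -> `0xfff00000L` only stops comparing the status nibble for versions >= 1.0.0; the major/minor equality and `lfix >= hfix` checks stay, and the `< 1.0.0` branch described by the comment at line 32 ("We match major, minor, fix and status") is untouched, so a pre-1.0.0 library with a different status still fails. Either extend the change to that branch or narrow the description to ">= 1.0.0". The added regress entry `{ 0x1000101fL, 0x10001010L, 1}` exercises the relaxed case only in one direction (release headers, development-status library); a second entry with the header and library statuses swapped would make the test cover both.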
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index 9a34a4182..37ad675d4 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ec9bfd62211fdf5a3004ef2045c2eb3baccfd375 Mon Sep 17 00:00:00 2001 | 1 | From 0b9407d3023938b02bccf7dd1874a871d0cc8eb5 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 |
4 | Subject: Adjust various OpenBSD-specific references in manual pages | 4 | Subject: Adjust various OpenBSD-specific references in manual pages |
@@ -10,7 +10,7 @@ No single bug reference for this patch, but history includes: | |||
10 | https://bugs.launchpad.net/bugs/456660 (ssl(8)) | 10 | https://bugs.launchpad.net/bugs/456660 (ssl(8)) |
11 | 11 | ||
12 | Forwarded: not-needed | 12 | Forwarded: not-needed |
13 | Last-Update: 2013-09-14 | 13 | Last-Update: 2014-10-07 |
14 | 14 | ||
15 | Patch-Name: openbsd-docs.patch | 15 | Patch-Name: openbsd-docs.patch |
16 | --- | 16 | --- |
@@ -44,7 +44,7 @@ index ef0de08..149846c 100644 | |||
44 | .Sh SEE ALSO | 44 | .Sh SEE ALSO |
45 | .Xr ssh-keygen 1 , | 45 | .Xr ssh-keygen 1 , |
46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 | 46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 |
47 | index 12e00d4..a71de74 100644 | 47 | index 723a016..79b948c 100644 |
48 | --- a/ssh-keygen.1 | 48 | --- a/ssh-keygen.1 |
49 | +++ b/ssh-keygen.1 | 49 | +++ b/ssh-keygen.1 |
50 | @@ -172,9 +172,7 @@ key in | 50 | @@ -172,9 +172,7 @@ key in |
@@ -88,10 +88,10 @@ index 12e00d4..a71de74 100644 | |||
88 | The file format is described in | 88 | The file format is described in |
89 | .Xr moduli 5 . | 89 | .Xr moduli 5 . |
90 | diff --git a/ssh.1 b/ssh.1 | 90 | diff --git a/ssh.1 b/ssh.1 |
91 | index ff5e6ac..67b4f44 100644 | 91 | index 7f6ab77..de178cd 100644 |
92 | --- a/ssh.1 | 92 | --- a/ssh.1 |
93 | +++ b/ssh.1 | 93 | +++ b/ssh.1 |
94 | @@ -763,6 +763,10 @@ Protocol 1 is restricted to using only RSA keys, | 94 | @@ -753,6 +753,10 @@ Protocol 1 is restricted to using only RSA keys, |
95 | but protocol 2 may use any. | 95 | but protocol 2 may use any. |
96 | The HISTORY section of | 96 | The HISTORY section of |
97 | .Xr ssl 8 | 97 | .Xr ssl 8 |
@@ -103,10 +103,10 @@ index ff5e6ac..67b4f44 100644 | |||
103 | .Pp | 103 | .Pp |
104 | The file | 104 | The file |
105 | diff --git a/sshd.8 b/sshd.8 | 105 | diff --git a/sshd.8 b/sshd.8 |
106 | index e6a900b..b016e90 100644 | 106 | index eaeac45..3538208 100644 |
107 | --- a/sshd.8 | 107 | --- a/sshd.8 |
108 | +++ b/sshd.8 | 108 | +++ b/sshd.8 |
109 | @@ -70,7 +70,7 @@ over an insecure network. | 109 | @@ -67,7 +67,7 @@ over an insecure network. |
110 | .Nm | 110 | .Nm |
111 | listens for connections from clients. | 111 | listens for connections from clients. |
112 | It is normally started at boot from | 112 | It is normally started at boot from |
@@ -133,14 +133,14 @@ index e6a900b..b016e90 100644 | |||
133 | .Xr sshd_config 5 , | 133 | .Xr sshd_config 5 , |
134 | .Xr inetd 8 , | 134 | .Xr inetd 8 , |
135 | diff --git a/sshd_config.5 b/sshd_config.5 | 135 | diff --git a/sshd_config.5 b/sshd_config.5 |
136 | index 8f078f6..908e0bb 100644 | 136 | index 58997d3..7396b23 100644 |
137 | --- a/sshd_config.5 | 137 | --- a/sshd_config.5 |
138 | +++ b/sshd_config.5 | 138 | +++ b/sshd_config.5 |
139 | @@ -283,8 +283,7 @@ This option is only available for protocol version 2. | 139 | @@ -303,8 +303,7 @@ This option is only available for protocol version 2. |
140 | By default, no banner is displayed. | 140 | By default, no banner is displayed. |
141 | .It Cm ChallengeResponseAuthentication | 141 | .It Cm ChallengeResponseAuthentication |
142 | Specifies whether challenge-response authentication is allowed (e.g. via | 142 | Specifies whether challenge-response authentication is allowed (e.g. via |
143 | -PAM or though authentication styles supported in | 143 | -PAM or through authentication styles supported in |
144 | -.Xr login.conf 5 ) | 144 | -.Xr login.conf 5 ) |
145 | +PAM). | 145 | +PAM). |
146 | The default is | 146 | The default is |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index c9c20d1c0..07a28af9a 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6de70b95f5005447ae23532d4f3ee41a9338479f Mon Sep 17 00:00:00 2001 | 1 | From 8679c96f74ee7dbea6c15c764b036fbab7372740 Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 |
4 | Subject: Include the Debian version in our identification | 4 | Subject: Include the Debian version in our identification |
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch | |||
19 | 3 files changed, 9 insertions(+), 4 deletions(-) | 19 | 3 files changed, 9 insertions(+), 4 deletions(-) |
20 | 20 | ||
21 | diff --git a/sshconnect.c b/sshconnect.c | 21 | diff --git a/sshconnect.c b/sshconnect.c |
22 | index e0a5db9..87c3770 100644 | 22 | index ab83d0c..563405e 100644 |
23 | --- a/sshconnect.c | 23 | --- a/sshconnect.c |
24 | +++ b/sshconnect.c | 24 | +++ b/sshconnect.c |
25 | @@ -520,10 +520,10 @@ send_client_banner(int connection_out, int minor1) | 25 | @@ -521,10 +521,10 @@ send_client_banner(int connection_out, int minor1) |
26 | /* Send our own protocol version identification. */ | 26 | /* Send our own protocol version identification. */ |
27 | if (compat20) { | 27 | if (compat20) { |
28 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", | 28 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", |
@@ -36,10 +36,10 @@ index e0a5db9..87c3770 100644 | |||
36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, | 36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, |
37 | strlen(client_version_string)) != strlen(client_version_string)) | 37 | strlen(client_version_string)) != strlen(client_version_string)) |
38 | diff --git a/sshd.c b/sshd.c | 38 | diff --git a/sshd.c b/sshd.c |
39 | index e343d90..af9b8f1 100644 | 39 | index 48a14dd..1710e71 100644 |
40 | --- a/sshd.c | 40 | --- a/sshd.c |
41 | +++ b/sshd.c | 41 | +++ b/sshd.c |
42 | @@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out) | 42 | @@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out) |
43 | } | 43 | } |
44 | 44 | ||
45 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 45 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
@@ -49,11 +49,11 @@ index e343d90..af9b8f1 100644 | |||
49 | options.version_addendum, newline); | 49 | options.version_addendum, newline); |
50 | 50 | ||
51 | diff --git a/version.h b/version.h | 51 | diff --git a/version.h b/version.h |
52 | index a1579ac..a97c337 100644 | 52 | index cc8a079..0fee7c3 100644 |
53 | --- a/version.h | 53 | --- a/version.h |
54 | +++ b/version.h | 54 | +++ b/version.h |
55 | @@ -3,4 +3,9 @@ | 55 | @@ -3,4 +3,9 @@ |
56 | #define SSH_VERSION "OpenSSH_6.6" | 56 | #define SSH_VERSION "OpenSSH_6.7" |
57 | 57 | ||
58 | #define SSH_PORTABLE "p1" | 58 | #define SSH_PORTABLE "p1" |
59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch index 075b59823..6d9a2f9c0 100644 --- a/debian/patches/quieter-signals.patch +++ b/debian/patches/quieter-signals.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9875e47079abff55f8d2c1e958e9d50de6eae7ec Mon Sep 17 00:00:00 2001 | 1 | From dc028c5992b4b14cca380b6ad2115fcc6907a8b7 Mon Sep 17 00:00:00 2001 |
2 | From: Peter Samuelson <peter@p12n.org> | 2 | From: Peter Samuelson <peter@p12n.org> |
3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 |
4 | Subject: Reduce severity of "Killed by signal %d" | 4 | Subject: Reduce severity of "Killed by signal %d" |
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch | |||
22 | 1 file changed, 4 insertions(+), 2 deletions(-) | 22 | 1 file changed, 4 insertions(+), 2 deletions(-) |
23 | 23 | ||
24 | diff --git a/clientloop.c b/clientloop.c | 24 | diff --git a/clientloop.c b/clientloop.c |
25 | index 73a800c..4bc5b57 100644 | 25 | index 046ca8b..0180774 100644 |
26 | --- a/clientloop.c | 26 | --- a/clientloop.c |
27 | +++ b/clientloop.c | 27 | +++ b/clientloop.c |
28 | @@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 28 | @@ -1705,8 +1705,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
29 | exit_status = 0; | 29 | exit_status = 0; |
30 | } | 30 | } |
31 | 31 | ||
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch new file mode 100644 index 000000000..c590f52ce --- /dev/null +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -0,0 +1,172 @@ | |||
1 | From b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Watson <cjwatson@debian.org> | ||
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | ||
4 | Subject: Restore TCP wrappers support | ||
5 | |||
6 | Support for TCP wrappers was dropped in OpenSSH 6.7. See this message | ||
7 | and thread: | ||
8 | |||
9 | https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html | ||
10 | |||
11 | It is true that this reduces preauth attack surface in sshd. On the | ||
12 | other hand, this support seems to be quite widely used, and abruptly | ||
13 | dropping it (from the perspective of users who don't read | ||
14 | openssh-unix-dev) could easily cause more serious problems in practice. | ||
15 | |||
16 | It's not entirely clear what the right long-term answer for Debian is, | ||
17 | but it at least probably doesn't involve dropping this feature shortly | ||
18 | before a freeze. | ||
19 | |||
20 | Forwarded: not-needed | ||
21 | Last-Update: 2014-10-07 | ||
22 | |||
23 | Patch-Name: restore-tcp-wrappers.patch | ||
24 | --- | ||
25 | configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
26 | sshd.8 | 7 +++++++ | ||
27 | sshd.c | 25 +++++++++++++++++++++++++ | ||
28 | 3 files changed, 89 insertions(+) | ||
29 | |||
30 | diff --git a/configure.ac b/configure.ac | ||
31 | index 90e81e1..7f160f1 100644 | ||
32 | --- a/configure.ac | ||
33 | +++ b/configure.ac | ||
34 | @@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey], | ||
35 | ] | ||
36 | ) | ||
37 | |||
38 | +# Check whether user wants TCP wrappers support | ||
39 | +TCPW_MSG="no" | ||
40 | +AC_ARG_WITH([tcp-wrappers], | ||
41 | + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], | ||
42 | + [ | ||
43 | + if test "x$withval" != "xno" ; then | ||
44 | + saved_LIBS="$LIBS" | ||
45 | + saved_LDFLAGS="$LDFLAGS" | ||
46 | + saved_CPPFLAGS="$CPPFLAGS" | ||
47 | + if test -n "${withval}" && \ | ||
48 | + test "x${withval}" != "xyes"; then | ||
49 | + if test -d "${withval}/lib"; then | ||
50 | + if test -n "${need_dash_r}"; then | ||
51 | + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" | ||
52 | + else | ||
53 | + LDFLAGS="-L${withval}/lib ${LDFLAGS}" | ||
54 | + fi | ||
55 | + else | ||
56 | + if test -n "${need_dash_r}"; then | ||
57 | + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" | ||
58 | + else | ||
59 | + LDFLAGS="-L${withval} ${LDFLAGS}" | ||
60 | + fi | ||
61 | + fi | ||
62 | + if test -d "${withval}/include"; then | ||
63 | + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" | ||
64 | + else | ||
65 | + CPPFLAGS="-I${withval} ${CPPFLAGS}" | ||
66 | + fi | ||
67 | + fi | ||
68 | + LIBS="-lwrap $LIBS" | ||
69 | + AC_MSG_CHECKING([for libwrap]) | ||
70 | + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ | ||
71 | +#include <sys/types.h> | ||
72 | +#include <sys/socket.h> | ||
73 | +#include <netinet/in.h> | ||
74 | +#include <tcpd.h> | ||
75 | +int deny_severity = 0, allow_severity = 0; | ||
76 | + ]], [[ | ||
77 | + hosts_access(0); | ||
78 | + ]])], [ | ||
79 | + AC_MSG_RESULT([yes]) | ||
80 | + AC_DEFINE([LIBWRAP], [1], | ||
81 | + [Define if you want | ||
82 | + TCP Wrappers support]) | ||
83 | + SSHDLIBS="$SSHDLIBS -lwrap" | ||
84 | + TCPW_MSG="yes" | ||
85 | + ], [ | ||
86 | + AC_MSG_ERROR([*** libwrap missing]) | ||
87 | + | ||
88 | + ]) | ||
89 | + LIBS="$saved_LIBS" | ||
90 | + fi | ||
91 | + ] | ||
92 | +) | ||
93 | + | ||
94 | # Check whether user wants to use ldns | ||
95 | LDNS_MSG="no" | ||
96 | AC_ARG_WITH(ldns, | ||
97 | @@ -4853,6 +4909,7 @@ echo " KerberosV support: $KRB5_MSG" | ||
98 | echo " SELinux support: $SELINUX_MSG" | ||
99 | echo " Smartcard support: $SCARD_MSG" | ||
100 | echo " S/KEY support: $SKEY_MSG" | ||
101 | +echo " TCP Wrappers support: $TCPW_MSG" | ||
102 | echo " MD5 password support: $MD5_MSG" | ||
103 | echo " libedit support: $LIBEDIT_MSG" | ||
104 | echo " Solaris process contract support: $SPC_MSG" | ||
105 | diff --git a/sshd.8 b/sshd.8 | ||
106 | index 01459d6..eaeac45 100644 | ||
107 | --- a/sshd.8 | ||
108 | +++ b/sshd.8 | ||
109 | @@ -851,6 +851,12 @@ the user's home directory becomes accessible. | ||
110 | This file should be writable only by the user, and need not be | ||
111 | readable by anyone else. | ||
112 | .Pp | ||
113 | +.It Pa /etc/hosts.allow | ||
114 | +.It Pa /etc/hosts.deny | ||
115 | +Access controls that should be enforced by tcp-wrappers are defined here. | ||
116 | +Further details are described in | ||
117 | +.Xr hosts_access 5 . | ||
118 | +.Pp | ||
119 | .It Pa /etc/hosts.equiv | ||
120 | This file is for host-based authentication (see | ||
121 | .Xr ssh 1 ) . | ||
122 | @@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable. | ||
123 | .Xr ssh-keygen 1 , | ||
124 | .Xr ssh-keyscan 1 , | ||
125 | .Xr chroot 2 , | ||
126 | +.Xr hosts_access 5 , | ||
127 | .Xr login.conf 5 , | ||
128 | .Xr moduli 5 , | ||
129 | .Xr sshd_config 5 , | ||
130 | diff --git a/sshd.c b/sshd.c | ||
131 | index e6706a8..3a6be65 100644 | ||
132 | --- a/sshd.c | ||
133 | +++ b/sshd.c | ||
134 | @@ -127,6 +127,13 @@ | ||
135 | #include <Security/AuthSession.h> | ||
136 | #endif | ||
137 | |||
138 | +#ifdef LIBWRAP | ||
139 | +#include <tcpd.h> | ||
140 | +#include <syslog.h> | ||
141 | +int allow_severity; | ||
142 | +int deny_severity; | ||
143 | +#endif /* LIBWRAP */ | ||
144 | + | ||
145 | #ifndef O_NOCTTY | ||
146 | #define O_NOCTTY 0 | ||
147 | #endif | ||
148 | @@ -2061,6 +2068,24 @@ main(int ac, char **av) | ||
149 | #ifdef SSH_AUDIT_EVENTS | ||
150 | audit_connection_from(remote_ip, remote_port); | ||
151 | #endif | ||
152 | +#ifdef LIBWRAP | ||
153 | + allow_severity = options.log_facility|LOG_INFO; | ||
154 | + deny_severity = options.log_facility|LOG_WARNING; | ||
155 | + /* Check whether logins are denied from this host. */ | ||
156 | + if (packet_connection_is_on_socket()) { | ||
157 | + struct request_info req; | ||
158 | + | ||
159 | + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); | ||
160 | + fromhost(&req); | ||
161 | + | ||
162 | + if (!hosts_access(&req)) { | ||
163 | + debug("Connection refused by tcp wrapper"); | ||
164 | + refuse(&req); | ||
165 | + /* NOTREACHED */ | ||
166 | + fatal("libwrap refuse returns"); | ||
167 | + } | ||
168 | + } | ||
169 | +#endif /* LIBWRAP */ | ||
170 | |||
171 | /* Log the connection. */ | ||
172 | verbose("Connection from %s port %d on %s port %d", | ||
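Review bot: in the sshd.c hunk the libwrap check (`request_init` / `fromhost` / `hosts_access`, lines 159-162 of the new patch) runs in the still-root, pre-privsep sshd process before "Log the connection", and `fromhost()` performs a reverse DNS lookup while `hosts_access()` parses /etc/hosts.allow and /etc/hosts.deny there; that is precisely the preauth attack surface the linked openssh-unix-dev thread cites and the patch description concedes, so the description should say plainly that Debian is accepting that surface for compatibility and that the check is deliberately limited to `packet_connection_is_on_socket()` connections. Two smaller points in the same patch: in the configure.ac hunk `saved_LDFLAGS` and `saved_CPPFLAGS` (lines 45-46) are assigned but never restored, only `LIBS="$saved_LIBS"` is, so either restore them alongside LIBS or drop the two dead assignments; and a refused connection is recorded in sshd's own log only at `debug()` level (line 163), so operators will see refusals only through libwrap's syslog at `deny_severity`, which is worth stating in the sshd.8 addition or raising to `verbose()` to match the "Connection from" line that follows.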
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index ff037a43a..ee006da93 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8ab204ee192e655d5a8f4d599adb3d99eeabedc6 Mon Sep 17 00:00:00 2001 | 1 | From fd174c13c46191abdb33c0a45545573a8e06b061 Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | 2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 |
4 | Subject: Adjust scp quoting in verbose mode | 4 | Subject: Adjust scp quoting in verbose mode |
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch | |||
17 | 1 file changed, 10 insertions(+), 2 deletions(-) | 17 | 1 file changed, 10 insertions(+), 2 deletions(-) |
18 | 18 | ||
19 | diff --git a/scp.c b/scp.c | 19 | diff --git a/scp.c b/scp.c |
20 | index 18d3b1d..0669d02 100644 | 20 | index 1ec3b70..a1b318b 100644 |
21 | --- a/scp.c | 21 | --- a/scp.c |
22 | +++ b/scp.c | 22 | +++ b/scp.c |
23 | @@ -189,8 +189,16 @@ do_local_cmd(arglist *a) | 23 | @@ -189,8 +189,16 @@ do_local_cmd(arglist *a) |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index e0ca12fb0..1fa0bf928 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ae32d626ed3d15cfd7f432358b63c005961921df Mon Sep 17 00:00:00 2001 | 1 | From c9638aa44d787849cea1ae273f0908c6313fd19b Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch | |||
32 | 16 files changed, 104 insertions(+), 31 deletions(-) | 32 | 16 files changed, 104 insertions(+), 31 deletions(-) |
33 | 33 | ||
34 | diff --git a/auth.h b/auth.h | 34 | diff --git a/auth.h b/auth.h |
35 | index 124e597..79e4ea5 100644 | 35 | index d081c94..f099e98 100644 |
36 | --- a/auth.h | 36 | --- a/auth.h |
37 | +++ b/auth.h | 37 | +++ b/auth.h |
38 | @@ -59,6 +59,7 @@ struct Authctxt { | 38 | @@ -59,6 +59,7 @@ struct Authctxt { |
@@ -44,10 +44,10 @@ index 124e597..79e4ea5 100644 | |||
44 | char *info; /* Extra info for next auth_log */ | 44 | char *info; /* Extra info for next auth_log */ |
45 | #ifdef BSD_AUTH | 45 | #ifdef BSD_AUTH |
46 | diff --git a/auth1.c b/auth1.c | 46 | diff --git a/auth1.c b/auth1.c |
47 | index 0f870b3..c707390 100644 | 47 | index 5038828..52b17db 100644 |
48 | --- a/auth1.c | 48 | --- a/auth1.c |
49 | +++ b/auth1.c | 49 | +++ b/auth1.c |
50 | @@ -380,7 +380,7 @@ void | 50 | @@ -381,7 +381,7 @@ void |
51 | do_authentication(Authctxt *authctxt) | 51 | do_authentication(Authctxt *authctxt) |
52 | { | 52 | { |
53 | u_int ulen; | 53 | u_int ulen; |
@@ -56,7 +56,7 @@ index 0f870b3..c707390 100644 | |||
56 | 56 | ||
57 | /* Get the name of the user that we wish to log in as. */ | 57 | /* Get the name of the user that we wish to log in as. */ |
58 | packet_read_expect(SSH_CMSG_USER); | 58 | packet_read_expect(SSH_CMSG_USER); |
59 | @@ -389,11 +389,17 @@ do_authentication(Authctxt *authctxt) | 59 | @@ -390,11 +390,17 @@ do_authentication(Authctxt *authctxt) |
60 | user = packet_get_cstring(&ulen); | 60 | user = packet_get_cstring(&ulen); |
61 | packet_check_eom(); | 61 | packet_check_eom(); |
62 | 62 | ||
@@ -75,10 +75,10 @@ index 0f870b3..c707390 100644 | |||
75 | /* Verify that the user is a valid user. */ | 75 | /* Verify that the user is a valid user. */ |
76 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) | 76 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |
77 | diff --git a/auth2.c b/auth2.c | 77 | diff --git a/auth2.c b/auth2.c |
78 | index fbe3e1b..70f2925 100644 | 78 | index 2f0d565..fa1a588 100644 |
79 | --- a/auth2.c | 79 | --- a/auth2.c |
80 | +++ b/auth2.c | 80 | +++ b/auth2.c |
81 | @@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 81 | @@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
82 | { | 82 | { |
83 | Authctxt *authctxt = ctxt; | 83 | Authctxt *authctxt = ctxt; |
84 | Authmethod *m = NULL; | 84 | Authmethod *m = NULL; |
@@ -87,7 +87,7 @@ index fbe3e1b..70f2925 100644 | |||
87 | int authenticated = 0; | 87 | int authenticated = 0; |
88 | 88 | ||
89 | if (authctxt == NULL) | 89 | if (authctxt == NULL) |
90 | @@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 90 | @@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
91 | debug("userauth-request for user %s service %s method %s", user, service, method); | 91 | debug("userauth-request for user %s service %s method %s", user, service, method); |
92 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 92 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
93 | 93 | ||
@@ -101,7 +101,7 @@ index fbe3e1b..70f2925 100644 | |||
101 | 101 | ||
102 | if (authctxt->attempt++ == 0) { | 102 | if (authctxt->attempt++ == 0) { |
103 | /* setup auth context */ | 103 | /* setup auth context */ |
104 | @@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 104 | @@ -254,8 +259,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
105 | use_privsep ? " [net]" : ""); | 105 | use_privsep ? " [net]" : ""); |
106 | authctxt->service = xstrdup(service); | 106 | authctxt->service = xstrdup(service); |
107 | authctxt->style = style ? xstrdup(style) : NULL; | 107 | authctxt->style = style ? xstrdup(style) : NULL; |
@@ -113,10 +113,10 @@ index fbe3e1b..70f2925 100644 | |||
113 | if (auth2_setup_methods_lists(authctxt) != 0) | 113 | if (auth2_setup_methods_lists(authctxt) != 0) |
114 | packet_disconnect("no authentication methods enabled"); | 114 | packet_disconnect("no authentication methods enabled"); |
115 | diff --git a/monitor.c b/monitor.c | 115 | diff --git a/monitor.c b/monitor.c |
116 | index 2918814..11eac63 100644 | 116 | index b0896ef..94b194d 100644 |
117 | --- a/monitor.c | 117 | --- a/monitor.c |
118 | +++ b/monitor.c | 118 | +++ b/monitor.c |
119 | @@ -145,6 +145,7 @@ int mm_answer_sign(int, Buffer *); | 119 | @@ -148,6 +148,7 @@ int mm_answer_sign(int, Buffer *); |
120 | int mm_answer_pwnamallow(int, Buffer *); | 120 | int mm_answer_pwnamallow(int, Buffer *); |
121 | int mm_answer_auth2_read_banner(int, Buffer *); | 121 | int mm_answer_auth2_read_banner(int, Buffer *); |
122 | int mm_answer_authserv(int, Buffer *); | 122 | int mm_answer_authserv(int, Buffer *); |
@@ -124,7 +124,7 @@ index 2918814..11eac63 100644 | |||
124 | int mm_answer_authpassword(int, Buffer *); | 124 | int mm_answer_authpassword(int, Buffer *); |
125 | int mm_answer_bsdauthquery(int, Buffer *); | 125 | int mm_answer_bsdauthquery(int, Buffer *); |
126 | int mm_answer_bsdauthrespond(int, Buffer *); | 126 | int mm_answer_bsdauthrespond(int, Buffer *); |
127 | @@ -221,6 +222,7 @@ struct mon_table mon_dispatch_proto20[] = { | 127 | @@ -229,6 +230,7 @@ struct mon_table mon_dispatch_proto20[] = { |
128 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 128 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
129 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 129 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
130 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 130 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -132,7 +132,7 @@ index 2918814..11eac63 100644 | |||
132 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 132 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
133 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 133 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
134 | #ifdef USE_PAM | 134 | #ifdef USE_PAM |
135 | @@ -822,6 +824,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) | 135 | @@ -841,6 +843,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) |
136 | else { | 136 | else { |
137 | /* Allow service/style information on the auth context */ | 137 | /* Allow service/style information on the auth context */ |
138 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 138 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
@@ -140,7 +140,7 @@ index 2918814..11eac63 100644 | |||
140 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 140 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
141 | } | 141 | } |
142 | #ifdef USE_PAM | 142 | #ifdef USE_PAM |
143 | @@ -852,14 +855,37 @@ mm_answer_authserv(int sock, Buffer *m) | 143 | @@ -871,14 +874,37 @@ mm_answer_authserv(int sock, Buffer *m) |
144 | 144 | ||
145 | authctxt->service = buffer_get_string(m, NULL); | 145 | authctxt->service = buffer_get_string(m, NULL); |
146 | authctxt->style = buffer_get_string(m, NULL); | 146 | authctxt->style = buffer_get_string(m, NULL); |
@@ -180,7 +180,7 @@ index 2918814..11eac63 100644 | |||
180 | return (0); | 180 | return (0); |
181 | } | 181 | } |
182 | 182 | ||
183 | @@ -1464,7 +1490,7 @@ mm_answer_pty(int sock, Buffer *m) | 183 | @@ -1485,7 +1511,7 @@ mm_answer_pty(int sock, Buffer *m) |
184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
185 | if (res == 0) | 185 | if (res == 0) |
186 | goto error; | 186 | goto error; |
@@ -203,10 +203,10 @@ index 7f32b0c..4d5e8fa 100644 | |||
203 | 203 | ||
204 | struct mm_master; | 204 | struct mm_master; |
205 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 205 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
206 | index 60b987d..f75dc9d 100644 | 206 | index e476f0d..6dc890a 100644 |
207 | --- a/monitor_wrap.c | 207 | --- a/monitor_wrap.c |
208 | +++ b/monitor_wrap.c | 208 | +++ b/monitor_wrap.c |
209 | @@ -318,10 +318,10 @@ mm_auth2_read_banner(void) | 209 | @@ -324,10 +324,10 @@ mm_auth2_read_banner(void) |
210 | return (banner); | 210 | return (banner); |
211 | } | 211 | } |
212 | 212 | ||
@@ -219,7 +219,7 @@ index 60b987d..f75dc9d 100644 | |||
219 | { | 219 | { |
220 | Buffer m; | 220 | Buffer m; |
221 | 221 | ||
222 | @@ -330,12 +330,30 @@ mm_inform_authserv(char *service, char *style) | 222 | @@ -336,12 +336,30 @@ mm_inform_authserv(char *service, char *style) |
223 | buffer_init(&m); | 223 | buffer_init(&m); |
224 | buffer_put_cstring(&m, service); | 224 | buffer_put_cstring(&m, service); |
225 | buffer_put_cstring(&m, style ? style : ""); | 225 | buffer_put_cstring(&m, style ? style : ""); |
@@ -361,10 +361,10 @@ index e3d1004..80ce13a 100644 | |||
361 | void ssh_selinux_setfscreatecon(const char *); | 361 | void ssh_selinux_setfscreatecon(const char *); |
362 | #endif | 362 | #endif |
363 | diff --git a/platform.c b/platform.c | 363 | diff --git a/platform.c b/platform.c |
364 | index 30fc609..4aab9a9 100644 | 364 | index ee313da..f35ec39 100644 |
365 | --- a/platform.c | 365 | --- a/platform.c |
366 | +++ b/platform.c | 366 | +++ b/platform.c |
367 | @@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw) | 367 | @@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) |
368 | * called if sshd is running as root. | 368 | * called if sshd is running as root. |
369 | */ | 369 | */ |
370 | void | 370 | void |
@@ -373,7 +373,7 @@ index 30fc609..4aab9a9 100644 | |||
373 | { | 373 | { |
374 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | 374 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) |
375 | /* | 375 | /* |
376 | @@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) | 376 | @@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw) |
377 | } | 377 | } |
378 | #endif /* HAVE_SETPCRED */ | 378 | #endif /* HAVE_SETPCRED */ |
379 | #ifdef WITH_SELINUX | 379 | #ifdef WITH_SELINUX |
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644 | |||
396 | char *platform_krb5_get_principal_name(const char *); | 396 | char *platform_krb5_get_principal_name(const char *); |
397 | int platform_sys_dir_uid(uid_t); | 397 | int platform_sys_dir_uid(uid_t); |
398 | diff --git a/session.c b/session.c | 398 | diff --git a/session.c b/session.c |
399 | index 2bcf818..6848df4 100644 | 399 | index 3e96557..6f389ac 100644 |
400 | --- a/session.c | 400 | --- a/session.c |
401 | +++ b/session.c | 401 | +++ b/session.c |
402 | @@ -1502,7 +1502,7 @@ safely_chroot(const char *path, uid_t uid) | 402 | @@ -1486,7 +1486,7 @@ safely_chroot(const char *path, uid_t uid) |
403 | 403 | ||
404 | /* Set login name, uid, gid, and groups. */ | 404 | /* Set login name, uid, gid, and groups. */ |
405 | void | 405 | void |
@@ -407,8 +407,8 @@ index 2bcf818..6848df4 100644 | |||
407 | +do_setusercontext(struct passwd *pw, const char *role) | 407 | +do_setusercontext(struct passwd *pw, const char *role) |
408 | { | 408 | { |
409 | char *chroot_path, *tmp; | 409 | char *chroot_path, *tmp; |
410 | 410 | #ifdef USE_LIBIAF | |
411 | @@ -1530,7 +1530,7 @@ do_setusercontext(struct passwd *pw) | 411 | @@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw) |
412 | endgrent(); | 412 | endgrent(); |
413 | #endif | 413 | #endif |
414 | 414 | ||
@@ -417,7 +417,7 @@ index 2bcf818..6848df4 100644 | |||
417 | 417 | ||
418 | if (options.chroot_directory != NULL && | 418 | if (options.chroot_directory != NULL && |
419 | strcasecmp(options.chroot_directory, "none") != 0) { | 419 | strcasecmp(options.chroot_directory, "none") != 0) { |
420 | @@ -1679,7 +1679,7 @@ do_child(Session *s, const char *command) | 420 | @@ -1676,7 +1676,7 @@ do_child(Session *s, const char *command) |
421 | 421 | ||
422 | /* Force a password change */ | 422 | /* Force a password change */ |
423 | if (s->authctxt->force_pwchange) { | 423 | if (s->authctxt->force_pwchange) { |
@@ -426,7 +426,7 @@ index 2bcf818..6848df4 100644 | |||
426 | child_close_fds(); | 426 | child_close_fds(); |
427 | do_pwchange(s); | 427 | do_pwchange(s); |
428 | exit(1); | 428 | exit(1); |
429 | @@ -1706,7 +1706,7 @@ do_child(Session *s, const char *command) | 429 | @@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command) |
430 | /* When PAM is enabled we rely on it to do the nologin check */ | 430 | /* When PAM is enabled we rely on it to do the nologin check */ |
431 | if (!options.use_pam) | 431 | if (!options.use_pam) |
432 | do_nologin(pw); | 432 | do_nologin(pw); |
@@ -435,7 +435,7 @@ index 2bcf818..6848df4 100644 | |||
435 | /* | 435 | /* |
436 | * PAM session modules in do_setusercontext may have | 436 | * PAM session modules in do_setusercontext may have |
437 | * generated messages, so if this in an interactive | 437 | * generated messages, so if this in an interactive |
438 | @@ -2117,7 +2117,7 @@ session_pty_req(Session *s) | 438 | @@ -2114,7 +2114,7 @@ session_pty_req(Session *s) |
439 | tty_parse_modes(s->ttyfd, &n_bytes); | 439 | tty_parse_modes(s->ttyfd, &n_bytes); |
440 | 440 | ||
441 | if (!use_privsep) | 441 | if (!use_privsep) |
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644 | |||
458 | const char *value); | 458 | const char *value); |
459 | 459 | ||
460 | diff --git a/sshd.c b/sshd.c | 460 | diff --git a/sshd.c b/sshd.c |
461 | index d787fea..e343d90 100644 | 461 | index 3a6be65..48a14dd 100644 |
462 | --- a/sshd.c | 462 | --- a/sshd.c |
463 | +++ b/sshd.c | 463 | +++ b/sshd.c |
464 | @@ -769,7 +769,7 @@ privsep_postauth(Authctxt *authctxt) | 464 | @@ -772,7 +772,7 @@ privsep_postauth(Authctxt *authctxt) |
465 | explicit_bzero(rnd, sizeof(rnd)); | 465 | explicit_bzero(rnd, sizeof(rnd)); |
466 | 466 | ||
467 | /* Drop privileges */ | 467 | /* Drop privileges */ |
@@ -471,10 +471,10 @@ index d787fea..e343d90 100644 | |||
471 | skip: | 471 | skip: |
472 | /* It is safe now to apply the key state */ | 472 | /* It is safe now to apply the key state */ |
473 | diff --git a/sshpty.c b/sshpty.c | 473 | diff --git a/sshpty.c b/sshpty.c |
474 | index bbbc0fe..8cc26a2 100644 | 474 | index a2059b7..3512ec8 100644 |
475 | --- a/sshpty.c | 475 | --- a/sshpty.c |
476 | +++ b/sshpty.c | 476 | +++ b/sshpty.c |
477 | @@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, | 477 | @@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, |
478 | } | 478 | } |
479 | 479 | ||
480 | void | 480 | void |
@@ -483,7 +483,7 @@ index bbbc0fe..8cc26a2 100644 | |||
483 | { | 483 | { |
484 | struct group *grp; | 484 | struct group *grp; |
485 | gid_t gid; | 485 | gid_t gid; |
486 | @@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty) | 486 | @@ -214,7 +214,7 @@ pty_setowner(struct passwd *pw, const char *tty) |
487 | strerror(errno)); | 487 | strerror(errno)); |
488 | 488 | ||
489 | #ifdef WITH_SELINUX | 489 | #ifdef WITH_SELINUX |
diff --git a/debian/patches/series b/debian/patches/series index c554b34ca..bbc7a5fb4 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -1,4 +1,5 @@ | |||
1 | gssapi.patch | 1 | gssapi.patch |
2 | restore-tcp-wrappers.patch | ||
2 | selinux-role.patch | 3 | selinux-role.patch |
3 | ssh-vulnkey-compat.patch | 4 | ssh-vulnkey-compat.patch |
4 | ssh1-keepalive.patch | 5 | ssh1-keepalive.patch |
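Review bot: restore-tcp-wrappers.patch is inserted ahead of selinux-role.patch, and both touch sshd.c; the refreshed selinux-role.patch later in this commit accordingly carries `index 3a6be65..48a14dd` for sshd.c, where 3a6be65 is the blob restore-tcp-wrappers.patch produces (its own sshd.c hunk is `index e6706a8..3a6be65`). The ordering is consistent, but it means any later reorder of series requires refreshing both patches together; a short comment in the patch header of restore-tcp-wrappers.patch stating that selinux-role.patch depends on it would save the next refresh.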
@@ -22,9 +23,7 @@ ssh-argv0.patch | |||
22 | doc-hash-tab-completion.patch | 23 | doc-hash-tab-completion.patch |
23 | doc-upstart.patch | 24 | doc-upstart.patch |
24 | ssh-agent-setgid.patch | 25 | ssh-agent-setgid.patch |
25 | no-openssl-version-check.patch | 26 | no-openssl-version-status.patch |
26 | gnome-ssh-askpass2-icon.patch | 27 | gnome-ssh-askpass2-icon.patch |
27 | sigstop.patch | 28 | sigstop.patch |
28 | debian-config.patch | 29 | debian-config.patch |
29 | sshfp_with_server_cert_upstr | ||
30 | curve25519-sha256-bignum-encoding.patch | ||
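Review bot: the rename from `no-openssl-version-check.patch` to `no-openssl-version-status.patch` in series needs the matching file rename in debian/patches within this same merge (it is not visible in this part of the diff); if the rename landed separately, quilt will fail on the missing file at the old position. Likewise, dropping `sshfp_with_server_cert_upstr` and `curve25519-sha256-bignum-encoding.patch` is only correct if both changes are contained in the 6.7 upstream release being merged; the commit message lists the 6.7 release notes but does not name these two as superseded, so a line recording that they were merged upstream would make the removal auditable.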
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index 48c16d2a2..07e20f03d 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6103c29d855e82c098e88ee12f05a6eb41f659ce Mon Sep 17 00:00:00 2001 | 1 | From 66377fbb52584b41bd7f6f19116107fbbad41058 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 |
4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand | 4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand |
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch | |||
16 | 1 file changed, 2 insertions(+), 2 deletions(-) | 16 | 1 file changed, 2 insertions(+), 2 deletions(-) |
17 | 17 | ||
18 | diff --git a/sshconnect.c b/sshconnect.c | 18 | diff --git a/sshconnect.c b/sshconnect.c |
19 | index 573d7a8..9e02837 100644 | 19 | index ac09eae..26116d2 100644 |
20 | --- a/sshconnect.c | 20 | --- a/sshconnect.c |
21 | +++ b/sshconnect.c | 21 | +++ b/sshconnect.c |
22 | @@ -227,7 +227,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) | 22 | @@ -228,7 +228,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) |
23 | /* Execute the proxy command. Note that we gave up any | 23 | /* Execute the proxy command. Note that we gave up any |
24 | extra privileges above. */ | 24 | extra privileges above. */ |
25 | signal(SIGPIPE, SIG_DFL); | 25 | signal(SIGPIPE, SIG_DFL); |
@@ -28,7 +28,7 @@ index 573d7a8..9e02837 100644 | |||
28 | perror(argv[0]); | 28 | perror(argv[0]); |
29 | exit(1); | 29 | exit(1); |
30 | } | 30 | } |
31 | @@ -1387,7 +1387,7 @@ ssh_local_cmd(const char *args) | 31 | @@ -1416,7 +1416,7 @@ ssh_local_cmd(const char *args) |
32 | if (pid == 0) { | 32 | if (pid == 0) { |
33 | signal(SIGPIPE, SIG_DFL); | 33 | signal(SIGPIPE, SIG_DFL); |
34 | debug3("Executing %s -c \"%s\"", shell, args); | 34 | debug3("Executing %s -c \"%s\"", shell, args); |
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch index 6a15e0dc5..1eaa7758b 100644 --- a/debian/patches/sigstop.patch +++ b/debian/patches/sigstop.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From cfeaa0ba2ce2859573f7e980be09ef05511f56a2 Mon Sep 17 00:00:00 2001 | 1 | From 689f465c66059e527974c6d4ea8e95f04d5abab7 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 |
4 | Subject: Support synchronisation with service supervisor using SIGSTOP | 4 | Subject: Support synchronisation with service supervisor using SIGSTOP |
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch | |||
13 | 1 file changed, 10 insertions(+) | 13 | 1 file changed, 10 insertions(+) |
14 | 14 | ||
15 | diff --git a/sshd.c b/sshd.c | 15 | diff --git a/sshd.c b/sshd.c |
16 | index 665c0b9..0964491 100644 | 16 | index 87331c1..23d5a64 100644 |
17 | --- a/sshd.c | 17 | --- a/sshd.c |
18 | +++ b/sshd.c | 18 | +++ b/sshd.c |
19 | @@ -1931,6 +1931,16 @@ main(int ac, char **av) | 19 | @@ -1958,6 +1958,16 @@ main(int ac, char **av) |
20 | } | 20 | } |
21 | } | 21 | } |
22 | 22 | ||
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch index af23075b3..9c3ddc86e 100644 --- a/debian/patches/ssh-agent-setgid.patch +++ b/debian/patches/ssh-agent-setgid.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d53483ab71ac2a9195c8f171da5a5dcf54ec16ec Mon Sep 17 00:00:00 2001 | 1 | From 78dd041bb6ad29ceb35f05b539b09ccf761eaee2 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 |
4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) | 4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) |
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch | |||
13 | 1 file changed, 15 insertions(+) | 13 | 1 file changed, 15 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh-agent.1 b/ssh-agent.1 | 15 | diff --git a/ssh-agent.1 b/ssh-agent.1 |
16 | index 281ecbd..38fd540 100644 | 16 | index a1e634f..f2c4080 100644 |
17 | --- a/ssh-agent.1 | 17 | --- a/ssh-agent.1 |
18 | +++ b/ssh-agent.1 | 18 | +++ b/ssh-agent.1 |
19 | @@ -183,6 +183,21 @@ environment variable holds the agent's process ID. | 19 | @@ -172,6 +172,21 @@ environment variable holds the agent's process ID. |
20 | .Pp | 20 | .Pp |
21 | The agent exits automatically when the command given on the command | 21 | The agent exits automatically when the command given on the command |
22 | line terminates. | 22 | line terminates. |
@@ -37,4 +37,4 @@ index 281ecbd..38fd540 100644 | |||
37 | +so in the program executed by ssh-agent. | 37 | +so in the program executed by ssh-agent. |
38 | .Sh FILES | 38 | .Sh FILES |
39 | .Bl -tag -width Ds | 39 | .Bl -tag -width Ds |
40 | .It Pa ~/.ssh/identity | 40 | .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt |
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index d456facea..0ccf7c42b 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d4ac61d918775f629eff9a389d0f7bb0f8426b48 Mon Sep 17 00:00:00 2001 | 1 | From cbd5cb03866f6df50c82d26588b73135d05bf245 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 |
4 | Subject: ssh(1): Refer to ssh-argv0(1) | 4 | Subject: ssh(1): Refer to ssh-argv0(1) |
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch | |||
18 | 1 file changed, 1 insertion(+) | 18 | 1 file changed, 1 insertion(+) |
19 | 19 | ||
20 | diff --git a/ssh.1 b/ssh.1 | 20 | diff --git a/ssh.1 b/ssh.1 |
21 | index 67b4f44..9868025 100644 | 21 | index de178cd..2606b15 100644 |
22 | --- a/ssh.1 | 22 | --- a/ssh.1 |
23 | +++ b/ssh.1 | 23 | +++ b/ssh.1 |
24 | @@ -1468,6 +1468,7 @@ if an error occurred. | 24 | @@ -1458,6 +1458,7 @@ if an error occurred. |
25 | .Xr sftp 1 , | 25 | .Xr sftp 1 , |
26 | .Xr ssh-add 1 , | 26 | .Xr ssh-add 1 , |
27 | .Xr ssh-agent 1 , | 27 | .Xr ssh-agent 1 , |
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index fa738b084..427ee6be1 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d422205e757aaf23e8e0e787f842ef37f6a170a2 Mon Sep 17 00:00:00 2001 | 1 | From e6836d7c98c75d3252de56c2f3ea07e12c817e00 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch | |||
17 | 2 files changed, 2 insertions(+) | 17 | 2 files changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/readconf.c b/readconf.c | 19 | diff --git a/readconf.c b/readconf.c |
20 | index 7613ff2..bcd8cad 100644 | 20 | index 9127e93..bc879eb 100644 |
21 | --- a/readconf.c | 21 | --- a/readconf.c |
22 | +++ b/readconf.c | 22 | +++ b/readconf.c |
23 | @@ -172,6 +172,7 @@ static struct { | 23 | @@ -174,6 +174,7 @@ static struct { |
24 | { "passwordauthentication", oPasswordAuthentication }, | 24 | { "passwordauthentication", oPasswordAuthentication }, |
25 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | 25 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, |
26 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | 26 | { "kbdinteractivedevices", oKbdInteractiveDevices }, |
@@ -29,10 +29,10 @@ index 7613ff2..bcd8cad 100644 | |||
29 | { "pubkeyauthentication", oPubkeyAuthentication }, | 29 | { "pubkeyauthentication", oPubkeyAuthentication }, |
30 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 30 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
31 | diff --git a/servconf.c b/servconf.c | 31 | diff --git a/servconf.c b/servconf.c |
32 | index 0083cf8..90de888 100644 | 32 | index cb3c831..a252487 100644 |
33 | --- a/servconf.c | 33 | --- a/servconf.c |
34 | +++ b/servconf.c | 34 | +++ b/servconf.c |
35 | @@ -448,6 +448,7 @@ static struct { | 35 | @@ -462,6 +462,7 @@ static struct { |
36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index ded7c122a..2e5fa306d 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 789d58ed3df120c7b80d07fb2d259c216194a29c Mon Sep 17 00:00:00 2001 | 1 | From cbbc8577950b93090171c7394bcdeb68b7c3cd0c Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:51 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:51 +0000 |
4 | Subject: Partial server keep-alive implementation for SSH1 | 4 | Subject: Partial server keep-alive implementation for SSH1 |
@@ -13,7 +13,7 @@ Patch-Name: ssh1-keepalive.patch | |||
13 | 2 files changed, 19 insertions(+), 11 deletions(-) | 13 | 2 files changed, 19 insertions(+), 11 deletions(-) |
14 | 14 | ||
15 | diff --git a/clientloop.c b/clientloop.c | 15 | diff --git a/clientloop.c b/clientloop.c |
16 | index 6d8cd7d..73a800c 100644 | 16 | index f9175e3..046ca8b 100644 |
17 | --- a/clientloop.c | 17 | --- a/clientloop.c |
18 | +++ b/clientloop.c | 18 | +++ b/clientloop.c |
19 | @@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) | 19 | @@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) |
@@ -57,10 +57,10 @@ index 6d8cd7d..73a800c 100644 | |||
57 | server_alive_time = now + options.server_alive_interval; | 57 | server_alive_time = now + options.server_alive_interval; |
58 | } | 58 | } |
59 | diff --git a/ssh_config.5 b/ssh_config.5 | 59 | diff --git a/ssh_config.5 b/ssh_config.5 |
60 | index e7accd6..473971e 100644 | 60 | index e6649ac..01f1f7f 100644 |
61 | --- a/ssh_config.5 | 61 | --- a/ssh_config.5 |
62 | +++ b/ssh_config.5 | 62 | +++ b/ssh_config.5 |
63 | @@ -1294,7 +1294,10 @@ If, for example, | 63 | @@ -1325,7 +1325,10 @@ If, for example, |
64 | .Cm ServerAliveCountMax | 64 | .Cm ServerAliveCountMax |
65 | is left at the default, if the server becomes unresponsive, | 65 | is left at the default, if the server becomes unresponsive, |
66 | ssh will disconnect after approximately 45 seconds. | 66 | ssh will disconnect after approximately 45 seconds. |
diff --git a/debian/patches/sshfp_with_server_cert_upstr b/debian/patches/sshfp_with_server_cert_upstr deleted file mode 100644 index b453081c5..000000000 --- a/debian/patches/sshfp_with_server_cert_upstr +++ /dev/null | |||
@@ -1,83 +0,0 @@ | |||
1 | From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthew Vernon <mcv21@cam.ac.uk> | ||
3 | Date: Wed, 26 Mar 2014 15:32:23 +0000 | ||
4 | Subject: Attempt SSHFP lookup even if server presents a certificate | ||
5 | |||
6 | If an ssh server presents a certificate to the client, then the client | ||
7 | does not check the DNS for SSHFP records. This means that a malicious | ||
8 | server can essentially disable DNS-host-key-checking, which means the | ||
9 | client will fall back to asking the user (who will just say "yes" to | ||
10 | the fingerprint, sadly). | ||
11 | |||
12 | This patch is by Damien Miller (of openssh upstream). It's simpler | ||
13 | than the patch by Mark Wooding which I applied yesterday; a copy is | ||
14 | taken of the proffered key/cert, the key extracted from the cert (if | ||
15 | necessary), and then the DNS consulted. | ||
16 | |||
17 | Signed-off-by: Matthew Vernon <matthew@debian.org> | ||
18 | Bug-Debian: http://bugs.debian.org/742513 | ||
19 | Patch-Name: sshfp_with_server_cert_upstr | ||
20 | --- | ||
21 | sshconnect.c | 42 ++++++++++++++++++++++++++---------------- | ||
22 | 1 file changed, 26 insertions(+), 16 deletions(-) | ||
23 | |||
24 | diff --git a/sshconnect.c b/sshconnect.c | ||
25 | index 87c3770..324f5e0 100644 | ||
26 | --- a/sshconnect.c | ||
27 | +++ b/sshconnect.c | ||
28 | @@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) | ||
29 | { | ||
30 | int flags = 0; | ||
31 | char *fp; | ||
32 | + Key *plain = NULL; | ||
33 | |||
34 | fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); | ||
35 | debug("Server host key: %s %s", key_type(host_key), fp); | ||
36 | free(fp); | ||
37 | |||
38 | - /* XXX certs are not yet supported for DNS */ | ||
39 | - if (!key_is_cert(host_key) && options.verify_host_key_dns && | ||
40 | - verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { | ||
41 | - if (flags & DNS_VERIFY_FOUND) { | ||
42 | - | ||
43 | - if (options.verify_host_key_dns == 1 && | ||
44 | - flags & DNS_VERIFY_MATCH && | ||
45 | - flags & DNS_VERIFY_SECURE) | ||
46 | - return 0; | ||
47 | - | ||
48 | - if (flags & DNS_VERIFY_MATCH) { | ||
49 | - matching_host_key_dns = 1; | ||
50 | - } else { | ||
51 | - warn_changed_key(host_key); | ||
52 | - error("Update the SSHFP RR in DNS with the new " | ||
53 | - "host key to get rid of this message."); | ||
54 | + if (options.verify_host_key_dns) { | ||
55 | + /* | ||
56 | + * XXX certs are not yet supported for DNS, so downgrade | ||
57 | + * them and try the plain key. | ||
58 | + */ | ||
59 | + plain = key_from_private(host_key); | ||
60 | + if (key_is_cert(plain)) | ||
61 | + key_drop_cert(plain); | ||
62 | + if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) { | ||
63 | + if (flags & DNS_VERIFY_FOUND) { | ||
64 | + if (options.verify_host_key_dns == 1 && | ||
65 | + flags & DNS_VERIFY_MATCH && | ||
66 | + flags & DNS_VERIFY_SECURE) { | ||
67 | + key_free(plain); | ||
68 | + return 0; | ||
69 | + } | ||
70 | + if (flags & DNS_VERIFY_MATCH) { | ||
71 | + matching_host_key_dns = 1; | ||
72 | + } else { | ||
73 | + warn_changed_key(plain); | ||
74 | + error("Update the SSHFP RR in DNS " | ||
75 | + "with the new host key to get rid " | ||
76 | + "of this message."); | ||
77 | + } | ||
78 | } | ||
79 | } | ||
80 | + key_free(plain); | ||
81 | } | ||
82 | |||
83 | return check_host_key(host, hostaddr, options.port, host_key, RDRW, | ||
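Review bot: dropping this patch is only safe if the merged 6.7p1 `sshconnect.c` already carries the equivalent of the removed `+` lines in `verify_host_key()` (copy the host key with `key_from_private()`, `key_drop_cert()` it when it is a certificate, then run `verify_host_key_dns()` on the plain key, freeing the copy on every path). The `_upstr` suffix and the message's statement that the code is Damien Miller's say it was expected to land upstream, but the release-notes excerpt on this page stops before any such entry, so confirm it against the 6.7p1 source before this removal goes in; otherwise the bypass the message describes (a server presenting a certificate disables the SSHFP check and the client falls back to prompting the user) returns. Two things to carry into that check: first, the early `return 0` when `DNS_VERIFY_MATCH` and `DNS_VERIFY_SECURE` are both set (lines 64 to 69) skips `check_host_key()` on line 83 entirely, so a certificate whose underlying key matches a DNSSEC-validated SSHFP record is accepted without the certificate itself ever being checked against known_hosts; the `-` lines 43 to 46 show plain keys already behaved this way, so it is not a regression of the patch, but whatever upstream ships should be read with that in mind. Second, the changelog for this merge should record Bug-Debian #742513 as fixed upstream so the bug is closed by the same upload.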
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index 7cbd3a7e3..bfc236927 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b8ed36cdf2dbebc01e52e83eece4bb1d78607e84 Mon Sep 17 00:00:00 2001 | 1 | From 69f7c00e04d1baa01a9038eeb764cfed0830fb19 Mon Sep 17 00:00:00 2001 |
2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> | 2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644 | |||
33 | { "FATAL", SYSLOG_LEVEL_FATAL }, | 33 | { "FATAL", SYSLOG_LEVEL_FATAL }, |
34 | { "ERROR", SYSLOG_LEVEL_ERROR }, | 34 | { "ERROR", SYSLOG_LEVEL_ERROR }, |
35 | diff --git a/ssh.c b/ssh.c | 35 | diff --git a/ssh.c b/ssh.c |
36 | index 1e6cb90..3e63708 100644 | 36 | index 26e9681..5bce695 100644 |
37 | --- a/ssh.c | 37 | --- a/ssh.c |
38 | +++ b/ssh.c | 38 | +++ b/ssh.c |
39 | @@ -965,7 +965,7 @@ main(int ac, char **av) | 39 | @@ -989,7 +989,7 @@ main(int ac, char **av) |
40 | /* Do not allocate a tty if stdin is not a tty. */ | 40 | /* Do not allocate a tty if stdin is not a tty. */ |
41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && | 41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && |
42 | options.request_tty != REQUEST_TTY_FORCE) { | 42 | options.request_tty != REQUEST_TTY_FORCE) { |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 3cdb9d8a1..e4e4657f3 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 77638f6662ecd8500e1b97e537233b1277ca829f Mon Sep 17 00:00:00 2001 | 1 | From 28ea747089f695e58a476a2849133402d4f86b92 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -28,7 +28,7 @@ Patch-Name: user-group-modes.patch | |||
28 | 8 files changed, 82 insertions(+), 29 deletions(-) | 28 | 8 files changed, 82 insertions(+), 29 deletions(-) |
29 | 29 | ||
30 | diff --git a/auth-rhosts.c b/auth-rhosts.c | 30 | diff --git a/auth-rhosts.c b/auth-rhosts.c |
31 | index 06ae7f0..f202787 100644 | 31 | index b5bedee..11fcca6 100644 |
32 | --- a/auth-rhosts.c | 32 | --- a/auth-rhosts.c |
33 | +++ b/auth-rhosts.c | 33 | +++ b/auth-rhosts.c |
34 | @@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam | 34 | @@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam |
@@ -52,10 +52,10 @@ index 06ae7f0..f202787 100644 | |||
52 | pw->pw_name, buf); | 52 | pw->pw_name, buf); |
53 | auth_debug_add("Bad file modes for %.200s", buf); | 53 | auth_debug_add("Bad file modes for %.200s", buf); |
54 | diff --git a/auth.c b/auth.c | 54 | diff --git a/auth.c b/auth.c |
55 | index 9a36f1d..0c45f09 100644 | 55 | index 5e60682..18de51a 100644 |
56 | --- a/auth.c | 56 | --- a/auth.c |
57 | +++ b/auth.c | 57 | +++ b/auth.c |
58 | @@ -407,8 +407,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | 58 | @@ -421,8 +421,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, |
59 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 59 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
60 | if (options.strict_modes && | 60 | if (options.strict_modes && |
61 | (stat(user_hostfile, &st) == 0) && | 61 | (stat(user_hostfile, &st) == 0) && |
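Review bot: offset-only refresh (`@@ -407,8 +407,7` becomes `@@ -421,8 +421,7`, blob 5e60682..18de51a) with the hunk shape unchanged, so the patch still swaps the same two-line owner/mode condition on `user_hostfile` in `check_key_in_hostfiles()` for one line. The same 8-to-7 shape recurs in both `auth_secure_path()` hunks below (483 and 498), so all three strict-modes call sites this patch relaxes line up with 6.7p1 by offset alone. For a patch whose purpose is to loosen a permission check, that is the outcome you want; any hunk here that had needed re-fuzzing would have warranted re-reading the 6.7 `auth_secure_path()` body to make sure the relaxed check is still applied to exactly the file and directory tests and nothing else.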
@@ -65,7 +65,7 @@ index 9a36f1d..0c45f09 100644 | |||
65 | logit("Authentication refused for %.100s: " | 65 | logit("Authentication refused for %.100s: " |
66 | "bad owner or modes for %.200s", | 66 | "bad owner or modes for %.200s", |
67 | pw->pw_name, user_hostfile); | 67 | pw->pw_name, user_hostfile); |
68 | @@ -470,8 +469,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, | 68 | @@ -484,8 +483,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
69 | snprintf(err, errlen, "%s is not a regular file", buf); | 69 | snprintf(err, errlen, "%s is not a regular file", buf); |
70 | return -1; | 70 | return -1; |
71 | } | 71 | } |
@@ -75,7 +75,7 @@ index 9a36f1d..0c45f09 100644 | |||
75 | snprintf(err, errlen, "bad ownership or modes for file %s", | 75 | snprintf(err, errlen, "bad ownership or modes for file %s", |
76 | buf); | 76 | buf); |
77 | return -1; | 77 | return -1; |
78 | @@ -486,8 +484,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, | 78 | @@ -500,8 +498,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
79 | strlcpy(buf, cp, sizeof(buf)); | 79 | strlcpy(buf, cp, sizeof(buf)); |
80 | 80 | ||
81 | if (stat(buf, &st) < 0 || | 81 | if (stat(buf, &st) < 0 || |
@@ -86,10 +86,10 @@ index 9a36f1d..0c45f09 100644 | |||
86 | "bad ownership or modes for directory %s", buf); | 86 | "bad ownership or modes for directory %s", buf); |
87 | return -1; | 87 | return -1; |
88 | diff --git a/misc.c b/misc.c | 88 | diff --git a/misc.c b/misc.c |
89 | index e4c8c32..4e756b0 100644 | 89 | index 94b05b0..c25ccd8 100644 |
90 | --- a/misc.c | 90 | --- a/misc.c |
91 | +++ b/misc.c | 91 | +++ b/misc.c |
92 | @@ -49,8 +49,9 @@ | 92 | @@ -50,8 +50,9 @@ |
93 | #include <netdb.h> | 93 | #include <netdb.h> |
94 | #ifdef HAVE_PATHS_H | 94 | #ifdef HAVE_PATHS_H |
95 | # include <paths.h> | 95 | # include <paths.h> |
@@ -100,7 +100,7 @@ index e4c8c32..4e756b0 100644 | |||
100 | #ifdef SSH_TUN_OPENBSD | 100 | #ifdef SSH_TUN_OPENBSD |
101 | #include <net/if.h> | 101 | #include <net/if.h> |
102 | #endif | 102 | #endif |
103 | @@ -59,6 +60,7 @@ | 103 | @@ -60,6 +61,7 @@ |
104 | #include "misc.h" | 104 | #include "misc.h" |
105 | #include "log.h" | 105 | #include "log.h" |
106 | #include "ssh.h" | 106 | #include "ssh.h" |
@@ -108,7 +108,7 @@ index e4c8c32..4e756b0 100644 | |||
108 | 108 | ||
109 | /* remove newline at end of string */ | 109 | /* remove newline at end of string */ |
110 | char * | 110 | char * |
111 | @@ -643,6 +645,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, | 111 | @@ -644,6 +646,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, |
112 | return -1; | 112 | return -1; |
113 | } | 113 | } |
114 | 114 | ||
@@ -181,10 +181,10 @@ index e4c8c32..4e756b0 100644 | |||
181 | tun_open(int tun, int mode) | 181 | tun_open(int tun, int mode) |
182 | { | 182 | { |
183 | diff --git a/misc.h b/misc.h | 183 | diff --git a/misc.h b/misc.h |
184 | index d4df619..ceb173b 100644 | 184 | index 374c33c..89e1f75 100644 |
185 | --- a/misc.h | 185 | --- a/misc.h |
186 | +++ b/misc.h | 186 | +++ b/misc.h |
187 | @@ -106,4 +106,6 @@ char *read_passphrase(const char *, int); | 187 | @@ -135,4 +135,6 @@ char *read_passphrase(const char *, int); |
188 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 188 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
189 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); | 189 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); |
190 | 190 | ||
@@ -192,10 +192,10 @@ index d4df619..ceb173b 100644 | |||
192 | + | 192 | + |
193 | #endif /* _MISC_H */ | 193 | #endif /* _MISC_H */ |
194 | diff --git a/platform.c b/platform.c | 194 | diff --git a/platform.c b/platform.c |
195 | index 4aab9a9..f99de7f 100644 | 195 | index f35ec39..9a23e6e 100644 |
196 | --- a/platform.c | 196 | --- a/platform.c |
197 | +++ b/platform.c | 197 | +++ b/platform.c |
198 | @@ -196,19 +196,3 @@ platform_krb5_get_principal_name(const char *pw_name) | 198 | @@ -197,19 +197,3 @@ platform_krb5_get_principal_name(const char *pw_name) |
199 | return NULL; | 199 | return NULL; |
200 | #endif | 200 | #endif |
201 | } | 201 | } |
@@ -216,10 +216,10 @@ index 4aab9a9..f99de7f 100644 | |||
216 | - return 0; | 216 | - return 0; |
217 | -} | 217 | -} |
218 | diff --git a/readconf.c b/readconf.c | 218 | diff --git a/readconf.c b/readconf.c |
219 | index 6409937..32c4b42 100644 | 219 | index 337818c..0648867 100644 |
220 | --- a/readconf.c | 220 | --- a/readconf.c |
221 | +++ b/readconf.c | 221 | +++ b/readconf.c |
222 | @@ -37,6 +37,8 @@ | 222 | @@ -38,6 +38,8 @@ |
223 | #include <stdio.h> | 223 | #include <stdio.h> |
224 | #include <string.h> | 224 | #include <string.h> |
225 | #include <unistd.h> | 225 | #include <unistd.h> |
@@ -228,7 +228,7 @@ index 6409937..32c4b42 100644 | |||
228 | #ifdef HAVE_UTIL_H | 228 | #ifdef HAVE_UTIL_H |
229 | #include <util.h> | 229 | #include <util.h> |
230 | #endif | 230 | #endif |
231 | @@ -1477,8 +1479,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, | 231 | @@ -1516,8 +1518,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, |
232 | 232 | ||
233 | if (fstat(fileno(f), &sb) == -1) | 233 | if (fstat(fileno(f), &sb) == -1) |
234 | fatal("fstat %s: %s", filename, strerror(errno)); | 234 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -239,10 +239,10 @@ index 6409937..32c4b42 100644 | |||
239 | } | 239 | } |
240 | 240 | ||
241 | diff --git a/ssh.1 b/ssh.1 | 241 | diff --git a/ssh.1 b/ssh.1 |
242 | index 27794e2..ff5e6ac 100644 | 242 | index fa5cfb2..7f6ab77 100644 |
243 | --- a/ssh.1 | 243 | --- a/ssh.1 |
244 | +++ b/ssh.1 | 244 | +++ b/ssh.1 |
245 | @@ -1352,6 +1352,8 @@ The file format and configuration options are described in | 245 | @@ -1342,6 +1342,8 @@ The file format and configuration options are described in |
246 | .Xr ssh_config 5 . | 246 | .Xr ssh_config 5 . |
247 | Because of the potential for abuse, this file must have strict permissions: | 247 | Because of the potential for abuse, this file must have strict permissions: |
248 | read/write for the user, and not writable by others. | 248 | read/write for the user, and not writable by others. |
@@ -252,10 +252,10 @@ index 27794e2..ff5e6ac 100644 | |||
252 | .It Pa ~/.ssh/environment | 252 | .It Pa ~/.ssh/environment |
253 | Contains additional definitions for environment variables; see | 253 | Contains additional definitions for environment variables; see |
254 | diff --git a/ssh_config.5 b/ssh_config.5 | 254 | diff --git a/ssh_config.5 b/ssh_config.5 |
255 | index 3172fd4..4bf7cbb 100644 | 255 | index ea92ea8..d68b45a 100644 |
256 | --- a/ssh_config.5 | 256 | --- a/ssh_config.5 |
257 | +++ b/ssh_config.5 | 257 | +++ b/ssh_config.5 |
258 | @@ -1529,6 +1529,8 @@ The format of this file is described above. | 258 | @@ -1587,6 +1587,8 @@ The format of this file is described above. |
259 | This file is used by the SSH client. | 259 | This file is used by the SSH client. |
260 | Because of the potential for abuse, this file must have strict permissions: | 260 | Because of the potential for abuse, this file must have strict permissions: |
261 | read/write for the user, and not accessible by others. | 261 | read/write for the user, and not accessible by others. |
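Review bot: the two man-page hunks this patch touches describe the required permissions differently: `ssh.1` (line 248) says `read/write for the user, and not writable by others`, while `ssh_config.5` (line 261) says `read/write for the user, and not accessible by others`. Both are upstream context lines, but the patch adds two lines to each paragraph (the `+2` in both `@@ -1342,6 +1342,8` and `@@ -1587,6 +1587,8`) to document the group-writability exception, so this refresh is the moment to check that the Debian wording is identical in both pages and matches what the refreshed `read_config_file()` check at `readconf.c:1518` (the `fstat()` mode test just after it) actually enforces. The writable-versus-accessible mismatch itself is an upstream inconsistency and is better raised there than papered over in this patch.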