summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2015-08-20 10:02:21 +0100
committerColin Watson <cjwatson@debian.org>2015-08-20 10:35:52 +0100
commitb06b9dabb90d7e2c7361f1db0bf1c59a2322506a (patch)
tree0322a33cf5ab900ec1bdca6e9ad9a1321b908786 /debian
parent2fb3683b54735e3b99706f0c44dbc9a062ff6987 (diff)
parent4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec (diff)
Let principals-command.sh work for noexec /var/run.
Diffstat (limited to 'debian')
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog4
-rw-r--r--debian/patches/backport-regress-principals-command-noexec.patch257
-rw-r--r--debian/patches/series1
4 files changed, 263 insertions, 3 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 8d8bd30fa..a4ea9396d 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package 1# see git-dpm(1) from git-dpm package
25c0c1192be30b7c0e60d96b5e6739c4ad49f087b 24c2916a2d9c0445b41e34805ddfbd7e323cbe6ec
35c0c1192be30b7c0e60d96b5e6739c4ad49f087b 34c2916a2d9c0445b41e34805ddfbd7e323cbe6ec
4544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 4544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
5544df7a04ae5b5c1fc30be7c445ad685d7a02dc9 5544df7a04ae5b5c1fc30be7c445ad685d7a02dc9
6openssh_6.9p1.orig.tar.gz 6openssh_6.9p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index d98a173ea..13bb8da42 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -131,7 +131,8 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
131 - sshd(8): Format UsePAM setting when using sshd -T (closes: #767648). 131 - sshd(8): Format UsePAM setting when using sshd -T (closes: #767648).
132 - moduli(5): Update DH-GEX moduli (closes: #787037). 132 - moduli(5): Update DH-GEX moduli (closes: #787037).
133 * There are some things I want to fix before upgrading to 7.0p1, though I 133 * There are some things I want to fix before upgrading to 7.0p1, though I
134 intend to do that soon. In the meantime, backport security patches: 134 intend to do that soon. In the meantime, backport some patches, mainly
135 to fix security issues:
135 - SECURITY: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be 136 - SECURITY: sshd(8): OpenSSH 6.8 and 6.9 incorrectly set TTYs to be
136 world-writable. Local attackers may be able to write arbitrary 137 world-writable. Local attackers may be able to write arbitrary
137 messages to logged-in users, including terminal escape sequences. 138 messages to logged-in users, including terminal escape sequences.
@@ -152,6 +153,7 @@ openssh (1:6.9p1-1) UNRELEASED; urgency=medium
152 times in a single pass. The LoginGraceTime timeout in sshd(8) and any 153 times in a single pass. The LoginGraceTime timeout in sshd(8) and any
153 authentication failure delays implemented by the authentication 154 authentication failure delays implemented by the authentication
154 mechanism itself were still applied. Found by Kingcope. 155 mechanism itself were still applied. Found by Kingcope.
156 - Let principals-command.sh work for noexec /var/run.
155 * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the 157 * Thanks to Jakub Jelen of Red Hat for Fedora's rebased version of the
156 GSSAPI key exchange patch. 158 GSSAPI key exchange patch.
157 * Document the Debian-specific change to the default value of 159 * Document the Debian-specific change to the default value of
diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch
new file mode 100644
index 000000000..5d5f2d16e
--- /dev/null
+++ b/debian/patches/backport-regress-principals-command-noexec.patch
@@ -0,0 +1,257 @@
1From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Mon, 10 Aug 2015 11:13:44 +1000
4Subject: let principals-command.sh work for noexec /var/run
5
6Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
7Forwarded: not-needed
8Last-Update: 2015-08-20
9
10Patch-Name: backport-regress-principals-command-noexec.patch
11---
12 regress/principals-command.sh | 222 +++++++++++++++++++++---------------------
13 1 file changed, 113 insertions(+), 109 deletions(-)
14
15diff --git a/regress/principals-command.sh b/regress/principals-command.sh
16index 9006437..b90a8cf 100644
17--- a/regress/principals-command.sh
18+++ b/regress/principals-command.sh
19@@ -14,15 +14,15 @@ fi
20
21 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
22 # acceptable directory permissions.
23-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
24-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
25+PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
26+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
27 #!/bin/sh
28 test "x\$1" != "x${LOGNAME}" && exit 1
29 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
30 exec cat "$OBJ/authorized_principals_${LOGNAME}"
31 _EOF
32 test $? -eq 0 || fatal "couldn't prepare principals command"
33-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
34+$SUDO chmod 0755 "$PRINCIPALS_CMD"
35
36 # Create a CA key and a user certificate.
37 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
38@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
39 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
40 fatal "couldn't sign cert_user_key"
41
42-# Test explicitly-specified principals
43-for privsep in yes no ; do
44- _prefix="privsep $privsep"
45-
46- # Setup for AuthorizedPrincipalsCommand
47- rm -f $OBJ/authorized_keys_$USER
48- (
49- cat $OBJ/sshd_proxy_bak
50- echo "UsePrivilegeSeparation $privsep"
51- echo "AuthorizedKeysFile none"
52- echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
53- echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
54- echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
55- ) > $OBJ/sshd_proxy
56-
57- # XXX test missing command
58- # XXX test failing command
59-
60- # Empty authorized_principals
61- verbose "$tid: ${_prefix} empty authorized_principals"
62- echo > $OBJ/authorized_principals_$USER
63- ${SSH} -2i $OBJ/cert_user_key \
64- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
65- if [ $? -eq 0 ]; then
66- fail "ssh cert connect succeeded unexpectedly"
67- fi
68-
69- # Wrong authorized_principals
70- verbose "$tid: ${_prefix} wrong authorized_principals"
71- echo gregorsamsa > $OBJ/authorized_principals_$USER
72- ${SSH} -2i $OBJ/cert_user_key \
73- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
74- if [ $? -eq 0 ]; then
75- fail "ssh cert connect succeeded unexpectedly"
76- fi
77-
78- # Correct authorized_principals
79- verbose "$tid: ${_prefix} correct authorized_principals"
80- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
81- ${SSH} -2i $OBJ/cert_user_key \
82- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
83- if [ $? -ne 0 ]; then
84- fail "ssh cert connect failed"
85- fi
86-
87- # authorized_principals with bad key option
88- verbose "$tid: ${_prefix} authorized_principals bad key opt"
89- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
90- ${SSH} -2i $OBJ/cert_user_key \
91- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
92- if [ $? -eq 0 ]; then
93- fail "ssh cert connect succeeded unexpectedly"
94- fi
95-
96- # authorized_principals with command=false
97- verbose "$tid: ${_prefix} authorized_principals command=false"
98- echo 'command="false" mekmitasdigoat' > \
99- $OBJ/authorized_principals_$USER
100- ${SSH} -2i $OBJ/cert_user_key \
101- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
102- if [ $? -eq 0 ]; then
103- fail "ssh cert connect succeeded unexpectedly"
104- fi
105-
106-
107- # authorized_principals with command=true
108- verbose "$tid: ${_prefix} authorized_principals command=true"
109- echo 'command="true" mekmitasdigoat' > \
110- $OBJ/authorized_principals_$USER
111- ${SSH} -2i $OBJ/cert_user_key \
112- -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
113- if [ $? -ne 0 ]; then
114- fail "ssh cert connect failed"
115- fi
116-
117- # Setup for principals= key option
118- rm -f $OBJ/authorized_principals_$USER
119- (
120- cat $OBJ/sshd_proxy_bak
121- echo "UsePrivilegeSeparation $privsep"
122- ) > $OBJ/sshd_proxy
123-
124- # Wrong principals list
125- verbose "$tid: ${_prefix} wrong principals key option"
126- (
127- printf 'cert-authority,principals="gregorsamsa" '
128- cat $OBJ/user_ca_key.pub
129- ) > $OBJ/authorized_keys_$USER
130- ${SSH} -2i $OBJ/cert_user_key \
131- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
132- if [ $? -eq 0 ]; then
133- fail "ssh cert connect succeeded unexpectedly"
134- fi
135-
136- # Correct principals list
137- verbose "$tid: ${_prefix} correct principals key option"
138- (
139- printf 'cert-authority,principals="mekmitasdigoat" '
140- cat $OBJ/user_ca_key.pub
141- ) > $OBJ/authorized_keys_$USER
142- ${SSH} -2i $OBJ/cert_user_key \
143- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
144- if [ $? -ne 0 ]; then
145- fail "ssh cert connect failed"
146- fi
147-done
148+if [ -x $PRINCIPALS_CMD ]; then
149+ # Test explicitly-specified principals
150+ for privsep in yes no ; do
151+ _prefix="privsep $privsep"
152+
153+ # Setup for AuthorizedPrincipalsCommand
154+ rm -f $OBJ/authorized_keys_$USER
155+ (
156+ cat $OBJ/sshd_proxy_bak
157+ echo "UsePrivilegeSeparation $privsep"
158+ echo "AuthorizedKeysFile none"
159+ echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
160+ echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
161+ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
162+ ) > $OBJ/sshd_proxy
163+
164+ # XXX test missing command
165+ # XXX test failing command
166+
167+ # Empty authorized_principals
168+ verbose "$tid: ${_prefix} empty authorized_principals"
169+ echo > $OBJ/authorized_principals_$USER
170+ ${SSH} -2i $OBJ/cert_user_key \
171+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
172+ if [ $? -eq 0 ]; then
173+ fail "ssh cert connect succeeded unexpectedly"
174+ fi
175+
176+ # Wrong authorized_principals
177+ verbose "$tid: ${_prefix} wrong authorized_principals"
178+ echo gregorsamsa > $OBJ/authorized_principals_$USER
179+ ${SSH} -2i $OBJ/cert_user_key \
180+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
181+ if [ $? -eq 0 ]; then
182+ fail "ssh cert connect succeeded unexpectedly"
183+ fi
184+
185+ # Correct authorized_principals
186+ verbose "$tid: ${_prefix} correct authorized_principals"
187+ echo mekmitasdigoat > $OBJ/authorized_principals_$USER
188+ ${SSH} -2i $OBJ/cert_user_key \
189+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
190+ if [ $? -ne 0 ]; then
191+ fail "ssh cert connect failed"
192+ fi
193+
194+ # authorized_principals with bad key option
195+ verbose "$tid: ${_prefix} authorized_principals bad key opt"
196+ echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
197+ ${SSH} -2i $OBJ/cert_user_key \
198+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
199+ if [ $? -eq 0 ]; then
200+ fail "ssh cert connect succeeded unexpectedly"
201+ fi
202+
203+ # authorized_principals with command=false
204+ verbose "$tid: ${_prefix} authorized_principals command=false"
205+ echo 'command="false" mekmitasdigoat' > \
206+ $OBJ/authorized_principals_$USER
207+ ${SSH} -2i $OBJ/cert_user_key \
208+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
209+ if [ $? -eq 0 ]; then
210+ fail "ssh cert connect succeeded unexpectedly"
211+ fi
212+
213+ # authorized_principals with command=true
214+ verbose "$tid: ${_prefix} authorized_principals command=true"
215+ echo 'command="true" mekmitasdigoat' > \
216+ $OBJ/authorized_principals_$USER
217+ ${SSH} -2i $OBJ/cert_user_key \
218+ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
219+ if [ $? -ne 0 ]; then
220+ fail "ssh cert connect failed"
221+ fi
222+
223+ # Setup for principals= key option
224+ rm -f $OBJ/authorized_principals_$USER
225+ (
226+ cat $OBJ/sshd_proxy_bak
227+ echo "UsePrivilegeSeparation $privsep"
228+ ) > $OBJ/sshd_proxy
229+
230+ # Wrong principals list
231+ verbose "$tid: ${_prefix} wrong principals key option"
232+ (
233+ printf 'cert-authority,principals="gregorsamsa" '
234+ cat $OBJ/user_ca_key.pub
235+ ) > $OBJ/authorized_keys_$USER
236+ ${SSH} -2i $OBJ/cert_user_key \
237+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
238+ if [ $? -eq 0 ]; then
239+ fail "ssh cert connect succeeded unexpectedly"
240+ fi
241+
242+ # Correct principals list
243+ verbose "$tid: ${_prefix} correct principals key option"
244+ (
245+ printf 'cert-authority,principals="mekmitasdigoat" '
246+ cat $OBJ/user_ca_key.pub
247+ ) > $OBJ/authorized_keys_$USER
248+ ${SSH} -2i $OBJ/cert_user_key \
249+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
250+ if [ $? -ne 0 ]; then
251+ fail "ssh cert connect failed"
252+ fi
253+ done
254+else
255+ echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
256+ "(/var/run mounted noexec?)"
257+fi
diff --git a/debian/patches/series b/debian/patches/series
index 188ec8abc..15c939708 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ backport-fix-pty-permissions.patch
31backport-do-not-resend-username-to-pam.patch 31backport-do-not-resend-username-to-pam.patch
32backport-pam-use-after-free.patch 32backport-pam-use-after-free.patch
33backport-kbdint-duplicates.patch 33backport-kbdint-duplicates.patch
34backport-regress-principals-command-noexec.patch