1 files changed, 20 insertions, 20 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 02d740fe3..63e44af55 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 3131e3bb3c56a6c6ee8cb9d68f542af04cd9e8ff Mon Sep 17 00:00:00 2001
+From b108c6bbe4b3691600a272b27fa24d9080018db7 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
 Bug-Debian: http://bugs.debian.org/394795
-Last-Update: 2019-06-05
+Last-Update: 2020-02-21
 Patch-Name: selinux-role.patch
 ---
@@ -81,10 +81,10 @@ index 1c217268c..92a6bcaf4 100644
                if (auth2_setup_methods_lists(authctxt) != 0)
                        ssh_packet_disconnect(ssh,
 diff --git a/monitor.c b/monitor.c
-index bead9e204..04db44c9c 100644
+index ebf76c7f9..947fdfadc 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
+@@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
 int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
 int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
 int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@@ -92,7 +92,7 @@ index bead9e204..04db44c9c 100644
 int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
 int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
 int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
-@@ -197,6 +198,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -198,6 +199,7 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +100,7 @@ index bead9e204..04db44c9c 100644
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -819,6 +821,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -820,6 +822,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
 
        /* Allow service/style information on the auth context */
        monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index bead9e204..04db44c9c 100644
        monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 
 #ifdef USE_PAM
-@@ -852,16 +855,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -853,16 +856,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
        monitor_permit_authentications(1);
 
        if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
@@ -154,7 +154,7 @@ index bead9e204..04db44c9c 100644
        return (0);
 }
 
-@@ -1528,7 +1557,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1554,7 +1583,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
@@ -177,7 +177,7 @@ index 2b1a2d590..4d87284aa 100644
 
 struct ssh;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index fdca39a6a..933ce9a3d 100644
+index 6edb509a3..b49c268d3 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
 @@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
@@ -231,13 +231,13 @@ index fdca39a6a..933ce9a3d 100644
 int
 mm_auth_password(struct ssh *ssh, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 92dda574b..0f09dba09 100644
+index 485590c18..370b08e17 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -46,7 +46,8 @@ DH *mm_choose_dh(int, int, int);
+@@ -47,7 +47,8 @@ DH *mm_choose_dh(int, int, int);
 #endif
 int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
-     const u_char *, size_t, const char *, u_int compat);
+     const u_char *, size_t, const char *, const char *, u_int compat);
 -void mm_inform_authserv(char *, char *);
 +void mm_inform_authserv(char *, char *, char *);
 +void mm_inform_authrole(char *);
@@ -363,10 +363,10 @@ index ea4f9c584..60d72ffe7 100644
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index f1a47f766..df7d7cf55 100644
+index 06a33442a..871799590 100644
 --- a/session.c
 +++ b/session.c
-@@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
@@ -375,7 +375,7 @@ index f1a47f766..df7d7cf55 100644
 {
        char uidstr[32], *chroot_path, *tmp;
 
-@@ -1384,7 +1384,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1388,7 +1388,7 @@ do_setusercontext(struct passwd *pw)
                endgrent();
 #endif
 
@@ -384,7 +384,7 @@ index f1a47f766..df7d7cf55 100644
 
                if (!in_chroot && options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1525,7 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1529,7 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 
        /* Force a password change */
        if (s->authctxt->force_pwchange) {
@@ -393,7 +393,7 @@ index f1a47f766..df7d7cf55 100644
                child_close_fds(ssh);
                do_pwchange(s);
                exit(1);
-@@ -1543,7 +1543,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
        /* When PAM is enabled we rely on it to do the nologin check */
        if (!options.use_pam)
                do_nologin(pw);
@@ -402,7 +402,7 @@ index f1a47f766..df7d7cf55 100644
        /*
         * PAM session modules in do_setusercontext may have
         * generated messages, so if this in an interactive
-@@ -1942,7 +1942,7 @@ session_pty_req(struct ssh *ssh, Session *s)
+@@ -1946,7 +1946,7 @@ session_pty_req(struct ssh *ssh, Session *s)
                sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 
        if (!use_privsep)
@@ -425,10 +425,10 @@ index ce59dabd9..675c91146 100644
 const char     *session_get_remote_name_or_ip(struct ssh *, u_int, int);
 
 diff --git a/sshd.c b/sshd.c
-index 4e32fd10d..ea8beacb4 100644
+index 62dc55cf2..65916fc6d 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
+@@ -595,7 +595,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
        reseed_prngs();
 
        /* Drop privileges */

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 02d740fe3..63e44af55 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1	From 3131e3bb3c56a6c6ee8cb9d68f542af04cd9e8ff Mon Sep 17 00:00:00 2001	1	From b108c6bbe4b3691600a272b27fa24d9080018db7 Mon Sep 17 00:00:00 2001
2	From: Manoj Srivastava <srivasta@debian.org>	2	From: Manoj Srivastava <srivasta@debian.org>
3	Date: Sun, 9 Feb 2014 16:09:49 +0000	3	Date: Sun, 9 Feb 2014 16:09:49 +0000
4	Subject: Handle SELinux authorisation roles	4	Subject: Handle SELinux authorisation roles
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better.
9		9
10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641	10	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
11	Bug-Debian: http://bugs.debian.org/394795	11	Bug-Debian: http://bugs.debian.org/394795
12	Last-Update: 2019-06-05	12	Last-Update: 2020-02-21
13		13
14	Patch-Name: selinux-role.patch	14	Patch-Name: selinux-role.patch
15	---	15	---
@@ -81,10 +81,10 @@ index 1c217268c..92a6bcaf4 100644
81	if (auth2_setup_methods_lists(authctxt) != 0)	81	if (auth2_setup_methods_lists(authctxt) != 0)
82	ssh_packet_disconnect(ssh,	82	ssh_packet_disconnect(ssh,
83	diff --git a/monitor.c b/monitor.c	83	diff --git a/monitor.c b/monitor.c
84	index bead9e204..04db44c9c 100644	84	index ebf76c7f9..947fdfadc 100644
85	--- a/monitor.c	85	--- a/monitor.c
86	+++ b/monitor.c	86	+++ b/monitor.c
87	@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh , int, struct sshbuf );	87	@@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh , int, struct sshbuf );
88	int mm_answer_pwnamallow(struct ssh , int, struct sshbuf );	88	int mm_answer_pwnamallow(struct ssh , int, struct sshbuf );
89	int mm_answer_auth2_read_banner(struct ssh , int, struct sshbuf );	89	int mm_answer_auth2_read_banner(struct ssh , int, struct sshbuf );
90	int mm_answer_authserv(struct ssh , int, struct sshbuf );	90	int mm_answer_authserv(struct ssh , int, struct sshbuf );
@@ -92,7 +92,7 @@ index bead9e204..04db44c9c 100644
92	int mm_answer_authpassword(struct ssh , int, struct sshbuf );	92	int mm_answer_authpassword(struct ssh , int, struct sshbuf );
93	int mm_answer_bsdauthquery(struct ssh , int, struct sshbuf );	93	int mm_answer_bsdauthquery(struct ssh , int, struct sshbuf );
94	int mm_answer_bsdauthrespond(struct ssh , int, struct sshbuf );	94	int mm_answer_bsdauthrespond(struct ssh , int, struct sshbuf );
95	@@ -197,6 +198,7 @@ struct mon_table mon_dispatch_proto20[] = {	95	@@ -198,6 +199,7 @@ struct mon_table mon_dispatch_proto20[] = {
96	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},	96	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
97	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},	97	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
98	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},	98	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -100,7 +100,7 @@ index bead9e204..04db44c9c 100644
100	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},	100	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
101	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},	101	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
102	#ifdef USE_PAM	102	#ifdef USE_PAM
103	@@ -819,6 +821,7 @@ mm_answer_pwnamallow(struct ssh ssh, int sock, struct sshbuf m)	103	@@ -820,6 +822,7 @@ mm_answer_pwnamallow(struct ssh ssh, int sock, struct sshbuf m)
104		104
105	/* Allow service/style information on the auth context */	105	/* Allow service/style information on the auth context */
106	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);	106	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -108,7 +108,7 @@ index bead9e204..04db44c9c 100644
108	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);	108	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
109		109
110	#ifdef USE_PAM	110	#ifdef USE_PAM
111	@@ -852,16 +855,42 @@ mm_answer_authserv(struct ssh ssh, int sock, struct sshbuf m)	111	@@ -853,16 +856,42 @@ mm_answer_authserv(struct ssh ssh, int sock, struct sshbuf m)
112	monitor_permit_authentications(1);	112	monitor_permit_authentications(1);
113		113
114	if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 \|\|	114	if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 \|\|
@@ -154,7 +154,7 @@ index bead9e204..04db44c9c 100644
154	return (0);	154	return (0);
155	}	155	}
156		156
157	@@ -1528,7 +1557,7 @@ mm_answer_pty(struct ssh ssh, int sock, struct sshbuf m)	157	@@ -1554,7 +1583,7 @@ mm_answer_pty(struct ssh ssh, int sock, struct sshbuf m)
158	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));	158	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
159	if (res == 0)	159	if (res == 0)
160	goto error;	160	goto error;
@@ -177,7 +177,7 @@ index 2b1a2d590..4d87284aa 100644
177		177
178	struct ssh;	178	struct ssh;
179	diff --git a/monitor_wrap.c b/monitor_wrap.c	179	diff --git a/monitor_wrap.c b/monitor_wrap.c
180	index fdca39a6a..933ce9a3d 100644	180	index 6edb509a3..b49c268d3 100644
181	--- a/monitor_wrap.c	181	--- a/monitor_wrap.c
182	+++ b/monitor_wrap.c	182	+++ b/monitor_wrap.c
183	@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)	183	@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
@@ -231,13 +231,13 @@ index fdca39a6a..933ce9a3d 100644
231	int	231	int
232	mm_auth_password(struct ssh ssh, char password)	232	mm_auth_password(struct ssh ssh, char password)
233	diff --git a/monitor_wrap.h b/monitor_wrap.h	233	diff --git a/monitor_wrap.h b/monitor_wrap.h
234	index 92dda574b..0f09dba09 100644	234	index 485590c18..370b08e17 100644
235	--- a/monitor_wrap.h	235	--- a/monitor_wrap.h
236	+++ b/monitor_wrap.h	236	+++ b/monitor_wrap.h
237	@@ -46,7 +46,8 @@ DH *mm_choose_dh(int, int, int);	237	@@ -47,7 +47,8 @@ DH *mm_choose_dh(int, int, int);
238	#endif	238	#endif
239	int mm_sshkey_sign(struct ssh , struct sshkey , u_char *, size_t ,	239	int mm_sshkey_sign(struct ssh , struct sshkey , u_char *, size_t ,
240	const u_char , size_t, const char , u_int compat);	240	const u_char , size_t, const char , const char *, u_int compat);
241	-void mm_inform_authserv(char , char );	241	-void mm_inform_authserv(char , char );
242	+void mm_inform_authserv(char , char , char *);	242	+void mm_inform_authserv(char , char , char *);
243	+void mm_inform_authrole(char *);	243	+void mm_inform_authrole(char *);
@@ -363,10 +363,10 @@ index ea4f9c584..60d72ffe7 100644
363	char platform_krb5_get_principal_name(const char );	363	char platform_krb5_get_principal_name(const char );
364	int platform_sys_dir_uid(uid_t);	364	int platform_sys_dir_uid(uid_t);
365	diff --git a/session.c b/session.c	365	diff --git a/session.c b/session.c
366	index f1a47f766..df7d7cf55 100644	366	index 06a33442a..871799590 100644
367	--- a/session.c	367	--- a/session.c
368	+++ b/session.c	368	+++ b/session.c
369	@@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid)	369	@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
370		370
371	/* Set login name, uid, gid, and groups. */	371	/* Set login name, uid, gid, and groups. */
372	void	372	void
@@ -375,7 +375,7 @@ index f1a47f766..df7d7cf55 100644
375	{	375	{
376	char uidstr[32], chroot_path, tmp;	376	char uidstr[32], chroot_path, tmp;
377		377
378	@@ -1384,7 +1384,7 @@ do_setusercontext(struct passwd *pw)	378	@@ -1388,7 +1388,7 @@ do_setusercontext(struct passwd *pw)
379	endgrent();	379	endgrent();
380	#endif	380	#endif
381		381
@@ -384,7 +384,7 @@ index f1a47f766..df7d7cf55 100644
384		384
385	if (!in_chroot && options.chroot_directory != NULL &&	385	if (!in_chroot && options.chroot_directory != NULL &&
386	strcasecmp(options.chroot_directory, "none") != 0) {	386	strcasecmp(options.chroot_directory, "none") != 0) {
387	@@ -1525,7 +1525,7 @@ do_child(struct ssh ssh, Session s, const char *command)	387	@@ -1529,7 +1529,7 @@ do_child(struct ssh ssh, Session s, const char *command)
388		388
389	/* Force a password change */	389	/* Force a password change */
390	if (s->authctxt->force_pwchange) {	390	if (s->authctxt->force_pwchange) {
@@ -393,7 +393,7 @@ index f1a47f766..df7d7cf55 100644
393	child_close_fds(ssh);	393	child_close_fds(ssh);
394	do_pwchange(s);	394	do_pwchange(s);
395	exit(1);	395	exit(1);
396	@@ -1543,7 +1543,7 @@ do_child(struct ssh ssh, Session s, const char *command)	396	@@ -1547,7 +1547,7 @@ do_child(struct ssh ssh, Session s, const char *command)
397	/* When PAM is enabled we rely on it to do the nologin check */	397	/* When PAM is enabled we rely on it to do the nologin check */
398	if (!options.use_pam)	398	if (!options.use_pam)
399	do_nologin(pw);	399	do_nologin(pw);
@@ -402,7 +402,7 @@ index f1a47f766..df7d7cf55 100644
402	/*	402	/*
403	* PAM session modules in do_setusercontext may have	403	* PAM session modules in do_setusercontext may have
404	* generated messages, so if this in an interactive	404	* generated messages, so if this in an interactive
405	@@ -1942,7 +1942,7 @@ session_pty_req(struct ssh ssh, Session s)	405	@@ -1946,7 +1946,7 @@ session_pty_req(struct ssh ssh, Session s)
406	sshpkt_fatal(ssh, r, "%s: parse packet", __func__);	406	sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
407		407
408	if (!use_privsep)	408	if (!use_privsep)
@@ -425,10 +425,10 @@ index ce59dabd9..675c91146 100644
425	const char session_get_remote_name_or_ip(struct ssh , u_int, int);	425	const char session_get_remote_name_or_ip(struct ssh , u_int, int);
426		426
427	diff --git a/sshd.c b/sshd.c	427	diff --git a/sshd.c b/sshd.c
428	index 4e32fd10d..ea8beacb4 100644	428	index 62dc55cf2..65916fc6d 100644
429	--- a/sshd.c	429	--- a/sshd.c
430	+++ b/sshd.c	430	+++ b/sshd.c
431	@@ -594,7 +594,7 @@ privsep_postauth(struct ssh ssh, Authctxt authctxt)	431	@@ -595,7 +595,7 @@ privsep_postauth(struct ssh ssh, Authctxt authctxt)
432	reseed_prngs();	432	reseed_prngs();
433		433
434	/* Drop privileges */	434	/* Drop privileges */