diff options
Diffstat (limited to 'debian/patches/ssh-vulnkey.patch')
| -rw-r--r-- | debian/patches/ssh-vulnkey.patch | 60 |
1 files changed, 30 insertions, 30 deletions
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index af56dc031..ecb6e0c64 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch | |||
| @@ -132,7 +132,7 @@ Index: b/auth.c | |||
| 132 | #include "auth.h" | 132 | #include "auth.h" |
| 133 | #include "auth-options.h" | 133 | #include "auth-options.h" |
| 134 | #include "canohost.h" | 134 | #include "canohost.h" |
| 135 | @@ -593,10 +594,34 @@ | 135 | @@ -615,10 +616,34 @@ |
| 136 | 136 | ||
| 137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | 137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ |
| 138 | int | 138 | int |
| @@ -172,10 +172,10 @@ Index: b/auth.h | |||
| 172 | =================================================================== | 172 | =================================================================== |
| 173 | --- a/auth.h | 173 | --- a/auth.h |
| 174 | +++ b/auth.h | 174 | +++ b/auth.h |
| 175 | @@ -173,7 +173,7 @@ | 175 | @@ -175,7 +175,7 @@ |
| 176 | char *authorized_keys_file2(struct passwd *); | ||
| 177 | 176 | ||
| 178 | FILE *auth_openkeyfile(const char *, struct passwd *, int); | 177 | FILE *auth_openkeyfile(const char *, struct passwd *, int); |
| 178 | FILE *auth_openprincipals(const char *, struct passwd *, int); | ||
| 179 | -int auth_key_is_revoked(Key *); | 179 | -int auth_key_is_revoked(Key *); |
| 180 | +int auth_key_is_revoked(Key *, int); | 180 | +int auth_key_is_revoked(Key *, int); |
| 181 | 181 | ||
| @@ -185,9 +185,9 @@ Index: b/auth2-hostbased.c | |||
| 185 | =================================================================== | 185 | =================================================================== |
| 186 | --- a/auth2-hostbased.c | 186 | --- a/auth2-hostbased.c |
| 187 | +++ b/auth2-hostbased.c | 187 | +++ b/auth2-hostbased.c |
| 188 | @@ -145,7 +145,7 @@ | 188 | @@ -146,7 +146,7 @@ |
| 189 | HostStatus host_status; | ||
| 190 | int len; | 189 | int len; |
| 190 | char *fp; | ||
| 191 | 191 | ||
| 192 | - if (auth_key_is_revoked(key)) | 192 | - if (auth_key_is_revoked(key)) |
| 193 | + if (auth_key_is_revoked(key, 0)) | 193 | + if (auth_key_is_revoked(key, 0)) |
| @@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c | |||
| 198 | =================================================================== | 198 | =================================================================== |
| 199 | --- a/auth2-pubkey.c | 199 | --- a/auth2-pubkey.c |
| 200 | +++ b/auth2-pubkey.c | 200 | +++ b/auth2-pubkey.c |
| 201 | @@ -328,9 +328,10 @@ | 201 | @@ -439,9 +439,10 @@ |
| 202 | int success; | 202 | int success; |
| 203 | char *file; | 203 | char *file; |
| 204 | 204 | ||
| @@ -223,7 +223,7 @@ Index: b/authfile.c | |||
| 223 | 223 | ||
| 224 | /* Version identification string for SSH v1 identity files. */ | 224 | /* Version identification string for SSH v1 identity files. */ |
| 225 | static const char authfile_id_string[] = | 225 | static const char authfile_id_string[] = |
| 226 | @@ -754,3 +755,140 @@ | 226 | @@ -814,3 +815,140 @@ |
| 227 | return ret; | 227 | return ret; |
| 228 | } | 228 | } |
| 229 | 229 | ||
| @@ -368,7 +368,7 @@ Index: b/authfile.h | |||
| 368 | =================================================================== | 368 | =================================================================== |
| 369 | --- a/authfile.h | 369 | --- a/authfile.h |
| 370 | +++ b/authfile.h | 370 | +++ b/authfile.h |
| 371 | @@ -24,4 +24,6 @@ | 371 | @@ -26,4 +26,6 @@ |
| 372 | int key_perm_ok(int, const char *); | 372 | int key_perm_ok(int, const char *); |
| 373 | int key_in_file(Key *, const char *, int); | 373 | int key_in_file(Key *, const char *, int); |
| 374 | 374 | ||
| @@ -412,7 +412,7 @@ Index: b/readconf.c | |||
| 412 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, | 412 | oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, |
| 413 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 413 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
| 414 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 414 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
| 415 | @@ -152,6 +153,7 @@ | 415 | @@ -154,6 +155,7 @@ |
| 416 | { "passwordauthentication", oPasswordAuthentication }, | 416 | { "passwordauthentication", oPasswordAuthentication }, |
| 417 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | 417 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, |
| 418 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | 418 | { "kbdinteractivedevices", oKbdInteractiveDevices }, |
| @@ -420,7 +420,7 @@ Index: b/readconf.c | |||
| 420 | { "rsaauthentication", oRSAAuthentication }, | 420 | { "rsaauthentication", oRSAAuthentication }, |
| 421 | { "pubkeyauthentication", oPubkeyAuthentication }, | 421 | { "pubkeyauthentication", oPubkeyAuthentication }, |
| 422 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 422 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
| 423 | @@ -461,6 +463,10 @@ | 423 | @@ -479,6 +481,10 @@ |
| 424 | intptr = &options->challenge_response_authentication; | 424 | intptr = &options->challenge_response_authentication; |
| 425 | goto parse_flag; | 425 | goto parse_flag; |
| 426 | 426 | ||
| @@ -431,7 +431,7 @@ Index: b/readconf.c | |||
| 431 | case oGssAuthentication: | 431 | case oGssAuthentication: |
| 432 | intptr = &options->gss_authentication; | 432 | intptr = &options->gss_authentication; |
| 433 | goto parse_flag; | 433 | goto parse_flag; |
| 434 | @@ -1050,6 +1056,7 @@ | 434 | @@ -1093,6 +1099,7 @@ |
| 435 | options->kbd_interactive_devices = NULL; | 435 | options->kbd_interactive_devices = NULL; |
| 436 | options->rhosts_rsa_authentication = -1; | 436 | options->rhosts_rsa_authentication = -1; |
| 437 | options->hostbased_authentication = -1; | 437 | options->hostbased_authentication = -1; |
| @@ -439,7 +439,7 @@ Index: b/readconf.c | |||
| 439 | options->batch_mode = -1; | 439 | options->batch_mode = -1; |
| 440 | options->check_host_ip = -1; | 440 | options->check_host_ip = -1; |
| 441 | options->strict_host_key_checking = -1; | 441 | options->strict_host_key_checking = -1; |
| 442 | @@ -1152,6 +1159,8 @@ | 442 | @@ -1201,6 +1208,8 @@ |
| 443 | options->rhosts_rsa_authentication = 0; | 443 | options->rhosts_rsa_authentication = 0; |
| 444 | if (options->hostbased_authentication == -1) | 444 | if (options->hostbased_authentication == -1) |
| 445 | options->hostbased_authentication = 0; | 445 | options->hostbased_authentication = 0; |
| @@ -452,7 +452,7 @@ Index: b/readconf.h | |||
| 452 | =================================================================== | 452 | =================================================================== |
| 453 | --- a/readconf.h | 453 | --- a/readconf.h |
| 454 | +++ b/readconf.h | 454 | +++ b/readconf.h |
| 455 | @@ -54,6 +54,7 @@ | 455 | @@ -56,6 +56,7 @@ |
| 456 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 456 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
| 457 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | 457 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ |
| 458 | int zero_knowledge_password_authentication; /* Try jpake */ | 458 | int zero_knowledge_password_authentication; /* Try jpake */ |
| @@ -472,7 +472,7 @@ Index: b/servconf.c | |||
| 472 | options->permit_empty_passwd = -1; | 472 | options->permit_empty_passwd = -1; |
| 473 | options->permit_user_env = -1; | 473 | options->permit_user_env = -1; |
| 474 | options->use_login = -1; | 474 | options->use_login = -1; |
| 475 | @@ -231,6 +232,8 @@ | 475 | @@ -232,6 +233,8 @@ |
| 476 | options->kbd_interactive_authentication = 0; | 476 | options->kbd_interactive_authentication = 0; |
| 477 | if (options->challenge_response_authentication == -1) | 477 | if (options->challenge_response_authentication == -1) |
| 478 | options->challenge_response_authentication = 1; | 478 | options->challenge_response_authentication = 1; |
| @@ -481,7 +481,7 @@ Index: b/servconf.c | |||
| 481 | if (options->permit_empty_passwd == -1) | 481 | if (options->permit_empty_passwd == -1) |
| 482 | options->permit_empty_passwd = 0; | 482 | options->permit_empty_passwd = 0; |
| 483 | if (options->permit_user_env == -1) | 483 | if (options->permit_user_env == -1) |
| 484 | @@ -306,7 +309,7 @@ | 484 | @@ -307,7 +310,7 @@ |
| 485 | sListenAddress, sAddressFamily, | 485 | sListenAddress, sAddressFamily, |
| 486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
| 487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
| @@ -490,7 +490,7 @@ Index: b/servconf.c | |||
| 490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
| 491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
| 492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
| 493 | @@ -415,6 +418,7 @@ | 493 | @@ -416,6 +419,7 @@ |
| 494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
| 495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
| 496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
| @@ -498,7 +498,7 @@ Index: b/servconf.c | |||
| 498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | 498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, |
| 499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
| 500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
| 501 | @@ -1009,6 +1013,10 @@ | 501 | @@ -1011,6 +1015,10 @@ |
| 502 | intptr = &options->tcp_keep_alive; | 502 | intptr = &options->tcp_keep_alive; |
| 503 | goto parse_flag; | 503 | goto parse_flag; |
| 504 | 504 | ||
| @@ -509,7 +509,7 @@ Index: b/servconf.c | |||
| 509 | case sEmptyPasswd: | 509 | case sEmptyPasswd: |
| 510 | intptr = &options->permit_empty_passwd; | 510 | intptr = &options->permit_empty_passwd; |
| 511 | goto parse_flag; | 511 | goto parse_flag; |
| 512 | @@ -1697,6 +1705,7 @@ | 512 | @@ -1708,6 +1716,7 @@ |
| 513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
| 514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
| 515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
| @@ -584,7 +584,7 @@ Index: b/ssh-keygen.1 | |||
| 584 | =================================================================== | 584 | =================================================================== |
| 585 | --- a/ssh-keygen.1 | 585 | --- a/ssh-keygen.1 |
| 586 | +++ b/ssh-keygen.1 | 586 | +++ b/ssh-keygen.1 |
| 587 | @@ -628,6 +628,7 @@ | 587 | @@ -669,6 +669,7 @@ |
| 588 | .Xr ssh 1 , | 588 | .Xr ssh 1 , |
| 589 | .Xr ssh-add 1 , | 589 | .Xr ssh-add 1 , |
| 590 | .Xr ssh-agent 1 , | 590 | .Xr ssh-agent 1 , |
| @@ -1236,7 +1236,7 @@ Index: b/ssh.1 | |||
| 1236 | =================================================================== | 1236 | =================================================================== |
| 1237 | --- a/ssh.1 | 1237 | --- a/ssh.1 |
| 1238 | +++ b/ssh.1 | 1238 | +++ b/ssh.1 |
| 1239 | @@ -1426,6 +1426,7 @@ | 1239 | @@ -1392,6 +1392,7 @@ |
| 1240 | .Xr ssh-agent 1 , | 1240 | .Xr ssh-agent 1 , |
| 1241 | .Xr ssh-keygen 1 , | 1241 | .Xr ssh-keygen 1 , |
| 1242 | .Xr ssh-keyscan 1 , | 1242 | .Xr ssh-keyscan 1 , |
| @@ -1248,7 +1248,7 @@ Index: b/ssh.c | |||
| 1248 | =================================================================== | 1248 | =================================================================== |
| 1249 | --- a/ssh.c | 1249 | --- a/ssh.c |
| 1250 | +++ b/ssh.c | 1250 | +++ b/ssh.c |
| 1251 | @@ -1301,7 +1301,7 @@ | 1251 | @@ -1422,7 +1422,7 @@ |
| 1252 | static void | 1252 | static void |
| 1253 | load_public_identity_files(void) | 1253 | load_public_identity_files(void) |
| 1254 | { | 1254 | { |
| @@ -1257,7 +1257,7 @@ Index: b/ssh.c | |||
| 1257 | char *pwdir = NULL, *pwname = NULL; | 1257 | char *pwdir = NULL, *pwname = NULL; |
| 1258 | int i = 0; | 1258 | int i = 0; |
| 1259 | Key *public; | 1259 | Key *public; |
| 1260 | @@ -1358,6 +1358,22 @@ | 1260 | @@ -1479,6 +1479,22 @@ |
| 1261 | public = key_load_public(filename, NULL); | 1261 | public = key_load_public(filename, NULL); |
| 1262 | debug("identity file %s type %d", filename, | 1262 | debug("identity file %s type %d", filename, |
| 1263 | public ? public->type : -1); | 1263 | public ? public->type : -1); |
| @@ -1284,7 +1284,7 @@ Index: b/ssh_config.5 | |||
| 1284 | =================================================================== | 1284 | =================================================================== |
| 1285 | --- a/ssh_config.5 | 1285 | --- a/ssh_config.5 |
| 1286 | +++ b/ssh_config.5 | 1286 | +++ b/ssh_config.5 |
| 1287 | @@ -1051,6 +1051,23 @@ | 1287 | @@ -1082,6 +1082,23 @@ |
| 1288 | .Dq any . | 1288 | .Dq any . |
| 1289 | The default is | 1289 | The default is |
| 1290 | .Dq any:any . | 1290 | .Dq any:any . |
| @@ -1312,7 +1312,7 @@ Index: b/sshconnect2.c | |||
| 1312 | =================================================================== | 1312 | =================================================================== |
| 1313 | --- a/sshconnect2.c | 1313 | --- a/sshconnect2.c |
| 1314 | +++ b/sshconnect2.c | 1314 | +++ b/sshconnect2.c |
| 1315 | @@ -1418,6 +1418,8 @@ | 1315 | @@ -1421,6 +1421,8 @@ |
| 1316 | 1316 | ||
| 1317 | /* list of keys stored in the filesystem */ | 1317 | /* list of keys stored in the filesystem */ |
| 1318 | for (i = 0; i < options.num_identity_files; i++) { | 1318 | for (i = 0; i < options.num_identity_files; i++) { |
| @@ -1321,9 +1321,9 @@ Index: b/sshconnect2.c | |||
| 1321 | key = options.identity_keys[i]; | 1321 | key = options.identity_keys[i]; |
| 1322 | if (key && key->type == KEY_RSA1) | 1322 | if (key && key->type == KEY_RSA1) |
| 1323 | continue; | 1323 | continue; |
| 1324 | @@ -1510,7 +1512,7 @@ | 1324 | @@ -1514,7 +1516,7 @@ |
| 1325 | if (id->key && id->key->type != KEY_RSA1) { | 1325 | debug("Offering %s public key: %s", key_type(id->key), |
| 1326 | debug("Offering public key: %s", id->filename); | 1326 | id->filename); |
| 1327 | sent = send_pubkey_test(authctxt, id); | 1327 | sent = send_pubkey_test(authctxt, id); |
| 1328 | - } else if (id->key == NULL) { | 1328 | - } else if (id->key == NULL) { |
| 1329 | + } else if (id->key == NULL && id->filename) { | 1329 | + } else if (id->key == NULL && id->filename) { |
| @@ -1334,7 +1334,7 @@ Index: b/sshd.8 | |||
| 1334 | =================================================================== | 1334 | =================================================================== |
| 1335 | --- a/sshd.8 | 1335 | --- a/sshd.8 |
| 1336 | +++ b/sshd.8 | 1336 | +++ b/sshd.8 |
| 1337 | @@ -928,6 +928,7 @@ | 1337 | @@ -938,6 +938,7 @@ |
| 1338 | .Xr ssh-agent 1 , | 1338 | .Xr ssh-agent 1 , |
| 1339 | .Xr ssh-keygen 1 , | 1339 | .Xr ssh-keygen 1 , |
| 1340 | .Xr ssh-keyscan 1 , | 1340 | .Xr ssh-keyscan 1 , |
| @@ -1346,7 +1346,7 @@ Index: b/sshd.c | |||
| 1346 | =================================================================== | 1346 | =================================================================== |
| 1347 | --- a/sshd.c | 1347 | --- a/sshd.c |
| 1348 | +++ b/sshd.c | 1348 | +++ b/sshd.c |
| 1349 | @@ -1564,6 +1564,11 @@ | 1349 | @@ -1573,6 +1573,11 @@ |
| 1350 | sensitive_data.host_keys[i] = NULL; | 1350 | sensitive_data.host_keys[i] = NULL; |
| 1351 | continue; | 1351 | continue; |
| 1352 | } | 1352 | } |
| @@ -1362,7 +1362,7 @@ Index: b/sshd_config.5 | |||
| 1362 | =================================================================== | 1362 | =================================================================== |
| 1363 | --- a/sshd_config.5 | 1363 | --- a/sshd_config.5 |
| 1364 | +++ b/sshd_config.5 | 1364 | +++ b/sshd_config.5 |
| 1365 | @@ -694,6 +694,20 @@ | 1365 | @@ -743,6 +743,20 @@ |
| 1366 | Specifies whether password authentication is allowed. | 1366 | Specifies whether password authentication is allowed. |
| 1367 | The default is | 1367 | The default is |
| 1368 | .Dq yes . | 1368 | .Dq yes . |