Diffstat (limited to 'debian/patches/ssh-vulnkey.patch')
-rw-r--r-- | debian/patches/ssh-vulnkey.patch | 121 |
1 files changed, 59 insertions, 62 deletions
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index f3e08b06d..4245319c3 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch | |||
@@ -14,47 +14,45 @@ Index: b/Makefile.in | |||
14 | =================================================================== | 14 | =================================================================== |
15 | --- a/Makefile.in | 15 | --- a/Makefile.in |
16 | +++ b/Makefile.in | 16 | +++ b/Makefile.in |
17 | @@ -27,6 +27,7 @@ | 17 | @@ -26,6 +26,7 @@ |
18 | SFTP_SERVER=$(libexecdir)/sftp-server | ||
18 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign | 19 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign |
19 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | 20 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper |
20 | RAND_HELPER=$(libexecdir)/ssh-rand-helper | ||
21 | +SSH_DATADIR=$(datadir)/ssh | 21 | +SSH_DATADIR=$(datadir)/ssh |
22 | PRIVSEP_PATH=@PRIVSEP_PATH@ | 22 | PRIVSEP_PATH=@PRIVSEP_PATH@ |
23 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | 23 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |
24 | STRIP_OPT=@STRIP_OPT@ | 24 | STRIP_OPT=@STRIP_OPT@ |
25 | @@ -39,7 +40,8 @@ | 25 | @@ -38,6 +39,7 @@ |
26 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ | 26 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ |
27 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ | 27 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ |
28 | -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ | 28 | -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ |
29 | - -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" | 29 | + -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \ |
30 | + -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" \ | ||
31 | + -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" | ||
32 | 30 | ||
33 | CC=@CC@ | 31 | CC=@CC@ |
34 | LD=@LD@ | 32 | LD=@LD@ |
35 | @@ -64,7 +66,7 @@ | 33 | @@ -59,7 +61,7 @@ |
36 | INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ | 34 | EXEEXT=@EXEEXT@ |
37 | INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ | 35 | MANFMT=@MANFMT@ |
38 | 36 | ||
39 | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) | 37 | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) |
40 | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) | 38 | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) |
41 | 39 | ||
42 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 40 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
43 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ | 41 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ |
44 | @@ -97,8 +99,8 @@ | 42 | @@ -93,8 +95,8 @@ |
45 | sftp-server.o sftp-common.o \ | 43 | roaming_common.o roaming_serv.o \ |
46 | roaming_common.o roaming_serv.o | 44 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o |
47 | 45 | ||
48 | -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out | 46 | -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out |
49 | -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 | 47 | -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 |
50 | +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out | 48 | +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out |
51 | +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 | 49 | +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 |
52 | MANTYPE = @MANTYPE@ | 50 | MANTYPE = @MANTYPE@ |
53 | 51 | ||
54 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out | 52 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out |
55 | @@ -179,6 +181,9 @@ | 53 | @@ -171,6 +173,9 @@ |
56 | ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o | 54 | sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o |
57 | $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | 55 | $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) |
58 | 56 | ||
59 | +ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o | 57 | +ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o |
60 | + $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | 58 | + $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
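Review bot: The rebased `-D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \` line (new hunk `@@ -38,6 +39,7 @@`) keeps a trailing continuation backslash although the line that follows it is blank, so the `PATHS` assignment now ends on a dangling continuation; make tolerates this by joining the empty line, but it is easy to break when the next refresh touches that spot. Since the old patch made the DATADIR define the terminating line without a backslash, the same should hold here: `-D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\"`. The preceding `_PATH_PRIVSEP_CHROOT_DIR` context line also carries a backslash on the new side; if that is what upstream's Makefile.in looks like after the ssh-rand-helper removal then the added line is what terminates it, otherwise the hunk context will not match and should be checked against the 5.9 tree.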
@@ -62,7 +60,7 @@ Index: b/Makefile.in | |||
62 | # test driver for the loginrec code - not built by default | 60 | # test driver for the loginrec code - not built by default |
63 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o | 61 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o |
64 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) | 62 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) |
65 | @@ -273,6 +278,7 @@ | 63 | @@ -259,6 +264,7 @@ |
66 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) | 64 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) |
67 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 65 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
68 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 66 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
@@ -70,7 +68,7 @@ Index: b/Makefile.in | |||
70 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | 68 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 |
71 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 | 69 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 |
72 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 | 70 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 |
73 | @@ -290,6 +296,7 @@ | 71 | @@ -273,6 +279,7 @@ |
74 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 72 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
75 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 73 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
76 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 74 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
@@ -78,7 +76,7 @@ Index: b/Makefile.in | |||
78 | -rm -f $(DESTDIR)$(bindir)/slogin | 76 | -rm -f $(DESTDIR)$(bindir)/slogin |
79 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin | 77 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin |
80 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | 78 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 |
81 | @@ -379,6 +386,7 @@ | 79 | @@ -354,6 +361,7 @@ |
82 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) | 80 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) |
83 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) | 81 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) |
84 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) | 82 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) |
@@ -86,14 +84,14 @@ Index: b/Makefile.in | |||
86 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 84 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
87 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) | 85 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) |
88 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 86 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
89 | @@ -392,6 +400,7 @@ | 87 | @@ -366,6 +374,7 @@ |
90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 | 88 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 |
91 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 | 89 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 |
92 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 | 90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 |
93 | + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 | 91 | + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 |
94 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 92 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
95 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 | ||
96 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 93 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
94 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | ||
97 | Index: b/auth-rh-rsa.c | 95 | Index: b/auth-rh-rsa.c |
98 | =================================================================== | 96 | =================================================================== |
99 | --- a/auth-rh-rsa.c | 97 | --- a/auth-rh-rsa.c |
@@ -111,7 +109,7 @@ Index: b/auth-rsa.c | |||
111 | =================================================================== | 109 | =================================================================== |
112 | --- a/auth-rsa.c | 110 | --- a/auth-rsa.c |
113 | +++ b/auth-rsa.c | 111 | +++ b/auth-rsa.c |
114 | @@ -247,7 +247,7 @@ | 112 | @@ -233,7 +233,7 @@ |
115 | file, linenum, BN_num_bits(key->rsa->n), bits); | 113 | file, linenum, BN_num_bits(key->rsa->n), bits); |
116 | 114 | ||
117 | /* Never accept a revoked key */ | 115 | /* Never accept a revoked key */ |
@@ -132,7 +130,7 @@ Index: b/auth.c | |||
132 | #include "auth.h" | 130 | #include "auth.h" |
133 | #include "auth-options.h" | 131 | #include "auth-options.h" |
134 | #include "canohost.h" | 132 | #include "canohost.h" |
135 | @@ -621,10 +622,34 @@ | 133 | @@ -606,10 +607,34 @@ |
136 | 134 | ||
137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | 135 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ |
138 | int | 136 | int |
@@ -172,7 +170,7 @@ Index: b/auth.h | |||
172 | =================================================================== | 170 | =================================================================== |
173 | --- a/auth.h | 171 | --- a/auth.h |
174 | +++ b/auth.h | 172 | +++ b/auth.h |
175 | @@ -175,7 +175,7 @@ | 173 | @@ -174,7 +174,7 @@ |
176 | 174 | ||
177 | FILE *auth_openkeyfile(const char *, struct passwd *, int); | 175 | FILE *auth_openkeyfile(const char *, struct passwd *, int); |
178 | FILE *auth_openprincipals(const char *, struct passwd *, int); | 176 | FILE *auth_openprincipals(const char *, struct passwd *, int); |
@@ -199,7 +197,7 @@ Index: b/auth2-pubkey.c | |||
199 | --- a/auth2-pubkey.c | 197 | --- a/auth2-pubkey.c |
200 | +++ b/auth2-pubkey.c | 198 | +++ b/auth2-pubkey.c |
201 | @@ -439,9 +439,10 @@ | 199 | @@ -439,9 +439,10 @@ |
202 | int success; | 200 | u_int success, i; |
203 | char *file; | 201 | char *file; |
204 | 202 | ||
205 | - if (auth_key_is_revoked(key)) | 203 | - if (auth_key_is_revoked(key)) |
@@ -221,9 +219,9 @@ Index: b/authfile.c | |||
221 | #include "atomicio.h" | 219 | #include "atomicio.h" |
222 | +#include "pathnames.h" | 220 | +#include "pathnames.h" |
223 | 221 | ||
224 | /* Version identification string for SSH v1 identity files. */ | 222 | #define MAX_KEY_FILE_SIZE (1024 * 1024) |
225 | static const char authfile_id_string[] = | 223 | |
226 | @@ -906,3 +907,140 @@ | 224 | @@ -944,3 +945,140 @@ |
227 | return ret; | 225 | return ret; |
228 | } | 226 | } |
229 | 227 | ||
@@ -368,7 +366,7 @@ Index: b/authfile.h | |||
368 | =================================================================== | 366 | =================================================================== |
369 | --- a/authfile.h | 367 | --- a/authfile.h |
370 | +++ b/authfile.h | 368 | +++ b/authfile.h |
371 | @@ -26,4 +26,6 @@ | 369 | @@ -28,4 +28,6 @@ |
372 | int key_perm_ok(int, const char *); | 370 | int key_perm_ok(int, const char *); |
373 | int key_in_file(Key *, const char *, int); | 371 | int key_in_file(Key *, const char *, int); |
374 | 372 | ||
@@ -420,7 +418,7 @@ Index: b/readconf.c | |||
420 | { "rsaauthentication", oRSAAuthentication }, | 418 | { "rsaauthentication", oRSAAuthentication }, |
421 | { "pubkeyauthentication", oPubkeyAuthentication }, | 419 | { "pubkeyauthentication", oPubkeyAuthentication }, |
422 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 420 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
423 | @@ -486,6 +488,10 @@ | 421 | @@ -489,6 +491,10 @@ |
424 | intptr = &options->challenge_response_authentication; | 422 | intptr = &options->challenge_response_authentication; |
425 | goto parse_flag; | 423 | goto parse_flag; |
426 | 424 | ||
@@ -431,7 +429,7 @@ Index: b/readconf.c | |||
431 | case oGssAuthentication: | 429 | case oGssAuthentication: |
432 | intptr = &options->gss_authentication; | 430 | intptr = &options->gss_authentication; |
433 | goto parse_flag; | 431 | goto parse_flag; |
434 | @@ -1134,6 +1140,7 @@ | 432 | @@ -1180,6 +1186,7 @@ |
435 | options->kbd_interactive_devices = NULL; | 433 | options->kbd_interactive_devices = NULL; |
436 | options->rhosts_rsa_authentication = -1; | 434 | options->rhosts_rsa_authentication = -1; |
437 | options->hostbased_authentication = -1; | 435 | options->hostbased_authentication = -1; |
@@ -439,7 +437,7 @@ Index: b/readconf.c | |||
439 | options->batch_mode = -1; | 437 | options->batch_mode = -1; |
440 | options->check_host_ip = -1; | 438 | options->check_host_ip = -1; |
441 | options->strict_host_key_checking = -1; | 439 | options->strict_host_key_checking = -1; |
442 | @@ -1245,6 +1252,8 @@ | 440 | @@ -1290,6 +1297,8 @@ |
443 | options->rhosts_rsa_authentication = 0; | 441 | options->rhosts_rsa_authentication = 0; |
444 | if (options->hostbased_authentication == -1) | 442 | if (options->hostbased_authentication == -1) |
445 | options->hostbased_authentication = 0; | 443 | options->hostbased_authentication = 0; |
@@ -452,7 +450,7 @@ Index: b/readconf.h | |||
452 | =================================================================== | 450 | =================================================================== |
453 | --- a/readconf.h | 451 | --- a/readconf.h |
454 | +++ b/readconf.h | 452 | +++ b/readconf.h |
455 | @@ -57,6 +57,7 @@ | 453 | @@ -58,6 +58,7 @@ |
456 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 454 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
457 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | 455 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ |
458 | int zero_knowledge_password_authentication; /* Try jpake */ | 456 | int zero_knowledge_password_authentication; /* Try jpake */ |
@@ -472,7 +470,7 @@ Index: b/servconf.c | |||
472 | options->permit_empty_passwd = -1; | 470 | options->permit_empty_passwd = -1; |
473 | options->permit_user_env = -1; | 471 | options->permit_user_env = -1; |
474 | options->use_login = -1; | 472 | options->use_login = -1; |
475 | @@ -243,6 +244,8 @@ | 473 | @@ -242,6 +243,8 @@ |
476 | options->kbd_interactive_authentication = 0; | 474 | options->kbd_interactive_authentication = 0; |
477 | if (options->challenge_response_authentication == -1) | 475 | if (options->challenge_response_authentication == -1) |
478 | options->challenge_response_authentication = 1; | 476 | options->challenge_response_authentication = 1; |
@@ -481,7 +479,7 @@ Index: b/servconf.c | |||
481 | if (options->permit_empty_passwd == -1) | 479 | if (options->permit_empty_passwd == -1) |
482 | options->permit_empty_passwd = 0; | 480 | options->permit_empty_passwd = 0; |
483 | if (options->permit_user_env == -1) | 481 | if (options->permit_user_env == -1) |
484 | @@ -322,7 +325,7 @@ | 482 | @@ -318,7 +321,7 @@ |
485 | sListenAddress, sAddressFamily, | 483 | sListenAddress, sAddressFamily, |
486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 484 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 485 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
@@ -490,7 +488,7 @@ Index: b/servconf.c | |||
490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 488 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 489 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 490 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
493 | @@ -432,6 +435,7 @@ | 491 | @@ -428,6 +431,7 @@ |
494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 492 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 493 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 494 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
@@ -498,7 +496,7 @@ Index: b/servconf.c | |||
498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | 496 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, |
499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 497 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 498 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
501 | @@ -1029,6 +1033,10 @@ | 499 | @@ -1047,6 +1051,10 @@ |
502 | intptr = &options->tcp_keep_alive; | 500 | intptr = &options->tcp_keep_alive; |
503 | goto parse_flag; | 501 | goto parse_flag; |
504 | 502 | ||
@@ -509,7 +507,7 @@ Index: b/servconf.c | |||
509 | case sEmptyPasswd: | 507 | case sEmptyPasswd: |
510 | intptr = &options->permit_empty_passwd; | 508 | intptr = &options->permit_empty_passwd; |
511 | goto parse_flag; | 509 | goto parse_flag; |
512 | @@ -1757,6 +1765,7 @@ | 510 | @@ -1773,6 +1781,7 @@ |
513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 511 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 512 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 513 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
@@ -521,7 +519,7 @@ Index: b/servconf.h | |||
521 | =================================================================== | 519 | =================================================================== |
522 | --- a/servconf.h | 520 | --- a/servconf.h |
523 | +++ b/servconf.h | 521 | +++ b/servconf.h |
524 | @@ -107,6 +107,7 @@ | 522 | @@ -113,6 +113,7 @@ |
525 | int challenge_response_authentication; | 523 | int challenge_response_authentication; |
526 | int zero_knowledge_password_authentication; | 524 | int zero_knowledge_password_authentication; |
527 | /* If true, permit jpake auth */ | 525 | /* If true, permit jpake auth */ |
@@ -564,10 +562,10 @@ Index: b/ssh-add.c | |||
564 | + char *comment = NULL, *fp; | 562 | + char *comment = NULL, *fp; |
565 | char msg[1024], *certpath; | 563 | char msg[1024], *certpath; |
566 | int fd, perms_ok, ret = -1; | 564 | int fd, perms_ok, ret = -1; |
567 | 565 | Buffer keyblob; | |
568 | @@ -187,6 +187,14 @@ | 566 | @@ -218,6 +218,14 @@ |
569 | "Bad passphrase, try again for %.200s: ", comment); | 567 | } else { |
570 | } | 568 | fprintf(stderr, "Could not add identity: %s\n", filename); |
571 | } | 569 | } |
572 | + if (blacklisted_key(private, &fp) == 1) { | 570 | + if (blacklisted_key(private, &fp) == 1) { |
573 | + fprintf(stderr, "Public key %s blacklisted (see " | 571 | + fprintf(stderr, "Public key %s blacklisted (see " |
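Review bot: The rebased ssh-add.c hunk (`@@ -218,6 +218,14 @@`) moves the `blacklisted_key(private, &fp)` check below the `} else { fprintf(stderr, "Could not add identity: %s\n", filename); }` context, whereas in the old patch the check sat after the passphrase retry loop and immediately before `if (ssh_add_identity_constrained(ac, private, comment, lifetime,` (old side, line 581). If that else-branch is the tail of the same `ssh_add_identity_constrained` call, the blacklisted key has already been handed to the agent by the time the check fires, and the `return -1` in the following hunk only skips the certificate flavour, turning the blacklist refusal into a message with no effect. The check should be re-anchored before the add call, i.e. directly after the passphrase loop's closing braces, so that a blacklisted key is rejected before any agent request is made. The enclosing add_file() starts and ends outside the visible hunks, so the exact new offset needs to be confirmed against the 5.9 source.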
@@ -578,13 +576,13 @@ Index: b/ssh-add.c | |||
578 | + return -1; | 576 | + return -1; |
579 | + } | 577 | + } |
580 | 578 | ||
581 | if (ssh_add_identity_constrained(ac, private, comment, lifetime, | 579 | |
582 | confirm)) { | 580 | /* Now try to add the certificate flavour too */ |
583 | Index: b/ssh-keygen.1 | 581 | Index: b/ssh-keygen.1 |
584 | =================================================================== | 582 | =================================================================== |
585 | --- a/ssh-keygen.1 | 583 | --- a/ssh-keygen.1 |
586 | +++ b/ssh-keygen.1 | 584 | +++ b/ssh-keygen.1 |
587 | @@ -659,6 +659,7 @@ | 585 | @@ -670,6 +670,7 @@ |
588 | .Xr ssh 1 , | 586 | .Xr ssh 1 , |
589 | .Xr ssh-add 1 , | 587 | .Xr ssh-add 1 , |
590 | .Xr ssh-agent 1 , | 588 | .Xr ssh-agent 1 , |
@@ -843,7 +841,7 @@ Index: b/ssh-vulnkey.c | |||
843 | =================================================================== | 841 | =================================================================== |
844 | --- /dev/null | 842 | --- /dev/null |
845 | +++ b/ssh-vulnkey.c | 843 | +++ b/ssh-vulnkey.c |
846 | @@ -0,0 +1,388 @@ | 844 | @@ -0,0 +1,387 @@ |
847 | +/* | 845 | +/* |
848 | + * Copyright (c) 2008 Canonical Ltd. All rights reserved. | 846 | + * Copyright (c) 2008 Canonical Ltd. All rights reserved. |
849 | + * | 847 | + * |
@@ -1157,7 +1155,6 @@ Index: b/ssh-vulnkey.c | |||
1157 | + /* We don't need the RNG ourselves, but symbol references here allow | 1155 | + /* We don't need the RNG ourselves, but symbol references here allow |
1158 | + * ld to link us properly. | 1156 | + * ld to link us properly. |
1159 | + */ | 1157 | + */ |
1160 | + init_rng(); | ||
1161 | + seed_rng(); | 1158 | + seed_rng(); |
1162 | + | 1159 | + |
1163 | + while ((opt = getopt(argc, argv, "ahqv")) != -1) { | 1160 | + while ((opt = getopt(argc, argv, "ahqv")) != -1) { |
@@ -1236,7 +1233,7 @@ Index: b/ssh.1 | |||
1236 | =================================================================== | 1233 | =================================================================== |
1237 | --- a/ssh.1 | 1234 | --- a/ssh.1 |
1238 | +++ b/ssh.1 | 1235 | +++ b/ssh.1 |
1239 | @@ -1402,6 +1402,7 @@ | 1236 | @@ -1407,6 +1407,7 @@ |
1240 | .Xr ssh-agent 1 , | 1237 | .Xr ssh-agent 1 , |
1241 | .Xr ssh-keygen 1 , | 1238 | .Xr ssh-keygen 1 , |
1242 | .Xr ssh-keyscan 1 , | 1239 | .Xr ssh-keyscan 1 , |
@@ -1248,7 +1245,7 @@ Index: b/ssh.c | |||
1248 | =================================================================== | 1245 | =================================================================== |
1249 | --- a/ssh.c | 1246 | --- a/ssh.c |
1250 | +++ b/ssh.c | 1247 | +++ b/ssh.c |
1251 | @@ -1445,7 +1445,7 @@ | 1248 | @@ -1476,7 +1476,7 @@ |
1252 | static void | 1249 | static void |
1253 | load_public_identity_files(void) | 1250 | load_public_identity_files(void) |
1254 | { | 1251 | { |
@@ -1257,7 +1254,7 @@ Index: b/ssh.c | |||
1257 | char *pwdir = NULL, *pwname = NULL; | 1254 | char *pwdir = NULL, *pwname = NULL; |
1258 | int i = 0; | 1255 | int i = 0; |
1259 | Key *public; | 1256 | Key *public; |
1260 | @@ -1502,6 +1502,22 @@ | 1257 | @@ -1533,6 +1533,22 @@ |
1261 | public = key_load_public(filename, NULL); | 1258 | public = key_load_public(filename, NULL); |
1262 | debug("identity file %s type %d", filename, | 1259 | debug("identity file %s type %d", filename, |
1263 | public ? public->type : -1); | 1260 | public ? public->type : -1); |
@@ -1284,7 +1281,7 @@ Index: b/ssh_config.5 | |||
1284 | =================================================================== | 1281 | =================================================================== |
1285 | --- a/ssh_config.5 | 1282 | --- a/ssh_config.5 |
1286 | +++ b/ssh_config.5 | 1283 | +++ b/ssh_config.5 |
1287 | @@ -1146,6 +1146,23 @@ | 1284 | @@ -1188,6 +1188,23 @@ |
1288 | .Dq any . | 1285 | .Dq any . |
1289 | The default is | 1286 | The default is |
1290 | .Dq any:any . | 1287 | .Dq any:any . |
@@ -1312,7 +1309,7 @@ Index: b/sshconnect2.c | |||
1312 | =================================================================== | 1309 | =================================================================== |
1313 | --- a/sshconnect2.c | 1310 | --- a/sshconnect2.c |
1314 | +++ b/sshconnect2.c | 1311 | +++ b/sshconnect2.c |
1315 | @@ -1488,6 +1488,8 @@ | 1312 | @@ -1489,6 +1489,8 @@ |
1316 | 1313 | ||
1317 | /* list of keys stored in the filesystem */ | 1314 | /* list of keys stored in the filesystem */ |
1318 | for (i = 0; i < options.num_identity_files; i++) { | 1315 | for (i = 0; i < options.num_identity_files; i++) { |
@@ -1321,7 +1318,7 @@ Index: b/sshconnect2.c | |||
1321 | key = options.identity_keys[i]; | 1318 | key = options.identity_keys[i]; |
1322 | if (key && key->type == KEY_RSA1) | 1319 | if (key && key->type == KEY_RSA1) |
1323 | continue; | 1320 | continue; |
1324 | @@ -1581,7 +1583,7 @@ | 1321 | @@ -1582,7 +1584,7 @@ |
1325 | debug("Offering %s public key: %s", key_type(id->key), | 1322 | debug("Offering %s public key: %s", key_type(id->key), |
1326 | id->filename); | 1323 | id->filename); |
1327 | sent = send_pubkey_test(authctxt, id); | 1324 | sent = send_pubkey_test(authctxt, id); |
@@ -1334,7 +1331,7 @@ Index: b/sshd.8 | |||
1334 | =================================================================== | 1331 | =================================================================== |
1335 | --- a/sshd.8 | 1332 | --- a/sshd.8 |
1336 | +++ b/sshd.8 | 1333 | +++ b/sshd.8 |
1337 | @@ -945,6 +945,7 @@ | 1334 | @@ -948,6 +948,7 @@ |
1338 | .Xr ssh-agent 1 , | 1335 | .Xr ssh-agent 1 , |
1339 | .Xr ssh-keygen 1 , | 1336 | .Xr ssh-keygen 1 , |
1340 | .Xr ssh-keyscan 1 , | 1337 | .Xr ssh-keyscan 1 , |
@@ -1346,7 +1343,7 @@ Index: b/sshd.c | |||
1346 | =================================================================== | 1343 | =================================================================== |
1347 | --- a/sshd.c | 1344 | --- a/sshd.c |
1348 | +++ b/sshd.c | 1345 | +++ b/sshd.c |
1349 | @@ -1576,6 +1576,11 @@ | 1346 | @@ -1598,6 +1598,11 @@ |
1350 | sensitive_data.host_keys[i] = NULL; | 1347 | sensitive_data.host_keys[i] = NULL; |
1351 | continue; | 1348 | continue; |
1352 | } | 1349 | } |
@@ -1362,7 +1359,7 @@ Index: b/sshd_config.5 | |||
1362 | =================================================================== | 1359 | =================================================================== |
1363 | --- a/sshd_config.5 | 1360 | --- a/sshd_config.5 |
1364 | +++ b/sshd_config.5 | 1361 | +++ b/sshd_config.5 |
1365 | @@ -792,6 +792,20 @@ | 1362 | @@ -795,6 +795,20 @@ |
1366 | Specifies whether password authentication is allowed. | 1363 | Specifies whether password authentication is allowed. |
1367 | The default is | 1364 | The default is |
1368 | .Dq yes . | 1365 | .Dq yes . |