Diffstat (limited to 'debian/patches/ssh-vulnkey.patch')
-rw-r--r--debian/patches/ssh-vulnkey.patch60
1 files changed, 30 insertions, 30 deletions
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch
index af56dc031..ecb6e0c64 100644
--- a/debian/patches/ssh-vulnkey.patch
+++ b/debian/patches/ssh-vulnkey.patch
@@ -132,7 +132,7 @@ Index: b/auth.c
132 #include "auth.h" 132 #include "auth.h"
133 #include "auth-options.h" 133 #include "auth-options.h"
134 #include "canohost.h" 134 #include "canohost.h"
135@@ -593,10 +594,34 @@ 135@@ -615,10 +616,34 @@
136 136
137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ 137 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
138 int 138 int
@@ -172,10 +172,10 @@ Index: b/auth.h
172=================================================================== 172===================================================================
173--- a/auth.h 173--- a/auth.h
174+++ b/auth.h 174+++ b/auth.h
175@@ -173,7 +173,7 @@ 175@@ -175,7 +175,7 @@
176 char *authorized_keys_file2(struct passwd *);
177 176
178 FILE *auth_openkeyfile(const char *, struct passwd *, int); 177 FILE *auth_openkeyfile(const char *, struct passwd *, int);
178 FILE *auth_openprincipals(const char *, struct passwd *, int);
179-int auth_key_is_revoked(Key *); 179-int auth_key_is_revoked(Key *);
180+int auth_key_is_revoked(Key *, int); 180+int auth_key_is_revoked(Key *, int);
181 181
@@ -185,9 +185,9 @@ Index: b/auth2-hostbased.c
185=================================================================== 185===================================================================
186--- a/auth2-hostbased.c 186--- a/auth2-hostbased.c
187+++ b/auth2-hostbased.c 187+++ b/auth2-hostbased.c
188@@ -145,7 +145,7 @@ 188@@ -146,7 +146,7 @@
189 HostStatus host_status;
190 int len; 189 int len;
190 char *fp;
191 191
192- if (auth_key_is_revoked(key)) 192- if (auth_key_is_revoked(key))
193+ if (auth_key_is_revoked(key, 0)) 193+ if (auth_key_is_revoked(key, 0))
@@ -198,7 +198,7 @@ Index: b/auth2-pubkey.c
198=================================================================== 198===================================================================
199--- a/auth2-pubkey.c 199--- a/auth2-pubkey.c
200+++ b/auth2-pubkey.c 200+++ b/auth2-pubkey.c
201@@ -328,9 +328,10 @@ 201@@ -439,9 +439,10 @@
202 int success; 202 int success;
203 char *file; 203 char *file;
204 204
@@ -223,7 +223,7 @@ Index: b/authfile.c
223 223
224 /* Version identification string for SSH v1 identity files. */ 224 /* Version identification string for SSH v1 identity files. */
225 static const char authfile_id_string[] = 225 static const char authfile_id_string[] =
226@@ -754,3 +755,140 @@ 226@@ -814,3 +815,140 @@
227 return ret; 227 return ret;
228 } 228 }
229 229
@@ -368,7 +368,7 @@ Index: b/authfile.h
368=================================================================== 368===================================================================
369--- a/authfile.h 369--- a/authfile.h
370+++ b/authfile.h 370+++ b/authfile.h
371@@ -24,4 +24,6 @@ 371@@ -26,4 +26,6 @@
372 int key_perm_ok(int, const char *); 372 int key_perm_ok(int, const char *);
373 int key_in_file(Key *, const char *, int); 373 int key_in_file(Key *, const char *, int);
374 374
@@ -412,7 +412,7 @@ Index: b/readconf.c
412 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider, 412 oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
413 oClearAllForwardings, oNoHostAuthenticationForLocalhost, 413 oClearAllForwardings, oNoHostAuthenticationForLocalhost,
414 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, 414 oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
415@@ -152,6 +153,7 @@ 415@@ -154,6 +155,7 @@
416 { "passwordauthentication", oPasswordAuthentication }, 416 { "passwordauthentication", oPasswordAuthentication },
417 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, 417 { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
418 { "kbdinteractivedevices", oKbdInteractiveDevices }, 418 { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -420,7 +420,7 @@ Index: b/readconf.c
420 { "rsaauthentication", oRSAAuthentication }, 420 { "rsaauthentication", oRSAAuthentication },
421 { "pubkeyauthentication", oPubkeyAuthentication }, 421 { "pubkeyauthentication", oPubkeyAuthentication },
422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */ 422 { "dsaauthentication", oPubkeyAuthentication }, /* alias */
423@@ -461,6 +463,10 @@ 423@@ -479,6 +481,10 @@
424 intptr = &options->challenge_response_authentication; 424 intptr = &options->challenge_response_authentication;
425 goto parse_flag; 425 goto parse_flag;
426 426
@@ -431,7 +431,7 @@ Index: b/readconf.c
431 case oGssAuthentication: 431 case oGssAuthentication:
432 intptr = &options->gss_authentication; 432 intptr = &options->gss_authentication;
433 goto parse_flag; 433 goto parse_flag;
434@@ -1050,6 +1056,7 @@ 434@@ -1093,6 +1099,7 @@
435 options->kbd_interactive_devices = NULL; 435 options->kbd_interactive_devices = NULL;
436 options->rhosts_rsa_authentication = -1; 436 options->rhosts_rsa_authentication = -1;
437 options->hostbased_authentication = -1; 437 options->hostbased_authentication = -1;
@@ -439,7 +439,7 @@ Index: b/readconf.c
439 options->batch_mode = -1; 439 options->batch_mode = -1;
440 options->check_host_ip = -1; 440 options->check_host_ip = -1;
441 options->strict_host_key_checking = -1; 441 options->strict_host_key_checking = -1;
442@@ -1152,6 +1159,8 @@ 442@@ -1201,6 +1208,8 @@
443 options->rhosts_rsa_authentication = 0; 443 options->rhosts_rsa_authentication = 0;
444 if (options->hostbased_authentication == -1) 444 if (options->hostbased_authentication == -1)
445 options->hostbased_authentication = 0; 445 options->hostbased_authentication = 0;
@@ -452,7 +452,7 @@ Index: b/readconf.h
452=================================================================== 452===================================================================
453--- a/readconf.h 453--- a/readconf.h
454+++ b/readconf.h 454+++ b/readconf.h
455@@ -54,6 +54,7 @@ 455@@ -56,6 +56,7 @@
456 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ 456 int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
457 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ 457 char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
458 int zero_knowledge_password_authentication; /* Try jpake */ 458 int zero_knowledge_password_authentication; /* Try jpake */
@@ -472,7 +472,7 @@ Index: b/servconf.c
472 options->permit_empty_passwd = -1; 472 options->permit_empty_passwd = -1;
473 options->permit_user_env = -1; 473 options->permit_user_env = -1;
474 options->use_login = -1; 474 options->use_login = -1;
475@@ -231,6 +232,8 @@ 475@@ -232,6 +233,8 @@
476 options->kbd_interactive_authentication = 0; 476 options->kbd_interactive_authentication = 0;
477 if (options->challenge_response_authentication == -1) 477 if (options->challenge_response_authentication == -1)
478 options->challenge_response_authentication = 1; 478 options->challenge_response_authentication = 1;
@@ -481,7 +481,7 @@ Index: b/servconf.c
481 if (options->permit_empty_passwd == -1) 481 if (options->permit_empty_passwd == -1)
482 options->permit_empty_passwd = 0; 482 options->permit_empty_passwd = 0;
483 if (options->permit_user_env == -1) 483 if (options->permit_user_env == -1)
484@@ -306,7 +309,7 @@ 484@@ -307,7 +310,7 @@
485 sListenAddress, sAddressFamily, 485 sListenAddress, sAddressFamily,
486 sPrintMotd, sPrintLastLog, sIgnoreRhosts, 486 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, 487 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
@@ -490,7 +490,7 @@ Index: b/servconf.c
490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, 490 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, 491 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, 492 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
493@@ -415,6 +418,7 @@ 493@@ -416,6 +419,7 @@
494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, 494 { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, 495 { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, 496 { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
@@ -498,7 +498,7 @@ Index: b/servconf.c
498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, 498 { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, 499 { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
500 { "uselogin", sUseLogin, SSHCFG_GLOBAL }, 500 { "uselogin", sUseLogin, SSHCFG_GLOBAL },
501@@ -1009,6 +1013,10 @@ 501@@ -1011,6 +1015,10 @@
502 intptr = &options->tcp_keep_alive; 502 intptr = &options->tcp_keep_alive;
503 goto parse_flag; 503 goto parse_flag;
504 504
@@ -509,7 +509,7 @@ Index: b/servconf.c
509 case sEmptyPasswd: 509 case sEmptyPasswd:
510 intptr = &options->permit_empty_passwd; 510 intptr = &options->permit_empty_passwd;
511 goto parse_flag; 511 goto parse_flag;
512@@ -1697,6 +1705,7 @@ 512@@ -1708,6 +1716,7 @@
513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); 513 dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
514 dump_cfg_fmtint(sStrictModes, o->strict_modes); 514 dump_cfg_fmtint(sStrictModes, o->strict_modes);
515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); 515 dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
@@ -584,7 +584,7 @@ Index: b/ssh-keygen.1
584=================================================================== 584===================================================================
585--- a/ssh-keygen.1 585--- a/ssh-keygen.1
586+++ b/ssh-keygen.1 586+++ b/ssh-keygen.1
587@@ -628,6 +628,7 @@ 587@@ -669,6 +669,7 @@
588 .Xr ssh 1 , 588 .Xr ssh 1 ,
589 .Xr ssh-add 1 , 589 .Xr ssh-add 1 ,
590 .Xr ssh-agent 1 , 590 .Xr ssh-agent 1 ,
@@ -1236,7 +1236,7 @@ Index: b/ssh.1
1236=================================================================== 1236===================================================================
1237--- a/ssh.1 1237--- a/ssh.1
1238+++ b/ssh.1 1238+++ b/ssh.1
1239@@ -1426,6 +1426,7 @@ 1239@@ -1392,6 +1392,7 @@
1240 .Xr ssh-agent 1 , 1240 .Xr ssh-agent 1 ,
1241 .Xr ssh-keygen 1 , 1241 .Xr ssh-keygen 1 ,
1242 .Xr ssh-keyscan 1 , 1242 .Xr ssh-keyscan 1 ,
@@ -1248,7 +1248,7 @@ Index: b/ssh.c
1248=================================================================== 1248===================================================================
1249--- a/ssh.c 1249--- a/ssh.c
1250+++ b/ssh.c 1250+++ b/ssh.c
1251@@ -1301,7 +1301,7 @@ 1251@@ -1422,7 +1422,7 @@
1252 static void 1252 static void
1253 load_public_identity_files(void) 1253 load_public_identity_files(void)
1254 { 1254 {
@@ -1257,7 +1257,7 @@ Index: b/ssh.c
1257 char *pwdir = NULL, *pwname = NULL; 1257 char *pwdir = NULL, *pwname = NULL;
1258 int i = 0; 1258 int i = 0;
1259 Key *public; 1259 Key *public;
1260@@ -1358,6 +1358,22 @@ 1260@@ -1479,6 +1479,22 @@
1261 public = key_load_public(filename, NULL); 1261 public = key_load_public(filename, NULL);
1262 debug("identity file %s type %d", filename, 1262 debug("identity file %s type %d", filename,
1263 public ? public->type : -1); 1263 public ? public->type : -1);
@@ -1284,7 +1284,7 @@ Index: b/ssh_config.5
1284=================================================================== 1284===================================================================
1285--- a/ssh_config.5 1285--- a/ssh_config.5
1286+++ b/ssh_config.5 1286+++ b/ssh_config.5
1287@@ -1051,6 +1051,23 @@ 1287@@ -1082,6 +1082,23 @@
1288 .Dq any . 1288 .Dq any .
1289 The default is 1289 The default is
1290 .Dq any:any . 1290 .Dq any:any .
@@ -1312,7 +1312,7 @@ Index: b/sshconnect2.c
1312=================================================================== 1312===================================================================
1313--- a/sshconnect2.c 1313--- a/sshconnect2.c
1314+++ b/sshconnect2.c 1314+++ b/sshconnect2.c
1315@@ -1418,6 +1418,8 @@ 1315@@ -1421,6 +1421,8 @@
1316 1316
1317 /* list of keys stored in the filesystem */ 1317 /* list of keys stored in the filesystem */
1318 for (i = 0; i < options.num_identity_files; i++) { 1318 for (i = 0; i < options.num_identity_files; i++) {
@@ -1321,9 +1321,9 @@ Index: b/sshconnect2.c
1321 key = options.identity_keys[i]; 1321 key = options.identity_keys[i];
1322 if (key && key->type == KEY_RSA1) 1322 if (key && key->type == KEY_RSA1)
1323 continue; 1323 continue;
1324@@ -1510,7 +1512,7 @@ 1324@@ -1514,7 +1516,7 @@
1325 if (id->key && id->key->type != KEY_RSA1) { 1325 debug("Offering %s public key: %s", key_type(id->key),
1326 debug("Offering public key: %s", id->filename); 1326 id->filename);
1327 sent = send_pubkey_test(authctxt, id); 1327 sent = send_pubkey_test(authctxt, id);
1328- } else if (id->key == NULL) { 1328- } else if (id->key == NULL) {
1329+ } else if (id->key == NULL && id->filename) { 1329+ } else if (id->key == NULL && id->filename) {
@@ -1334,7 +1334,7 @@ Index: b/sshd.8
1334=================================================================== 1334===================================================================
1335--- a/sshd.8 1335--- a/sshd.8
1336+++ b/sshd.8 1336+++ b/sshd.8
1337@@ -928,6 +928,7 @@ 1337@@ -938,6 +938,7 @@
1338 .Xr ssh-agent 1 , 1338 .Xr ssh-agent 1 ,
1339 .Xr ssh-keygen 1 , 1339 .Xr ssh-keygen 1 ,
1340 .Xr ssh-keyscan 1 , 1340 .Xr ssh-keyscan 1 ,
@@ -1346,7 +1346,7 @@ Index: b/sshd.c
1346=================================================================== 1346===================================================================
1347--- a/sshd.c 1347--- a/sshd.c
1348+++ b/sshd.c 1348+++ b/sshd.c
1349@@ -1564,6 +1564,11 @@ 1349@@ -1573,6 +1573,11 @@
1350 sensitive_data.host_keys[i] = NULL; 1350 sensitive_data.host_keys[i] = NULL;
1351 continue; 1351 continue;
1352 } 1352 }
@@ -1362,7 +1362,7 @@ Index: b/sshd_config.5
1362=================================================================== 1362===================================================================
1363--- a/sshd_config.5 1363--- a/sshd_config.5
1364+++ b/sshd_config.5 1364+++ b/sshd_config.5
1365@@ -694,6 +694,20 @@ 1365@@ -743,6 +743,20 @@
1366 Specifies whether password authentication is allowed. 1366 Specifies whether password authentication is allowed.
1367 The default is 1367 The default is
1368 .Dq yes . 1368 .Dq yes .
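Review bot: The refresh renumbers the patch's hunk offsets and context but carries the `int auth_key_is_revoked(Key *, int);` signature change (auth.h hunk) forward without touching any call site, while the refreshed auth.h context now shows `FILE *auth_openprincipals(const char *, struct passwd *, int);` and the auth2-pubkey.c hunk moved from `@@ -328,9 +328,10 @@` to `@@ -439,9 +439,10 @@`, which suggests the rebased upstream gained principals/certificate authentication code. If any of that new code calls auth_key_is_revoked() with the original one-argument form, it will not compile against this patch; the build log should confirm every caller passes the second argument (the auth2-hostbased.c caller passes `0`). The functions containing these calls start and end outside the shown hunks, so that cannot be verified from this diff alone.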