Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/backport-regress-principals-command-noexec.patch | 257 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 258 insertions, 0 deletions
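--- /dev/null
+++ b/debian/patches/backport-regress-principals-command-noexec.patch
@@ -0,0 +1,257 @@
+From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Mon, 10 Aug 2015 11:13:44 +1000
+Subject: let principals-command.sh work for noexec /var/run
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
+Forwarded: not-needed
+Last-Update: 2015-08-20
+
+Patch-Name: backport-regress-principals-command-noexec.patch
+---
+regress/principals-command.sh | 222 +++++++++++++++++++++---------------------
+1 file changed, 113 insertions(+), 109 deletions(-)
+
+diff --git a/regress/principals-command.sh b/regress/principals-command.sh
+index 9006437..b90a8cf 100644
+--- a/regress/principals-command.sh
++++ b/regress/principals-command.sh
+@@ -14,15 +14,15 @@ fi
+
+# Establish a AuthorizedPrincipalsCommand in /var/run where it will have
+# acceptable directory permissions.
+-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
+-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
++PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
++cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
+#!/bin/sh
+test "x\$1" != "x${LOGNAME}" && exit 1
+test -f "$OBJ/authorized_principals_${LOGNAME}" &&
+exec cat "$OBJ/authorized_principals_${LOGNAME}"
+_EOF
+test $? -eq 0 || fatal "couldn't prepare principals command"
+-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
++$SUDO chmod 0755 "$PRINCIPALS_CMD"
+
+# Create a CA key and a user certificate.
+${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
+@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+-z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
+fatal "couldn't sign cert_user_key"
+
+-# Test explicitly-specified principals
+-for privsep in yes no ; do
+- _prefix="privsep $privsep"
+-
+- # Setup for AuthorizedPrincipalsCommand
+- rm -f $OBJ/authorized_keys_$USER
+- (
+- cat $OBJ/sshd_proxy_bak
+- echo "UsePrivilegeSeparation $privsep"
+- echo "AuthorizedKeysFile none"
+- echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
+- echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
+- echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+- ) > $OBJ/sshd_proxy
+-
+- # XXX test missing command
+- # XXX test failing command
+-
+- # Empty authorized_principals
+- verbose "$tid: ${_prefix} empty authorized_principals"
+- echo > $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+- # Wrong authorized_principals
+- verbose "$tid: ${_prefix} wrong authorized_principals"
+- echo gregorsamsa > $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+- # Correct authorized_principals
+- verbose "$tid: ${_prefix} correct authorized_principals"
+- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -ne 0 ]; then
+- fail "ssh cert connect failed"
+- fi
+-
+- # authorized_principals with bad key option
+- verbose "$tid: ${_prefix} authorized_principals bad key opt"
+- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+- # authorized_principals with command=false
+- verbose "$tid: ${_prefix} authorized_principals command=false"
+- echo 'command="false" mekmitasdigoat' > \
+- $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+-
+- # authorized_principals with command=true
+- verbose "$tid: ${_prefix} authorized_principals command=true"
+- echo 'command="true" mekmitasdigoat' > \
+- $OBJ/authorized_principals_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+- if [ $? -ne 0 ]; then
+- fail "ssh cert connect failed"
+- fi
+-
+- # Setup for principals= key option
+- rm -f $OBJ/authorized_principals_$USER
+- (
+- cat $OBJ/sshd_proxy_bak
+- echo "UsePrivilegeSeparation $privsep"
+- ) > $OBJ/sshd_proxy
+-
+- # Wrong principals list
+- verbose "$tid: ${_prefix} wrong principals key option"
+- (
+- printf 'cert-authority,principals="gregorsamsa" '
+- cat $OBJ/user_ca_key.pub
+- ) > $OBJ/authorized_keys_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -eq 0 ]; then
+- fail "ssh cert connect succeeded unexpectedly"
+- fi
+-
+- # Correct principals list
+- verbose "$tid: ${_prefix} correct principals key option"
+- (
+- printf 'cert-authority,principals="mekmitasdigoat" '
+- cat $OBJ/user_ca_key.pub
+- ) > $OBJ/authorized_keys_$USER
+- ${SSH} -2i $OBJ/cert_user_key \
+- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+- if [ $? -ne 0 ]; then
+- fail "ssh cert connect failed"
+- fi
+-done
++if [ -x $PRINCIPALS_CMD ]; then
++ # Test explicitly-specified principals
++ for privsep in yes no ; do
++ _prefix="privsep $privsep"
++
++ # Setup for AuthorizedPrincipalsCommand
++ rm -f $OBJ/authorized_keys_$USER
++ (
++ cat $OBJ/sshd_proxy_bak
++ echo "UsePrivilegeSeparation $privsep"
++ echo "AuthorizedKeysFile none"
++ echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
++ echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
++ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
++ ) > $OBJ/sshd_proxy
++
++ # XXX test missing command
++ # XXX test failing command
++
++ # Empty authorized_principals
++ verbose "$tid: ${_prefix} empty authorized_principals"
++ echo > $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # Wrong authorized_principals
++ verbose "$tid: ${_prefix} wrong authorized_principals"
++ echo gregorsamsa > $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # Correct authorized_principals
++ verbose "$tid: ${_prefix} correct authorized_principals"
++ echo mekmitasdigoat > $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -ne 0 ]; then
++ fail "ssh cert connect failed"
++ fi
++
++ # authorized_principals with bad key option
++ verbose "$tid: ${_prefix} authorized_principals bad key opt"
++ echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # authorized_principals with command=false
++ verbose "$tid: ${_prefix} authorized_principals command=false"
++ echo 'command="false" mekmitasdigoat' > \
++ $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # authorized_principals with command=true
++ verbose "$tid: ${_prefix} authorized_principals command=true"
++ echo 'command="true" mekmitasdigoat' > \
++ $OBJ/authorized_principals_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
++ if [ $? -ne 0 ]; then
++ fail "ssh cert connect failed"
++ fi
++
++ # Setup for principals= key option
++ rm -f $OBJ/authorized_principals_$USER
++ (
++ cat $OBJ/sshd_proxy_bak
++ echo "UsePrivilegeSeparation $privsep"
++ ) > $OBJ/sshd_proxy
++
++ # Wrong principals list
++ verbose "$tid: ${_prefix} wrong principals key option"
++ (
++ printf 'cert-authority,principals="gregorsamsa" '
++ cat $OBJ/user_ca_key.pub
++ ) > $OBJ/authorized_keys_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -eq 0 ]; then
++ fail "ssh cert connect succeeded unexpectedly"
++ fi
++
++ # Correct principals list
++ verbose "$tid: ${_prefix} correct principals key option"
++ (
++ printf 'cert-authority,principals="mekmitasdigoat" '
++ cat $OBJ/user_ca_key.pub
++ ) > $OBJ/authorized_keys_$USER
++ ${SSH} -2i $OBJ/cert_user_key \
++ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
++ if [ $? -ne 0 ]; then
++ fail "ssh cert connect failed"
++ fi
++ done
++else
++ echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
++ "(/var/run mounted noexec?)"
++fi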
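Review bot: The skip message in the new `else` branch still expands `$PRINCIPALS_COMMAND`, which this same patch renames to `PRINCIPALS_CMD`, so on a noexec /var/run the SKIPPED line prints an empty path; it should read `echo "SKIPPED: $PRINCIPALS_CMD not executable " \`. The `[ -x $PRINCIPALS_CMD ]` guard also wraps the `principals=` key-option cases, which rewrite sshd_proxy without AuthorizedPrincipalsCommand and so do not appear to need the helper script. On noexec hosts those certificate-principal checks are dropped as well, and only an `echo` records it, so a run that exercised no authorization path can look like a pass. Consider moving the key-option cases into their own `for privsep` loop outside the `if`, and quoting the operand as `[ -x "$PRINCIPALS_CMD" ]`.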
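--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ backport-fix-pty-permissions.patch
 backport-do-not-resend-username-to-pam.patch
 backport-pam-use-after-free.patch
 backport-kbdint-duplicates.patch
+backport-regress-principals-command-noexec.patch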