summaryrefslogtreecommitdiff
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/backport-regress-principals-command-noexec.patch257
-rw-r--r--debian/patches/series1
2 files changed, 258 insertions, 0 deletions
diff --git a/debian/patches/backport-regress-principals-command-noexec.patch b/debian/patches/backport-regress-principals-command-noexec.patch
new file mode 100644
index 000000000..5d5f2d16e
--- /dev/null
+++ b/debian/patches/backport-regress-principals-command-noexec.patch
@@ -0,0 +1,257 @@
1From 4c2916a2d9c0445b41e34805ddfbd7e323cbe6ec Mon Sep 17 00:00:00 2001
2From: Damien Miller <djm@mindrot.org>
3Date: Mon, 10 Aug 2015 11:13:44 +1000
4Subject: let principals-command.sh work for noexec /var/run
5
6Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da
7Forwarded: not-needed
8Last-Update: 2015-08-20
9
10Patch-Name: backport-regress-principals-command-noexec.patch
11---
12 regress/principals-command.sh | 222 +++++++++++++++++++++---------------------
13 1 file changed, 113 insertions(+), 109 deletions(-)
14
15diff --git a/regress/principals-command.sh b/regress/principals-command.sh
16index 9006437..b90a8cf 100644
17--- a/regress/principals-command.sh
18+++ b/regress/principals-command.sh
19@@ -14,15 +14,15 @@ fi
20
21 # Establish a AuthorizedPrincipalsCommand in /var/run where it will have
22 # acceptable directory permissions.
23-PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}"
24-cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'"
25+PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}"
26+cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'"
27 #!/bin/sh
28 test "x\$1" != "x${LOGNAME}" && exit 1
29 test -f "$OBJ/authorized_principals_${LOGNAME}" &&
30 exec cat "$OBJ/authorized_principals_${LOGNAME}"
31 _EOF
32 test $? -eq 0 || fatal "couldn't prepare principals command"
33-$SUDO chmod 0755 "$PRINCIPALS_COMMAND"
34+$SUDO chmod 0755 "$PRINCIPALS_CMD"
35
36 # Create a CA key and a user certificate.
37 ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \
38@@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
39 -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \
40 fatal "couldn't sign cert_user_key"
41
42-# Test explicitly-specified principals
43-for privsep in yes no ; do
44- _prefix="privsep $privsep"
45-
46- # Setup for AuthorizedPrincipalsCommand
47- rm -f $OBJ/authorized_keys_$USER
48- (
49- cat $OBJ/sshd_proxy_bak
50- echo "UsePrivilegeSeparation $privsep"
51- echo "AuthorizedKeysFile none"
52- echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u"
53- echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
54- echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
55- ) > $OBJ/sshd_proxy
56-
57- # XXX test missing command
58- # XXX test failing command
59-
60- # Empty authorized_principals
61- verbose "$tid: ${_prefix} empty authorized_principals"
62- echo > $OBJ/authorized_principals_$USER
63- ${SSH} -2i $OBJ/cert_user_key \
64- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
65- if [ $? -eq 0 ]; then
66- fail "ssh cert connect succeeded unexpectedly"
67- fi
68-
69- # Wrong authorized_principals
70- verbose "$tid: ${_prefix} wrong authorized_principals"
71- echo gregorsamsa > $OBJ/authorized_principals_$USER
72- ${SSH} -2i $OBJ/cert_user_key \
73- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
74- if [ $? -eq 0 ]; then
75- fail "ssh cert connect succeeded unexpectedly"
76- fi
77-
78- # Correct authorized_principals
79- verbose "$tid: ${_prefix} correct authorized_principals"
80- echo mekmitasdigoat > $OBJ/authorized_principals_$USER
81- ${SSH} -2i $OBJ/cert_user_key \
82- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
83- if [ $? -ne 0 ]; then
84- fail "ssh cert connect failed"
85- fi
86-
87- # authorized_principals with bad key option
88- verbose "$tid: ${_prefix} authorized_principals bad key opt"
89- echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
90- ${SSH} -2i $OBJ/cert_user_key \
91- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
92- if [ $? -eq 0 ]; then
93- fail "ssh cert connect succeeded unexpectedly"
94- fi
95-
96- # authorized_principals with command=false
97- verbose "$tid: ${_prefix} authorized_principals command=false"
98- echo 'command="false" mekmitasdigoat' > \
99- $OBJ/authorized_principals_$USER
100- ${SSH} -2i $OBJ/cert_user_key \
101- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
102- if [ $? -eq 0 ]; then
103- fail "ssh cert connect succeeded unexpectedly"
104- fi
105-
106-
107- # authorized_principals with command=true
108- verbose "$tid: ${_prefix} authorized_principals command=true"
109- echo 'command="true" mekmitasdigoat' > \
110- $OBJ/authorized_principals_$USER
111- ${SSH} -2i $OBJ/cert_user_key \
112- -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
113- if [ $? -ne 0 ]; then
114- fail "ssh cert connect failed"
115- fi
116-
117- # Setup for principals= key option
118- rm -f $OBJ/authorized_principals_$USER
119- (
120- cat $OBJ/sshd_proxy_bak
121- echo "UsePrivilegeSeparation $privsep"
122- ) > $OBJ/sshd_proxy
123-
124- # Wrong principals list
125- verbose "$tid: ${_prefix} wrong principals key option"
126- (
127- printf 'cert-authority,principals="gregorsamsa" '
128- cat $OBJ/user_ca_key.pub
129- ) > $OBJ/authorized_keys_$USER
130- ${SSH} -2i $OBJ/cert_user_key \
131- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
132- if [ $? -eq 0 ]; then
133- fail "ssh cert connect succeeded unexpectedly"
134- fi
135-
136- # Correct principals list
137- verbose "$tid: ${_prefix} correct principals key option"
138- (
139- printf 'cert-authority,principals="mekmitasdigoat" '
140- cat $OBJ/user_ca_key.pub
141- ) > $OBJ/authorized_keys_$USER
142- ${SSH} -2i $OBJ/cert_user_key \
143- -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
144- if [ $? -ne 0 ]; then
145- fail "ssh cert connect failed"
146- fi
147-done
148+if [ -x $PRINCIPALS_CMD ]; then
149+ # Test explicitly-specified principals
150+ for privsep in yes no ; do
151+ _prefix="privsep $privsep"
152+
153+ # Setup for AuthorizedPrincipalsCommand
154+ rm -f $OBJ/authorized_keys_$USER
155+ (
156+ cat $OBJ/sshd_proxy_bak
157+ echo "UsePrivilegeSeparation $privsep"
158+ echo "AuthorizedKeysFile none"
159+ echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u"
160+ echo "AuthorizedPrincipalsCommandUser ${LOGNAME}"
161+ echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
162+ ) > $OBJ/sshd_proxy
163+
164+ # XXX test missing command
165+ # XXX test failing command
166+
167+ # Empty authorized_principals
168+ verbose "$tid: ${_prefix} empty authorized_principals"
169+ echo > $OBJ/authorized_principals_$USER
170+ ${SSH} -2i $OBJ/cert_user_key \
171+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
172+ if [ $? -eq 0 ]; then
173+ fail "ssh cert connect succeeded unexpectedly"
174+ fi
175+
176+ # Wrong authorized_principals
177+ verbose "$tid: ${_prefix} wrong authorized_principals"
178+ echo gregorsamsa > $OBJ/authorized_principals_$USER
179+ ${SSH} -2i $OBJ/cert_user_key \
180+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
181+ if [ $? -eq 0 ]; then
182+ fail "ssh cert connect succeeded unexpectedly"
183+ fi
184+
185+ # Correct authorized_principals
186+ verbose "$tid: ${_prefix} correct authorized_principals"
187+ echo mekmitasdigoat > $OBJ/authorized_principals_$USER
188+ ${SSH} -2i $OBJ/cert_user_key \
189+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
190+ if [ $? -ne 0 ]; then
191+ fail "ssh cert connect failed"
192+ fi
193+
194+ # authorized_principals with bad key option
195+ verbose "$tid: ${_prefix} authorized_principals bad key opt"
196+ echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
197+ ${SSH} -2i $OBJ/cert_user_key \
198+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
199+ if [ $? -eq 0 ]; then
200+ fail "ssh cert connect succeeded unexpectedly"
201+ fi
202+
203+ # authorized_principals with command=false
204+ verbose "$tid: ${_prefix} authorized_principals command=false"
205+ echo 'command="false" mekmitasdigoat' > \
206+ $OBJ/authorized_principals_$USER
207+ ${SSH} -2i $OBJ/cert_user_key \
208+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
209+ if [ $? -eq 0 ]; then
210+ fail "ssh cert connect succeeded unexpectedly"
211+ fi
212+
213+ # authorized_principals with command=true
214+ verbose "$tid: ${_prefix} authorized_principals command=true"
215+ echo 'command="true" mekmitasdigoat' > \
216+ $OBJ/authorized_principals_$USER
217+ ${SSH} -2i $OBJ/cert_user_key \
218+ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
219+ if [ $? -ne 0 ]; then
220+ fail "ssh cert connect failed"
221+ fi
222+
223+ # Setup for principals= key option
224+ rm -f $OBJ/authorized_principals_$USER
225+ (
226+ cat $OBJ/sshd_proxy_bak
227+ echo "UsePrivilegeSeparation $privsep"
228+ ) > $OBJ/sshd_proxy
229+
230+ # Wrong principals list
231+ verbose "$tid: ${_prefix} wrong principals key option"
232+ (
233+ printf 'cert-authority,principals="gregorsamsa" '
234+ cat $OBJ/user_ca_key.pub
235+ ) > $OBJ/authorized_keys_$USER
236+ ${SSH} -2i $OBJ/cert_user_key \
237+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
238+ if [ $? -eq 0 ]; then
239+ fail "ssh cert connect succeeded unexpectedly"
240+ fi
241+
242+ # Correct principals list
243+ verbose "$tid: ${_prefix} correct principals key option"
244+ (
245+ printf 'cert-authority,principals="mekmitasdigoat" '
246+ cat $OBJ/user_ca_key.pub
247+ ) > $OBJ/authorized_keys_$USER
248+ ${SSH} -2i $OBJ/cert_user_key \
249+ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
250+ if [ $? -ne 0 ]; then
251+ fail "ssh cert connect failed"
252+ fi
253+ done
254+else
255+ echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \
256+ "(/var/run mounted noexec?)"
257+fi
diff --git a/debian/patches/series b/debian/patches/series
index 188ec8abc..15c939708 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ backport-fix-pty-permissions.patch
31backport-do-not-resend-username-to-pam.patch 31backport-do-not-resend-username-to-pam.patch
32backport-pam-use-after-free.patch 32backport-pam-use-after-free.patch
33backport-kbdint-duplicates.patch 33backport-kbdint-duplicates.patch
34backport-regress-principals-command-noexec.patch