Diffstat (limited to 'debian/patches')
33 files changed, 593 insertions, 643 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch index 8d26d7b6f..84a14cfb8 100644 --- a/debian/patches/auth-log-verbosity.patch +++ b/debian/patches/auth-log-verbosity.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 283322f493ee7dc75511f6cf9e9b88e536de0874 Mon Sep 17 00:00:00 2001 | 1 | From 1ecd5db58295874d8b9a7ce98fe1880ab08fbcaf Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:02 +0000 |
4 | Subject: Quieten logs when multiple from= restrictions are used | 4 | Subject: Quieten logs when multiple from= restrictions are used |
@@ -16,7 +16,7 @@ Patch-Name: auth-log-verbosity.patch | |||
16 | 4 files changed, 32 insertions(+), 9 deletions(-) | 16 | 4 files changed, 32 insertions(+), 9 deletions(-) |
17 | 17 | ||
18 | diff --git a/auth-options.c b/auth-options.c | 18 | diff --git a/auth-options.c b/auth-options.c |
19 | index fa209ea..df61330 100644 | 19 | index f3d9c9d..d4d22d7 100644 |
20 | --- a/auth-options.c | 20 | --- a/auth-options.c |
21 | +++ b/auth-options.c | 21 | +++ b/auth-options.c |
22 | @@ -54,9 +54,20 @@ int forced_tun_device = -1; | 22 | @@ -54,9 +54,20 @@ int forced_tun_device = -1; |
@@ -58,7 +58,7 @@ index fa209ea..df61330 100644 | |||
58 | auth_debug_add("Your host '%.200s' is not " | 58 | auth_debug_add("Your host '%.200s' is not " |
59 | "permitted to use this key for login.", | 59 | "permitted to use this key for login.", |
60 | remote_host); | 60 | remote_host); |
61 | @@ -510,11 +524,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, | 61 | @@ -511,11 +525,14 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw, |
62 | break; | 62 | break; |
63 | case 0: | 63 | case 0: |
64 | /* no match */ | 64 | /* no match */ |
@@ -91,10 +91,10 @@ index 7455c94..a3f0a02 100644 | |||
91 | void auth_clear_options(void); | 91 | void auth_clear_options(void); |
92 | int auth_cert_options(Key *, struct passwd *); | 92 | int auth_cert_options(Key *, struct passwd *); |
93 | diff --git a/auth-rsa.c b/auth-rsa.c | 93 | diff --git a/auth-rsa.c b/auth-rsa.c |
94 | index 5dad6c3..260ce2f 100644 | 94 | index e9f4ede..5d7bdcb 100644 |
95 | --- a/auth-rsa.c | 95 | --- a/auth-rsa.c |
96 | +++ b/auth-rsa.c | 96 | +++ b/auth-rsa.c |
97 | @@ -178,6 +178,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, | 97 | @@ -179,6 +179,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, |
98 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) | 98 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) |
99 | return 0; | 99 | return 0; |
100 | 100 | ||
@@ -104,10 +104,10 @@ index 5dad6c3..260ce2f 100644 | |||
104 | * Go though the accepted keys, looking for the current key. If | 104 | * Go though the accepted keys, looking for the current key. If |
105 | * found, perform a challenge-response dialog to verify that the | 105 | * found, perform a challenge-response dialog to verify that the |
106 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c | 106 | diff --git a/auth2-pubkey.c b/auth2-pubkey.c |
107 | index 0fd27bb..7c56927 100644 | 107 | index f3ca965..f78b046 100644 |
108 | --- a/auth2-pubkey.c | 108 | --- a/auth2-pubkey.c |
109 | +++ b/auth2-pubkey.c | 109 | +++ b/auth2-pubkey.c |
110 | @@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert) | 110 | @@ -263,6 +263,7 @@ match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert) |
111 | restore_uid(); | 111 | restore_uid(); |
112 | return 0; | 112 | return 0; |
113 | } | 113 | } |
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index 74bfb46e6..6afb0420b 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 71448da5ce75ba50bcb10dbbd3b8c7633f633e8f Mon Sep 17 00:00:00 2001 | 1 | From 19b0441502c07401dd6d418f8f81cc7f1a44ccb1 Mon Sep 17 00:00:00 2001 |
2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> | 2 | From: Tomas Pospisek <tpo_deb@sourcepole.ch> |
3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:07 +0000 |
4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) | 4 | Subject: Install authorized_keys(5) as a symlink to sshd(8) |
@@ -13,10 +13,10 @@ Patch-Name: authorized-keys-man-symlink.patch | |||
13 | 1 file changed, 1 insertion(+) | 13 | 1 file changed, 1 insertion(+) |
14 | 14 | ||
15 | diff --git a/Makefile.in b/Makefile.in | 15 | diff --git a/Makefile.in b/Makefile.in |
16 | index 3d96c05..feee0b2 100644 | 16 | index c4cb8ea..a4402e9 100644 |
17 | --- a/Makefile.in | 17 | --- a/Makefile.in |
18 | +++ b/Makefile.in | 18 | +++ b/Makefile.in |
19 | @@ -287,6 +287,7 @@ install-files: | 19 | @@ -309,6 +309,7 @@ install-files: |
20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 | 20 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 |
21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 | 21 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 |
22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 22 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch index e3ff4d7e4..e50c77f62 100644 --- a/debian/patches/consolekit.patch +++ b/debian/patches/consolekit.patch | |||
@@ -1,33 +1,33 @@ | |||
1 | From 7a26d16efb4ee303c8d66ee82caf9d0686f4a074 Mon Sep 17 00:00:00 2001 | 1 | From f51fe0c55e54c12db952624e980d18f39c41e581 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:57 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:57 +0000 |
4 | Subject: Add support for registering ConsoleKit sessions on login | 4 | Subject: Add support for registering ConsoleKit sessions on login |
5 | 5 | ||
6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 | 6 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450 |
7 | Last-Updated: 2014-03-20 | 7 | Last-Updated: 2014-10-07 |
8 | 8 | ||
9 | Patch-Name: consolekit.patch | 9 | Patch-Name: consolekit.patch |
10 | --- | 10 | --- |
11 | Makefile.in | 3 +- | 11 | Makefile.in | 3 +- |
12 | configure | 132 +++++++++++++++++++++++++++++++ | 12 | configure | 132 +++++++++++++++++++++++++++++++ |
13 | configure.ac | 25 ++++++ | 13 | configure.ac | 25 ++++++ |
14 | consolekit.c | 240 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 14 | consolekit.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
15 | consolekit.h | 24 ++++++ | 15 | consolekit.h | 24 ++++++ |
16 | monitor.c | 42 ++++++++++ | 16 | monitor.c | 42 ++++++++++ |
17 | monitor.h | 2 + | 17 | monitor.h | 2 + |
18 | monitor_wrap.c | 30 ++++++++ | 18 | monitor_wrap.c | 30 +++++++ |
19 | monitor_wrap.h | 4 + | 19 | monitor_wrap.h | 4 + |
20 | session.c | 13 ++++ | 20 | session.c | 13 ++++ |
21 | session.h | 6 ++ | 21 | session.h | 6 ++ |
22 | 11 files changed, 520 insertions(+), 1 deletion(-) | 22 | 11 files changed, 521 insertions(+), 1 deletion(-) |
23 | create mode 100644 consolekit.c | 23 | create mode 100644 consolekit.c |
24 | create mode 100644 consolekit.h | 24 | create mode 100644 consolekit.h |
25 | 25 | ||
26 | diff --git a/Makefile.in b/Makefile.in | 26 | diff --git a/Makefile.in b/Makefile.in |
27 | index ee1d2c3..3d96c05 100644 | 27 | index 086d8dd..c4cb8ea 100644 |
28 | --- a/Makefile.in | 28 | --- a/Makefile.in |
29 | +++ b/Makefile.in | 29 | +++ b/Makefile.in |
30 | @@ -97,7 +97,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 30 | @@ -107,7 +107,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
31 | sftp-server.o sftp-common.o \ | 31 | sftp-server.o sftp-common.o \ |
32 | roaming_common.o roaming_serv.o \ | 32 | roaming_common.o roaming_serv.o \ |
33 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ | 33 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
@@ -38,10 +38,10 @@ index ee1d2c3..3d96c05 100644 | |||
38 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out | 38 | MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out |
39 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 | 39 | MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 |
40 | diff --git a/configure b/configure | 40 | diff --git a/configure b/configure |
41 | index b6b5b6d..e2f12cd 100755 | 41 | index ea5f200..7be478a 100755 |
42 | --- a/configure | 42 | --- a/configure |
43 | +++ b/configure | 43 | +++ b/configure |
44 | @@ -740,6 +740,7 @@ with_privsep_user | 44 | @@ -739,6 +739,7 @@ with_privsep_user |
45 | with_sandbox | 45 | with_sandbox |
46 | with_selinux | 46 | with_selinux |
47 | with_kerberos5 | 47 | with_kerberos5 |
@@ -49,7 +49,7 @@ index b6b5b6d..e2f12cd 100755 | |||
49 | with_privsep_path | 49 | with_privsep_path |
50 | with_xauth | 50 | with_xauth |
51 | enable_strip | 51 | enable_strip |
52 | @@ -1432,6 +1433,7 @@ Optional Packages: | 52 | @@ -1430,6 +1431,7 @@ Optional Packages: |
53 | --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum) | 53 | --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum) |
54 | --with-selinux Enable SELinux support | 54 | --with-selinux Enable SELinux support |
55 | --with-kerberos5=PATH Enable Kerberos 5 support | 55 | --with-kerberos5=PATH Enable Kerberos 5 support |
@@ -57,7 +57,7 @@ index b6b5b6d..e2f12cd 100755 | |||
57 | --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) | 57 | --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty) |
58 | --with-xauth=PATH Specify path to xauth program | 58 | --with-xauth=PATH Specify path to xauth program |
59 | --with-maildir=/path/to/mail Specify your system mail directory | 59 | --with-maildir=/path/to/mail Specify your system mail directory |
60 | @@ -17217,6 +17219,135 @@ fi | 60 | @@ -17211,6 +17213,135 @@ fi |
61 | 61 | ||
62 | 62 | ||
63 | 63 | ||
@@ -193,7 +193,7 @@ index b6b5b6d..e2f12cd 100755 | |||
193 | # Looking for programs, paths and files | 193 | # Looking for programs, paths and files |
194 | 194 | ||
195 | PRIVSEP_PATH=/var/empty | 195 | PRIVSEP_PATH=/var/empty |
196 | @@ -19746,6 +19877,7 @@ echo " MD5 password support: $MD5_MSG" | 196 | @@ -19739,6 +19870,7 @@ echo " MD5 password support: $MD5_MSG" |
197 | echo " libedit support: $LIBEDIT_MSG" | 197 | echo " libedit support: $LIBEDIT_MSG" |
198 | echo " Solaris process contract support: $SPC_MSG" | 198 | echo " Solaris process contract support: $SPC_MSG" |
199 | echo " Solaris project support: $SP_MSG" | 199 | echo " Solaris project support: $SP_MSG" |
@@ -202,10 +202,10 @@ index b6b5b6d..e2f12cd 100755 | |||
202 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" | 202 | echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" |
203 | echo " BSD Auth support: $BSD_AUTH_MSG" | 203 | echo " BSD Auth support: $BSD_AUTH_MSG" |
204 | diff --git a/configure.ac b/configure.ac | 204 | diff --git a/configure.ac b/configure.ac |
205 | index d235fb0..8669271 100644 | 205 | index 7f160f1..f5c65c5 100644 |
206 | --- a/configure.ac | 206 | --- a/configure.ac |
207 | +++ b/configure.ac | 207 | +++ b/configure.ac |
208 | @@ -4072,6 +4072,30 @@ AC_ARG_WITH([kerberos5], | 208 | @@ -4113,6 +4113,30 @@ AC_ARG_WITH([kerberos5], |
209 | AC_SUBST([GSSLIBS]) | 209 | AC_SUBST([GSSLIBS]) |
210 | AC_SUBST([K5LIBS]) | 210 | AC_SUBST([K5LIBS]) |
211 | 211 | ||
@@ -236,7 +236,7 @@ index d235fb0..8669271 100644 | |||
236 | # Looking for programs, paths and files | 236 | # Looking for programs, paths and files |
237 | 237 | ||
238 | PRIVSEP_PATH=/var/empty | 238 | PRIVSEP_PATH=/var/empty |
239 | @@ -4873,6 +4897,7 @@ echo " MD5 password support: $MD5_MSG" | 239 | @@ -4914,6 +4938,7 @@ echo " MD5 password support: $MD5_MSG" |
240 | echo " libedit support: $LIBEDIT_MSG" | 240 | echo " libedit support: $LIBEDIT_MSG" |
241 | echo " Solaris process contract support: $SPC_MSG" | 241 | echo " Solaris process contract support: $SPC_MSG" |
242 | echo " Solaris project support: $SP_MSG" | 242 | echo " Solaris project support: $SP_MSG" |
@@ -246,10 +246,10 @@ index d235fb0..8669271 100644 | |||
246 | echo " BSD Auth support: $BSD_AUTH_MSG" | 246 | echo " BSD Auth support: $BSD_AUTH_MSG" |
247 | diff --git a/consolekit.c b/consolekit.c | 247 | diff --git a/consolekit.c b/consolekit.c |
248 | new file mode 100644 | 248 | new file mode 100644 |
249 | index 0000000..f1039e6 | 249 | index 0000000..0266f06 |
250 | --- /dev/null | 250 | --- /dev/null |
251 | +++ b/consolekit.c | 251 | +++ b/consolekit.c |
252 | @@ -0,0 +1,240 @@ | 252 | @@ -0,0 +1,241 @@ |
253 | +/* | 253 | +/* |
254 | + * Copyright (c) 2008 Colin Watson. All rights reserved. | 254 | + * Copyright (c) 2008 Colin Watson. All rights reserved. |
255 | + * | 255 | + * |
@@ -305,6 +305,7 @@ index 0000000..f1039e6 | |||
305 | +#include "hostfile.h" | 305 | +#include "hostfile.h" |
306 | +#include "auth.h" | 306 | +#include "auth.h" |
307 | +#include "log.h" | 307 | +#include "log.h" |
308 | +#include "misc.h" | ||
308 | +#include "servconf.h" | 309 | +#include "servconf.h" |
309 | +#include "canohost.h" | 310 | +#include "canohost.h" |
310 | +#include "session.h" | 311 | +#include "session.h" |
@@ -521,10 +522,10 @@ index 0000000..8ce3716 | |||
521 | + | 522 | + |
522 | +#endif /* USE_CONSOLEKIT */ | 523 | +#endif /* USE_CONSOLEKIT */ |
523 | diff --git a/monitor.c b/monitor.c | 524 | diff --git a/monitor.c b/monitor.c |
524 | index 11eac63..7c105e6 100644 | 525 | index 94b194d..cc15ce4 100644 |
525 | --- a/monitor.c | 526 | --- a/monitor.c |
526 | +++ b/monitor.c | 527 | +++ b/monitor.c |
527 | @@ -97,6 +97,9 @@ | 528 | @@ -100,6 +100,9 @@ |
528 | #include "ssh2.h" | 529 | #include "ssh2.h" |
529 | #include "roaming.h" | 530 | #include "roaming.h" |
530 | #include "authfd.h" | 531 | #include "authfd.h" |
@@ -534,7 +535,7 @@ index 11eac63..7c105e6 100644 | |||
534 | 535 | ||
535 | #ifdef GSSAPI | 536 | #ifdef GSSAPI |
536 | static Gssctxt *gsscontext = NULL; | 537 | static Gssctxt *gsscontext = NULL; |
537 | @@ -187,6 +190,10 @@ int mm_answer_audit_command(int, Buffer *); | 538 | @@ -190,6 +193,10 @@ int mm_answer_audit_command(int, Buffer *); |
538 | 539 | ||
539 | static int monitor_read_log(struct monitor *); | 540 | static int monitor_read_log(struct monitor *); |
540 | 541 | ||
@@ -543,9 +544,9 @@ index 11eac63..7c105e6 100644 | |||
543 | +#endif | 544 | +#endif |
544 | + | 545 | + |
545 | static Authctxt *authctxt; | 546 | static Authctxt *authctxt; |
546 | static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ | ||
547 | 547 | ||
548 | @@ -272,6 +279,9 @@ struct mon_table mon_dispatch_postauth20[] = { | 548 | #ifdef WITH_SSH1 |
549 | @@ -282,6 +289,9 @@ struct mon_table mon_dispatch_postauth20[] = { | ||
549 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 550 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
550 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, | 551 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, |
551 | #endif | 552 | #endif |
@@ -555,17 +556,17 @@ index 11eac63..7c105e6 100644 | |||
555 | {0, 0, NULL} | 556 | {0, 0, NULL} |
556 | }; | 557 | }; |
557 | 558 | ||
558 | @@ -314,6 +324,9 @@ struct mon_table mon_dispatch_postauth15[] = { | 559 | @@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = { |
559 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, | 560 | {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, |
560 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, | 561 | {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, |
561 | #endif | 562 | #endif |
562 | +#ifdef USE_CONSOLEKIT | 563 | +#ifdef USE_CONSOLEKIT |
563 | + {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register}, | 564 | + {MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register}, |
564 | +#endif | 565 | +#endif |
566 | #endif /* WITH_SSH1 */ | ||
565 | {0, 0, NULL} | 567 | {0, 0, NULL} |
566 | }; | 568 | }; |
567 | 569 | @@ -509,6 +522,9 @@ monitor_child_postauth(struct monitor *pmonitor) | |
568 | @@ -492,6 +505,9 @@ monitor_child_postauth(struct monitor *pmonitor) | ||
569 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); | 570 | monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); |
570 | monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); | 571 | monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1); |
571 | } | 572 | } |
@@ -575,7 +576,7 @@ index 11eac63..7c105e6 100644 | |||
575 | 576 | ||
576 | for (;;) | 577 | for (;;) |
577 | monitor_read(pmonitor, mon_dispatch, NULL); | 578 | monitor_read(pmonitor, mon_dispatch, NULL); |
578 | @@ -2269,3 +2285,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { | 579 | @@ -2296,3 +2312,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { |
579 | 580 | ||
580 | #endif /* GSSAPI */ | 581 | #endif /* GSSAPI */ |
581 | 582 | ||
@@ -619,10 +620,10 @@ index 4d5e8fa..10ba59e 100644 | |||
619 | 620 | ||
620 | struct mm_master; | 621 | struct mm_master; |
621 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 622 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
622 | index f75dc9d..a8fb07b 100644 | 623 | index 6dc890a..4c57d4d 100644 |
623 | --- a/monitor_wrap.c | 624 | --- a/monitor_wrap.c |
624 | +++ b/monitor_wrap.c | 625 | +++ b/monitor_wrap.c |
625 | @@ -1353,3 +1353,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) | 626 | @@ -1363,3 +1363,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) |
626 | 627 | ||
627 | #endif /* GSSAPI */ | 628 | #endif /* GSSAPI */ |
628 | 629 | ||
@@ -670,10 +671,10 @@ index 9c2ee49..00e93fe 100644 | |||
670 | + | 671 | + |
671 | #endif /* _MM_WRAP_H_ */ | 672 | #endif /* _MM_WRAP_H_ */ |
672 | diff --git a/session.c b/session.c | 673 | diff --git a/session.c b/session.c |
673 | index 6848df4..9d43fc3 100644 | 674 | index 6f389ac..6250c20 100644 |
674 | --- a/session.c | 675 | --- a/session.c |
675 | +++ b/session.c | 676 | +++ b/session.c |
676 | @@ -92,6 +92,7 @@ | 677 | @@ -93,6 +93,7 @@ |
677 | #include "kex.h" | 678 | #include "kex.h" |
678 | #include "monitor_wrap.h" | 679 | #include "monitor_wrap.h" |
679 | #include "sftp.h" | 680 | #include "sftp.h" |
@@ -681,7 +682,7 @@ index 6848df4..9d43fc3 100644 | |||
681 | 682 | ||
682 | #if defined(KRB5) && defined(USE_AFS) | 683 | #if defined(KRB5) && defined(USE_AFS) |
683 | #include <kafs.h> | 684 | #include <kafs.h> |
684 | @@ -1160,6 +1161,9 @@ do_setup_env(Session *s, const char *shell) | 685 | @@ -1143,6 +1144,9 @@ do_setup_env(Session *s, const char *shell) |
685 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) | 686 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) |
686 | char *path = NULL; | 687 | char *path = NULL; |
687 | #endif | 688 | #endif |
@@ -691,7 +692,7 @@ index 6848df4..9d43fc3 100644 | |||
691 | 692 | ||
692 | /* Initialize the environment. */ | 693 | /* Initialize the environment. */ |
693 | envsize = 100; | 694 | envsize = 100; |
694 | @@ -1304,6 +1308,11 @@ do_setup_env(Session *s, const char *shell) | 695 | @@ -1287,6 +1291,11 @@ do_setup_env(Session *s, const char *shell) |
695 | child_set_env(&env, &envsize, "KRB5CCNAME", | 696 | child_set_env(&env, &envsize, "KRB5CCNAME", |
696 | s->authctxt->krb5_ccname); | 697 | s->authctxt->krb5_ccname); |
697 | #endif | 698 | #endif |
@@ -703,7 +704,7 @@ index 6848df4..9d43fc3 100644 | |||
703 | #ifdef USE_PAM | 704 | #ifdef USE_PAM |
704 | /* | 705 | /* |
705 | * Pull in any environment variables that may have | 706 | * Pull in any environment variables that may have |
706 | @@ -2353,6 +2362,10 @@ session_pty_cleanup2(Session *s) | 707 | @@ -2350,6 +2359,10 @@ session_pty_cleanup2(Session *s) |
707 | 708 | ||
708 | debug("session_pty_cleanup: session %d release %s", s->self, s->tty); | 709 | debug("session_pty_cleanup: session %d release %s", s->self, s->tty); |
709 | 710 | ||
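Review bot: The dispatch entry `{MONITOR_REQ_CONSOLEKIT_REGISTER, 0, mm_answer_consolekit_register}` in the mon_dispatch_postauth15 hunk (new line 564, now closed by upstream's `#endif /* WITH_SSH1 */`) carries neither MON_PERMIT nor MON_ONCE, unlike the MON_PERMIT|MON_ONCE audit entry directly above it, so it is presumably switched on by monitor_permit() in monitor_child_postauth the same way the PTY requests are at 570-571 and then stays enabled for the rest of the post-auth monitor's life. Because the handler runs in the privileged monitor on behalf of the unprivileged child, the reason the request is left repeatable (I assume one registration per session, and a connection can open several sessions) deserves a comment beside the entry, e.g. `/* enabled in monitor_child_postauth(); not MON_ONCE: one registration per session */`, so a later refresh does not tighten or loosen it by accident. The same presumably applies to the counterpart entry in mon_dispatch_postauth20, whose hunk is only partly shown here. The table itself begins before this hunk, and the mm_answer_consolekit_register body lies in a later hunk of this section.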
diff --git a/debian/patches/curve25519-sha256-bignum-encoding.patch b/debian/patches/curve25519-sha256-bignum-encoding.patch deleted file mode 100644 index ccb66048d..000000000 --- a/debian/patches/curve25519-sha256-bignum-encoding.patch +++ /dev/null | |||
@@ -1,161 +0,0 @@ | |||
1 | From 02883061577ec43ff8d0e8f0cf486bc5131db507 Mon Sep 17 00:00:00 2001 | ||
2 | From: Damien Miller <djm@mindrot.org> | ||
3 | Date: Sun, 20 Apr 2014 13:47:45 +1000 | ||
4 | Subject: bad bignum encoding for curve25519-sha256@libssh.org | ||
5 | |||
6 | Hi, | ||
7 | |||
8 | So I screwed up when writing the support for the curve25519 KEX method | ||
9 | that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left | ||
10 | leading zero bytes where they should have been skipped. The impact of | ||
11 | this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a | ||
12 | peer that implements curve25519-sha256@libssh.org properly about 0.2% | ||
13 | of the time (one in every 512ish connections). | ||
14 | |||
15 | We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 | ||
16 | key exchange for previous versions, but I'd recommend distributors | ||
17 | of OpenSSH apply this patch so the affected code doesn't become | ||
18 | too entrenched in LTS releases. | ||
19 | |||
20 | The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as | ||
21 | to distinguish itself from the incorrect versions so the compatibility | ||
22 | code to disable the affected KEX isn't activated. | ||
23 | |||
24 | I've committed this on the 6.6 branch too. | ||
25 | |||
26 | Apologies for the hassle. | ||
27 | |||
28 | -d | ||
29 | |||
30 | Origin: upstream, https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html | ||
31 | Forwarded: not-needed | ||
32 | Last-Update: 2014-04-21 | ||
33 | |||
34 | Patch-Name: curve25519-sha256-bignum-encoding.patch | ||
35 | --- | ||
36 | bufaux.c | 5 ++++- | ||
37 | compat.c | 17 ++++++++++++++++- | ||
38 | compat.h | 2 ++ | ||
39 | sshconnect2.c | 2 ++ | ||
40 | sshd.c | 3 +++ | ||
41 | version.h | 2 +- | ||
42 | 6 files changed, 28 insertions(+), 3 deletions(-) | ||
43 | |||
44 | diff --git a/bufaux.c b/bufaux.c | ||
45 | index e24b5fc..f6a6f2a 100644 | ||
46 | --- a/bufaux.c | ||
47 | +++ b/bufaux.c | ||
48 | @@ -1,4 +1,4 @@ | ||
49 | -/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ | ||
50 | +/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ | ||
51 | /* | ||
52 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
53 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
54 | @@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) | ||
55 | |||
56 | if (l > 8 * 1024) | ||
57 | fatal("%s: length %u too long", __func__, l); | ||
58 | + /* Skip leading zero bytes */ | ||
59 | + for (; l > 0 && *s == 0; l--, s++) | ||
60 | + ; | ||
61 | p = buf = xmalloc(l + 1); | ||
62 | /* | ||
63 | * If most significant bit is set then prepend a zero byte to | ||
64 | diff --git a/compat.c b/compat.c | ||
65 | index 9d9fabe..2709dc5 100644 | ||
66 | --- a/compat.c | ||
67 | +++ b/compat.c | ||
68 | @@ -95,6 +95,9 @@ compat_datafellows(const char *version) | ||
69 | { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, | ||
70 | { "OpenSSH_4*", 0 }, | ||
71 | { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, | ||
72 | + { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, | ||
73 | + { "OpenSSH_6.5*," | ||
74 | + "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, | ||
75 | { "OpenSSH*", SSH_NEW_OPENSSH }, | ||
76 | { "*MindTerm*", 0 }, | ||
77 | { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| | ||
78 | @@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop) | ||
79 | return cipher_prop; | ||
80 | } | ||
81 | |||
82 | - | ||
83 | char * | ||
84 | compat_pkalg_proposal(char *pkalg_prop) | ||
85 | { | ||
86 | @@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop) | ||
87 | return pkalg_prop; | ||
88 | } | ||
89 | |||
90 | +char * | ||
91 | +compat_kex_proposal(char *kex_prop) | ||
92 | +{ | ||
93 | + if (!(datafellows & SSH_BUG_CURVE25519PAD)) | ||
94 | + return kex_prop; | ||
95 | + debug2("%s: original KEX proposal: %s", __func__, kex_prop); | ||
96 | + kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); | ||
97 | + debug2("%s: compat KEX proposal: %s", __func__, kex_prop); | ||
98 | + if (*kex_prop == '\0') | ||
99 | + fatal("No supported key exchange algorithms found"); | ||
100 | + return kex_prop; | ||
101 | +} | ||
102 | + | ||
103 | diff --git a/compat.h b/compat.h | ||
104 | index b174fa1..a6c3f3d 100644 | ||
105 | --- a/compat.h | ||
106 | +++ b/compat.h | ||
107 | @@ -59,6 +59,7 @@ | ||
108 | #define SSH_BUG_RFWD_ADDR 0x02000000 | ||
109 | #define SSH_NEW_OPENSSH 0x04000000 | ||
110 | #define SSH_BUG_DYNAMIC_RPORT 0x08000000 | ||
111 | +#define SSH_BUG_CURVE25519PAD 0x10000000 | ||
112 | |||
113 | void enable_compat13(void); | ||
114 | void enable_compat20(void); | ||
115 | @@ -66,6 +67,7 @@ void compat_datafellows(const char *); | ||
116 | int proto_spec(const char *); | ||
117 | char *compat_cipher_proposal(char *); | ||
118 | char *compat_pkalg_proposal(char *); | ||
119 | +char *compat_kex_proposal(char *); | ||
120 | |||
121 | extern int compat13; | ||
122 | extern int compat20; | ||
123 | diff --git a/sshconnect2.c b/sshconnect2.c | ||
124 | index 66cb035..1a4e551 100644 | ||
125 | --- a/sshconnect2.c | ||
126 | +++ b/sshconnect2.c | ||
127 | @@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | ||
128 | } | ||
129 | if (options.kex_algorithms != NULL) | ||
130 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
131 | + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
132 | + myproposal[PROPOSAL_KEX_ALGS]); | ||
133 | |||
134 | #ifdef GSSAPI | ||
135 | /* If we've got GSSAPI algorithms, then we also support the | ||
136 | diff --git a/sshd.c b/sshd.c | ||
137 | index 0964491..fe78d7b 100644 | ||
138 | --- a/sshd.c | ||
139 | +++ b/sshd.c | ||
140 | @@ -2534,6 +2534,9 @@ do_ssh2_kex(void) | ||
141 | if (options.kex_algorithms != NULL) | ||
142 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | ||
143 | |||
144 | + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( | ||
145 | + myproposal[PROPOSAL_KEX_ALGS]); | ||
146 | + | ||
147 | if (options.rekey_limit || options.rekey_interval) | ||
148 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | ||
149 | (time_t)options.rekey_interval); | ||
150 | diff --git a/version.h b/version.h | ||
151 | index a97c337..0659576 100644 | ||
152 | --- a/version.h | ||
153 | +++ b/version.h | ||
154 | @@ -1,6 +1,6 @@ | ||
155 | /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ | ||
156 | |||
157 | -#define SSH_VERSION "OpenSSH_6.6" | ||
158 | +#define SSH_VERSION "OpenSSH_6.6.1" | ||
159 | |||
160 | #define SSH_PORTABLE "p1" | ||
161 | #define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | ||
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 49219cf93..ab64cbed5 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9fcad888f4dbf0ecc0c7e87b6ef0f8d88d7ac3ec Mon Sep 17 00:00:00 2001 | 1 | From 114c8a8fb488cbe39507edb75c51198a4b9e8b24 Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <kees@debian.org> | 2 | From: Kees Cook <kees@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:06 +0000 |
4 | Subject: Add DebianBanner server configuration option | 4 | Subject: Add DebianBanner server configuration option |
@@ -8,7 +8,7 @@ initial protocol handshake, for those scared by package-versioning.patch. | |||
8 | 8 | ||
9 | Bug-Debian: http://bugs.debian.org/562048 | 9 | Bug-Debian: http://bugs.debian.org/562048 |
10 | Forwarded: not-needed | 10 | Forwarded: not-needed |
11 | Last-Update: 2013-09-14 | 11 | Last-Update: 2014-10-07 |
12 | 12 | ||
13 | Patch-Name: debian-banner.patch | 13 | Patch-Name: debian-banner.patch |
14 | --- | 14 | --- |
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch | |||
19 | 4 files changed, 18 insertions(+), 1 deletion(-) | 19 | 4 files changed, 18 insertions(+), 1 deletion(-) |
20 | 20 | ||
21 | diff --git a/servconf.c b/servconf.c | 21 | diff --git a/servconf.c b/servconf.c |
22 | index 90de888..37fd2de 100644 | 22 | index a252487..6c7741a 100644 |
23 | --- a/servconf.c | 23 | --- a/servconf.c |
24 | +++ b/servconf.c | 24 | +++ b/servconf.c |
25 | @@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options) | 25 | @@ -160,6 +160,7 @@ initialize_server_options(ServerOptions *options) |
26 | options->ip_qos_interactive = -1; | 26 | options->ip_qos_interactive = -1; |
27 | options->ip_qos_bulk = -1; | 27 | options->ip_qos_bulk = -1; |
28 | options->version_addendum = NULL; | 28 | options->version_addendum = NULL; |
@@ -30,34 +30,34 @@ index 90de888..37fd2de 100644 | |||
30 | } | 30 | } |
31 | 31 | ||
32 | void | 32 | void |
33 | @@ -309,6 +310,8 @@ fill_default_server_options(ServerOptions *options) | 33 | @@ -321,6 +322,8 @@ fill_default_server_options(ServerOptions *options) |
34 | options->ip_qos_bulk = IPTOS_THROUGHPUT; | 34 | options->fwd_opts.streamlocal_bind_mask = 0177; |
35 | if (options->version_addendum == NULL) | 35 | if (options->fwd_opts.streamlocal_bind_unlink == -1) |
36 | options->version_addendum = xstrdup(""); | 36 | options->fwd_opts.streamlocal_bind_unlink = 0; |
37 | + if (options->debian_banner == -1) | 37 | + if (options->debian_banner == -1) |
38 | + options->debian_banner = 1; | 38 | + options->debian_banner = 1; |
39 | /* Turn privilege separation on by default */ | 39 | /* Turn privilege separation on by default */ |
40 | if (use_privsep == -1) | 40 | if (use_privsep == -1) |
41 | use_privsep = PRIVSEP_NOSANDBOX; | 41 | use_privsep = PRIVSEP_NOSANDBOX; |
42 | @@ -359,6 +362,7 @@ typedef enum { | 42 | @@ -373,6 +376,7 @@ typedef enum { |
43 | sKexAlgorithms, sIPQoS, sVersionAddendum, | 43 | sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, |
44 | sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, | 44 | sStreamLocalBindMask, sStreamLocalBindUnlink, |
45 | sAuthenticationMethods, sHostKeyAgent, | 45 | sAllowStreamLocalForwarding, |
46 | + sDebianBanner, | 46 | + sDebianBanner, |
47 | sDeprecated, sUnsupported | 47 | sDeprecated, sUnsupported |
48 | } ServerOpCodes; | 48 | } ServerOpCodes; |
49 | 49 | ||
50 | @@ -496,6 +500,7 @@ static struct { | 50 | @@ -514,6 +518,7 @@ static struct { |
51 | { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, | 51 | { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, |
52 | { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, | 52 | { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, |
53 | { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL }, | 53 | { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, |
54 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, | 54 | + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, |
55 | { NULL, sBadOption, 0 } | 55 | { NULL, sBadOption, 0 } |
56 | }; | 56 | }; |
57 | 57 | ||
58 | @@ -1654,6 +1659,10 @@ process_server_config_line(ServerOptions *options, char *line, | 58 | @@ -1697,6 +1702,10 @@ process_server_config_line(ServerOptions *options, char *line, |
59 | } | 59 | intptr = &options->fwd_opts.streamlocal_bind_unlink; |
60 | return 0; | 60 | goto parse_flag; |
61 | 61 | ||
62 | + case sDebianBanner: | 62 | + case sDebianBanner: |
63 | + intptr = &options->debian_banner; | 63 | + intptr = &options->debian_banner; |
@@ -67,10 +67,10 @@ index 90de888..37fd2de 100644 | |||
67 | logit("%s line %d: Deprecated option %s", | 67 | logit("%s line %d: Deprecated option %s", |
68 | filename, linenum, arg); | 68 | filename, linenum, arg); |
69 | diff --git a/servconf.h b/servconf.h | 69 | diff --git a/servconf.h b/servconf.h |
70 | index c922eb5..dcd1c2a 100644 | 70 | index f8265a8..fa48804 100644 |
71 | --- a/servconf.h | 71 | --- a/servconf.h |
72 | +++ b/servconf.h | 72 | +++ b/servconf.h |
73 | @@ -186,6 +186,8 @@ typedef struct { | 73 | @@ -188,6 +188,8 @@ typedef struct { |
74 | 74 | ||
75 | u_int num_auth_methods; | 75 | u_int num_auth_methods; |
76 | char *auth_methods[MAX_AUTH_METHODS]; | 76 | char *auth_methods[MAX_AUTH_METHODS]; |
@@ -80,10 +80,10 @@ index c922eb5..dcd1c2a 100644 | |||
80 | 80 | ||
81 | /* Information about the incoming connection as used by Match */ | 81 | /* Information about the incoming connection as used by Match */ |
82 | diff --git a/sshd.c b/sshd.c | 82 | diff --git a/sshd.c b/sshd.c |
83 | index af9b8f1..665c0b9 100644 | 83 | index 1710e71..87331c1 100644 |
84 | --- a/sshd.c | 84 | --- a/sshd.c |
85 | +++ b/sshd.c | 85 | +++ b/sshd.c |
86 | @@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out) | 86 | @@ -443,7 +443,8 @@ sshd_exchange_identification(int sock_in, int sock_out) |
87 | } | 87 | } |
88 | 88 | ||
89 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 89 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
@@ -94,10 +94,10 @@ index af9b8f1..665c0b9 100644 | |||
94 | options.version_addendum, newline); | 94 | options.version_addendum, newline); |
95 | 95 | ||
96 | diff --git a/sshd_config.5 b/sshd_config.5 | 96 | diff --git a/sshd_config.5 b/sshd_config.5 |
97 | index 2164d58..8f078f6 100644 | 97 | index 2843048..58997d3 100644 |
98 | --- a/sshd_config.5 | 98 | --- a/sshd_config.5 |
99 | +++ b/sshd_config.5 | 99 | +++ b/sshd_config.5 |
100 | @@ -413,6 +413,11 @@ or | 100 | @@ -447,6 +447,11 @@ or |
101 | .Dq no . | 101 | .Dq no . |
102 | The default is | 102 | The default is |
103 | .Dq delayed . | 103 | .Dq delayed . |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index 9ada04a10..661d30ca8 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From df5c8d109fb3d9ec16a487107a44300ed3006849 Mon Sep 17 00:00:00 2001 | 1 | From 762c062828f5a8f6ed189ed6e44ad38fd92f8b36 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:18 +0000 |
4 | Subject: Various Debian-specific configuration changes | 4 | Subject: Various Debian-specific configuration changes |
@@ -34,10 +34,10 @@ Patch-Name: debian-config.patch | |||
34 | 5 files changed, 51 insertions(+), 3 deletions(-) | 34 | 5 files changed, 51 insertions(+), 3 deletions(-) |
35 | 35 | ||
36 | diff --git a/readconf.c b/readconf.c | 36 | diff --git a/readconf.c b/readconf.c |
37 | index 32c4b42..5429fc2 100644 | 37 | index 0648867..29338b6 100644 |
38 | --- a/readconf.c | 38 | --- a/readconf.c |
39 | +++ b/readconf.c | 39 | +++ b/readconf.c |
40 | @@ -1640,7 +1640,7 @@ fill_default_options(Options * options) | 40 | @@ -1681,7 +1681,7 @@ fill_default_options(Options * options) |
41 | if (options->forward_x11 == -1) | 41 | if (options->forward_x11 == -1) |
42 | options->forward_x11 = 0; | 42 | options->forward_x11 = 0; |
43 | if (options->forward_x11_trusted == -1) | 43 | if (options->forward_x11_trusted == -1) |
@@ -71,7 +71,7 @@ index 228e5ab..c9386aa 100644 | |||
71 | + GSSAPIAuthentication yes | 71 | + GSSAPIAuthentication yes |
72 | + GSSAPIDelegateCredentials no | 72 | + GSSAPIDelegateCredentials no |
73 | diff --git a/ssh_config.5 b/ssh_config.5 | 73 | diff --git a/ssh_config.5 b/ssh_config.5 |
74 | index 1d500e9..22e6372 100644 | 74 | index a1005ba..da3c177 100644 |
75 | --- a/ssh_config.5 | 75 | --- a/ssh_config.5 |
76 | +++ b/ssh_config.5 | 76 | +++ b/ssh_config.5 |
77 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more | 77 | @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more |
@@ -97,7 +97,7 @@ index 1d500e9..22e6372 100644 | |||
97 | The configuration file has the following format: | 97 | The configuration file has the following format: |
98 | .Pp | 98 | .Pp |
99 | Empty lines and lines starting with | 99 | Empty lines and lines starting with |
100 | @@ -654,7 +670,8 @@ token used for the session will be set to expire after 20 minutes. | 100 | @@ -673,7 +689,8 @@ token used for the session will be set to expire after 20 minutes. |
101 | Remote clients will be refused access after this time. | 101 | Remote clients will be refused access after this time. |
102 | .Pp | 102 | .Pp |
103 | The default is | 103 | The default is |
@@ -120,7 +120,7 @@ index d9b8594..4db32f5 100644 | |||
120 | #StrictModes yes | 120 | #StrictModes yes |
121 | #MaxAuthTries 6 | 121 | #MaxAuthTries 6 |
122 | diff --git a/sshd_config.5 b/sshd_config.5 | 122 | diff --git a/sshd_config.5 b/sshd_config.5 |
123 | index 908e0bb..90fd3f4 100644 | 123 | index 7396b23..7aa7b47 100644 |
124 | --- a/sshd_config.5 | 124 | --- a/sshd_config.5 |
125 | +++ b/sshd_config.5 | 125 | +++ b/sshd_config.5 |
126 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes | 126 | @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes |
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch index bc89c50fc..0212ea841 100644 --- a/debian/patches/dnssec-sshfp.patch +++ b/debian/patches/dnssec-sshfp.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 912129ba92bea401d8cdeadc7aa7084fbf7625a1 Mon Sep 17 00:00:00 2001 | 1 | From 4ac9937c1d9f1901ab0694114d76e59a138aae96 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:01 +0000 |
4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf | 4 | Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf |
@@ -18,10 +18,10 @@ Patch-Name: dnssec-sshfp.patch | |||
18 | 3 files changed, 21 insertions(+), 6 deletions(-) | 18 | 3 files changed, 21 insertions(+), 6 deletions(-) |
19 | 19 | ||
20 | diff --git a/dns.c b/dns.c | 20 | diff --git a/dns.c b/dns.c |
21 | index 630b97a..478c3d9 100644 | 21 | index c4d073c..e5872c1 100644 |
22 | --- a/dns.c | 22 | --- a/dns.c |
23 | +++ b/dns.c | 23 | +++ b/dns.c |
24 | @@ -196,6 +196,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | 24 | @@ -203,6 +203,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, |
25 | { | 25 | { |
26 | u_int counter; | 26 | u_int counter; |
27 | int result; | 27 | int result; |
@@ -29,7 +29,7 @@ index 630b97a..478c3d9 100644 | |||
29 | struct rrsetinfo *fingerprints = NULL; | 29 | struct rrsetinfo *fingerprints = NULL; |
30 | 30 | ||
31 | u_int8_t hostkey_algorithm; | 31 | u_int8_t hostkey_algorithm; |
32 | @@ -219,8 +220,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, | 32 | @@ -226,8 +227,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, |
33 | return -1; | 33 | return -1; |
34 | } | 34 | } |
35 | 35 | ||
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 16c40b05f..8e6cfa575 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 1d108ef62050b4368e24e1efada16ec88c177fb8 Mon Sep 17 00:00:00 2001 | 1 | From 2fd0b3814e27d584efa6df92845a7354e7c2de6c Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:11 +0000 |
4 | Subject: Document that HashKnownHosts may break tab-completion | 4 | Subject: Document that HashKnownHosts may break tab-completion |
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch | |||
13 | 1 file changed, 3 insertions(+) | 13 | 1 file changed, 3 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh_config.5 b/ssh_config.5 | 15 | diff --git a/ssh_config.5 b/ssh_config.5 |
16 | index 4bf7cbb..1d500e9 100644 | 16 | index d68b45a..a1005ba 100644 |
17 | --- a/ssh_config.5 | 17 | --- a/ssh_config.5 |
18 | +++ b/ssh_config.5 | 18 | +++ b/ssh_config.5 |
19 | @@ -740,6 +740,9 @@ Note that existing names and addresses in known hosts files | 19 | @@ -759,6 +759,9 @@ Note that existing names and addresses in known hosts files |
20 | will not be converted automatically, | 20 | will not be converted automatically, |
21 | but may be manually hashed using | 21 | but may be manually hashed using |
22 | .Xr ssh-keygen 1 . | 22 | .Xr ssh-keygen 1 . |
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch index da8fc7ed4..c1ce1bcae 100644 --- a/debian/patches/doc-upstart.patch +++ b/debian/patches/doc-upstart.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 111de26347496af3f6ed04849fd29bc4bf1c2cea Mon Sep 17 00:00:00 2001 | 1 | From 252e76b3ad6e83a798e479a2beba5be7000ff85e Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:12 +0000 |
4 | Subject: Refer to ssh's Upstart job as well as its init script | 4 | Subject: Refer to ssh's Upstart job as well as its init script |
@@ -12,10 +12,10 @@ Patch-Name: doc-upstart.patch | |||
12 | 1 file changed, 4 insertions(+), 1 deletion(-) | 12 | 1 file changed, 4 insertions(+), 1 deletion(-) |
13 | 13 | ||
14 | diff --git a/sshd.8 b/sshd.8 | 14 | diff --git a/sshd.8 b/sshd.8 |
15 | index b016e90..cba168a 100644 | 15 | index 3538208..f8f9eac 100644 |
16 | --- a/sshd.8 | 16 | --- a/sshd.8 |
17 | +++ b/sshd.8 | 17 | +++ b/sshd.8 |
18 | @@ -70,7 +70,10 @@ over an insecure network. | 18 | @@ -67,7 +67,10 @@ over an insecure network. |
19 | .Nm | 19 | .Nm |
20 | listens for connections from clients. | 20 | listens for connections from clients. |
21 | It is normally started at boot from | 21 | It is normally started at boot from |
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch index dab518f65..84fe03acc 100644 --- a/debian/patches/gnome-ssh-askpass2-icon.patch +++ b/debian/patches/gnome-ssh-askpass2-icon.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b7df8fdb32f3d33b70ff8733cb0c39417e367534 Mon Sep 17 00:00:00 2001 | 1 | From 1195b028cb9f402633cfdcae6ec34bf63b4ab771 Mon Sep 17 00:00:00 2001 |
2 | From: Vincent Untz <vuntz@ubuntu.com> | 2 | From: Vincent Untz <vuntz@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:16 +0000 |
4 | Subject: Give the ssh-askpass-gnome window a default icon | 4 | Subject: Give the ssh-askpass-gnome window a default icon |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index d8439bf03..e8cbc1083 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd Mon Sep 17 00:00:00 2001 | 1 | From 1c1b6fa17982eb622e2c4e8f4a279f2113f57413 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Wilkinson <simon@sxw.org.uk> | 2 | From: Simon Wilkinson <simon@sxw.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:48 +0000 |
4 | Subject: GSSAPI key exchange support | 4 | Subject: GSSAPI key exchange support |
@@ -17,7 +17,7 @@ have it merged into the main openssh package rather than having separate | |||
17 | security history. | 17 | security history. |
18 | 18 | ||
19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 | 19 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 |
20 | Last-Updated: 2014-03-19 | 20 | Last-Updated: 2014-10-07 |
21 | 21 | ||
22 | Patch-Name: gssapi.patch | 22 | Patch-Name: gssapi.patch |
23 | --- | 23 | --- |
@@ -36,9 +36,7 @@ Patch-Name: gssapi.patch | |||
36 | kex.c | 16 +++ | 36 | kex.c | 16 +++ |
37 | kex.h | 14 +++ | 37 | kex.h | 14 +++ |
38 | kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ | 38 | kexgssc.c | 332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
39 | kexgsss.c | 289 ++++++++++++++++++++++++++++++++++++++++++++++++ | 39 | kexgsss.c | 290 ++++++++++++++++++++++++++++++++++++++++++++++++ |
40 | key.c | 3 +- | ||
41 | key.h | 1 + | ||
42 | monitor.c | 108 +++++++++++++++++- | 40 | monitor.c | 108 +++++++++++++++++- |
43 | monitor.h | 3 + | 41 | monitor.h | 3 + |
44 | monitor_wrap.c | 47 +++++++- | 42 | monitor_wrap.c | 47 +++++++- |
@@ -54,7 +52,9 @@ Patch-Name: gssapi.patch | |||
54 | sshd.c | 110 ++++++++++++++++++ | 52 | sshd.c | 110 ++++++++++++++++++ |
55 | sshd_config | 2 + | 53 | sshd_config | 2 + |
56 | sshd_config.5 | 28 +++++ | 54 | sshd_config.5 | 28 +++++ |
57 | 33 files changed, 2051 insertions(+), 59 deletions(-) | 55 | sshkey.c | 3 +- |
56 | sshkey.h | 1 + | ||
57 | 33 files changed, 2052 insertions(+), 59 deletions(-) | ||
58 | create mode 100644 ChangeLog.gssapi | 58 | create mode 100644 ChangeLog.gssapi |
59 | create mode 100644 kexgssc.c | 59 | create mode 100644 kexgssc.c |
60 | create mode 100644 kexgsss.c | 60 | create mode 100644 kexgsss.c |
@@ -179,10 +179,10 @@ index 0000000..f117a33 | |||
179 | + (from jbasney AT ncsa.uiuc.edu) | 179 | + (from jbasney AT ncsa.uiuc.edu) |
180 | + <gssapi-with-mic support is Bugzilla #1008> | 180 | + <gssapi-with-mic support is Bugzilla #1008> |
181 | diff --git a/Makefile.in b/Makefile.in | 181 | diff --git a/Makefile.in b/Makefile.in |
182 | index 28a8ec4..ee1d2c3 100644 | 182 | index 06be3d5..086d8dd 100644 |
183 | --- a/Makefile.in | 183 | --- a/Makefile.in |
184 | +++ b/Makefile.in | 184 | +++ b/Makefile.in |
185 | @@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 185 | @@ -82,6 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
186 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 186 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ |
187 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ | 187 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 188 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ |
@@ -190,7 +190,7 @@ index 28a8ec4..ee1d2c3 100644 | |||
190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ | 190 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
191 | ssh-pkcs11.o krl.o smult_curve25519_ref.o \ | 191 | ssh-pkcs11.o krl.o smult_curve25519_ref.o \ |
192 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ | 192 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ |
193 | @@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ | 193 | @@ -101,7 +102,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
194 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ | 194 | auth2-none.o auth2-passwd.o auth2-pubkey.o \ |
195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 195 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ |
196 | kexc25519s.o auth-krb5.o \ | 196 | kexc25519s.o auth-krb5.o \ |
@@ -200,10 +200,10 @@ index 28a8ec4..ee1d2c3 100644 | |||
200 | sftp-server.o sftp-common.o \ | 200 | sftp-server.o sftp-common.o \ |
201 | roaming_common.o roaming_serv.o \ | 201 | roaming_common.o roaming_serv.o \ |
202 | diff --git a/auth-krb5.c b/auth-krb5.c | 202 | diff --git a/auth-krb5.c b/auth-krb5.c |
203 | index 6c62bdf..69a1a53 100644 | 203 | index 0089b18..ec47869 100644 |
204 | --- a/auth-krb5.c | 204 | --- a/auth-krb5.c |
205 | +++ b/auth-krb5.c | 205 | +++ b/auth-krb5.c |
206 | @@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) | 206 | @@ -183,8 +183,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) |
207 | 207 | ||
208 | len = strlen(authctxt->krb5_ticket_file) + 6; | 208 | len = strlen(authctxt->krb5_ticket_file) + 6; |
209 | authctxt->krb5_ccname = xmalloc(len); | 209 | authctxt->krb5_ccname = xmalloc(len); |
@@ -217,7 +217,7 @@ index 6c62bdf..69a1a53 100644 | |||
217 | 217 | ||
218 | #ifdef USE_PAM | 218 | #ifdef USE_PAM |
219 | if (options.use_pam) | 219 | if (options.use_pam) |
220 | @@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt) | 220 | @@ -241,15 +246,22 @@ krb5_cleanup_proc(Authctxt *authctxt) |
221 | #ifndef HEIMDAL | 221 | #ifndef HEIMDAL |
222 | krb5_error_code | 222 | krb5_error_code |
223 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 223 | ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
@@ -242,7 +242,7 @@ index 6c62bdf..69a1a53 100644 | |||
242 | old_umask = umask(0177); | 242 | old_umask = umask(0177); |
243 | tmpfd = mkstemp(ccname + strlen("FILE:")); | 243 | tmpfd = mkstemp(ccname + strlen("FILE:")); |
244 | oerrno = errno; | 244 | oerrno = errno; |
245 | @@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { | 245 | @@ -266,6 +278,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { |
246 | return oerrno; | 246 | return oerrno; |
247 | } | 247 | } |
248 | close(tmpfd); | 248 | close(tmpfd); |
@@ -251,7 +251,7 @@ index 6c62bdf..69a1a53 100644 | |||
251 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 251 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
252 | } | 252 | } |
253 | diff --git a/auth2-gss.c b/auth2-gss.c | 253 | diff --git a/auth2-gss.c b/auth2-gss.c |
254 | index c28a705..3ff2d72 100644 | 254 | index 447f896..284f364 100644 |
255 | --- a/auth2-gss.c | 255 | --- a/auth2-gss.c |
256 | +++ b/auth2-gss.c | 256 | +++ b/auth2-gss.c |
257 | @@ -1,7 +1,7 @@ | 257 | @@ -1,7 +1,7 @@ |
@@ -263,7 +263,7 @@ index c28a705..3ff2d72 100644 | |||
263 | * | 263 | * |
264 | * Redistribution and use in source and binary forms, with or without | 264 | * Redistribution and use in source and binary forms, with or without |
265 | * modification, are permitted provided that the following conditions | 265 | * modification, are permitted provided that the following conditions |
266 | @@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); | 266 | @@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); |
267 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); | 267 | static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); |
268 | static void input_gssapi_errtok(int, u_int32_t, void *); | 268 | static void input_gssapi_errtok(int, u_int32_t, void *); |
269 | 269 | ||
@@ -304,7 +304,7 @@ index c28a705..3ff2d72 100644 | |||
304 | /* | 304 | /* |
305 | * We only support those mechanisms that we know about (ie ones that we know | 305 | * We only support those mechanisms that we know about (ie ones that we know |
306 | * how to check local user kuserok and the like) | 306 | * how to check local user kuserok and the like) |
307 | @@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) | 307 | @@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) |
308 | 308 | ||
309 | packet_check_eom(); | 309 | packet_check_eom(); |
310 | 310 | ||
@@ -314,7 +314,7 @@ index c28a705..3ff2d72 100644 | |||
314 | 314 | ||
315 | authctxt->postponed = 0; | 315 | authctxt->postponed = 0; |
316 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 316 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
317 | @@ -270,7 +305,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 317 | @@ -271,7 +306,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
318 | gssbuf.length = buffer_len(&b); | 318 | gssbuf.length = buffer_len(&b); |
319 | 319 | ||
320 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 320 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
@@ -324,7 +324,7 @@ index c28a705..3ff2d72 100644 | |||
324 | else | 324 | else |
325 | logit("GSSAPI MIC check failed"); | 325 | logit("GSSAPI MIC check failed"); |
326 | 326 | ||
327 | @@ -285,6 +321,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) | 327 | @@ -286,6 +322,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) |
328 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); | 328 | userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); |
329 | } | 329 | } |
330 | 330 | ||
@@ -338,10 +338,10 @@ index c28a705..3ff2d72 100644 | |||
338 | "gssapi-with-mic", | 338 | "gssapi-with-mic", |
339 | userauth_gssapi, | 339 | userauth_gssapi, |
340 | diff --git a/auth2.c b/auth2.c | 340 | diff --git a/auth2.c b/auth2.c |
341 | index a5490c0..fbe3e1b 100644 | 341 | index d9b440a..2f0d565 100644 |
342 | --- a/auth2.c | 342 | --- a/auth2.c |
343 | +++ b/auth2.c | 343 | +++ b/auth2.c |
344 | @@ -69,6 +69,7 @@ extern Authmethod method_passwd; | 344 | @@ -70,6 +70,7 @@ extern Authmethod method_passwd; |
345 | extern Authmethod method_kbdint; | 345 | extern Authmethod method_kbdint; |
346 | extern Authmethod method_hostbased; | 346 | extern Authmethod method_hostbased; |
347 | #ifdef GSSAPI | 347 | #ifdef GSSAPI |
@@ -349,7 +349,7 @@ index a5490c0..fbe3e1b 100644 | |||
349 | extern Authmethod method_gssapi; | 349 | extern Authmethod method_gssapi; |
350 | #endif | 350 | #endif |
351 | 351 | ||
352 | @@ -76,6 +77,7 @@ Authmethod *authmethods[] = { | 352 | @@ -77,6 +78,7 @@ Authmethod *authmethods[] = { |
353 | &method_none, | 353 | &method_none, |
354 | &method_pubkey, | 354 | &method_pubkey, |
355 | #ifdef GSSAPI | 355 | #ifdef GSSAPI |
@@ -358,7 +358,7 @@ index a5490c0..fbe3e1b 100644 | |||
358 | #endif | 358 | #endif |
359 | &method_passwd, | 359 | &method_passwd, |
360 | diff --git a/clientloop.c b/clientloop.c | 360 | diff --git a/clientloop.c b/clientloop.c |
361 | index 59ad3a2..6d8cd7d 100644 | 361 | index 397c965..f9175e3 100644 |
362 | --- a/clientloop.c | 362 | --- a/clientloop.c |
363 | +++ b/clientloop.c | 363 | +++ b/clientloop.c |
364 | @@ -111,6 +111,10 @@ | 364 | @@ -111,6 +111,10 @@ |
@@ -372,7 +372,7 @@ index 59ad3a2..6d8cd7d 100644 | |||
372 | /* import options */ | 372 | /* import options */ |
373 | extern Options options; | 373 | extern Options options; |
374 | 374 | ||
375 | @@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 375 | @@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
376 | /* Do channel operations unless rekeying in progress. */ | 376 | /* Do channel operations unless rekeying in progress. */ |
377 | if (!rekeying) { | 377 | if (!rekeying) { |
378 | channel_after_select(readset, writeset); | 378 | channel_after_select(readset, writeset); |
@@ -389,7 +389,7 @@ index 59ad3a2..6d8cd7d 100644 | |||
389 | debug("need rekeying"); | 389 | debug("need rekeying"); |
390 | xxx_kex->done = 0; | 390 | xxx_kex->done = 0; |
391 | diff --git a/config.h.in b/config.h.in | 391 | diff --git a/config.h.in b/config.h.in |
392 | index 0401ad1..6bc422c 100644 | 392 | index 16d6206..a9a8b7a 100644 |
393 | --- a/config.h.in | 393 | --- a/config.h.in |
394 | +++ b/config.h.in | 394 | +++ b/config.h.in |
395 | @@ -1622,6 +1622,9 @@ | 395 | @@ -1622,6 +1622,9 @@ |
@@ -413,10 +413,10 @@ index 0401ad1..6bc422c 100644 | |||
413 | #undef USE_SOLARIS_PROCESS_CONTRACTS | 413 | #undef USE_SOLARIS_PROCESS_CONTRACTS |
414 | 414 | ||
415 | diff --git a/configure b/configure | 415 | diff --git a/configure b/configure |
416 | index d690393..b6b5b6d 100755 | 416 | index 6815388..ea5f200 100755 |
417 | --- a/configure | 417 | --- a/configure |
418 | +++ b/configure | 418 | +++ b/configure |
419 | @@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h | 419 | @@ -7168,6 +7168,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h |
420 | 420 | ||
421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | 421 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h |
422 | 422 | ||
@@ -481,7 +481,7 @@ index d690393..b6b5b6d 100755 | |||
481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" | 481 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" |
482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : | 482 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : |
483 | diff --git a/configure.ac b/configure.ac | 483 | diff --git a/configure.ac b/configure.ac |
484 | index 7c6ce08..d235fb0 100644 | 484 | index 67c4486..90e81e1 100644 |
485 | --- a/configure.ac | 485 | --- a/configure.ac |
486 | +++ b/configure.ac | 486 | +++ b/configure.ac |
487 | @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) | 487 | @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) |
@@ -866,7 +866,7 @@ index b39281b..1e569ad 100644 | |||
866 | + | 866 | + |
867 | #endif /* GSSAPI */ | 867 | #endif /* GSSAPI */ |
868 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c | 868 | diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c |
869 | index 759fa10..e678a27 100644 | 869 | index 795992d..fd8b371 100644 |
870 | --- a/gss-serv-krb5.c | 870 | --- a/gss-serv-krb5.c |
871 | +++ b/gss-serv-krb5.c | 871 | +++ b/gss-serv-krb5.c |
872 | @@ -1,7 +1,7 @@ | 872 | @@ -1,7 +1,7 @@ |
@@ -878,7 +878,7 @@ index 759fa10..e678a27 100644 | |||
878 | * | 878 | * |
879 | * Redistribution and use in source and binary forms, with or without | 879 | * Redistribution and use in source and binary forms, with or without |
880 | * modification, are permitted provided that the following conditions | 880 | * modification, are permitted provided that the following conditions |
881 | @@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 881 | @@ -121,8 +121,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
882 | krb5_error_code problem; | 882 | krb5_error_code problem; |
883 | krb5_principal princ; | 883 | krb5_principal princ; |
884 | OM_uint32 maj_status, min_status; | 884 | OM_uint32 maj_status, min_status; |
@@ -888,7 +888,7 @@ index 759fa10..e678a27 100644 | |||
888 | 888 | ||
889 | if (client->creds == NULL) { | 889 | if (client->creds == NULL) { |
890 | debug("No credentials stored"); | 890 | debug("No credentials stored"); |
891 | @@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 891 | @@ -181,11 +181,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
892 | return; | 892 | return; |
893 | } | 893 | } |
894 | 894 | ||
@@ -909,7 +909,7 @@ index 759fa10..e678a27 100644 | |||
909 | 909 | ||
910 | #ifdef USE_PAM | 910 | #ifdef USE_PAM |
911 | if (options.use_pam) | 911 | if (options.use_pam) |
912 | @@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) | 912 | @@ -197,6 +202,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) |
913 | return; | 913 | return; |
914 | } | 914 | } |
915 | 915 | ||
@@ -981,7 +981,7 @@ index 759fa10..e678a27 100644 | |||
981 | ssh_gssapi_mech gssapi_kerberos_mech = { | 981 | ssh_gssapi_mech gssapi_kerberos_mech = { |
982 | "toWM5Slw5Ew8Mqkay+al2g==", | 982 | "toWM5Slw5Ew8Mqkay+al2g==", |
983 | "Kerberos", | 983 | "Kerberos", |
984 | @@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { | 984 | @@ -204,7 +274,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { |
985 | NULL, | 985 | NULL, |
986 | &ssh_gssapi_krb5_userok, | 986 | &ssh_gssapi_krb5_userok, |
987 | NULL, | 987 | NULL, |
@@ -992,11 +992,11 @@ index 759fa10..e678a27 100644 | |||
992 | 992 | ||
993 | #endif /* KRB5 */ | 993 | #endif /* KRB5 */ |
994 | diff --git a/gss-serv.c b/gss-serv.c | 994 | diff --git a/gss-serv.c b/gss-serv.c |
995 | index e61b37b..c33463b 100644 | 995 | index 5c59924..50fa438 100644 |
996 | --- a/gss-serv.c | 996 | --- a/gss-serv.c |
997 | +++ b/gss-serv.c | 997 | +++ b/gss-serv.c |
998 | @@ -1,7 +1,7 @@ | 998 | @@ -1,7 +1,7 @@ |
999 | /* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */ | 999 | /* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */ |
1000 | 1000 | ||
1001 | /* | 1001 | /* |
1002 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 1002 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -1029,7 +1029,7 @@ index e61b37b..c33463b 100644 | |||
1029 | #ifdef KRB5 | 1029 | #ifdef KRB5 |
1030 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 1030 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
1031 | @@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) | 1031 | @@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) |
1032 | char lname[MAXHOSTNAMELEN]; | 1032 | char lname[NI_MAXHOST]; |
1033 | gss_OID_set oidset; | 1033 | gss_OID_set oidset; |
1034 | 1034 | ||
1035 | - gss_create_empty_oid_set(&status, &oidset); | 1035 | - gss_create_empty_oid_set(&status, &oidset); |
@@ -1038,11 +1038,11 @@ index e61b37b..c33463b 100644 | |||
1038 | + gss_create_empty_oid_set(&status, &oidset); | 1038 | + gss_create_empty_oid_set(&status, &oidset); |
1039 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); | 1039 | + gss_add_oid_set_member(&status, ctx->oid, &oidset); |
1040 | 1040 | ||
1041 | - if (gethostname(lname, MAXHOSTNAMELEN)) { | 1041 | - if (gethostname(lname, sizeof(lname))) { |
1042 | - gss_release_oid_set(&status, &oidset); | 1042 | - gss_release_oid_set(&status, &oidset); |
1043 | - return (-1); | 1043 | - return (-1); |
1044 | - } | 1044 | - } |
1045 | + if (gethostname(lname, MAXHOSTNAMELEN)) { | 1045 | + if (gethostname(lname, sizeof(lname))) { |
1046 | + gss_release_oid_set(&status, &oidset); | 1046 | + gss_release_oid_set(&status, &oidset); |
1047 | + return (-1); | 1047 | + return (-1); |
1048 | + } | 1048 | + } |
@@ -1310,10 +1310,10 @@ index e61b37b..c33463b 100644 | |||
1310 | 1310 | ||
1311 | #endif | 1311 | #endif |
1312 | diff --git a/kex.c b/kex.c | 1312 | diff --git a/kex.c b/kex.c |
1313 | index 74e2b86..d114ee3 100644 | 1313 | index a173e70..891852b 100644 |
1314 | --- a/kex.c | 1314 | --- a/kex.c |
1315 | +++ b/kex.c | 1315 | +++ b/kex.c |
1316 | @@ -51,6 +51,10 @@ | 1316 | @@ -53,6 +53,10 @@ |
1317 | #include "roaming.h" | 1317 | #include "roaming.h" |
1318 | #include "digest.h" | 1318 | #include "digest.h" |
1319 | 1319 | ||
@@ -1324,8 +1324,8 @@ index 74e2b86..d114ee3 100644 | |||
1324 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L | 1324 | #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
1325 | # if defined(HAVE_EVP_SHA256) | 1325 | # if defined(HAVE_EVP_SHA256) |
1326 | # define evp_ssh_sha256 EVP_sha256 | 1326 | # define evp_ssh_sha256 EVP_sha256 |
1327 | @@ -92,6 +96,14 @@ static const struct kexalg kexalgs[] = { | 1327 | @@ -96,6 +100,14 @@ static const struct kexalg kexalgs[] = { |
1328 | #endif | 1328 | #endif /* HAVE_EVP_SHA256 */ |
1329 | { NULL, -1, -1, -1}, | 1329 | { NULL, -1, -1, -1}, |
1330 | }; | 1330 | }; |
1331 | +static const struct kexalg kexalg_prefixes[] = { | 1331 | +static const struct kexalg kexalg_prefixes[] = { |
@@ -1339,7 +1339,7 @@ index 74e2b86..d114ee3 100644 | |||
1339 | 1339 | ||
1340 | char * | 1340 | char * |
1341 | kex_alg_list(char sep) | 1341 | kex_alg_list(char sep) |
1342 | @@ -120,6 +132,10 @@ kex_alg_by_name(const char *name) | 1342 | @@ -124,6 +136,10 @@ kex_alg_by_name(const char *name) |
1343 | if (strcmp(k->name, name) == 0) | 1343 | if (strcmp(k->name, name) == 0) |
1344 | return k; | 1344 | return k; |
1345 | } | 1345 | } |
@@ -1351,7 +1351,7 @@ index 74e2b86..d114ee3 100644 | |||
1351 | } | 1351 | } |
1352 | 1352 | ||
1353 | diff --git a/kex.h b/kex.h | 1353 | diff --git a/kex.h b/kex.h |
1354 | index c85680e..ea698c4 100644 | 1354 | index 4c40ec8..c179a4d 100644 |
1355 | --- a/kex.h | 1355 | --- a/kex.h |
1356 | +++ b/kex.h | 1356 | +++ b/kex.h |
1357 | @@ -76,6 +76,9 @@ enum kex_exchange { | 1357 | @@ -76,6 +76,9 @@ enum kex_exchange { |
@@ -1729,10 +1729,10 @@ index 0000000..92a31c5 | |||
1729 | +#endif /* GSSAPI */ | 1729 | +#endif /* GSSAPI */ |
1730 | diff --git a/kexgsss.c b/kexgsss.c | 1730 | diff --git a/kexgsss.c b/kexgsss.c |
1731 | new file mode 100644 | 1731 | new file mode 100644 |
1732 | index 0000000..8095259 | 1732 | index 0000000..6a0ece8 |
1733 | --- /dev/null | 1733 | --- /dev/null |
1734 | +++ b/kexgsss.c | 1734 | +++ b/kexgsss.c |
1735 | @@ -0,0 +1,289 @@ | 1735 | @@ -0,0 +1,290 @@ |
1736 | +/* | 1736 | +/* |
1737 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. | 1737 | + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. |
1738 | + * | 1738 | + * |
@@ -1777,6 +1777,7 @@ index 0000000..8095259 | |||
1777 | +#include "dh.h" | 1777 | +#include "dh.h" |
1778 | +#include "ssh-gss.h" | 1778 | +#include "ssh-gss.h" |
1779 | +#include "monitor_wrap.h" | 1779 | +#include "monitor_wrap.h" |
1780 | +#include "misc.h" | ||
1780 | +#include "servconf.h" | 1781 | +#include "servconf.h" |
1781 | + | 1782 | + |
1782 | +extern ServerOptions options; | 1783 | +extern ServerOptions options; |
@@ -2022,44 +2023,11 @@ index 0000000..8095259 | |||
2022 | + ssh_gssapi_rekey_creds(); | 2023 | + ssh_gssapi_rekey_creds(); |
2023 | +} | 2024 | +} |
2024 | +#endif /* GSSAPI */ | 2025 | +#endif /* GSSAPI */ |
2025 | diff --git a/key.c b/key.c | ||
2026 | index 168e1b7..3d640e7 100644 | ||
2027 | --- a/key.c | ||
2028 | +++ b/key.c | ||
2029 | @@ -985,6 +985,7 @@ static const struct keytype keytypes[] = { | ||
2030 | KEY_DSA_CERT_V00, 0, 1 }, | ||
2031 | { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", | ||
2032 | KEY_ED25519_CERT, 0, 1 }, | ||
2033 | + { "null", "null", KEY_NULL, 0, 0 }, | ||
2034 | { NULL, NULL, -1, -1, 0 } | ||
2035 | }; | ||
2036 | |||
2037 | @@ -1063,7 +1064,7 @@ key_alg_list(int certs_only, int plain_only) | ||
2038 | const struct keytype *kt; | ||
2039 | |||
2040 | for (kt = keytypes; kt->type != -1; kt++) { | ||
2041 | - if (kt->name == NULL) | ||
2042 | + if (kt->name == NULL || kt->type == KEY_NULL) | ||
2043 | continue; | ||
2044 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | ||
2045 | continue; | ||
2046 | diff --git a/key.h b/key.h | ||
2047 | index d8ad13d..c8aeba2 100644 | ||
2048 | --- a/key.h | ||
2049 | +++ b/key.h | ||
2050 | @@ -46,6 +46,7 @@ enum types { | ||
2051 | KEY_ED25519_CERT, | ||
2052 | KEY_RSA_CERT_V00, | ||
2053 | KEY_DSA_CERT_V00, | ||
2054 | + KEY_NULL, | ||
2055 | KEY_UNSPEC | ||
2056 | }; | ||
2057 | enum fp_type { | ||
2058 | diff --git a/monitor.c b/monitor.c | 2026 | diff --git a/monitor.c b/monitor.c |
2059 | index 531c4f9..2918814 100644 | 2027 | index dbe29f1..b0896ef 100644 |
2060 | --- a/monitor.c | 2028 | --- a/monitor.c |
2061 | +++ b/monitor.c | 2029 | +++ b/monitor.c |
2062 | @@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); | 2030 | @@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); |
2063 | int mm_answer_gss_accept_ctx(int, Buffer *); | 2031 | int mm_answer_gss_accept_ctx(int, Buffer *); |
2064 | int mm_answer_gss_userok(int, Buffer *); | 2032 | int mm_answer_gss_userok(int, Buffer *); |
2065 | int mm_answer_gss_checkmic(int, Buffer *); | 2033 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -2068,7 +2036,7 @@ index 531c4f9..2918814 100644 | |||
2068 | #endif | 2036 | #endif |
2069 | 2037 | ||
2070 | #ifdef SSH_AUDIT_EVENTS | 2038 | #ifdef SSH_AUDIT_EVENTS |
2071 | @@ -247,11 +249,18 @@ struct mon_table mon_dispatch_proto20[] = { | 2039 | @@ -255,11 +257,18 @@ struct mon_table mon_dispatch_proto20[] = { |
2072 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 2040 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
2073 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 2041 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
2074 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 2042 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -2084,10 +2052,10 @@ index 531c4f9..2918814 100644 | |||
2084 | + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, | 2052 | + {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, |
2085 | + {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, | 2053 | + {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, |
2086 | +#endif | 2054 | +#endif |
2055 | #ifdef WITH_OPENSSL | ||
2087 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2056 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
2088 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 2057 | #endif |
2089 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 2058 | @@ -374,6 +383,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
2090 | @@ -360,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | ||
2091 | /* Permit requests for moduli and signatures */ | 2059 | /* Permit requests for moduli and signatures */ |
2092 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2060 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2093 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2061 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2098,7 +2066,7 @@ index 531c4f9..2918814 100644 | |||
2098 | } else { | 2066 | } else { |
2099 | mon_dispatch = mon_dispatch_proto15; | 2067 | mon_dispatch = mon_dispatch_proto15; |
2100 | 2068 | ||
2101 | @@ -465,6 +478,10 @@ monitor_child_postauth(struct monitor *pmonitor) | 2069 | @@ -482,6 +495,10 @@ monitor_child_postauth(struct monitor *pmonitor) |
2102 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2070 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2103 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2071 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2104 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2072 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2109,9 +2077,9 @@ index 531c4f9..2918814 100644 | |||
2109 | } else { | 2077 | } else { |
2110 | mon_dispatch = mon_dispatch_postauth15; | 2078 | mon_dispatch = mon_dispatch_postauth15; |
2111 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2079 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2112 | @@ -1834,6 +1851,13 @@ mm_get_kex(Buffer *m) | 2080 | @@ -1861,6 +1878,13 @@ mm_get_kex(Buffer *m) |
2113 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | ||
2114 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2081 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
2082 | #endif | ||
2115 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 2083 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
2116 | +#ifdef GSSAPI | 2084 | +#ifdef GSSAPI |
2117 | + if (options.gss_keyex) { | 2085 | + if (options.gss_keyex) { |
@@ -2123,7 +2091,7 @@ index 531c4f9..2918814 100644 | |||
2123 | kex->server = 1; | 2091 | kex->server = 1; |
2124 | kex->hostkey_type = buffer_get_int(m); | 2092 | kex->hostkey_type = buffer_get_int(m); |
2125 | kex->kex_type = buffer_get_int(m); | 2093 | kex->kex_type = buffer_get_int(m); |
2126 | @@ -2041,6 +2065,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) | 2094 | @@ -2068,6 +2092,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) |
2127 | OM_uint32 major; | 2095 | OM_uint32 major; |
2128 | u_int len; | 2096 | u_int len; |
2129 | 2097 | ||
@@ -2133,7 +2101,7 @@ index 531c4f9..2918814 100644 | |||
2133 | goid.elements = buffer_get_string(m, &len); | 2101 | goid.elements = buffer_get_string(m, &len); |
2134 | goid.length = len; | 2102 | goid.length = len; |
2135 | 2103 | ||
2136 | @@ -2068,6 +2095,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2104 | @@ -2095,6 +2122,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2137 | OM_uint32 flags = 0; /* GSI needs this */ | 2105 | OM_uint32 flags = 0; /* GSI needs this */ |
2138 | u_int len; | 2106 | u_int len; |
2139 | 2107 | ||
@@ -2143,7 +2111,7 @@ index 531c4f9..2918814 100644 | |||
2143 | in.value = buffer_get_string(m, &len); | 2111 | in.value = buffer_get_string(m, &len); |
2144 | in.length = len; | 2112 | in.length = len; |
2145 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2113 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2146 | @@ -2085,6 +2115,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) | 2114 | @@ -2112,6 +2142,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) |
2147 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2115 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2148 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2116 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2149 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2117 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2151,7 +2119,7 @@ index 531c4f9..2918814 100644 | |||
2151 | } | 2119 | } |
2152 | return (0); | 2120 | return (0); |
2153 | } | 2121 | } |
2154 | @@ -2096,6 +2127,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) | 2122 | @@ -2123,6 +2154,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) |
2155 | OM_uint32 ret; | 2123 | OM_uint32 ret; |
2156 | u_int len; | 2124 | u_int len; |
2157 | 2125 | ||
@@ -2161,7 +2129,7 @@ index 531c4f9..2918814 100644 | |||
2161 | gssbuf.value = buffer_get_string(m, &len); | 2129 | gssbuf.value = buffer_get_string(m, &len); |
2162 | gssbuf.length = len; | 2130 | gssbuf.length = len; |
2163 | mic.value = buffer_get_string(m, &len); | 2131 | mic.value = buffer_get_string(m, &len); |
2164 | @@ -2122,7 +2156,11 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2132 | @@ -2149,7 +2183,11 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2165 | { | 2133 | { |
2166 | int authenticated; | 2134 | int authenticated; |
2167 | 2135 | ||
@@ -2174,7 +2142,7 @@ index 531c4f9..2918814 100644 | |||
2174 | 2142 | ||
2175 | buffer_clear(m); | 2143 | buffer_clear(m); |
2176 | buffer_put_int(m, authenticated); | 2144 | buffer_put_int(m, authenticated); |
2177 | @@ -2135,5 +2173,73 @@ mm_answer_gss_userok(int sock, Buffer *m) | 2145 | @@ -2162,5 +2200,73 @@ mm_answer_gss_userok(int sock, Buffer *m) |
2178 | /* Monitor loop will terminate if authenticated */ | 2146 | /* Monitor loop will terminate if authenticated */ |
2179 | return (authenticated); | 2147 | return (authenticated); |
2180 | } | 2148 | } |
@@ -2263,10 +2231,10 @@ index 5bc41b5..7f32b0c 100644 | |||
2263 | 2231 | ||
2264 | struct mm_master; | 2232 | struct mm_master; |
2265 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 2233 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
2266 | index 1a47e41..60b987d 100644 | 2234 | index 45dc169..e476f0d 100644 |
2267 | --- a/monitor_wrap.c | 2235 | --- a/monitor_wrap.c |
2268 | +++ b/monitor_wrap.c | 2236 | +++ b/monitor_wrap.c |
2269 | @@ -1271,7 +1271,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) | 2237 | @@ -1281,7 +1281,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) |
2270 | } | 2238 | } |
2271 | 2239 | ||
2272 | int | 2240 | int |
@@ -2275,7 +2243,7 @@ index 1a47e41..60b987d 100644 | |||
2275 | { | 2243 | { |
2276 | Buffer m; | 2244 | Buffer m; |
2277 | int authenticated = 0; | 2245 | int authenticated = 0; |
2278 | @@ -1288,5 +1288,50 @@ mm_ssh_gssapi_userok(char *user) | 2246 | @@ -1298,5 +1298,50 @@ mm_ssh_gssapi_userok(char *user) |
2279 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2247 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2280 | return (authenticated); | 2248 | return (authenticated); |
2281 | } | 2249 | } |
@@ -2343,10 +2311,10 @@ index 18c2501..a4e9d24 100644 | |||
2343 | 2311 | ||
2344 | #ifdef USE_PAM | 2312 | #ifdef USE_PAM |
2345 | diff --git a/readconf.c b/readconf.c | 2313 | diff --git a/readconf.c b/readconf.c |
2346 | index dc884c9..7613ff2 100644 | 2314 | index 7948ce1..9127e93 100644 |
2347 | --- a/readconf.c | 2315 | --- a/readconf.c |
2348 | +++ b/readconf.c | 2316 | +++ b/readconf.c |
2349 | @@ -141,6 +141,8 @@ typedef enum { | 2317 | @@ -142,6 +142,8 @@ typedef enum { |
2350 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, | 2318 | oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
2351 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, | 2319 | oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
2352 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, | 2320 | oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
@@ -2355,7 +2323,7 @@ index dc884c9..7613ff2 100644 | |||
2355 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, | 2323 | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
2356 | oSendEnv, oControlPath, oControlMaster, oControlPersist, | 2324 | oSendEnv, oControlPath, oControlMaster, oControlPersist, |
2357 | oHashKnownHosts, | 2325 | oHashKnownHosts, |
2358 | @@ -183,10 +185,19 @@ static struct { | 2326 | @@ -185,10 +187,19 @@ static struct { |
2359 | { "afstokenpassing", oUnsupported }, | 2327 | { "afstokenpassing", oUnsupported }, |
2360 | #if defined(GSSAPI) | 2328 | #if defined(GSSAPI) |
2361 | { "gssapiauthentication", oGssAuthentication }, | 2329 | { "gssapiauthentication", oGssAuthentication }, |
@@ -2375,7 +2343,7 @@ index dc884c9..7613ff2 100644 | |||
2375 | #endif | 2343 | #endif |
2376 | { "fallbacktorsh", oDeprecated }, | 2344 | { "fallbacktorsh", oDeprecated }, |
2377 | { "usersh", oDeprecated }, | 2345 | { "usersh", oDeprecated }, |
2378 | @@ -841,10 +852,30 @@ parse_time: | 2346 | @@ -865,10 +876,30 @@ parse_time: |
2379 | intptr = &options->gss_authentication; | 2347 | intptr = &options->gss_authentication; |
2380 | goto parse_flag; | 2348 | goto parse_flag; |
2381 | 2349 | ||
@@ -2406,7 +2374,7 @@ index dc884c9..7613ff2 100644 | |||
2406 | case oBatchMode: | 2374 | case oBatchMode: |
2407 | intptr = &options->batch_mode; | 2375 | intptr = &options->batch_mode; |
2408 | goto parse_flag; | 2376 | goto parse_flag; |
2409 | @@ -1497,7 +1528,12 @@ initialize_options(Options * options) | 2377 | @@ -1538,7 +1569,12 @@ initialize_options(Options * options) |
2410 | options->pubkey_authentication = -1; | 2378 | options->pubkey_authentication = -1; |
2411 | options->challenge_response_authentication = -1; | 2379 | options->challenge_response_authentication = -1; |
2412 | options->gss_authentication = -1; | 2380 | options->gss_authentication = -1; |
@@ -2419,7 +2387,7 @@ index dc884c9..7613ff2 100644 | |||
2419 | options->password_authentication = -1; | 2387 | options->password_authentication = -1; |
2420 | options->kbd_interactive_authentication = -1; | 2388 | options->kbd_interactive_authentication = -1; |
2421 | options->kbd_interactive_devices = NULL; | 2389 | options->kbd_interactive_devices = NULL; |
2422 | @@ -1616,8 +1652,14 @@ fill_default_options(Options * options) | 2390 | @@ -1661,8 +1697,14 @@ fill_default_options(Options * options) |
2423 | options->challenge_response_authentication = 1; | 2391 | options->challenge_response_authentication = 1; |
2424 | if (options->gss_authentication == -1) | 2392 | if (options->gss_authentication == -1) |
2425 | options->gss_authentication = 0; | 2393 | options->gss_authentication = 0; |
@@ -2435,10 +2403,10 @@ index dc884c9..7613ff2 100644 | |||
2435 | options->password_authentication = 1; | 2403 | options->password_authentication = 1; |
2436 | if (options->kbd_interactive_authentication == -1) | 2404 | if (options->kbd_interactive_authentication == -1) |
2437 | diff --git a/readconf.h b/readconf.h | 2405 | diff --git a/readconf.h b/readconf.h |
2438 | index 75e3f8f..5cc97f0 100644 | 2406 | index 0b9cb77..0e29889 100644 |
2439 | --- a/readconf.h | 2407 | --- a/readconf.h |
2440 | +++ b/readconf.h | 2408 | +++ b/readconf.h |
2441 | @@ -54,7 +54,12 @@ typedef struct { | 2409 | @@ -45,7 +45,12 @@ typedef struct { |
2442 | int challenge_response_authentication; | 2410 | int challenge_response_authentication; |
2443 | /* Try S/Key or TIS, authentication. */ | 2411 | /* Try S/Key or TIS, authentication. */ |
2444 | int gss_authentication; /* Try GSS authentication */ | 2412 | int gss_authentication; /* Try GSS authentication */ |
@@ -2452,10 +2420,10 @@ index 75e3f8f..5cc97f0 100644 | |||
2452 | * authentication. */ | 2420 | * authentication. */ |
2453 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 2421 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
2454 | diff --git a/servconf.c b/servconf.c | 2422 | diff --git a/servconf.c b/servconf.c |
2455 | index 7ba65d5..0083cf8 100644 | 2423 | index b7f3294..cb3c831 100644 |
2456 | --- a/servconf.c | 2424 | --- a/servconf.c |
2457 | +++ b/servconf.c | 2425 | +++ b/servconf.c |
2458 | @@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options) | 2426 | @@ -109,7 +109,10 @@ initialize_server_options(ServerOptions *options) |
2459 | options->kerberos_ticket_cleanup = -1; | 2427 | options->kerberos_ticket_cleanup = -1; |
2460 | options->kerberos_get_afs_token = -1; | 2428 | options->kerberos_get_afs_token = -1; |
2461 | options->gss_authentication=-1; | 2429 | options->gss_authentication=-1; |
@@ -2466,7 +2434,7 @@ index 7ba65d5..0083cf8 100644 | |||
2466 | options->password_authentication = -1; | 2434 | options->password_authentication = -1; |
2467 | options->kbd_interactive_authentication = -1; | 2435 | options->kbd_interactive_authentication = -1; |
2468 | options->challenge_response_authentication = -1; | 2436 | options->challenge_response_authentication = -1; |
2469 | @@ -244,8 +247,14 @@ fill_default_server_options(ServerOptions *options) | 2437 | @@ -250,8 +253,14 @@ fill_default_server_options(ServerOptions *options) |
2470 | options->kerberos_get_afs_token = 0; | 2438 | options->kerberos_get_afs_token = 0; |
2471 | if (options->gss_authentication == -1) | 2439 | if (options->gss_authentication == -1) |
2472 | options->gss_authentication = 0; | 2440 | options->gss_authentication = 0; |
@@ -2481,7 +2449,7 @@ index 7ba65d5..0083cf8 100644 | |||
2481 | if (options->password_authentication == -1) | 2449 | if (options->password_authentication == -1) |
2482 | options->password_authentication = 1; | 2450 | options->password_authentication = 1; |
2483 | if (options->kbd_interactive_authentication == -1) | 2451 | if (options->kbd_interactive_authentication == -1) |
2484 | @@ -340,7 +349,9 @@ typedef enum { | 2452 | @@ -352,7 +361,9 @@ typedef enum { |
2485 | sBanner, sUseDNS, sHostbasedAuthentication, | 2453 | sBanner, sUseDNS, sHostbasedAuthentication, |
2486 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2454 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2487 | sClientAliveCountMax, sAuthorizedKeysFile, | 2455 | sClientAliveCountMax, sAuthorizedKeysFile, |
@@ -2492,7 +2460,7 @@ index 7ba65d5..0083cf8 100644 | |||
2492 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2460 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2493 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2461 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2494 | sHostCertificate, | 2462 | sHostCertificate, |
2495 | @@ -407,10 +418,20 @@ static struct { | 2463 | @@ -421,10 +432,20 @@ static struct { |
2496 | #ifdef GSSAPI | 2464 | #ifdef GSSAPI |
2497 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2465 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2498 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2466 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2513,7 +2481,7 @@ index 7ba65d5..0083cf8 100644 | |||
2513 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2481 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2514 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2482 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2515 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2483 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2516 | @@ -1086,10 +1107,22 @@ process_server_config_line(ServerOptions *options, char *line, | 2484 | @@ -1104,10 +1125,22 @@ process_server_config_line(ServerOptions *options, char *line, |
2517 | intptr = &options->gss_authentication; | 2485 | intptr = &options->gss_authentication; |
2518 | goto parse_flag; | 2486 | goto parse_flag; |
2519 | 2487 | ||
@@ -2536,7 +2504,7 @@ index 7ba65d5..0083cf8 100644 | |||
2536 | case sPasswordAuthentication: | 2504 | case sPasswordAuthentication: |
2537 | intptr = &options->password_authentication; | 2505 | intptr = &options->password_authentication; |
2538 | goto parse_flag; | 2506 | goto parse_flag; |
2539 | @@ -1995,7 +2028,10 @@ dump_config(ServerOptions *o) | 2507 | @@ -2042,7 +2075,10 @@ dump_config(ServerOptions *o) |
2540 | #endif | 2508 | #endif |
2541 | #ifdef GSSAPI | 2509 | #ifdef GSSAPI |
2542 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2510 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2548,10 +2516,10 @@ index 7ba65d5..0083cf8 100644 | |||
2548 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); | 2516 | dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); |
2549 | dump_cfg_fmtint(sKbdInteractiveAuthentication, | 2517 | dump_cfg_fmtint(sKbdInteractiveAuthentication, |
2550 | diff --git a/servconf.h b/servconf.h | 2518 | diff --git a/servconf.h b/servconf.h |
2551 | index 752d1c5..c922eb5 100644 | 2519 | index 766db3a..f8265a8 100644 |
2552 | --- a/servconf.h | 2520 | --- a/servconf.h |
2553 | +++ b/servconf.h | 2521 | +++ b/servconf.h |
2554 | @@ -112,7 +112,10 @@ typedef struct { | 2522 | @@ -113,7 +113,10 @@ typedef struct { |
2555 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2523 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2556 | * authenticated with Kerberos. */ | 2524 | * authenticated with Kerberos. */ |
2557 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2525 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2679,10 +2647,10 @@ index 03a228f..228e5ab 100644 | |||
2679 | # CheckHostIP yes | 2647 | # CheckHostIP yes |
2680 | # AddressFamily any | 2648 | # AddressFamily any |
2681 | diff --git a/ssh_config.5 b/ssh_config.5 | 2649 | diff --git a/ssh_config.5 b/ssh_config.5 |
2682 | index b580392..e7accd6 100644 | 2650 | index f9ede7a..e6649ac 100644 |
2683 | --- a/ssh_config.5 | 2651 | --- a/ssh_config.5 |
2684 | +++ b/ssh_config.5 | 2652 | +++ b/ssh_config.5 |
2685 | @@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed. | 2653 | @@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed. |
2686 | The default is | 2654 | The default is |
2687 | .Dq no . | 2655 | .Dq no . |
2688 | Note that this option applies to protocol version 2 only. | 2656 | Note that this option applies to protocol version 2 only. |
@@ -2728,11 +2696,11 @@ index b580392..e7accd6 100644 | |||
2728 | Indicates that | 2696 | Indicates that |
2729 | .Xr ssh 1 | 2697 | .Xr ssh 1 |
2730 | diff --git a/sshconnect2.c b/sshconnect2.c | 2698 | diff --git a/sshconnect2.c b/sshconnect2.c |
2731 | index 7f4ff41..66cb035 100644 | 2699 | index 68f7f4f..7b478f1 100644 |
2732 | --- a/sshconnect2.c | 2700 | --- a/sshconnect2.c |
2733 | +++ b/sshconnect2.c | 2701 | +++ b/sshconnect2.c |
2734 | @@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2702 | @@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2735 | { | 2703 | char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; |
2736 | Kex *kex; | 2704 | Kex *kex; |
2737 | 2705 | ||
2738 | +#ifdef GSSAPI | 2706 | +#ifdef GSSAPI |
@@ -2766,9 +2734,9 @@ index 7f4ff41..66cb035 100644 | |||
2766 | if (options.ciphers == (char *)-1) { | 2734 | if (options.ciphers == (char *)-1) { |
2767 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2735 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2768 | options.ciphers = NULL; | 2736 | options.ciphers = NULL; |
2769 | @@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2737 | @@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2770 | if (options.kex_algorithms != NULL) | 2738 | myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( |
2771 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 2739 | myproposal[PROPOSAL_KEX_ALGS]); |
2772 | 2740 | ||
2773 | +#ifdef GSSAPI | 2741 | +#ifdef GSSAPI |
2774 | + /* If we've got GSSAPI algorithms, then we also support the | 2742 | + /* If we've got GSSAPI algorithms, then we also support the |
@@ -2784,9 +2752,9 @@ index 7f4ff41..66cb035 100644 | |||
2784 | if (options.rekey_limit || options.rekey_interval) | 2752 | if (options.rekey_limit || options.rekey_interval) |
2785 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, | 2753 | packet_set_rekey_limits((u_int32_t)options.rekey_limit, |
2786 | (time_t)options.rekey_interval); | 2754 | (time_t)options.rekey_interval); |
2787 | @@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) | 2755 | @@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) |
2788 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | ||
2789 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 2756 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; |
2757 | #endif | ||
2790 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; | 2758 | kex->kex[KEX_C25519_SHA256] = kexc25519_client; |
2791 | +#ifdef GSSAPI | 2759 | +#ifdef GSSAPI |
2792 | + if (options.gss_keyex) { | 2760 | + if (options.gss_keyex) { |
@@ -2815,7 +2783,7 @@ index 7f4ff41..66cb035 100644 | |||
2815 | xxx_kex = kex; | 2783 | xxx_kex = kex; |
2816 | 2784 | ||
2817 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2785 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2818 | @@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *); | 2786 | @@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *); |
2819 | void input_gssapi_hash(int type, u_int32_t, void *); | 2787 | void input_gssapi_hash(int type, u_int32_t, void *); |
2820 | void input_gssapi_error(int, u_int32_t, void *); | 2788 | void input_gssapi_error(int, u_int32_t, void *); |
2821 | void input_gssapi_errtok(int, u_int32_t, void *); | 2789 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2823,7 +2791,7 @@ index 7f4ff41..66cb035 100644 | |||
2823 | #endif | 2791 | #endif |
2824 | 2792 | ||
2825 | void userauth(Authctxt *, char *); | 2793 | void userauth(Authctxt *, char *); |
2826 | @@ -316,6 +373,11 @@ static char *authmethods_get(void); | 2794 | @@ -321,6 +378,11 @@ static char *authmethods_get(void); |
2827 | 2795 | ||
2828 | Authmethod authmethods[] = { | 2796 | Authmethod authmethods[] = { |
2829 | #ifdef GSSAPI | 2797 | #ifdef GSSAPI |
@@ -2835,7 +2803,7 @@ index 7f4ff41..66cb035 100644 | |||
2835 | {"gssapi-with-mic", | 2803 | {"gssapi-with-mic", |
2836 | userauth_gssapi, | 2804 | userauth_gssapi, |
2837 | NULL, | 2805 | NULL, |
2838 | @@ -612,19 +674,31 @@ userauth_gssapi(Authctxt *authctxt) | 2806 | @@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt) |
2839 | static u_int mech = 0; | 2807 | static u_int mech = 0; |
2840 | OM_uint32 min; | 2808 | OM_uint32 min; |
2841 | int ok = 0; | 2809 | int ok = 0; |
@@ -2869,7 +2837,7 @@ index 7f4ff41..66cb035 100644 | |||
2869 | ok = 1; /* Mechanism works */ | 2837 | ok = 1; /* Mechanism works */ |
2870 | } else { | 2838 | } else { |
2871 | mech++; | 2839 | mech++; |
2872 | @@ -721,8 +795,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) | 2840 | @@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) |
2873 | { | 2841 | { |
2874 | Authctxt *authctxt = ctxt; | 2842 | Authctxt *authctxt = ctxt; |
2875 | Gssctxt *gssctxt; | 2843 | Gssctxt *gssctxt; |
@@ -2880,7 +2848,7 @@ index 7f4ff41..66cb035 100644 | |||
2880 | 2848 | ||
2881 | if (authctxt == NULL) | 2849 | if (authctxt == NULL) |
2882 | fatal("input_gssapi_response: no authentication context"); | 2850 | fatal("input_gssapi_response: no authentication context"); |
2883 | @@ -831,6 +905,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) | 2851 | @@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) |
2884 | free(msg); | 2852 | free(msg); |
2885 | free(lang); | 2853 | free(lang); |
2886 | } | 2854 | } |
@@ -2930,10 +2898,10 @@ index 7f4ff41..66cb035 100644 | |||
2930 | 2898 | ||
2931 | int | 2899 | int |
2932 | diff --git a/sshd.c b/sshd.c | 2900 | diff --git a/sshd.c b/sshd.c |
2933 | index 7523de9..d787fea 100644 | 2901 | index 481d001..e6706a8 100644 |
2934 | --- a/sshd.c | 2902 | --- a/sshd.c |
2935 | +++ b/sshd.c | 2903 | +++ b/sshd.c |
2936 | @@ -122,6 +122,10 @@ | 2904 | @@ -123,6 +123,10 @@ |
2937 | #include "ssh-sandbox.h" | 2905 | #include "ssh-sandbox.h" |
2938 | #include "version.h" | 2906 | #include "version.h" |
2939 | 2907 | ||
@@ -2941,10 +2909,10 @@ index 7523de9..d787fea 100644 | |||
2941 | +#include <Security/AuthSession.h> | 2909 | +#include <Security/AuthSession.h> |
2942 | +#endif | 2910 | +#endif |
2943 | + | 2911 | + |
2944 | #ifdef LIBWRAP | 2912 | #ifndef O_NOCTTY |
2945 | #include <tcpd.h> | 2913 | #define O_NOCTTY 0 |
2946 | #include <syslog.h> | 2914 | #endif |
2947 | @@ -1728,10 +1732,13 @@ main(int ac, char **av) | 2915 | @@ -1745,10 +1749,13 @@ main(int ac, char **av) |
2948 | logit("Disabling protocol version 1. Could not load host key"); | 2916 | logit("Disabling protocol version 1. Could not load host key"); |
2949 | options.protocol &= ~SSH_PROTO_1; | 2917 | options.protocol &= ~SSH_PROTO_1; |
2950 | } | 2918 | } |
@@ -2958,7 +2926,7 @@ index 7523de9..d787fea 100644 | |||
2958 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2926 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2959 | logit("sshd: no hostkeys available -- exiting."); | 2927 | logit("sshd: no hostkeys available -- exiting."); |
2960 | exit(1); | 2928 | exit(1); |
2961 | @@ -2058,6 +2065,60 @@ main(int ac, char **av) | 2929 | @@ -2060,6 +2067,60 @@ main(int ac, char **av) |
2962 | remote_ip, remote_port, | 2930 | remote_ip, remote_port, |
2963 | get_local_ipaddr(sock_in), get_local_port()); | 2931 | get_local_ipaddr(sock_in), get_local_port()); |
2964 | 2932 | ||
@@ -3019,7 +2987,7 @@ index 7523de9..d787fea 100644 | |||
3019 | /* | 2987 | /* |
3020 | * We don't want to listen forever unless the other side | 2988 | * We don't want to listen forever unless the other side |
3021 | * successfully authenticates itself. So we set up an alarm which is | 2989 | * successfully authenticates itself. So we set up an alarm which is |
3022 | @@ -2469,6 +2530,48 @@ do_ssh2_kex(void) | 2990 | @@ -2482,6 +2543,48 @@ do_ssh2_kex(void) |
3023 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( | 2991 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( |
3024 | list_hostkey_types()); | 2992 | list_hostkey_types()); |
3025 | 2993 | ||
@@ -3067,10 +3035,10 @@ index 7523de9..d787fea 100644 | |||
3067 | + | 3035 | + |
3068 | /* start key exchange */ | 3036 | /* start key exchange */ |
3069 | kex = kex_setup(myproposal); | 3037 | kex = kex_setup(myproposal); |
3070 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 3038 | #ifdef WITH_OPENSSL |
3071 | @@ -2477,6 +2580,13 @@ do_ssh2_kex(void) | 3039 | @@ -2492,6 +2595,13 @@ do_ssh2_kex(void) |
3072 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | ||
3073 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 3040 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
3041 | #endif | ||
3074 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; | 3042 | kex->kex[KEX_C25519_SHA256] = kexc25519_server; |
3075 | +#ifdef GSSAPI | 3043 | +#ifdef GSSAPI |
3076 | + if (options.gss_keyex) { | 3044 | + if (options.gss_keyex) { |
@@ -3096,10 +3064,10 @@ index e9045bc..d9b8594 100644 | |||
3096 | # Set this to 'yes' to enable PAM authentication, account processing, | 3064 | # Set this to 'yes' to enable PAM authentication, account processing, |
3097 | # and session processing. If this is enabled, PAM authentication will | 3065 | # and session processing. If this is enabled, PAM authentication will |
3098 | diff --git a/sshd_config.5 b/sshd_config.5 | 3066 | diff --git a/sshd_config.5 b/sshd_config.5 |
3099 | index ce71efe..ceed88a 100644 | 3067 | index fd44abe..c8b43da 100644 |
3100 | --- a/sshd_config.5 | 3068 | --- a/sshd_config.5 |
3101 | +++ b/sshd_config.5 | 3069 | +++ b/sshd_config.5 |
3102 | @@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed. | 3070 | @@ -527,12 +527,40 @@ Specifies whether user authentication based on GSSAPI is allowed. |
3103 | The default is | 3071 | The default is |
3104 | .Dq no . | 3072 | .Dq no . |
3105 | Note that this option applies to protocol version 2 only. | 3073 | Note that this option applies to protocol version 2 only. |
@@ -3140,3 +3108,36 @@ index ce71efe..ceed88a 100644 | |||
3140 | .It Cm HostbasedAuthentication | 3108 | .It Cm HostbasedAuthentication |
3141 | Specifies whether rhosts or /etc/hosts.equiv authentication together | 3109 | Specifies whether rhosts or /etc/hosts.equiv authentication together |
3142 | with successful public key client host authentication is allowed | 3110 | with successful public key client host authentication is allowed |
3111 | diff --git a/sshkey.c b/sshkey.c | ||
3112 | index fdd0c8a..1a96eae 100644 | ||
3113 | --- a/sshkey.c | ||
3114 | +++ b/sshkey.c | ||
3115 | @@ -110,6 +110,7 @@ static const struct keytype keytypes[] = { | ||
3116 | { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00", | ||
3117 | KEY_DSA_CERT_V00, 0, 1 }, | ||
3118 | #endif /* WITH_OPENSSL */ | ||
3119 | + { "null", "null", KEY_NULL, 0, 0 }, | ||
3120 | { NULL, NULL, -1, -1, 0 } | ||
3121 | }; | ||
3122 | |||
3123 | @@ -198,7 +199,7 @@ key_alg_list(int certs_only, int plain_only) | ||
3124 | const struct keytype *kt; | ||
3125 | |||
3126 | for (kt = keytypes; kt->type != -1; kt++) { | ||
3127 | - if (kt->name == NULL) | ||
3128 | + if (kt->name == NULL || kt->type == KEY_NULL) | ||
3129 | continue; | ||
3130 | if ((certs_only && !kt->cert) || (plain_only && kt->cert)) | ||
3131 | continue; | ||
3132 | diff --git a/sshkey.h b/sshkey.h | ||
3133 | index 450b30c..b573e7f 100644 | ||
3134 | --- a/sshkey.h | ||
3135 | +++ b/sshkey.h | ||
3136 | @@ -64,6 +64,7 @@ enum sshkey_types { | ||
3137 | KEY_ED25519_CERT, | ||
3138 | KEY_RSA_CERT_V00, | ||
3139 | KEY_DSA_CERT_V00, | ||
3140 | + KEY_NULL, | ||
3141 | KEY_UNSPEC | ||
3142 | }; | ||
3143 | |||
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch index e79f4990f..de43f2a80 100644 --- a/debian/patches/helpful-wait-terminate.patch +++ b/debian/patches/helpful-wait-terminate.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ef912859a4300360164292abe47b5516c8ee4a13 Mon Sep 17 00:00:00 2001 | 1 | From aca34215fc0e85d6b49e04f0a3cd0db79732125e Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:56 +0000 |
4 | Subject: Mention ~& when waiting for forwarded connections to terminate | 4 | Subject: Mention ~& when waiting for forwarded connections to terminate |
@@ -12,7 +12,7 @@ Patch-Name: helpful-wait-terminate.patch | |||
12 | 1 file changed, 1 insertion(+), 1 deletion(-) | 12 | 1 file changed, 1 insertion(+), 1 deletion(-) |
13 | 13 | ||
14 | diff --git a/serverloop.c b/serverloop.c | 14 | diff --git a/serverloop.c b/serverloop.c |
15 | index 2f8e3a0..441d73b 100644 | 15 | index e92f9e2..813e5bf 100644 |
16 | --- a/serverloop.c | 16 | --- a/serverloop.c |
17 | +++ b/serverloop.c | 17 | +++ b/serverloop.c |
18 | @@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) | 18 | @@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) |
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch index 680701f3d..15acabc0e 100644 --- a/debian/patches/keepalive-extensions.patch +++ b/debian/patches/keepalive-extensions.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 81540b7886fdc73c7be304706ea33d6d87b5fc81 Mon Sep 17 00:00:00 2001 | 1 | From bd3abc2f732da3a61e4158b915480808957a4357 Mon Sep 17 00:00:00 2001 |
2 | From: Richard Kettlewell <rjk@greenend.org.uk> | 2 | From: Richard Kettlewell <rjk@greenend.org.uk> |
3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:52 +0000 |
4 | Subject: Various keepalive extensions | 4 | Subject: Various keepalive extensions |
@@ -16,7 +16,7 @@ keepalives. | |||
16 | Author: Ian Jackson <ian@chiark.greenend.org.uk> | 16 | Author: Ian Jackson <ian@chiark.greenend.org.uk> |
17 | Author: Matthew Vernon <matthew@debian.org> | 17 | Author: Matthew Vernon <matthew@debian.org> |
18 | Author: Colin Watson <cjwatson@debian.org> | 18 | Author: Colin Watson <cjwatson@debian.org> |
19 | Last-Update: 2013-09-14 | 19 | Last-Update: 2014-10-07 |
20 | 20 | ||
21 | Patch-Name: keepalive-extensions.patch | 21 | Patch-Name: keepalive-extensions.patch |
22 | --- | 22 | --- |
@@ -26,27 +26,27 @@ Patch-Name: keepalive-extensions.patch | |||
26 | 3 files changed, 34 insertions(+), 4 deletions(-) | 26 | 3 files changed, 34 insertions(+), 4 deletions(-) |
27 | 27 | ||
28 | diff --git a/readconf.c b/readconf.c | 28 | diff --git a/readconf.c b/readconf.c |
29 | index bcd8cad..6409937 100644 | 29 | index bc879eb..337818c 100644 |
30 | --- a/readconf.c | 30 | --- a/readconf.c |
31 | +++ b/readconf.c | 31 | +++ b/readconf.c |
32 | @@ -151,6 +151,7 @@ typedef enum { | 32 | @@ -153,6 +153,7 @@ typedef enum { |
33 | oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, | ||
34 | oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, | 33 | oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, |
35 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, | 34 | oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, |
35 | oStreamLocalBindMask, oStreamLocalBindUnlink, | ||
36 | + oProtocolKeepAlives, oSetupTimeOut, | 36 | + oProtocolKeepAlives, oSetupTimeOut, |
37 | oIgnoredUnknownOption, oDeprecated, oUnsupported | 37 | oIgnoredUnknownOption, oDeprecated, oUnsupported |
38 | } OpCodes; | 38 | } OpCodes; |
39 | 39 | ||
40 | @@ -274,6 +275,8 @@ static struct { | 40 | @@ -278,6 +279,8 @@ static struct { |
41 | { "canonicalizemaxdots", oCanonicalizeMaxDots }, | 41 | { "streamlocalbindmask", oStreamLocalBindMask }, |
42 | { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, | 42 | { "streamlocalbindunlink", oStreamLocalBindUnlink }, |
43 | { "ignoreunknown", oIgnoreUnknown }, | 43 | { "ignoreunknown", oIgnoreUnknown }, |
44 | + { "protocolkeepalives", oProtocolKeepAlives }, | 44 | + { "protocolkeepalives", oProtocolKeepAlives }, |
45 | + { "setuptimeout", oSetupTimeOut }, | 45 | + { "setuptimeout", oSetupTimeOut }, |
46 | 46 | ||
47 | { NULL, oBadOption } | 47 | { NULL, oBadOption } |
48 | }; | 48 | }; |
49 | @@ -1247,6 +1250,8 @@ parse_int: | 49 | @@ -1271,6 +1274,8 @@ parse_int: |
50 | goto parse_flag; | 50 | goto parse_flag; |
51 | 51 | ||
52 | case oServerAliveInterval: | 52 | case oServerAliveInterval: |
@@ -55,7 +55,7 @@ index bcd8cad..6409937 100644 | |||
55 | intptr = &options->server_alive_interval; | 55 | intptr = &options->server_alive_interval; |
56 | goto parse_time; | 56 | goto parse_time; |
57 | 57 | ||
58 | @@ -1746,8 +1751,13 @@ fill_default_options(Options * options) | 58 | @@ -1791,8 +1796,13 @@ fill_default_options(Options * options) |
59 | options->rekey_interval = 0; | 59 | options->rekey_interval = 0; |
60 | if (options->verify_host_key_dns == -1) | 60 | if (options->verify_host_key_dns == -1) |
61 | options->verify_host_key_dns = 0; | 61 | options->verify_host_key_dns = 0; |
@@ -72,7 +72,7 @@ index bcd8cad..6409937 100644 | |||
72 | options->server_alive_count_max = 3; | 72 | options->server_alive_count_max = 3; |
73 | if (options->control_master == -1) | 73 | if (options->control_master == -1) |
74 | diff --git a/ssh_config.5 b/ssh_config.5 | 74 | diff --git a/ssh_config.5 b/ssh_config.5 |
75 | index 473971e..3172fd4 100644 | 75 | index 01f1f7f..ea92ea8 100644 |
76 | --- a/ssh_config.5 | 76 | --- a/ssh_config.5 |
77 | +++ b/ssh_config.5 | 77 | +++ b/ssh_config.5 |
78 | @@ -205,8 +205,12 @@ Valid arguments are | 78 | @@ -205,8 +205,12 @@ Valid arguments are |
@@ -89,7 +89,7 @@ index 473971e..3172fd4 100644 | |||
89 | The argument must be | 89 | The argument must be |
90 | .Dq yes | 90 | .Dq yes |
91 | or | 91 | or |
92 | @@ -1305,8 +1309,15 @@ from the server, | 92 | @@ -1336,8 +1340,15 @@ from the server, |
93 | will send a message through the encrypted | 93 | will send a message through the encrypted |
94 | channel to request a response from the server. | 94 | channel to request a response from the server. |
95 | The default | 95 | The default |
@@ -103,10 +103,10 @@ index 473971e..3172fd4 100644 | |||
103 | +and | 103 | +and |
104 | +.Cm SetupTimeOut | 104 | +.Cm SetupTimeOut |
105 | +are Debian-specific compatibility aliases for this option. | 105 | +are Debian-specific compatibility aliases for this option. |
106 | .It Cm StrictHostKeyChecking | 106 | .It Cm StreamLocalBindMask |
107 | If this flag is set to | 107 | Sets the octal file creation mode mask |
108 | .Dq yes , | 108 | .Pq umask |
109 | @@ -1345,6 +1356,12 @@ Specifies whether the system should send TCP keepalive messages to the | 109 | @@ -1403,6 +1414,12 @@ Specifies whether the system should send TCP keepalive messages to the |
110 | other side. | 110 | other side. |
111 | If they are sent, death of the connection or crash of one | 111 | If they are sent, death of the connection or crash of one |
112 | of the machines will be properly noticed. | 112 | of the machines will be properly noticed. |
@@ -120,10 +120,10 @@ index 473971e..3172fd4 100644 | |||
120 | connections will die if the route is down temporarily, and some people | 120 | connections will die if the route is down temporarily, and some people |
121 | find it annoying. | 121 | find it annoying. |
122 | diff --git a/sshd_config.5 b/sshd_config.5 | 122 | diff --git a/sshd_config.5 b/sshd_config.5 |
123 | index ceed88a..2164d58 100644 | 123 | index c8b43da..2843048 100644 |
124 | --- a/sshd_config.5 | 124 | --- a/sshd_config.5 |
125 | +++ b/sshd_config.5 | 125 | +++ b/sshd_config.5 |
126 | @@ -1183,6 +1183,9 @@ This avoids infinitely hanging sessions. | 126 | @@ -1307,6 +1307,9 @@ This avoids infinitely hanging sessions. |
127 | .Pp | 127 | .Pp |
128 | To disable TCP keepalive messages, the value should be set to | 128 | To disable TCP keepalive messages, the value should be set to |
129 | .Dq no . | 129 | .Dq no . |
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch index 09e09ecf8..81b924e35 100644 --- a/debian/patches/lintian-symlink-pickiness.patch +++ b/debian/patches/lintian-symlink-pickiness.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From eb567100ef178f4395c95cc1f37b921e02c3dd5b Mon Sep 17 00:00:00 2001 | 1 | From 248d3bb8de371b55aaf3a8f544c15f3a25eb7339 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:08 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:08 +0000 |
4 | Subject: Fix picky lintian errors about slogin symlinks | 4 | Subject: Fix picky lintian errors about slogin symlinks |
@@ -15,10 +15,10 @@ Patch-Name: lintian-symlink-pickiness.patch | |||
15 | 1 file changed, 2 insertions(+), 2 deletions(-) | 15 | 1 file changed, 2 insertions(+), 2 deletions(-) |
16 | 16 | ||
17 | diff --git a/Makefile.in b/Makefile.in | 17 | diff --git a/Makefile.in b/Makefile.in |
18 | index feee0b2..7d192bb 100644 | 18 | index a4402e9..4eab574 100644 |
19 | --- a/Makefile.in | 19 | --- a/Makefile.in |
20 | +++ b/Makefile.in | 20 | +++ b/Makefile.in |
21 | @@ -293,9 +293,9 @@ install-files: | 21 | @@ -315,9 +315,9 @@ install-files: |
22 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 22 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
23 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 23 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
24 | -rm -f $(DESTDIR)$(bindir)/slogin | 24 | -rm -f $(DESTDIR)$(bindir)/slogin |
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch index e00b6c345..f90c7e2b1 100644 --- a/debian/patches/mention-ssh-keygen-on-keychange.patch +++ b/debian/patches/mention-ssh-keygen-on-keychange.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8ab8f1465980856291f215c7b7184a4456398fb4 Mon Sep 17 00:00:00 2001 | 1 | From 064453886f4c3d8ac0b0c8d015ad614c8bce3b42 Mon Sep 17 00:00:00 2001 |
2 | From: Scott Moser <smoser@ubuntu.com> | 2 | From: Scott Moser <smoser@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:03 +0000 |
4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning | 4 | Subject: Mention ssh-keygen in ssh fingerprint changed warning |
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch | |||
13 | 1 file changed, 6 insertions(+), 1 deletion(-) | 13 | 1 file changed, 6 insertions(+), 1 deletion(-) |
14 | 14 | ||
15 | diff --git a/sshconnect.c b/sshconnect.c | 15 | diff --git a/sshconnect.c b/sshconnect.c |
16 | index 9e02837..e0a5db9 100644 | 16 | index 26116d2..ab83d0c 100644 |
17 | --- a/sshconnect.c | 17 | --- a/sshconnect.c |
18 | +++ b/sshconnect.c | 18 | +++ b/sshconnect.c |
19 | @@ -1065,9 +1065,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 19 | @@ -1066,9 +1066,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
20 | error("%s. This could either mean that", key_msg); | 20 | error("%s. This could either mean that", key_msg); |
21 | error("DNS SPOOFING is happening or the IP address for the host"); | 21 | error("DNS SPOOFING is happening or the IP address for the host"); |
22 | error("and its host key have changed at the same time."); | 22 | error("and its host key have changed at the same time."); |
@@ -30,7 +30,7 @@ index 9e02837..e0a5db9 100644 | |||
30 | } | 30 | } |
31 | /* The host key has changed. */ | 31 | /* The host key has changed. */ |
32 | warn_changed_key(host_key); | 32 | warn_changed_key(host_key); |
33 | @@ -1075,6 +1078,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, | 33 | @@ -1076,6 +1079,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, |
34 | user_hostfiles[0]); | 34 | user_hostfiles[0]); |
35 | error("Offending %s key in %s:%lu", key_type(host_found->key), | 35 | error("Offending %s key in %s:%lu", key_type(host_found->key), |
36 | host_found->file, host_found->line); | 36 | host_found->file, host_found->line); |
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch deleted file mode 100644 index 56fa46aac..000000000 --- a/debian/patches/no-openssl-version-check.patch +++ /dev/null | |||
@@ -1,41 +0,0 @@ | |||
1 | From 20690ea4b33e8ff81fea287492270df3a7029777 Mon Sep 17 00:00:00 2001 | ||
2 | From: Philip Hands <phil@hands.com> | ||
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | ||
4 | Subject: Disable OpenSSL version check | ||
5 | |||
6 | OpenSSL's SONAME is sufficient nowadays. | ||
7 | |||
8 | Author: Colin Watson <cjwatson@debian.org> | ||
9 | Bug-Debian: http://bugs.debian.org/93581 | ||
10 | Bug-Debian: http://bugs.debian.org/664383 | ||
11 | Forwarded: not-needed | ||
12 | Last-Update: 2013-12-23 | ||
13 | |||
14 | Patch-Name: no-openssl-version-check.patch | ||
15 | --- | ||
16 | entropy.c | 12 ------------ | ||
17 | 1 file changed, 12 deletions(-) | ||
18 | |||
19 | diff --git a/entropy.c b/entropy.c | ||
20 | index 2d483b3..2aee2d9 100644 | ||
21 | --- a/entropy.c | ||
22 | +++ b/entropy.c | ||
23 | @@ -209,18 +209,6 @@ seed_rng(void) | ||
24 | #ifndef OPENSSL_PRNG_ONLY | ||
25 | unsigned char buf[RANDOM_SEED_SIZE]; | ||
26 | #endif | ||
27 | - /* | ||
28 | - * OpenSSL version numbers: MNNFFPPS: major minor fix patch status | ||
29 | - * We match major, minor, fix and status (not patch) for <1.0.0. | ||
30 | - * After that, we acceptable compatible fix versions (so we | ||
31 | - * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed | ||
32 | - * within a patch series. | ||
33 | - */ | ||
34 | - u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L; | ||
35 | - if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) || | ||
36 | - (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12)) | ||
37 | - fatal("OpenSSL version mismatch. Built against %lx, you " | ||
38 | - "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); | ||
39 | |||
40 | #ifndef OPENSSL_PRNG_ONLY | ||
41 | if (RAND_status() == 1) { | ||
diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch new file mode 100644 index 000000000..dfcef83b0 --- /dev/null +++ b/debian/patches/no-openssl-version-status.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From 37fd625165d0df302e441d9cad9bcc742378eef5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Kurt Roeckx <kurt@roeckx.be> | ||
3 | Date: Sun, 9 Feb 2014 16:10:14 +0000 | ||
4 | Subject: Don't check the status field of the OpenSSL version | ||
5 | |||
6 | There is no reason to check the version of OpenSSL (in Debian). If it's | ||
7 | not compatible the soname will change. OpenSSH seems to want to do a | ||
8 | check for the soname based on the version number, but wants to keep the | ||
9 | status of the release the same. Remove that check on the status since | ||
10 | it doesn't tell you anything about how compatible that version is. | ||
11 | |||
12 | Author: Colin Watson <cjwatson@debian.org> | ||
13 | Bug-Debian: https://bugs.debian.org/93581 | ||
14 | Bug-Debian: https://bugs.debian.org/664383 | ||
15 | Bug-Debian: https://bugs.debian.org/732940 | ||
16 | Forwarded: not-needed | ||
17 | Last-Update: 2014-10-07 | ||
18 | |||
19 | Patch-Name: no-openssl-version-status.patch | ||
20 | --- | ||
21 | openbsd-compat/openssl-compat.c | 6 +++--- | ||
22 | openbsd-compat/regress/opensslvertest.c | 1 + | ||
23 | 2 files changed, 4 insertions(+), 3 deletions(-) | ||
24 | |||
25 | diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c | ||
26 | index 36570e4..defd5fb 100644 | ||
27 | --- a/openbsd-compat/openssl-compat.c | ||
28 | +++ b/openbsd-compat/openssl-compat.c | ||
29 | @@ -34,7 +34,7 @@ | ||
30 | /* | ||
31 | * OpenSSL version numbers: MNNFFPPS: major minor fix patch status | ||
32 | * We match major, minor, fix and status (not patch) for <1.0.0. | ||
33 | - * After that, we acceptable compatible fix versions (so we | ||
34 | + * After that, we accept compatible fix and status versions (so we | ||
35 | * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed | ||
36 | * within a patch series. | ||
37 | */ | ||
38 | @@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver) | ||
39 | } | ||
40 | |||
41 | /* | ||
42 | - * For versions >= 1.0.0, major,minor,status must match and library | ||
43 | + * For versions >= 1.0.0, major,minor must match and library | ||
44 | * fix version must be equal to or newer than the header. | ||
45 | */ | ||
46 | - mask = 0xfff0000fL; /* major,minor,status */ | ||
47 | + mask = 0xfff00000L; /* major,minor */ | ||
48 | hfix = (headerver & 0x000ff000) >> 12; | ||
49 | lfix = (libver & 0x000ff000) >> 12; | ||
50 | if ( (headerver & mask) == (libver & mask) && lfix >= hfix) | ||
51 | diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c | ||
52 | index 5d019b5..5847487 100644 | ||
53 | --- a/openbsd-compat/regress/opensslvertest.c | ||
54 | +++ b/openbsd-compat/regress/opensslvertest.c | ||
55 | @@ -35,6 +35,7 @@ struct version_test { | ||
56 | |||
57 | /* built with 1.0.1b release headers */ | ||
58 | { 0x1000101fL, 0x1000101fL, 1},/* exact match */ | ||
59 | + { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */ | ||
60 | { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */ | ||
61 | { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ | ||
62 | { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ | ||
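Review bot: The regress table gains only the header-release/library-dev direction (`{ 0x1000101fL, 0x10001010L, 1}`), yet the new mask `0xfff00000L` in ssh_compatible_openssl also makes a dev-status header accept a release library, so a mirrored row such as `{ 0x10001010L, 0x1000101fL, 1}, /* different status, reversed: ok */` would pin the second direction the change introduces. The rewritten comment in openssl-compat.c says only that "major,minor must match"; since the commit message relies on Debian's soname policy rather than the version number to guarantee ABI compatibility, recording that rationale next to the mask, e.g. `/* status nibble ignored: Debian relies on the soname for compatibility */`, would tell the next maintainer why the check is looser than upstream's. The added regress row also uses a different spacing before its trailing comment than the surrounding rows. ssh_compatible_openssl's body begins and ends outside the hunk, so the <1.0.0 branch that the header comment still describes as matching status is not visible here.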
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index 9a34a4182..37ad675d4 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ec9bfd62211fdf5a3004ef2045c2eb3baccfd375 Mon Sep 17 00:00:00 2001 | 1 | From 0b9407d3023938b02bccf7dd1874a871d0cc8eb5 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:09 +0000 |
4 | Subject: Adjust various OpenBSD-specific references in manual pages | 4 | Subject: Adjust various OpenBSD-specific references in manual pages |
@@ -10,7 +10,7 @@ No single bug reference for this patch, but history includes: | |||
10 | https://bugs.launchpad.net/bugs/456660 (ssl(8)) | 10 | https://bugs.launchpad.net/bugs/456660 (ssl(8)) |
11 | 11 | ||
12 | Forwarded: not-needed | 12 | Forwarded: not-needed |
13 | Last-Update: 2013-09-14 | 13 | Last-Update: 2014-10-07 |
14 | 14 | ||
15 | Patch-Name: openbsd-docs.patch | 15 | Patch-Name: openbsd-docs.patch |
16 | --- | 16 | --- |
@@ -44,7 +44,7 @@ index ef0de08..149846c 100644 | |||
44 | .Sh SEE ALSO | 44 | .Sh SEE ALSO |
45 | .Xr ssh-keygen 1 , | 45 | .Xr ssh-keygen 1 , |
46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 | 46 | diff --git a/ssh-keygen.1 b/ssh-keygen.1 |
47 | index 12e00d4..a71de74 100644 | 47 | index 723a016..79b948c 100644 |
48 | --- a/ssh-keygen.1 | 48 | --- a/ssh-keygen.1 |
49 | +++ b/ssh-keygen.1 | 49 | +++ b/ssh-keygen.1 |
50 | @@ -172,9 +172,7 @@ key in | 50 | @@ -172,9 +172,7 @@ key in |
@@ -88,10 +88,10 @@ index 12e00d4..a71de74 100644 | |||
88 | The file format is described in | 88 | The file format is described in |
89 | .Xr moduli 5 . | 89 | .Xr moduli 5 . |
90 | diff --git a/ssh.1 b/ssh.1 | 90 | diff --git a/ssh.1 b/ssh.1 |
91 | index ff5e6ac..67b4f44 100644 | 91 | index 7f6ab77..de178cd 100644 |
92 | --- a/ssh.1 | 92 | --- a/ssh.1 |
93 | +++ b/ssh.1 | 93 | +++ b/ssh.1 |
94 | @@ -763,6 +763,10 @@ Protocol 1 is restricted to using only RSA keys, | 94 | @@ -753,6 +753,10 @@ Protocol 1 is restricted to using only RSA keys, |
95 | but protocol 2 may use any. | 95 | but protocol 2 may use any. |
96 | The HISTORY section of | 96 | The HISTORY section of |
97 | .Xr ssl 8 | 97 | .Xr ssl 8 |
@@ -103,10 +103,10 @@ index ff5e6ac..67b4f44 100644 | |||
103 | .Pp | 103 | .Pp |
104 | The file | 104 | The file |
105 | diff --git a/sshd.8 b/sshd.8 | 105 | diff --git a/sshd.8 b/sshd.8 |
106 | index e6a900b..b016e90 100644 | 106 | index eaeac45..3538208 100644 |
107 | --- a/sshd.8 | 107 | --- a/sshd.8 |
108 | +++ b/sshd.8 | 108 | +++ b/sshd.8 |
109 | @@ -70,7 +70,7 @@ over an insecure network. | 109 | @@ -67,7 +67,7 @@ over an insecure network. |
110 | .Nm | 110 | .Nm |
111 | listens for connections from clients. | 111 | listens for connections from clients. |
112 | It is normally started at boot from | 112 | It is normally started at boot from |
@@ -133,14 +133,14 @@ index e6a900b..b016e90 100644 | |||
133 | .Xr sshd_config 5 , | 133 | .Xr sshd_config 5 , |
134 | .Xr inetd 8 , | 134 | .Xr inetd 8 , |
135 | diff --git a/sshd_config.5 b/sshd_config.5 | 135 | diff --git a/sshd_config.5 b/sshd_config.5 |
136 | index 8f078f6..908e0bb 100644 | 136 | index 58997d3..7396b23 100644 |
137 | --- a/sshd_config.5 | 137 | --- a/sshd_config.5 |
138 | +++ b/sshd_config.5 | 138 | +++ b/sshd_config.5 |
139 | @@ -283,8 +283,7 @@ This option is only available for protocol version 2. | 139 | @@ -303,8 +303,7 @@ This option is only available for protocol version 2. |
140 | By default, no banner is displayed. | 140 | By default, no banner is displayed. |
141 | .It Cm ChallengeResponseAuthentication | 141 | .It Cm ChallengeResponseAuthentication |
142 | Specifies whether challenge-response authentication is allowed (e.g. via | 142 | Specifies whether challenge-response authentication is allowed (e.g. via |
143 | -PAM or though authentication styles supported in | 143 | -PAM or through authentication styles supported in |
144 | -.Xr login.conf 5 ) | 144 | -.Xr login.conf 5 ) |
145 | +PAM). | 145 | +PAM). |
146 | The default is | 146 | The default is |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index c9c20d1c0..07a28af9a 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6de70b95f5005447ae23532d4f3ee41a9338479f Mon Sep 17 00:00:00 2001 | 1 | From 8679c96f74ee7dbea6c15c764b036fbab7372740 Mon Sep 17 00:00:00 2001 |
2 | From: Matthew Vernon <matthew@debian.org> | 2 | From: Matthew Vernon <matthew@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:05 +0000 |
4 | Subject: Include the Debian version in our identification | 4 | Subject: Include the Debian version in our identification |
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch | |||
19 | 3 files changed, 9 insertions(+), 4 deletions(-) | 19 | 3 files changed, 9 insertions(+), 4 deletions(-) |
20 | 20 | ||
21 | diff --git a/sshconnect.c b/sshconnect.c | 21 | diff --git a/sshconnect.c b/sshconnect.c |
22 | index e0a5db9..87c3770 100644 | 22 | index ab83d0c..563405e 100644 |
23 | --- a/sshconnect.c | 23 | --- a/sshconnect.c |
24 | +++ b/sshconnect.c | 24 | +++ b/sshconnect.c |
25 | @@ -520,10 +520,10 @@ send_client_banner(int connection_out, int minor1) | 25 | @@ -521,10 +521,10 @@ send_client_banner(int connection_out, int minor1) |
26 | /* Send our own protocol version identification. */ | 26 | /* Send our own protocol version identification. */ |
27 | if (compat20) { | 27 | if (compat20) { |
28 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", | 28 | xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", |
@@ -36,10 +36,10 @@ index e0a5db9..87c3770 100644 | |||
36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, | 36 | if (roaming_atomicio(vwrite, connection_out, client_version_string, |
37 | strlen(client_version_string)) != strlen(client_version_string)) | 37 | strlen(client_version_string)) != strlen(client_version_string)) |
38 | diff --git a/sshd.c b/sshd.c | 38 | diff --git a/sshd.c b/sshd.c |
39 | index e343d90..af9b8f1 100644 | 39 | index 48a14dd..1710e71 100644 |
40 | --- a/sshd.c | 40 | --- a/sshd.c |
41 | +++ b/sshd.c | 41 | +++ b/sshd.c |
42 | @@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out) | 42 | @@ -443,7 +443,7 @@ sshd_exchange_identification(int sock_in, int sock_out) |
43 | } | 43 | } |
44 | 44 | ||
45 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", | 45 | xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", |
@@ -49,11 +49,11 @@ index e343d90..af9b8f1 100644 | |||
49 | options.version_addendum, newline); | 49 | options.version_addendum, newline); |
50 | 50 | ||
51 | diff --git a/version.h b/version.h | 51 | diff --git a/version.h b/version.h |
52 | index a1579ac..a97c337 100644 | 52 | index cc8a079..0fee7c3 100644 |
53 | --- a/version.h | 53 | --- a/version.h |
54 | +++ b/version.h | 54 | +++ b/version.h |
55 | @@ -3,4 +3,9 @@ | 55 | @@ -3,4 +3,9 @@ |
56 | #define SSH_VERSION "OpenSSH_6.6" | 56 | #define SSH_VERSION "OpenSSH_6.7" |
57 | 57 | ||
58 | #define SSH_PORTABLE "p1" | 58 | #define SSH_PORTABLE "p1" |
59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 59 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch index 075b59823..6d9a2f9c0 100644 --- a/debian/patches/quieter-signals.patch +++ b/debian/patches/quieter-signals.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 9875e47079abff55f8d2c1e958e9d50de6eae7ec Mon Sep 17 00:00:00 2001 | 1 | From dc028c5992b4b14cca380b6ad2115fcc6907a8b7 Mon Sep 17 00:00:00 2001 |
2 | From: Peter Samuelson <peter@p12n.org> | 2 | From: Peter Samuelson <peter@p12n.org> |
3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:55 +0000 |
4 | Subject: Reduce severity of "Killed by signal %d" | 4 | Subject: Reduce severity of "Killed by signal %d" |
@@ -22,10 +22,10 @@ Patch-Name: quieter-signals.patch | |||
22 | 1 file changed, 4 insertions(+), 2 deletions(-) | 22 | 1 file changed, 4 insertions(+), 2 deletions(-) |
23 | 23 | ||
24 | diff --git a/clientloop.c b/clientloop.c | 24 | diff --git a/clientloop.c b/clientloop.c |
25 | index 73a800c..4bc5b57 100644 | 25 | index 046ca8b..0180774 100644 |
26 | --- a/clientloop.c | 26 | --- a/clientloop.c |
27 | +++ b/clientloop.c | 27 | +++ b/clientloop.c |
28 | @@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) | 28 | @@ -1705,8 +1705,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) |
29 | exit_status = 0; | 29 | exit_status = 0; |
30 | } | 30 | } |
31 | 31 | ||
diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch new file mode 100644 index 000000000..c590f52ce --- /dev/null +++ b/debian/patches/restore-tcp-wrappers.patch | |||
@@ -0,0 +1,172 @@ | |||
1 | From b25d6dd3b6b5a2cb93723586c56d6fa0277ea56a Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Watson <cjwatson@debian.org> | ||
3 | Date: Tue, 7 Oct 2014 13:22:41 +0100 | ||
4 | Subject: Restore TCP wrappers support | ||
5 | |||
6 | Support for TCP wrappers was dropped in OpenSSH 6.7. See this message | ||
7 | and thread: | ||
8 | |||
9 | https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html | ||
10 | |||
11 | It is true that this reduces preauth attack surface in sshd. On the | ||
12 | other hand, this support seems to be quite widely used, and abruptly | ||
13 | dropping it (from the perspective of users who don't read | ||
14 | openssh-unix-dev) could easily cause more serious problems in practice. | ||
15 | |||
16 | It's not entirely clear what the right long-term answer for Debian is, | ||
17 | but it at least probably doesn't involve dropping this feature shortly | ||
18 | before a freeze. | ||
19 | |||
20 | Forwarded: not-needed | ||
21 | Last-Update: 2014-10-07 | ||
22 | |||
23 | Patch-Name: restore-tcp-wrappers.patch | ||
24 | --- | ||
25 | configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ | ||
26 | sshd.8 | 7 +++++++ | ||
27 | sshd.c | 25 +++++++++++++++++++++++++ | ||
28 | 3 files changed, 89 insertions(+) | ||
29 | |||
30 | diff --git a/configure.ac b/configure.ac | ||
31 | index 90e81e1..7f160f1 100644 | ||
32 | --- a/configure.ac | ||
33 | +++ b/configure.ac | ||
34 | @@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey], | ||
35 | ] | ||
36 | ) | ||
37 | |||
38 | +# Check whether user wants TCP wrappers support | ||
39 | +TCPW_MSG="no" | ||
40 | +AC_ARG_WITH([tcp-wrappers], | ||
41 | + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], | ||
42 | + [ | ||
43 | + if test "x$withval" != "xno" ; then | ||
44 | + saved_LIBS="$LIBS" | ||
45 | + saved_LDFLAGS="$LDFLAGS" | ||
46 | + saved_CPPFLAGS="$CPPFLAGS" | ||
47 | + if test -n "${withval}" && \ | ||
48 | + test "x${withval}" != "xyes"; then | ||
49 | + if test -d "${withval}/lib"; then | ||
50 | + if test -n "${need_dash_r}"; then | ||
51 | + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" | ||
52 | + else | ||
53 | + LDFLAGS="-L${withval}/lib ${LDFLAGS}" | ||
54 | + fi | ||
55 | + else | ||
56 | + if test -n "${need_dash_r}"; then | ||
57 | + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" | ||
58 | + else | ||
59 | + LDFLAGS="-L${withval} ${LDFLAGS}" | ||
60 | + fi | ||
61 | + fi | ||
62 | + if test -d "${withval}/include"; then | ||
63 | + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" | ||
64 | + else | ||
65 | + CPPFLAGS="-I${withval} ${CPPFLAGS}" | ||
66 | + fi | ||
67 | + fi | ||
68 | + LIBS="-lwrap $LIBS" | ||
69 | + AC_MSG_CHECKING([for libwrap]) | ||
70 | + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ | ||
71 | +#include <sys/types.h> | ||
72 | +#include <sys/socket.h> | ||
73 | +#include <netinet/in.h> | ||
74 | +#include <tcpd.h> | ||
75 | +int deny_severity = 0, allow_severity = 0; | ||
76 | + ]], [[ | ||
77 | + hosts_access(0); | ||
78 | + ]])], [ | ||
79 | + AC_MSG_RESULT([yes]) | ||
80 | + AC_DEFINE([LIBWRAP], [1], | ||
81 | + [Define if you want | ||
82 | + TCP Wrappers support]) | ||
83 | + SSHDLIBS="$SSHDLIBS -lwrap" | ||
84 | + TCPW_MSG="yes" | ||
85 | + ], [ | ||
86 | + AC_MSG_ERROR([*** libwrap missing]) | ||
87 | + | ||
88 | + ]) | ||
89 | + LIBS="$saved_LIBS" | ||
90 | + fi | ||
91 | + ] | ||
92 | +) | ||
93 | + | ||
94 | # Check whether user wants to use ldns | ||
95 | LDNS_MSG="no" | ||
96 | AC_ARG_WITH(ldns, | ||
97 | @@ -4853,6 +4909,7 @@ echo " KerberosV support: $KRB5_MSG" | ||
98 | echo " SELinux support: $SELINUX_MSG" | ||
99 | echo " Smartcard support: $SCARD_MSG" | ||
100 | echo " S/KEY support: $SKEY_MSG" | ||
101 | +echo " TCP Wrappers support: $TCPW_MSG" | ||
102 | echo " MD5 password support: $MD5_MSG" | ||
103 | echo " libedit support: $LIBEDIT_MSG" | ||
104 | echo " Solaris process contract support: $SPC_MSG" | ||
105 | diff --git a/sshd.8 b/sshd.8 | ||
106 | index 01459d6..eaeac45 100644 | ||
107 | --- a/sshd.8 | ||
108 | +++ b/sshd.8 | ||
109 | @@ -851,6 +851,12 @@ the user's home directory becomes accessible. | ||
110 | This file should be writable only by the user, and need not be | ||
111 | readable by anyone else. | ||
112 | .Pp | ||
113 | +.It Pa /etc/hosts.allow | ||
114 | +.It Pa /etc/hosts.deny | ||
115 | +Access controls that should be enforced by tcp-wrappers are defined here. | ||
116 | +Further details are described in | ||
117 | +.Xr hosts_access 5 . | ||
118 | +.Pp | ||
119 | .It Pa /etc/hosts.equiv | ||
120 | This file is for host-based authentication (see | ||
121 | .Xr ssh 1 ) . | ||
122 | @@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable. | ||
123 | .Xr ssh-keygen 1 , | ||
124 | .Xr ssh-keyscan 1 , | ||
125 | .Xr chroot 2 , | ||
126 | +.Xr hosts_access 5 , | ||
127 | .Xr login.conf 5 , | ||
128 | .Xr moduli 5 , | ||
129 | .Xr sshd_config 5 , | ||
130 | diff --git a/sshd.c b/sshd.c | ||
131 | index e6706a8..3a6be65 100644 | ||
132 | --- a/sshd.c | ||
133 | +++ b/sshd.c | ||
134 | @@ -127,6 +127,13 @@ | ||
135 | #include <Security/AuthSession.h> | ||
136 | #endif | ||
137 | |||
138 | +#ifdef LIBWRAP | ||
139 | +#include <tcpd.h> | ||
140 | +#include <syslog.h> | ||
141 | +int allow_severity; | ||
142 | +int deny_severity; | ||
143 | +#endif /* LIBWRAP */ | ||
144 | + | ||
145 | #ifndef O_NOCTTY | ||
146 | #define O_NOCTTY 0 | ||
147 | #endif | ||
148 | @@ -2061,6 +2068,24 @@ main(int ac, char **av) | ||
149 | #ifdef SSH_AUDIT_EVENTS | ||
150 | audit_connection_from(remote_ip, remote_port); | ||
151 | #endif | ||
152 | +#ifdef LIBWRAP | ||
153 | + allow_severity = options.log_facility|LOG_INFO; | ||
154 | + deny_severity = options.log_facility|LOG_WARNING; | ||
155 | + /* Check whether logins are denied from this host. */ | ||
156 | + if (packet_connection_is_on_socket()) { | ||
157 | + struct request_info req; | ||
158 | + | ||
159 | + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); | ||
160 | + fromhost(&req); | ||
161 | + | ||
162 | + if (!hosts_access(&req)) { | ||
163 | + debug("Connection refused by tcp wrapper"); | ||
164 | + refuse(&req); | ||
165 | + /* NOTREACHED */ | ||
166 | + fatal("libwrap refuse returns"); | ||
167 | + } | ||
168 | + } | ||
169 | +#endif /* LIBWRAP */ | ||
170 | |||
171 | /* Log the connection. */ | ||
172 | verbose("Connection from %s port %d on %s port %d", | ||
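Review bot: In the sshd.c hunk, `allow_severity = options.log_facility|LOG_INFO;` and `deny_severity = options.log_facility|LOG_WARNING;` OR sshd's configured log facility into libwrap's severity variables, but as far as I recall `options.log_facility` is sshd's internal SyslogFacility enum rather than a syslog(3) LOG_* facility code, so the result is not the facility|priority encoding libwrap expects and a refused connection may be logged at an unintended priority that nobody monitoring auth logs will see. If that is confirmed against servconf.h/log.h, either convert the enum through log.c's facility mapping or assign plain `LOG_INFO`/`LOG_WARNING` and let the facility already passed to openlog() apply. Separately, the surrounding `audit_connection_from` / "Log the connection" context suggests this check runs in the per-connection sshd process while it is still root and before privilege separation, so libwrap's parsing of /etc/hosts.allow and /etc/hosts.deny (including any commands those files are configured to run) operates on network-supplied input in the privileged process — the pre-auth attack surface the description acknowledges — and the sshd.8 addition would benefit from one sentence stating that both files must be owned by root and not writable by other users. main() begins and ends outside the hunk.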
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch index ff037a43a..ee006da93 100644 --- a/debian/patches/scp-quoting.patch +++ b/debian/patches/scp-quoting.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 8ab204ee192e655d5a8f4d599adb3d99eeabedc6 Mon Sep 17 00:00:00 2001 | 1 | From fd174c13c46191abdb33c0a45545573a8e06b061 Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> | 2 | From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:59 +0000 |
4 | Subject: Adjust scp quoting in verbose mode | 4 | Subject: Adjust scp quoting in verbose mode |
@@ -17,7 +17,7 @@ Patch-Name: scp-quoting.patch | |||
17 | 1 file changed, 10 insertions(+), 2 deletions(-) | 17 | 1 file changed, 10 insertions(+), 2 deletions(-) |
18 | 18 | ||
19 | diff --git a/scp.c b/scp.c | 19 | diff --git a/scp.c b/scp.c |
20 | index 18d3b1d..0669d02 100644 | 20 | index 1ec3b70..a1b318b 100644 |
21 | --- a/scp.c | 21 | --- a/scp.c |
22 | +++ b/scp.c | 22 | +++ b/scp.c |
23 | @@ -189,8 +189,16 @@ do_local_cmd(arglist *a) | 23 | @@ -189,8 +189,16 @@ do_local_cmd(arglist *a) |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index e0ca12fb0..1fa0bf928 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From ae32d626ed3d15cfd7f432358b63c005961921df Mon Sep 17 00:00:00 2001 | 1 | From c9638aa44d787849cea1ae273f0908c6313fd19b Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch | |||
32 | 16 files changed, 104 insertions(+), 31 deletions(-) | 32 | 16 files changed, 104 insertions(+), 31 deletions(-) |
33 | 33 | ||
34 | diff --git a/auth.h b/auth.h | 34 | diff --git a/auth.h b/auth.h |
35 | index 124e597..79e4ea5 100644 | 35 | index d081c94..f099e98 100644 |
36 | --- a/auth.h | 36 | --- a/auth.h |
37 | +++ b/auth.h | 37 | +++ b/auth.h |
38 | @@ -59,6 +59,7 @@ struct Authctxt { | 38 | @@ -59,6 +59,7 @@ struct Authctxt { |
@@ -44,10 +44,10 @@ index 124e597..79e4ea5 100644 | |||
44 | char *info; /* Extra info for next auth_log */ | 44 | char *info; /* Extra info for next auth_log */ |
45 | #ifdef BSD_AUTH | 45 | #ifdef BSD_AUTH |
46 | diff --git a/auth1.c b/auth1.c | 46 | diff --git a/auth1.c b/auth1.c |
47 | index 0f870b3..c707390 100644 | 47 | index 5038828..52b17db 100644 |
48 | --- a/auth1.c | 48 | --- a/auth1.c |
49 | +++ b/auth1.c | 49 | +++ b/auth1.c |
50 | @@ -380,7 +380,7 @@ void | 50 | @@ -381,7 +381,7 @@ void |
51 | do_authentication(Authctxt *authctxt) | 51 | do_authentication(Authctxt *authctxt) |
52 | { | 52 | { |
53 | u_int ulen; | 53 | u_int ulen; |
@@ -56,7 +56,7 @@ index 0f870b3..c707390 100644 | |||
56 | 56 | ||
57 | /* Get the name of the user that we wish to log in as. */ | 57 | /* Get the name of the user that we wish to log in as. */ |
58 | packet_read_expect(SSH_CMSG_USER); | 58 | packet_read_expect(SSH_CMSG_USER); |
59 | @@ -389,11 +389,17 @@ do_authentication(Authctxt *authctxt) | 59 | @@ -390,11 +390,17 @@ do_authentication(Authctxt *authctxt) |
60 | user = packet_get_cstring(&ulen); | 60 | user = packet_get_cstring(&ulen); |
61 | packet_check_eom(); | 61 | packet_check_eom(); |
62 | 62 | ||
@@ -75,10 +75,10 @@ index 0f870b3..c707390 100644 | |||
75 | /* Verify that the user is a valid user. */ | 75 | /* Verify that the user is a valid user. */ |
76 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) | 76 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) |
77 | diff --git a/auth2.c b/auth2.c | 77 | diff --git a/auth2.c b/auth2.c |
78 | index fbe3e1b..70f2925 100644 | 78 | index 2f0d565..fa1a588 100644 |
79 | --- a/auth2.c | 79 | --- a/auth2.c |
80 | +++ b/auth2.c | 80 | +++ b/auth2.c |
81 | @@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 81 | @@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
82 | { | 82 | { |
83 | Authctxt *authctxt = ctxt; | 83 | Authctxt *authctxt = ctxt; |
84 | Authmethod *m = NULL; | 84 | Authmethod *m = NULL; |
@@ -87,7 +87,7 @@ index fbe3e1b..70f2925 100644 | |||
87 | int authenticated = 0; | 87 | int authenticated = 0; |
88 | 88 | ||
89 | if (authctxt == NULL) | 89 | if (authctxt == NULL) |
90 | @@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 90 | @@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
91 | debug("userauth-request for user %s service %s method %s", user, service, method); | 91 | debug("userauth-request for user %s service %s method %s", user, service, method); |
92 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 92 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
93 | 93 | ||
@@ -101,7 +101,7 @@ index fbe3e1b..70f2925 100644 | |||
101 | 101 | ||
102 | if (authctxt->attempt++ == 0) { | 102 | if (authctxt->attempt++ == 0) { |
103 | /* setup auth context */ | 103 | /* setup auth context */ |
104 | @@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 104 | @@ -254,8 +259,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) |
105 | use_privsep ? " [net]" : ""); | 105 | use_privsep ? " [net]" : ""); |
106 | authctxt->service = xstrdup(service); | 106 | authctxt->service = xstrdup(service); |
107 | authctxt->style = style ? xstrdup(style) : NULL; | 107 | authctxt->style = style ? xstrdup(style) : NULL; |
@@ -113,10 +113,10 @@ index fbe3e1b..70f2925 100644 | |||
113 | if (auth2_setup_methods_lists(authctxt) != 0) | 113 | if (auth2_setup_methods_lists(authctxt) != 0) |
114 | packet_disconnect("no authentication methods enabled"); | 114 | packet_disconnect("no authentication methods enabled"); |
115 | diff --git a/monitor.c b/monitor.c | 115 | diff --git a/monitor.c b/monitor.c |
116 | index 2918814..11eac63 100644 | 116 | index b0896ef..94b194d 100644 |
117 | --- a/monitor.c | 117 | --- a/monitor.c |
118 | +++ b/monitor.c | 118 | +++ b/monitor.c |
119 | @@ -145,6 +145,7 @@ int mm_answer_sign(int, Buffer *); | 119 | @@ -148,6 +148,7 @@ int mm_answer_sign(int, Buffer *); |
120 | int mm_answer_pwnamallow(int, Buffer *); | 120 | int mm_answer_pwnamallow(int, Buffer *); |
121 | int mm_answer_auth2_read_banner(int, Buffer *); | 121 | int mm_answer_auth2_read_banner(int, Buffer *); |
122 | int mm_answer_authserv(int, Buffer *); | 122 | int mm_answer_authserv(int, Buffer *); |
@@ -124,7 +124,7 @@ index 2918814..11eac63 100644 | |||
124 | int mm_answer_authpassword(int, Buffer *); | 124 | int mm_answer_authpassword(int, Buffer *); |
125 | int mm_answer_bsdauthquery(int, Buffer *); | 125 | int mm_answer_bsdauthquery(int, Buffer *); |
126 | int mm_answer_bsdauthrespond(int, Buffer *); | 126 | int mm_answer_bsdauthrespond(int, Buffer *); |
127 | @@ -221,6 +222,7 @@ struct mon_table mon_dispatch_proto20[] = { | 127 | @@ -229,6 +230,7 @@ struct mon_table mon_dispatch_proto20[] = { |
128 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 128 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
129 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 129 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
130 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 130 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -132,7 +132,7 @@ index 2918814..11eac63 100644 | |||
132 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 132 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
133 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 133 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
134 | #ifdef USE_PAM | 134 | #ifdef USE_PAM |
135 | @@ -822,6 +824,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) | 135 | @@ -841,6 +843,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) |
136 | else { | 136 | else { |
137 | /* Allow service/style information on the auth context */ | 137 | /* Allow service/style information on the auth context */ |
138 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 138 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
@@ -140,7 +140,7 @@ index 2918814..11eac63 100644 | |||
140 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 140 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
141 | } | 141 | } |
142 | #ifdef USE_PAM | 142 | #ifdef USE_PAM |
143 | @@ -852,14 +855,37 @@ mm_answer_authserv(int sock, Buffer *m) | 143 | @@ -871,14 +874,37 @@ mm_answer_authserv(int sock, Buffer *m) |
144 | 144 | ||
145 | authctxt->service = buffer_get_string(m, NULL); | 145 | authctxt->service = buffer_get_string(m, NULL); |
146 | authctxt->style = buffer_get_string(m, NULL); | 146 | authctxt->style = buffer_get_string(m, NULL); |
@@ -180,7 +180,7 @@ index 2918814..11eac63 100644 | |||
180 | return (0); | 180 | return (0); |
181 | } | 181 | } |
182 | 182 | ||
183 | @@ -1464,7 +1490,7 @@ mm_answer_pty(int sock, Buffer *m) | 183 | @@ -1485,7 +1511,7 @@ mm_answer_pty(int sock, Buffer *m) |
184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
185 | if (res == 0) | 185 | if (res == 0) |
186 | goto error; | 186 | goto error; |
@@ -203,10 +203,10 @@ index 7f32b0c..4d5e8fa 100644 | |||
203 | 203 | ||
204 | struct mm_master; | 204 | struct mm_master; |
205 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 205 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
206 | index 60b987d..f75dc9d 100644 | 206 | index e476f0d..6dc890a 100644 |
207 | --- a/monitor_wrap.c | 207 | --- a/monitor_wrap.c |
208 | +++ b/monitor_wrap.c | 208 | +++ b/monitor_wrap.c |
209 | @@ -318,10 +318,10 @@ mm_auth2_read_banner(void) | 209 | @@ -324,10 +324,10 @@ mm_auth2_read_banner(void) |
210 | return (banner); | 210 | return (banner); |
211 | } | 211 | } |
212 | 212 | ||
@@ -219,7 +219,7 @@ index 60b987d..f75dc9d 100644 | |||
219 | { | 219 | { |
220 | Buffer m; | 220 | Buffer m; |
221 | 221 | ||
222 | @@ -330,12 +330,30 @@ mm_inform_authserv(char *service, char *style) | 222 | @@ -336,12 +336,30 @@ mm_inform_authserv(char *service, char *style) |
223 | buffer_init(&m); | 223 | buffer_init(&m); |
224 | buffer_put_cstring(&m, service); | 224 | buffer_put_cstring(&m, service); |
225 | buffer_put_cstring(&m, style ? style : ""); | 225 | buffer_put_cstring(&m, style ? style : ""); |
@@ -361,10 +361,10 @@ index e3d1004..80ce13a 100644 | |||
361 | void ssh_selinux_setfscreatecon(const char *); | 361 | void ssh_selinux_setfscreatecon(const char *); |
362 | #endif | 362 | #endif |
363 | diff --git a/platform.c b/platform.c | 363 | diff --git a/platform.c b/platform.c |
364 | index 30fc609..4aab9a9 100644 | 364 | index ee313da..f35ec39 100644 |
365 | --- a/platform.c | 365 | --- a/platform.c |
366 | +++ b/platform.c | 366 | +++ b/platform.c |
367 | @@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw) | 367 | @@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) |
368 | * called if sshd is running as root. | 368 | * called if sshd is running as root. |
369 | */ | 369 | */ |
370 | void | 370 | void |
@@ -373,7 +373,7 @@ index 30fc609..4aab9a9 100644 | |||
373 | { | 373 | { |
374 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | 374 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) |
375 | /* | 375 | /* |
376 | @@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) | 376 | @@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw) |
377 | } | 377 | } |
378 | #endif /* HAVE_SETPCRED */ | 378 | #endif /* HAVE_SETPCRED */ |
379 | #ifdef WITH_SELINUX | 379 | #ifdef WITH_SELINUX |
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644 | |||
396 | char *platform_krb5_get_principal_name(const char *); | 396 | char *platform_krb5_get_principal_name(const char *); |
397 | int platform_sys_dir_uid(uid_t); | 397 | int platform_sys_dir_uid(uid_t); |
398 | diff --git a/session.c b/session.c | 398 | diff --git a/session.c b/session.c |
399 | index 2bcf818..6848df4 100644 | 399 | index 3e96557..6f389ac 100644 |
400 | --- a/session.c | 400 | --- a/session.c |
401 | +++ b/session.c | 401 | +++ b/session.c |
402 | @@ -1502,7 +1502,7 @@ safely_chroot(const char *path, uid_t uid) | 402 | @@ -1486,7 +1486,7 @@ safely_chroot(const char *path, uid_t uid) |
403 | 403 | ||
404 | /* Set login name, uid, gid, and groups. */ | 404 | /* Set login name, uid, gid, and groups. */ |
405 | void | 405 | void |
@@ -407,8 +407,8 @@ index 2bcf818..6848df4 100644 | |||
407 | +do_setusercontext(struct passwd *pw, const char *role) | 407 | +do_setusercontext(struct passwd *pw, const char *role) |
408 | { | 408 | { |
409 | char *chroot_path, *tmp; | 409 | char *chroot_path, *tmp; |
410 | 410 | #ifdef USE_LIBIAF | |
411 | @@ -1530,7 +1530,7 @@ do_setusercontext(struct passwd *pw) | 411 | @@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw) |
412 | endgrent(); | 412 | endgrent(); |
413 | #endif | 413 | #endif |
414 | 414 | ||
@@ -417,7 +417,7 @@ index 2bcf818..6848df4 100644 | |||
417 | 417 | ||
418 | if (options.chroot_directory != NULL && | 418 | if (options.chroot_directory != NULL && |
419 | strcasecmp(options.chroot_directory, "none") != 0) { | 419 | strcasecmp(options.chroot_directory, "none") != 0) { |
420 | @@ -1679,7 +1679,7 @@ do_child(Session *s, const char *command) | 420 | @@ -1676,7 +1676,7 @@ do_child(Session *s, const char *command) |
421 | 421 | ||
422 | /* Force a password change */ | 422 | /* Force a password change */ |
423 | if (s->authctxt->force_pwchange) { | 423 | if (s->authctxt->force_pwchange) { |
@@ -426,7 +426,7 @@ index 2bcf818..6848df4 100644 | |||
426 | child_close_fds(); | 426 | child_close_fds(); |
427 | do_pwchange(s); | 427 | do_pwchange(s); |
428 | exit(1); | 428 | exit(1); |
429 | @@ -1706,7 +1706,7 @@ do_child(Session *s, const char *command) | 429 | @@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command) |
430 | /* When PAM is enabled we rely on it to do the nologin check */ | 430 | /* When PAM is enabled we rely on it to do the nologin check */ |
431 | if (!options.use_pam) | 431 | if (!options.use_pam) |
432 | do_nologin(pw); | 432 | do_nologin(pw); |
@@ -435,7 +435,7 @@ index 2bcf818..6848df4 100644 | |||
435 | /* | 435 | /* |
436 | * PAM session modules in do_setusercontext may have | 436 | * PAM session modules in do_setusercontext may have |
437 | * generated messages, so if this in an interactive | 437 | * generated messages, so if this in an interactive |
438 | @@ -2117,7 +2117,7 @@ session_pty_req(Session *s) | 438 | @@ -2114,7 +2114,7 @@ session_pty_req(Session *s) |
439 | tty_parse_modes(s->ttyfd, &n_bytes); | 439 | tty_parse_modes(s->ttyfd, &n_bytes); |
440 | 440 | ||
441 | if (!use_privsep) | 441 | if (!use_privsep) |
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644 | |||
458 | const char *value); | 458 | const char *value); |
459 | 459 | ||
460 | diff --git a/sshd.c b/sshd.c | 460 | diff --git a/sshd.c b/sshd.c |
461 | index d787fea..e343d90 100644 | 461 | index 3a6be65..48a14dd 100644 |
462 | --- a/sshd.c | 462 | --- a/sshd.c |
463 | +++ b/sshd.c | 463 | +++ b/sshd.c |
464 | @@ -769,7 +769,7 @@ privsep_postauth(Authctxt *authctxt) | 464 | @@ -772,7 +772,7 @@ privsep_postauth(Authctxt *authctxt) |
465 | explicit_bzero(rnd, sizeof(rnd)); | 465 | explicit_bzero(rnd, sizeof(rnd)); |
466 | 466 | ||
467 | /* Drop privileges */ | 467 | /* Drop privileges */ |
@@ -471,10 +471,10 @@ index d787fea..e343d90 100644 | |||
471 | skip: | 471 | skip: |
472 | /* It is safe now to apply the key state */ | 472 | /* It is safe now to apply the key state */ |
473 | diff --git a/sshpty.c b/sshpty.c | 473 | diff --git a/sshpty.c b/sshpty.c |
474 | index bbbc0fe..8cc26a2 100644 | 474 | index a2059b7..3512ec8 100644 |
475 | --- a/sshpty.c | 475 | --- a/sshpty.c |
476 | +++ b/sshpty.c | 476 | +++ b/sshpty.c |
477 | @@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, | 477 | @@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, |
478 | } | 478 | } |
479 | 479 | ||
480 | void | 480 | void |
@@ -483,7 +483,7 @@ index bbbc0fe..8cc26a2 100644 | |||
483 | { | 483 | { |
484 | struct group *grp; | 484 | struct group *grp; |
485 | gid_t gid; | 485 | gid_t gid; |
486 | @@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty) | 486 | @@ -214,7 +214,7 @@ pty_setowner(struct passwd *pw, const char *tty) |
487 | strerror(errno)); | 487 | strerror(errno)); |
488 | 488 | ||
489 | #ifdef WITH_SELINUX | 489 | #ifdef WITH_SELINUX |
diff --git a/debian/patches/series b/debian/patches/series index c554b34ca..bbc7a5fb4 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -1,4 +1,5 @@ | |||
1 | gssapi.patch | 1 | gssapi.patch |
2 | restore-tcp-wrappers.patch | ||
2 | selinux-role.patch | 3 | selinux-role.patch |
3 | ssh-vulnkey-compat.patch | 4 | ssh-vulnkey-compat.patch |
4 | ssh1-keepalive.patch | 5 | ssh1-keepalive.patch |
@@ -22,9 +23,7 @@ ssh-argv0.patch | |||
22 | doc-hash-tab-completion.patch | 23 | doc-hash-tab-completion.patch |
23 | doc-upstart.patch | 24 | doc-upstart.patch |
24 | ssh-agent-setgid.patch | 25 | ssh-agent-setgid.patch |
25 | no-openssl-version-check.patch | 26 | no-openssl-version-status.patch |
26 | gnome-ssh-askpass2-icon.patch | 27 | gnome-ssh-askpass2-icon.patch |
27 | sigstop.patch | 28 | sigstop.patch |
28 | debian-config.patch | 29 | debian-config.patch |
29 | sshfp_with_server_cert_upstr | ||
30 | curve25519-sha256-bignum-encoding.patch | ||
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index 48c16d2a2..07e20f03d 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 6103c29d855e82c098e88ee12f05a6eb41f659ce Mon Sep 17 00:00:00 2001 | 1 | From 66377fbb52584b41bd7f6f19116107fbbad41058 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:00 +0000 |
4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand | 4 | Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand |
@@ -16,10 +16,10 @@ Patch-Name: shell-path.patch | |||
16 | 1 file changed, 2 insertions(+), 2 deletions(-) | 16 | 1 file changed, 2 insertions(+), 2 deletions(-) |
17 | 17 | ||
18 | diff --git a/sshconnect.c b/sshconnect.c | 18 | diff --git a/sshconnect.c b/sshconnect.c |
19 | index 573d7a8..9e02837 100644 | 19 | index ac09eae..26116d2 100644 |
20 | --- a/sshconnect.c | 20 | --- a/sshconnect.c |
21 | +++ b/sshconnect.c | 21 | +++ b/sshconnect.c |
22 | @@ -227,7 +227,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) | 22 | @@ -228,7 +228,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) |
23 | /* Execute the proxy command. Note that we gave up any | 23 | /* Execute the proxy command. Note that we gave up any |
24 | extra privileges above. */ | 24 | extra privileges above. */ |
25 | signal(SIGPIPE, SIG_DFL); | 25 | signal(SIGPIPE, SIG_DFL); |
@@ -28,7 +28,7 @@ index 573d7a8..9e02837 100644 | |||
28 | perror(argv[0]); | 28 | perror(argv[0]); |
29 | exit(1); | 29 | exit(1); |
30 | } | 30 | } |
31 | @@ -1387,7 +1387,7 @@ ssh_local_cmd(const char *args) | 31 | @@ -1416,7 +1416,7 @@ ssh_local_cmd(const char *args) |
32 | if (pid == 0) { | 32 | if (pid == 0) { |
33 | signal(SIGPIPE, SIG_DFL); | 33 | signal(SIGPIPE, SIG_DFL); |
34 | debug3("Executing %s -c \"%s\"", shell, args); | 34 | debug3("Executing %s -c \"%s\"", shell, args); |
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch index 6a15e0dc5..1eaa7758b 100644 --- a/debian/patches/sigstop.patch +++ b/debian/patches/sigstop.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From cfeaa0ba2ce2859573f7e980be09ef05511f56a2 Mon Sep 17 00:00:00 2001 | 1 | From 689f465c66059e527974c6d4ea8e95f04d5abab7 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:17 +0000 |
4 | Subject: Support synchronisation with service supervisor using SIGSTOP | 4 | Subject: Support synchronisation with service supervisor using SIGSTOP |
@@ -13,10 +13,10 @@ Patch-Name: sigstop.patch | |||
13 | 1 file changed, 10 insertions(+) | 13 | 1 file changed, 10 insertions(+) |
14 | 14 | ||
15 | diff --git a/sshd.c b/sshd.c | 15 | diff --git a/sshd.c b/sshd.c |
16 | index 665c0b9..0964491 100644 | 16 | index 87331c1..23d5a64 100644 |
17 | --- a/sshd.c | 17 | --- a/sshd.c |
18 | +++ b/sshd.c | 18 | +++ b/sshd.c |
19 | @@ -1931,6 +1931,16 @@ main(int ac, char **av) | 19 | @@ -1958,6 +1958,16 @@ main(int ac, char **av) |
20 | } | 20 | } |
21 | } | 21 | } |
22 | 22 | ||
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch index af23075b3..9c3ddc86e 100644 --- a/debian/patches/ssh-agent-setgid.patch +++ b/debian/patches/ssh-agent-setgid.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d53483ab71ac2a9195c8f171da5a5dcf54ec16ec Mon Sep 17 00:00:00 2001 | 1 | From 78dd041bb6ad29ceb35f05b539b09ccf761eaee2 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:13 +0000 |
4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) | 4 | Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) |
@@ -13,10 +13,10 @@ Patch-Name: ssh-agent-setgid.patch | |||
13 | 1 file changed, 15 insertions(+) | 13 | 1 file changed, 15 insertions(+) |
14 | 14 | ||
15 | diff --git a/ssh-agent.1 b/ssh-agent.1 | 15 | diff --git a/ssh-agent.1 b/ssh-agent.1 |
16 | index 281ecbd..38fd540 100644 | 16 | index a1e634f..f2c4080 100644 |
17 | --- a/ssh-agent.1 | 17 | --- a/ssh-agent.1 |
18 | +++ b/ssh-agent.1 | 18 | +++ b/ssh-agent.1 |
19 | @@ -183,6 +183,21 @@ environment variable holds the agent's process ID. | 19 | @@ -172,6 +172,21 @@ environment variable holds the agent's process ID. |
20 | .Pp | 20 | .Pp |
21 | The agent exits automatically when the command given on the command | 21 | The agent exits automatically when the command given on the command |
22 | line terminates. | 22 | line terminates. |
@@ -37,4 +37,4 @@ index 281ecbd..38fd540 100644 | |||
37 | +so in the program executed by ssh-agent. | 37 | +so in the program executed by ssh-agent. |
38 | .Sh FILES | 38 | .Sh FILES |
39 | .Bl -tag -width Ds | 39 | .Bl -tag -width Ds |
40 | .It Pa ~/.ssh/identity | 40 | .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt |
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index d456facea..0ccf7c42b 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d4ac61d918775f629eff9a389d0f7bb0f8426b48 Mon Sep 17 00:00:00 2001 | 1 | From cbd5cb03866f6df50c82d26588b73135d05bf245 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 | 3 | Date: Sun, 9 Feb 2014 16:10:10 +0000 |
4 | Subject: ssh(1): Refer to ssh-argv0(1) | 4 | Subject: ssh(1): Refer to ssh-argv0(1) |
@@ -18,10 +18,10 @@ Patch-Name: ssh-argv0.patch | |||
18 | 1 file changed, 1 insertion(+) | 18 | 1 file changed, 1 insertion(+) |
19 | 19 | ||
20 | diff --git a/ssh.1 b/ssh.1 | 20 | diff --git a/ssh.1 b/ssh.1 |
21 | index 67b4f44..9868025 100644 | 21 | index de178cd..2606b15 100644 |
22 | --- a/ssh.1 | 22 | --- a/ssh.1 |
23 | +++ b/ssh.1 | 23 | +++ b/ssh.1 |
24 | @@ -1468,6 +1468,7 @@ if an error occurred. | 24 | @@ -1458,6 +1458,7 @@ if an error occurred. |
25 | .Xr sftp 1 , | 25 | .Xr sftp 1 , |
26 | .Xr ssh-add 1 , | 26 | .Xr ssh-add 1 , |
27 | .Xr ssh-agent 1 , | 27 | .Xr ssh-agent 1 , |
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch index fa738b084..427ee6be1 100644 --- a/debian/patches/ssh-vulnkey-compat.patch +++ b/debian/patches/ssh-vulnkey-compat.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From d422205e757aaf23e8e0e787f842ef37f6a170a2 Mon Sep 17 00:00:00 2001 | 1 | From e6836d7c98c75d3252de56c2f3ea07e12c817e00 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@ubuntu.com> | 2 | From: Colin Watson <cjwatson@ubuntu.com> |
3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:50 +0000 |
4 | Subject: Accept obsolete ssh-vulnkey configuration options | 4 | Subject: Accept obsolete ssh-vulnkey configuration options |
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch | |||
17 | 2 files changed, 2 insertions(+) | 17 | 2 files changed, 2 insertions(+) |
18 | 18 | ||
19 | diff --git a/readconf.c b/readconf.c | 19 | diff --git a/readconf.c b/readconf.c |
20 | index 7613ff2..bcd8cad 100644 | 20 | index 9127e93..bc879eb 100644 |
21 | --- a/readconf.c | 21 | --- a/readconf.c |
22 | +++ b/readconf.c | 22 | +++ b/readconf.c |
23 | @@ -172,6 +172,7 @@ static struct { | 23 | @@ -174,6 +174,7 @@ static struct { |
24 | { "passwordauthentication", oPasswordAuthentication }, | 24 | { "passwordauthentication", oPasswordAuthentication }, |
25 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, | 25 | { "kbdinteractiveauthentication", oKbdInteractiveAuthentication }, |
26 | { "kbdinteractivedevices", oKbdInteractiveDevices }, | 26 | { "kbdinteractivedevices", oKbdInteractiveDevices }, |
@@ -29,10 +29,10 @@ index 7613ff2..bcd8cad 100644 | |||
29 | { "pubkeyauthentication", oPubkeyAuthentication }, | 29 | { "pubkeyauthentication", oPubkeyAuthentication }, |
30 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 30 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
31 | diff --git a/servconf.c b/servconf.c | 31 | diff --git a/servconf.c b/servconf.c |
32 | index 0083cf8..90de888 100644 | 32 | index cb3c831..a252487 100644 |
33 | --- a/servconf.c | 33 | --- a/servconf.c |
34 | +++ b/servconf.c | 34 | +++ b/servconf.c |
35 | @@ -448,6 +448,7 @@ static struct { | 35 | @@ -462,6 +462,7 @@ static struct { |
36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 36 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 37 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 38 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index ded7c122a..2e5fa306d 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 789d58ed3df120c7b80d07fb2d259c216194a29c Mon Sep 17 00:00:00 2001 | 1 | From cbbc8577950b93090171c7394bcdeb68b7c3cd0c Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:51 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:51 +0000 |
4 | Subject: Partial server keep-alive implementation for SSH1 | 4 | Subject: Partial server keep-alive implementation for SSH1 |
@@ -13,7 +13,7 @@ Patch-Name: ssh1-keepalive.patch | |||
13 | 2 files changed, 19 insertions(+), 11 deletions(-) | 13 | 2 files changed, 19 insertions(+), 11 deletions(-) |
14 | 14 | ||
15 | diff --git a/clientloop.c b/clientloop.c | 15 | diff --git a/clientloop.c b/clientloop.c |
16 | index 6d8cd7d..73a800c 100644 | 16 | index f9175e3..046ca8b 100644 |
17 | --- a/clientloop.c | 17 | --- a/clientloop.c |
18 | +++ b/clientloop.c | 18 | +++ b/clientloop.c |
19 | @@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) | 19 | @@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt) |
@@ -57,10 +57,10 @@ index 6d8cd7d..73a800c 100644 | |||
57 | server_alive_time = now + options.server_alive_interval; | 57 | server_alive_time = now + options.server_alive_interval; |
58 | } | 58 | } |
59 | diff --git a/ssh_config.5 b/ssh_config.5 | 59 | diff --git a/ssh_config.5 b/ssh_config.5 |
60 | index e7accd6..473971e 100644 | 60 | index e6649ac..01f1f7f 100644 |
61 | --- a/ssh_config.5 | 61 | --- a/ssh_config.5 |
62 | +++ b/ssh_config.5 | 62 | +++ b/ssh_config.5 |
63 | @@ -1294,7 +1294,10 @@ If, for example, | 63 | @@ -1325,7 +1325,10 @@ If, for example, |
64 | .Cm ServerAliveCountMax | 64 | .Cm ServerAliveCountMax |
65 | is left at the default, if the server becomes unresponsive, | 65 | is left at the default, if the server becomes unresponsive, |
66 | ssh will disconnect after approximately 45 seconds. | 66 | ssh will disconnect after approximately 45 seconds. |
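--- a/debian/patches/sshfp_with_server_cert_upstr
+++ /dev/null
@@ -1,83 +0,0 @@
-From 08a63152deb5deda168aaef870bdb9f56425acb3 Mon Sep 17 00:00:00 2001
-From: Matthew Vernon <mcv21@cam.ac.uk>
-Date: Wed, 26 Mar 2014 15:32:23 +0000
-Subject: Attempt SSHFP lookup even if server presents a certificate
-
-If an ssh server presents a certificate to the client, then the client
-does not check the DNS for SSHFP records. This means that a malicious
-server can essentially disable DNS-host-key-checking, which means the
-client will fall back to asking the user (who will just say "yes" to
-the fingerprint, sadly).
-
-This patch is by Damien Miller (of openssh upstream). It's simpler
-than the patch by Mark Wooding which I applied yesterday; a copy is
-taken of the proffered key/cert, the key extracted from the cert (if
-necessary), and then the DNS consulted.
-
-Signed-off-by: Matthew Vernon <matthew@debian.org>
-Bug-Debian: http://bugs.debian.org/742513
-Patch-Name: sshfp_with_server_cert_upstr
----
-sshconnect.c | 42 ++++++++++++++++++++++++++----------------
-1 file changed, 26 insertions(+), 16 deletions(-)
-
-diff --git a/sshconnect.c b/sshconnect.c
-index 87c3770..324f5e0 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -1224,29 +1224,39 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
-{
-int flags = 0;
-char *fp;
-+ Key *plain = NULL;
-
-fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-debug("Server host key: %s %s", key_type(host_key), fp);
-free(fp);
-
-- /* XXX certs are not yet supported for DNS */
-- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-- if (flags & DNS_VERIFY_FOUND) {
--
-- if (options.verify_host_key_dns == 1 &&
-- flags & DNS_VERIFY_MATCH &&
-- flags & DNS_VERIFY_SECURE)
-- return 0;
--
-- if (flags & DNS_VERIFY_MATCH) {
-- matching_host_key_dns = 1;
-- } else {
-- warn_changed_key(host_key);
-- error("Update the SSHFP RR in DNS with the new "
-- "host key to get rid of this message.");
-+ if (options.verify_host_key_dns) {
-+ /*
-+ * XXX certs are not yet supported for DNS, so downgrade
-+ * them and try the plain key.
-+ */
-+ plain = key_from_private(host_key);
-+ if (key_is_cert(plain))
-+ key_drop_cert(plain);
-+ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
-+ if (flags & DNS_VERIFY_FOUND) {
-+ if (options.verify_host_key_dns == 1 &&
-+ flags & DNS_VERIFY_MATCH &&
-+ flags & DNS_VERIFY_SECURE) {
-+ key_free(plain);
-+ return 0;
-+ }
-+ if (flags & DNS_VERIFY_MATCH) {
-+ matching_host_key_dns = 1;
-+ } else {
-+ warn_changed_key(plain);
-+ error("Update the SSHFP RR in DNS "
-+ "with the new host key to get rid "
-+ "of this message.");
-+ }
-}
-}
-+ key_free(plain);
-}
-
-return check_host_key(host, hostaddr, options.port, host_key, RDRW,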
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index 7cbd3a7e3..bfc236927 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From b8ed36cdf2dbebc01e52e83eece4bb1d78607e84 Mon Sep 17 00:00:00 2001 | 1 | From 69f7c00e04d1baa01a9038eeb764cfed0830fb19 Mon Sep 17 00:00:00 2001 |
2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> | 2 | From: Jonathan David Amery <jdamery@ysolde.ucam.org> |
3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:54 +0000 |
4 | Subject: "LogLevel SILENT" compatibility | 4 | Subject: "LogLevel SILENT" compatibility |
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644 | |||
33 | { "FATAL", SYSLOG_LEVEL_FATAL }, | 33 | { "FATAL", SYSLOG_LEVEL_FATAL }, |
34 | { "ERROR", SYSLOG_LEVEL_ERROR }, | 34 | { "ERROR", SYSLOG_LEVEL_ERROR }, |
35 | diff --git a/ssh.c b/ssh.c | 35 | diff --git a/ssh.c b/ssh.c |
36 | index 1e6cb90..3e63708 100644 | 36 | index 26e9681..5bce695 100644 |
37 | --- a/ssh.c | 37 | --- a/ssh.c |
38 | +++ b/ssh.c | 38 | +++ b/ssh.c |
39 | @@ -965,7 +965,7 @@ main(int ac, char **av) | 39 | @@ -989,7 +989,7 @@ main(int ac, char **av) |
40 | /* Do not allocate a tty if stdin is not a tty. */ | 40 | /* Do not allocate a tty if stdin is not a tty. */ |
41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && | 41 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && |
42 | options.request_tty != REQUEST_TTY_FORCE) { | 42 | options.request_tty != REQUEST_TTY_FORCE) { |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index 3cdb9d8a1..e4e4657f3 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 77638f6662ecd8500e1b97e537233b1277ca829f Mon Sep 17 00:00:00 2001 | 1 | From 28ea747089f695e58a476a2849133402d4f86b92 Mon Sep 17 00:00:00 2001 |
2 | From: Colin Watson <cjwatson@debian.org> | 2 | From: Colin Watson <cjwatson@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:58 +0000 |
4 | Subject: Allow harmless group-writability | 4 | Subject: Allow harmless group-writability |
@@ -28,7 +28,7 @@ Patch-Name: user-group-modes.patch | |||
28 | 8 files changed, 82 insertions(+), 29 deletions(-) | 28 | 8 files changed, 82 insertions(+), 29 deletions(-) |
29 | 29 | ||
30 | diff --git a/auth-rhosts.c b/auth-rhosts.c | 30 | diff --git a/auth-rhosts.c b/auth-rhosts.c |
31 | index 06ae7f0..f202787 100644 | 31 | index b5bedee..11fcca6 100644 |
32 | --- a/auth-rhosts.c | 32 | --- a/auth-rhosts.c |
33 | +++ b/auth-rhosts.c | 33 | +++ b/auth-rhosts.c |
34 | @@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam | 34 | @@ -256,8 +256,7 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam |
@@ -52,10 +52,10 @@ index 06ae7f0..f202787 100644 | |||
52 | pw->pw_name, buf); | 52 | pw->pw_name, buf); |
53 | auth_debug_add("Bad file modes for %.200s", buf); | 53 | auth_debug_add("Bad file modes for %.200s", buf); |
54 | diff --git a/auth.c b/auth.c | 54 | diff --git a/auth.c b/auth.c |
55 | index 9a36f1d..0c45f09 100644 | 55 | index 5e60682..18de51a 100644 |
56 | --- a/auth.c | 56 | --- a/auth.c |
57 | +++ b/auth.c | 57 | +++ b/auth.c |
58 | @@ -407,8 +407,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | 58 | @@ -421,8 +421,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, |
59 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 59 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
60 | if (options.strict_modes && | 60 | if (options.strict_modes && |
61 | (stat(user_hostfile, &st) == 0) && | 61 | (stat(user_hostfile, &st) == 0) && |
@@ -65,7 +65,7 @@ index 9a36f1d..0c45f09 100644 | |||
65 | logit("Authentication refused for %.100s: " | 65 | logit("Authentication refused for %.100s: " |
66 | "bad owner or modes for %.200s", | 66 | "bad owner or modes for %.200s", |
67 | pw->pw_name, user_hostfile); | 67 | pw->pw_name, user_hostfile); |
68 | @@ -470,8 +469,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, | 68 | @@ -484,8 +483,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
69 | snprintf(err, errlen, "%s is not a regular file", buf); | 69 | snprintf(err, errlen, "%s is not a regular file", buf); |
70 | return -1; | 70 | return -1; |
71 | } | 71 | } |
@@ -75,7 +75,7 @@ index 9a36f1d..0c45f09 100644 | |||
75 | snprintf(err, errlen, "bad ownership or modes for file %s", | 75 | snprintf(err, errlen, "bad ownership or modes for file %s", |
76 | buf); | 76 | buf); |
77 | return -1; | 77 | return -1; |
78 | @@ -486,8 +484,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, | 78 | @@ -500,8 +498,7 @@ auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, |
79 | strlcpy(buf, cp, sizeof(buf)); | 79 | strlcpy(buf, cp, sizeof(buf)); |
80 | 80 | ||
81 | if (stat(buf, &st) < 0 || | 81 | if (stat(buf, &st) < 0 || |
@@ -86,10 +86,10 @@ index 9a36f1d..0c45f09 100644 | |||
86 | "bad ownership or modes for directory %s", buf); | 86 | "bad ownership or modes for directory %s", buf); |
87 | return -1; | 87 | return -1; |
88 | diff --git a/misc.c b/misc.c | 88 | diff --git a/misc.c b/misc.c |
89 | index e4c8c32..4e756b0 100644 | 89 | index 94b05b0..c25ccd8 100644 |
90 | --- a/misc.c | 90 | --- a/misc.c |
91 | +++ b/misc.c | 91 | +++ b/misc.c |
92 | @@ -49,8 +49,9 @@ | 92 | @@ -50,8 +50,9 @@ |
93 | #include <netdb.h> | 93 | #include <netdb.h> |
94 | #ifdef HAVE_PATHS_H | 94 | #ifdef HAVE_PATHS_H |
95 | # include <paths.h> | 95 | # include <paths.h> |
@@ -100,7 +100,7 @@ index e4c8c32..4e756b0 100644 | |||
100 | #ifdef SSH_TUN_OPENBSD | 100 | #ifdef SSH_TUN_OPENBSD |
101 | #include <net/if.h> | 101 | #include <net/if.h> |
102 | #endif | 102 | #endif |
103 | @@ -59,6 +60,7 @@ | 103 | @@ -60,6 +61,7 @@ |
104 | #include "misc.h" | 104 | #include "misc.h" |
105 | #include "log.h" | 105 | #include "log.h" |
106 | #include "ssh.h" | 106 | #include "ssh.h" |
@@ -108,7 +108,7 @@ index e4c8c32..4e756b0 100644 | |||
108 | 108 | ||
109 | /* remove newline at end of string */ | 109 | /* remove newline at end of string */ |
110 | char * | 110 | char * |
111 | @@ -643,6 +645,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, | 111 | @@ -644,6 +646,71 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, |
112 | return -1; | 112 | return -1; |
113 | } | 113 | } |
114 | 114 | ||
@@ -181,10 +181,10 @@ index e4c8c32..4e756b0 100644 | |||
181 | tun_open(int tun, int mode) | 181 | tun_open(int tun, int mode) |
182 | { | 182 | { |
183 | diff --git a/misc.h b/misc.h | 183 | diff --git a/misc.h b/misc.h |
184 | index d4df619..ceb173b 100644 | 184 | index 374c33c..89e1f75 100644 |
185 | --- a/misc.h | 185 | --- a/misc.h |
186 | +++ b/misc.h | 186 | +++ b/misc.h |
187 | @@ -106,4 +106,6 @@ char *read_passphrase(const char *, int); | 187 | @@ -135,4 +135,6 @@ char *read_passphrase(const char *, int); |
188 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 188 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
189 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); | 189 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); |
190 | 190 | ||
@@ -192,10 +192,10 @@ index d4df619..ceb173b 100644 | |||
192 | + | 192 | + |
193 | #endif /* _MISC_H */ | 193 | #endif /* _MISC_H */ |
194 | diff --git a/platform.c b/platform.c | 194 | diff --git a/platform.c b/platform.c |
195 | index 4aab9a9..f99de7f 100644 | 195 | index f35ec39..9a23e6e 100644 |
196 | --- a/platform.c | 196 | --- a/platform.c |
197 | +++ b/platform.c | 197 | +++ b/platform.c |
198 | @@ -196,19 +196,3 @@ platform_krb5_get_principal_name(const char *pw_name) | 198 | @@ -197,19 +197,3 @@ platform_krb5_get_principal_name(const char *pw_name) |
199 | return NULL; | 199 | return NULL; |
200 | #endif | 200 | #endif |
201 | } | 201 | } |
@@ -216,10 +216,10 @@ index 4aab9a9..f99de7f 100644 | |||
216 | - return 0; | 216 | - return 0; |
217 | -} | 217 | -} |
218 | diff --git a/readconf.c b/readconf.c | 218 | diff --git a/readconf.c b/readconf.c |
219 | index 6409937..32c4b42 100644 | 219 | index 337818c..0648867 100644 |
220 | --- a/readconf.c | 220 | --- a/readconf.c |
221 | +++ b/readconf.c | 221 | +++ b/readconf.c |
222 | @@ -37,6 +37,8 @@ | 222 | @@ -38,6 +38,8 @@ |
223 | #include <stdio.h> | 223 | #include <stdio.h> |
224 | #include <string.h> | 224 | #include <string.h> |
225 | #include <unistd.h> | 225 | #include <unistd.h> |
@@ -228,7 +228,7 @@ index 6409937..32c4b42 100644 | |||
228 | #ifdef HAVE_UTIL_H | 228 | #ifdef HAVE_UTIL_H |
229 | #include <util.h> | 229 | #include <util.h> |
230 | #endif | 230 | #endif |
231 | @@ -1477,8 +1479,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, | 231 | @@ -1516,8 +1518,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host, |
232 | 232 | ||
233 | if (fstat(fileno(f), &sb) == -1) | 233 | if (fstat(fileno(f), &sb) == -1) |
234 | fatal("fstat %s: %s", filename, strerror(errno)); | 234 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -239,10 +239,10 @@ index 6409937..32c4b42 100644 | |||
239 | } | 239 | } |
240 | 240 | ||
241 | diff --git a/ssh.1 b/ssh.1 | 241 | diff --git a/ssh.1 b/ssh.1 |
242 | index 27794e2..ff5e6ac 100644 | 242 | index fa5cfb2..7f6ab77 100644 |
243 | --- a/ssh.1 | 243 | --- a/ssh.1 |
244 | +++ b/ssh.1 | 244 | +++ b/ssh.1 |
245 | @@ -1352,6 +1352,8 @@ The file format and configuration options are described in | 245 | @@ -1342,6 +1342,8 @@ The file format and configuration options are described in |
246 | .Xr ssh_config 5 . | 246 | .Xr ssh_config 5 . |
247 | Because of the potential for abuse, this file must have strict permissions: | 247 | Because of the potential for abuse, this file must have strict permissions: |
248 | read/write for the user, and not writable by others. | 248 | read/write for the user, and not writable by others. |
@@ -252,10 +252,10 @@ index 27794e2..ff5e6ac 100644 | |||
252 | .It Pa ~/.ssh/environment | 252 | .It Pa ~/.ssh/environment |
253 | Contains additional definitions for environment variables; see | 253 | Contains additional definitions for environment variables; see |
254 | diff --git a/ssh_config.5 b/ssh_config.5 | 254 | diff --git a/ssh_config.5 b/ssh_config.5 |
255 | index 3172fd4..4bf7cbb 100644 | 255 | index ea92ea8..d68b45a 100644 |
256 | --- a/ssh_config.5 | 256 | --- a/ssh_config.5 |
257 | +++ b/ssh_config.5 | 257 | +++ b/ssh_config.5 |
258 | @@ -1529,6 +1529,8 @@ The format of this file is described above. | 258 | @@ -1587,6 +1587,8 @@ The format of this file is described above. |
259 | This file is used by the SSH client. | 259 | This file is used by the SSH client. |
260 | Because of the potential for abuse, this file must have strict permissions: | 260 | Because of the potential for abuse, this file must have strict permissions: |
261 | read/write for the user, and not accessible by others. | 261 | read/write for the user, and not accessible by others. |