Diffstat (limited to 'debian/patches')
23 files changed, 331 insertions, 430 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch index 7aea6690d..da940d9fa 100644 --- a/debian/patches/auth-log-verbosity.patch +++ b/debian/patches/auth-log-verbosity.patch | |||
@@ -83,9 +83,9 @@ Index: b/auth-rsa.c | |||
83 | =================================================================== | 83 | =================================================================== |
84 | --- a/auth-rsa.c | 84 | --- a/auth-rsa.c |
85 | +++ b/auth-rsa.c | 85 | +++ b/auth-rsa.c |
86 | @@ -193,6 +193,8 @@ | 86 | @@ -175,6 +175,8 @@ |
87 | 87 | if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL) | |
88 | key = key_new(KEY_RSA1); | 88 | return 0; |
89 | 89 | ||
90 | + auth_start_parse_options(); | 90 | + auth_start_parse_options(); |
91 | + | 91 | + |
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch index 13b3b6561..a9ca85407 100644 --- a/debian/patches/authorized-keys-man-symlink.patch +++ b/debian/patches/authorized-keys-man-symlink.patch | |||
@@ -8,11 +8,11 @@ Index: b/Makefile.in | |||
8 | =================================================================== | 8 | =================================================================== |
9 | --- a/Makefile.in | 9 | --- a/Makefile.in |
10 | +++ b/Makefile.in | 10 | +++ b/Makefile.in |
11 | @@ -289,6 +289,7 @@ | 11 | @@ -275,6 +275,7 @@ |
12 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 | 12 | $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 |
13 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 | 13 | $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 |
14 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 14 | $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
15 | + ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5 | 15 | + ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5 |
16 | if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \ | 16 | $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 |
17 | $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ | 17 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
18 | fi | 18 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
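Review bot: The `ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5` line that this refreshed patch still adds to the install target is not idempotent: a second `make install` into the same DESTDIR fails with "File exists" unless something outside this hunk removes the link first. The surrounding `$(INSTALL)` lines overwrite their targets, so this one line behaves differently from its neighbours. Replacing it with `ln -sf ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5` would make the install re-runnable; the enclosing install recipe starts and ends outside the hunk.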
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch index 32251397d..57ca35e87 100644 --- a/debian/patches/debian-banner.patch +++ b/debian/patches/debian-banner.patch | |||
@@ -10,7 +10,7 @@ Index: b/servconf.c | |||
10 | =================================================================== | 10 | =================================================================== |
11 | --- a/servconf.c | 11 | --- a/servconf.c |
12 | +++ b/servconf.c | 12 | +++ b/servconf.c |
13 | @@ -143,6 +143,7 @@ | 13 | @@ -142,6 +142,7 @@ |
14 | options->authorized_principals_file = NULL; | 14 | options->authorized_principals_file = NULL; |
15 | options->ip_qos_interactive = -1; | 15 | options->ip_qos_interactive = -1; |
16 | options->ip_qos_bulk = -1; | 16 | options->ip_qos_bulk = -1; |
@@ -18,7 +18,7 @@ Index: b/servconf.c | |||
18 | } | 18 | } |
19 | 19 | ||
20 | void | 20 | void |
21 | @@ -293,6 +294,8 @@ | 21 | @@ -289,6 +290,8 @@ |
22 | options->ip_qos_interactive = IPTOS_LOWDELAY; | 22 | options->ip_qos_interactive = IPTOS_LOWDELAY; |
23 | if (options->ip_qos_bulk == -1) | 23 | if (options->ip_qos_bulk == -1) |
24 | options->ip_qos_bulk = IPTOS_THROUGHPUT; | 24 | options->ip_qos_bulk = IPTOS_THROUGHPUT; |
@@ -27,7 +27,7 @@ Index: b/servconf.c | |||
27 | 27 | ||
28 | /* Turn privilege separation on by default */ | 28 | /* Turn privilege separation on by default */ |
29 | if (use_privsep == -1) | 29 | if (use_privsep == -1) |
30 | @@ -342,6 +345,7 @@ | 30 | @@ -338,6 +341,7 @@ |
31 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 31 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
32 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, | 32 | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
33 | sKexAlgorithms, sIPQoS, | 33 | sKexAlgorithms, sIPQoS, |
@@ -35,7 +35,7 @@ Index: b/servconf.c | |||
35 | sDeprecated, sUnsupported | 35 | sDeprecated, sUnsupported |
36 | } ServerOpCodes; | 36 | } ServerOpCodes; |
37 | 37 | ||
38 | @@ -477,6 +481,7 @@ | 38 | @@ -473,6 +477,7 @@ |
39 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, | 39 | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
40 | { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, | 40 | { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, |
41 | { "ipqos", sIPQoS, SSHCFG_ALL }, | 41 | { "ipqos", sIPQoS, SSHCFG_ALL }, |
@@ -43,7 +43,7 @@ Index: b/servconf.c | |||
43 | { NULL, sBadOption, 0 } | 43 | { NULL, sBadOption, 0 } |
44 | }; | 44 | }; |
45 | 45 | ||
46 | @@ -1439,6 +1444,10 @@ | 46 | @@ -1436,6 +1441,10 @@ |
47 | } | 47 | } |
48 | break; | 48 | break; |
49 | 49 | ||
@@ -58,7 +58,7 @@ Index: b/servconf.h | |||
58 | =================================================================== | 58 | =================================================================== |
59 | --- a/servconf.h | 59 | --- a/servconf.h |
60 | +++ b/servconf.h | 60 | +++ b/servconf.h |
61 | @@ -160,6 +160,8 @@ | 61 | @@ -166,6 +166,8 @@ |
62 | 62 | ||
63 | int num_permitted_opens; | 63 | int num_permitted_opens; |
64 | 64 | ||
@@ -71,7 +71,7 @@ Index: b/sshd.c | |||
71 | =================================================================== | 71 | =================================================================== |
72 | --- a/sshd.c | 72 | --- a/sshd.c |
73 | +++ b/sshd.c | 73 | +++ b/sshd.c |
74 | @@ -422,7 +422,8 @@ | 74 | @@ -423,7 +423,8 @@ |
75 | minor = PROTOCOL_MINOR_1; | 75 | minor = PROTOCOL_MINOR_1; |
76 | } | 76 | } |
77 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, | 77 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, |
@@ -85,7 +85,7 @@ Index: b/sshd_config.5 | |||
85 | =================================================================== | 85 | =================================================================== |
86 | --- a/sshd_config.5 | 86 | --- a/sshd_config.5 |
87 | +++ b/sshd_config.5 | 87 | +++ b/sshd_config.5 |
88 | @@ -339,6 +339,11 @@ | 88 | @@ -340,6 +340,11 @@ |
89 | .Dq no . | 89 | .Dq no . |
90 | The default is | 90 | The default is |
91 | .Dq delayed . | 91 | .Dq delayed . |
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch index e804aa526..74aa53ecc 100644 --- a/debian/patches/debian-config.patch +++ b/debian/patches/debian-config.patch | |||
@@ -24,7 +24,7 @@ Index: b/readconf.c | |||
24 | =================================================================== | 24 | =================================================================== |
25 | --- a/readconf.c | 25 | --- a/readconf.c |
26 | +++ b/readconf.c | 26 | +++ b/readconf.c |
27 | @@ -1223,7 +1223,7 @@ | 27 | @@ -1268,7 +1268,7 @@ |
28 | if (options->forward_x11 == -1) | 28 | if (options->forward_x11 == -1) |
29 | options->forward_x11 = 0; | 29 | options->forward_x11 = 0; |
30 | if (options->forward_x11_trusted == -1) | 30 | if (options->forward_x11_trusted == -1) |
@@ -84,7 +84,7 @@ Index: b/ssh_config.5 | |||
84 | The configuration file has the following format: | 84 | The configuration file has the following format: |
85 | .Pp | 85 | .Pp |
86 | Empty lines and lines starting with | 86 | Empty lines and lines starting with |
87 | @@ -482,7 +498,8 @@ | 87 | @@ -499,7 +515,8 @@ |
88 | Remote clients will be refused access after this time. | 88 | Remote clients will be refused access after this time. |
89 | .Pp | 89 | .Pp |
90 | The default is | 90 | The default is |
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch index 5cf8aa46b..cec6f6639 100644 --- a/debian/patches/doc-hash-tab-completion.patch +++ b/debian/patches/doc-hash-tab-completion.patch | |||
@@ -8,7 +8,7 @@ Index: b/ssh_config.5 | |||
8 | =================================================================== | 8 | =================================================================== |
9 | --- a/ssh_config.5 | 9 | --- a/ssh_config.5 |
10 | +++ b/ssh_config.5 | 10 | +++ b/ssh_config.5 |
11 | @@ -566,6 +566,9 @@ | 11 | @@ -585,6 +585,9 @@ |
12 | will not be converted automatically, | 12 | will not be converted automatically, |
13 | but may be manually hashed using | 13 | but may be manually hashed using |
14 | .Xr ssh-keygen 1 . | 14 | .Xr ssh-keygen 1 . |
diff --git a/debian/patches/gssapi-autoconf.patch b/debian/patches/gssapi-autoconf.patch deleted file mode 100644 index 51d8a8e72..000000000 --- a/debian/patches/gssapi-autoconf.patch +++ /dev/null | |||
@@ -1,29 +0,0 @@ | |||
1 | Description: Update config.h.in following GSSAPI patch | ||
2 | Author: Colin Watson <cjwatson@debian.org> | ||
3 | Forwarded: not-needed | ||
4 | Last-Updated: 2010-02-27 | ||
5 | |||
6 | Index: b/config.h.in | ||
7 | =================================================================== | ||
8 | --- a/config.h.in | ||
9 | +++ b/config.h.in | ||
10 | @@ -1417,6 +1417,9 @@ | ||
11 | /* Use btmp to log bad logins */ | ||
12 | #undef USE_BTMP | ||
13 | |||
14 | +/* platform uses an in-memory credentials cache */ | ||
15 | +#undef USE_CCAPI | ||
16 | + | ||
17 | /* Use libedit for sftp */ | ||
18 | #undef USE_LIBEDIT | ||
19 | |||
20 | @@ -1432,6 +1435,9 @@ | ||
21 | /* Use PIPES instead of a socketpair() */ | ||
22 | #undef USE_PIPES | ||
23 | |||
24 | +/* platform has the Security Authorization Session API */ | ||
25 | +#undef USE_SECURITY_SESSION_API | ||
26 | + | ||
27 | /* Define if you have Solaris process contracts */ | ||
28 | #undef USE_SOLARIS_PROCESS_CONTRACTS | ||
29 | |||
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index c123bf7b9..dc293683e 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -137,7 +137,7 @@ Index: b/Makefile.in | |||
137 | =================================================================== | 137 | =================================================================== |
138 | --- a/Makefile.in | 138 | --- a/Makefile.in |
139 | +++ b/Makefile.in | 139 | +++ b/Makefile.in |
140 | @@ -75,6 +75,7 @@ | 140 | @@ -70,6 +70,7 @@ |
141 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ | 141 | atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ |
142 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ | 142 | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
143 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ | 143 | kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ |
@@ -145,7 +145,7 @@ Index: b/Makefile.in | |||
145 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ | 145 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o jpake.o \ |
146 | schnorr.o ssh-pkcs11.o | 146 | schnorr.o ssh-pkcs11.o |
147 | 147 | ||
148 | @@ -91,7 +92,7 @@ | 148 | @@ -86,7 +87,7 @@ |
149 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ | 149 | auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \ |
150 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ | 150 | monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ |
151 | auth-krb5.o \ | 151 | auth-krb5.o \ |
@@ -153,7 +153,7 @@ Index: b/Makefile.in | |||
153 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ | 153 | + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o\ |
154 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ | 154 | loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ |
155 | sftp-server.o sftp-common.o \ | 155 | sftp-server.o sftp-common.o \ |
156 | roaming_common.o roaming_serv.o | 156 | roaming_common.o roaming_serv.o \ |
157 | Index: b/auth-krb5.c | 157 | Index: b/auth-krb5.c |
158 | =================================================================== | 158 | =================================================================== |
159 | --- a/auth-krb5.c | 159 | --- a/auth-krb5.c |
@@ -205,24 +205,12 @@ Index: b/auth-krb5.c | |||
205 | 205 | ||
206 | return (krb5_cc_resolve(ctx, ccname, ccache)); | 206 | return (krb5_cc_resolve(ctx, ccname, ccache)); |
207 | } | 207 | } |
208 | Index: b/auth.h | ||
209 | =================================================================== | ||
210 | --- a/auth.h | ||
211 | +++ b/auth.h | ||
212 | @@ -53,6 +53,7 @@ | ||
213 | int valid; /* user exists and is allowed to login */ | ||
214 | int attempt; | ||
215 | int failures; | ||
216 | + int server_caused_failure; | ||
217 | int force_pwchange; | ||
218 | char *user; /* username sent by the client */ | ||
219 | char *service; | ||
220 | Index: b/auth2-gss.c | 208 | Index: b/auth2-gss.c |
221 | =================================================================== | 209 | =================================================================== |
222 | --- a/auth2-gss.c | 210 | --- a/auth2-gss.c |
223 | +++ b/auth2-gss.c | 211 | +++ b/auth2-gss.c |
224 | @@ -1,7 +1,7 @@ | 212 | @@ -1,7 +1,7 @@ |
225 | /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */ | 213 | /* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */ |
226 | 214 | ||
227 | /* | 215 | /* |
228 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 216 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -271,23 +259,7 @@ Index: b/auth2-gss.c | |||
271 | /* | 259 | /* |
272 | * We only support those mechanisms that we know about (ie ones that we know | 260 | * We only support those mechanisms that we know about (ie ones that we know |
273 | * how to check local user kuserok and the like) | 261 | * how to check local user kuserok and the like) |
274 | @@ -102,6 +136,7 @@ | 262 | @@ -244,7 +278,8 @@ |
275 | |||
276 | if (!present) { | ||
277 | xfree(doid); | ||
278 | + authctxt->server_caused_failure = 1; | ||
279 | return (0); | ||
280 | } | ||
281 | |||
282 | @@ -109,6 +144,7 @@ | ||
283 | if (ctxt != NULL) | ||
284 | ssh_gssapi_delete_ctx(&ctxt); | ||
285 | xfree(doid); | ||
286 | + authctxt->server_caused_failure = 1; | ||
287 | return (0); | ||
288 | } | ||
289 | |||
290 | @@ -242,7 +278,8 @@ | ||
291 | 263 | ||
292 | packet_check_eom(); | 264 | packet_check_eom(); |
293 | 265 | ||
@@ -297,7 +269,7 @@ Index: b/auth2-gss.c | |||
297 | 269 | ||
298 | authctxt->postponed = 0; | 270 | authctxt->postponed = 0; |
299 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); | 271 | dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); |
300 | @@ -277,7 +314,8 @@ | 272 | @@ -279,7 +314,8 @@ |
301 | gssbuf.length = buffer_len(&b); | 273 | gssbuf.length = buffer_len(&b); |
302 | 274 | ||
303 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) | 275 | if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) |
@@ -307,7 +279,7 @@ Index: b/auth2-gss.c | |||
307 | else | 279 | else |
308 | logit("GSSAPI MIC check failed"); | 280 | logit("GSSAPI MIC check failed"); |
309 | 281 | ||
310 | @@ -292,6 +330,12 @@ | 282 | @@ -294,6 +330,12 @@ |
311 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); | 283 | userauth_finish(authctxt, authenticated, "gssapi-with-mic"); |
312 | } | 284 | } |
313 | 285 | ||
@@ -340,24 +312,6 @@ Index: b/auth2.c | |||
340 | &method_gssapi, | 312 | &method_gssapi, |
341 | #endif | 313 | #endif |
342 | #ifdef JPAKE | 314 | #ifdef JPAKE |
343 | @@ -274,6 +276,7 @@ | ||
344 | #endif | ||
345 | |||
346 | authctxt->postponed = 0; | ||
347 | + authctxt->server_caused_failure = 0; | ||
348 | |||
349 | /* try to authenticate user */ | ||
350 | m = authmethod_lookup(method); | ||
351 | @@ -346,7 +349,8 @@ | ||
352 | } else { | ||
353 | |||
354 | /* Allow initial try of "none" auth without failure penalty */ | ||
355 | - if (authctxt->attempt > 1 || strcmp(method, "none") != 0) | ||
356 | + if (!authctxt->server_caused_failure && | ||
357 | + (authctxt->attempt > 1 || strcmp(method, "none") != 0)) | ||
358 | authctxt->failures++; | ||
359 | if (authctxt->failures >= options.max_authtries) { | ||
360 | #ifdef SSH_AUDIT_EVENTS | ||
361 | Index: b/clientloop.c | 315 | Index: b/clientloop.c |
362 | =================================================================== | 316 | =================================================================== |
363 | --- a/clientloop.c | 317 | --- a/clientloop.c |
@@ -373,7 +327,7 @@ Index: b/clientloop.c | |||
373 | /* import options */ | 327 | /* import options */ |
374 | extern Options options; | 328 | extern Options options; |
375 | 329 | ||
376 | @@ -1483,6 +1487,15 @@ | 330 | @@ -1508,6 +1512,15 @@ |
377 | /* Do channel operations unless rekeying in progress. */ | 331 | /* Do channel operations unless rekeying in progress. */ |
378 | if (!rekeying) { | 332 | if (!rekeying) { |
379 | channel_after_select(readset, writeset); | 333 | channel_after_select(readset, writeset); |
@@ -389,41 +343,133 @@ Index: b/clientloop.c | |||
389 | if (need_rekeying || packet_need_rekeying()) { | 343 | if (need_rekeying || packet_need_rekeying()) { |
390 | debug("need rekeying"); | 344 | debug("need rekeying"); |
391 | xxx_kex->done = 0; | 345 | xxx_kex->done = 0; |
346 | Index: b/config.h.in | ||
347 | =================================================================== | ||
348 | --- a/config.h.in | ||
349 | +++ b/config.h.in | ||
350 | @@ -1441,6 +1441,9 @@ | ||
351 | /* Use btmp to log bad logins */ | ||
352 | #undef USE_BTMP | ||
353 | |||
354 | +/* platform uses an in-memory credentials cache */ | ||
355 | +#undef USE_CCAPI | ||
356 | + | ||
357 | /* Use libedit for sftp */ | ||
358 | #undef USE_LIBEDIT | ||
359 | |||
360 | @@ -1456,6 +1459,9 @@ | ||
361 | /* Use PIPES instead of a socketpair() */ | ||
362 | #undef USE_PIPES | ||
363 | |||
364 | +/* platform has the Security Authorization Session API */ | ||
365 | +#undef USE_SECURITY_SESSION_API | ||
366 | + | ||
367 | /* Define if you have Solaris process contracts */ | ||
368 | #undef USE_SOLARIS_PROCESS_CONTRACTS | ||
369 | |||
370 | Index: b/configure | ||
371 | =================================================================== | ||
372 | --- a/configure | ||
373 | +++ b/configure | ||
374 | @@ -6521,6 +6521,63 @@ | ||
375 | |||
376 | $as_echo "#define SSH_TUN_PREPEND_AF 1" >>confdefs.h | ||
377 | |||
378 | + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have the Security Authorization Session API" >&5 | ||
379 | +$as_echo_n "checking if we have the Security Authorization Session API... " >&6; } | ||
380 | + cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
381 | +/* end confdefs.h. */ | ||
382 | +#include <Security/AuthSession.h> | ||
383 | +int | ||
384 | +main () | ||
385 | +{ | ||
386 | +SessionCreate(0, 0); | ||
387 | + ; | ||
388 | + return 0; | ||
389 | +} | ||
390 | +_ACEOF | ||
391 | +if ac_fn_c_try_compile "$LINENO"; then : | ||
392 | + ac_cv_use_security_session_api="yes" | ||
393 | + | ||
394 | +$as_echo "#define USE_SECURITY_SESSION_API 1" >>confdefs.h | ||
395 | + | ||
396 | + LIBS="$LIBS -framework Security" | ||
397 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
398 | +$as_echo "yes" >&6; } | ||
399 | +else | ||
400 | + ac_cv_use_security_session_api="no" | ||
401 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
402 | +$as_echo "no" >&6; } | ||
403 | +fi | ||
404 | +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
405 | + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we have an in-memory credentials cache" >&5 | ||
406 | +$as_echo_n "checking if we have an in-memory credentials cache... " >&6; } | ||
407 | + cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
408 | +/* end confdefs.h. */ | ||
409 | +#include <Kerberos/Kerberos.h> | ||
410 | +int | ||
411 | +main () | ||
412 | +{ | ||
413 | +cc_context_t c; | ||
414 | + (void) cc_initialize (&c, 0, NULL, NULL); | ||
415 | + ; | ||
416 | + return 0; | ||
417 | +} | ||
418 | +_ACEOF | ||
419 | +if ac_fn_c_try_compile "$LINENO"; then : | ||
420 | + | ||
421 | +$as_echo "#define USE_CCAPI 1" >>confdefs.h | ||
422 | + | ||
423 | + LIBS="$LIBS -framework Security" | ||
424 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | ||
425 | +$as_echo "yes" >&6; } | ||
426 | + if test "x$ac_cv_use_security_session_api" = "xno"; then | ||
427 | + as_fn_error $? "*** Need a security framework to use the credentials cache API ***" "$LINENO" 5 | ||
428 | + fi | ||
429 | +else | ||
430 | + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | ||
431 | +$as_echo "no" >&6; } | ||
432 | + | ||
433 | +fi | ||
434 | +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
435 | |||
436 | ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default" | ||
437 | if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then : | ||
392 | Index: b/configure.ac | 438 | Index: b/configure.ac |
393 | =================================================================== | 439 | =================================================================== |
394 | --- a/configure.ac | 440 | --- a/configure.ac |
395 | +++ b/configure.ac | 441 | +++ b/configure.ac |
396 | @@ -514,6 +514,30 @@ | 442 | @@ -515,6 +515,30 @@ |
397 | [Use tunnel device compatibility to OpenBSD]) | 443 | [Use tunnel device compatibility to OpenBSD]) |
398 | AC_DEFINE(SSH_TUN_PREPEND_AF, 1, | 444 | AC_DEFINE([SSH_TUN_PREPEND_AF], [1], |
399 | [Prepend the address family to IP tunnel traffic]) | 445 | [Prepend the address family to IP tunnel traffic]) |
400 | + AC_MSG_CHECKING(if we have the Security Authorization Session API) | 446 | + AC_MSG_CHECKING([if we have the Security Authorization Session API]) |
401 | + AC_TRY_COMPILE([#include <Security/AuthSession.h>], | 447 | + AC_TRY_COMPILE([#include <Security/AuthSession.h>], |
402 | + [SessionCreate(0, 0);], | 448 | + [SessionCreate(0, 0);], |
403 | + [ac_cv_use_security_session_api="yes" | 449 | + [ac_cv_use_security_session_api="yes" |
404 | + AC_DEFINE(USE_SECURITY_SESSION_API, 1, | 450 | + AC_DEFINE([USE_SECURITY_SESSION_API], [1], |
405 | + [platform has the Security Authorization Session API]) | 451 | + [platform has the Security Authorization Session API]) |
406 | + LIBS="$LIBS -framework Security" | 452 | + LIBS="$LIBS -framework Security" |
407 | + AC_MSG_RESULT(yes)], | 453 | + AC_MSG_RESULT([yes])], |
408 | + [ac_cv_use_security_session_api="no" | 454 | + [ac_cv_use_security_session_api="no" |
409 | + AC_MSG_RESULT(no)]) | 455 | + AC_MSG_RESULT([no])]) |
410 | + AC_MSG_CHECKING(if we have an in-memory credentials cache) | 456 | + AC_MSG_CHECKING([if we have an in-memory credentials cache]) |
411 | + AC_TRY_COMPILE( | 457 | + AC_TRY_COMPILE( |
412 | + [#include <Kerberos/Kerberos.h>], | 458 | + [#include <Kerberos/Kerberos.h>], |
413 | + [cc_context_t c; | 459 | + [cc_context_t c; |
414 | + (void) cc_initialize (&c, 0, NULL, NULL);], | 460 | + (void) cc_initialize (&c, 0, NULL, NULL);], |
415 | + [AC_DEFINE(USE_CCAPI, 1, | 461 | + [AC_DEFINE([USE_CCAPI], [1], |
416 | + [platform uses an in-memory credentials cache]) | 462 | + [platform uses an in-memory credentials cache]) |
417 | + LIBS="$LIBS -framework Security" | 463 | + LIBS="$LIBS -framework Security" |
418 | + AC_MSG_RESULT(yes) | 464 | + AC_MSG_RESULT([yes]) |
419 | + if test "x$ac_cv_use_security_session_api" = "xno"; then | 465 | + if test "x$ac_cv_use_security_session_api" = "xno"; then |
420 | + AC_MSG_ERROR(*** Need a security framework to use the credentials cache API ***) | 466 | + AC_MSG_ERROR([*** Need a security framework to use the credentials cache API ***]) |
421 | + fi], | 467 | + fi], |
422 | + [AC_MSG_RESULT(no)] | 468 | + [AC_MSG_RESULT([no])] |
423 | + ) | 469 | + ) |
424 | m4_pattern_allow(AU_IPv) | 470 | m4_pattern_allow([AU_IPv]) |
425 | AC_CHECK_DECL(AU_IPv4, [], | 471 | AC_CHECK_DECL([AU_IPv4], [], |
426 | AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records]) | 472 | AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) |
427 | Index: b/gss-genr.c | 473 | Index: b/gss-genr.c |
428 | =================================================================== | 474 | =================================================================== |
429 | --- a/gss-genr.c | 475 | --- a/gss-genr.c |
@@ -904,7 +950,7 @@ Index: b/gss-serv.c | |||
904 | --- a/gss-serv.c | 950 | --- a/gss-serv.c |
905 | +++ b/gss-serv.c | 951 | +++ b/gss-serv.c |
906 | @@ -1,7 +1,7 @@ | 952 | @@ -1,7 +1,7 @@ |
907 | /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */ | 953 | /* $OpenBSD: gss-serv.c,v 1.23 2011/08/01 19:18:15 markus Exp $ */ |
908 | 954 | ||
909 | /* | 955 | /* |
910 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. | 956 | - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. |
@@ -1023,7 +1069,7 @@ Index: b/gss-serv.c | |||
1023 | 1069 | ||
1024 | while (supported_mechs[i]->name != NULL) { | 1070 | while (supported_mechs[i]->name != NULL) { |
1025 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, | 1071 | if (GSS_ERROR(gss_test_oid_set_member(&min_status, |
1026 | @@ -247,8 +284,48 @@ | 1072 | @@ -249,8 +286,48 @@ |
1027 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) | 1073 | ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) |
1028 | { | 1074 | { |
1029 | int i = 0; | 1075 | int i = 0; |
@@ -1073,7 +1119,7 @@ Index: b/gss-serv.c | |||
1073 | 1119 | ||
1074 | client->mech = NULL; | 1120 | client->mech = NULL; |
1075 | 1121 | ||
1076 | @@ -263,6 +340,13 @@ | 1122 | @@ -265,6 +342,13 @@ |
1077 | if (client->mech == NULL) | 1123 | if (client->mech == NULL) |
1078 | return GSS_S_FAILURE; | 1124 | return GSS_S_FAILURE; |
1079 | 1125 | ||
@@ -1087,7 +1133,7 @@ Index: b/gss-serv.c | |||
1087 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, | 1133 | if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, |
1088 | &client->displayname, NULL))) { | 1134 | &client->displayname, NULL))) { |
1089 | ssh_gssapi_error(ctx); | 1135 | ssh_gssapi_error(ctx); |
1090 | @@ -280,6 +364,8 @@ | 1136 | @@ -282,6 +366,8 @@ |
1091 | return (ctx->major); | 1137 | return (ctx->major); |
1092 | } | 1138 | } |
1093 | 1139 | ||
@@ -1096,7 +1142,7 @@ Index: b/gss-serv.c | |||
1096 | /* We can't copy this structure, so we just move the pointer to it */ | 1142 | /* We can't copy this structure, so we just move the pointer to it */ |
1097 | client->creds = ctx->client_creds; | 1143 | client->creds = ctx->client_creds; |
1098 | ctx->client_creds = GSS_C_NO_CREDENTIAL; | 1144 | ctx->client_creds = GSS_C_NO_CREDENTIAL; |
1099 | @@ -327,7 +413,7 @@ | 1145 | @@ -329,7 +415,7 @@ |
1100 | 1146 | ||
1101 | /* Privileged */ | 1147 | /* Privileged */ |
1102 | int | 1148 | int |
@@ -1105,7 +1151,7 @@ Index: b/gss-serv.c | |||
1105 | { | 1151 | { |
1106 | OM_uint32 lmin; | 1152 | OM_uint32 lmin; |
1107 | 1153 | ||
1108 | @@ -337,9 +423,11 @@ | 1154 | @@ -339,9 +425,11 @@ |
1109 | return 0; | 1155 | return 0; |
1110 | } | 1156 | } |
1111 | if (gssapi_client.mech && gssapi_client.mech->userok) | 1157 | if (gssapi_client.mech && gssapi_client.mech->userok) |
@@ -1119,7 +1165,7 @@ Index: b/gss-serv.c | |||
1119 | /* Destroy delegated credentials if userok fails */ | 1165 | /* Destroy delegated credentials if userok fails */ |
1120 | gss_release_buffer(&lmin, &gssapi_client.displayname); | 1166 | gss_release_buffer(&lmin, &gssapi_client.displayname); |
1121 | gss_release_buffer(&lmin, &gssapi_client.exportedname); | 1167 | gss_release_buffer(&lmin, &gssapi_client.exportedname); |
1122 | @@ -352,14 +440,90 @@ | 1168 | @@ -354,14 +442,90 @@ |
1123 | return (0); | 1169 | return (0); |
1124 | } | 1170 | } |
1125 | 1171 | ||
@@ -1961,7 +2007,7 @@ Index: b/monitor.c | |||
1961 | =================================================================== | 2007 | =================================================================== |
1962 | --- a/monitor.c | 2008 | --- a/monitor.c |
1963 | +++ b/monitor.c | 2009 | +++ b/monitor.c |
1964 | @@ -172,6 +172,8 @@ | 2010 | @@ -180,6 +180,8 @@ |
1965 | int mm_answer_gss_accept_ctx(int, Buffer *); | 2011 | int mm_answer_gss_accept_ctx(int, Buffer *); |
1966 | int mm_answer_gss_userok(int, Buffer *); | 2012 | int mm_answer_gss_userok(int, Buffer *); |
1967 | int mm_answer_gss_checkmic(int, Buffer *); | 2013 | int mm_answer_gss_checkmic(int, Buffer *); |
@@ -1970,7 +2016,7 @@ Index: b/monitor.c | |||
1970 | #endif | 2016 | #endif |
1971 | 2017 | ||
1972 | #ifdef SSH_AUDIT_EVENTS | 2018 | #ifdef SSH_AUDIT_EVENTS |
1973 | @@ -241,6 +243,7 @@ | 2019 | @@ -251,6 +253,7 @@ |
1974 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 2020 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
1975 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 2021 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
1976 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | 2022 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, |
@@ -1978,7 +2024,7 @@ Index: b/monitor.c | |||
1978 | #endif | 2024 | #endif |
1979 | #ifdef JPAKE | 2025 | #ifdef JPAKE |
1980 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, | 2026 | {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata}, |
1981 | @@ -253,6 +256,12 @@ | 2027 | @@ -263,6 +266,12 @@ |
1982 | }; | 2028 | }; |
1983 | 2029 | ||
1984 | struct mon_table mon_dispatch_postauth20[] = { | 2030 | struct mon_table mon_dispatch_postauth20[] = { |
@@ -1991,7 +2037,7 @@ Index: b/monitor.c | |||
1991 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, | 2037 | {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, |
1992 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, | 2038 | {MONITOR_REQ_SIGN, 0, mm_answer_sign}, |
1993 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, | 2039 | {MONITOR_REQ_PTY, 0, mm_answer_pty}, |
1994 | @@ -357,6 +366,10 @@ | 2040 | @@ -371,6 +380,10 @@ |
1995 | /* Permit requests for moduli and signatures */ | 2041 | /* Permit requests for moduli and signatures */ |
1996 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2042 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
1997 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2043 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
@@ -2002,7 +2048,7 @@ Index: b/monitor.c | |||
2002 | } else { | 2048 | } else { |
2003 | mon_dispatch = mon_dispatch_proto15; | 2049 | mon_dispatch = mon_dispatch_proto15; |
2004 | 2050 | ||
2005 | @@ -443,6 +456,10 @@ | 2051 | @@ -468,6 +481,10 @@ |
2006 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); | 2052 | monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); |
2007 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); | 2053 | monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); |
2008 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2054 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
@@ -2013,7 +2059,7 @@ Index: b/monitor.c | |||
2013 | } else { | 2059 | } else { |
2014 | mon_dispatch = mon_dispatch_postauth15; | 2060 | mon_dispatch = mon_dispatch_postauth15; |
2015 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); | 2061 | monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); |
2016 | @@ -1692,6 +1709,13 @@ | 2062 | @@ -1802,6 +1819,13 @@ |
2017 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 2063 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
2018 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 2064 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
2019 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 2065 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -2027,7 +2073,7 @@ Index: b/monitor.c | |||
2027 | kex->server = 1; | 2073 | kex->server = 1; |
2028 | kex->hostkey_type = buffer_get_int(m); | 2074 | kex->hostkey_type = buffer_get_int(m); |
2029 | kex->kex_type = buffer_get_int(m); | 2075 | kex->kex_type = buffer_get_int(m); |
2030 | @@ -1898,6 +1922,9 @@ | 2076 | @@ -2008,6 +2032,9 @@ |
2031 | OM_uint32 major; | 2077 | OM_uint32 major; |
2032 | u_int len; | 2078 | u_int len; |
2033 | 2079 | ||
@@ -2037,7 +2083,7 @@ Index: b/monitor.c | |||
2037 | goid.elements = buffer_get_string(m, &len); | 2083 | goid.elements = buffer_get_string(m, &len); |
2038 | goid.length = len; | 2084 | goid.length = len; |
2039 | 2085 | ||
2040 | @@ -1925,6 +1952,9 @@ | 2086 | @@ -2035,6 +2062,9 @@ |
2041 | OM_uint32 flags = 0; /* GSI needs this */ | 2087 | OM_uint32 flags = 0; /* GSI needs this */ |
2042 | u_int len; | 2088 | u_int len; |
2043 | 2089 | ||
@@ -2047,7 +2093,7 @@ Index: b/monitor.c | |||
2047 | in.value = buffer_get_string(m, &len); | 2093 | in.value = buffer_get_string(m, &len); |
2048 | in.length = len; | 2094 | in.length = len; |
2049 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); | 2095 | major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); |
2050 | @@ -1942,6 +1972,7 @@ | 2096 | @@ -2052,6 +2082,7 @@ |
2051 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 2097 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
2052 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 2098 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
2053 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | 2099 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); |
@@ -2055,7 +2101,7 @@ Index: b/monitor.c | |||
2055 | } | 2101 | } |
2056 | return (0); | 2102 | return (0); |
2057 | } | 2103 | } |
2058 | @@ -1953,6 +1984,9 @@ | 2104 | @@ -2063,6 +2094,9 @@ |
2059 | OM_uint32 ret; | 2105 | OM_uint32 ret; |
2060 | u_int len; | 2106 | u_int len; |
2061 | 2107 | ||
@@ -2065,7 +2111,7 @@ Index: b/monitor.c | |||
2065 | gssbuf.value = buffer_get_string(m, &len); | 2111 | gssbuf.value = buffer_get_string(m, &len); |
2066 | gssbuf.length = len; | 2112 | gssbuf.length = len; |
2067 | mic.value = buffer_get_string(m, &len); | 2113 | mic.value = buffer_get_string(m, &len); |
2068 | @@ -1979,7 +2013,11 @@ | 2114 | @@ -2089,7 +2123,11 @@ |
2069 | { | 2115 | { |
2070 | int authenticated; | 2116 | int authenticated; |
2071 | 2117 | ||
@@ -2078,7 +2124,7 @@ Index: b/monitor.c | |||
2078 | 2124 | ||
2079 | buffer_clear(m); | 2125 | buffer_clear(m); |
2080 | buffer_put_int(m, authenticated); | 2126 | buffer_put_int(m, authenticated); |
2081 | @@ -1992,6 +2030,74 @@ | 2127 | @@ -2102,6 +2140,74 @@ |
2082 | /* Monitor loop will terminate if authenticated */ | 2128 | /* Monitor loop will terminate if authenticated */ |
2083 | return (authenticated); | 2129 | return (authenticated); |
2084 | } | 2130 | } |
@@ -2170,7 +2216,7 @@ Index: b/monitor_wrap.c | |||
2170 | =================================================================== | 2216 | =================================================================== |
2171 | --- a/monitor_wrap.c | 2217 | --- a/monitor_wrap.c |
2172 | +++ b/monitor_wrap.c | 2218 | +++ b/monitor_wrap.c |
2173 | @@ -1232,7 +1232,7 @@ | 2219 | @@ -1270,7 +1270,7 @@ |
2174 | } | 2220 | } |
2175 | 2221 | ||
2176 | int | 2222 | int |
@@ -2179,7 +2225,7 @@ Index: b/monitor_wrap.c | |||
2179 | { | 2225 | { |
2180 | Buffer m; | 2226 | Buffer m; |
2181 | int authenticated = 0; | 2227 | int authenticated = 0; |
2182 | @@ -1249,6 +1249,51 @@ | 2228 | @@ -1287,6 +1287,51 @@ |
2183 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); | 2229 | debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); |
2184 | return (authenticated); | 2230 | return (authenticated); |
2185 | } | 2231 | } |
@@ -2235,7 +2281,7 @@ Index: b/monitor_wrap.h | |||
2235 | =================================================================== | 2281 | =================================================================== |
2236 | --- a/monitor_wrap.h | 2282 | --- a/monitor_wrap.h |
2237 | +++ b/monitor_wrap.h | 2283 | +++ b/monitor_wrap.h |
2238 | @@ -57,8 +57,10 @@ | 2284 | @@ -58,8 +58,10 @@ |
2239 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); | 2285 | OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); |
2240 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, | 2286 | OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, |
2241 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); | 2287 | gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); |
@@ -2280,7 +2326,7 @@ Index: b/readconf.c | |||
2280 | #endif | 2326 | #endif |
2281 | { "fallbacktorsh", oDeprecated }, | 2327 | { "fallbacktorsh", oDeprecated }, |
2282 | { "usersh", oDeprecated }, | 2328 | { "usersh", oDeprecated }, |
2283 | @@ -479,10 +490,30 @@ | 2329 | @@ -482,10 +493,30 @@ |
2284 | intptr = &options->gss_authentication; | 2330 | intptr = &options->gss_authentication; |
2285 | goto parse_flag; | 2331 | goto parse_flag; |
2286 | 2332 | ||
@@ -2311,7 +2357,7 @@ Index: b/readconf.c | |||
2311 | case oBatchMode: | 2357 | case oBatchMode: |
2312 | intptr = &options->batch_mode; | 2358 | intptr = &options->batch_mode; |
2313 | goto parse_flag; | 2359 | goto parse_flag; |
2314 | @@ -1092,7 +1123,12 @@ | 2360 | @@ -1138,7 +1169,12 @@ |
2315 | options->pubkey_authentication = -1; | 2361 | options->pubkey_authentication = -1; |
2316 | options->challenge_response_authentication = -1; | 2362 | options->challenge_response_authentication = -1; |
2317 | options->gss_authentication = -1; | 2363 | options->gss_authentication = -1; |
@@ -2324,7 +2370,7 @@ Index: b/readconf.c | |||
2324 | options->password_authentication = -1; | 2370 | options->password_authentication = -1; |
2325 | options->kbd_interactive_authentication = -1; | 2371 | options->kbd_interactive_authentication = -1; |
2326 | options->kbd_interactive_devices = NULL; | 2372 | options->kbd_interactive_devices = NULL; |
2327 | @@ -1193,8 +1229,14 @@ | 2373 | @@ -1238,8 +1274,14 @@ |
2328 | options->challenge_response_authentication = 1; | 2374 | options->challenge_response_authentication = 1; |
2329 | if (options->gss_authentication == -1) | 2375 | if (options->gss_authentication == -1) |
2330 | options->gss_authentication = 0; | 2376 | options->gss_authentication = 0; |
@@ -2343,7 +2389,7 @@ Index: b/readconf.h | |||
2343 | =================================================================== | 2389 | =================================================================== |
2344 | --- a/readconf.h | 2390 | --- a/readconf.h |
2345 | +++ b/readconf.h | 2391 | +++ b/readconf.h |
2346 | @@ -46,7 +46,12 @@ | 2392 | @@ -47,7 +47,12 @@ |
2347 | int challenge_response_authentication; | 2393 | int challenge_response_authentication; |
2348 | /* Try S/Key or TIS, authentication. */ | 2394 | /* Try S/Key or TIS, authentication. */ |
2349 | int gss_authentication; /* Try GSS authentication */ | 2395 | int gss_authentication; /* Try GSS authentication */ |
@@ -2371,7 +2417,7 @@ Index: b/servconf.c | |||
2371 | options->password_authentication = -1; | 2417 | options->password_authentication = -1; |
2372 | options->kbd_interactive_authentication = -1; | 2418 | options->kbd_interactive_authentication = -1; |
2373 | options->challenge_response_authentication = -1; | 2419 | options->challenge_response_authentication = -1; |
2374 | @@ -226,8 +229,14 @@ | 2420 | @@ -225,8 +228,14 @@ |
2375 | options->kerberos_get_afs_token = 0; | 2421 | options->kerberos_get_afs_token = 0; |
2376 | if (options->gss_authentication == -1) | 2422 | if (options->gss_authentication == -1) |
2377 | options->gss_authentication = 0; | 2423 | options->gss_authentication = 0; |
@@ -2386,10 +2432,10 @@ Index: b/servconf.c | |||
2386 | if (options->password_authentication == -1) | 2432 | if (options->password_authentication == -1) |
2387 | options->password_authentication = 1; | 2433 | options->password_authentication = 1; |
2388 | if (options->kbd_interactive_authentication == -1) | 2434 | if (options->kbd_interactive_authentication == -1) |
2389 | @@ -322,7 +331,9 @@ | 2435 | @@ -318,7 +327,9 @@ |
2390 | sBanner, sUseDNS, sHostbasedAuthentication, | 2436 | sBanner, sUseDNS, sHostbasedAuthentication, |
2391 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, | 2437 | sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, |
2392 | sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, | 2438 | sClientAliveCountMax, sAuthorizedKeysFile, |
2393 | - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, | 2439 | - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, |
2394 | + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 2440 | + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
2395 | + sGssKeyEx, sGssStoreRekey, | 2441 | + sGssKeyEx, sGssStoreRekey, |
@@ -2397,7 +2443,7 @@ Index: b/servconf.c | |||
2397 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, | 2443 | sMatch, sPermitOpen, sForceCommand, sChrootDirectory, |
2398 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 2444 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
2399 | sZeroKnowledgePasswordAuthentication, sHostCertificate, | 2445 | sZeroKnowledgePasswordAuthentication, sHostCertificate, |
2400 | @@ -386,10 +397,20 @@ | 2446 | @@ -382,10 +393,20 @@ |
2401 | #ifdef GSSAPI | 2447 | #ifdef GSSAPI |
2402 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, | 2448 | { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, |
2403 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, | 2449 | { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, |
@@ -2418,7 +2464,7 @@ Index: b/servconf.c | |||
2418 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, | 2464 | { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, |
2419 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, | 2465 | { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, |
2420 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, | 2466 | { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, |
2421 | @@ -944,10 +965,22 @@ | 2467 | @@ -962,10 +983,22 @@ |
2422 | intptr = &options->gss_authentication; | 2468 | intptr = &options->gss_authentication; |
2423 | goto parse_flag; | 2469 | goto parse_flag; |
2424 | 2470 | ||
@@ -2441,7 +2487,7 @@ Index: b/servconf.c | |||
2441 | case sPasswordAuthentication: | 2487 | case sPasswordAuthentication: |
2442 | intptr = &options->password_authentication; | 2488 | intptr = &options->password_authentication; |
2443 | goto parse_flag; | 2489 | goto parse_flag; |
2444 | @@ -1704,7 +1737,10 @@ | 2490 | @@ -1720,7 +1753,10 @@ |
2445 | #endif | 2491 | #endif |
2446 | #ifdef GSSAPI | 2492 | #ifdef GSSAPI |
2447 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); | 2493 | dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); |
@@ -2456,7 +2502,7 @@ Index: b/servconf.h | |||
2456 | =================================================================== | 2502 | =================================================================== |
2457 | --- a/servconf.h | 2503 | --- a/servconf.h |
2458 | +++ b/servconf.h | 2504 | +++ b/servconf.h |
2459 | @@ -97,7 +97,10 @@ | 2505 | @@ -103,7 +103,10 @@ |
2460 | int kerberos_get_afs_token; /* If true, try to get AFS token if | 2506 | int kerberos_get_afs_token; /* If true, try to get AFS token if |
2461 | * authenticated with Kerberos. */ | 2507 | * authenticated with Kerberos. */ |
2462 | int gss_authentication; /* If true, permit GSSAPI authentication */ | 2508 | int gss_authentication; /* If true, permit GSSAPI authentication */ |
@@ -2585,7 +2631,7 @@ Index: b/ssh_config.5 | |||
2585 | =================================================================== | 2631 | =================================================================== |
2586 | --- a/ssh_config.5 | 2632 | --- a/ssh_config.5 |
2587 | +++ b/ssh_config.5 | 2633 | +++ b/ssh_config.5 |
2588 | @@ -508,11 +508,43 @@ | 2634 | @@ -527,11 +527,43 @@ |
2589 | The default is | 2635 | The default is |
2590 | .Dq no . | 2636 | .Dq no . |
2591 | Note that this option applies to protocol version 2 only. | 2637 | Note that this option applies to protocol version 2 only. |
@@ -2634,7 +2680,7 @@ Index: b/sshconnect2.c | |||
2634 | =================================================================== | 2680 | =================================================================== |
2635 | --- a/sshconnect2.c | 2681 | --- a/sshconnect2.c |
2636 | +++ b/sshconnect2.c | 2682 | +++ b/sshconnect2.c |
2637 | @@ -159,9 +159,34 @@ | 2683 | @@ -160,9 +160,34 @@ |
2638 | { | 2684 | { |
2639 | Kex *kex; | 2685 | Kex *kex; |
2640 | 2686 | ||
@@ -2669,7 +2715,7 @@ Index: b/sshconnect2.c | |||
2669 | if (options.ciphers == (char *)-1) { | 2715 | if (options.ciphers == (char *)-1) { |
2670 | logit("No valid ciphers for protocol version 2 given, using defaults."); | 2716 | logit("No valid ciphers for protocol version 2 given, using defaults."); |
2671 | options.ciphers = NULL; | 2717 | options.ciphers = NULL; |
2672 | @@ -196,6 +221,17 @@ | 2718 | @@ -197,6 +222,17 @@ |
2673 | if (options.kex_algorithms != NULL) | 2719 | if (options.kex_algorithms != NULL) |
2674 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; | 2720 | myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; |
2675 | 2721 | ||
@@ -2687,7 +2733,7 @@ Index: b/sshconnect2.c | |||
2687 | if (options.rekey_limit) | 2733 | if (options.rekey_limit) |
2688 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); | 2734 | packet_set_rekey_limit((u_int32_t)options.rekey_limit); |
2689 | 2735 | ||
2690 | @@ -206,10 +242,30 @@ | 2736 | @@ -207,10 +243,30 @@ |
2691 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; | 2737 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; |
2692 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; | 2738 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_client; |
2693 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; | 2739 | kex->kex[KEX_ECDH_SHA2] = kexecdh_client; |
@@ -2718,7 +2764,7 @@ Index: b/sshconnect2.c | |||
2718 | xxx_kex = kex; | 2764 | xxx_kex = kex; |
2719 | 2765 | ||
2720 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); | 2766 | dispatch_run(DISPATCH_BLOCK, &kex->done, kex); |
2721 | @@ -304,6 +360,7 @@ | 2767 | @@ -305,6 +361,7 @@ |
2722 | void input_gssapi_hash(int type, u_int32_t, void *); | 2768 | void input_gssapi_hash(int type, u_int32_t, void *); |
2723 | void input_gssapi_error(int, u_int32_t, void *); | 2769 | void input_gssapi_error(int, u_int32_t, void *); |
2724 | void input_gssapi_errtok(int, u_int32_t, void *); | 2770 | void input_gssapi_errtok(int, u_int32_t, void *); |
@@ -2726,7 +2772,7 @@ Index: b/sshconnect2.c | |||
2726 | #endif | 2772 | #endif |
2727 | 2773 | ||
2728 | void userauth(Authctxt *, char *); | 2774 | void userauth(Authctxt *, char *); |
2729 | @@ -319,6 +376,11 @@ | 2775 | @@ -320,6 +377,11 @@ |
2730 | 2776 | ||
2731 | Authmethod authmethods[] = { | 2777 | Authmethod authmethods[] = { |
2732 | #ifdef GSSAPI | 2778 | #ifdef GSSAPI |
@@ -2738,7 +2784,7 @@ Index: b/sshconnect2.c | |||
2738 | {"gssapi-with-mic", | 2784 | {"gssapi-with-mic", |
2739 | userauth_gssapi, | 2785 | userauth_gssapi, |
2740 | NULL, | 2786 | NULL, |
2741 | @@ -625,19 +687,31 @@ | 2787 | @@ -626,19 +688,31 @@ |
2742 | static u_int mech = 0; | 2788 | static u_int mech = 0; |
2743 | OM_uint32 min; | 2789 | OM_uint32 min; |
2744 | int ok = 0; | 2790 | int ok = 0; |
@@ -2772,7 +2818,7 @@ Index: b/sshconnect2.c | |||
2772 | ok = 1; /* Mechanism works */ | 2818 | ok = 1; /* Mechanism works */ |
2773 | } else { | 2819 | } else { |
2774 | mech++; | 2820 | mech++; |
2775 | @@ -734,8 +808,8 @@ | 2821 | @@ -735,8 +809,8 @@ |
2776 | { | 2822 | { |
2777 | Authctxt *authctxt = ctxt; | 2823 | Authctxt *authctxt = ctxt; |
2778 | Gssctxt *gssctxt; | 2824 | Gssctxt *gssctxt; |
@@ -2783,7 +2829,7 @@ Index: b/sshconnect2.c | |||
2783 | 2829 | ||
2784 | if (authctxt == NULL) | 2830 | if (authctxt == NULL) |
2785 | fatal("input_gssapi_response: no authentication context"); | 2831 | fatal("input_gssapi_response: no authentication context"); |
2786 | @@ -845,6 +919,48 @@ | 2832 | @@ -846,6 +920,48 @@ |
2787 | xfree(msg); | 2833 | xfree(msg); |
2788 | xfree(lang); | 2834 | xfree(lang); |
2789 | } | 2835 | } |
@@ -2836,8 +2882,8 @@ Index: b/sshd.c | |||
2836 | =================================================================== | 2882 | =================================================================== |
2837 | --- a/sshd.c | 2883 | --- a/sshd.c |
2838 | +++ b/sshd.c | 2884 | +++ b/sshd.c |
2839 | @@ -120,6 +120,10 @@ | 2885 | @@ -121,6 +121,10 @@ |
2840 | #include "roaming.h" | 2886 | #include "ssh-sandbox.h" |
2841 | #include "version.h" | 2887 | #include "version.h" |
2842 | 2888 | ||
2843 | +#ifdef USE_SECURITY_SESSION_API | 2889 | +#ifdef USE_SECURITY_SESSION_API |
@@ -2847,7 +2893,7 @@ Index: b/sshd.c | |||
2847 | #ifdef LIBWRAP | 2893 | #ifdef LIBWRAP |
2848 | #include <tcpd.h> | 2894 | #include <tcpd.h> |
2849 | #include <syslog.h> | 2895 | #include <syslog.h> |
2850 | @@ -1590,10 +1594,13 @@ | 2896 | @@ -1612,10 +1616,13 @@ |
2851 | logit("Disabling protocol version 1. Could not load host key"); | 2897 | logit("Disabling protocol version 1. Could not load host key"); |
2852 | options.protocol &= ~SSH_PROTO_1; | 2898 | options.protocol &= ~SSH_PROTO_1; |
2853 | } | 2899 | } |
@@ -2861,7 +2907,7 @@ Index: b/sshd.c | |||
2861 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { | 2907 | if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { |
2862 | logit("sshd: no hostkeys available -- exiting."); | 2908 | logit("sshd: no hostkeys available -- exiting."); |
2863 | exit(1); | 2909 | exit(1); |
2864 | @@ -1922,6 +1929,60 @@ | 2910 | @@ -1944,6 +1951,60 @@ |
2865 | /* Log the connection. */ | 2911 | /* Log the connection. */ |
2866 | verbose("Connection from %.500s port %d", remote_ip, remote_port); | 2912 | verbose("Connection from %.500s port %d", remote_ip, remote_port); |
2867 | 2913 | ||
@@ -2922,7 +2968,7 @@ Index: b/sshd.c | |||
2922 | /* | 2968 | /* |
2923 | * We don't want to listen forever unless the other side | 2969 | * We don't want to listen forever unless the other side |
2924 | * successfully authenticates itself. So we set up an alarm which is | 2970 | * successfully authenticates itself. So we set up an alarm which is |
2925 | @@ -2303,6 +2364,48 @@ | 2971 | @@ -2325,6 +2386,48 @@ |
2926 | 2972 | ||
2927 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); | 2973 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types(); |
2928 | 2974 | ||
@@ -2971,7 +3017,7 @@ Index: b/sshd.c | |||
2971 | /* start key exchange */ | 3017 | /* start key exchange */ |
2972 | kex = kex_setup(myproposal); | 3018 | kex = kex_setup(myproposal); |
2973 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; | 3019 | kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server; |
2974 | @@ -2310,6 +2413,13 @@ | 3020 | @@ -2332,6 +2435,13 @@ |
2975 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; | 3021 | kex->kex[KEX_DH_GEX_SHA1] = kexgex_server; |
2976 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; | 3022 | kex->kex[KEX_DH_GEX_SHA256] = kexgex_server; |
2977 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; | 3023 | kex->kex[KEX_ECDH_SHA2] = kexecdh_server; |
@@ -2989,7 +3035,7 @@ Index: b/sshd_config | |||
2989 | =================================================================== | 3035 | =================================================================== |
2990 | --- a/sshd_config | 3036 | --- a/sshd_config |
2991 | +++ b/sshd_config | 3037 | +++ b/sshd_config |
2992 | @@ -72,6 +72,8 @@ | 3038 | @@ -75,6 +75,8 @@ |
2993 | # GSSAPI options | 3039 | # GSSAPI options |
2994 | #GSSAPIAuthentication no | 3040 | #GSSAPIAuthentication no |
2995 | #GSSAPICleanupCredentials yes | 3041 | #GSSAPICleanupCredentials yes |
@@ -3002,7 +3048,7 @@ Index: b/sshd_config.5 | |||
3002 | =================================================================== | 3048 | =================================================================== |
3003 | --- a/sshd_config.5 | 3049 | --- a/sshd_config.5 |
3004 | +++ b/sshd_config.5 | 3050 | +++ b/sshd_config.5 |
3005 | @@ -423,12 +423,40 @@ | 3051 | @@ -424,12 +424,40 @@ |
3006 | The default is | 3052 | The default is |
3007 | .Dq no . | 3053 | .Dq no . |
3008 | Note that this option applies to protocol version 2 only. | 3054 | Note that this option applies to protocol version 2 only. |
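--- a/debian/patches/hostbased-ecdsa.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-Description: Make hostbased auth with ECDSA keys work correctly
-Author: Harv <harvey.eneman@oracle.com>
-Author: Damien Miller <djm@mindrot.org>
-Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1858
-Bug-Debian: http://bugs.debian.org/633368
-Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6327
-Applied-Upstream: yes
-Forwarded: not-needed
-Last-Update: 2011-07-17
-
-Index: b/ssh-keysign.c
-===================================================================
---- a/ssh-keysign.c
-+++ b/ssh-keysign.c
-@@ -150,9 +150,10 @@
-{
-Buffer b;
-Options options;
-- Key *keys[2], *key = NULL;
-+#define NUM_KEYTYPES 3
-+ Key *keys[NUM_KEYTYPES], *key = NULL;
-struct passwd *pw;
-- int key_fd[2], i, found, version = 2, fd;
-+ int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
-u_char *signature, *data;
-char *host;
-u_int slen, dlen;
-@@ -165,8 +166,10 @@
-if (fd > 2)
-close(fd);
-
-- key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
-- key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
-+ i = 0;
-+ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
-+ key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
-+ key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
-
-original_real_uid = getuid(); /* XXX readconf.c needs this */
-if ((pw = getpwuid(original_real_uid)) == NULL)
-@@ -191,7 +194,11 @@
-fatal("ssh-keysign not enabled in %s",
-_PATH_HOST_CONFIG_FILE);
-
-- if (key_fd[0] == -1 && key_fd[1] == -1)
-+ for (i = found = 0; i < NUM_KEYTYPES; i++) {
-+ if (key_fd[i] != -1)
-+ found = 1;
-+ }
-+ if (found == 0)
-fatal("could not open any host key");
-
-OpenSSL_add_all_algorithms();
-@@ -200,7 +207,7 @@
-RAND_seed(rnd, sizeof(rnd));
-
-found = 0;
-- for (i = 0; i < 2; i++) {
-+ for (i = 0; i < NUM_KEYTYPES; i++) {
-keys[i] = NULL;
-if (key_fd[i] == -1)
-continue;
-@@ -230,7 +237,7 @@
-xfree(host);
-
-found = 0;
-- for (i = 0; i < 2; i++) {
-+ for (i = 0; i < NUM_KEYTYPES; i++) {
-if (keys[i] != NULL &&
-key_equal_public(key, keys[i])) {
-found = 1;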
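--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -21,21 +21,21 @@ Index: b/readconf.c
 @@ -138,6 +138,7 @@
 oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
-oKexAlgorithms, oIPQoS,
+oKexAlgorithms, oIPQoS, oRequestTTY,
 + oProtocolKeepAlives, oSetupTimeOut,
 oDeprecated, oUnsupported
 } OpCodes;
 
-@@ -258,6 +259,8 @@
+@@ -259,6 +260,8 @@
-#endif
 { "kexalgorithms", oKexAlgorithms },
 { "ipqos", oIPQoS },
+{ "requesttty", oRequestTTY },
 + { "protocolkeepalives", oProtocolKeepAlives },
 + { "setuptimeout", oSetupTimeOut },
 
 { NULL, oBadOption }
 };
-@@ -888,6 +891,8 @@
+@@ -914,6 +917,8 @@
 goto parse_flag;
 
 case oServerAliveInterval:
@@ -44,7 +44,7 @@ Index: b/readconf.c
 intptr = &options->server_alive_interval;
 goto parse_time;
 
-@@ -1336,8 +1341,13 @@
+@@ -1385,8 +1390,13 @@
 options->rekey_limit = 0;
 if (options->verify_host_key_dns == -1)
 options->verify_host_key_dns = 0;
@@ -64,7 +64,7 @@ Index: b/ssh_config.5
 ===================================================================
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -127,8 +127,12 @@
+@@ -136,8 +136,12 @@
 If set to
 .Dq yes ,
 passphrase/password querying will be disabled.
@@ -78,7 +78,7 @@ Index: b/ssh_config.5
 The argument must be
 .Dq yes
 or
-@@ -1058,8 +1062,15 @@
+@@ -1100,8 +1104,15 @@
 will send a message through the encrypted
 channel to request a response from the server.
 The default
@@ -95,7 +95,7 @@ Index: b/ssh_config.5
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
-@@ -1098,6 +1109,12 @@
+@@ -1140,6 +1151,12 @@
 other side.
 If they are sent, death of the connection or crash of one
 of the machines will be properly noticed.
@@ -112,7 +112,7 @@ Index: b/sshd_config.5
 ===================================================================
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1034,6 +1034,9 @@
+@@ -1037,6 +1037,9 @@
 .Pp
 To disable TCP keepalive messages, the value should be set to
 .Dq no .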
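--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -9,7 +9,7 @@ Index: b/Makefile.in
 ===================================================================
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -299,9 +299,9 @@
+@@ -282,9 +282,9 @@
 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
 $(INSTALL) -m 644 ssh-vulnkey.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1
 -rm -f $(DESTDIR)$(bindir)/slogin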
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch index fc07e8861..bda5f0c24 100644 --- a/debian/patches/openbsd-docs.patch +++ b/debian/patches/openbsd-docs.patch | |||
@@ -13,28 +13,28 @@ Index: b/moduli.5 | |||
13 | --- a/moduli.5 | 13 | --- a/moduli.5 |
14 | +++ b/moduli.5 | 14 | +++ b/moduli.5 |
15 | @@ -21,7 +21,7 @@ | 15 | @@ -21,7 +21,7 @@ |
16 | .Nd Diffie Hellman moduli | 16 | .Nd Diffie-Hellman moduli |
17 | .Sh DESCRIPTION | 17 | .Sh DESCRIPTION |
18 | The | 18 | The |
19 | -.Pa /etc/moduli | 19 | -.Pa /etc/moduli |
20 | +.Pa /etc/ssh/moduli | 20 | +.Pa /etc/ssh/moduli |
21 | file contains prime numbers and generators for use by | 21 | file contains prime numbers and generators for use by |
22 | .Xr sshd 8 | 22 | .Xr sshd 8 |
23 | in the Diffie-Hellman Group Exchange key exchange method. | 23 | in the Diffie-Hellman Group Exchange key exchange method. |
24 | @@ -111,7 +111,7 @@ | 24 | @@ -110,7 +110,7 @@ |
25 | Diffie Hellman output to sufficiently key the selected symmetric cipher. | 25 | Diffie-Hellman output to sufficiently key the selected symmetric cipher. |
26 | .Xr sshd 8 | 26 | .Xr sshd 8 |
27 | then randomly selects a modulus from | 27 | then randomly selects a modulus from |
28 | -.Fa /etc/moduli | 28 | -.Fa /etc/moduli |
29 | +.Fa /etc/ssh/moduli | 29 | +.Fa /etc/ssh/moduli |
30 | that best meets the size requirement. | 30 | that best meets the size requirement. |
31 | .Pp | ||
32 | .Sh SEE ALSO | 31 | .Sh SEE ALSO |
32 | .Xr ssh-keygen 1 , | ||
33 | Index: b/ssh-keygen.1 | 33 | Index: b/ssh-keygen.1 |
34 | =================================================================== | 34 | =================================================================== |
35 | --- a/ssh-keygen.1 | 35 | --- a/ssh-keygen.1 |
36 | +++ b/ssh-keygen.1 | 36 | +++ b/ssh-keygen.1 |
37 | @@ -147,9 +147,7 @@ | 37 | @@ -149,9 +149,7 @@ |
38 | .Pa ~/.ssh/id_dsa | 38 | .Pa ~/.ssh/id_dsa |
39 | or | 39 | or |
40 | .Pa ~/.ssh/id_rsa . | 40 | .Pa ~/.ssh/id_rsa . |
@@ -45,22 +45,40 @@ Index: b/ssh-keygen.1 | |||
45 | .Pp | 45 | .Pp |
46 | Normally this program generates the key and asks for a file in which | 46 | Normally this program generates the key and asks for a file in which |
47 | to store the private key. | 47 | to store the private key. |
48 | @@ -393,9 +391,7 @@ | 48 | @@ -197,9 +195,7 @@ |
49 | .It Fl q | 49 | For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys |
50 | Silence | 50 | do not exist, generate the host keys with the default key file path, |
51 | .Nm ssh-keygen . | 51 | an empty passphrase, default bits for the key type, and default comment. |
52 | -Used by | 52 | -This is used by |
53 | -.Pa /etc/rc | 53 | -.Pa /etc/rc |
54 | -when creating a new key. | 54 | -to generate new host keys. |
55 | +Used by system administration scripts when creating a new key. | 55 | +This is used by system administration scripts to generate new host keys. |
56 | .It Fl R Ar hostname | 56 | .It Fl a Ar trials |
57 | Removes all keys belonging to | 57 | Specifies the number of primality tests to perform when screening DH-GEX |
58 | .Ar hostname | 58 | candidates using the |
59 | @@ -535,7 +531,7 @@ | ||
60 | Valid generator values are 2, 3, and 5. | ||
61 | .Pp | ||
62 | Screened DH groups may be installed in | ||
63 | -.Pa /etc/moduli . | ||
64 | +.Pa /etc/ssh/moduli . | ||
65 | It is important that this file contains moduli of a range of bit lengths and | ||
66 | that both ends of a connection share common moduli. | ||
67 | .Sh CERTIFICATES | ||
68 | @@ -661,7 +657,7 @@ | ||
69 | where the user wishes to log in using public key authentication. | ||
70 | There is no need to keep the contents of this file secret. | ||
71 | .Pp | ||
72 | -.It Pa /etc/moduli | ||
73 | +.It Pa /etc/ssh/moduli | ||
74 | Contains Diffie-Hellman groups used for DH-GEX. | ||
75 | The file format is described in | ||
76 | .Xr moduli 5 . | ||
59 | Index: b/ssh.1 | 77 | Index: b/ssh.1 |
60 | =================================================================== | 78 | =================================================================== |
61 | --- a/ssh.1 | 79 | --- a/ssh.1 |
62 | +++ b/ssh.1 | 80 | +++ b/ssh.1 |
63 | @@ -726,6 +726,10 @@ | 81 | @@ -731,6 +731,10 @@ |
64 | .Sx HISTORY | 82 | .Sx HISTORY |
65 | section of | 83 | section of |
66 | .Xr ssl 8 | 84 | .Xr ssl 8 |
@@ -84,7 +102,7 @@ Index: b/sshd.8 | |||
84 | It forks a new | 102 | It forks a new |
85 | daemon for each incoming connection. | 103 | daemon for each incoming connection. |
86 | The forked daemons handle | 104 | The forked daemons handle |
87 | @@ -850,7 +850,7 @@ | 105 | @@ -853,7 +853,7 @@ |
88 | .Xr ssh 1 ) . | 106 | .Xr ssh 1 ) . |
89 | It should only be writable by root. | 107 | It should only be writable by root. |
90 | .Pp | 108 | .Pp |
@@ -93,7 +111,7 @@ Index: b/sshd.8 | |||
93 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". | 111 | Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". |
94 | The file format is described in | 112 | The file format is described in |
95 | .Xr moduli 5 . | 113 | .Xr moduli 5 . |
96 | @@ -948,7 +948,6 @@ | 114 | @@ -951,7 +951,6 @@ |
97 | .Xr ssh-vulnkey 1 , | 115 | .Xr ssh-vulnkey 1 , |
98 | .Xr chroot 2 , | 116 | .Xr chroot 2 , |
99 | .Xr hosts_access 5 , | 117 | .Xr hosts_access 5 , |
@@ -105,7 +123,7 @@ Index: b/sshd_config.5 | |||
105 | =================================================================== | 123 | =================================================================== |
106 | --- a/sshd_config.5 | 124 | --- a/sshd_config.5 |
107 | +++ b/sshd_config.5 | 125 | +++ b/sshd_config.5 |
108 | @@ -221,8 +221,7 @@ | 126 | @@ -222,8 +222,7 @@ |
109 | By default, no banner is displayed. | 127 | By default, no banner is displayed. |
110 | .It Cm ChallengeResponseAuthentication | 128 | .It Cm ChallengeResponseAuthentication |
111 | Specifies whether challenge-response authentication is allowed (e.g. via | 129 | Specifies whether challenge-response authentication is allowed (e.g. via |
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch index 0bcc7ed3b..6dd0cf78d 100644 --- a/debian/patches/package-versioning.patch +++ b/debian/patches/package-versioning.patch | |||
@@ -24,7 +24,7 @@ Index: b/sshd.c | |||
24 | =================================================================== | 24 | =================================================================== |
25 | --- a/sshd.c | 25 | --- a/sshd.c |
26 | +++ b/sshd.c | 26 | +++ b/sshd.c |
27 | @@ -422,7 +422,7 @@ | 27 | @@ -423,7 +423,7 @@ |
28 | minor = PROTOCOL_MINOR_1; | 28 | minor = PROTOCOL_MINOR_1; |
29 | } | 29 | } |
30 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, | 30 | snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor, |
@@ -38,9 +38,9 @@ Index: b/version.h | |||
38 | --- a/version.h | 38 | --- a/version.h |
39 | +++ b/version.h | 39 | +++ b/version.h |
40 | @@ -3,4 +3,9 @@ | 40 | @@ -3,4 +3,9 @@ |
41 | #define SSH_VERSION "OpenSSH_5.8" | 41 | #define SSH_VERSION "OpenSSH_5.9" |
42 | 42 | ||
43 | #define SSH_PORTABLE "p1" | 43 | #define SSH_PORTABLE "p2" |
44 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE | 44 | -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
45 | +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE | 45 | +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE |
46 | +#ifdef SSH_EXTRAVERSION | 46 | +#ifdef SSH_EXTRAVERSION |
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch index f8bc5fd4e..ff41f094d 100644 --- a/debian/patches/quieter-signals.patch +++ b/debian/patches/quieter-signals.patch | |||
@@ -16,7 +16,7 @@ Index: b/clientloop.c | |||
16 | =================================================================== | 16 | =================================================================== |
17 | --- a/clientloop.c | 17 | --- a/clientloop.c |
18 | +++ b/clientloop.c | 18 | +++ b/clientloop.c |
19 | @@ -1594,8 +1594,10 @@ | 19 | @@ -1619,8 +1619,10 @@ |
20 | exit_status = 0; | 20 | exit_status = 0; |
21 | } | 21 | } |
22 | 22 | ||
diff --git a/debian/patches/selinux-build-failure.patch b/debian/patches/selinux-build-failure.patch deleted file mode 100644 index 6c99e3f38..000000000 --- a/debian/patches/selinux-build-failure.patch +++ /dev/null | |||
@@ -1,19 +0,0 @@ | |||
1 | Description: Fix SELinux build failure | ||
2 | Origin: other, https://bugzilla.mindrot.org/attachment.cgi?id=1991&action=diff | ||
3 | Author: Leonardo Chiqitto <leonardo@ngdn.org> | ||
4 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1851 | ||
5 | Last-Update: 2011-02-05 | ||
6 | |||
7 | Index: b/openbsd-compat/port-linux.c | ||
8 | =================================================================== | ||
9 | --- a/openbsd-compat/port-linux.c | ||
10 | +++ b/openbsd-compat/port-linux.c | ||
11 | @@ -226,7 +226,7 @@ | ||
12 | |||
13 | if (!ssh_selinux_enabled()) | ||
14 | return; | ||
15 | - if (path == NULL) | ||
16 | + if (path == NULL) { | ||
17 | setfscreatecon(NULL); | ||
18 | return; | ||
19 | } | ||
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 70364f9d5..b14402199 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -92,7 +92,7 @@ Index: b/monitor.c | |||
92 | =================================================================== | 92 | =================================================================== |
93 | --- a/monitor.c | 93 | --- a/monitor.c |
94 | +++ b/monitor.c | 94 | +++ b/monitor.c |
95 | @@ -137,6 +137,7 @@ | 95 | @@ -145,6 +145,7 @@ |
96 | int mm_answer_pwnamallow(int, Buffer *); | 96 | int mm_answer_pwnamallow(int, Buffer *); |
97 | int mm_answer_auth2_read_banner(int, Buffer *); | 97 | int mm_answer_auth2_read_banner(int, Buffer *); |
98 | int mm_answer_authserv(int, Buffer *); | 98 | int mm_answer_authserv(int, Buffer *); |
@@ -100,7 +100,7 @@ Index: b/monitor.c | |||
100 | int mm_answer_authpassword(int, Buffer *); | 100 | int mm_answer_authpassword(int, Buffer *); |
101 | int mm_answer_bsdauthquery(int, Buffer *); | 101 | int mm_answer_bsdauthquery(int, Buffer *); |
102 | int mm_answer_bsdauthrespond(int, Buffer *); | 102 | int mm_answer_bsdauthrespond(int, Buffer *); |
103 | @@ -215,6 +216,7 @@ | 103 | @@ -225,6 +226,7 @@ |
104 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 104 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
105 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 105 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
106 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 106 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -108,15 +108,15 @@ Index: b/monitor.c | |||
108 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 108 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
109 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 109 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
110 | #ifdef USE_PAM | 110 | #ifdef USE_PAM |
111 | @@ -699,6 +701,7 @@ | 111 | @@ -810,6 +812,7 @@ |
112 | else { | 112 | else { |
113 | /* Allow service/style information on the auth context */ | 113 | /* Allow service/style information on the auth context */ |
114 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 114 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
115 | + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); | 115 | + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); |
116 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 116 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
117 | } | 117 | } |
118 | 118 | #ifdef USE_PAM | |
119 | @@ -732,14 +735,37 @@ | 119 | @@ -842,14 +845,37 @@ |
120 | 120 | ||
121 | authctxt->service = buffer_get_string(m, NULL); | 121 | authctxt->service = buffer_get_string(m, NULL); |
122 | authctxt->style = buffer_get_string(m, NULL); | 122 | authctxt->style = buffer_get_string(m, NULL); |
@@ -156,7 +156,7 @@ Index: b/monitor.c | |||
156 | return (0); | 156 | return (0); |
157 | } | 157 | } |
158 | 158 | ||
159 | @@ -1327,7 +1353,7 @@ | 159 | @@ -1437,7 +1463,7 @@ |
160 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 160 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
161 | if (res == 0) | 161 | if (res == 0) |
162 | goto error; | 162 | goto error; |
@@ -182,7 +182,7 @@ Index: b/monitor_wrap.c | |||
182 | =================================================================== | 182 | =================================================================== |
183 | --- a/monitor_wrap.c | 183 | --- a/monitor_wrap.c |
184 | +++ b/monitor_wrap.c | 184 | +++ b/monitor_wrap.c |
185 | @@ -280,10 +280,10 @@ | 185 | @@ -318,10 +318,10 @@ |
186 | return (banner); | 186 | return (banner); |
187 | } | 187 | } |
188 | 188 | ||
@@ -195,7 +195,7 @@ Index: b/monitor_wrap.c | |||
195 | { | 195 | { |
196 | Buffer m; | 196 | Buffer m; |
197 | 197 | ||
198 | @@ -292,11 +292,29 @@ | 198 | @@ -330,11 +330,29 @@ |
199 | buffer_init(&m); | 199 | buffer_init(&m); |
200 | buffer_put_cstring(&m, service); | 200 | buffer_put_cstring(&m, service); |
201 | buffer_put_cstring(&m, style ? style : ""); | 201 | buffer_put_cstring(&m, style ? style : ""); |
@@ -229,7 +229,7 @@ Index: b/monitor_wrap.h | |||
229 | =================================================================== | 229 | =================================================================== |
230 | --- a/monitor_wrap.h | 230 | --- a/monitor_wrap.h |
231 | +++ b/monitor_wrap.h | 231 | +++ b/monitor_wrap.h |
232 | @@ -40,7 +40,8 @@ | 232 | @@ -41,7 +41,8 @@ |
233 | int mm_is_monitor(void); | 233 | int mm_is_monitor(void); |
234 | DH *mm_choose_dh(int, int, int); | 234 | DH *mm_choose_dh(int, int, int); |
235 | int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); | 235 | int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); |
@@ -256,7 +256,7 @@ Index: b/openbsd-compat/port-linux.c | |||
256 | #include "log.h" | 256 | #include "log.h" |
257 | #include "xmalloc.h" | 257 | #include "xmalloc.h" |
258 | #include "port-linux.h" | 258 | #include "port-linux.h" |
259 | @@ -54,9 +60,9 @@ | 259 | @@ -58,9 +64,9 @@ |
260 | 260 | ||
261 | /* Return the default security context for the given username */ | 261 | /* Return the default security context for the given username */ |
262 | static security_context_t | 262 | static security_context_t |
@@ -268,7 +268,7 @@ Index: b/openbsd-compat/port-linux.c | |||
268 | char *sename = NULL, *lvl = NULL; | 268 | char *sename = NULL, *lvl = NULL; |
269 | int r; | 269 | int r; |
270 | 270 | ||
271 | @@ -69,9 +75,16 @@ | 271 | @@ -73,9 +79,16 @@ |
272 | #endif | 272 | #endif |
273 | 273 | ||
274 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 274 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
@@ -287,7 +287,7 @@ Index: b/openbsd-compat/port-linux.c | |||
287 | #endif | 287 | #endif |
288 | 288 | ||
289 | if (r != 0) { | 289 | if (r != 0) { |
290 | @@ -102,7 +115,7 @@ | 290 | @@ -106,7 +119,7 @@ |
291 | 291 | ||
292 | /* Set the execution context to the default for the specified user */ | 292 | /* Set the execution context to the default for the specified user */ |
293 | void | 293 | void |
@@ -296,7 +296,7 @@ Index: b/openbsd-compat/port-linux.c | |||
296 | { | 296 | { |
297 | security_context_t user_ctx = NULL; | 297 | security_context_t user_ctx = NULL; |
298 | 298 | ||
299 | @@ -111,7 +124,7 @@ | 299 | @@ -115,7 +128,7 @@ |
300 | 300 | ||
301 | debug3("%s: setting execution context", __func__); | 301 | debug3("%s: setting execution context", __func__); |
302 | 302 | ||
@@ -305,7 +305,7 @@ Index: b/openbsd-compat/port-linux.c | |||
305 | if (setexeccon(user_ctx) != 0) { | 305 | if (setexeccon(user_ctx) != 0) { |
306 | switch (security_getenforce()) { | 306 | switch (security_getenforce()) { |
307 | case -1: | 307 | case -1: |
308 | @@ -133,7 +146,7 @@ | 308 | @@ -137,7 +150,7 @@ |
309 | 309 | ||
310 | /* Set the TTY context for the specified user */ | 310 | /* Set the TTY context for the specified user */ |
311 | void | 311 | void |
@@ -314,7 +314,7 @@ Index: b/openbsd-compat/port-linux.c | |||
314 | { | 314 | { |
315 | security_context_t new_tty_ctx = NULL; | 315 | security_context_t new_tty_ctx = NULL; |
316 | security_context_t user_ctx = NULL; | 316 | security_context_t user_ctx = NULL; |
317 | @@ -144,7 +157,7 @@ | 317 | @@ -148,7 +161,7 @@ |
318 | 318 | ||
319 | debug3("%s: setting TTY context on %s", __func__, tty); | 319 | debug3("%s: setting TTY context on %s", __func__, tty); |
320 | 320 | ||
@@ -377,7 +377,7 @@ Index: b/session.c | |||
377 | =================================================================== | 377 | =================================================================== |
378 | --- a/session.c | 378 | --- a/session.c |
379 | +++ b/session.c | 379 | +++ b/session.c |
380 | @@ -1467,7 +1467,7 @@ | 380 | @@ -1471,7 +1471,7 @@ |
381 | 381 | ||
382 | /* Set login name, uid, gid, and groups. */ | 382 | /* Set login name, uid, gid, and groups. */ |
383 | void | 383 | void |
@@ -386,7 +386,7 @@ Index: b/session.c | |||
386 | { | 386 | { |
387 | char *chroot_path, *tmp; | 387 | char *chroot_path, *tmp; |
388 | 388 | ||
389 | @@ -1495,7 +1495,7 @@ | 389 | @@ -1499,7 +1499,7 @@ |
390 | endgrent(); | 390 | endgrent(); |
391 | #endif | 391 | #endif |
392 | 392 | ||
@@ -395,7 +395,7 @@ Index: b/session.c | |||
395 | 395 | ||
396 | if (options.chroot_directory != NULL && | 396 | if (options.chroot_directory != NULL && |
397 | strcasecmp(options.chroot_directory, "none") != 0) { | 397 | strcasecmp(options.chroot_directory, "none") != 0) { |
398 | @@ -1618,7 +1618,7 @@ | 398 | @@ -1625,7 +1625,7 @@ |
399 | 399 | ||
400 | /* Force a password change */ | 400 | /* Force a password change */ |
401 | if (s->authctxt->force_pwchange) { | 401 | if (s->authctxt->force_pwchange) { |
@@ -404,7 +404,7 @@ Index: b/session.c | |||
404 | child_close_fds(); | 404 | child_close_fds(); |
405 | do_pwchange(s); | 405 | do_pwchange(s); |
406 | exit(1); | 406 | exit(1); |
407 | @@ -1645,7 +1645,7 @@ | 407 | @@ -1652,7 +1652,7 @@ |
408 | /* When PAM is enabled we rely on it to do the nologin check */ | 408 | /* When PAM is enabled we rely on it to do the nologin check */ |
409 | if (!options.use_pam) | 409 | if (!options.use_pam) |
410 | do_nologin(pw); | 410 | do_nologin(pw); |
@@ -413,7 +413,7 @@ Index: b/session.c | |||
413 | /* | 413 | /* |
414 | * PAM session modules in do_setusercontext may have | 414 | * PAM session modules in do_setusercontext may have |
415 | * generated messages, so if this in an interactive | 415 | * generated messages, so if this in an interactive |
416 | @@ -2057,7 +2057,7 @@ | 416 | @@ -2064,7 +2064,7 @@ |
417 | tty_parse_modes(s->ttyfd, &n_bytes); | 417 | tty_parse_modes(s->ttyfd, &n_bytes); |
418 | 418 | ||
419 | if (!use_privsep) | 419 | if (!use_privsep) |
@@ -439,7 +439,7 @@ Index: b/sshd.c | |||
439 | =================================================================== | 439 | =================================================================== |
440 | --- a/sshd.c | 440 | --- a/sshd.c |
441 | +++ b/sshd.c | 441 | +++ b/sshd.c |
442 | @@ -707,7 +707,7 @@ | 442 | @@ -730,7 +730,7 @@ |
443 | RAND_seed(rnd, sizeof(rnd)); | 443 | RAND_seed(rnd, sizeof(rnd)); |
444 | 444 | ||
445 | /* Drop privileges */ | 445 | /* Drop privileges */ |
diff --git a/debian/patches/series b/debian/patches/series index 3450e4c55..2be7cf10a 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -1,6 +1,5 @@ | |||
1 | # GSSAPI | 1 | # GSSAPI |
2 | gssapi.patch | 2 | gssapi.patch |
3 | gssapi-autoconf.patch | ||
4 | 3 | ||
5 | # SELinux | 4 | # SELinux |
6 | selinux-role.patch | 5 | selinux-role.patch |
@@ -37,9 +36,6 @@ ssh-argv0.patch | |||
37 | doc-hash-tab-completion.patch | 36 | doc-hash-tab-completion.patch |
38 | 37 | ||
39 | # Miscellaneous bug fixes | 38 | # Miscellaneous bug fixes |
40 | selinux-build-failure.patch | ||
41 | ssh-add-fifo.patch | ||
42 | hostbased-ecdsa.patch | ||
43 | auth-log-verbosity.patch | 39 | auth-log-verbosity.patch |
44 | 40 | ||
45 | # Debian-specific configuration | 41 | # Debian-specific configuration |
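Review bot: Four entries leave series here (gssapi-autoconf.patch, selinux-build-failure.patch, ssh-add-fifo.patch, hostbased-ecdsa.patch), but only the deletions of selinux-build-failure.patch and ssh-add-fifo.patch are visible in this chunk; the other two are presumably removed or folded in elsewhere in the commit, which is worth confirming so that series and the patches directory do not disagree after the refresh. Both visible deletions carried upstream-tracked fixes (bugzilla 1851 for the missing `{` after `if (path == NULL)` in port-linux.c, bugzilla 1869 for the FIFO read path in key_load_file), so dropping them is only a no-op if the OpenSSH_5.9p2 base named in package-versioning.patch already contains those fixes; that appears to be the intent but is not shown by these lines. Recording "merged upstream in 5.9" for each dropped patch in the changelog entry would make the regression check trivial for the next rebase.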
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch index 5100d8ec7..8c549128b 100644 --- a/debian/patches/shell-path.patch +++ b/debian/patches/shell-path.patch | |||
@@ -19,7 +19,7 @@ Index: b/sshconnect.c | |||
19 | perror(argv[0]); | 19 | perror(argv[0]); |
20 | exit(1); | 20 | exit(1); |
21 | } | 21 | } |
22 | @@ -1274,7 +1274,7 @@ | 22 | @@ -1273,7 +1273,7 @@ |
23 | if (pid == 0) { | 23 | if (pid == 0) { |
24 | signal(SIGPIPE, SIG_DFL); | 24 | signal(SIGPIPE, SIG_DFL); |
25 | debug3("Executing %s -c \"%s\"", shell, args); | 25 | debug3("Executing %s -c \"%s\"", shell, args); |
diff --git a/debian/patches/ssh-add-fifo.patch b/debian/patches/ssh-add-fifo.patch deleted file mode 100644 index deac58e75..000000000 --- a/debian/patches/ssh-add-fifo.patch +++ /dev/null | |||
@@ -1,37 +0,0 @@ | |||
1 | Description: Allow ssh-add to read from FIFOs | ||
2 | Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> | ||
3 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1869 | ||
4 | Bug-Debian: http://bugs.debian.org/614897 | ||
5 | Origin: other, https://bugzilla.mindrot.org/attachment.cgi?id=2002&action=diff | ||
6 | Forwarded: yes | ||
7 | Last-Update: 2011-03-18 | ||
8 | |||
9 | Index: b/authfile.c | ||
10 | =================================================================== | ||
11 | --- a/authfile.c | ||
12 | +++ b/authfile.c | ||
13 | @@ -317,7 +317,7 @@ | ||
14 | static int | ||
15 | key_load_file(int fd, const char *filename, Buffer *blob) | ||
16 | { | ||
17 | - size_t len; | ||
18 | + size_t len, readcount; | ||
19 | u_char *cp; | ||
20 | struct stat st; | ||
21 | |||
22 | @@ -337,11 +337,14 @@ | ||
23 | return 0; | ||
24 | } | ||
25 | len = (size_t)st.st_size; /* truncated */ | ||
26 | + if (0 == len && S_ISFIFO(st.st_mode)) | ||
27 | + len = 8192; /* we will try reading up to 8KiB from a FIFO */ | ||
28 | |||
29 | buffer_init(blob); | ||
30 | cp = buffer_append_space(blob, len); | ||
31 | |||
32 | - if (atomicio(read, fd, cp, len) != len) { | ||
33 | + readcount = atomicio(read, fd, cp, len); | ||
34 | + if (readcount != len && !(readcount > 0 && S_ISFIFO(st.st_mode))) { | ||
35 | debug("%s: read from key file %.200s%sfailed: %.100s", __func__, | ||
36 | filename == NULL ? "" : filename, | ||
37 | filename == NULL ? "" : " ", | ||
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch index 43d9d4d44..a7750ed23 100644 --- a/debian/patches/ssh-argv0.patch +++ b/debian/patches/ssh-argv0.patch | |||
@@ -11,7 +11,7 @@ Index: b/ssh.1 | |||
11 | =================================================================== | 11 | =================================================================== |
12 | --- a/ssh.1 | 12 | --- a/ssh.1 |
13 | +++ b/ssh.1 | 13 | +++ b/ssh.1 |
14 | @@ -1406,6 +1406,7 @@ | 14 | @@ -1411,6 +1411,7 @@ |
15 | .Xr sftp 1 , | 15 | .Xr sftp 1 , |
16 | .Xr ssh-add 1 , | 16 | .Xr ssh-add 1 , |
17 | .Xr ssh-agent 1 , | 17 | .Xr ssh-agent 1 , |
diff --git a/debian/patches/ssh-vulnkey.patch b/debian/patches/ssh-vulnkey.patch index f3e08b06d..4245319c3 100644 --- a/debian/patches/ssh-vulnkey.patch +++ b/debian/patches/ssh-vulnkey.patch | |||
@@ -14,47 +14,45 @@ Index: b/Makefile.in | |||
14 | =================================================================== | 14 | =================================================================== |
15 | --- a/Makefile.in | 15 | --- a/Makefile.in |
16 | +++ b/Makefile.in | 16 | +++ b/Makefile.in |
17 | @@ -27,6 +27,7 @@ | 17 | @@ -26,6 +26,7 @@ |
18 | SFTP_SERVER=$(libexecdir)/sftp-server | ||
18 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign | 19 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign |
19 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | 20 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper |
20 | RAND_HELPER=$(libexecdir)/ssh-rand-helper | ||
21 | +SSH_DATADIR=$(datadir)/ssh | 21 | +SSH_DATADIR=$(datadir)/ssh |
22 | PRIVSEP_PATH=@PRIVSEP_PATH@ | 22 | PRIVSEP_PATH=@PRIVSEP_PATH@ |
23 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ | 23 | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |
24 | STRIP_OPT=@STRIP_OPT@ | 24 | STRIP_OPT=@STRIP_OPT@ |
25 | @@ -39,7 +40,8 @@ | 25 | @@ -38,6 +39,7 @@ |
26 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ | 26 | -D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \ |
27 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ | 27 | -D_PATH_SSH_PIDDIR=\"$(piddir)\" \ |
28 | -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ | 28 | -D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\" \ |
29 | - -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" | 29 | + -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" \ |
30 | + -DSSH_RAND_HELPER=\"$(RAND_HELPER)\" \ | ||
31 | + -D_PATH_SSH_DATADIR=\"$(SSH_DATADIR)\" | ||
32 | 30 | ||
33 | CC=@CC@ | 31 | CC=@CC@ |
34 | LD=@LD@ | 32 | LD=@LD@ |
35 | @@ -64,7 +66,7 @@ | 33 | @@ -59,7 +61,7 @@ |
36 | INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ | 34 | EXEEXT=@EXEEXT@ |
37 | INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ | 35 | MANFMT=@MANFMT@ |
38 | 36 | ||
39 | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) | 37 | -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) |
40 | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) | 38 | +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-vulnkey$(EXEEXT) |
41 | 39 | ||
42 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 40 | LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
43 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ | 41 | canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ |
44 | @@ -97,8 +99,8 @@ | 42 | @@ -93,8 +95,8 @@ |
45 | sftp-server.o sftp-common.o \ | 43 | roaming_common.o roaming_serv.o \ |
46 | roaming_common.o roaming_serv.o | 44 | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o |
47 | 45 | ||
48 | -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out | 46 | -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out |
49 | -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 | 47 | -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 |
50 | +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out | 48 | +MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out |
51 | +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 | 49 | +MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 |
52 | MANTYPE = @MANTYPE@ | 50 | MANTYPE = @MANTYPE@ |
53 | 51 | ||
54 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out | 52 | CONFIGFILES=sshd_config.out ssh_config.out moduli.out |
55 | @@ -179,6 +181,9 @@ | 53 | @@ -171,6 +173,9 @@ |
56 | ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o | 54 | sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o |
57 | $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | 55 | $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) |
58 | 56 | ||
59 | +ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o | 57 | +ssh-vulnkey$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-vulnkey.o |
60 | + $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) | 58 | + $(LD) -o $@ ssh-vulnkey.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
@@ -62,7 +60,7 @@ Index: b/Makefile.in | |||
62 | # test driver for the loginrec code - not built by default | 60 | # test driver for the loginrec code - not built by default |
63 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o | 61 | logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o |
64 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) | 62 | $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) |
65 | @@ -273,6 +278,7 @@ | 63 | @@ -259,6 +264,7 @@ |
66 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) | 64 | $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) |
67 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 65 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
68 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 66 | $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
@@ -70,7 +68,7 @@ Index: b/Makefile.in | |||
70 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 | 68 | $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 |
71 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 | 69 | $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 |
72 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 | 70 | $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 |
73 | @@ -290,6 +296,7 @@ | 71 | @@ -273,6 +279,7 @@ |
74 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 72 | $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
75 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | 73 | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
76 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 | 74 | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
@@ -78,7 +76,7 @@ Index: b/Makefile.in | |||
78 | -rm -f $(DESTDIR)$(bindir)/slogin | 76 | -rm -f $(DESTDIR)$(bindir)/slogin |
79 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin | 77 | ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin |
80 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 | 78 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 |
81 | @@ -379,6 +386,7 @@ | 79 | @@ -354,6 +361,7 @@ |
82 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) | 80 | -rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) |
83 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) | 81 | -rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) |
84 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) | 82 | -rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) |
@@ -86,14 +84,14 @@ Index: b/Makefile.in | |||
86 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) | 84 | -rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT) |
87 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) | 85 | -rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT) |
88 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) | 86 | -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) |
89 | @@ -392,6 +400,7 @@ | 87 | @@ -366,6 +374,7 @@ |
90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 | 88 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 |
91 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 | 89 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 |
92 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 | 90 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 |
93 | + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 | 91 | + -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-vulnkey.1 |
94 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 | 92 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 |
95 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 | ||
96 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 | 93 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 |
94 | -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 | ||
97 | Index: b/auth-rh-rsa.c | 95 | Index: b/auth-rh-rsa.c |
98 | =================================================================== | 96 | =================================================================== |
99 | --- a/auth-rh-rsa.c | 97 | --- a/auth-rh-rsa.c |
@@ -111,7 +109,7 @@ Index: b/auth-rsa.c | |||
111 | =================================================================== | 109 | =================================================================== |
112 | --- a/auth-rsa.c | 110 | --- a/auth-rsa.c |
113 | +++ b/auth-rsa.c | 111 | +++ b/auth-rsa.c |
114 | @@ -247,7 +247,7 @@ | 112 | @@ -233,7 +233,7 @@ |
115 | file, linenum, BN_num_bits(key->rsa->n), bits); | 113 | file, linenum, BN_num_bits(key->rsa->n), bits); |
116 | 114 | ||
117 | /* Never accept a revoked key */ | 115 | /* Never accept a revoked key */ |
@@ -132,7 +130,7 @@ Index: b/auth.c | |||
132 | #include "auth.h" | 130 | #include "auth.h" |
133 | #include "auth-options.h" | 131 | #include "auth-options.h" |
134 | #include "canohost.h" | 132 | #include "canohost.h" |
135 | @@ -621,10 +622,34 @@ | 133 | @@ -606,10 +607,34 @@ |
136 | 134 | ||
137 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ | 135 | /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */ |
138 | int | 136 | int |
@@ -172,7 +170,7 @@ Index: b/auth.h | |||
172 | =================================================================== | 170 | =================================================================== |
173 | --- a/auth.h | 171 | --- a/auth.h |
174 | +++ b/auth.h | 172 | +++ b/auth.h |
175 | @@ -175,7 +175,7 @@ | 173 | @@ -174,7 +174,7 @@ |
176 | 174 | ||
177 | FILE *auth_openkeyfile(const char *, struct passwd *, int); | 175 | FILE *auth_openkeyfile(const char *, struct passwd *, int); |
178 | FILE *auth_openprincipals(const char *, struct passwd *, int); | 176 | FILE *auth_openprincipals(const char *, struct passwd *, int); |
@@ -199,7 +197,7 @@ Index: b/auth2-pubkey.c | |||
199 | --- a/auth2-pubkey.c | 197 | --- a/auth2-pubkey.c |
200 | +++ b/auth2-pubkey.c | 198 | +++ b/auth2-pubkey.c |
201 | @@ -439,9 +439,10 @@ | 199 | @@ -439,9 +439,10 @@ |
202 | int success; | 200 | u_int success, i; |
203 | char *file; | 201 | char *file; |
204 | 202 | ||
205 | - if (auth_key_is_revoked(key)) | 203 | - if (auth_key_is_revoked(key)) |
@@ -221,9 +219,9 @@ Index: b/authfile.c | |||
221 | #include "atomicio.h" | 219 | #include "atomicio.h" |
222 | +#include "pathnames.h" | 220 | +#include "pathnames.h" |
223 | 221 | ||
224 | /* Version identification string for SSH v1 identity files. */ | 222 | #define MAX_KEY_FILE_SIZE (1024 * 1024) |
225 | static const char authfile_id_string[] = | 223 | |
226 | @@ -906,3 +907,140 @@ | 224 | @@ -944,3 +945,140 @@ |
227 | return ret; | 225 | return ret; |
228 | } | 226 | } |
229 | 227 | ||
@@ -368,7 +366,7 @@ Index: b/authfile.h | |||
368 | =================================================================== | 366 | =================================================================== |
369 | --- a/authfile.h | 367 | --- a/authfile.h |
370 | +++ b/authfile.h | 368 | +++ b/authfile.h |
371 | @@ -26,4 +26,6 @@ | 369 | @@ -28,4 +28,6 @@ |
372 | int key_perm_ok(int, const char *); | 370 | int key_perm_ok(int, const char *); |
373 | int key_in_file(Key *, const char *, int); | 371 | int key_in_file(Key *, const char *, int); |
374 | 372 | ||
@@ -420,7 +418,7 @@ Index: b/readconf.c | |||
420 | { "rsaauthentication", oRSAAuthentication }, | 418 | { "rsaauthentication", oRSAAuthentication }, |
421 | { "pubkeyauthentication", oPubkeyAuthentication }, | 419 | { "pubkeyauthentication", oPubkeyAuthentication }, |
422 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ | 420 | { "dsaauthentication", oPubkeyAuthentication }, /* alias */ |
423 | @@ -486,6 +488,10 @@ | 421 | @@ -489,6 +491,10 @@ |
424 | intptr = &options->challenge_response_authentication; | 422 | intptr = &options->challenge_response_authentication; |
425 | goto parse_flag; | 423 | goto parse_flag; |
426 | 424 | ||
@@ -431,7 +429,7 @@ Index: b/readconf.c | |||
431 | case oGssAuthentication: | 429 | case oGssAuthentication: |
432 | intptr = &options->gss_authentication; | 430 | intptr = &options->gss_authentication; |
433 | goto parse_flag; | 431 | goto parse_flag; |
434 | @@ -1134,6 +1140,7 @@ | 432 | @@ -1180,6 +1186,7 @@ |
435 | options->kbd_interactive_devices = NULL; | 433 | options->kbd_interactive_devices = NULL; |
436 | options->rhosts_rsa_authentication = -1; | 434 | options->rhosts_rsa_authentication = -1; |
437 | options->hostbased_authentication = -1; | 435 | options->hostbased_authentication = -1; |
@@ -439,7 +437,7 @@ Index: b/readconf.c | |||
439 | options->batch_mode = -1; | 437 | options->batch_mode = -1; |
440 | options->check_host_ip = -1; | 438 | options->check_host_ip = -1; |
441 | options->strict_host_key_checking = -1; | 439 | options->strict_host_key_checking = -1; |
442 | @@ -1245,6 +1252,8 @@ | 440 | @@ -1290,6 +1297,8 @@ |
443 | options->rhosts_rsa_authentication = 0; | 441 | options->rhosts_rsa_authentication = 0; |
444 | if (options->hostbased_authentication == -1) | 442 | if (options->hostbased_authentication == -1) |
445 | options->hostbased_authentication = 0; | 443 | options->hostbased_authentication = 0; |
@@ -452,7 +450,7 @@ Index: b/readconf.h | |||
452 | =================================================================== | 450 | =================================================================== |
453 | --- a/readconf.h | 451 | --- a/readconf.h |
454 | +++ b/readconf.h | 452 | +++ b/readconf.h |
455 | @@ -57,6 +57,7 @@ | 453 | @@ -58,6 +58,7 @@ |
456 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ | 454 | int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
457 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ | 455 | char *kbd_interactive_devices; /* Keyboard-interactive auth devices. */ |
458 | int zero_knowledge_password_authentication; /* Try jpake */ | 456 | int zero_knowledge_password_authentication; /* Try jpake */ |
@@ -472,7 +470,7 @@ Index: b/servconf.c | |||
472 | options->permit_empty_passwd = -1; | 470 | options->permit_empty_passwd = -1; |
473 | options->permit_user_env = -1; | 471 | options->permit_user_env = -1; |
474 | options->use_login = -1; | 472 | options->use_login = -1; |
475 | @@ -243,6 +244,8 @@ | 473 | @@ -242,6 +243,8 @@ |
476 | options->kbd_interactive_authentication = 0; | 474 | options->kbd_interactive_authentication = 0; |
477 | if (options->challenge_response_authentication == -1) | 475 | if (options->challenge_response_authentication == -1) |
478 | options->challenge_response_authentication = 1; | 476 | options->challenge_response_authentication = 1; |
@@ -481,7 +479,7 @@ Index: b/servconf.c | |||
481 | if (options->permit_empty_passwd == -1) | 479 | if (options->permit_empty_passwd == -1) |
482 | options->permit_empty_passwd = 0; | 480 | options->permit_empty_passwd = 0; |
483 | if (options->permit_user_env == -1) | 481 | if (options->permit_user_env == -1) |
484 | @@ -322,7 +325,7 @@ | 482 | @@ -318,7 +321,7 @@ |
485 | sListenAddress, sAddressFamily, | 483 | sListenAddress, sAddressFamily, |
486 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, | 484 | sPrintMotd, sPrintLastLog, sIgnoreRhosts, |
487 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, | 485 | sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, |
@@ -490,7 +488,7 @@ Index: b/servconf.c | |||
490 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, | 488 | sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, |
491 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, | 489 | sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, |
492 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, | 490 | sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, |
493 | @@ -432,6 +435,7 @@ | 491 | @@ -428,6 +431,7 @@ |
494 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, | 492 | { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, |
495 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, | 493 | { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, |
496 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, | 494 | { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, |
@@ -498,7 +496,7 @@ Index: b/servconf.c | |||
498 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, | 496 | { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, |
499 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, | 497 | { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, |
500 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, | 498 | { "uselogin", sUseLogin, SSHCFG_GLOBAL }, |
501 | @@ -1029,6 +1033,10 @@ | 499 | @@ -1047,6 +1051,10 @@ |
502 | intptr = &options->tcp_keep_alive; | 500 | intptr = &options->tcp_keep_alive; |
503 | goto parse_flag; | 501 | goto parse_flag; |
504 | 502 | ||
@@ -509,7 +507,7 @@ Index: b/servconf.c | |||
509 | case sEmptyPasswd: | 507 | case sEmptyPasswd: |
510 | intptr = &options->permit_empty_passwd; | 508 | intptr = &options->permit_empty_passwd; |
511 | goto parse_flag; | 509 | goto parse_flag; |
512 | @@ -1757,6 +1765,7 @@ | 510 | @@ -1773,6 +1781,7 @@ |
513 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); | 511 | dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost); |
514 | dump_cfg_fmtint(sStrictModes, o->strict_modes); | 512 | dump_cfg_fmtint(sStrictModes, o->strict_modes); |
515 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); | 513 | dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive); |
@@ -521,7 +519,7 @@ Index: b/servconf.h | |||
521 | =================================================================== | 519 | =================================================================== |
522 | --- a/servconf.h | 520 | --- a/servconf.h |
523 | +++ b/servconf.h | 521 | +++ b/servconf.h |
524 | @@ -107,6 +107,7 @@ | 522 | @@ -113,6 +113,7 @@ |
525 | int challenge_response_authentication; | 523 | int challenge_response_authentication; |
526 | int zero_knowledge_password_authentication; | 524 | int zero_knowledge_password_authentication; |
527 | /* If true, permit jpake auth */ | 525 | /* If true, permit jpake auth */ |
@@ -564,10 +562,10 @@ Index: b/ssh-add.c | |||
564 | + char *comment = NULL, *fp; | 562 | + char *comment = NULL, *fp; |
565 | char msg[1024], *certpath; | 563 | char msg[1024], *certpath; |
566 | int fd, perms_ok, ret = -1; | 564 | int fd, perms_ok, ret = -1; |
567 | 565 | Buffer keyblob; | |
568 | @@ -187,6 +187,14 @@ | 566 | @@ -218,6 +218,14 @@ |
569 | "Bad passphrase, try again for %.200s: ", comment); | 567 | } else { |
570 | } | 568 | fprintf(stderr, "Could not add identity: %s\n", filename); |
571 | } | 569 | } |
572 | + if (blacklisted_key(private, &fp) == 1) { | 570 | + if (blacklisted_key(private, &fp) == 1) { |
573 | + fprintf(stderr, "Public key %s blacklisted (see " | 571 | + fprintf(stderr, "Public key %s blacklisted (see " |
@@ -578,13 +576,13 @@ Index: b/ssh-add.c | |||
578 | + return -1; | 576 | + return -1; |
579 | + } | 577 | + } |
580 | 578 | ||
581 | if (ssh_add_identity_constrained(ac, private, comment, lifetime, | 579 | |
582 | confirm)) { | 580 | /* Now try to add the certificate flavour too */ |
583 | Index: b/ssh-keygen.1 | 581 | Index: b/ssh-keygen.1 |
584 | =================================================================== | 582 | =================================================================== |
585 | --- a/ssh-keygen.1 | 583 | --- a/ssh-keygen.1 |
586 | +++ b/ssh-keygen.1 | 584 | +++ b/ssh-keygen.1 |
587 | @@ -659,6 +659,7 @@ | 585 | @@ -670,6 +670,7 @@ |
588 | .Xr ssh 1 , | 586 | .Xr ssh 1 , |
589 | .Xr ssh-add 1 , | 587 | .Xr ssh-add 1 , |
590 | .Xr ssh-agent 1 , | 588 | .Xr ssh-agent 1 , |
@@ -843,7 +841,7 @@ Index: b/ssh-vulnkey.c | |||
843 | =================================================================== | 841 | =================================================================== |
844 | --- /dev/null | 842 | --- /dev/null |
845 | +++ b/ssh-vulnkey.c | 843 | +++ b/ssh-vulnkey.c |
846 | @@ -0,0 +1,388 @@ | 844 | @@ -0,0 +1,387 @@ |
847 | +/* | 845 | +/* |
848 | + * Copyright (c) 2008 Canonical Ltd. All rights reserved. | 846 | + * Copyright (c) 2008 Canonical Ltd. All rights reserved. |
849 | + * | 847 | + * |
@@ -1157,7 +1155,6 @@ Index: b/ssh-vulnkey.c | |||
1157 | + /* We don't need the RNG ourselves, but symbol references here allow | 1155 | + /* We don't need the RNG ourselves, but symbol references here allow |
1158 | + * ld to link us properly. | 1156 | + * ld to link us properly. |
1159 | + */ | 1157 | + */ |
1160 | + init_rng(); | ||
1161 | + seed_rng(); | 1158 | + seed_rng(); |
1162 | + | 1159 | + |
1163 | + while ((opt = getopt(argc, argv, "ahqv")) != -1) { | 1160 | + while ((opt = getopt(argc, argv, "ahqv")) != -1) { |
@@ -1236,7 +1233,7 @@ Index: b/ssh.1 | |||
1236 | =================================================================== | 1233 | =================================================================== |
1237 | --- a/ssh.1 | 1234 | --- a/ssh.1 |
1238 | +++ b/ssh.1 | 1235 | +++ b/ssh.1 |
1239 | @@ -1402,6 +1402,7 @@ | 1236 | @@ -1407,6 +1407,7 @@ |
1240 | .Xr ssh-agent 1 , | 1237 | .Xr ssh-agent 1 , |
1241 | .Xr ssh-keygen 1 , | 1238 | .Xr ssh-keygen 1 , |
1242 | .Xr ssh-keyscan 1 , | 1239 | .Xr ssh-keyscan 1 , |
@@ -1248,7 +1245,7 @@ Index: b/ssh.c | |||
1248 | =================================================================== | 1245 | =================================================================== |
1249 | --- a/ssh.c | 1246 | --- a/ssh.c |
1250 | +++ b/ssh.c | 1247 | +++ b/ssh.c |
1251 | @@ -1445,7 +1445,7 @@ | 1248 | @@ -1476,7 +1476,7 @@ |
1252 | static void | 1249 | static void |
1253 | load_public_identity_files(void) | 1250 | load_public_identity_files(void) |
1254 | { | 1251 | { |
@@ -1257,7 +1254,7 @@ Index: b/ssh.c | |||
1257 | char *pwdir = NULL, *pwname = NULL; | 1254 | char *pwdir = NULL, *pwname = NULL; |
1258 | int i = 0; | 1255 | int i = 0; |
1259 | Key *public; | 1256 | Key *public; |
1260 | @@ -1502,6 +1502,22 @@ | 1257 | @@ -1533,6 +1533,22 @@ |
1261 | public = key_load_public(filename, NULL); | 1258 | public = key_load_public(filename, NULL); |
1262 | debug("identity file %s type %d", filename, | 1259 | debug("identity file %s type %d", filename, |
1263 | public ? public->type : -1); | 1260 | public ? public->type : -1); |
@@ -1284,7 +1281,7 @@ Index: b/ssh_config.5 | |||
1284 | =================================================================== | 1281 | =================================================================== |
1285 | --- a/ssh_config.5 | 1282 | --- a/ssh_config.5 |
1286 | +++ b/ssh_config.5 | 1283 | +++ b/ssh_config.5 |
1287 | @@ -1146,6 +1146,23 @@ | 1284 | @@ -1188,6 +1188,23 @@ |
1288 | .Dq any . | 1285 | .Dq any . |
1289 | The default is | 1286 | The default is |
1290 | .Dq any:any . | 1287 | .Dq any:any . |
@@ -1312,7 +1309,7 @@ Index: b/sshconnect2.c | |||
1312 | =================================================================== | 1309 | =================================================================== |
1313 | --- a/sshconnect2.c | 1310 | --- a/sshconnect2.c |
1314 | +++ b/sshconnect2.c | 1311 | +++ b/sshconnect2.c |
1315 | @@ -1488,6 +1488,8 @@ | 1312 | @@ -1489,6 +1489,8 @@ |
1316 | 1313 | ||
1317 | /* list of keys stored in the filesystem */ | 1314 | /* list of keys stored in the filesystem */ |
1318 | for (i = 0; i < options.num_identity_files; i++) { | 1315 | for (i = 0; i < options.num_identity_files; i++) { |
@@ -1321,7 +1318,7 @@ Index: b/sshconnect2.c | |||
1321 | key = options.identity_keys[i]; | 1318 | key = options.identity_keys[i]; |
1322 | if (key && key->type == KEY_RSA1) | 1319 | if (key && key->type == KEY_RSA1) |
1323 | continue; | 1320 | continue; |
1324 | @@ -1581,7 +1583,7 @@ | 1321 | @@ -1582,7 +1584,7 @@ |
1325 | debug("Offering %s public key: %s", key_type(id->key), | 1322 | debug("Offering %s public key: %s", key_type(id->key), |
1326 | id->filename); | 1323 | id->filename); |
1327 | sent = send_pubkey_test(authctxt, id); | 1324 | sent = send_pubkey_test(authctxt, id); |
@@ -1334,7 +1331,7 @@ Index: b/sshd.8 | |||
1334 | =================================================================== | 1331 | =================================================================== |
1335 | --- a/sshd.8 | 1332 | --- a/sshd.8 |
1336 | +++ b/sshd.8 | 1333 | +++ b/sshd.8 |
1337 | @@ -945,6 +945,7 @@ | 1334 | @@ -948,6 +948,7 @@ |
1338 | .Xr ssh-agent 1 , | 1335 | .Xr ssh-agent 1 , |
1339 | .Xr ssh-keygen 1 , | 1336 | .Xr ssh-keygen 1 , |
1340 | .Xr ssh-keyscan 1 , | 1337 | .Xr ssh-keyscan 1 , |
@@ -1346,7 +1343,7 @@ Index: b/sshd.c | |||
1346 | =================================================================== | 1343 | =================================================================== |
1347 | --- a/sshd.c | 1344 | --- a/sshd.c |
1348 | +++ b/sshd.c | 1345 | +++ b/sshd.c |
1349 | @@ -1576,6 +1576,11 @@ | 1346 | @@ -1598,6 +1598,11 @@ |
1350 | sensitive_data.host_keys[i] = NULL; | 1347 | sensitive_data.host_keys[i] = NULL; |
1351 | continue; | 1348 | continue; |
1352 | } | 1349 | } |
@@ -1362,7 +1359,7 @@ Index: b/sshd_config.5 | |||
1362 | =================================================================== | 1359 | =================================================================== |
1363 | --- a/sshd_config.5 | 1360 | --- a/sshd_config.5 |
1364 | +++ b/sshd_config.5 | 1361 | +++ b/sshd_config.5 |
1365 | @@ -792,6 +792,20 @@ | 1362 | @@ -795,6 +795,20 @@ |
1366 | Specifies whether password authentication is allowed. | 1363 | Specifies whether password authentication is allowed. |
1367 | The default is | 1364 | The default is |
1368 | .Dq yes . | 1365 | .Dq yes . |
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch index 5f1caddc9..d5a7fe07a 100644 --- a/debian/patches/ssh1-keepalive.patch +++ b/debian/patches/ssh1-keepalive.patch | |||
@@ -7,7 +7,7 @@ Index: b/clientloop.c | |||
7 | =================================================================== | 7 | =================================================================== |
8 | --- a/clientloop.c | 8 | --- a/clientloop.c |
9 | +++ b/clientloop.c | 9 | +++ b/clientloop.c |
10 | @@ -547,16 +547,21 @@ | 10 | @@ -545,16 +545,21 @@ |
11 | static void | 11 | static void |
12 | server_alive_check(void) | 12 | server_alive_check(void) |
13 | { | 13 | { |
@@ -38,7 +38,7 @@ Index: b/clientloop.c | |||
38 | } | 38 | } |
39 | 39 | ||
40 | /* | 40 | /* |
41 | @@ -616,7 +621,7 @@ | 41 | @@ -614,7 +619,7 @@ |
42 | */ | 42 | */ |
43 | 43 | ||
44 | timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ | 44 | timeout_secs = INT_MAX; /* we use INT_MAX to mean no timeout */ |
@@ -51,7 +51,7 @@ Index: b/ssh_config.5 | |||
51 | =================================================================== | 51 | =================================================================== |
52 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
53 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
54 | @@ -1047,7 +1047,10 @@ | 54 | @@ -1089,7 +1089,10 @@ |
55 | .Cm ServerAliveCountMax | 55 | .Cm ServerAliveCountMax |
56 | is left at the default, if the server becomes unresponsive, | 56 | is left at the default, if the server becomes unresponsive, |
57 | ssh will disconnect after approximately 45 seconds. | 57 | ssh will disconnect after approximately 45 seconds. |
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch index 9b560217f..90ddca4ad 100644 --- a/debian/patches/syslog-level-silent.patch +++ b/debian/patches/syslog-level-silent.patch | |||
@@ -14,7 +14,7 @@ Index: b/log.c | |||
14 | =================================================================== | 14 | =================================================================== |
15 | --- a/log.c | 15 | --- a/log.c |
16 | +++ b/log.c | 16 | +++ b/log.c |
17 | @@ -90,6 +90,7 @@ | 17 | @@ -92,6 +92,7 @@ |
18 | LogLevel val; | 18 | LogLevel val; |
19 | } log_levels[] = | 19 | } log_levels[] = |
20 | { | 20 | { |
@@ -26,10 +26,10 @@ Index: b/ssh.c | |||
26 | =================================================================== | 26 | =================================================================== |
27 | --- a/ssh.c | 27 | --- a/ssh.c |
28 | +++ b/ssh.c | 28 | +++ b/ssh.c |
29 | @@ -641,7 +641,7 @@ | 29 | @@ -678,7 +678,7 @@ |
30 | tty_flag = 0; | ||
31 | /* Do not allocate a tty if stdin is not a tty. */ | 30 | /* Do not allocate a tty if stdin is not a tty. */ |
32 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && !force_tty_flag) { | 31 | if ((!isatty(fileno(stdin)) || stdin_null_flag) && |
32 | options.request_tty != REQUEST_TTY_FORCE) { | ||
33 | - if (tty_flag) | 33 | - if (tty_flag) |
34 | + if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) | 34 | + if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) |
35 | logit("Pseudo-terminal will not be allocated because " | 35 | logit("Pseudo-terminal will not be allocated because " |
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch index fe2d99be0..01ba05526 100644 --- a/debian/patches/user-group-modes.patch +++ b/debian/patches/user-group-modes.patch | |||
@@ -24,7 +24,7 @@ Index: b/readconf.c | |||
24 | 24 | ||
25 | #include "xmalloc.h" | 25 | #include "xmalloc.h" |
26 | #include "ssh.h" | 26 | #include "ssh.h" |
27 | @@ -1085,8 +1087,7 @@ | 27 | @@ -1131,8 +1133,7 @@ |
28 | 28 | ||
29 | if (fstat(fileno(f), &sb) == -1) | 29 | if (fstat(fileno(f), &sb) == -1) |
30 | fatal("fstat %s: %s", filename, strerror(errno)); | 30 | fatal("fstat %s: %s", filename, strerror(errno)); |
@@ -38,7 +38,7 @@ Index: b/ssh.1 | |||
38 | =================================================================== | 38 | =================================================================== |
39 | --- a/ssh.1 | 39 | --- a/ssh.1 |
40 | +++ b/ssh.1 | 40 | +++ b/ssh.1 |
41 | @@ -1293,6 +1293,8 @@ | 41 | @@ -1298,6 +1298,8 @@ |
42 | .Xr ssh_config 5 . | 42 | .Xr ssh_config 5 . |
43 | Because of the potential for abuse, this file must have strict permissions: | 43 | Because of the potential for abuse, this file must have strict permissions: |
44 | read/write for the user, and not accessible by others. | 44 | read/write for the user, and not accessible by others. |
@@ -51,7 +51,7 @@ Index: b/ssh_config.5 | |||
51 | =================================================================== | 51 | =================================================================== |
52 | --- a/ssh_config.5 | 52 | --- a/ssh_config.5 |
53 | +++ b/ssh_config.5 | 53 | +++ b/ssh_config.5 |
54 | @@ -1299,6 +1299,8 @@ | 54 | @@ -1343,6 +1343,8 @@ |
55 | This file is used by the SSH client. | 55 | This file is used by the SSH client. |
56 | Because of the potential for abuse, this file must have strict permissions: | 56 | Because of the potential for abuse, this file must have strict permissions: |
57 | read/write for the user, and not accessible by others. | 57 | read/write for the user, and not accessible by others. |
@@ -64,7 +64,7 @@ Index: b/auth.c | |||
64 | =================================================================== | 64 | =================================================================== |
65 | --- a/auth.c | 65 | --- a/auth.c |
66 | +++ b/auth.c | 66 | +++ b/auth.c |
67 | @@ -392,8 +392,7 @@ | 67 | @@ -380,8 +380,7 @@ |
68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); | 68 | user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); |
69 | if (options.strict_modes && | 69 | if (options.strict_modes && |
70 | (stat(user_hostfile, &st) == 0) && | 70 | (stat(user_hostfile, &st) == 0) && |
@@ -74,7 +74,7 @@ Index: b/auth.c | |||
74 | logit("Authentication refused for %.100s: " | 74 | logit("Authentication refused for %.100s: " |
75 | "bad owner or modes for %.200s", | 75 | "bad owner or modes for %.200s", |
76 | pw->pw_name, user_hostfile); | 76 | pw->pw_name, user_hostfile); |
77 | @@ -454,8 +453,7 @@ | 77 | @@ -442,8 +441,7 @@ |
78 | 78 | ||
79 | /* check the open file to avoid races */ | 79 | /* check the open file to avoid races */ |
80 | if (fstat(fileno(f), &st) < 0 || | 80 | if (fstat(fileno(f), &st) < 0 || |
@@ -84,9 +84,9 @@ Index: b/auth.c | |||
84 | snprintf(err, errlen, "bad ownership or modes for file %s", | 84 | snprintf(err, errlen, "bad ownership or modes for file %s", |
85 | buf); | 85 | buf); |
86 | return -1; | 86 | return -1; |
87 | @@ -471,8 +469,7 @@ | 87 | @@ -458,8 +456,7 @@ |
88 | strlcpy(buf, cp, sizeof(buf)); | ||
88 | 89 | ||
89 | debug3("secure_filename: checking '%s'", buf); | ||
90 | if (stat(buf, &st) < 0 || | 90 | if (stat(buf, &st) < 0 || |
91 | - (st.st_uid != 0 && st.st_uid != uid) || | 91 | - (st.st_uid != 0 && st.st_uid != uid) || |
92 | - (st.st_mode & 022) != 0) { | 92 | - (st.st_mode & 022) != 0) { |
@@ -169,7 +169,7 @@ Index: b/misc.h | |||
169 | =================================================================== | 169 | =================================================================== |
170 | --- a/misc.h | 170 | --- a/misc.h |
171 | +++ b/misc.h | 171 | +++ b/misc.h |
172 | @@ -102,4 +102,6 @@ | 172 | @@ -103,4 +103,6 @@ |
173 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); | 173 | int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); |
174 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); | 174 | int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); |
175 | 175 | ||