From 68580f4a03088e52e1d680389a35655c85613c7a Mon Sep 17 00:00:00 2001 From: Scott Moser Date: Sun, 9 Feb 2014 16:10:03 +0000 Subject: Mention ssh-keygen in ssh fingerprint changed warning Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2015-09-08 Patch-Name: mention-ssh-keygen-on-keychange.patch --- sshconnect.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/sshconnect.c b/sshconnect.c index 8adc94307..4aff104b8 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1078,9 +1078,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, error("%s. This could either mean that", key_msg); error("DNS SPOOFING is happening or the IP address for the host"); error("and its host key have changed at the same time."); - if (ip_status != HOST_NEW) + if (ip_status != HOST_NEW) { error("Offending key for IP in %s:%lu", ip_found->file, ip_found->line); + error(" remove with:"); + error(" ssh-keygen -f \"%s\" -R %s", + ip_found->file, ip); + } } /* The host key has changed. */ warn_changed_key(host_key); @@ -1088,6 +1092,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, user_hostfiles[0]); error("Offending %s key in %s:%lu", key_type(host_found->key), host_found->file, host_found->line); + error(" remove with:"); + error(" ssh-keygen -f \"%s\" -R %s", host_found->file, host); /* * If strict host key checking is in use, the user will have -- cgit v1.2.3 From d0d72d370d0f02c220401029af04065c88055a4c Mon Sep 17 00:00:00 2001 From: Matthew Vernon Date: Sun, 9 Feb 2014 16:10:05 +0000 Subject: Include the Debian version in our identification This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: package-versioning.patch --- sshconnect.c | 4 ++-- sshd.c | 2 +- version.h | 7 ++++++- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/sshconnect.c b/sshconnect.c index 4aff104b8..2999061b3 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -524,10 +524,10 @@ send_client_banner(int connection_out, int minor1) /* Send our own protocol version identification. */ if (compat20) { xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); } else { xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); + PROTOCOL_MAJOR_1, minor1, SSH_RELEASE); } if (roaming_atomicio(vwrite, connection_out, client_version_string, strlen(client_version_string)) != strlen(client_version_string)) diff --git a/sshd.c b/sshd.c index 9ff9e8ba6..96e75c6d7 100644 --- a/sshd.c +++ b/sshd.c @@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in, int sock_out) } xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", - major, minor, SSH_VERSION, + major, minor, SSH_RELEASE, *options.version_addendum == '\0' ? "" : " ", options.version_addendum, newline); diff --git a/version.h b/version.h index b58fbe1eb..bff2b3bbb 100644 --- a/version.h +++ b/version.h @@ -3,4 +3,9 @@ #define SSH_VERSION "OpenSSH_6.9" #define SSH_PORTABLE "p1" -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE +#ifdef SSH_EXTRAVERSION +#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION +#else +#define SSH_RELEASE SSH_RELEASE_MINIMUM +#endif -- cgit v1.2.3 From 781bef6cb1a423864072a07c08c9ae95c554b07a Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Sun, 9 Feb 2014 16:10:06 +0000 Subject: Add DebianBanner server configuration option Setting this to "no" causes sshd to omit the Debian revision from its initial protocol handshake, for those scared by package-versioning.patch. Bug-Debian: http://bugs.debian.org/562048 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: debian-banner.patch --- servconf.c | 9 +++++++++ servconf.h | 2 ++ sshd.c | 3 ++- sshd_config.5 | 5 +++++ 4 files changed, 18 insertions(+), 1 deletion(-) diff --git a/servconf.c b/servconf.c index 8a5bd7b3e..fe3e31157 100644 --- a/servconf.c +++ b/servconf.c @@ -169,6 +169,7 @@ initialize_server_options(ServerOptions *options) options->ip_qos_bulk = -1; options->version_addendum = NULL; options->fingerprint_hash = -1; + options->debian_banner = -1; } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ @@ -347,6 +348,8 @@ fill_default_server_options(ServerOptions *options) options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; + if (options->debian_banner == -1) + options->debian_banner = 1; /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = PRIVSEP_NOSANDBOX; @@ -419,6 +422,7 @@ typedef enum { sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sStreamLocalBindMask, sStreamLocalBindUnlink, sAllowStreamLocalForwarding, sFingerprintHash, + sDebianBanner, sDeprecated, sUnsupported } ServerOpCodes; @@ -565,6 +569,7 @@ static struct { { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, + { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; @@ -1850,6 +1855,10 @@ process_server_config_line(ServerOptions *options, char *line, options->fingerprint_hash = value; break; + case sDebianBanner: + intptr = &options->debian_banner; + goto parse_int; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); diff --git a/servconf.h b/servconf.h index b99b27067..ba7b73947 100644 --- a/servconf.h +++ b/servconf.h @@ -196,6 +196,8 @@ typedef struct { char *auth_methods[MAX_AUTH_METHODS]; int fingerprint_hash; + + int debian_banner; } ServerOptions; /* Information about the incoming connection as used by Match */ diff --git a/sshd.c b/sshd.c index 96e75c6d7..7886d0eac 100644 --- a/sshd.c +++ b/sshd.c @@ -442,7 +442,8 @@ sshd_exchange_identification(int sock_in, int sock_out) } xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", - major, minor, SSH_RELEASE, + major, minor, + options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, *options.version_addendum == '\0' ? "" : " ", options.version_addendum, newline); diff --git a/sshd_config.5 b/sshd_config.5 index 1269bbd40..a5afbc37e 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -528,6 +528,11 @@ or .Dq no . The default is .Dq delayed . +.It Cm DebianBanner +Specifies whether the distribution-specified extra version suffix is +included during initial protocol handshake. +The default is +.Dq yes . .It Cm DenyGroups This keyword can be followed by a list of group name patterns, separated by spaces. -- cgit v1.2.3 From 3b192a5f7a31dc247e546067fcca5fd3eb1d4b01 Mon Sep 17 00:00:00 2001 From: Tomas Pospisek Date: Sun, 9 Feb 2014 16:10:07 +0000 Subject: Install authorized_keys(5) as a symlink to sshd(8) Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 Bug-Debian: http://bugs.debian.org/441817 Last-Update: 2013-09-14 Patch-Name: authorized-keys-man-symlink.patch --- Makefile.in | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile.in b/Makefile.in index c406aecef..37cb02332 100644 --- a/Makefile.in +++ b/Makefile.in @@ -325,6 +325,7 @@ install-files: $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 + ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5 $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -- cgit v1.2.3 From 5919db7dc21a34c31be70170728c2838ff59b740 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:08 +0000 Subject: Fix picky lintian errors about slogin symlinks Apparently this breaks some SVR4 packaging systems, so upstream can't win either way and opted to keep the status quo. We need this patch anyway. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1728 Last-Update: 2013-09-14 Patch-Name: lintian-symlink-pickiness.patch --- Makefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile.in b/Makefile.in index 37cb02332..f52f90389 100644 --- a/Makefile.in +++ b/Makefile.in @@ -331,9 +331,9 @@ install-files: $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 -rm -f $(DESTDIR)$(bindir)/slogin - ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin + ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 + ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 install-sysconf: if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ -- cgit v1.2.3 From 5399167019a01a47c5208b0f8a6f0600b9af3bd5 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:09 +0000 Subject: Adjust various OpenBSD-specific references in manual pages No single bug reference for this patch, but history includes: http://bugs.debian.org/154434 (login.conf(5)) http://bugs.debian.org/513417 (/etc/rc) http://bugs.debian.org/530692 (ssl(8)) https://bugs.launchpad.net/bugs/456660 (ssl(8)) Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: openbsd-docs.patch --- moduli.5 | 4 ++-- ssh-keygen.1 | 12 ++++-------- ssh.1 | 4 ++++ sshd.8 | 5 ++--- sshd_config.5 | 3 +-- 5 files changed, 13 insertions(+), 15 deletions(-) diff --git a/moduli.5 b/moduli.5 index ef0de0850..149846c8c 100644 --- a/moduli.5 +++ b/moduli.5 @@ -21,7 +21,7 @@ .Nd Diffie-Hellman moduli .Sh DESCRIPTION The -.Pa /etc/moduli +.Pa /etc/ssh/moduli file contains prime numbers and generators for use by .Xr sshd 8 in the Diffie-Hellman Group Exchange key exchange method. @@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough Diffie-Hellman output to sufficiently key the selected symmetric cipher. .Xr sshd 8 then randomly selects a modulus from -.Fa /etc/moduli +.Fa /etc/ssh/moduli that best meets the size requirement. .Sh SEE ALSO .Xr ssh-keygen 1 , diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 9b93666c9..19bed1e34 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -174,9 +174,7 @@ key in .Pa ~/.ssh/id_ed25519 or .Pa ~/.ssh/id_rsa . -Additionally, the system administrator may use this to generate host keys, -as seen in -.Pa /etc/rc . +Additionally, the system administrator may use this to generate host keys. .Pp Normally this program generates the key and asks for a file in which to store the private key. @@ -223,9 +221,7 @@ For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. -This is used by -.Pa /etc/rc -to generate new host keys. +This is used by system administration scripts to generate new host keys. .It Fl a Ar rounds When saving a new-format private key (i.e. an ed25519 key or any SSH protocol 2 key when the @@ -638,7 +634,7 @@ option. Valid generator values are 2, 3, and 5. .Pp Screened DH groups may be installed in -.Pa /etc/moduli . +.Pa /etc/ssh/moduli . It is important that this file contains moduli of a range of bit lengths and that both ends of a connection share common moduli. .Sh CERTIFICATES @@ -837,7 +833,7 @@ on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. .Pp -.It Pa /etc/moduli +.It Pa /etc/ssh/moduli Contains Diffie-Hellman groups used for DH-GEX. The file format is described in .Xr moduli 5 . diff --git a/ssh.1 b/ssh.1 index c84196fd2..c3e12669b 100644 --- a/ssh.1 +++ b/ssh.1 @@ -766,6 +766,10 @@ Protocol 1 is restricted to using only RSA keys, but protocol 2 may use any. The HISTORY section of .Xr ssl 8 +(on non-OpenBSD systems, see +.nh +http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) +.hy contains a brief discussion of the DSA and RSA algorithms. .Pp The file diff --git a/sshd.8 b/sshd.8 index 5afd10f27..2f4d4f3c4 100644 --- a/sshd.8 +++ b/sshd.8 @@ -67,7 +67,7 @@ over an insecure network. .Nm listens for connections from clients. It is normally started at boot from -.Pa /etc/rc . +.Pa /etc/init.d/ssh . It forks a new daemon for each incoming connection. The forked daemons handle @@ -864,7 +864,7 @@ This file is for host-based authentication (see .Xr ssh 1 ) . It should only be writable by root. .Pp -.It Pa /etc/moduli +.It Pa /etc/ssh/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". The file format is described in .Xr moduli 5 . @@ -963,7 +963,6 @@ The content of this file is not sensitive; it can be world-readable. .Xr ssh-keyscan 1 , .Xr chroot 2 , .Xr hosts_access 5 , -.Xr login.conf 5 , .Xr moduli 5 , .Xr sshd_config 5 , .Xr inetd 8 , diff --git a/sshd_config.5 b/sshd_config.5 index a5afbc37e..355b44544 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -374,8 +374,7 @@ This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via -PAM or through authentication styles supported in -.Xr login.conf 5 ) +PAM). The default is .Dq yes . .It Cm ChrootDirectory -- cgit v1.2.3 From e3a11cda4f8bc5da2388c9446ed8bc1a18acd2e6 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:10 +0000 Subject: ssh(1): Refer to ssh-argv0(1) Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks to ssh with the name of the host you want to connect to. Debian ships an ssh-argv0 script restoring this feature; this patch refers to its manual page from ssh(1). Bug-Debian: http://bugs.debian.org/111341 Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: ssh-argv0.patch --- ssh.1 | 1 + 1 file changed, 1 insertion(+) diff --git a/ssh.1 b/ssh.1 index c3e12669b..217886319 100644 --- a/ssh.1 +++ b/ssh.1 @@ -1487,6 +1487,7 @@ if an error occurred. .Xr sftp 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , +.Xr ssh-argv0 1 , .Xr ssh-keygen 1 , .Xr ssh-keyscan 1 , .Xr tun 4 , -- cgit v1.2.3 From d5510eadce4e2b22e9c341120e759c1f7da9175d Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:11 +0000 Subject: Document that HashKnownHosts may break tab-completion Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 Bug-Debian: http://bugs.debian.org/430154 Last-Update: 2013-09-14 Patch-Name: doc-hash-tab-completion.patch --- ssh_config.5 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ssh_config.5 b/ssh_config.5 index 1d0c52b0b..acd581bf5 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -802,6 +802,9 @@ Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using .Xr ssh-keygen 1 . +Use of this option may break facilities such as tab-completion that rely +on being able to read unhashed host names from +.Pa ~/.ssh/known_hosts . .It Cm HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. -- cgit v1.2.3 From 99babbe6caea4ebf504fc3378012e0d6889a554e Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:12 +0000 Subject: Refer to ssh's Upstart job as well as its init script Forwarded: not-needed Last-Update: 2013-09-14 Patch-Name: doc-upstart.patch --- sshd.8 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sshd.8 b/sshd.8 index 2f4d4f3c4..42f1520b4 100644 --- a/sshd.8 +++ b/sshd.8 @@ -67,7 +67,10 @@ over an insecure network. .Nm listens for connections from clients. It is normally started at boot from -.Pa /etc/init.d/ssh . +.Pa /etc/init.d/ssh +(or +.Pa /etc/init/ssh.conf +on systems using the Upstart init daemon). It forks a new daemon for each incoming connection. The forked daemons handle -- cgit v1.2.3 From 991a1f68f57fd602f65b4ac936daf2695be33b21 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:13 +0000 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) Bug-Debian: http://bugs.debian.org/711623 Forwarded: no Last-Update: 2013-06-08 Patch-Name: ssh-agent-setgid.patch --- ssh-agent.1 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/ssh-agent.1 b/ssh-agent.1 index d0aa712f1..2a940d9ff 100644 --- a/ssh-agent.1 +++ b/ssh-agent.1 @@ -186,6 +186,21 @@ environment variable holds the agent's process ID. .Pp The agent exits automatically when the command given on the command line terminates. +.Pp +In Debian, +.Nm +is installed with the set-group-id bit set, to prevent +.Xr ptrace 2 +attacks retrieving private key material. +This has the side-effect of causing the run-time linker to remove certain +environment variables which might have security implications for set-id +programs, including +.Ev LD_PRELOAD , +.Ev LD_LIBRARY_PATH , +and +.Ev TMPDIR . +If you need to set any of these environment variables, you will need to do +so in the program executed by ssh-agent. .Sh FILES .Bl -tag -width Ds .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt -- cgit v1.2.3 From 0ca693a1acb3b62c1f7d7c1e776d3c160d7c3e84 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Sun, 9 Feb 2014 16:10:14 +0000 Subject: Don't check the status field of the OpenSSL version There is no reason to check the version of OpenSSL (in Debian). If it's not compatible the soname will change. OpenSSH seems to want to do a check for the soname based on the version number, but wants to keep the status of the release the same. Remove that check on the status since it doesn't tell you anything about how compatible that version is. Author: Colin Watson Bug-Debian: https://bugs.debian.org/93581 Bug-Debian: https://bugs.debian.org/664383 Bug-Debian: https://bugs.debian.org/732940 Forwarded: not-needed Last-Update: 2014-10-07 Patch-Name: no-openssl-version-status.patch --- openbsd-compat/openssl-compat.c | 6 +++--- openbsd-compat/regress/opensslvertest.c | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 63a660c7a..3f62403ce 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c @@ -36,7 +36,7 @@ /* * OpenSSL version numbers: MNNFFPPS: major minor fix patch status * We match major, minor, fix and status (not patch) for <1.0.0. - * After that, we acceptable compatible fix versions (so we + * After that, we accept compatible fix and status versions (so we * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed * within a patch series. */ @@ -57,10 +57,10 @@ ssh_compatible_openssl(long headerver, long libver) } /* - * For versions >= 1.0.0, major,minor,status must match and library + * For versions >= 1.0.0, major,minor must match and library * fix version must be equal to or newer than the header. */ - mask = 0xfff0000fL; /* major,minor,status */ + mask = 0xfff00000L; /* major,minor */ hfix = (headerver & 0x000ff000) >> 12; lfix = (libver & 0x000ff000) >> 12; if ( (headerver & mask) == (libver & mask) && lfix >= hfix) diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c index 5d019b598..58474873d 100644 --- a/openbsd-compat/regress/opensslvertest.c +++ b/openbsd-compat/regress/opensslvertest.c @@ -35,6 +35,7 @@ struct version_test { /* built with 1.0.1b release headers */ { 0x1000101fL, 0x1000101fL, 1},/* exact match */ + { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */ { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */ { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ -- cgit v1.2.3 From 2ed0a5ba5af7955d4c5a0c6ff2cf9eabd8f3e3ab Mon Sep 17 00:00:00 2001 From: Vincent Untz Date: Sun, 9 Feb 2014 16:10:16 +0000 Subject: Give the ssh-askpass-gnome window a default icon Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 Last-Update: 2010-02-28 Patch-Name: gnome-ssh-askpass2-icon.patch --- contrib/gnome-ssh-askpass2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c index 9d97c30c0..04b3a110e 100644 --- a/contrib/gnome-ssh-askpass2.c +++ b/contrib/gnome-ssh-askpass2.c @@ -209,6 +209,8 @@ main(int argc, char **argv) gtk_init(&argc, &argv); + gtk_window_set_default_icon_from_file ("/usr/share/pixmaps/ssh-askpass-gnome.png", NULL); + if (argc > 1) { message = g_strjoinv(" ", argv + 1); } else { -- cgit v1.2.3 From ef16932c23264c749f4b02af34dbd62a2075c04f Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:17 +0000 Subject: Support synchronisation with service supervisor using SIGSTOP Author: Robie Basak Forwarded: no Last-Update: 2014-04-14 Patch-Name: sigstop.patch --- sshd.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/sshd.c b/sshd.c index 7886d0eac..cc8ecaff4 100644 --- a/sshd.c +++ b/sshd.c @@ -2038,6 +2038,16 @@ main(int ac, char **av) } } + if (getenv("SSH_SIGSTOP")) { + /* Tell service supervisor that we are ready. */ + kill(getpid(), SIGSTOP); + /* The service supervisor only ever expects a single + * STOP signal, so do not ever signal it again, even + * in the case of a re-exec or future children. + */ + unsetenv("SSH_SIGSTOP"); + } + /* Accept a connection and return in a forked child */ server_accept_loop(&sock_in, &sock_out, &newsock, config_s); -- cgit v1.2.3 From c2ef7b500926be2f7d875d63ec72781b50d69294 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:18 +0000 Subject: Various Debian-specific configuration changes ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause fewer problems with existing setups (http://bugs.debian.org/237021). ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). ssh: Enable HashKnownHosts by default to try to limit the spread of ssh worms. ssh: Enable GSSAPIAuthentication and disable GSSAPIDelegateCredentials by default. sshd: Refer to /usr/share/doc/openssh-server/README.Debian.gz alongside PermitRootLogin default. Document all of this, along with several sshd defaults set in debian/openssh-server.postinst. Author: Russ Allbery Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: debian-config.patch --- readconf.c | 2 +- ssh.1 | 21 +++++++++++++++++++++ ssh_config | 7 ++++++- ssh_config.5 | 19 ++++++++++++++++++- sshd_config | 3 ++- sshd_config.5 | 25 +++++++++++++++++++++++++ 6 files changed, 73 insertions(+), 4 deletions(-) diff --git a/readconf.c b/readconf.c index 5f6c37fe4..f0769b574 100644 --- a/readconf.c +++ b/readconf.c @@ -1748,7 +1748,7 @@ fill_default_options(Options * options) if (options->forward_x11 == -1) options->forward_x11 = 0; if (options->forward_x11_trusted == -1) - options->forward_x11_trusted = 0; + options->forward_x11_trusted = 1; if (options->forward_x11_timeout == -1) options->forward_x11_timeout = 1200; if (options->exit_on_forward_failure == -1) diff --git a/ssh.1 b/ssh.1 index 217886319..e2cce49d3 100644 --- a/ssh.1 +++ b/ssh.1 @@ -670,12 +670,33 @@ option and the directive in .Xr ssh_config 5 for more information. +.Pp +(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension +restrictions by default, because too many programs currently crash in this +mode. +Set the +.Cm ForwardX11Trusted +option to +.Dq no +to restore the upstream behaviour. +This may change in future depending on client-side improvements.) .It Fl x Disables X11 forwarding. .It Fl Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls. +.Pp +(Debian-specific: This option does nothing in the default configuration: it +is equivalent to +.Dq Cm ForwardX11Trusted No yes , +which is the default as described above. +Set the +.Cm ForwardX11Trusted +option to +.Dq no +to restore the upstream behaviour. +This may change in future depending on client-side improvements.) .It Fl y Send log information using the .Xr syslog 3 diff --git a/ssh_config b/ssh_config index 228e5abce..c9386aadd 100644 --- a/ssh_config +++ b/ssh_config @@ -17,9 +17,10 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. -# Host * +Host * # ForwardAgent no # ForwardX11 no +# ForwardX11Trusted yes # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes @@ -48,3 +49,7 @@ # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h + SendEnv LANG LC_* + HashKnownHosts yes + GSSAPIAuthentication yes + GSSAPIDelegateCredentials no diff --git a/ssh_config.5 b/ssh_config.5 index acd581bf5..844d1a0f5 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -74,6 +74,22 @@ Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end. .Pp +Note that the Debian +.Ic openssh-client +package sets several options as standard in +.Pa /etc/ssh/ssh_config +which are not the default in +.Xr ssh 1 : +.Pp +.Bl -bullet -offset indent -compact +.It +.Cm SendEnv No LANG LC_* +.It +.Cm HashKnownHosts No yes +.It +.Cm GSSAPIAuthentication No yes +.El +.Pp The configuration file has the following format: .Pp Empty lines and lines starting with @@ -716,7 +732,8 @@ token used for the session will be set to expire after 20 minutes. Remote clients will be refused access after this time. .Pp The default is -.Dq no . +.Dq yes +(Debian-specific). .Pp See the X11 SECURITY extension specification for full details on the restrictions imposed on untrusted clients. diff --git a/sshd_config b/sshd_config index 1dfd0f156..23a338fa3 100644 --- a/sshd_config +++ b/sshd_config @@ -41,7 +41,8 @@ # Authentication: #LoginGraceTime 2m -#PermitRootLogin no +# See /usr/share/doc/openssh-server/README.Debian.gz. +#PermitRootLogin without-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 diff --git a/sshd_config.5 b/sshd_config.5 index 355b44544..eb6bff85f 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes .Pq \&" in order to represent arguments containing spaces. .Pp +Note that the Debian +.Ic openssh-server +package sets several options as standard in +.Pa /etc/ssh/sshd_config +which are not the default in +.Xr sshd 8 . +The exact list depends on whether the package was installed fresh or +upgraded from various possible previous versions, but includes at least the +following: +.Pp +.Bl -bullet -offset indent -compact +.It +.Cm ChallengeResponseAuthentication No no +.It +.Cm X11Forwarding No yes +.It +.Cm PrintMotd No no +.It +.Cm AcceptEnv No LANG LC_* +.It +.Cm Subsystem No sftp /usr/lib/openssh/sftp-server +.It +.Cm UsePAM No yes +.El +.Pp The possible keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): -- cgit v1.2.3 From 7c2583f26ff8eb848c53255a88574f923edaf94d Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 30 Jul 2015 23:09:15 +0000 Subject: Fix pty permissions Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6f941396b6835ad18018845f515b0c4fe20be21a Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: backport-fix-pty-permissions.patch --- sshpty.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sshpty.c b/sshpty.c index 0e32b392b..e89efb74a 100644 --- a/sshpty.c +++ b/sshpty.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshpty.c,v 1.29 2014/09/03 18:55:07 djm Exp $ */ +/* $OpenBSD: sshpty.c,v 1.30 2015/07/30 23:09:15 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -197,7 +197,7 @@ pty_setowner(struct passwd *pw, const char *tty, const char *role) /* Determine the group to make the owner of the tty. */ grp = getgrnam("tty"); gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; - mode = (grp != NULL) ? 0622 : 0600; + mode = (grp != NULL) ? 0620 : 0600; /* * Change owner and mode of the tty as required. -- cgit v1.2.3 From 7de26a97986c8032bf1869347a2ceaee1d64f857 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 11 Aug 2015 13:33:24 +1000 Subject: Don't resend username to PAM; it already has it. Pointed out by Moritz Jodeit; ok dtucker@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=d4697fe9a28dab7255c60433e4dd23cf7fce8a8b Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: backport-do-not-resend-username-to-pam.patch --- monitor.c | 2 -- monitor_wrap.c | 1 - 2 files changed, 3 deletions(-) diff --git a/monitor.c b/monitor.c index 12ed6fd00..870a6b9e1 100644 --- a/monitor.c +++ b/monitor.c @@ -1143,9 +1143,7 @@ extern KbdintDevice sshpam_device; int mm_answer_pam_init_ctx(int sock, Buffer *m) { - debug3("%s", __func__); - authctxt->user = buffer_get_string(m, NULL); sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); sshpam_authok = NULL; buffer_clear(m); diff --git a/monitor_wrap.c b/monitor_wrap.c index 2a0fe9bf6..e2fcf75ff 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -632,7 +632,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) debug3("%s", __func__); buffer_init(&m); - buffer_put_cstring(&m, authctxt->user); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); -- cgit v1.2.3 From 5811884269955979919121440a57a7475a4f9eac Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 11 Aug 2015 13:34:12 +1000 Subject: set sshpam_ctxt to NULL after free Avoids use-after-free in monitor when privsep child is compromised. Reported by Moritz Jodeit; ok dtucker@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5e75f5198769056089fb06c4d738ab0e5abc66f7 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: backport-pam-use-after-free.patch --- monitor.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/monitor.c b/monitor.c index 870a6b9e1..e8541b4fa 100644 --- a/monitor.c +++ b/monitor.c @@ -1225,14 +1225,16 @@ mm_answer_pam_respond(int sock, Buffer *m) int mm_answer_pam_free_ctx(int sock, Buffer *m) { + int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; debug3("%s", __func__); (sshpam_device.free_ctx)(sshpam_ctxt); + sshpam_ctxt = sshpam_authok = NULL; buffer_clear(m); mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); auth_method = "keyboard-interactive"; auth_submethod = "pam"; - return (sshpam_authok == sshpam_ctxt); + return r; } #endif -- cgit v1.2.3 From e1c118c1cd5b0c691e6d080c87c440c262fc6b12 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 18 Jul 2015 07:57:14 +0000 Subject: only query each keyboard-interactive device once per authentication request regardless of how many times it is listed ok markus@ Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=5b64f85bb811246c59ebab70aed331f26ba37b18 Forwarded: not-needed Last-Update: 2015-08-19 Patch-Name: backport-kbdint-duplicates.patch --- auth2-chall.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/auth2-chall.c b/auth2-chall.c index ddabe1a90..4aff09d80 100644 --- a/auth2-chall.c +++ b/auth2-chall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */ +/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. * Copyright (c) 2001 Per Allansson. All rights reserved. @@ -83,6 +83,7 @@ struct KbdintAuthctxt void *ctxt; KbdintDevice *device; u_int nreq; + u_int devices_done; }; #ifdef USE_PAM @@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt) if (len == 0) break; for (i = 0; devices[i]; i++) { - if (!auth2_method_allowed(authctxt, + if ((kbdintctxt->devices_done & (1 << i)) != 0 || + !auth2_method_allowed(authctxt, "keyboard-interactive", devices[i]->name)) continue; - if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0) + if (strncmp(kbdintctxt->devices, devices[i]->name, + len) == 0) { kbdintctxt->device = devices[i]; + kbdintctxt->devices_done |= 1 << i; + } } t = kbdintctxt->devices; kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL; -- cgit v1.2.3 From fb43a1fa9d049900efd76861b9496a9585ba4759 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 10 Aug 2015 11:13:44 +1000 Subject: let principals-command.sh work for noexec /var/run Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=55b263fb7cfeacb81aaf1c2036e0394c881637da Forwarded: not-needed Last-Update: 2015-08-20 Patch-Name: backport-regress-principals-command-noexec.patch --- regress/principals-command.sh | 222 +++++++++++++++++++++--------------------- 1 file changed, 113 insertions(+), 109 deletions(-) diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 90064373d..b90a8cf2c 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -14,15 +14,15 @@ fi # Establish a AuthorizedPrincipalsCommand in /var/run where it will have # acceptable directory permissions. -PRINCIPALS_COMMAND="/var/run/principals_command_${LOGNAME}" -cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_COMMAND'" +PRINCIPALS_CMD="/var/run/principals_command_${LOGNAME}" +cat << _EOF | $SUDO sh -c "cat > '$PRINCIPALS_CMD'" #!/bin/sh test "x\$1" != "x${LOGNAME}" && exit 1 test -f "$OBJ/authorized_principals_${LOGNAME}" && exec cat "$OBJ/authorized_principals_${LOGNAME}" _EOF test $? -eq 0 || fatal "couldn't prepare principals command" -$SUDO chmod 0755 "$PRINCIPALS_COMMAND" +$SUDO chmod 0755 "$PRINCIPALS_CMD" # Create a CA key and a user certificate. ${SSHKEYGEN} -q -N '' -t ed25519 -f $OBJ/user_ca_key || \ @@ -33,109 +33,113 @@ ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \ -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key || \ fatal "couldn't sign cert_user_key" -# Test explicitly-specified principals -for privsep in yes no ; do - _prefix="privsep $privsep" - - # Setup for AuthorizedPrincipalsCommand - rm -f $OBJ/authorized_keys_$USER - ( - cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" - echo "AuthorizedKeysFile none" - echo "AuthorizedPrincipalsCommand $PRINCIPALS_COMMAND %u" - echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" - echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" - ) > $OBJ/sshd_proxy - - # XXX test missing command - # XXX test failing command - - # Empty authorized_principals - verbose "$tid: ${_prefix} empty authorized_principals" - echo > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Wrong authorized_principals - verbose "$tid: ${_prefix} wrong authorized_principals" - echo gregorsamsa > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Correct authorized_principals - verbose "$tid: ${_prefix} correct authorized_principals" - echo mekmitasdigoat > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - - # authorized_principals with bad key option - verbose "$tid: ${_prefix} authorized_principals bad key opt" - echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # authorized_principals with command=false - verbose "$tid: ${_prefix} authorized_principals command=false" - echo 'command="false" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - - # authorized_principals with command=true - verbose "$tid: ${_prefix} authorized_principals command=true" - echo 'command="true" mekmitasdigoat' > \ - $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi - - # Setup for principals= key option - rm -f $OBJ/authorized_principals_$USER - ( - cat $OBJ/sshd_proxy_bak - echo "UsePrivilegeSeparation $privsep" - ) > $OBJ/sshd_proxy - - # Wrong principals list - verbose "$tid: ${_prefix} wrong principals key option" - ( - printf 'cert-authority,principals="gregorsamsa" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -eq 0 ]; then - fail "ssh cert connect succeeded unexpectedly" - fi - - # Correct principals list - verbose "$tid: ${_prefix} correct principals key option" - ( - printf 'cert-authority,principals="mekmitasdigoat" ' - cat $OBJ/user_ca_key.pub - ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key \ - -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 - if [ $? -ne 0 ]; then - fail "ssh cert connect failed" - fi -done +if [ -x $PRINCIPALS_CMD ]; then + # Test explicitly-specified principals + for privsep in yes no ; do + _prefix="privsep $privsep" + + # Setup for AuthorizedPrincipalsCommand + rm -f $OBJ/authorized_keys_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + echo "AuthorizedKeysFile none" + echo "AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u" + echo "AuthorizedPrincipalsCommandUser ${LOGNAME}" + echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" + ) > $OBJ/sshd_proxy + + # XXX test missing command + # XXX test failing command + + # Empty authorized_principals + verbose "$tid: ${_prefix} empty authorized_principals" + echo > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Wrong authorized_principals + verbose "$tid: ${_prefix} wrong authorized_principals" + echo gregorsamsa > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct authorized_principals + verbose "$tid: ${_prefix} correct authorized_principals" + echo mekmitasdigoat > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # authorized_principals with bad key option + verbose "$tid: ${_prefix} authorized_principals bad key opt" + echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # authorized_principals with command=false + verbose "$tid: ${_prefix} authorized_principals command=false" + echo 'command="false" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # authorized_principals with command=true + verbose "$tid: ${_prefix} authorized_principals command=true" + echo 'command="true" mekmitasdigoat' > \ + $OBJ/authorized_principals_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + + # Setup for principals= key option + rm -f $OBJ/authorized_principals_$USER + ( + cat $OBJ/sshd_proxy_bak + echo "UsePrivilegeSeparation $privsep" + ) > $OBJ/sshd_proxy + + # Wrong principals list + verbose "$tid: ${_prefix} wrong principals key option" + ( + printf 'cert-authority,principals="gregorsamsa" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -eq 0 ]; then + fail "ssh cert connect succeeded unexpectedly" + fi + + # Correct principals list + verbose "$tid: ${_prefix} correct principals key option" + ( + printf 'cert-authority,principals="mekmitasdigoat" ' + cat $OBJ/user_ca_key.pub + ) > $OBJ/authorized_keys_$USER + ${SSH} -2i $OBJ/cert_user_key \ + -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh cert connect failed" + fi + done +else + echo "SKIPPED: $PRINCIPALS_COMMAND not executable " \ + "(/var/run mounted noexec?)" +fi -- cgit v1.2.3