From 29922445eda8a76d957af24db452a084ffc91bd9 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Sun, 17 Jul 2011 01:29:56 +0100
Subject: * Backport from upstream:
  - Make hostbased auth with ECDSA keys work correctly (closes: #633368).

---
 debian/changelog | 2 +
 debian/patches/hostbased-ecdsa.patch | 71 ++++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 74 insertions(+)
 create mode 100644 debian/patches/hostbased-ecdsa.patch

(limited to 'debian')

diff --git a/debian/changelog b/debian/changelog
index 02933e934..7980e1d1f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:5.8p1-5) UNRELEASED; urgency=low
 * Drop openssh-server's dependency on openssh-blacklist to a recommendation (closes: #622604).
 * Update Vcs-* fields and README.source for Alioth changes.
+ * Backport from upstream:
+ - Make hostbased auth with ECDSA keys work correctly (closes: #633368).
 -- Colin Watson Wed, 13 Apr 2011 13:05:43 +0100
diff --git a/debian/patches/hostbased-ecdsa.patch b/debian/patches/hostbased-ecdsa.patch
new file mode 100644
index 000000000..fb618940a
--- /dev/null
+++ b/debian/patches/hostbased-ecdsa.patch
@@ -0,0 +1,71 @@
+Description: Make hostbased auth with ECDSA keys work correctly
+Author: Harv
+Author: Damien Miller
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1858
+Bug-Debian: http://bugs.debian.org/633368
+Origin: upstream, http://bazaar.launchpad.net/~vcs-imports/openssh/main/revision/6327
+Applied-Upstream: yes
+Forwarded: not-needed
+Last-Update: 2011-07-17
+
+Index: b/ssh-keysign.c
+===================================================================
+--- a/ssh-keysign.c
++++ b/ssh-keysign.c
+@@ -150,9 +150,10 @@
+ {
+ Buffer b;
+ Options options;
+- Key *keys[2], *key = NULL;
++#define NUM_KEYTYPES 3
++ Key *keys[NUM_KEYTYPES], *key = NULL;
+ struct passwd *pw;
+- int key_fd[2], i, found, version = 2, fd;
++ int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
+ u_char *signature, *data;
+ char *host;
+ u_int slen, dlen;
+@@ -165,8 +166,10 @@
+ if (fd > 2)
+ close(fd);
+
+- key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+- key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
++ i = 0;
++ key_fd[i++] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);
++ key_fd[i++] = open(_PATH_HOST_ECDSA_KEY_FILE, O_RDONLY);
++ key_fd[i++] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
+
+ original_real_uid = getuid(); /* XXX readconf.c needs this */
+ if ((pw = getpwuid(original_real_uid)) == NULL)
+@@ -191,7 +194,11 @@
+ fatal("ssh-keysign not enabled in %s",
+ _PATH_HOST_CONFIG_FILE);
+
+- if (key_fd[0] == -1 && key_fd[1] == -1)
++ for (i = found = 0; i < NUM_KEYTYPES; i++) {
++ if (key_fd[i] != -1)
++ found = 1;
++ }
++ if (found == 0)
+ fatal("could not open any host key");
+
+ OpenSSL_add_all_algorithms();
+@@ -200,7 +207,7 @@
+ RAND_seed(rnd, sizeof(rnd));
+
+ found = 0;
+- for (i = 0; i < 2; i++) {
++ for (i = 0; i < NUM_KEYTYPES; i++) {
+ keys[i] = NULL;
+ if (key_fd[i] == -1)
+ continue;
+@@ -230,7 +237,7 @@
+ xfree(host);
+
+ found = 0;
+- for (i = 0; i < 2; i++) {
++ for (i = 0; i < NUM_KEYTYPES; i++) {
+ if (keys[i] != NULL &&
+ key_equal_public(key,
keys[i])) {
+ found = 1;
diff --git a/debian/patches/series b/debian/patches/series
index 0a21f8ead..01ef70076 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,6 +39,7 @@ doc-hash-tab-completion.patch
 # Miscellaneous bug fixes
 selinux-build-failure.patch
 ssh-add-fifo.patch
+hostbased-ecdsa.patch
 # Debian-specific configuration
 gnome-ssh-askpass2-icon.patch
-- cgit v1.2.3
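Review bot: The new `#define NUM_KEYTYPES 3` in the `-150` hunk of the backported ssh-keysign.c patch is a bare count that nothing ties to the three `open()` calls added in the `-165` hunk, so the next key type must be edited in two places, and a count larger than the number of opens would leave an uninitialised `key_fd` slot that the later `key_fd[i] != -1` / `key_fd[i] == -1` tests in the `-191` and `-200` hunks would treat as a real descriptor. Deriving the bound from a table of key file paths and opening them in one loop keeps the list and the count in a single place; it also moves the macro out of the middle of the function's declaration list, which is a readability point in itself. The enclosing function begins above the first inner hunk and continues past the last, so only its declarations, the open calls and the three loops are visible here; the `-191`, `-200` and `-230` loops would iterate the same table-derived bound unchanged.

```c
/* At file scope, above the function: one table drives both the bound and
 * the open() calls, so adding a key type is a single edit. */
static const char *host_key_files[] = {
	_PATH_HOST_DSA_KEY_FILE,
	_PATH_HOST_ECDSA_KEY_FILE,
	_PATH_HOST_RSA_KEY_FILE,
};
#define NUM_KEYTYPES ((int)(sizeof(host_key_files) / sizeof(host_key_files[0])))

	/* … unchanged: keys[]/key_fd[] declarations using NUM_KEYTYPES, fd close loop … */
	for (i = 0; i < NUM_KEYTYPES; i++)
		key_fd[i] = open(host_key_files[i], O_RDONLY);
	/* … unchanged: getpwuid, config check, "could not open any host key" loop … */
```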