From ecac7e1f7add6b28874959a11f2238d149dc2c07 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Thu, 20 Sep 2018 03:30:44 +0000 Subject: upstream: add CASignatureAlgorithms option for the client, allowing it to specify which signature algorithms may be used by CAs when signing certificates. Useful if you want to ban RSA/SHA1; ok markus@ OpenBSD-Commit-ID: 9159e5e9f67504829bf53ff222057307a6e3230f --- sshconnect.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'sshconnect.c') diff --git a/sshconnect.c b/sshconnect.c index 78813c164..6d819279e 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.304 2018/07/27 05:34:42 dtucker Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.305 2018/09/20 03:30:44 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -734,19 +734,28 @@ confirm(const char *prompt) } static int -check_host_cert(const char *host, const struct sshkey *host_key) +check_host_cert(const char *host, const struct sshkey *key) { const char *reason; + int r; - if (sshkey_cert_check_authority(host_key, 1, 0, host, &reason) != 0) { + if (sshkey_cert_check_authority(key, 1, 0, host, &reason) != 0) { error("%s", reason); return 0; } - if (sshbuf_len(host_key->cert->critical) != 0) { + if (sshbuf_len(key->cert->critical) != 0) { error("Certificate for %s contains unsupported " "critical options(s)", host); return 0; } + if ((r = sshkey_check_cert_sigtype(key, + options.ca_sign_algorithms)) != 0) { + logit("%s: certificate signature algorithm %s: %s", __func__, + (key->cert == NULL || key->cert->signature_type == NULL) ? + "(null)" : key->cert->signature_type, ssh_err(r)); + return 0; + } + return 1; } -- cgit v1.2.3 From cabad6b7182cd6eaa8b760718200a316e7f578ed Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 9 Feb 2014 16:10:00 +0000 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand There's some debate on the upstream bug about whether POSIX requires this. I (Colin Watson) agree with Vincent and think it does. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 Bug-Debian: http://bugs.debian.org/492728 Last-Update: 2013-09-14 Patch-Name: shell-path.patch --- sshconnect.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sshconnect.c') diff --git a/sshconnect.c b/sshconnect.c index 6d819279e..700ea6c3c 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -229,7 +229,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, /* Execute the proxy command. Note that we gave up any extra privileges above. */ signal(SIGPIPE, SIG_DFL); - execv(argv[0], argv); + execvp(argv[0], argv); perror(argv[0]); exit(1); } @@ -1534,7 +1534,7 @@ ssh_local_cmd(const char *args) if (pid == 0) { signal(SIGPIPE, SIG_DFL); debug3("Executing %s -c \"%s\"", shell, args); - execl(shell, shell, "-c", args, (char *)NULL); + execlp(shell, shell, "-c", args, (char *)NULL); error("Couldn't execute %s -c \"%s\": %s", shell, args, strerror(errno)); _exit(1); -- cgit v1.2.3 From bb8bb2621914ad600202e38d5b9b4f4544b191e5 Mon Sep 17 00:00:00 2001 From: Scott Moser Date: Sun, 9 Feb 2014 16:10:03 +0000 Subject: Mention ssh-keygen in ssh fingerprint changed warning Author: Chris Lamb Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 Last-Update: 2017-08-22 Patch-Name: mention-ssh-keygen-on-keychange.patch --- sshconnect.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'sshconnect.c') diff --git a/sshconnect.c b/sshconnect.c index 700ea6c3c..158e8146f 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1121,9 +1121,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, error("%s. This could either mean that", key_msg); error("DNS SPOOFING is happening or the IP address for the host"); error("and its host key have changed at the same time."); - if (ip_status != HOST_NEW) + if (ip_status != HOST_NEW) { error("Offending key for IP in %s:%lu", ip_found->file, ip_found->line); + error(" remove with:"); + error(" ssh-keygen -f \"%s\" -R \"%s\"", + ip_found->file, ip); + } } /* The host key has changed. */ warn_changed_key(host_key); @@ -1132,6 +1136,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, error("Offending %s key in %s:%lu", sshkey_type(host_found->key), host_found->file, host_found->line); + error(" remove with:"); + error(" ssh-keygen -f \"%s\" -R \"%s\"", + host_found->file, host); /* * If strict host key checking is in use, the user will have -- cgit v1.2.3 From b258a00bedcf29200b394c671c6deb1e53157f32 Mon Sep 17 00:00:00 2001 From: Matthew Vernon Date: Sun, 9 Feb 2014 16:10:05 +0000 Subject: Include the Debian version in our identification This makes it easier to audit networks for versions patched against security vulnerabilities. It has little detrimental effect, as attackers will generally just try attacks rather than bothering to scan for vulnerable-looking version strings. (However, see debian-banner.patch.) Forwarded: not-needed Last-Update: 2017-10-04 Patch-Name: package-versioning.patch --- sshconnect.c | 2 +- sshd.c | 2 +- version.h | 7 ++++++- 3 files changed, 8 insertions(+), 3 deletions(-) (limited to 'sshconnect.c') diff --git a/sshconnect.c b/sshconnect.c index 158e8146f..b9418e277 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -609,7 +609,7 @@ send_client_banner(int connection_out, int minor1) { /* Send our own protocol version identification. */ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); if (atomicio(vwrite, connection_out, client_version_string, strlen(client_version_string)) != strlen(client_version_string)) fatal("write: %.100s", strerror(errno)); diff --git a/sshd.c b/sshd.c index 2bc6679e5..9481272fc 100644 --- a/sshd.c +++ b/sshd.c @@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) char remote_version[256]; /* Must be at least as big as buf. */ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, *options.version_addendum == '\0' ? "" : " ", options.version_addendum); diff --git a/version.h b/version.h index 422dfbc3a..5e1ce0426 100644 --- a/version.h +++ b/version.h @@ -3,4 +3,9 @@ #define SSH_VERSION "OpenSSH_7.9" #define SSH_PORTABLE "p1" -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE +#ifdef SSH_EXTRAVERSION +#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION +#else +#define SSH_RELEASE SSH_RELEASE_MINIMUM +#endif -- cgit v1.2.3