mirror of https://gitee.com/openkylin/openssh.git
changed debian/source/format to native
This commit is contained in:
parent
f70d7ae8c1
commit
2d0df78df5
|
@ -1,26 +0,0 @@
|
|||
From b0cb3badf4d423f8ea7bf950e55ca72878cc224b Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Pospisek <tpo_deb@sourcepole.ch>
|
||||
Date: Sun, 9 Feb 2014 16:10:07 +0000
|
||||
Subject: Install authorized_keys(5) as a symlink to sshd(8)
|
||||
|
||||
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
|
||||
Bug-Debian: http://bugs.debian.org/441817
|
||||
Last-Update: 2013-09-14
|
||||
|
||||
Patch-Name: authorized-keys-man-symlink.patch
|
||||
---
|
||||
Makefile.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index b68c1710f..bff1db49b 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -402,6 +402,7 @@ install-files:
|
||||
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
|
||||
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
|
||||
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
|
||||
+ ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5
|
||||
$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
|
||||
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
|
||||
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
|
|
@ -1,68 +0,0 @@
|
|||
From 39d3bb41ec288e8ba2384c65248440603f65349c Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Thu, 30 Aug 2018 00:58:56 +0100
|
||||
Subject: Work around conch interoperability failure
|
||||
|
||||
Twisted Conch fails to read private keys in the new format
|
||||
(https://twistedmatrix.com/trac/ticket/9515). Work around this until it
|
||||
can be fixed in Twisted.
|
||||
|
||||
Forwarded: not-needed
|
||||
Last-Update: 2019-10-09
|
||||
|
||||
Patch-Name: conch-old-privkey-format.patch
|
||||
---
|
||||
regress/Makefile | 2 +-
|
||||
regress/conch-ciphers.sh | 2 +-
|
||||
regress/test-exec.sh | 12 ++++++++++++
|
||||
3 files changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/regress/Makefile b/regress/Makefile
|
||||
index 774c10d41..01e257a94 100644
|
||||
--- a/regress/Makefile
|
||||
+++ b/regress/Makefile
|
||||
@@ -120,7 +120,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
|
||||
rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
|
||||
scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
|
||||
sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
|
||||
- ssh-rsa_oldfmt \
|
||||
+ ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \
|
||||
ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
|
||||
ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
|
||||
sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \
|
||||
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
|
||||
index 6678813a2..6ff5da20b 100644
|
||||
--- a/regress/conch-ciphers.sh
|
||||
+++ b/regress/conch-ciphers.sh
|
||||
@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
|
||||
rm -f ${COPY}
|
||||
# XXX the 2nd "cat" seems to be needed because of buggy FD handling
|
||||
# in conch
|
||||
- ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \
|
||||
+ ${CONCH} --identity $OBJ/ssh-rsa_oldfmt --port $PORT --user $USER -e none \
|
||||
--known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
|
||||
127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
|
||||
if [ $? -ne 0 ]; then
|
||||
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
|
||||
index f5e3ee6f5..a3a40719f 100644
|
||||
--- a/regress/test-exec.sh
|
||||
+++ b/regress/test-exec.sh
|
||||
@@ -573,6 +573,18 @@ REGRESS_INTEROP_CONCH=no
|
||||
if test -x "$CONCH" ; then
|
||||
REGRESS_INTEROP_CONCH=yes
|
||||
fi
|
||||
+case "$SCRIPT" in
|
||||
+*conch*) ;;
|
||||
+*) REGRESS_INTEROP_CONCH=no
|
||||
+esac
|
||||
+
|
||||
+if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
|
||||
+ # Convert rsa key to old format to work around
|
||||
+ # https://twistedmatrix.com/trac/ticket/9515
|
||||
+ cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
|
||||
+ cp $OBJ/ssh-rsa.pub $OBJ/ssh-rsa_oldfmt.pub
|
||||
+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
|
||||
+fi
|
||||
|
||||
# If PuTTY is present and we are running a PuTTY test, prepare keys and
|
||||
# configuration
|
|
@ -1,163 +0,0 @@
|
|||
From 7d20d00ea24ec0c3fffacc80ab271d0699d198c6 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <kees@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:10:06 +0000
|
||||
Subject: Add DebianBanner server configuration option
|
||||
|
||||
Setting this to "no" causes sshd to omit the Debian revision from its
|
||||
initial protocol handshake, for those scared by package-versioning.patch.
|
||||
|
||||
Bug-Debian: http://bugs.debian.org/562048
|
||||
Forwarded: not-needed
|
||||
Last-Update: 2020-02-21
|
||||
|
||||
Patch-Name: debian-banner.patch
|
||||
---
|
||||
kex.c | 5 +++--
|
||||
kex.h | 2 +-
|
||||
servconf.c | 9 +++++++++
|
||||
servconf.h | 2 ++
|
||||
sshconnect.c | 2 +-
|
||||
sshd.c | 3 ++-
|
||||
sshd_config.5 | 5 +++++
|
||||
7 files changed, 23 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/kex.c b/kex.c
|
||||
index f638942d3..2abfbb95a 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg)
|
||||
*/
|
||||
int
|
||||
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
|
||||
- const char *version_addendum)
|
||||
+ int debian_banner, const char *version_addendum)
|
||||
{
|
||||
int remote_major, remote_minor, mismatch;
|
||||
size_t len, i, n;
|
||||
@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
|
||||
if (version_addendum != NULL && *version_addendum == '\0')
|
||||
version_addendum = NULL;
|
||||
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
|
||||
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
|
||||
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
|
||||
+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
|
||||
version_addendum == NULL ? "" : " ",
|
||||
version_addendum == NULL ? "" : version_addendum)) != 0) {
|
||||
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
|
||||
diff --git a/kex.h b/kex.h
|
||||
index fe7141414..938dca03b 100644
|
||||
--- a/kex.h
|
||||
+++ b/kex.h
|
||||
@@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *);
|
||||
int kex_assemble_names(char **, const char *, const char *);
|
||||
int kex_gss_names_valid(const char *);
|
||||
|
||||
-int kex_exchange_identification(struct ssh *, int, const char *);
|
||||
+int kex_exchange_identification(struct ssh *, int, int, const char *);
|
||||
|
||||
struct kex *kex_new(void);
|
||||
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index bf3cd84a4..7bbc25c2e 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
|
||||
options->fingerprint_hash = -1;
|
||||
options->disable_forwarding = -1;
|
||||
options->expose_userauth_info = -1;
|
||||
+ options->debian_banner = -1;
|
||||
}
|
||||
|
||||
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
|
||||
@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
|
||||
options->expose_userauth_info = 0;
|
||||
if (options->sk_provider == NULL)
|
||||
options->sk_provider = xstrdup("internal");
|
||||
+ if (options->debian_banner == -1)
|
||||
+ options->debian_banner = 1;
|
||||
|
||||
assemble_algorithms(options);
|
||||
|
||||
@@ -556,6 +559,7 @@ typedef enum {
|
||||
sStreamLocalBindMask, sStreamLocalBindUnlink,
|
||||
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
|
||||
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
|
||||
+ sDebianBanner,
|
||||
sDeprecated, sIgnore, sUnsupported
|
||||
} ServerOpCodes;
|
||||
|
||||
@@ -719,6 +723,7 @@ static struct {
|
||||
{ "rdomain", sRDomain, SSHCFG_ALL },
|
||||
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
|
||||
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
|
||||
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
|
||||
{ NULL, sBadOption, 0 }
|
||||
};
|
||||
|
||||
@@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
||||
*charptr = xstrdup(arg);
|
||||
break;
|
||||
|
||||
+ case sDebianBanner:
|
||||
+ intptr = &options->debian_banner;
|
||||
+ goto parse_flag;
|
||||
+
|
||||
case sDeprecated:
|
||||
case sIgnore:
|
||||
case sUnsupported:
|
||||
diff --git a/servconf.h b/servconf.h
|
||||
index 3f47ea25e..3fa05fcac 100644
|
||||
--- a/servconf.h
|
||||
+++ b/servconf.h
|
||||
@@ -221,6 +221,8 @@ typedef struct {
|
||||
int expose_userauth_info;
|
||||
u_int64_t timing_secret;
|
||||
char *sk_provider;
|
||||
+
|
||||
+ int debian_banner;
|
||||
} ServerOptions;
|
||||
|
||||
/* Information about the incoming connection as used by Match */
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index b796d3c8a..9f2412e0d 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
|
||||
lowercase(host);
|
||||
|
||||
/* Exchange protocol version identification strings with the server. */
|
||||
- if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
|
||||
+ if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
|
||||
cleanup_exit(255); /* error already logged */
|
||||
|
||||
/* Put the connection into non-blocking mode. */
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 65916fc6d..da876a900 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -2187,7 +2187,8 @@ main(int ac, char **av)
|
||||
if (!debug_flag)
|
||||
alarm(options.login_grace_time);
|
||||
|
||||
- if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
|
||||
+ if (kex_exchange_identification(ssh, -1, options.debian_banner,
|
||||
+ options.version_addendum) != 0)
|
||||
cleanup_exit(255); /* error already logged */
|
||||
|
||||
ssh_packet_set_nonblocking(ssh);
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index ebd09f891..c926f584c 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -542,6 +542,11 @@ or
|
||||
.Cm no .
|
||||
The default is
|
||||
.Cm yes .
|
||||
+.It Cm DebianBanner
|
||||
+Specifies whether the distribution-specified extra version suffix is
|
||||
+included during initial protocol handshake.
|
||||
+The default is
|
||||
+.Cm yes .
|
||||
.It Cm DenyGroups
|
||||
This keyword can be followed by a list of group name patterns, separated
|
||||
by spaces.
|
|
@ -1,270 +0,0 @@
|
|||
From 8086961f9f4ad834e9c3b09b6e2c80273be1c506 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:10:18 +0000
|
||||
Subject: Various Debian-specific configuration changes
|
||||
|
||||
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
|
||||
fewer problems with existing setups (http://bugs.debian.org/237021).
|
||||
|
||||
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
|
||||
|
||||
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
|
||||
worms.
|
||||
|
||||
ssh: Enable GSSAPIAuthentication by default.
|
||||
|
||||
ssh: Include /etc/ssh/ssh_config.d/*.conf.
|
||||
|
||||
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
|
||||
PrintMotd.
|
||||
|
||||
sshd: Enable X11Forwarding.
|
||||
|
||||
sshd: Set 'AcceptEnv LANG LC_*' by default.
|
||||
|
||||
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
|
||||
|
||||
sshd: Include /etc/ssh/sshd_config.d/*.conf.
|
||||
|
||||
Document all of this.
|
||||
|
||||
Author: Russ Allbery <rra@debian.org>
|
||||
Forwarded: not-needed
|
||||
Last-Update: 2020-02-21
|
||||
|
||||
Patch-Name: debian-config.patch
|
||||
---
|
||||
readconf.c | 2 +-
|
||||
ssh.1 | 24 ++++++++++++++++++++++++
|
||||
ssh_config | 8 +++++++-
|
||||
ssh_config.5 | 26 +++++++++++++++++++++++++-
|
||||
sshd_config | 18 ++++++++++++------
|
||||
sshd_config.5 | 29 +++++++++++++++++++++++++++++
|
||||
6 files changed, 98 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 7f251dd4a..e82024678 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -2087,7 +2087,7 @@ fill_default_options(Options * options)
|
||||
if (options->forward_x11 == -1)
|
||||
options->forward_x11 = 0;
|
||||
if (options->forward_x11_trusted == -1)
|
||||
- options->forward_x11_trusted = 0;
|
||||
+ options->forward_x11_trusted = 1;
|
||||
if (options->forward_x11_timeout == -1)
|
||||
options->forward_x11_timeout = 1200;
|
||||
/*
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index b33a8049f..a8967c2f8 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -809,6 +809,16 @@ directive in
|
||||
.Xr ssh_config 5
|
||||
for more information.
|
||||
.Pp
|
||||
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
|
||||
+restrictions by default, because too many programs currently crash in this
|
||||
+mode.
|
||||
+Set the
|
||||
+.Cm ForwardX11Trusted
|
||||
+option to
|
||||
+.Dq no
|
||||
+to restore the upstream behaviour.
|
||||
+This may change in future depending on client-side improvements.)
|
||||
+.Pp
|
||||
.It Fl x
|
||||
Disables X11 forwarding.
|
||||
.Pp
|
||||
@@ -817,6 +827,20 @@ Enables trusted X11 forwarding.
|
||||
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
|
||||
controls.
|
||||
.Pp
|
||||
+(Debian-specific: In the default configuration, this option is equivalent to
|
||||
+.Fl X ,
|
||||
+since
|
||||
+.Cm ForwardX11Trusted
|
||||
+defaults to
|
||||
+.Dq yes
|
||||
+as described above.
|
||||
+Set the
|
||||
+.Cm ForwardX11Trusted
|
||||
+option to
|
||||
+.Dq no
|
||||
+to restore the upstream behaviour.
|
||||
+This may change in future depending on client-side improvements.)
|
||||
+.Pp
|
||||
.It Fl y
|
||||
Send log information using the
|
||||
.Xr syslog 3
|
||||
diff --git a/ssh_config b/ssh_config
|
||||
index 1ff999b68..8a55237b9 100644
|
||||
--- a/ssh_config
|
||||
+++ b/ssh_config
|
||||
@@ -17,9 +17,12 @@
|
||||
# list of available options, their meanings and defaults, please see the
|
||||
# ssh_config(5) man page.
|
||||
|
||||
-# Host *
|
||||
+Include /etc/ssh/ssh_config.d/*.conf
|
||||
+
|
||||
+Host *
|
||||
# ForwardAgent no
|
||||
# ForwardX11 no
|
||||
+# ForwardX11Trusted yes
|
||||
# PasswordAuthentication yes
|
||||
# HostbasedAuthentication no
|
||||
# GSSAPIAuthentication no
|
||||
@@ -45,3 +48,6 @@
|
||||
# VisualHostKey no
|
||||
# ProxyCommand ssh -q -W %h:%p gateway.example.com
|
||||
# RekeyLimit 1G 1h
|
||||
+ SendEnv LANG LC_*
|
||||
+ HashKnownHosts yes
|
||||
+ GSSAPIAuthentication yes
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index c6eaa63e7..34dc2d51b 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
|
||||
host-specific declarations should be given near the beginning of the
|
||||
file, and general defaults at the end.
|
||||
.Pp
|
||||
+Note that the Debian
|
||||
+.Ic openssh-client
|
||||
+package sets several options as standard in
|
||||
+.Pa /etc/ssh/ssh_config
|
||||
+which are not the default in
|
||||
+.Xr ssh 1 :
|
||||
+.Pp
|
||||
+.Bl -bullet -offset indent -compact
|
||||
+.It
|
||||
+.Cm Include /etc/ssh/ssh_config.d/*.conf
|
||||
+.It
|
||||
+.Cm SendEnv No LANG LC_*
|
||||
+.It
|
||||
+.Cm HashKnownHosts No yes
|
||||
+.It
|
||||
+.Cm GSSAPIAuthentication No yes
|
||||
+.El
|
||||
+.Pp
|
||||
+.Pa /etc/ssh/ssh_config.d/*.conf
|
||||
+files are included at the start of the system-wide configuration file, so
|
||||
+options set there will override those in
|
||||
+.Pa /etc/ssh/ssh_config.
|
||||
+.Pp
|
||||
The file contains keyword-argument pairs, one per line.
|
||||
Lines starting with
|
||||
.Ql #
|
||||
@@ -729,11 +752,12 @@ elapsed.
|
||||
.It Cm ForwardX11Trusted
|
||||
If this option is set to
|
||||
.Cm yes ,
|
||||
+(the Debian-specific default),
|
||||
remote X11 clients will have full access to the original X11 display.
|
||||
.Pp
|
||||
If this option is set to
|
||||
.Cm no
|
||||
-(the default),
|
||||
+(the upstream default),
|
||||
remote X11 clients will be considered untrusted and prevented
|
||||
from stealing or tampering with data belonging to trusted X11
|
||||
clients.
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 2c48105f8..459c1b230 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -10,6 +10,8 @@
|
||||
# possible, but leave them commented. Uncommented options override the
|
||||
# default value.
|
||||
|
||||
+Include /etc/ssh/sshd_config.d/*.conf
|
||||
+
|
||||
#Port 22
|
||||
#AddressFamily any
|
||||
#ListenAddress 0.0.0.0
|
||||
@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
#PasswordAuthentication yes
|
||||
#PermitEmptyPasswords no
|
||||
|
||||
-# Change to no to disable s/key passwords
|
||||
-#ChallengeResponseAuthentication yes
|
||||
+# Change to yes to enable challenge-response passwords (beware issues with
|
||||
+# some PAM modules and threads)
|
||||
+ChallengeResponseAuthentication no
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
-#UsePAM no
|
||||
+UsePAM yes
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
#AllowTcpForwarding yes
|
||||
#GatewayPorts no
|
||||
-#X11Forwarding no
|
||||
+X11Forwarding yes
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
-#PrintMotd yes
|
||||
+PrintMotd no
|
||||
#PrintLastLog yes
|
||||
#TCPKeepAlive yes
|
||||
#PermitUserEnvironment no
|
||||
@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
+# Allow client to pass locale environment variables
|
||||
+AcceptEnv LANG LC_*
|
||||
+
|
||||
# override default of no subsystems
|
||||
-Subsystem sftp /usr/libexec/sftp-server
|
||||
+Subsystem sftp /usr/lib/openssh/sftp-server
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index 25f4b8117..e8271be74 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
|
||||
.Pq \&"
|
||||
in order to represent arguments containing spaces.
|
||||
.Pp
|
||||
+Note that the Debian
|
||||
+.Ic openssh-server
|
||||
+package sets several options as standard in
|
||||
+.Pa /etc/ssh/sshd_config
|
||||
+which are not the default in
|
||||
+.Xr sshd 8 :
|
||||
+.Pp
|
||||
+.Bl -bullet -offset indent -compact
|
||||
+.It
|
||||
+.Cm Include /etc/ssh/sshd_config.d/*.conf
|
||||
+.It
|
||||
+.Cm ChallengeResponseAuthentication No no
|
||||
+.It
|
||||
+.Cm X11Forwarding No yes
|
||||
+.It
|
||||
+.Cm PrintMotd No no
|
||||
+.It
|
||||
+.Cm AcceptEnv No LANG LC_*
|
||||
+.It
|
||||
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
|
||||
+.It
|
||||
+.Cm UsePAM No yes
|
||||
+.El
|
||||
+.Pp
|
||||
+.Pa /etc/ssh/sshd_config.d/*.conf
|
||||
+files are included at the start of the configuration file, so options set
|
||||
+there will override those in
|
||||
+.Pa /etc/ssh/sshd_config.
|
||||
+.Pp
|
||||
The possible
|
||||
keywords and their meanings are as follows (note that
|
||||
keywords are case-insensitive and arguments are case-sensitive):
|
|
@ -1,94 +0,0 @@
|
|||
From 74c1c0ef7689ea68dc8263f73c00ff8675f9f0fe Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:10:01 +0000
|
||||
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
|
||||
|
||||
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
|
||||
|
||||
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
|
||||
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
|
||||
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
|
||||
Last-Update: 2010-04-06
|
||||
|
||||
Patch-Name: dnssec-sshfp.patch
|
||||
---
|
||||
dns.c | 14 +++++++++++++-
|
||||
openbsd-compat/getrrsetbyname.c | 10 +++++-----
|
||||
openbsd-compat/getrrsetbyname.h | 3 +++
|
||||
3 files changed, 21 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/dns.c b/dns.c
|
||||
index e4f9bf830..9c9fe6413 100644
|
||||
--- a/dns.c
|
||||
+++ b/dns.c
|
||||
@@ -210,6 +210,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
|
||||
{
|
||||
u_int counter;
|
||||
int result;
|
||||
+ unsigned int rrset_flags = 0;
|
||||
struct rrsetinfo *fingerprints = NULL;
|
||||
|
||||
u_int8_t hostkey_algorithm;
|
||||
@@ -233,8 +234,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * Original getrrsetbyname function, found on OpenBSD for example,
|
||||
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
|
||||
+ * DNS response is set by "options edns0" in resolv.conf.
|
||||
+ *
|
||||
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
|
||||
+ */
|
||||
+#ifndef HAVE_GETRRSETBYNAME
|
||||
+ rrset_flags |= RRSET_FORCE_EDNS0;
|
||||
+#endif
|
||||
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
|
||||
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
|
||||
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
|
||||
+
|
||||
if (result) {
|
||||
verbose("DNS lookup error: %s", dns_result_totext(result));
|
||||
return -1;
|
||||
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
|
||||
index dc6fe0533..e061a290a 100644
|
||||
--- a/openbsd-compat/getrrsetbyname.c
|
||||
+++ b/openbsd-compat/getrrsetbyname.c
|
||||
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- /* don't allow flags yet, unimplemented */
|
||||
- if (flags) {
|
||||
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
|
||||
+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
|
||||
result = ERRSET_INVAL;
|
||||
goto fail;
|
||||
}
|
||||
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
|
||||
#endif /* DEBUG */
|
||||
|
||||
#ifdef RES_USE_DNSSEC
|
||||
- /* turn on DNSSEC if EDNS0 is configured */
|
||||
- if (_resp->options & RES_USE_EDNS0)
|
||||
- _resp->options |= RES_USE_DNSSEC;
|
||||
+ /* turn on DNSSEC if required */
|
||||
+ if (flags & RRSET_FORCE_EDNS0)
|
||||
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
|
||||
#endif /* RES_USE_DNSEC */
|
||||
|
||||
/* make query */
|
||||
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
|
||||
index 1283f5506..dbbc85a2a 100644
|
||||
--- a/openbsd-compat/getrrsetbyname.h
|
||||
+++ b/openbsd-compat/getrrsetbyname.h
|
||||
@@ -72,6 +72,9 @@
|
||||
#ifndef RRSET_VALIDATED
|
||||
# define RRSET_VALIDATED 1
|
||||
#endif
|
||||
+#ifndef RRSET_FORCE_EDNS0
|
||||
+# define RRSET_FORCE_EDNS0 0x0001
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* Return codes for getrrsetbyname()
|
|
@ -1,28 +0,0 @@
|
|||
From a14ddfc3f607b0bf29046bfb4b26a6d827fa58c7 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:10:11 +0000
|
||||
Subject: Document that HashKnownHosts may break tab-completion
|
||||
|
||||
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
|
||||
Bug-Debian: http://bugs.debian.org/430154
|
||||
Last-Update: 2013-09-14
|
||||
|
||||
Patch-Name: doc-hash-tab-completion.patch
|
||||
---
|
||||
ssh_config.5 | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index e61a0fd43..c6eaa63e7 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -848,6 +848,9 @@ Note that existing names and addresses in known hosts files
|
||||
will not be converted automatically,
|
||||
but may be manually hashed using
|
||||
.Xr ssh-keygen 1 .
|
||||
+Use of this option may break facilities such as tab-completion that rely
|
||||
+on being able to read unhashed host names from
|
||||
+.Pa ~/.ssh/known_hosts .
|
||||
.It Cm HostbasedAuthentication
|
||||
Specifies whether to try rhosts based authentication with public key
|
||||
authentication.
|
|
@ -1,26 +0,0 @@
|
|||
From 63da84c3570afb4fa6bab38fdac3e9af45d0ec54 Mon Sep 17 00:00:00 2001
|
||||
From: Vincent Untz <vuntz@ubuntu.com>
|
||||
Date: Sun, 9 Feb 2014 16:10:16 +0000
|
||||
Subject: Give the ssh-askpass-gnome window a default icon
|
||||
|
||||
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
|
||||
Last-Update: 2010-02-28
|
||||
|
||||
Patch-Name: gnome-ssh-askpass2-icon.patch
|
||||
---
|
||||
contrib/gnome-ssh-askpass2.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
|
||||
index bc83a2d67..88cdfaeff 100644
|
||||
--- a/contrib/gnome-ssh-askpass2.c
|
||||
+++ b/contrib/gnome-ssh-askpass2.c
|
||||
@@ -233,6 +233,8 @@ main(int argc, char **argv)
|
||||
|
||||
gtk_init(&argc, &argv);
|
||||
|
||||
+ gtk_window_set_default_icon_from_file ("/usr/share/pixmaps/ssh-askpass-gnome.png", NULL);
|
||||
+
|
||||
if (argc > 1) {
|
||||
message = g_strjoinv(" ", argv + 1);
|
||||
} else {
|
File diff suppressed because it is too large
Load Diff
|
@ -1,135 +0,0 @@
|
|||
From 3558be2914c0127489faae40ce2eae66142c3287 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Kettlewell <rjk@greenend.org.uk>
|
||||
Date: Sun, 9 Feb 2014 16:09:52 +0000
|
||||
Subject: Various keepalive extensions
|
||||
|
||||
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
|
||||
in previous versions of Debian's OpenSSH package but since superseded by
|
||||
ServerAliveInterval. (We're probably stuck with this bit for
|
||||
compatibility.)
|
||||
|
||||
In batch mode, default ServerAliveInterval to five minutes.
|
||||
|
||||
Adjust documentation to match and to give some more advice on use of
|
||||
keepalives.
|
||||
|
||||
Author: Ian Jackson <ian@chiark.greenend.org.uk>
|
||||
Author: Matthew Vernon <matthew@debian.org>
|
||||
Author: Colin Watson <cjwatson@debian.org>
|
||||
Last-Update: 2020-02-21
|
||||
|
||||
Patch-Name: keepalive-extensions.patch
|
||||
---
|
||||
readconf.c | 14 ++++++++++++--
|
||||
ssh_config.5 | 21 +++++++++++++++++++--
|
||||
sshd_config.5 | 3 +++
|
||||
3 files changed, 34 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 0fc996871..2399208f8 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -176,6 +176,7 @@ typedef enum {
|
||||
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
|
||||
oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
|
||||
oSecurityKeyProvider,
|
||||
+ oProtocolKeepAlives, oSetupTimeOut,
|
||||
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
|
||||
} OpCodes;
|
||||
|
||||
@@ -326,6 +327,8 @@ static struct {
|
||||
{ "ignoreunknown", oIgnoreUnknown },
|
||||
{ "proxyjump", oProxyJump },
|
||||
{ "securitykeyprovider", oSecurityKeyProvider },
|
||||
+ { "protocolkeepalives", oProtocolKeepAlives },
|
||||
+ { "setuptimeout", oSetupTimeOut },
|
||||
|
||||
{ NULL, oBadOption }
|
||||
};
|
||||
@@ -1495,6 +1498,8 @@ parse_keytypes:
|
||||
goto parse_flag;
|
||||
|
||||
case oServerAliveInterval:
|
||||
+ case oProtocolKeepAlives: /* Debian-specific compatibility alias */
|
||||
+ case oSetupTimeOut: /* Debian-specific compatibility alias */
|
||||
intptr = &options->server_alive_interval;
|
||||
goto parse_time;
|
||||
|
||||
@@ -2198,8 +2203,13 @@ fill_default_options(Options * options)
|
||||
options->rekey_interval = 0;
|
||||
if (options->verify_host_key_dns == -1)
|
||||
options->verify_host_key_dns = 0;
|
||||
- if (options->server_alive_interval == -1)
|
||||
- options->server_alive_interval = 0;
|
||||
+ if (options->server_alive_interval == -1) {
|
||||
+ /* in batch mode, default is 5mins */
|
||||
+ if (options->batch_mode == 1)
|
||||
+ options->server_alive_interval = 300;
|
||||
+ else
|
||||
+ options->server_alive_interval = 0;
|
||||
+ }
|
||||
if (options->server_alive_count_max == -1)
|
||||
options->server_alive_count_max = 3;
|
||||
if (options->control_master == -1)
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index 3f4906972..3079db19b 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -266,9 +266,13 @@ If set to
|
||||
.Cm yes ,
|
||||
user interaction such as password prompts and host key confirmation requests
|
||||
will be disabled.
|
||||
+In addition, the
|
||||
+.Cm ServerAliveInterval
|
||||
+option will be set to 300 seconds by default (Debian-specific).
|
||||
This option is useful in scripts and other batch jobs where no user
|
||||
is present to interact with
|
||||
-.Xr ssh 1 .
|
||||
+.Xr ssh 1 ,
|
||||
+and where it is desirable to detect a broken network swiftly.
|
||||
The argument must be
|
||||
.Cm yes
|
||||
or
|
||||
@@ -1593,7 +1597,14 @@ from the server,
|
||||
will send a message through the encrypted
|
||||
channel to request a response from the server.
|
||||
The default
|
||||
-is 0, indicating that these messages will not be sent to the server.
|
||||
+is 0, indicating that these messages will not be sent to the server,
|
||||
+or 300 if the
|
||||
+.Cm BatchMode
|
||||
+option is set (Debian-specific).
|
||||
+.Cm ProtocolKeepAlives
|
||||
+and
|
||||
+.Cm SetupTimeOut
|
||||
+are Debian-specific compatibility aliases for this option.
|
||||
.It Cm SetEnv
|
||||
Directly specify one or more environment variables and their contents to
|
||||
be sent to the server.
|
||||
@@ -1673,6 +1684,12 @@ Specifies whether the system should send TCP keepalive messages to the
|
||||
other side.
|
||||
If they are sent, death of the connection or crash of one
|
||||
of the machines will be properly noticed.
|
||||
+This option only uses TCP keepalives (as opposed to using ssh level
|
||||
+keepalives), so takes a long time to notice when the connection dies.
|
||||
+As such, you probably want
|
||||
+the
|
||||
+.Cm ServerAliveInterval
|
||||
+option as well.
|
||||
However, this means that
|
||||
connections will die if the route is down temporarily, and some people
|
||||
find it annoying.
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index f6b41a2f8..ebd09f891 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -1668,6 +1668,9 @@ This avoids infinitely hanging sessions.
|
||||
.Pp
|
||||
To disable TCP keepalive messages, the value should be set to
|
||||
.Cm no .
|
||||
+.Pp
|
||||
+This option was formerly called
|
||||
+.Cm KeepAlive .
|
||||
.It Cm TrustedUserCAKeys
|
||||
Specifies a file containing public keys of certificate authorities that are
|
||||
trusted to sign user certificates for authentication, or
|
|
@ -1,44 +0,0 @@
|
|||
From c18e3c8125fc4553951705a1da8c86395d219bb1 Mon Sep 17 00:00:00 2001
|
||||
From: Scott Moser <smoser@ubuntu.com>
|
||||
Date: Sun, 9 Feb 2014 16:10:03 +0000
|
||||
Subject: Mention ssh-keygen in ssh fingerprint changed warning
|
||||
|
||||
Author: Chris Lamb <lamby@debian.org>
|
||||
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
|
||||
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
|
||||
Last-Update: 2017-08-22
|
||||
|
||||
Patch-Name: mention-ssh-keygen-on-keychange.patch
|
||||
---
|
||||
sshconnect.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index 4a5d4a003..b796d3c8a 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -991,9 +991,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
error("%s. This could either mean that", key_msg);
|
||||
error("DNS SPOOFING is happening or the IP address for the host");
|
||||
error("and its host key have changed at the same time.");
|
||||
- if (ip_status != HOST_NEW)
|
||||
+ if (ip_status != HOST_NEW) {
|
||||
error("Offending key for IP in %s:%lu",
|
||||
ip_found->file, ip_found->line);
|
||||
+ error(" remove with:");
|
||||
+ error(" ssh-keygen -f \"%s\" -R \"%s\"",
|
||||
+ ip_found->file, ip);
|
||||
+ }
|
||||
}
|
||||
/* The host key has changed. */
|
||||
warn_changed_key(host_key);
|
||||
@@ -1002,6 +1006,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
|
||||
error("Offending %s key in %s:%lu",
|
||||
sshkey_type(host_found->key),
|
||||
host_found->file, host_found->line);
|
||||
+ error(" remove with:");
|
||||
+ error(" ssh-keygen -f \"%s\" -R \"%s\"",
|
||||
+ host_found->file, host);
|
||||
|
||||
/*
|
||||
* If strict host key checking is in use, the user will have
|
|
@ -1,62 +0,0 @@
|
|||
From ba0377ab3e6b68f7ab747f500991a0445c7f4086 Mon Sep 17 00:00:00 2001
|
||||
From: Kurt Roeckx <kurt@roeckx.be>
|
||||
Date: Sun, 9 Feb 2014 16:10:14 +0000
|
||||
Subject: Don't check the status field of the OpenSSL version
|
||||
|
||||
There is no reason to check the version of OpenSSL (in Debian). If it's
|
||||
not compatible the soname will change. OpenSSH seems to want to do a
|
||||
check for the soname based on the version number, but wants to keep the
|
||||
status of the release the same. Remove that check on the status since
|
||||
it doesn't tell you anything about how compatible that version is.
|
||||
|
||||
Author: Colin Watson <cjwatson@debian.org>
|
||||
Bug-Debian: https://bugs.debian.org/93581
|
||||
Bug-Debian: https://bugs.debian.org/664383
|
||||
Bug-Debian: https://bugs.debian.org/732940
|
||||
Forwarded: not-needed
|
||||
Last-Update: 2014-10-07
|
||||
|
||||
Patch-Name: no-openssl-version-status.patch
|
||||
---
|
||||
openbsd-compat/openssl-compat.c | 6 +++---
|
||||
openbsd-compat/regress/opensslvertest.c | 1 +
|
||||
2 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
|
||||
index a37ca61bf..c1749210d 100644
|
||||
--- a/openbsd-compat/openssl-compat.c
|
||||
+++ b/openbsd-compat/openssl-compat.c
|
||||
@@ -34,7 +34,7 @@
|
||||
/*
|
||||
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
|
||||
* We match major, minor, fix and status (not patch) for <1.0.0.
|
||||
- * After that, we acceptable compatible fix versions (so we
|
||||
+ * After that, we accept compatible fix and status versions (so we
|
||||
* allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
|
||||
* within a patch series.
|
||||
*/
|
||||
@@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver)
|
||||
}
|
||||
|
||||
/*
|
||||
- * For versions >= 1.0.0, major,minor,status must match and library
|
||||
+ * For versions >= 1.0.0, major,minor must match and library
|
||||
* fix version must be equal to or newer than the header.
|
||||
*/
|
||||
- mask = 0xfff0000fL; /* major,minor,status */
|
||||
+ mask = 0xfff00000L; /* major,minor */
|
||||
hfix = (headerver & 0x000ff000) >> 12;
|
||||
lfix = (libver & 0x000ff000) >> 12;
|
||||
if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
|
||||
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
|
||||
index 5d019b598..58474873d 100644
|
||||
--- a/openbsd-compat/regress/opensslvertest.c
|
||||
+++ b/openbsd-compat/regress/opensslvertest.c
|
||||
@@ -35,6 +35,7 @@ struct version_test {
|
||||
|
||||
/* built with 1.0.1b release headers */
|
||||
{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
|
||||
+ { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */
|
||||
{ 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
|
||||
{ 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
|
||||
{ 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
|
|
@ -1,148 +0,0 @@
|
|||
From 39fe318a4b572deeb3f7d03e55d319c0ab112a28 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:10:09 +0000
|
||||
Subject: Adjust various OpenBSD-specific references in manual pages
|
||||
|
||||
No single bug reference for this patch, but history includes:
|
||||
http://bugs.debian.org/154434 (login.conf(5))
|
||||
http://bugs.debian.org/513417 (/etc/rc)
|
||||
http://bugs.debian.org/530692 (ssl(8))
|
||||
https://bugs.launchpad.net/bugs/456660 (ssl(8))
|
||||
|
||||
Forwarded: not-needed
|
||||
Last-Update: 2017-10-04
|
||||
|
||||
Patch-Name: openbsd-docs.patch
|
||||
---
|
||||
moduli.5 | 4 ++--
|
||||
ssh-keygen.1 | 12 ++++--------
|
||||
ssh.1 | 4 ++++
|
||||
sshd.8 | 5 ++---
|
||||
sshd_config.5 | 3 +--
|
||||
5 files changed, 13 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/moduli.5 b/moduli.5
|
||||
index ef0de0850..149846c8c 100644
|
||||
--- a/moduli.5
|
||||
+++ b/moduli.5
|
||||
@@ -21,7 +21,7 @@
|
||||
.Nd Diffie-Hellman moduli
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
-.Pa /etc/moduli
|
||||
+.Pa /etc/ssh/moduli
|
||||
file contains prime numbers and generators for use by
|
||||
.Xr sshd 8
|
||||
in the Diffie-Hellman Group Exchange key exchange method.
|
||||
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
|
||||
Diffie-Hellman output to sufficiently key the selected symmetric cipher.
|
||||
.Xr sshd 8
|
||||
then randomly selects a modulus from
|
||||
-.Fa /etc/moduli
|
||||
+.Fa /etc/ssh/moduli
|
||||
that best meets the size requirement.
|
||||
.Sh SEE ALSO
|
||||
.Xr ssh-keygen 1 ,
|
||||
diff --git a/ssh-keygen.1 b/ssh-keygen.1
|
||||
index 7af564297..d6a7870e0 100644
|
||||
--- a/ssh-keygen.1
|
||||
+++ b/ssh-keygen.1
|
||||
@@ -196,9 +196,7 @@ key in
|
||||
.Pa ~/.ssh/id_ed25519_sk
|
||||
or
|
||||
.Pa ~/.ssh/id_rsa .
|
||||
-Additionally, the system administrator may use this to generate host keys,
|
||||
-as seen in
|
||||
-.Pa /etc/rc .
|
||||
+Additionally, the system administrator may use this to generate host keys.
|
||||
.Pp
|
||||
Normally this program generates the key and asks for a file in which
|
||||
to store the private key.
|
||||
@@ -261,9 +259,7 @@ If
|
||||
.Fl f
|
||||
has also been specified, its argument is used as a prefix to the
|
||||
default path for the resulting host key files.
|
||||
-This is used by
|
||||
-.Pa /etc/rc
|
||||
-to generate new host keys.
|
||||
+This is used by system administration scripts to generate new host keys.
|
||||
.It Fl a Ar rounds
|
||||
When saving a private key, this option specifies the number of KDF
|
||||
(key derivation function) rounds used.
|
||||
@@ -783,7 +779,7 @@ option.
|
||||
Valid generator values are 2, 3, and 5.
|
||||
.Pp
|
||||
Screened DH groups may be installed in
|
||||
-.Pa /etc/moduli .
|
||||
+.Pa /etc/ssh/moduli .
|
||||
It is important that this file contains moduli of a range of bit lengths and
|
||||
that both ends of a connection share common moduli.
|
||||
.Pp
|
||||
@@ -1154,7 +1150,7 @@ on all machines
|
||||
where the user wishes to log in using public key authentication.
|
||||
There is no need to keep the contents of this file secret.
|
||||
.Pp
|
||||
-.It Pa /etc/moduli
|
||||
+.It Pa /etc/ssh/moduli
|
||||
Contains Diffie-Hellman groups used for DH-GEX.
|
||||
The file format is described in
|
||||
.Xr moduli 5 .
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index cf991e4ee..17b0e984f 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -887,6 +887,10 @@ implements public key authentication protocol automatically,
|
||||
using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
|
||||
The HISTORY section of
|
||||
.Xr ssl 8
|
||||
+(on non-OpenBSD systems, see
|
||||
+.nh
|
||||
+http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
|
||||
+.hy
|
||||
contains a brief discussion of the DSA and RSA algorithms.
|
||||
.Pp
|
||||
The file
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index 730520231..5ce0ea4fa 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -65,7 +65,7 @@ over an insecure network.
|
||||
.Nm
|
||||
listens for connections from clients.
|
||||
It is normally started at boot from
|
||||
-.Pa /etc/rc .
|
||||
+.Pa /etc/init.d/ssh .
|
||||
It forks a new
|
||||
daemon for each incoming connection.
|
||||
The forked daemons handle
|
||||
@@ -904,7 +904,7 @@ This file is for host-based authentication (see
|
||||
.Xr ssh 1 ) .
|
||||
It should only be writable by root.
|
||||
.Pp
|
||||
-.It Pa /etc/moduli
|
||||
+.It Pa /etc/ssh/moduli
|
||||
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
|
||||
key exchange method.
|
||||
The file format is described in
|
||||
@@ -1002,7 +1002,6 @@ The content of this file is not sensitive; it can be world-readable.
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
.Xr hosts_access 5 ,
|
||||
-.Xr login.conf 5 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd_config 5 ,
|
||||
.Xr inetd 8 ,
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index c926f584c..25f4b8117 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -387,8 +387,7 @@ Certificates signed using other algorithms will not be accepted for
|
||||
public key or host-based authentication.
|
||||
.It Cm ChallengeResponseAuthentication
|
||||
Specifies whether challenge-response authentication is allowed (e.g. via
|
||||
-PAM or through authentication styles supported in
|
||||
-.Xr login.conf 5 )
|
||||
+PAM).
|
||||
The default is
|
||||
.Cm yes .
|
||||
.It Cm ChrootDirectory
|
|
@ -1,47 +0,0 @@
|
|||
From a4f868858c3395cacb59c58786b501317b9a3d03 Mon Sep 17 00:00:00 2001
|
||||
From: Matthew Vernon <matthew@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:10:05 +0000
|
||||
Subject: Include the Debian version in our identification
|
||||
|
||||
This makes it easier to audit networks for versions patched against security
|
||||
vulnerabilities. It has little detrimental effect, as attackers will
|
||||
generally just try attacks rather than bothering to scan for
|
||||
vulnerable-looking version strings. (However, see debian-banner.patch.)
|
||||
|
||||
Forwarded: not-needed
|
||||
Last-Update: 2019-06-05
|
||||
|
||||
Patch-Name: package-versioning.patch
|
||||
---
|
||||
kex.c | 2 +-
|
||||
version.h | 7 ++++++-
|
||||
2 files changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/kex.c b/kex.c
|
||||
index 574c76093..f638942d3 100644
|
||||
--- a/kex.c
|
||||
+++ b/kex.c
|
||||
@@ -1244,7 +1244,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
|
||||
if (version_addendum != NULL && *version_addendum == '\0')
|
||||
version_addendum = NULL;
|
||||
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
|
||||
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
|
||||
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
|
||||
version_addendum == NULL ? "" : " ",
|
||||
version_addendum == NULL ? "" : version_addendum)) != 0) {
|
||||
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
|
||||
diff --git a/version.h b/version.h
|
||||
index c2affcb2a..d79126cc3 100644
|
||||
--- a/version.h
|
||||
+++ b/version.h
|
||||
@@ -3,4 +3,9 @@
|
||||
#define SSH_VERSION "OpenSSH_8.2"
|
||||
|
||||
#define SSH_PORTABLE "p1"
|
||||
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
|
||||
+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
|
||||
+#ifdef SSH_EXTRAVERSION
|
||||
+#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
|
||||
+#else
|
||||
+#define SSH_RELEASE SSH_RELEASE_MINIMUM
|
||||
+#endif
|
|
@ -1,35 +0,0 @@
|
|||
From 58390cbd5e07df92729b794beb491f7352b26993 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sun, 5 Mar 2017 02:02:11 +0000
|
||||
Subject: Restore reading authorized_keys2 by default
|
||||
|
||||
Upstream seems to intend to gradually phase this out, so don't assume
|
||||
that this will remain the default forever. However, we were late in
|
||||
adopting the upstream sshd_config changes, so it makes sense to extend
|
||||
the grace period.
|
||||
|
||||
Bug-Debian: https://bugs.debian.org/852320
|
||||
Forwarded: not-needed
|
||||
Last-Update: 2017-03-05
|
||||
|
||||
Patch-Name: restore-authorized_keys2.patch
|
||||
---
|
||||
sshd_config | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/sshd_config b/sshd_config
|
||||
index 459c1b230..dc0db5706 100644
|
||||
--- a/sshd_config
|
||||
+++ b/sshd_config
|
||||
@@ -38,9 +38,8 @@ Include /etc/ssh/sshd_config.d/*.conf
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
-# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
-AuthorizedKeysFile .ssh/authorized_keys
|
||||
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
|
||||
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
|
||||
|
||||
#AuthorizedPrincipalsFile none
|
||||
|
|
@ -1,172 +0,0 @@
|
|||
From 31d42cd8624f29508f772447e617ab043a6487d9 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Tue, 7 Oct 2014 13:22:41 +0100
|
||||
Subject: Restore TCP wrappers support
|
||||
|
||||
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
|
||||
and thread:
|
||||
|
||||
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
|
||||
|
||||
It is true that this reduces preauth attack surface in sshd. On the
|
||||
other hand, this support seems to be quite widely used, and abruptly
|
||||
dropping it (from the perspective of users who don't read
|
||||
openssh-unix-dev) could easily cause more serious problems in practice.
|
||||
|
||||
It's not entirely clear what the right long-term answer for Debian is,
|
||||
but it at least probably doesn't involve dropping this feature shortly
|
||||
before a freeze.
|
||||
|
||||
Forwarded: not-needed
|
||||
Last-Update: 2019-06-05
|
||||
|
||||
Patch-Name: restore-tcp-wrappers.patch
|
||||
---
|
||||
configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
sshd.8 | 7 +++++++
|
||||
sshd.c | 25 +++++++++++++++++++++++
|
||||
3 files changed, 89 insertions(+)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index efafb6bd8..cee7cbc51 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1556,6 +1556,62 @@ else
|
||||
AC_MSG_RESULT([no])
|
||||
fi
|
||||
|
||||
+# Check whether user wants TCP wrappers support
|
||||
+TCPW_MSG="no"
|
||||
+AC_ARG_WITH([tcp-wrappers],
|
||||
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
|
||||
+ [
|
||||
+ if test "x$withval" != "xno" ; then
|
||||
+ saved_LIBS="$LIBS"
|
||||
+ saved_LDFLAGS="$LDFLAGS"
|
||||
+ saved_CPPFLAGS="$CPPFLAGS"
|
||||
+ if test -n "${withval}" && \
|
||||
+ test "x${withval}" != "xyes"; then
|
||||
+ if test -d "${withval}/lib"; then
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
|
||||
+ fi
|
||||
+ else
|
||||
+ if test -n "${need_dash_r}"; then
|
||||
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
|
||||
+ else
|
||||
+ LDFLAGS="-L${withval} ${LDFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test -d "${withval}/include"; then
|
||||
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
|
||||
+ else
|
||||
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ LIBS="-lwrap $LIBS"
|
||||
+ AC_MSG_CHECKING([for libwrap])
|
||||
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <netinet/in.h>
|
||||
+#include <tcpd.h>
|
||||
+int deny_severity = 0, allow_severity = 0;
|
||||
+ ]], [[
|
||||
+ hosts_access(0);
|
||||
+ ]])], [
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE([LIBWRAP], [1],
|
||||
+ [Define if you want
|
||||
+ TCP Wrappers support])
|
||||
+ SSHDLIBS="$SSHDLIBS -lwrap"
|
||||
+ TCPW_MSG="yes"
|
||||
+ ], [
|
||||
+ AC_MSG_ERROR([*** libwrap missing])
|
||||
+
|
||||
+ ])
|
||||
+ LIBS="$saved_LIBS"
|
||||
+ fi
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Check whether user wants to use ldns
|
||||
LDNS_MSG="no"
|
||||
AC_ARG_WITH(ldns,
|
||||
@@ -5413,6 +5469,7 @@ echo " PAM support: $PAM_MSG"
|
||||
echo " OSF SIA support: $SIA_MSG"
|
||||
echo " KerberosV support: $KRB5_MSG"
|
||||
echo " SELinux support: $SELINUX_MSG"
|
||||
+echo " TCP Wrappers support: $TCPW_MSG"
|
||||
echo " MD5 password support: $MD5_MSG"
|
||||
echo " libedit support: $LIBEDIT_MSG"
|
||||
echo " libldns support: $LDNS_MSG"
|
||||
diff --git a/sshd.8 b/sshd.8
|
||||
index c5f8987d2..730520231 100644
|
||||
--- a/sshd.8
|
||||
+++ b/sshd.8
|
||||
@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
|
||||
This file should be writable only by the user, and need not be
|
||||
readable by anyone else.
|
||||
.Pp
|
||||
+.It Pa /etc/hosts.allow
|
||||
+.It Pa /etc/hosts.deny
|
||||
+Access controls that should be enforced by tcp-wrappers are defined here.
|
||||
+Further details are described in
|
||||
+.Xr hosts_access 5 .
|
||||
+.Pp
|
||||
.It Pa /etc/hosts.equiv
|
||||
This file is for host-based authentication (see
|
||||
.Xr ssh 1 ) .
|
||||
@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr chroot 2 ,
|
||||
+.Xr hosts_access 5 ,
|
||||
.Xr login.conf 5 ,
|
||||
.Xr moduli 5 ,
|
||||
.Xr sshd_config 5 ,
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index d92f03aaf..62dc55cf2 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -124,6 +124,13 @@
|
||||
#include "ssherr.h"
|
||||
#include "sk-api.h"
|
||||
|
||||
+#ifdef LIBWRAP
|
||||
+#include <tcpd.h>
|
||||
+#include <syslog.h>
|
||||
+int allow_severity;
|
||||
+int deny_severity;
|
||||
+#endif /* LIBWRAP */
|
||||
+
|
||||
/* Re-exec fds */
|
||||
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
|
||||
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
|
||||
@@ -2138,6 +2145,24 @@ main(int ac, char **av)
|
||||
#ifdef SSH_AUDIT_EVENTS
|
||||
audit_connection_from(remote_ip, remote_port);
|
||||
#endif
|
||||
+#ifdef LIBWRAP
|
||||
+ allow_severity = options.log_facility|LOG_INFO;
|
||||
+ deny_severity = options.log_facility|LOG_WARNING;
|
||||
+ /* Check whether logins are denied from this host. */
|
||||
+ if (ssh_packet_connection_is_on_socket(ssh)) {
|
||||
+ struct request_info req;
|
||||
+
|
||||
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
|
||||
+ fromhost(&req);
|
||||
+
|
||||
+ if (!hosts_access(&req)) {
|
||||
+ debug("Connection refused by tcp wrapper");
|
||||
+ refuse(&req);
|
||||
+ /* NOTREACHED */
|
||||
+ fatal("libwrap refuse returns");
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* LIBWRAP */
|
||||
|
||||
rdomain = ssh_packet_rdomain_in(ssh);
|
||||
|
|
@ -1,93 +0,0 @@
|
|||
From 86fe78ef4686485394b464cf9d3393ce27b33979 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Mon, 8 Apr 2019 10:46:29 +0100
|
||||
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
|
||||
AF21 for"
|
||||
|
||||
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
|
||||
|
||||
The IPQoS default changes have some unfortunate interactions with
|
||||
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
|
||||
temporarily reverting them until those have been fixed.
|
||||
|
||||
Bug-Debian: https://bugs.debian.org/923879
|
||||
Bug-Debian: https://bugs.debian.org/926229
|
||||
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
|
||||
Last-Update: 2019-04-08
|
||||
|
||||
Patch-Name: revert-ipqos-defaults.patch
|
||||
---
|
||||
readconf.c | 4 ++--
|
||||
servconf.c | 4 ++--
|
||||
ssh_config.5 | 6 ++----
|
||||
sshd_config.5 | 6 ++----
|
||||
4 files changed, 8 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index e82024678..1b9494d7c 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -2230,9 +2230,9 @@ fill_default_options(Options * options)
|
||||
if (options->visual_host_key == -1)
|
||||
options->visual_host_key = 0;
|
||||
if (options->ip_qos_interactive == -1)
|
||||
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
|
||||
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||
if (options->ip_qos_bulk == -1)
|
||||
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
|
||||
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->request_tty == -1)
|
||||
options->request_tty = REQUEST_TTY_AUTO;
|
||||
if (options->proxy_use_fdpass == -1)
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 7bbc25c2e..470ad3619 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -452,9 +452,9 @@ fill_default_server_options(ServerOptions *options)
|
||||
if (options->permit_tun == -1)
|
||||
options->permit_tun = SSH_TUNMODE_NO;
|
||||
if (options->ip_qos_interactive == -1)
|
||||
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
|
||||
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
|
||||
if (options->ip_qos_bulk == -1)
|
||||
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
|
||||
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
|
||||
if (options->version_addendum == NULL)
|
||||
options->version_addendum = xstrdup("");
|
||||
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index 34dc2d51b..91beb6f50 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -1140,11 +1140,9 @@ If one argument is specified, it is used as the packet class unconditionally.
|
||||
If two values are specified, the first is automatically selected for
|
||||
interactive sessions and the second for non-interactive sessions.
|
||||
The default is
|
||||
-.Cm af21
|
||||
-(Low-Latency Data)
|
||||
+.Cm lowdelay
|
||||
for interactive sessions and
|
||||
-.Cm cs1
|
||||
-(Lower Effort)
|
||||
+.Cm throughput
|
||||
for non-interactive sessions.
|
||||
.It Cm KbdInteractiveAuthentication
|
||||
Specifies whether to use keyboard-interactive authentication.
|
||||
diff --git a/sshd_config.5 b/sshd_config.5
|
||||
index e8271be74..d25b2f3d5 100644
|
||||
--- a/sshd_config.5
|
||||
+++ b/sshd_config.5
|
||||
@@ -914,11 +914,9 @@ If one argument is specified, it is used as the packet class unconditionally.
|
||||
If two values are specified, the first is automatically selected for
|
||||
interactive sessions and the second for non-interactive sessions.
|
||||
The default is
|
||||
-.Cm af21
|
||||
-(Low-Latency Data)
|
||||
+.Cm lowdelay
|
||||
for interactive sessions and
|
||||
-.Cm cs1
|
||||
-(Lower Effort)
|
||||
+.Cm throughput
|
||||
for non-interactive sessions.
|
||||
.It Cm KbdInteractiveAuthentication
|
||||
Specifies whether to allow keyboard-interactive authentication.
|
|
@ -1,41 +0,0 @@
|
|||
From 5166a6af68da4778c7e2c2d117bb56361c7aa361 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
|
||||
Date: Sun, 9 Feb 2014 16:09:59 +0000
|
||||
Subject: Adjust scp quoting in verbose mode
|
||||
|
||||
Tweak scp's reporting of filenames in verbose mode to be a bit less
|
||||
confusing with spaces.
|
||||
|
||||
This should be revised to mimic real shell quoting.
|
||||
|
||||
Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
|
||||
Last-Update: 2010-02-27
|
||||
|
||||
Patch-Name: scp-quoting.patch
|
||||
---
|
||||
scp.c | 12 ++++++++++--
|
||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/scp.c b/scp.c
|
||||
index 6901e0c94..9b64aa5f4 100644
|
||||
--- a/scp.c
|
||||
+++ b/scp.c
|
||||
@@ -201,8 +201,16 @@ do_local_cmd(arglist *a)
|
||||
|
||||
if (verbose_mode) {
|
||||
fprintf(stderr, "Executing:");
|
||||
- for (i = 0; i < a->num; i++)
|
||||
- fmprintf(stderr, " %s", a->list[i]);
|
||||
+ for (i = 0; i < a->num; i++) {
|
||||
+ if (i == 0)
|
||||
+ fmprintf(stderr, " %s", a->list[i]);
|
||||
+ else
|
||||
+ /*
|
||||
+ * TODO: misbehaves if a->list[i] contains a
|
||||
+ * single quote
|
||||
+ */
|
||||
+ fmprintf(stderr, " '%s'", a->list[i]);
|
||||
+ }
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
if ((pid = fork()) == -1)
|
|
@ -1,472 +0,0 @@
|
|||
From b108c6bbe4b3691600a272b27fa24d9080018db7 Mon Sep 17 00:00:00 2001
|
||||
From: Manoj Srivastava <srivasta@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:09:49 +0000
|
||||
Subject: Handle SELinux authorisation roles
|
||||
|
||||
Rejected upstream due to discomfort with magic usernames; a better approach
|
||||
will need an SSH protocol change. In the meantime, this came from Debian's
|
||||
SELinux maintainer, so we'll keep it until we have something better.
|
||||
|
||||
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
|
||||
Bug-Debian: http://bugs.debian.org/394795
|
||||
Last-Update: 2020-02-21
|
||||
|
||||
Patch-Name: selinux-role.patch
|
||||
---
|
||||
auth.h | 1 +
|
||||
auth2.c | 10 ++++++++--
|
||||
monitor.c | 37 +++++++++++++++++++++++++++++++++----
|
||||
monitor.h | 2 ++
|
||||
monitor_wrap.c | 27 ++++++++++++++++++++++++---
|
||||
monitor_wrap.h | 3 ++-
|
||||
openbsd-compat/port-linux.c | 21 ++++++++++++++-------
|
||||
openbsd-compat/port-linux.h | 4 ++--
|
||||
platform.c | 4 ++--
|
||||
platform.h | 2 +-
|
||||
session.c | 10 +++++-----
|
||||
session.h | 2 +-
|
||||
sshd.c | 2 +-
|
||||
sshpty.c | 4 ++--
|
||||
sshpty.h | 2 +-
|
||||
15 files changed, 99 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/auth.h b/auth.h
|
||||
index becc672b5..5da9fe75f 100644
|
||||
--- a/auth.h
|
||||
+++ b/auth.h
|
||||
@@ -63,6 +63,7 @@ struct Authctxt {
|
||||
char *service;
|
||||
struct passwd *pw; /* set if 'valid' */
|
||||
char *style;
|
||||
+ char *role;
|
||||
|
||||
/* Method lists for multiple authentication */
|
||||
char **auth_methods; /* modified from server config */
|
||||
diff --git a/auth2.c b/auth2.c
|
||||
index 1c217268c..92a6bcaf4 100644
|
||||
--- a/auth2.c
|
||||
+++ b/auth2.c
|
||||
@@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
|
||||
{
|
||||
Authctxt *authctxt = ssh->authctxt;
|
||||
Authmethod *m = NULL;
|
||||
- char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
|
||||
+ char *user = NULL, *service = NULL, *method = NULL, *style = NULL, *role = NULL;
|
||||
int r, authenticated = 0;
|
||||
double tstart = monotime_double();
|
||||
|
||||
@@ -279,8 +279,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
|
||||
debug("userauth-request for user %s service %s method %s", user, service, method);
|
||||
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
|
||||
|
||||
+ if ((role = strchr(user, '/')) != NULL)
|
||||
+ *role++ = 0;
|
||||
+
|
||||
if ((style = strchr(user, ':')) != NULL)
|
||||
*style++ = 0;
|
||||
+ else if (role && (style = strchr(role, ':')) != NULL)
|
||||
+ *style++ = '\0';
|
||||
|
||||
if (authctxt->attempt++ == 0) {
|
||||
/* setup auth context */
|
||||
@@ -307,8 +312,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
|
||||
use_privsep ? " [net]" : "");
|
||||
authctxt->service = xstrdup(service);
|
||||
authctxt->style = style ? xstrdup(style) : NULL;
|
||||
+ authctxt->role = role ? xstrdup(role) : NULL;
|
||||
if (use_privsep)
|
||||
- mm_inform_authserv(service, style);
|
||||
+ mm_inform_authserv(service, style, role);
|
||||
userauth_banner(ssh);
|
||||
if (auth2_setup_methods_lists(authctxt) != 0)
|
||||
ssh_packet_disconnect(ssh,
|
||||
diff --git a/monitor.c b/monitor.c
|
||||
index ebf76c7f9..947fdfadc 100644
|
||||
--- a/monitor.c
|
||||
+++ b/monitor.c
|
||||
@@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
|
||||
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
|
||||
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
|
||||
@@ -198,6 +199,7 @@ struct mon_table mon_dispatch_proto20[] = {
|
||||
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
|
||||
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
|
||||
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
|
||||
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
|
||||
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
|
||||
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
|
||||
#ifdef USE_PAM
|
||||
@@ -820,6 +822,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
|
||||
/* Allow service/style information on the auth context */
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
|
||||
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
|
||||
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
|
||||
|
||||
#ifdef USE_PAM
|
||||
@@ -853,16 +856,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
monitor_permit_authentications(1);
|
||||
|
||||
if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
|
||||
- (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0)
|
||||
+ (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 ||
|
||||
+ (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
- debug3("%s: service=%s, style=%s",
|
||||
- __func__, authctxt->service, authctxt->style);
|
||||
+ debug3("%s: service=%s, style=%s, role=%s",
|
||||
+ __func__, authctxt->service, authctxt->style, authctxt->role);
|
||||
|
||||
if (strlen(authctxt->style) == 0) {
|
||||
free(authctxt->style);
|
||||
authctxt->style = NULL;
|
||||
}
|
||||
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ free(authctxt->role);
|
||||
+ authctxt->role = NULL;
|
||||
+ }
|
||||
+
|
||||
+ return (0);
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
+{
|
||||
+ int r;
|
||||
+
|
||||
+ monitor_permit_authentications(1);
|
||||
+
|
||||
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+ debug3("%s: role=%s",
|
||||
+ __func__, authctxt->role);
|
||||
+
|
||||
+ if (strlen(authctxt->role) == 0) {
|
||||
+ free(authctxt->role);
|
||||
+ authctxt->role = NULL;
|
||||
+ }
|
||||
+
|
||||
return (0);
|
||||
}
|
||||
|
||||
@@ -1554,7 +1583,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
|
||||
res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
|
||||
if (res == 0)
|
||||
goto error;
|
||||
- pty_setowner(authctxt->pw, s->tty);
|
||||
+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
|
||||
|
||||
if ((r = sshbuf_put_u32(m, 1)) != 0 ||
|
||||
(r = sshbuf_put_cstring(m, s->tty)) != 0)
|
||||
diff --git a/monitor.h b/monitor.h
|
||||
index 2b1a2d590..4d87284aa 100644
|
||||
--- a/monitor.h
|
||||
+++ b/monitor.h
|
||||
@@ -65,6 +65,8 @@ enum monitor_reqtype {
|
||||
|
||||
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
|
||||
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
|
||||
+
|
||||
+ MONITOR_REQ_AUTHROLE = 154,
|
||||
};
|
||||
|
||||
struct ssh;
|
||||
diff --git a/monitor_wrap.c b/monitor_wrap.c
|
||||
index 6edb509a3..b49c268d3 100644
|
||||
--- a/monitor_wrap.c
|
||||
+++ b/monitor_wrap.c
|
||||
@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
|
||||
return (banner);
|
||||
}
|
||||
|
||||
-/* Inform the privileged process about service and style */
|
||||
+/* Inform the privileged process about service, style, and role */
|
||||
|
||||
void
|
||||
-mm_inform_authserv(char *service, char *style)
|
||||
+mm_inform_authserv(char *service, char *style, char *role)
|
||||
{
|
||||
struct sshbuf *m;
|
||||
int r;
|
||||
@@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style)
|
||||
if ((m = sshbuf_new()) == NULL)
|
||||
fatal("%s: sshbuf_new failed", __func__);
|
||||
if ((r = sshbuf_put_cstring(m, service)) != 0 ||
|
||||
- (r = sshbuf_put_cstring(m, style ? style : "")) != 0)
|
||||
+ (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
|
||||
+ (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
|
||||
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
|
||||
@@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style)
|
||||
sshbuf_free(m);
|
||||
}
|
||||
|
||||
+/* Inform the privileged process about role */
|
||||
+
|
||||
+void
|
||||
+mm_inform_authrole(char *role)
|
||||
+{
|
||||
+ struct sshbuf *m;
|
||||
+ int r;
|
||||
+
|
||||
+ debug3("%s entering", __func__);
|
||||
+
|
||||
+ if ((m = sshbuf_new()) == NULL)
|
||||
+ fatal("%s: sshbuf_new failed", __func__);
|
||||
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
|
||||
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
||||
+
|
||||
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
|
||||
+
|
||||
+ sshbuf_free(m);
|
||||
+}
|
||||
+
|
||||
/* Do the password authentication */
|
||||
int
|
||||
mm_auth_password(struct ssh *ssh, char *password)
|
||||
diff --git a/monitor_wrap.h b/monitor_wrap.h
|
||||
index 485590c18..370b08e17 100644
|
||||
--- a/monitor_wrap.h
|
||||
+++ b/monitor_wrap.h
|
||||
@@ -47,7 +47,8 @@ DH *mm_choose_dh(int, int, int);
|
||||
#endif
|
||||
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
|
||||
const u_char *, size_t, const char *, const char *, u_int compat);
|
||||
-void mm_inform_authserv(char *, char *);
|
||||
+void mm_inform_authserv(char *, char *, char *);
|
||||
+void mm_inform_authrole(char *);
|
||||
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
|
||||
char *mm_auth2_read_banner(void);
|
||||
int mm_auth_password(struct ssh *, char *);
|
||||
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
|
||||
index 622988822..3e6e07670 100644
|
||||
--- a/openbsd-compat/port-linux.c
|
||||
+++ b/openbsd-compat/port-linux.c
|
||||
@@ -56,7 +56,7 @@ ssh_selinux_enabled(void)
|
||||
|
||||
/* Return the default security context for the given username */
|
||||
static security_context_t
|
||||
-ssh_selinux_getctxbyname(char *pwname)
|
||||
+ssh_selinux_getctxbyname(char *pwname, const char *role)
|
||||
{
|
||||
security_context_t sc = NULL;
|
||||
char *sename = NULL, *lvl = NULL;
|
||||
@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
|
||||
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
|
||||
+ if (role != NULL && role[0])
|
||||
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
|
||||
+ &sc);
|
||||
+ else
|
||||
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
|
||||
#else
|
||||
- r = get_default_context(sename, NULL, &sc);
|
||||
+ if (role != NULL && role[0])
|
||||
+ r = get_default_context_with_role(sename, role, NULL, &sc);
|
||||
+ else
|
||||
+ r = get_default_context(sename, NULL, &sc);
|
||||
#endif
|
||||
|
||||
if (r != 0) {
|
||||
@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname)
|
||||
|
||||
/* Set the execution context to the default for the specified user */
|
||||
void
|
||||
-ssh_selinux_setup_exec_context(char *pwname)
|
||||
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
|
||||
{
|
||||
security_context_t user_ctx = NULL;
|
||||
|
||||
@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname)
|
||||
|
||||
debug3("%s: setting execution context", __func__);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
|
||||
if (setexeccon(user_ctx) != 0) {
|
||||
switch (security_getenforce()) {
|
||||
case -1:
|
||||
@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname)
|
||||
|
||||
/* Set the TTY context for the specified user */
|
||||
void
|
||||
-ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
|
||||
{
|
||||
security_context_t new_tty_ctx = NULL;
|
||||
security_context_t user_ctx = NULL;
|
||||
@@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
|
||||
|
||||
debug3("%s: setting TTY context on %s", __func__, tty);
|
||||
|
||||
- user_ctx = ssh_selinux_getctxbyname(pwname);
|
||||
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
|
||||
|
||||
/* XXX: should these calls fatal() upon failure in enforcing mode? */
|
||||
|
||||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
|
||||
index 3c22a854d..c88129428 100644
|
||||
--- a/openbsd-compat/port-linux.h
|
||||
+++ b/openbsd-compat/port-linux.h
|
||||
@@ -19,8 +19,8 @@
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
int ssh_selinux_enabled(void);
|
||||
-void ssh_selinux_setup_pty(char *, const char *);
|
||||
-void ssh_selinux_setup_exec_context(char *);
|
||||
+void ssh_selinux_setup_pty(char *, const char *, const char *);
|
||||
+void ssh_selinux_setup_exec_context(char *, const char *);
|
||||
void ssh_selinux_change_context(const char *);
|
||||
void ssh_selinux_setfscreatecon(const char *);
|
||||
#endif
|
||||
diff --git a/platform.c b/platform.c
|
||||
index 44ba71dc5..2defe9425 100644
|
||||
--- a/platform.c
|
||||
+++ b/platform.c
|
||||
@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
|
||||
* called if sshd is running as root.
|
||||
*/
|
||||
void
|
||||
-platform_setusercontext_post_groups(struct passwd *pw)
|
||||
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
|
||||
{
|
||||
#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
|
||||
/*
|
||||
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
|
||||
}
|
||||
#endif /* HAVE_SETPCRED */
|
||||
#ifdef WITH_SELINUX
|
||||
- ssh_selinux_setup_exec_context(pw->pw_name);
|
||||
+ ssh_selinux_setup_exec_context(pw->pw_name, role);
|
||||
#endif
|
||||
}
|
||||
|
||||
diff --git a/platform.h b/platform.h
|
||||
index ea4f9c584..60d72ffe7 100644
|
||||
--- a/platform.h
|
||||
+++ b/platform.h
|
||||
@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
|
||||
void platform_post_fork_child(void);
|
||||
int platform_privileged_uidswap(void);
|
||||
void platform_setusercontext(struct passwd *);
|
||||
-void platform_setusercontext_post_groups(struct passwd *);
|
||||
+void platform_setusercontext_post_groups(struct passwd *, const char *);
|
||||
char *platform_get_krb5_client(const char *);
|
||||
char *platform_krb5_get_principal_name(const char *);
|
||||
int platform_sys_dir_uid(uid_t);
|
||||
diff --git a/session.c b/session.c
|
||||
index 06a33442a..871799590 100644
|
||||
--- a/session.c
|
||||
+++ b/session.c
|
||||
@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
|
||||
|
||||
/* Set login name, uid, gid, and groups. */
|
||||
void
|
||||
-do_setusercontext(struct passwd *pw)
|
||||
+do_setusercontext(struct passwd *pw, const char *role)
|
||||
{
|
||||
char uidstr[32], *chroot_path, *tmp;
|
||||
|
||||
@@ -1388,7 +1388,7 @@ do_setusercontext(struct passwd *pw)
|
||||
endgrent();
|
||||
#endif
|
||||
|
||||
- platform_setusercontext_post_groups(pw);
|
||||
+ platform_setusercontext_post_groups(pw, role);
|
||||
|
||||
if (!in_chroot && options.chroot_directory != NULL &&
|
||||
strcasecmp(options.chroot_directory, "none") != 0) {
|
||||
@@ -1529,7 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
|
||||
/* Force a password change */
|
||||
if (s->authctxt->force_pwchange) {
|
||||
- do_setusercontext(pw);
|
||||
+ do_setusercontext(pw, s->authctxt->role);
|
||||
child_close_fds(ssh);
|
||||
do_pwchange(s);
|
||||
exit(1);
|
||||
@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
|
||||
/* When PAM is enabled we rely on it to do the nologin check */
|
||||
if (!options.use_pam)
|
||||
do_nologin(pw);
|
||||
- do_setusercontext(pw);
|
||||
+ do_setusercontext(pw, s->authctxt->role);
|
||||
/*
|
||||
* PAM session modules in do_setusercontext may have
|
||||
* generated messages, so if this in an interactive
|
||||
@@ -1946,7 +1946,7 @@ session_pty_req(struct ssh *ssh, Session *s)
|
||||
sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
|
||||
|
||||
if (!use_privsep)
|
||||
- pty_setowner(s->pw, s->tty);
|
||||
+ pty_setowner(s->pw, s->tty, s->authctxt->role);
|
||||
|
||||
/* Set window size from the packet. */
|
||||
pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
|
||||
diff --git a/session.h b/session.h
|
||||
index ce59dabd9..675c91146 100644
|
||||
--- a/session.h
|
||||
+++ b/session.h
|
||||
@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);
|
||||
Session *session_new(void);
|
||||
Session *session_by_tty(char *);
|
||||
void session_close(struct ssh *, Session *);
|
||||
-void do_setusercontext(struct passwd *);
|
||||
+void do_setusercontext(struct passwd *, const char *);
|
||||
|
||||
const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
|
||||
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index 62dc55cf2..65916fc6d 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -595,7 +595,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||
reseed_prngs();
|
||||
|
||||
/* Drop privileges */
|
||||
- do_setusercontext(authctxt->pw);
|
||||
+ do_setusercontext(authctxt->pw, authctxt->role);
|
||||
|
||||
skip:
|
||||
/* It is safe now to apply the key state */
|
||||
diff --git a/sshpty.c b/sshpty.c
|
||||
index bce09e255..308449b37 100644
|
||||
--- a/sshpty.c
|
||||
+++ b/sshpty.c
|
||||
@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
|
||||
}
|
||||
|
||||
void
|
||||
-pty_setowner(struct passwd *pw, const char *tty)
|
||||
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
|
||||
{
|
||||
struct group *grp;
|
||||
gid_t gid;
|
||||
@@ -186,7 +186,7 @@ pty_setowner(struct passwd *pw, const char *tty)
|
||||
strerror(errno));
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- ssh_selinux_setup_pty(pw->pw_name, tty);
|
||||
+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
|
||||
#endif
|
||||
|
||||
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
|
||||
diff --git a/sshpty.h b/sshpty.h
|
||||
index 9ec7e9a15..de7e000ae 100644
|
||||
--- a/sshpty.h
|
||||
+++ b/sshpty.h
|
||||
@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t);
|
||||
void pty_release(const char *);
|
||||
void pty_make_controlling_tty(int *, const char *);
|
||||
void pty_change_window_size(int, u_int, u_int, u_int, u_int);
|
||||
-void pty_setowner(struct passwd *, const char *);
|
||||
+void pty_setowner(struct passwd *, const char *, const char *);
|
||||
void disconnect_controlling_tty(void);
|
|
@ -1,25 +0,0 @@
|
|||
gssapi.patch
|
||||
restore-tcp-wrappers.patch
|
||||
selinux-role.patch
|
||||
ssh-vulnkey-compat.patch
|
||||
keepalive-extensions.patch
|
||||
syslog-level-silent.patch
|
||||
user-group-modes.patch
|
||||
scp-quoting.patch
|
||||
shell-path.patch
|
||||
dnssec-sshfp.patch
|
||||
mention-ssh-keygen-on-keychange.patch
|
||||
package-versioning.patch
|
||||
debian-banner.patch
|
||||
authorized-keys-man-symlink.patch
|
||||
openbsd-docs.patch
|
||||
ssh-argv0.patch
|
||||
doc-hash-tab-completion.patch
|
||||
ssh-agent-setgid.patch
|
||||
no-openssl-version-status.patch
|
||||
gnome-ssh-askpass2-icon.patch
|
||||
systemd-readiness.patch
|
||||
debian-config.patch
|
||||
restore-authorized_keys2.patch
|
||||
conch-old-privkey-format.patch
|
||||
revert-ipqos-defaults.patch
|
|
@ -1,39 +0,0 @@
|
|||
From c19bcc02b07b450d585d0fd10ccd96174aeb3b7c Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:10:00 +0000
|
||||
Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
|
||||
|
||||
There's some debate on the upstream bug about whether POSIX requires this.
|
||||
I (Colin Watson) agree with Vincent and think it does.
|
||||
|
||||
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
|
||||
Bug-Debian: http://bugs.debian.org/492728
|
||||
Last-Update: 2020-02-21
|
||||
|
||||
Patch-Name: shell-path.patch
|
||||
---
|
||||
sshconnect.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/sshconnect.c b/sshconnect.c
|
||||
index 4711af782..4a5d4a003 100644
|
||||
--- a/sshconnect.c
|
||||
+++ b/sshconnect.c
|
||||
@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
|
||||
/* Execute the proxy command. Note that we gave up any
|
||||
extra privileges above. */
|
||||
ssh_signal(SIGPIPE, SIG_DFL);
|
||||
- execv(argv[0], argv);
|
||||
+ execvp(argv[0], argv);
|
||||
perror(argv[0]);
|
||||
exit(1);
|
||||
}
|
||||
@@ -1388,7 +1388,7 @@ ssh_local_cmd(const char *args)
|
||||
if (pid == 0) {
|
||||
ssh_signal(SIGPIPE, SIG_DFL);
|
||||
debug3("Executing %s -c \"%s\"", shell, args);
|
||||
- execl(shell, shell, "-c", args, (char *)NULL);
|
||||
+ execlp(shell, shell, "-c", args, (char *)NULL);
|
||||
error("Couldn't execute %s -c \"%s\": %s",
|
||||
shell, args, strerror(errno));
|
||||
_exit(1);
|
|
@ -1,40 +0,0 @@
|
|||
From ad09303388f0172ab6e028aaf27d87cf873d123d Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:10:13 +0000
|
||||
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
|
||||
|
||||
Bug-Debian: http://bugs.debian.org/711623
|
||||
Forwarded: no
|
||||
Last-Update: 2020-02-21
|
||||
|
||||
Patch-Name: ssh-agent-setgid.patch
|
||||
---
|
||||
ssh-agent.1 | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/ssh-agent.1 b/ssh-agent.1
|
||||
index fff0db6bc..99e4f6d2e 100644
|
||||
--- a/ssh-agent.1
|
||||
+++ b/ssh-agent.1
|
||||
@@ -201,6 +201,21 @@ socket and stores its pathname in this variable.
|
||||
It is accessible only to the current user,
|
||||
but is easily abused by root or another instance of the same user.
|
||||
.El
|
||||
+.Pp
|
||||
+In Debian,
|
||||
+.Nm
|
||||
+is installed with the set-group-id bit set, to prevent
|
||||
+.Xr ptrace 2
|
||||
+attacks retrieving private key material.
|
||||
+This has the side-effect of causing the run-time linker to remove certain
|
||||
+environment variables which might have security implications for set-id
|
||||
+programs, including
|
||||
+.Ev LD_PRELOAD ,
|
||||
+.Ev LD_LIBRARY_PATH ,
|
||||
+and
|
||||
+.Ev TMPDIR .
|
||||
+If you need to set any of these environment variables, you will need to do
|
||||
+so in the program executed by ssh-agent.
|
||||
.Sh FILES
|
||||
.Bl -tag -width Ds
|
||||
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
|
|
@ -1,31 +0,0 @@
|
|||
From 4b1e0000a099f988553ccc4b274e1790b5114c12 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:10:10 +0000
|
||||
Subject: ssh(1): Refer to ssh-argv0(1)
|
||||
|
||||
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
|
||||
to ssh with the name of the host you want to connect to. Debian ships an
|
||||
ssh-argv0 script restoring this feature; this patch refers to its manual
|
||||
page from ssh(1).
|
||||
|
||||
Bug-Debian: http://bugs.debian.org/111341
|
||||
Forwarded: not-needed
|
||||
Last-Update: 2013-09-14
|
||||
|
||||
Patch-Name: ssh-argv0.patch
|
||||
---
|
||||
ssh.1 | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index 17b0e984f..b33a8049f 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -1610,6 +1610,7 @@ if an error occurred.
|
||||
.Xr sftp 1 ,
|
||||
.Xr ssh-add 1 ,
|
||||
.Xr ssh-agent 1 ,
|
||||
+.Xr ssh-argv0 1 ,
|
||||
.Xr ssh-keygen 1 ,
|
||||
.Xr ssh-keyscan 1 ,
|
||||
.Xr tun 4 ,
|
|
@ -1,42 +0,0 @@
|
|||
From 11d571f137c76d8c2e38b1c1a537b04cc279f8e3 Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@ubuntu.com>
|
||||
Date: Sun, 9 Feb 2014 16:09:50 +0000
|
||||
Subject: Accept obsolete ssh-vulnkey configuration options
|
||||
|
||||
These options were used as part of Debian's response to CVE-2008-0166.
|
||||
Nearly six years later, we no longer need to continue carrying the bulk
|
||||
of that patch, but we do need to avoid failing when the associated
|
||||
configuration options are still present.
|
||||
|
||||
Last-Update: 2014-02-09
|
||||
|
||||
Patch-Name: ssh-vulnkey-compat.patch
|
||||
---
|
||||
readconf.c | 1 +
|
||||
servconf.c | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index da8022dd0..0fc996871 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -191,6 +191,7 @@ static struct {
|
||||
{ "fallbacktorsh", oDeprecated },
|
||||
{ "globalknownhostsfile2", oDeprecated },
|
||||
{ "rhostsauthentication", oDeprecated },
|
||||
+ { "useblacklistedkeys", oDeprecated },
|
||||
{ "userknownhostsfile2", oDeprecated },
|
||||
{ "useroaming", oDeprecated },
|
||||
{ "usersh", oDeprecated },
|
||||
diff --git a/servconf.c b/servconf.c
|
||||
index 191575a16..bf3cd84a4 100644
|
||||
--- a/servconf.c
|
||||
+++ b/servconf.c
|
||||
@@ -656,6 +656,7 @@ static struct {
|
||||
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
|
||||
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
|
||||
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
|
||||
+ { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL },
|
||||
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
|
||||
{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
|
||||
{ "uselogin", sDeprecated, SSHCFG_GLOBAL },
|
|
@ -1,47 +0,0 @@
|
|||
From 387c2c1954773733bae9fca21a92db62c31180bd Mon Sep 17 00:00:00 2001
|
||||
From: Natalie Amery <nmamery@chiark.greenend.org.uk>
|
||||
Date: Sun, 9 Feb 2014 16:09:54 +0000
|
||||
Subject: "LogLevel SILENT" compatibility
|
||||
|
||||
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
|
||||
match the behaviour of non-free SSH, in which -q does not suppress fatal
|
||||
errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody
|
||||
complained, so we've dropped most of it. The parts that remain are basic
|
||||
configuration file compatibility, and an adjustment to "Pseudo-terminal will
|
||||
not be allocated ..." which should be split out into a separate patch.
|
||||
|
||||
Author: Matthew Vernon <matthew@debian.org>
|
||||
Author: Colin Watson <cjwatson@debian.org>
|
||||
Last-Update: 2013-09-14
|
||||
|
||||
Patch-Name: syslog-level-silent.patch
|
||||
---
|
||||
log.c | 1 +
|
||||
ssh.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/log.c b/log.c
|
||||
index d9c2d136c..1749af6d1 100644
|
||||
--- a/log.c
|
||||
+++ b/log.c
|
||||
@@ -93,6 +93,7 @@ static struct {
|
||||
LogLevel val;
|
||||
} log_levels[] =
|
||||
{
|
||||
+ { "SILENT", SYSLOG_LEVEL_QUIET }, /* compatibility */
|
||||
{ "QUIET", SYSLOG_LEVEL_QUIET },
|
||||
{ "FATAL", SYSLOG_LEVEL_FATAL },
|
||||
{ "ERROR", SYSLOG_LEVEL_ERROR },
|
||||
diff --git a/ssh.c b/ssh.c
|
||||
index 110cf9c19..6138fd4d3 100644
|
||||
--- a/ssh.c
|
||||
+++ b/ssh.c
|
||||
@@ -1305,7 +1305,7 @@ main(int ac, char **av)
|
||||
/* Do not allocate a tty if stdin is not a tty. */
|
||||
if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
|
||||
options.request_tty != REQUEST_TTY_FORCE) {
|
||||
- if (tty_flag)
|
||||
+ if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
|
||||
logit("Pseudo-terminal will not be allocated because "
|
||||
"stdin is not a terminal.");
|
||||
tty_flag = 0;
|
|
@ -1,84 +0,0 @@
|
|||
From a208834b2d1811dac7054d7fdcdd04672f8b19f6 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Biebl <biebl@debian.org>
|
||||
Date: Mon, 21 Dec 2015 16:08:47 +0000
|
||||
Subject: Add systemd readiness notification support
|
||||
|
||||
Bug-Debian: https://bugs.debian.org/778913
|
||||
Forwarded: no
|
||||
Last-Update: 2017-08-22
|
||||
|
||||
Patch-Name: systemd-readiness.patch
|
||||
---
|
||||
configure.ac | 24 ++++++++++++++++++++++++
|
||||
sshd.c | 9 +++++++++
|
||||
2 files changed, 33 insertions(+)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index cee7cbc51..5db3013de 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -4664,6 +4664,29 @@ AC_ARG_WITH([kerberos5],
|
||||
AC_SUBST([GSSLIBS])
|
||||
AC_SUBST([K5LIBS])
|
||||
|
||||
+# Check whether user wants systemd support
|
||||
+SYSTEMD_MSG="no"
|
||||
+AC_ARG_WITH(systemd,
|
||||
+ [ --with-systemd Enable systemd support],
|
||||
+ [ if test "x$withval" != "xno" ; then
|
||||
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
|
||||
+ if test "$PKGCONFIG" != "no"; then
|
||||
+ AC_MSG_CHECKING([for libsystemd])
|
||||
+ if $PKGCONFIG --exists libsystemd; then
|
||||
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
|
||||
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
|
||||
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
|
||||
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
|
||||
+ AC_MSG_RESULT([yes])
|
||||
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
|
||||
+ SYSTEMD_MSG="yes"
|
||||
+ else
|
||||
+ AC_MSG_RESULT([no])
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi ]
|
||||
+)
|
||||
+
|
||||
# Looking for programs, paths and files
|
||||
|
||||
PRIVSEP_PATH=/var/empty
|
||||
@@ -5476,6 +5499,7 @@ echo " libldns support: $LDNS_MSG"
|
||||
echo " Solaris process contract support: $SPC_MSG"
|
||||
echo " Solaris project support: $SP_MSG"
|
||||
echo " Solaris privilege support: $SPP_MSG"
|
||||
+echo " systemd support: $SYSTEMD_MSG"
|
||||
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
|
||||
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
|
||||
echo " BSD Auth support: $BSD_AUTH_MSG"
|
||||
diff --git a/sshd.c b/sshd.c
|
||||
index da876a900..c069505a0 100644
|
||||
--- a/sshd.c
|
||||
+++ b/sshd.c
|
||||
@@ -85,6 +85,10 @@
|
||||
#include <prot.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+#include <systemd/sd-daemon.h>
|
||||
+#endif
|
||||
+
|
||||
#include "xmalloc.h"
|
||||
#include "ssh.h"
|
||||
#include "ssh2.h"
|
||||
@@ -2027,6 +2031,11 @@ main(int ac, char **av)
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_SYSTEMD
|
||||
+ /* Signal systemd that we are ready to accept connections */
|
||||
+ sd_notify(0, "READY=1");
|
||||
+#endif
|
||||
+
|
||||
/* Accept a connection and return in a forked child */
|
||||
server_accept_loop(&sock_in, &sock_out,
|
||||
&newsock, config_s);
|
|
@ -1,210 +0,0 @@
|
|||
From 3309e464e5ae6c940ddd584eed4d2d403f4c168c Mon Sep 17 00:00:00 2001
|
||||
From: Colin Watson <cjwatson@debian.org>
|
||||
Date: Sun, 9 Feb 2014 16:09:58 +0000
|
||||
Subject: Allow harmless group-writability
|
||||
|
||||
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
|
||||
group-writable, provided that the group in question contains only the file's
|
||||
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
|
||||
about the contents of gr->gr_mem). Given that per-user groups and umask 002
|
||||
are the default setup in Debian (for good reasons - this makes operating in
|
||||
setgid directories with other groups much easier), we need to permit this by
|
||||
default.
|
||||
|
||||
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
|
||||
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
|
||||
Last-Update: 2019-10-09
|
||||
|
||||
Patch-Name: user-group-modes.patch
|
||||
---
|
||||
auth-rhosts.c | 6 ++----
|
||||
auth.c | 3 +--
|
||||
misc.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++-----
|
||||
misc.h | 2 ++
|
||||
readconf.c | 3 +--
|
||||
ssh.1 | 2 ++
|
||||
ssh_config.5 | 2 ++
|
||||
7 files changed, 63 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/auth-rhosts.c b/auth-rhosts.c
|
||||
index 7a10210b6..587f53721 100644
|
||||
--- a/auth-rhosts.c
|
||||
+++ b/auth-rhosts.c
|
||||
@@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
|
||||
return 0;
|
||||
}
|
||||
if (options.strict_modes &&
|
||||
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
|
||||
- (st.st_mode & 022) != 0)) {
|
||||
+ !secure_permissions(&st, pw->pw_uid)) {
|
||||
logit("Rhosts authentication refused for %.100s: "
|
||||
"bad ownership or modes for home directory.", pw->pw_name);
|
||||
auth_debug_add("Rhosts authentication refused for %.100s: "
|
||||
@@ -287,8 +286,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
|
||||
* allowing access to their account by anyone.
|
||||
*/
|
||||
if (options.strict_modes &&
|
||||
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
|
||||
- (st.st_mode & 022) != 0)) {
|
||||
+ !secure_permissions(&st, pw->pw_uid)) {
|
||||
logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
|
||||
pw->pw_name, buf);
|
||||
auth_debug_add("Bad file modes for %.200s", buf);
|
||||
diff --git a/auth.c b/auth.c
|
||||
index 687c57b42..aed3c13ac 100644
|
||||
--- a/auth.c
|
||||
+++ b/auth.c
|
||||
@@ -474,8 +474,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
|
||||
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
|
||||
if (options.strict_modes &&
|
||||
(stat(user_hostfile, &st) == 0) &&
|
||||
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
|
||||
- (st.st_mode & 022) != 0)) {
|
||||
+ !secure_permissions(&st, pw->pw_uid)) {
|
||||
logit("Authentication refused for %.100s: "
|
||||
"bad owner or modes for %.200s",
|
||||
pw->pw_name, user_hostfile);
|
||||
diff --git a/misc.c b/misc.c
|
||||
index 3a31d5c18..073d3be19 100644
|
||||
--- a/misc.c
|
||||
+++ b/misc.c
|
||||
@@ -61,8 +61,9 @@
|
||||
#include <netdb.h>
|
||||
#ifdef HAVE_PATHS_H
|
||||
# include <paths.h>
|
||||
-#include <pwd.h>
|
||||
#endif
|
||||
+#include <pwd.h>
|
||||
+#include <grp.h>
|
||||
#ifdef SSH_TUN_OPENBSD
|
||||
#include <net/if.h>
|
||||
#endif
|
||||
@@ -1124,6 +1125,55 @@ percent_expand(const char *string, ...)
|
||||
#undef EXPAND_MAX_KEYS
|
||||
}
|
||||
|
||||
+int
|
||||
+secure_permissions(struct stat *st, uid_t uid)
|
||||
+{
|
||||
+ if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
|
||||
+ return 0;
|
||||
+ if ((st->st_mode & 002) != 0)
|
||||
+ return 0;
|
||||
+ if ((st->st_mode & 020) != 0) {
|
||||
+ /* If the file is group-writable, the group in question must
|
||||
+ * have exactly one member, namely the file's owner.
|
||||
+ * (Zero-member groups are typically used by setgid
|
||||
+ * binaries, and are unlikely to be suitable.)
|
||||
+ */
|
||||
+ struct passwd *pw;
|
||||
+ struct group *gr;
|
||||
+ int members = 0;
|
||||
+
|
||||
+ gr = getgrgid(st->st_gid);
|
||||
+ if (!gr)
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Check primary group memberships. */
|
||||
+ while ((pw = getpwent()) != NULL) {
|
||||
+ if (pw->pw_gid == gr->gr_gid) {
|
||||
+ ++members;
|
||||
+ if (pw->pw_uid != uid)
|
||||
+ return 0;
|
||||
+ }
|
||||
+ }
|
||||
+ endpwent();
|
||||
+
|
||||
+ pw = getpwuid(st->st_uid);
|
||||
+ if (!pw)
|
||||
+ return 0;
|
||||
+
|
||||
+ /* Check supplementary group memberships. */
|
||||
+ if (gr->gr_mem[0]) {
|
||||
+ ++members;
|
||||
+ if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
|
||||
+ gr->gr_mem[1])
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (!members)
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
int
|
||||
tun_open(int tun, int mode, char **ifname)
|
||||
{
|
||||
@@ -1909,8 +1959,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
|
||||
snprintf(err, errlen, "%s is not a regular file", buf);
|
||||
return -1;
|
||||
}
|
||||
- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
|
||||
- (stp->st_mode & 022) != 0) {
|
||||
+ if (!secure_permissions(stp, uid)) {
|
||||
snprintf(err, errlen, "bad ownership or modes for file %s",
|
||||
buf);
|
||||
return -1;
|
||||
@@ -1925,8 +1974,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
|
||||
strlcpy(buf, cp, sizeof(buf));
|
||||
|
||||
if (stat(buf, &st) == -1 ||
|
||||
- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
|
||||
- (st.st_mode & 022) != 0) {
|
||||
+ !secure_permissions(&st, uid)) {
|
||||
snprintf(err, errlen,
|
||||
"bad ownership or modes for directory %s", buf);
|
||||
return -1;
|
||||
diff --git a/misc.h b/misc.h
|
||||
index 4a05db2da..5db594b91 100644
|
||||
--- a/misc.h
|
||||
+++ b/misc.h
|
||||
@@ -188,6 +188,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
|
||||
__attribute__((format(printf, 2, 3)));
|
||||
void notify_complete(struct notifier_ctx *);
|
||||
|
||||
+int secure_permissions(struct stat *st, uid_t uid);
|
||||
+
|
||||
#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
|
||||
#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
|
||||
#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
|
||||
diff --git a/readconf.c b/readconf.c
|
||||
index 2399208f8..7f251dd4a 100644
|
||||
--- a/readconf.c
|
||||
+++ b/readconf.c
|
||||
@@ -1902,8 +1902,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
|
||||
|
||||
if (fstat(fileno(f), &sb) == -1)
|
||||
fatal("fstat %s: %s", filename, strerror(errno));
|
||||
- if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
|
||||
- (sb.st_mode & 022) != 0))
|
||||
+ if (!secure_permissions(&sb, getuid()))
|
||||
fatal("Bad owner or permissions on %s", filename);
|
||||
}
|
||||
|
||||
diff --git a/ssh.1 b/ssh.1
|
||||
index db5c65bc7..cf991e4ee 100644
|
||||
--- a/ssh.1
|
||||
+++ b/ssh.1
|
||||
@@ -1506,6 +1506,8 @@ The file format and configuration options are described in
|
||||
.Xr ssh_config 5 .
|
||||
Because of the potential for abuse, this file must have strict permissions:
|
||||
read/write for the user, and not writable by others.
|
||||
+It may be group-writable provided that the group in question contains only
|
||||
+the user.
|
||||
.Pp
|
||||
.It Pa ~/.ssh/environment
|
||||
Contains additional definitions for environment variables; see
|
||||
diff --git a/ssh_config.5 b/ssh_config.5
|
||||
index 3079db19b..e61a0fd43 100644
|
||||
--- a/ssh_config.5
|
||||
+++ b/ssh_config.5
|
||||
@@ -1952,6 +1952,8 @@ The format of this file is described above.
|
||||
This file is used by the SSH client.
|
||||
Because of the potential for abuse, this file must have strict permissions:
|
||||
read/write for the user, and not writable by others.
|
||||
+It may be group-writable provided that the group in question contains only
|
||||
+the user.
|
||||
.It Pa /etc/ssh/ssh_config
|
||||
Systemwide configuration file.
|
||||
This file provides defaults for those
|
|
@ -1 +1 @@
|
|||
3.0 (quilt)
|
||||
3.0 (native)
|
||||
|
|
Loading…
Reference in New Issue