diff --git a/SOURCES/openssh-5.8p1-glob.patch b/SOURCES/openssh-5.8p1-glob.patch
index cb45cd1..4b1d8a7 100644
--- a/SOURCES/openssh-5.8p1-glob.patch
+++ b/SOURCES/openssh-5.8p1-glob.patch
@@ -8,3 +8,18 @@ diff -up openssh-5.8p1/sftp-glob.c.glob openssh-5.8p1/sftp-glob.c
 - return(glob(pattern, flags | GLOB_ALTDIRFUNC, errfunc, pglob));
 + return(glob(pattern, flags | GLOB_LIMIT | GLOB_ALTDIRFUNC, errfunc, pglob));
 }
+diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c
+index 742b4b9..acae399 100644
+--- a/openbsd-compat/glob.c
++++ b/openbsd-compat/glob.c
+@@ -130,8 +130,8 @@ typedef char Char;
+ #define M_CLASS META(':')
+ #define ismeta(c) (((c)&M_QUOTE) != 0)
+
+-#define GLOB_LIMIT_MALLOC 65536
+-#define GLOB_LIMIT_STAT 128
++#define GLOB_LIMIT_MALLOC 65536*64
++#define GLOB_LIMIT_STAT 128*64
+ #define GLOB_LIMIT_READDIR 16384
+
+ /* Limit of recursion during matching attempts. */
diff --git a/SOURCES/openssh-6.6p1-allowGroups-documentation.patch b/SOURCES/openssh-6.6p1-allowGroups-documentation.patch
new file mode 100644
index 0000000..9da6a1d
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-allowGroups-documentation.patch
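Review bot: The new macro bodies `65536*64` and `128*64` are unparenthesized; write them as `#define GLOB_LIMIT_MALLOC (65536 * 64)` and `#define GLOB_LIMIT_STAT (128 * 64)` so that a use such as `x / GLOB_LIMIT_STAT` or a cast keeps the intended precedence. These two constants are the resource bound that the `GLOB_LIMIT` flag added in the first lines of the hunk enforces on client-supplied sftp patterns, so raising them sixty-four-fold widens how much memory and how many stat() calls a single request may consume. The patch should record the reason for the new figures on the line itself, e.g. `/* raised 64x over upstream: default limits reject legitimately large directory globs */`, worded to match the actual motivation, which is not visible here.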
@@ -0,0 +1,40 @@
+diff --git a/sshd_config.5 b/sshd_config.5
+index 2320128..6244e68 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -120,6 +120,8 @@ The allow/deny directives are processed in the following order:
+ .Cm DenyGroups ,
+ and finally
+ .Cm AllowGroups .
++All of the specified user and group tests must succeed, before user
++is allowed to log in.
+ .Pp
+ See PATTERNS in
+ .Xr ssh_config 5
+@@ -160,6 +162,8 @@ The allow/deny directives are processed in the following order:
+ .Cm DenyGroups ,
+ and finally
+ .Cm AllowGroups .
++All of the specified user and group tests must succeed, before user
++is allowed to log in.
+ .Pp
+ See PATTERNS in
+ .Xr ssh_config 5
+@@ -430,6 +434,8 @@ The allow/deny directives are processed in the following order:
+ .Cm DenyGroups ,
+ and finally
+ .Cm AllowGroups .
++All of the specified user and group tests must succeed, before user
++is allowed to log in.
+ .Pp
+ See PATTERNS in
+ .Xr ssh_config 5
+@@ -449,6 +455,8 @@ The allow/deny directives are processed in the following order:
+ .Cm DenyGroups ,
+ and finally
+ .Cm AllowGroups .
++All of the specified user and group tests must succeed, before user
++is allowed to log in.
+ .Pp
+ See PATTERNS in
+ .Xr ssh_config 5
diff --git a/SOURCES/openssh-6.6p1-audit.patch b/SOURCES/openssh-6.6p1-audit.patch
index f7720c4..dd0c06e 100644
--- a/SOURCES/openssh-6.6p1-audit.patch
+++ b/SOURCES/openssh-6.6p1-audit.patch
@@ -1040,7 +1040,7 @@ index bce2ab8..bc3e53e 100644
 }
 choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
 choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-@@ -702,3 +718,34 @@ dump_digest(char *msg, u_char *digest, int len)
+@@ -702,3 +718,53 @@ dump_digest(char *msg, u_char *digest, int len)
 fprintf(stderr, "\n");
 }
 #endif
@@ -1070,20 +1070,40 @@ index bce2ab8..bc3e53e 100644 + if (newkeys == NULL) + return; + ++ free(newkeys->enc.name); + enc_destroy(&newkeys->enc); -+ mac_destroy(&newkeys->mac); ++ ++ if (newkeys->mac.enabled) { ++ mac_clear(&newkeys->mac); ++ free(newkeys->mac.name); ++ mac_destroy(&newkeys->mac); ++ } ++ ++ free(newkeys->comp.name); ++ + memset(&newkeys->comp, 0, sizeof(newkeys->comp)); +} + ++void ++newkeys_destroy_and_free(Newkeys *newkeys) ++{ ++ if (newkeys == NULL) ++ return; ++ ++ newkeys_destroy(newkeys); ++ free(newkeys); ++} ++ diff --git a/kex.h b/kex.h index 313bb51..c643250 100644 --- a/kex.h +++ b/kex.h -@@ -182,6 +182,8 @@ void kexgss_client(Kex *); +@@ -182,6 +182,9 @@ void kexgss_client(Kex *); void kexgss_server(Kex *); #endif +void newkeys_destroy(Newkeys *newkeys); ++void newkeys_destroy_and_free(Newkeys *newkeys); + void kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, @@ -1394,7 +1414,7 @@ index 8b18086..5a65114 100644 } -@@ -2277,3 +2374,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { +@@ -2277,3 +2374,84 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { #endif /* GSSAPI */ @@ -1476,7 +1496,6 @@ index 8b18086..5a65114 100644 + free(fp); + buffer_clear(m); + -+ mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m); + return 0; +} +#endif /* SSH_AUDIT_EVENTS */ @@ -1495,7 +1514,7 @@ index ff79fbb..6dfb234 100644 + MONITOR_REQ_AUDIT_UNSUPPORTED = 118, MONITOR_ANS_AUDIT_UNSUPPORTED = 119, + MONITOR_REQ_AUDIT_KEX = 120, MONITOR_ANS_AUDIT_KEX = 121, + MONITOR_REQ_AUDIT_SESSION_KEY_FREE = 122, MONITOR_ANS_AUDIT_SESSION_KEY_FREE = 123, -+ MONITOR_REQ_AUDIT_SERVER_KEY_FREE = 124, MONITOR_ANS_AUDIT_SERVER_KEY_FREE = 125 ++ MONITOR_REQ_AUDIT_SERVER_KEY_FREE = 124 }; 
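Review bot: `newkeys_destroy` now frees `enc.name`, `mac.name` and `comp.name` but never resets those pointers, and the sshd hunk later in this diff calls it on `current_keys[MODE_OUT]`/`current_keys[MODE_IN]` and then continues with `packet_destroy_all`, so the Newkeys object stays reachable after the names are gone; a second pass over it would double-free unless `enc_destroy`/`mac_destroy` happen to zero the fields, which is not visible here. Null each pointer right after freeing it, e.g. `free(newkeys->enc.name); newkeys->enc.name = NULL;` and likewise for `comp.name`. `free(newkeys->mac.name)` also sits inside the `if (newkeys->mac.enabled)` guard; if `mac.name` is allocated when the MAC is negotiated rather than when it is enabled (not shown), a Newkeys that was chosen but never activated leaks the name, so freeing and nulling `mac.name` unconditionally before the guard is safer either way. The enclosing function starts before this hunk.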
@@ -1595,7 +1614,7 @@ index d1e1caa..6df236a 100644 buffer_free(&m); } #endif /* SSH_AUDIT_EVENTS */ -@@ -1354,3 +1391,71 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) +@@ -1354,3 +1391,69 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) #endif /* GSSAPI */ @@ -1662,8 +1681,6 @@ index d1e1caa..6df236a 100644 + buffer_put_int64(&m, uid); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m); -+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, -+ &m); + buffer_free(&m); +} +#endif /* SSH_AUDIT_EVENTS */ @@ -1756,32 +1773,6 @@ index 660a9fc..f5b122b 100644 } /* Sets remote side protocol flags. */ -@@ -736,6 +747,25 @@ packet_send1(void) - */ - } - -+static void -+newkeys_destroy_and_free(Newkeys *newkeys) -+{ -+ if (newkeys == NULL) -+ return; -+ -+ free(newkeys->enc.name); -+ -+ if (newkeys->mac.enabled) { -+ mac_clear(&newkeys->mac); -+ free(newkeys->mac.name); -+ } -+ -+ free(newkeys->comp.name); -+ -+ newkeys_destroy(newkeys); -+ free(newkeys); -+} -+ - void - set_newkeys(int mode) - { @@ -761,6 +791,7 @@ set_newkeys(int mode) } if (active_state->newkeys[mode] != NULL) { @@ -1934,7 +1925,7 @@ index df43592..b186ca1 100644 - PRIVSEP(audit_run_command(shell)); + s->command = xstrdup(shell); } -+ if (s->command != NULL) ++ if (s->command != NULL && s->ptyfd == -1) + s->command_handle = PRIVSEP(audit_run_command(s->command)); #endif if (s->ttyfd != -1) @@ -1979,7 +1970,7 @@ index df43592..b186ca1 100644 session_by_tty(char *tty) { int i; -@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status) +@@ -2531,6 +2560,32 @@ session_exit_message(Session *s, int status) chan_write_failed(c); } 
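Review bot: With the added `&& s->ptyfd == -1`, a session that requested a pty still gets `s->command` set but `audit_run_command` is no longer issued here, so `s->command_handle` keeps whatever value it had; the `!= -1` guards added to session_end_command/session_end_command2 further down in this diff only skip the end event when the field is exactly -1, which depends on session creation initialising it to -1 somewhere outside this patch. If the pty path emits the run event elsewhere, say so on the line, e.g. `/* pty sessions: audit_run_command is issued from the pty setup path; command_handle stays -1 until then */`, adjusted to the real location; if it does not, commands executed on a pty are never audited. The enclosing function begins and ends outside the hunk.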
@@ -1988,7 +1979,8 @@ index df43592..b186ca1 100644 +session_end_command2(Session *s) +{ + if (s->command != NULL) { -+ audit_end_command(s->command_handle, s->command); ++ if (s->command_handle != -1) ++ audit_end_command(s->command_handle, s->command); + free(s->command); + s->command = NULL; + s->command_handle = -1; @@ -1999,7 +1991,8 @@ index df43592..b186ca1 100644 +session_end_command(Session *s) +{ + if (s->command != NULL) { -+ PRIVSEP(audit_end_command(s->command_handle, s->command)); ++ if (s->command_handle != -1) ++ PRIVSEP(audit_end_command(s->command_handle, s->command)); + free(s->command); + s->command = NULL; + s->command_handle = -1; @@ -2215,7 +2208,7 @@ index 8a0740a..2813aa2 100644 else if (pmonitor->m_pid != 0) { verbose("User child is on pid %ld", (long)pmonitor->m_pid); buffer_clear(&loginmsg); -+ newkeys_destroy(current_keys[MODE_OUT]); ++ newkeys_destroy(current_keys[MODE_OUT]); + newkeys_destroy(current_keys[MODE_IN]); + audit_session_key_free_body(2, getpid(), getuid()); + packet_destroy_all(0, 0); diff --git a/SOURCES/openssh-6.6p1-authentication-limits-bypass.patch b/SOURCES/openssh-6.6p1-authentication-limits-bypass.patch new file mode 100644 index 0000000..10bde94 --- /dev/null +++ b/SOURCES/openssh-6.6p1-authentication-limits-bypass.patch 
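Review bot: Both `session_end_command2` and `session_end_command` now test `s->command_handle != -1` before `audit_end_command`, but the only assignments of -1 visible here are the ones these functions make after cleanup; the initial value at session allocation is outside the patch, and a zero-filled session would pass the guard and end an audit event with handle 0. Initialise the field where the session is created, e.g. `s->command_handle = -1;` in the allocation path, and document -1 as the "no audit event open" sentinel next to the struct member. The two functions are identical apart from the PRIVSEP wrapper, which is a small duplication worth a one-line comment explaining which side of the privilege separation each is called from.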
@@ -0,0 +1,47 @@
+From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Sat, 18 Jul 2015 07:57:14 +0000
+Subject: upstream commit
+
+only query each keyboard-interactive device once per
+ authentication request regardless of how many times it is listed; ok markus@
+
+Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
+---
+ auth2-chall.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/auth2-chall.c b/auth2-chall.c
+index ddabe1a..4aff09d 100644
+--- a/auth2-chall.c
++++ b/auth2-chall.c
+@@ -83,6 +83,7 @@ struct KbdintAuthctxt
+ void *ctxt;
+ KbdintDevice *device;
+ u_int nreq;
++ u_int devices_done;
+ };
+
+ #ifdef USE_PAM
+@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
+ if (len == 0)
+ break;
+ for (i = 0; devices[i]; i++) {
+- if (!auth2_method_allowed(authctxt,
++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++ !auth2_method_allowed(authctxt,
+ "keyboard-interactive", devices[i]->name))
+ continue;
+- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++ if (strncmp(kbdintctxt->devices, devices[i]->name,
++ len) == 0) {
+ kbdintctxt->device = devices[i];
++ kbdintctxt->devices_done |= 1 << i;
++ }
+ }
+ t = kbdintctxt->devices;
+ kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
+--
+cgit v0.11.2
+
+
diff --git a/SOURCES/openssh-6.6p1-document-TERM-env.patch b/SOURCES/openssh-6.6p1-document-TERM-env.patch
new file mode 100644
index 0000000..66445d9
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-document-TERM-env.patch
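Review bot: `devices_done` is read with `& (1 << i)` before anything in this hunk ever sets it, so the fix only works if `KbdintAuthctxt` is zero-filled at allocation (in kbdint_alloc, outside the hunk); if the context were allocated without zeroing, stale bits would silently skip devices and the once-per-request accounting would be wrong in the other direction. Write the mask as `1U << i` in both places, since `1 << i` is a signed shift while `devices_done` is `u_int`, and note the width assumption on the new field, e.g. `u_int devices_done; /* bitmask over devices[] indices already queried this request; assumes fewer than 32 devices */`, because nothing in the hunk checks `i` against the bit width.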
@@ -0,0 +1,32 @@ +diff --git a/ssh_config.5 b/ssh_config.5 +index e7accd6..c95fda6 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -1253,6 +1253,10 @@ should be sent to the server. + Note that environment passing is only supported for protocol 2. + The server must also support it, and the server must be configured to + accept these environment variables. ++Note that the ++.Ev TERM ++environment variable is always sent whenever a ++pseudo-terminal is requested as it is required by the protocol. + Refer to + .Cm AcceptEnv + in +diff --git a/sshd_config.5 b/sshd_config.5 +index aa9525d..2320128 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -70,7 +70,11 @@ See + in + .Xr ssh_config 5 + for how to configure the client. +-Note that environment passing is only supported for protocol 2. ++Note that environment passing is only supported for protocol 2, and ++that the ++.Ev TERM ++environment variable is always sent whenever the client ++requests a pseudo-terminal as it is required by the protocol. + Variables are specified by name, which may contain the wildcard characters + .Ql * + and diff --git a/SOURCES/openssh-6.6p1-fips.patch b/SOURCES/openssh-6.6p1-fips.patch index 9227b37..77760db 100644 --- a/SOURCES/openssh-6.6p1-fips.patch +++ b/SOURCES/openssh-6.6p1-fips.patch @@ -1,7 +1,6 @@ -diff --git a/Makefile.in b/Makefile.in -index 3bb7f00..294bef5 100644 ---- a/Makefile.in -+++ b/Makefile.in +diff -up openssh-6.6p1/Makefile.in.fips openssh-6.6p1/Makefile.in +--- openssh-6.6p1/Makefile.in.fips 2015-08-13 15:09:43.343350136 +0200 ++++ openssh-6.6p1/Makefile.in 2015-08-13 15:09:43.356350114 +0200 @@ -154,25 +154,25 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ 
@@ -34,7 +33,7 @@ index 3bb7f00..294bef5 100644 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -@@ -187,7 +187,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o +@@ -187,7 +187,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libs $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o @@ -43,11 +42,10 @@ index 3bb7f00..294bef5 100644 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff --git a/auth-rsa.c b/auth-rsa.c -index f225b0b..8bafcd6 100644 ---- a/auth-rsa.c -+++ b/auth-rsa.c -@@ -244,7 +244,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, +diff -up openssh-6.6p1/auth-rsa.c.fips openssh-6.6p1/auth-rsa.c +--- openssh-6.6p1/auth-rsa.c.fips 2015-08-13 15:09:43.344350134 +0200 ++++ openssh-6.6p1/auth-rsa.c 2015-08-13 15:09:43.354350118 +0200 +@@ -244,7 +244,7 @@ rsa_key_allowed_in_file(struct passwd *p "actual %d vs. announced %d.", file, linenum, BN_num_bits(key->rsa->n), bits); @@ -56,11 +54,10 @@ index f225b0b..8bafcd6 100644 debug("matching key found: file %s, line %lu %s %s", file, linenum, key_type(key), fp); free(fp); -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index 6d1c872..3808ec8 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -214,8 +214,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) +diff -up openssh-6.6p1/auth2-pubkey.c.fips openssh-6.6p1/auth2-pubkey.c +--- openssh-6.6p1/auth2-pubkey.c.fips 2015-08-13 15:09:43.345350133 +0200 ++++ openssh-6.6p1/auth2-pubkey.c 2015-08-13 15:09:43.353350119 +0200 +@@ -214,8 +214,7 @@ pubkey_auth_info(Authctxt *authctxt, con } if (key_is_cert(key)) { 
@@ -70,7 +67,7 @@ index 6d1c872..3808ec8 100644 auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", key_type(key), key->cert->key_id, (unsigned long long)key->cert->serial, -@@ -223,7 +222,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) +@@ -223,7 +222,7 @@ pubkey_auth_info(Authctxt *authctxt, con extra == NULL ? "" : ", ", extra == NULL ? "" : extra); free(fp); } else { @@ -79,10 +76,9 @@ index 6d1c872..3808ec8 100644 auth_info(authctxt, "%s %s%s%s", key_type(key), fp, extra == NULL ? "" : ", ", extra == NULL ? "" : extra); free(fp); -diff --git a/authfile.c b/authfile.c -index ec4f4ff..2b3d650 100644 ---- a/authfile.c -+++ b/authfile.c +diff -up openssh-6.6p1/authfile.c.fips openssh-6.6p1/authfile.c +--- openssh-6.6p1/authfile.c.fips 2015-08-13 15:09:43.213350355 +0200 ++++ openssh-6.6p1/authfile.c 2015-08-13 15:09:43.354350118 +0200 @@ -46,6 +46,7 @@ #include #include @@ -91,7 +87,19 @@ index ec4f4ff..2b3d650 100644 /* compatibility with old or broken OpenSSL versions */ #include "openbsd-compat/openssl-compat.h" -@@ -1068,7 +1069,7 @@ Key * +@@ -1008,7 +1009,10 @@ key_parse_private_type(Buffer *blob, int + + switch (type) { + case KEY_RSA1: +- return key_parse_private_rsa1(blob, passphrase, commentp); ++ if (! FIPS_mode()) ++ return key_parse_private_rsa1(blob, passphrase, commentp); ++ error("%s: cannot parse rsa1 key in FIPS mode", __func__); ++ break; + case KEY_DSA: + case KEY_ECDSA: + case KEY_RSA: +@@ -1068,7 +1072,7 @@ Key * key_parse_private(Buffer *buffer, const char *filename, const char *passphrase, char **commentp) { @@ -100,7 +108,7 @@ index ec4f4ff..2b3d650 100644 /* it's a SSH v1 key if the public key part is readable */ pub = key_parse_public_rsa1(buffer, commentp); -@@ -1080,9 +1081,10 @@ key_parse_private(Buffer *buffer, const char *filename, +@@ -1080,9 +1084,10 @@ key_parse_private(Buffer *buffer, const *commentp = xstrdup(filename); } else { key_free(pub); 
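Review bot: In the new `KEY_RSA1` branch of key_parse_private_type the FIPS refusal ends with `break`, so what the caller receives for that case is decided by the code after the `switch`, which is outside the hunk (presumably a `return NULL`); returning explicitly keeps the refusal self-contained and survives any later edit of the post-switch code: `error("%s: cannot parse rsa1 key in FIPS mode", __func__); return NULL;`. Minor style point: KNF writes the negation without a space, `if (!FIPS_mode())` rather than `if (! FIPS_mode())`. The enclosing function starts before the hunk.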
@@ -114,10 +122,9 @@ index ec4f4ff..2b3d650 100644 } return prv; } -diff --git a/cipher-ctr.c b/cipher-ctr.c -index 73e9c7c..40ee395 100644 ---- a/cipher-ctr.c -+++ b/cipher-ctr.c +diff -up openssh-6.6p1/cipher-ctr.c.fips openssh-6.6p1/cipher-ctr.c +--- openssh-6.6p1/cipher-ctr.c.fips 2015-08-13 15:09:43.254350286 +0200 ++++ openssh-6.6p1/cipher-ctr.c 2015-08-13 15:09:43.354350118 +0200 @@ -179,7 +179,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP @@ -128,10 +135,9 @@ index 73e9c7c..40ee395 100644 #endif return (&aes_ctr); } -diff --git a/cipher.c b/cipher.c -index 226e56d..b19443c 100644 ---- a/cipher.c -+++ b/cipher.c +diff -up openssh-6.6p1/cipher.c.fips openssh-6.6p1/cipher.c +--- openssh-6.6p1/cipher.c.fips 2015-08-13 15:09:43.345350133 +0200 ++++ openssh-6.6p1/cipher.c 2015-08-13 15:09:43.354350118 +0200 @@ -39,6 +39,8 @@ #include @@ -203,10 +209,9 @@ index 226e56d..b19443c 100644 if (strcasecmp(c->name, name) == 0) return c->number; return -1; -diff --git a/dh.h b/dh.h -index 48f7b68..9ff39f4 100644 ---- a/dh.h -+++ b/dh.h +diff -up openssh-6.6p1/dh.h.fips openssh-6.6p1/dh.h +--- openssh-6.6p1/dh.h.fips 2013-10-10 01:32:40.000000000 +0200 ++++ openssh-6.6p1/dh.h 2015-08-13 15:09:43.354350118 +0200 @@ -45,6 +45,7 @@ int dh_estimate(int); /* Min and max values from RFC4419. */ @@ -215,10 +220,9 @@ index 48f7b68..9ff39f4 100644 #define DH_GRP_MAX 8192 /* -diff --git a/entropy.c b/entropy.c -index b361a04..5616643 100644 ---- a/entropy.c -+++ b/entropy.c +diff -up openssh-6.6p1/entropy.c.fips openssh-6.6p1/entropy.c +--- openssh-6.6p1/entropy.c.fips 2015-08-13 15:09:43.238350313 +0200 ++++ openssh-6.6p1/entropy.c 2015-08-13 15:09:43.355350116 +0200 @@ -222,6 +222,9 @@ seed_rng(void) fatal("OpenSSL version mismatch. Built against %lx, you " "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); 
@@ -229,10 +233,9 @@ index b361a04..5616643 100644 #ifndef OPENSSL_PRNG_ONLY if (RAND_status() == 1) { debug3("RNG is ready, skipping seeding"); -diff --git a/kex.c b/kex.c -index bc3e53e..ede7b67 100644 ---- a/kex.c -+++ b/kex.c +diff -up openssh-6.6p1/kex.c.fips openssh-6.6p1/kex.c +--- openssh-6.6p1/kex.c.fips 2015-08-13 15:09:43.350350124 +0200 ++++ openssh-6.6p1/kex.c 2015-08-13 15:09:43.355350116 +0200 @@ -34,6 +34,7 @@ #include @@ -288,10 +291,9 @@ index bc3e53e..ede7b67 100644 free(s); return 0; } -diff --git a/kexecdhc.c b/kexecdhc.c -index 2f7629c..20c9946 100644 ---- a/kexecdhc.c -+++ b/kexecdhc.c +diff -up openssh-6.6p1/kexecdhc.c.fips openssh-6.6p1/kexecdhc.c +--- openssh-6.6p1/kexecdhc.c.fips 2014-02-04 01:20:15.000000000 +0100 ++++ openssh-6.6p1/kexecdhc.c 2015-08-13 15:09:43.355350116 +0200 @@ -154,6 +154,7 @@ kexecdh_client(Kex *kex) kex_derive_keys_bn(kex, hash, hashlen, shared_secret); @@ -300,10 +302,9 @@ index 2f7629c..20c9946 100644 kex_finish(kex); } #else /* OPENSSL_HAS_ECC */ -diff --git a/kexecdhs.c b/kexecdhs.c -index 2700b72..0820894 100644 ---- a/kexecdhs.c -+++ b/kexecdhs.c +diff -up openssh-6.6p1/kexecdhs.c.fips openssh-6.6p1/kexecdhs.c +--- openssh-6.6p1/kexecdhs.c.fips 2014-02-04 01:20:15.000000000 +0100 ++++ openssh-6.6p1/kexecdhs.c 2015-08-13 15:09:43.355350116 +0200 @@ -150,6 +150,7 @@ kexecdh_server(Kex *kex) kex_derive_keys_bn(kex, hash, hashlen, shared_secret); @@ -312,10 +313,9 @@ index 2700b72..0820894 100644 kex_finish(kex); } #else /* OPENSSL_HAS_ECC */ -diff --git a/kexgexc.c b/kexgexc.c -index 355b7ba..427e11f 100644 ---- a/kexgexc.c -+++ b/kexgexc.c +diff -up openssh-6.6p1/kexgexc.c.fips openssh-6.6p1/kexgexc.c +--- openssh-6.6p1/kexgexc.c.fips 2014-02-04 01:20:15.000000000 +0100 ++++ openssh-6.6p1/kexgexc.c 2015-08-13 15:09:43.355350116 +0200 @@ -26,6 +26,8 @@ #include "includes.h" 
@@ -341,10 +341,9 @@ index 355b7ba..427e11f 100644 max = DH_GRP_MAX; packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); packet_put_int(min); -diff --git a/kexgexs.c b/kexgexs.c -index 770ad28..9d4fc6d 100644 ---- a/kexgexs.c -+++ b/kexgexs.c +diff -up openssh-6.6p1/kexgexs.c.fips openssh-6.6p1/kexgexs.c +--- openssh-6.6p1/kexgexs.c.fips 2014-02-04 01:20:15.000000000 +0100 ++++ openssh-6.6p1/kexgexs.c 2015-08-13 15:09:43.355350116 +0200 @@ -76,16 +76,16 @@ kexgex_server(Kex *kex) omin = min = packet_get_int(); onbits = nbits = packet_get_int(); @@ -365,10 +364,9 @@ index 770ad28..9d4fc6d 100644 omax = max = DH_GRP_MAX; break; default: -diff --git a/key.c b/key.c -index 62f3edb..a2050f6 100644 ---- a/key.c -+++ b/key.c +diff -up openssh-6.6p1/key.c.fips openssh-6.6p1/key.c +--- openssh-6.6p1/key.c.fips 2015-08-13 15:09:43.345350133 +0200 ++++ openssh-6.6p1/key.c 2015-08-13 15:09:43.356350114 +0200 @@ -42,6 +42,7 @@ #include "crypto_api.h" @@ -407,10 +405,9 @@ index 62f3edb..a2050f6 100644 BN_free(f4); return private; } -diff --git a/mac.c b/mac.c -index 9388af4..cd7b034 100644 ---- a/mac.c -+++ b/mac.c +diff -up openssh-6.6p1/mac.c.fips openssh-6.6p1/mac.c +--- openssh-6.6p1/mac.c.fips 2015-08-13 15:09:43.346350131 +0200 ++++ openssh-6.6p1/mac.c 2015-08-13 15:09:43.356350114 +0200 @@ -27,6 +27,8 @@ #include @@ -472,10 +469,9 @@ index 9388af4..cd7b034 100644 if (strcmp(name, m->name) != 0) continue; if (mac != NULL) { -diff --git a/myproposal.h b/myproposal.h -index 3a0f5ae..4f35a44 100644 ---- a/myproposal.h -+++ b/myproposal.h +diff -up openssh-6.6p1/myproposal.h.fips openssh-6.6p1/myproposal.h +--- openssh-6.6p1/myproposal.h.fips 2013-12-07 01:24:02.000000000 +0100 ++++ openssh-6.6p1/myproposal.h 2015-08-13 15:10:30.288271102 +0200 @@ -88,6 +88,12 @@ "diffie-hellman-group14-sha1," \ "diffie-hellman-group1-sha1" 
@@ -512,11 +508,10 @@ index 3a0f5ae..4f35a44 100644 static char *myproposal[PROPOSAL_MAX] = { KEX_DEFAULT_KEX, -diff --git a/ssh-keygen.c b/ssh-keygen.c -index 66198e6..ccf22c8 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -195,6 +195,12 @@ type_bits_valid(int type, u_int32_t *bitsp) +diff -up openssh-6.6p1/ssh-keygen.c.fips openssh-6.6p1/ssh-keygen.c +--- openssh-6.6p1/ssh-keygen.c.fips 2015-08-13 15:09:43.296350215 +0200 ++++ openssh-6.6p1/ssh-keygen.c 2015-08-13 15:09:43.360350107 +0200 +@@ -195,6 +195,12 @@ type_bits_valid(int type, u_int32_t *bit fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); exit(1); } @@ -548,10 +543,9 @@ index 66198e6..ccf22c8 100644 printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]), fp, key_type(keys[i])); if (log_level >= SYSLOG_LEVEL_VERBOSE) -diff --git a/ssh.c b/ssh.c -index 1e6cb90..ea9193f 100644 ---- a/ssh.c -+++ b/ssh.c +diff -up openssh-6.6p1/ssh.c.fips openssh-6.6p1/ssh.c +--- openssh-6.6p1/ssh.c.fips 2014-02-27 00:17:13.000000000 +0100 ++++ openssh-6.6p1/ssh.c 2015-08-13 15:09:43.357350112 +0200 @@ -73,6 +73,8 @@ #include @@ -617,11 +611,10 @@ index 1e6cb90..ea9193f 100644 /* Open a connection to the remote host. */ if (ssh_connect(host, addrs, &hostaddr, options.port, options.address_family, options.connection_attempts, -diff --git a/sshconnect2.c b/sshconnect2.c -index b00658b..6a1562c 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -44,6 +44,8 @@ +diff -up openssh-6.6p1/sshconnect2.c.fips openssh-6.6p1/sshconnect2.c +--- openssh-6.6p1/sshconnect2.c.fips 2015-08-13 15:09:43.342350138 +0200 ++++ openssh-6.6p1/sshconnect2.c 2015-08-13 15:09:43.357350112 +0200 +@@ -46,6 +46,8 @@ #include #endif @@ -630,7 +623,7 @@ index b00658b..6a1562c 100644 #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -168,20 +170,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -170,21 +172,26 @@ ssh_kex2(char *host, struct sockaddr *ho #ifdef GSSAPI if (options.gss_keyex) { 
@@ -643,7 +636,8 @@ index b00658b..6a1562c 100644 - else - gss_host = host; - -- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); +- gss = ssh_gssapi_client_mechanisms(gss_host, +- options.gss_client_identity, options.gss_kex_algorithms); - if (gss) { - debug("Offering GSSAPI proposal: %s", gss); - xasprintf(&myproposal[PROPOSAL_KEX_ALGS], @@ -652,7 +646,7 @@ index b00658b..6a1562c 100644 + logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode"); + options.gss_keyex = 0; + } else { -+ /* Add the GSSAPI mechanisms currently supported on this ++ /* Add the GSSAPI mechanisms currently supported on this + * client to the key exchange algorithm proposal */ + orig = myproposal[PROPOSAL_KEX_ALGS]; + @@ -661,7 +655,8 @@ index b00658b..6a1562c 100644 + else + gss_host = host; + -+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); ++ gss = ssh_gssapi_client_mechanisms(gss_host, ++ options.gss_client_identity, options.gss_kex_algorithms); + if (gss) { + debug("Offering GSSAPI proposal: %s", gss); + xasprintf(&myproposal[PROPOSAL_KEX_ALGS], @@ -670,7 +665,7 @@ index b00658b..6a1562c 100644 } } #endif -@@ -193,6 +200,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *ho if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -681,7 +676,7 @@ index b00658b..6a1562c 100644 } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -208,7 +219,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *ho if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; 
@@ -693,7 +688,7 @@ index b00658b..6a1562c 100644 if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(options.hostkeyalgorithms); -@@ -220,9 +235,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *ho } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; @@ -706,10 +701,9 @@ index b00658b..6a1562c 100644 #ifdef GSSAPI /* If we've got GSSAPI algorithms, then we also support the * 'null' hostkey, as a last resort */ -diff --git a/sshd.c b/sshd.c -index b561ec8..e977de3 100644 ---- a/sshd.c -+++ b/sshd.c +diff -up openssh-6.6p1/sshd.c.fips openssh-6.6p1/sshd.c +--- openssh-6.6p1/sshd.c.fips 2015-08-13 15:09:43.352350121 +0200 ++++ openssh-6.6p1/sshd.c 2015-08-13 15:09:43.359350109 +0200 @@ -75,6 +75,8 @@ #include #include @@ -719,7 +713,7 @@ index b561ec8..e977de3 100644 #include "openbsd-compat/openssl-compat.h" #ifdef HAVE_SECUREWARE -@@ -1468,6 +1470,18 @@ main(int ac, char **av) +@@ -1473,6 +1475,18 @@ main(int ac, char **av) #endif __progname = ssh_get_progname(av[0]); @@ -738,7 +732,7 @@ index b561ec8..e977de3 100644 /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; rexec_argc = ac; -@@ -1619,8 +1633,6 @@ main(int ac, char **av) +@@ -1624,8 +1638,6 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); @@ -747,7 +741,7 @@ index b561ec8..e977de3 100644 /* If requested, redirect the logs to the specified logfile. */ if (logfile != NULL) { log_redirect_stderr_to(logfile); -@@ -1798,6 +1810,10 @@ main(int ac, char **av) +@@ -1803,6 +1815,10 @@ main(int ac, char **av) debug("private host key: #%d type %d %s", i, keytype, key_type(key ? key : pubkey)); } 
@@ -758,7 +752,7 @@ index b561ec8..e977de3 100644 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1961,6 +1977,10 @@ main(int ac, char **av) +@@ -1966,6 +1982,10 @@ main(int ac, char **av) /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -769,7 +763,7 @@ index b561ec8..e977de3 100644 /* Chdir to the root directory so that the current disk can be unmounted if desired. */ if (chdir("/") == -1) -@@ -2530,6 +2550,9 @@ do_ssh2_kex(void) +@@ -2537,6 +2557,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -779,7 +773,7 @@ index b561ec8..e977de3 100644 } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2539,6 +2562,9 @@ do_ssh2_kex(void) +@@ -2546,6 +2569,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -789,7 +783,7 @@ index b561ec8..e977de3 100644 } if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = -@@ -2549,6 +2575,8 @@ do_ssh2_kex(void) +@@ -2556,6 +2582,8 @@ do_ssh2_kex(void) } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; @@ -798,7 +792,7 @@ index b561ec8..e977de3 100644 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( myproposal[PROPOSAL_KEX_ALGS]); -@@ -2575,10 +2603,14 @@ do_ssh2_kex(void) +@@ -2582,10 +2610,14 @@ do_ssh2_kex(void) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) orig = NULL; diff --git a/SOURCES/openssh-6.6p1-fix-ssh-copy-id-on-non-sh-shell.patch b/SOURCES/openssh-6.6p1-fix-ssh-copy-id-on-non-sh-shell.patch new file mode 100644 index 0000000..358986b --- /dev/null 
+++ b/SOURCES/openssh-6.6p1-fix-ssh-copy-id-on-non-sh-shell.patch @@ -0,0 +1,15 @@ +diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id +index 8e1091c..4bba5d6 100644 +--- a/contrib/ssh-copy-id ++++ b/contrib/ssh-copy-id +@@ -274,9 +274,7 @@ case "$REMOTE_VERSION" in + populate_new_ids 0 + fi + [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" " +- umask 077 ; ++ exec sh -c 'umask 077; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1; if type restorecon >/dev/null 2>&1; then restorecon -F .ssh .ssh/authorized_keys; fi'" \ +- mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; +- if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \ + || exit 1 + ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) + ;; diff --git a/SOURCES/openssh-6.6p1-gssKexAlgorithms.patch b/SOURCES/openssh-6.6p1-gssKexAlgorithms.patch new file mode 100644 index 0000000..fec7e7f --- /dev/null +++ b/SOURCES/openssh-6.6p1-gssKexAlgorithms.patch 
@@ -0,0 +1,398 @@ +diff -up openssh-6.6p1/gss-genr.c.gsskexalg openssh-6.6p1/gss-genr.c +--- openssh-6.6p1/gss-genr.c.gsskexalg 2015-08-14 16:07:33.271343064 +0200 ++++ openssh-6.6p1/gss-genr.c 2015-08-14 16:07:33.338342936 +0200 +@@ -76,7 +76,8 @@ ssh_gssapi_oid_table_ok() { + */ + + char * +-ssh_gssapi_client_mechanisms(const char *host, const char *client) { ++ssh_gssapi_client_mechanisms(const char *host, const char *client, ++ const char *kex) { + gss_OID_set gss_supported; + OM_uint32 min_status; + +@@ -84,12 +85,12 @@ ssh_gssapi_client_mechanisms(const char + return NULL; + + return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism, +- host, client)); ++ host, client, kex)); + } + + char * + ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check, +- const char *host, const char *client) { ++ const char *host, const char *client, const char *kex) { + Buffer buf; + size_t i; + int oidpos, enclen; +@@ -98,6 +99,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup + char deroid[2]; + const EVP_MD *evp_md = EVP_md5(); + EVP_MD_CTX md; ++ char *s, *cp, *p; + + if (gss_enc2oid != NULL) { + for (i = 0; gss_enc2oid[i].encoded != NULL; i++) +@@ -111,6 +113,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup + buffer_init(&buf); + + oidpos = 0; ++ s = cp = xstrdup(kex); + for (i = 0; i < gss_supported->count; i++) { + if (gss_supported->elements[i].length < 128 && + (*check)(NULL, &(gss_supported->elements[i]), host, client)) { +@@ -129,26 +132,22 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup + enclen = __b64_ntop(digest, EVP_MD_size(evp_md), + encoded, EVP_MD_size(evp_md) * 2); + +- if (oidpos != 0) +- buffer_put_char(&buf, ','); +- +- buffer_append(&buf, KEX_GSS_GEX_SHA1_ID, +- sizeof(KEX_GSS_GEX_SHA1_ID) - 1); +- buffer_append(&buf, encoded, enclen); +- buffer_put_char(&buf, ','); +- buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, +- sizeof(KEX_GSS_GRP1_SHA1_ID) - 1); +- buffer_append(&buf, encoded, enclen); +- buffer_put_char(&buf, ','); +- 
buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID, +- sizeof(KEX_GSS_GRP14_SHA1_ID) - 1); +- buffer_append(&buf, encoded, enclen); ++ cp = strncpy(s, kex, strlen(kex)); ++ for ((p = strsep(&cp, ",")); p && *p != '\0'; ++ (p = strsep(&cp, ","))) { ++ if (buffer_len(&buf) != 0) ++ buffer_put_char(&buf, ','); ++ buffer_append(&buf, p, ++ strlen(p)); ++ buffer_append(&buf, encoded, enclen); ++ } + + gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); + gss_enc2oid[oidpos].encoded = encoded; + oidpos++; + } + } ++ free(s); + gss_enc2oid[oidpos].oid = NULL; + gss_enc2oid[oidpos].encoded = NULL; + +diff -up openssh-6.6p1/gss-serv.c.gsskexalg openssh-6.6p1/gss-serv.c +--- openssh-6.6p1/gss-serv.c.gsskexalg 2015-08-14 16:07:33.296343016 +0200 ++++ openssh-6.6p1/gss-serv.c 2015-08-14 16:07:33.338342936 +0200 +@@ -151,7 +151,7 @@ ssh_gssapi_server_mechanisms() { + + ssh_gssapi_supported_oids(&supported); + return (ssh_gssapi_kex_mechs(supported, &ssh_gssapi_server_check_mech, +- NULL, NULL)); ++ NULL, NULL, options.gss_kex_algorithms)); + } + + /* Unprivileged */ +diff -up openssh-6.6p1/kex.c.gsskexalg openssh-6.6p1/kex.c +--- openssh-6.6p1/kex.c.gsskexalg 2015-08-14 16:07:33.271343064 +0200 ++++ openssh-6.6p1/kex.c 2015-08-14 16:07:33.339342935 +0200 +@@ -160,6 +160,29 @@ kex_names_valid(const char *names) + return 1; + } + ++/* Validate GSS KEX method name list */ ++int ++gss_kex_names_valid(const char *names) ++{ ++ char *s, *cp, *p; ++ ++ if (names == NULL || *names == '\0') ++ return 0; ++ s = cp = xstrdup(names); ++ for ((p = strsep(&cp, ",")); p && *p != '\0'; ++ (p = strsep(&cp, ","))) { ++ if (strncmp(p, "gss-", 4) != 0 ++ || kex_alg_by_name(p) == NULL) { ++ error("Unsupported KEX algorithm \"%.100s\"", p); ++ free(s); ++ return 0; ++ } ++ } ++ debug3("gss kex names ok: [%s]", names); ++ free(s); ++ return 1; ++} ++ + /* put algorithm proposal into buffer */ + static void + kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX]) +diff -up 
openssh-6.6p1/readconf.c.gsskexalg openssh-6.6p1/readconf.c +--- openssh-6.6p1/readconf.c.gsskexalg 2015-08-14 16:07:33.274343058 +0200 ++++ openssh-6.6p1/readconf.c 2015-08-14 16:14:17.600574919 +0200 +@@ -55,6 +55,7 @@ + #include "kex.h" + #include "mac.h" + #include "uidswap.h" ++#include "ssh-gss.h" + + /* Format of the configuration file: + +@@ -142,7 +143,7 @@ typedef enum { + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, + oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, +- oGssServerIdentity, ++ oGssServerIdentity, oGssKexAlgorithms, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -191,6 +192,7 @@ static struct { + { "gssapiclientidentity", oGssClientIdentity }, + { "gssapiserveridentity", oGssServerIdentity }, + { "gssapirenewalforcesrekey", oGssRenewalRekey }, ++ { "gssapikexalgorithms", oGssKexAlgorithms }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapikeyexchange", oUnsupported }, +@@ -198,6 +200,7 @@ static struct { + { "gssapitrustdns", oUnsupported }, + { "gssapiclientidentity", oUnsupported }, + { "gssapirenewalforcesrekey", oUnsupported }, ++ { "gssapikexalgorithms", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -876,6 +879,18 @@ parse_time: + intptr = &options->gss_renewal_rekey; + goto parse_flag; + ++ case oGssKexAlgorithms: ++ arg = strdelim(&s); ++ if (!arg || *arg == '\0') ++ fatal("%.200s line %d: Missing argument.", ++ filename, linenum); ++ if (!gss_kex_names_valid(arg)) ++ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.", ++ filename, linenum, arg ? 
arg : ""); ++ if (*activep && options->gss_kex_algorithms == NULL) ++ options->gss_kex_algorithms = xstrdup(arg); ++ break; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1534,6 +1549,7 @@ initialize_options(Options * options) + options->gss_renewal_rekey = -1; + options->gss_client_identity = NULL; + options->gss_server_identity = NULL; ++ options->gss_kex_algorithms = NULL; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1660,6 +1676,8 @@ fill_default_options(Options * options) + options->gss_trust_dns = 0; + if (options->gss_renewal_rekey == -1) + options->gss_renewal_rekey = 0; ++ if (options->gss_kex_algorithms == NULL) ++ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX); + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +diff -up openssh-6.6p1/readconf.h.gsskexalg openssh-6.6p1/readconf.h +--- openssh-6.6p1/readconf.h.gsskexalg 2015-08-14 16:07:33.274343058 +0200 ++++ openssh-6.6p1/readconf.h 2015-08-14 16:07:33.339342935 +0200 +@@ -60,6 +60,7 @@ typedef struct { + int gss_renewal_rekey; /* Credential renewal forces rekey */ + char *gss_client_identity; /* Principal to initiate GSSAPI with */ + char *gss_server_identity; /* GSSAPI target principal */ ++ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. 
*/ +diff -up openssh-6.6p1/servconf.c.gsskexalg openssh-6.6p1/servconf.c +--- openssh-6.6p1/servconf.c.gsskexalg 2015-08-14 16:07:45.704319443 +0200 ++++ openssh-6.6p1/servconf.c 2015-08-14 16:14:15.306579277 +0200 +@@ -54,6 +54,7 @@ + #include "packet.h" + #include "hostfile.h" + #include "auth.h" ++#include "ssh-gss.h" + + static void add_listen_addr(ServerOptions *, char *, int); + static void add_one_listen_addr(ServerOptions *, char *, int); +@@ -112,6 +113,7 @@ initialize_server_options(ServerOptions + options->gss_cleanup_creds = -1; + options->gss_strict_acceptor = -1; + options->gss_store_rekey = -1; ++ options->gss_kex_algorithms = NULL; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->challenge_response_authentication = -1; +@@ -258,6 +260,8 @@ fill_default_server_options(ServerOption + options->gss_strict_acceptor = 1; + if (options->gss_store_rekey == -1) + options->gss_store_rekey = 0; ++ if (options->gss_kex_algorithms == NULL) ++ options->gss_kex_algorithms = strdup(GSS_KEX_DEFAULT_KEX); + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +@@ -360,7 +364,7 @@ typedef enum { + sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, + sClientAliveCountMax, sAuthorizedKeysFile, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, +- sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, ++ sGssKeyEx, sGssStoreRekey, sGssKexAlgorithms, sAcceptEnv, sPermitTunnel, + sMatch, sPermitOpen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, + sHostCertificate, +@@ -434,6 +438,7 @@ static struct { + { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, + { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, + { "gssapienablek5users", sGssEnablek5users, SSHCFG_ALL }, ++ { "gssapikexalgorithms", sGssKexAlgorithms, SSHCFG_GLOBAL }, + #else + { 
"gssapiauthentication", sUnsupported, SSHCFG_ALL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, +@@ -442,6 +447,7 @@ static struct { + { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, + { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, + { "gssapienablek5users", sUnsupported, SSHCFG_ALL }, ++ { "gssapikexalgorithms", sUnsupported, SSHCFG_GLOBAL }, + #endif + { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, + { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, +@@ -1137,6 +1143,18 @@ process_server_config_line(ServerOptions + intptr = &options->gss_store_rekey; + goto parse_flag; + ++ case sGssKexAlgorithms: ++ arg = strdelim(&cp); ++ if (!arg || *arg == '\0') ++ fatal("%.200s line %d: Missing argument.", ++ filename, linenum); ++ if (!gss_kex_names_valid(arg)) ++ fatal("%.200s line %d: Bad GSSAPI KexAlgorithms '%s'.", ++ filename, linenum, arg ? arg : ""); ++ if (*activep && options->gss_kex_algorithms == NULL) ++ options->gss_kex_algorithms = xstrdup(arg); ++ break; ++ + case sPasswordAuthentication: + intptr = &options->password_authentication; + goto parse_flag; +@@ -2068,6 +2086,7 @@ dump_config(ServerOptions *o) + dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); + dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); + dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); ++ dump_cfg_string(sGssKexAlgorithms, o->gss_kex_algorithms); + #endif + dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); + dump_cfg_fmtint(sKbdInteractiveAuthentication, +diff -up openssh-6.6p1/servconf.h.gsskexalg openssh-6.6p1/servconf.h +--- openssh-6.6p1/servconf.h.gsskexalg 2015-08-14 16:07:48.160314777 +0200 ++++ openssh-6.6p1/servconf.h 2015-08-14 16:09:34.447112854 +0200 +@@ -116,6 +116,7 @@ typedef struct { + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ + int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ + int gss_store_rekey; ++ char *gss_kex_algorithms; /* 
GSSAPI kex methods to be offered by client. */ + int password_authentication; /* If true, permit password + * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ +diff -up openssh-6.6p1/sshconnect2.c.gsskexalg openssh-6.6p1/sshconnect2.c +--- openssh-6.6p1/sshconnect2.c.gsskexalg 2015-08-14 16:07:33.304343001 +0200 ++++ openssh-6.6p1/sshconnect2.c 2015-08-14 16:07:33.339342935 +0200 +@@ -179,7 +179,8 @@ ssh_kex2(char *host, struct sockaddr *ho + else + gss_host = host; + +- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); ++ gss = ssh_gssapi_client_mechanisms(gss_host, ++ options.gss_client_identity, options.gss_kex_algorithms); + if (gss) { + debug("Offering GSSAPI proposal: %s", gss); + xasprintf(&myproposal[PROPOSAL_KEX_ALGS], +diff -up openssh-6.6p1/ssh-gss.h.gsskexalg openssh-6.6p1/ssh-gss.h +--- openssh-6.6p1/ssh-gss.h.gsskexalg 2015-08-14 16:07:33.278343050 +0200 ++++ openssh-6.6p1/ssh-gss.h 2015-08-14 16:07:33.340342932 +0200 +@@ -76,6 +76,11 @@ extern char **k5users_allowed_cmds; + #define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-" + #define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-" + ++#define GSS_KEX_DEFAULT_KEX \ ++ KEX_GSS_GEX_SHA1_ID "," \ ++ KEX_GSS_GRP1_SHA1_ID "," \ ++ KEX_GSS_GRP14_SHA1_ID ++ + typedef struct { + char *filename; + char *envvar; +@@ -147,9 +152,9 @@ int ssh_gssapi_credentials_updated(Gssct + /* In the server */ + typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, + const char *); +-char *ssh_gssapi_client_mechanisms(const char *, const char *); ++char *ssh_gssapi_client_mechanisms(const char *, const char *, const char *); + char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *, +- const char *); ++ const char *, const char *); + gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int); + int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, + const char *); +diff --git a/ssh.1 b/ssh.1 +index 4a7d1cd..c795c40 100644 +--- a/ssh.1 ++++ b/ssh.1 
+@@ -449,6 +449,7 @@ For full details of the options listed below, and their possible values, see + .It GSSAPIDelegateCredentials + .It GSSAPIRenewalForcesRekey + .It GSSAPITrustDns ++.It GSSAPIKexAlgorithms + .It HashKnownHosts + .It Host + .It HostbasedAuthentication +diff --git a/ssh_config.5 b/ssh_config.5 +index c95fda6..a2af9c4 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -719,6 +719,18 @@ command line will be passed untouched to the GSSAPI library. + The default is + .Dq no . + This option only applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPIKexAlgorithms ++The list of key exchange algorithms that are offered for GSSAPI ++key exchange. Possible values are ++.Bd -literal -offset 3n ++gss-gex-sha1-, ++gss-group1-sha1-, ++gss-group14-sha1- ++.Ed ++.Pp ++The default is ++.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +diff --git a/sshd_config.5 b/sshd_config.5 +index 5e8c6c6..4c670aa 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -545,6 +545,18 @@ Controls whether the user's GSSAPI credentials should be updated following a + successful connection rekeying. This option can be used to accepted renewed + or updated credentials from a compatible client. The default is + .Dq no . ++.It Cm GSSAPIKexAlgorithms ++The list of key exchange algorithms that are accepted by GSSAPI ++key exchange. Possible values are ++.Bd -literal -offset 3n ++gss-gex-sha1-, ++gss-group1-sha1-, ++gss-group14-sha1- ++.Ed ++.Pp ++The default is ++.Dq gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1- . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HostbasedAuthentication + Specifies whether rhosts or /etc/hosts.equiv authentication together + with successful public key client host authentication is allowed 
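Review bot: The per-mechanism reset in ssh_gssapi_kex_mechs, `cp = strncpy(s, kex, strlen(kex));`, only yields a terminated string because strncpy with a length of exactly strlen(kex) never touches the NUL that the earlier xstrdup(kex) left in place; that is an accident of the allocation rather than something the code states, and `memcpy(s, kex, strlen(kex) + 1); cp = s;` expresses the intent (restore the comma-separated copy that strsep has carved up) without relying on it. The strsep loops in both ssh_gssapi_kex_mechs and gss_kex_names_valid stop at the first empty element, so a list such as `gss-gex-sha1-,,gss-group14-sha1-` passes validation yet silently offers only the first algorithm; having gss_kex_names_valid reject an empty element (`if (*p == '\0') { error("empty GSSAPI KEX algorithm name"); ... }`) would surface the misconfiguration instead. Note also that GSS_KEX_DEFAULT_KEX keeps gss-group1-sha1- (a 1024-bit DH group) in the default proposal on both client and server; the new GSSAPIKexAlgorithms option is the right knob to drop it, and a sentence in the ssh_config/sshd_config text recommending that would help administrators use it. Both loop bodies are shown only in part by the inner hunks.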
diff --git a/SOURCES/openssh-6.6p1-ldap.patch b/SOURCES/openssh-6.6p1-ldap.patch index 961cdf5..fb8dd2b 100644 --- a/SOURCES/openssh-6.6p1-ldap.patch +++ b/SOURCES/openssh-6.6p1-ldap.patch @@ -3,7 +3,7 @@ new file mode 100644 index 0000000..dd5f5cc --- /dev/null +++ b/HOWTO.ldap-keys -@@ -0,0 +1,108 @@ +@@ -0,0 +1,125 @@ + +HOW TO START + @@ -51,6 +51,9 @@ index 0000000..dd5f5cc + * There are some debug options + * Example + /usr/libexec/openssh -s -f /etc/ldap.conf -w -d >> /tmp/ldapdebuglog.txt ++7) Configure SELinux boolean which allows ldap-helper to bind ldap server ++ Run this command ++ # setsebool -P authlogin_nsswitch_use_ldap on + +HOW TO MIGRATE FROM LPK + @@ -66,6 +69,20 @@ index 0000000..dd5f5cc + * ssh-ldap-helper -d -d -d -d -s +3) use tcpdump ... other ldap client etc. + ++HOW TO CONFIGURE SSH FOR OTHER LDAP CONFIGURATION / SERVER /SCHEMA ++ ++You can adjust search format string in /etc/ldap.conf using ++ 1) SSH_Filter option to limit results for only specified users ++ (this appends search condition after original query) ++ 2) Account_Class option to define own user class name ++ (default is posixAccount) ++ 3) Search_Format option to define your own search string using expansion ++ characters %u for username and %f for above mentioned filter and ++ %c for above mentioned object class. ++ ++Example: ++Search_Format (&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f) ++ +ADVANTAGES + +1) Blocking an user account can be done directly from LDAP (if sshd is using PubkeyAuthentication + AuthorizedKeysCommand with ldap only). @@ -619,7 +636,7 @@ new file mode 100644 index 0000000..3029108 --- /dev/null +++ b/ldapbody.c -@@ -0,0 +1,494 @@ +@@ -0,0 +1,493 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. 
@@ -653,8 +670,9 @@ index 0000000..3029108 +#include "ldapbody.h" +#include +#include ++#include "misc.h" + -+#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)" ++#define LDAPSEARCH_FORMAT "(&(objectclass=%c)(objectclass=ldapPublicKey)(uid=%u)%f)" +#define PUBKEYATTR "sshPublicKey" +#define LDAP_LOGFILE "%s/ldap.%d" + @@ -1041,8 +1059,8 @@ index 0000000..3029108 +process_user (const char *user, FILE *output) +{ + LDAPMessage *res, *e; -+ char *buffer; -+ int bufflen, rc, i; ++ char *buffer, *format; ++ int rc, i; + struct timeval timeout; + + debug ("LDAP process user"); @@ -1055,12 +1073,10 @@ index 0000000..3029108 + } + + /* build filter for LDAP request */ -+ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user); -+ if (options.ssh_filter != NULL) -+ bufflen += strlen (options.ssh_filter); -+ buffer = xmalloc (bufflen); -+ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL); -+ buffer[bufflen - 1] = 0; ++ format = LDAPSEARCH_FORMAT; ++ if (options.search_format != NULL) ++ format = options.search_format; ++ buffer = percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL); + + debug3 ("LDAP search scope = %d %s", options.scope, buffer); + @@ -1162,7 +1178,7 @@ new file mode 100644 index 0000000..525060a --- /dev/null +++ b/ldapconf.c -@@ -0,0 +1,720 @@ +@@ -0,0 +1,729 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. @@ -1206,7 +1222,7 @@ index 0000000..525060a + lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals, + lRestart, lTLS_CheckPeer, lTLS_CaCertFile, + lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key, -+ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, ++ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter, lSearch_Format, + lAccountClass, lDeprecated, lUnsupported +} OpCodes; + 
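Review bot: In process_user the new filter construction, `percent_expand(format, "c", options.account_class, "u", user, "f", options.ssh_filter, (char *)NULL)`, passes options.ssh_filter through as-is, and SSH_Filter is documented as having no default; OpenSSH's percent_expand treats a NULL replacement as fatal, so unless ldapconf's defaults substitute an empty string for an unset filter (not visible here) the helper would die on every lookup in the common unfiltered configuration, and `options.ssh_filter != NULL ? options.ssh_filter : ""` avoids that regardless. The user name is also interpolated into the LDAP filter unescaped; sshd only runs AuthorizedKeysCommand for an account that resolves, but a name containing `*`, `(`, `)` or `\` still changes the filter's meaning, so escaping %u per RFC 4515 before expansion is cheap defence in depth now that the format is administrator-configurable. A Search_Format containing a %-sequence other than %c/%u/%f will presumably also be fatal inside percent_expand rather than reported at config-parse time, which is worth a line in the option's documentation.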
@@ -1259,6 +1275,7 @@ index 0000000..525060a + { "LogDir", lLogDir }, + { "Debug", lDebug }, + { "SSH_Filter", lSSH_Filter }, ++ { "Search_Format", lSearch_Format }, + { "AccountClass", lAccountClass }, + { NULL, lBadOption } +}; @@ -1479,6 +1496,7 @@ index 0000000..525060a + else + fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum); + if (*intptr == -1) ++ *intptr = value; + break; + + case lSSLPath: @@ -1543,6 +1561,7 @@ index 0000000..525060a + else + fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum); + if (*intptr == -1) ++ *intptr = value; + break; + + case lTLS_CaCertFile: @@ -1581,6 +1600,10 @@ index 0000000..525060a + xstringptr = &options.ssh_filter; + goto parse_xstring; + ++ case lSearch_Format: ++ charptr = &options.search_format; ++ goto parse_string; ++ + case lAccountClass: + charptr = &options.account_class; + goto parse_string; @@ -1688,6 +1711,7 @@ index 0000000..525060a + options.logdir = NULL; + options.debug = -1; + options.ssh_filter = NULL; ++ options.search_format = NULL; + options.account_class = NULL; +} + @@ -1880,6 +1904,7 @@ index 0000000..525060a + dump_cfg_string(lLogDir, options.logdir); + dump_cfg_int(lDebug, options.debug); + dump_cfg_string(lSSH_Filter, options.ssh_filter); ++ dump_cfg_string(lSearch_Format, options.search_format); + dump_cfg_string(lAccountClass, options.logdir); +} + @@ -1888,7 +1913,7 @@ new file mode 100644 index 0000000..2cb550c --- /dev/null +++ b/ldapconf.h -@@ -0,0 +1,72 @@ +@@ -0,0 +1,73 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* + * Copyright (c) 2009 Jan F. Chadima. All rights reserved. @@ -1950,6 +1975,7 @@ index 0000000..2cb550c + char *logdir; + int debug; + char *ssh_filter; ++ char *search_format; + char *account_class; +} Options; + 
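Review bot: The dump_config hunk adds `dump_cfg_string(lSearch_Format, options.search_format);` directly above an existing line that prints the wrong field, `dump_cfg_string(lAccountClass, options.logdir);`, so `-T`-style output will show the log directory under the AccountClass label; since this patch already touches that block, change it to `dump_cfg_string(lAccountClass, options.account_class);`. The two `*intptr = value;` additions in the soft/hard and TLS_CheckPeer parsers fix branches that previously validated the argument and then discarded it, which is the right fix; a regression test that parses `Bind_Policy hard` and checks the resulting option would keep it from silently reverting.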
@@ -2649,8 +2675,14 @@ index 0000000..f7081b8 +Specifies the debug level used for logging by the LDAP client library. +There is no default. +.It Cm SSH_Filter -+Specifies the user filter applied on the LDAP serch. ++Specifies the user filter applied on the LDAP search. +The default is no filter. ++.It Cm search_format ++Specifies the user format of search string in LDAP substituting %u for user name ++and %f for additional ssh filter ++.Cm SSH_Filter ++(optional). ++The default value is (&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%u)%f) +.It Cm AccountClass +Specifies the LDAP class used to find user accounts. +The default is posixAccount. 
@@ -2670,3 +2702,51 @@ index 0000000..f7081b8 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com +diff --git a/openssh-lpk-openldap.ldif b/openssh-lpk-openldap.ldif +new file mode 100644 +index 0000000..9adf4b8 +--- /dev/null ++++ b/openssh-lpk-openldap.ldif +@@ -0,0 +1,19 @@ ++# ++# LDAP Public Key Patch schema for use with openssh-ldappubkey ++# useful with PKA-LDAP also ++# ++# Author: Eric AUGE ++# ++# LDIF for openLDAP Directory Server. ++# Based on the original schema, modified by Jakub Jelen. ++# ++ ++dn: cn=openssh-lpk,cn=schema,cn=config ++objectClass: olcSchemaConfig ++cn: openssh-lpk ++olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 ++ NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' ++ EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) ++olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 ++ NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass' ++ SUP top AUXILIARY MUST ( sshPublicKey $ uid ) ) +diff --git a/openssh-lpk-sun.ldif b/openssh-lpk-sun.ldif +new file mode 100644 +index 0000000..9adf4b8 +--- /dev/null ++++ b/openssh-lpk-sun.ldif +@@ -0,0 +1,17 @@ ++# ++# LDAP Public Key Patch schema for use with openssh-ldappubkey ++# useful with PKA-LDAP also ++# ++# Author: Eric AUGE ++# ++# LDIF for Sun Directory Server. ++# Based on the original schema, modified by Jakub Jelen. ++# ++ ++dn: cn=schema ++attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 ++ NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' ++ EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) ++objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 ++ NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass' ++ SUP top AUXILIARY MUST ( sshPublicKey $ uid ) ) diff --git a/SOURCES/openssh-6.6p1-memory-problems.patch b/SOURCES/openssh-6.6p1-memory-problems.patch new file mode 100644 index 0000000..f359193 --- /dev/null +++ b/SOURCES/openssh-6.6p1-memory-problems.patch 
@@ -0,0 +1,43 @@ +diff --git a/servconf.c b/servconf.c +index ad5869b..0255ed3 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -1910,6 +1910,8 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) + dst->n = src->n; \ + } while (0) + ++ u_int i; ++ + M_CP_INTOPT(password_authentication); + M_CP_INTOPT(gss_authentication); + M_CP_INTOPT(rsa_authentication); +@@ -1947,8 +1949,10 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) + } while(0) + #define M_CP_STRARRAYOPT(n, num_n) do {\ + if (src->num_n != 0) { \ ++ for (i = 0; i < dst->num_n; i++) \ ++ free(dst->n[i]); \ + for (dst->num_n = 0; dst->num_n < src->num_n; dst->num_n++) \ +- dst->n[dst->num_n] = xstrdup(src->n[dst->num_n]); \ ++ dst->n[dst->num_n] = src->n[dst->num_n]; \ + } \ + } while(0) + +diff --git a/sshd.c b/sshd.c +index 7e43153..f2a08f6 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2160,10 +2160,12 @@ main(int ac, char **av) + } + #endif /* LIBWRAP */ + ++ char *addr = get_local_ipaddr(sock_in); + /* Log the connection. */ + verbose("Connection from %s port %d on %s port %d", + remote_ip, remote_port, +- get_local_ipaddr(sock_in), get_local_port()); ++ addr, get_local_port()); ++ free(addr); + + /* + * We don't want to listen forever unless the other side diff --git a/SOURCES/openssh-6.6p1-security-7.0.patch b/SOURCES/openssh-6.6p1-security-7.0.patch new file mode 100644 index 0000000..1e6963d --- /dev/null +++ b/SOURCES/openssh-6.6p1-security-7.0.patch 
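Review bot: The rewritten M_CP_STRARRAYOPT stores `src->n[i]` pointers into dst (`dst->n[dst->num_n] = src->n[dst->num_n];`) instead of xstrdup copies, so after copy_set_server_options returns, dst and src own the same strings; the macro also frees dst's previous entries on the next copy, so a second copy from the same src, or any future cleanup of src's strings, becomes a double free. If every caller currently discards src without freeing its strings (which is what turning this into a leak fix suggests, though the callers are outside the hunk) it is safe today, but the ownership transfer should be made explicit by clearing the source slot, `src->n[dst->num_n] = NULL;`, right after the assignment, or by keeping xstrdup and freeing src's entries in the caller. A one-line comment on the macro stating that it takes ownership of src's strings would also stop the next reader from "fixing" it back to xstrdup.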
@@ -0,0 +1,44 @@ +diff --git a/monitor.c b/monitor.c +index b410965..f1b873d 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -1084,9 +1084,7 @@ extern KbdintDevice sshpam_device; + int + mm_answer_pam_init_ctx(int sock, Buffer *m) + { +- + debug3("%s", __func__); +- authctxt->user = buffer_get_string(m, NULL); + sshpam_ctxt = (sshpam_device.init_ctx)(authctxt); + sshpam_authok = NULL; + buffer_clear(m); +@@ -1166,14 +1166,16 @@ mm_answer_pam_respond(int sock, Buffer *m) + int + mm_answer_pam_free_ctx(int sock, Buffer *m) + { ++ int r = sshpam_authok != NULL && sshpam_authok == sshpam_ctxt; + + debug3("%s", __func__); + (sshpam_device.free_ctx)(sshpam_ctxt); ++ sshpam_ctxt = sshpam_authok = NULL; + buffer_clear(m); + mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); + auth_method = "keyboard-interactive"; + auth_submethod = "pam"; +- return (sshpam_authok == sshpam_ctxt); ++ return r; + } + #endif + +diff --git a/monitor_wrap.c b/monitor_wrap.c +index e6217b3..eac421b 100644 +--- a/monitor_wrap.c ++++ b/monitor_wrap.c +@@ -614,7 +614,6 @@ mm_sshpam_init_ctx(Authctxt *authctxt) + + debug3("%s", __func__); + buffer_init(&m); +- buffer_put_cstring(&m, authctxt->user); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); + debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m); diff --git a/SOURCES/openssh-6.6p1-sftp-force-permission.patch b/SOURCES/openssh-6.6p1-sftp-force-permission.patch new file mode 100644 index 0000000..2853bdd --- /dev/null +++ b/SOURCES/openssh-6.6p1-sftp-force-permission.patch 
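Review bot: mm_answer_pam_init_ctx still assigns sshpam_ctxt unconditionally, so a second MONITOR_REQ_PAM_INIT_CTX from a compromised unprivileged child overwrites and leaks the live PAM context and resets sshpam_authok; unless the dispatch table already makes that request one-shot (not visible here), a guard `if (sshpam_ctxt != NULL) fatal("%s: already called", __func__);` at the top of the function closes that path too. The mm_answer_pam_free_ctx change is correct as written: `r` is computed before free_ctx runs and both static pointers are cleared, which removes the use-after-free and the comparison against a dangling pointer. Dropping the user string from the request on both sides relies on authctxt->user already having been set by the monitor's own PWNAM handling; a short comment on the monitor side saying so would discourage anyone from re-adding the client-supplied copy.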
@@ -0,0 +1,81 @@ +diff -up openssh-6.6p1/sftp-server.8.sftp-force-mode openssh-6.6p1/sftp-server.8 +--- openssh-6.6p1/sftp-server.8.sftp-force-mode 2013-10-15 03:07:05.000000000 +0200 ++++ openssh-6.6p1/sftp-server.8 2015-04-20 14:04:47.427562510 +0200 +@@ -38,6 +38,7 @@ + .Op Fl P Ar blacklisted_requests + .Op Fl p Ar whitelisted_requests + .Op Fl u Ar umask ++.Op Fl m Ar force_file_perms + .Ek + .Nm + .Fl Q Ar protocol_feature +@@ -138,6 +139,10 @@ Sets an explicit + .Xr umask 2 + to be applied to newly-created files and directories, instead of the + user's default mask. ++.It Fl m Ar force_file_perms ++Sets explicit file permissions to be applied to newly-created files instead ++of the default or client requested mode. Numeric values include: ++777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set. + .El + .Pp + For logging to work, +diff -up openssh-6.6p1/sftp-server.c.sftp-force-mode openssh-6.6p1/sftp-server.c +--- openssh-6.6p1/sftp-server.c.sftp-force-mode 2015-04-20 14:04:47.420562526 +0200 ++++ openssh-6.6p1/sftp-server.c 2015-04-20 14:07:13.799231025 +0200 +@@ -71,6 +71,10 @@ static Buffer oqueue; + /* Version of client */ + static u_int version; + ++/* Force file permissions */ ++int permforce = 0; ++long permforcemode; ++ + /* SSH2_FXP_INIT received */ + static int init_done; + +@@ -675,6 +679,10 @@ process_open(u_int32_t id) + a = get_attrib(); + flags = flags_from_portable(pflags); + mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? 
a->perm : 0666; ++ if (permforce == 1) { /* Force perm if -m is set */ ++ mode = permforcemode; ++ (void)umask(0); /* so umask does not interfere */ ++ } + logit("open \"%s\" flags %s mode 0%o", + name, string_from_portable(pflags), mode); + if (readonly && +@@ -1430,7 +1438,7 @@ sftp_server_usage(void) + fprintf(stderr, + "usage: %s [-ehR] [-d start_directory] [-f log_facility] " + "[-l log_level]\n\t[-P blacklisted_requests] " +- "[-p whitelisted_requests] [-u umask]\n" ++ "[-p whitelisted_requests] [-u umask] [-m force_file_perms]\n" + " %s -Q protocol_feature\n", + __progname, __progname); + exit(1); +@@ -1455,7 +1463,7 @@ sftp_server_main(int argc, char **argv, + pw = pwcopy(user_pw); + + while (!skipargs && (ch = getopt(argc, argv, +- "d:f:l:P:p:Q:u:cehR")) != -1) { ++ "d:f:l:P:p:Q:u:m:cehR")) != -1) { + switch (ch) { + case 'Q': + if (strcasecmp(optarg, "requests") != 0) { +@@ -1515,6 +1523,15 @@ sftp_server_main(int argc, char **argv, + fatal("Invalid umask \"%s\"", optarg); + (void)umask((mode_t)mask); + break; ++ case 'm': ++ /* Force permissions on file received via sftp */ ++ permforce = 1; ++ permforcemode = strtol(optarg, &cp, 8); ++ if (permforcemode < 0 || permforcemode > 0777 || ++ *cp != '\0' || (permforcemode == 0 && ++ errno != 0)) ++ fatal("Invalid file mode \"%s\"", optarg); ++ break; + case 'h': + default: + sftp_server_usage(); diff --git a/SOURCES/openssh-6.6p1-ssh-agent-and-xsecurity-bypass.patch b/SOURCES/openssh-6.6p1-ssh-agent-and-xsecurity-bypass.patch new file mode 100644 index 0000000..3435cf2 --- /dev/null +++ b/SOURCES/openssh-6.6p1-ssh-agent-and-xsecurity-bypass.patch 
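Review bot: `(void)umask(0);` in process_open changes the process-wide umask permanently on the first forced-mode open, so every later request that creates something, process_mkdir in particular (outside this hunk), then honours the client-requested mode unmasked, and a client can create world-writable directories even though -m is documented as applying to files only. Leave the umask alone and apply the forced mode to the file instead: keep `mode = permforcemode;`, and after the open() later in process_open call `fchmod(fd, permforcemode)` on success (or save the old umask around the open and restore it). In the -m parser errno is checked after strtol without being reset, so `permforcemode == 0 && errno != 0` can reject a valid `-m 0` on a stale errno from an earlier call; add `errno = 0;` before the strtol. process_open continues past the hunk, so the open() the fchmod would follow is not visible here.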
@@ -0,0 +1,214 @@
+diff -up openssh-6.6p1/channels.c.security openssh-6.6p1/channels.c
+--- openssh-6.6p1/channels.c.security 2015-07-01 19:27:08.521162690 +0200
++++ openssh-6.6p1/channels.c 2015-07-01 19:27:08.597162521 +0200
+@@ -151,6 +151,9 @@ static char *x11_saved_proto = NULL;
+ static char *x11_saved_data = NULL;
+ static u_int x11_saved_data_len = 0;
+
++/* Deadline after which all X11 connections are refused */
++static u_int x11_refuse_time;
++
+ /*
+ * Fake X11 authentication data. This is what the server will be sending us;
+ * we should replace any occurrences of this by the real data.
+@@ -894,6 +897,13 @@ x11_open_helper(Buffer *b)
+ u_char *ucp;
+ u_int proto_len, data_len;
+
++ /* Is this being called after the refusal deadline? */
++ if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
++ verbose("Rejected X11 connection after ForwardX11Timeout "
++ "expired");
++ return -1;
++ }
++
+ /* Check if the fixed size part of the packet is in buffer. */
+ if (buffer_len(b) < 12)
+ return 0;
+@@ -1457,6 +1467,12 @@ channel_set_reuseaddr(int fd)
+ error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
+ }
+
++void
++channel_set_x11_refuse_time(u_int refuse_time)
++{
++ x11_refuse_time = refuse_time;
++}
++
+ /*
+ * This socket is listening for connections to a forwarded TCP/IP port.
+ */
+diff -up openssh-6.6p1/channels.h.security openssh-6.6p1/channels.h
+--- openssh-6.6p1/channels.h.security 2015-07-01 19:27:08.597162521 +0200
++++ openssh-6.6p1/channels.h 2015-07-01 19:43:32.900950560 +0200
+@@ -279,6 +279,7 @@ int permitopen_port(const char *);
+
+ /* x11 forwarding */
+
++void channel_set_x11_refuse_time(u_int);
+ int x11_connect_display(void);
+ int x11_create_display_inet(int, int, int, u_int *, int **);
+ void x11_input_open(int, u_int32_t, void *);
+diff -up openssh-6.6p1/clientloop.c.security openssh-6.6p1/clientloop.c
+--- openssh-6.6p1/clientloop.c.security 2015-07-01 19:27:08.540162648 +0200
++++ openssh-6.6p1/clientloop.c 2015-07-01 19:44:51.139761508 +0200
+@@ -164,7 +164,7 @@ static int connection_in; /* Connection
+ static int connection_out; /* Connection to server (output). */
+ static int need_rekeying; /* Set to non-zero if rekeying is requested. */
+ static int session_closed; /* In SSH2: login session closed. */
+-static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
++static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time.
*/
+
+ static void client_init_dispatch(void);
+ int session_ident = -1;
+@@ -302,7 +302,8 @@ client_x11_display_valid(const char *dis
+ return 1;
+ }
+
+-#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
++#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
++#define X11_TIMEOUT_SLACK 60
+ void
+ client_x11_get_proto(const char *display, const char *xauth_path,
+ u_int trusted, u_int timeout, char **_proto, char **_data)
+@@ -315,7 +316,7 @@ client_x11_get_proto(const char *display
+ int got_data = 0, generated = 0, do_unlink = 0, i;
+ char *xauthdir, *xauthfile;
+ struct stat st;
+- u_int now;
++ u_int now, x11_timeout_real;
+
+ xauthdir = xauthfile = NULL;
+ *_proto = proto;
+@@ -348,6 +349,15 @@ client_x11_get_proto(const char *display
+ xauthdir = xmalloc(MAXPATHLEN);
+ xauthfile = xmalloc(MAXPATHLEN);
+ mktemp_proto(xauthdir, MAXPATHLEN);
++ /*
++ * The authentication cookie should briefly outlive
++ * ssh's willingness to forward X11 connections to
++ * avoid nasty fail-open behaviour in the X server.
++ */
++ if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
++ x11_timeout_real = UINT_MAX;
++ else
++ x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
+ if (mkdtemp(xauthdir) != NULL) {
+ do_unlink = 1;
+ snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
+@@ -355,17 +365,20 @@ client_x11_get_proto(const char *display
+ snprintf(cmd, sizeof(cmd),
+ "%s -f %s generate %s " SSH_X11_PROTO
+ " untrusted timeout %u 2>" _PATH_DEVNULL,
+- xauth_path, xauthfile, display, timeout);
++ xauth_path, xauthfile, display,
++ x11_timeout_real);
+ debug2("x11_get_proto: %s", cmd);
+- if (system(cmd) == 0)
+- generated = 1;
+ if (x11_refuse_time == 0) {
+ now = monotime() + 1;
+ if (UINT_MAX - timeout < now)
+ x11_refuse_time = UINT_MAX;
+ else
+ x11_refuse_time = now + timeout;
++ channel_set_x11_refuse_time(
++ x11_refuse_time);
+ }
++ if (system(cmd) == 0)
++ generated = 1;
+ }
+ }
+
+@@ -1884,7 +1897,7 @@ client_request_x11(const char *request_t
+ "malicious server.");
+ return NULL;
+ }
+- if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) {
++ if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
+ verbose("Rejected X11 connection after ForwardX11Timeout "
+ "expired");
+ return NULL;
+diff -up openssh-6.6p1/ssh-agent.c.security openssh-6.6p1/ssh-agent.c
+--- openssh-6.6p1/ssh-agent.c.security 2015-07-01 19:27:08.597162521 +0200
++++ openssh-6.6p1/ssh-agent.c 2015-07-01 19:42:35.691088800 +0200
+@@ -64,6 +64,9 @@
+ #include
+ #include
+ #include
++#ifdef HAVE_UTIL_H
++#include
++#endif
+
+ #include "xmalloc.h"
+ #include "ssh.h"
+@@ -129,8 +130,12 @@ char socket_name[MAXPATHLEN];
+ char socket_dir[MAXPATHLEN];
+
+ /* locking */
++#define LOCK_SIZE 32
++#define LOCK_SALT_SIZE 16
++#define LOCK_ROUNDS 1
+ int locked = 0;
+-char *lock_passwd = NULL;
++char lock_passwd[LOCK_SIZE];
++char lock_salt[LOCK_SALT_SIZE];
+
+ extern char *__progname;
+
+@@ -548,22 +553,45 @@ send:
+ static void
+ process_lock_agent(SocketEntry *e, int lock)
+ {
+- int success = 0;
+- char
*passwd;
++ int success = 0, delay;
++ char *passwd, passwdhash[LOCK_SIZE];
++ static u_int fail_count = 0;
++ size_t pwlen;
+
+ passwd = buffer_get_string(&e->request, NULL);
+- if (locked && !lock && strcmp(passwd, lock_passwd) == 0) {
+- locked = 0;
+- explicit_bzero(lock_passwd, strlen(lock_passwd));
+- free(lock_passwd);
+- lock_passwd = NULL;
+- success = 1;
++ pwlen = strlen(passwd);
++ if (pwlen == 0) {
++ debug("empty password not supported");
++ } else if (locked && !lock) {
++ if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
++ passwdhash, sizeof(passwdhash), LOCK_ROUNDS) < 0)
++ fatal("bcrypt_pbkdf");
++ if (timingsafe_bcmp(passwdhash, lock_passwd, LOCK_SIZE) == 0) {
++ debug("agent unlocked");
++ locked = 0;
++ fail_count = 0;
++ explicit_bzero(lock_passwd, sizeof(lock_passwd));
++ success = 1;
++ } else {
++ /* delay in 0.1s increments up to 10s */
++ if (fail_count < 100)
++ fail_count++;
++ delay = 100000 * fail_count;
++ debug("unlock failed, delaying %0.1lf seconds",
++ (double)delay/1000000);
++ usleep(delay);
++ }
++ explicit_bzero(passwdhash, sizeof(passwdhash));
+ } else if (!locked && lock) {
++ debug("agent locked");
+ locked = 1;
+- lock_passwd = xstrdup(passwd);
++ arc4random_buf(lock_salt, sizeof(lock_salt));
++ if (bcrypt_pbkdf(passwd, pwlen, lock_salt, sizeof(lock_salt),
++ lock_passwd, sizeof(lock_passwd), LOCK_ROUNDS) < 0)
++ fatal("bcrypt_pbkdf");
+ success = 1;
+ }
+- explicit_bzero(passwd, strlen(passwd));
++ explicit_bzero(passwd, pwlen);
+ free(passwd);
+
+ buffer_put_int(&e->output, 1);
diff --git a/SOURCES/openssh-6.6p1-test-mode-all-values.patch b/SOURCES/openssh-6.6p1-test-mode-all-values.patch
new file mode 100644
index 0000000..05f83a0
--- /dev/null
+++ b/SOURCES/openssh-6.6p1-test-mode-all-values.patch
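Review bot: `channel_set_x11_refuse_time` is added to channels.c without a comment, and the deadline now lives in two file-static variables of the same name (`x11_refuse_time` in channels.c, checked by `x11_open_helper`, and in clientloop.c, checked by `client_request_x11`) that stay consistent only through the single call added in `client_x11_get_proto`; a one-line comment on the setter, e.g. `/* Deadline (monotime() seconds, 0 = none) after which x11_open_helper refuses X11 opens; must match clientloop.c's x11_refuse_time */`, would make that coupling visible to whoever next edits either file. In `process_lock_agent`, the `usleep(delay)` on a failed unlock stalls the agent's single request loop, so every connected client waits up to 10 s per wrong guess; that is the intended throttle, but a comment at the `usleep` saying the stall is deliberate and bounded would stop it being "fixed" later. The `#include` directives in the ssh-agent.c hunk show no header name on this page, so what the new `HAVE_UTIL_H` guard pulls in cannot be checked here. `client_x11_get_proto` and `process_lock_agent` both run past the hunk boundaries.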
@@ -0,0 +1,73 @@
+diff --git a/servconf.c b/servconf.c
+index ad5869b..1171c33 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1990,6 +1990,8 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
+ {
+ u_int i;
+
++ if (count <= 0)
++ return;
+ printf("%s", lookup_opcode_name(code));
+ for (i = 0; i < count; i++)
+ printf(" %s", vals[i]);
+@@ -2028,7 +2030,7 @@ dump_config(ServerOptions *o)
+
+ /* integer arguments */
+ #ifdef USE_PAM
+- dump_cfg_int(sUsePAM, o->use_pam);
++ dump_cfg_fmtint(sUsePAM, o->use_pam);
+ #endif
+ dump_cfg_int(sServerKeyBits, o->server_key_bits);
+ dump_cfg_int(sLoginGraceTime, o->login_grace_time);
+@@ -2084,6 +2086,7 @@ dump_config(ServerOptions *o)
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
+ dump_cfg_fmtint(sUseDNS, o->use_dns);
+ dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
++ dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
+ dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
+@@ -2094,14 +2097,15 @@ dump_config(ServerOptions *o)
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
+ cipher_alg_list(',', 0));
+ dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
+- dump_cfg_string(sBanner, o->banner);
++ dump_cfg_string(sBanner, o->banner == NULL ? "none" : o->banner);
+ dump_cfg_string(sForceCommand, o->adm_forced_command);
+ dump_cfg_string(sChrootDirectory, o->chroot_directory);
+ dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
+ dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
+ dump_cfg_string(sAuthorizedPrincipalsFile,
+ o->authorized_principals_file);
+- dump_cfg_string(sVersionAddendum, o->version_addendum);
++ dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0' ?
++ "none" : o->version_addendum);
+ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
+ dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
+ dump_cfg_string(sHostKeyAgent, o->host_key_agent);
+@@ -2117,7 +2121,7 @@ dump_config(ServerOptions *o)
+ o->authorized_keys_files);
+ dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
+ o->host_key_files);
+- dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
++ dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
+ o->host_cert_files);
+ dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
+ dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
+diff --git a/ssh.1 b/ssh.1
+index f65e42f..4a7d1cd 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -444,7 +444,11 @@ For full details of the options listed below, and their possible values, see
+ .It GatewayPorts
+ .It GlobalKnownHostsFile
+ .It GSSAPIAuthentication
++.It GSSAPIKeyExchange
++.It GSSAPIClientIdentity
+ .It GSSAPIDelegateCredentials
++.It GSSAPIRenewalForcesRekey
++.It GSSAPITrustDns
+ .It HashKnownHosts
+ .It Host
+ .It HostbasedAuthentication
diff --git a/SOURCES/sshd.pam b/SOURCES/sshd.pam
index a80e450..0f5c061 100644
--- a/SOURCES/sshd.pam
+++ b/SOURCES/sshd.pam
@@ -2,6 +2,8 @@ auth required pam_sepermit.so auth substack password-auth auth include postlogin +# Used with polkit to reauthorize users in remote sessions +-auth optional pam_reauthorize.so prepare account required pam_nologin.so account include password-auth password include password-auth
@@ -10,6 +12,9 @@ session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params +session required pam_namespace.so session optional pam_keyinit.so force revoke session include password-auth session include postlogin +# Used with polkit to reauthorize users in remote sessions +-session optional pam_reauthorize.so prepare diff --git a/SOURCES/sshd.service b/SOURCES/sshd.service index 4e3ea9b..eb87d32 100644 --- a/SOURCES/sshd.service +++ b/SOURCES/sshd.service @@ -1,5 +1,6 @@ [Unit] Description=OpenSSH server daemon +Documentation=man:sshd(8) man:sshd_config(5) After=network.target sshd-keygen.service Wants=sshd-keygen.service diff --git a/SOURCES/sshd.socket b/SOURCES/sshd.socket index 94b9533..caa50c4 100644 --- a/SOURCES/sshd.socket +++ b/SOURCES/sshd.socket @@ -1,5 +1,6 @@ [Unit] Description=OpenSSH Server Socket +Documentation=man:sshd(8) man:sshd_config(5) Conflicts=sshd.service [Socket] diff --git a/SOURCES/sshd@.service b/SOURCES/sshd@.service index 0189d71..9fed0db 100644 --- a/SOURCES/sshd@.service +++ b/SOURCES/sshd@.service @@ -1,5 +1,6 @@ [Unit] Description=OpenSSH per-connection server daemon +Documentation=man:sshd(8) man:sshd_config(5) Wants=sshd-keygen.service After=sshd-keygen.service diff --git a/SPECS/openssh.spec b/SPECS/openssh.spec index c4abf71..22c77f1 100644 --- a/SPECS/openssh.spec +++ b/SPECS/openssh.spec @@ -64,7 +64,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %define openssh_ver 6.6.1p1 -%define openssh_rel 12 +%define openssh_rel 22 %define pam_ssh_agent_ver 0.9.3 %define pam_ssh_agent_rel 9 
@@ -219,6 +219,31 @@ Patch916: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch Patch918: openssh-6.6.1p1-log-in-chroot.patch # MLS labeling according to chosen sensitivity (#1202843) Patch919: openssh-6.6.1p1-mls-fix-labeling.patch +# sshd test mode show all config values (#1187597) +Patch920: openssh-6.6p1-test-mode-all-values.patch +# Add sftp option to force mode of created files (#1191055) +Patch921: openssh-6.6p1-sftp-force-permission.patch +# TERM env variable is always accepted by sshd, regardless the empty AcceptEnv setting (#1162683) +Patch922: openssh-6.6p1-document-TERM-env.patch +# fix ssh-copy-id on non-sh remote shells (#1201758) +Patch923: openssh-6.6p1-fix-ssh-copy-id-on-non-sh-shell.patch +# fix memory problem (#1223218) +Patch924: openssh-6.6p1-memory-problems.patch +# Enhance AllowGroups documentation in man page (#1150007) +Patch925: openssh-6.6p1-allowGroups-documentation.patch +# authentication limits (MaxAuthTries) bypass [security] (#1246521) +Patch926: openssh-6.6p1-authentication-limits-bypass.patch +# CVE-2015-5352: Security fixes backported from openssh-6.9 (#1247864) +# XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231) +# weakness of agent locking (ssh-add -x) to password guessing (#1238238) +Patch927: openssh-6.6p1-ssh-agent-and-xsecurity-bypass.patch +# provide option GssKexAlgorithms to disable vulnerable groun1 kex +Patch928: openssh-6.6p1-gssKexAlgorithms.patch +# Vulnerabilities published with openssh-7.0 (#1265807): +# Privilege separation weakness related to PAM support +# Use-after-free bug related to PAM support +Patch929: openssh-6.6p1-security-7.0.patch + License: BSD Group: Applications/Internet 
@@ -442,6 +467,16 @@ popd %patch918 -p1 -b .log-in-chroot %patch919 -p1 -b .mls-labels %patch802 -p1 -b .GSSAPIEnablek5users +%patch920 -p1 -b .sshd-t +%patch921 -p1 -b .sftp-force-mode +%patch922 -p1 -b .term +%patch923 -p1 -b .ssh-copy-id +%patch924 -p1 -b .memory-problems +%patch925 -p1 -b .allowGroups +%patch926 -p1 -b .kbd +%patch927 -p1 -b .xsecurity +%patch928 -p1 -b .gsskexalg +%patch929 -p1 -b .security7 %patch200 -p1 -b .audit %patch201 -p1 -b .audit-fps @@ -735,6 +770,7 @@ getent passwd sshd >/dev/null || \ %files ldap %defattr(-,root,root) %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema ldap.conf +%doc openssh-lpk-openldap.ldif openssh-lpk-sun.ldif %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-helper %attr(0755,root,root) %{_libexecdir}/openssh/ssh-ldap-wrapper %attr(0644,root,root) %{_mandir}/man8/ssh-ldap-helper.8* 
@@ -765,6 +801,57 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Fri Sep 25 2015 Jakub Jelen 6.6.1p1-22 + 0.9.3-9 +- Use the correct constant for glob limits (#1160377) + +* Thu Sep 24 2015 Jakub Jelen 6.6.1p1-21 + 0.9.3-9 +- Extend memory limit for remote glob in sftp acc. to stat limit (#1160377) + +* Thu Sep 24 2015 Jakub Jelen 6.6.1p1-20 + 0.9.3-9 +- Fix vulnerabilities published with openssh-7.0 (#1265807) + - Privilege separation weakness related to PAM support + - Use-after-free bug related to PAM support + +* Thu Sep 24 2015 Jakub Jelen 6.6.1p1-19 + 0.9.3-9 +- Increase limit of files for glob match in sftp to 8192 (#1160377) + +* Tue Aug 18 2015 Jakub Jelen 6.6.1p1-18 + 0.9.3-9 +- Add GSSAPIKexAlgorithms option for server and client application (#1253062) + +* Wed Jul 29 2015 Jakub Jelen 6.6.1p1-17 + 0.9.3-9 +- Security fixes released with openssh-6.9 (CVE-2015-5352) (#1247864) + - XSECURITY restrictions bypass under certain conditions in ssh(1) (#1238231) + - weakness of agent locking (ssh-add -x) to password guessing (#1238238) + +* Mon Jul 27 2015 Jakub Jelen 6.6.1p1-16 + 0.9.3-9 +- only query each keyboard-interactive device once (CVE-2015-5600) (#1245971) + +* Wed Jul 15 2015 Jakub Jelen 6.6.1p1-15 + 0.9.3-9 +- One more typo in manual page documenting TERM variable (#1162683) +- Fix race condition with auditing messages answers (#1240613) + +* Mon Jun 15 2015 Jakub Jelen 6.6.1p1-14 + 0.9.3-9 +- Fix ldif schema to have correct spacing on newlines (#1184938) +- Add missing values for sshd test mode (#1187597) +- ssh-copy-id: tcsh doesnt work with multiline strings (#1201758) +- Fix memory problems with newkeys and array transfers (#1223218) +- Enhance AllowGroups documentation in man page (#1150007) + +* Mon May 11 2015 Jakub Jelen 6.6.1p1-13 + 0.9.3-9 +- Increase limit of files for glob match in sftp (#1160377) +- Add pam_reauthorize.so to /etc/pam.d/sshd (#1204233) +- Show all config values in sshd test mode (#1187597) +- Document required 
selinux boolean for working ssh-ldap-helper (#1178116) +- Consistent usage of pam_namespace in sshd (#1125110) +- Fix auditing when using combination of ForcedCommand and PTY (#1199112) +- Add sftp option to force mode of created files (#1197989) +- Ability to specify an arbitrary LDAP filter in ldap.conf for ssh-ldap-helper (#1201753) +- Provide documentation line for systemd service and socket (#1181591) +- Provide LDIF version of LPK schema (#1184938) +- Document TERM environment variable (#1162683) +- Fix ssh-copy-id on non-sh remote shells (#1201758) +- Do not read RSA1 hostkeys for HostBased authentication in FIPS (#1197666) + * Thu Mar 19 2015 Jakub Jelen 6.6.1p1-12 + 0.9.3-9 - Fix labeling in MLS according to selected sensitivity (#1202843)