diff --git a/openssh-7.9p1-log-sftp-only-connections.patch b/openssh-7.9p1-log-sftp-only-connections.patch
new file mode 100644
index 0000000..3b3613d
--- /dev/null
+++ b/openssh-7.9p1-log-sftp-only-connections.patch
@@ -0,0 +1,11 @@
+diff --git a/session.c b/session.c
+--- a/session.c
++++ b/session.c
+@@ -1859,6 +1859,7 @@ do_child(Session *s, const char *command)
+ 
+ if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
+ printf("This service allows sftp connections only.\n");
++ logit("The session allows sftp connections only");
+ fflush(NULL);
+ exit(1);
+ } else if (s->is_subsystem == SUBSYSTEM_INT_SFTP) {
diff --git a/openssh.spec b/openssh.spec
index 73fdbda..aa9954c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -237,6 +237,9 @@ Patch957: openssh-7.9p1-CVE-2018-20685.patch
 # - do not return 0 if the write fails (full disk)
 # - shellcheck reports (upstream #2902)
 Patch958: openssh-7.9p1-ssh-copy-id.patch
+# log when a client requests an interactive session and only sftp is allowed
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2960
+Patch959: openssh-7.9p1-log-sftp-only-connections.patch
 License: BSD
 Requires: /sbin/nologin
@@ -457,6 +460,7 @@ popd
 %patch956 -p1 -b .backports
 %patch957 -p1 -b .CVE-2018-20685
 %patch958 -p1 -b .ssh-copy-id
+%patch959 -p1 -b .log-sftp-only
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race
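Review bot: The new `logit()` call in the `SUBSYSTEM_INT_SFTP_ERROR` branch of the nested session.c hunk records only a fixed string, so the resulting sshd log line carries no principal to correlate with, which undercuts the purpose stated in the spec comment (making refused interactive sessions visible to operators, bugzilla 2960). Since `do_child` already works from `s->pw` in 7.9p1, logging the user is cheap, e.g. `logit("Refusing non-sftp session for user %s", s->pw->pw_name);` — confirm `s->pw` is populated at this point before relying on it. The wording "The session allows sftp connections only" also describes the configuration rather than the event (a refused request), which is worth tightening before anyone writes a detection rule that keys on this message. `do_child` starts and ends outside the hunk, and the two openssh.spec hunks that register and apply the patch raise nothing on their own.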