commit openssh for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2024-08-29 15:42:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.2698 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "openssh" Thu Aug 29 15:42:55 2024 rev:183 rq:1196434 version:9.8p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2024-08-22 12:34:44.668863513 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh-askpass-gnome.changes 2024-08-29 15:43:26.885433583 +0200 @@ -1,0 +2,7 @@ +Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> + +- Update to openssh 9.8p1: + * No changes for askpass, see main package changelog for + details. + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2024-08-22 12:34:44.724865841 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh.changes 2024-08-29 15:43:27.253448884 +0200 
@@ -1,0 +2,309 @@ +Fri Aug 23 12:10:00 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> + +- Add patch to fix sshd not logging in the audit failed login + attempts (submitted to upstream in + https://github.com/openssh/openssh-portable/pull/516): + * fix-audit-fail-attempt.patch +- Use --enable-dsa-keys when building openssh. It's required if + the user sets the crypto-policy mode to LEGACY, where DSA keys + should be allowed. The option was added by upstream in 9.7 and + set to disabled by default. +- These two changes fix 2 of the 3 issues reported in bsc#1229650. + +------------------------------------------------------------------- +Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> + +- Fix a dbus connection leaked in the logind patch that was + missing a sd_bus_unref call (found by Matthias Gerstner): + * logind_set_tty.patch +- Add a patch that fixes a small memory leak when parsing the + subsystem configuration option: + * fix-memleak-in-process_server_config_line_depth.patch + +------------------------------------------------------------------- +Thu Aug 1 09:17:11 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> + +- Update to openssh 9.8p1: + = Security + * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387). + A critical vulnerability in sshd(8) was present in Portable + OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may + allow arbitrary code execution with root privileges. + Successful exploitation has been demonstrated on 32-bit + Linux/glibc systems with ASLR. Under lab conditions, the attack + requires on average 6-8 hours of continuous connections up to + the maximum the server will accept. Exploitation on 64-bit + systems is believed to be possible but has not been + demonstrated at this time. It's likely that these attacks will + be improved upon. + Exploitation on non-glibc systems is conceivable but has not + been examined. 
Systems that lack ASLR or users of downstream + Linux distributions that have modified OpenSSH to disable + per-connection ASLR re-randomisation (yes - this is a thing, no + - we don't understand why) may potentially have an easier path + to exploitation. OpenBSD is not vulnerable. + We thank the Qualys Security Advisory Team for discovering, + reporting and demonstrating exploitability of this problem, and + for providing detailed feedback on additional mitigation + measures. + * 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318, + CVE-2024-39894). + In OpenSSH version 9.5 through 9.7 (inclusive), when connected + to an OpenSSH server version 9.5 or later, a logic error in the + ssh(1) ObscureKeystrokeTiming feature (on by default) rendered + this feature ineffective - a passive observer could still + detect which network packets contained real keystrokes when the + countermeasure was active because both fake and real keystroke + packets were being sent unconditionally. + This bug was found by Philippos Giavridis and also + independently by Jacky Wei En Kung, Daniel Hugenroth and + Alastair Beresford of the University of Cambridge Computer Lab. + Worse, the unconditional sending of both fake and real + keystroke packets broke another long-standing timing attack + mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke + echo packets for traffic received on TTYs in echo-off mode, + such as when entering a password into su(8) or sudo(8). This + bug rendered these fake keystroke echoes ineffective and could + allow a passive observer of a SSH session to once again detect + when echo was off and obtain fairly limited timing information + about keystrokes in this situation (20ms granularity by + default). + This additional implication of the bug was identified by + Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and + we thank them for their detailed analysis. 
+ This bug does not affect connections when + ObscureKeystrokeTiming was disabled or sessions where no TTY + was requested. + + = Future deprecation notice + * OpenSSH plans to remove support for the DSA signature algorithm + in early 2025. This release disables DSA by default at compile + time. + DSA, as specified in the SSHv2 protocol, is inherently weak - + being limited to a 160 bit private key and use of the SHA1 + digest. Its estimated security level is only 80 bits symmetric + equivalent. + OpenSSH has disabled DSA keys by default since 2015 but has + retained run-time optional support for them. DSA was the only + mandatory-to-implement algorithm in the SSHv2 RFCs, mostly + because alternative algorithms were encumbered by patents when + the SSHv2 protocol was specified. + This has not been the case for decades at this point and better + algorithms are well supported by all actively-maintained SSH + implementations. We do not consider the costs of maintaining + DSA in OpenSSH to be justified and hope that removing it from + OpenSSH can accelerate its wider deprecation in supporting + cryptography libraries. + This release, and its deactivation of DSA by default at + compile-time, marks the second step in our timeline to finally + deprecate DSA. The final step of removing DSA support entirely + is planned for the first OpenSSH release of 2025. + DSA support may be re-enabled in OpenBSD by setting + "DSAKEY=yes" in Makefile.inc. To enable DSA support in + portable OpenSSH, pass the "--enable-dsa-keys" option to + configure. + + = Potentially-incompatible changes + * all: as mentioned above, the DSA signature algorithm is now + disabled at compile time. + * sshd(8): the server will now block client addresses that + repeatedly fail authentication, repeatedly connect without ever + completing authentication or that crash the server. See the + discussion of PerSourcePenalties below for more information. 
+ Operators of servers that accept connections from many users, + or servers that accept connections from addresses behind NAT or + proxies may need to consider these settings. + * sshd(8): the server has been split into a listener binary, + sshd(8), and a per-session binary "sshd-session". This allows + for a much smaller listener binary, as it no longer needs to + support the SSH protocol. As part of this work, support for + disabling privilege separation (which previously required code + changes to disable) and disabling re-execution of sshd(8) has + been removed. Further separation of sshd-session into + additional, minimal binaries is planned for the future. + * sshd(8): several log messages have changed. In particular, some + log messages will be tagged with as originating from a process + named "sshd-session" rather than "sshd". + * ssh-keyscan(1): this tool previously emitted comment lines + containing the hostname and SSH protocol banner to standard + error. This release now emits them to standard output, but adds + a new "-q" flag to silence them altogether. + * sshd(8): (portable OpenSSH only) sshd will no longer use + argv[0] as the PAM service name. A new "PAMServiceName" + sshd_config(5) directive allows selecting the service name at + runtime. This defaults to "sshd". bz2101 + * (portable OpenSSH only) Automatically-generated files, such as + configure, config.h.in, etc will now be checked in to the + portable OpenSSH git release branch (e.g. V_9_8). This should + ensure that the contents of the signed release branch exactly + match the contents of the signed release tarball. + + = New features + * sshd(8): as described above, sshd(8) will now penalise client + addresses that, for various reasons, do not successfully + complete authentication. This feature is controlled by a new + sshd_config(5) PerSourcePenalties option and is on by default. + sshd(8) will now identify situations where the session did not + authenticate as expected. 
These conditions include when the + client repeatedly attempted authentication unsucessfully + (possibly indicating an attack against one or more accounts, + e.g. password guessing), or when client behaviour caused sshd + to crash (possibly indicating attempts to exploit bugs in + sshd). + When such a condition is observed, sshd will record a penalty + of some duration (e.g. 30 seconds) against the client's + address. If this time is above a minimum configurable + threshold, then all connections from the client address will be + refused (along with any others in the same + PerSourceNetBlockSize CIDR range) until the penalty expire. + Repeated offenses by the same client address will accrue + greater penalties, up to a configurable maximum. Address ranges + may be fully exempted from penalties, e.g. to guarantee access + from a set of trusted management addresses, using the new + sshd_config(5) PerSourcePenaltyExemptList option. + We hope these options will make it significantly more difficult + for attackers to find accounts with weak/guessable passwords or + exploit bugs in sshd(8) itself. This option is enabled by + default. + * ssh(8): allow the HostkeyAlgorithms directive to disable the + implicit fallback from certificate host key to plain host keys. + + = Bugfixes + * misc: fix a number of inaccuracies in the PROTOCOL.* + documentation files. GHPR430 GHPR487 + * all: switch to strtonum(3) for more robust integer parsing in + most places. + * ssh(1), sshd(8): correctly restore sigprocmask around ppoll() + * ssh-keysign(8): stricter validation of messaging socket fd + GHPR492 + * sftp(1): flush stdout after writing "sftp>" prompt when not + using editline. GHPR480 + * sftp-server(8): fix home-directory extension implementation, + it previously always returned the current user's home directory + contrary to the spec. GHPR477 + * ssh-keyscan(1): do not close stdin to prevent error messages + when stdin is read multiple times. E.g. 
+ echo localhost | ssh-keyscan -f - -f - + * regression tests: fix rekey test that was testing the same KEX + algorithm repeatedly instead of testing all of them. bz3692 + * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms + directive documentation, especially around what is supported + vs available. bz3701. + + = Portability + * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules + unconditionally. The previous behaviour was to expose it only + when particular authentication methods were in use. + * build: fix OpenSSL ED25519 support detection. An incorrect + function signature in configure.ac previously prevented + enabling the recently added support for ED25519 private keys in + PEM PKCS8 format. + * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY + environment variable to enable SSH_ASKPASS, similarly to the + X11 DISPLAY environment variable. GHPR479 + * build: improve detection of the -fzero-call-used-regs compiler + flag. bz3673. + * build: relax OpenSSL version check to accept all OpenSSL 3.x + versions. + * sshd(8): add support for notifying systemd on server listen and + reload, using a standalone implementation that doesn't depend + on libsystemd. bz2641 + +- Update to openssh 9.7p1: + + = New features + * ssh(1), sshd(8): add a "global" ChannelTimeout type that + watches all open channels and will close all open channels if + there is no traffic on any of them for the specified interval. + This is in addition to the existing per-channel timeouts added + recently. + This supports situations like having both session and x11 + forwarding channels open where one may be idle for an extended + period but the other is actively used. The global timeout could + close both channels when both have been idle for too long. + * All: make DSA key support compile-time optional, defaulting to + on. 
+ + = Bugfixes + * sshd(8): don't append an unnecessary space to the end of + subsystem arguments (bz3667) + * ssh(1): fix the multiplexing "channel proxy" mode, broken when + keystroke timing obfuscation was added. (GHPR#463) + * ssh(1), sshd(8): fix spurious configuration parsing errors when + options that accept array arguments are overridden (bz3657). + * ssh-agent(1): fix potential spin in signal handler (bz3670) + * Many fixes to manual pages and other documentation, including + GHPR#462, GHPR#454, GHPR#442 and GHPR#441. + * Greatly improve interop testing against PuTTY. + + = Portability + * Improve the error message when the autoconf OpenSSL header + check fails (bz#3668) + * Improve detection of broken toolchain -fzero-call-used-regs + support (bz3645). + * Fix regress/misc/fuzz-harness fuzzers and make them compile + without warnings when using clang16 +- Use gcc-11 in SLE to avoid a "parameter name omitted" error +- Rebase patches: + * logind_set_tty.patch + * openssh-6.6.1p1-selinux-contexts.patch + * openssh-6.6p1-keycat.patch + * openssh-6.6p1-privsep-selinux.patch + * openssh-7.6p1-cleanup-selinux.patch + * openssh-7.7p1-cavstest-ctr.patch + * openssh-7.7p1-cavstest-kdf.patch + * openssh-7.7p1-fips.patch + * openssh-7.7p1-fips_checks.patch + * openssh-7.7p1-ldap.patch + * openssh-7.7p1-pam_check_locks.patch + * openssh-7.7p1-systemd-notify.patch + * openssh-7.8p1-role-mls.patch + * openssh-8.0p1-gssapi-keyex.patch + * openssh-8.1p1-audit.patch + * openssh-8.4p1-vendordir.patch + * openssh-9.6p1-crypto-policies-man.patch + * openssh-mitigate-lingering-secrets.patch + * openssh-reenable-dh-group14-sha1-default.patch + * wtmpdb.patch +- Thanks to Fedora developers for an initial version of the + rebase of the following patches: + * openssh-8.0p1-gssapi-keyex.patch + * openssh-7.8p1-role-mls.patch + * openssh-8.1p1-audit.patch +- Remove patches that are already included in 9.8p1: + * fix-CVE-2024-6387.patch + * 
0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch + * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch + * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch +- Remove patch that is now merged into + openssh-7.7p1-cavstest-ctr.patch and + openssh-7.7p1-cavstest-kdf.patch where it belongs: + * fix-missing-lz.patch + +------------------------------------------------------------------- +Mon Jul 15 17:49:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com> + +- Add sshd.socket and sshd@.service units as alternative to the + sshd.service that makes systemd listen to the ssh port + and run sshd per incoming connection. To enable this, + disable sshd.service and enable sshd.socket . If you want to + use a non standard sshd port with sshd.socket you can do + "systemctl edit sshd.socket" and add something like: + + [Socket] + ListenStream=8022 + + which listens on port 8022 as well as on port 22. If you want + to reset the list of listened ports and just use 8022, use: ++++ 12 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh.changes ++++ and /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh.changes Old: ---- 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch fix-CVE-2024-6387.patch fix-missing-lz.patch openssh-9.6p1.tar.gz openssh-9.6p1.tar.gz.asc New: ---- fix-audit-fail-attempt.patch fix-memleak-in-process_server_config_line_depth.patch openssh-9.8p1.tar.gz openssh-9.8p1.tar.gz.asc sshd.socket sshd@.service
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.173528718 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.177528885 +0200 @@ -1,7 +1,7 @@ # # spec file for package openssh-askpass-gnome # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 9.6p1 +Version: 9.8p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.225530880 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.229531046 +0200 @@ -1,7 +1,7 @@ # # spec file for package openssh # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -39,7 +39,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 9.6p1 +Version: 9.8p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT 
@@ -61,6 +61,8 @@ Source13: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring Source14: sysusers-sshd.conf Source15: sshd-sle.pamd +Source16: sshd@.service +Source17: sshd.socket Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch4: openssh-7.7p1-eal3.patch @@ -119,7 +121,6 @@ Patch51: wtmpdb.patch Patch52: logind_set_tty.patch Patch54: openssh-mitigate-lingering-secrets.patch -Patch100: fix-missing-lz.patch Patch102: openssh-7.8p1-role-mls.patch Patch103: openssh-6.6p1-privsep-selinux.patch Patch104: openssh-6.6p1-keycat.patch @@ -128,19 +129,17 @@ # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support Patch107: openssh-9.6p1-crypto-policies.patch Patch108: openssh-9.6p1-crypto-policies-man.patch -# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387 -Patch109: fix-CVE-2024-6387.patch -# PATCH-FIX-UPSTREAM -Patch110: 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch -# PATCH-FIX-UPSTREAM -Patch111: 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch -# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894 -Patch112: 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch +Patch109: fix-memleak-in-process_server_config_line_depth.patch +# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/516 +Patch110: fix-audit-fail-attempt.patch %if 0%{with allow_root_password_login_by_default} Patch1000: openssh-7.7p1-allow_root_password_login.patch %endif BuildRequires: audit-devel BuildRequires: automake +%if 0%{?sle_version} >= 150500 +BuildRequires: gcc11 +%endif BuildRequires: groff BuildRequires: libedit-devel BuildRequires: libselinux-devel @@ -328,6 +327,9 @@ ) %build +%if 0%{?sle_version} >= 150500 +export CC=gcc-11 +%endif autoreconf -fiv %ifarch s390 s390x %{sparc} PIEFLAGS="-fPIE" 
@@ -368,6 +370,7 @@ --disable-lastlog \ --with-logind \ %endif + --enable-dsa-keys \ --with-security-key-builtin \ --target=%{_target_cpu}-suse-linux @@ -392,6 +395,8 @@ install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/ %endif install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service +install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service +install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket ln -s service %{buildroot}%{_sbindir}/rcsshd install -d -m 755 %{buildroot}%{_fillupdir} install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir} @@ -471,11 +476,11 @@ test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config.rpmsave.old ||: %endif -%service_add_pre sshd.service +%service_add_pre sshd.service sshd.socket %post server %{fillup_only -n ssh} -%service_add_post sshd.service +%service_add_post sshd.service sshd.socket %if ! %{defined _distconfdir} test -f /etc/ssh/sshd_config && (grep -q "^Include /etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \ @@ -487,16 +492,16 @@ %endif %preun server -%service_del_preun sshd.service +%service_del_preun sshd.service sshd.socket %postun server # The openssh-fips trigger script for openssh will normally restart sshd once # it gets installed, so only restart the service here if openssh-fips is not # present. if rpm -q openssh-fips >/dev/null 2>/dev/null; then -%service_del_postun_without_restart sshd.service +%service_del_postun_without_restart sshd.service sshd.socket else -%service_del_postun sshd.service +%service_del_postun sshd.service sshd.socket fi %if ! %{defined _distconfdir} 
@@ -584,11 +589,14 @@ %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf %endif %attr(0644,root,root) %{_unitdir}/sshd.service +%attr(0644,root,root) %{_unitdir}/sshd@.service +%attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_sysusersdir}/sshd.conf %attr(0444,root,root) %{_mandir}/man5/sshd_config* %attr(0444,root,root) %{_mandir}/man8/sftp-server.8* %attr(0444,root,root) %{_mandir}/man8/sshd.8* %attr(0755,root,root) %{_libexecdir}/ssh/sftp-server +%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session %if 0%{?suse_version} < 1600 %dir %{_sysconfdir}/slp.reg.d %config %{_sysconfdir}/slp.reg.d/ssh.reg ++++++ fix-audit-fail-attempt.patch ++++++ Index: openssh-9.8p1/sshd-session.c =================================================================== --- openssh-9.8p1.orig/sshd-session.c +++ openssh-9.8p1/sshd-session.c @@ -1624,9 +1624,6 @@ cleanup_exit(int i) } } } - /* Override default fatal exit value when auth was attempted */ - if (i == 255 && auth_attempted) - _exit(EXIT_AUTH_ATTEMPTED); #ifdef SSH_AUDIT_EVENTS /* done after do_cleanup so it can cancel the PAM auth 'thread' */ if (the_active_state != NULL && @@ -1636,5 +1633,8 @@ cleanup_exit(int i) #endif clobber_stack(); + /* Override default fatal exit value when auth was attempted */ + if (i == 255 && auth_attempted) + _exit(EXIT_AUTH_ATTEMPTED); _exit(i); } ++++++ fix-memleak-in-process_server_config_line_depth.patch ++++++ From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001 
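Review bot: in the openssh.spec Patch list hunk, the new `Patch109: fix-memleak-in-process_server_config_line_depth.patch` has no `# PATCH-FIX-UPSTREAM ...` comment line, while the neighbouring `Patch110` entry and the removed Patch109-Patch112 block all carry one; add a line such as `# PATCH-FIX-UPSTREAM alarrosa@suse.com -- https://github.com/openssh/openssh-portable/pull/515` above it, using the submission URL the patch header itself names.

Review bot: in the %build configure hunk, `--enable-dsa-keys \` is added with no comment explaining why this package re-enables an algorithm that upstream 9.8 turned off at compile time (160-bit key, SHA1, removal planned for the first 2025 release). The changelog gives the reason (bsc#1229650, needed when crypto-policies is set to LEGACY); put that in a comment next to the flag so the next rebase keeps or drops it deliberately, and note that the flag will stop working once upstream removes DSA entirely.

Review bot: in the %pre/%post/%preun/%postun hunks, sshd.socket is added to every `%service_add_pre`, `%service_add_post`, `%service_del_preun` and `%service_del_postun` call next to sshd.service, but nothing keeps sshd.service and sshd.socket from being enabled together, which would put two listeners on port 22; the changelog's "disable sshd.service and enable sshd.socket" instruction should be enforced in the unit (e.g. a `Conflicts=` on sshd.socket) or at least recorded in the spec. Also worth documenting: the socket-activated sshd@.service runs a fresh sshd per incoming connection, so the PerSourcePenalties state that the 9.8 release notes describe as recorded by sshd against client addresses cannot persist across connections in that mode, and the penalty feature the notes call "on by default" is effectively absent on socket-activated hosts.

Review bot: fix-audit-fail-attempt.patch has no description header, so the reason for moving the `if (i == 255 && auth_attempted) _exit(EXIT_AUTH_ATTEMPTED);` block from above the `#ifdef SSH_AUDIT_EVENTS` section to just before the final `_exit(i);` is only recoverable from the changelog: the early `_exit` returned before the audit event for a failed login attempt was emitted. Add that rationale and the https://github.com/openssh/openssh-portable/pull/516 URL to the patch header, as fix-memleak-in-process_server_config_line_depth.patch does. The move itself is safe, since `_exit` does not return and `clobber_stack()` runs before either exit.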
From: Antonio Larrosa <alarrosa@suse.com> Date: Mon, 12 Aug 2024 11:32:42 +0200 Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth The return value of argv_assemble is owned by the caller and should be free'd. When processing the sSubsystem case there are two calls to argv_assemble but only one of them is freed. This patch fixes the small (29 bytes according to valgrind) memory leak. The output from valgrind: ==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913 ==115369== at 0x4845794: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) ==115369== by 0x124A22: argv_assemble (misc.c:2165) ==115369== by 0x1385E5: process_server_config_line_depth.constprop.0 (servconf.c:2004) ==115369== by 0x13984D: parse_server_config_depth.constprop.0 (servconf.c:3032) ==115369== by 0x139986: parse_server_config.constprop.0 (servconf.c:3049) ==115369== by 0x111C6E: main (sshd.c:1445) Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515 --- servconf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/servconf.c b/servconf.c index 5a20d6f8..0b989b95 100644 --- a/servconf.c +++ b/servconf.c @@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, char *line, xasprintf(&options->subsystem_args[options->num_subsystems], "%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2); free(arg2); + free(arg); argv_consume(&ac); options->num_subsystems++; break; -- 2.45.2 ++++++ logind_set_tty.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.365536701 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.369536868 +0200 
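Review bot: the added `free(arg);` sits directly after the `xasprintf(&options->subsystem_args[...], "%s%s%s", arg, ..., arg2);` call that is the last visible use of `arg`, so the fix is correct for this path and matches the header's explanation that only one of the two `argv_assemble` results was freed. Please confirm there is no early error return between the `argv_assemble` call that produces `arg` and this point, since those lines are outside the hunk and would leak the same 29 bytes on the error path.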
@@ -14,11 +14,11 @@ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD) - scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) - $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS) + $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) diff --git a/configure.ac b/configure.ac index a12c6f7ad..860df3379 100644 --- a/configure.ac @@ -106,7 +106,7 @@ #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN if (li->type == LTYPE_LOGIN && !sys_auth_record_login(li->username,li->hostname,li->line, -@@ -1476,6 +1486,88 @@ wtmpdb_write_entry(struct logininfo *li) +@@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li) } #endif @@ -171,9 +171,12 @@ + + free(dbus_path); + -+ if (sd_bus_flush(bus) < 0) ++ if (sd_bus_flush(bus) < 0) { ++ sd_bus_unref(bus); + return (0); ++ } + ++ sd_bus_unref(bus); + return (1); +} + ++++++ openssh-6.6.1p1-selinux-contexts.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.385537533 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.389537699 +0200 
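Review bot: in the rebased Makefile.in hunk of logind_set_tty.patch, `$(LIBSYSTEMD)` is appended only to the `sshd$(EXEEXT)` link line, while the new `sshd-session$(EXEEXT)` link line that the same hunk adds omits it. With the 9.8 split moving session handling into sshd-session, check that the objects containing the `sd_bus_*` calls (the `wtmpdb_write_entry` neighbourhood in the second hunk) are linked into the binary that receives `$(LIBSYSTEMD)`, otherwise the link of sshd-session fails with unresolved `sd_bus_*` symbols. The `sd_bus_unref(bus);` additions on both the `sd_bus_flush` failure path and the success path fix the connection leak the changelog describes, and the updated header `+@@ -1476,6 +1486,91 @@` accounts for the three added lines; the earlier error returns in that function are not visible here and should be checked for the same missing unref.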
@@ -104,10 +104,10 @@ #endif #ifdef LINUX_OOM_ADJUST -Index: openssh-9.6p1/sshd.c +Index: openssh-9.6p1/sshd-session.c =================================================================== ---- openssh-9.6p1.orig/sshd.c -+++ openssh-9.6p1/sshd.c +--- openssh-9.6p1.orig/sshd-session.c ++++ openssh-9.6p1/sshd-session.c @@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh) demote_sensitive_data(ssh); ++++++ openssh-6.6p1-keycat.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.405538365 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.409538531 +0200 @@ -37,14 +37,14 @@ =================================================================== --- openssh-9.3p2.orig/Makefile.in +++ openssh-9.3p2/Makefile.in -@@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh +@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign +SSH_KEYCAT=$(libexecdir)/ssh-keycat + SSHD_SESSION=$(libexecdir)/sshd-session SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper - SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper @@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@ K5LIBS=@K5LIBS@ GSSLIBS=@GSSLIBS@ 
@@ -53,12 +53,12 @@ LIBEDIT=@LIBEDIT@ LIBFIDO2=@LIBFIDO2@ LIBWTMPDB=@LIBWTMPDB@ -@@ -75,7 +77,7 @@ MKDIR_P=@MKDIR_P@ +@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@ .SUFFIXES: .lo --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) @@ -99,9 +99,9 @@ =================================================================== --- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c +++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c -@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt; +@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt; + extern Authctxt *the_authctxt; extern int inetd_flag; - extern int rexeced_flag; +/* Wrapper around is_selinux_enabled() to log its return value once only */ +int 
@@ -129,14 +129,14 @@ { const char *reqlvl; char *role; -@@ -329,16 +343,16 @@ sshd_selinux_setup_pam_variables(void) +@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void) ssh_selinux_get_role_level(&role, &reqlvl); - rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); + rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : ""); - if (inetd_flag && !rexeced_flag) { + if (inetd_flag) { use_current = "1"; } else { use_current = ""; ++++++ openssh-6.6p1-privsep-selinux.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.425539196 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.429539363 +0200 @@ -52,7 +52,7 @@ platform_setusercontext(pw); - if (platform_privileged_uidswap()) { -+ if (platform_privileged_uidswap() && (!is_child || !use_privsep)) { ++ if (platform_privileged_uidswap() && !is_child) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { @@ -98,11 +98,11 @@ exit(sftp_server_main(i, argv, s->pw)); } -Index: openssh-9.3p2/sshd.c +Index: openssh-9.3p2/sshd-session.c =================================================================== ---- openssh-9.3p2.orig/sshd.c -+++ openssh-9.3p2/sshd.c -@@ -510,6 +510,10 @@ privsep_preauth_child(struct ssh *ssh) +--- openssh-9.3p2.orig/sshd-session.c ++++ openssh-9.3p2/sshd-session.c +@@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh) /* Demote the private keys to public keys. */ demote_sensitive_data(ssh); 
@@ -113,14 +113,13 @@ /* Demote the child */ if (privsep_chroot) { /* Change our root directory */ -@@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct - - #ifdef DISABLE_FD_PASSING - if (1) { -+#elif defined(WITH_SELINUX) -+ if (0) { -+ /* even root user can be confined by SELinux */ - #else - if (authctxt->pw->pw_uid == 0) { +@@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct + * fd passing, as AFAIK PTY allocation on this platform doesn't require + * special privileges to begin with. + */ +-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) ++#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && !defined(WITH_SELINUX) + skip_privdrop = 1; #endif + ++++++ openssh-7.6p1-cleanup-selinux.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.445540028 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.449540194 +0200 @@ -9,16 +9,16 @@ +extern int inetd_flag; +extern int rexeced_flag; +extern Authctxt *the_authctxt; + extern struct authmethod_cfg methodcfg_pubkey; static char * - format_key(const struct sshkey *key) @@ -459,7 +462,8 @@ match_principals_command(struct passwd * if ((pid = subprocess("AuthorizedPrincipalsCommand", command, ac, av, &f, SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, - runas_pw, temporarily_use_uid, restore_uid)) == 0) + runas_pw, temporarily_use_uid, restore_uid, -+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) ++ inetd_flag, the_authctxt)) == 0) goto out; uid_swapped = 1; @@ -28,7 +28,7 @@ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, - runas_pw, temporarily_use_uid, restore_uid)) == 0) + runas_pw, temporarily_use_uid, restore_uid, -+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) ++ inetd_flag, the_authctxt)) == 0) goto out; uid_swapped = 1; 
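Review bot: in the privsep_postauth hunk of openssh-6.6p1-privsep-selinux.patch, appending `&& !defined(WITH_SELINUX)` to `#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)` only changes behaviour on builds that also define DISABLE_FD_PASSING, which a Linux/SELinux build does not, so on the target this package builds the line is a no-op. The version of the hunk it replaces (`#elif defined(WITH_SELINUX)` / `if (0) {` / `/* even root user can be confined by SELinux */`) existed to stop root from bypassing the post-auth privilege drop, and nothing in the new hunk carries that intent. Either state in the patch header that 9.8's sshd-session.c no longer exempts root (which would make the old hunk obsolete and this one unnecessary), or keep a comment on the `#if` explaining why SELinux is listed; note that on a real DISABLE_FD_PASSING plus SELinux target the new condition leaves `skip_privdrop` at 0 and so re-introduces exactly the PTY-allocation problem the surrounding comment describes.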
@@ -87,14 +87,13 @@ =================================================================== --- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c +++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c -@@ -49,11 +49,6 @@ +@@ -49,10 +49,6 @@ #include <unistd.h> #endif -extern ServerOptions options; -extern Authctxt *the_authctxt; -extern int inetd_flag; --extern int rexeced_flag; - /* Wrapper around is_selinux_enabled() to log its return value once only */ int @@ -133,7 +132,7 @@ if (r == 0) { /* If launched from xinetd, we must use current level */ -- if (inetd_flag && !rexeced_flag) { +- if (inetd_flag) { + if (inetd) { security_context_t sshdsc=NULL; @@ -157,7 +156,7 @@ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : ""); -- if (inetd_flag && !rexeced_flag) { +- if (inetd_flag) { + if (inetd) { use_current = "1"; } else { @@ -222,56 +221,46 @@ =================================================================== --- openssh-9.3p2.orig/platform.c +++ openssh-9.3p2/platform.c -@@ -34,6 +34,9 @@ +@@ -34,6 +34,8 @@ + #include "openbsd-compat/openbsd-compat.h" - extern int use_privsep; extern ServerOptions options; +extern int inetd_flag; -+extern int rexeced_flag; +extern Authctxt *the_authctxt; - void - platform_pre_listen(void) -@@ -185,7 +188,9 @@ platform_setusercontext_post_groups(stru + /* return 1 if we are running with privilege to swap UIDs, 0 otherwise */ + int +@@ -185,7 +187,9 @@ platform_setusercontext_post_groups(stru } #endif /* HAVE_SETPCRED */ #ifdef WITH_SELINUX - sshd_selinux_setup_exec_context(pw->pw_name); + sshd_selinux_setup_exec_context(pw->pw_name, -+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt, ++ inetd_flag, do_pam_putenv, the_authctxt, + options.use_pam); #endif } -Index: openssh-9.3p2/sshd.c +Index: openssh-9.3p2/sshd-session.c =================================================================== ---- openssh-9.3p2.orig/sshd.c -+++ openssh-9.3p2/sshd.c +--- openssh-9.3p2.orig/sshd-session.c ++++ openssh-9.3p2/sshd-session.c 
@@ -166,7 +166,7 @@ int debug_flag = 0; - static int test_flag = 0; + int debug_flag = 0; /* Flag indicating that the daemon is being started from inetd. */ -static int inetd_flag = 0; +int inetd_flag = 0; - /* Flag indicating that sshd should not detach and become a daemon. */ - static int no_daemon_flag = 0; -@@ -179,7 +179,7 @@ static char **saved_argv; - static int saved_argc; - - /* re-exec */ --static int rexeced_flag = 0; -+int rexeced_flag = 0; - static int rexec_flag = 1; - static int rexec_argc = 0; - static char **rexec_argv; + /* debug goes to stderr unless inetd_flag is set */ + static int log_stderr = 0; @@ -2396,7 +2396,9 @@ main(int ac, char **av) } #endif #ifdef WITH_SELINUX - sshd_selinux_setup_exec_context(authctxt->pw->pw_name); + sshd_selinux_setup_exec_context(authctxt->pw->pw_name, -+ (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt, ++ inetd_flag, do_pam_putenv, the_authctxt, + options.use_pam); #endif #ifdef USE_PAM ++++++ openssh-7.7p1-cavstest-ctr.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.481541525 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.485541691 +0200 @@ -7,7 +7,7 @@ --- openssh-8.8p1.orig/Makefile.in +++ openssh-8.8p1/Makefile.in @@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server - SSH_KEYSIGN=$(libexecdir)/ssh-keysign + SSHD_SESSION=$(libexecdir)/sshd-session SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper +CAVSTEST_CTR=$(libexecdir)/cavstest-ctr @@ -16,7 +16,7 @@ STRIP_OPT=@STRIP_OPT@ 
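Review bot: wherever this rebase reduces `(inetd_flag && !rexeced_flag)` to `inetd_flag` (the `sshd_selinux_setup_exec_context(pw->pw_name, inetd_flag, do_pam_putenv, the_authctxt, options.use_pam)` calls in platform.c and sshd-session.c here, and the `/* If launched from xinetd, we must use current level */` and `use_current = "1"` branches in port-linux-sshd.c), the condition is widened rather than preserved: the old test was false for every re-executed process, so in the previous tree the xinetd branch was skipped on the normal code path, whereas `inetd_flag` alone is true for every inetd-started session even though sshd-session is still a separately exec'd binary in 9.8. If taking the getcon_raw()/current-level path under inetd is now intended, say so in the patch header; otherwise the old guard needs an equivalent built from what sshd-session.c now knows about how it was started.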
@@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@ - TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) + TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) +TARGETS += cavstest-ctr$(EXEEXT) + @@ -29,7 +29,7 @@ +# FIPS tests +cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o -+ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) ++ $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz + # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o ++++++ openssh-7.7p1-cavstest-kdf.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.501542357 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.505542523 +0200 @@ -16,7 +16,7 @@ STRIP_OPT=@STRIP_OPT@ @@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@ - TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) + TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) -TARGETS += cavstest-ctr$(EXEEXT) +TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT) @@ -25,10 +25,10 @@ ssh-xmss.o \ 
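Review bot: in the cavstest-ctr link rule (and the matching cavstest-kdf rule in openssh-7.7p1-cavstest-kdf.patch), `-lz` is hard-coded at the end of `$(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)` while every other library on the line comes from a configure-filled variable. Prefer the variable upstream's own ssh/sshd-session rules use for zlib (CHANNELLIBS in the 9.x Makefile.in), so a `--without-zlib` build or a future change in how zlib is linked does not break only these two FIPS test binaries; if the explicit flag is needed because libssh.a now pulls zlib in directly, a one-line comment on the rule would save the next rebase from rediscovering it.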
@@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o - $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz +cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o -+ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) ++ $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz + # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.533543687 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.537543853 +0200 @@ -389,17 +389,17 @@ ssh_hmac_update(ctx, m, mlen) < 0 || Index: openssh-9.6p1/kex.c =================================================================== ---- openssh-9.6p1.orig/kex.c -+++ openssh-9.6p1/kex.c +--- openssh-9.6p1.orig/kex-names.c ++++ openssh-9.6p1/kex-names.c @@ -64,6 +64,8 @@ - #include "digest.h" + #include "ssherr.h" #include "xmalloc.h" +#include "fips.h" + - /* prototype */ - static int kex_choose_conf(struct ssh *, uint32_t seq); - static int kex_input_newkeys(int, u_int32_t, struct ssh *); + struct kexalg { + char *name; + u_int type; @@ -87,7 +89,7 @@ struct kexalg { int ec_nid; int hash_alg; @@ -647,8 +647,8 @@ #include "digest.h" +#include "fips.h" - static void add_listen_addr(ServerOptions *, const char *, - const char *, int); + #if !defined(SSHD_PAM_SERVICE) + # define SSHD_PAM_SERVICE "sshd" @@ -207,6 +208,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -785,8 +785,8 @@ --- openssh-9.6p1.orig/sshd.c +++ openssh-9.6p1/sshd.c 
@@ -128,6 +128,8 @@ + #include "addr.h" #include "srclimit.h" - #include "dh.h" +#include "fips.h" + ++++++ openssh-7.7p1-fips_checks.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.557544685 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.561544852 +0200 @@ -459,14 +459,14 @@ --- openssh-8.8p1.orig/sshd.c +++ openssh-8.8p1/sshd.c @@ -1547,6 +1547,10 @@ main(int ac, char **av) - struct connection_info *connection_info = NULL; + struct connection_info connection_info; sigset_t sigmask; + /* initialize fips - can go before ssh_malloc_init(), since that is a + * OpenBSD-only thing (as of OpenSSH 7.6p1) */ + fips_ssh_init(); + + memset(&connection_info, 0, sizeof(connection_info)); #ifdef HAVE_SECUREWARE (void)set_auth_parameters(ac, av); - #endif ++++++ openssh-7.7p1-ldap.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.585545849 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.589546015 +0200 @@ -128,7 +128,7 @@ --- openssh-8.9p1.orig/Makefile.in +++ openssh-8.9p1/Makefile.in @@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server - SSH_KEYSIGN=$(libexecdir)/ssh-keysign + SSHD_SESSION=$(libexecdir)/sshd-session SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper @@ -168,7 +168,7 @@ $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) 
@@ -421,6 +429,10 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) $(DESTDIR)$(SSHD_SESSION)$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \ ++++++ openssh-7.7p1-pam_check_locks.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.605546681 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.609546847 +0200 @@ -32,17 +32,17 @@ --- openssh-8.8p1.orig/servconf.c +++ openssh-8.8p1/servconf.c @@ -92,6 +92,7 @@ initialize_server_options(ServerOptions - /* Portable-specific options */ options->use_pam = -1; + options->pam_service_name = NULL; + options->use_pam_check_locks = -1; /* Standard Options */ options->num_ports = 0; @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption - /* Portable-specific options */ - if (options->use_pam == -1) options->use_pam = 0; + if (options->pam_service_name == NULL) + options->pam_service_name = xstrdup(SSHD_PAM_SERVICE); + if (options->use_pam_check_locks == -1) + options->use_pam_check_locks = 0; 
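Review bot: the `fips_ssh_init()` call that openssh-7.7p1-fips_checks.patch adds to main() lands in sshd.c, which in 9.8 is only the listener (this same series moves privsep_preauth_child to sshd-session.c and drops `#include "dh.h"` from sshd.c), so key exchange and all session crypto now run in a separately exec'd sshd-session binary that does not inherit whatever process state fips_ssh_init() sets up. Confirm that sshd-session.c also calls fips_ssh_init(), or that the FIPS state is carried across the exec, and update the `(as of OpenSSH 7.6p1)` comment, which no longer describes the tree the hunk is applied to.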
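Review bot: in openssh-7.7p1-fips.patch the `Index: openssh-9.6p1/kex.c` line was left unchanged while the `---`/`+++` headers below it now name kex-names.c; patch -p1 follows the file headers, so the hunk applies, but the stale Index line misleads anyone reading the series. Update it to kex-names.c and make the same check for the other files renamed in this rebase (sshd.c to sshd-session.c).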
@@ -52,26 +52,27 @@ typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ -- sUsePAM, -+ sUsePAM, sUsePAMChecklocks, +- sUsePAM, sPAMServiceName, ++ sUsePAM, sPAMServiceName, sUsePAMChecklocks, /* Standard Options */ sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, -@@ -535,8 +538,10 @@ static struct { - /* Portable-specific options */ +@@ -535,9 +538,11 @@ static struct { #ifdef USE_PAM { "usepam", sUsePAM, SSHCFG_GLOBAL }, + { "pamservicename", sPAMServiceName, SSHCFG_ALL }, + { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL }, #else { "usepam", sUnsupported, SSHCFG_GLOBAL }, + { "pamservicename", sUnsupported, SSHCFG_ALL }, + { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL }, #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ @@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO - case sUsePAM: - intptr = &options->use_pam; - goto parse_flag; + if (*activep && *charptr == NULL) + *charptr = xstrdup(arg); + break; + case sUsePAMChecklocks: + intptr = &options->use_pam_check_locks; + goto parse_flag; @@ -83,9 +84,9 @@ --- openssh-8.8p1.orig/servconf.h +++ openssh-8.8p1/servconf.h @@ -200,6 +200,7 @@ typedef struct { - char *adm_forced_command; int use_pam; /* Enable auth via PAM */ + char *pam_service_name; + int use_pam_check_locks; /* internally check for locked accounts even when using PAM */ int permit_tun; ++++++ openssh-7.7p1-systemd-notify.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.645548344 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.649548510 +0200 @@ -61,7 +61,7 @@ + #include "xmalloc.h" #include "ssh.h" - #include "ssh2.h" + #include "sshpty.h" @@ -308,6 +312,10 @@ sighup_handler(int sig) static void sighup_restart(void) 
@@ -84,5 +84,5 @@ + /* Accept a connection and return in a forked child */ server_accept_loop(&sock_in, &sock_out, - &newsock, config_s); + &newsock, config_s, log_stderr); ++++++ openssh-7.8p1-role-mls.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.665549175 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.669549342 +0200 @@ -1,8 +1,7 @@ -Index: openssh-9.6p1/auth2.c -=================================================================== ---- openssh-9.6p1.orig/auth2.c -+++ openssh-9.6p1/auth2.c -@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32 +diff -up openssh/auth2.c.role-mls openssh/auth2.c +--- openssh/auth2.c.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/auth2.c 2018-08-22 11:14:56.815430916 +0200 +@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32 Authctxt *authctxt = ssh->authctxt; Authmethod *m = NULL; char *user = NULL, *service = NULL, *method = NULL, *style = NULL; @@ -12,7 +11,7 @@ int r, authenticated = 0; double tstart = monotime_double(); -@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32 +@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32 debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 
@@ -24,36 +23,32 @@ if ((style = strchr(user, ':')) != NULL) *style++ = 0; -@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32 - use_privsep ? " [net]" : ""); +@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32 + setproctitle("%s [net]", authctxt->valid ? user : "unknown"); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; -- if (use_privsep) +#ifdef WITH_SELINUX + authctxt->role = role ? xstrdup(role) : NULL; +#endif -+ if (use_privsep) { - mm_inform_authserv(service, style); + mm_inform_authserv(service, style); +#ifdef WITH_SELINUX -+ mm_inform_authrole(role); ++ mm_inform_authrole(role); +#endif -+ } userauth_banner(ssh); if ((r = kex_server_update_ext_info(ssh)) != 0) fatal_fr(r, "kex_server_update_ext_info failed"); -Index: openssh-9.6p1/auth2-gss.c -=================================================================== ---- openssh-9.6p1.orig/auth2-gss.c -+++ openssh-9.6p1/auth2-gss.c -@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple +diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c +--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200 +@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple Authctxt *authctxt = ssh->authctxt; Gssctxt *gssctxt; int r, authenticated = 0; + char *micuser; struct sshbuf *b; gss_buffer_desc mic, gssbuf; - const char *displayname; -@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple + u_char *p; +@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple fatal_f("sshbuf_new failed"); mic.value = p; mic.length = len; @@ -68,7 +63,7 @@ "gssapi-with-mic", ssh->kex->session_id); if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) -@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple +@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple logit("GSSAPI MIC check failed"); sshbuf_free(b); 
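Review bot: the auth2.c hunk header `@@ -314,7 +314,13 @@` in openssh-7.8p1-role-mls.patch does not account for the eight lines added by the two hunks before it (`@@ -256,6 +259,9 @@` adds three, `@@ -268,6 +271,11 @@` adds five), so the new-side offset should be +322, not +314. patch(1) ignores the new-side number when matching, but an inconsistent header is a sign the hunk was edited by hand; regenerate the patch against 9.8p1 so the offsets are machine-produced.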
@@ -76,12 +71,11 @@ + free(micuser); free(mic.value); - if ((!use_privsep || mm_is_monitor()) && -Index: openssh-9.6p1/auth2-hostbased.c -=================================================================== ---- openssh-9.6p1.orig/auth2-hostbased.c -+++ openssh-9.6p1/auth2-hostbased.c -@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons + authctxt->postponed = 0; +diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c +--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200 +@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh) /* reconstruct packet */ if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || @@ -98,11 +92,10 @@ (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || (r = sshbuf_put_cstring(b, method)) != 0 || (r = sshbuf_put_string(b, pkalg, alen)) != 0 || -Index: openssh-9.6p1/auth2-pubkey.c -=================================================================== ---- openssh-9.6p1.orig/auth2-pubkey.c -+++ openssh-9.6p1/auth2-pubkey.c -@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c +diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c +--- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200 ++++ openssh/auth2-pubkey.c 2018-08-22 11:17:07.331483958 +0200 +@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh) goto done; } /* reconstruct packet */ 
@@ -121,10 +114,9 @@ if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_cstring(b, userstyle)) != 0 || (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || -Index: openssh-9.6p1/auth.h -=================================================================== ---- openssh-9.6p1.orig/auth.h -+++ openssh-9.6p1/auth.h +diff -up openssh/auth.h.role-mls openssh/auth.h +--- openssh/auth.h.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/auth.h 2018-08-22 11:14:56.816430924 +0200 @@ -65,6 +65,9 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ @@ -135,11 +127,10 @@ /* Method lists for multiple authentication */ char **auth_methods; /* modified from server config */ -Index: openssh-9.6p1/auth-pam.c -=================================================================== ---- openssh-9.6p1.orig/auth-pam.c -+++ openssh-9.6p1/auth-pam.c -@@ -1242,7 +1242,7 @@ is_pam_session_open(void) +diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c +--- openssh/auth-pam.c.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200 +@@ -1172,7 +1172,7 @@ is_pam_session_open(void) * during the ssh authentication process. */ int @@ -148,24 +139,22 @@ { int ret = 1; char *compound; -Index: openssh-9.6p1/auth-pam.h -=================================================================== ---- openssh-9.6p1.orig/auth-pam.h -+++ openssh-9.6p1/auth-pam.h +diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h +--- openssh/auth-pam.h.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200 
@@ -33,7 +33,7 @@ u_int do_pam_account(void); void do_pam_session(struct ssh *); - void do_pam_setcred(int ); + void do_pam_setcred(void); void do_pam_chauthtok(void); -int do_pam_putenv(char *, char *); +int do_pam_putenv(char *, const char *); char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); -Index: openssh-9.6p1/misc.c -=================================================================== ---- openssh-9.6p1.orig/misc.c -+++ openssh-9.6p1/misc.c -@@ -771,6 +771,7 @@ char * +diff -up openssh/misc.c.role-mls openssh/misc.c +--- openssh/misc.c.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/misc.c 2018-08-22 11:14:56.817430932 +0200 +@@ -542,6 +542,7 @@ char * colon(char *cp) { int flag = 0; @@ -173,7 +162,7 @@ if (*cp == ':') /* Leading colon is part of file name. */ return NULL; -@@ -786,6 +787,13 @@ colon(char *cp) +@@ -557,6 +558,13 @@ colon(char *cp) return (cp); if (*cp == '/') return NULL; @@ -187,11 +176,10 @@ } return NULL; } -Index: openssh-9.6p1/monitor.c -=================================================================== ---- openssh-9.6p1.orig/monitor.c -+++ openssh-9.6p1/monitor.c -@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st +diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c +--- openssh-8.6p1/monitor.c.role-mls 2021-04-16 05:55:25.000000000 +0200 ++++ openssh-8.6p1/monitor.c 2021-05-21 14:21:56.719414087 +0200 +@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *); int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *); int mm_answer_authserv(struct ssh *, int, struct sshbuf *); 
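Review bot: the replacement openssh-7.8p1-role-mls.patch is not a refresh against 9.8p1 but a patch carrying 2018 (`openssh/auth2.c.role-mls 2018-08-20`) and 2021 (`openssh-8.6p1/monitor.c.role-mls`) headers: its function context still reads `userauth_hostbased(struct ssh *ssh)` and `userauth_pubkey(struct ssh *ssh)` where the removed headers showed the current `(struct ssh *ssh, const c` signatures, and offsets such as misc.c `colon()` at `@@ -542` versus the previous `@@ -771` mean the hunks apply only by offset or fuzz. Refresh it in place (quilt refresh or equivalent) so the file headers, timestamps and offsets match the tree the package actually builds, and so it uses the same `Index:` header style as the rest of the series.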
@@ -201,7 +189,7 @@ int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); -@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[] +@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -211,7 +199,7 @@ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in +@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -221,7 +209,7 @@ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); #ifdef USE_PAM -@@ -908,6 +917,26 @@ key_base_type_match(const char *method, +@@ -877,6 +886,26 @@ key_base_type_match(const char *method, return found; } @@ -248,16 +236,16 @@ int mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) { -@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh, +@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh, struct sshbuf *b; - struct sshkey *hostkey = NULL; + struct sshkey *hostkey = NULL; const u_char *p; - char *userstyle, *cp; + char *userstyle, *s, *cp; size_t len; u_char type; int hostbound = 0, r, fail = 0; -@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh, +@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh, fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) fatal_fr(r, "parse userstyle"); 
@@ -266,7 +254,7 @@ xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char +@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char { struct sshbuf *b; const u_char *p; @@ -275,7 +263,7 @@ size_t len; int r, fail = 0; u_char type; -@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char +@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) fatal_fr(r, "parse userstyle"); @@ -284,10 +272,9 @@ xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -Index: openssh-9.6p1/monitor.h -=================================================================== ---- openssh-9.6p1.orig/monitor.h -+++ openssh-9.6p1/monitor.h +diff -up openssh/monitor.h.role-mls openssh/monitor.h +--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/monitor.h 2018-08-22 11:14:56.818430941 +0200 @@ -55,6 +55,10 @@ enum monitor_reqtype { MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, MONITOR_REQ_TERM = 50, @@ -299,11 +286,10 @@ MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, -Index: openssh-9.6p1/monitor_wrap.c -=================================================================== ---- openssh-9.6p1.orig/monitor_wrap.c -+++ openssh-9.6p1/monitor_wrap.c -@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char * +diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c +--- openssh/monitor_wrap.c.role-mls 2018-08-22 11:14:56.818430941 +0200 ++++ openssh/monitor_wrap.c 2018-08-22 11:21:47.938747968 +0200 +@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char * sshbuf_free(m); } 
@@ -331,11 +317,10 @@ /* Do the password authentication */ int mm_auth_password(struct ssh *ssh, char *password) -Index: openssh-9.6p1/monitor_wrap.h -=================================================================== ---- openssh-9.6p1.orig/monitor_wrap.h -+++ openssh-9.6p1/monitor_wrap.h -@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct +diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h +--- openssh/monitor_wrap.h.role-mls 2018-08-22 11:14:56.818430941 +0200 ++++ openssh/monitor_wrap.h 2018-08-22 11:22:10.439929513 +0200 +@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int); const u_char *, size_t, const char *, const char *, const char *, u_int compat); void mm_inform_authserv(char *, char *); @@ -345,11 +330,10 @@ struct passwd *mm_getpwnamallow(struct ssh *, const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct ssh *, char *); -Index: openssh-9.6p1/openbsd-compat/Makefile.in -=================================================================== ---- openssh-9.6p1.orig/openbsd-compat/Makefile.in -+++ openssh-9.6p1/openbsd-compat/Makefile.in -@@ -100,7 +100,8 @@ PORTS= port-aix.o \ +diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in +--- openssh/openbsd-compat/Makefile.in.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200 +@@ -92,7 +92,8 @@ PORTS= port-aix.o \ port-prngd.o \ port-solaris.o \ port-net.o \ 
@@ -359,11 +343,10 @@ .c.o: $(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $< -Index: openssh-9.6p1/openbsd-compat/port-linux.c -=================================================================== ---- openssh-9.6p1.orig/openbsd-compat/port-linux.c -+++ openssh-9.6p1/openbsd-compat/port-linux.c -@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname) +diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/port-linux.c +--- openssh/openbsd-compat/port-linux.c.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/openbsd-compat/port-linux.c 2018-08-22 11:14:56.819430949 +0200 +@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname) return sc; } @@ -401,7 +384,7 @@ /* Set the TTY context for the specified user */ void ssh_selinux_setup_pty(char *pwname, const char *tty) -@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons +@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons debug3("%s: setting TTY context on %s", __func__, tty); @@ -414,10 +397,9 @@ /* XXX: should these calls fatal() upon failure in enforcing mode? */ -Index: openssh-9.6p1/openbsd-compat/port-linux.h -=================================================================== ---- openssh-9.6p1.orig/openbsd-compat/port-linux.h -+++ openssh-9.6p1/openbsd-compat/port-linux.h +diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/port-linux.h +--- openssh/openbsd-compat/port-linux.h.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/openbsd-compat/port-linux.h 2018-08-22 11:14:56.819430949 +0200 @@ -20,9 +20,10 @@ #ifdef WITH_SELINUX int ssh_selinux_enabled(void); 
@@ -430,11 +412,10 @@ #endif #ifdef LINUX_OOM_ADJUST -Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c -=================================================================== ---- /dev/null -+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c -@@ -0,0 +1,421 @@ +diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c +--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200 ++++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200 +@@ -0,0 +1,420 @@ +/* + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> @@ -488,7 +469,6 @@ +extern ServerOptions options; +extern Authctxt *the_authctxt; +extern int inetd_flag; -+extern int rexeced_flag; + +/* Send audit message */ +static int @@ -694,7 +674,7 @@ + + if (r == 0) { + /* If launched from xinetd, we must use current level */ -+ if (inetd_flag && !rexeced_flag) { ++ if (inetd_flag) { + security_context_t sshdsc=NULL; + + if (getcon_raw(&sshdsc) < 0) @@ -768,7 +748,7 @@ + + rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); + -+ if (inetd_flag && !rexeced_flag) { ++ if (inetd_flag) { + use_current = "1"; + } else { + use_current = ""; @@ -856,11 +836,10 @@ +#endif +#endif + -Index: openssh-9.6p1/platform.c -=================================================================== ---- openssh-9.6p1.orig/platform.c -+++ openssh-9.6p1/platform.c -@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru +diff -up openssh/platform.c.role-mls openssh/platform.c +--- openssh/platform.c.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200 +@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru } #endif /* HAVE_SETPCRED */ #ifdef WITH_SELINUX 
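Review bot: for the newly created openbsd-compat/port-linux-sshd.c the header was changed from `--- /dev/null` to `--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 ...` while keeping the `@@ -0,0 +1,420 @@` creation hunk; the hunk still creates the file, but the old-side path now claims a pre-image that does not exist. Keep `--- /dev/null` for a file the patch creates so patch tooling and reviewers recognise it as an addition rather than a modification with no context.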
@@ -869,11 +848,10 @@ #endif } -Index: openssh-9.6p1/sshd.c -=================================================================== ---- openssh-9.6p1.orig/sshd.c -+++ openssh-9.6p1/sshd.c -@@ -2387,6 +2387,9 @@ main(int ac, char **av) +diff -up openssh/sshd.c.role-mls openssh/sshd.c +--- openssh/sshd-session.c.role-mls 2018-08-20 07:57:29.000000000 +0200 ++++ openssh/sshd-session.c 2018-08-22 11:14:56.820430957 +0200 +@@ -2186,6 +2186,9 @@ main(int ac, char **av) restore_uid(); } #endif @@ -882,5 +860,5 @@ +#endif #ifdef USE_PAM if (options.use_pam) { - do_pam_setcred(1); + do_pam_setcred(); ++++++ openssh-8.0p1-gssapi-keyex.patch ++++++ ++++ 2563 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.0p1-gssapi-keyex.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh-8.0p1-gssapi-keyex.patch ++++++ openssh-8.1p1-audit.patch ++++++ ++++ 875 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh-8.1p1-audit.patch ++++++ openssh-8.4p1-vendordir.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.745552502 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.749552668 +0200 
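Review bot: the `diff -up openssh/sshd.c.role-mls openssh/sshd.c` line still names sshd.c while the `---`/`+++` headers beneath it were changed to sshd-session.c; only the file headers are used when applying, but the command line should name the same file. A line in the patch header would also help: this hunk (`@@ -2186,6 +2186,9 @@ main(int ac, char **av)`, just before `do_pam_setcred()`) now targets sshd-session.c's main() rather than the listener's, which is where the per-session SELinux exec context belongs.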
@@ -123,28 +123,21 @@ =================================================================== --- openssh-8.9p1.orig/sshd.c +++ openssh-8.9p1/sshd.c -@@ -148,7 +148,7 @@ extern char *__progname; - ServerOptions options; - - /* Name of the server configuration file. */ --char *config_file_name = _PATH_SERVER_CONFIG_FILE; -+char *config_file_name = NULL; - - /* - * Debug mode flag. This can be set on the command line. If debug -@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av) - int - main(int ac, char **av) - { -+ struct stat st; - struct ssh *ssh = NULL; +@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av) extern char *optarg; extern int optind; + int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0; +- char *config_file_name = _PATH_SERVER_CONFIG_FILE; ++ char *config_file_name = NULL; ++ struct stat st; + int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0; + int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0; + int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0; @@ -1806,7 +1807,21 @@ main(int ac, char **av) - */ - (void)atomicio(vwrite, startup_pipe, "\0", 1); - } -+ } else if (config_file_name == NULL) { + /* Fetch our configuration */ + if ((cfg = sshbuf_new()) == NULL) + fatal("sshbuf_new config failed"); ++ if (config_file_name == NULL) { + /* If only the vendor configuration file exists, use that. + * Else use the standard configuration file. + */ 
@@ -157,11 +150,12 @@ + config_file_name = _PATH_SERVER_CONFIG_FILE; + } + load_server_config(config_file_name, cfg); - } else if (strcasecmp(config_file_name, "none") != 0) +- if (strcasecmp(config_file_name, "none") != 0) ++ } else if (strcasecmp(config_file_name, "none") != 0) + /* load config specified on commandline */ load_server_config(config_file_name, cfg); - parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, + parse_server_config(&options, config_file_name, cfg, Index: openssh-8.9p1/sshd_config.5 =================================================================== --- openssh-8.9p1.orig/sshd_config.5 ++++++ openssh-9.6p1-crypto-policies-man.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:29.761553168 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:29.765553333 +0200 @@ -84,13 +84,14 @@ The list of key exchange algorithms that are offered for GSSAPI key exchange. Possible values are .Bd -literal -offset 3n -@@ -991,9 +993,8 @@ gss-nistp256-sha256-, +@@ -991,10 +993,8 @@ gss-nistp256-sha256-, gss-curve25519-sha256- .Ed .Pp -The default is --.Dq gss-gex-sha1-,gss-group14-sha1- . - This option only applies to protocol version 2 connections using GSSAPI. +-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, +-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . + This option only applies to connections using GSSAPI. +.Pp .It Cm HashKnownHosts Indicates that @@ -159,7 +160,7 @@ .It Cm HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key -@@ -1311,31 +1313,26 @@ it may be zero or more of: +@@ -1311,36 +1313,30 @@ it may be zero or more of: and .Cm pam . .It Cm KexAlgorithms 
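Review bot: the ssh_config.5 GSSAPIKexAlgorithms hunk deletes the documented default (`-.Dq gss-group14-sha256-,...,gss-group14-sha1-,gss-gex-sha1- .`) and leaves only "This option only applies to connections using GSSAPI." Readers then have no way to learn where the effective default (which may still include the SHA-1 GSSAPI variants) comes from; add a sentence pointing at `.Xr crypto-policies 7`, as the KexAlgorithms entry in the same patch does, so the man page and the system-wide policy stay traceable to each other.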
@@ -169,8 +170,12 @@ +existing policies with sub-policies are present in manual page +.Xr update-crypto-policies 8 . +.Pp - Specifies the available KEX (Key Exchange) algorithms. + Specifies the permitted KEX (Key Exchange) algorithms that will be used and + their preference order. + The selected algorithm will the the first algorithm in this list that + the server also supports. Multiple algorithms must be comma-separated. + .Pp If the specified list begins with a .Sq + -character, then the specified algorithms will be appended to the default set @@ -186,6 +191,7 @@ .Sq ^ character, then the specified algorithms will be placed at the head of the -default set. +-.Pp -The default is: -.Bd -literal -offset indent -sntrup761x25519-sha512@openssh.com, @@ -199,7 +205,7 @@ -.Ed +built-in openssh default set. .Pp - The list of available key exchange algorithms may also be obtained using + The list of supported key exchange algorithms may also be obtained using .Qq ssh -Q kex . @@ -1445,37 +1442,34 @@ function, and all code in the file. @@ -386,7 +392,7 @@ The list of available ciphers may also be obtained using .Qq ssh -Q cipher . .It Cm ClientAliveCountMax -@@ -764,52 +760,45 @@ For this to work +@@ -764,53 +760,45 @@ For this to work .Cm GSSAPIKeyExchange needs to be enabled in the server and also used by the client. .It Cm GSSAPIKexAlgorithms @@ -415,8 +421,9 @@ .Ed -.Pp -The default is --.Dq gss-gex-sha1-,gss-group14-sha1- . - This option only applies to protocol version 2 connections using GSSAPI. +-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, +-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . + This option only applies to connections using GSSAPI. .It Cm HostbasedAcceptedAlgorithms +The default is handled system-wide by +.Xr crypto-policies 7 . 
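Review bot: the refreshed context line `The selected algorithm will the the first algorithm in this list that` carries a doubled "the"; it is upstream man page text, not something this patch introduces, so it should be fixed upstream rather than silently corrected in the downstream patch context (a corrected context line would make the hunk fail to apply). Separately, the replacement text `+built-in openssh default set.` should spell the project name "OpenSSH" to match the rest of ssh_config.5.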
@@ -492,7 +499,7 @@ The list of available signature algorithms may also be obtained using .Qq ssh -Q HostKeyAlgorithms . .It Cm IgnoreRhosts -@@ -1027,20 +1006,26 @@ file on logout. +@@ -1027,24 +1006,30 @@ file on logout. The default is .Cm yes . .It Cm KexAlgorithms @@ -502,9 +509,13 @@ +existing policies with sub-policies are present in manual page +.Xr update-crypto-policies 8 . +.Pp - Specifies the available KEX (Key Exchange) algorithms. + Specifies the permitted KEX (Key Exchange) algorithms that the server will + offer to clients. + The ordering of this list is not important, as the client specifies the + preference order. Multiple algorithms must be comma-separated. - Alternately if the specified list begins with a + .Pp + If the specified list begins with a .Sq + -character, then the specified algorithms will be appended to the default set -instead of replacing them. @@ -520,9 +531,9 @@ character, then the specified algorithms will be placed at the head of the -default set. +built-in openssh default set. + .Pp The supported algorithms are: .Pp - .Bl -item -compact -offset indent @@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521 sntrup761x25519-sha512@openssh.com .El @@ -537,7 +548,7 @@ -diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 -.Ed -.Pp - The list of available key exchange algorithms may also be obtained using + The list of supported key exchange algorithms may also be obtained using .Qq ssh -Q KexAlgorithms . .It Cm ListenAddress @@ -1167,21 +1142,27 @@ function, and all code in the ++++++ openssh-9.6p1.tar.gz -> openssh-9.8p1.tar.gz ++++++ ++++ 23852 lines of diff (skipped) ++++++ openssh-mitigate-lingering-secrets.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:30.153569467 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:30.157569633 +0200 @@ -207,9 +207,9 @@ --- openssh-9.3p2.orig/packet.h +++ openssh-9.3p2/packet.h 
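Review bot: the sshd_config.5 KexAlgorithms hunk has the same capitalisation issue as its ssh_config.5 twin, `+built-in openssh default set.` should read "OpenSSH". More importantly, the patch removes the literal list of default key exchange algorithms from the server man page while the next patch in this commit (openssh-reenable-dh-group14-sha1-default.patch) re-adds `diffie-hellman-group14-sha1` to that same area; make sure the two patches are applied in the order the spec expects, since both touch the lines around "The list of supported key exchange algorithms may also be obtained using".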
@@ -103,6 +103,7 @@ void ssh_packet_close(struct ssh *); + void ssh_packet_close(struct ssh *); void ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *); void ssh_packet_clear_keys(struct ssh *); - void ssh_packet_clear_keys_noaudit(struct ssh *); +void ssh_clear_curkeys(struct ssh *, int); void ssh_clear_newkeys(struct ssh *, int); @@ -264,12 +264,12 @@ /* Macros for decoding/encoding integers */ #define PEEK_U64(p) \ (((u_int64_t)(((const u_char *)(p))[0]) << 56) | \ -Index: openssh-9.3p2/sshd.c +Index: openssh-9.3p2/sshd-session.c =================================================================== ---- openssh-9.3p2.orig/sshd.c -+++ openssh-9.3p2/sshd.c -@@ -272,6 +272,19 @@ static void do_ssh2_kex(struct ssh *); - static char *listener_proctitle; +--- openssh-9.3p2.orig/sshd-session.c ++++ openssh-9.3p2/sshd-session.c +@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *); + static void do_ssh2_kex(struct ssh *); /* + * Clear some stack space. This is a bit naive, but hopefully helps mitigate @@ -285,10 +285,10 @@ +} + +/* - * Close all listening sockets - */ - static void -@@ -430,6 +443,8 @@ destroy_sensitive_data(struct ssh *ssh, + * Signal handler for the alarm after the login grace period has expired. + * As usual, this may only take signal-safe actions, even though it is + * terminal. +@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh, sensitive_data.host_certificates[i] = NULL; } } 
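Review bot: the Index and `---`/`+++` lines now read `openssh-9.3p2/sshd-session.c`, but sshd-session.c does not exist in 9.3p2; the path prefix is stale from the original patch. Regenerate against the 9.8p1 tree so the prefix matches the source the patch is applied to. The packet.h hunk dropping `ssh_packet_clear_keys_noaudit` from the context also implies a dependency on the refreshed audit patch; document that ordering in the patch header.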
@@ -297,32 +297,32 @@ } /* Demote private to public keys for network child */ -@@ -600,6 +615,8 @@ privsep_preauth(struct ssh *ssh) - static void - privsep_postauth(struct ssh *ssh, Authctxt *authctxt) +@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh) { + int skip_privdrop = 0; + + clobber_stack(); + - #ifdef DISABLE_FD_PASSING - if (1) { - #else -@@ -2360,6 +2377,7 @@ main(int ac, char **av) - if (use_privsep) { - mm_send_keystate(ssh, pmonitor); - ssh_packet_clear_keys(ssh); -+ clobber_stack(); - exit(0); - } + /* + * Hack for systems that don't support FD passing: retain privileges + * in the post-auth privsep process so it can allocate PTYs directly. +@@ -1354,6 +1356,7 @@ main(int ac, char **av) + */ + mm_send_keystate(ssh, pmonitor); + ssh_packet_clear_keys(ssh); ++ clobber_stack(); + exit(0); + + authenticated: +@@ -1431,6 +1434,7 @@ main(int ac, char **av) -@@ -2436,6 +2454,7 @@ main(int ac, char **av) - if (use_privsep) - mm_terminate(); + mm_terminate(); + clobber_stack(); exit(0); } -@@ -2596,8 +2615,10 @@ cleanup_exit(int i) +@@ -1577,8 +1581,10 @@ cleanup_exit(int i) /* cleanup_exit can be called at the very least from the privsep wrappers used for auditing. Make sure we don't recurse indefinitely. */ @@ -332,10 +332,10 @@ _exit(i); + } in_cleanup = 1; - if (the_active_state != NULL && the_authctxt != NULL) { - do_cleanup(the_active_state, the_authctxt); -@@ -2623,5 +2644,7 @@ cleanup_exit(int i) - (!use_privsep || mm_is_monitor())) + extern int auth_attempted; /* monitor.c */ + +@@ -1604,5 +1610,7 @@ cleanup_exit(int i) + mm_is_monitor()) audit_event(the_active_state, SSH_CONNECTION_ABANDON); #endif + ++++++ openssh-reenable-dh-group14-sha1-default.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:30.177570465 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:30.181570631 +0200 
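Review bot: in both `main()` hunks `clobber_stack()` is placed immediately before `exit(0)`, after `ssh_packet_clear_keys(ssh)`; note that `exit()` still runs atexit handlers and stdio flushing, which push new frames over the region just cleared, so the mitigation only covers what was on the stack at that point. If the intent is to leave nothing behind, call `clobber_stack()` as the last thing before `_exit()` in `cleanup_exit()` as well, or document in the `/* Clear some stack space ... */` comment that data written by exit-time handlers is out of scope.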
@@ -25,7 +25,7 @@ +diffie-hellman-group14-sha1 .Ed .Pp - The list of available key exchange algorithms may also be obtained using + The list of supported key exchange algorithms may also be obtained using Index: openssh-8.9p1/sshd_config.5 =================================================================== --- openssh-8.9p1.orig/sshd_config.5 @@ -38,5 +38,5 @@ +diffie-hellman-group14-sha256,diffie-hellman-group14-sha1 .Ed .Pp - The list of available key exchange algorithms may also be obtained using + The list of supported key exchange algorithms may also be obtained using ++++++ sshd.socket ++++++ [Unit] Description=OpenSSH Server Socket Conflicts=sshd.service [Socket] ListenStream=22 Accept=yes [Install] WantedBy=sockets.target ++++++ sshd@.service ++++++ [Unit] Description=OpenSSH Per-Connection Server Daemon Documentation=man:systemd-ssh-generator(8) man:sshd(8) After=network.target [Service] EnvironmentFile=-/etc/sysconfig/ssh ExecStartPre=/usr/sbin/sshd-gen-keys-start ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS StandardInput=socket ++++++ wtmpdb.patch ++++++ --- /var/tmp/diff_new_pack.kVY3db/_old 2024-08-29 15:43:30.369578448 +0200 +++ /var/tmp/diff_new_pack.kVY3db/_new 2024-08-29 15:43:30.373578614 +0200 
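Review bot: the new sshd.socket uses `Accept=yes` and sshd@.service runs `/usr/sbin/sshd -i`, so each connection is a separate inetd-style sshd and the daemon-side `MaxStartups` / `PerSourceMaxStartups` throttling in sshd_config does not apply. Add `MaxConnections=` and `MaxConnectionsPerSource=` to the `[Socket]` section so unauthenticated clients cannot fan out an unbounded number of instances, each of which also re-runs `sshd-gen-keys-start` and `sshd -t` as ExecStartPre. The leading `-` on `ExecStart=-/usr/sbin/sshd -i` hides non-zero exits from systemd; acceptable for per-connection units, but note it in a comment so genuine startup failures are not overlooked in `journalctl`.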
@@ -174,12 +174,16 @@ AR=@AR@ AWK=@AWK@ RANLIB=@RANLIB@ -@@ -212,7 +213,7 @@ +@@ -212,10 +213,10 @@ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) -- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) -+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) +- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) ++ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) + + sshd-session$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHD_SESSION_OBJS) +- $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) ++ $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
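Review bot: the refreshed Makefile hunk appends `$(LIBWTMPDB)` to both the `sshd$(EXEEXT)` and the `sshd-session$(EXEEXT)` link lines. Upstream 9.8 already dropped `$(GSSLIBS) $(K5LIBS)` from the listener link line because authentication and session handling moved to sshd-session; if the wtmpdb calls live in the login-recording code that is only part of `$(SSHD_SESSION_OBJS)`, the listener does not need the library either and should not carry the extra dependency. Verify which object files reference wtmpdb symbols and keep `$(LIBWTMPDB)` only where it is actually needed.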