Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2016-09-27 13:40:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2016-07-28 
23:45:14.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes     2016-09-27 
13:41:01.000000000 +0200
@@ -1,0 +2,10 @@
+Fri Sep 16 12:45:11 UTC 2016 - [email protected]
+
+- FIPS compatibility (no selfchecks, only crypto restrictions)
+  [openssh-7.2p2-fips.patch]
+- PRNG re-seeding
+  [openssh-7.2p2-seed-prng.patch]
+- preliminary version of GSSAPI KEX
+  [openssh-7.2p2-gssapi_key_exchange.patch]
+
+-------------------------------------------------------------------

New:
----
  openssh-7.2p2-fips.patch
  openssh-7.2p2-gssapi_key_exchange.patch
  openssh-7.2p2-seed-prng.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.nFleZ1/_old  2016-09-27 13:41:05.000000000 +0200
+++ /var/tmp/diff_new_pack.nFleZ1/_new  2016-09-27 13:41:05.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh-askpass-gnome
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed

++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.nFleZ1/_old  2016-09-27 13:41:05.000000000 +0200
+++ /var/tmp/diff_new_pack.nFleZ1/_new  2016-09-27 13:41:05.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -125,6 +125,9 @@
 Patch13:        openssh-7.2p2-disable_short_DH_parameters.patch
 Patch14:        openssh-7.2p2-seccomp_getuid.patch
 Patch15:        openssh-7.2p2-seccomp_stat.patch
+Patch16:        openssh-7.2p2-fips.patch
+Patch17:        openssh-7.2p2-seed-prng.patch
+Patch18:        openssh-7.2p2-gssapi_key_exchange.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Conflicts:      nonfreessh
 Recommends:     audit
@@ -192,6 +195,9 @@
 %patch13 -p2
 %patch14 -p2
 %patch15 -p2
+%patch16 -p2
+%patch17 -p2
+%patch18 -p2
 cp %{SOURCE3} %{SOURCE4} %{SOURCE11} .
 
 %build


++++++ openssh-7.2p2-disable_short_DH_parameters.patch ++++++
--- /var/tmp/diff_new_pack.nFleZ1/_old  2016-09-27 13:41:05.000000000 +0200
+++ /var/tmp/diff_new_pack.nFleZ1/_new  2016-09-27 13:41:05.000000000 +0200
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  c924f46e3639b3646e42dd7505c206d43d7180fa
+# Parent  c40dce555117c740f3df867e9fc2b07b64b3ad96
 
 Raise minimal size of DH group parameters to 2048 bits like upstream did in
 7.2. 1024b values are believed to be in breaking range for state adversaries
@@ -101,7 +101,7 @@
                goto out;
        if ((bits = BN_num_bits(p)) < 0 ||
            (u_int)bits < kex->min || (u_int)bits > kex->max) {
-+              if (bits < kex->min && bits >= DH_GRP_MIN_RFC)
++              if ((u_int)bits < kex->min && (u_int)bits >= DH_GRP_MIN_RFC)
 +                      logit("DH parameter offered by the server (%d bits) "
 +                          "is considered insecure. "
 +                          "You can lower the accepted the minimum "
@@ -115,6 +115,61 @@
                goto out;
        }
        p = g = NULL; /* belong to kex->dh now */
+diff --git a/openssh-7.2p2/kexgexs.c b/openssh-7.2p2/kexgexs.c
+--- a/openssh-7.2p2/kexgexs.c
++++ b/openssh-7.2p2/kexgexs.c
+@@ -49,16 +49,19 @@
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+ #endif
+ #include "monitor_wrap.h"
+ #include "dispatch.h"
+ #include "ssherr.h"
+ #include "sshbuf.h"
+ 
++/* import from dh.c */
++extern int dh_grp_min;
++
+ static int input_kex_dh_gex_request(int, u_int32_t, void *);
+ static int input_kex_dh_gex_init(int, u_int32_t, void *);
+ 
+ int
+ kexgex_server(struct ssh *ssh)
+ {
+       ssh_dispatch_set(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST,
+           &input_kex_dh_gex_request);
+@@ -78,23 +81,29 @@ input_kex_dh_gex_request(int type, u_int
+       if ((r = sshpkt_get_u32(ssh, &min)) != 0 ||
+           (r = sshpkt_get_u32(ssh, &nbits)) != 0 ||
+           (r = sshpkt_get_u32(ssh, &max)) != 0 ||
+           (r = sshpkt_get_end(ssh)) != 0)
+               goto out;
+       kex->nbits = nbits;
+       kex->min = min;
+       kex->max = max;
+-      min = MAX(DH_GRP_MIN, min);
++      min = MAX(dh_grp_min, min);
+       max = MIN(DH_GRP_MAX, max);
+-      nbits = MAX(DH_GRP_MIN, nbits);
++      nbits = MAX(dh_grp_min, nbits);
+       nbits = MIN(DH_GRP_MAX, nbits);
+ 
+       if (kex->max < kex->min || kex->nbits < kex->min ||
+           kex->max < kex->nbits) {
++              if (kex->nbits < kex->min && kex->nbits >= DH_GRP_MIN_RFC)
++                      logit("DH parameter requested by the client (%d bits) "
++                          "is considered insecure. "
++                          "You can lower the accepted minimum "
++                          "via the KexDHMin option.",
++                          kex->nbits);
+               r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
+               goto out;
+       }
+ 
+       /* Contact privileged parent */
+       kex->dh = PRIVSEP(choose_dh(min, nbits, max));
+       if (kex->dh == NULL) {
+               sshpkt_disconnect(ssh, "no matching DH grp found");
 diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c
 --- a/openssh-7.2p2/readconf.c
 +++ b/openssh-7.2p2/readconf.c
@@ -147,7 +202,7 @@
        oVisualHostKey,
 -      oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 +      oKexAlgorithms, oKexDHMin,
-+    oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
++      oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
        oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
        oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
        oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
@@ -243,7 +298,7 @@
        if (options->cipher == -1)
                options->cipher = SSH_CIPHER_NOT_SET;
 +      if (options->kex_dhmin == -1)
-+              options->kex_dhmin = DH_GRP_MIN;
++              options->kex_dhmin = DH_GRP_MIN_RFC;
 +      else {
 +              options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
 +              options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
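Review bot: Changing the unset default from `DH_GRP_MIN` to `DH_GRP_MIN_RFC` lowers the client's accepted DH group size to the 1024-bit RFC 4419 floor out of the box, which contradicts this patch's own header ("Raise minimal size of DH group parameters to 2048 bits like upstream did in 7.2 ... 1024b values are believed to be in breaking range for state adversaries") and turns the KexDHMin opt-out into the default; the server side receives the identical change in the servconf.c hunk (`@@ -278,10 +333,199 @@`), so this applies there as well. If backward compatibility is the intent, the patch header and the ssh_config comment should state plainly that the shipped default is weaker than upstream's; otherwise keep `options->kex_dhmin = DH_GRP_MIN;` and leave KexDHMin as an explicit, per-host opt-out. The enclosing function (presumably fill_default_options) starts and ends outside the hunk.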
@@ -278,10 +333,199 @@
        int     escape_char;    /* Escape character; -2 = none */
  
        u_int   num_system_hostfiles;   /* Paths for /etc/ssh/ssh_known_hosts */
+diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c
+--- a/openssh-7.2p2/servconf.c
++++ b/openssh-7.2p2/servconf.c
+@@ -52,16 +52,20 @@
+ #include "channels.h"
+ #include "groupaccess.h"
+ #include "canohost.h"
+ #include "packet.h"
+ #include "hostfile.h"
+ #include "auth.h"
+ #include "myproposal.h"
+ #include "digest.h"
++#include "dh.h"
++
++/* import from dh.c */
++extern int dh_grp_min;
+ 
+ static void add_listen_addr(ServerOptions *, char *, int);
+ static void add_one_listen_addr(ServerOptions *, char *, int);
+ 
+ /* Use of privilege separation or not */
+ extern int use_privsep;
+ extern Buffer cfg;
+ 
+@@ -134,16 +138,17 @@ initialize_server_options(ServerOptions 
+       options->allow_agent_forwarding = -1;
+       options->num_allow_users = 0;
+       options->num_deny_users = 0;
+       options->num_allow_groups = 0;
+       options->num_deny_groups = 0;
+       options->ciphers = NULL;
+       options->macs = NULL;
+       options->kex_algorithms = NULL;
++      options->kex_dhmin = -1;
+       options->protocol = SSH_PROTO_UNKNOWN;
+       options->fwd_opts.gateway_ports = -1;
+       options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
+       options->fwd_opts.streamlocal_bind_unlink = -1;
+       options->num_subsystems = 0;
+       options->max_startups_begin = -1;
+       options->max_startups_rate = -1;
+       options->max_startups = -1;
+@@ -199,16 +204,23 @@ fill_default_server_options(ServerOption
+       int i;
+ 
+       /* Portable-specific options */
+       if (options->use_pam == -1)
+               options->use_pam = 0;
+       if (options->use_pam_check_locks == -1)
+               options->use_pam_check_locks = 0;
+ 
++      if (options->kex_dhmin == -1)
++              options->kex_dhmin = DH_GRP_MIN_RFC;
++      else {
++              options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC);
++              options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX);
++      }
++      dh_grp_min = options->kex_dhmin;
+       /* Standard Options */
+       if (options->protocol == SSH_PROTO_UNKNOWN)
+               options->protocol = SSH_PROTO_2;
+       if (options->num_host_key_files == 0) {
+               /* fill default hostkeys for protocols */
+               if (options->protocol & SSH_PROTO_1)
+                       options->host_key_files[options->num_host_key_files++] =
+                           _PATH_HOST_KEY_FILE;
+@@ -423,17 +435,18 @@ typedef enum {
+       sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+       sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+       sAcceptEnv, sPermitTunnel,
+       sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+       sUsePrivilegeSeparation, sAllowAgentForwarding,
+       sHostCertificate,
+       sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+       sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
+-      sKexAlgorithms, sIPQoS, sVersionAddendum,
++      sKexAlgorithms, sKexDHMin,
++      sIPQoS, sVersionAddendum,
+       sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+       sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
+       sStreamLocalBindMask, sStreamLocalBindUnlink,
+       sAllowStreamLocalForwarding, sFingerprintHash,
+       sDeprecated, sUnsupported
+ } ServerOpCodes;
+ 
+ #define SSHCFG_GLOBAL 0x01    /* allowed in main section of sshd_config */
+@@ -561,16 +574,17 @@ static struct {
+       { "permitopen", sPermitOpen, SSHCFG_ALL },
+       { "forcecommand", sForceCommand, SSHCFG_ALL },
+       { "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+       { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL },
+       { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+       { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
+       { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+       { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
++      { "kexdhmin", sKexDHMin },
+       { "ipqos", sIPQoS, SSHCFG_ALL },
+       { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
+       { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
+       { "authorizedprincipalscommand", sAuthorizedPrincipalsCommand, 
SSHCFG_ALL },
+       { "authorizedprincipalscommanduser", sAuthorizedPrincipalsCommandUser, 
SSHCFG_ALL },
+       { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+       { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+       { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
+@@ -1481,16 +1495,20 @@ process_server_config_line(ServerOptions
+                           filename, linenum);
+               if (!kex_names_valid(*arg == '+' ? arg + 1 : arg))
+                       fatal("%s line %d: Bad SSH2 KexAlgorithms '%s'.",
+                           filename, linenum, arg ? arg : "<NONE>");
+               if (options->kex_algorithms == NULL)
+                       options->kex_algorithms = xstrdup(arg);
+               break;
+ 
++      case sKexDHMin:
++              intptr = &options->kex_dhmin;
++              goto parse_int;
++
+       case sProtocol:
+               intptr = &options->protocol;
+               arg = strdelim(&cp);
+               if (!arg || *arg == '\0')
+                       fatal("%s line %d: Missing argument.", filename, 
linenum);
+               value = proto_spec(arg);
+               if (value == SSH_PROTO_UNKNOWN)
+                       fatal("%s line %d: Bad protocol spec '%s'.",
+@@ -2247,16 +2265,17 @@ dump_config(ServerOptions *o)
+       dump_cfg_int(sLoginGraceTime, o->login_grace_time);
+       dump_cfg_int(sKeyRegenerationTime, o->key_regeneration_time);
+       dump_cfg_int(sX11DisplayOffset, o->x11_display_offset);
+       dump_cfg_int(sMaxAuthTries, o->max_authtries);
+       dump_cfg_int(sMaxSessions, o->max_sessions);
+       dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
+       dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
+       dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
++      dump_cfg_int(sKexDHMin, o->kex_dhmin);
+ 
+       /* formatted integer arguments */
+       dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
+       dump_cfg_fmtint(sIgnoreRhosts, o->ignore_rhosts);
+       dump_cfg_fmtint(sIgnoreUserKnownHosts, o->ignore_user_known_hosts);
+       dump_cfg_fmtint(sRhostsRSAAuthentication, o->rhosts_rsa_authentication);
+       dump_cfg_fmtint(sHostbasedAuthentication, o->hostbased_authentication);
+       dump_cfg_fmtint(sHostbasedUsesNameFromPacketOnly,
+diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h
+--- a/openssh-7.2p2/servconf.h
++++ b/openssh-7.2p2/servconf.h
+@@ -88,16 +88,17 @@ typedef struct {
+       int     permit_user_rc; /* If false, deny ~/.ssh/rc execution */
+       int     strict_modes;   /* If true, require string home dir modes. */
+       int     tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
+       int     ip_qos_interactive;     /* IP ToS/DSCP/class for interactive */
+       int     ip_qos_bulk;            /* IP ToS/DSCP/class for bulk traffic */
+       char   *ciphers;        /* Supported SSH2 ciphers. */
+       char   *macs;           /* Supported SSH2 macs. */
+       char   *kex_algorithms; /* SSH2 kex methods in order of preference. */
++      int     kex_dhmin;      /* minimum bit length of the DH group parameter 
*/
+       int     protocol;       /* Supported protocol versions. */
+       struct ForwardOptions fwd_opts; /* forwarding options */
+       SyslogFacility log_facility;    /* Facility for system logging. */
+       LogLevel log_level;     /* Level for system logging. */
+       int     rhosts_rsa_authentication;      /* If true, permit rhosts RSA
+                                                * authentication. */
+       int     hostbased_authentication;       /* If true, permit ssh2 
hostbased auth */
+       int     hostbased_uses_name_from_packet_only; /* experimental */
+diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config
+--- a/openssh-7.2p2/ssh_config
++++ b/openssh-7.2p2/ssh_config
+@@ -12,16 +12,21 @@
+ # Any configuration value is only changed the first time it is set.
+ # Thus, host-specific definitions should be at the beginning of the
+ # configuration file, and defaults at the end.
+ 
+ # Site-wide defaults for some commonly used options.  For a comprehensive
+ # list of available options, their meanings and defaults, please see the
+ # ssh_config(5) man page.
+ 
++# Minimum accepted size of the DH parameter p. By default this is set to 1024
++# to maintain compatibility with RFC4419, but should be set higher.
++# Upstream default is identical to setting this to 2048.
++#KexDHMin 1024
++
+ Host *
+ #   ForwardAgent no
+ #   ForwardX11 no
+ 
+ # If you do not trust your remote host (or its administrator), you
+ # should not forward X11 connections to your local X11-display for
+ # security reasons: Someone stealing the authentification data on the
+ # remote side (the "spoofed" X-server by the remote sshd) can read your
 diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0
 --- a/openssh-7.2p2/ssh_config.0
 +++ b/openssh-7.2p2/ssh_config.0
-@@ -606,16 +606,29 @@ DESCRIPTION
+@@ -606,16 +606,33 @@ DESCRIPTION
                     ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                     diffie-hellman-group-exchange-sha256,
                     diffie-hellman-group-exchange-sha1,
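Review bot: The keyword-table entry `{ "kexdhmin", sKexDHMin },` in the servconf.c part of this hunk omits the third field that every neighbouring entry sets, so its flags are zero-initialised rather than SSHCFG_GLOBAL or SSHCFG_ALL; the parser uses those flags to decide where a keyword is accepted, so inside a Match block this presumably behaves differently from `kexalgorithms` directly above it. Use `{ "kexdhmin", sKexDHMin, SSHCFG_GLOBAL },` — the value is copied into the process-wide `dh_grp_min` in fill_default_server_options, so a per-Match setting could not be honoured anyway. The `case sKexDHMin:` branch jumps to `parse_int`, which presumably accepts any integer including negative ones; the later clamp to [DH_GRP_MIN_RFC, DH_GRP_MAX] in fill_default_server_options covers that only for values read before defaults are filled, which is worth a one-line comment at the clamp.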
@@ -291,17 +535,21 @@
               obtained using the -Q option of ssh(1) with an argument of 
M-bM-^@M-^\kexM-bM-^@M-^].
  
 +     KexDHMin
-+             Specifies the minimum accepted bit length of the DH group 
parameter p.
-+             As per RFC4419, this is 1024 bits however, this has increasingly
++             Specifies the minimum accepted bit length of the DH group
++             parameter p.
++
++             As per RFC4419, this is 1024 bits, however this has increasingly
 +             been seen as insecure, which prompted the change to 2048 bits.
 +             Setting this option allows the client to accept parameters 
shorter
 +             than the current minimum, down to the RFC specified 1024 bits.
 +             Using this option may be needed when connecting to servers that
 +             only know short DH group parameters.
-+             
-+             Note that using this option can severly impact security and thus
-+             should be viewed as a temporary fix of last resort and all 
efforts
-+             should be made to fix the server.
++
++             Note, that while by default this option is set to 1024 to 
maintain
++             maximum backward compatibility, using it can severly impact
++             security and thus should be viewed as a temporary fix of last
++             resort and all efforts should be made to fix the (broken)
++             counterparty.
 +
       LocalCommand
               Specifies a command to execute on the local machine after
@@ -314,7 +562,7 @@
 diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5
 --- a/openssh-7.2p2/ssh_config.5
 +++ b/openssh-7.2p2/ssh_config.5
-@@ -1092,16 +1092,28 @@ diffie-hellman-group14-sha1
+@@ -1092,16 +1092,32 @@ diffie-hellman-group14-sha1
  .Ed
  .Pp
  The list of available key exchange algorithms may also be obtained using the
@@ -324,17 +572,21 @@
  with an argument of
  .Dq kex .
 +.It Cm KexDHMin
-+Specifies the minimum accepted bit length of the DH group parameter p.
-+As per RFC4419, this is 1024 bits however, this has increasingly
++Specifies the minimum accepted bit length of the DH group
++parameter p.
++.Pp
++As per RFC4419, this is 1024 bits, however this has increasingly
 +been seen as insecure, which prompted the change to 2048 bits.
 +Setting this option allows the client to accept parameters shorter
 +than the current minimum, down to the RFC specified 1024 bits.
 +Using this option may be needed when connecting to servers that
 +only know short DH group parameters.
-+
-+Note that using this option can severly impact security and thus
-+should be viewed as a temporary fix of last resort and all efforts
-+should be made to fix the server.
++.Pp
++Note, that while by default this option is set to 1024 to maintain
++maximum backward compatibility, using it can severly impact
++security and thus should be viewed as a temporary fix of last
++resort and all efforts should be made to fix the (broken)
++counterparty.
  .It Cm LocalCommand
  Specifies a command to execute on the local machine after successfully
  connecting to the server.
@@ -343,3 +595,101 @@
  The following escape character substitutions will be performed:
  .Ql %d
  (local user's home directory),
+diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config
+--- a/openssh-7.2p2/sshd_config
++++ b/openssh-7.2p2/sshd_config
+@@ -21,16 +21,21 @@
+ # HostKey for protocol version 1
+ #HostKey /etc/ssh/ssh_host_key
+ # HostKeys for protocol version 2
+ #HostKey /etc/ssh/ssh_host_rsa_key
+ #HostKey /etc/ssh/ssh_host_dsa_key
+ #HostKey /etc/ssh/ssh_host_ecdsa_key
+ #HostKey /etc/ssh/ssh_host_ed25519_key
+ 
++# Minimum accepted size of the DH parameter p. By default this is set to 1024
++# to maintain compatibility with RFC4419, but should be set higher.
++# Upstream default is identical to setting this to 2048.
++#KexDHMin 1024
++
+ # Lifetime and size of ephemeral version 1 server key
+ #KeyRegenerationInterval 1h
+ #ServerKeyBits 1024
+ 
+ # Ciphers and keying
+ #RekeyLimit default none
+ 
+ # Logging
+diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0
+--- a/openssh-7.2p2/sshd_config.0
++++ b/openssh-7.2p2/sshd_config.0
+@@ -539,16 +539,33 @@ DESCRIPTION
+                    [email protected],
+                    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+                    diffie-hellman-group-exchange-sha256,
+                    diffie-hellman-group14-sha1
+ 
+              The list of available key exchange algorithms may also be
+              obtained using the -Q option of ssh(1) with an argument of 
M-bM-^@M-^\kexM-bM-^@M-^].
+ 
++     KexDHMin
++             Specifies the minimum accepted bit length of the DH group
++             parameter p.
++
++             As per RFC4419, this is 1024 bits, however this has increasingly
++             been seen as insecure, which prompted the change to 2048 bits.
++             Setting this option allows the server to accept parameters 
shorter
++             than the current minimum, down to the RFC specified 1024 bits.
++             Using this option may be needed when some of the connectiong
++             clients only know short DH group parameters.
++
++             Note, that while by default this option is set to 1024 to 
maintain
++             maximum backward compatibility, using it can severly impact
++             security and thus should be viewed as a temporary fix of last
++             resort and all efforts should be made to fix the (broken)
++             counterparty.
++
+      KeyRegenerationInterval
+              In protocol version 1, the ephemeral server key is automatically
+              regenerated after this many seconds (if it has been used).  The
+              purpose of regeneration is to prevent decrypting captured
+              sessions by later breaking into the machine and stealing the
+              keys.  The key is never stored anywhere.  If the value is 0, the
+              key is never regenerated.  The default is 3600 (seconds).
+ 
+diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5
+--- a/openssh-7.2p2/sshd_config.5
++++ b/openssh-7.2p2/sshd_config.5
+@@ -895,16 +895,32 @@ diffie-hellman-group14-sha1
+ .Ed
+ .Pp
+ The list of available key exchange algorithms may also be obtained using the
+ .Fl Q
+ option of
+ .Xr ssh 1
+ with an argument of
+ .Dq kex .
++.It Cm KexDHMin
++Specifies the minimum accepted bit length of the DH group
++parameter p.
++.Pp
++As per RFC4419, this is 1024 bits, however this has increasingly
++been seen as insecure, which prompted the change to 2048 bits.
++Setting this option allows the server to accept parameters shorter
++than the current minimum, down to the RFC specified 1024 bits.
++Using this option may be needed when some of the connectiong
++clients only know short DH group parameters.
++.Pp
++Note, that while by default this option is set to 1024 to maintain
++maximum backward compatibility, using it can severly impact
++security and thus should be viewed as a temporary fix of last
++resort and all efforts should be made to fix the (broken)
++counterparty.
+ .It Cm KeyRegenerationInterval
+ In protocol version 1, the ephemeral server key is automatically regenerated
+ after this many seconds (if it has been used).
+ The purpose of regeneration is to prevent
+ decrypting captured sessions by later breaking into the machine and
+ stealing the keys.
+ The key is never stored anywhere.
+ If the value is 0, the key is never regenerated.

++++++ openssh-7.2p2-fips.patch ++++++
++++ 1834 lines (skipped)

++++++ openssh-7.2p2-gssapi_key_exchange.patch ++++++
++++ 3963 lines (skipped)

++++++ openssh-7.2p2-seed-prng.patch ++++++
# HG changeset patch
# Parent  36ab4b78afea8cea4e3bed1291a49ba05cbb9115
# extended support for (re-)seeding the OpenSSL PRNG from /dev/random
# bnc#703221, FATE#312172

diff --git a/openssh-7.2p2/entropy.c b/openssh-7.2p2/entropy.c
--- a/openssh-7.2p2/entropy.c
+++ b/openssh-7.2p2/entropy.c
@@ -49,16 +49,17 @@
 
 #include "ssh.h"
 #include "misc.h"
 #include "xmalloc.h"
 #include "atomicio.h"
 #include "pathnames.h"
 #include "log.h"
 #include "buffer.h"
+#include "openbsd-compat/port-linux.h"
 
 /*
  * Portable OpenSSH PRNG seeding:
  * If OpenSSL has not "internally seeded" itself (e.g. pulled data from
  * /dev/random), then collect RANDOM_SEED_SIZE bytes of randomness from
  * PRNGd.
  */
 #ifndef OPENSSL_PRNG_ONLY
@@ -224,16 +225,19 @@ seed_rng(void)
        }
 
        if (seed_from_prngd(buf, sizeof(buf)) == -1)
                fatal("Could not obtain seed from PRNGd");
        RAND_add(buf, sizeof(buf), sizeof(buf));
        memset(buf, '\0', sizeof(buf));
 
 #endif /* OPENSSL_PRNG_ONLY */
+
+       linux_seed();
+
        if (RAND_status() != 1)
                fatal("PRNG is not seeded");
 }
 
 #else /* WITH_OPENSSL */
 
 /* Handled in arc4random() */
 void
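Review bot: `linux_seed();` is called unconditionally from the portable `seed_rng()`, with no platform guard around the call or, as far as the port-linux.h hunk further down shows, around the prototype; on a system without /dev/random or /dev/urandom the new code turns an otherwise seeded PRNG (`RAND_status()` is checked right after) into a `fatal()` from linux_seed(). Wrapping the call as `#ifdef __linux__` / `linux_seed();` / `#endif` (or making linux_seed() a no-op on other ports) keeps the remaining ports unaffected. Note also that with FIPS mode or SSH_USE_STRONG_RNG set the read comes from the blocking /dev/random, so every sshd child can stall at startup on an entropy-starved host; that is a deliberate trade-off, but it deserves a comment at the call site. seed_rng() starts outside the hunk.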
diff --git a/openssh-7.2p2/openbsd-compat/Makefile.in 
b/openssh-7.2p2/openbsd-compat/Makefile.in
--- a/openssh-7.2p2/openbsd-compat/Makefile.in
+++ b/openssh-7.2p2/openbsd-compat/Makefile.in
@@ -15,17 +15,17 @@ AR=@AR@
 RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
 
 OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o 
dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o 
glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o 
reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o 
rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o 
strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o 
blowfish.o bcrypt_pbkdf.o explicit_bzero.o
 
 COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o 
bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o 
bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o 
bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o 
kludge-fd_set.o
 
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-prng.o port-solaris.o 
port-tun.o port-uw.o
 
 .c.o:
        $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
 
 all: libopenbsd-compat.a
 
 $(COMPAT): ../config.h
 $(OPENBSD): ../config.h
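Review bot: `port-linux-prng.o` is added to PORTS unconditionally, so it is compiled on every platform and regardless of whether OpenSSL is available, while the new source (the port-linux-prng.c hunk below) includes `<openssl/rand.h>` and calls `RAND_load_file()` with no `WITH_OPENSSL` or Linux guard visible; a build with OpenSSL disabled would presumably fail on this object. Either wrap the body of port-linux-prng.c in `#ifdef WITH_OPENSSL`, mirroring the guard entropy.c places around the caller, or make the object conditional on the configure result.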
diff --git a/openssh-7.2p2/openbsd-compat/port-linux-prng.c 
b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
new file mode 100644
--- /dev/null
+++ b/openssh-7.2p2/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2011 Jan F. Chadima <[email protected]>
+ *           (c) 2011 Petr Cerny <[email protected]>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - prng support
+ */
+
+#include "includes.h"
+#include "defines.h"
+
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <openssl/rand.h>
+
+#include "log.h"
+#include "port-linux.h"
+#include "fips.h"
+
+#define RNG_BYTES_DEFAULT      6L
+#define RNG_ENV_VAR            "SSH_USE_STRONG_RNG"
+
+long rand_bytes = 0;
+char *rand_file = NULL;
+
+static void
+linux_seed_init(void)
+{
+       long elen = 0;
+       char *env = getenv(RNG_ENV_VAR);
+
+       if (env) {
+               errno = 0;
+               elen = strtol(env, NULL, 10);
+               if (errno) {
+                       elen = RNG_BYTES_DEFAULT;
+                       debug("bogus value in the %s environment variable, "
+                               "using %li bytes from /dev/random\n",
+                               RNG_ENV_VAR, RNG_BYTES_DEFAULT);
+               }
+       }
+
+       if (elen || fips_mode())
+               rand_file = "/dev/random";
+       else
+               rand_file = "/dev/urandom";
+
+       rand_bytes = MAX(elen, RNG_BYTES_DEFAULT);
+}
+
+void
+linux_seed(void)
+{
+       long len;
+       if (!rand_file)
+               linux_seed_init();
+
+       errno = 0;
+       len = RAND_load_file(rand_file, rand_bytes);
+       if (len != rand_bytes) {
+               if (errno)
+                       fatal ("cannot read from %s, %s", rand_file, 
strerror(errno));
+               else
+                       fatal ("EOF reading %s", rand_file);
+       }
+}
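Review bot: `elen = strtol(env, NULL, 10);` only detects ERANGE through errno, so a non-numeric setting such as `SSH_USE_STRONG_RNG=yes` yields 0 with errno still 0, `rand_file` silently stays `/dev/urandom`, and the "bogus value" branch is never reached — while the man pages added in this same patch promise that any value other than 0 selects /dev/random. Parse with an end pointer and treat unconsumed input as bogus: `char *end; errno = 0; elen = strtol(env, &end, 10); if (errno != 0 || end == env || *end != '\0') { elen = RNG_BYTES_DEFAULT; debug(...); }`. The `debug()` format ends in `\n` although the other log messages in this hunk do not, and `getenv()`/`strtol()` need `<stdlib.h>`, which this file does not include directly (includes.h may supply it). Since a non-zero value also sets the byte count, a large value in the environment makes every start block on /dev/random; documenting an upper bound, or capping rand_bytes, keeps that a conscious choice rather than a surprise.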
diff --git a/openssh-7.2p2/openbsd-compat/port-linux.h 
b/openssh-7.2p2/openbsd-compat/port-linux.h
--- a/openssh-7.2p2/openbsd-compat/port-linux.h
+++ b/openssh-7.2p2/openbsd-compat/port-linux.h
@@ -14,16 +14,20 @@
  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
 #ifndef _PORT_LINUX_H
 #define _PORT_LINUX_H
 
+extern long rand_bytes;
+extern char *rand_file;
+void linux_seed(void);
+
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
 void ssh_selinux_change_context(const char *);
 void ssh_selinux_setfscreatecon(const char *);
 #endif
 
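Review bot: `extern long rand_bytes;` and `extern char *rand_file;` export mutable seeding state that nothing outside port-linux-prng.c reads or writes anywhere in this patch; only `linux_seed()` needs to be visible. Making both variables `static` in port-linux-prng.c and dropping the two extern lines prevents other translation units from redirecting the entropy source and keeps the global namespace clean. The prototype is also declared unconditionally, so non-Linux builds see a declaration for a function only the Linux port supplies.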
diff --git a/openssh-7.2p2/ssh-add.1 b/openssh-7.2p2/ssh-add.1
--- a/openssh-7.2p2/ssh-add.1
+++ b/openssh-7.2p2/ssh-add.1
@@ -166,16 +166,30 @@ or related script.
 (Note that on some machines it
 may be necessary to redirect the input from
 .Pa /dev/null
 to make this work.)
 .It Ev SSH_AUTH_SOCK
 Identifies the path of a
 .Ux Ns -domain
 socket used to communicate with the agent.
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to 
+be blocked until enough entropy is available.
 .El
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/identity
 Contains the protocol version 1 RSA authentication identity of the user.
 .It Pa ~/.ssh/id_dsa
 Contains the protocol version 2 DSA authentication identity of the user.
 .It Pa ~/.ssh/id_ecdsa
diff --git a/openssh-7.2p2/ssh-agent.1 b/openssh-7.2p2/ssh-agent.1
--- a/openssh-7.2p2/ssh-agent.1
+++ b/openssh-7.2p2/ssh-agent.1
@@ -196,16 +196,33 @@ line terminates.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
 .Ux Ns -domain
 sockets used to contain the connection to the authentication agent.
 These sockets should only be readable by the owner.
 The sockets should get automatically removed when the agent exits.
 .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to 
+be blocked until enough entropy is available.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-keygen 1 ,
 .Xr sshd 8
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
 ssh 1.2.12 release by Tatu Ylonen.
diff --git a/openssh-7.2p2/ssh-keygen.1 b/openssh-7.2p2/ssh-keygen.1
--- a/openssh-7.2p2/ssh-keygen.1
+++ b/openssh-7.2p2/ssh-keygen.1
@@ -841,16 +841,33 @@ on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
 .Pp
 .It Pa /etc/moduli
 Contains Diffie-Hellman groups used for DH-GEX.
 The file format is described in
 .Xr moduli 5 .
 .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to 
+be blocked until enough entropy is available.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
 .Xr moduli 5 ,
 .Xr sshd 8
 .Rs
 .%R RFC 4716
diff --git a/openssh-7.2p2/ssh-keysign.8 b/openssh-7.2p2/ssh-keysign.8
--- a/openssh-7.2p2/ssh-keysign.8
+++ b/openssh-7.2p2/ssh-keysign.8
@@ -75,16 +75,33 @@ must be set-uid root if host-based authe
 .Pp
 .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
 .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
 .It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
 .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
 .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to 
+be blocked until enough entropy is available.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh_config 5 ,
 .Xr sshd 8
 .Sh HISTORY
 .Nm
 first appeared in
diff --git a/openssh-7.2p2/ssh.1 b/openssh-7.2p2/ssh.1
--- a/openssh-7.2p2/ssh.1
+++ b/openssh-7.2p2/ssh.1
@@ -1411,16 +1411,30 @@ reads
 and adds lines of the format
 .Dq VARNAME=value
 to the environment if the file exists and users are allowed to
 change their environment.
 For more information, see the
 .Cm PermitUserEnvironment
 option in
 .Xr sshd_config 5 .
+.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to 
+be blocked until enough entropy is available.
 .Sh FILES
 .Bl -tag -width Ds -compact
 .It Pa ~/.rhosts
 This file is used for host-based authentication (see above).
 On some machines this file may need to be
 world-readable if the user's home directory is on an NFS partition,
 because
 .Xr sshd 8
diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8
--- a/openssh-7.2p2/sshd.8
+++ b/openssh-7.2p2/sshd.8
@@ -972,16 +972,33 @@ and not group or world-writable.
 .It Pa /var/run/sshd.pid
 Contains the process ID of the
 .Nm
 listening for connections (if there are several daemons running
 concurrently for different ports, this contains the process ID of the one
 started last).
 The content of this file is not sensitive; it can be world-readable.
 .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
+.Pp
+.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the 
+.Cm SSH_USE_STRONG_RNG
+environment variable is set to value other than
+.Cm 0
+the OpenSSL random generator is reseeded from
+.Cm /dev/random .
+The number of bytes read is defined by the SSH_USE_STRONG_RNG value. 
+Minimum is 6 bytes.
+This setting is not recommended on the computers without the hardware
+random generator because insufficient entropy causes the connection to 
+be blocked until enough entropy is available.
 .Sh SEE ALSO
 .Xr scp 1 ,
 .Xr sftp 1 ,
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
diff --git a/openssh-7.2p2/sshd.c b/openssh-7.2p2/sshd.c
--- a/openssh-7.2p2/sshd.c
+++ b/openssh-7.2p2/sshd.c
@@ -50,16 +50,18 @@
 #ifdef HAVE_SYS_STAT_H
 # include <sys/stat.h>
 #endif
 #ifdef HAVE_SYS_TIME_H
 # include <sys/time.h>
 #endif
 #include "openbsd-compat/sys-tree.h"
 #include "openbsd-compat/sys-queue.h"
+#include "openbsd-compat/port-linux.h"
+
 #include <sys/wait.h>
 
 #include <errno.h>
 #include <fcntl.h>
 #include <netdb.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
@@ -209,16 +211,23 @@ struct {
        Key     **host_pubkeys;         /* all public host keys */
        Key     **host_certificates;    /* all public host certificates */
        int     have_ssh1_key;
        int     have_ssh2_key;
        u_char  ssh1_cookie[SSH_SESSION_KEY_LENGTH];
 } sensitive_data;
 
 /*
+ * Every RESEED_AFTERth connection triggers call to linux_seed() to re-seed the
+ * random pool.
+ */
+#define RESEED_AFTER    100
+static int re_seeding_counter = RESEED_AFTER;
+
+/*
  * Flag indicating whether the RSA server key needs to be regenerated.
  * Is set in the SIGALRM handler and cleared when the key is regenerated.
  */
 static volatile sig_atomic_t key_do_regen = 0;
 
 /* This is set to true when a signal is received. */
 static volatile sig_atomic_t received_sighup = 0;
 static volatile sig_atomic_t received_sigterm = 0;
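Review bot: `re_seeding_counter` is given file scope here although the only code that reads or writes it on this page is server_accept_loop (next hunk); a function-scope `static` there would keep the counter next to its single user and make the RESEED_AFTER comment self-contained. The comment should also say which process does the work, since the reseed runs in the listening parent rather than in a per-connection child, e.g. `/* Reseed the RNG in the listener every RESEED_AFTER accepted connections (before the fork). */`. `RESEED_AFTER` is a tunable with no configuration knob, which is fine for a first version but worth stating in the comment.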
@@ -1343,16 +1352,20 @@ server_accept_loop(int *sock_in, int *so
                        for (j = 0; j < options.max_startups; j++)
                                if (startup_pipes[j] == -1) {
                                        startup_pipes[j] = startup_p[0];
                                        if (maxfd < startup_p[0])
                                                maxfd = startup_p[0];
                                        startups++;
                                        break;
                                }
+                       if(!(--re_seeding_counter)) {
+                               re_seeding_counter = RESEED_AFTER;
+                               linux_seed();
+                       }
 
                        /*
                         * Got connection.  Fork a child to handle it, unless
                         * we are in debugging mode.
                         */
                        if (debug_flag) {
                                /*
                                 * In debugging mode.  Close the listening
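Review bot: `if(!(--re_seeding_counter)) {` departs from the surrounding OpenSSH style, which writes `if (` with a space and compares explicitly; `if (--re_seeding_counter == 0) {` reads the intent directly. More importantly, this call runs in the listening parent before the fork a few lines below, so when SSH_USE_STRONG_RNG selects /dev/random — which the manual page hunks on this page describe as blocking until enough entropy is available — every hundredth accepted connection can stall acceptance of all pending connections rather than just the one being handled. That is worth a comment at the call, e.g. `/* Runs in the listener: a blocking seed read here delays every pending connection. */`, or weighing whether the reseed belongs after the fork instead. server_accept_loop starts and ends outside the hunk.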

