Date: Sunday, April 20, 2014 @ 21:41:25
Author: bisson
Revision: 211580
archrelease: copy trunk to testing-i686, testing-x86_64
Added:
openssh/repos/testing-i686/
openssh/repos/testing-i686/PKGBUILD
(from rev 211579, openssh/trunk/PKGBUILD)
openssh/repos/testing-i686/curve25519pad.patch
(from rev 211579, openssh/trunk/curve25519pad.patch)
openssh/repos/testing-i686/install
(from rev 211579, openssh/trunk/install)
openssh/repos/testing-i686/sshd.pam
(from rev 211579, openssh/trunk/sshd.pam)
openssh/repos/testing-i686/sshd.service
(from rev 211579, openssh/trunk/sshd.service)
openssh/repos/testing-i686/sshd.socket
(from rev 211579, openssh/trunk/sshd.socket)
openssh/repos/testing-i686/[email protected]
(from rev 211579, openssh/trunk/[email protected])
openssh/repos/testing-i686/sshdgenkeys.service
(from rev 211579, openssh/trunk/sshdgenkeys.service)
openssh/repos/testing-x86_64/
openssh/repos/testing-x86_64/PKGBUILD
(from rev 211579, openssh/trunk/PKGBUILD)
openssh/repos/testing-x86_64/curve25519pad.patch
(from rev 211579, openssh/trunk/curve25519pad.patch)
openssh/repos/testing-x86_64/install
(from rev 211579, openssh/trunk/install)
openssh/repos/testing-x86_64/sshd.pam
(from rev 211579, openssh/trunk/sshd.pam)
openssh/repos/testing-x86_64/sshd.service
(from rev 211579, openssh/trunk/sshd.service)
openssh/repos/testing-x86_64/sshd.socket
(from rev 211579, openssh/trunk/sshd.socket)
openssh/repos/testing-x86_64/[email protected]
(from rev 211579, openssh/trunk/[email protected])
openssh/repos/testing-x86_64/sshdgenkeys.service
(from rev 211579, openssh/trunk/sshdgenkeys.service)
------------------------------------+
testing-i686/PKGBUILD | 95 +++++++++++++++++++
testing-i686/curve25519pad.patch | 171 +++++++++++++++++++++++++++++++++++
testing-i686/install | 10 ++
testing-i686/sshd.pam | 6 +
testing-i686/sshd.service | 17 +++
testing-i686/sshd.socket | 10 ++
testing-i686/[email protected] | 8 +
testing-i686/sshdgenkeys.service | 17 +++
testing-x86_64/PKGBUILD | 95 +++++++++++++++++++
testing-x86_64/curve25519pad.patch | 171 +++++++++++++++++++++++++++++++++++
testing-x86_64/install | 10 ++
testing-x86_64/sshd.pam | 6 +
testing-x86_64/sshd.service | 17 +++
testing-x86_64/sshd.socket | 10 ++
testing-x86_64/[email protected] | 8 +
testing-x86_64/sshdgenkeys.service | 17 +++
16 files changed, 668 insertions(+)
Copied: openssh/repos/testing-i686/PKGBUILD (from rev 211579,
openssh/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,95 @@
+# $Id$
+# Maintainer: Gaetan Bisson <[email protected]>
+# Contributor: Aaron Griffin <[email protected]>
+# Contributor: judd <[email protected]>
+
+pkgname=openssh
+pkgver=6.6p1
+pkgrel=2
+pkgdesc='Free version of the SSH connectivity tools'
+url='http://www.openssh.org/portable.html'
+license=('custom:BSD')
+arch=('i686' 'x86_64')
+makedepends=('linux-headers')
+depends=('krb5' 'openssl' 'libedit' 'ldns')
+optdepends=('xorg-xauth: X11 forwarding'
+ 'x11-ssh-askpass: input passphrase in X')
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc}
+ 'curve25519pad.patch'
+ 'sshdgenkeys.service'
+ '[email protected]'
+ 'sshd.service'
+ 'sshd.socket'
+ 'sshd.pam')
+sha1sums=('b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e' 'SKIP'
+ '13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad'
+ 'cc1ceec606c98c7407e7ac21ade23aed81e31405'
+ '6a0ff3305692cf83aca96e10f3bb51e1c26fccda'
+ 'ec49c6beba923e201505f5669cea48cad29014db'
+ 'e12fa910b26a5634e5a6ac39ce1399a132cf6796'
+ 'd93dca5ebda4610ff7647187f8928a3de28703f3')
+
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+
+install=install
+
+prepare() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p0 -i ../curve25519pad.patch
+}
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib/ssh \
+ --sysconfdir=/etc/ssh \
+ --with-ldns \
+ --with-libedit \
+ --with-ssl-engine \
+ --with-pam \
+ --with-privsep-user=nobody \
+ --with-kerberos5=/usr \
+ --with-xauth=/usr/bin/xauth \
+ --with-mantype=man \
+ --with-md5-passwords \
+ --with-pid-dir=/run \
+
+ make
+}
+
+check() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ make tests || true
+ # hard to suitably test connectivity:
+ # - fails with /bin/false as login shell
+ # - fails with firewall activated, etc.
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ make DESTDIR="${pkgdir}" install
+
+ ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+ install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+
+ install -Dm644 ../sshdgenkeys.service
"${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
+ install -Dm644 ../[email protected]
"${pkgdir}"/usr/lib/systemd/system/[email protected]
+ install -Dm644 ../sshd.service
"${pkgdir}"/usr/lib/systemd/system/sshd.service
+ install -Dm644 ../sshd.socket
"${pkgdir}"/usr/lib/systemd/system/sshd.socket
+ install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+
+ install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+ install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+ install -Dm644 contrib/ssh-copy-id.1
"${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+ sed \
+ -e '/^#ChallengeResponseAuthentication yes$/c
ChallengeResponseAuthentication no' \
+ -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
+ -e '/^#UsePAM no$/c UsePAM yes' \
+ -i "${pkgdir}"/etc/ssh/sshd_config
+}
Copied: openssh/repos/testing-i686/curve25519pad.patch (from rev 211579,
openssh/trunk/curve25519pad.patch)
===================================================================
--- testing-i686/curve25519pad.patch (rev 0)
+++ testing-i686/curve25519pad.patch 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,171 @@
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements [email protected] properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===================================================================
+RCS file: /var/cvs/openssh/version.h,v
+retrieving revision 1.82
+diff -u -p -r1.82 version.h
+--- version.h 27 Feb 2014 23:01:54 -0000 1.82
++++ version.h 20 Apr 2014 03:35:15 -0000
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+
+-#define SSH_VERSION "OpenSSH_6.6"
++#define SSH_VERSION "OpenSSH_6.6.1"
+
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===================================================================
+RCS file: /var/cvs/openssh/compat.c,v
+retrieving revision 1.82
+retrieving revision 1.85
+diff -u -p -r1.82 -r1.85
+--- compat.c 31 Dec 2013 01:25:41 -0000 1.82
++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ { "OpenSSH_4*", 0 },
+ { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
++ { "OpenSSH_6.5*,"
++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ { "OpenSSH*", SSH_NEW_OPENSSH },
+ { "*MindTerm*", 0 },
+ { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+ return cipher_prop;
+ }
+
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
+ if (*pkalg_prop == '\0')
+ fatal("No supported PK algorithms found");
+ return pkalg_prop;
++}
++
++char *
++compat_kex_proposal(char *kex_prop)
++{
++ if (!(datafellows & SSH_BUG_CURVE25519PAD))
++ return kex_prop;
++ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++ kex_prop = filter_proposal(kex_prop, "[email protected]");
++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++ if (*kex_prop == '\0')
++ fatal("No supported key exchange algorithms found");
++ return kex_prop;
+ }
+
+Index: compat.h
+===================================================================
+RCS file: /var/cvs/openssh/compat.h,v
+retrieving revision 1.42
+retrieving revision 1.43
+diff -u -p -r1.42 -r1.43
+--- compat.h 31 Dec 2013 01:25:41 -0000 1.42
++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR 0x02000000
+ #define SSH_NEW_OPENSSH 0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_CURVE25519PAD 0x10000000
+
+ void enable_compat13(void);
+ void enable_compat20(void);
+@@ -66,6 +67,7 @@ void compat_datafellows(const char *
+ int proto_spec(const char *);
+ char *compat_cipher_proposal(char *);
+ char *compat_pkalg_proposal(char *);
++char *compat_kex_proposal(char *);
+
+ extern int compat13;
+ extern int compat20;
+Index: sshd.c
+===================================================================
+RCS file: /var/cvs/openssh/sshd.c,v
+retrieving revision 1.448
+retrieving revision 1.453
+diff -u -p -r1.448 -r1.453
+--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
+@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
++
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+Index: sshconnect2.c
+===================================================================
+RCS file: /var/cvs/openssh/sshconnect2.c,v
+retrieving revision 1.197
+retrieving revision 1.199
+diff -u -p -r1.197 -r1.199
+--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
+@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ }
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
+
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+Index: bufaux.c
+===================================================================
+RCS file: /var/cvs/openssh/bufaux.c,v
+retrieving revision 1.62
+retrieving revision 1.63
+diff -u -p -r1.62 -r1.63
+--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <[email protected]>
+ * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
+
+ if (l > 8 * 1024)
+ fatal("%s: length %u too long", __func__, l);
++ /* Skip leading zero bytes */
++ for (; l > 0 && *s == 0; l--, s++)
++ ;
+ p = buf = xmalloc(l + 1);
+ /*
+ * If most significant bit is set then prepend a zero byte to
+_______________________________________________
+openssh-unix-dev mailing list
[email protected]
+https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
\ No newline at end of file
Copied: openssh/repos/testing-i686/install (from rev 211579,
openssh/trunk/install)
===================================================================
--- testing-i686/install (rev 0)
+++ testing-i686/install 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,10 @@
+post_upgrade() {
+ if [[ $(vercmp $2 6.2p2) = -1 ]]; then
+ cat <<EOF
+
+==> The sshd daemon has been moved to /usr/bin alongside all binaries.
+==> Please update this path in your scripts if applicable.
+
+EOF
+ fi
+}
Copied: openssh/repos/testing-i686/sshd.pam (from rev 211579,
openssh/trunk/sshd.pam)
===================================================================
--- testing-i686/sshd.pam (rev 0)
+++ testing-i686/sshd.pam 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,6 @@
+#%PAM-1.0
+#auth required pam_securetty.so #disable remote root
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
Copied: openssh/repos/testing-i686/sshd.service (from rev 211579,
openssh/trunk/sshd.service)
===================================================================
--- testing-i686/sshd.service (rev 0)
+++ testing-i686/sshd.service 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH Daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/sshd -D
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+# This service file runs an SSH daemon that forks for each incoming connection.
+# If you prefer to spawn on-demand daemons, use sshd.socket and [email protected].
Copied: openssh/repos/testing-i686/sshd.socket (from rev 211579,
openssh/trunk/sshd.socket)
===================================================================
--- testing-i686/sshd.socket (rev 0)
+++ testing-i686/sshd.socket 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,10 @@
+[Unit]
+Conflicts=sshd.service
+Wants=sshdgenkeys.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
Copied: openssh/repos/testing-i686/[email protected] (from rev 211579,
openssh/trunk/[email protected])
===================================================================
--- testing-i686/[email protected] (rev 0)
+++ testing-i686/[email protected] 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH Per-Connection Daemon
+After=sshdgenkeys.service
+
+[Service]
+ExecStart=-/usr/bin/sshd -i
+StandardInput=socket
+StandardError=syslog
Copied: openssh/repos/testing-i686/sshdgenkeys.service (from rev 211579,
openssh/trunk/sshdgenkeys.service)
===================================================================
--- testing-i686/sshdgenkeys.service (rev 0)
+++ testing-i686/sshdgenkeys.service 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,17 @@
+[Unit]
+Description=SSH Key Generation
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
Copied: openssh/repos/testing-x86_64/PKGBUILD (from rev 211579,
openssh/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,95 @@
+# $Id$
+# Maintainer: Gaetan Bisson <[email protected]>
+# Contributor: Aaron Griffin <[email protected]>
+# Contributor: judd <[email protected]>
+
+pkgname=openssh
+pkgver=6.6p1
+pkgrel=2
+pkgdesc='Free version of the SSH connectivity tools'
+url='http://www.openssh.org/portable.html'
+license=('custom:BSD')
+arch=('i686' 'x86_64')
+makedepends=('linux-headers')
+depends=('krb5' 'openssl' 'libedit' 'ldns')
+optdepends=('xorg-xauth: X11 forwarding'
+ 'x11-ssh-askpass: input passphrase in X')
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc}
+ 'curve25519pad.patch'
+ 'sshdgenkeys.service'
+ '[email protected]'
+ 'sshd.service'
+ 'sshd.socket'
+ 'sshd.pam')
+sha1sums=('b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e' 'SKIP'
+ '13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad'
+ 'cc1ceec606c98c7407e7ac21ade23aed81e31405'
+ '6a0ff3305692cf83aca96e10f3bb51e1c26fccda'
+ 'ec49c6beba923e201505f5669cea48cad29014db'
+ 'e12fa910b26a5634e5a6ac39ce1399a132cf6796'
+ 'd93dca5ebda4610ff7647187f8928a3de28703f3')
+
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+
+install=install
+
+prepare() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ patch -p0 -i ../curve25519pad.patch
+}
+
+build() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib/ssh \
+ --sysconfdir=/etc/ssh \
+ --with-ldns \
+ --with-libedit \
+ --with-ssl-engine \
+ --with-pam \
+ --with-privsep-user=nobody \
+ --with-kerberos5=/usr \
+ --with-xauth=/usr/bin/xauth \
+ --with-mantype=man \
+ --with-md5-passwords \
+ --with-pid-dir=/run \
+
+ make
+}
+
+check() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ make tests || true
+ # hard to suitably test connectivity:
+ # - fails with /bin/false as login shell
+ # - fails with firewall activated, etc.
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+
+ make DESTDIR="${pkgdir}" install
+
+ ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+ install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+
+ install -Dm644 ../sshdgenkeys.service
"${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
+ install -Dm644 ../[email protected]
"${pkgdir}"/usr/lib/systemd/system/[email protected]
+ install -Dm644 ../sshd.service
"${pkgdir}"/usr/lib/systemd/system/sshd.service
+ install -Dm644 ../sshd.socket
"${pkgdir}"/usr/lib/systemd/system/sshd.socket
+ install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+
+ install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+ install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+ install -Dm644 contrib/ssh-copy-id.1
"${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+ sed \
+ -e '/^#ChallengeResponseAuthentication yes$/c
ChallengeResponseAuthentication no' \
+ -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
+ -e '/^#UsePAM no$/c UsePAM yes' \
+ -i "${pkgdir}"/etc/ssh/sshd_config
+}
Copied: openssh/repos/testing-x86_64/curve25519pad.patch (from rev 211579,
openssh/trunk/curve25519pad.patch)
===================================================================
--- testing-x86_64/curve25519pad.patch (rev 0)
+++ testing-x86_64/curve25519pad.patch 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,171 @@
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements [email protected] properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===================================================================
+RCS file: /var/cvs/openssh/version.h,v
+retrieving revision 1.82
+diff -u -p -r1.82 version.h
+--- version.h 27 Feb 2014 23:01:54 -0000 1.82
++++ version.h 20 Apr 2014 03:35:15 -0000
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+
+-#define SSH_VERSION "OpenSSH_6.6"
++#define SSH_VERSION "OpenSSH_6.6.1"
+
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===================================================================
+RCS file: /var/cvs/openssh/compat.c,v
+retrieving revision 1.82
+retrieving revision 1.85
+diff -u -p -r1.82 -r1.85
+--- compat.c 31 Dec 2013 01:25:41 -0000 1.82
++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ { "OpenSSH_4*", 0 },
+ { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
++ { "OpenSSH_6.5*,"
++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ { "OpenSSH*", SSH_NEW_OPENSSH },
+ { "*MindTerm*", 0 },
+ { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+ return cipher_prop;
+ }
+
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
+ if (*pkalg_prop == '\0')
+ fatal("No supported PK algorithms found");
+ return pkalg_prop;
++}
++
++char *
++compat_kex_proposal(char *kex_prop)
++{
++ if (!(datafellows & SSH_BUG_CURVE25519PAD))
++ return kex_prop;
++ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++ kex_prop = filter_proposal(kex_prop, "[email protected]");
++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++ if (*kex_prop == '\0')
++ fatal("No supported key exchange algorithms found");
++ return kex_prop;
+ }
+
+Index: compat.h
+===================================================================
+RCS file: /var/cvs/openssh/compat.h,v
+retrieving revision 1.42
+retrieving revision 1.43
+diff -u -p -r1.42 -r1.43
+--- compat.h 31 Dec 2013 01:25:41 -0000 1.42
++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR 0x02000000
+ #define SSH_NEW_OPENSSH 0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_CURVE25519PAD 0x10000000
+
+ void enable_compat13(void);
+ void enable_compat20(void);
+@@ -66,6 +67,7 @@ void compat_datafellows(const char *
+ int proto_spec(const char *);
+ char *compat_cipher_proposal(char *);
+ char *compat_pkalg_proposal(char *);
++char *compat_kex_proposal(char *);
+
+ extern int compat13;
+ extern int compat20;
+Index: sshd.c
+===================================================================
+RCS file: /var/cvs/openssh/sshd.c,v
+retrieving revision 1.448
+retrieving revision 1.453
+diff -u -p -r1.448 -r1.453
+--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
+@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
++
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+Index: sshconnect2.c
+===================================================================
+RCS file: /var/cvs/openssh/sshconnect2.c,v
+retrieving revision 1.197
+retrieving revision 1.199
+diff -u -p -r1.197 -r1.199
+--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
+@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ }
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
+
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+Index: bufaux.c
+===================================================================
+RCS file: /var/cvs/openssh/bufaux.c,v
+retrieving revision 1.62
+retrieving revision 1.63
+diff -u -p -r1.62 -r1.63
+--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <[email protected]>
+ * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
+
+ if (l > 8 * 1024)
+ fatal("%s: length %u too long", __func__, l);
++ /* Skip leading zero bytes */
++ for (; l > 0 && *s == 0; l--, s++)
++ ;
+ p = buf = xmalloc(l + 1);
+ /*
+ * If most significant bit is set then prepend a zero byte to
+_______________________________________________
+openssh-unix-dev mailing list
[email protected]
+https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
\ No newline at end of file
Copied: openssh/repos/testing-x86_64/install (from rev 211579,
openssh/trunk/install)
===================================================================
--- testing-x86_64/install (rev 0)
+++ testing-x86_64/install 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,10 @@
+post_upgrade() {
+ if [[ $(vercmp $2 6.2p2) = -1 ]]; then
+ cat <<EOF
+
+==> The sshd daemon has been moved to /usr/bin alongside all binaries.
+==> Please update this path in your scripts if applicable.
+
+EOF
+ fi
+}
Copied: openssh/repos/testing-x86_64/sshd.pam (from rev 211579,
openssh/trunk/sshd.pam)
===================================================================
--- testing-x86_64/sshd.pam (rev 0)
+++ testing-x86_64/sshd.pam 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,6 @@
+#%PAM-1.0
+#auth required pam_securetty.so #disable remote root
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
Copied: openssh/repos/testing-x86_64/sshd.service (from rev 211579,
openssh/trunk/sshd.service)
===================================================================
--- testing-x86_64/sshd.service (rev 0)
+++ testing-x86_64/sshd.service 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH Daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/sshd -D
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+# This service file runs an SSH daemon that forks for each incoming connection.
+# If you prefer to spawn on-demand daemons, use sshd.socket and [email protected].
Copied: openssh/repos/testing-x86_64/sshd.socket (from rev 211579,
openssh/trunk/sshd.socket)
===================================================================
--- testing-x86_64/sshd.socket (rev 0)
+++ testing-x86_64/sshd.socket 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,10 @@
+[Unit]
+Conflicts=sshd.service
+Wants=sshdgenkeys.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
Copied: openssh/repos/testing-x86_64/[email protected] (from rev 211579,
openssh/trunk/[email protected])
===================================================================
--- testing-x86_64/[email protected] (rev 0)
+++ testing-x86_64/[email protected] 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH Per-Connection Daemon
+After=sshdgenkeys.service
+
+[Service]
+ExecStart=-/usr/bin/sshd -i
+StandardInput=socket
+StandardError=syslog
Copied: openssh/repos/testing-x86_64/sshdgenkeys.service (from rev 211579,
openssh/trunk/sshdgenkeys.service)
===================================================================
--- testing-x86_64/sshdgenkeys.service (rev 0)
+++ testing-x86_64/sshdgenkeys.service 2014-04-20 19:41:25 UTC (rev 211580)
@@ -0,0 +1,17 @@
+[Unit]
+Description=SSH Key Generation
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes
