Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2024-08-21 23:24:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.2698 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Wed Aug 21 23:24:44 2024 rev:181 rq:1194679 version:9.8p1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes    
2024-02-27 22:43:13.539393967 +0100
+++ /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh-askpass-gnome.changes  
2024-08-21 23:24:58.322973174 +0200
@@ -1,0 +2,7 @@
+Thu Aug  1 09:17:11 UTC 2024 - Antonio Larrosa <alarr...@suse.com>
+
+- Update to openssh 9.8p1:
+  * No changes for askpass, see main package changelog for
+    details.
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2024-07-08 
19:07:02.296058655 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh.changes        
2024-08-21 23:24:59.355016179 +0200
@@ -1,0 +2,296 @@
+Mon Aug 12 08:55:38 UTC 2024 - Antonio Larrosa <alarr...@suse.com>
+
+- Fix a dbus connection leaked in the logind patch that was
+  missing a sd_bus_unref call (found by Matthias Gerstner):
+  * logind_set_tty.patch
+- Add a patch that fixes a small memory leak when parsing the
+  subsystem configuration option:
+  * fix-memleak-in-process_server_config_line_depth.patch
+
+-------------------------------------------------------------------
+Thu Aug  1 09:17:11 UTC 2024 - Antonio Larrosa <alarr...@suse.com>
+
+- Update to openssh 9.8p1:
+  = Security
+  * 1) Race condition in sshd(8) (bsc#1226642, CVE-2024-6387).
+    A critical vulnerability in sshd(8) was present in Portable
+    OpenSSH versions between 8.5p1 and 9.7p1 (inclusive) that may
+    allow arbitrary code execution with root privileges.
+    Successful exploitation has been demonstrated on 32-bit
+    Linux/glibc systems with ASLR. Under lab conditions, the attack
+    requires on average 6-8 hours of continuous connections up to
+    the maximum the server will accept. Exploitation on 64-bit
+    systems is believed to be possible but has not been
+    demonstrated at this time. It's likely that these attacks will
+    be improved upon.
+    Exploitation on non-glibc systems is conceivable but has not
+    been examined. Systems that lack ASLR or users of downstream
+    Linux distributions that have modified OpenSSH to disable
+    per-connection ASLR re-randomisation (yes - this is a thing, no
+    - we don't understand why) may potentially have an easier path
+    to exploitation. OpenBSD is not vulnerable.
+    We thank the Qualys Security Advisory Team for discovering,
+    reporting and demonstrating exploitability of this problem, and
+    for providing detailed feedback on additional mitigation
+    measures.
+  * 2) Logic error in ssh(1) ObscureKeystrokeTiming (bsc#1227318,
+    CVE-2024-39894).
+    In OpenSSH version 9.5 through 9.7 (inclusive), when connected
+    to an OpenSSH server version 9.5 or later, a logic error in the
+    ssh(1) ObscureKeystrokeTiming feature (on by default) rendered
+    this feature ineffective - a passive observer could still
+    detect which network packets contained real keystrokes when the
+    countermeasure was active because both fake and real keystroke
+    packets were being sent unconditionally.
+    This bug was found by Philippos Giavridis and also
+    independently by Jacky Wei En Kung, Daniel Hugenroth and
+    Alastair Beresford of the University of Cambridge Computer Lab.
+    Worse, the unconditional sending of both fake and real
+    keystroke packets broke another long-standing timing attack
+    mitigation. Since OpenSSH 2.9.9 sshd(8) has sent fake keystoke
+    echo packets for traffic received on TTYs in echo-off mode,
+    such as when entering a password into su(8) or sudo(8). This
+    bug rendered these fake keystroke echoes ineffective and could
+    allow a passive observer of a SSH session to once again detect
+    when echo was off and obtain fairly limited timing information
+    about keystrokes in this situation (20ms granularity by
+    default).
+    This additional implication of the bug was identified by
+    Jacky Wei En Kung, Daniel Hugenroth and Alastair Beresford and
+    we thank them for their detailed analysis.
+    This bug does not affect connections when
+    ObscureKeystrokeTiming was disabled or sessions where no TTY
+    was requested.
+
+  = Future deprecation notice
+  * OpenSSH plans to remove support for the DSA signature algorithm
+    in early 2025. This release disables DSA by default at compile
+    time.
+    DSA, as specified in the SSHv2 protocol, is inherently weak -
+    being limited to a 160 bit private key and use of the SHA1
+    digest. Its estimated security level is only 80 bits symmetric
+    equivalent.
+    OpenSSH has disabled DSA keys by default since 2015 but has
+    retained run-time optional support for them. DSA was the only
+    mandatory-to-implement algorithm in the SSHv2 RFCs, mostly
+    because alternative algorithms were encumbered by patents when
+    the SSHv2 protocol was specified.
+    This has not been the case for decades at this point and better
+    algorithms are well supported by all actively-maintained SSH
+    implementations. We do not consider the costs of maintaining
+    DSA in OpenSSH to be justified and hope that removing it from
+    OpenSSH can accelerate its wider deprecation in supporting
+    cryptography libraries.
+    This release, and its deactivation of DSA by default at
+    compile-time, marks the second step in our timeline to finally
+    deprecate DSA. The final step of removing DSA support entirely
+    is planned for the first OpenSSH release of 2025.
+    DSA support may be re-enabled in OpenBSD by setting
+    "DSAKEY=yes" in Makefile.inc. To enable DSA support in
+    portable OpenSSH, pass the "--enable-dsa-keys" option to
+    configure.
+
+  = Potentially-incompatible changes
+  * all: as mentioned above, the DSA signature algorithm is now
+    disabled at compile time.
+  * sshd(8): the server will now block client addresses that
+    repeatedly fail authentication, repeatedly connect without ever
+    completing authentication or that crash the server. See the
+    discussion of PerSourcePenalties below for more information.
+    Operators of servers that accept connections from many users,
+    or servers that accept connections from addresses behind NAT or
+    proxies may need to consider these settings.
+  * sshd(8): the server has been split into a listener binary,
+    sshd(8), and a per-session binary "sshd-session". This allows
+    for a much smaller listener binary, as it no longer needs to
+    support the SSH protocol. As part of this work, support for
+    disabling privilege separation (which previously required code
+    changes to disable) and disabling re-execution of sshd(8) has
+    been removed. Further separation of sshd-session into
+    additional, minimal binaries is planned for the future.
+  * sshd(8): several log messages have changed. In particular, some
+    log messages will be tagged with as originating from a process
+    named "sshd-session" rather than "sshd".
+  * ssh-keyscan(1): this tool previously emitted comment lines
+    containing the hostname and SSH protocol banner to standard
+    error. This release now emits them to standard output, but adds
+    a new "-q" flag to silence them altogether.
+  * sshd(8): (portable OpenSSH only) sshd will no longer use
+    argv[0] as the PAM service name. A new "PAMServiceName"
+    sshd_config(5) directive allows selecting the service name at
+    runtime. This defaults to "sshd". bz2101
+  * (portable OpenSSH only) Automatically-generated files, such as
+    configure, config.h.in, etc will now be checked in to the
+    portable OpenSSH git release branch (e.g. V_9_8). This should
+    ensure that the contents of the signed release branch exactly
+    match the contents of the signed release tarball.
+
+  = New features
+  * sshd(8): as described above, sshd(8) will now penalise client
+    addresses that, for various reasons, do not successfully
+    complete authentication. This feature is controlled by a new
+    sshd_config(5) PerSourcePenalties option and is on by default.
+    sshd(8) will now identify situations where the session did not
+    authenticate as expected. These conditions include when the
+    client repeatedly attempted authentication unsucessfully
+    (possibly indicating an attack against one or more accounts,
+    e.g. password guessing), or when client behaviour caused sshd
+    to crash (possibly indicating attempts to exploit bugs in
+    sshd).
+    When such a condition is observed, sshd will record a penalty
+    of some duration (e.g. 30 seconds) against the client's
+    address. If this time is above a minimum configurable
+    threshold, then all connections from the client address will be
+    refused (along with any others in the same
+    PerSourceNetBlockSize CIDR range) until the penalty expire.
+    Repeated offenses by the same client address will accrue
+    greater penalties, up to a configurable maximum. Address ranges
+    may be fully exempted from penalties, e.g. to guarantee access
+    from a set of trusted management addresses, using the new
+    sshd_config(5) PerSourcePenaltyExemptList option.
+    We hope these options will make it significantly more difficult
+    for attackers to find accounts with weak/guessable passwords or
+    exploit bugs in sshd(8) itself. This option is enabled by
+    default.
+  * ssh(8): allow the HostkeyAlgorithms directive to disable the
+    implicit fallback from certificate host key to plain host keys.
+
+  = Bugfixes
+  * misc: fix a number of inaccuracies in the PROTOCOL.*
+    documentation files. GHPR430 GHPR487
+  * all: switch to strtonum(3) for more robust integer parsing in
+    most places.
+  * ssh(1), sshd(8): correctly restore sigprocmask around ppoll()
+  * ssh-keysign(8): stricter validation of messaging socket fd
+    GHPR492
+  * sftp(1): flush stdout after writing "sftp>" prompt when not
+    using editline. GHPR480
+  * sftp-server(8): fix home-directory extension implementation,
+    it previously always returned the current user's home directory
+    contrary to the spec. GHPR477
+  * ssh-keyscan(1): do not close stdin to prevent error messages
+    when stdin is read multiple times. E.g.
+    echo localhost | ssh-keyscan -f - -f -
+  * regression tests: fix rekey test that was testing the same KEX
+    algorithm repeatedly instead of testing all of them. bz3692
+  * ssh_config(5), sshd_config(5): clarify the KEXAlgorithms
+    directive documentation, especially around what is supported
+    vs available. bz3701.
+
+  = Portability
+  * sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
+    unconditionally. The previous behaviour was to expose it only
+    when particular authentication methods were in use.
+  * build: fix OpenSSL ED25519 support detection. An incorrect
+    function signature in configure.ac previously prevented
+    enabling the recently added support for ED25519 private keys in
+    PEM PKCS8 format.
+  * ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
+    environment variable to enable SSH_ASKPASS, similarly to the
+    X11 DISPLAY environment variable. GHPR479
+  * build: improve detection of the -fzero-call-used-regs compiler
+    flag. bz3673.
+  * build: relax OpenSSL version check to accept all OpenSSL 3.x
+    versions.
+  * sshd(8): add support for notifying systemd on server listen and
+    reload, using a standalone implementation that doesn't depend
+    on libsystemd. bz2641
+
+- Update to openssh 9.7p1:
+
+  = New features
+  * ssh(1), sshd(8): add a "global" ChannelTimeout type that
+    watches all open channels and will close all open channels if
+    there is no traffic on any of them for the specified interval.
+    This is in addition to the existing per-channel timeouts added
+    recently.
+    This supports situations like having both session and x11
+    forwarding channels open where one may be idle for an extended
+    period but the other is actively used. The global timeout could
+    close both channels when both have been idle for too long.
+  * All: make DSA key support compile-time optional, defaulting to
+    on.
+
+  = Bugfixes
+  * sshd(8): don't append an unnecessary space to the end of
+    subsystem arguments (bz3667)
+  * ssh(1): fix the multiplexing "channel proxy" mode, broken when
+    keystroke timing obfuscation was added. (GHPR#463)
+  * ssh(1), sshd(8): fix spurious configuration parsing errors when
+    options that accept array arguments are overridden (bz3657).
+  * ssh-agent(1): fix potential spin in signal handler (bz3670)
+  * Many fixes to manual pages and other documentation, including
+    GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
+  * Greatly improve interop testing against PuTTY.
+
+  = Portability
+  * Improve the error message when the autoconf OpenSSL header
+    check fails (bz#3668)
+  * Improve detection of broken toolchain -fzero-call-used-regs
+    support (bz3645).
+  * Fix regress/misc/fuzz-harness fuzzers and make them compile
+    without warnings when using clang16
+- Use gcc-11 in SLE to avoid a "parameter name omitted" error
+- Rebase patches:
+  * logind_set_tty.patch
+  * openssh-6.6.1p1-selinux-contexts.patch
+  * openssh-6.6p1-keycat.patch
+  * openssh-6.6p1-privsep-selinux.patch
+  * openssh-7.6p1-cleanup-selinux.patch
+  * openssh-7.7p1-cavstest-ctr.patch
+  * openssh-7.7p1-cavstest-kdf.patch
+  * openssh-7.7p1-fips.patch
+  * openssh-7.7p1-fips_checks.patch
+  * openssh-7.7p1-ldap.patch
+  * openssh-7.7p1-pam_check_locks.patch
+  * openssh-7.7p1-systemd-notify.patch
+  * openssh-7.8p1-role-mls.patch
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-8.1p1-audit.patch
+  * openssh-8.4p1-vendordir.patch
+  * openssh-9.6p1-crypto-policies-man.patch
+  * openssh-mitigate-lingering-secrets.patch
+  * openssh-reenable-dh-group14-sha1-default.patch
+  * wtmpdb.patch
+- Thanks to Fedora developers for an initial version of the
+  rebase of the following patches:
+  * openssh-8.0p1-gssapi-keyex.patch
+  * openssh-7.8p1-role-mls.patch
+  * openssh-8.1p1-audit.patch
+- Remove patches that are already included in 9.8p1:
+  * fix-CVE-2024-6387.patch
+  * 0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
+  * 0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
+  * 0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+- Remove patch that is now merged into
+  openssh-7.7p1-cavstest-ctr.patch and
+  openssh-7.7p1-cavstest-kdf.patch where it belongs:
+  * fix-missing-lz.patch
+
+-------------------------------------------------------------------
+Mon Jul 15 17:49:06 UTC 2024 - Antonio Larrosa <alarr...@suse.com>
+
+- Add sshd.socket and sshd@.service units as alternative to the
+  sshd.service that makes systemd listen to the ssh port
+  and run sshd per incoming connection. To enable this,
+  disable sshd.service and enable sshd.socket . If you want to
+  use a non standard sshd port with sshd.socket you can do
+  "systemctl edit sshd.socket" and add something like:
+  
+  [Socket] 
+  ListenStream=8022
+  
+  which listens on port 8022 as well as on port 22. If you want
+  to reset the list of listened ports and just use 8022, use:
+
+  [Socket] 
+  ListenStream=
+  ListenStream=8022
+- To enable a vsock listener in sshd (which allows to connect to
+  libvirt VMs), the systemd-experimental package needs to be
+  installed in the guest system, the libvirt-ssh-proxy package
+  needs to be installed in the host and the vm needs to have
+  vsock support (in virt-manager, click in "Add hardware" and
+  add "VSOCK VirtIO").
+
+-------------------------------------------------------------------
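Review bot: the Jul 15 entry should say how the new sshd.socket / sshd@.service mode interacts with PerSourcePenalties, which the 9.8p1 entry above describes as on by default. That entry has sshd record penalties against a client address across connections, while here sshd is run once per incoming connection, so the changelog leaves it unclear whether any penalty state survives between connections in socket-activated mode. One sentence stating whether the feature is effective with sshd.socket would help admins choosing between the two units.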

Old:
----
  0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
  0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
  0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
  fix-CVE-2024-6387.patch
  fix-missing-lz.patch
  openssh-9.6p1.tar.gz
  openssh-9.6p1.tar.gz.asc

New:
----
  fix-memleak-in-process_server_config_line_depth.patch
  openssh-9.8p1.tar.gz
  openssh-9.8p1.tar.gz.asc
  sshd.socket
  sshd@.service

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.367100023 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.367100023 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh-askpass-gnome
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,7 +18,7 @@
 
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        9.6p1
+Version:        9.8p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause

++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.403101523 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.403101523 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package openssh
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -39,7 +39,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        9.6p1
+Version:        9.8p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
@@ -61,6 +61,8 @@
 Source13:       
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc#/openssh.keyring
 Source14:       sysusers-sshd.conf
 Source15:       sshd-sle.pamd
+Source16:       sshd@.service
+Source17:       sshd.socket
 Patch1:         openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3:         openssh-7.7p1-enable_PAM_by_default.patch
 Patch4:         openssh-7.7p1-eal3.patch
@@ -119,7 +121,6 @@
 Patch51:        wtmpdb.patch
 Patch52:        logind_set_tty.patch
 Patch54:        openssh-mitigate-lingering-secrets.patch
-Patch100:       fix-missing-lz.patch
 Patch102:       openssh-7.8p1-role-mls.patch
 Patch103:       openssh-6.6p1-privsep-selinux.patch
 Patch104:       openssh-6.6p1-keycat.patch
@@ -128,19 +129,15 @@
 # PATCH-FIX-OPENSUSE bsc#1211301 Add crypto-policies support
 Patch107:       openssh-9.6p1-crypto-policies.patch
 Patch108:       openssh-9.6p1-crypto-policies-man.patch
-# PATCH-FIX-UPSTREAM bsc#1226642 fix CVE-2024-6387
-Patch109:       fix-CVE-2024-6387.patch
-# PATCH-FIX-UPSTREAM 
-Patch110:       
0001-upstream-fix-proxy-multiplexing-mode_-broken-when-keystroke.patch
-# PATCH-FIX-UPSTREAM 
-Patch111:       0001-upstream-correctly-restore-sigprocmask-around-ppoll.patch
-# PATCH-FIX-UPSTREAM bsc#1227318 CVE-2024-39894
-Patch112:       
0001-upstream-when-sending-ObscureKeystrokeTiming-chaff-packets_.patch
+Patch109:       fix-memleak-in-process_server_config_line_depth.patch
 %if 0%{with allow_root_password_login_by_default}
 Patch1000:      openssh-7.7p1-allow_root_password_login.patch
 %endif
 BuildRequires:  audit-devel
 BuildRequires:  automake
+%if 0%{?sle_version} >= 150500
+BuildRequires:  gcc11
+%endif
 BuildRequires:  groff
 BuildRequires:  libedit-devel
 BuildRequires:  libselinux-devel
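Review bot: Patch109 is added without the `# PATCH-FIX-UPSTREAM` tag line that the removed Patch109 to Patch112 entries carried. The patch header says it was submitted upstream as https://github.com/openssh/openssh-portable/pull/515, so a tag comment with that reference above `Patch109: fix-memleak-in-process_server_config_line_depth.patch` would keep the spec consistent and tell the next rebase where to check whether the fix has been merged.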
@@ -328,6 +325,9 @@
     )
 
 %build
+%if 0%{?sle_version} >= 150500
+export CC=gcc-11
+%endif
 autoreconf -fiv
 %ifarch s390 s390x %{sparc}
 PIEFLAGS="-fPIE"
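Review bot: `export CC=gcc-11` under `%if 0%{?sle_version} >= 150500` has no comment saying why the compiler is pinned. The changelog gives the reason (a "parameter name omitted" error); repeating it here and next to the matching `BuildRequires: gcc11` block would make it clear when the pin can be dropped. The condition also has no upper bound, so it will apply to every later SLE version until someone removes it.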
@@ -392,6 +392,8 @@
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/slp.reg.d/
 %endif
 install -D -m 0644 %{SOURCE10} %{buildroot}%{_unitdir}/sshd.service
+install -D -m 0644 %{SOURCE16} %{buildroot}%{_unitdir}/sshd@.service
+install -D -m 0644 %{SOURCE17} %{buildroot}%{_unitdir}/sshd.socket
 ln -s service %{buildroot}%{_sbindir}/rcsshd
 install -d -m 755 %{buildroot}%{_fillupdir}
 install -m 644 %{SOURCE8} %{buildroot}%{_fillupdir}
@@ -471,11 +473,11 @@
 test -f /etc/ssh/sshd_config.rpmsave && mv -v /etc/ssh/sshd_config.rpmsave 
/etc/ssh/sshd_config.rpmsave.old ||:
 %endif
 
-%service_add_pre sshd.service
+%service_add_pre sshd.service sshd.socket
 
 %post server
 %{fillup_only -n ssh}
-%service_add_post sshd.service
+%service_add_post sshd.service sshd.socket
 
 %if ! %{defined _distconfdir}
 test -f /etc/ssh/sshd_config && (grep -q "^Include 
/etc/ssh/sshd_config\.d/\*\.conf" /etc/ssh/sshd_config || ( \
@@ -487,16 +489,16 @@
 %endif
 
 %preun server
-%service_del_preun sshd.service
+%service_del_preun sshd.service sshd.socket
 
 %postun server
 # The openssh-fips trigger script for openssh will normally restart sshd once
 # it gets installed, so only restart the service here if openssh-fips is not
 # present.
 if rpm -q openssh-fips >/dev/null 2>/dev/null; then
-%service_del_postun_without_restart sshd.service
+%service_del_postun_without_restart sshd.service sshd.socket
 else
-%service_del_postun sshd.service
+%service_del_postun sshd.service sshd.socket
 fi
 
 %if ! %{defined _distconfdir}
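Review bot: the %service_* scriptlets in this hunk and the previous one now list sshd.socket next to sshd.service, but the changelog presents the two as alternatives ("disable sshd.service and enable sshd.socket"). Nothing in the spec changes visible here keeps both from being enabled at once, in which case both would try to listen on the ssh port, so it is worth confirming that the unit files declare the conflict. It would also help to state what `%service_del_postun sshd.service sshd.socket` does to already established per-connection sshd@.service instances on a package update.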
@@ -584,11 +586,14 @@
 %attr(0600,root,root) %config(noreplace) 
%{_sysconfdir}/ssh/sshd_config.d/40-suse-crypto-policies.conf
 %endif
 %attr(0644,root,root) %{_unitdir}/sshd.service
+%attr(0644,root,root) %{_unitdir}/sshd@.service
+%attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_sysusersdir}/sshd.conf
 %attr(0444,root,root) %{_mandir}/man5/sshd_config*
 %attr(0444,root,root) %{_mandir}/man8/sftp-server.8*
 %attr(0444,root,root) %{_mandir}/man8/sshd.8*
 %attr(0755,root,root) %{_libexecdir}/ssh/sftp-server
+%attr(0755,root,root) %{_libexecdir}/ssh/sshd-session
 %if 0%{?suse_version} < 1600
 %dir %{_sysconfdir}/slp.reg.d
 %config %{_sysconfdir}/slp.reg.d/ssh.reg

++++++ fix-memleak-in-process_server_config_line_depth.patch ++++++
>From fcc66557503124ab98491a598b706a24eb3cf0e1 Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <alarr...@suse.com>
Date: Mon, 12 Aug 2024 11:32:42 +0200
Subject: [PATCH] Fix a small memory leak in process_server_config_line_depth

The return value of argv_assemble is owned by the caller and should be
free'd. When processing the sSubsystem case there are two calls to
argv_assemble but only one of them is freed. This patch fixes the small
(29 bytes according to valgrind) memory leak.

The output from valgrind:
==115369== 29 bytes in 1 blocks are definitely lost in loss record 573 of 913
==115369==    at 0x4845794: malloc (in 
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==115369==    by 0x124A22: argv_assemble (misc.c:2165)
==115369==    by 0x1385E5: process_server_config_line_depth.constprop.0 
(servconf.c:2004)
==115369==    by 0x13984D: parse_server_config_depth.constprop.0 
(servconf.c:3032)
==115369==    by 0x139986: parse_server_config.constprop.0 (servconf.c:3049)
==115369==    by 0x111C6E: main (sshd.c:1445)

Submitted to upstream at https://github.com/openssh/openssh-portable/pull/515
---
 servconf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/servconf.c b/servconf.c
index 5a20d6f8..0b989b95 100644
--- a/servconf.c
+++ b/servconf.c
@@ -2006,6 +2006,7 @@ process_server_config_line_depth(ServerOptions *options, 
char *line,
                xasprintf(&options->subsystem_args[options->num_subsystems],
                    "%s%s%s", arg, *arg2 == '\0' ? "" : " ", arg2);
                free(arg2);
+               free(arg);
                argv_consume(&ac);
                options->num_subsystems++;
                break;
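Review bot: the added `free(arg);` is only correct if arg holds an argv_assemble result at this point, and the assignment sits above the three lines of context, so the hunk alone does not show it. The commit message says the sSubsystem case makes two argv_assemble calls; naming the variable each result is stored in would let a reader confirm that arg is heap-owned here and not a pointer into the parsed line, where free() would be undefined behaviour. The placement itself, after the xasprintf that copies arg into subsystem_args, is fine.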
-- 
2.45.2


++++++ logind_set_tty.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.503105691 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.507105857 +0200
@@ -14,11 +14,11 @@
        $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
$(GSSLIBS) $(CHANNELLIBS)
  
  sshd$(EXEEXT): libssh.a       $(LIBCOMPAT) $(SSHDOBJS)
--      $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
-+      $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
+-      $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
++      $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(CHANNELLIBS) $(LIBWTMPDB) $(LIBSYSTEMD)
  
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
-       $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ sshd-session$(EXEEXT): libssh.a       $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
+       $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat 
$(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
 diff --git a/configure.ac b/configure.ac
 index a12c6f7ad..860df3379 100644
 --- a/configure.ac
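Review bot: the rebased rule still appends $(LIBSYSTEMD) only to the sshd$(EXEEXT) link line, while the new sshd-session$(EXEEXT) rule in the context links $(LIBWTMPDB) without it. Further down, this same patch places the sd_bus code directly after wtmpdb_write_entry, so if that file is built into sshd-session and not the listener, $(LIBSYSTEMD) belongs on the sshd-session rule and is unneeded on sshd. Please check which binary carries the logind code after the 9.8 split and move the library accordingly.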
@@ -106,7 +106,7 @@
  #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN
        if (li->type == LTYPE_LOGIN &&
            !sys_auth_record_login(li->username,li->hostname,li->line,
-@@ -1476,6 +1486,88 @@ wtmpdb_write_entry(struct logininfo *li)
+@@ -1476,6 +1486,91 @@ wtmpdb_write_entry(struct logininfo *li)
  }
  #endif
  
@@ -171,9 +171,12 @@
 +
 +  free(dbus_path);
 +
-+  if (sd_bus_flush(bus) < 0)
++  if (sd_bus_flush(bus) < 0) {
++    sd_bus_unref(bus);
 +    return (0);
++  }
 +
++  sd_bus_unref(bus);
 +  return (1);
 +}
 +
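Review bot: the two added sd_bus_unref(bus) calls cover the sd_bus_flush failure path and the success path, but the earlier exits of this function are outside the visible context, so the hunk does not show whether they release bus as well. A single cleanup label that frees dbus_path and unrefs bus before returning would make the ownership obvious and keep a future early return from reintroducing the leak.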

++++++ openssh-6.6.1p1-selinux-contexts.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.519106357 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.523106524 +0200
@@ -104,10 +104,10 @@
  #endif
  
  #ifdef LINUX_OOM_ADJUST
-Index: openssh-9.6p1/sshd.c
+Index: openssh-9.6p1/sshd-session.c
 ===================================================================
---- openssh-9.6p1.orig/sshd.c
-+++ openssh-9.6p1/sshd.c
+--- openssh-9.6p1.orig/sshd-session.c
++++ openssh-9.6p1/sshd-session.c
 @@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
        demote_sensitive_data(ssh);
  
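Review bot: the Index and ---/+++ lines were renamed to sshd-session.c, but the inner hunk header below them still reads `@@ -511,7 +511,7 @@ privsep_preauth_child`, and the path prefix is still openssh-9.6p1. The rebased openssh-6.6p1-privsep-selinux.patch in this same commit places privsep_preauth_child at line 342 of sshd-session.c, so this hunk only applies by offset. Refreshing the patch against the 9.8p1 tree would avoid a misapplied hunk on the next update.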

++++++ openssh-6.6p1-keycat.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.539107191 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.543107357 +0200
@@ -37,14 +37,14 @@
 ===================================================================
 --- openssh-9.3p2.orig/Makefile.in
 +++ openssh-9.3p2/Makefile.in
-@@ -24,6 +24,7 @@ SSH_PROGRAM=@bindir@/ssh
+@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
  ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 +SSH_KEYCAT=$(libexecdir)/ssh-keycat
+ SSHD_SESSION=$(libexecdir)/sshd-session
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
  SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
 @@ -57,6 +58,7 @@ CHANNELLIBS=@CHANNELLIBS@
  K5LIBS=@K5LIBS@
  GSSLIBS=@GSSLIBS@
@@ -53,12 +53,12 @@
  LIBEDIT=@LIBEDIT@
  LIBFIDO2=@LIBFIDO2@
  LIBWTMPDB=@LIBWTMPDB@
-@@ -75,7 +77,7 @@ MKDIR_P=@MKDIR_P@
+@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
  
  .SUFFIXES: .lo
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ssh-sk-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) 
ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} 
ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) 
sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) 
ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} 
ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) 
sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
  
  TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
  
@@ -99,9 +99,9 @@
 ===================================================================
 --- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
 +++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
-@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
+@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
+ extern Authctxt *the_authctxt;
  extern int inetd_flag;
- extern int rexeced_flag;
  
 +/* Wrapper around is_selinux_enabled() to log its return value once only */
 +int
@@ -129,14 +129,14 @@
  {
        const char *reqlvl;
        char *role;
-@@ -329,16 +343,16 @@ sshd_selinux_setup_pam_variables(void)
+@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
  
        ssh_selinux_get_role_level(&role, &reqlvl);
  
 -      rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
 +      rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
  
-       if (inetd_flag && !rexeced_flag) {
+       if (inetd_flag) {
                use_current = "1";
        } else {
                use_current = "";

++++++ openssh-6.6p1-privsep-selinux.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.555107858 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.559108024 +0200
@@ -52,7 +52,7 @@
        platform_setusercontext(pw);
  
 -      if (platform_privileged_uidswap()) {
-+      if (platform_privileged_uidswap() && (!is_child || !use_privsep)) {
++      if (platform_privileged_uidswap() && !is_child) {
  #ifdef HAVE_LOGIN_CAP
                if (setusercontext(lc, pw, pw->pw_uid,
                    (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) {
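Review bot: the replacement condition `platform_privileged_uidswap() && !is_child` drops the `|| !use_privsep` alternative, so a child process now never enters this setusercontext() block. That fits a tree where privilege separation is always on, but the patch carries no comment saying which code path sets the user context for the child instead; add one line above the `if` naming it, so the skipped privilege setup is not mistaken for an omission.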
@@ -98,11 +98,11 @@
                exit(sftp_server_main(i, argv, s->pw));
        }
  
-Index: openssh-9.3p2/sshd.c
+Index: openssh-9.3p2/sshd-session.c
 ===================================================================
---- openssh-9.3p2.orig/sshd.c
-+++ openssh-9.3p2/sshd.c
-@@ -510,6 +510,10 @@ privsep_preauth_child(struct ssh *ssh)
+--- openssh-9.3p2.orig/sshd-session.c
++++ openssh-9.3p2/sshd-session.c
+@@ -342,6 +342,10 @@ privsep_preauth_child(struct ssh *ssh)
        /* Demote the private keys to public keys. */
        demote_sensitive_data(ssh);
  
@@ -113,14 +113,13 @@
        /* Demote the child */
        if (privsep_chroot) {
                /* Change our root directory */
-@@ -602,6 +606,9 @@ privsep_postauth(struct ssh *ssh, Authct
- 
- #ifdef DISABLE_FD_PASSING
-       if (1) {
-+#elif defined(WITH_SELINUX)
-+      if (0) {
-+              /* even root user can be confined by SELinux */
- #else
-       if (authctxt->pw->pw_uid == 0) {
+@@ -444,7 +448,7 @@ privsep_postauth(struct ssh *ssh, Authct
+        * fd passing, as AFAIK PTY allocation on this platform doesn't require
+        * special privileges to begin with.
+        */
+-#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN)
++#if defined(DISABLE_FD_PASSING) && !defined(HAVE_CYGWIN) && 
!defined(WITH_SELINUX)
+       skip_privdrop = 1;
  #endif
+ 
 
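Review bot: the rewritten privsep_postauth() hunk drops the comment `even root user can be confined by SELinux` and now only adds `!defined(WITH_SELINUX)` to the DISABLE_FD_PASSING test that sets `skip_privdrop = 1`. The old `#elif defined(WITH_SELINUX)` branch also took precedence over the `authctxt->pw->pw_uid == 0` case, which the new form does not touch; confirm that sshd-session.c has no remaining root shortcut that skips the privilege drop under SELinux, and keep the explanatory comment next to the new condition.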

++++++ openssh-7.6p1-cleanup-selinux.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.571108524 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.575108691 +0200
@@ -9,16 +9,16 @@
 +extern int inetd_flag;
 +extern int rexeced_flag;
 +extern Authctxt *the_authctxt;
+ extern struct authmethod_cfg methodcfg_pubkey;
  
  static char *
- format_key(const struct sshkey *key)
 @@ -459,7 +462,8 @@ match_principals_command(struct passwd *
        if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
            ac, av, &f,
            SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
 -          runas_pw, temporarily_use_uid, restore_uid)) == 0)
 +          runas_pw, temporarily_use_uid, restore_uid,
-+          (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
++          inetd_flag, the_authctxt)) == 0)
                goto out;
  
        uid_swapped = 1;
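Review bot: this hunk still adds `extern int rexeced_flag;` although the subprocess() call below it now passes plain `inetd_flag` and nothing shown here reads rexeced_flag any more. The sshd-session.c part of this patch also stops exporting the variable (the `-static int rexeced_flag = 0;` / `+int rexeced_flag = 0;` pair is dropped further down), so remove the extern line rather than leave a declaration without a definition.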
@@ -28,7 +28,7 @@
            SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
 -          runas_pw, temporarily_use_uid, restore_uid)) == 0)
 +          runas_pw, temporarily_use_uid, restore_uid,
-+          (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
++          inetd_flag, the_authctxt)) == 0)
                goto out;
  
        uid_swapped = 1;
@@ -87,14 +87,13 @@
 ===================================================================
 --- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
 +++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
-@@ -49,11 +49,6 @@
+@@ -49,10 +49,6 @@
  #include <unistd.h>
  #endif
  
 -extern ServerOptions options;
 -extern Authctxt *the_authctxt;
 -extern int inetd_flag;
--extern int rexeced_flag;
 -
  /* Wrapper around is_selinux_enabled() to log its return value once only */
  int
@@ -133,7 +132,7 @@
  
        if (r == 0) {
                /* If launched from xinetd, we must use current level */
--              if (inetd_flag && !rexeced_flag) {
+-              if (inetd_flag) {
 +              if (inetd) {
                        security_context_t sshdsc=NULL;
  
@@ -157,7 +156,7 @@
  
        rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
  
--      if (inetd_flag && !rexeced_flag) {
+-      if (inetd_flag) {
 +      if (inetd) {
                use_current = "1";
        } else {
@@ -222,56 +221,46 @@
 ===================================================================
 --- openssh-9.3p2.orig/platform.c
 +++ openssh-9.3p2/platform.c
-@@ -34,6 +34,9 @@
+@@ -34,6 +34,8 @@
+ #include "openbsd-compat/openbsd-compat.h"
  
- extern int use_privsep;
  extern ServerOptions options;
 +extern int inetd_flag;
-+extern int rexeced_flag;
 +extern Authctxt *the_authctxt;
  
- void
- platform_pre_listen(void)
-@@ -185,7 +188,9 @@ platform_setusercontext_post_groups(stru
+ /* return 1 if we are running with privilege to swap UIDs, 0 otherwise */
+ int
+@@ -185,7 +187,9 @@ platform_setusercontext_post_groups(stru
        }
  #endif /* HAVE_SETPCRED */
  #ifdef WITH_SELINUX
 -      sshd_selinux_setup_exec_context(pw->pw_name);
 +      sshd_selinux_setup_exec_context(pw->pw_name,
-+          (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
++          inetd_flag, do_pam_putenv, the_authctxt,
 +          options.use_pam);
  #endif
  }
  
-Index: openssh-9.3p2/sshd.c
+Index: openssh-9.3p2/sshd-session.c
 ===================================================================
---- openssh-9.3p2.orig/sshd.c
-+++ openssh-9.3p2/sshd.c
+--- openssh-9.3p2.orig/sshd-session.c
++++ openssh-9.3p2/sshd-session.c
 @@ -166,7 +166,7 @@ int debug_flag = 0;
- static int test_flag = 0;
+ int debug_flag = 0;
  
  /* Flag indicating that the daemon is being started from inetd. */
 -static int inetd_flag = 0;
 +int inetd_flag = 0;
  
- /* Flag indicating that sshd should not detach and become a daemon. */
- static int no_daemon_flag = 0;
-@@ -179,7 +179,7 @@ static char **saved_argv;
- static int saved_argc;
- 
- /* re-exec */
--static int rexeced_flag = 0;
-+int rexeced_flag = 0;
- static int rexec_flag = 1;
- static int rexec_argc = 0;
- static char **rexec_argv;
+ /* debug goes to stderr unless inetd_flag is set */
+ static int log_stderr = 0;
 @@ -2396,7 +2396,9 @@ main(int ac, char **av)
        }
  #endif
  #ifdef WITH_SELINUX
 -      sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
 +      sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
-+          (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
++          inetd_flag, do_pam_putenv, the_authctxt,
 +          options.use_pam);
  #endif
  #ifdef USE_PAM
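Review bot: the inner hunk headers `@@ -166,7 +166,7 @@` and `@@ -2396,7 +2396,9 @@` are carried over from sshd.c although the target is now sshd-session.c and their context lines changed, and the paths still use the openssh-9.3p2 prefix. Another patch in this update places privsep_preauth_child() at line 342 of sshd-session.c, so the 2396 offset for main() looks stale; refresh the patch against the 9.8p1 tree so it applies without offsets and a misplaced hunk cannot go unnoticed.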

++++++ openssh-7.7p1-cavstest-ctr.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.599109691 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.603109858 +0200
@@ -7,7 +7,7 @@
 --- openssh-8.8p1.orig/Makefile.in
 +++ openssh-8.8p1/Makefile.in
 @@ -26,6 +26,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSHD_SESSION=$(libexecdir)/sshd-session
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
  SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
 +CAVSTEST_CTR=$(libexecdir)/cavstest-ctr
@@ -16,7 +16,7 @@
  STRIP_OPT=@STRIP_OPT@
 @@ -69,6 +70,8 @@ MKDIR_P=@MKDIR_P@
  
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ssh-sk-helper$(EXEEXT)
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) 
ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} 
ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) 
sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
  
 +TARGETS += cavstest-ctr$(EXEEXT)
 +
@@ -29,7 +29,7 @@
  
 +# FIPS tests
 +cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
cavstest-ctr.o
-+      $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++      $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 +
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
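Review bot: `-lz` is appended literally to the cavstest-ctr link line after `$(LIBS) $(LIBFIDO2)`, with nothing recording which object now needs zlib. If the dependency arrives through libssh.a, taking it from the configure-provided variables is more robust than hard-coding it, and the same literal is repeated for cavstest-kdf in the following patch; a short comment or changelog line on why it became necessary would help whoever next refreshes these rules.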

++++++ openssh-7.7p1-cavstest-kdf.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.615110358 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.619110524 +0200
@@ -16,7 +16,7 @@
  STRIP_OPT=@STRIP_OPT@
 @@ -70,7 +71,7 @@ MKDIR_P=@MKDIR_P@
  
- TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
ssh-sk-helper$(EXEEXT)
+ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) sshd-session$(EXEEXT) ssh-add$(EXEEXT) 
ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} 
ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) 
sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
  
 -TARGETS += cavstest-ctr$(EXEEXT)
 +TARGETS += cavstest-ctr$(EXEEXT) cavstest-kdf$(EXEEXT)
@@ -25,10 +25,10 @@
        ssh-xmss.o \
 @@ -252,6 +253,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S
  cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
cavstest-ctr.o
-       $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
+       $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
  
 +cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o 
cavstest-kdf.o
-+      $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2)
++      $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh 
-lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz
 +
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o

++++++ openssh-7.7p1-fips.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.643111525 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.647111691 +0200
@@ -389,17 +389,17 @@
            ssh_hmac_update(ctx, m, mlen) < 0 ||
 Index: openssh-9.6p1/kex.c
 ===================================================================
---- openssh-9.6p1.orig/kex.c
-+++ openssh-9.6p1/kex.c
+--- openssh-9.6p1.orig/kex-names.c
++++ openssh-9.6p1/kex-names.c
 @@ -64,6 +64,8 @@
- #include "digest.h"
+ #include "ssherr.h"
  #include "xmalloc.h"
  
 +#include "fips.h"
 +
- /* prototype */
- static int kex_choose_conf(struct ssh *, uint32_t seq);
- static int kex_input_newkeys(int, u_int32_t, struct ssh *);
+ struct kexalg {
+       char *name;
+       u_int type;
 @@ -87,7 +89,7 @@ struct kexalg {
        int ec_nid;
        int hash_alg;
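Review bot: the `---`/`+++` lines of this inner patch now name kex-names.c, but the `Index: openssh-9.6p1/kex.c` line above them is unchanged, so the header points at two different files. Update the Index line to kex-names.c as well, and check that the `@@ -64,6 +64,8 @@` offset still holds now that the surrounding context is `#include "ssherr.h"` and `struct kexalg {`.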
@@ -647,8 +647,8 @@
  #include "digest.h"
 +#include "fips.h"
  
- static void add_listen_addr(ServerOptions *, const char *,
-     const char *, int);
+ #if !defined(SSHD_PAM_SERVICE)
+ # define SSHD_PAM_SERVICE             "sshd"
 @@ -207,6 +208,23 @@ option_clear_or_none(const char *o)
        return o == NULL || strcasecmp(o, "none") == 0;
  }
@@ -785,8 +785,8 @@
 --- openssh-9.6p1.orig/sshd.c
 +++ openssh-9.6p1/sshd.c
 @@ -128,6 +128,8 @@
+ #include "addr.h"
  #include "srclimit.h"
- #include "dh.h"
  
 +#include "fips.h"
 +

++++++ openssh-7.7p1-fips_checks.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.659112192 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.663112358 +0200
@@ -459,14 +459,14 @@
 --- openssh-8.8p1.orig/sshd.c
 +++ openssh-8.8p1/sshd.c
 @@ -1547,6 +1547,10 @@ main(int ac, char **av)
-       struct connection_info *connection_info = NULL;
+       struct connection_info connection_info;
        sigset_t sigmask;
  
 +      /* initialize fips - can go before ssh_malloc_init(), since that is a
 +       * OpenBSD-only thing (as of OpenSSH 7.6p1) */
 +      fips_ssh_init();
 +
+       memset(&connection_info, 0, sizeof(connection_info));
  #ifdef HAVE_SECUREWARE
        (void)set_auth_parameters(ac, av);
- #endif
 
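Review bot: fips_ssh_init() is added to main() in sshd.c only, under an openssh-8.8p1 path, and its comment still justifies the position by ssh_malloc_init() as of OpenSSH 7.6p1. With the SELinux hunks of this update moving from sshd.c to sshd-session.c, state whether the separately executed sshd-session binary gets its own fips_ssh_init() call, and refresh the comment to match the current code.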

++++++ openssh-7.7p1-ldap.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.683113191 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.687113358 +0200
@@ -128,7 +128,7 @@
 --- openssh-8.9p1.orig/Makefile.in
 +++ openssh-8.9p1/Makefile.in
 @@ -27,6 +27,8 @@ SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSHD_SESSION=$(libexecdir)/sshd-session
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
  SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
 +SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -168,7 +168,7 @@
        $(LD) -o $@ $(SFTPSERVER_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
  
 @@ -421,6 +429,10 @@ install-files:
-       $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) 
$(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+       $(INSTALL) -m 0755 $(STRIP_OPT) sshd-session$(EXEEXT) 
$(DESTDIR)$(SSHD_SESSION)$(EXEEXT)
        $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) 
$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
 +      if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \

++++++ openssh-7.7p1-pam_check_locks.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.707114192 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.711114358 +0200
@@ -32,17 +32,17 @@
 --- openssh-8.8p1.orig/servconf.c
 +++ openssh-8.8p1/servconf.c
 @@ -92,6 +92,7 @@ initialize_server_options(ServerOptions
- 
        /* Portable-specific options */
        options->use_pam = -1;
+       options->pam_service_name = NULL;
 +      options->use_pam_check_locks = -1;
  
        /* Standard Options */
        options->num_ports = 0;
 @@ -278,6 +279,8 @@ fill_default_server_options(ServerOption
-       /* Portable-specific options */
-       if (options->use_pam == -1)
                options->use_pam = 0;
+       if (options->pam_service_name == NULL)
+               options->pam_service_name = xstrdup(SSHD_PAM_SERVICE);
 +      if (options->use_pam_check_locks == -1)
 +              options->use_pam_check_locks = 0;
  
@@ -52,26 +52,27 @@
  typedef enum {
        sBadOption,             /* == unknown option */
        /* Portable-specific options */
--      sUsePAM,
-+      sUsePAM, sUsePAMChecklocks,
+-      sUsePAM, sPAMServiceName,
++      sUsePAM, sPAMServiceName, sUsePAMChecklocks,
        /* Standard Options */
        sPort, sHostKeyFile, sLoginGraceTime,
        sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-@@ -535,8 +538,10 @@ static struct {
-       /* Portable-specific options */
+@@ -535,9 +538,11 @@ static struct {
  #ifdef USE_PAM
        { "usepam", sUsePAM, SSHCFG_GLOBAL },
+       { "pamservicename", sPAMServiceName, SSHCFG_ALL },
 +      { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL },
  #else
        { "usepam", sUnsupported, SSHCFG_GLOBAL },
+       { "pamservicename", sUnsupported, SSHCFG_ALL },
 +      { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL },
  #endif
        { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
        /* Standard Options */
 @@ -1331,6 +1336,9 @@ process_server_config_line_depth(ServerO
-       case sUsePAM:
-               intptr = &options->use_pam;
-               goto parse_flag;
+               if (*activep && *charptr == NULL)
+                       *charptr = xstrdup(arg);
+               break;
 +      case sUsePAMChecklocks:
 +              intptr = &options->use_pam_check_locks;
 +              goto parse_flag;
@@ -83,9 +84,9 @@
 --- openssh-8.8p1.orig/servconf.h
 +++ openssh-8.8p1/servconf.h
 @@ -200,6 +200,7 @@ typedef struct {
-       char   *adm_forced_command;
  
        int     use_pam;                /* Enable auth via PAM */
+       char   *pam_service_name;
 +      int     use_pam_check_locks;    /* internally check for locked accounts 
even when using PAM */
  
        int     permit_tun;

++++++ openssh-7.7p1-systemd-notify.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.743115692 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.747115858 +0200
@@ -61,7 +61,7 @@
 +
  #include "xmalloc.h"
  #include "ssh.h"
- #include "ssh2.h"
+ #include "sshpty.h"
 @@ -308,6 +312,10 @@ sighup_handler(int sig)
  static void
  sighup_restart(void)
@@ -84,5 +84,5 @@
 +
                /* Accept a connection and return in a forked child */
                server_accept_loop(&sock_in, &sock_out,
-                   &newsock, config_s);
+                   &newsock, config_s, log_stderr);
 

++++++ openssh-7.8p1-role-mls.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.763116526 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.763116526 +0200
@@ -1,8 +1,7 @@
-Index: openssh-9.6p1/auth2.c
-===================================================================
---- openssh-9.6p1.orig/auth2.c
-+++ openssh-9.6p1/auth2.c
-@@ -273,6 +273,9 @@ input_userauth_request(int type, u_int32
+diff -up openssh/auth2.c.role-mls openssh/auth2.c
+--- openssh/auth2.c.role-mls   2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth2.c    2018-08-22 11:14:56.815430916 +0200
+@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
        Authctxt *authctxt = ssh->authctxt;
        Authmethod *m = NULL;
        char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
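Review bot: the file headers of this patch change from the quilt form (`Index: openssh-9.6p1/auth2.c` with `---`/`+++` paths) to `diff -up openssh/auth2.c.role-mls` with 2018 timestamps, and the offset for input_userauth_request() moves backwards from 273 to 256. That reads like a re-import of an older copy rather than a refresh; regenerate the patch against the 9.8p1 tree in the format the other patches use, so the auth and monitor hunks apply at their real positions.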
@@ -12,7 +11,7 @@
        int r, authenticated = 0;
        double tstart = monotime_double();
  
-@@ -286,6 +289,11 @@ input_userauth_request(int type, u_int32
+@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
        debug("userauth-request for user %s service %s method %s", user, 
service, method);
        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
  
@@ -24,36 +23,32 @@
        if ((style = strchr(user, ':')) != NULL)
                *style++ = 0;
  
-@@ -313,8 +321,15 @@ input_userauth_request(int type, u_int32
-                   use_privsep ? " [net]" : "");
+@@ -314,7 +314,13 @@ input_userauth_request(int type, u_int32
+               setproctitle("%s [net]", authctxt->valid ? user : "unknown");
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
--              if (use_privsep)
 +#ifdef WITH_SELINUX
 +              authctxt->role = role ? xstrdup(role) : NULL;
 +#endif
-+              if (use_privsep) {
-                       mm_inform_authserv(service, style);
+               mm_inform_authserv(service, style);
 +#ifdef WITH_SELINUX
-+                      mm_inform_authrole(role);
++              mm_inform_authrole(role);
 +#endif
-+              }
                userauth_banner(ssh);
                if ((r = kex_server_update_ext_info(ssh)) != 0)
                        fatal_fr(r, "kex_server_update_ext_info failed");
-Index: openssh-9.6p1/auth2-gss.c
-===================================================================
---- openssh-9.6p1.orig/auth2-gss.c
-+++ openssh-9.6p1/auth2-gss.c
-@@ -331,6 +331,7 @@ input_gssapi_mic(int type, u_int32_t ple
+diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
+--- openssh/auth2-gss.c.role-mls       2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth2-gss.c        2018-08-22 11:15:42.459799171 +0200
+@@ -281,6 +281,7 @@ input_gssapi_mic(int type, u_int32_t ple
        Authctxt *authctxt = ssh->authctxt;
        Gssctxt *gssctxt;
        int r, authenticated = 0;
 +      char *micuser;
        struct sshbuf *b;
        gss_buffer_desc mic, gssbuf;
-       const char *displayname;
-@@ -348,7 +349,13 @@ input_gssapi_mic(int type, u_int32_t ple
+       u_char *p;
+@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
                fatal_f("sshbuf_new failed");
        mic.value = p;
        mic.length = len;
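Review bot: in the input_gssapi_mic() declarations the context line after `gss_buffer_desc mic, gssbuf;` changes from `const char *displayname;` to `u_char *p;` while the offset drops from 331 to 281, so this hunk's context comes from a different source revision than the one it replaced. Check against the 9.8p1 auth2-gss.c that `char *micuser;` lands in the intended declaration block and that the hunk applies without fuzz.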
@@ -68,7 +63,7 @@
            "gssapi-with-mic", ssh->kex->session_id);
  
        if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
-@@ -362,6 +369,8 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
                logit("GSSAPI MIC check failed");
  
        sshbuf_free(b);
@@ -76,12 +71,11 @@
 +              free(micuser);
        free(mic.value);
  
-       if ((!use_privsep || mm_is_monitor()) &&
-Index: openssh-9.6p1/auth2-hostbased.c
-===================================================================
---- openssh-9.6p1.orig/auth2-hostbased.c
-+++ openssh-9.6p1/auth2-hostbased.c
-@@ -128,7 +128,16 @@ userauth_hostbased(struct ssh *ssh, cons
+       authctxt->postponed = 0;
+diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
+--- openssh/auth2-hostbased.c.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth2-hostbased.c  2018-08-22 11:14:56.816430924 +0200
+@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
        /* reconstruct packet */
        if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
            (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
@@ -98,11 +92,10 @@
            (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
            (r = sshbuf_put_cstring(b, method)) != 0 ||
            (r = sshbuf_put_string(b, pkalg, alen)) != 0 ||
-Index: openssh-9.6p1/auth2-pubkey.c
-===================================================================
---- openssh-9.6p1.orig/auth2-pubkey.c
-+++ openssh-9.6p1/auth2-pubkey.c
-@@ -200,9 +200,16 @@ userauth_pubkey(struct ssh *ssh, const c
+diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c
+--- openssh/auth2-pubkey.c.role-mls    2018-08-22 11:14:56.816430924 +0200
++++ openssh/auth2-pubkey.c     2018-08-22 11:17:07.331483958 +0200
+@@ -169,9 +169,16 @@ userauth_pubkey(struct ssh *ssh)
                        goto done;
                }
                /* reconstruct packet */
@@ -121,10 +114,9 @@
                if ((r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
                    (r = sshbuf_put_cstring(b, userstyle)) != 0 ||
                    (r = sshbuf_put_cstring(b, authctxt->service)) != 0 ||
-Index: openssh-9.6p1/auth.h
-===================================================================
---- openssh-9.6p1.orig/auth.h
-+++ openssh-9.6p1/auth.h
+diff -up openssh/auth.h.role-mls openssh/auth.h
+--- openssh/auth.h.role-mls    2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth.h     2018-08-22 11:14:56.816430924 +0200
 @@ -65,6 +65,9 @@ struct Authctxt {
        char            *service;
        struct passwd   *pw;            /* set if 'valid' */
@@ -135,11 +127,10 @@
  
        /* Method lists for multiple authentication */
        char            **auth_methods; /* modified from server config */
-Index: openssh-9.6p1/auth-pam.c
-===================================================================
---- openssh-9.6p1.orig/auth-pam.c
-+++ openssh-9.6p1/auth-pam.c
-@@ -1242,7 +1242,7 @@ is_pam_session_open(void)
+diff -up openssh/auth-pam.c.role-mls openssh/auth-pam.c
+--- openssh/auth-pam.c.role-mls        2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth-pam.c 2018-08-22 11:14:56.816430924 +0200
+@@ -1172,7 +1172,7 @@ is_pam_session_open(void)
   * during the ssh authentication process.
   */
  int
@@ -148,24 +139,22 @@
  {
        int ret = 1;
        char *compound;
-Index: openssh-9.6p1/auth-pam.h
-===================================================================
---- openssh-9.6p1.orig/auth-pam.h
-+++ openssh-9.6p1/auth-pam.h
+diff -up openssh/auth-pam.h.role-mls openssh/auth-pam.h
+--- openssh/auth-pam.h.role-mls        2018-08-20 07:57:29.000000000 +0200
++++ openssh/auth-pam.h 2018-08-22 11:14:56.817430932 +0200
 @@ -33,7 +33,7 @@ u_int do_pam_account(void);
  void do_pam_session(struct ssh *);
- void do_pam_setcred(int );
+ void do_pam_setcred(void);
  void do_pam_chauthtok(void);
 -int do_pam_putenv(char *, char *);
 +int do_pam_putenv(char *, const char *);
  char ** fetch_pam_environment(void);
  char ** fetch_pam_child_environment(void);
  void free_pam_environment(char **);
-Index: openssh-9.6p1/misc.c
-===================================================================
---- openssh-9.6p1.orig/misc.c
-+++ openssh-9.6p1/misc.c
-@@ -771,6 +771,7 @@ char *
+diff -up openssh/misc.c.role-mls openssh/misc.c
+--- openssh/misc.c.role-mls    2018-08-20 07:57:29.000000000 +0200
++++ openssh/misc.c     2018-08-22 11:14:56.817430932 +0200
+@@ -542,6 +542,7 @@ char *
  colon(char *cp)
  {
        int flag = 0;
@@ -173,7 +162,7 @@
  
        if (*cp == ':')         /* Leading colon is part of file name. */
                return NULL;
-@@ -786,6 +787,13 @@ colon(char *cp)
+@@ -557,6 +558,13 @@ colon(char *cp)
                        return (cp);
                if (*cp == '/')
                        return NULL;
@@ -187,11 +176,10 @@
        }
        return NULL;
  }
-Index: openssh-9.6p1/monitor.c
-===================================================================
---- openssh-9.6p1.orig/monitor.c
-+++ openssh-9.6p1/monitor.c
-@@ -120,6 +120,9 @@ int mm_answer_sign(struct ssh *, int, st
+diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c
+--- openssh-8.6p1/monitor.c.role-mls   2021-04-16 05:55:25.000000000 +0200
++++ openssh-8.6p1/monitor.c    2021-05-21 14:21:56.719414087 +0200
+@@ -117,6 +117,9 @@ int mm_answer_sign(struct ssh *, int, st
  int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
  int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
  int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
@@ -201,7 +189,7 @@
  int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
  int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
  int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
-@@ -200,6 +203,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -195,6 +198,9 @@ struct mon_table mon_dispatch_proto20[]
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -211,7 +199,7 @@
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -834,6 +840,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
+@@ -803,6 +809,9 @@ mm_answer_pwnamallow(struct ssh *ssh, in
  
        /* Allow service/style information on the auth context */
        monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -221,7 +209,7 @@
        monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
  
  #ifdef USE_PAM
-@@ -908,6 +917,26 @@ key_base_type_match(const char *method,
+@@ -877,6 +886,26 @@ key_base_type_match(const char *method,
        return found;
  }
  
@@ -248,16 +236,16 @@
  int
  mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
  {
-@@ -1280,7 +1309,7 @@ monitor_valid_userblob(struct ssh *ssh,
+@@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh,
        struct sshbuf *b;
-       struct sshkey *hostkey = NULL;
+       struct sshkey *hostkey = NULL;
        const u_char *p;
 -      char *userstyle, *cp;
 +      char *userstyle, *s, *cp;
        size_t len;
        u_char type;
        int hostbound = 0, r, fail = 0;
-@@ -1311,6 +1340,8 @@ monitor_valid_userblob(struct ssh *ssh,
+@@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh,
                fail++;
        if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
                fatal_fr(r, "parse userstyle");
@@ -266,7 +254,7 @@
        xasprintf(&userstyle, "%s%s%s", authctxt->user,
            authctxt->style ? ":" : "",
            authctxt->style ? authctxt->style : "");
-@@ -1361,7 +1392,7 @@ monitor_valid_hostbasedblob(const u_char
+@@ -1317,7 +1348,7 @@ monitor_valid_hostbasedblob(const u_char
  {
        struct sshbuf *b;
        const u_char *p;
@@ -275,7 +263,7 @@
        size_t len;
        int r, fail = 0;
        u_char type;
-@@ -1382,6 +1413,8 @@ monitor_valid_hostbasedblob(const u_char
+@@ -1338,6 +1370,8 @@ monitor_valid_hostbasedblob(const u_char
                fail++;
        if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
                fatal_fr(r, "parse userstyle");
@@ -284,10 +272,9 @@
        xasprintf(&userstyle, "%s%s%s", authctxt->user,
            authctxt->style ? ":" : "",
            authctxt->style ? authctxt->style : "");
-Index: openssh-9.6p1/monitor.h
-===================================================================
---- openssh-9.6p1.orig/monitor.h
-+++ openssh-9.6p1/monitor.h
+diff -up openssh/monitor.h.role-mls openssh/monitor.h
+--- openssh/monitor.h.role-mls 2018-08-20 07:57:29.000000000 +0200
++++ openssh/monitor.h  2018-08-22 11:14:56.818430941 +0200
 @@ -55,6 +55,10 @@ enum monitor_reqtype {
        MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
        MONITOR_REQ_TERM = 50,
@@ -299,11 +286,10 @@
        MONITOR_REQ_PAM_START = 100,
        MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
        MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
-Index: openssh-9.6p1/monitor_wrap.c
-===================================================================
---- openssh-9.6p1.orig/monitor_wrap.c
-+++ openssh-9.6p1/monitor_wrap.c
-@@ -396,6 +396,27 @@ mm_inform_authserv(char *service, char *
+diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
+--- openssh/monitor_wrap.c.role-mls    2018-08-22 11:14:56.818430941 +0200
++++ openssh/monitor_wrap.c     2018-08-22 11:21:47.938747968 +0200
+@@ -390,6 +390,27 @@ mm_inform_authserv(char *service, char *
        sshbuf_free(m);
  }
  
@@ -331,11 +317,10 @@
  /* Do the password authentication */
  int
  mm_auth_password(struct ssh *ssh, char *password)
-Index: openssh-9.6p1/monitor_wrap.h
-===================================================================
---- openssh-9.6p1.orig/monitor_wrap.h
-+++ openssh-9.6p1/monitor_wrap.h
-@@ -49,6 +49,9 @@ int mm_sshkey_sign(struct ssh *, struct
+diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
+--- openssh/monitor_wrap.h.role-mls    2018-08-22 11:14:56.818430941 +0200
++++ openssh/monitor_wrap.h     2018-08-22 11:22:10.439929513 +0200
+@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
      const u_char *, size_t, const char *, const char *,
      const char *, u_int compat);
  void mm_inform_authserv(char *, char *);
@@ -345,11 +330,10 @@
  struct passwd *mm_getpwnamallow(struct ssh *, const char *);
  char *mm_auth2_read_banner(void);
  int mm_auth_password(struct ssh *, char *);
-Index: openssh-9.6p1/openbsd-compat/Makefile.in
-===================================================================
---- openssh-9.6p1.orig/openbsd-compat/Makefile.in
-+++ openssh-9.6p1/openbsd-compat/Makefile.in
-@@ -100,7 +100,8 @@ PORTS=     port-aix.o \
+diff -up openssh/openbsd-compat/Makefile.in.role-mls 
openssh/openbsd-compat/Makefile.in
+--- openssh/openbsd-compat/Makefile.in.role-mls        2018-08-20 
07:57:29.000000000 +0200
++++ openssh/openbsd-compat/Makefile.in 2018-08-22 11:14:56.819430949 +0200
+@@ -92,7 +92,8 @@ PORTS=       port-aix.o \
        port-prngd.o \
        port-solaris.o \
        port-net.o \
@@ -359,11 +343,10 @@
  
  .c.o:
        $(CC) $(CFLAGS_NOPIE) $(PICFLAG) $(CPPFLAGS) -c $<
-Index: openssh-9.6p1/openbsd-compat/port-linux.c
-===================================================================
---- openssh-9.6p1.orig/openbsd-compat/port-linux.c
-+++ openssh-9.6p1/openbsd-compat/port-linux.c
-@@ -101,37 +101,6 @@ ssh_selinux_getctxbyname(char *pwname)
+diff -up openssh/openbsd-compat/port-linux.c.role-mls 
openssh/openbsd-compat/port-linux.c
+--- openssh/openbsd-compat/port-linux.c.role-mls       2018-08-20 
07:57:29.000000000 +0200
++++ openssh/openbsd-compat/port-linux.c        2018-08-22 11:14:56.819430949 
+0200
+@@ -100,37 +100,6 @@ ssh_selinux_getctxbyname(char *pwname)
        return sc;
  }
  
@@ -401,7 +384,7 @@
  /* Set the TTY context for the specified user */
  void
  ssh_selinux_setup_pty(char *pwname, const char *tty)
-@@ -144,7 +113,11 @@ ssh_selinux_setup_pty(char *pwname, cons
+@@ -145,7 +114,11 @@ ssh_selinux_setup_pty(char *pwname, cons
  
        debug3("%s: setting TTY context on %s", __func__, tty);
  
@@ -414,10 +397,9 @@
  
        /* XXX: should these calls fatal() upon failure in enforcing mode? */
  
-Index: openssh-9.6p1/openbsd-compat/port-linux.h
-===================================================================
---- openssh-9.6p1.orig/openbsd-compat/port-linux.h
-+++ openssh-9.6p1/openbsd-compat/port-linux.h
+diff -up openssh/openbsd-compat/port-linux.h.role-mls 
openssh/openbsd-compat/port-linux.h
+--- openssh/openbsd-compat/port-linux.h.role-mls       2018-08-20 
07:57:29.000000000 +0200
++++ openssh/openbsd-compat/port-linux.h        2018-08-22 11:14:56.819430949 
+0200
 @@ -20,9 +20,10 @@
  #ifdef WITH_SELINUX
  int ssh_selinux_enabled(void);
@@ -430,11 +412,10 @@
  #endif
  
  #ifdef LINUX_OOM_ADJUST
-Index: openssh-9.6p1/openbsd-compat/port-linux-sshd.c
-===================================================================
---- /dev/null
-+++ openssh-9.6p1/openbsd-compat/port-linux-sshd.c
-@@ -0,0 +1,421 @@
+diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls 
openssh/openbsd-compat/port-linux-sshd.c
+--- openssh/openbsd-compat/port-linux-sshd.c.role-mls  2018-08-22 
11:14:56.819430949 +0200
++++ openssh/openbsd-compat/port-linux-sshd.c   2018-08-22 11:14:56.819430949 
+0200
+@@ -0,0 +1,420 @@
 +/*
 + * Copyright (c) 2005 Daniel Walsh <dwa...@redhat.com>
 + * Copyright (c) 2014 Petr Lautrbach <plaut...@redhat.com>
@@ -488,7 +469,6 @@
 +extern ServerOptions options;
 +extern Authctxt *the_authctxt;
 +extern int inetd_flag;
-+extern int rexeced_flag;
 +
 +/* Send audit message */
 +static int
@@ -694,7 +674,7 @@
 +
 +      if (r == 0) {
 +              /* If launched from xinetd, we must use current level */
-+              if (inetd_flag && !rexeced_flag) {
++              if (inetd_flag) {
 +                      security_context_t sshdsc=NULL;
 +
 +                      if (getcon_raw(&sshdsc) < 0)
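Review bot: The xinetd check just above, `if (inetd_flag)`, no longer excludes the re-exec case now that `&& !rexeced_flag` is gone, so the choice of "use current level" rests entirely on how `inetd_flag` is set in the binary this file is linked into. The file headers later in this patch target sshd-session.c, so please confirm that `inetd_flag` there is only true for a real inetd/xinetd launch. If it is also set for an ordinary per-connection session process, every login would take the `getcon_raw()` path and inherit the daemon's current MLS level instead of the user's default. A short comment stating which process sets the flag would make this reviewable.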
@@ -768,7 +748,7 @@
 +
 +      rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
 +
-+      if (inetd_flag && !rexeced_flag) {
++      if (inetd_flag) {
 +              use_current = "1";
 +      } else {
 +              use_current = "";
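Review bot: The `if (inetd_flag)` test that sets `use_current` here duplicates the condition changed a few hunks earlier in the same file, and the two must stay in agreement for the PAM environment to match the context sshd actually picks. Consider moving the test into one small static helper used by both call sites, so a future change to the rule cannot update one copy and miss the other.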
@@ -856,11 +836,10 @@
 +#endif
 +#endif
 +
-Index: openssh-9.6p1/platform.c
-===================================================================
---- openssh-9.6p1.orig/platform.c
-+++ openssh-9.6p1/platform.c
-@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(stru
+diff -up openssh/platform.c.role-mls openssh/platform.c
+--- openssh/platform.c.role-mls        2018-08-20 07:57:29.000000000 +0200
++++ openssh/platform.c 2018-08-22 11:14:56.819430949 +0200
+@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(stru
        }
  #endif /* HAVE_SETPCRED */
  #ifdef WITH_SELINUX
@@ -869,11 +848,10 @@
  #endif
  }
  
-Index: openssh-9.6p1/sshd.c
-===================================================================
---- openssh-9.6p1.orig/sshd.c
-+++ openssh-9.6p1/sshd.c
-@@ -2387,6 +2387,9 @@ main(int ac, char **av)
+diff -up openssh/sshd.c.role-mls openssh/sshd.c
+--- openssh/sshd-session.c.role-mls    2018-08-20 07:57:29.000000000 +0200
++++ openssh/sshd-session.c     2018-08-22 11:14:56.820430957 +0200
+@@ -2186,6 +2186,9 @@ main(int ac, char **av)
                restore_uid();
        }
  #endif
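Review bot: The header for this file is inconsistent: the `diff -up` line still names `openssh/sshd.c.role-mls openssh/sshd.c`, while the `---`/`+++` lines below it name `openssh/sshd-session.c`. Please update the `diff -up` line to match, since anyone grepping the patch for the files it touches will otherwise conclude that sshd.c is modified and sshd-session.c is not.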
@@ -882,5 +860,5 @@
 +#endif
  #ifdef USE_PAM
        if (options.use_pam) {
-               do_pam_setcred(1);
+               do_pam_setcred();
 

++++++ openssh-8.0p1-gssapi-keyex.patch ++++++
++++ 2563 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.0p1-gssapi-keyex.patch
++++ and 
/work/SRC/openSUSE:Factory/.openssh.new.2698/openssh-8.0p1-gssapi-keyex.patch

++++++ openssh-8.1p1-audit.patch ++++++
++++ 875 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch
++++ and /work/SRC/openSUSE:Factory/.openssh.new.2698/openssh-8.1p1-audit.patch

++++++ openssh-8.4p1-vendordir.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.851120192 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.855120359 +0200
@@ -123,28 +123,21 @@
 ===================================================================
 --- openssh-8.9p1.orig/sshd.c
 +++ openssh-8.9p1/sshd.c
-@@ -148,7 +148,7 @@ extern char *__progname;
- ServerOptions options;
- 
- /* Name of the server configuration file. */
--char *config_file_name = _PATH_SERVER_CONFIG_FILE;
-+char *config_file_name = NULL;
- 
- /*
-  * Debug mode flag.  This can be set on the command line.  If debug
-@@ -1591,6 +1591,7 @@ prepare_proctitle(int ac, char **av)
- int
- main(int ac, char **av)
- {
-+      struct stat st;
-       struct ssh *ssh = NULL;
+@@ -1201,7 +1201,8 @@ prepare_proctitle(int ac, char **av)
        extern char *optarg;
        extern int optind;
+       int log_stderr = 0, inetd_flag = 0, test_flag = 0, no_daemon_flag = 0;
+-      char *config_file_name = _PATH_SERVER_CONFIG_FILE;
++      char *config_file_name = NULL;
++      struct stat st;
+       int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
+       int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
+       int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
 @@ -1806,7 +1807,21 @@ main(int ac, char **av)
-                        */
-                       (void)atomicio(vwrite, startup_pipe, "\0", 1);
-               }
-+      } else if (config_file_name == NULL) {
+       /* Fetch our configuration */
+       if ((cfg = sshbuf_new()) == NULL)
+               fatal("sshbuf_new config failed");
++      if (config_file_name == NULL) {
 +              /* If only the vendor configuration file exists, use that.
 +               * Else use the standard configuration file.
 +               */
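Review bot: With `char *config_file_name = NULL;` now a local in main(), any use of the variable between its declaration and the "Fetch our configuration" block has to tolerate NULL. The `strcasecmp(config_file_name, "none")` test is safe because it sits in the else branch of the new NULL check, but option handling and debug or error messages that print the configuration path earlier in main() should be checked as well, and a one-line comment at the declaration saying that NULL means "not given on the command line" would document the contract.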
@@ -157,11 +150,12 @@
 +                      config_file_name = _PATH_SERVER_CONFIG_FILE;
 +              }
 +              load_server_config(config_file_name, cfg);
-       } else if (strcasecmp(config_file_name, "none") != 0)
+-      if (strcasecmp(config_file_name, "none") != 0)
++      } else if (strcasecmp(config_file_name, "none") != 0)
 +              /* load config specified on commandline */
                load_server_config(config_file_name, cfg);
  
-       parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
+       parse_server_config(&options, config_file_name, cfg,
 Index: openssh-8.9p1/sshd_config.5
 ===================================================================
 --- openssh-8.9p1.orig/sshd_config.5
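Review bot: The `} else if (strcasecmp(config_file_name, "none") != 0)` branch has no braces while the branch before it does, and a comment line now sits between the condition and the `load_server_config()` call it controls. Please brace the else-if body, so that a later added statement cannot silently fall outside the condition.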

++++++ openssh-9.6p1-crypto-policies-man.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:01.871121026 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:01.875121193 +0200
@@ -84,13 +84,14 @@
  The list of key exchange algorithms that are offered for GSSAPI
  key exchange. Possible values are
  .Bd -literal -offset 3n
-@@ -991,9 +993,8 @@ gss-nistp256-sha256-,
+@@ -991,10 +993,8 @@ gss-nistp256-sha256-,
  gss-curve25519-sha256-
  .Ed
  .Pp
 -The default is
--.Dq gss-gex-sha1-,gss-group14-sha1- .
- This option only applies to protocol version 2 connections using GSSAPI.
+-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
+-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+ This option only applies to connections using GSSAPI.
 +.Pp
  .It Cm HashKnownHosts
  Indicates that
@@ -159,7 +160,7 @@
  .It Cm HostKeyAlias
  Specifies an alias that should be used instead of the
  real host name when looking up or saving the host key
-@@ -1311,31 +1313,26 @@ it may be zero or more of:
+@@ -1311,36 +1313,30 @@ it may be zero or more of:
  and
  .Cm pam .
  .It Cm KexAlgorithms
@@ -169,8 +170,12 @@
 +existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
- Specifies the available KEX (Key Exchange) algorithms.
+ Specifies the permitted KEX (Key Exchange) algorithms that will be used and
+ their preference order.
+ The selected algorithm will the the first algorithm in this list that
+ the server also supports.
  Multiple algorithms must be comma-separated.
+ .Pp
  If the specified list begins with a
  .Sq +
 -character, then the specified algorithms will be appended to the default set
@@ -186,6 +191,7 @@
  .Sq ^
  character, then the specified algorithms will be placed at the head of the
 -default set.
+-.Pp
 -The default is:
 -.Bd -literal -offset indent
 -sntrup761x25519-sha...@openssh.com,
@@ -199,7 +205,7 @@
 -.Ed
 +built-in openssh default set.
  .Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
  .Qq ssh -Q kex .
 @@ -1445,37 +1442,34 @@ function, and all code in the
  file.
@@ -386,7 +392,7 @@
  The list of available ciphers may also be obtained using
  .Qq ssh -Q cipher .
  .It Cm ClientAliveCountMax
-@@ -764,52 +760,45 @@ For this to work
+@@ -764,53 +760,45 @@ For this to work
  .Cm GSSAPIKeyExchange
  needs to be enabled in the server and also used by the client.
  .It Cm GSSAPIKexAlgorithms
@@ -415,8 +421,9 @@
  .Ed
 -.Pp
 -The default is
--.Dq gss-gex-sha1-,gss-group14-sha1- .
- This option only applies to protocol version 2 connections using GSSAPI.
+-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
+-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+ This option only applies to connections using GSSAPI.
  .It Cm HostbasedAcceptedAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
@@ -492,7 +499,7 @@
  The list of available signature algorithms may also be obtained using
  .Qq ssh -Q HostKeyAlgorithms .
  .It Cm IgnoreRhosts
-@@ -1027,20 +1006,26 @@ file on logout.
+@@ -1027,24 +1006,30 @@ file on logout.
  The default is
  .Cm yes .
  .It Cm KexAlgorithms
@@ -502,9 +509,13 @@
 +existing policies with sub-policies are present in manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
- Specifies the available KEX (Key Exchange) algorithms.
+ Specifies the permitted KEX (Key Exchange) algorithms that the server will
+ offer to clients.
+ The ordering of this list is not important, as the client specifies the
+ preference order.
  Multiple algorithms must be comma-separated.
- Alternately if the specified list begins with a
+ .Pp
+ If the specified list begins with a
  .Sq +
 -character, then the specified algorithms will be appended to the default set
 -instead of replacing them.
@@ -520,9 +531,9 @@
  character, then the specified algorithms will be placed at the head of the
 -default set.
 +built-in openssh default set.
+ .Pp
  The supported algorithms are:
  .Pp
- .Bl -item -compact -offset indent
 @@ -1072,16 +1057,6 @@ ecdh-sha2-nistp521
  sntrup761x25519-sha...@openssh.com
  .El
@@ -537,7 +548,7 @@
 -diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
 -.Ed
 -.Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
  .Qq ssh -Q KexAlgorithms .
  .It Cm ListenAddress
 @@ -1167,21 +1142,27 @@ function, and all code in the

++++++ openssh-9.6p1.tar.gz -> openssh-9.8p1.tar.gz ++++++
++++ 23852 lines of diff (skipped)

++++++ openssh-mitigate-lingering-secrets.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:02.295138695 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:02.299138861 +0200
@@ -207,9 +207,9 @@
 --- openssh-9.3p2.orig/packet.h
 +++ openssh-9.3p2/packet.h
 @@ -103,6 +103,7 @@ void     ssh_packet_close(struct ssh *);
+ void     ssh_packet_close(struct ssh *);
  void   ssh_packet_set_input_hook(struct ssh *, ssh_packet_hook_fn *, void *);
  void   ssh_packet_clear_keys(struct ssh *);
- void     ssh_packet_clear_keys_noaudit(struct ssh *);
 +void   ssh_clear_curkeys(struct ssh *, int);
  void   ssh_clear_newkeys(struct ssh *, int);
  
@@ -264,12 +264,12 @@
  /* Macros for decoding/encoding integers */
  #define PEEK_U64(p) \
        (((u_int64_t)(((const u_char *)(p))[0]) << 56) | \
-Index: openssh-9.3p2/sshd.c
+Index: openssh-9.3p2/sshd-session.c
 ===================================================================
---- openssh-9.3p2.orig/sshd.c
-+++ openssh-9.3p2/sshd.c
-@@ -272,6 +272,19 @@ static void do_ssh2_kex(struct ssh *);
- static char *listener_proctitle;
+--- openssh-9.3p2.orig/sshd-session.c
++++ openssh-9.3p2/sshd-session.c
+@@ -197,6 +197,19 @@ static void do_ssh2_kex(struct ssh *);
+ static void do_ssh2_kex(struct ssh *);
  
  /*
 + * Clear some stack space. This is a bit naive, but hopefully helps mitigate
@@ -285,10 +285,10 @@
 +}
 +
 +/*
-  * Close all listening sockets
-  */
- static void
-@@ -430,6 +443,8 @@ destroy_sensitive_data(struct ssh *ssh,
+  * Signal handler for the alarm after the login grace period has expired.
+  * As usual, this may only take signal-safe actions, even though it is
+  * terminal.
+@@ -260,6 +260,8 @@ destroy_sensitive_data(struct ssh *ssh,
                        sensitive_data.host_certificates[i] = NULL;
                }
        }
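Review bot: The new hunk header `@@ -260,6 +260,8 @@` has identical old and new start lines even though the preceding hunk in the same file, `@@ -197,6 +197,19 @@`, adds 13 lines. The previous revision of this patch carried that offset through correctly (430 became 443), so the headers for sshd-session.c look hand-edited rather than regenerated. Please refresh the patch (for example with quilt refresh) so the new-side line numbers are real, because hand-edited offsets make a later fuzz or mis-apply much harder to diagnose in a patch whose purpose is scrubbing key material.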
@@ -297,32 +297,32 @@
  }
  
  /* Demote private to public keys for network child */
-@@ -600,6 +615,8 @@ privsep_preauth(struct ssh *ssh)
- static void
- privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
+@@ -431,6 +432,8 @@ privsep_preauth(struct ssh *ssh)
  {
+       int skip_privdrop = 0;
+ 
 +      clobber_stack();
 +
- #ifdef DISABLE_FD_PASSING
-       if (1) {
- #else
-@@ -2360,6 +2377,7 @@ main(int ac, char **av)
-       if (use_privsep) {
-               mm_send_keystate(ssh, pmonitor);
-               ssh_packet_clear_keys(ssh);
-+              clobber_stack();
-               exit(0);
-       }
+       /*
+        * Hack for systems that don't support FD passing: retain privileges
+        * in the post-auth privsep process so it can allocate PTYs directly.
+@@ -1354,6 +1356,7 @@ main(int ac, char **av)
+        */
+       mm_send_keystate(ssh, pmonitor);
+       ssh_packet_clear_keys(ssh);
++      clobber_stack();
+       exit(0);
+ 
+  authenticated:
+@@ -1431,6 +1434,7 @@ main(int ac, char **av)
  
-@@ -2436,6 +2454,7 @@ main(int ac, char **av)
-       if (use_privsep)
-               mm_terminate();
+       mm_terminate();
  
 +      clobber_stack();
        exit(0);
  }
  
-@@ -2596,8 +2615,10 @@ cleanup_exit(int i)
+@@ -1577,8 +1581,10 @@ cleanup_exit(int i)
        /* cleanup_exit can be called at the very least from the privsep
           wrappers used for auditing.  Make sure we don't recurse
           indefinitely. */
@@ -332,10 +332,10 @@
                _exit(i);
 +      }
        in_cleanup = 1;
-       if (the_active_state != NULL && the_authctxt != NULL) {
-               do_cleanup(the_active_state, the_authctxt);
-@@ -2623,5 +2644,7 @@ cleanup_exit(int i)
-           (!use_privsep || mm_is_monitor()))
+       extern int auth_attempted; /* monitor.c */
+ 
+@@ -1604,5 +1610,7 @@ cleanup_exit(int i)
+            mm_is_monitor())
                audit_event(the_active_state, SSH_CONNECTION_ABANDON);
  #endif
 +

++++++ openssh-reenable-dh-group14-sha1-default.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:02.315139528 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:02.319139695 +0200
@@ -25,7 +25,7 @@
 +diffie-hellman-group14-sha1
  .Ed
  .Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
 Index: openssh-8.9p1/sshd_config.5
 ===================================================================
 --- openssh-8.9p1.orig/sshd_config.5
@@ -38,5 +38,5 @@
 +diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
  .Ed
  .Pp
- The list of available key exchange algorithms may also be obtained using
+ The list of supported key exchange algorithms may also be obtained using
 


++++++ sshd.socket ++++++
[Unit]
Description=OpenSSH Server Socket
Conflicts=sshd.service

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target


++++++ sshd@.service ++++++
[Unit]
Description=OpenSSH Per-Connection Server Daemon
Documentation=man:systemd-ssh-generator(8) man:sshd(8)
After=network.target
        
[Service]
EnvironmentFile=-/etc/sysconfig/ssh
ExecStartPre=/usr/sbin/sshd-gen-keys-start
ExecStartPre=/usr/sbin/sshd -t $SSHD_OPTS
ExecStart=-/usr/sbin/sshd -i $SSHD_OPTS
StandardInput=socket
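Review bot: Because sshd.socket uses `Accept=yes`, a separate sshd@.service instance is started for every incoming connection, so both `ExecStartPre=` commands (`sshd-gen-keys-start` and `sshd -t $SSHD_OPTS`) run before authentication on each connection attempt. Please consider whether host-key generation and the configuration test belong in the per-connection path, or whether they can run once elsewhere. In this mode there is also no long-running listener to throttle unauthenticated connections, so the `[Socket]` section would benefit from an explicit `MaxConnectionsPerSource=` (and a deliberate `MaxConnections=`) rather than relying on defaults.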

++++++ wtmpdb.patch ++++++
--- /var/tmp/diff_new_pack.YPTahY/_old  2024-08-21 23:25:02.471146029 +0200
+++ /var/tmp/diff_new_pack.YPTahY/_new  2024-08-21 23:25:02.475146196 +0200
@@ -174,12 +174,16 @@
  AR=@AR@
  AWK=@AWK@
  RANLIB=@RANLIB@
-@@ -212,7 +213,7 @@
+@@ -212,10 +213,10 @@
        $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) 
$(GSSLIBS) $(CHANNELLIBS)
  
  sshd$(EXEEXT): libssh.a       $(LIBCOMPAT) $(SSHDOBJS)
--      $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
-+      $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+-      $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(CHANNELLIBS)
++      $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) 
$(LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
+ 
+ sshd-session$(EXEEXT): libssh.a       $(LIBCOMPAT) $(SSHD_SESSION_OBJS)
+-      $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat 
$(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS)
++      $(LD) -o $@ $(SSHD_SESSION_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat 
$(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB)
  
  scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS)
        $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
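Review bot: `$(LIBWTMPDB)` is appended to the link line of both `sshd$(EXEEXT)` and `sshd-session$(EXEEXT)`. Please check whether the listener binary references any wtmpdb symbol at all. If login recording only happens in sshd-session, drop the library from the `sshd` line so the network-facing listener does not load a library it never calls.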
