Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2023-06-06 19:54:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.15902 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Tue Jun 6 19:54:55 2023 rev:164 rq:1090577 version:9.3p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2021-10-11 16:48:39.866172377 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh-askpass-gnome.changes 2023-06-06 19:55:08.426075279 +0200 @@ -1,0 +2,14 @@ +Sun May 28 09:16:44 UTC 2023 - Andreas Stieger <andreas.stie...@gmx.de> + +- openssh-askpass-gnome: require only openssh-clients, not the full + openssh (including -server), to avoid pulling in excessive + dependencies when installing git on Gnome (boo#1211446) + +------------------------------------------------------------------- +Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarr...@suse.com> + +- Update to openssh 9.3p1 + * No changes for askpass, see main package changelog for + details + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2023-04-15 22:32:05.581173030 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh.changes 2023-06-06 19:55:08.530075896 +0200 
@@ -1,0 +2,476 @@ +Thu May 11 07:01:54 UTC 2023 - Antonio Larrosa <alarr...@suse.com> + +- Update to openssh 9.3p1: + = Security + * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the + per-hop destination constraints (ssh-add -h ...) added in + OpenSSH 8.9, a logic error prevented the constraints from being + communicated to the agent. This resulted in the keys being added + without constraints. The common cases of non-smartcard keys and + keys without destination constraints are unaffected. This + problem was reported by Luci Stanescu. + + * ssh(1): Portable OpenSSH provides an implementation of the + getrrsetbyname(3) function if the standard library does not + provide it, for use by the VerifyHostKeyDNS feature. A + specifically crafted DNS response could cause this function to + perform an out-of-bounds read of adjacent stack data, but this + condition does not appear to be exploitable beyond denial-of- + service to the ssh(1) client. + The getrrsetbyname(3) replacement is only included if the + system's standard library lacks this function and portable + OpenSSH was not compiled with the ldns library (--with-ldns). + getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to + fetch SSHFP records. This problem was found by the Coverity + static analyzer. + + = New features + * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 + when outputting SSHFP fingerprints to allow algorithm + selection. bz3493 + * sshd(8): add a `sshd -G` option that parses and prints the + effective configuration without attempting to load private keys + and perform other checks. This allows usage of the option + before keys have been generated and for configuration + evaluation and verification by unprivileged users. + + = Bugfixes + * scp(1), sftp(1): fix progressmeter corruption on wide displays; + bz3534 + * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing + usability of private keys as some systems are starting to + disable RSA/SHA1 in libcrypto. 
+ * sftp-server(8): fix a memory leak. GHPR363 + * ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol + compatibility code and simplify what's left. + * Fix a number of low-impact Coverity static analysis findings. + These include several reported via bz2687 + * ssh_config(5), sshd_config(5): mention that some options are + not first-match-wins. + * Rework logging for the regression tests. Regression tests will + now capture separate logs for each ssh and sshd invocation in + a test. + * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage + says it should; bz3532. + * ssh(1): ensure that there is a terminating newline when adding + a new entry to known_hosts; bz3529 + + = Portability + * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of + mmap(2), madvise(2) and futex(2) flags, removing some + concerning kernel attack surface. + * sshd(8): improve Linux seccomp-bpf sandbox for older systems; + bz3537 + +- Update to openssh 9.2p1: + = Security + * sshd(8): fix a pre-authentication double-free memory fault + introduced in OpenSSH 9.1. This is not believed to be + exploitable, and it occurs in the unprivileged pre-auth process + that is subject to chroot(2) and is further sandboxed on most + major platforms. + * ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen + option would ignore its first argument unless it was one of the + special keywords "any" or "none", causing the permission list + to fail open if only one permission was specified. bz3515 + * ssh(1): if the CanonicalizeHostname and + CanonicalizePermittedCNAMEs options were enabled, and the + system/libc resolver did not check that names in DNS responses + were valid, then use of these options could allow an attacker + with control of DNS to include invalid characters (possibly + including wildcards) in names added to known_hosts files when + they were updated. 
These names would still have to match the + CanonicalizePermittedCNAMEs allow-list, so practical + exploitation appears unlikely. + + = Potentially-incompatible changes + * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option + that controls whether the client-side ~C escape sequence that + provides a command-line is available. Among other things, the + ~C command-line could be used to add additional port-forwards + at runtime. + This option defaults to "no", disabling the ~C command-line + that was previously enabled by default. Turning off the + command-line allows platforms that support sandboxing of the + ssh(1) client (currently only OpenBSD) to use a stricter + default sandbox policy. + + = New features + * sshd(8): add support for channel inactivity timeouts via a new + sshd_config(5) ChannelTimeout directive. This allows channels + that have not seen traffic in a configurable interval to be + automatically closed. Different timeouts may be applied to + session, X11, agent and TCP forwarding channels. + * sshd(8): add a sshd_config UnusedConnectionTimeout option to + terminate client connections that have no open channels for a + length of time. This complements the ChannelTimeout option + above. + * sshd(8): add a -V (version) option to sshd like the ssh client + has. + * ssh(1): add a "Host" line to the output of ssh -G showing the + original hostname argument. bz3343 + * scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to + allow control over some SFTP protocol parameters: the copy + buffer length and the number of in-flight requests, both of + which are used during upload/download. Previously these could + be controlled in sftp(1) only. This makes them available in + both SFTP protocol clients using the same option character + sequence. + * ssh-keyscan(1): allow scanning of complete CIDR address ranges, + e.g. "ssh-keyscan 192.168.0.0/24". 
If a CIDR range is passed, + then it will be expanded to all possible addresses in the range + including the all-0s and all-1s addresses. bz#976 + * ssh(1): support dynamic remote port forwarding in escape + command-line's -R processing. bz#3499 + + = Bugfixes + * ssh(1): when restoring non-blocking mode to stdio fds, restore + exactly the flags that ssh started with and don't just clobber + them with zero, as this could also remove the append flag from + the set. bz3523 + * ssh(1): avoid printf("%s", NULL) if using + UserKnownHostsFile=none and a hostkey in one of the system + known hosts file changes. + * scp(1): switch scp from using pipes to a socket-pair for + communication with its ssh sub-processes, matching how sftp(1) + operates. + * sshd(8): clear signal mask early in main(); sshd may have been + started with one or more signals masked (sigprocmask(2) is not + cleared on fork/exec) and this could interfere with various + things, e.g. the login grace timer. Execution environments that + fail to clear the signal mask before running sshd are clearly + broken, but apparently they do exist. + * ssh(1): warn if no host keys for hostbased auth can be loaded. + * sshd(8): Add server debugging for hostbased auth that is queued + and sent to the client after successful authentication, but + also logged to assist in diagnosis of HostbasedAuthentication + problems. bz3507 + * ssh(1): document use of the IdentityFile option as being usable + to list public keys as well as private keys. GHPR352 + * sshd(8): check for and disallow MaxStartups values less than or + equal to zero during config parsing, rather than failing later + at runtime. bz3489 + * ssh-keygen(1): fix parsing of hex cert expiry times specified + on the command-line when acting as a CA. + * scp(1): when scp(1) is using the SFTP protocol for transport + (the default), better match scp/rcp's handling of globs that + don't match the globbed characters but do match literally (e.g. 
+ trying to transfer a file named "foo.[1]"). Previously scp(1) + in SFTP mode would not match these pathnames but legacy scp/rcp + mode would. bz3488 + * ssh-agent(1): document the "-O no-restrict-websafe" + command-line option. + * ssh(1): honour user's umask(2) if it is more restrictive then + the ssh default (022). + + = Portability + * sshd(8): allow writev(2) in the Linux seccomp sandbox. This + seems to be used by recent glibcs at least in some + configurations during error conditions. bz3512. + * sshd(8): simply handling of SSH_CONNECTION PAM env var, + removing global variable and checking the return value from + pam_putenv. bz3508 + * sshd(8): disable SANDBOX_SECCOMP_FILTER_DEBUG that was + mistakenly enabled during the OpenSSH 9.1 release cycle. + * misc: update autotools and regenerate the config files using + the latest autotools + * all: use -fzero-call-used-regs=used on clang 15 instead of + -fzero-call-used-reg=all, as some versions of clang 15 have + miscompile code when it was enabled. bz3475 + * sshd(8): defer PRNG seeding until after the initial + closefrom(2) call. PRNG seeding will initialize OpenSSL, and + some engine providers (e.g. Intel's QAT) will open descriptors + for their own use that closefrom(2) could clobber. bz3483 + * misc: in the poll(2)/ppoll(2) compatibility code, avoid + assuming the layout of fd_set. + * sftp-server(8), ssh-agent(1): fix ptrace(2) disabling on older + FreeBSD kernels. Some versions do not support using id 0 to + refer to the current PID for procctl, so try again with + getpid() explicitly before failing. + * configure.ac: fix -Wstrict-prototypes in configure test code. + Clang 16 now warns on this and legacy prototypes will be + removed in C23. GHPR355 + * configure.ac: fix setres*id checks to work with clang-16. glibc + has the prototypes for setresuid behind _GNU_SOURCE, and + clang 16 will error out on implicit function definitions. 
+ bz3497 + ++++ 279 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh.changes ++++ and /work/SRC/openSUSE:Factory/.openssh.new.15902/openssh.changes Old: ---- openssh-8.9p1.tar.gz openssh-8.9p1.tar.gz.asc New: ---- _multibuild fix-missing-lz.patch openssh-9.3p1.tar.gz openssh-9.3p1.tar.gz.asc wtmpdb.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.670088583 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.674088607 +0200 @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 8.9p1 +Version: 9.3p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause @@ -26,7 +26,7 @@ URL: https://www.openssh.com/ Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc -Requires: %{_name} = %{version} +Requires: %{_name}-clients = %{version} Supplements: packageand(openssh-clients:libgtk-3-0) %if 0%{?suse_version} >= 1550 BuildRequires: gtk3-devel ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.718088867 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.726088915 +0200 
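Review bot: several typos are carried over verbatim from the upstream release notes into the openssh.changes entry: "vestigal" (vestigial), "more restrictive then the ssh default" (than), "simply handling of SSH_CONNECTION PAM env var" (simplify handling) and "have miscompile code when it was enabled" (miscompiled code). Since this text becomes the permanent package changelog, it is worth correcting them in the .changes entry rather than copying them through.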
@@ -24,13 +24,20 @@ %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) %define CHECKSUM_SUFFIX .hmac %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" +%bcond_without ldap + +%if 0%{?suse_version} >= 1550 +%bcond_without wtmpdb +%else +%bcond_with wtmpdb +%endif #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 8.9p1 +Version: 9.3p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT @@ -107,17 +114,21 @@ Patch48: openssh-8.4p1-pam_motd.patch Patch49: openssh-do-not-send-empty-message.patch Patch50: openssh-openssl-3.patch +Patch51: wtmpdb.patch +Patch100: fix-missing-lz.patch BuildRequires: audit-devel BuildRequires: automake BuildRequires: groff BuildRequires: libedit-devel BuildRequires: libselinux-devel +%if %{with ldap} BuildRequires: openldap2-devel +%endif BuildRequires: openssl-devel BuildRequires: pam-devel BuildRequires: pkgconfig BuildRequires: zlib-devel -BuildRequires: pkgconfig(libfido2) +BuildRequires: pkgconfig(libfido2) >= 1.2.0 BuildRequires: pkgconfig(libsystemd) BuildRequires: sysuser-shadow BuildRequires: sysuser-tools @@ -128,6 +139,9 @@ %else BuildRequires: krb5-mini-devel %endif +%if %{with wtmpdb} +BuildRequires: pkgconfig(libwtmpdb) +%endif Requires(pre): findutils Requires(pre): grep @@ -215,6 +229,7 @@ This package contains clients for making secure connections to Secure Shell servers. +%if %{with ldap} %package helpers Summary: OpenSSH AuthorizedKeysCommand helpers Group: Productivity/Networking/SSH @@ -231,6 +246,7 @@ This package contains helper applications for OpenSSH which retrieve keys from various sources. +%endif %package fips Summary: OpenSSH FIPS crypto module HMACs 
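Review bot: `Patch100: fix-missing-lz.patch` jumps out of the Patch48..Patch51 sequence with no comment. If the gap is deliberate because the patch edits the `ssh-ldap-helper$(EXEEXT)` and `sftp-server$(EXEEXT)` link rules that openssh-7.7p1-ldap.patch introduces into Makefile.in and therefore has to apply after it, a one-line comment above the `Patch100:` line saying so would stop the next rediff from renumbering it back into sequence and breaking the order.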
@@ -262,7 +278,7 @@ # set libexec dir in the LDAP patch sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \ $( grep -Rl @LIBEXECDIR@ \ - $( grep "^+++" openssh-7.7p1-ldap.patch | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) + $( grep "^+++" %{PATCH31} | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) ) %build @@ -294,9 +310,14 @@ %endif --disable-strip \ --with-audit=linux \ +%if %{with ldap} --with-ldap \ +%endif --with-xauth=%{_bindir}/xauth \ --with-libedit \ +%if %{with wtmpdb} + --with-wtmpdb \ +%endif --with-security-key-builtin \ --target=%{_target_cpu}-suse-linux @@ -327,12 +348,16 @@ install -m 644 contrib/ssh-copy-id.1 %{buildroot}%{_mandir}/man1 sed -i -e s@%{_prefix}/libexec@%{_libexecdir}@g %{buildroot}%{_sysconfdir}/ssh/sshd_config +echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf + # Move /etc to /usr/etc/ssh +%if %{defined _distconfdir} mkdir -p %{buildroot}%{_distconfdir}/ssh/ssh{,d}_config.d mv %{buildroot}%{_sysconfdir}/ssh/moduli %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/ssh_config %{buildroot}%{_distconfdir}/ssh/ mv %{buildroot}%{_sysconfdir}/ssh/sshd_config %{buildroot}%{_distconfdir}/ssh/ -echo "PermitRootLogin yes" > %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +mv %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf %{buildroot}%{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +%endif %if 0%{?suse_version} < 1550 # install firewall definitions 
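Review bot: deriving the @LIBEXECDIR@ file list from `%{PATCH31}` instead of the hard-coded `openssh-7.7p1-ldap.patch` name is the right fix, but with `%bcond_without ldap` added in this same update the sed, the application of the LDAP patch and fix-missing-lz.patch (whose hunk context includes the `ssh-ldap-helper$(EXEEXT)` rule that only the LDAP patch adds) all still run regardless of the bcond. Either wrap them in `%if %{with ldap}` or add a comment stating that the LDAP patch is intentionally always applied and only the `--with-ldap` configure flag, `openldap2-devel` and the helpers subpackage are toggled.

Review bot: `echo "PermitRootLogin yes" > %{buildroot}%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf` is now written unconditionally and then moved under `%{_distconfdir}` when that macro is defined. Because the file is packaged only in the `server-config-rootlogin` subpackage (see the `%files server-config-rootlogin` section below), shipping it stays opt-in, which is the right default for a root-login override; a short comment above the echo saying that the drop-in is deliberately confined to that subpackage would keep the next editor from folding it into the main server package.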
@@ -426,9 +451,15 @@ %license LICENCE %doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh +%if %{defined _distconfdir} %attr(0755,root,root) %dir %{_distconfdir}/ssh -%attr(0755,root,root) %dir /usr/etc/ssh/ssh_config.d %attr(0600,root,root) %{_distconfdir}/ssh/moduli +%attr(0755,root,root) %dir %{_distconfdir}/ssh/ssh_config.d +%else +%attr(0755,root,root) %dir %{_sysconfdir}/ssh +%attr(0600,root,root) %{_sysconfdir}/ssh/moduli +%attr(0755,root,root) %dir %{_sysconfdir}/ssh/ssh_config.d +%endif %attr(0444,root,root) %{_mandir}/man1/ssh-keygen.1* %attr(0444,root,root) %{_mandir}/man5/moduli.5* %attr(0755,root,root) %{_bindir}/ssh-keygen* @@ -439,12 +470,13 @@ %attr(0755,root,root) %{_sbindir}/sshd-gen-keys-start %dir %attr(0755,root,root) %{_localstatedir}/lib/sshd %dir %attr(0755,root,root) %{_sysconfdir}/ssh/sshd_config.d +%if %{defined _distconfdir} %attr(0755,root,root) %dir %{_distconfdir}/ssh -%attr(0755,root,root) %dir /usr/etc/ssh/sshd_config.d +%attr(0755,root,root) %dir %{_distconfdir}/ssh/sshd_config.d %attr(0640,root,root) %{_distconfdir}/ssh/sshd_config -%if %{defined _distconfdir} %attr(0644,root,root) %{_pam_vendordir}/sshd %else +%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/sshd %endif %attr(0644,root,root) %{_unitdir}/sshd.service @@ -463,11 +495,19 @@ %endif %files server-config-rootlogin +%if %{defined _distconfdir} %{_distconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +%else +%{_sysconfdir}/ssh/sshd_config.d/50-permit-root-login.conf +%endif %files clients %dir %attr(0755,root,root) %{_sysconfdir}/ssh/ssh_config.d +%if %{defined _distconfdir} %attr(0644,root,root) %{_distconfdir}/ssh/ssh_config +%else +%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config +%endif %attr(0755,root,root) %{_bindir}/ssh %attr(0755,root,root) %{_bindir}/scp* %attr(0755,root,root) %{_bindir}/sftp* 
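Review bot: in the new `%else` branch of the first hunk, `%attr(0755,root,root) %dir %{_sysconfdir}/ssh` duplicates the identical line that already sits unconditionally just above the `%if %{defined _distconfdir}`, so rpmbuild will warn that the file is listed twice; drop the copy inside the `%else`. The same branch also lists `%dir %{_sysconfdir}/ssh/ssh_config.d`, which `%files clients` lists as well, so on systems without `_distconfdir` that directory is co-owned by two subpackages.

Review bot: in the second hunk the `%else` branch adds `%attr(0640,root,root) %{_sysconfdir}/ssh/sshd_config` without `%config(noreplace)`, unlike the `%{_sysconfdir}/pam.d/sshd` line directly below it. On systems without `_distconfdir` that file is the live, administrator-edited server configuration; packaging it as a plain file means a package upgrade replaces local hardening (a tightened PermitRootLogin, for instance) instead of preserving it. It should be `%config(noreplace)`.

Review bot: the `%files clients` hunk has the same gap: its `%else` branch lists `%attr(0644,root,root) %{_sysconfdir}/ssh/ssh_config` without `%config(noreplace)`, so a locally edited client configuration would be overwritten on upgrade; mark it `%config(noreplace)` as well.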
@@ -492,6 +532,7 @@ %attr(0444,root,root) %{_mandir}/man8/ssh-sk-helper.8* %attr(0444,root,root) %{_mandir}/man8/ssh-keysign.8* +%if %{with ldap} %files helpers %attr(0755,root,root) %dir %{_sysconfdir}/ssh %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf @@ -500,6 +541,7 @@ %attr(0444,root,root) %{_mandir}/man5/ssh-ldap* %attr(0444,root,root) %{_mandir}/man8/ssh-ldap* %doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema +%endif %files fips %attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX} ++++++ _multibuild ++++++ <multibuild> <package>openssh-askpass-gnome</package> </multibuild> ++++++ fix-missing-lz.patch ++++++ Index: openssh-9.3p1/Makefile.in =================================================================== --- openssh-9.3p1.orig/Makefile.in +++ openssh-9.3p1/Makefile.in 
@@ -250,17 +250,17 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o $(SFTPSERVER_OBJS) - $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + $(LD) -o $@ $(SFTPSERVER_OBJS) ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) # FIPS tests cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o - $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz cavstest-kdf$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-kdf.o - $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) + $(LD) -o $@ cavstest-kdf.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) -lz # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.926090101 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.930090124 +0200 
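Review bot: fix-missing-lz.patch carries no header explaining why only the `sftp-server`, `cavstest-ctr` and `cavstest-kdf` rules need an explicit `-lz` while the `sftp` and `ssh-ldap-helper` rules in the same hunk do not. The three affected rules are exactly the ones that link `ssh-sk.o sk-usbhid.o ... $(LIBFIDO2)`, so a two-line comment at the top of the patch recording that dependency and the link error it fixes would let a future rediff judge whether the patch is still needed.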
@@ -16,28 +16,28 @@ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect2.o mux.o $(SKOBJS) -Index: openssh-8.8p1/cipher-ctr.c -=================================================================== ---- openssh-8.8p1.orig/cipher-ctr.c -+++ openssh-8.8p1/cipher-ctr.c -@@ -27,6 +27,8 @@ - #include "xmalloc.h" - #include "log.h" - -+#include "fips.h" -+ - /* compatibility with old or broken OpenSSL versions */ - #include "openbsd-compat/openssl-compat.h" - -@@ -139,6 +141,8 @@ evp_aes_128_ctr(void) - #ifndef SSH_OLD_EVP - aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | - EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; -+ if (fips_mode()) -+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS; - #endif - return (&aes_ctr); - } +#Index: openssh-8.8p1/cipher-ctr.c +#=================================================================== +#--- openssh-8.8p1.orig/cipher-ctr.c +#+++ openssh-8.8p1/cipher-ctr.c +#@@ -27,6 +27,8 @@ +# #include "xmalloc.h" +# #include "log.h" +# +#+#include "fips.h" +#+ +# /* compatibility with old or broken OpenSSL versions */ +# #include "openbsd-compat/openssl-compat.h" +# +#@@ -139,6 +141,8 @@ evp_aes_128_ctr(void) +# #ifndef SSH_OLD_EVP +# aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | +# EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; +#+ if (fips_mode()) +#+ aes_ctr.flags |= EVP_CIPH_FLAG_FIPS; +# #endif +# return (&aes_ctr); +# } Index: openssh-8.8p1/cipher.c =================================================================== --- openssh-8.8p1.orig/cipher.c @@ -416,8 +416,8 @@ --- openssh-8.8p1.orig/kex.c +++ openssh-8.8p1/kex.c @@ -62,6 +62,8 @@ - #include "sshbuf.h" #include "digest.h" + #include "xmalloc.h" +#include "fips.h" + @@ -743,7 +743,8 @@ + struct Key_types key_types_all[] = { #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, - { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, + #ifdef OPENSSL_HAS_ECC +# { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, 
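Review bot: the cipher-ctr.c block (the `#include "fips.h"` and `EVP_CIPH_FLAG_FIPS` change in `evp_aes_128_ctr`) is neutralised by prefixing every line, including its `Index:` and `@@` lines, with `#` rather than being deleted. That works because `patch` skips text outside hunks, but it leaves the FIPS flagging of the AES-CTR cipher silently dropped without recording why. Either remove the dead block or add a line above it stating the reason, so the next FIPS review does not mistake it for an applied change.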
@@ -1056,6 +1060,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; ++++++ openssh-7.7p1-fips_checks.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.962090314 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.970090361 +0200 @@ -459,8 +459,8 @@ --- openssh-8.8p1.orig/sshd.c +++ openssh-8.8p1/sshd.c @@ -1547,6 +1547,10 @@ main(int ac, char **av) - Authctxt *authctxt; struct connection_info *connection_info = NULL; + sigset_t sigmask; + /* initialize fips - can go before ssh_malloc_init(), since that is a + * OpenBSD-only thing (as of OpenSSH 7.6p1) */ ++++++ openssh-7.7p1-ldap.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:10.994090504 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:10.998090527 +0200 @@ -148,7 +148,7 @@ sshkey-xmss.o \ @@ -162,8 +167,8 @@ SFTPSERVER_OBJS=sftp-common.o sftp-serve - SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS) + SFTP_OBJS= sftp.o sftp-usergroup.o progressmeter.o $(SFTP_CLIENT_OBJS) -MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-sk-helper.8.out sshd_config.5.out ssh_config.5.out -MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-sk-helper.8 sshd_config.5 ssh_config.5 @@ -159,7 +159,7 @@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out 
@@ -246,6 +251,9 @@ ssh-sk-helper$(EXEEXT): $(LIBCOMPAT) lib ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) - $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) + $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(CHANNELLIBS) +ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) ++++++ openssh-7.7p1-pam_check_locks.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.014090622 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.018090646 +0200 @@ -10,23 +10,23 @@ --- openssh-8.8p1.orig/auth.c +++ openssh-8.8p1/auth.c 
@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas + if (!pw || !pw->pw_name) return 0; - #ifdef USE_SHADOW -- if (!options.use_pam) -+ if (!options.use_pam || options.use_pam_check_locks) - spw = getspnam(pw->pw_name); - #ifdef HAS_SHADOW_EXPIRE - if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) -@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas - #endif - - /* check for locked account */ -- if (!options.use_pam && passwd && *passwd) { -+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) { - int locked = 0; - - #ifdef LOCKED_PASSWD_STRING +- if (!options.use_pam && platform_locked_account(pw)) { ++ if ((!options.use_pam || options.use_pam_check_locks) && platform_locked_account(pw)) { + logit("User %.100s not allowed because account is locked", + pw->pw_name); + return 0; +#@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas +# #endif +# +# /* check for locked account */ +#- if (!options.use_pam && passwd && *passwd) { +#+ if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) { +# int locked = 0; +# +# #ifdef LOCKED_PASSWD_STRING Index: openssh-8.8p1/servconf.c =================================================================== --- openssh-8.8p1.orig/servconf.c ++++++ openssh-7.7p1-seccomp_ipc_flock.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.038090765 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.046090812 +0200 @@ -37,6 +37,6 @@ + SC_ALLOW(__NR_ipc), +#endif #ifdef __NR_madvise - SC_ALLOW(__NR_madvise), - #endif + SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL), + # ifdef MADV_FREE ++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.070090955 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.070090955 +0200 
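Review bot: the rewritten auth.c hunk now only extends the `platform_locked_account(pw)` check with `options.use_pam_check_locks`; the earlier hunks that also applied the option to `spw = getspnam(pw->pw_name)` under `#ifdef USE_SHADOW` and to the `passwd && *passwd` / `LOCKED_PASSWD_STRING` check are commented out. Confirm that on 9.3p1 `platform_locked_account()` covers both the shadow lookup and the locked-password-string test the old hunks handled; otherwise `use_pam_check_locks` would no longer reject locked accounts on shadow-based systems when PAM is enabled, which is exactly the case this patch exists for. A sentence in the patch header describing what moved upstream would help the next rediff.

Review bot: the new context in the seccomp hunk shows upstream has moved `__NR_madvise` to `SC_ALLOW_ARG(__NR_madvise, 2, MADV_NORMAL)` (matching the 9.3 changelog's move to an allowlist of madvise flags), while the patch's own `SC_ALLOW(__NR_ipc)` still admits the whole ipc(2) multiplexer unfiltered. Worth checking whether the call that needs it can be narrowed with `SC_ALLOW_ARG` to the specific ipc sub-operation, so this rediff does not quietly keep the sandbox wider than upstream now makes it.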
@@ -34,8 +34,8 @@ infile = stdin; while ((ch = getopt(argc, argv, -- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { -+ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { +- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) { ++ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:X:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ case 'A': ++++++ openssh-7.7p1-systemd-notify.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.082091026 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.086091049 +0200 @@ -8,8 +8,9 @@ --- openssh-8.8p1.orig/configure.ac +++ openssh-8.8p1/configure.ac @@ -4751,6 +4751,30 @@ AC_ARG_WITH([kerberos5], - AC_SUBST([GSSLIBS]) +# AC_SUBST([GSSLIBS]) AC_SUBST([K5LIBS]) + AC_SUBST([CHANNELLIBS]) +# Check whether user wants systemd support +SYSTEMD_MSG="no" ++++++ openssh-8.0p1-gssapi-keyex.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.110091192 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.114091215 +0200 @@ -12,7 +12,8 @@ @@ -132,7 +133,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ - auth2-none.o auth2-passwd.o auth2-pubkey.o \ +# auth2-none.o auth2-passwd.o auth2-pubkey.o \ + auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-pubkeyfile.o \ monitor.o monitor_wrap.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ 
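Review bot: in the systemd-notify configure.ac hunk the former context line ` AC_SUBST([GSSLIBS])` becomes `# AC_SUBST([GSSLIBS])` inside the hunk body, right after the `@@ -4751,6 +4751,30 @@` header, without the header's line counts being adjusted. Elsewhere in this update disabled lines are kept outside hunks by prefixing the `@@` line too; please confirm this hunk applies cleanly in the build and, if the intent is that `GSSLIBS` is no longer substituted at that spot, say so in the patch header.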
@@ -379,22 +380,38 @@ /* import options */ extern Options options; -@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt - break; - - /* Do channel operations unless rekeying in progress. */ -- if (!ssh_packet_is_rekeying(ssh)) -+ if (!ssh_packet_is_rekeying(ssh)) { - channel_after_poll(ssh, pfd, npfd_active); +#@@ -1349,9 +1353,18 @@ client_loop(struct ssh *ssh, int have_pt +## Replaced with the section below +# break; +# +# /* Do channel operations unless rekeying in progress. */ +#- if (!ssh_packet_is_rekeying(ssh)) +#+ if (!ssh_packet_is_rekeying(ssh)) { +# channel_after_poll(ssh, pfd, npfd_active); +# +#+#ifdef GSSAPI +#+ if (options.gss_renewal_rekey && +#+ ssh_gssapi_credentials_updated(NULL)) { +#+ debug("credentials updated - forcing rekey"); +#+ need_rekeying = 1; +#+ } +#+#endif +#+ } +#+ +# /* Buffer input from the connection. */ +# if (conn_in_ready) +# client_process_net_input(ssh); +@@ -1349,6 +1353,14 @@ client_loop(struct ssh *ssh, int have_pt + /* Do channel operations. */ + channel_after_poll(ssh, pfd, npfd_active); +#ifdef GSSAPI -+ if (options.gss_renewal_rekey && -+ ssh_gssapi_credentials_updated(NULL)) { -+ debug("credentials updated - forcing rekey"); -+ need_rekeying = 1; -+ } -+#endif ++ if (options.gss_renewal_rekey && ++ ssh_gssapi_credentials_updated(NULL)) { ++ debug("credentials updated - forcing rekey"); ++ need_rekeying = 1; + } ++#endif + /* Buffer input from the connection. */ if (conn_in_ready) @@ -1257,15 +1274,9 @@ =================================================================== --- openssh-8.9p1.orig/kex.c +++ openssh-8.9p1/kex.c -@@ -57,11 +57,16 @@ - #include "misc.h" - #include "dispatch.h" - #include "monitor.h" -+#include "xmalloc.h" - - #include "ssherr.h" - #include "sshbuf.h" +@@ -57,6 +57,10 @@ #include "digest.h" + #include "xmalloc.h" +#ifdef GSSAPI +#include "ssh-gss.h" 
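Review bot: the replacement client_loop hunk keeps forcing `need_rekeying = 1` when GSSAPI credentials are updated but, unlike the commented-out original, no longer sits inside an `if (!ssh_packet_is_rekeying(ssh))` guard, since upstream's new context is just `/* Do channel operations. */` followed by `channel_after_poll`. Confirm that setting `need_rekeying` while a rekey is already in flight is harmless under the 9.3p1 rekey handling, and note that reasoning in the patch header so the dropped guard is not read as an oversight.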
@@ -1274,7 +1285,7 @@ #include "fips.h" /* prototype */ -@@ -119,6 +124,19 @@ static const struct kexalg kexalgs_all[] +@@ -119,6 +123,19 @@ static const struct kexalg kexalgs_all[] #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ { NULL, 0, -1, -1}, }; @@ -1294,7 +1305,7 @@ static const struct kexalg kexalgs_fips140_2[] = { #ifdef WITH_OPENSSL -@@ -146,12 +164,12 @@ static const struct kexalg kexalgs_fips1 +@@ -146,12 +163,12 @@ static const struct kexalg kexalgs_fips1 /* Returns array of macs available depending on selected FIPS mode */ static const struct kexalg * @@ -1309,7 +1320,7 @@ case 1: return kexalgs_fips140_2; default: -@@ -162,13 +180,13 @@ fips_select_kexalgs(void) +@@ -162,13 +179,13 @@ fips_select_kexalgs(void) } char * @@ -1325,7 +1336,7 @@ if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -183,15 +201,31 @@ kex_alg_list(char sep) +@@ -183,15 +200,31 @@ kex_alg_list(char sep) return ret; } @@ -1358,7 +1369,7 @@ return NULL; } -@@ -363,6 +397,29 @@ kex_assemble_names(char **listp, const c +@@ -363,6 +396,29 @@ kex_assemble_names(char **listp, const c return r; } @@ -1385,10 +1396,10 @@ + return 1; +} + - /* put algorithm proposal into buffer */ - int - kex_prop2buf(struct sshbuf *b, char *proposal[PROPOSAL_MAX]) -@@ -765,6 +822,9 @@ kex_free(struct kex *kex) + /* + * Fill out a proposal array with dynamically allocated values, which may + * be modified as required for compatibility reasons. +@@ -765,6 +821,9 @@ kex_free(struct kex *kex) sshbuf_free(kex->session_id); sshbuf_free(kex->initial_sig); sshkey_free(kex->initial_hostkey); 
@@ -1439,9 +1450,9 @@ char *kex_names_cat(const char *, const char *); int kex_assemble_names(char **, const char *, const char *); +int kex_gss_names_valid(const char *); - - int kex_exchange_identification(struct ssh *, int, const char *); - + void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX], + const char *, const char *, const char *, const char *, const char *); + void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]); @@ -209,6 +226,12 @@ int kexgex_client(struct ssh *); int kexgex_server(struct ssh *); int kex_gen_client(struct ssh *); @@ -3511,8 +3522,8 @@ extern Options options; /* -@@ -220,6 +218,11 @@ ssh_kex2(struct ssh *ssh, char *host, st - char *s, *all_key; +@@ -220,10 +218,44 @@ ssh_kex2(struct ssh *ssh, char *host, st + char *s, *all_key, *hkalgs = NULL; int r, use_known_hosts_order = 0; +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3523,9 +3534,6 @@ xxx_host = host; xxx_hostaddr = hostaddr; xxx_conn_info = cinfo; -@@ -264,6 +267,35 @@ ssh_kex2(struct ssh *ssh, char *host, st - compat_pkalg_proposal(ssh, options.hostkeyalgorithms); - } +#if defined(GSSAPI) && defined(WITH_OPENSSL) + if (options.gss_keyex) { @@ -3559,7 +3567,7 @@ if (options.rekey_limit || options.rekey_interval) ssh_packet_set_rekey_limits(ssh, options.rekey_limit, options.rekey_interval); -@@ -282,16 +314,46 @@ ssh_kex2(struct ssh *ssh, char *host, st +@@ -282,17 +314,47 @@ ssh_kex2(struct ssh *ssh, char *host, st # ifdef OPENSSL_HAS_ECC ssh->kex->kex[KEX_ECDH_SHA2] = kex_gen_client; # endif @@ -3592,6 +3600,7 @@ ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); /* remove ext-info from the KEX proposals for rekeying */ + free(myproposal[PROPOSAL_KEX_ALGS]); myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, options.kex_algorithms); +#if defined(GSSAPI) && defined(WITH_OPENSSL) @@ -3751,8 +3760,13 @@ exit(1); } 
@@ -2397,6 +2398,48 @@ do_ssh2_kex(struct ssh *ssh) - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( - ssh, list_hostkey_types()); +# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( +# ssh, list_hostkey_types()); +# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = +# compat_pkalg_proposal(ssh, list_hostkey_types()); +# + + free(hkalgs); +#if defined(GSSAPI) && defined(WITH_OPENSSL) + { 
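Review bot: the lines prefixed with `#` in the `@@ -2397,6 +2398,48 @@ do_ssh2_kex` hunk (`# myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(` and the `prop_hostkey =` variant below it) are not valid unified-diff body lines: a hunk may only contain lines beginning with a space, `+`, `-` or `\`. patch(1) is not required to accept them, and whether they count toward the `+2398,48` new-side length depends on how the tool treats them. Drop the commented-out alternatives, keep the `free(hkalgs);` context line, and recount the hunk so the patch applies unambiguously.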
@@ -3884,22 +3898,40 @@ =================================================================== --- openssh-8.9p1.orig/sshkey.c +++ openssh-8.9p1/sshkey.c -@@ -162,6 +162,7 @@ static const struct keytype keytypes[] = - # endif /* ENABLE_SK */ - # endif /* OPENSSL_HAS_ECC */ - #endif /* WITH_OPENSSL */ -+ { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, - { NULL, NULL, NULL, -1, -1, 0, 0 } +@@ -127,6 +127,17 @@ + extern const struct sshkey_impl sshkey_xmss_impl; + extern const struct sshkey_impl sshkey_xmss_cert_impl; + #endif ++const struct sshkey_impl sshkey_null_impl = { ++ /* .name = */ "null", ++ /* .shortname = */ "null", ++ /* .sigalg = */ NULL, ++ /* .type = */ KEY_NULL, ++ /* .nid = */ 0, ++ /* .cert = */ 0, ++ /* .sigonly = */ 0, ++ /* .keybits = */ 0, ++ /* .funcs = */ NULL, ++}; + + const struct sshkey_impl * const keyimpls[] = { + &sshkey_ed25519_impl, +@@ -162,6 +179,7 @@ static const struct keytype keytypes[] = + &sshkey_xmss_impl, + &sshkey_xmss_cert_impl, + #endif ++ &sshkey_null_impl, + NULL }; -@@ -286,7 +287,7 @@ sshkey_alg_list(int certs_only, int plai - const struct keytype *kt; +@@ -286,7 +304,7 @@ sshkey_alg_list(int certs_only, int plai - for (kt = keytypes; kt->type != -1; kt++) { -- if (kt->name == NULL) -+ if (kt->name == NULL || kt->type == KEY_NULL) + for (i = 0; keyimpls[i] != NULL; i++) { + impl = keyimpls[i]; +- if (impl->name == NULL) ++ if (impl->name == NULL || impl->type == KEY_NULL) continue; - if (!include_sigonly && kt->sigonly) + if (!include_sigonly && impl->sigonly) continue; Index: openssh-8.9p1/sshkey.h =================================================================== ++++++ openssh-8.1p1-audit.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.130091310 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.134091334 +0200 
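Review bot: `sshkey_null_impl` is registered in `keyimpls[]` with `.funcs = NULL`, but only `sshkey_alg_list()` is shown skipping `KEY_NULL` (`impl->name == NULL || impl->type == KEY_NULL`); every other helper that reaches an entry through `keyimpls[]` by type or name and then goes through `impl->funcs->...` (as `sshkey_new()` does for `alloc`) will dereference NULL for this type. Either give the null type a stub `sshkey_impl_funcs` table whose callbacks return an `SSH_ERR_*` code, or add the same `impl->type == KEY_NULL` guard to the lookup helpers, and say in a comment which callers are allowed to see this type.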
@@ -768,8 +768,8 @@ +int user_key_verify(struct ssh *, const struct sshkey *, const u_char *, size_t, + const u_char *, size_t, const char *, u_int, struct sshkey_sig_details **); - FILE *auth_openkeyfile(const char *, struct passwd *, int); - FILE *auth_openprincipals(const char *, struct passwd *, int); + int auth_key_is_revoked(struct sshkey *); + @@ -209,6 +211,8 @@ struct sshkey *get_hostkey_private_by_ty int get_hostkey_index(struct sshkey *, int, struct ssh *); int sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *, @@ -843,8 +843,8 @@ +} + static int - match_principals_option(const char *principal_list, struct sshkey_cert *cert) - { + match_principals_file(struct passwd *pw, char *file, + struct sshkey_cert *cert, struct sshauthopt **authoptsp) Index: openssh-8.9p1/auth2.c =================================================================== --- openssh-8.9p1.orig/auth2.c @@ -934,9 +934,9 @@ --- openssh-8.9p1.orig/kex.c +++ openssh-8.9p1/kex.c @@ -62,6 +62,7 @@ - #include "ssherr.h" #include "sshbuf.h" #include "digest.h" + #include "xmalloc.h" +#include "audit.h" #ifdef GSSAPI @@ -2165,7 +2165,7 @@ @@ -71,10 +77,12 @@ void session_unused(int); int session_input_channel_req(struct ssh *, Channel *, const char *); void session_close_by_pid(struct ssh *ssh, pid_t, int); - void session_close_by_channel(struct ssh *, int, void *); + void session_close_by_channel(struct ssh *, int, int, void *); -void session_destroy_all(struct ssh *, void (*)(Session *)); +void session_destroy_all(struct ssh *, void (*)(struct ssh*, Session *)); void session_pty_cleanup2(Session *); @@ -2357,7 +2357,7 @@ +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s) { struct pollfd *pfd = NULL; - int i, j, ret; + int i, j, ret, npfd; 
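Review bot: the refreshed hunk changes `server_accept_loop()` to take `struct ssh *ssh` as its first parameter, yet in sshd.c `main()` the accept loop runs before `ssh_packet_set_connection()` creates the connection object, so the only value the caller can pass there is NULL. Whatever the added line in the `received_sigterm` branch (`@@ -1179,6 +1234,7 @@`) does with `ssh` must tolerate NULL; cleaner still is to not thread the pointer through and have that audit call take no connection argument. The other hunks here only re-synchronise context (`match_principals_file` replacing `match_principals_option`, `session_close_by_channel` gaining an int, `npfd` in the pollfd loop) and need no change.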
@@ -1179,6 +1234,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", ++++++ openssh-8.1p1-ed25519-use-openssl-rng.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.150091429 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.154091452 +0200 @@ -9,7 +9,7 @@ --- a/ed25519.c +++ b/ed25519.c @@ -9,6 +9,13 @@ - #include "includes.h" + #include "crypto_api.h" +#ifdef WITH_OPENSSL @@ -19,12 +19,12 @@ + +#include "log.h" + - #include "ge25519.h" - - static void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen) + #define int8 crypto_int8 + #define uint8 crypto_uint8 + #define int16 crypto_int16 @@ -33,7 +40,15 @@ int crypto_sign_ed25519_keypair( - unsigned char extsk[64]; - int i; + sc25519 scsk; + ge25519 gepk; +#ifdef WITH_OPENSSL + /* Use FIPS approved RNG */ @@ -32,12 +32,12 @@ + fatal("Couldn't obtain random bytes (error 0x%lx)", + (unsigned long)ERR_get_error()); +#else - randombytes(sk, 32); + randombytes(sk,32); +#endif + - crypto_hash_sha512(extsk, sk, 32); - extsk[0] &= 248; - extsk[31] &= 127; + crypto_hash_sha512(az,sk,32); + az[0] &= 248; + az[31] &= 127; diff --git a/kexc25519.c b/kexc25519.c index f13d766..2604eda 100644 --- a/kexc25519.c ++++++ openssh-8.4p1-vendordir.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.182091618 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.194091689 +0200 @@ -106,7 +106,7 @@ +.Pq Pa /usr/etc/ssh/ssh_config .El .Pp - For each parameter, the first obtained value + Unless noted otherwise, for each parameter, the first obtained value 
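Review bot: the comment `/* Use FIPS approved RNG */` in `crypto_sign_ed25519_keypair()` overstates what the `#ifdef WITH_OPENSSL` branch provides: RAND_bytes(3) draws from a validated DRBG only when libcrypto is running in FIPS mode, and is the ordinary default DRBG otherwise. Reword it to "use libcrypto's RNG (the FIPS DRBG when FIPS mode is enabled)" so a non-FIPS build is not read as carrying that guarantee. The context churn (`extsk` to `az`, the `ge25519.h` include gone, `sc25519 scsk; ge25519 gepk;`) tracks the rewritten ed25519.c in 9.3p1; confirm that `sk` is still the 32-byte seed buffer at the point where the OpenSSL branch fills it, since the hunk only shows `crypto_hash_sha512(az,sk,32)` consuming it afterwards and the `fatal()` on failure reporting `ERR_get_error()`. The vendordir manpage hunk merely follows upstream's "Unless noted otherwise," wording and is fine.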
@@ -2220,6 +2223,11 @@ This file provides defaults for those values that are not specified in the user's configuration file, and for those users who do not have a configuration file. ++++++ openssh-8.9p1.tar.gz -> openssh-9.3p1.tar.gz ++++++ ++++ 73040 lines of diff (skipped) ++++++ openssh-reenable-dh-group14-sha1-default.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.846095555 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.846095555 +0200 @@ -31,7 +31,7 @@ --- openssh-8.9p1.orig/sshd_config.5 +++ openssh-8.9p1/sshd_config.5 @@ -996,7 +996,7 @@ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ec - sntrup761x25519-sha...@openssh.com, + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -diffie-hellman-group14-sha256 ++++++ openssh-whitelist-syscalls.patch ++++++ --- /var/tmp/diff_new_pack.7IQSvn/_old 2023-06-06 19:55:11.858095626 +0200 +++ /var/tmp/diff_new_pack.7IQSvn/_new 2023-06-06 19:55:11.862095650 +0200 @@ -14,7 +14,7 @@ #endif @@ -213,6 +216,9 @@ static const struct sock_filter preauth_ #ifdef __NR_futex_time64 - SC_ALLOW(__NR_futex_time64), + SC_FUTEX(__NR_futex_time64), #endif +#ifdef __NR_futex_time64 + SC_ALLOW(__NR_futex_time64), ++++++ wtmpdb.patch ++++++ diff -ur openssh-8.9p1.old/configure.ac openssh-8.9p1/configure.ac --- openssh-8.9p1.old/configure.ac 2022-02-23 12:31:11.000000000 +0100 +++ openssh-8.9p1/configure.ac 2023-04-17 14:52:21.499002203 +0200 
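Review bot: in openssh-whitelist-syscalls.patch the `@@ -213,6 +216,9 @@` hunk now adds an `#ifdef __NR_futex_time64` / `SC_ALLOW(__NR_futex_time64)` block directly after upstream's own `SC_FUTEX(__NR_futex_time64)`. `SC_FUTEX` allows only a restricted set of futex ops and lets any other op fall through to the next rule of the seccomp program, so the blanket `SC_ALLOW` right behind it readmits every futex op on ABIs that use `futex_time64` and silently undoes the upstream restriction; the block is a leftover from before upstream handled `futex_time64` and should be deleted. In openssh-reenable-dh-group14-sha1-default.patch the sshd_config.5 hunk rewrites the documented default `KexAlgorithms` list by hand (the line after `diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,` replaces `diffie-hellman-group14-sha256`); keep it byte-identical to the compiled-in default in myproposal.h, and since the patch exists to keep a SHA-1 group exchange on by default, record in the changelog why that is still wanted with 9.3p1 rather than carrying it forward silently.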
@@ -1703,6 +1703,49 @@ fi ] ) +# Check whether user wants wtmpdb support +WTMPDB_MSG="no" +AC_ARG_WITH([wtmpdb], + [ --with-wtmpdb[[=PATH]] Enable wtmpdb support for sshd], + [ if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) + if test "x$PKGCONFIG" != "xno"; then + AC_MSG_CHECKING([if $PKGCONFIG knows about wtmpdb]) + if "$PKGCONFIG" libwtmpdb; then + AC_MSG_RESULT([yes]) + use_pkgconfig_for_libwtmpdb=yes + else + AC_MSG_RESULT([no]) + fi + fi + else + CPPFLAGS="$CPPFLAGS -I${withval}/include" + if test -n "${rpath_opt}"; then + LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + fi + if test "x$use_pkgconfig_for_libwtmpdb" = "xyes"; then + LIBWTMPDB=`$PKGCONFIG --libs libwtmpdb` + CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libwtmpdb`" + else + LIBWTMPDB="-lwtmpdb" + fi + OTHERLIBS=`echo $LIBWTMPDB | sed 's/-lwtmpdb//'` + AC_CHECK_LIB([wtmpdb], [wtmpdb_login], + [ AC_DEFINE([USE_WTMPDB], [1], [Use libwtmpdb for sshd]) + WTMPDB_MSG="yes" + AC_SUBST([LIBWTMPDB]) + ], + [ AC_MSG_ERROR([libwtmpdb not found]) ], + [ $OTHERLIBS ] + ) + fi ] +) + + AUDIT_MODULE=none AC_ARG_WITH([audit], [ --with-audit=module Enable audit support (modules=debug,bsm,linux)], diff -ur openssh-8.9p1.old/loginrec.c openssh-8.9p1/loginrec.c --- openssh-8.9p1.old/loginrec.c 2022-02-23 12:31:11.000000000 +0100 +++ openssh-8.9p1/loginrec.c 2023-04-18 10:05:04.311193333 +0200 @@ -187,6 +187,10 @@ # include <util.h> #endif +#ifdef USE_WTMPDB +# include <wtmpdb.h> +#endif + /** ** prototypes for helper functions in this file **/ @@ -207,6 +211,9 @@ int wtmpx_write_entry(struct logininfo *li); int lastlog_write_entry(struct logininfo *li); int syslogin_write_entry(struct logininfo *li); +#ifdef USE_WTMPDB +int wtmpdb_write_entry(struct logininfo *li); +#endif int getlast_entry(struct logininfo *li); int lastlog_get_entry(struct logininfo *li); 
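Review bot: the new `--with-wtmpdb` block probes only one symbol, `AC_CHECK_LIB([wtmpdb], [wtmpdb_login], ...)`, but the loginrec.c code it enables also calls `wtmpdb_get_id()` and `wtmpdb_logout()`; either check those as well or state the minimum libwtmpdb version in the help string, so an older library fails at configure time instead of at link time. Two smaller points: `use_pkgconfig_for_libwtmpdb` is never initialised before `test "x$use_pkgconfig_for_libwtmpdb" = "xyes"` (harmless today because an unset variable compares unequal, but set it to `no` explicitly at the top of the block), and `WTMPDB_MSG` is assigned while this hunk does not add it to the feature summary printed at the end of configure.ac, so the user never sees whether the option took effect.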
@@ -467,6 +474,9 @@ #ifdef USE_WTMPX wtmpx_write_entry(li); #endif +#ifdef USE_WTMPDB + wtmpdb_write_entry(li); +#endif #ifdef CUSTOM_SYS_AUTH_RECORD_LOGIN if (li->type == LTYPE_LOGIN && !sys_auth_record_login(li->username,li->hostname,li->line, @@ -1409,6 +1419,64 @@ } #endif /* USE_WTMPX */ +#ifdef USE_WTMPDB +static int +wtmpdb_perform_login(struct logininfo *li) +{ + uint64_t login_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec; + const char *tty; + + if (strncmp(li->line, "/dev/", 5) == 0) + tty = &(li->line[5]); + else + tty = li->line; + + li->wtmpdb_id = wtmpdb_login(NULL, USER_PROCESS, li->username, + login_time, tty, li->hostname, 0, 0); + if (li->wtmpdb_id < 0) + return (0); + + return (1); +} + + +static int +wtmpdb_perform_logout(struct logininfo *li) +{ + uint64_t logout_time = li->tv_sec * ((uint64_t) 1000000ULL) + li->tv_usec; + + if (li->wtmpdb_id == 0) { + const char *tty; + + if (strncmp(li->line, "/dev/", 5) == 0) + tty = &(li->line[5]); + else + tty = li->line; + + li->wtmpdb_id = wtmpdb_get_id(NULL, tty, NULL); + } + wtmpdb_logout(NULL, li->wtmpdb_id, logout_time, NULL); + + return (1); +} + + +int +wtmpdb_write_entry(struct logininfo *li) +{ + switch(li->type) { + case LTYPE_LOGIN: + return (wtmpdb_perform_login(li)); + case LTYPE_LOGOUT: + return (wtmpdb_perform_logout(li)); + default: + logit("%s: invalid type field", __func__); + return (0); + } +} +#endif + + /** ** Low-level libutil login() functions **/ diff -ur openssh-8.9p1.old/loginrec.h openssh-8.9p1/loginrec.h --- openssh-8.9p1.old/loginrec.h 2022-02-23 12:31:11.000000000 +0100 +++ openssh-8.9p1/loginrec.h 2023-04-17 14:58:20.808850750 +0200 
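Review bot: `wtmpdb_perform_logout()` does not check the result of `wtmpdb_get_id(NULL, tty, NULL)`; if no open entry exists for the tty the id stays negative and is passed straight to `wtmpdb_logout()`, and the function returns 1 regardless of what `wtmpdb_logout()` returns. Add `if (li->wtmpdb_id < 0) { logit("%s: no wtmpdb entry for %s", __func__, tty); return (0); }` and return the library's result instead of a constant. `wtmpdb_perform_login()` has the same blind spot: it passes 0 for the trailing `error` out-parameter and so throws away the failure reason it could have logged before returning 0. Minor: the `/dev/` stripping of `li->line` is duplicated in both functions and belongs in a small helper, and since `li->tv_sec` is `unsigned int` the `(uint64_t)` cast already forces the 64-bit multiply, making the `ULL` suffix redundant.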
@@ -79,6 +79,9 @@ unsigned int tv_sec; unsigned int tv_usec; union login_netinfo hostaddr; /* caller's host address(es) */ +#ifdef USE_WTMPDB + int64_t wtmpdb_id; /* ID for wtmpdb_logout */ +#endif }; /* struct logininfo */ /* diff -ur openssh-8.9p1.old/Makefile.in openssh-8.9p1/Makefile.in --- openssh-8.9p1.old/Makefile.in 2022-02-23 12:31:11.000000000 +0100 +++ openssh-8.9p1/Makefile.in 2023-04-17 14:44:32.156538001 +0200 @@ -55,6 +55,7 @@ SSHDLIBS=@SSHDLIBS@ LIBEDIT=@LIBEDIT@ LIBFIDO2=@LIBFIDO2@ +LIBWTMPDB=@LIBWTMPDB@ AR=@AR@ AWK=@AWK@ RANLIB=@RANLIB@ @@ -212,7 +213,7 @@ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(GSSLIBS) $(CHANNELLIBS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) $(CHANNELLIBS) $(LIBWTMPDB) scp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SCP_OBJS) $(LD) -o $@ $(SCP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
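Review bot: the logout path treats `wtmpdb_id == 0` as "no id recorded", which is only safe because `struct logininfo` is zero-filled by `login_init_entry()` and because libwtmpdb never hands back 0 as a valid row id; document that in the field comment (`/* ID for wtmpdb_logout, 0 = not set */`) so the sentinel is not broken by a later change. `int64_t` requires `<stdint.h>` to be visible wherever loginrec.h is included; includes.h normally provides it, but loginrec.h should not rely on include order silently. In Makefile.in, appending `$(LIBWTMPDB)` to the sshd link line only is correct because loginrec.o is built into sshd alone, and `@LIBWTMPDB@` expands to the empty string when the option is off since `AC_SUBST` is registered at m4 time regardless of the shell branch it sits in.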