Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2016-07-28 23:45:11

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2014-04-17 14:43:48.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-askpass-gnome.changes 2016-07-28 23:45:14.000000000 +0200 @@ -1,0 +2,15 @@ +Mon Jul 25 13:45:53 UTC 2016 - [email protected] + +- fixed url + +------------------------------------------------------------------- +Sun Apr 17 23:27:51 UTC 2016 - [email protected] + +- upgrade to 7.2p2 + +------------------------------------------------------------------- +Tue Feb 10 13:28:56 UTC 2015 - [email protected] + +- changing license to 2-clause BSD to match source + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2016-05-05 13:18:09.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes 2016-07-28 23:45:14.000000000 +0200 
@@ -1,0 +2,594 @@ +Mon Jul 25 13:46:06 UTC 2016 - [email protected] + +- added gpg signature + +------------------------------------------------------------------- +Tue Jun 7 16:52:45 UTC 2016 - [email protected] + +- enable support for SSHv1 protocol and discourage its usage + (bsc#983307) +- enable DSA by default for backward compatibility and discourage + its usage (bsc#983784) + [openssh-7.2p2-allow_DSS_by_default.patch] + +------------------------------------------------------------------- +Mon May 30 00:30:16 UTC 2016 - [email protected] + +- enable trusted X11 forwarding by default + [openssh-7.2p2-X11_trusted_forwarding.patch] +- set UID for lastlog properly + [openssh-7.2p2-lastlog.patch] +- enable use of PAM by default + [openssh-7.2p2-enable_PAM_by_default.patch] +- copy command line arguments properly + [openssh-7.2p2-saveargv-fix.patch] +- do not use pthreads in PAM code + [openssh-7.2p2-dont_use_pthreads_in_PAM.patch] +- fix paths in documentation + [openssh-7.2p2-eal3.patch] +- prevent race consitions triggered by SIGALRM + [openssh-7.2p2-blocksigalrm.patch] +- do send and accept locale environment variables by default + [openssh-7.2p2-send_locale.patch] +- handle hostnames changes during X forwarding + [openssh-7.2p2-hostname_changes_when_forwarding_X.patch] +- try to remove xauth cookies on exit + [openssh-7.2p2-remove_xauth_cookies_on_exit.patch] +- properly format pts names for ?tmp? log files + [openssh-7.2p2-pts_names_formatting.patch] +- check locked accounts when using PAM + [openssh-7.2p2-pam_check_locks.patch] +- chenge default PermitRootLogin to 'yes' to prevent unwanted + surprises on updates from older versions. 
+ See README.SUSE for details + [openssh-7.2p2-allow_root_password_login.patch] +- Disable DH parameters under 2048 bits by default and allow + lowering the limit back to the RFC 4419 specified minimum + through an option (bsc#932483, bsc#948902) + [openssh-7.2p2-disable_short_DH_parameters.patch] +- Add getuid() and stat() syscalls to the seccomp filter + (bsc#912436) + [openssh-7.2p2-seccomp_getuid.patch, + openssh-7.2p2-seccomp_stat.patch] + +------------------------------------------------------------------- +Fri May 27 23:27:51 UTC 2016 - [email protected] + +- upgrade to 7.2p2 + upstream package without any SUSE patches + Distilled upstream log: +- OpenSSH 6.7 + Potentially-incompatible changes: + * sshd(8): The default set of ciphers and MACs has been + altered to remove unsafe algorithms. In particular, CBC + ciphers and arcfour* are disabled by default. + The full set of algorithms remains available if configured + explicitly via the Ciphers and MACs sshd_config options. + * sshd(8): Support for tcpwrappers/libwrap has been removed. + * OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of + connections using the [email protected] KEX + exchange method to fail when connecting with something that + implements the specification correctly. OpenSSH 6.7 disables + this KEX method when speaking to one of the affected + versions. + New Features: + * ssh(1), sshd(8): Add support for Unix domain socket + forwarding. A remote TCP port may be forwarded to a local + Unix domain socket and vice versa or both ends may be a Unix + domain socket. + * ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for + ED25519 key types. + * sftp(1): Allow resumption of interrupted uploads. 
+ * ssh(1): When rekeying, skip file/DNS lookups of the hostkey + if it is the same as the one sent during initial key exchange + * sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind + addresses when GatewayPorts=no; allows client to choose + address family + * sshd(8): Add a sshd_config PermitUserRC option to control + whether ~/.ssh/rc is executed, mirroring the no-user-rc + authorized_keys option + * ssh(1): Add a %C escape sequence for LocalCommand and + ControlPath that expands to a unique identifer based on a + hash of the tuple of (local host, remote user, hostname, + port). Helps avoid exceeding miserly pathname limits for Unix + domain sockets in multiplexing control paths + * sshd(8): Make the "Too many authentication failures" message + include the user, source address, port and protocol in a + format similar to the authentication success / failure + messages + Bugfixes: + * sshd(8): Fix remote forwarding with the same listen port but + different listen address. + * ssh(1): Fix inverted test that caused PKCS#11 keys that were + explicitly listed in ssh_config or on the commandline not to + be preferred. + * ssh-keygen(1): Fix bug in KRL generation: multiple + consecutive revoked certificate serial number ranges could be + serialised to an invalid format. Readers of a broken KRL + caused by this bug will fail closed, so no + should-have-been-revoked key will be accepted. + * ssh(1): Reflect stdio-forward ("ssh -W host:port ...") + failures in exit status. Previously we were always returning 0 + * ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly + in the randomart border + * ssh-agent(1): Only cleanup agent socket in the main agent + process and not in any subprocesses it may have started (e.g. + forked askpass). Fixes agent sockets being zapped when + askpass processes fatal() + * ssh-add(1): Make stdout line-buffered; saves partial output + getting lost when ssh-add fatal()s part-way through (e.g. 
+ when listing keys from an agent that supports key types that + ssh-add doesn't) + * ssh-keygen(1): When hashing or removing hosts, don't choke on + @revoked markers and don't remove @cert-authority markers + * ssh(1): Don't fatal when hostname canonicalisation fails and + a ProxyCommand is in use; continue and allow the ProxyCommand + to connect anyway (e.g. to a host with a name outside the DNS + behind a bastion) + * scp(1): When copying local->remote fails during read, don't + send uninitialised heap to the remote end. + * sftp(1): Fix fatal "el_insertstr failed" errors when + tab-completing filenames with a single quote char somewhere + in the string + * ssh-keyscan(1): Scan for Ed25519 keys by default. + * ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, + down-convert any certificate keys to plain keys and attempt + SSHFP resolution. Prevents a server from skipping SSHFP + lookup and forcing a new-hostkey dialog by offering only + certificate keys. +- OpenSSH 6.8 + Potentially-incompatible changes: + * sshd(8): UseDNS now defaults to 'no'. Configurations that + match against the client host name (via sshd_config or + authorized_keys) may need to re-enable it or convert to + matching against addresses. + New Features: + * Add FingerprintHash option to ssh(1) and sshd(8), and + equivalent command-line flags to the other tools to control + algorithm used for key fingerprints. The default changes from + MD5 to SHA256 and format from hex to base64. + Fingerprints now have the hash algorithm prepended. An + example of the new format: + SHA256:mVPwvezndPv/ARoIadVY98vAC0g+P/5633yTC4d/wXE Please + note that visual host keys will also be different. + * ssh(1), sshd(8): Experimental host key rotation support. Add + a protocol extension for a server to inform a client of all + its available host keys after authentication has completed. 
+ The client may record the keys in known_hosts, allowing it to + upgrade to better host key algorithms and a server to + gracefully rotate its keys. + The client side of this is controlled by a UpdateHostkeys + config option (default off). + * ssh(1): Add a ssh_config HostbasedKeyType option to control + which host public key types are tried during host-based + authentication. + * ssh(1), sshd(8): fix connection-killing host key mismatch + errors when sshd offers multiple ECDSA keys of different + lengths. + * ssh(1): when host name canonicalisation is enabled, try to + parse host names as addresses before looking them up for + canonicalisation. fixes bz#2074 and avoiding needless DNS + lookups in some cases. + * ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer + require OpenSSH to be compiled with OpenSSL support. + * ssh(1), ssh-keysign(8): Make ed25519 keys work for host based + authentication. + * sshd(8): SSH protocol v.1 workaround for the Meyer, et al, + Bleichenbacher Side Channel Attack. Fake up a bignum key + before RSA decryption. + * sshd(8): Remember which public keys have been used for + authentication and refuse to accept previously-used keys. + This allows AuthenticationMethods=publickey,publickey to + require that users authenticate using two _different_ public + keys. + * sshd(8): add sshd_config HostbasedAcceptedKeyTypes and + PubkeyAcceptedKeyTypes options to allow sshd to control what + public key types will be accepted. Currently defaults to all. + * sshd(8): Don't count partial authentication success as a + failure against MaxAuthTries. + * ssh(1): Add RevokedHostKeys option for the client to allow + text-file or KRL-based revocation of host keys. + * ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates + by serial number or key ID without scoping to a particular + CA. + * ssh(1): Add a "Match canonical" criteria that allows + ssh_config Match blocks to trigger only in the second config + pass. 
+ * ssh(1): Add a -G option to ssh that causes it to parse its ++++ 397 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh.changes ++++ and /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes Old: ---- CVE-2016-0777_CVE-2016-0778.patch README.SuSE openssh-6.6p1-X11-forwarding.patch openssh-6.6p1-X_forward_with_disabled_ipv6.patch openssh-6.6p1-audit1-remove_duplicit_audit.patch openssh-6.6p1-audit2-better_audit_of_user_actions.patch openssh-6.6p1-audit3-key_auth_usage-fips.patch openssh-6.6p1-audit3-key_auth_usage.patch openssh-6.6p1-audit4-kex_results-fips.patch openssh-6.6p1-audit4-kex_results.patch openssh-6.6p1-audit5-session_key_destruction.patch openssh-6.6p1-audit6-server_key_destruction.patch openssh-6.6p1-audit7-libaudit_compat.patch openssh-6.6p1-audit8-libaudit_dns_timeouts.patch openssh-6.6p1-blocksigalrm.patch openssh-6.6p1-curve25519-6.6.1p1.patch openssh-6.6p1-default-protocol.patch openssh-6.6p1-disable-openssl-abi-check.patch openssh-6.6p1-eal3.patch openssh-6.6p1-fingerprint_hash.patch openssh-6.6p1-fips-checks.patch openssh-6.6p1-fips.patch openssh-6.6p1-gssapi_key_exchange.patch openssh-6.6p1-gssapimitm.patch openssh-6.6p1-host_ident.patch openssh-6.6p1-key-converter.patch openssh-6.6p1-lastlog.patch openssh-6.6p1-ldap.patch openssh-6.6p1-login_options.patch openssh-6.6p1-no_fork-no_pid_file.patch openssh-6.6p1-pam-check-locks.patch openssh-6.6p1-pam-fix2.patch openssh-6.6p1-pam-fix3.patch openssh-6.6p1-pts.patch openssh-6.6p1-saveargv-fix.patch openssh-6.6p1-seccomp_getuid.patch openssh-6.6p1-seccomp_stat.patch openssh-6.6p1-seed-prng.patch openssh-6.6p1-send_locale.patch openssh-6.6p1-sftp_force_permissions.patch openssh-6.6p1-sftp_homechroot.patch openssh-6.6p1-xauth.patch openssh-6.6p1-xauthlocalhostname.patch openssh-6.6p1.tar.gz openssh-6.6p1.tar.gz.asc openssh.keyring New: ---- README.FIPS README.SUSE cavs_driver-ssh.pl openssh-7.2p2-X11_trusted_forwarding.patch openssh-7.2p2-allow_DSS_by_default.patch 
openssh-7.2p2-allow_root_password_login.patch openssh-7.2p2-blocksigalrm.patch openssh-7.2p2-disable_short_DH_parameters.patch openssh-7.2p2-dont_use_pthreads_in_PAM.patch openssh-7.2p2-eal3.patch openssh-7.2p2-enable_PAM_by_default.patch openssh-7.2p2-hostname_changes_when_forwarding_X.patch openssh-7.2p2-lastlog.patch openssh-7.2p2-pam_check_locks.patch openssh-7.2p2-pts_names_formatting.patch openssh-7.2p2-remove_xauth_cookies_on_exit.patch openssh-7.2p2-seccomp_getuid.patch openssh-7.2p2-seccomp_stat.patch openssh-7.2p2-send_locale.patch openssh-7.2p2.tar.gz openssh-7.2p2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.A2ABBr/_old 2016-07-28 23:45:16.000000000 +0200 +++ /var/tmp/diff_new_pack.A2ABBr/_new 2016-07-28 23:45:16.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package openssh-askpass-gnome # -# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -26,15 +26,16 @@ BuildRequires: pam-devel BuildRequires: tcpd-devel BuildRequires: update-desktop-files -Version: 6.6p1 +Version: 7.2p2 Release: 0 Requires: openssh = %{version} Summary: A GNOME-Based Passphrase Dialog for OpenSSH -License: BSD-3-Clause +License: BSD-2-Clause Group: Productivity/Networking/SSH Url: http://www.openssh.com/ %define _name openssh -Source: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz +Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz +Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc BuildRoot: %{_tmppath}/%{name}-%{version}-build %description ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.A2ABBr/_old 2016-07-28 23:45:16.000000000 +0200 +++ /var/tmp/diff_new_pack.A2ABBr/_new 2016-07-28 23:45:16.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package openssh # -# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
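Review bot: In the openssh-askpass-gnome.spec hunk at -26,15, Source42 adds the detached signature openssh-%{version}.tar.gz.asc, but this spec declares no keyring and nothing in it verifies the signature, so the .asc only documents that a signature exists; add the release keyring as a source next to it, or leave Source42 out until verification is wired up. Switching the download URL from ftp:// to http:// does not change the fact that the tarball itself still arrives unauthenticated.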
@@ -86,25 +86,20 @@ %if %{uses_systemd} BuildRequires: pkgconfig(systemd) %{?systemd_requires} -%else -PreReq: %{insserv_prereq} %endif -PreReq: pwdutils %{fillup_prereq} coreutils -Conflicts: nonfreessh -Recommends: xauth -Recommends: %{name}-helpers -Version: 6.6p1 +BuildRequires: tcpd-devel +PreReq: pwdutils %{insserv_prereq} %{fillup_prereq} coreutils +Version: 7.2p2 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) -License: BSD-3-Clause and MIT +License: BSD-2-Clause and MIT Group: Productivity/Networking/SSH Url: http://www.openssh.com/ -Source: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz -Source42: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc -Source43: openssh.keyring +Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz +Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source1: sshd.init Source2: sshd.pamd -Source3: README.SuSE +Source3: README.SUSE Source4: README.kerberos Source5: ssh.reg Source6: ssh-askpass 
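Review bot: In the openssh.spec hunk at -86,25, `Source43: openssh.keyring` is removed while Source42 (the .asc detached signature) is kept, which contradicts the July 25 changelog entry "added gpg signature": without the keyring there is no trust anchor to check the .asc against, so the signature file is shipped but never verified. Keep the keyring (the Old: file list shows it was present before) or say where the verifying key is expected to come from. The new `BuildRequires: tcpd-devel` in the same hunk reintroduces a dependency that the distilled upstream log above says was dropped in 6.7 ("Support for tcpwrappers/libwrap has been removed"), so it is a dead build requirement.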
@@ -112,49 +107,32 @@ Source8: sysconfig.ssh Source9: sshd-gen-keys-start Source10: sshd.service -Patch0: openssh-6.6p1-curve25519-6.6.1p1.patch -Patch1: openssh-6.6p1-key-converter.patch -Patch2: openssh-6.6p1-X11-forwarding.patch -Patch3: openssh-6.6p1-lastlog.patch -Patch4: openssh-6.6p1-pam-fix2.patch -Patch5: openssh-6.6p1-saveargv-fix.patch -Patch6: openssh-6.6p1-pam-fix3.patch -Patch7: openssh-6.6p1-gssapimitm.patch -Patch8: openssh-6.6p1-eal3.patch -Patch9: openssh-6.6p1-blocksigalrm.patch -Patch10: openssh-6.6p1-send_locale.patch -Patch11: openssh-6.6p1-xauthlocalhostname.patch -Patch12: openssh-6.6p1-xauth.patch -Patch13: openssh-6.6p1-default-protocol.patch -Patch14: openssh-6.6p1-pts.patch -Patch15: openssh-6.6p1-pam-check-locks.patch -Patch16: openssh-6.6p1-fingerprint_hash.patch -Patch17: openssh-6.6p1-fips.patch -Patch18: openssh-6.6p1-audit1-remove_duplicit_audit.patch -Patch19: openssh-6.6p1-audit2-better_audit_of_user_actions.patch -Patch20: openssh-6.6p1-audit3-key_auth_usage.patch -Patch21: openssh-6.6p1-audit3-key_auth_usage-fips.patch -Patch22: openssh-6.6p1-audit4-kex_results.patch -Patch23: openssh-6.6p1-audit4-kex_results-fips.patch -Patch24: openssh-6.6p1-audit5-session_key_destruction.patch -Patch25: openssh-6.6p1-audit6-server_key_destruction.patch -Patch26: openssh-6.6p1-audit7-libaudit_compat.patch -Patch27: openssh-6.6p1-audit8-libaudit_dns_timeouts.patch -Patch28: openssh-6.6p1-seed-prng.patch -Patch29: openssh-6.6p1-gssapi_key_exchange.patch -Patch30: openssh-6.6p1-login_options.patch -Patch31: openssh-6.6p1-disable-openssl-abi-check.patch -Patch32: openssh-6.6p1-no_fork-no_pid_file.patch -Patch33: openssh-6.6p1-host_ident.patch -Patch34: openssh-6.6p1-sftp_homechroot.patch -Patch35: openssh-6.6p1-sftp_force_permissions.patch -Patch36: openssh-6.6p1-seccomp_getuid.patch -Patch37: openssh-6.6p1-seccomp_stat.patch -Patch38: openssh-6.6p1-X_forward_with_disabled_ipv6.patch -Patch39: openssh-6.6p1-fips-checks.patch -Patch40: 
openssh-6.6p1-ldap.patch -Patch41: CVE-2016-0777_CVE-2016-0778.patch +Source11: README.FIPS +Source12: cavs_driver-ssh.pl +Patch00: openssh-7.2p2-allow_root_password_login.patch +Patch01: openssh-7.2p2-allow_DSS_by_default.patch +Patch02: openssh-7.2p2-X11_trusted_forwarding.patch +Patch03: openssh-7.2p2-lastlog.patch +Patch04: openssh-7.2p2-enable_PAM_by_default.patch +Patch05: openssh-7.2p2-dont_use_pthreads_in_PAM.patch +Patch06: openssh-7.2p2-eal3.patch +Patch07: openssh-7.2p2-blocksigalrm.patch +Patch08: openssh-7.2p2-send_locale.patch +Patch09: openssh-7.2p2-hostname_changes_when_forwarding_X.patch +Patch10: openssh-7.2p2-remove_xauth_cookies_on_exit.patch +Patch11: openssh-7.2p2-pts_names_formatting.patch +Patch12: openssh-7.2p2-pam_check_locks.patch +Patch13: openssh-7.2p2-disable_short_DH_parameters.patch +Patch14: openssh-7.2p2-seccomp_getuid.patch +Patch15: openssh-7.2p2-seccomp_stat.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build +Conflicts: nonfreessh +Recommends: audit +Recommends: xauth +Recommends: %{name}-helpers = %{version}-%{release} +Conflicts: %{name}-fips < %{version}-%{release} , %{name}-fips > %{version}-%{release} +%define CHECKSUM_SUFFIX .hmac +%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" %description SSH (Secure Shell) is a program for logging into and executing commands 
@@ -169,76 +147,59 @@ %package helpers Summary: OpenSSH AuthorizedKeysCommand helpers Group: Productivity/Networking/SSH -Requires: openssh +Requires: %{name} = %{version}-%{release} %description helpers Helper applications for OpenSSH which retrieve keys from various sources. %package fips -Summary: OpenSSH FIPS cryptomodule hashes +Summary: OpenSSH FIPS cryptomodule HMACs Group: Productivity/Networking/SSH -Requires: openssh +Requires: %{name} = %{version}-%{release} +Conflicts: %{name} < %{version}-%{release} , %{name} > %{version}-%{release} +Obsoletes: %{name}-hmac %description fips Hashes that together with the main package form the FIPS certifiable cryptomodule. +%package cavs +Summary: OpenSSH FIPS cryptomodule CAVS tests +Group: Productivity/Networking/SSH +Requires: %{name} = %{version}-%{release} + +%description cavs +FIPS140 CAVS tests related parts of the OpenSSH package + + %prep %setup -q -%patch0 -p2 -#patch1 -p2 -%patch2 -p2 -%patch3 -p2 -%patch4 -p2 -%patch5 -p2 -%patch6 -p2 -%patch7 -p2 -%patch8 -p2 -%patch9 -p2 +%patch00 -p2 +%patch01 -p2 +%patch02 -p2 +%patch03 -p2 +%patch04 -p2 +%patch05 -p2 +%patch06 -p2 +%patch07 -p2 +%patch08 -p2 +%patch09 -p2 %patch10 -p2 %patch11 -p2 %patch12 -p2 %patch13 -p2 %patch14 -p2 %patch15 -p2 -%patch16 -p2 -%patch17 -p2 -%patch18 -p2 -%patch19 -p2 -%patch20 -p2 -%patch21 -p2 -%patch22 -p2 -%patch23 -p2 -%patch24 -p2 -%patch25 -p2 -%patch26 -p2 -%if 0%{?suse_version} > 1310 -%patch27 -p2 -%endif -%patch28 -p2 -%patch29 -p2 -%patch30 -p2 -%patch31 -p2 -%patch32 -p2 -%patch33 -p2 -%patch34 -p2 -%patch35 -p2 -%patch36 -p2 -%patch37 -p2 -%patch38 -p2 -%patch39 -p2 -%patch40 -p2 -%patch41 -p0 -cp %{SOURCE3} %{SOURCE4} . +cp %{SOURCE3} %{SOURCE4} %{SOURCE11} . 
%build -# set libexec dir in the LDAP patch -sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \ - $( grep -Rl @LIBEXECDIR@ \ - $( grep "^+++" %{PATCH40} | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) - ) +#### set libexec dir in the LDAP patch +###sed -i.libexec 's,@LIBEXECDIR@,%{_libexecdir}/ssh,' \ +### $( grep -Rl @LIBEXECDIR@ \ +### $( grep "^+++" %{PATCH40} | sed -r 's@^.+/([^/\t ]+).*$@\1@' ) +### ) autoreconf -fiv %ifarch s390 s390x %sparc @@ -247,22 +208,17 @@ PIEFLAGS="-fpie" %endif CFLAGS="%{optflags} $PIEFLAGS -fstack-protector" -#%if 0%{?suse_version} < 1230 -#CFLAGS="-lrt $CFLAGS" -#%endif CXXFLAGS="%{optflags} $PIEFLAGS -fstack-protector" LDFLAGS="-pie -Wl,--as-needed" -#%if 0%{?suse_version} < 1230 -#LDFLAGS="-lrt $LDFLAGS" -#%endif #CPPFLAGS="%{optflags} -DUSE_INTERNAL_B64" export LDFLAGS CFLAGS CXXFLAGS CPPFLAGS -./configure \ +%configure \ --prefix=%{_prefix} \ --mandir=%{_mandir} \ --infodir=%{_infodir} \ --sysconfdir=%{_sysconfdir}/ssh \ --libexecdir=%{_libexecdir}/ssh \ + --with-tcp-wrappers \ %if %{has_libselinux} --with-selinux \ %endif @@ -288,6 +244,7 @@ %if %{needs_libedit} --with-libedit \ %endif + --with-ssh1 \ --target=%{_target_cpu}-suse-linux \ ### configure end @@ -330,6 +287,7 @@ # askpass wrapper sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE6} > %{buildroot}%{_libexecdir}/ssh/ssh-askpass +sed -e "s,@LIBEXECDIR@,%{_libexecdir},g" < %{SOURCE12} > %{buildroot}%{_libexecdir}/ssh/cavs_driver-ssh.pl rm -f %{buildroot}%{_datadir}/Ssh.bin # sshd keys generator wrapper install -D -m 0755 %{SOURCE9} %{buildroot}%{_sbindir}/sshd-gen-keys-start 
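Review bot: In the %prep/%build hunk at -169,76, the LDAP sed block is commented out with ### instead of being deleted; Patch40 (openssh-6.6p1-ldap.patch) no longer exists in this spec, so the commented block references %{PATCH40}, a macro that is now undefined, and cannot be revived in this form. Delete it, and the matching ### lines in the %files sections, so the spec does not accumulate dead code.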
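Review bot: In the hunk at -247,22, `--with-tcp-wrappers` is added to the configure call, but the OpenSSH 6.7 notes in this very changelog state that tcpwrappers/libwrap support was removed upstream, so the 7.2p2 configure script has no such option and will merely warn and ignore it; drop the flag together with the tcpd-devel BuildRequires, or, if hosts.allow/hosts.deny filtering is still expected on these systems, state in README.SUSE that it is no longer provided by sshd, because the flag does not restore it. Also, `%configure` already passes --prefix, --mandir, --infodir, --sysconfdir and --libexecdir; the explicit repeats are harmless (the later value wins) but can go.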
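Review bot: In the hunk at -288,6, `--with-ssh1` compiles protocol 1 support into the binaries, which README.SUSE below then tells users not to use. Since the option is build-time only, make sure the shipped sshd_config and ssh_config keep the upstream `Protocol 2` default so that v1 is available only when an administrator explicitly opts in, and say so in README.SUSE next to the warning.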
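Review bot: In the hunk at -330,6, cavs_driver-ssh.pl is installed through a sed that replaces @LIBEXECDIR@; that substitution is mandatory, not cosmetic, because the script interpolates the placeholder inside a double-quoted Perl string under `use strict`, where an unsubstituted `@LIBEXECDIR` is parsed as an array and aborts compilation. A `perl -c` on the installed file in %check would catch a broken substitution early.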
@@ -342,13 +300,12 @@ # this shows up earlier because otherwise the %expand of # the macro is too late. %{expand:%%global __os_install_post {%__os_install_post - for b in \ %{_bindir}/ssh \ %{_sbindir}/sshd \ %{_libexecdir}/ssh/sftp-server \ ; do - ( printf "\03"; openssl dgst -sha256 -binary < %{buildroot}$b ) > %{buildroot}$b.chk + openssl dgst -sha256 -binary -hmac %{CHECKSUM_HMAC_KEY} < %{buildroot}$b > %{buildroot}$b%{CHECKSUM_SUFFIX} done }} @@ -376,6 +333,10 @@ %endif %postun +# The openssh-fips trigger script for openssh will normally restart sshd once +# it gets installed, so only restart the service here is openssh-fips is not +# present +rpm -q openssh-fips >& /dev/null && DISABLE_RESTART_ON_UPDATE=yes %if %{uses_systemd} %service_del_postun sshd.service %else @@ -383,13 +344,17 @@ %{insserv_cleanup} %endif +%triggerin -n openssh-fips -- %{name} = %{version}-%{release} +%restart_on_update sshd + %files %defattr(-,root,root) -%exclude %{_bindir}/*.chk -%exclude %{_sbindir}/*.chk -%exclude %{_libexecdir}/ssh/sftp-server.chk +%exclude %{_bindir}/ssh%{CHECKSUM_SUFFIX} +%exclude %{_sbindir}/sshd%{CHECKSUM_SUFFIX} +%exclude %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX} +%exclude %{_libexecdir}/ssh/cavs* %dir %attr(755,root,root) /var/lib/sshd -%doc README.SuSE README.kerberos ChangeLog OVERVIEW README TODO LICENCE CREDITS +%doc README.SUSE README.kerberos README.FIPS ChangeLog OVERVIEW README TODO LICENCE CREDITS %attr(0755,root,root) %dir %{_sysconfdir}/ssh %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli %verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config @@ -405,7 +370,7 @@ %attr(0755,root,root) %{_bindir}/* %attr(0755,root,root) %{_sbindir}/* %attr(0755,root,root) %dir %{_libexecdir}/ssh -%exclude %{_libexecdir}/ssh/ssh-ldap* +###%exclude %{_libexecdir}/ssh/ssh-ldap* %attr(0755,root,root) %{_libexecdir}/ssh/* %attr(0444,root,root) %doc %{_mandir}/man1/* %attr(0444,root,root) %doc %{_mandir}/man5/* 
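Review bot: In the hunk at -342,13, the HMAC key is embedded in clear text in the spec (`%define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"`), so the .hmac files are a FIPS power-up integrity check against accidental corruption, not protection against deliberate modification: whoever can alter the binary can recompute the HMAC. That is acceptable for the FIPS 140 integrity test, but README.FIPS should say so, and the verifying side must use exactly the same key string with the surrounding double quotes removed (the shell strips them here), otherwise the integrity check fails on every start. Since the `printf "\03"` prefix is gone, the old .chk and new .hmac formats are not interchangeable, which the Conflicts/Obsoletes lines on the fips subpackage correctly account for.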
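Review bot: In the %postun hunk at -376,6, the comment reads "only restart the service here is openssh-fips is not present" ("is" should be "if"), and `>&` is a bash-only redirection; rpm scriptlets run under /bin/sh, so `>/dev/null 2>&1` is the safe spelling. The intent also deserves one more comment line: DISABLE_RESTART_ON_UPDATE=yes is set when openssh-fips is installed, deferring the restart to the %triggerin in the next hunk, so if that trigger does not fire for any reason, sshd keeps running the old binary until someone restarts it by hand.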
@@ -424,15 +389,19 @@ %files helpers %defattr(-,root,root) %attr(0755,root,root) %dir %{_sysconfdir}/ssh -%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf +###%verify(not mode) %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ldap.conf %attr(0755,root,root) %dir %{_libexecdir}/ssh -%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap* -%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema +###%attr(0755,root,root) %{_libexecdir}/ssh/ssh-ldap* +###%doc HOWTO.ldap-keys openssh-lpk-openldap.schema openssh-lpk-sun.schema %files fips %defattr(-,root,root) -%attr(0444,root,root) %{_bindir}/ssh.chk -%attr(0444,root,root) %{_sbindir}/sshd.chk -%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server.chk +%attr(0444,root,root) %{_bindir}/ssh%{CHECKSUM_SUFFIX} +%attr(0444,root,root) %{_sbindir}/sshd%{CHECKSUM_SUFFIX} +%attr(0444,root,root) %{_libexecdir}/ssh/sftp-server%{CHECKSUM_SUFFIX} + +%files cavs +%defattr(-,root,root) +%attr(0755,root,root) %{_libexecdir}/ssh/cavs* %changelog

++++++ README.SUSE ++++++

This is OpenSSH version 7.2p2 for SLE12

The following changes were made to the default settings of the ssh client
and server:

 * Accepting and sending of locale environment variables in protocol 2 is
   enabled.
 * PAM authentication is enabled.
 * root authentication with password is enabled by default
   (PermitRootLogin yes).
   NOTE: this has security implications and is only done in order not to
   change the behaviour of the server in an update. We strongly suggest
   setting this option either to "prohibit-password" or, even better, to
   "no" (which disables direct remote root login entirely).
 * SSH protocol version 1 is enabled for maximum compatibility.
   NOTE: do not use protocol version 1. It is less secure than v2 and
   should generally be phased out.
 * DSA authentication is enabled by default for maximum compatibility.
   NOTE: do not use DSA authentication since it is being phased out for a
   reason: the size of DSA keys is limited by the standard to 1024 bits,
   which cannot be considered safe any more.

For more information on differences in the SUSE OpenSSH package see
README.FIPS

++++++ cavs_driver-ssh.pl ++++++

#!/usr/bin/env perl
#
# CAVS test driver for OpenSSH
#
# Copyright (C) 2015, Stephan Mueller <[email protected]>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
#                            NO WARRANTY
#
# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
# REPAIR OR CORRECTION.
#
# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGES.
#

use strict;
use warnings;
use IPC::Open2;

# Executing a program by feeding STDIN and retrieving
# STDOUT
# $1: data string to be piped to the app on STDIN
# rest: program and args
# returns: STDOUT of program as string
sub pipe_through_program($@) {
    my $in = shift;
    my @args = @_;
    my ($CO, $CI);
    my $pid = open2($CO, $CI, @args);

    my $out = "";
    my $len = length($in);
    my $first = 1;
    while (1) {
        my $rin = "";
        my $win = "";
        # Output of prog is FD that we read
        vec($rin, fileno($CO), 1) = 1;
        # Input of prog is FD that we write
        # check for $first is needed because we can have NULL input
        # that is to be written to the app
        if ($len > 0 || $first) {
            vec($win, fileno($CI), 1) = 1;
            $first = 0;
        }
        # Let us wait for 100ms
        my $nfound = select(my $rout = $rin, my $wout = $win, undef, 0.1);
        if ($wout) {
            my $written = syswrite($CI, $in, $len);
            die "broken pipe" if !defined $written;
            $len -= $written;
            substr($in, 0, $written) = "";
            if ($len <= 0) {
                # all input delivered: close the child's STDIN so it sees EOF
                close $CI or die "broken pipe: $!";
            }
        }
        if ($rout) {
            my $tmp_out = "";
            my $bytes_read = sysread($CO, $tmp_out, 4096);
            $out .= $tmp_out;
            # EOF on the child's STDOUT means the program has finished
            last if ($bytes_read == 0);
        }
    }
    close $CO or die "broken pipe: $!";
    waitpid $pid, 0;
    return $out;
}

# Parser of CAVS test vector file
# $1: Test vector file
# $2: Output file for test results
# return: nothing
sub parse($$) {
    my $infile = shift;
    my $outfile = shift;

    my $out = "";
    my $K = "";
    my $H = "";
    my $session_id = "";
    # all three lengths are required before a vector is run; "" / 0 mean
    # "not seen yet"
    my $ivlen = "";
    my $eklen = "";
    my $iklen = 0;

    open(IN, "<$infile") or die "Cannot open test vector file $infile: $!";
    while (<IN>) {
        my $line = $_;
        chomp($line);
        $line =~ s/\r//;

        # the hash named in the section header fixes the integrity key length
        if ($line =~ /\[SHA-1\]/) {
            $iklen = 20;
        } elsif ($line =~ /\[SHA-256\]/) {
            $iklen = 32;
        } elsif ($line =~ /\[SHA-384\]/) {
            $iklen = 48;
        } elsif ($line =~ /\[SHA-512\]/) {
            $iklen = 64;
        } elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
            # lengths in the vector file are in bits; the tool wants bytes
            $ivlen = $1;
            $ivlen = $ivlen / 8;
        } elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
            $eklen = $1;
            $eklen = $eklen / 8;
        } elsif ($line =~ /^K\s*=\s*(.*)/) {
            # strip the 4-byte length prefix of the mpint and force a
            # leading zero byte
            $K = $1;
            $K = substr($K, 8);
            $K = "00" . $K;
        } elsif ($line =~ /^H\s*=\s*(.*)/) {
            $H = $1;
        } elsif ($line =~ /^session_id\s*=\s*(.*)/) {
            $session_id = $1;
        }
        $out .= $line . "\n";

        if ($K ne "" && $H ne "" && $session_id ne "" &&
            $ivlen ne "" && $eklen ne "" && $iklen > 0) {
            # @LIBEXECDIR@ is substituted by the spec file at install time
            $out .= pipe_through_program("", "@LIBEXECDIR@/ssh/cavstest-kdf -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
            $K = "";
            $H = "";
            $session_id = "";
        }
    }
    close IN;
    $out =~ s/\n/\r\n/g; # make it a dos file
    open(OUT, ">$outfile") or die "Cannot create output file $outfile: $!";
    print OUT $out;
    close OUT;
}

############################################################
#
# let us pretend to be C :-)
sub main() {
    my $infile = $ARGV[0];
    die "Usage: $0 <test vector file>.req\n" unless defined $infile;
    die "Error: Test vector file $infile not found" if (! -f $infile);

    my $outfile = $infile;
    # let us add .rsp regardless whether we could strip .req
    $outfile =~ s/\.req$//;
    $outfile .= ".rsp";

    if (-f $outfile) {
        die "Output file $outfile could not be removed: $!"
            unless unlink($outfile);
    }
    print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";

    # Do the job
    parse($infile, $outfile);
}

###########################################
# Call it
main();
1;

++++++ openssh-7.2p2-X11_trusted_forwarding.patch ++++++ # HG changeset patch # Parent 48bbbfeff186061b7fd4795bff15f15f571e2c8f # enable trusted X11 forwarding by default in both sshd and sshsystem-wide # configuration # bnc#50836 (was suse #35836) Enable Trusted X11 forwarding by default, since the security benefits of having it disabled are negligible these days with XI2 being widely used. diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config --- a/openssh-7.2p2/ssh_config +++ b/openssh-7.2p2/ssh_config @@ -12,19 +12,30 @@ # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. -# Host * +Host * # ForwardAgent no # ForwardX11 no + +# If you do not trust your remote host (or its administrator), you +# should not forward X11 connections to your local X11-display for +# security reasons: Someone stealing the authentification data on the +# remote side (the "spoofed" X-server by the remote sshd) can read your +# keystrokes as you type, just like any other X11 client could do. +# Set this to "no" here for global effect or in your own ~/.ssh/config +# file if you want to have the remote X11 authentification data to +# expire after twenty minutes after remote login. + ForwardX11Trusted yes + # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # BatchMode no # CheckHostIP yes
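Review bot: In the ssh_config hunk at -12,19, the added comment spells "authentification" twice; it should be "authentication". The comment's explanation is accurate: with ForwardX11Trusted yes the remote side becomes a fully trusted X client that can read keystrokes, so this changed default belongs in README.SUSE's list of altered settings, which currently names locale forwarding, PAM, root login, protocol 1 and DSA but not X11.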
diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config --- a/openssh-7.2p2/sshd_config +++ b/openssh-7.2p2/sshd_config @@ -94,17 +94,17 @@ AuthorizedKeysFile .ssh/authorized_keys # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no -#X11Forwarding no +X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation sandbox ++++++ openssh-7.2p2-allow_DSS_by_default.patch ++++++ # HG changeset patch # Parent 2730f36bee0d6e141d8391b414a702e1add5a853 Enable DSS authentication by default to maintain compatibility with older versions. bsc#983784 diff --git a/openssh-7.2p2/myproposal.h b/openssh-7.2p2/myproposal.h --- a/openssh-7.2p2/myproposal.h +++ b/openssh-7.2p2/myproposal.h @@ -94,21 +94,23 @@ #define KEX_CLIENT_KEX KEX_COMMON_KEX \ "diffie-hellman-group-exchange-sha1," \ "diffie-hellman-group14-sha1" #define KEX_DEFAULT_PK_ALG \ HOSTKEY_ECDSA_CERT_METHODS \ "[email protected]," \ "[email protected]," \ + "[email protected]," \ HOSTKEY_ECDSA_METHODS \ "ssh-ed25519," \ "rsa-sha2-512," \ "rsa-sha2-256," \ - "ssh-rsa" + "ssh-rsa," \ + "ssh-dss" /* the actual algorithms */ #define KEX_SERVER_ENCRYPT \ "[email protected]," \ "aes128-ctr,aes192-ctr,aes256-ctr" \ AESGCM_CIPHER_MODES diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5 --- a/openssh-7.2p2/ssh_config.5 +++ b/openssh-7.2p2/ssh_config.5 
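Review bot: the ssh_config hunk of the X11_trusted_forwarding patch spells "authentification" twice in the new comment block (should be "authentication"), and the comment's own wording, that whoever obtains the auth data on the remote side "can read your keystrokes as you type", contradicts the patch header's claim that disabling trusted forwarding has negligible benefit. Since the hunk also uncomments "Host *" so the whole block now applies to every host, the header should state the actual compatibility reason for choosing ForwardX11Trusted yes rather than calling the protection negligible.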
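Review bot: the sshd_config hunk switches on X11Forwarding yes only in the shipped configuration file, not in the compiled-in default, so administrators who carry over an existing sshd_config keep the upstream "no"; the header says "in both sshd and ssh system-wide configuration", which reads as a code change, so say it is config-file only. It is also worth noting in the message that "#X11UseLocalhost yes" is left at its default, so the forwarded display stays bound to loopback on the server.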
@@ -887,19 +887,19 @@ Alternately if the specified value begin character, then the specified key types will be appended to the default set instead of replacing them. The default for this option is: .Bd -literal -offset 3n [email protected], [email protected], [email protected], [email protected], [email protected], [email protected],[email protected], ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ssh-rsa +ssh-ed25519,ssh-rsa,ssh-dss .Ed .Pp If hostkeys are known for the destination host then this default is modified to prefer their algorithms. .Pp The list of available key types may also be obtained using the .Fl Q option of @@ -1325,19 +1325,19 @@ Alternately if the specified value begin character, then the key types after it will be appended to the default instead of replacing it. The default for this option is: .Bd -literal -offset 3n [email protected], [email protected], [email protected], [email protected], [email protected], [email protected],[email protected], ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ssh-rsa +ssh-ed25519,ssh-rsa,ssh-dss .Ed .Pp The .Fl Q option of .Xr ssh 1 may be used to list supported key types. .It Cm PubkeyAuthentication diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5 --- a/openssh-7.2p2/sshd_config.5 +++ b/openssh-7.2p2/sshd_config.5 @@ -651,19 +651,19 @@ Alternately if the specified value begin character, then the specified key types will be appended to the default set instead of replacing them. The default for this option is: .Bd -literal -offset 3n [email protected], [email protected], [email protected], [email protected], [email protected], [email protected],[email protected], ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ssh-rsa +ssh-ed25519,ssh-rsa,ssh-dss .Ed .Pp The .Fl Q option of .Xr ssh 1 may be used to list supported key types. .It Cm HostbasedAuthentication 
@@ -743,19 +743,19 @@ environment variable. Specifies the host key algorithms that the server offers. The default for this option is: .Bd -literal -offset 3n [email protected], [email protected], [email protected], [email protected], [email protected], [email protected],[email protected], ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ssh-rsa +ssh-ed25519,ssh-rsa,ssh-dss .Ed .Pp The list of available key types may also be obtained using the .Fl Q option of .Xr ssh 1 with an argument of .Dq key . ++++++ openssh-7.2p2-allow_root_password_login.patch ++++++ # HG changeset patch # Parent 8cf6984812ab2211ce60c0a9156892b3a7ee3aaf Allow root login with password by default. While less secure than upstream default of forbidding access to the root account with a password, we are temporarily introducing this change to keep the default used in older OpenSSH versions shipped with SLE. diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c --- a/openssh-7.2p2/servconf.c +++ b/openssh-7.2p2/servconf.c @@ -233,17 +233,17 @@ fill_default_server_options(ServerOption options->pid_file = xstrdup(_PATH_SSH_DAEMON_PID_FILE); if (options->server_key_bits == -1) options->server_key_bits = 1024; if (options->login_grace_time == -1) options->login_grace_time = 120; if (options->key_regeneration_time == -1) options->key_regeneration_time = 3600; if (options->permit_root_login == PERMIT_NOT_SET) - options->permit_root_login = PERMIT_NO_PASSWD; + options->permit_root_login = PERMIT_YES; if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) options->ignore_user_known_hosts = 0; if (options->print_motd == -1) options->print_motd = 1; if (options->print_lastlog == -1) options->print_lastlog = 1; diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config --- a/openssh-7.2p2/sshd_config +++ b/openssh-7.2p2/sshd_config 
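Review bot: the myproposal.h hunk of the allow_DSS_by_default patch appends two entries to KEX_DEFAULT_PK_ALG, the DSS certificate type (its @openssh.com name is rendered as "[email protected]" in this listing) and "ssh-dss", but each of the four documentation hunks (ssh_config.5 HostbasedKeyTypes and PubkeyAcceptedKeyTypes, sshd_config.5 HostbasedAcceptedKeyTypes and HostKeyAlgorithms) only appends ",ssh-dss" to the .Bd -literal default list, so the man pages will not match the real default; add the certificate type to those blocks as well. Putting both entries at the very end of the list is the right placement, as the list is in preference order and the header presents DSA purely as a compatibility fallback.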
@@ -36,17 +36,17 @@ # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m -#PermitRootLogin prohibit-password +#PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0 --- a/openssh-7.2p2/sshd_config.0 +++ b/openssh-7.2p2/sshd_config.0 @@ -710,17 +710,17 @@ DESCRIPTION restrictions and permit any forwarding requests. An argument of M-bM-^@M-^\noneM-bM-^@M-^] can be used to prohibit all forwarding requests. By default all port forwarding requests are permitted. PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\prohibit-passwordM-bM-^@M-^], M-bM-^@M-^\without-passwordM-bM-^@M-^], M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], or M-bM-^@M-^\noM-bM-^@M-^]. The default is - M-bM-^@M-^\prohibit-passwordM-bM-^@M-^]. + M-bM-^@M-^\yesM-bM-^@M-^]. If this option is set to M-bM-^@M-^\prohibit-passwordM-bM-^@M-^] or M-bM-^@M-^\without-passwordM-bM-^@M-^], password and keyboard-interactive authentication are disabled for root. If this option is set to M-bM-^@M-^\forced-commands-onlyM-bM-^@M-^], root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5 --- a/openssh-7.2p2/sshd_config.5 +++ b/openssh-7.2p2/sshd_config.5 
@@ -1213,17 +1213,17 @@ Specifies whether root can log in using The argument must be .Dq yes , .Dq prohibit-password , .Dq without-password , .Dq forced-commands-only , or .Dq no . The default is -.Dq prohibit-password . +.Dq yes . .Pp If this option is set to .Dq prohibit-password or .Dq without-password , password and keyboard-interactive authentication are disabled for root. .Pp If this option is set to ++++++ openssh-6.6p1-blocksigalrm.patch -> openssh-7.2p2-blocksigalrm.patch ++++++ --- /work/SRC/openSUSE:Factory/openssh/openssh-6.6p1-blocksigalrm.patch 2014-04-17 14:43:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-7.2p2-blocksigalrm.patch 2016-07-28 23:45:13.000000000 +0200 @@ -1,18 +1,21 @@ -# block SIGALRM while logging through syslog to prevent deadlocks (through -# grace_alarm_handler) -# bnc#57354 +# HG changeset patch +# Parent 5469eb754184144e42c341ccc038309e2880cadc +block SIGALRM while logging through syslog to prevent deadlocks +(through grace_alarm_handler()) -diff --git a/openssh-6.6p1/log.c b/openssh-6.6p1/log.c ---- a/openssh-6.6p1/log.c -+++ b/openssh-6.6p1/log.c -@@ -47,16 +47,17 @@ +bnc#57354 + +diff --git a/openssh-7.2p2/log.c b/openssh-7.2p2/log.c +--- a/openssh-7.2p2/log.c ++++ b/openssh-7.2p2/log.c +@@ -46,16 +46,17 @@ + #include <syslog.h> #include <unistd.h> #include <errno.h> #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS) # include <vis.h> #endif - #include "xmalloc.h" #include "log.h" +#include <signal.h> @@ -23,7 +26,7 @@ static char *argv0; static log_handler_fn *log_handler; static void *log_handler_ctx; -@@ -384,16 +385,17 @@ do_log(LogLevel level, const char *fmt, +@@ -383,16 +384,17 @@ do_log(LogLevel level, const char *fmt, { #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) struct syslog_data sdata = SYSLOG_DATA_INIT; 
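Review bot: the servconf.c hunk of allow_root_password_login changes the compiled-in fallback from PERMIT_NO_PASSWD to PERMIT_YES, so root password login is allowed on every host whose sshd_config never mentions PermitRootLogin, while the sshd_config hunk only rewrites the commented-out "#PermitRootLogin" line. If the goal is just to keep the older SLE default, shipping an explicit, uncommented "PermitRootLogin yes" in sshd_config and leaving the code default untouched would let administrators who remove the line fall back to upstream's prohibit-password; and since the header calls the change temporary, it should reference the bug that tracks reverting it.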
@@ -41,7 +44,7 @@ switch (level) { case SYSLOG_LEVEL_FATAL: -@@ -442,20 +444,29 @@ do_log(LogLevel level, const char *fmt, +@@ -441,20 +443,29 @@ do_log(LogLevel level, const char *fmt, tmp_handler = log_handler; log_handler = NULL; tmp_handler(level, fmtbuf, log_handler_ctx); ++++++ openssh-7.2p2-disable_short_DH_parameters.patch ++++++ # HG changeset patch # Parent c924f46e3639b3646e42dd7505c206d43d7180fa Raise minimal size of DH group parameters to 2048 bits like upstream did in 7.2. 1024b values are believed to be in breaking range for state adversaries and the default moduli shipped with openssh have been around long enough to make it more likely for them to be broken. Also provide an option that allows the client to accept shorter (RFC4419 compliant) parameters. CVE-2015-4000 (LOGJAM) bsc#932483 diff --git a/openssh-7.2p2/dh.c b/openssh-7.2p2/dh.c --- a/openssh-7.2p2/dh.c +++ b/openssh-7.2p2/dh.c @@ -37,16 +37,18 @@ #include <limits.h> #include "dh.h" #include "pathnames.h" #include "log.h" #include "misc.h" #include "ssherr.h" +int dh_grp_min = DH_GRP_MIN; + static int parse_prime(int linenum, char *line, struct dhgroup *dhg) { char *cp, *arg; char *strsize, *gen, *prime; const char *errstr = NULL; long long n; diff --git a/openssh-7.2p2/dh.h b/openssh-7.2p2/dh.h --- a/openssh-7.2p2/dh.h +++ b/openssh-7.2p2/dh.h @@ -43,16 +43,17 @@ int dh_gen_key(DH *, int); int dh_pub_is_valid(DH *, BIGNUM *); u_int dh_estimate(int); /* * Max value from RFC4419. * Miniumum increased in light of DH precomputation attacks. */ +#define DH_GRP_MIN_RFC 1024 #define DH_GRP_MIN 2048 #define DH_GRP_MAX 8192 /* * Values for "type" field of moduli(5) * Specifies the internal structure of the prime modulus. */ #define MODULI_TYPE_UNKNOWN (0) diff --git a/openssh-7.2p2/kexgexc.c b/openssh-7.2p2/kexgexc.c --- a/openssh-7.2p2/kexgexc.c +++ b/openssh-7.2p2/kexgexc.c 
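Review bot: in the rebased log.c hunk of blocksigalrm, "+#include <signal.h>" is inserted after the local "log.h" include instead of with the other system headers (<unistd.h>, <errno.h>) a few lines up; move it there to match the file's include order. The rewritten header now names grace_alarm_handler() explicitly, which is clearer than the old comment form.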
@@ -46,29 +46,32 @@ #include "packet.h" #include "dh.h" #include "ssh2.h" #include "compat.h" #include "dispatch.h" #include "ssherr.h" #include "sshbuf.h" +/* import from dh.c */ +extern int dh_grp_min; + static int input_kex_dh_gex_group(int, u_int32_t, void *); static int input_kex_dh_gex_reply(int, u_int32_t, void *); int kexgex_client(struct ssh *ssh) { struct kex *kex = ssh->kex; int r; u_int nbits; nbits = dh_estimate(kex->dh_need * 8); - kex->min = DH_GRP_MIN; + kex->min = dh_grp_min; kex->max = DH_GRP_MAX; kex->nbits = nbits; if (datafellows & SSH_BUG_DHGEX_LARGE) kex->nbits = MIN(kex->nbits, 4096); /* New GEX request */ if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST)) != 0 || (r = sshpkt_put_u32(ssh, kex->min)) != 0 || (r = sshpkt_put_u32(ssh, kex->nbits)) != 0 || @@ -104,16 +107,22 @@ input_kex_dh_gex_group(int type, u_int32 goto out; } if ((r = sshpkt_get_bignum2(ssh, p)) != 0 || (r = sshpkt_get_bignum2(ssh, g)) != 0 || (r = sshpkt_get_end(ssh)) != 0) goto out; if ((bits = BN_num_bits(p)) < 0 || (u_int)bits < kex->min || (u_int)bits > kex->max) { + if (bits < kex->min && bits >= DH_GRP_MIN_RFC) + logit("DH parameter offered by the server (%d bits) " + "is considered insecure. " + "You can lower the accepted the minimum " + "via the KexDHMin option.", + bits); r = SSH_ERR_DH_GEX_OUT_OF_RANGE; goto out; } if ((kex->dh = dh_new_group(g, p)) == NULL) { r = SSH_ERR_ALLOC_FAIL; goto out; } p = g = NULL; /* belong to kex->dh now */ diff --git a/openssh-7.2p2/readconf.c b/openssh-7.2p2/readconf.c --- a/openssh-7.2p2/readconf.c +++ b/openssh-7.2p2/readconf.c 
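Review bot: the logit() message added in the kexgexc.c hunk of disable_short_DH_parameters reads "lower the accepted the minimum" (doubled "the"); also "bits" is an int while kex->min is u_int and the surrounding condition casts it, so cast it in the new "bits < kex->min" test too to avoid a sign-compare warning. Logging before returning SSH_ERR_DH_GEX_OUT_OF_RANGE is the right shape: the connection still fails closed, and the user learns which option governs the limit.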
@@ -56,16 +56,17 @@ #include "misc.h" #include "readconf.h" #include "match.h" #include "kex.h" #include "mac.h" #include "uidswap.h" #include "myproposal.h" #include "digest.h" +#include "dh.h" /* Format of the configuration file: # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. @@ -148,17 +149,18 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, + oKexAlgorithms, oKexDHMin, + oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, oPubkeyAcceptedKeyTypes, oIgnoredUnknownOption, oDeprecated, oUnsupported } OpCodes; 
@@ -260,16 +262,17 @@ static struct { { "hashknownhosts", oHashKnownHosts }, { "tunnel", oTunnel }, { "tunneldevice", oTunnelDevice }, { "localcommand", oLocalCommand }, { "permitlocalcommand", oPermitLocalCommand }, { "visualhostkey", oVisualHostKey }, { "useroaming", oDeprecated }, { "kexalgorithms", oKexAlgorithms }, + { "kexdhmin", oKexDHMin }, { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, { "proxyusefdpass", oProxyUseFdpass }, { "canonicaldomains", oCanonicalDomains }, { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal }, { "canonicalizehostname", oCanonicalizeHostname }, { "canonicalizemaxdots", oCanonicalizeMaxDots }, { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, @@ -280,16 +283,19 @@ static struct { { "updatehostkeys", oUpdateHostkeys }, { "hostbasedkeytypes", oHostbasedKeyTypes }, { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } }; +/* import from dh.c */ +extern int dh_grp_min; + /* * Adds a local TCP/IP port forward to options. Never returns if there is an * error. */ void add_local_forward(Options *options, const struct Forward *newfwd) { @@ -1157,16 +1163,20 @@ parse_int: filename, linenum); if (!kex_names_valid(*arg == '+' ? arg + 1 : arg)) fatal("%.200s line %d: Bad SSH2 KexAlgorithms '%s'.", filename, linenum, arg ? arg : "<NONE>"); if (*activep && options->kex_algorithms == NULL) options->kex_algorithms = xstrdup(arg); break; + case oKexDHMin: + intptr = &options->kex_dhmin; + goto parse_int; + case oHostKeyAlgorithms: charptr = &options->hostkeyalgorithms; parse_keytypes: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing argument.", filename, linenum); if (!sshkey_names_valid2(*arg == '+' ? arg + 1 : arg, 1)) 
@@ -1664,16 +1674,17 @@ initialize_options(Options * options) options->address_family = -1; options->connection_attempts = -1; options->connection_timeout = -1; options->number_of_password_prompts = -1; options->cipher = -1; options->ciphers = NULL; options->macs = NULL; options->kex_algorithms = NULL; + options->kex_dhmin = -1; options->hostkeyalgorithms = NULL; options->protocol = SSH_PROTO_UNKNOWN; options->num_identity_files = 0; options->num_certificate_files = 0; options->hostname = NULL; options->host_key_alias = NULL; options->proxy_command = NULL; options->user = NULL; @@ -1805,16 +1816,23 @@ fill_default_options(Options * options) options->address_family = AF_UNSPEC; if (options->connection_attempts == -1) options->connection_attempts = 1; if (options->number_of_password_prompts == -1) options->number_of_password_prompts = 3; /* Selected in ssh_login(). */ if (options->cipher == -1) options->cipher = SSH_CIPHER_NOT_SET; + if (options->kex_dhmin == -1) + options->kex_dhmin = DH_GRP_MIN; + else { + options->kex_dhmin = MAX(options->kex_dhmin, DH_GRP_MIN_RFC); + options->kex_dhmin = MIN(options->kex_dhmin, DH_GRP_MAX); + } + dh_grp_min = options->kex_dhmin; /* options->hostkeyalgorithms, default set in myproposals.h */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2; if (options->add_keys_to_agent == -1) options->add_keys_to_agent = 0; if (options->num_identity_files == 0) { if (options->protocol & SSH_PROTO_1) { add_identity_file(options, "~/", diff --git a/openssh-7.2p2/readconf.h b/openssh-7.2p2/readconf.h --- a/openssh-7.2p2/readconf.h +++ b/openssh-7.2p2/readconf.h 
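Review bot: in the fill_default_options hunk of disable_short_DH_parameters the MAX(..., DH_GRP_MIN_RFC) / MIN(..., DH_GRP_MAX) clamp silently rewrites any KexDHMin value outside 1024..8192, and the oKexDHMin case earlier just jumps to parse_int, so a typo such as "KexDHMin 124" is accepted and quietly raised to 1024; rejecting out-of-range values at parse time with a fatal("%.200s line %d: ...") like the neighbouring options, or at least logging the adjustment, would be safer. The "extern int dh_grp_min" declaration is duplicated in readconf.c and kexgexc.c with "/* import from dh.c */" comments; declare it once in dh.h next to DH_GRP_MIN.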
@@ -69,16 +69,17 @@ typedef struct { * aborting connection attempt */ int number_of_password_prompts; /* Max number of password * prompts. */ int cipher; /* Cipher to use. */ char *ciphers; /* SSH2 ciphers in order of preference. */ char *macs; /* SSH2 macs in order of preference. */ char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ char *kex_algorithms; /* SSH2 kex methods in order of preference. */ + int kex_dhmin; /* minimum bit length of the DH group parameter */ int protocol; /* Protocol in order of preference. */ char *hostname; /* Real host to connect. */ char *host_key_alias; /* hostname alias for .ssh/known_hosts */ char *proxy_command; /* Proxy command for connecting the host. */ char *user; /* User to log in as. */ int escape_char; /* Escape character; -2 = none */ u_int num_system_hostfiles; /* Paths for /etc/ssh/ssh_known_hosts */ diff --git a/openssh-7.2p2/ssh_config.0 b/openssh-7.2p2/ssh_config.0 --- a/openssh-7.2p2/ssh_config.0 +++ b/openssh-7.2p2/ssh_config.0 
@@ -606,16 +606,29 @@ DESCRIPTION ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1 The list of available key exchange algorithms may also be obtained using the -Q option of ssh(1) with an argument of M-bM-^@M-^\kexM-bM-^@M-^]. + KexDHMin + Specifies the minimum accepted bit length of the DH group parameter p. + As per RFC4419, this is 1024 bits however, this has increasingly + been seen as insecure, which prompted the change to 2048 bits. + Setting this option allows the client to accept parameters shorter + than the current minimum, down to the RFC specified 1024 bits. + Using this option may be needed when connecting to servers that + only know short DH group parameters. + + Note that using this option can severly impact security and thus + should be viewed as a temporary fix of last resort and all efforts + should be made to fix the server. + LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user's shell. The following escape character substitutions will be performed: M-bM-^@M-^X%dM-bM-^@M-^Y (local user's home directory), M-bM-^@M-^X%hM-bM-^@M-^Y (remote host name), M-bM-^@M-^X%lM-bM-^@M-^Y (local host name), M-bM-^@M-^X%nM-bM-^@M-^Y (host name as provided on the command line), M-bM-^@M-^X%pM-bM-^@M-^Y (remote port), M-bM-^@M-^X%rM-bM-^@M-^Y (remote user name) or diff --git a/openssh-7.2p2/ssh_config.5 b/openssh-7.2p2/ssh_config.5 --- a/openssh-7.2p2/ssh_config.5 +++ b/openssh-7.2p2/ssh_config.5 
@@ -1092,16 +1092,28 @@ diffie-hellman-group14-sha1 .Ed .Pp The list of available key exchange algorithms may also be obtained using the .Fl Q option of .Xr ssh 1 with an argument of .Dq kex . +.It Cm KexDHMin +Specifies the minimum accepted bit length of the DH group parameter p. +As per RFC4419, this is 1024 bits however, this has increasingly +been seen as insecure, which prompted the change to 2048 bits. +Setting this option allows the client to accept parameters shorter +than the current minimum, down to the RFC specified 1024 bits. +Using this option may be needed when connecting to servers that +only know short DH group parameters. + +Note that using this option can severly impact security and thus +should be viewed as a temporary fix of last resort and all efforts +should be made to fix the server. .It Cm LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user's shell. The following escape character substitutions will be performed: .Ql %d (local user's home directory), ++++++ openssh-7.2p2-dont_use_pthreads_in_PAM.patch ++++++ # HG changeset patch # Parent 2aa634b7522f34ddbd380c96df4e750df0608604 # posix threads are generally not supported nor safe # (see upstream log from 2005-05-24) # --used to be called '-pam-fix3' diff --git a/openssh-7.2p2/auth-pam.c b/openssh-7.2p2/auth-pam.c --- a/openssh-7.2p2/auth-pam.c +++ b/openssh-7.2p2/auth-pam.c 
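Review bot: the KexDHMin text added to ssh_config.5 (and identically to ssh_config.0) has "severly" for "severely", and "As per RFC4419, this is 1024 bits however, this has increasingly been seen as insecure" needs a full stop before "However". In the mdoc source the paragraph break is an empty "+" line; use ".Pp" there as the rest of the page does. Since ssh_config.0 is the preformatted copy of ssh_config.5, fix the .5 source and regenerate rather than editing both by hand.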
@@ -782,17 +782,19 @@ sshpam_query(void *ctx, char **name, cha } if (type == PAM_SUCCESS) { if (!sshpam_authctxt->valid || (sshpam_authctxt->pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)) fatal("Internal error: PAM auth " "succeeded when it should have " "failed"); +#ifndef UNSUPPORTED_POSIX_THREADS_HACK import_environments(&buffer); +#endif *num = 0; **echo_on = 0; ctxt->pam_done = 1; free(msg); return (0); } error("PAM: %s for %s%.100s from %.100s", msg, sshpam_authctxt->valid ? "" : "illegal user ", ++++++ openssh-6.6p1-eal3.patch -> openssh-7.2p2-eal3.patch ++++++ --- /work/SRC/openSUSE:Factory/openssh/openssh-6.6p1-eal3.patch 2014-04-17 14:43:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-7.2p2-eal3.patch 2016-07-28 23:45:13.000000000 +0200 @@ -1,9 +1,11 @@ -# fix paths and references in sshd man pages +# HG changeset patch +# Parent bbb49b3f344cf24e9bbd7eb7a7c40fea21be77eb +fix paths and references in sshd man pages -diff --git a/openssh-6.6p1/sshd.8 b/openssh-6.6p1/sshd.8 ---- a/openssh-6.6p1/sshd.8 -+++ b/openssh-6.6p1/sshd.8 -@@ -875,17 +875,17 @@ See +diff --git a/openssh-7.2p2/sshd.8 b/openssh-7.2p2/sshd.8 +--- a/openssh-7.2p2/sshd.8 ++++ b/openssh-7.2p2/sshd.8 +@@ -901,17 +901,17 @@ See If this file exists, .Nm refuses to let anyone except root log in. @@ -22,7 +24,8 @@ .It Pa /etc/ssh/ssh_host_key .It Pa /etc/ssh/ssh_host_dsa_key .It Pa /etc/ssh/ssh_host_ecdsa_key -@@ -956,17 +956,17 @@ The content of this file is not sensitiv +@@ -981,17 +981,17 @@ The content of this file is not sensitiv + .Xr scp 1 , .Xr sftp 1 , .Xr ssh 1 , .Xr ssh-add 1 , @@ -30,7 +33,6 @@ .Xr ssh-keygen 1 , .Xr ssh-keyscan 1 , .Xr chroot 2 , - .Xr hosts_access 5 , -.Xr login.conf 5 , +.Xr login.defs 5 , .Xr moduli 5 , 
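Review bot: the auth-pam.c hunk of dont_use_pthreads_in_PAM skips import_environments(&buffer) whenever UNSUPPORTED_POSIX_THREADS_HACK is defined, but the header only says POSIX threads are unsupported; state what happens to the PAM environment and account/session state on such a build (imported elsewhere or dropped), because a silently dropped PAM environment is a behaviour change for anyone relying on pam_env.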
@@ -41,19 +43,19 @@ OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, -diff --git a/openssh-6.6p1/sshd_config.5 b/openssh-6.6p1/sshd_config.5 ---- a/openssh-6.6p1/sshd_config.5 -+++ b/openssh-6.6p1/sshd_config.5 -@@ -278,18 +278,17 @@ The contents of the specified file are s +diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5 +--- a/openssh-7.2p2/sshd_config.5 ++++ b/openssh-7.2p2/sshd_config.5 +@@ -370,18 +370,17 @@ for details). + The contents of the specified file are sent to the remote user before authentication is allowed. If the argument is .Dq none then no banner is displayed. - This option is only available for protocol version 2. By default, no banner is displayed. .It Cm ChallengeResponseAuthentication Specifies whether challenge-response authentication is allowed (e.g. via --PAM or though authentication styles supported in +-PAM or through authentication styles supported in -.Xr login.conf 5 ) +PAM) The default is @@ -62,9 +64,9 @@ Specifies the pathname of a directory to .Xr chroot 2 to after authentication. - All components of the pathname must be root-owned directories that are - not writable by any other user or group. -@@ -576,17 +575,17 @@ and + At session startup + .Xr sshd 8 +@@ -766,17 +765,17 @@ and .Pa .shosts files will not be used in .Cm RhostsRSAAuthentication ++++++ openssh-7.2p2-enable_PAM_by_default.patch ++++++ # HG changeset patch # Parent 477d43e9a3889d36b58ff19cf3cb9583e1abf9ce # force PAM in defaullt install (this was removed from upstream in 3.8p1) # bnc#46749 # --used to be called '-pam-fix2' diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config --- a/openssh-7.2p2/sshd_config +++ b/openssh-7.2p2/sshd_config 
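Review bot: in the rebased sshd_config.5 hunk of eal3, the ChallengeResponseAuthentication sentence now ends with the added line "PAM)" immediately followed by "The default is", so the rendered text has no sentence terminator; since this line is being rewritten anyway, make it "PAM)." The "though" to "through" correction in the same hunk is good.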
@@ -64,17 +64,17 @@ AuthorizedKeysFile .ssh/authorized_keys #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes +PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes @@ -89,17 +89,17 @@ AuthorizedKeysFile .ssh/authorized_keys # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. -#UsePAM no +UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes ++++++ openssh-7.2p2-hostname_changes_when_forwarding_X.patch ++++++ # HG changeset patch # Parent b5245fb016a3b83611d4b4ae0c1fe3423cadd6fe # -- uset do be called '-xauthlocalhostname' handle hostname changes when forwarding X bnc#98627 diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c --- a/openssh-7.2p2/session.c +++ b/openssh-7.2p2/session.c 
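Review bot: besides "UsePAM yes", the @@ -64 hunk of enable_PAM_by_default turns the commented "#PasswordAuthentication yes" into an active "PasswordAuthentication no", which the header ("force PAM in default install") does not mention; document it, because with "#ChallengeResponseAuthentication yes" left at its default, passwords are still prompted through PAM's keyboard-interactive path, and, as the file's own comment in the @@ -89 hunk warns, that path may bypass "PermitRootLogin without-password". Together with the allow_root_password_login patch above this makes root reachable with a password via keyboard-interactive in the default install; say so explicitly in the changelog.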
@@ -1154,17 +1154,17 @@ copy_environment(char **source, char *** debug3("Copy environment: %s=%s", var_name, var_val); child_set_env(env, envsize, var_name, var_val); free(var_name); } } static char ** -do_setup_env(Session *s, const char *shell) +do_setup_env(Session *s, const char *shell, int *env_size) { char buf[256]; u_int i, envsize; char **env, *laddr; struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; #endif @@ -1341,25 +1341,27 @@ do_setup_env(Session *s, const char *she read_environment_file(&env, &envsize, buf); } if (debug_flag) { /* dump the environment */ fprintf(stderr, "Environment:\n"); for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } + + *env_size = envsize; return env; } /* * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found * first in this order). */ static void -do_rc_files(Session *s, const char *shell) +do_rc_files(Session *s, const char *shell, char **env, int *env_size) { FILE *f = NULL; char cmd[1024]; int do_xauth; struct stat st; do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; @@ -1404,22 +1406,30 @@ do_rc_files(Session *s, const char *shel "%.500s add %.100s %.100s %.100s\n", options.xauth_location, s->auth_display, s->auth_proto, s->auth_data); } snprintf(cmd, sizeof cmd, "%s -q -", options.xauth_location); f = popen(cmd, "w"); if (f) { + char hostname[MAXHOSTNAMELEN]; + fprintf(f, "remove %s\n", s->auth_display); fprintf(f, "add %s %s %s\n", s->auth_display, s->auth_proto, s->auth_data); pclose(f); + if (gethostname(hostname,sizeof(hostname)) >= 0) + child_set_env(&env,env_size,"XAUTHLOCALHOSTNAME", + hostname); + else + debug("Cannot set up XAUTHLOCALHOSTNAME %s\n", + strerror(errno)); } else { fprintf(stderr, "Could not run %s\n", cmd); } } } static void 
@@ -1681,16 +1691,17 @@ child_close_fds(void) * ids, and executing the command or shell. */ #define ARGV_MAX 10 void do_child(Session *s, const char *command) { extern char **environ; char **env; + int env_size; char *argv[ARGV_MAX]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; int r = 0; /* remove hostkey from the child's memory */ destroy_sensitive_data(); @@ -1747,17 +1758,17 @@ do_child(Session *s, const char *command * legal, and means /bin/sh. */ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; /* * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ - env = do_setup_env(s, shell); + env = do_setup_env(s, shell, &env_size); #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif /* we have to stash the hostname before we close our socket. */ if (options.use_login) hostname = get_remote_name_or_ip(utmp_len, @@ -1816,17 +1827,17 @@ do_child(Session *s, const char *command } if (r) exit(1); } closefrom(STDERR_FILENO + 1); if (!options.use_login) - do_rc_files(s, shell); + do_rc_files(s, shell, env, &env_size); /* restore SIGPIPE for child */ signal(SIGPIPE, SIG_DFL); if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) { printf("This service allows sftp connections only.\n"); fflush(NULL); exit(1); ++++++ openssh-6.6p1-lastlog.patch -> openssh-7.2p2-lastlog.patch ++++++ --- /work/SRC/openSUSE:Factory/openssh/openssh-6.6p1-lastlog.patch 2014-04-17 14:43:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-7.2p2-lastlog.patch 2016-07-28 23:45:14.000000000 +0200 
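Review bot: in the do_rc_files() hunk (@@ -1404) of hostname_changes_when_forwarding_X, child_set_env(&env, env_size, ...) may reallocate the environment array and stores the new pointer only in do_rc_files' own "env" parameter; do_child()'s "env", which is what later gets executed with, keeps pointing at the old block whenever the array has to grow. Pass a char *** (and &env from do_child) so the caller sees the reallocation. Two smaller points in the same hunk: gethostname() does not guarantee NUL termination when the name exceeds the buffer, so add hostname[sizeof(hostname) - 1] = '\0'; and the trailing "\n" in debug("Cannot set up XAUTHLOCALHOSTNAME %s\n", ...) should go, the log functions add their own newline.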
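Review bot: the do_child() hunk (@@ -1681) declares "int env_size", and the new do_setup_env()/do_rc_files() parameters are "int *env_size", while the array size it mirrors is the "u_int envsize" visible in do_setup_env(); use u_int throughout to match the existing type and avoid pointer-sign warnings.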
@@ -1,10 +1,12 @@ +# HG changeset patch +# Parent 2ee086fa64dd40d0d50b13fa3a784717bfdd7e4b # set uid for functions that use it to seek in lastlog and wtmp files # bnc#18024 (was suse #3024) -diff --git a/openssh-6.6p1/sshlogin.c b/openssh-6.6p1/sshlogin.c ---- a/openssh-6.6p1/sshlogin.c -+++ b/openssh-6.6p1/sshlogin.c -@@ -128,16 +128,17 @@ record_login(pid_t pid, const char *tty, +diff --git a/openssh-7.2p2/sshlogin.c b/openssh-7.2p2/sshlogin.c +--- a/openssh-7.2p2/sshlogin.c ++++ b/openssh-7.2p2/sshlogin.c +@@ -129,16 +129,17 @@ record_login(pid_t pid, const char *tty, { struct logininfo *li; ++++++ openssh-7.2p2-pam_check_locks.patch ++++++ # HG changeset patch # Parent 5b217a9abc32fa963a125ae29c766c015db53bde new option UsePAMCheckLocks to enforce checking for locked accounts while UsePAM is used bnc#708678, FATE#312033 diff --git a/openssh-7.2p2/auth.c b/openssh-7.2p2/auth.c --- a/openssh-7.2p2/auth.c +++ b/openssh-7.2p2/auth.c @@ -104,17 +104,17 @@ allowed_user(struct passwd * pw) struct spwd *spw = NULL; #endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; #ifdef USE_SHADOW - if (!options.use_pam) + if (!options.use_pam || options.use_pam_check_locks) spw = getspnam(pw->pw_name); #ifdef HAS_SHADOW_EXPIRE if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) return 0; #endif /* HAS_SHADOW_EXPIRE */ #endif /* USE_SHADOW */ /* grab passwd field for locked account check */ @@ -124,17 +124,17 @@ allowed_user(struct passwd * pw) #ifdef USE_LIBIAF passwd = get_iaf_password(pw); #else passwd = spw->sp_pwdp; #endif /* USE_LIBIAF */ #endif /* check for locked account */ - if (!options.use_pam && passwd && *passwd) { + if ((!options.use_pam || options.use_pam_check_locks) && passwd && *passwd) { int locked = 0; #ifdef LOCKED_PASSWD_STRING if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0) locked = 1; #endif #ifdef LOCKED_PASSWD_PREFIX if (strncmp(passwd, LOCKED_PASSWD_PREFIX, 
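Review bot: with UsePAMCheckLocks the auth.c hunk of pam_check_locks now fetches the shadow entry and applies the locked-password check under PAM, but the "#ifdef HAS_SHADOW_EXPIRE" test right below still uses "!options.use_pam" alone, so an expired account is still not rejected here when PAM is in use. If that is intentional (PAM's account stage handling expiry), say so in a comment next to the condition; otherwise use the same "(!options.use_pam || options.use_pam_check_locks)" predicate there.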
diff --git a/openssh-7.2p2/servconf.c b/openssh-7.2p2/servconf.c --- a/openssh-7.2p2/servconf.c +++ b/openssh-7.2p2/servconf.c @@ -69,16 +69,17 @@ extern Buffer cfg; void initialize_server_options(ServerOptions *options) { memset(options, 0, sizeof(*options)); /* Portable-specific options */ options->use_pam = -1; + options->use_pam_check_locks = -1; /* Standard Options */ options->num_ports = 0; options->ports_from_cmdline = 0; options->queued_listen_addrs = NULL; options->num_queued_listens = 0; options->listen_addrs = NULL; options->address_family = -1; @@ -195,16 +196,18 @@ assemble_algorithms(ServerOptions *o) void fill_default_server_options(ServerOptions *options) { int i; /* Portable-specific options */ if (options->use_pam == -1) options->use_pam = 0; + if (options->use_pam_check_locks == -1) + options->use_pam_check_locks = 0; /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_2; if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ if (options->protocol & SSH_PROTO_1) options->host_key_files[options->num_host_key_files++] = @@ -391,17 +394,17 @@ fill_default_server_options(ServerOption #endif } /* Keyword tokens. */ typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ - sUsePAM, + sUsePAM, sUsePAMChecklocks, /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosGetAFSToken, sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, 
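Review bot: the enum member is spelled `sUsePAMChecklocks` while the option and the struct field are `UsePAMCheckLocks` / `use_pam_check_locks`; rename it to `sUsePAMCheckLocks` so the token, keyword and field follow one capitalisation, as the neighbouring `sUsePAM` / `use_pam` pair does. The `-1` sentinel plus `fill_default_server_options()` defaulting to 0 matches the existing UsePAM handling, so the default of "no" is consistent with the manual page text in this patch.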
@@ -441,18 +444,20 @@ typedef enum { static struct { const char *name; ServerOpCodes opcode; u_int flags; } keywords[] = { /* Portable-specific options */ #ifdef USE_PAM { "usepam", sUsePAM, SSHCFG_GLOBAL }, + { "usepamchecklocks", sUsePAMChecklocks, SSHCFG_GLOBAL }, #else { "usepam", sUnsupported, SSHCFG_GLOBAL }, + { "usepamchecklocks", sUnsupported, SSHCFG_GLOBAL }, #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ { "port", sPort, SSHCFG_GLOBAL }, { "hostkey", sHostKeyFile, SSHCFG_GLOBAL }, { "hostdsakey", sHostKeyFile, SSHCFG_GLOBAL }, /* alias */ { "hostkeyagent", sHostKeyAgent, SSHCFG_GLOBAL }, { "pidfile", sPidFile, SSHCFG_GLOBAL }, @@ -1005,16 +1010,19 @@ process_server_config_line(ServerOptions } } switch (opcode) { /* Portable-specific options */ case sUsePAM: intptr = &options->use_pam; goto parse_flag; + case sUsePAMChecklocks: + intptr = &options->use_pam_check_locks; + goto parse_flag; /* Standard Options */ case sBadOption: return -1; case sPort: /* ignore ports from configfile if cmdline specifies ports */ if (options->ports_from_cmdline) return 0; diff --git a/openssh-7.2p2/servconf.h b/openssh-7.2p2/servconf.h --- a/openssh-7.2p2/servconf.h +++ b/openssh-7.2p2/servconf.h @@ -167,16 +167,17 @@ typedef struct { */ u_int num_authkeys_files; /* Files containing public keys */ char *authorized_keys_files[MAX_AUTHKEYS_FILES]; char *adm_forced_command; int use_pam; /* Enable auth via PAM */ + int use_pam_check_locks; /* internally check for locked accounts even when using PAM */ int permit_tun; int num_permitted_opens; char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; diff --git a/openssh-7.2p2/sshd_config.0 b/openssh-7.2p2/sshd_config.0 --- a/openssh-7.2p2/sshd_config.0 +++ b/openssh-7.2p2/sshd_config.0 
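Review bot: no dump_config() change is included for the new option, so `sshd -T` will not report the effective UsePAMCheckLocks value even though it prints UsePAM; add a `dump_cfg_fmtint(sUsePAMChecklocks, o->use_pam_check_locks);` next to the existing UsePAM line. Registering the keyword as `sUnsupported` in the `#ifndef USE_PAM` branch is the right choice, since a config that sets it on a PAM-less build should warn rather than fail to parse.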
@@ -946,16 +946,24 @@ DESCRIPTION Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication. If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is M-bM-^@M-^\noM-bM-^@M-^]. + UsePAMCheckLocks + When set to ``yes'', the checks whether the account has been + locked with `passwd -l' are performed even when PAM authentication + is enabled via UsePAM. This is to ensure that it is not possible + to log in with e.g. a public key (in such a case PAM is used only + to set up the session and some PAM modules will not check whether + the account is locked in this scenario). The default is ``no''. + UsePrivilegeSeparation Specifies whether sshd(8) separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by containing any corruption within the unprivileged processes. The argument must be M-bM-^@M-^\yesM-bM-^@M-^], M-bM-^@M-^\noM-bM-^@M-^], or M-bM-^@M-^\sandboxM-bM-^@M-^]. If diff --git a/openssh-7.2p2/sshd_config.5 b/openssh-7.2p2/sshd_config.5 --- a/openssh-7.2p2/sshd_config.5 +++ b/openssh-7.2p2/sshd_config.5 
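Review bot: the sentence "the checks whether the account has been locked with `passwd -l' are performed even when PAM authentication is enabled" does not parse; suggest "When set to yes, sshd(8) checks whether the account has been locked with passwd -l even when PAM is in use via UsePAM." The justification "some PAM modules will not check whether the account is locked in this scenario" would be more useful if it said why: after public-key authentication sshd runs only PAM's account and session stages, not the authentication stage where the `!` lock marker is normally enforced. Note also that sshd_config.0 is generated from sshd_config.5, so the two copies of this paragraph must be kept identical on every rebase.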
@@ -1578,16 +1578,28 @@ or .Pp If .Cm UsePAM is enabled, you will not be able to run .Xr sshd 8 as a non-root user. The default is .Dq no . +.It Cm UsePAMCheckLocks +When set to +.Dq yes +, the checks whether the account has been locked with +.Pa passwd -l +are performed even when PAM authentication is enabled via +.Cm UsePAM . +This is to ensure that it is not possible to log in with e.g. a +public key (in such a case PAM is used only to set up the session and some PAM +modules will not check whether the account is locked in this scenario). The +default is +.Dq no . .It Cm UsePrivilegeSeparation Specifies whether .Xr sshd 8 separates privileges by creating an unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege ++++++ openssh-7.2p2-pts_names_formatting.patch ++++++ # HG changeset patch # Parent 870f97b01b9ed00bac9ff0b8014a998434a6161b # use same lines naming as utempter (prevents problems with using different # formats in ?tmp? files) # --used to be called '-pts' diff --git a/openssh-7.2p2/loginrec.c b/openssh-7.2p2/loginrec.c --- a/openssh-7.2p2/loginrec.c +++ b/openssh-7.2p2/loginrec.c @@ -541,17 +541,17 @@ getlast_entry(struct logininfo *li) /* * 'line' string utility functions * * These functions process the 'line' string into one of three forms: * * 1. The full filename (including '/dev') * 2. The stripped name (excluding '/dev') * 3. The abbreviated name (e.g. /dev/ttyp00 -> yp00 - * /dev/pts/1 -> ts/1 ) + * /dev/pts/1 -> /1 ) * * Form 3 is used on some systems to identify a .tmp.? entry when * attempting to remove it. Typically both addition and removal is * performed by one application - say, sshd - so as long as the choice * uniquely identifies a terminal it's ok. */ 
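Review bot: in the sshd_config.5 hunk the comma on its own line after `.Dq yes` renders with a space before it; mdoc treats trailing punctuation on the macro line as such, so write `.Dq yes ,` and continue with "the checks ..." on the next line (the same text problem as in sshd_config.0 applies). `.Pa passwd -l` marks a pathname, which this is not; use `.Xr passwd 1` with `.Fl l`, or `.Ic passwd -l`, so the command is formatted like the other command references in the page.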
@@ -602,16 +602,20 @@ line_abbrevname(char *dst, const char *s /* Always skip prefix if present */ if (strncmp(src, "/dev/", 5) == 0) src += 5; #ifdef WITH_ABBREV_NO_TTY if (strncmp(src, "tty", 3) == 0) src += 3; #endif + if (strncmp(src, "pts/", 4) == 0) { + src += 3; + if (strlen(src) > 4) src++; + } len = strlen(src); if (len > 0) { if (((int)len - dstsize) > 0) src += ((int)len - dstsize); /* note: _don't_ change this to strlcpy */ ++++++ openssh-7.2p2-remove_xauth_cookies_on_exit.patch ++++++ # HG changeset patch # Parent 07998e381c9867b8b6f7b9205261811934bef40f # --used to be called '-xauth' try to remove xauth cookies on logout bnc#98815 diff --git a/openssh-7.2p2/session.c b/openssh-7.2p2/session.c --- a/openssh-7.2p2/session.c +++ b/openssh-7.2p2/session.c 
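Review bot: the literals 3 and 4 in `src += 3; if (strlen(src) > 4) src++;` need a comment or a named constant: 3 keeps the `/` so "pts/1" becomes "/1" as the updated header comment says, and 4 is the width of the utmp `ut_id` field that utempter fills, so "pts/1234" becomes "1234" while "pts/123" stays "/123". The header comment in the previous hunk only documents the short case; add the long case there too, and note that once the number has five or more digits the left-truncation below (`src += ((int)len - dstsize)`) makes distinct ptys map to the same id. Also put the `src++` body on its own line to match the surrounding OpenSSH style.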
@@ -2540,16 +2540,44 @@ session_close(Session *s) u_int i; verbose("Close session: user %s from %.200s port %d id %d", s->pw->pw_name, get_remote_ipaddr(), get_remote_port(), s->self); + if ((s->display != NULL) && (s->auth_proto != NULL) && + (s->auth_data != NULL) && (options.xauth_location != NULL)) { + pid_t pid; + FILE *f; + char cmd[1024]; + struct passwd * pw = s->pw; + + if (!(pid = fork())) { + permanently_set_uid(pw); + + /* Remove authority data from .Xauthority if appropriate. */ + debug("Running %.500s remove %.100s\n", + options.xauth_location, s->auth_display); + + snprintf(cmd, sizeof cmd, "unset XAUTHORITY && HOME=\"%.200s\" %s -q -", + s->pw->pw_dir, options.xauth_location); + f = popen(cmd, "w"); + if (f) { + fprintf(f, "remove %s\n", s->auth_display); + pclose(f); + } else + error("Could not run %s\n", cmd); + exit(0); + } else if (pid > 0) { + waitpid(pid, NULL, 0); + } + } + if (s->ttyfd != -1) session_pty_cleanup(s); free(s->term); free(s->display); free(s->x11_chanids); free(s->auth_display); free(s->auth_data); free(s->auth_proto); ++++++ openssh-6.6p1-seccomp_getuid.patch -> openssh-7.2p2-seccomp_getuid.patch ++++++ --- /work/SRC/openSUSE:Factory/openssh/openssh-6.6p1-seccomp_getuid.patch 2014-04-26 17:02:04.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-7.2p2-seccomp_getuid.patch 2016-07-28 23:45:14.000000000 +0200 
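Review bot: `HOME="%.200s"` interpolates pw->pw_dir into a string that popen() hands to /bin/sh, so a home directory containing `"`, `$`, or a backtick breaks out of the quoting and runs as the user (the child has already dropped to that uid via permanently_set_uid(), so this is a correctness rather than a privilege problem, but it still silently fails to remove the cookie). Setting HOME in the child's environment with setenv() and passing only `%s -q -` to popen() avoids the shell quoting entirely, and also removes the silent 200-character truncation that would point xauth at the wrong file. Smaller points in the same hunk: the child should leave with `_exit(0)` rather than `exit(0)` so the parent's stdio buffers are not flushed twice; `debug()` and `error()` already append a newline, so drop the trailing "\n"; and a failed fork() (`pid == -1`) is currently ignored without a log message.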
@@ -1,29 +1,31 @@ # HG changeset patch -# Parent bde6f1a808f345e141a976ebc3e37903c81a09cb +# Parent 3582dd949a01d8eca2816986ca4bc0c87c96bed3 add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread from being killed by the seccomp filter -diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c ---- a/openssh-6.6p1/sandbox-seccomp-filter.c -+++ b/openssh-6.6p1/sandbox-seccomp-filter.c -@@ -85,16 +85,20 @@ static const struct sock_filter preauth_ - offsetof(struct seccomp_data, arch)), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_AUDIT_ARCH, 1, 0), - BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), - /* Load the syscall number for checking. */ - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, - offsetof(struct seccomp_data, nr)), - SC_DENY(open, EACCES), +diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c +--- a/openssh-7.2p2/sandbox-seccomp-filter.c ++++ b/openssh-7.2p2/sandbox-seccomp-filter.c +@@ -142,16 +142,22 @@ static const struct sock_filter preauth_ + SC_ALLOW(exit_group), + #endif + #ifdef __NR_getpgid + SC_ALLOW(getpgid), + #endif + #ifdef __NR_getpid SC_ALLOW(getpid), + #endif ++#ifdef __NR_getuid + SC_ALLOW(getuid), ++#endif +#ifdef __NR_getuid32 + SC_ALLOW(getuid32), +#endif + #ifdef __NR_getrandom + SC_ALLOW(getrandom), + #endif + #ifdef __NR_gettimeofday SC_ALLOW(gettimeofday), - SC_ALLOW(clock_gettime), - #ifdef __NR_time /* not defined on EABI ARM */ - SC_ALLOW(time), #endif - SC_ALLOW(read), - SC_ALLOW(write), - SC_ALLOW(close), + #ifdef __NR_madvise + SC_ALLOW(madvise), ++++++ openssh-6.6p1-seccomp_stat.patch -> openssh-7.2p2-seccomp_stat.patch ++++++ --- /work/SRC/openSUSE:Factory/openssh/openssh-6.6p1-seccomp_stat.patch 2016-05-05 13:18:09.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-7.2p2-seccomp_stat.patch 2016-07-28 23:45:14.000000000 +0200 
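Review bot: the new `SC_ALLOW(getuid)` block is inserted between getpid and getrandom, breaking the alphabetical order the rebased allow-list now follows (getpgid, getpid, getrandom, gettimeofday); move it after gettimeofday, keeping the `__NR_getuid32` block beside it since 32-bit x86 and ARM glibc issue getuid32 rather than getuid. The patch description also says "sanboxed thread", which should read "sandboxed process": the pre-auth sandbox applies to the unprivileged child, not a thread.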
@@ -1,28 +1,30 @@ # HG changeset patch -# Parent 8c8249d4e830ade9dfa1d2294c6218bbe439cb4a +# Parent d3afe6b01f8769713bde6c175e29a50412799e27 Allow the stat() syscall for OpenSSL re-seed patch (which causes OpenSSL use stat() on some file) bnc#912436 -diff --git a/openssh-6.6p1/sandbox-seccomp-filter.c b/openssh-6.6p1/sandbox-seccomp-filter.c ---- a/openssh-6.6p1/sandbox-seccomp-filter.c -+++ b/openssh-6.6p1/sandbox-seccomp-filter.c -@@ -97,16 +97,17 @@ static const struct sock_filter preauth_ - SC_ALLOW(gettimeofday), +diff --git a/openssh-7.2p2/sandbox-seccomp-filter.c b/openssh-7.2p2/sandbox-seccomp-filter.c +--- a/openssh-7.2p2/sandbox-seccomp-filter.c ++++ b/openssh-7.2p2/sandbox-seccomp-filter.c +@@ -130,16 +130,19 @@ static const struct sock_filter preauth_ + SC_ALLOW(brk), + #endif + #ifdef __NR_clock_gettime SC_ALLOW(clock_gettime), - #ifdef __NR_time /* not defined on EABI ARM */ - SC_ALLOW(time), #endif - SC_ALLOW(read), - SC_ALLOW(write), + #ifdef __NR_close SC_ALLOW(close), + #endif ++#ifdef __NR_stat + SC_ALLOW(stat), - #ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ - SC_ALLOW(shutdown), ++#endif + #ifdef __NR_exit + SC_ALLOW(exit), #endif - SC_ALLOW(brk), - SC_ALLOW(poll), - #ifdef __NR__newselect - SC_ALLOW(_newselect), - #else + #ifdef __NR_exit_group + SC_ALLOW(exit_group), + #endif + #ifdef __NR_getpgid + SC_ALLOW(getpgid), ++++++ openssh-6.6p1-send_locale.patch -> openssh-7.2p2-send_locale.patch ++++++ --- /work/SRC/openSUSE:Factory/openssh/openssh-6.6p1-send_locale.patch 2014-04-17 14:43:48.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh-7.2p2-send_locale.patch 2016-07-28 23:45:14.000000000 +0200 
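Review bot: wrapping the addition in `#ifdef __NR_stat` means the allow silently disappears on architectures that have no stat(2) (aarch64 only provides newfstatat/fstatat), so the OpenSSL re-seed path named in the description will still be killed there; add matching `__NR_stat64` and `__NR_newfstatat` entries, or state that the fix is limited to architectures with a classic stat syscall. It is also worth recording in the patch header that this widens the pre-auth sandbox to allow file metadata probing (seccomp cannot constrain the pathname argument), since stat was deliberately absent from the upstream list.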
@@ -1,28 +1,37 @@ -# send locales in default configuration -# bnc#65747 +# HG changeset patch +# Parent 505927e61d1a7848f0003adb3619cc726b8e5d15 +send locales in default configuration +bnc#65747 -diff --git a/openssh-6.6p1/ssh_config b/openssh-6.6p1/ssh_config ---- a/openssh-6.6p1/ssh_config -+++ b/openssh-6.6p1/ssh_config -@@ -58,9 +58,14 @@ ForwardX11Trusted yes - # ProxyCommand ssh -q -W %h:%p gateway.example.com - - # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication - # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included - # in this release. The use of 'gssapi' is deprecated due to the presence of - # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to. - # GSSAPIEnableMITMAttack no +diff --git a/openssh-7.2p2/ssh_config b/openssh-7.2p2/ssh_config +--- a/openssh-7.2p2/ssh_config ++++ b/openssh-7.2p2/ssh_config +@@ -26,16 +26,21 @@ Host * + # security reasons: Someone stealing the authentification data on the + # remote side (the "spoofed" X-server by the remote sshd) can read your + # keystrokes as you type, just like any other X11 client could do. + # Set this to "no" here for global effect or in your own ~/.ssh/config + # file if you want to have the remote X11 authentification data to + # expire after twenty minutes after remote login. + ForwardX11Trusted yes +# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5). 
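Review bot: the added comment line has a typo, "locale enviroment variables" should be "locale environment variables". The three SendEnv lines themselves are harmless on the client side: nothing is applied remotely unless the server's AcceptEnv lists the same names, so the sshd_config half of this patch is where the review attention belongs.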
-+SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES -+SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT -+SendEnv LC_IDENTIFICATION LC_ALL ++ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES ++ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT ++ SendEnv LC_IDENTIFICATION LC_ALL + - # RekeyLimit 1G 1h -diff --git a/openssh-6.6p1/sshd_config b/openssh-6.6p1/sshd_config ---- a/openssh-6.6p1/sshd_config -+++ b/openssh-6.6p1/sshd_config -@@ -127,14 +127,19 @@ UsePrivilegeSeparation sandbox # Defaul + # RhostsRSAAuthentication no + # RSAAuthentication yes + # PasswordAuthentication yes + # HostbasedAuthentication no + # GSSAPIAuthentication no + # GSSAPIDelegateCredentials no + # BatchMode no + # CheckHostIP yes +diff --git a/openssh-7.2p2/sshd_config b/openssh-7.2p2/sshd_config +--- a/openssh-7.2p2/sshd_config ++++ b/openssh-7.2p2/sshd_config +@@ -120,14 +120,19 @@ X11Forwarding yes #VersionAddendum none # no default banner path ++++++ openssh-6.6p1.tar.gz -> openssh-7.2p2.tar.gz ++++++ ++++ 146817 lines of diff (skipped) ++++++ ssh-askpass ++++++ --- /var/tmp/diff_new_pack.A2ABBr/_old 2016-07-28 23:45:17.000000000 +0200 +++ /var/tmp/diff_new_pack.A2ABBr/_new 2016-07-28 23:45:17.000000000 +0200 @@ -24,13 +24,6 @@ fi fi -if [ -n "$SSH_AUTH_SOCK" ] ; then - # Ensure that ssh can use the ssh support of the gpg-agent - case "$SSH_AUTH_SOCK" in - */S.gpg-agent.ssh) gpg-connect-agent /bye < /dev/null ;; - esac -fi - GNOME_SSH_ASKPASS="@LIBEXECDIR@/ssh/gnome-ssh-askpass" KDE_SSH_ASKPASS="@LIBEXECDIR@/ssh/ksshaskpass" X11_SSH_ASKPASS="@LIBEXECDIR@/ssh/x11-ssh-askpass" ++++++ sshd.init ++++++ --- /var/tmp/diff_new_pack.A2ABBr/_old 2016-07-28 23:45:17.000000000 +0200 +++ /var/tmp/diff_new_pack.A2ABBr/_new 2016-07-28 23:45:17.000000000 +0200 @@ -1,5 +1,5 @@ #! /bin/sh -# Copyright (c) 1995-2013 SuSE GmbH Nuernberg, Germany. +# Copyright (c) 1995-2013 SUSE # # Author: Jiri Smid <[email protected]> # 
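Review bot: the ssh-askpass hunk deletes the `gpg-connect-agent /bye` wake-up for the `*/S.gpg-agent.ssh` case without any comment explaining why it is no longer needed; users who point SSH_AUTH_SOCK at gpg-agent's ssh socket will lose the implicit agent start, so the reason (and what they should do instead) belongs in the changes entry or in a comment left at the removal site.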
@@ -39,12 +39,12 @@ # rc_reset clear local rc status (overall remains) # rc_exit exit appropriate to overall rc status -soft_stop() { +function soft_stop () { echo -n "Shutting down the listening SSH daemon" killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN } -force_stop() { +function force_stop () { echo -n "Shutting down SSH daemon *with all active connections*" trap '' TERM killall sshd 2>/dev/null
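Review bot: `function soft_stop () {` and `function force_stop () {` use the bash/ksh `function` keyword, which is not POSIX, while the script is run under `#! /bin/sh`; the original `soft_stop() {` form is correct in both, so this change should be dropped unless the script is meant to require bash, in which case the shebang should say so.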
