From 4722d4b7980d6fd8145e2e9f08492d951ea261d1 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 6 May 2024 03:26:58 +0200 Subject: Adding debian version 1:7.9p1-10+deb10u2. Signed-off-by: Daniel Baumann --- debian/patches/authorized-keys-man-symlink.patch | 26 + debian/patches/check-filenames-in-scp-client.patch | 187 ++ debian/patches/conch-old-privkey-format.patch | 71 + debian/patches/debian-banner.patch | 111 + debian/patches/debian-config.patch | 238 ++ debian/patches/dnssec-sshfp.patch | 94 + debian/patches/doc-hash-tab-completion.patch | 28 + debian/patches/fix-key-type-check.patch | 88 + debian/patches/gnome-ssh-askpass2-icon.patch | 26 + debian/patches/gssapi.patch | 3353 ++++++++++++++++++++ ...orce-update-at-beginning-and-end-transfer.patch | 120 + debian/patches/keepalive-extensions.patch | 134 + .../patches/mention-ssh-keygen-on-keychange.patch | 44 + debian/patches/no-openssl-version-status.patch | 62 + debian/patches/openbsd-docs.patch | 148 + debian/patches/package-versioning.patch | 61 + .../patches/request-rsa-sha2-cert-signatures.patch | 39 + debian/patches/restore-authorized_keys2.patch | 35 + debian/patches/restore-tcp-wrappers.patch | 172 + debian/patches/revert-ipqos-defaults.patch | 93 + debian/patches/sandbox-seccomp-ipc.patch | 48 + .../sanitize-scp-filenames-via-snmprintf.patch | 276 ++ .../scp-disallow-dot-or-empty-filename.patch | 32 + debian/patches/scp-handle-braces.patch | 353 +++ debian/patches/scp-quoting.patch | 41 + debian/patches/seccomp-handle-shm.patch | 38 + debian/patches/seccomp-s390-flock-ipc.patch | 47 + .../patches/seccomp-s390-ioctl-ep11-crypto.patch | 33 + debian/patches/selinux-role.patch | 472 +++ debian/patches/series | 36 + debian/patches/shell-path.patch | 39 + debian/patches/ssh-agent-setgid.patch | 40 + debian/patches/ssh-argv0.patch | 31 + debian/patches/ssh-vulnkey-compat.patch | 42 + debian/patches/syslog-level-silent.patch | 47 + debian/patches/systemd-readiness.patch | 84 + debian/patches/user-group-modes.patch | 210 ++ 37 files changed, 6999 insertions(+) create mode 100644 debian/patches/authorized-keys-man-symlink.patch create mode 100644 debian/patches/check-filenames-in-scp-client.patch create mode 100644 debian/patches/conch-old-privkey-format.patch create mode 100644 debian/patches/debian-banner.patch create mode 100644 debian/patches/debian-config.patch create mode 100644 debian/patches/dnssec-sshfp.patch create mode 100644 debian/patches/doc-hash-tab-completion.patch create mode 100644 debian/patches/fix-key-type-check.patch create mode 100644 debian/patches/gnome-ssh-askpass2-icon.patch create mode 100644 debian/patches/gssapi.patch create mode 100644 debian/patches/have-progressmeter-force-update-at-beginning-and-end-transfer.patch create mode 100644 debian/patches/keepalive-extensions.patch create mode 100644 debian/patches/mention-ssh-keygen-on-keychange.patch create mode 100644 debian/patches/no-openssl-version-status.patch create mode 100644 debian/patches/openbsd-docs.patch create mode 100644 debian/patches/package-versioning.patch create mode 100644 debian/patches/request-rsa-sha2-cert-signatures.patch create mode 100644 debian/patches/restore-authorized_keys2.patch create mode 100644 debian/patches/restore-tcp-wrappers.patch create mode 100644 debian/patches/revert-ipqos-defaults.patch create mode 100644 debian/patches/sandbox-seccomp-ipc.patch create mode 100644 debian/patches/sanitize-scp-filenames-via-snmprintf.patch create mode 100644 debian/patches/scp-disallow-dot-or-empty-filename.patch create mode 100644 debian/patches/scp-handle-braces.patch create mode 100644 debian/patches/scp-quoting.patch create mode 100644 debian/patches/seccomp-handle-shm.patch create mode 100644 debian/patches/seccomp-s390-flock-ipc.patch create mode 100644 debian/patches/seccomp-s390-ioctl-ep11-crypto.patch create mode 100644 debian/patches/selinux-role.patch create mode 100644 debian/patches/series create mode 100644 debian/patches/shell-path.patch create mode 100644 debian/patches/ssh-agent-setgid.patch create mode 100644 debian/patches/ssh-argv0.patch create mode 100644 debian/patches/ssh-vulnkey-compat.patch create mode 100644 debian/patches/syslog-level-silent.patch create mode 100644 debian/patches/systemd-readiness.patch create mode 100644 debian/patches/user-group-modes.patch (limited to 'debian/patches') diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch new file mode 100644 index 0000000..c895e63 --- /dev/null +++ b/debian/patches/authorized-keys-man-symlink.patch @@ -0,0 +1,26 @@ +From 67a6cbb29f77920718884e783238f4a00fe64001 Mon Sep 17 00:00:00 2001 +From: Tomas Pospisek +Date: Sun, 9 Feb 2014 16:10:07 +0000 +Subject: Install authorized_keys(5) as a symlink to sshd(8) + +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720 +Bug-Debian: http://bugs.debian.org/441817 +Last-Update: 2013-09-14 + +Patch-Name: authorized-keys-man-symlink.patch +--- + Makefile.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Makefile.in b/Makefile.in +index 70050ffb6..ee166114d 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -356,6 +356,7 @@ install-files: + $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 + $(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5 + $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 ++ ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5 + $(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 + $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 + $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 diff --git a/debian/patches/check-filenames-in-scp-client.patch b/debian/patches/check-filenames-in-scp-client.patch new file mode 100644 index 0000000..519358c --- /dev/null +++ b/debian/patches/check-filenames-in-scp-client.patch @@ -0,0 +1,187 @@ +From 125924e47db3713a85a70e0f8d6c23818d2ea054 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Sat, 26 Jan 2019 22:41:28 +0000 +Subject: upstream: check in scp client that filenames sent during + +remote->local directory copies satisfy the wildcard specified by the user. + +This checking provides some protection against a malicious server +sending unexpected filenames, but it comes at a risk of rejecting wanted +files due to differences between client and server wildcard expansion rules. + +For this reason, this also adds a new -T flag to disable the check. + +reported by Harry Sintonen +fix approach suggested by markus@; +has been in snaps for ~1wk courtesy deraadt@ + +OpenBSD-Commit-ID: 00f44b50d2be8e321973f3c6d014260f8f7a8eda + +CVE-2019-6111 + +Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=391ffc4b9d31fa1f4ad566499fef9176ff8a07dc +Last-Update: 2019-02-08 + +Patch-Name: check-filenames-in-scp-client.patch +--- + scp.1 | 12 +++++++++++- + scp.c | 37 +++++++++++++++++++++++++++++-------- + 2 files changed, 40 insertions(+), 9 deletions(-) + +diff --git a/scp.1 b/scp.1 +index 0e5cc1b2d..397e77091 100644 +--- a/scp.1 ++++ b/scp.1 +@@ -18,7 +18,7 @@ + .Nd secure copy (remote file copy program) + .Sh SYNOPSIS + .Nm scp +-.Op Fl 346BCpqrv ++.Op Fl 346BCpqrTv + .Op Fl c Ar cipher + .Op Fl F Ar ssh_config + .Op Fl i Ar identity_file +@@ -208,6 +208,16 @@ to use for the encrypted connection. + The program must understand + .Xr ssh 1 + options. ++.It Fl T ++Disable strict filename checking. ++By default when copying files from a remote host to a local directory ++.Nm ++checks that the received filenames match those requested on the command-line ++to prevent the remote end from sending unexpected or unwanted files. ++Because of differences in how various operating systems and shells interpret ++filename wildcards, these checks may cause wanted files to be rejected. ++This option disables these checks at the expense of fully trusting that ++the server will not send unexpected filenames. + .It Fl v + Verbose mode. + Causes +diff --git a/scp.c b/scp.c +index 1971c80cd..035037bcc 100644 +--- a/scp.c ++++ b/scp.c +@@ -94,6 +94,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -383,14 +384,14 @@ void verifydir(char *); + struct passwd *pwd; + uid_t userid; + int errs, remin, remout; +-int pflag, iamremote, iamrecursive, targetshouldbedirectory; ++int Tflag, pflag, iamremote, iamrecursive, targetshouldbedirectory; + + #define CMDNEEDS 64 + char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ + + int response(void); + void rsource(char *, struct stat *); +-void sink(int, char *[]); ++void sink(int, char *[], const char *); + void source(int, char *[]); + void tolocal(int, char *[]); + void toremote(int, char *[]); +@@ -429,8 +430,9 @@ main(int argc, char **argv) + addargs(&args, "-oRemoteCommand=none"); + addargs(&args, "-oRequestTTY=no"); + +- fflag = tflag = 0; +- while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1) ++ fflag = Tflag = tflag = 0; ++ while ((ch = getopt(argc, argv, ++ "dfl:prtTvBCc:i:P:q12346S:o:F:")) != -1) { + switch (ch) { + /* User-visible flags. */ + case '1': +@@ -509,9 +511,13 @@ main(int argc, char **argv) + setmode(0, O_BINARY); + #endif + break; ++ case 'T': ++ Tflag = 1; ++ break; + default: + usage(); + } ++ } + argc -= optind; + argv += optind; + +@@ -542,7 +548,7 @@ main(int argc, char **argv) + } + if (tflag) { + /* Receive data. */ +- sink(argc, argv); ++ sink(argc, argv, NULL); + exit(errs != 0); + } + if (argc < 2) +@@ -800,7 +806,7 @@ tolocal(int argc, char **argv) + continue; + } + free(bp); +- sink(1, argv + argc - 1); ++ sink(1, argv + argc - 1, src); + (void) close(remin); + remin = remout = -1; + } +@@ -976,7 +982,7 @@ rsource(char *name, struct stat *statp) + (sizeof(type) != 4 && sizeof(type) != 8)) + + void +-sink(int argc, char **argv) ++sink(int argc, char **argv, const char *src) + { + static BUF buffer; + struct stat stb; +@@ -992,6 +998,7 @@ sink(int argc, char **argv) + unsigned long long ull; + int setimes, targisdir, wrerrno = 0; + char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; ++ char *src_copy = NULL, *restrict_pattern = NULL; + struct timeval tv[2]; + + #define atime tv[0] +@@ -1016,6 +1023,17 @@ sink(int argc, char **argv) + (void) atomicio(vwrite, remout, "", 1); + if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode)) + targisdir = 1; ++ if (src != NULL && !iamrecursive && !Tflag) { ++ /* ++ * Prepare to try to restrict incoming filenames to match ++ * the requested destination file glob. ++ */ ++ if ((src_copy = strdup(src)) == NULL) ++ fatal("strdup failed"); ++ if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) { ++ *restrict_pattern++ = '\0'; ++ } ++ } + for (first = 1;; first = 0) { + cp = buf; + if (atomicio(read, remin, cp, 1) != 1) +@@ -1120,6 +1138,9 @@ sink(int argc, char **argv) + run_err("error: unexpected filename: %s", cp); + exit(1); + } ++ if (restrict_pattern != NULL && ++ fnmatch(restrict_pattern, cp, 0) != 0) ++ SCREWUP("filename does not match request"); + if (targisdir) { + static char *namebuf; + static size_t cursize; +@@ -1157,7 +1178,7 @@ sink(int argc, char **argv) + goto bad; + } + vect[0] = xstrdup(np); +- sink(1, vect); ++ sink(1, vect, src); + if (setimes) { + setimes = 0; + if (utimes(vect[0], tv) < 0) diff --git a/debian/patches/conch-old-privkey-format.patch b/debian/patches/conch-old-privkey-format.patch new file mode 100644 index 0000000..90bb3e9 --- /dev/null +++ b/debian/patches/conch-old-privkey-format.patch @@ -0,0 +1,71 @@ +From 1d2a55436d4b556269f42ad5f7e16608b5a8ed74 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Thu, 30 Aug 2018 00:58:56 +0100 +Subject: Work around conch interoperability failure + +Twisted Conch fails to read private keys in the new format +(https://twistedmatrix.com/trac/ticket/9515). Work around this until it +can be fixed in Twisted. + +Forwarded: not-needed +Last-Update: 2018-08-30 + +Patch-Name: conch-old-privkey-format.patch +--- + regress/Makefile | 5 +++-- + regress/conch-ciphers.sh | 2 +- + regress/test-exec.sh | 12 ++++++++++++ + 3 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/regress/Makefile b/regress/Makefile +index 647b4a049..6e462a4f6 100644 +--- a/regress/Makefile ++++ b/regress/Makefile +@@ -110,8 +110,9 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ + modpipe netcat no_identity_config \ + pidfile putty.rsa2 ready regress.log \ + remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \ +- rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \ +- rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ ++ rsa1 rsa1-agent rsa1-agent.pub rsa1.pub \ ++ rsa_oldfmt rsa_oldfmt.pub \ ++ rsa_ssh2_cr.prv rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ + scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ + sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ + ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ +diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh +index 199d863a0..c7df19fd4 100644 +--- a/regress/conch-ciphers.sh ++++ b/regress/conch-ciphers.sh +@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \ + rm -f ${COPY} + # XXX the 2nd "cat" seems to be needed because of buggy FD handling + # in conch +- ${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \ ++ ${CONCH} --identity $OBJ/rsa_oldfmt --port $PORT --user $USER -e none \ + --known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \ + 127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY} + if [ $? -ne 0 ]; then +diff --git a/regress/test-exec.sh b/regress/test-exec.sh +index 40d46e3cd..1bbd47f25 100644 +--- a/regress/test-exec.sh ++++ b/regress/test-exec.sh +@@ -504,6 +504,18 @@ REGRESS_INTEROP_CONCH=no + if test -x "$CONCH" ; then + REGRESS_INTEROP_CONCH=yes + fi ++case "$SCRIPT" in ++*conch*) ;; ++*) REGRESS_INTEROP_CONCH=no ++esac ++ ++if test "$REGRESS_INTEROP_CONCH" = "yes" ; then ++ # Convert rsa key to old format to work around ++ # https://twistedmatrix.com/trac/ticket/9515 ++ cp $OBJ/rsa $OBJ/rsa_oldfmt ++ cp $OBJ/rsa.pub $OBJ/rsa_oldfmt.pub ++ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/rsa_oldfmt >/dev/null ++fi + + # If PuTTY is present and we are running a PuTTY test, prepare keys and + # configuration diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch new file mode 100644 index 0000000..7963b03 --- /dev/null +++ b/debian/patches/debian-banner.patch @@ -0,0 +1,111 @@ +From a18385c6866da4d69f46b64626ae5d60b4cf4a66 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Sun, 9 Feb 2014 16:10:06 +0000 +Subject: Add DebianBanner server configuration option + +Setting this to "no" causes sshd to omit the Debian revision from its +initial protocol handshake, for those scared by package-versioning.patch. + +Bug-Debian: http://bugs.debian.org/562048 +Forwarded: not-needed +Last-Update: 2018-10-19 + +Patch-Name: debian-banner.patch +--- + servconf.c | 9 +++++++++ + servconf.h | 2 ++ + sshd.c | 3 ++- + sshd_config.5 | 5 +++++ + 4 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/servconf.c b/servconf.c +index 6caf1db38..c5dd617ef 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -182,6 +182,7 @@ initialize_server_options(ServerOptions *options) + options->fingerprint_hash = -1; + options->disable_forwarding = -1; + options->expose_userauth_info = -1; ++ options->debian_banner = -1; + } + + /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ +@@ -417,6 +418,8 @@ fill_default_server_options(ServerOptions *options) + options->disable_forwarding = 0; + if (options->expose_userauth_info == -1) + options->expose_userauth_info = 0; ++ if (options->debian_banner == -1) ++ options->debian_banner = 1; + + assemble_algorithms(options); + +@@ -504,6 +507,7 @@ typedef enum { + sStreamLocalBindMask, sStreamLocalBindUnlink, + sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, + sExposeAuthInfo, sRDomain, ++ sDebianBanner, + sDeprecated, sIgnore, sUnsupported + } ServerOpCodes; + +@@ -661,6 +665,7 @@ static struct { + { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, + { "rdomain", sRDomain, SSHCFG_ALL }, + { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, ++ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, + { NULL, sBadOption, 0 } + }; + +@@ -2173,6 +2178,10 @@ process_server_config_line(ServerOptions *options, char *line, + *charptr = xstrdup(arg); + break; + ++ case sDebianBanner: ++ intptr = &options->debian_banner; ++ goto parse_flag; ++ + case sDeprecated: + case sIgnore: + case sUnsupported: +diff --git a/servconf.h b/servconf.h +index 3b76da816..4e3c54042 100644 +--- a/servconf.h ++++ b/servconf.h +@@ -212,6 +212,8 @@ typedef struct { + int fingerprint_hash; + int expose_userauth_info; + u_int64_t timing_secret; ++ ++ int debian_banner; + } ServerOptions; + + /* Information about the incoming connection as used by Match */ +diff --git a/sshd.c b/sshd.c +index 9481272fc..d7e77d343 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -384,7 +384,8 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) + char remote_version[256]; /* Must be at least as big as buf. */ + + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, ++ options.debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum); + +diff --git a/sshd_config.5 b/sshd_config.5 +index e7e55dd71..37e6be38f 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -543,6 +543,11 @@ or + .Cm no . + The default is + .Cm yes . ++.It Cm DebianBanner ++Specifies whether the distribution-specified extra version suffix is ++included during initial protocol handshake. ++The default is ++.Cm yes . + .It Cm DenyGroups + This keyword can be followed by a list of group name patterns, separated + by spaces. diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch new file mode 100644 index 0000000..4866d52 --- /dev/null +++ b/debian/patches/debian-config.patch @@ -0,0 +1,238 @@ +From a433d9baa031d7136a8cf3e3807ebff83a3a8634 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 9 Feb 2014 16:10:18 +0000 +Subject: Various Debian-specific configuration changes + +ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause +fewer problems with existing setups (http://bugs.debian.org/237021). + +ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024). + +ssh: Enable HashKnownHosts by default to try to limit the spread of ssh +worms. + +ssh: Enable GSSAPIAuthentication by default. + +sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable +PrintMotd. + +sshd: Enable X11Forwarding. + +sshd: Set 'AcceptEnv LANG LC_*' by default. + +sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server. + +Document all of this. + +Author: Russ Allbery +Forwarded: not-needed +Last-Update: 2017-10-04 + +Patch-Name: debian-config.patch +--- + readconf.c | 2 +- + ssh.1 | 21 +++++++++++++++++++++ + ssh_config | 6 +++++- + ssh_config.5 | 19 ++++++++++++++++++- + sshd_config | 16 ++++++++++------ + sshd_config.5 | 22 ++++++++++++++++++++++ + 6 files changed, 77 insertions(+), 9 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 6b01f20d2..661b8bf40 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -2000,7 +2000,7 @@ fill_default_options(Options * options) + if (options->forward_x11 == -1) + options->forward_x11 = 0; + if (options->forward_x11_trusted == -1) +- options->forward_x11_trusted = 0; ++ options->forward_x11_trusted = 1; + if (options->forward_x11_timeout == -1) + options->forward_x11_timeout = 1200; + /* +diff --git a/ssh.1 b/ssh.1 +index ad1ed0f86..1bcc8edab 100644 +--- a/ssh.1 ++++ b/ssh.1 +@@ -782,6 +782,16 @@ directive in + .Xr ssh_config 5 + for more information. + .Pp ++(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension ++restrictions by default, because too many programs currently crash in this ++mode. ++Set the ++.Cm ForwardX11Trusted ++option to ++.Dq no ++to restore the upstream behaviour. ++This may change in future depending on client-side improvements.) ++.Pp + .It Fl x + Disables X11 forwarding. + .Pp +@@ -790,6 +800,17 @@ Enables trusted X11 forwarding. + Trusted X11 forwardings are not subjected to the X11 SECURITY extension + controls. + .Pp ++(Debian-specific: This option does nothing in the default configuration: it ++is equivalent to ++.Dq Cm ForwardX11Trusted No yes , ++which is the default as described above. ++Set the ++.Cm ForwardX11Trusted ++option to ++.Dq no ++to restore the upstream behaviour. ++This may change in future depending on client-side improvements.) ++.Pp + .It Fl y + Send log information using the + .Xr syslog 3 +diff --git a/ssh_config b/ssh_config +index bcb9f153d..1b676fb2c 100644 +--- a/ssh_config ++++ b/ssh_config +@@ -17,9 +17,10 @@ + # list of available options, their meanings and defaults, please see the + # ssh_config(5) man page. + +-# Host * ++Host * + # ForwardAgent no + # ForwardX11 no ++# ForwardX11Trusted yes + # PasswordAuthentication yes + # HostbasedAuthentication no + # GSSAPIAuthentication no +@@ -46,3 +47,6 @@ + # VisualHostKey no + # ProxyCommand ssh -q -W %h:%p gateway.example.com + # RekeyLimit 1G 1h ++ SendEnv LANG LC_* ++ HashKnownHosts yes ++ GSSAPIAuthentication yes +diff --git a/ssh_config.5 b/ssh_config.5 +index a91355726..1a8e24bd1 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more + host-specific declarations should be given near the beginning of the + file, and general defaults at the end. + .Pp ++Note that the Debian ++.Ic openssh-client ++package sets several options as standard in ++.Pa /etc/ssh/ssh_config ++which are not the default in ++.Xr ssh 1 : ++.Pp ++.Bl -bullet -offset indent -compact ++.It ++.Cm SendEnv No LANG LC_* ++.It ++.Cm HashKnownHosts No yes ++.It ++.Cm GSSAPIAuthentication No yes ++.El ++.Pp + The file contains keyword-argument pairs, one per line. + Lines starting with + .Ql # +@@ -699,11 +715,12 @@ elapsed. + .It Cm ForwardX11Trusted + If this option is set to + .Cm yes , ++(the Debian-specific default), + remote X11 clients will have full access to the original X11 display. + .Pp + If this option is set to + .Cm no +-(the default), ++(the upstream default), + remote X11 clients will be considered untrusted and prevented + from stealing or tampering with data belonging to trusted X11 + clients. +diff --git a/sshd_config b/sshd_config +index 2c48105f8..ed8272f6d 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -57,8 +57,9 @@ AuthorizedKeysFile .ssh/authorized_keys + #PasswordAuthentication yes + #PermitEmptyPasswords no + +-# Change to no to disable s/key passwords +-#ChallengeResponseAuthentication yes ++# Change to yes to enable challenge-response passwords (beware issues with ++# some PAM modules and threads) ++ChallengeResponseAuthentication no + + # Kerberos options + #KerberosAuthentication no +@@ -81,16 +82,16 @@ AuthorizedKeysFile .ssh/authorized_keys + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and ChallengeResponseAuthentication to 'no'. +-#UsePAM no ++UsePAM yes + + #AllowAgentForwarding yes + #AllowTcpForwarding yes + #GatewayPorts no +-#X11Forwarding no ++X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PermitTTY yes +-#PrintMotd yes ++PrintMotd no + #PrintLastLog yes + #TCPKeepAlive yes + #PermitUserEnvironment no +@@ -107,8 +108,11 @@ AuthorizedKeysFile .ssh/authorized_keys + # no default banner path + #Banner none + ++# Allow client to pass locale environment variables ++AcceptEnv LANG LC_* ++ + # override default of no subsystems +-Subsystem sftp /usr/libexec/sftp-server ++Subsystem sftp /usr/lib/openssh/sftp-server + + # Example of overriding settings on a per-user basis + #Match User anoncvs +diff --git a/sshd_config.5 b/sshd_config.5 +index 23f71fd1d..ba50a30f1 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -56,6 +56,28 @@ Arguments may optionally be enclosed in double quotes + .Pq \&" + in order to represent arguments containing spaces. + .Pp ++Note that the Debian ++.Ic openssh-server ++package sets several options as standard in ++.Pa /etc/ssh/sshd_config ++which are not the default in ++.Xr sshd 8 : ++.Pp ++.Bl -bullet -offset indent -compact ++.It ++.Cm ChallengeResponseAuthentication No no ++.It ++.Cm X11Forwarding No yes ++.It ++.Cm PrintMotd No no ++.It ++.Cm AcceptEnv No LANG LC_* ++.It ++.Cm Subsystem No sftp /usr/lib/openssh/sftp-server ++.It ++.Cm UsePAM No yes ++.El ++.Pp + The possible + keywords and their meanings are as follows (note that + keywords are case-insensitive and arguments are case-sensitive): diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch new file mode 100644 index 0000000..e2acdf1 --- /dev/null +++ b/debian/patches/dnssec-sshfp.patch @@ -0,0 +1,94 @@ +From 0ee33d93c5c7a5fbb8b027aa24e7c9668125fda9 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 9 Feb 2014 16:10:01 +0000 +Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf + +This allows SSHFP DNS records to be verified if glibc 2.11 is installed. + +Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup +Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049 +Last-Update: 2010-04-06 + +Patch-Name: dnssec-sshfp.patch +--- + dns.c | 14 +++++++++++++- + openbsd-compat/getrrsetbyname.c | 10 +++++----- + openbsd-compat/getrrsetbyname.h | 3 +++ + 3 files changed, 21 insertions(+), 6 deletions(-) + +diff --git a/dns.c b/dns.c +index ff1a2c41c..82ec97199 100644 +--- a/dns.c ++++ b/dns.c +@@ -211,6 +211,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, + { + u_int counter; + int result; ++ unsigned int rrset_flags = 0; + struct rrsetinfo *fingerprints = NULL; + + u_int8_t hostkey_algorithm; +@@ -234,8 +235,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, + return -1; + } + ++ /* ++ * Original getrrsetbyname function, found on OpenBSD for example, ++ * doesn't accept any flag and prerequisite for obtaining AD bit in ++ * DNS response is set by "options edns0" in resolv.conf. ++ * ++ * Our version is more clever and use RRSET_FORCE_EDNS0 flag. ++ */ ++#ifndef HAVE_GETRRSETBYNAME ++ rrset_flags |= RRSET_FORCE_EDNS0; ++#endif + result = getrrsetbyname(hostname, DNS_RDATACLASS_IN, +- DNS_RDATATYPE_SSHFP, 0, &fingerprints); ++ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints); ++ + if (result) { + verbose("DNS lookup error: %s", dns_result_totext(result)); + return -1; +diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c +index dc6fe0533..e061a290a 100644 +--- a/openbsd-compat/getrrsetbyname.c ++++ b/openbsd-compat/getrrsetbyname.c +@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, + goto fail; + } + +- /* don't allow flags yet, unimplemented */ +- if (flags) { ++ /* Allow RRSET_FORCE_EDNS0 flag only. */ ++ if ((flags & !RRSET_FORCE_EDNS0) != 0) { + result = ERRSET_INVAL; + goto fail; + } +@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, + #endif /* DEBUG */ + + #ifdef RES_USE_DNSSEC +- /* turn on DNSSEC if EDNS0 is configured */ +- if (_resp->options & RES_USE_EDNS0) +- _resp->options |= RES_USE_DNSSEC; ++ /* turn on DNSSEC if required */ ++ if (flags & RRSET_FORCE_EDNS0) ++ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); + #endif /* RES_USE_DNSEC */ + + /* make query */ +diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h +index 1283f5506..dbbc85a2a 100644 +--- a/openbsd-compat/getrrsetbyname.h ++++ b/openbsd-compat/getrrsetbyname.h +@@ -72,6 +72,9 @@ + #ifndef RRSET_VALIDATED + # define RRSET_VALIDATED 1 + #endif ++#ifndef RRSET_FORCE_EDNS0 ++# define RRSET_FORCE_EDNS0 0x0001 ++#endif + + /* + * Return codes for getrrsetbyname() diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch new file mode 100644 index 0000000..c6bc432 --- /dev/null +++ b/debian/patches/doc-hash-tab-completion.patch @@ -0,0 +1,28 @@ +From 1d0c41a7e0b2426733ddb598248d0488c9c00a8b Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 9 Feb 2014 16:10:11 +0000 +Subject: Document that HashKnownHosts may break tab-completion + +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727 +Bug-Debian: http://bugs.debian.org/430154 +Last-Update: 2013-09-14 + +Patch-Name: doc-hash-tab-completion.patch +--- + ssh_config.5 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ssh_config.5 b/ssh_config.5 +index 7d55fa820..a91355726 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -793,6 +793,9 @@ Note that existing names and addresses in known hosts files + will not be converted automatically, + but may be manually hashed using + .Xr ssh-keygen 1 . ++Use of this option may break facilities such as tab-completion that rely ++on being able to read unhashed host names from ++.Pa ~/.ssh/known_hosts . + .It Cm HostbasedAuthentication + Specifies whether to try rhosts based authentication with public key + authentication. diff --git a/debian/patches/fix-key-type-check.patch b/debian/patches/fix-key-type-check.patch new file mode 100644 index 0000000..846df57 --- /dev/null +++ b/debian/patches/fix-key-type-check.patch @@ -0,0 +1,88 @@ +From 5e021158aa22cc64da4fca1618ee0bfd2d031049 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 16 Nov 2018 02:43:56 +0000 +Subject: upstream: fix bug in HostbasedAcceptedKeyTypes and + +PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were +specified, then authentication would always fail for RSA keys as the monitor +checks only the base key (not the signature algorithm) type against +*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker + +OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2 +Last-Update: 2019-02-28 + +Patch-Name: fix-key-type-check.patch +--- + monitor.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +diff --git a/monitor.c b/monitor.c +index 08fddabd7..037d6d333 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: monitor.c,v 1.186 2018/07/20 03:46:34 djm Exp $ */ ++/* $OpenBSD: monitor.c,v 1.188 2018/11/16 02:43:56 djm Exp $ */ + /* + * Copyright 2002 Niels Provos + * Copyright 2002 Markus Friedl +@@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m) + return (0); + } + ++/* ++ * Check that the key type appears in the supplied pattern list, ignoring ++ * mismatches in the signature algorithm. (Signature algorithm checks are ++ * performed in the unprivileged authentication code). ++ * Returns 1 on success, 0 otherwise. ++ */ ++static int ++key_base_type_match(const char *method, const struct sshkey *key, ++ const char *list) ++{ ++ char *s, *l, *ol = xstrdup(list); ++ int found = 0; ++ ++ l = ol; ++ for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) { ++ if (sshkey_type_from_name(s) == key->type) { ++ found = 1; ++ break; ++ } ++ } ++ if (!found) { ++ error("%s key type %s is not in permitted list %s", method, ++ sshkey_ssh_name(key), list); ++ } ++ ++ free(ol); ++ return found; ++} ++ + int + mm_answer_authpassword(int sock, struct sshbuf *m) + { +@@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) + break; + if (auth2_key_already_used(authctxt, key)) + break; +- if (match_pattern_list(sshkey_ssh_name(key), +- options.pubkey_key_types, 0) != 1) ++ if (!key_base_type_match(auth_method, key, ++ options.pubkey_key_types)) + break; + allowed = user_key_allowed(ssh, authctxt->pw, key, + pubkey_auth_attempt, &opts); +@@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m) + break; + if (auth2_key_already_used(authctxt, key)) + break; +- if (match_pattern_list(sshkey_ssh_name(key), +- options.hostbased_key_types, 0) != 1) ++ if (!key_base_type_match(auth_method, key, ++ options.hostbased_key_types)) + break; + allowed = hostbased_key_allowed(authctxt->pw, + cuser, chost, key); diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch new file mode 100644 index 0000000..b6d4f12 --- /dev/null +++ b/debian/patches/gnome-ssh-askpass2-icon.patch @@ -0,0 +1,26 @@ +From df56506f727e37c13346259bdcd5975e257a259d Mon Sep 17 00:00:00 2001 +From: Vincent Untz +Date: Sun, 9 Feb 2014 16:10:16 +0000 +Subject: Give the ssh-askpass-gnome window a default icon + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152 +Last-Update: 2010-02-28 + +Patch-Name: gnome-ssh-askpass2-icon.patch +--- + contrib/gnome-ssh-askpass2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c +index 535a69274..e37a13382 100644 +--- a/contrib/gnome-ssh-askpass2.c ++++ b/contrib/gnome-ssh-askpass2.c +@@ -211,6 +211,8 @@ main(int argc, char **argv) + + gtk_init(&argc, &argv); + ++ gtk_window_set_default_icon_from_file ("/usr/share/pixmaps/ssh-askpass-gnome.png", NULL); ++ + if (argc > 1) { + message = g_strjoinv(" ", argv + 1); + } else { diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch new file mode 100644 index 0000000..f62bf66 --- /dev/null +++ b/debian/patches/gssapi.patch @@ -0,0 +1,3353 @@ +From 72b1d308e6400194ef6e4e7dd45bfa48fa39b5e6 Mon Sep 17 00:00:00 2001 +From: Simon Wilkinson +Date: Sun, 9 Feb 2014 16:09:48 +0000 +Subject: GSSAPI key exchange support + +This patch has been rejected upstream: "None of the OpenSSH developers are +in favour of adding this, and this situation has not changed for several +years. This is not a slight on Simon's patch, which is of fine quality, but +just that a) we don't trust GSSAPI implementations that much and b) we don't +like adding new KEX since they are pre-auth attack surface. This one is +particularly scary, since it requires hooks out to typically root-owned +system resources." + +However, quite a lot of people rely on this in Debian, and it's better to +have it merged into the main openssh package rather than having separate +-krb5 packages (as we used to have). It seems to have a generally good +security history. + +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 +Last-Updated: 2018-10-20 + +Patch-Name: gssapi.patch +--- + ChangeLog.gssapi | 113 ++++++++++++++++ + Makefile.in | 3 +- + auth-krb5.c | 17 ++- + auth.c | 96 +------------ + auth2-gss.c | 54 +++++++- + auth2.c | 2 + + canohost.c | 93 +++++++++++++ + canohost.h | 3 + + clientloop.c | 15 ++- + config.h.in | 6 + + configure.ac | 24 ++++ + gss-genr.c | 280 +++++++++++++++++++++++++++++++++++++- + gss-serv-krb5.c | 85 +++++++++++- + gss-serv.c | 184 +++++++++++++++++++++++-- + kex.c | 19 +++ + kex.h | 14 ++ + kexgssc.c | 341 +++++++++++++++++++++++++++++++++++++++++++++++ + kexgsss.c | 300 +++++++++++++++++++++++++++++++++++++++++ + monitor.c | 122 +++++++++++++++-- + monitor.h | 3 + + monitor_wrap.c | 53 +++++++- + monitor_wrap.h | 4 +- + opacket.c | 2 +- + opacket.h | 2 +- + readconf.c | 43 ++++++ + readconf.h | 5 + + servconf.c | 26 ++++ + servconf.h | 2 + + ssh-gss.h | 41 +++++- + ssh_config | 2 + + ssh_config.5 | 32 +++++ + sshconnect2.c | 133 +++++++++++++++++- + sshd.c | 110 +++++++++++++++ + sshd_config | 2 + + sshd_config.5 | 10 ++ + sshkey.c | 3 +- + sshkey.h | 1 + + 37 files changed, 2099 insertions(+), 146 deletions(-) + create mode 100644 ChangeLog.gssapi + create mode 100644 kexgssc.c + create mode 100644 kexgsss.c + +diff --git a/ChangeLog.gssapi b/ChangeLog.gssapi +new file mode 100644 +index 000000000..f117a336a +--- /dev/null ++++ b/ChangeLog.gssapi +@@ -0,0 +1,113 @@ ++20110101 ++ - Finally update for OpenSSH 5.6p1 ++ - Add GSSAPIServerIdentity option from Jim Basney ++ ++20100308 ++ - [ Makefile.in, key.c, key.h ] ++ Updates for OpenSSH 5.4p1 ++ - [ servconf.c ] ++ Include GSSAPI options in the sshd -T configuration dump, and flag ++ some older configuration options as being unsupported. Thanks to Colin ++ Watson. ++ - ++ ++20100124 ++ - [ sshconnect2.c ] ++ Adapt to deal with additional element in Authmethod structure. Thanks to ++ Colin Watson ++ ++20090615 ++ - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c ++ sshd.c ] ++ Fix issues identified by Greg Hudson following a code review ++ Check return value of gss_indicate_mechs ++ Protect GSSAPI calls in monitor, so they can only be used if enabled ++ Check return values of bignum functions in key exchange ++ Use BN_clear_free to clear other side's DH value ++ Make ssh_gssapi_id_kex more robust ++ Only configure kex table pointers if GSSAPI is enabled ++ Don't leak mechanism list, or gss mechanism list ++ Cast data.length before printing ++ If serverkey isn't provided, use an empty string, rather than NULL ++ ++20090201 ++ - [ gss-genr.c gss-serv.c kex.h kexgssc.c readconf.c readconf.h ssh-gss.h ++ ssh_config.5 sshconnet2.c ] ++ Add support for the GSSAPIClientIdentity option, which allows the user ++ to specify which GSSAPI identity to use to contact a given server ++ ++20080404 ++ - [ gss-serv.c ] ++ Add code to actually implement GSSAPIStrictAcceptCheck, which had somehow ++ been omitted from a previous version of this patch. Reported by Borislav ++ Stoichkov ++ ++20070317 ++ - [ gss-serv-krb5.c ] ++ Remove C99ism, where new_ccname was being declared in the middle of a ++ function ++ ++20061220 ++ - [ servconf.c ] ++ Make default for GSSAPIStrictAcceptorCheck be Yes, to match previous, and ++ documented, behaviour. Reported by Dan Watson. ++ ++20060910 ++ - [ gss-genr.c kexgssc.c kexgsss.c kex.h monitor.c sshconnect2.c sshd.c ++ ssh-gss.h ] ++ add support for gss-group14-sha1 key exchange mechanisms ++ - [ gss-serv.c servconf.c servconf.h sshd_config sshd_config.5 ] ++ Add GSSAPIStrictAcceptorCheck option to allow the disabling of ++ acceptor principal checking on multi-homed machines. ++ ++ - [ sshd_config ssh_config ] ++ Add settings for GSSAPIKeyExchange and GSSAPITrustDNS to the sample ++ configuration files ++ - [ kexgss.c kegsss.c sshconnect2.c sshd.c ] ++ Code cleanup. Replace strlen/xmalloc/snprintf sequences with xasprintf() ++ Limit length of error messages displayed by client ++ ++20060909 ++ - [ gss-genr.c gss-serv.c ] ++ move ssh_gssapi_acquire_cred() and ssh_gssapi_server_ctx to be server ++ only, where they belong ++ ++ ++20060829 ++ - [ gss-serv-krb5.c ] ++ Fix CCAPI credentials cache name when creating KRB5CCNAME environment ++ variable ++ ++20060828 ++ - [ gss-genr.c ] ++ Avoid Heimdal context freeing problem ++ ++ ++20060818 ++ - [ gss-genr.c ssh-gss.h sshconnect2.c ] ++ Make sure that SPENGO is disabled ++ ++ ++20060421 ++ - [ gssgenr.c, sshconnect2.c ] ++ a few type changes (signed versus unsigned, int versus size_t) to ++ fix compiler errors/warnings ++ (from jbasney AT ncsa.uiuc.edu) ++ - [ kexgssc.c, sshconnect2.c ] ++ fix uninitialized variable warnings ++ (from jbasney AT ncsa.uiuc.edu) ++ - [ gssgenr.c ] ++ pass oid to gss_display_status (helpful when using GSSAPI mechglue) ++ (from jbasney AT ncsa.uiuc.edu) ++ ++ - [ gss-serv-krb5.c ] ++ #ifdef HAVE_GSSAPI_KRB5 should be #ifdef HAVE_GSSAPI_KRB5_H ++ (from jbasney AT ncsa.uiuc.edu) ++ ++ - [ readconf.c, readconf.h, ssh_config.5, sshconnect2.c ++ add client-side GssapiKeyExchange option ++ (from jbasney AT ncsa.uiuc.edu) ++ - [ sshconnect2.c ] ++ add support for GssapiTrustDns option for gssapi-with-mic ++ (from jbasney AT ncsa.uiuc.edu) ++ +diff --git a/Makefile.in b/Makefile.in +index 126b2c742..70050ffb6 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -100,6 +100,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ + kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ + kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ + kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ ++ kexgssc.o \ + platform-pledge.o platform-tracing.o platform-misc.o + + SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ +@@ -113,7 +114,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ + auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ + auth2-none.o auth2-passwd.o auth2-pubkey.o \ + monitor.o monitor_wrap.o auth-krb5.o \ +- auth2-gss.o gss-serv.o gss-serv-krb5.o \ ++ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ + sftp-server.o sftp-common.o \ + sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ +diff --git a/auth-krb5.c b/auth-krb5.c +index 3096f1c8e..204752e1b 100644 +--- a/auth-krb5.c ++++ b/auth-krb5.c +@@ -182,8 +182,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) + + len = strlen(authctxt->krb5_ticket_file) + 6; + authctxt->krb5_ccname = xmalloc(len); ++#ifdef USE_CCAPI ++ snprintf(authctxt->krb5_ccname, len, "API:%s", ++ authctxt->krb5_ticket_file); ++#else + snprintf(authctxt->krb5_ccname, len, "FILE:%s", + authctxt->krb5_ticket_file); ++#endif + + #ifdef USE_PAM + if (options.use_pam) +@@ -240,15 +245,22 @@ krb5_cleanup_proc(Authctxt *authctxt) + #ifndef HEIMDAL + krb5_error_code + ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { +- int tmpfd, ret, oerrno; ++ int ret, oerrno; + char ccname[40]; + mode_t old_umask; ++#ifdef USE_CCAPI ++ char cctemplate[] = "API:krb5cc_%d"; ++#else ++ char cctemplate[] = "FILE:/tmp/krb5cc_%d_XXXXXXXXXX"; ++ int tmpfd; ++#endif + + ret = snprintf(ccname, sizeof(ccname), +- "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid()); ++ cctemplate, geteuid()); + if (ret < 0 || (size_t)ret >= sizeof(ccname)) + return ENOMEM; + ++#ifndef USE_CCAPI + old_umask = umask(0177); + tmpfd = mkstemp(ccname + strlen("FILE:")); + oerrno = errno; +@@ -265,6 +277,7 @@ ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) { + return oerrno; + } + close(tmpfd); ++#endif + + return (krb5_cc_resolve(ctx, ccname, ccache)); + } +diff --git a/auth.c b/auth.c +index 3ca3762cc..d8e6b4a3d 100644 +--- a/auth.c ++++ b/auth.c +@@ -399,7 +399,8 @@ auth_root_allowed(struct ssh *ssh, const char *method) + case PERMIT_NO_PASSWD: + if (strcmp(method, "publickey") == 0 || + strcmp(method, "hostbased") == 0 || +- strcmp(method, "gssapi-with-mic") == 0) ++ strcmp(method, "gssapi-with-mic") == 0 || ++ strcmp(method, "gssapi-keyex") == 0) + return 1; + break; + case PERMIT_FORCED_ONLY: +@@ -737,99 +738,6 @@ fakepw(void) + return (&fake); + } + +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) < 0) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- + /* + * Return the canonical name of the host in the other side of the current + * connection. The host name is cached, so it is efficient to call this +diff --git a/auth2-gss.c b/auth2-gss.c +index 9351e0428..1f12bb113 100644 +--- a/auth2-gss.c ++++ b/auth2-gss.c +@@ -1,7 +1,7 @@ + /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */ + + /* +- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. ++ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -54,6 +54,46 @@ static int input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh); + static int input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh); + static int input_gssapi_errtok(int, u_int32_t, struct ssh *); + ++/* ++ * The 'gssapi_keyex' userauth mechanism. ++ */ ++static int ++userauth_gsskeyex(struct ssh *ssh) ++{ ++ Authctxt *authctxt = ssh->authctxt; ++ int r, authenticated = 0; ++ struct sshbuf *b; ++ gss_buffer_desc mic, gssbuf; ++ u_char *p; ++ size_t len; ++ ++ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 || ++ (r = sshpkt_get_end(ssh)) != 0) ++ fatal("%s: %s", __func__, ssh_err(r)); ++ if ((b = sshbuf_new()) == NULL) ++ fatal("%s: sshbuf_new failed", __func__); ++ mic.value = p; ++ mic.length = len; ++ ++ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, ++ "gssapi-keyex"); ++ ++ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) ++ fatal("%s: sshbuf_mutable_ptr failed", __func__); ++ gssbuf.length = sshbuf_len(b); ++ ++ /* gss_kex_context is NULL with privsep, so we can't check it here */ ++ if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gss_kex_context, ++ &gssbuf, &mic)))) ++ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, ++ authctxt->pw)); ++ ++ sshbuf_free(b); ++ free(mic.value); ++ ++ return (authenticated); ++} ++ + /* + * We only support those mechanisms that we know about (ie ones that we know + * how to check local user kuserok and the like) +@@ -260,7 +300,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) + if ((r = sshpkt_get_end(ssh)) != 0) + fatal("%s: %s", __func__, ssh_err(r)); + +- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); ++ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, ++ authctxt->pw)); + + if ((!use_privsep || mm_is_monitor()) && + (displayname = ssh_gssapi_displayname()) != NULL) +@@ -306,7 +347,8 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) + gssbuf.length = sshbuf_len(b); + + if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) +- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); ++ authenticated = ++ PRIVSEP(ssh_gssapi_userok(authctxt->user, authctxt->pw)); + else + logit("GSSAPI MIC check failed"); + +@@ -326,6 +368,12 @@ input_gssapi_mic(int type, u_int32_t plen, struct ssh *ssh) + return 0; + } + ++Authmethod method_gsskeyex = { ++ "gssapi-keyex", ++ userauth_gsskeyex, ++ &options.gss_authentication ++}; ++ + Authmethod method_gssapi = { + "gssapi-with-mic", + userauth_gssapi, +diff --git a/auth2.c b/auth2.c +index 4d19957a6..a77742819 100644 +--- a/auth2.c ++++ b/auth2.c +@@ -74,6 +74,7 @@ extern Authmethod method_passwd; + extern Authmethod method_kbdint; + extern Authmethod method_hostbased; + #ifdef GSSAPI ++extern Authmethod method_gsskeyex; + extern Authmethod method_gssapi; + #endif + +@@ -81,6 +82,7 @@ Authmethod *authmethods[] = { + &method_none, + &method_pubkey, + #ifdef GSSAPI ++ &method_gsskeyex, + &method_gssapi, + #endif + &method_passwd, +diff --git a/canohost.c b/canohost.c +index f71a08568..404731d24 100644 +--- a/canohost.c ++++ b/canohost.c +@@ -35,6 +35,99 @@ + #include "canohost.h" + #include "misc.h" + ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ + void + ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) + { +diff --git a/canohost.h b/canohost.h +index 26d62855a..0cadc9f18 100644 +--- a/canohost.h ++++ b/canohost.h +@@ -15,6 +15,9 @@ + #ifndef _CANOHOST_H + #define _CANOHOST_H + ++struct ssh; ++ ++char *remote_hostname(struct ssh *); + char *get_peer_ipaddr(int); + int get_peer_port(int); + char *get_local_ipaddr(int); +diff --git a/clientloop.c b/clientloop.c +index 8d312cdaa..1464634b0 100644 +--- a/clientloop.c ++++ b/clientloop.c +@@ -112,6 +112,10 @@ + #include "ssherr.h" + #include "hostfile.h" + ++#ifdef GSSAPI ++#include "ssh-gss.h" ++#endif ++ + /* import options */ + extern Options options; + +@@ -1370,9 +1374,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, + break; + + /* Do channel operations unless rekeying in progress. */ +- if (!ssh_packet_is_rekeying(ssh)) ++ if (!ssh_packet_is_rekeying(ssh)) { + channel_after_select(ssh, readset, writeset); + ++#ifdef GSSAPI ++ if (options.gss_renewal_rekey && ++ ssh_gssapi_credentials_updated(NULL)) { ++ debug("credentials updated - forcing rekey"); ++ need_rekeying = 1; ++ } ++#endif ++ } ++ + /* Buffer input from the connection. */ + client_process_net_input(readset); + +diff --git a/config.h.in b/config.h.in +index 91b65db8f..209760c7c 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -1845,6 +1845,9 @@ + /* Use btmp to log bad logins */ + #undef USE_BTMP + ++/* platform uses an in-memory credentials cache */ ++#undef USE_CCAPI ++ + /* Use libedit for sftp */ + #undef USE_LIBEDIT + +@@ -1860,6 +1863,9 @@ + /* Use PIPES instead of a socketpair() */ + #undef USE_PIPES + ++/* platform has the Security Authorization Session API */ ++#undef USE_SECURITY_SESSION_API ++ + /* Define if you have Solaris privileges */ + #undef USE_SOLARIS_PRIVS + +diff --git a/configure.ac b/configure.ac +index 7379ab358..023e7cc55 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -664,6 +664,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + [Use tunnel device compatibility to OpenBSD]) + AC_DEFINE([SSH_TUN_PREPEND_AF], [1], + [Prepend the address family to IP tunnel traffic]) ++ AC_MSG_CHECKING([if we have the Security Authorization Session API]) ++ AC_TRY_COMPILE([#include ], ++ [SessionCreate(0, 0);], ++ [ac_cv_use_security_session_api="yes" ++ AC_DEFINE([USE_SECURITY_SESSION_API], [1], ++ [platform has the Security Authorization Session API]) ++ LIBS="$LIBS -framework Security" ++ AC_MSG_RESULT([yes])], ++ [ac_cv_use_security_session_api="no" ++ AC_MSG_RESULT([no])]) ++ AC_MSG_CHECKING([if we have an in-memory credentials cache]) ++ AC_TRY_COMPILE( ++ [#include ], ++ [cc_context_t c; ++ (void) cc_initialize (&c, 0, NULL, NULL);], ++ [AC_DEFINE([USE_CCAPI], [1], ++ [platform uses an in-memory credentials cache]) ++ LIBS="$LIBS -framework Security" ++ AC_MSG_RESULT([yes]) ++ if test "x$ac_cv_use_security_session_api" = "xno"; then ++ AC_MSG_ERROR([*** Need a security framework to use the credentials cache API ***]) ++ fi], ++ [AC_MSG_RESULT([no])] ++ ) + m4_pattern_allow([AU_IPv]) + AC_CHECK_DECL([AU_IPv4], [], + AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) +diff --git a/gss-genr.c b/gss-genr.c +index d56257b4a..491e62cee 100644 +--- a/gss-genr.c ++++ b/gss-genr.c +@@ -1,7 +1,7 @@ + /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */ + + /* +- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. ++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -39,14 +39,37 @@ + #include "xmalloc.h" + #include "ssherr.h" + #include "sshbuf.h" ++#include "sshkey.h" + #include "log.h" + #include "ssh2.h" ++#include "cipher.h" ++#include "kex.h" ++#include "digest.h" + + #include "ssh-gss.h" + + extern u_char *session_id2; + extern u_int session_id2_len; + ++typedef struct { ++ char *encoded; ++ gss_OID oid; ++} ssh_gss_kex_mapping; ++ ++/* ++ * XXX - It would be nice to find a more elegant way of handling the ++ * XXX passing of the key exchange context to the userauth routines ++ */ ++ ++Gssctxt *gss_kex_context = NULL; ++ ++static ssh_gss_kex_mapping *gss_enc2oid = NULL; ++ ++int ++ssh_gssapi_oid_table_ok(void) { ++ return (gss_enc2oid != NULL); ++} ++ + /* sshbuf_get for gss_buffer_desc */ + int + ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) +@@ -62,6 +85,143 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) + return 0; + } + ++/* ++ * Return a list of the gss-group1-sha1 mechanisms supported by this program ++ * ++ * We test mechanisms to ensure that we can use them, to avoid starting ++ * a key exchange with a bad mechanism ++ */ ++ ++char * ++ssh_gssapi_client_mechanisms(const char *host, const char *client) { ++ gss_OID_set gss_supported; ++ OM_uint32 min_status; ++ ++ if (GSS_ERROR(gss_indicate_mechs(&min_status, &gss_supported))) ++ return NULL; ++ ++ return(ssh_gssapi_kex_mechs(gss_supported, ssh_gssapi_check_mechanism, ++ host, client)); ++} ++ ++char * ++ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check, ++ const char *host, const char *client) { ++ struct sshbuf *buf; ++ size_t i; ++ int r, oidpos, enclen; ++ char *mechs, *encoded; ++ u_char digest[SSH_DIGEST_MAX_LENGTH]; ++ char deroid[2]; ++ struct ssh_digest_ctx *md; ++ ++ if (gss_enc2oid != NULL) { ++ for (i = 0; gss_enc2oid[i].encoded != NULL; i++) ++ free(gss_enc2oid[i].encoded); ++ free(gss_enc2oid); ++ } ++ ++ gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * ++ (gss_supported->count + 1)); ++ ++ if ((buf = sshbuf_new()) == NULL) ++ fatal("%s: sshbuf_new failed", __func__); ++ ++ oidpos = 0; ++ for (i = 0; i < gss_supported->count; i++) { ++ if (gss_supported->elements[i].length < 128 && ++ (*check)(NULL, &(gss_supported->elements[i]), host, client)) { ++ ++ deroid[0] = SSH_GSS_OIDTYPE; ++ deroid[1] = gss_supported->elements[i].length; ++ ++ if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL || ++ ssh_digest_update(md, deroid, 2) != 0 || ++ ssh_digest_update(md, ++ gss_supported->elements[i].elements, ++ gss_supported->elements[i].length) != 0 || ++ ssh_digest_final(md, digest, sizeof(digest)) != 0) ++ fatal("%s: digest failed", __func__); ++ ++ encoded = xmalloc(ssh_digest_bytes(SSH_DIGEST_MD5) ++ * 2); ++ enclen = __b64_ntop(digest, ++ ssh_digest_bytes(SSH_DIGEST_MD5), encoded, ++ ssh_digest_bytes(SSH_DIGEST_MD5) * 2); ++ ++ if (oidpos != 0) { ++ if ((r = sshbuf_put_u8(buf, ',')) != 0) ++ fatal("%s: buffer error: %s", ++ __func__, ssh_err(r)); ++ } ++ ++ if ((r = sshbuf_put(buf, KEX_GSS_GEX_SHA1_ID, ++ sizeof(KEX_GSS_GEX_SHA1_ID) - 1)) != 0 || ++ (r = sshbuf_put(buf, encoded, enclen)) != 0 || ++ (r = sshbuf_put_u8(buf, ',')) != 0 || ++ (r = sshbuf_put(buf, KEX_GSS_GRP1_SHA1_ID, ++ sizeof(KEX_GSS_GRP1_SHA1_ID) - 1)) != 0 || ++ (r = sshbuf_put(buf, encoded, enclen)) != 0 || ++ (r = sshbuf_put_u8(buf, ',')) != 0 || ++ (r = sshbuf_put(buf, KEX_GSS_GRP14_SHA1_ID, ++ sizeof(KEX_GSS_GRP14_SHA1_ID) - 1)) != 0 || ++ (r = sshbuf_put(buf, encoded, enclen)) != 0) ++ fatal("%s: buffer error: %s", ++ __func__, ssh_err(r)); ++ ++ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); ++ gss_enc2oid[oidpos].encoded = encoded; ++ oidpos++; ++ } ++ } ++ gss_enc2oid[oidpos].oid = NULL; ++ gss_enc2oid[oidpos].encoded = NULL; ++ ++ if ((mechs = sshbuf_dup_string(buf)) == NULL) ++ fatal("%s: sshbuf_dup_string failed", __func__); ++ ++ if (strlen(mechs) == 0) { ++ free(mechs); ++ mechs = NULL; ++ } ++ ++ return (mechs); ++} ++ ++gss_OID ++ssh_gssapi_id_kex(Gssctxt *ctx, char *name, int kex_type) { ++ int i = 0; ++ ++ switch (kex_type) { ++ case KEX_GSS_GRP1_SHA1: ++ if (strlen(name) < sizeof(KEX_GSS_GRP1_SHA1_ID)) ++ return GSS_C_NO_OID; ++ name += sizeof(KEX_GSS_GRP1_SHA1_ID) - 1; ++ break; ++ case KEX_GSS_GRP14_SHA1: ++ if (strlen(name) < sizeof(KEX_GSS_GRP14_SHA1_ID)) ++ return GSS_C_NO_OID; ++ name += sizeof(KEX_GSS_GRP14_SHA1_ID) - 1; ++ break; ++ case KEX_GSS_GEX_SHA1: ++ if (strlen(name) < sizeof(KEX_GSS_GEX_SHA1_ID)) ++ return GSS_C_NO_OID; ++ name += sizeof(KEX_GSS_GEX_SHA1_ID) - 1; ++ break; ++ default: ++ return GSS_C_NO_OID; ++ } ++ ++ while (gss_enc2oid[i].encoded != NULL && ++ strcmp(name, gss_enc2oid[i].encoded) != 0) ++ i++; ++ ++ if (gss_enc2oid[i].oid != NULL && ctx != NULL) ++ ssh_gssapi_set_oid(ctx, gss_enc2oid[i].oid); ++ ++ return gss_enc2oid[i].oid; ++} ++ + /* Check that the OID in a data stream matches that in the context */ + int + ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) +@@ -218,7 +378,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, + } + + ctx->major = gss_init_sec_context(&ctx->minor, +- GSS_C_NO_CREDENTIAL, &ctx->context, ctx->name, ctx->oid, ++ ctx->client_creds, &ctx->context, ctx->name, ctx->oid, + GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, + 0, NULL, recv_tok, NULL, send_tok, flags, NULL); + +@@ -247,9 +407,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) + return (ctx->major); + } + ++OM_uint32 ++ssh_gssapi_client_identity(Gssctxt *ctx, const char *name) ++{ ++ gss_buffer_desc gssbuf; ++ gss_name_t gssname; ++ OM_uint32 status; ++ gss_OID_set oidset; ++ ++ gssbuf.value = (void *) name; ++ gssbuf.length = strlen(gssbuf.value); ++ ++ gss_create_empty_oid_set(&status, &oidset); ++ gss_add_oid_set_member(&status, ctx->oid, &oidset); ++ ++ ctx->major = gss_import_name(&ctx->minor, &gssbuf, ++ GSS_C_NT_USER_NAME, &gssname); ++ ++ if (!ctx->major) ++ ctx->major = gss_acquire_cred(&ctx->minor, ++ gssname, 0, oidset, GSS_C_INITIATE, ++ &ctx->client_creds, NULL, NULL); ++ ++ gss_release_name(&status, &gssname); ++ gss_release_oid_set(&status, &oidset); ++ ++ if (ctx->major) ++ ssh_gssapi_error(ctx); ++ ++ return(ctx->major); ++} ++ + OM_uint32 + ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) + { ++ if (ctx == NULL) ++ return -1; ++ + if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, + GSS_C_QOP_DEFAULT, buffer, hash))) + ssh_gssapi_error(ctx); +@@ -257,6 +451,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) + return (ctx->major); + } + ++/* Priviledged when used by server */ ++OM_uint32 ++ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) ++{ ++ if (ctx == NULL) ++ return -1; ++ ++ ctx->major = gss_verify_mic(&ctx->minor, ctx->context, ++ gssbuf, gssmic, NULL); ++ ++ return (ctx->major); ++} ++ + void + ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, + const char *context) +@@ -273,11 +480,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, + } + + int +-ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) ++ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host, ++ const char *client) + { + gss_buffer_desc token = GSS_C_EMPTY_BUFFER; + OM_uint32 major, minor; + gss_OID_desc spnego_oid = {6, (void *)"\x2B\x06\x01\x05\x05\x02"}; ++ Gssctxt *intctx = NULL; ++ ++ if (ctx == NULL) ++ ctx = &intctx; + + /* RFC 4462 says we MUST NOT do SPNEGO */ + if (oid->length == spnego_oid.length && +@@ -287,6 +499,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) + ssh_gssapi_build_ctx(ctx); + ssh_gssapi_set_oid(*ctx, oid); + major = ssh_gssapi_import_name(*ctx, host); ++ ++ if (!GSS_ERROR(major) && client) ++ major = ssh_gssapi_client_identity(*ctx, client); ++ + if (!GSS_ERROR(major)) { + major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, + NULL); +@@ -296,10 +512,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) + GSS_C_NO_BUFFER); + } + +- if (GSS_ERROR(major)) ++ if (GSS_ERROR(major) || intctx != NULL) + ssh_gssapi_delete_ctx(ctx); + + return (!GSS_ERROR(major)); + } + ++int ++ssh_gssapi_credentials_updated(Gssctxt *ctxt) { ++ static gss_name_t saved_name = GSS_C_NO_NAME; ++ static OM_uint32 saved_lifetime = 0; ++ static gss_OID saved_mech = GSS_C_NO_OID; ++ static gss_name_t name; ++ static OM_uint32 last_call = 0; ++ OM_uint32 lifetime, now, major, minor; ++ int equal; ++ ++ now = time(NULL); ++ ++ if (ctxt) { ++ debug("Rekey has happened - updating saved versions"); ++ ++ if (saved_name != GSS_C_NO_NAME) ++ gss_release_name(&minor, &saved_name); ++ ++ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, ++ &saved_name, &saved_lifetime, NULL, NULL); ++ ++ if (!GSS_ERROR(major)) { ++ saved_mech = ctxt->oid; ++ saved_lifetime+= now; ++ } else { ++ /* Handle the error */ ++ } ++ return 0; ++ } ++ ++ if (now - last_call < 10) ++ return 0; ++ ++ last_call = now; ++ ++ if (saved_mech == GSS_C_NO_OID) ++ return 0; ++ ++ major = gss_inquire_cred(&minor, GSS_C_NO_CREDENTIAL, ++ &name, &lifetime, NULL, NULL); ++ if (major == GSS_S_CREDENTIALS_EXPIRED) ++ return 0; ++ else if (GSS_ERROR(major)) ++ return 0; ++ ++ major = gss_compare_name(&minor, saved_name, name, &equal); ++ gss_release_name(&minor, &name); ++ if (GSS_ERROR(major)) ++ return 0; ++ ++ if (equal && (saved_lifetime < lifetime + now - 10)) ++ return 1; ++ ++ return 0; ++} ++ + #endif /* GSSAPI */ +diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c +index a151bc1e4..90f8692f5 100644 +--- a/gss-serv-krb5.c ++++ b/gss-serv-krb5.c +@@ -1,7 +1,7 @@ + /* $OpenBSD: gss-serv-krb5.c,v 1.9 2018/07/09 21:37:55 markus Exp $ */ + + /* +- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. ++ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -120,8 +120,8 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) + krb5_error_code problem; + krb5_principal princ; + OM_uint32 maj_status, min_status; +- int len; + const char *errmsg; ++ const char *new_ccname; + + if (client->creds == NULL) { + debug("No credentials stored"); +@@ -180,11 +180,16 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) + return; + } + +- client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); ++ new_ccname = krb5_cc_get_name(krb_context, ccache); ++ + client->store.envvar = "KRB5CCNAME"; +- len = strlen(client->store.filename) + 6; +- client->store.envval = xmalloc(len); +- snprintf(client->store.envval, len, "FILE:%s", client->store.filename); ++#ifdef USE_CCAPI ++ xasprintf(&client->store.envval, "API:%s", new_ccname); ++ client->store.filename = NULL; ++#else ++ xasprintf(&client->store.envval, "FILE:%s", new_ccname); ++ client->store.filename = xstrdup(new_ccname); ++#endif + + #ifdef USE_PAM + if (options.use_pam) +@@ -196,6 +201,71 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) + return; + } + ++int ++ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store, ++ ssh_gssapi_client *client) ++{ ++ krb5_ccache ccache = NULL; ++ krb5_principal principal = NULL; ++ char *name = NULL; ++ krb5_error_code problem; ++ OM_uint32 maj_status, min_status; ++ ++ if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) { ++ logit("krb5_cc_resolve(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ return 0; ++ } ++ ++ /* Find out who the principal in this cache is */ ++ if ((problem = krb5_cc_get_principal(krb_context, ccache, ++ &principal))) { ++ logit("krb5_cc_get_principal(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ if ((problem = krb5_unparse_name(krb_context, principal, &name))) { ++ logit("krb5_unparse_name(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ krb5_free_principal(krb_context, principal); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ ++ if (strcmp(name,client->exportedname.value)!=0) { ++ debug("Name in local credentials cache differs. Not storing"); ++ krb5_free_principal(krb_context, principal); ++ krb5_cc_close(krb_context, ccache); ++ krb5_free_unparsed_name(krb_context, name); ++ return 0; ++ } ++ krb5_free_unparsed_name(krb_context, name); ++ ++ /* Name matches, so lets get on with it! */ ++ ++ if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) { ++ logit("krb5_cc_initialize(): %.100s", ++ krb5_get_err_text(krb_context, problem)); ++ krb5_free_principal(krb_context, principal); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ krb5_free_principal(krb_context, principal); ++ ++ if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, ++ ccache))) { ++ logit("gss_krb5_copy_ccache() failed. Sorry!"); ++ krb5_cc_close(krb_context, ccache); ++ return 0; ++ } ++ ++ return 1; ++} ++ + ssh_gssapi_mech gssapi_kerberos_mech = { + "toWM5Slw5Ew8Mqkay+al2g==", + "Kerberos", +@@ -203,7 +273,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = { + NULL, + &ssh_gssapi_krb5_userok, + NULL, +- &ssh_gssapi_krb5_storecreds ++ &ssh_gssapi_krb5_storecreds, ++ &ssh_gssapi_krb5_updatecreds + }; + + #endif /* KRB5 */ +diff --git a/gss-serv.c b/gss-serv.c +index ab3a15f0f..6c087a1b1 100644 +--- a/gss-serv.c ++++ b/gss-serv.c +@@ -1,7 +1,7 @@ + /* $OpenBSD: gss-serv.c,v 1.31 2018/07/09 21:37:55 markus Exp $ */ + + /* +- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. ++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -44,17 +44,22 @@ + #include "session.h" + #include "misc.h" + #include "servconf.h" ++#include "uidswap.h" + + #include "ssh-gss.h" ++#include "monitor_wrap.h" ++ ++extern ServerOptions options; + + extern ServerOptions options; + + static ssh_gssapi_client gssapi_client = + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, +- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL, NULL}}; ++ GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, NULL, ++ {NULL, NULL, NULL, NULL, NULL}, 0, 0}; + + ssh_gssapi_mech gssapi_null_mech = +- { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL}; ++ { NULL, NULL, {0, NULL}, NULL, NULL, NULL, NULL, NULL}; + + #ifdef KRB5 + extern ssh_gssapi_mech gssapi_kerberos_mech; +@@ -140,6 +145,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) + return (ssh_gssapi_acquire_cred(*ctx)); + } + ++/* Unprivileged */ ++char * ++ssh_gssapi_server_mechanisms(void) { ++ if (supported_oids == NULL) ++ ssh_gssapi_prepare_supported_oids(); ++ return (ssh_gssapi_kex_mechs(supported_oids, ++ &ssh_gssapi_server_check_mech, NULL, NULL)); ++} ++ ++/* Unprivileged */ ++int ++ssh_gssapi_server_check_mech(Gssctxt **dum, gss_OID oid, const char *data, ++ const char *dummy) { ++ Gssctxt *ctx = NULL; ++ int res; ++ ++ res = !GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctx, oid))); ++ ssh_gssapi_delete_ctx(&ctx); ++ ++ return (res); ++} ++ + /* Unprivileged */ + void + ssh_gssapi_supported_oids(gss_OID_set *oidset) +@@ -150,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) + gss_OID_set supported; + + gss_create_empty_oid_set(&min_status, oidset); +- gss_indicate_mechs(&min_status, &supported); ++ ++ if (GSS_ERROR(gss_indicate_mechs(&min_status, &supported))) ++ return; + + while (supported_mechs[i]->name != NULL) { + if (GSS_ERROR(gss_test_oid_set_member(&min_status, +@@ -276,8 +305,48 @@ OM_uint32 + ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) + { + int i = 0; ++ int equal = 0; ++ gss_name_t new_name = GSS_C_NO_NAME; ++ gss_buffer_desc ename = GSS_C_EMPTY_BUFFER; ++ ++ if (options.gss_store_rekey && client->used && ctx->client_creds) { ++ if (client->mech->oid.length != ctx->oid->length || ++ (memcmp(client->mech->oid.elements, ++ ctx->oid->elements, ctx->oid->length) !=0)) { ++ debug("Rekeyed credentials have different mechanism"); ++ return GSS_S_COMPLETE; ++ } ++ ++ if ((ctx->major = gss_inquire_cred_by_mech(&ctx->minor, ++ ctx->client_creds, ctx->oid, &new_name, ++ NULL, NULL, NULL))) { ++ ssh_gssapi_error(ctx); ++ return (ctx->major); ++ } ++ ++ ctx->major = gss_compare_name(&ctx->minor, client->name, ++ new_name, &equal); ++ ++ if (GSS_ERROR(ctx->major)) { ++ ssh_gssapi_error(ctx); ++ return (ctx->major); ++ } ++ ++ if (!equal) { ++ debug("Rekeyed credentials have different name"); ++ return GSS_S_COMPLETE; ++ } + +- gss_buffer_desc ename; ++ debug("Marking rekeyed credentials for export"); ++ ++ gss_release_name(&ctx->minor, &client->name); ++ gss_release_cred(&ctx->minor, &client->creds); ++ client->name = new_name; ++ client->creds = ctx->client_creds; ++ ctx->client_creds = GSS_C_NO_CREDENTIAL; ++ client->updated = 1; ++ return GSS_S_COMPLETE; ++ } + + client->mech = NULL; + +@@ -292,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) + if (client->mech == NULL) + return GSS_S_FAILURE; + ++ if (ctx->client_creds && ++ (ctx->major = gss_inquire_cred_by_mech(&ctx->minor, ++ ctx->client_creds, ctx->oid, &client->name, NULL, NULL, NULL))) { ++ ssh_gssapi_error(ctx); ++ return (ctx->major); ++ } ++ + if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, + &client->displayname, NULL))) { + ssh_gssapi_error(ctx); +@@ -309,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) + return (ctx->major); + } + ++ gss_release_buffer(&ctx->minor, &ename); ++ + /* We can't copy this structure, so we just move the pointer to it */ + client->creds = ctx->client_creds; + ctx->client_creds = GSS_C_NO_CREDENTIAL; +@@ -356,7 +434,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) + + /* Privileged */ + int +-ssh_gssapi_userok(char *user) ++ssh_gssapi_userok(char *user, struct passwd *pw) + { + OM_uint32 lmin; + +@@ -366,9 +444,11 @@ ssh_gssapi_userok(char *user) + return 0; + } + if (gssapi_client.mech && gssapi_client.mech->userok) +- if ((*gssapi_client.mech->userok)(&gssapi_client, user)) ++ if ((*gssapi_client.mech->userok)(&gssapi_client, user)) { ++ gssapi_client.used = 1; ++ gssapi_client.store.owner = pw; + return 1; +- else { ++ } else { + /* Destroy delegated credentials if userok fails */ + gss_release_buffer(&lmin, &gssapi_client.displayname); + gss_release_buffer(&lmin, &gssapi_client.exportedname); +@@ -382,14 +462,90 @@ ssh_gssapi_userok(char *user) + return (0); + } + +-/* Privileged */ +-OM_uint32 +-ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) ++/* These bits are only used for rekeying. The unpriviledged child is running ++ * as the user, the monitor is root. ++ * ++ * In the child, we want to : ++ * *) Ask the monitor to store our credentials into the store we specify ++ * *) If it succeeds, maybe do a PAM update ++ */ ++ ++/* Stuff for PAM */ ++ ++#ifdef USE_PAM ++static int ssh_gssapi_simple_conv(int n, const struct pam_message **msg, ++ struct pam_response **resp, void *data) + { +- ctx->major = gss_verify_mic(&ctx->minor, ctx->context, +- gssbuf, gssmic, NULL); ++ return (PAM_CONV_ERR); ++} ++#endif + +- return (ctx->major); ++void ++ssh_gssapi_rekey_creds(void) { ++ int ok; ++ int ret; ++#ifdef USE_PAM ++ pam_handle_t *pamh = NULL; ++ struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL}; ++ char *envstr; ++#endif ++ ++ if (gssapi_client.store.filename == NULL && ++ gssapi_client.store.envval == NULL && ++ gssapi_client.store.envvar == NULL) ++ return; ++ ++ ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); ++ ++ if (!ok) ++ return; ++ ++ debug("Rekeyed credentials stored successfully"); ++ ++ /* Actually managing to play with the ssh pam stack from here will ++ * be next to impossible. In any case, we may want different options ++ * for rekeying. So, use our own :) ++ */ ++#ifdef USE_PAM ++ if (!use_privsep) { ++ debug("Not even going to try and do PAM with privsep disabled"); ++ return; ++ } ++ ++ ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name, ++ &pamconv, &pamh); ++ if (ret) ++ return; ++ ++ xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, ++ gssapi_client.store.envval); ++ ++ ret = pam_putenv(pamh, envstr); ++ if (!ret) ++ pam_setcred(pamh, PAM_REINITIALIZE_CRED); ++ pam_end(pamh, PAM_SUCCESS); ++#endif ++} ++ ++int ++ssh_gssapi_update_creds(ssh_gssapi_ccache *store) { ++ int ok = 0; ++ ++ /* Check we've got credentials to store */ ++ if (!gssapi_client.updated) ++ return 0; ++ ++ gssapi_client.updated = 0; ++ ++ temporarily_use_uid(gssapi_client.store.owner); ++ if (gssapi_client.mech && gssapi_client.mech->updatecreds) ++ ok = (*gssapi_client.mech->updatecreds)(store, &gssapi_client); ++ else ++ debug("No update function for this mechanism"); ++ ++ restore_uid(); ++ ++ return ok; + } + + /* Privileged */ +diff --git a/kex.c b/kex.c +index 25f9f66f6..fb5bfaea5 100644 +--- a/kex.c ++++ b/kex.c +@@ -54,6 +54,10 @@ + #include "sshbuf.h" + #include "digest.h" + ++#ifdef GSSAPI ++#include "ssh-gss.h" ++#endif ++ + /* prototype */ + static int kex_choose_conf(struct ssh *); + static int kex_input_newkeys(int, u_int32_t, struct ssh *); +@@ -105,6 +109,14 @@ static const struct kexalg kexalgs[] = { + #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ + { NULL, -1, -1, -1}, + }; ++static const struct kexalg kexalg_prefixes[] = { ++#ifdef GSSAPI ++ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, ++ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, ++ { KEX_GSS_GRP14_SHA1_ID, KEX_GSS_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, ++#endif ++ { NULL, -1, -1, -1 }, ++}; + + char * + kex_alg_list(char sep) +@@ -137,6 +149,10 @@ kex_alg_by_name(const char *name) + if (strcmp(k->name, name) == 0) + return k; + } ++ for (k = kexalg_prefixes; k->name != NULL; k++) { ++ if (strncmp(k->name, name, strlen(k->name)) == 0) ++ return k; ++ } + return NULL; + } + +@@ -653,6 +669,9 @@ kex_free(struct kex *kex) + sshbuf_free(kex->peer); + sshbuf_free(kex->my); + free(kex->session_id); ++#ifdef GSSAPI ++ free(kex->gss_host); ++#endif /* GSSAPI */ + free(kex->client_version_string); + free(kex->server_version_string); + free(kex->failed_choice); +diff --git a/kex.h b/kex.h +index 593de1208..4e5ead839 100644 +--- a/kex.h ++++ b/kex.h +@@ -100,6 +100,9 @@ enum kex_exchange { + KEX_DH_GEX_SHA256, + KEX_ECDH_SHA2, + KEX_C25519_SHA256, ++ KEX_GSS_GRP1_SHA1, ++ KEX_GSS_GRP14_SHA1, ++ KEX_GSS_GEX_SHA1, + KEX_MAX + }; + +@@ -148,6 +151,12 @@ struct kex { + u_int flags; + int hash_alg; + int ec_nid; ++#ifdef GSSAPI ++ int gss_deleg_creds; ++ int gss_trust_dns; ++ char *gss_host; ++ char *gss_client; ++#endif + char *client_version_string; + char *server_version_string; + char *failed_choice; +@@ -198,6 +207,11 @@ int kexecdh_server(struct ssh *); + int kexc25519_client(struct ssh *); + int kexc25519_server(struct ssh *); + ++#ifdef GSSAPI ++int kexgss_client(struct ssh *); ++int kexgss_server(struct ssh *); ++#endif ++ + int kex_dh_hash(int, const char *, const char *, + const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, + const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); +diff --git a/kexgssc.c b/kexgssc.c +new file mode 100644 +index 000000000..3c8ae08dd +--- /dev/null ++++ b/kexgssc.c +@@ -0,0 +1,341 @@ ++/* ++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "includes.h" ++ ++#ifdef GSSAPI ++ ++#include "includes.h" ++ ++#include ++#include ++ ++#include ++ ++#include "xmalloc.h" ++#include "sshbuf.h" ++#include "ssh2.h" ++#include "sshkey.h" ++#include "cipher.h" ++#include "kex.h" ++#include "log.h" ++#include "packet.h" ++#include "dh.h" ++#include "digest.h" ++ ++#include "ssh-gss.h" ++ ++int ++kexgss_client(struct ssh *ssh) { ++ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; ++ gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; ++ Gssctxt *ctxt; ++ OM_uint32 maj_status, min_status, ret_flags; ++ u_int klen, kout, slen = 0, strlen; ++ DH *dh; ++ BIGNUM *dh_server_pub = NULL; ++ BIGNUM *shared_secret = NULL; ++ const BIGNUM *pub_key, *dh_p, *dh_g; ++ BIGNUM *p = NULL; ++ BIGNUM *g = NULL; ++ u_char *kbuf; ++ u_char *serverhostkey = NULL; ++ u_char *empty = ""; ++ char *msg; ++ int type = 0; ++ int first = 1; ++ int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; ++ u_char hash[SSH_DIGEST_MAX_LENGTH]; ++ size_t hashlen; ++ ++ /* Initialise our GSSAPI world */ ++ ssh_gssapi_build_ctx(&ctxt); ++ if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type) ++ == GSS_C_NO_OID) ++ fatal("Couldn't identify host exchange"); ++ ++ if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host)) ++ fatal("Couldn't import hostname"); ++ ++ if (ssh->kex->gss_client && ++ ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client)) ++ fatal("Couldn't acquire client credentials"); ++ ++ switch (ssh->kex->kex_type) { ++ case KEX_GSS_GRP1_SHA1: ++ dh = dh_new_group1(); ++ break; ++ case KEX_GSS_GRP14_SHA1: ++ dh = dh_new_group14(); ++ break; ++ case KEX_GSS_GEX_SHA1: ++ debug("Doing group exchange\n"); ++ nbits = dh_estimate(ssh->kex->we_need * 8); ++ packet_start(SSH2_MSG_KEXGSS_GROUPREQ); ++ packet_put_int(min); ++ packet_put_int(nbits); ++ packet_put_int(max); ++ ++ packet_send(); ++ ++ packet_read_expect(SSH2_MSG_KEXGSS_GROUP); ++ ++ if ((p = BN_new()) == NULL) ++ fatal("BN_new() failed"); ++ packet_get_bignum2(p); ++ if ((g = BN_new()) == NULL) ++ fatal("BN_new() failed"); ++ packet_get_bignum2(g); ++ packet_check_eom(); ++ ++ if (BN_num_bits(p) < min || BN_num_bits(p) > max) ++ fatal("GSSGRP_GEX group out of range: %d !< %d !< %d", ++ min, BN_num_bits(p), max); ++ ++ dh = dh_new_group(g, p); ++ break; ++ default: ++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); ++ } ++ ++ /* Step 1 - e is dh->pub_key */ ++ dh_gen_key(dh, ssh->kex->we_need * 8); ++ DH_get0_key(dh, &pub_key, NULL); ++ DH_get0_pqg(dh, &dh_p, NULL, &dh_g); ++ ++ /* This is f, we initialise it now to make life easier */ ++ dh_server_pub = BN_new(); ++ if (dh_server_pub == NULL) ++ fatal("dh_server_pub == NULL"); ++ ++ token_ptr = GSS_C_NO_BUFFER; ++ ++ do { ++ debug("Calling gss_init_sec_context"); ++ ++ maj_status = ssh_gssapi_init_ctx(ctxt, ++ ssh->kex->gss_deleg_creds, token_ptr, &send_tok, ++ &ret_flags); ++ ++ if (GSS_ERROR(maj_status)) { ++ if (send_tok.length != 0) { ++ packet_start(SSH2_MSG_KEXGSS_CONTINUE); ++ packet_put_string(send_tok.value, ++ send_tok.length); ++ } ++ fatal("gss_init_context failed"); ++ } ++ ++ /* If we've got an old receive buffer get rid of it */ ++ if (token_ptr != GSS_C_NO_BUFFER) ++ free(recv_tok.value); ++ ++ if (maj_status == GSS_S_COMPLETE) { ++ /* If mutual state flag is not true, kex fails */ ++ if (!(ret_flags & GSS_C_MUTUAL_FLAG)) ++ fatal("Mutual authentication failed"); ++ ++ /* If integ avail flag is not true kex fails */ ++ if (!(ret_flags & GSS_C_INTEG_FLAG)) ++ fatal("Integrity check failed"); ++ } ++ ++ /* ++ * If we have data to send, then the last message that we ++ * received cannot have been a 'complete'. ++ */ ++ if (send_tok.length != 0) { ++ if (first) { ++ packet_start(SSH2_MSG_KEXGSS_INIT); ++ packet_put_string(send_tok.value, ++ send_tok.length); ++ packet_put_bignum2(pub_key); ++ first = 0; ++ } else { ++ packet_start(SSH2_MSG_KEXGSS_CONTINUE); ++ packet_put_string(send_tok.value, ++ send_tok.length); ++ } ++ packet_send(); ++ gss_release_buffer(&min_status, &send_tok); ++ ++ /* If we've sent them data, they should reply */ ++ do { ++ type = packet_read(); ++ if (type == SSH2_MSG_KEXGSS_HOSTKEY) { ++ debug("Received KEXGSS_HOSTKEY"); ++ if (serverhostkey) ++ fatal("Server host key received more than once"); ++ serverhostkey = ++ packet_get_string(&slen); ++ } ++ } while (type == SSH2_MSG_KEXGSS_HOSTKEY); ++ ++ switch (type) { ++ case SSH2_MSG_KEXGSS_CONTINUE: ++ debug("Received GSSAPI_CONTINUE"); ++ if (maj_status == GSS_S_COMPLETE) ++ fatal("GSSAPI Continue received from server when complete"); ++ recv_tok.value = packet_get_string(&strlen); ++ recv_tok.length = strlen; ++ break; ++ case SSH2_MSG_KEXGSS_COMPLETE: ++ debug("Received GSSAPI_COMPLETE"); ++ packet_get_bignum2(dh_server_pub); ++ msg_tok.value = packet_get_string(&strlen); ++ msg_tok.length = strlen; ++ ++ /* Is there a token included? */ ++ if (packet_get_char()) { ++ recv_tok.value= ++ packet_get_string(&strlen); ++ recv_tok.length = strlen; ++ /* If we're already complete - protocol error */ ++ if (maj_status == GSS_S_COMPLETE) ++ packet_disconnect("Protocol error: received token when complete"); ++ } else { ++ /* No token included */ ++ if (maj_status != GSS_S_COMPLETE) ++ packet_disconnect("Protocol error: did not receive final token"); ++ } ++ break; ++ case SSH2_MSG_KEXGSS_ERROR: ++ debug("Received Error"); ++ maj_status = packet_get_int(); ++ min_status = packet_get_int(); ++ msg = packet_get_string(NULL); ++ (void) packet_get_string_ptr(NULL); ++ fatal("GSSAPI Error: \n%.400s",msg); ++ default: ++ packet_disconnect("Protocol error: didn't expect packet type %d", ++ type); ++ } ++ token_ptr = &recv_tok; ++ } else { ++ /* No data, and not complete */ ++ if (maj_status != GSS_S_COMPLETE) ++ fatal("Not complete, and no token output"); ++ } ++ } while (maj_status & GSS_S_CONTINUE_NEEDED); ++ ++ /* ++ * We _must_ have received a COMPLETE message in reply from the ++ * server, which will have set dh_server_pub and msg_tok ++ */ ++ ++ if (type != SSH2_MSG_KEXGSS_COMPLETE) ++ fatal("Didn't receive a SSH2_MSG_KEXGSS_COMPLETE when I expected it"); ++ ++ /* Check f in range [1, p-1] */ ++ if (!dh_pub_is_valid(dh, dh_server_pub)) ++ packet_disconnect("bad server public DH value"); ++ ++ /* compute K=f^x mod p */ ++ klen = DH_size(dh); ++ kbuf = xmalloc(klen); ++ kout = DH_compute_key(kbuf, dh_server_pub, dh); ++ if (kout < 0) ++ fatal("DH_compute_key: failed"); ++ ++ shared_secret = BN_new(); ++ if (shared_secret == NULL) ++ fatal("kexgss_client: BN_new failed"); ++ ++ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) ++ fatal("kexdh_client: BN_bin2bn failed"); ++ ++ memset(kbuf, 0, klen); ++ free(kbuf); ++ ++ hashlen = sizeof(hash); ++ switch (ssh->kex->kex_type) { ++ case KEX_GSS_GRP1_SHA1: ++ case KEX_GSS_GRP14_SHA1: ++ kex_dh_hash( ++ ssh->kex->hash_alg, ++ ssh->kex->client_version_string, ++ ssh->kex->server_version_string, ++ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), ++ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), ++ (serverhostkey ? serverhostkey : empty), slen, ++ pub_key, /* e */ ++ dh_server_pub, /* f */ ++ shared_secret, /* K */ ++ hash, &hashlen ++ ); ++ break; ++ case KEX_GSS_GEX_SHA1: ++ kexgex_hash( ++ ssh->kex->hash_alg, ++ ssh->kex->client_version_string, ++ ssh->kex->server_version_string, ++ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), ++ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), ++ (serverhostkey ? serverhostkey : empty), slen, ++ min, nbits, max, ++ dh_p, dh_g, ++ pub_key, ++ dh_server_pub, ++ shared_secret, ++ hash, &hashlen ++ ); ++ break; ++ default: ++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); ++ } ++ ++ gssbuf.value = hash; ++ gssbuf.length = hashlen; ++ ++ /* Verify that the hash matches the MIC we just got. */ ++ if (GSS_ERROR(ssh_gssapi_checkmic(ctxt, &gssbuf, &msg_tok))) ++ packet_disconnect("Hash's MIC didn't verify"); ++ ++ free(msg_tok.value); ++ ++ DH_free(dh); ++ free(serverhostkey); ++ BN_clear_free(dh_server_pub); ++ ++ /* save session id */ ++ if (ssh->kex->session_id == NULL) { ++ ssh->kex->session_id_len = hashlen; ++ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len); ++ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len); ++ } ++ ++ if (ssh->kex->gss_deleg_creds) ++ ssh_gssapi_credentials_updated(ctxt); ++ ++ if (gss_kex_context == NULL) ++ gss_kex_context = ctxt; ++ else ++ ssh_gssapi_delete_ctx(&ctxt); ++ ++ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); ++ BN_clear_free(shared_secret); ++ return kex_send_newkeys(ssh); ++} ++ ++#endif /* GSSAPI */ +diff --git a/kexgsss.c b/kexgsss.c +new file mode 100644 +index 000000000..18070f1d7 +--- /dev/null ++++ b/kexgsss.c +@@ -0,0 +1,300 @@ ++/* ++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR `AS IS'' AND ANY EXPRESS OR ++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES ++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. ++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, ++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, ++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY ++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF ++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++#include "includes.h" ++ ++#ifdef GSSAPI ++ ++#include ++ ++#include ++#include ++ ++#include "xmalloc.h" ++#include "sshbuf.h" ++#include "ssh2.h" ++#include "sshkey.h" ++#include "cipher.h" ++#include "kex.h" ++#include "log.h" ++#include "packet.h" ++#include "dh.h" ++#include "ssh-gss.h" ++#include "monitor_wrap.h" ++#include "misc.h" ++#include "servconf.h" ++#include "digest.h" ++ ++extern ServerOptions options; ++ ++int ++kexgss_server(struct ssh *ssh) ++{ ++ OM_uint32 maj_status, min_status; ++ ++ /* ++ * Some GSSAPI implementations use the input value of ret_flags (an ++ * output variable) as a means of triggering mechanism specific ++ * features. Initializing it to zero avoids inadvertently ++ * activating this non-standard behaviour. ++ */ ++ ++ OM_uint32 ret_flags = 0; ++ gss_buffer_desc gssbuf, recv_tok, msg_tok; ++ gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; ++ Gssctxt *ctxt = NULL; ++ u_int slen, klen, kout; ++ u_char *kbuf; ++ DH *dh; ++ int min = -1, max = -1, nbits = -1; ++ const BIGNUM *pub_key, *dh_p, *dh_g; ++ BIGNUM *shared_secret = NULL; ++ BIGNUM *dh_client_pub = NULL; ++ int type = 0; ++ gss_OID oid; ++ char *mechs; ++ u_char hash[SSH_DIGEST_MAX_LENGTH]; ++ size_t hashlen; ++ ++ /* Initialise GSSAPI */ ++ ++ /* If we're rekeying, privsep means that some of the private structures ++ * in the GSSAPI code are no longer available. This kludges them back ++ * into life ++ */ ++ if (!ssh_gssapi_oid_table_ok()) { ++ mechs = ssh_gssapi_server_mechanisms(); ++ free(mechs); ++ } ++ ++ debug2("%s: Identifying %s", __func__, ssh->kex->name); ++ oid = ssh_gssapi_id_kex(NULL, ssh->kex->name, ssh->kex->kex_type); ++ if (oid == GSS_C_NO_OID) ++ fatal("Unknown gssapi mechanism"); ++ ++ debug2("%s: Acquiring credentials", __func__); ++ ++ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) ++ fatal("Unable to acquire credentials for the server"); ++ ++ switch (ssh->kex->kex_type) { ++ case KEX_GSS_GRP1_SHA1: ++ dh = dh_new_group1(); ++ break; ++ case KEX_GSS_GRP14_SHA1: ++ dh = dh_new_group14(); ++ break; ++ case KEX_GSS_GEX_SHA1: ++ debug("Doing group exchange"); ++ packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ); ++ min = packet_get_int(); ++ nbits = packet_get_int(); ++ max = packet_get_int(); ++ packet_check_eom(); ++ if (max < min || nbits < min || max < nbits) ++ fatal("GSS_GEX, bad parameters: %d !< %d !< %d", ++ min, nbits, max); ++ dh = PRIVSEP(choose_dh(MAX(DH_GRP_MIN, min), ++ nbits, MIN(DH_GRP_MAX, max))); ++ if (dh == NULL) ++ packet_disconnect("Protocol error: no matching group found"); ++ DH_get0_pqg(dh, &dh_p, NULL, &dh_g); ++ ++ packet_start(SSH2_MSG_KEXGSS_GROUP); ++ packet_put_bignum2(dh_p); ++ packet_put_bignum2(dh_g); ++ packet_send(); ++ ++ packet_write_wait(); ++ break; ++ default: ++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); ++ } ++ ++ dh_gen_key(dh, ssh->kex->we_need * 8); ++ ++ do { ++ debug("Wait SSH2_MSG_GSSAPI_INIT"); ++ type = packet_read(); ++ switch(type) { ++ case SSH2_MSG_KEXGSS_INIT: ++ if (dh_client_pub != NULL) ++ fatal("Received KEXGSS_INIT after initialising"); ++ recv_tok.value = packet_get_string(&slen); ++ recv_tok.length = slen; ++ ++ if ((dh_client_pub = BN_new()) == NULL) ++ fatal("dh_client_pub == NULL"); ++ ++ packet_get_bignum2(dh_client_pub); ++ ++ /* Send SSH_MSG_KEXGSS_HOSTKEY here, if we want */ ++ break; ++ case SSH2_MSG_KEXGSS_CONTINUE: ++ recv_tok.value = packet_get_string(&slen); ++ recv_tok.length = slen; ++ break; ++ default: ++ packet_disconnect( ++ "Protocol error: didn't expect packet type %d", ++ type); ++ } ++ ++ maj_status = PRIVSEP(ssh_gssapi_accept_ctx(ctxt, &recv_tok, ++ &send_tok, &ret_flags)); ++ ++ free(recv_tok.value); ++ ++ if (maj_status != GSS_S_COMPLETE && send_tok.length == 0) ++ fatal("Zero length token output when incomplete"); ++ ++ if (dh_client_pub == NULL) ++ fatal("No client public key"); ++ ++ if (maj_status & GSS_S_CONTINUE_NEEDED) { ++ debug("Sending GSSAPI_CONTINUE"); ++ packet_start(SSH2_MSG_KEXGSS_CONTINUE); ++ packet_put_string(send_tok.value, send_tok.length); ++ packet_send(); ++ gss_release_buffer(&min_status, &send_tok); ++ } ++ } while (maj_status & GSS_S_CONTINUE_NEEDED); ++ ++ if (GSS_ERROR(maj_status)) { ++ if (send_tok.length > 0) { ++ packet_start(SSH2_MSG_KEXGSS_CONTINUE); ++ packet_put_string(send_tok.value, send_tok.length); ++ packet_send(); ++ } ++ fatal("accept_ctx died"); ++ } ++ ++ if (!(ret_flags & GSS_C_MUTUAL_FLAG)) ++ fatal("Mutual Authentication flag wasn't set"); ++ ++ if (!(ret_flags & GSS_C_INTEG_FLAG)) ++ fatal("Integrity flag wasn't set"); ++ ++ if (!dh_pub_is_valid(dh, dh_client_pub)) ++ packet_disconnect("bad client public DH value"); ++ ++ klen = DH_size(dh); ++ kbuf = xmalloc(klen); ++ kout = DH_compute_key(kbuf, dh_client_pub, dh); ++ if (kout < 0) ++ fatal("DH_compute_key: failed"); ++ ++ shared_secret = BN_new(); ++ if (shared_secret == NULL) ++ fatal("kexgss_server: BN_new failed"); ++ ++ if (BN_bin2bn(kbuf, kout, shared_secret) == NULL) ++ fatal("kexgss_server: BN_bin2bn failed"); ++ ++ memset(kbuf, 0, klen); ++ free(kbuf); ++ ++ DH_get0_key(dh, &pub_key, NULL); ++ DH_get0_pqg(dh, &dh_p, NULL, &dh_g); ++ ++ hashlen = sizeof(hash); ++ switch (ssh->kex->kex_type) { ++ case KEX_GSS_GRP1_SHA1: ++ case KEX_GSS_GRP14_SHA1: ++ kex_dh_hash( ++ ssh->kex->hash_alg, ++ ssh->kex->client_version_string, ssh->kex->server_version_string, ++ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), ++ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), ++ NULL, 0, /* Change this if we start sending host keys */ ++ dh_client_pub, pub_key, shared_secret, ++ hash, &hashlen ++ ); ++ break; ++ case KEX_GSS_GEX_SHA1: ++ kexgex_hash( ++ ssh->kex->hash_alg, ++ ssh->kex->client_version_string, ssh->kex->server_version_string, ++ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer), ++ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my), ++ NULL, 0, ++ min, nbits, max, ++ dh_p, dh_g, ++ dh_client_pub, ++ pub_key, ++ shared_secret, ++ hash, &hashlen ++ ); ++ break; ++ default: ++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); ++ } ++ ++ BN_clear_free(dh_client_pub); ++ ++ if (ssh->kex->session_id == NULL) { ++ ssh->kex->session_id_len = hashlen; ++ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len); ++ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len); ++ } ++ ++ gssbuf.value = hash; ++ gssbuf.length = hashlen; ++ ++ if (GSS_ERROR(PRIVSEP(ssh_gssapi_sign(ctxt,&gssbuf,&msg_tok)))) ++ fatal("Couldn't get MIC"); ++ ++ packet_start(SSH2_MSG_KEXGSS_COMPLETE); ++ packet_put_bignum2(pub_key); ++ packet_put_string(msg_tok.value,msg_tok.length); ++ ++ if (send_tok.length != 0) { ++ packet_put_char(1); /* true */ ++ packet_put_string(send_tok.value, send_tok.length); ++ } else { ++ packet_put_char(0); /* false */ ++ } ++ packet_send(); ++ ++ gss_release_buffer(&min_status, &send_tok); ++ gss_release_buffer(&min_status, &msg_tok); ++ ++ if (gss_kex_context == NULL) ++ gss_kex_context = ctxt; ++ else ++ ssh_gssapi_delete_ctx(&ctxt); ++ ++ DH_free(dh); ++ ++ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); ++ BN_clear_free(shared_secret); ++ kex_send_newkeys(ssh); ++ ++ /* If this was a rekey, then save out any delegated credentials we ++ * just exchanged. */ ++ if (options.gss_store_rekey) ++ ssh_gssapi_rekey_creds(); ++ return 0; ++} ++#endif /* GSSAPI */ +diff --git a/monitor.c b/monitor.c +index 531b2993a..eabc1e89b 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -145,6 +145,8 @@ int mm_answer_gss_setup_ctx(int, struct sshbuf *); + int mm_answer_gss_accept_ctx(int, struct sshbuf *); + int mm_answer_gss_userok(int, struct sshbuf *); + int mm_answer_gss_checkmic(int, struct sshbuf *); ++int mm_answer_gss_sign(int, struct sshbuf *); ++int mm_answer_gss_updatecreds(int, struct sshbuf *); + #endif + + #ifdef SSH_AUDIT_EVENTS +@@ -215,11 +217,18 @@ struct mon_table mon_dispatch_proto20[] = { + {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, + {MONITOR_REQ_GSSUSEROK, MON_ONCE|MON_AUTHDECIDE, mm_answer_gss_userok}, + {MONITOR_REQ_GSSCHECKMIC, MON_ONCE, mm_answer_gss_checkmic}, ++ {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign}, + #endif + {0, 0, NULL} + }; + + struct mon_table mon_dispatch_postauth20[] = { ++#ifdef GSSAPI ++ {MONITOR_REQ_GSSSETUP, 0, mm_answer_gss_setup_ctx}, ++ {MONITOR_REQ_GSSSTEP, 0, mm_answer_gss_accept_ctx}, ++ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign}, ++ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds}, ++#endif + #ifdef WITH_OPENSSL + {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, + #endif +@@ -289,6 +298,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) + /* Permit requests for moduli and signatures */ + monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); ++#ifdef GSSAPI ++ /* and for the GSSAPI key exchange */ ++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); ++#endif + + /* The first few requests do not require asynchronous access */ + while (!authenticated) { +@@ -401,6 +414,10 @@ monitor_child_postauth(struct monitor *pmonitor) + monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); ++#ifdef GSSAPI ++ /* and for the GSSAPI key exchange */ ++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSETUP, 1); ++#endif + + if (auth_opts->permit_pty_flag) { + monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1); +@@ -1666,6 +1683,13 @@ monitor_apply_keystate(struct monitor *pmonitor) + # endif + #endif /* WITH_OPENSSL */ + kex->kex[KEX_C25519_SHA256] = kexc25519_server; ++#ifdef GSSAPI ++ if (options.gss_keyex) { ++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; ++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; ++ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; ++ } ++#endif + kex->load_host_public_key=&get_hostkey_public_by_type; + kex->load_host_private_key=&get_hostkey_private_by_type; + kex->host_key_index=&get_hostkey_index; +@@ -1756,8 +1780,8 @@ mm_answer_gss_setup_ctx(int sock, struct sshbuf *m) + u_char *p; + int r; + +- if (!options.gss_authentication) +- fatal("%s: GSSAPI authentication not enabled", __func__); ++ if (!options.gss_authentication && !options.gss_keyex) ++ fatal("%s: GSSAPI not enabled", __func__); + + if ((r = sshbuf_get_string(m, &p, &len)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +@@ -1789,8 +1813,8 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) + OM_uint32 flags = 0; /* GSI needs this */ + int r; + +- if (!options.gss_authentication) +- fatal("%s: GSSAPI authentication not enabled", __func__); ++ if (!options.gss_authentication && !options.gss_keyex) ++ fatal("%s: GSSAPI not enabled", __func__); + + if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +@@ -1810,6 +1834,7 @@ mm_answer_gss_accept_ctx(int sock, struct sshbuf *m) + monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); ++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSIGN, 1); + } + return (0); + } +@@ -1821,8 +1846,8 @@ mm_answer_gss_checkmic(int sock, struct sshbuf *m) + OM_uint32 ret; + int r; + +- if (!options.gss_authentication) +- fatal("%s: GSSAPI authentication not enabled", __func__); ++ if (!options.gss_authentication && !options.gss_keyex) ++ fatal("%s: GSSAPI not enabled", __func__); + + if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || + (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) +@@ -1851,10 +1876,11 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) + int r, authenticated; + const char *displayname; + +- if (!options.gss_authentication) +- fatal("%s: GSSAPI authentication not enabled", __func__); ++ if (!options.gss_authentication && !options.gss_keyex) ++ fatal("%s: GSSAPI not enabled", __func__); + +- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); ++ authenticated = authctxt->valid && ++ ssh_gssapi_userok(authctxt->user, authctxt->pw); + + sshbuf_reset(m); + if ((r = sshbuf_put_u32(m, authenticated)) != 0) +@@ -1871,5 +1897,83 @@ mm_answer_gss_userok(int sock, struct sshbuf *m) + /* Monitor loop will terminate if authenticated */ + return (authenticated); + } ++ ++int ++mm_answer_gss_sign(int socket, struct sshbuf *m) ++{ ++ gss_buffer_desc data; ++ gss_buffer_desc hash = GSS_C_EMPTY_BUFFER; ++ OM_uint32 major, minor; ++ size_t len; ++ u_char *p; ++ int r; ++ ++ if (!options.gss_authentication && !options.gss_keyex) ++ fatal("%s: GSSAPI not enabled", __func__); ++ ++ if ((r = sshbuf_get_string(m, &p, &len)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ data.value = p; ++ data.length = len; ++ if (data.length != 20) ++ fatal("%s: data length incorrect: %d", __func__, ++ (int) data.length); ++ ++ /* Save the session ID on the first time around */ ++ if (session_id2_len == 0) { ++ session_id2_len = data.length; ++ session_id2 = xmalloc(session_id2_len); ++ memcpy(session_id2, data.value, session_id2_len); ++ } ++ major = ssh_gssapi_sign(gsscontext, &data, &hash); ++ ++ free(data.value); ++ ++ sshbuf_reset(m); ++ if ((r = sshbuf_put_u32(m, major)) != 0 || ++ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ ++ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m); ++ ++ gss_release_buffer(&minor, &hash); ++ ++ /* Turn on getpwnam permissions */ ++ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); ++ ++ /* And credential updating, for when rekeying */ ++ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUPCREDS, 1); ++ ++ return (0); ++} ++ ++int ++mm_answer_gss_updatecreds(int socket, struct sshbuf *m) { ++ ssh_gssapi_ccache store; ++ int r, ok; ++ ++ if (!options.gss_authentication && !options.gss_keyex) ++ fatal("%s: GSSAPI not enabled", __func__); ++ ++ if ((r = sshbuf_get_cstring(m, &store.filename, NULL)) != 0 || ++ (r = sshbuf_get_cstring(m, &store.envvar, NULL)) != 0 || ++ (r = sshbuf_get_cstring(m, &store.envval, NULL)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ ++ ok = ssh_gssapi_update_creds(&store); ++ ++ free(store.filename); ++ free(store.envvar); ++ free(store.envval); ++ ++ sshbuf_reset(m); ++ if ((r = sshbuf_put_u32(m, ok)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ ++ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m); ++ ++ return(0); ++} ++ + #endif /* GSSAPI */ + +diff --git a/monitor.h b/monitor.h +index 16047299f..44fbed589 100644 +--- a/monitor.h ++++ b/monitor.h +@@ -63,6 +63,9 @@ enum monitor_reqtype { + MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111, + MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113, + ++ MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, ++ MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, ++ + }; + + struct monitor { +diff --git a/monitor_wrap.c b/monitor_wrap.c +index 732fb3476..1865a122a 100644 +--- a/monitor_wrap.c ++++ b/monitor_wrap.c +@@ -984,7 +984,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) + } + + int +-mm_ssh_gssapi_userok(char *user) ++mm_ssh_gssapi_userok(char *user, struct passwd *pw) + { + struct sshbuf *m; + int r, authenticated = 0; +@@ -1003,4 +1003,55 @@ mm_ssh_gssapi_userok(char *user) + debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); + return (authenticated); + } ++ ++OM_uint32 ++mm_ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_desc *data, gss_buffer_desc *hash) ++{ ++ struct sshbuf *m; ++ OM_uint32 major; ++ int r; ++ ++ if ((m = sshbuf_new()) == NULL) ++ fatal("%s: sshbuf_new failed", __func__); ++ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ ++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m); ++ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m); ++ ++ if ((r = sshbuf_get_u32(m, &major)) != 0 || ++ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ ++ sshbuf_free(m); ++ ++ return(major); ++} ++ ++int ++mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) ++{ ++ struct sshbuf *m; ++ int r, ok; ++ ++ if ((m = sshbuf_new()) == NULL) ++ fatal("%s: sshbuf_new failed", __func__); ++ if ((r = sshbuf_put_cstring(m, ++ store->filename ? store->filename : "")) != 0 || ++ (r = sshbuf_put_cstring(m, ++ store->envvar ? store->envvar : "")) != 0 || ++ (r = sshbuf_put_cstring(m, ++ store->envval ? store->envval : "")) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ ++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m); ++ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m); ++ ++ if ((r = sshbuf_get_u32(m, &ok)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ sshbuf_free(m); ++ ++ return (ok); ++} ++ + #endif /* GSSAPI */ +diff --git a/monitor_wrap.h b/monitor_wrap.h +index 644da081d..7f93144ff 100644 +--- a/monitor_wrap.h ++++ b/monitor_wrap.h +@@ -60,8 +60,10 @@ int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t, + OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); + OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, + gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); +-int mm_ssh_gssapi_userok(char *user); ++int mm_ssh_gssapi_userok(char *user, struct passwd *); + OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); ++OM_uint32 mm_ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); ++int mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *); + #endif + + #ifdef USE_PAM +diff --git a/opacket.c b/opacket.c +index e637d7a71..7672c0b59 100644 +--- a/opacket.c ++++ b/opacket.c +@@ -80,7 +80,7 @@ ssh_packet_put_raw(struct ssh *ssh, const void *buf, u_int len) + + #ifdef WITH_OPENSSL + void +-ssh_packet_put_bignum2(struct ssh *ssh, BIGNUM * value) ++ssh_packet_put_bignum2(struct ssh *ssh, const BIGNUM * value) + { + int r; + +diff --git a/opacket.h b/opacket.h +index f92fe586e..1cf66a2d3 100644 +--- a/opacket.h ++++ b/opacket.h +@@ -7,7 +7,7 @@ void ssh_packet_start(struct ssh *, u_char); + void ssh_packet_put_char(struct ssh *, int ch); + void ssh_packet_put_int(struct ssh *, u_int value); + void ssh_packet_put_int64(struct ssh *, u_int64_t value); +-void ssh_packet_put_bignum2(struct ssh *, BIGNUM * value); ++void ssh_packet_put_bignum2(struct ssh *, const BIGNUM * value); + void ssh_packet_put_ecpoint(struct ssh *, const EC_GROUP *, const EC_POINT *); + void ssh_packet_put_string(struct ssh *, const void *buf, u_int len); + void ssh_packet_put_cstring(struct ssh *, const char *str); +diff --git a/readconf.c b/readconf.c +index 433811521..36bc5e59a 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -161,6 +161,8 @@ typedef enum { + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, oGssKeyEx, oGssClientIdentity, oGssRenewalRekey, ++ oGssServerIdentity, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -201,10 +203,20 @@ static struct { + /* Sometimes-unsupported options */ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, ++ { "gssapikeyexchange", oGssKeyEx }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, ++ { "gssapiclientidentity", oGssClientIdentity }, ++ { "gssapiserveridentity", oGssServerIdentity }, ++ { "gssapirenewalforcesrekey", oGssRenewalRekey }, + # else + { "gssapiauthentication", oUnsupported }, ++ { "gssapikeyexchange", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, ++ { "gssapiclientidentity", oUnsupported }, ++ { "gssapiserveridentity", oUnsupported }, ++ { "gssapirenewalforcesrekey", oUnsupported }, + #endif + #ifdef ENABLE_PKCS11 + { "smartcarddevice", oPKCS11Provider }, +@@ -974,10 +986,30 @@ parse_time: + intptr = &options->gss_authentication; + goto parse_flag; + ++ case oGssKeyEx: ++ intptr = &options->gss_keyex; ++ goto parse_flag; ++ + case oGssDelegateCreds: + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ ++ case oGssClientIdentity: ++ charptr = &options->gss_client_identity; ++ goto parse_string; ++ ++ case oGssServerIdentity: ++ charptr = &options->gss_server_identity; ++ goto parse_string; ++ ++ case oGssRenewalRekey: ++ intptr = &options->gss_renewal_rekey; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1842,7 +1874,12 @@ initialize_options(Options * options) + options->pubkey_authentication = -1; + options->challenge_response_authentication = -1; + options->gss_authentication = -1; ++ options->gss_keyex = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; ++ options->gss_renewal_rekey = -1; ++ options->gss_client_identity = NULL; ++ options->gss_server_identity = NULL; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1988,8 +2025,14 @@ fill_default_options(Options * options) + options->challenge_response_authentication = 1; + if (options->gss_authentication == -1) + options->gss_authentication = 0; ++ if (options->gss_keyex == -1) ++ options->gss_keyex = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; ++ if (options->gss_renewal_rekey == -1) ++ options->gss_renewal_rekey = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +diff --git a/readconf.h b/readconf.h +index fc7e38251..8e4900d01 100644 +--- a/readconf.h ++++ b/readconf.h +@@ -40,7 +40,12 @@ typedef struct { + int challenge_response_authentication; + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ ++ int gss_keyex; /* Try GSS key exchange */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ ++ int gss_renewal_rekey; /* Credential renewal forces rekey */ ++ char *gss_client_identity; /* Principal to initiate GSSAPI with */ ++ char *gss_server_identity; /* GSSAPI target principal */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +diff --git a/servconf.c b/servconf.c +index 932d363bb..4668b8a45 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -124,8 +124,10 @@ initialize_server_options(ServerOptions *options) + options->kerberos_ticket_cleanup = -1; + options->kerberos_get_afs_token = -1; + options->gss_authentication=-1; ++ options->gss_keyex = -1; + options->gss_cleanup_creds = -1; + options->gss_strict_acceptor = -1; ++ options->gss_store_rekey = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->challenge_response_authentication = -1; +@@ -337,10 +339,14 @@ fill_default_server_options(ServerOptions *options) + options->kerberos_get_afs_token = 0; + if (options->gss_authentication == -1) + options->gss_authentication = 0; ++ if (options->gss_keyex == -1) ++ options->gss_keyex = 0; + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; + if (options->gss_strict_acceptor == -1) + options->gss_strict_acceptor = 1; ++ if (options->gss_store_rekey == -1) ++ options->gss_store_rekey = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +@@ -485,6 +491,7 @@ typedef enum { + sHostKeyAlgorithms, + sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, ++ sGssKeyEx, sGssStoreRekey, + sAcceptEnv, sSetEnv, sPermitTunnel, + sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, + sUsePrivilegeSeparation, sAllowAgentForwarding, +@@ -559,12 +566,20 @@ static struct { + #ifdef GSSAPI + { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, + { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, ++ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL }, + { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, ++ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, ++ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, + #else + { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, + { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL }, + { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, + #endif ++ { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, ++ { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, + { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, + { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, + { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, +@@ -1468,6 +1483,10 @@ process_server_config_line(ServerOptions *options, char *line, + intptr = &options->gss_authentication; + goto parse_flag; + ++ case sGssKeyEx: ++ intptr = &options->gss_keyex; ++ goto parse_flag; ++ + case sGssCleanupCreds: + intptr = &options->gss_cleanup_creds; + goto parse_flag; +@@ -1476,6 +1495,10 @@ process_server_config_line(ServerOptions *options, char *line, + intptr = &options->gss_strict_acceptor; + goto parse_flag; + ++ case sGssStoreRekey: ++ intptr = &options->gss_store_rekey; ++ goto parse_flag; ++ + case sPasswordAuthentication: + intptr = &options->password_authentication; + goto parse_flag; +@@ -2560,7 +2583,10 @@ dump_config(ServerOptions *o) + #endif + #ifdef GSSAPI + dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); ++ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex); + dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); ++ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor); ++ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey); + #endif + dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); + dump_cfg_fmtint(sKbdInteractiveAuthentication, +diff --git a/servconf.h b/servconf.h +index 0175e00e8..3b76da816 100644 +--- a/servconf.h ++++ b/servconf.h +@@ -125,8 +125,10 @@ typedef struct { + int kerberos_get_afs_token; /* If true, try to get AFS token if + * authenticated with Kerberos. */ + int gss_authentication; /* If true, permit GSSAPI authentication */ ++ int gss_keyex; /* If true, permit GSSAPI key exchange */ + int gss_cleanup_creds; /* If true, destroy cred cache on logout */ + int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */ ++ int gss_store_rekey; + int password_authentication; /* If true, permit password + * authentication. */ + int kbd_interactive_authentication; /* If true, permit */ +diff --git a/ssh-gss.h b/ssh-gss.h +index 36180d07a..350ce7882 100644 +--- a/ssh-gss.h ++++ b/ssh-gss.h +@@ -1,6 +1,6 @@ + /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */ + /* +- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. ++ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -61,10 +61,22 @@ + + #define SSH_GSS_OIDTYPE 0x06 + ++#define SSH2_MSG_KEXGSS_INIT 30 ++#define SSH2_MSG_KEXGSS_CONTINUE 31 ++#define SSH2_MSG_KEXGSS_COMPLETE 32 ++#define SSH2_MSG_KEXGSS_HOSTKEY 33 ++#define SSH2_MSG_KEXGSS_ERROR 34 ++#define SSH2_MSG_KEXGSS_GROUPREQ 40 ++#define SSH2_MSG_KEXGSS_GROUP 41 ++#define KEX_GSS_GRP1_SHA1_ID "gss-group1-sha1-" ++#define KEX_GSS_GRP14_SHA1_ID "gss-group14-sha1-" ++#define KEX_GSS_GEX_SHA1_ID "gss-gex-sha1-" ++ + typedef struct { + char *filename; + char *envvar; + char *envval; ++ struct passwd *owner; + void *data; + } ssh_gssapi_ccache; + +@@ -72,8 +84,11 @@ typedef struct { + gss_buffer_desc displayname; + gss_buffer_desc exportedname; + gss_cred_id_t creds; ++ gss_name_t name; + struct ssh_gssapi_mech_struct *mech; + ssh_gssapi_ccache store; ++ int used; ++ int updated; + } ssh_gssapi_client; + + typedef struct ssh_gssapi_mech_struct { +@@ -84,6 +99,7 @@ typedef struct ssh_gssapi_mech_struct { + int (*userok) (ssh_gssapi_client *, char *); + int (*localname) (ssh_gssapi_client *, char **); + void (*storecreds) (ssh_gssapi_client *); ++ int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *); + } ssh_gssapi_mech; + + typedef struct { +@@ -94,10 +110,11 @@ typedef struct { + gss_OID oid; /* client */ + gss_cred_id_t creds; /* server */ + gss_name_t client; /* server */ +- gss_cred_id_t client_creds; /* server */ ++ gss_cred_id_t client_creds; /* both */ + } Gssctxt; + + extern ssh_gssapi_mech *supported_mechs[]; ++extern Gssctxt *gss_kex_context; + + int ssh_gssapi_check_oid(Gssctxt *, void *, size_t); + void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t); +@@ -123,17 +140,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); + OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); + void ssh_gssapi_buildmic(struct sshbuf *, const char *, + const char *, const char *); +-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); ++int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); ++OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); ++int ssh_gssapi_credentials_updated(Gssctxt *); + + /* In the server */ ++typedef int ssh_gssapi_check_fn(Gssctxt **, gss_OID, const char *, ++ const char *); ++char *ssh_gssapi_client_mechanisms(const char *, const char *); ++char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *, ++ const char *); ++gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int); ++int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *, ++ const char *); + OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID); +-int ssh_gssapi_userok(char *name); ++int ssh_gssapi_userok(char *name, struct passwd *); + OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); + void ssh_gssapi_do_child(char ***, u_int *); + void ssh_gssapi_cleanup_creds(void); + void ssh_gssapi_storecreds(void); + const char *ssh_gssapi_displayname(void); + ++char *ssh_gssapi_server_mechanisms(void); ++int ssh_gssapi_oid_table_ok(void); ++ ++int ssh_gssapi_update_creds(ssh_gssapi_ccache *store); ++void ssh_gssapi_rekey_creds(void); ++ + #endif /* GSSAPI */ + + #endif /* _SSH_GSS_H */ +diff --git a/ssh_config b/ssh_config +index c12f5ef52..bcb9f153d 100644 +--- a/ssh_config ++++ b/ssh_config +@@ -24,6 +24,8 @@ + # HostbasedAuthentication no + # GSSAPIAuthentication no + # GSSAPIDelegateCredentials no ++# GSSAPIKeyExchange no ++# GSSAPITrustDNS no + # BatchMode no + # CheckHostIP yes + # AddressFamily any +diff --git a/ssh_config.5 b/ssh_config.5 +index 4d5b01d3e..16c79368a 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -736,10 +736,42 @@ The default is + Specifies whether user authentication based on GSSAPI is allowed. + The default is + .Cm no . ++.It Cm GSSAPIKeyExchange ++Specifies whether key exchange based on GSSAPI may be used. When using ++GSSAPI key exchange the server need not have a host key. ++The default is ++.Cm no . ++.It Cm GSSAPIClientIdentity ++If set, specifies the GSSAPI client identity that ssh should use when ++connecting to the server. The default is unset, which means that the default ++identity will be used. ++.It Cm GSSAPIServerIdentity ++If set, specifies the GSSAPI server identity that ssh should expect when ++connecting to the server. The default is unset, which means that the ++expected GSSAPI server identity will be determined from the target ++hostname. + .It Cm GSSAPIDelegateCredentials + Forward (delegate) credentials to the server. + The default is + .Cm no . ++.It Cm GSSAPIRenewalForcesRekey ++If set to ++.Cm yes ++then renewal of the client's GSSAPI credentials will force the rekeying of the ++ssh connection. With a compatible server, this can delegate the renewed ++credentials to a session on the server. ++The default is ++.Cm no . ++.It Cm GSSAPITrustDns ++Set to ++.Cm yes ++to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Cm no , ++the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Cm no . + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +diff --git a/sshconnect2.c b/sshconnect2.c +index 1675f3935..8c872a4fb 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -162,6 +162,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) + struct kex *kex; + int r; + ++#ifdef GSSAPI ++ char *orig = NULL, *gss = NULL; ++ char *gss_host = NULL; ++#endif ++ + xxx_host = host; + xxx_hostaddr = hostaddr; + +@@ -194,6 +199,35 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) + order_hostkeyalgs(host, hostaddr, port)); + } + ++#ifdef GSSAPI ++ if (options.gss_keyex) { ++ /* Add the GSSAPI mechanisms currently supported on this ++ * client to the key exchange algorithm proposal */ ++ orig = myproposal[PROPOSAL_KEX_ALGS]; ++ ++ if (options.gss_server_identity) ++ gss_host = xstrdup(options.gss_server_identity); ++ else if (options.gss_trust_dns) ++ gss_host = remote_hostname(active_state); ++ else ++ gss_host = xstrdup(host); ++ ++ gss = ssh_gssapi_client_mechanisms(gss_host, ++ options.gss_client_identity); ++ if (gss) { ++ debug("Offering GSSAPI proposal: %s", gss); ++ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], ++ "%s,%s", gss, orig); ++ ++ /* If we've got GSSAPI algorithms, then we also ++ * support the 'null' hostkey, as a last resort */ ++ orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]; ++ xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS], ++ "%s,null", orig); ++ } ++ } ++#endif ++ + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits(options.rekey_limit, + options.rekey_interval); +@@ -215,15 +249,41 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) + # endif + #endif + kex->kex[KEX_C25519_SHA256] = kexc25519_client; ++#ifdef GSSAPI ++ if (options.gss_keyex) { ++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; ++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client; ++ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; ++ } ++#endif + kex->client_version_string=client_version_string; + kex->server_version_string=server_version_string; + kex->verify_host_key=&verify_host_key_callback; + ++#ifdef GSSAPI ++ if (options.gss_keyex) { ++ kex->gss_deleg_creds = options.gss_deleg_creds; ++ kex->gss_trust_dns = options.gss_trust_dns; ++ kex->gss_client = options.gss_client_identity; ++ kex->gss_host = gss_host; ++ } ++#endif ++ + ssh_dispatch_run_fatal(active_state, DISPATCH_BLOCK, &kex->done); + + /* remove ext-info from the KEX proposals for rekeying */ + myproposal[PROPOSAL_KEX_ALGS] = + compat_kex_proposal(options.kex_algorithms); ++#ifdef GSSAPI ++ /* repair myproposal after it was crumpled by the */ ++ /* ext-info removal above */ ++ if (gss) { ++ orig = myproposal[PROPOSAL_KEX_ALGS]; ++ xasprintf(&myproposal[PROPOSAL_KEX_ALGS], ++ "%s,%s", gss, orig); ++ free(gss); ++ } ++#endif + if ((r = kex_prop2buf(kex->my, myproposal)) != 0) + fatal("kex_prop2buf: %s", ssh_err(r)); + +@@ -314,6 +374,7 @@ int input_gssapi_token(int type, u_int32_t, struct ssh *); + int input_gssapi_hash(int type, u_int32_t, struct ssh *); + int input_gssapi_error(int, u_int32_t, struct ssh *); + int input_gssapi_errtok(int, u_int32_t, struct ssh *); ++int userauth_gsskeyex(Authctxt *authctxt); + #endif + + void userauth(Authctxt *, char *); +@@ -330,6 +391,11 @@ static char *authmethods_get(void); + + Authmethod authmethods[] = { + #ifdef GSSAPI ++ {"gssapi-keyex", ++ userauth_gsskeyex, ++ NULL, ++ &options.gss_authentication, ++ NULL}, + {"gssapi-with-mic", + userauth_gssapi, + NULL, +@@ -686,25 +752,40 @@ userauth_gssapi(Authctxt *authctxt) + static u_int mech = 0; + OM_uint32 min; + int r, ok = 0; ++ char *gss_host; ++ ++ if (options.gss_server_identity) ++ gss_host = xstrdup(options.gss_server_identity); ++ else if (options.gss_trust_dns) ++ gss_host = remote_hostname(active_state); ++ else ++ gss_host = xstrdup(authctxt->host); + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ + + if (gss_supported == NULL) +- gss_indicate_mechs(&min, &gss_supported); ++ if (GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) { ++ gss_supported = NULL; ++ free(gss_host); ++ return 0; ++ } + + /* Check to see if the mechanism is usable before we offer it */ + while (mech < gss_supported->count && !ok) { + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host, ++ options.gss_client_identity)) { + ok = 1; /* Mechanism works */ + } else { + mech++; + } + } + ++ free(gss_host); ++ + if (!ok) + return 0; + +@@ -935,6 +1016,54 @@ input_gssapi_error(int type, u_int32_t plen, struct ssh *ssh) + free(lang); + return r; + } ++ ++int ++userauth_gsskeyex(Authctxt *authctxt) ++{ ++ struct ssh *ssh = active_state; /* XXX */ ++ struct sshbuf *b; ++ gss_buffer_desc gssbuf; ++ gss_buffer_desc mic = GSS_C_EMPTY_BUFFER; ++ OM_uint32 ms; ++ int r; ++ ++ static int attempt = 0; ++ if (attempt++ >= 1) ++ return (0); ++ ++ if (gss_kex_context == NULL) { ++ debug("No valid Key exchange context"); ++ return (0); ++ } ++ ++ if ((b = sshbuf_new()) == NULL) ++ fatal("%s: sshbuf_new failed", __func__); ++ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service, ++ "gssapi-keyex"); ++ ++ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) ++ fatal("%s: sshbuf_mutable_ptr failed", __func__); ++ gssbuf.length = sshbuf_len(b); ++ ++ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { ++ sshbuf_free(b); ++ return (0); ++ } ++ ++ if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 || ++ (r = sshpkt_put_cstring(ssh, authctxt->server_user)) != 0 || ++ (r = sshpkt_put_cstring(ssh, authctxt->service)) != 0 || ++ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 || ++ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 || ++ (r = sshpkt_send(ssh)) != 0) ++ fatal("%s: %s", __func__, ssh_err(r)); ++ ++ sshbuf_free(b); ++ gss_release_buffer(&ms, &mic); ++ ++ return (1); ++} ++ + #endif /* GSSAPI */ + + int +diff --git a/sshd.c b/sshd.c +index ba26287ba..539a000fd 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -123,6 +123,10 @@ + #include "version.h" + #include "ssherr.h" + ++#ifdef USE_SECURITY_SESSION_API ++#include ++#endif ++ + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) + #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) +@@ -1810,10 +1814,13 @@ main(int ac, char **av) + free(fp); + } + accumulate_host_timing_secret(cfg, NULL); ++#ifndef GSSAPI ++ /* The GSSAPI key exchange can run without a host key */ + if (!sensitive_data.have_ssh2_key) { + logit("sshd: no hostkeys available -- exiting."); + exit(1); + } ++#endif + + /* + * Load certificates. They are stored in an array at identical +@@ -2104,6 +2111,60 @@ main(int ac, char **av) + rdomain == NULL ? "" : "\""); + free(laddr); + ++#ifdef USE_SECURITY_SESSION_API ++ /* ++ * Create a new security session for use by the new user login if ++ * the current session is the root session or we are not launched ++ * by inetd (eg: debugging mode or server mode). We do not ++ * necessarily need to create a session if we are launched from ++ * inetd because Panther xinetd will create a session for us. ++ * ++ * The only case where this logic will fail is if there is an ++ * inetd running in a non-root session which is not creating ++ * new sessions for us. Then all the users will end up in the ++ * same session (bad). ++ * ++ * When the client exits, the session will be destroyed for us ++ * automatically. ++ * ++ * We must create the session before any credentials are stored ++ * (including AFS pags, which happens a few lines below). ++ */ ++ { ++ OSStatus err = 0; ++ SecuritySessionId sid = 0; ++ SessionAttributeBits sattrs = 0; ++ ++ err = SessionGetInfo(callerSecuritySession, &sid, &sattrs); ++ if (err) ++ error("SessionGetInfo() failed with error %.8X", ++ (unsigned) err); ++ else ++ debug("Current Session ID is %.8X / Session Attributes are %.8X", ++ (unsigned) sid, (unsigned) sattrs); ++ ++ if (inetd_flag && !(sattrs & sessionIsRoot)) ++ debug("Running in inetd mode in a non-root session... " ++ "assuming inetd created the session for us."); ++ else { ++ debug("Creating new security session..."); ++ err = SessionCreate(0, sessionHasTTY | sessionIsRemote); ++ if (err) ++ error("SessionCreate() failed with error %.8X", ++ (unsigned) err); ++ ++ err = SessionGetInfo(callerSecuritySession, &sid, ++ &sattrs); ++ if (err) ++ error("SessionGetInfo() failed with error %.8X", ++ (unsigned) err); ++ else ++ debug("New Session ID is %.8X / Session Attributes are %.8X", ++ (unsigned) sid, (unsigned) sattrs); ++ } ++ } ++#endif ++ + /* + * We don't want to listen forever unless the other side + * successfully authenticates itself. So we set up an alarm which is +@@ -2287,6 +2348,48 @@ do_ssh2_kex(void) + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( + list_hostkey_types()); + ++#ifdef GSSAPI ++ { ++ char *orig; ++ char *gss = NULL; ++ char *newstr = NULL; ++ orig = myproposal[PROPOSAL_KEX_ALGS]; ++ ++ /* ++ * If we don't have a host key, then there's no point advertising ++ * the other key exchange algorithms ++ */ ++ ++ if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) ++ orig = NULL; ++ ++ if (options.gss_keyex) ++ gss = ssh_gssapi_server_mechanisms(); ++ else ++ gss = NULL; ++ ++ if (gss && orig) ++ xasprintf(&newstr, "%s,%s", gss, orig); ++ else if (gss) ++ newstr = gss; ++ else if (orig) ++ newstr = orig; ++ ++ /* ++ * If we've got GSSAPI mechanisms, then we've got the 'null' host ++ * key alg, but we can't tell people about it unless its the only ++ * host key algorithm we support ++ */ ++ if (gss && (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS])) == 0) ++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = "null"; ++ ++ if (newstr) ++ myproposal[PROPOSAL_KEX_ALGS] = newstr; ++ else ++ fatal("No supported key exchange algorithms"); ++ } ++#endif ++ + /* start key exchange */ + if ((r = kex_setup(active_state, myproposal)) != 0) + fatal("kex_setup: %s", ssh_err(r)); +@@ -2304,6 +2407,13 @@ do_ssh2_kex(void) + # endif + #endif + kex->kex[KEX_C25519_SHA256] = kexc25519_server; ++#ifdef GSSAPI ++ if (options.gss_keyex) { ++ kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; ++ kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server; ++ kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; ++ } ++#endif + kex->server = 1; + kex->client_version_string=client_version_string; + kex->server_version_string=server_version_string; +diff --git a/sshd_config b/sshd_config +index 19b7c91a1..2c48105f8 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -69,6 +69,8 @@ AuthorizedKeysFile .ssh/authorized_keys + # GSSAPI options + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes ++#GSSAPIStrictAcceptorCheck yes ++#GSSAPIKeyExchange no + + # Set this to 'yes' to enable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will +diff --git a/sshd_config.5 b/sshd_config.5 +index c6484370b..985eef5a2 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -648,6 +648,11 @@ The default is + Specifies whether user authentication based on GSSAPI is allowed. + The default is + .Cm no . ++.It Cm GSSAPIKeyExchange ++Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange ++doesn't rely on ssh keys to verify host identity. ++The default is ++.Cm no . + .It Cm GSSAPICleanupCredentials + Specifies whether to automatically destroy the user's credentials cache + on logout. +@@ -667,6 +672,11 @@ machine's default store. + This facility is provided to assist with operation on multi homed machines. + The default is + .Cm yes . ++.It Cm GSSAPIStoreCredentialsOnRekey ++Controls whether the user's GSSAPI credentials should be updated following a ++successful connection rekeying. This option can be used to accepted renewed ++or updated credentials from a compatible client. The default is ++.Cm no . + .It Cm HostbasedAcceptedKeyTypes + Specifies the key types that will be accepted for hostbased authentication + as a list of comma-separated patterns. +diff --git a/sshkey.c b/sshkey.c +index 6555c5ef8..a85c185fc 100644 +--- a/sshkey.c ++++ b/sshkey.c +@@ -135,6 +135,7 @@ static const struct keytype keytypes[] = { + # endif /* OPENSSL_HAS_NISTP521 */ + # endif /* OPENSSL_HAS_ECC */ + #endif /* WITH_OPENSSL */ ++ { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, + { NULL, NULL, NULL, -1, -1, 0, 0 } + }; + +@@ -223,7 +224,7 @@ sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) + const struct keytype *kt; + + for (kt = keytypes; kt->type != -1; kt++) { +- if (kt->name == NULL) ++ if (kt->name == NULL || kt->type == KEY_NULL) + continue; + if (!include_sigonly && kt->sigonly) + continue; +diff --git a/sshkey.h b/sshkey.h +index f6a007fdf..f54deb0c0 100644 +--- a/sshkey.h ++++ b/sshkey.h +@@ -64,6 +64,7 @@ enum sshkey_types { + KEY_ED25519_CERT, + KEY_XMSS, + KEY_XMSS_CERT, ++ KEY_NULL, + KEY_UNSPEC + }; + diff --git a/debian/patches/have-progressmeter-force-update-at-beginning-and-end-transfer.patch b/debian/patches/have-progressmeter-force-update-at-beginning-and-end-transfer.patch new file mode 100644 index 0000000..767dbf2 --- /dev/null +++ b/debian/patches/have-progressmeter-force-update-at-beginning-and-end-transfer.patch @@ -0,0 +1,120 @@ +From 2a8f710447442e9a03e71c022859112ec2d77d17 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Thu, 24 Jan 2019 16:52:17 +0000 +Subject: upstream: Have progressmeter force an update at the beginning and + +end of each transfer. Fixes the problem recently introduces where very quick +transfers do not display the progressmeter at all. Spotted by naddy@ + +OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb +Last-Update: 2019-02-08 + +Patch-Name: have-progressmeter-force-update-at-beginning-and-end-transfer.patch +--- + progressmeter.c | 13 +++++-------- + progressmeter.h | 4 ++-- + scp.c | 2 +- + sftp-client.c | 2 +- + 4 files changed, 9 insertions(+), 12 deletions(-) + +diff --git a/progressmeter.c b/progressmeter.c +index add462dde..e385c1254 100644 +--- a/progressmeter.c ++++ b/progressmeter.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */ ++/* $OpenBSD: progressmeter.c,v 1.47 2019/01/24 16:52:17 dtucker Exp $ */ + /* + * Copyright (c) 2003 Nils Nordman. All rights reserved. + * +@@ -59,9 +59,6 @@ static void format_rate(char *, int, off_t); + static void sig_winch(int); + static void setscreensize(void); + +-/* updates the progressmeter to reflect the current state of the transfer */ +-void refresh_progress_meter(void); +- + /* signal handler for updating the progress meter */ + static void sig_alarm(int); + +@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t bytes) + } + + void +-refresh_progress_meter(void) ++refresh_progress_meter(int force_update) + { + char buf[MAX_WINSIZE + 1]; + off_t transferred; +@@ -131,7 +128,7 @@ refresh_progress_meter(void) + int hours, minutes, seconds; + int file_len; + +- if ((!alarm_fired && !win_resized) || !can_output()) ++ if ((!force_update && !alarm_fired && !win_resized) || !can_output()) + return; + alarm_fired = 0; + +@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr) + bytes_per_second = 0; + + setscreensize(); +- refresh_progress_meter(); ++ refresh_progress_meter(1); + + signal(SIGALRM, sig_alarm); + signal(SIGWINCH, sig_winch); +@@ -271,7 +268,7 @@ stop_progress_meter(void) + + /* Ensure we complete the progress */ + if (cur_pos != end_pos) +- refresh_progress_meter(); ++ refresh_progress_meter(1); + + atomicio(vwrite, STDOUT_FILENO, "\n", 1); + } +diff --git a/progressmeter.h b/progressmeter.h +index 8f6678060..1703ea75b 100644 +--- a/progressmeter.h ++++ b/progressmeter.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */ ++/* $OpenBSD: progressmeter.h,v 1.5 2019/01/24 16:52:17 dtucker Exp $ */ + /* + * Copyright (c) 2002 Nils Nordman. All rights reserved. + * +@@ -24,5 +24,5 @@ + */ + + void start_progress_meter(const char *, off_t, off_t *); +-void refresh_progress_meter(void); ++void refresh_progress_meter(int); + void stop_progress_meter(void); +diff --git a/scp.c b/scp.c +index 80308573c..1971c80cd 100644 +--- a/scp.c ++++ b/scp.c +@@ -593,7 +593,7 @@ scpio(void *_cnt, size_t s) + off_t *cnt = (off_t *)_cnt; + + *cnt += s; +- refresh_progress_meter(); ++ refresh_progress_meter(0); + if (limit_kbps > 0) + bandwidth_limit(&bwlimit, s); + return 0; +diff --git a/sftp-client.c b/sftp-client.c +index 2bc698f86..cf2887a40 100644 +--- a/sftp-client.c ++++ b/sftp-client.c +@@ -101,7 +101,7 @@ sftpio(void *_bwlimit, size_t amount) + { + struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit; + +- refresh_progress_meter(); ++ refresh_progress_meter(0); + if (bwlimit != NULL) + bandwidth_limit(bwlimit, amount); + return 0; diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch new file mode 100644 index 0000000..4207302 --- /dev/null +++ b/debian/patches/keepalive-extensions.patch @@ -0,0 +1,134 @@ +From 7ba31c6ff505278fb9f33b695605ca3a093caba2 Mon Sep 17 00:00:00 2001 +From: Richard Kettlewell +Date: Sun, 9 Feb 2014 16:09:52 +0000 +Subject: Various keepalive extensions + +Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported +in previous versions of Debian's OpenSSH package but since superseded by +ServerAliveInterval. (We're probably stuck with this bit for +compatibility.) + +In batch mode, default ServerAliveInterval to five minutes. + +Adjust documentation to match and to give some more advice on use of +keepalives. + +Author: Ian Jackson +Author: Matthew Vernon +Author: Colin Watson +Last-Update: 2018-10-19 + +Patch-Name: keepalive-extensions.patch +--- + readconf.c | 14 ++++++++++++-- + ssh_config.5 | 21 +++++++++++++++++++-- + sshd_config.5 | 3 +++ + 3 files changed, 34 insertions(+), 4 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 5e655e924..052d4b1ac 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -175,6 +175,7 @@ typedef enum { + oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, + oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes, + oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump, ++ oProtocolKeepAlives, oSetupTimeOut, + oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported + } OpCodes; + +@@ -322,6 +323,8 @@ static struct { + { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, + { "ignoreunknown", oIgnoreUnknown }, + { "proxyjump", oProxyJump }, ++ { "protocolkeepalives", oProtocolKeepAlives }, ++ { "setuptimeout", oSetupTimeOut }, + + { NULL, oBadOption } + }; +@@ -1415,6 +1418,8 @@ parse_keytypes: + goto parse_flag; + + case oServerAliveInterval: ++ case oProtocolKeepAlives: /* Debian-specific compatibility alias */ ++ case oSetupTimeOut: /* Debian-specific compatibility alias */ + intptr = &options->server_alive_interval; + goto parse_time; + +@@ -2101,8 +2106,13 @@ fill_default_options(Options * options) + options->rekey_interval = 0; + if (options->verify_host_key_dns == -1) + options->verify_host_key_dns = 0; +- if (options->server_alive_interval == -1) +- options->server_alive_interval = 0; ++ if (options->server_alive_interval == -1) { ++ /* in batch mode, default is 5mins */ ++ if (options->batch_mode == 1) ++ options->server_alive_interval = 300; ++ else ++ options->server_alive_interval = 0; ++ } + if (options->server_alive_count_max == -1) + options->server_alive_count_max = 3; + if (options->control_master == -1) +diff --git a/ssh_config.5 b/ssh_config.5 +index 16c79368a..54e143c93 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -247,8 +247,12 @@ Valid arguments are + If set to + .Cm yes , + passphrase/password querying will be disabled. ++In addition, the ++.Cm ServerAliveInterval ++option will be set to 300 seconds by default (Debian-specific). + This option is useful in scripts and other batch jobs where no user +-is present to supply the password. ++is present to supply the password, ++and where it is desirable to detect a broken network swiftly. + The argument must be + .Cm yes + or +@@ -1485,7 +1489,14 @@ from the server, + will send a message through the encrypted + channel to request a response from the server. + The default +-is 0, indicating that these messages will not be sent to the server. ++is 0, indicating that these messages will not be sent to the server, ++or 300 if the ++.Cm BatchMode ++option is set (Debian-specific). ++.Cm ProtocolKeepAlives ++and ++.Cm SetupTimeOut ++are Debian-specific compatibility aliases for this option. + .It Cm SetEnv + Directly specify one or more environment variables and their contents to + be sent to the server. +@@ -1565,6 +1576,12 @@ Specifies whether the system should send TCP keepalive messages to the + other side. + If they are sent, death of the connection or crash of one + of the machines will be properly noticed. ++This option only uses TCP keepalives (as opposed to using ssh level ++keepalives), so takes a long time to notice when the connection dies. ++As such, you probably want ++the ++.Cm ServerAliveInterval ++option as well. + However, this means that + connections will die if the route is down temporarily, and some people + find it annoying. +diff --git a/sshd_config.5 b/sshd_config.5 +index 985eef5a2..e7e55dd71 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -1577,6 +1577,9 @@ This avoids infinitely hanging sessions. + .Pp + To disable TCP keepalive messages, the value should be set to + .Cm no . ++.Pp ++This option was formerly called ++.Cm KeepAlive . + .It Cm TrustedUserCAKeys + Specifies a file containing public keys of certificate authorities that are + trusted to sign user certificates for authentication, or diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch new file mode 100644 index 0000000..75ed46d --- /dev/null +++ b/debian/patches/mention-ssh-keygen-on-keychange.patch @@ -0,0 +1,44 @@ +From bb8bb2621914ad600202e38d5b9b4f4544b191e5 Mon Sep 17 00:00:00 2001 +From: Scott Moser +Date: Sun, 9 Feb 2014 16:10:03 +0000 +Subject: Mention ssh-keygen in ssh fingerprint changed warning + +Author: Chris Lamb +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607 +Last-Update: 2017-08-22 + +Patch-Name: mention-ssh-keygen-on-keychange.patch +--- + sshconnect.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sshconnect.c b/sshconnect.c +index 700ea6c3c..158e8146f 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -1121,9 +1121,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, + error("%s. This could either mean that", key_msg); + error("DNS SPOOFING is happening or the IP address for the host"); + error("and its host key have changed at the same time."); +- if (ip_status != HOST_NEW) ++ if (ip_status != HOST_NEW) { + error("Offending key for IP in %s:%lu", + ip_found->file, ip_found->line); ++ error(" remove with:"); ++ error(" ssh-keygen -f \"%s\" -R \"%s\"", ++ ip_found->file, ip); ++ } + } + /* The host key has changed. */ + warn_changed_key(host_key); +@@ -1132,6 +1136,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, + error("Offending %s key in %s:%lu", + sshkey_type(host_found->key), + host_found->file, host_found->line); ++ error(" remove with:"); ++ error(" ssh-keygen -f \"%s\" -R \"%s\"", ++ host_found->file, host); + + /* + * If strict host key checking is in use, the user will have diff --git a/debian/patches/no-openssl-version-status.patch b/debian/patches/no-openssl-version-status.patch new file mode 100644 index 0000000..3b2e05e --- /dev/null +++ b/debian/patches/no-openssl-version-status.patch @@ -0,0 +1,62 @@ +From 690051b3aa4ff72af57e4a82d640858357eef820 Mon Sep 17 00:00:00 2001 +From: Kurt Roeckx +Date: Sun, 9 Feb 2014 16:10:14 +0000 +Subject: Don't check the status field of the OpenSSL version + +There is no reason to check the version of OpenSSL (in Debian). If it's +not compatible the soname will change. OpenSSH seems to want to do a +check for the soname based on the version number, but wants to keep the +status of the release the same. Remove that check on the status since +it doesn't tell you anything about how compatible that version is. + +Author: Colin Watson +Bug-Debian: https://bugs.debian.org/93581 +Bug-Debian: https://bugs.debian.org/664383 +Bug-Debian: https://bugs.debian.org/732940 +Forwarded: not-needed +Last-Update: 2014-10-07 + +Patch-Name: no-openssl-version-status.patch +--- + openbsd-compat/openssl-compat.c | 6 +++--- + openbsd-compat/regress/opensslvertest.c | 1 + + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c +index 8b4a36274..ea0b0c9fb 100644 +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -34,7 +34,7 @@ + /* + * OpenSSL version numbers: MNNFFPPS: major minor fix patch status + * We match major, minor, fix and status (not patch) for <1.0.0. +- * After that, we acceptable compatible fix versions (so we ++ * After that, we accept compatible fix and status versions (so we + * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed + * within a patch series. + */ +@@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver) + } + + /* +- * For versions >= 1.0.0, major,minor,status must match and library ++ * For versions >= 1.0.0, major,minor must match and library + * fix version must be equal to or newer than the header. + */ +- mask = 0xfff0000fL; /* major,minor,status */ ++ mask = 0xfff00000L; /* major,minor */ + hfix = (headerver & 0x000ff000) >> 12; + lfix = (libver & 0x000ff000) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) +diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c +index 5d019b598..58474873d 100644 +--- a/openbsd-compat/regress/opensslvertest.c ++++ b/openbsd-compat/regress/opensslvertest.c +@@ -35,6 +35,7 @@ struct version_test { + + /* built with 1.0.1b release headers */ + { 0x1000101fL, 0x1000101fL, 1},/* exact match */ ++ { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */ + { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */ + { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ + { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch new file mode 100644 index 0000000..cdb905b --- /dev/null +++ b/debian/patches/openbsd-docs.patch @@ -0,0 +1,148 @@ +From 96c85e746d4f94c7d2748a200e5817ad8a987918 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 9 Feb 2014 16:10:09 +0000 +Subject: Adjust various OpenBSD-specific references in manual pages + +No single bug reference for this patch, but history includes: + http://bugs.debian.org/154434 (login.conf(5)) + http://bugs.debian.org/513417 (/etc/rc) + http://bugs.debian.org/530692 (ssl(8)) + https://bugs.launchpad.net/bugs/456660 (ssl(8)) + +Forwarded: not-needed +Last-Update: 2017-10-04 + +Patch-Name: openbsd-docs.patch +--- + moduli.5 | 4 ++-- + ssh-keygen.1 | 12 ++++-------- + ssh.1 | 4 ++++ + sshd.8 | 5 ++--- + sshd_config.5 | 3 +-- + 5 files changed, 13 insertions(+), 15 deletions(-) + +diff --git a/moduli.5 b/moduli.5 +index ef0de0850..149846c8c 100644 +--- a/moduli.5 ++++ b/moduli.5 +@@ -21,7 +21,7 @@ + .Nd Diffie-Hellman moduli + .Sh DESCRIPTION + The +-.Pa /etc/moduli ++.Pa /etc/ssh/moduli + file contains prime numbers and generators for use by + .Xr sshd 8 + in the Diffie-Hellman Group Exchange key exchange method. +@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough + Diffie-Hellman output to sufficiently key the selected symmetric cipher. + .Xr sshd 8 + then randomly selects a modulus from +-.Fa /etc/moduli ++.Fa /etc/ssh/moduli + that best meets the size requirement. + .Sh SEE ALSO + .Xr ssh-keygen 1 , +diff --git a/ssh-keygen.1 b/ssh-keygen.1 +index bfa2eb5f3..da6b5ed76 100644 +--- a/ssh-keygen.1 ++++ b/ssh-keygen.1 +@@ -176,9 +176,7 @@ key in + .Pa ~/.ssh/id_ed25519 + or + .Pa ~/.ssh/id_rsa . +-Additionally, the system administrator may use this to generate host keys, +-as seen in +-.Pa /etc/rc . ++Additionally, the system administrator may use this to generate host keys. + .Pp + Normally this program generates the key and asks for a file in which + to store the private key. +@@ -229,9 +227,7 @@ If + .Fl f + has also been specified, its argument is used as a prefix to the + default path for the resulting host key files. +-This is used by +-.Pa /etc/rc +-to generate new host keys. ++This is used by system administration scripts to generate new host keys. + .It Fl a Ar rounds + When saving a private key this option specifies the number of KDF + (key derivation function) rounds used. +@@ -677,7 +673,7 @@ option. + Valid generator values are 2, 3, and 5. + .Pp + Screened DH groups may be installed in +-.Pa /etc/moduli . ++.Pa /etc/ssh/moduli . + It is important that this file contains moduli of a range of bit lengths and + that both ends of a connection share common moduli. + .Sh CERTIFICATES +@@ -877,7 +873,7 @@ on all machines + where the user wishes to log in using public key authentication. + There is no need to keep the contents of this file secret. + .Pp +-.It Pa /etc/moduli ++.It Pa /etc/ssh/moduli + Contains Diffie-Hellman groups used for DH-GEX. + The file format is described in + .Xr moduli 5 . +diff --git a/ssh.1 b/ssh.1 +index 81f29af43..5dfad6daa 100644 +--- a/ssh.1 ++++ b/ssh.1 +@@ -860,6 +860,10 @@ implements public key authentication protocol automatically, + using one of the DSA, ECDSA, Ed25519 or RSA algorithms. + The HISTORY section of + .Xr ssl 8 ++(on non-OpenBSD systems, see ++.nh ++http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY) ++.hy + contains a brief discussion of the DSA and RSA algorithms. + .Pp + The file +diff --git a/sshd.8 b/sshd.8 +index 57a7fd66b..4abc01d66 100644 +--- a/sshd.8 ++++ b/sshd.8 +@@ -65,7 +65,7 @@ over an insecure network. + .Nm + listens for connections from clients. + It is normally started at boot from +-.Pa /etc/rc . ++.Pa /etc/init.d/ssh . + It forks a new + daemon for each incoming connection. + The forked daemons handle +@@ -884,7 +884,7 @@ This file is for host-based authentication (see + .Xr ssh 1 ) . + It should only be writable by root. + .Pp +-.It Pa /etc/moduli ++.It Pa /etc/ssh/moduli + Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange" + key exchange method. + The file format is described in +@@ -982,7 +982,6 @@ The content of this file is not sensitive; it can be world-readable. + .Xr ssh-keyscan 1 , + .Xr chroot 2 , + .Xr hosts_access 5 , +-.Xr login.conf 5 , + .Xr moduli 5 , + .Xr sshd_config 5 , + .Xr inetd 8 , +diff --git a/sshd_config.5 b/sshd_config.5 +index 37e6be38f..23f71fd1d 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -395,8 +395,7 @@ Certificates signed using other algorithms will not be accepted for + public key or host-based authentication. + .It Cm ChallengeResponseAuthentication + Specifies whether challenge-response authentication is allowed (e.g. via +-PAM or through authentication styles supported in +-.Xr login.conf 5 ) ++PAM). + The default is + .Cm yes . + .It Cm ChrootDirectory diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch new file mode 100644 index 0000000..809c788 --- /dev/null +++ b/debian/patches/package-versioning.patch @@ -0,0 +1,61 @@ +From b258a00bedcf29200b394c671c6deb1e53157f32 Mon Sep 17 00:00:00 2001 +From: Matthew Vernon +Date: Sun, 9 Feb 2014 16:10:05 +0000 +Subject: Include the Debian version in our identification + +This makes it easier to audit networks for versions patched against security +vulnerabilities. It has little detrimental effect, as attackers will +generally just try attacks rather than bothering to scan for +vulnerable-looking version strings. (However, see debian-banner.patch.) + +Forwarded: not-needed +Last-Update: 2017-10-04 + +Patch-Name: package-versioning.patch +--- + sshconnect.c | 2 +- + sshd.c | 2 +- + version.h | 7 ++++++- + 3 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/sshconnect.c b/sshconnect.c +index 158e8146f..b9418e277 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -609,7 +609,7 @@ send_client_banner(int connection_out, int minor1) + { + /* Send our own protocol version identification. */ + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); + if (atomicio(vwrite, connection_out, client_version_string, + strlen(client_version_string)) != strlen(client_version_string)) + fatal("write: %.100s", strerror(errno)); +diff --git a/sshd.c b/sshd.c +index 2bc6679e5..9481272fc 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -384,7 +384,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) + char remote_version[256]; /* Must be at least as big as buf. */ + + xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum); + +diff --git a/version.h b/version.h +index 422dfbc3a..5e1ce0426 100644 +--- a/version.h ++++ b/version.h +@@ -3,4 +3,9 @@ + #define SSH_VERSION "OpenSSH_7.9" + + #define SSH_PORTABLE "p1" +-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ++#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE ++#ifdef SSH_EXTRAVERSION ++#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION ++#else ++#define SSH_RELEASE SSH_RELEASE_MINIMUM ++#endif diff --git a/debian/patches/request-rsa-sha2-cert-signatures.patch b/debian/patches/request-rsa-sha2-cert-signatures.patch new file mode 100644 index 0000000..2c876be --- /dev/null +++ b/debian/patches/request-rsa-sha2-cert-signatures.patch @@ -0,0 +1,39 @@ +From d94226d4fcefbc398c5583e12b5d07ca33884ba4 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 27 Dec 2018 23:02:11 +0000 +Subject: upstream: Request RSA-SHA2 signatures for + +rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@ + +OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033 + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=f429c1b2ef631f2855e51a790cf71761d752bbca +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2944 +Bug-Debian: https://bugs.debian.org/923419 +Last-Update: 2019-02-28 + +Patch-Name: request-rsa-sha2-cert-signatures.patch +--- + authfd.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/authfd.c b/authfd.c +index ecdd869ab..62cbf8c19 100644 +--- a/authfd.c ++++ b/authfd.c +@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl) + static u_int + agent_encode_alg(const struct sshkey *key, const char *alg) + { +- if (alg != NULL && key->type == KEY_RSA) { +- if (strcmp(alg, "rsa-sha2-256") == 0) ++ if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) { ++ if (strcmp(alg, "rsa-sha2-256") == 0 || ++ strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0) + return SSH_AGENT_RSA_SHA2_256; +- else if (strcmp(alg, "rsa-sha2-512") == 0) ++ if (strcmp(alg, "rsa-sha2-512") == 0 || ++ strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0) + return SSH_AGENT_RSA_SHA2_512; + } + return 0; diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch new file mode 100644 index 0000000..fcb1ac7 --- /dev/null +++ b/debian/patches/restore-authorized_keys2.patch @@ -0,0 +1,35 @@ +From cebe4b82b280810172877a7f3d489c506c9a0691 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 5 Mar 2017 02:02:11 +0000 +Subject: Restore reading authorized_keys2 by default + +Upstream seems to intend to gradually phase this out, so don't assume +that this will remain the default forever. However, we were late in +adopting the upstream sshd_config changes, so it makes sense to extend +the grace period. + +Bug-Debian: https://bugs.debian.org/852320 +Forwarded: not-needed +Last-Update: 2017-03-05 + +Patch-Name: restore-authorized_keys2.patch +--- + sshd_config | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/sshd_config b/sshd_config +index ed8272f6d..ee9629102 100644 +--- a/sshd_config ++++ b/sshd_config +@@ -36,9 +36,8 @@ + + #PubkeyAuthentication yes + +-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +-# but this is overridden so installations will only check .ssh/authorized_keys +-AuthorizedKeysFile .ssh/authorized_keys ++# Expect .ssh/authorized_keys2 to be disregarded by default in future. ++#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 + + #AuthorizedPrincipalsFile none + diff --git a/debian/patches/restore-tcp-wrappers.patch b/debian/patches/restore-tcp-wrappers.patch new file mode 100644 index 0000000..fdc6cf1 --- /dev/null +++ b/debian/patches/restore-tcp-wrappers.patch @@ -0,0 +1,172 @@ +From 389e16d0109d8c49a761cd7c267438b05c9ab984 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Tue, 7 Oct 2014 13:22:41 +0100 +Subject: Restore TCP wrappers support + +Support for TCP wrappers was dropped in OpenSSH 6.7. See this message +and thread: + + https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html + +It is true that this reduces preauth attack surface in sshd. On the +other hand, this support seems to be quite widely used, and abruptly +dropping it (from the perspective of users who don't read +openssh-unix-dev) could easily cause more serious problems in practice. + +It's not entirely clear what the right long-term answer for Debian is, +but it at least probably doesn't involve dropping this feature shortly +before a freeze. + +Forwarded: not-needed +Last-Update: 2018-08-24 + +Patch-Name: restore-tcp-wrappers.patch +--- + configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + sshd.8 | 7 +++++++ + sshd.c | 25 +++++++++++++++++++++++ + 3 files changed, 89 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 023e7cc55..917300b43 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1517,6 +1517,62 @@ else + AC_MSG_RESULT([no]) + fi + ++# Check whether user wants TCP wrappers support ++TCPW_MSG="no" ++AC_ARG_WITH([tcp-wrappers], ++ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], ++ [ ++ if test "x$withval" != "xno" ; then ++ saved_LIBS="$LIBS" ++ saved_LDFLAGS="$LDFLAGS" ++ saved_CPPFLAGS="$CPPFLAGS" ++ if test -n "${withval}" && \ ++ test "x${withval}" != "xyes"; then ++ if test -d "${withval}/lib"; then ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval}/lib ${LDFLAGS}" ++ fi ++ else ++ if test -n "${need_dash_r}"; then ++ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" ++ else ++ LDFLAGS="-L${withval} ${LDFLAGS}" ++ fi ++ fi ++ if test -d "${withval}/include"; then ++ CPPFLAGS="-I${withval}/include ${CPPFLAGS}" ++ else ++ CPPFLAGS="-I${withval} ${CPPFLAGS}" ++ fi ++ fi ++ LIBS="-lwrap $LIBS" ++ AC_MSG_CHECKING([for libwrap]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++#include ++#include ++#include ++#include ++int deny_severity = 0, allow_severity = 0; ++ ]], [[ ++ hosts_access(0); ++ ]])], [ ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE([LIBWRAP], [1], ++ [Define if you want ++ TCP Wrappers support]) ++ SSHDLIBS="$SSHDLIBS -lwrap" ++ TCPW_MSG="yes" ++ ], [ ++ AC_MSG_ERROR([*** libwrap missing]) ++ ++ ]) ++ LIBS="$saved_LIBS" ++ fi ++ ] ++) ++ + # Check whether user wants to use ldns + LDNS_MSG="no" + AC_ARG_WITH(ldns, +@@ -5329,6 +5385,7 @@ echo " PAM support: $PAM_MSG" + echo " OSF SIA support: $SIA_MSG" + echo " KerberosV support: $KRB5_MSG" + echo " SELinux support: $SELINUX_MSG" ++echo " TCP Wrappers support: $TCPW_MSG" + echo " MD5 password support: $MD5_MSG" + echo " libedit support: $LIBEDIT_MSG" + echo " libldns support: $LDNS_MSG" +diff --git a/sshd.8 b/sshd.8 +index fb133c14b..57a7fd66b 100644 +--- a/sshd.8 ++++ b/sshd.8 +@@ -873,6 +873,12 @@ the user's home directory becomes accessible. + This file should be writable only by the user, and need not be + readable by anyone else. + .Pp ++.It Pa /etc/hosts.allow ++.It Pa /etc/hosts.deny ++Access controls that should be enforced by tcp-wrappers are defined here. ++Further details are described in ++.Xr hosts_access 5 . ++.Pp + .It Pa /etc/hosts.equiv + This file is for host-based authentication (see + .Xr ssh 1 ) . +@@ -975,6 +981,7 @@ The content of this file is not sensitive; it can be world-readable. + .Xr ssh-keygen 1 , + .Xr ssh-keyscan 1 , + .Xr chroot 2 , ++.Xr hosts_access 5 , + .Xr login.conf 5 , + .Xr moduli 5 , + .Xr sshd_config 5 , +diff --git a/sshd.c b/sshd.c +index 539a000fd..673db87f6 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -127,6 +127,13 @@ + #include + #endif + ++#ifdef LIBWRAP ++#include ++#include ++int allow_severity; ++int deny_severity; ++#endif /* LIBWRAP */ ++ + /* Re-exec fds */ + #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) + #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) +@@ -2099,6 +2106,24 @@ main(int ac, char **av) + #ifdef SSH_AUDIT_EVENTS + audit_connection_from(remote_ip, remote_port); + #endif ++#ifdef LIBWRAP ++ allow_severity = options.log_facility|LOG_INFO; ++ deny_severity = options.log_facility|LOG_WARNING; ++ /* Check whether logins are denied from this host. */ ++ if (packet_connection_is_on_socket()) { ++ struct request_info req; ++ ++ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); ++ fromhost(&req); ++ ++ if (!hosts_access(&req)) { ++ debug("Connection refused by tcp wrapper"); ++ refuse(&req); ++ /* NOTREACHED */ ++ fatal("libwrap refuse returns"); ++ } ++ } ++#endif /* LIBWRAP */ + + rdomain = ssh_packet_rdomain_in(ssh); + diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch new file mode 100644 index 0000000..a329b9b --- /dev/null +++ b/debian/patches/revert-ipqos-defaults.patch @@ -0,0 +1,93 @@ +From 6b56cd57db9061296231f14d537f1ebaf25e8877 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Mon, 8 Apr 2019 10:46:29 +0100 +Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP + AF21 for" + +This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379. + +The IPQoS default changes have some unfortunate interactions with +iptables (see https://bugs.debian.org/923880) and VMware, so I'm +temporarily reverting them until those have been fixed. + +Bug-Debian: https://bugs.debian.org/923879 +Bug-Debian: https://bugs.debian.org/926229 +Bug-Ubuntu: https://bugs.launchpad.net/1822370 +Last-Update: 2019-04-08 + +Patch-Name: revert-ipqos-defaults.patch +--- + readconf.c | 4 ++-- + servconf.c | 4 ++-- + ssh_config.5 | 6 ++---- + sshd_config.5 | 6 ++---- + 4 files changed, 8 insertions(+), 12 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 661b8bf40..6d046f063 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -2133,9 +2133,9 @@ fill_default_options(Options * options) + if (options->visual_host_key == -1) + options->visual_host_key = 0; + if (options->ip_qos_interactive == -1) +- options->ip_qos_interactive = IPTOS_DSCP_AF21; ++ options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) +- options->ip_qos_bulk = IPTOS_DSCP_CS1; ++ options->ip_qos_bulk = IPTOS_THROUGHPUT; + if (options->request_tty == -1) + options->request_tty = REQUEST_TTY_AUTO; + if (options->proxy_use_fdpass == -1) +diff --git a/servconf.c b/servconf.c +index c5dd617ef..bf2669147 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -403,9 +403,9 @@ fill_default_server_options(ServerOptions *options) + if (options->permit_tun == -1) + options->permit_tun = SSH_TUNMODE_NO; + if (options->ip_qos_interactive == -1) +- options->ip_qos_interactive = IPTOS_DSCP_AF21; ++ options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) +- options->ip_qos_bulk = IPTOS_DSCP_CS1; ++ options->ip_qos_bulk = IPTOS_THROUGHPUT; + if (options->version_addendum == NULL) + options->version_addendum = xstrdup(""); + if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) +diff --git a/ssh_config.5 b/ssh_config.5 +index 1a8e24bd1..f6c1b3b33 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -1055,11 +1055,9 @@ If one argument is specified, it is used as the packet class unconditionally. + If two values are specified, the first is automatically selected for + interactive sessions and the second for non-interactive sessions. + The default is +-.Cm af21 +-(Low-Latency Data) ++.Cm lowdelay + for interactive sessions and +-.Cm cs1 +-(Lower Effort) ++.Cm throughput + for non-interactive sessions. + .It Cm KbdInteractiveAuthentication + Specifies whether to use keyboard-interactive authentication. +diff --git a/sshd_config.5 b/sshd_config.5 +index ba50a30f1..03f813e72 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -866,11 +866,9 @@ If one argument is specified, it is used as the packet class unconditionally. + If two values are specified, the first is automatically selected for + interactive sessions and the second for non-interactive sessions. + The default is +-.Cm af21 +-(Low-Latency Data) ++.Cm lowdelay + for interactive sessions and +-.Cm cs1 +-(Lower Effort) ++.Cm throughput + for non-interactive sessions. + .It Cm KbdInteractiveAuthentication + Specifies whether to allow keyboard-interactive authentication. diff --git a/debian/patches/sandbox-seccomp-ipc.patch b/debian/patches/sandbox-seccomp-ipc.patch new file mode 100644 index 0000000..51ce220 --- /dev/null +++ b/debian/patches/sandbox-seccomp-ipc.patch @@ -0,0 +1,48 @@ +From 6f794127bd7d332c1d88a3e35eda97dac4530a15 Mon Sep 17 00:00:00 2001 +From: Jeremy Drake +Date: Fri, 11 Oct 2019 18:31:05 -0700 +Subject: Deny (non-fatal) ipc in preauth privsep child. + +As noted in openssh/openssh-portable#149, i386 does not have have +_NR_shmget etc. Instead, it has a single ipc syscall (see man 2 ipc, +https://linux.die.net/man/2/ipc). Add this syscall, if present, to the +list of syscalls that seccomp will deny non-fatally. + +[cjwatson: For backporting to buster, I've dropped the previous change +to allow ipc on s390. Upstream refused that since it opens security +weaknesses and doesn't currently seem to be needed, so I'd already +dropped that for bullseye.] + +Bug-Debian: https://bugs.debian.org/946242 +Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=30f704ebc0e9e32b3d12f5d9e8c1b705fdde2c89 +Last-Update: 2020-01-11 + +Patch-Name: sandbox-seccomp-ipc.patch +--- + sandbox-seccomp-filter.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index e8f31555e..9b6aea8db 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -158,6 +158,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_shmdt + SC_DENY(__NR_shmdt, EACCES), + #endif ++#ifdef __NR_ipc ++ SC_DENY(__NR_ipc, EACCES), ++#endif + + /* Syscalls to permit */ + #ifdef __NR_brk +@@ -205,9 +208,6 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_getuid32 + SC_ALLOW(__NR_getuid32), + #endif +-#if defined(__NR_ipc) && defined(__s390__) +- SC_ALLOW(__NR_ipc), +-#endif + #ifdef __NR_madvise + SC_ALLOW(__NR_madvise), + #endif diff --git a/debian/patches/sanitize-scp-filenames-via-snmprintf.patch b/debian/patches/sanitize-scp-filenames-via-snmprintf.patch new file mode 100644 index 0000000..e58b8b1 --- /dev/null +++ b/debian/patches/sanitize-scp-filenames-via-snmprintf.patch @@ -0,0 +1,276 @@ +From 11b88754cadcad0ba79b4ffcc127223248dccb54 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Wed, 23 Jan 2019 08:01:46 +0000 +Subject: upstream: Sanitize scp filenames via snmprintf. To do this we move + +the progressmeter formatting outside of signal handler context and have the +atomicio callback called for EINTR too. bz#2434 with contributions from djm +and jjelen at redhat.com, ok djm@ + +OpenBSD-Commit-ID: 1af61c1f70e4f3bd8ab140b9f1fa699481db57d8 + +CVE-2019-6109 + +Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=8976f1c4b2721c26e878151f52bdf346dfe2d54c +Bug-Debian: https://bugs.debian.org/793412 +Last-Update: 2019-02-08 + +Patch-Name: sanitize-scp-filenames-via-snmprintf.patch +--- + atomicio.c | 20 ++++++++++++++----- + progressmeter.c | 53 ++++++++++++++++++++++--------------------------- + progressmeter.h | 3 ++- + scp.c | 1 + + sftp-client.c | 16 ++++++++------- + 5 files changed, 51 insertions(+), 42 deletions(-) + +diff --git a/atomicio.c b/atomicio.c +index f854a06f5..d91bd7621 100644 +--- a/atomicio.c ++++ b/atomicio.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */ ++/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */ + /* + * Copyright (c) 2006 Damien Miller. All rights reserved. + * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved. +@@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n, + res = (f) (fd, s + pos, n - pos); + switch (res) { + case -1: +- if (errno == EINTR) ++ if (errno == EINTR) { ++ /* possible SIGALARM, update callback */ ++ if (cb != NULL && cb(cb_arg, 0) == -1) { ++ errno = EINTR; ++ return pos; ++ } + continue; +- if (errno == EAGAIN || errno == EWOULDBLOCK) { ++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) { + #ifndef BROKEN_READ_COMPARISON + (void)poll(&pfd, 1, -1); + #endif +@@ -122,9 +127,14 @@ atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd, + res = (f) (fd, iov, iovcnt); + switch (res) { + case -1: +- if (errno == EINTR) ++ if (errno == EINTR) { ++ /* possible SIGALARM, update callback */ ++ if (cb != NULL && cb(cb_arg, 0) == -1) { ++ errno = EINTR; ++ return pos; ++ } + continue; +- if (errno == EAGAIN || errno == EWOULDBLOCK) { ++ } else if (errno == EAGAIN || errno == EWOULDBLOCK) { + #ifndef BROKEN_READV_COMPARISON + (void)poll(&pfd, 1, -1); + #endif +diff --git a/progressmeter.c b/progressmeter.c +index fe9bf52e4..add462dde 100644 +--- a/progressmeter.c ++++ b/progressmeter.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */ ++/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */ + /* + * Copyright (c) 2003 Nils Nordman. All rights reserved. + * +@@ -31,6 +31,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -39,6 +40,7 @@ + #include "progressmeter.h" + #include "atomicio.h" + #include "misc.h" ++#include "utf8.h" + + #define DEFAULT_WINSIZE 80 + #define MAX_WINSIZE 512 +@@ -61,7 +63,7 @@ static void setscreensize(void); + void refresh_progress_meter(void); + + /* signal handler for updating the progress meter */ +-static void update_progress_meter(int); ++static void sig_alarm(int); + + static double start; /* start progress */ + static double last_update; /* last progress update */ +@@ -74,6 +76,7 @@ static long stalled; /* how long we have been stalled */ + static int bytes_per_second; /* current speed in bytes per second */ + static int win_size; /* terminal window size */ + static volatile sig_atomic_t win_resized; /* for window resizing */ ++static volatile sig_atomic_t alarm_fired; + + /* units for format_size */ + static const char unit[] = " KMGT"; +@@ -126,9 +129,17 @@ refresh_progress_meter(void) + off_t bytes_left; + int cur_speed; + int hours, minutes, seconds; +- int i, len; + int file_len; + ++ if ((!alarm_fired && !win_resized) || !can_output()) ++ return; ++ alarm_fired = 0; ++ ++ if (win_resized) { ++ setscreensize(); ++ win_resized = 0; ++ } ++ + transferred = *counter - (cur_pos ? cur_pos : start_pos); + cur_pos = *counter; + now = monotime_double(); +@@ -158,16 +169,11 @@ refresh_progress_meter(void) + + /* filename */ + buf[0] = '\0'; +- file_len = win_size - 35; ++ file_len = win_size - 36; + if (file_len > 0) { +- len = snprintf(buf, file_len + 1, "\r%s", file); +- if (len < 0) +- len = 0; +- if (len >= file_len + 1) +- len = file_len; +- for (i = len; i < file_len; i++) +- buf[i] = ' '; +- buf[file_len] = '\0'; ++ buf[0] = '\r'; ++ snmprintf(buf+1, sizeof(buf)-1 , &file_len, "%*s", ++ file_len * -1, file); + } + + /* percent of transfer done */ +@@ -228,22 +234,11 @@ refresh_progress_meter(void) + + /*ARGSUSED*/ + static void +-update_progress_meter(int ignore) ++sig_alarm(int ignore) + { +- int save_errno; +- +- save_errno = errno; +- +- if (win_resized) { +- setscreensize(); +- win_resized = 0; +- } +- if (can_output()) +- refresh_progress_meter(); +- +- signal(SIGALRM, update_progress_meter); ++ signal(SIGALRM, sig_alarm); ++ alarm_fired = 1; + alarm(UPDATE_INTERVAL); +- errno = save_errno; + } + + void +@@ -259,10 +254,9 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr) + bytes_per_second = 0; + + setscreensize(); +- if (can_output()) +- refresh_progress_meter(); ++ refresh_progress_meter(); + +- signal(SIGALRM, update_progress_meter); ++ signal(SIGALRM, sig_alarm); + signal(SIGWINCH, sig_winch); + alarm(UPDATE_INTERVAL); + } +@@ -286,6 +280,7 @@ stop_progress_meter(void) + static void + sig_winch(int sig) + { ++ signal(SIGWINCH, sig_winch); + win_resized = 1; + } + +diff --git a/progressmeter.h b/progressmeter.h +index bf179dca6..8f6678060 100644 +--- a/progressmeter.h ++++ b/progressmeter.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */ ++/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */ + /* + * Copyright (c) 2002 Nils Nordman. All rights reserved. + * +@@ -24,4 +24,5 @@ + */ + + void start_progress_meter(const char *, off_t, off_t *); ++void refresh_progress_meter(void); + void stop_progress_meter(void); +diff --git a/scp.c b/scp.c +index 7163d33dc..80308573c 100644 +--- a/scp.c ++++ b/scp.c +@@ -593,6 +593,7 @@ scpio(void *_cnt, size_t s) + off_t *cnt = (off_t *)_cnt; + + *cnt += s; ++ refresh_progress_meter(); + if (limit_kbps > 0) + bandwidth_limit(&bwlimit, s); + return 0; +diff --git a/sftp-client.c b/sftp-client.c +index 4986d6d8d..2bc698f86 100644 +--- a/sftp-client.c ++++ b/sftp-client.c +@@ -101,7 +101,9 @@ sftpio(void *_bwlimit, size_t amount) + { + struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit; + +- bandwidth_limit(bwlimit, amount); ++ refresh_progress_meter(); ++ if (bwlimit != NULL) ++ bandwidth_limit(bwlimit, amount); + return 0; + } + +@@ -121,8 +123,8 @@ send_msg(struct sftp_conn *conn, struct sshbuf *m) + iov[1].iov_base = (u_char *)sshbuf_ptr(m); + iov[1].iov_len = sshbuf_len(m); + +- if (atomiciov6(writev, conn->fd_out, iov, 2, +- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_out) != ++ if (atomiciov6(writev, conn->fd_out, iov, 2, sftpio, ++ conn->limit_kbps > 0 ? &conn->bwlimit_out : NULL) != + sshbuf_len(m) + sizeof(mlen)) + fatal("Couldn't send packet: %s", strerror(errno)); + +@@ -138,8 +140,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial) + + if ((r = sshbuf_reserve(m, 4, &p)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- if (atomicio6(read, conn->fd_in, p, 4, +- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) != 4) { ++ if (atomicio6(read, conn->fd_in, p, 4, sftpio, ++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) != 4) { + if (errno == EPIPE || errno == ECONNRESET) + fatal("Connection closed"); + else +@@ -157,8 +159,8 @@ get_msg_extended(struct sftp_conn *conn, struct sshbuf *m, int initial) + + if ((r = sshbuf_reserve(m, msg_len, &p)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- if (atomicio6(read, conn->fd_in, p, msg_len, +- conn->limit_kbps > 0 ? sftpio : NULL, &conn->bwlimit_in) ++ if (atomicio6(read, conn->fd_in, p, msg_len, sftpio, ++ conn->limit_kbps > 0 ? &conn->bwlimit_in : NULL) + != msg_len) { + if (errno == EPIPE) + fatal("Connection closed"); diff --git a/debian/patches/scp-disallow-dot-or-empty-filename.patch b/debian/patches/scp-disallow-dot-or-empty-filename.patch new file mode 100644 index 0000000..716f2ff --- /dev/null +++ b/debian/patches/scp-disallow-dot-or-empty-filename.patch @@ -0,0 +1,32 @@ +From dee21e97428e69d30e2d15c71f3e7cc08bf8e4f8 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 16 Nov 2018 03:03:10 +0000 +Subject: upstream: disallow empty incoming filename or ones that refer to the + +current directory; based on report/patch from Harry Sintonen + +OpenBSD-Commit-ID: f27651b30eaee2df49540ab68d030865c04f6de9 + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=6010c0303a422a9c5fa8860c061bf7105eb7f8b2 +Bug-Debian: https://bugs.debian.org/919101 +Last-Update: 2019-01-12 + +Patch-Name: scp-disallow-dot-or-empty-filename.patch +--- + scp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scp.c b/scp.c +index ed2864250..7163d33dc 100644 +--- a/scp.c ++++ b/scp.c +@@ -1114,7 +1114,8 @@ sink(int argc, char **argv) + SCREWUP("size out of range"); + size = (off_t)ull; + +- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { ++ if (*cp == '\0' || strchr(cp, '/') != NULL || ++ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { + run_err("error: unexpected filename: %s", cp); + exit(1); + } diff --git a/debian/patches/scp-handle-braces.patch b/debian/patches/scp-handle-braces.patch new file mode 100644 index 0000000..0cbdcfd --- /dev/null +++ b/debian/patches/scp-handle-braces.patch @@ -0,0 +1,353 @@ +From 7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Sun, 10 Feb 2019 11:15:52 +0000 +Subject: upstream: when checking that filenames sent by the server side + +match what the client requested, be prepared to handle shell-style brace +alternations, e.g. "{foo,bar}". + +"looks good to me" millert@ + in snaps for the last week courtesy +deraadt@ + +OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e + +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874 +Bug-Debian: https://bugs.debian.org/923486 +Last-Update: 2019-03-01 + +Patch-Name: scp-handle-braces.patch +--- + scp.c | 280 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 269 insertions(+), 11 deletions(-) + +diff --git a/scp.c b/scp.c +index 035037bcc..3888baab0 100644 +--- a/scp.c ++++ b/scp.c +@@ -635,6 +635,253 @@ parse_scp_uri(const char *uri, char **userp, char **hostp, int *portp, + return r; + } + ++/* Appends a string to an array; returns 0 on success, -1 on alloc failure */ ++static int ++append(char *cp, char ***ap, size_t *np) ++{ ++ char **tmp; ++ ++ if ((tmp = reallocarray(*ap, *np + 1, sizeof(*tmp))) == NULL) ++ return -1; ++ tmp[(*np)] = cp; ++ (*np)++; ++ *ap = tmp; ++ return 0; ++} ++ ++/* ++ * Finds the start and end of the first brace pair in the pattern. ++ * returns 0 on success or -1 for invalid patterns. ++ */ ++static int ++find_brace(const char *pattern, int *startp, int *endp) ++{ ++ int i; ++ int in_bracket, brace_level; ++ ++ *startp = *endp = -1; ++ in_bracket = brace_level = 0; ++ for (i = 0; i < INT_MAX && *endp < 0 && pattern[i] != '\0'; i++) { ++ switch (pattern[i]) { ++ case '\\': ++ /* skip next character */ ++ if (pattern[i + 1] != '\0') ++ i++; ++ break; ++ case '[': ++ in_bracket = 1; ++ break; ++ case ']': ++ in_bracket = 0; ++ break; ++ case '{': ++ if (in_bracket) ++ break; ++ if (pattern[i + 1] == '}') { ++ /* Protect a single {}, for find(1), like csh */ ++ i++; /* skip */ ++ break; ++ } ++ if (*startp == -1) ++ *startp = i; ++ brace_level++; ++ break; ++ case '}': ++ if (in_bracket) ++ break; ++ if (*startp < 0) { ++ /* Unbalanced brace */ ++ return -1; ++ } ++ if (--brace_level <= 0) ++ *endp = i; ++ break; ++ } ++ } ++ /* unbalanced brackets/braces */ ++ if (*endp < 0 && (*startp >= 0 || in_bracket)) ++ return -1; ++ return 0; ++} ++ ++/* ++ * Assembles and records a successfully-expanded pattern, returns -1 on ++ * alloc failure. ++ */ ++static int ++emit_expansion(const char *pattern, int brace_start, int brace_end, ++ int sel_start, int sel_end, char ***patternsp, size_t *npatternsp) ++{ ++ char *cp; ++ int o = 0, tail_len = strlen(pattern + brace_end + 1); ++ ++ if ((cp = malloc(brace_start + (sel_end - sel_start) + ++ tail_len + 1)) == NULL) ++ return -1; ++ ++ /* Pattern before initial brace */ ++ if (brace_start > 0) { ++ memcpy(cp, pattern, brace_start); ++ o = brace_start; ++ } ++ /* Current braced selection */ ++ if (sel_end - sel_start > 0) { ++ memcpy(cp + o, pattern + sel_start, ++ sel_end - sel_start); ++ o += sel_end - sel_start; ++ } ++ /* Remainder of pattern after closing brace */ ++ if (tail_len > 0) { ++ memcpy(cp + o, pattern + brace_end + 1, tail_len); ++ o += tail_len; ++ } ++ cp[o] = '\0'; ++ if (append(cp, patternsp, npatternsp) != 0) { ++ free(cp); ++ return -1; ++ } ++ return 0; ++} ++ ++/* ++ * Expand the first encountered brace in pattern, appending the expanded ++ * patterns it yielded to the *patternsp array. ++ * ++ * Returns 0 on success or -1 on allocation failure. ++ * ++ * Signals whether expansion was performed via *expanded and whether ++ * pattern was invalid via *invalid. ++ */ ++static int ++brace_expand_one(const char *pattern, char ***patternsp, size_t *npatternsp, ++ int *expanded, int *invalid) ++{ ++ int i; ++ int in_bracket, brace_start, brace_end, brace_level; ++ int sel_start, sel_end; ++ ++ *invalid = *expanded = 0; ++ ++ if (find_brace(pattern, &brace_start, &brace_end) != 0) { ++ *invalid = 1; ++ return 0; ++ } else if (brace_start == -1) ++ return 0; ++ ++ in_bracket = brace_level = 0; ++ for (i = sel_start = brace_start + 1; i < brace_end; i++) { ++ switch (pattern[i]) { ++ case '{': ++ if (in_bracket) ++ break; ++ brace_level++; ++ break; ++ case '}': ++ if (in_bracket) ++ break; ++ brace_level--; ++ break; ++ case '[': ++ in_bracket = 1; ++ break; ++ case ']': ++ in_bracket = 0; ++ break; ++ case '\\': ++ if (i < brace_end - 1) ++ i++; /* skip */ ++ break; ++ } ++ if (pattern[i] == ',' || i == brace_end - 1) { ++ if (in_bracket || brace_level > 0) ++ continue; ++ /* End of a selection, emit an expanded pattern */ ++ ++ /* Adjust end index for last selection */ ++ sel_end = (i == brace_end - 1) ? brace_end : i; ++ if (emit_expansion(pattern, brace_start, brace_end, ++ sel_start, sel_end, patternsp, npatternsp) != 0) ++ return -1; ++ /* move on to the next selection */ ++ sel_start = i + 1; ++ continue; ++ } ++ } ++ if (in_bracket || brace_level > 0) { ++ *invalid = 1; ++ return 0; ++ } ++ /* success */ ++ *expanded = 1; ++ return 0; ++} ++ ++/* Expand braces from pattern. Returns 0 on success, -1 on failure */ ++static int ++brace_expand(const char *pattern, char ***patternsp, size_t *npatternsp) ++{ ++ char *cp, *cp2, **active = NULL, **done = NULL; ++ size_t i, nactive = 0, ndone = 0; ++ int ret = -1, invalid = 0, expanded = 0; ++ ++ *patternsp = NULL; ++ *npatternsp = 0; ++ ++ /* Start the worklist with the original pattern */ ++ if ((cp = strdup(pattern)) == NULL) ++ return -1; ++ if (append(cp, &active, &nactive) != 0) { ++ free(cp); ++ return -1; ++ } ++ while (nactive > 0) { ++ cp = active[nactive - 1]; ++ nactive--; ++ if (brace_expand_one(cp, &active, &nactive, ++ &expanded, &invalid) == -1) { ++ free(cp); ++ goto fail; ++ } ++ if (invalid) ++ fatal("%s: invalid brace pattern \"%s\"", __func__, cp); ++ if (expanded) { ++ /* ++ * Current entry expanded to new entries on the ++ * active list; discard the progenitor pattern. ++ */ ++ free(cp); ++ continue; ++ } ++ /* ++ * Pattern did not expand; append the finename component to ++ * the completed list ++ */ ++ if ((cp2 = strrchr(cp, '/')) != NULL) ++ *cp2++ = '\0'; ++ else ++ cp2 = cp; ++ if (append(xstrdup(cp2), &done, &ndone) != 0) { ++ free(cp); ++ goto fail; ++ } ++ free(cp); ++ } ++ /* success */ ++ *patternsp = done; ++ *npatternsp = ndone; ++ done = NULL; ++ ndone = 0; ++ ret = 0; ++ fail: ++ for (i = 0; i < nactive; i++) ++ free(active[i]); ++ free(active); ++ for (i = 0; i < ndone; i++) ++ free(done[i]); ++ free(done); ++ return ret; ++} ++ + void + toremote(int argc, char **argv) + { +@@ -998,7 +1245,8 @@ sink(int argc, char **argv, const char *src) + unsigned long long ull; + int setimes, targisdir, wrerrno = 0; + char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; +- char *src_copy = NULL, *restrict_pattern = NULL; ++ char **patterns = NULL; ++ size_t n, npatterns = 0; + struct timeval tv[2]; + + #define atime tv[0] +@@ -1028,16 +1276,13 @@ sink(int argc, char **argv, const char *src) + * Prepare to try to restrict incoming filenames to match + * the requested destination file glob. + */ +- if ((src_copy = strdup(src)) == NULL) +- fatal("strdup failed"); +- if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) { +- *restrict_pattern++ = '\0'; +- } ++ if (brace_expand(src, &patterns, &npatterns) != 0) ++ fatal("%s: could not expand pattern", __func__); + } + for (first = 1;; first = 0) { + cp = buf; + if (atomicio(read, remin, cp, 1) != 1) +- return; ++ goto done; + if (*cp++ == '\n') + SCREWUP("unexpected "); + do { +@@ -1063,7 +1308,7 @@ sink(int argc, char **argv, const char *src) + } + if (buf[0] == 'E') { + (void) atomicio(vwrite, remout, "", 1); +- return; ++ goto done; + } + if (ch == '\n') + *--cp = 0; +@@ -1138,9 +1383,14 @@ sink(int argc, char **argv, const char *src) + run_err("error: unexpected filename: %s", cp); + exit(1); + } +- if (restrict_pattern != NULL && +- fnmatch(restrict_pattern, cp, 0) != 0) +- SCREWUP("filename does not match request"); ++ if (npatterns > 0) { ++ for (n = 0; n < npatterns; n++) { ++ if (fnmatch(patterns[n], cp, 0) == 0) ++ break; ++ } ++ if (n >= npatterns) ++ SCREWUP("filename does not match request"); ++ } + if (targisdir) { + static char *namebuf; + static size_t cursize; +@@ -1299,7 +1549,15 @@ bad: run_err("%s: %s", np, strerror(errno)); + break; + } + } ++done: ++ for (n = 0; n < npatterns; n++) ++ free(patterns[n]); ++ free(patterns); ++ return; + screwup: ++ for (n = 0; n < npatterns; n++) ++ free(patterns[n]); ++ free(patterns); + run_err("protocol error: %s", why); + exit(1); + } diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch new file mode 100644 index 0000000..d054b2a --- /dev/null +++ b/debian/patches/scp-quoting.patch @@ -0,0 +1,41 @@ +From eefdc7046766b52e39f1b6eafcde22c1e013ce9f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= +Date: Sun, 9 Feb 2014 16:09:59 +0000 +Subject: Adjust scp quoting in verbose mode + +Tweak scp's reporting of filenames in verbose mode to be a bit less +confusing with spaces. + +This should be revised to mimic real shell quoting. + +Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945 +Last-Update: 2010-02-27 + +Patch-Name: scp-quoting.patch +--- + scp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/scp.c b/scp.c +index 60682c687..ed2864250 100644 +--- a/scp.c ++++ b/scp.c +@@ -198,8 +198,16 @@ do_local_cmd(arglist *a) + + if (verbose_mode) { + fprintf(stderr, "Executing:"); +- for (i = 0; i < a->num; i++) +- fmprintf(stderr, " %s", a->list[i]); ++ for (i = 0; i < a->num; i++) { ++ if (i == 0) ++ fmprintf(stderr, " %s", a->list[i]); ++ else ++ /* ++ * TODO: misbehaves if a->list[i] contains a ++ * single quote ++ */ ++ fmprintf(stderr, " '%s'", a->list[i]); ++ } + fprintf(stderr, "\n"); + } + if ((pid = fork()) == -1) diff --git a/debian/patches/seccomp-handle-shm.patch b/debian/patches/seccomp-handle-shm.patch new file mode 100644 index 0000000..56bc941 --- /dev/null +++ b/debian/patches/seccomp-handle-shm.patch @@ -0,0 +1,38 @@ +From 35956d8211ef0a606a117ca3f0ba3ae163c31a39 Mon Sep 17 00:00:00 2001 +From: Lonnie Abelbeck +Date: Tue, 1 Oct 2019 09:05:09 -0500 +Subject: Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child. + +New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt +in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox. + +Bug: https://github.com/openssh/openssh-portable/pull/149 +Bug-Debian: https://bugs.debian.org/941663 +Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3ef92a657444f172b61f92d5da66d94fa8265602 +Last-Update: 2019-10-05 + +Patch-Name: seccomp-handle-shm.patch +--- + sandbox-seccomp-filter.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index ef4de8c65..e8f31555e 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -149,6 +149,15 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_stat64 + SC_DENY(__NR_stat64, EACCES), + #endif ++#ifdef __NR_shmget ++ SC_DENY(__NR_shmget, EACCES), ++#endif ++#ifdef __NR_shmat ++ SC_DENY(__NR_shmat, EACCES), ++#endif ++#ifdef __NR_shmdt ++ SC_DENY(__NR_shmdt, EACCES), ++#endif + + /* Syscalls to permit */ + #ifdef __NR_brk diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch new file mode 100644 index 0000000..e864427 --- /dev/null +++ b/debian/patches/seccomp-s390-flock-ipc.patch @@ -0,0 +1,47 @@ +From 690939ba320d93e6f3ab5266bea94d8fb06c8bae Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Tue, 9 May 2017 10:53:04 -0300 +Subject: Allow flock and ipc syscall for s390 architecture + +In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock +and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 +implementation) which calls the libraries that will communicate with the +crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, +this is only need on s390 architecture. + +Signed-off-by: Eduardo Barretto + +Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 +Last-Update: 2018-10-19 + +Patch-Name: seccomp-s390-flock-ipc.patch +--- + sandbox-seccomp-filter.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 5edbc6946..d4bc20828 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_exit_group + SC_ALLOW(__NR_exit_group), + #endif ++#if defined(__NR_flock) && defined(__s390__) ++ SC_ALLOW(__NR_flock), ++#endif + #ifdef __NR_futex + SC_ALLOW(__NR_futex), + #endif +@@ -193,6 +196,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_getuid32 + SC_ALLOW(__NR_getuid32), + #endif ++#if defined(__NR_ipc) && defined(__s390__) ++ SC_ALLOW(__NR_ipc), ++#endif + #ifdef __NR_madvise + SC_ALLOW(__NR_madvise), + #endif diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch new file mode 100644 index 0000000..ecbe1d1 --- /dev/null +++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch @@ -0,0 +1,33 @@ +From 9ce189b9f22890421b7f8d3f49a39186d3ce3e14 Mon Sep 17 00:00:00 2001 +From: Eduardo Barretto +Date: Tue, 9 May 2017 13:33:30 -0300 +Subject: Enable specific ioctl call for EP11 crypto card (s390) + +The EP11 crypto card needs to make an ioctl call, which receives an +specific argument. This crypto card is for s390 only. + +Signed-off-by: Eduardo Barretto + +Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 +Last-Update: 2017-08-28 + +Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch +--- + sandbox-seccomp-filter.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index d4bc20828..ef4de8c65 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -256,6 +256,8 @@ static const struct sock_filter preauth_insns[] = { + SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), + SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), + SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), ++ /* Allow ioctls for EP11 crypto card on s390 */ ++ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB), + #endif + #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT) + /* diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch new file mode 100644 index 0000000..269a87c --- /dev/null +++ b/debian/patches/selinux-role.patch @@ -0,0 +1,472 @@ +From cf3f6ac19812e4d32874304b3854b055831c2124 Mon Sep 17 00:00:00 2001 +From: Manoj Srivastava +Date: Sun, 9 Feb 2014 16:09:49 +0000 +Subject: Handle SELinux authorisation roles + +Rejected upstream due to discomfort with magic usernames; a better approach +will need an SSH protocol change. In the meantime, this came from Debian's +SELinux maintainer, so we'll keep it until we have something better. + +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 +Bug-Debian: http://bugs.debian.org/394795 +Last-Update: 2018-08-24 + +Patch-Name: selinux-role.patch +--- + auth.h | 1 + + auth2.c | 10 ++++++++-- + monitor.c | 37 +++++++++++++++++++++++++++++++++---- + monitor.h | 2 ++ + monitor_wrap.c | 27 ++++++++++++++++++++++++--- + monitor_wrap.h | 3 ++- + openbsd-compat/port-linux.c | 21 ++++++++++++++------- + openbsd-compat/port-linux.h | 4 ++-- + platform.c | 4 ++-- + platform.h | 2 +- + session.c | 10 +++++----- + session.h | 2 +- + sshd.c | 2 +- + sshpty.c | 4 ++-- + sshpty.h | 2 +- + 15 files changed, 99 insertions(+), 32 deletions(-) + +diff --git a/auth.h b/auth.h +index 977562f0a..90802a5eb 100644 +--- a/auth.h ++++ b/auth.h +@@ -65,6 +65,7 @@ struct Authctxt { + char *service; + struct passwd *pw; /* set if 'valid' */ + char *style; ++ char *role; + + /* Method lists for multiple authentication */ + char **auth_methods; /* modified from server config */ +diff --git a/auth2.c b/auth2.c +index a77742819..3035926ba 100644 +--- a/auth2.c ++++ b/auth2.c +@@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) + { + Authctxt *authctxt = ssh->authctxt; + Authmethod *m = NULL; +- char *user, *service, *method, *style = NULL; ++ char *user, *service, *method, *style = NULL, *role = NULL; + int authenticated = 0; + double tstart = monotime_double(); + +@@ -270,8 +270,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) + debug("userauth-request for user %s service %s method %s", user, service, method); + debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); + ++ if ((role = strchr(user, '/')) != NULL) ++ *role++ = 0; ++ + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; ++ else if (role && (style = strchr(role, ':')) != NULL) ++ *style++ = '\0'; + + if (authctxt->attempt++ == 0) { + /* setup auth context */ +@@ -298,8 +303,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) + use_privsep ? " [net]" : ""); + authctxt->service = xstrdup(service); + authctxt->style = style ? xstrdup(style) : NULL; ++ authctxt->role = role ? xstrdup(role) : NULL; + if (use_privsep) +- mm_inform_authserv(service, style); ++ mm_inform_authserv(service, style, role); + userauth_banner(); + if (auth2_setup_methods_lists(authctxt) != 0) + packet_disconnect("no authentication methods enabled"); +diff --git a/monitor.c b/monitor.c +index eabc1e89b..08fddabd7 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -117,6 +117,7 @@ int mm_answer_sign(int, struct sshbuf *); + int mm_answer_pwnamallow(int, struct sshbuf *); + int mm_answer_auth2_read_banner(int, struct sshbuf *); + int mm_answer_authserv(int, struct sshbuf *); ++int mm_answer_authrole(int, struct sshbuf *); + int mm_answer_authpassword(int, struct sshbuf *); + int mm_answer_bsdauthquery(int, struct sshbuf *); + int mm_answer_bsdauthrespond(int, struct sshbuf *); +@@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = { + {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, + {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, + {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, ++ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, + {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, + {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, + #ifdef USE_PAM +@@ -817,6 +819,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) + + /* Allow service/style information on the auth context */ + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); ++ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); + + #ifdef USE_PAM +@@ -850,16 +853,42 @@ mm_answer_authserv(int sock, struct sshbuf *m) + monitor_permit_authentications(1); + + if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || +- (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0) ++ (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 || ++ (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- debug3("%s: service=%s, style=%s", +- __func__, authctxt->service, authctxt->style); ++ debug3("%s: service=%s, style=%s, role=%s", ++ __func__, authctxt->service, authctxt->style, authctxt->role); + + if (strlen(authctxt->style) == 0) { + free(authctxt->style); + authctxt->style = NULL; + } + ++ if (strlen(authctxt->role) == 0) { ++ free(authctxt->role); ++ authctxt->role = NULL; ++ } ++ ++ return (0); ++} ++ ++int ++mm_answer_authrole(int sock, struct sshbuf *m) ++{ ++ int r; ++ ++ monitor_permit_authentications(1); ++ ++ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ debug3("%s: role=%s", ++ __func__, authctxt->role); ++ ++ if (strlen(authctxt->role) == 0) { ++ free(authctxt->role); ++ authctxt->role = NULL; ++ } ++ + return (0); + } + +@@ -1501,7 +1530,7 @@ mm_answer_pty(int sock, struct sshbuf *m) + res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); + if (res == 0) + goto error; +- pty_setowner(authctxt->pw, s->tty); ++ pty_setowner(authctxt->pw, s->tty, authctxt->role); + + if ((r = sshbuf_put_u32(m, 1)) != 0 || + (r = sshbuf_put_cstring(m, s->tty)) != 0) +diff --git a/monitor.h b/monitor.h +index 44fbed589..8f65e684d 100644 +--- a/monitor.h ++++ b/monitor.h +@@ -66,6 +66,8 @@ enum monitor_reqtype { + MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, + MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, + ++ MONITOR_REQ_AUTHROLE = 154, ++ + }; + + struct monitor { +diff --git a/monitor_wrap.c b/monitor_wrap.c +index 1865a122a..fd4d7eb3b 100644 +--- a/monitor_wrap.c ++++ b/monitor_wrap.c +@@ -369,10 +369,10 @@ mm_auth2_read_banner(void) + return (banner); + } + +-/* Inform the privileged process about service and style */ ++/* Inform the privileged process about service, style, and role */ + + void +-mm_inform_authserv(char *service, char *style) ++mm_inform_authserv(char *service, char *style, char *role) + { + struct sshbuf *m; + int r; +@@ -382,7 +382,8 @@ mm_inform_authserv(char *service, char *style) + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_cstring(m, service)) != 0 || +- (r = sshbuf_put_cstring(m, style ? style : "")) != 0) ++ (r = sshbuf_put_cstring(m, style ? style : "")) != 0 || ++ (r = sshbuf_put_cstring(m, role ? role : "")) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); +@@ -390,6 +391,26 @@ mm_inform_authserv(char *service, char *style) + sshbuf_free(m); + } + ++/* Inform the privileged process about role */ ++ ++void ++mm_inform_authrole(char *role) ++{ ++ struct sshbuf *m; ++ int r; ++ ++ debug3("%s entering", __func__); ++ ++ if ((m = sshbuf_new()) == NULL) ++ fatal("%s: sshbuf_new failed", __func__); ++ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) ++ fatal("%s: buffer error: %s", __func__, ssh_err(r)); ++ ++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); ++ ++ sshbuf_free(m); ++} ++ + /* Do the password authentication */ + int + mm_auth_password(struct ssh *ssh, char *password) +diff --git a/monitor_wrap.h b/monitor_wrap.h +index 7f93144ff..79e78cc90 100644 +--- a/monitor_wrap.h ++++ b/monitor_wrap.h +@@ -43,7 +43,8 @@ int mm_is_monitor(void); + DH *mm_choose_dh(int, int, int); + int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t, + const char *, u_int compat); +-void mm_inform_authserv(char *, char *); ++void mm_inform_authserv(char *, char *, char *); ++void mm_inform_authrole(char *); + struct passwd *mm_getpwnamallow(const char *); + char *mm_auth2_read_banner(void); + int mm_auth_password(struct ssh *, char *); +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index 622988822..3e6e07670 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -56,7 +56,7 @@ ssh_selinux_enabled(void) + + /* Return the default security context for the given username */ + static security_context_t +-ssh_selinux_getctxbyname(char *pwname) ++ssh_selinux_getctxbyname(char *pwname, const char *role) + { + security_context_t sc = NULL; + char *sename = NULL, *lvl = NULL; +@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname) + #endif + + #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL +- r = get_default_context_with_level(sename, lvl, NULL, &sc); ++ if (role != NULL && role[0]) ++ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, ++ &sc); ++ else ++ r = get_default_context_with_level(sename, lvl, NULL, &sc); + #else +- r = get_default_context(sename, NULL, &sc); ++ if (role != NULL && role[0]) ++ r = get_default_context_with_role(sename, role, NULL, &sc); ++ else ++ r = get_default_context(sename, NULL, &sc); + #endif + + if (r != 0) { +@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname) + + /* Set the execution context to the default for the specified user */ + void +-ssh_selinux_setup_exec_context(char *pwname) ++ssh_selinux_setup_exec_context(char *pwname, const char *role) + { + security_context_t user_ctx = NULL; + +@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname) + + debug3("%s: setting execution context", __func__); + +- user_ctx = ssh_selinux_getctxbyname(pwname); ++ user_ctx = ssh_selinux_getctxbyname(pwname, role); + if (setexeccon(user_ctx) != 0) { + switch (security_getenforce()) { + case -1: +@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname) + + /* Set the TTY context for the specified user */ + void +-ssh_selinux_setup_pty(char *pwname, const char *tty) ++ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) + { + security_context_t new_tty_ctx = NULL; + security_context_t user_ctx = NULL; +@@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) + + debug3("%s: setting TTY context on %s", __func__, tty); + +- user_ctx = ssh_selinux_getctxbyname(pwname); ++ user_ctx = ssh_selinux_getctxbyname(pwname, role); + + /* XXX: should these calls fatal() upon failure in enforcing mode? */ + +diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h +index 3c22a854d..c88129428 100644 +--- a/openbsd-compat/port-linux.h ++++ b/openbsd-compat/port-linux.h +@@ -19,8 +19,8 @@ + + #ifdef WITH_SELINUX + int ssh_selinux_enabled(void); +-void ssh_selinux_setup_pty(char *, const char *); +-void ssh_selinux_setup_exec_context(char *); ++void ssh_selinux_setup_pty(char *, const char *, const char *); ++void ssh_selinux_setup_exec_context(char *, const char *); + void ssh_selinux_change_context(const char *); + void ssh_selinux_setfscreatecon(const char *); + #endif +diff --git a/platform.c b/platform.c +index 41acc9370..35654ea51 100644 +--- a/platform.c ++++ b/platform.c +@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw) + * called if sshd is running as root. + */ + void +-platform_setusercontext_post_groups(struct passwd *pw) ++platform_setusercontext_post_groups(struct passwd *pw, const char *role) + { + #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) + /* +@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) + } + #endif /* HAVE_SETPCRED */ + #ifdef WITH_SELINUX +- ssh_selinux_setup_exec_context(pw->pw_name); ++ ssh_selinux_setup_exec_context(pw->pw_name, role); + #endif + } + +diff --git a/platform.h b/platform.h +index ea4f9c584..60d72ffe7 100644 +--- a/platform.h ++++ b/platform.h +@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid); + void platform_post_fork_child(void); + int platform_privileged_uidswap(void); + void platform_setusercontext(struct passwd *); +-void platform_setusercontext_post_groups(struct passwd *); ++void platform_setusercontext_post_groups(struct passwd *, const char *); + char *platform_get_krb5_client(const char *); + char *platform_krb5_get_principal_name(const char *); + int platform_sys_dir_uid(uid_t); +diff --git a/session.c b/session.c +index 2d0958d11..19f38637e 100644 +--- a/session.c ++++ b/session.c +@@ -1380,7 +1380,7 @@ safely_chroot(const char *path, uid_t uid) + + /* Set login name, uid, gid, and groups. */ + void +-do_setusercontext(struct passwd *pw) ++do_setusercontext(struct passwd *pw, const char *role) + { + char uidstr[32], *chroot_path, *tmp; + +@@ -1408,7 +1408,7 @@ do_setusercontext(struct passwd *pw) + endgrent(); + #endif + +- platform_setusercontext_post_groups(pw); ++ platform_setusercontext_post_groups(pw, role); + + if (!in_chroot && options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) { +@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) + + /* Force a password change */ + if (s->authctxt->force_pwchange) { +- do_setusercontext(pw); ++ do_setusercontext(pw, s->authctxt->role); + child_close_fds(ssh); + do_pwchange(s); + exit(1); +@@ -1565,7 +1565,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) + /* When PAM is enabled we rely on it to do the nologin check */ + if (!options.use_pam) + do_nologin(pw); +- do_setusercontext(pw); ++ do_setusercontext(pw, s->authctxt->role); + /* + * PAM session modules in do_setusercontext may have + * generated messages, so if this in an interactive +@@ -1955,7 +1955,7 @@ session_pty_req(struct ssh *ssh, Session *s) + ssh_tty_parse_modes(ssh, s->ttyfd); + + if (!use_privsep) +- pty_setowner(s->pw, s->tty); ++ pty_setowner(s->pw, s->tty, s->authctxt->role); + + /* Set window size from the packet. */ + pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); +diff --git a/session.h b/session.h +index ce59dabd9..675c91146 100644 +--- a/session.h ++++ b/session.h +@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *); + Session *session_new(void); + Session *session_by_tty(char *); + void session_close(struct ssh *, Session *); +-void do_setusercontext(struct passwd *); ++void do_setusercontext(struct passwd *, const char *); + + const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); + +diff --git a/sshd.c b/sshd.c +index 673db87f6..2bc6679e5 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -683,7 +683,7 @@ privsep_postauth(Authctxt *authctxt) + reseed_prngs(); + + /* Drop privileges */ +- do_setusercontext(authctxt->pw); ++ do_setusercontext(authctxt->pw, authctxt->role); + + skip: + /* It is safe now to apply the key state */ +diff --git a/sshpty.c b/sshpty.c +index 4da84d05f..676ade50e 100644 +--- a/sshpty.c ++++ b/sshpty.c +@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, + } + + void +-pty_setowner(struct passwd *pw, const char *tty) ++pty_setowner(struct passwd *pw, const char *tty, const char *role) + { + struct group *grp; + gid_t gid; +@@ -184,7 +184,7 @@ pty_setowner(struct passwd *pw, const char *tty) + strerror(errno)); + + #ifdef WITH_SELINUX +- ssh_selinux_setup_pty(pw->pw_name, tty); ++ ssh_selinux_setup_pty(pw->pw_name, tty, role); + #endif + + if (st.st_uid != pw->pw_uid || st.st_gid != gid) { +diff --git a/sshpty.h b/sshpty.h +index 9ec7e9a15..de7e000ae 100644 +--- a/sshpty.h ++++ b/sshpty.h +@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t); + void pty_release(const char *); + void pty_make_controlling_tty(int *, const char *); + void pty_change_window_size(int, u_int, u_int, u_int, u_int); +-void pty_setowner(struct passwd *, const char *); ++void pty_setowner(struct passwd *, const char *, const char *); + void disconnect_controlling_tty(void); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..aed9546 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,36 @@ +gssapi.patch +restore-tcp-wrappers.patch +selinux-role.patch +ssh-vulnkey-compat.patch +keepalive-extensions.patch +syslog-level-silent.patch +user-group-modes.patch +scp-quoting.patch +shell-path.patch +dnssec-sshfp.patch +mention-ssh-keygen-on-keychange.patch +package-versioning.patch +debian-banner.patch +authorized-keys-man-symlink.patch +openbsd-docs.patch +ssh-argv0.patch +doc-hash-tab-completion.patch +ssh-agent-setgid.patch +no-openssl-version-status.patch +gnome-ssh-askpass2-icon.patch +systemd-readiness.patch +debian-config.patch +restore-authorized_keys2.patch +seccomp-s390-flock-ipc.patch +seccomp-s390-ioctl-ep11-crypto.patch +conch-old-privkey-format.patch +scp-disallow-dot-or-empty-filename.patch +sanitize-scp-filenames-via-snmprintf.patch +have-progressmeter-force-update-at-beginning-and-end-transfer.patch +check-filenames-in-scp-client.patch +fix-key-type-check.patch +request-rsa-sha2-cert-signatures.patch +scp-handle-braces.patch +revert-ipqos-defaults.patch +seccomp-handle-shm.patch +sandbox-seccomp-ipc.patch diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch new file mode 100644 index 0000000..ad574e8 --- /dev/null +++ b/debian/patches/shell-path.patch @@ -0,0 +1,39 @@ +From cabad6b7182cd6eaa8b760718200a316e7f578ed Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 9 Feb 2014 16:10:00 +0000 +Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand + +There's some debate on the upstream bug about whether POSIX requires this. +I (Colin Watson) agree with Vincent and think it does. + +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494 +Bug-Debian: http://bugs.debian.org/492728 +Last-Update: 2013-09-14 + +Patch-Name: shell-path.patch +--- + sshconnect.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sshconnect.c b/sshconnect.c +index 6d819279e..700ea6c3c 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -229,7 +229,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, u_short port, + /* Execute the proxy command. Note that we gave up any + extra privileges above. */ + signal(SIGPIPE, SIG_DFL); +- execv(argv[0], argv); ++ execvp(argv[0], argv); + perror(argv[0]); + exit(1); + } +@@ -1534,7 +1534,7 @@ ssh_local_cmd(const char *args) + if (pid == 0) { + signal(SIGPIPE, SIG_DFL); + debug3("Executing %s -c \"%s\"", shell, args); +- execl(shell, shell, "-c", args, (char *)NULL); ++ execlp(shell, shell, "-c", args, (char *)NULL); + error("Couldn't execute %s -c \"%s\": %s", + shell, args, strerror(errno)); + _exit(1); diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch new file mode 100644 index 0000000..ed6ef3d --- /dev/null +++ b/debian/patches/ssh-agent-setgid.patch @@ -0,0 +1,40 @@ +From 6d4521d39a852dc5627187c045c933f4e1cb4601 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 9 Feb 2014 16:10:13 +0000 +Subject: Document consequences of ssh-agent being setgid in ssh-agent(1) + +Bug-Debian: http://bugs.debian.org/711623 +Forwarded: no +Last-Update: 2013-06-08 + +Patch-Name: ssh-agent-setgid.patch +--- + ssh-agent.1 | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/ssh-agent.1 b/ssh-agent.1 +index 83b2b41c8..7230704a3 100644 +--- a/ssh-agent.1 ++++ b/ssh-agent.1 +@@ -206,6 +206,21 @@ environment variable holds the agent's process ID. + .Pp + The agent exits automatically when the command given on the command + line terminates. ++.Pp ++In Debian, ++.Nm ++is installed with the set-group-id bit set, to prevent ++.Xr ptrace 2 ++attacks retrieving private key material. ++This has the side-effect of causing the run-time linker to remove certain ++environment variables which might have security implications for set-id ++programs, including ++.Ev LD_PRELOAD , ++.Ev LD_LIBRARY_PATH , ++and ++.Ev TMPDIR . ++If you need to set any of these environment variables, you will need to do ++so in the program executed by ssh-agent. + .Sh FILES + .Bl -tag -width Ds + .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent. diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch new file mode 100644 index 0000000..bb1e109 --- /dev/null +++ b/debian/patches/ssh-argv0.patch @@ -0,0 +1,31 @@ +From d1064c2689df8d0894a68ac9671d14ab125bc91b Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 9 Feb 2014 16:10:10 +0000 +Subject: ssh(1): Refer to ssh-argv0(1) + +Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks +to ssh with the name of the host you want to connect to. Debian ships an +ssh-argv0 script restoring this feature; this patch refers to its manual +page from ssh(1). + +Bug-Debian: http://bugs.debian.org/111341 +Forwarded: not-needed +Last-Update: 2013-09-14 + +Patch-Name: ssh-argv0.patch +--- + ssh.1 | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ssh.1 b/ssh.1 +index 5dfad6daa..ad1ed0f86 100644 +--- a/ssh.1 ++++ b/ssh.1 +@@ -1585,6 +1585,7 @@ if an error occurred. + .Xr sftp 1 , + .Xr ssh-add 1 , + .Xr ssh-agent 1 , ++.Xr ssh-argv0 1 , + .Xr ssh-keygen 1 , + .Xr ssh-keyscan 1 , + .Xr tun 4 , diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch new file mode 100644 index 0000000..ca3e090 --- /dev/null +++ b/debian/patches/ssh-vulnkey-compat.patch @@ -0,0 +1,42 @@ +From eccbd3637a2b8544fdcfdd5d1a00a9dfdac62aeb Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 9 Feb 2014 16:09:50 +0000 +Subject: Accept obsolete ssh-vulnkey configuration options + +These options were used as part of Debian's response to CVE-2008-0166. +Nearly six years later, we no longer need to continue carrying the bulk +of that patch, but we do need to avoid failing when the associated +configuration options are still present. + +Last-Update: 2014-02-09 + +Patch-Name: ssh-vulnkey-compat.patch +--- + readconf.c | 1 + + servconf.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/readconf.c b/readconf.c +index 36bc5e59a..5e655e924 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -190,6 +190,7 @@ static struct { + { "fallbacktorsh", oDeprecated }, + { "globalknownhostsfile2", oDeprecated }, + { "rhostsauthentication", oDeprecated }, ++ { "useblacklistedkeys", oDeprecated }, + { "userknownhostsfile2", oDeprecated }, + { "useroaming", oDeprecated }, + { "usersh", oDeprecated }, +diff --git a/servconf.c b/servconf.c +index 4668b8a45..6caf1db38 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -600,6 +600,7 @@ static struct { + { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL }, + { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL }, + { "strictmodes", sStrictModes, SSHCFG_GLOBAL }, ++ { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL }, + { "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL }, + { "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL }, + { "uselogin", sDeprecated, SSHCFG_GLOBAL }, diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch new file mode 100644 index 0000000..3093a41 --- /dev/null +++ b/debian/patches/syslog-level-silent.patch @@ -0,0 +1,47 @@ +From e755ec70d62bfb9b02159123f4e870b00010be77 Mon Sep 17 00:00:00 2001 +From: Jonathan David Amery +Date: Sun, 9 Feb 2014 16:09:54 +0000 +Subject: "LogLevel SILENT" compatibility + +"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to +match the behaviour of non-free SSH, in which -q does not suppress fatal +errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody +complained, so we've dropped most of it. The parts that remain are basic +configuration file compatibility, and an adjustment to "Pseudo-terminal will +not be allocated ..." which should be split out into a separate patch. + +Author: Matthew Vernon +Author: Colin Watson +Last-Update: 2013-09-14 + +Patch-Name: syslog-level-silent.patch +--- + log.c | 1 + + ssh.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/log.c b/log.c +index d9c2d136c..1749af6d1 100644 +--- a/log.c ++++ b/log.c +@@ -93,6 +93,7 @@ static struct { + LogLevel val; + } log_levels[] = + { ++ { "SILENT", SYSLOG_LEVEL_QUIET }, /* compatibility */ + { "QUIET", SYSLOG_LEVEL_QUIET }, + { "FATAL", SYSLOG_LEVEL_FATAL }, + { "ERROR", SYSLOG_LEVEL_ERROR }, +diff --git a/ssh.c b/ssh.c +index 0777c31e4..3140fed4c 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1258,7 +1258,7 @@ main(int ac, char **av) + /* Do not allocate a tty if stdin is not a tty. */ + if ((!isatty(fileno(stdin)) || stdin_null_flag) && + options.request_tty != REQUEST_TTY_FORCE) { +- if (tty_flag) ++ if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) + logit("Pseudo-terminal will not be allocated because " + "stdin is not a terminal."); + tty_flag = 0; diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch new file mode 100644 index 0000000..c5dee41 --- /dev/null +++ b/debian/patches/systemd-readiness.patch @@ -0,0 +1,84 @@ +From da34947128351bee9d2530574432190548f5be58 Mon Sep 17 00:00:00 2001 +From: Michael Biebl +Date: Mon, 21 Dec 2015 16:08:47 +0000 +Subject: Add systemd readiness notification support + +Bug-Debian: https://bugs.debian.org/778913 +Forwarded: no +Last-Update: 2017-08-22 + +Patch-Name: systemd-readiness.patch +--- + configure.ac | 24 ++++++++++++++++++++++++ + sshd.c | 9 +++++++++ + 2 files changed, 33 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 917300b43..8a5db4cb5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4586,6 +4586,29 @@ AC_ARG_WITH([kerberos5], + AC_SUBST([GSSLIBS]) + AC_SUBST([K5LIBS]) + ++# Check whether user wants systemd support ++SYSTEMD_MSG="no" ++AC_ARG_WITH(systemd, ++ [ --with-systemd Enable systemd support], ++ [ if test "x$withval" != "xno" ; then ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) ++ if test "$PKGCONFIG" != "no"; then ++ AC_MSG_CHECKING([for libsystemd]) ++ if $PKGCONFIG --exists libsystemd; then ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) ++ SYSTEMD_MSG="yes" ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ fi ++ fi ] ++) ++ + # Looking for programs, paths and files + + PRIVSEP_PATH=/var/empty +@@ -5392,6 +5415,7 @@ echo " libldns support: $LDNS_MSG" + echo " Solaris process contract support: $SPC_MSG" + echo " Solaris project support: $SP_MSG" + echo " Solaris privilege support: $SPP_MSG" ++echo " systemd support: $SYSTEMD_MSG" + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" + echo " BSD Auth support: $BSD_AUTH_MSG" +diff --git a/sshd.c b/sshd.c +index d7e77d343..a1c3970b3 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -85,6 +85,10 @@ + #include + #endif + ++#ifdef HAVE_SYSTEMD ++#include ++#endif ++ + #include "xmalloc.h" + #include "ssh.h" + #include "ssh2.h" +@@ -1990,6 +1994,11 @@ main(int ac, char **av) + } + } + ++#ifdef HAVE_SYSTEMD ++ /* Signal systemd that we are ready to accept connections */ ++ sd_notify(0, "READY=1"); ++#endif ++ + /* Accept a connection and return in a forked child */ + server_accept_loop(&sock_in, &sock_out, + &newsock, config_s); diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch new file mode 100644 index 0000000..bc2390e --- /dev/null +++ b/debian/patches/user-group-modes.patch @@ -0,0 +1,210 @@ +From 7b931d36ad36a93d2b1811858ca29408ec44ecae Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Sun, 9 Feb 2014 16:09:58 +0000 +Subject: Allow harmless group-writability + +Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be +group-writable, provided that the group in question contains only the file's +owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding +about the contents of gr->gr_mem). Given that per-user groups and umask 002 +are the default setup in Debian (for good reasons - this makes operating in +setgid directories with other groups much easier), we need to permit this by +default. + +Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347 +Last-Update: 2017-10-04 + +Patch-Name: user-group-modes.patch +--- + auth-rhosts.c | 6 ++---- + auth.c | 3 +-- + misc.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++----- + misc.h | 2 ++ + readconf.c | 3 +-- + ssh.1 | 2 ++ + ssh_config.5 | 2 ++ + 7 files changed, 63 insertions(+), 13 deletions(-) + +diff --git a/auth-rhosts.c b/auth-rhosts.c +index 57296e1f6..546aa0495 100644 +--- a/auth-rhosts.c ++++ b/auth-rhosts.c +@@ -261,8 +261,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, + return 0; + } + if (options.strict_modes && +- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || +- (st.st_mode & 022) != 0)) { ++ !secure_permissions(&st, pw->pw_uid)) { + logit("Rhosts authentication refused for %.100s: " + "bad ownership or modes for home directory.", pw->pw_name); + auth_debug_add("Rhosts authentication refused for %.100s: " +@@ -288,8 +287,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname, + * allowing access to their account by anyone. + */ + if (options.strict_modes && +- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || +- (st.st_mode & 022) != 0)) { ++ !secure_permissions(&st, pw->pw_uid)) { + logit("Rhosts authentication refused for %.100s: bad modes for %.200s", + pw->pw_name, buf); + auth_debug_add("Bad file modes for %.200s", buf); +diff --git a/auth.c b/auth.c +index d8e6b4a3d..9d1d453f1 100644 +--- a/auth.c ++++ b/auth.c +@@ -473,8 +473,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host, + user_hostfile = tilde_expand_filename(userfile, pw->pw_uid); + if (options.strict_modes && + (stat(user_hostfile, &st) == 0) && +- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || +- (st.st_mode & 022) != 0)) { ++ !secure_permissions(&st, pw->pw_uid)) { + logit("Authentication refused for %.100s: " + "bad owner or modes for %.200s", + pw->pw_name, user_hostfile); +diff --git a/misc.c b/misc.c +index bdc06fdb3..5159e6692 100644 +--- a/misc.c ++++ b/misc.c +@@ -58,8 +58,9 @@ + #include + #ifdef HAVE_PATHS_H + # include +-#include + #endif ++#include ++#include + #ifdef SSH_TUN_OPENBSD + #include + #endif +@@ -1028,6 +1029,55 @@ percent_expand(const char *string, ...) + #undef EXPAND_MAX_KEYS + } + ++int ++secure_permissions(struct stat *st, uid_t uid) ++{ ++ if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid) ++ return 0; ++ if ((st->st_mode & 002) != 0) ++ return 0; ++ if ((st->st_mode & 020) != 0) { ++ /* If the file is group-writable, the group in question must ++ * have exactly one member, namely the file's owner. ++ * (Zero-member groups are typically used by setgid ++ * binaries, and are unlikely to be suitable.) ++ */ ++ struct passwd *pw; ++ struct group *gr; ++ int members = 0; ++ ++ gr = getgrgid(st->st_gid); ++ if (!gr) ++ return 0; ++ ++ /* Check primary group memberships. */ ++ while ((pw = getpwent()) != NULL) { ++ if (pw->pw_gid == gr->gr_gid) { ++ ++members; ++ if (pw->pw_uid != uid) ++ return 0; ++ } ++ } ++ endpwent(); ++ ++ pw = getpwuid(st->st_uid); ++ if (!pw) ++ return 0; ++ ++ /* Check supplementary group memberships. */ ++ if (gr->gr_mem[0]) { ++ ++members; ++ if (strcmp(pw->pw_name, gr->gr_mem[0]) || ++ gr->gr_mem[1]) ++ return 0; ++ } ++ ++ if (!members) ++ return 0; ++ } ++ return 1; ++} ++ + int + tun_open(int tun, int mode, char **ifname) + { +@@ -1786,8 +1836,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, + snprintf(err, errlen, "%s is not a regular file", buf); + return -1; + } +- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || +- (stp->st_mode & 022) != 0) { ++ if (!secure_permissions(stp, uid)) { + snprintf(err, errlen, "bad ownership or modes for file %s", + buf); + return -1; +@@ -1802,8 +1851,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, + strlcpy(buf, cp, sizeof(buf)); + + if (stat(buf, &st) < 0 || +- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || +- (st.st_mode & 022) != 0) { ++ !secure_permissions(&st, uid)) { + snprintf(err, errlen, + "bad ownership or modes for directory %s", buf); + return -1; +diff --git a/misc.h b/misc.h +index 31b207a8d..aaf966e65 100644 +--- a/misc.h ++++ b/misc.h +@@ -168,6 +168,8 @@ int safe_path_fd(int, const char *, struct passwd *, + char *read_passphrase(const char *, int); + int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); + ++int secure_permissions(struct stat *st, uid_t uid); ++ + #define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) + #define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) + #define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y)) +diff --git a/readconf.c b/readconf.c +index 052d4b1ac..6b01f20d2 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1820,8 +1820,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, + + if (fstat(fileno(f), &sb) == -1) + fatal("fstat %s: %s", filename, strerror(errno)); +- if (((sb.st_uid != 0 && sb.st_uid != getuid()) || +- (sb.st_mode & 022) != 0)) ++ if (!secure_permissions(&sb, getuid())) + fatal("Bad owner or permissions on %s", filename); + } + +diff --git a/ssh.1 b/ssh.1 +index 7760c3075..81f29af43 100644 +--- a/ssh.1 ++++ b/ssh.1 +@@ -1485,6 +1485,8 @@ The file format and configuration options are described in + .Xr ssh_config 5 . + Because of the potential for abuse, this file must have strict permissions: + read/write for the user, and not writable by others. ++It may be group-writable provided that the group in question contains only ++the user. + .Pp + .It Pa ~/.ssh/environment + Contains additional definitions for environment variables; see +diff --git a/ssh_config.5 b/ssh_config.5 +index 54e143c93..7d55fa820 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -1835,6 +1835,8 @@ The format of this file is described above. + This file is used by the SSH client. + Because of the potential for abuse, this file must have strict permissions: + read/write for the user, and not accessible by others. ++It may be group-writable provided that the group in question contains only ++the user. + .It Pa /etc/ssh/ssh_config + Systemwide configuration file. + This file provides defaults for those -- cgit v1.2.3