Adding debian version 1:9.7p1-5.debian/1%9.7p1-5

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

12 files changed, 301 insertions, 5 deletions

diff --git a/debian/.git-dpm b/debian/.git-dpm
index c9f38ee..4b1e161 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
-1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
+d4ae5b68870bf65747084f4ed3060bb13c586c9e
+d4ae5b68870bf65747084f4ed3060bb13c586c9e
 cf05e8418c088a6e5712344cecaf6ee2d5eb550f
 cf05e8418c088a6e5712344cecaf6ee2d5eb550f
 openssh_9.7p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 4aefd40..8c231b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+openssh (1:9.7p1-5) unstable; urgency=medium
+
+  [ Colin Watson ]
+  * Add "After=nss-user-lookup.target" to ssh.service and sshd@.service
+    (closes: #1069706).
+  * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is
+    set.
+
+  [ Andreas Hasenack ]
+  * Add autopkgtests for GSSAPI logins, including gssapi-keyex.
+
+  [ Luca Boccassi ]
+  * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/
+    (closes: #1070725).
+  * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De
+    Meyer).
+
+ -- Colin Watson <cjwatson@debian.org>  Thu, 16 May 2024 11:16:30 +0100
+
 openssh (1:9.7p1-4) unstable; urgency=medium
 
   * Rework systemd readiness notification and socket activation patches to
diff --git a/debian/openssh-client.tmpfiles b/debian/openssh-client.tmpfiles
new file mode 100644
index 0000000..aca99b4
--- /dev/null
+++ b/debian/openssh-client.tmpfiles
@@ -0,0 +1 @@
+x /tmp/ssh-*
diff --git a/debian/openssh-server.tmpfiles b/debian/openssh-server.tmpfiles
new file mode 100644
index 0000000..896aeb1
--- /dev/null
+++ b/debian/openssh-server.tmpfiles
@@ -0,0 +1 @@
+x /tmp/sshauth.*
diff --git a/debian/patches/pam-avoid-unknown-host.patch b/debian/patches/pam-avoid-unknown-host.patch
new file mode 100644
index 0000000..2887ee4
--- /dev/null
+++ b/debian/patches/pam-avoid-unknown-host.patch
@@ -0,0 +1,34 @@
+From d4ae5b68870bf65747084f4ed3060bb13c586c9e Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Mon, 20 Mar 2023 20:22:14 +0100
+Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN"
+
+When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
+socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
+set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
+query of "UNKNOWN", which times out multiple times, causing a
+substantial slowdown when logging in.
+
+To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
+
+Author: Daan De Meyer <daan.j.demeyer@gmail.com>
+Last-Update: 2024-04-03
+
+Patch-Name: pam-avoid-unknown-host.patch
+---
+ auth-pam.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index b49d415e7..81de88bba 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
+ 		sshpam_laddr = get_local_ipaddr(
+ 		    ssh_packet_get_connection_in(ssh));
+ 	}
+-	if (sshpam_rhost != NULL) {
++	if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
+ 		debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
+ 		sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
+ 		    sshpam_rhost);
diff --git a/debian/patches/series b/debian/patches/series
index 0f25d97..6af9ea1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ skip-utimensat-test-on-zfs.patch
 zero-call-used-regs-m68k.patch
 regress-conch-dev-zero.patch
 configure-cache-vars.patch
+pam-avoid-unknown-host.patch
diff --git a/debian/rules b/debian/rules
index ad0b683..8aefb1a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -33,7 +33,7 @@ else
 endif
 
 # Change the version string to reflect distribution
-SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//')
+SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//; s/+salsaci+.*/+salsaci/')
 
 UBUNTU := $(shell $(call dpkg_vendor_derives_from,Ubuntu))
 ifeq ($(UBUNTU),yes)
diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service
index 7495d9a..0eb0d67 100644
--- a/debian/systemd/ssh.service
+++ b/debian/systemd/ssh.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=OpenBSD Secure Shell server
 Documentation=man:sshd(8) man:sshd_config(5)
-After=network.target auditd.service
+After=network.target nss-user-lookup.target auditd.service
 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
 
 [Service]
diff --git a/debian/systemd/sshd@.service b/debian/systemd/sshd@.service
index 29864a8..38ff431 100644
--- a/debian/systemd/sshd@.service
+++ b/debian/systemd/sshd@.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=OpenBSD Secure Shell server per-connection daemon
 Documentation=man:sshd(8) man:sshd_config(5)
-After=auditd.service
+After=nss-user-lookup.target auditd.service
 
 [Service]
 EnvironmentFile=-/etc/default/ssh
diff --git a/debian/tests/control b/debian/tests/control
index 3c7b14d..efd6c45 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -9,3 +9,9 @@ Depends: devscripts,
          python3-twisted,
          sudo,
          sysvinit-utils,
+
+Tests: ssh-gssapi
+Restrictions: needs-root allow-stderr isolation-container
+Depends: openssh-server,
+         krb5-kdc,
+         krb5-admin-server
diff --git a/debian/tests/ssh-gssapi b/debian/tests/ssh-gssapi
new file mode 100755
index 0000000..a9c18d9
--- /dev/null
+++ b/debian/tests/ssh-gssapi
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+realm="EXAMPLE.FAKE"
+myhostname="sshd-gssapi.${realm,,}"
+testuser="testuser$$"
+adduser --quiet --disabled-password --gecos "" "${testuser}"
+password="secret"
+user_principal="${testuser}@${realm}"
+service_principal="host/${myhostname}"
+
+source debian/tests/util
+
+cleanup() {
+    if [ $? -ne 0 ]; then
+        echo "## Something failed"
+        echo
+        echo "## klist"
+        klist
+        echo
+        echo "## ssh server log"
+        journalctl -b -u ssh.service --lines 100
+        echo
+        echo "## Kerberos KDC logs"
+        journalctl -b -u krb5-kdc.service --lines 100
+        echo
+        echo "## Kerberos Admin server logs"
+        journalctl -b -u krb5-admin-server.service --lines 100
+        echo
+        echo "## Skipping cleanup to facilitate troubleshooting"
+    else
+        echo "## ALL TESTS PASSED"
+        echo "## Cleaning up"
+        rm -f /etc/krb5.keytab
+        rm -f /etc/ssh/sshd_config.d/gssapi.conf
+        rm -f /etc/ssh/ssh_config.d/gssapi.conf
+        rm -f /etc/ssh/ssh_config.d/dep8.conf
+    fi
+}
+
+trap cleanup EXIT
+
+setup() {
+    echo "## Setting up test environment"
+    adjust_hostname "${myhostname}"
+    echo "## Creating Kerberos realm ${realm}"
+    create_realm "${realm}" "${myhostname}"
+    echo "## Creating principals"
+    kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}"
+    kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}"
+    echo "## Extracting service principal ${service_principal}"
+    kadmin.local -q "ktadd -k /etc/krb5.keytab ${service_principal}"
+    cat > /etc/ssh/ssh_config.d/dep8.conf <<EOF
+Host *
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+EOF
+    echo "## Adjusting /etc/krb5.conf"
+    cat > /etc/krb5.conf <<EOF
+[libdefaults]
+    default_realm = ${realm}
+    rdns = false
+    forwardable = true
+    dns_lookup_kdc = falase
+    dns_uri_lookup = false
+    dns_lookup_realm = false
+
+[realms]
+    ${realm} = {
+        kdc = ${myhostname}
+        admin_server = ${myhostname}
+    }
+EOF
+}
+
+configure_sshd() {
+    local auth_method="${1}"
+
+    if [ "${auth_method}" = "gssapi-with-mic" ]; then
+        # server
+        echo "## Configuring sshd for ${auth_method} authentication"
+        cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange no
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+    # client
+    cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+    GSSAPIAuthentication yes
+    GSSAPIKeyExchange no
+    PubkeyAuthentication no
+EOF
+    elif [ "${auth_method}" = "gssapi-keyex" ]; then
+        # server
+        echo "## Configuring sshd for ${auth_method} authentication"
+        cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+    # client
+    cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+    GSSAPIAuthentication yes
+    GSSAPIKeyExchange yes
+    PubkeyAuthentication no
+EOF
+    else
+        echo "## ERROR: unknown auth_method \"${auth_method}\""
+        return 1
+    fi
+    echo "## Restarting ssh"
+    systemctl restart ssh.service
+}
+
+_test_ssh_login() {
+    local auth_method="${1}"
+
+    kdestroy 2>/dev/null || :
+    configure_sshd "${auth_method}" || return $?
+    echo "## Obtaining TGT"
+    echo "${password}" | timeout --verbose 30 kinit "${user_principal}" || return $?
+    klist
+    echo
+    echo "## ssh'ing into localhost using ${auth_method} auth"
+    timeout --verbose 30 ssh "${testuser}@${myhostname}" date || return $?
+    echo
+    echo "## checking that we got a service ticket for ssh (host/)"
+    klist | grep -F "${service_principal}" || return $?
+    echo
+    echo "## Checking ssh logs to confirm ${auth_method} auth was used"
+    journalctl -u ssh.service -b --grep "Accepted ${auth_method}"
+}
+
+test_gssapi_login() {
+    local auth_method="gssapi-with-mic"
+
+    _test_ssh_login "${auth_method}"
+}
+
+test_gssapi_keyex_login() {
+    local auth_method="gssapi-keyex"
+
+    _test_ssh_login "${auth_method}"
+}
+
+setup
+echo "## TESTS"
+echo
+run_test test_gssapi_login
+run_test test_gssapi_keyex_login
diff --git a/debian/tests/util b/debian/tests/util
new file mode 100644
index 0000000..e6035c4
--- /dev/null
+++ b/debian/tests/util
@@ -0,0 +1,76 @@
+# Copyright 2018 Canonical Ltd.
+# This code is licensed under the same terms as MIT Kerberos.
+
+set -e
+
+adjust_hostname() {
+    local myhostname="$1"
+
+    echo "${myhostname}" > /etc/hostname
+    hostname "${myhostname}"
+    if ! grep -qE "${myhostname}" /etc/hosts; then
+        # just so it's resolvable
+        echo "127.0.1.10 ${myhostname}" >> /etc/hosts
+    fi
+}
+
+create_realm() {
+    local realm_name="$1"
+    local kerberos_server="$2"
+
+    # start fresh
+    rm -rf /var/lib/krb5kdc/*
+    rm -rf /etc/krb5kdc/*
+    rm -f /etc/krb5.keytab
+
+    # setup some defaults
+    cat > /etc/krb5kdc/kdc.conf <<EOF
+[kdcdefaults]
+    kdc_ports = 750,88
+[realms]
+    ${realm_name} = {
+	    database_name = /var/lib/krb5kdc/principal
+	    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+	    acl_file = /etc/krb5kdc/kadm5.acl
+	    key_stash_file = /etc/krb5kdc/stash
+	    kdc_ports = 750,88
+	    max_life = 10h 0m 0s
+	    max_renewable_life = 7d 0h 0m 0s
+	    default_principal_flags = +preauth
+    }
+EOF
+
+    cat > /etc/krb5.conf <<EOF
+[libdefaults]
+    default_realm = ${realm_name}
+    rdns = false
+
+[realms]
+	${realm_name} = {
+		kdc = ${kerberos_server}
+		admin_server = ${kerberos_server}
+	}
+EOF
+    echo "# */admin *" > /etc/krb5kdc/kadm5.acl
+
+    # create the realm
+    kdb5_util create -s -P secretpassword
+
+    # restart services
+    systemctl restart krb5-kdc.service krb5-admin-server.service
+}
+
+run_test() {
+    local testfunc="${1}"
+    local -i result=0
+    shift
+    echo "## TEST ${testfunc}"
+    "${testfunc}" "${@}" || result=$?
+    if [ ${result} -ne 0 ]; then
+        echo "## FAIL ${testfunc}"
+    else
+        echo "## PASS ${testfunc}"
+    fi
+    echo
+    return ${result}
+}