-rw-r--r-- | debian/.git-dpm | 4 | ||||
-rw-r--r-- | debian/changelog | 19 | ||||
-rw-r--r-- | debian/openssh-client.tmpfiles | 1 | ||||
-rw-r--r-- | debian/openssh-server.tmpfiles | 1 | ||||
-rw-r--r-- | debian/patches/pam-avoid-unknown-host.patch | 34 | ||||
-rw-r--r-- | debian/patches/series | 1 | ||||
-rwxr-xr-x | debian/rules | 2 | ||||
-rw-r--r-- | debian/systemd/ssh.service | 2 | ||||
-rw-r--r-- | debian/systemd/sshd@.service | 2 | ||||
-rw-r--r-- | debian/tests/control | 6 | ||||
-rwxr-xr-x | debian/tests/ssh-gssapi | 158 | ||||
-rw-r--r-- | debian/tests/util | 76 |
12 files changed, 301 insertions, 5 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index c9f38ee..4b1e161 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
-1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
+d4ae5b68870bf65747084f4ed3060bb13c586c9e
+d4ae5b68870bf65747084f4ed3060bb13c586c9e
 cf05e8418c088a6e5712344cecaf6ee2d5eb550f
 cf05e8418c088a6e5712344cecaf6ee2d5eb550f
 openssh_9.7p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 4aefd40..8c231b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+openssh (1:9.7p1-5) unstable; urgency=medium
+
+ [ Colin Watson ]
+ * Add "After=nss-user-lookup.target" to ssh.service and sshd@.service
+ (closes: #1069706).
+ * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is
+ set.
+
+ [ Andreas Hasenack ]
+ * Add autopkgtests for GSSAPI logins, including gssapi-keyex.
+
+ [ Luca Boccassi ]
+ * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/
+ (closes: #1070725).
+ * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De
+ Meyer).
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 16 May 2024 11:16:30 +0100
+
 openssh (1:9.7p1-4) unstable; urgency=medium
 * Rework systemd readiness notification and socket activation patches to
diff --git a/debian/openssh-client.tmpfiles b/debian/openssh-client.tmpfiles
new file mode 100644
index 0000000..aca99b4
--- /dev/null
+++ b/debian/openssh-client.tmpfiles
@@ -0,0 +1 @@
+x /tmp/ssh-*
diff --git a/debian/openssh-server.tmpfiles b/debian/openssh-server.tmpfiles
new file mode 100644
index 0000000..896aeb1
--- /dev/null
+++ b/debian/openssh-server.tmpfiles
@@ -0,0 +1 @@
+x /tmp/sshauth.*
diff --git a/debian/patches/pam-avoid-unknown-host.patch b/debian/patches/pam-avoid-unknown-host.patch
new file mode 100644
index 0000000..2887ee4
--- /dev/null
+++ b/debian/patches/pam-avoid-unknown-host.patch
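Review bot: The new openssh-client.tmpfiles entry `x /tmp/ssh-*` exempts every path under /tmp that starts with `ssh-` from age-based cleanup, not only the per-agent directories ssh-agent creates there, so any other entry with that prefix, whoever created it, is now kept indefinitely; the same holds for `x /tmp/sshauth.*` in openssh-server.tmpfiles. Neither one-line file says why the entry exists, so a header comment would help the next maintainer, e.g. `# Keep ssh-agent socket directories (/tmp/ssh-*/agent.*) out of /tmp age cleanup (#1070725)` for the client file and a matching note about ExposeAuthInfo for the server file.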
@@ -0,0 +1,34 @@
+From d4ae5b68870bf65747084f4ed3060bb13c586c9e Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Mon, 20 Mar 2023 20:22:14 +0100
+Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN"
+
+When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
+socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
+set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
+query of "UNKNOWN", which times out multiple times, causing a
+substantial slowdown when logging in.
+
+To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
+
+Author: Daan De Meyer <daan.j.demeyer@gmail.com>
+Last-Update: 2024-04-03
+
+Patch-Name: pam-avoid-unknown-host.patch
+---
+ auth-pam.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index b49d415e7..81de88bba 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
+ sshpam_laddr = get_local_ipaddr(
+ ssh_packet_get_connection_in(ssh));
+ }
+- if (sshpam_rhost != NULL) {
++ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
+ debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
+ sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
+ sshpam_rhost);
diff --git a/debian/patches/series b/debian/patches/series
index 0f25d97..6af9ea1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ skip-utimensat-test-on-zfs.patch
 zero-call-used-regs-m68k.patch
 regress-conch-dev-zero.patch
 configure-cache-vars.patch
+pam-avoid-unknown-host.patch
diff --git a/debian/rules b/debian/rules
index ad0b683..8aefb1a 100755
--- a/debian/rules
+++ b/debian/rules
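Review bot: The DEP-3 header of the new pam-avoid-unknown-host.patch carries `Author:`, `Last-Update:` and `Patch-Name:` but no `Forwarded:` field, so it is not recorded whether upstream OpenSSH has seen this change; add `Forwarded: <upstream URL, or "no"/"not-needed">` next to `Last-Update:`. The description explains the slowdown but not the observable consequence of the fix: for stdio (`-i`) sessions PAM modules that consult PAM_RHOST now see the item unset rather than the literal string "UNKNOWN", which is presumably the better behaviour but is worth one sentence there since host-based PAM policies will observe it. The `strcmp` in the changed condition is safe because the `!= NULL` check precedes it; the rest of sshpam_init is outside the hunk.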
@@ -33,7 +33,7 @@ else
 endif
 # Change the version string to reflect distribution
-SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//')
+SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//; s/+salsaci+.*/+salsaci/')
 UBUNTU := $(shell $(call dpkg_vendor_derives_from,Ubuntu))
 ifeq ($(UBUNTU),yes)
diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service
index 7495d9a..0eb0d67 100644
--- a/debian/systemd/ssh.service
+++ b/debian/systemd/ssh.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=OpenBSD Secure Shell server
 Documentation=man:sshd(8) man:sshd_config(5)
-After=network.target auditd.service
+After=network.target nss-user-lookup.target auditd.service
 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
 [Service]
diff --git a/debian/systemd/sshd@.service b/debian/systemd/sshd@.service
index 29864a8..38ff431 100644
--- a/debian/systemd/sshd@.service
+++ b/debian/systemd/sshd@.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=OpenBSD Secure Shell server per-connection daemon
 Documentation=man:sshd(8) man:sshd_config(5)
-After=auditd.service
+After=nss-user-lookup.target auditd.service
 [Service]
 EnvironmentFile=-/etc/default/ssh
diff --git a/debian/tests/control b/debian/tests/control
index 3c7b14d..efd6c45 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -9,3 +9,9 @@ Depends: devscripts,
 python3-twisted,
 sudo,
 sysvinit-utils,
+
+Tests: ssh-gssapi
+Restrictions: needs-root allow-stderr isolation-container
+Depends: openssh-server,
+ krb5-kdc,
+ krb5-admin-server
diff --git a/debian/tests/ssh-gssapi b/debian/tests/ssh-gssapi
new file mode 100755
index 0000000..a9c18d9
--- /dev/null
+++ b/debian/tests/ssh-gssapi
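Review bot: The new `ssh-gssapi` stanza in debian/tests/control lists only openssh-server, krb5-kdc and krb5-admin-server, but the test script it runs calls `kinit`, `klist` and `kdestroy` (shipped by krb5-user), `adduser`, `hostname`, `journalctl` and `timeout`; unless krb5-kdc and the container image are known to pull those in, the run fails on a missing command rather than on the behaviour under test, so add `krb5-user` (and whichever of the others is not guaranteed) to that `Depends:` line. A short comment above the stanza noting that the script rewrites /etc/hostname, /etc/hosts and /etc/krb5.conf would also explain why `isolation-container` is required.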
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+realm="EXAMPLE.FAKE"
+myhostname="sshd-gssapi.${realm,,}"
+testuser="testuser$$"
+adduser --quiet --disabled-password --gecos "" "${testuser}"
+password="secret"
+user_principal="${testuser}@${realm}"
+service_principal="host/${myhostname}"
+
+source debian/tests/util
+
+cleanup() {
+ if [ $? -ne 0 ]; then
+ echo "## Something failed"
+ echo
+ echo "## klist"
+ klist
+ echo
+ echo "## ssh server log"
+ journalctl -b -u ssh.service --lines 100
+ echo
+ echo "## Kerberos KDC logs"
+ journalctl -b -u krb5-kdc.service --lines 100
+ echo
+ echo "## Kerberos Admin server logs"
+ journalctl -b -u krb5-admin-server.service --lines 100
+ echo
+ echo "## Skipping cleanup to facilitate troubleshooting"
+ else
+ echo "## ALL TESTS PASSED"
+ echo "## Cleaning up"
+ rm -f /etc/krb5.keytab
+ rm -f /etc/ssh/sshd_config.d/gssapi.conf
+ rm -f /etc/ssh/ssh_config.d/gssapi.conf
+ rm -f /etc/ssh/ssh_config.d/dep8.conf
+ fi
+}
+
+trap cleanup EXIT
+
+setup() {
+ echo "## Setting up test environment"
+ adjust_hostname "${myhostname}"
+ echo "## Creating Kerberos realm ${realm}"
+ create_realm "${realm}" "${myhostname}"
+ echo "## Creating principals"
+ kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}"
+ kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}"
+ echo "## Extracting service principal ${service_principal}"
+ kadmin.local -q "ktadd -k /etc/krb5.keytab ${service_principal}"
+ cat > /etc/ssh/ssh_config.d/dep8.conf <<EOF
+Host *
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+EOF
+ echo "## Adjusting /etc/krb5.conf"
+ cat > /etc/krb5.conf <<EOF
+[libdefaults]
+ default_realm = ${realm}
+ rdns = false
+ forwardable = true
+ dns_lookup_kdc = falase
+ dns_uri_lookup = false
+ dns_lookup_realm = false
+
+[realms]
+ ${realm} = {
+ kdc = ${myhostname}
+ admin_server = ${myhostname}
+ }
+EOF
+}
+
+configure_sshd() {
+ local auth_method="${1}"
+
+ if [ "${auth_method}" = "gssapi-with-mic" ]; then
+ # server
+ echo "## Configuring sshd for ${auth_method} authentication"
+ cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange no
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+ # client
+ cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+ GSSAPIAuthentication yes
+ GSSAPIKeyExchange no
+ PubkeyAuthentication no
+EOF
+ elif [ "${auth_method}" = "gssapi-keyex" ]; then
+ # server
+ echo "## Configuring sshd for ${auth_method} authentication"
+ cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+ # client
+ cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+ GSSAPIAuthentication yes
+ GSSAPIKeyExchange yes
+ PubkeyAuthentication no
+EOF
+ else
+ echo "## ERROR: unknown auth_method \"${auth_method}\""
+ return 1
+ fi
+ echo "## Restarting ssh"
+ systemctl restart ssh.service
+}
+
+_test_ssh_login() {
+ local auth_method="${1}"
+
+ kdestroy 2>/dev/null || :
+ configure_sshd "${auth_method}" || return $?
+ echo "## Obtaining TGT"
+ echo "${password}" | timeout --verbose 30 kinit "${user_principal}" || return $?
+ klist
+ echo
+ echo "## ssh'ing into localhost using ${auth_method} auth"
+ timeout --verbose 30 ssh "${testuser}@${myhostname}" date || return $?
+ echo
+ echo "## checking that we got a service ticket for ssh (host/)"
+ klist | grep -F "${service_principal}" || return $?
+ echo
+ echo "## Checking ssh logs to confirm ${auth_method} auth was used"
+ journalctl -u ssh.service -b --grep "Accepted ${auth_method}"
+}
+
+test_gssapi_login() {
+ local auth_method="gssapi-with-mic"
+
+ _test_ssh_login "${auth_method}"
+}
+
+test_gssapi_keyex_login() {
+ local auth_method="gssapi-keyex"
+
+ _test_ssh_login "${auth_method}"
+}
+
+setup
+echo "## TESTS"
+echo
+run_test test_gssapi_login
+run_test test_gssapi_keyex_login
diff --git a/debian/tests/util b/debian/tests/util
new file mode 100644
index 0000000..e6035c4
--- /dev/null
+++ b/debian/tests/util
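Review bot: The /etc/krb5.conf heredoc in setup() writes `dns_lookup_kdc = falase`, a typo that is not a valid boolean, so the intended "no DNS for KDC discovery" setting is not applied (presumably libkrb5 falls back to its default and the test still passes only because `kdc =` is set explicitly); it should read `dns_lookup_kdc = false`. The last line of _test_ssh_login greps the whole boot's ssh.service journal, so an "Accepted gssapi-with-mic" entry left by an earlier attempt in the same boot would satisfy the check; take `since=$(date '+%Y-%m-%d %H:%M:%S')` before the ssh call and pass `--since "${since}"`, and pipe through `grep -q` unless journalctl is known to exit non-zero when `--grep` matches nothing. cleanup() never removes the user created by `adduser` at the top and does not restart sshd after deleting its gssapi.conf drop-in, so the container keeps the test's configuration after a pass; acceptable under isolation-container, but worth a comment in cleanup() saying so.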
@@ -0,0 +1,76 @@
+# Copyright 2018 Canonical Ltd.
+# This code is licensed under the same terms as MIT Kerberos.
+
+set -e
+
+adjust_hostname() {
+ local myhostname="$1"
+
+ echo "${myhostname}" > /etc/hostname
+ hostname "${myhostname}"
+ if ! grep -qE "${myhostname}" /etc/hosts; then
+ # just so it's resolvable
+ echo "127.0.1.10 ${myhostname}" >> /etc/hosts
+ fi
+}
+
+create_realm() {
+ local realm_name="$1"
+ local kerberos_server="$2"
+
+ # start fresh
+ rm -rf /var/lib/krb5kdc/*
+ rm -rf /etc/krb5kdc/*
+ rm -f /etc/krb5.keytab
+
+ # setup some defaults
+ cat > /etc/krb5kdc/kdc.conf <<EOF
+[kdcdefaults]
+ kdc_ports = 750,88
+[realms]
+ ${realm_name} = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /etc/krb5kdc/stash
+ kdc_ports = 750,88
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ default_principal_flags = +preauth
+ }
+EOF
+
+ cat > /etc/krb5.conf <<EOF
+[libdefaults]
+ default_realm = ${realm_name}
+ rdns = false
+
+[realms]
+ ${realm_name} = {
+ kdc = ${kerberos_server}
+ admin_server = ${kerberos_server}
+ }
+EOF
+ echo "# */admin *" > /etc/krb5kdc/kadm5.acl
+
+ # create the realm
+ kdb5_util create -s -P secretpassword
+
+ # restart services
+ systemctl restart krb5-kdc.service krb5-admin-server.service
+}
+
+run_test() {
+ local testfunc="${1}"
+ local -i result=0
+ shift
+ echo "## TEST ${testfunc}"
+ "${testfunc}" "${@}" || result=$?
+ if [ ${result} -ne 0 ]; then
+ echo "## FAIL ${testfunc}"
+ else
+ echo "## PASS ${testfunc}"
+ fi
+ echo
+ return ${result}
+} |
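Review bot: adjust_hostname passes the hostname to `grep -qE` as a regular expression, so the dots in a name like sshd-gssapi.example.fake match any character and the check also succeeds when the name merely appears as a substring of another entry; use `grep -qwF -- "${myhostname}" /etc/hosts` so only a literal whole-word match counts. create_realm's `rm -rf /var/lib/krb5kdc/*` and `rm -rf /etc/krb5kdc/*` destroy any existing KDC on the machine, which is only acceptable because the caller is restricted to isolation-container; a comment on those lines, e.g. `# DESTRUCTIVE: wipes any existing KDC; only run inside a throw-away test container`, would stop util being reused elsewhere unguarded. The `set -e` at the top of a sourced helper also changes the caller's shell options, which is worth noting in the header comment since every script that sources util inherits it.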