-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog19
-rw-r--r--debian/openssh-client.tmpfiles1
-rw-r--r--debian/openssh-server.tmpfiles1
-rw-r--r--debian/patches/pam-avoid-unknown-host.patch34
-rw-r--r--debian/patches/series1
-rwxr-xr-xdebian/rules2
-rw-r--r--debian/systemd/ssh.service2
-rw-r--r--debian/systemd/sshd@.service2
-rw-r--r--debian/tests/control6
-rwxr-xr-xdebian/tests/ssh-gssapi158
-rw-r--r--debian/tests/util76
12 files changed, 301 insertions, 5 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index c9f38ee..4b1e161 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
-1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
+d4ae5b68870bf65747084f4ed3060bb13c586c9e
+d4ae5b68870bf65747084f4ed3060bb13c586c9e
cf05e8418c088a6e5712344cecaf6ee2d5eb550f
cf05e8418c088a6e5712344cecaf6ee2d5eb550f
openssh_9.7p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index 4aefd40..8c231b5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,22 @@
+openssh (1:9.7p1-5) unstable; urgency=medium
+
+ [ Colin Watson ]
+ * Add "After=nss-user-lookup.target" to ssh.service and sshd@.service
+ (closes: #1069706).
+ * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is
+ set.
+
+ [ Andreas Hasenack ]
+ * Add autopkgtests for GSSAPI logins, including gssapi-keyex.
+
+ [ Luca Boccassi ]
+ * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/
+ (closes: #1070725).
+ * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De
+ Meyer).
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 16 May 2024 11:16:30 +0100
+
openssh (1:9.7p1-4) unstable; urgency=medium
* Rework systemd readiness notification and socket activation patches to
diff --git a/debian/openssh-client.tmpfiles b/debian/openssh-client.tmpfiles
new file mode 100644
index 0000000..aca99b4
--- /dev/null
+++ b/debian/openssh-client.tmpfiles
@@ -0,0 +1 @@
+x /tmp/ssh-*
diff --git a/debian/openssh-server.tmpfiles b/debian/openssh-server.tmpfiles
new file mode 100644
index 0000000..896aeb1
--- /dev/null
+++ b/debian/openssh-server.tmpfiles
@@ -0,0 +1 @@
+x /tmp/sshauth.*
diff --git a/debian/patches/pam-avoid-unknown-host.patch b/debian/patches/pam-avoid-unknown-host.patch
new file mode 100644
index 0000000..2887ee4
--- /dev/null
+++ b/debian/patches/pam-avoid-unknown-host.patch
@@ -0,0 +1,34 @@
+From d4ae5b68870bf65747084f4ed3060bb13c586c9e Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Mon, 20 Mar 2023 20:22:14 +0100
+Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN"
+
+When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
+socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
+set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
+query of "UNKNOWN", which times out multiple times, causing a
+substantial slowdown when logging in.
+
+To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
+
+Author: Daan De Meyer <daan.j.demeyer@gmail.com>
+Last-Update: 2024-04-03
+
+Patch-Name: pam-avoid-unknown-host.patch
+---
+ auth-pam.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index b49d415e7..81de88bba 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
+ sshpam_laddr = get_local_ipaddr(
+ ssh_packet_get_connection_in(ssh));
+ }
+- if (sshpam_rhost != NULL) {
++ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
+ debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
+ sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
+ sshpam_rhost);
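Review bot: When sshpam_rhost is "UNKNOWN" the new condition skips pam_set_item silently, so a login that takes this path leaves no trace in the debug output of why PAM_RHOST is absent; an `else` branch with `debug("PAM: not setting PAM_RHOST, remote host is unknown");` would make the behaviour visible at the same log level as the existing message. The strcmp relies on auth_get_canonical_hostname() producing exactly the literal "UNKNOWN" for non-socket stdio, which the patch description states but the hunk does not show, so a one-line comment above the condition naming that source would help the next reader. sshpam_init begins and ends outside the hunk.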
diff --git a/debian/patches/series b/debian/patches/series
index 0f25d97..6af9ea1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,4 @@ skip-utimensat-test-on-zfs.patch
zero-call-used-regs-m68k.patch
regress-conch-dev-zero.patch
configure-cache-vars.patch
+pam-avoid-unknown-host.patch
diff --git a/debian/rules b/debian/rules
index ad0b683..8aefb1a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -33,7 +33,7 @@ else
endif
# Change the version string to reflect distribution
-SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//')
+SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//; s/+salsaci+.*/+salsaci/')
UBUNTU := $(shell $(call dpkg_vendor_derives_from,Ubuntu))
ifeq ($(UBUNTU),yes)
diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service
index 7495d9a..0eb0d67 100644
--- a/debian/systemd/ssh.service
+++ b/debian/systemd/ssh.service
@@ -1,7 +1,7 @@
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
-After=network.target auditd.service
+After=network.target nss-user-lookup.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
diff --git a/debian/systemd/sshd@.service b/debian/systemd/sshd@.service
index 29864a8..38ff431 100644
--- a/debian/systemd/sshd@.service
+++ b/debian/systemd/sshd@.service
@@ -1,7 +1,7 @@
[Unit]
Description=OpenBSD Secure Shell server per-connection daemon
Documentation=man:sshd(8) man:sshd_config(5)
-After=auditd.service
+After=nss-user-lookup.target auditd.service
[Service]
EnvironmentFile=-/etc/default/ssh
diff --git a/debian/tests/control b/debian/tests/control
index 3c7b14d..efd6c45 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -9,3 +9,9 @@ Depends: devscripts,
python3-twisted,
sudo,
sysvinit-utils,
+
+Tests: ssh-gssapi
+Restrictions: needs-root allow-stderr isolation-container
+Depends: openssh-server,
+ krb5-kdc,
+ krb5-admin-server
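Review bot: The new ssh-gssapi stanza declares isolation-container but not breaks-testbed, while the test it registers rewrites /etc/hostname, /etc/hosts and /etc/krb5.conf and creates a system user that the script's success path does not remove; if the testbed is reused for the other tests in this package, those changes persist into them. If that reuse is possible in the intended runners, `Restrictions: needs-root allow-stderr isolation-container breaks-testbed` would make autopkgtest revert the testbed afterwards. The Depends list could also carry a short comment that krb5-kdc and krb5-admin-server are needed because the test stands up its own realm.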
diff --git a/debian/tests/ssh-gssapi b/debian/tests/ssh-gssapi
new file mode 100755
index 0000000..a9c18d9
--- /dev/null
+++ b/debian/tests/ssh-gssapi
@@ -0,0 +1,158 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+realm="EXAMPLE.FAKE"
+myhostname="sshd-gssapi.${realm,,}"
+testuser="testuser$$"
+adduser --quiet --disabled-password --gecos "" "${testuser}"
+password="secret"
+user_principal="${testuser}@${realm}"
+service_principal="host/${myhostname}"
+
+source debian/tests/util
+
+cleanup() {
+ if [ $? -ne 0 ]; then
+ echo "## Something failed"
+ echo
+ echo "## klist"
+ klist
+ echo
+ echo "## ssh server log"
+ journalctl -b -u ssh.service --lines 100
+ echo
+ echo "## Kerberos KDC logs"
+ journalctl -b -u krb5-kdc.service --lines 100
+ echo
+ echo "## Kerberos Admin server logs"
+ journalctl -b -u krb5-admin-server.service --lines 100
+ echo
+ echo "## Skipping cleanup to facilitate troubleshooting"
+ else
+ echo "## ALL TESTS PASSED"
+ echo "## Cleaning up"
+ rm -f /etc/krb5.keytab
+ rm -f /etc/ssh/sshd_config.d/gssapi.conf
+ rm -f /etc/ssh/ssh_config.d/gssapi.conf
+ rm -f /etc/ssh/ssh_config.d/dep8.conf
+ fi
+}
+
+trap cleanup EXIT
+
+setup() {
+ echo "## Setting up test environment"
+ adjust_hostname "${myhostname}"
+ echo "## Creating Kerberos realm ${realm}"
+ create_realm "${realm}" "${myhostname}"
+ echo "## Creating principals"
+ kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}"
+ kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}"
+ echo "## Extracting service principal ${service_principal}"
+ kadmin.local -q "ktadd -k /etc/krb5.keytab ${service_principal}"
+ cat > /etc/ssh/ssh_config.d/dep8.conf <<EOF
+Host *
+ StrictHostKeyChecking no
+ UserKnownHostsFile /dev/null
+EOF
+ echo "## Adjusting /etc/krb5.conf"
+ cat > /etc/krb5.conf <<EOF
+[libdefaults]
+ default_realm = ${realm}
+ rdns = false
+ forwardable = true
+ dns_lookup_kdc = falase
+ dns_uri_lookup = false
+ dns_lookup_realm = false
+
+[realms]
+ ${realm} = {
+ kdc = ${myhostname}
+ admin_server = ${myhostname}
+ }
+EOF
+}
+
+configure_sshd() {
+ local auth_method="${1}"
+
+ if [ "${auth_method}" = "gssapi-with-mic" ]; then
+ # server
+ echo "## Configuring sshd for ${auth_method} authentication"
+ cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange no
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+ # client
+ cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+ GSSAPIAuthentication yes
+ GSSAPIKeyExchange no
+ PubkeyAuthentication no
+EOF
+ elif [ "${auth_method}" = "gssapi-keyex" ]; then
+ # server
+ echo "## Configuring sshd for ${auth_method} authentication"
+ cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+ # client
+ cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+ GSSAPIAuthentication yes
+ GSSAPIKeyExchange yes
+ PubkeyAuthentication no
+EOF
+ else
+ echo "## ERROR: unknown auth_method \"${auth_method}\""
+ return 1
+ fi
+ echo "## Restarting ssh"
+ systemctl restart ssh.service
+}
+
+_test_ssh_login() {
+ local auth_method="${1}"
+
+ kdestroy 2>/dev/null || :
+ configure_sshd "${auth_method}" || return $?
+ echo "## Obtaining TGT"
+ echo "${password}" | timeout --verbose 30 kinit "${user_principal}" || return $?
+ klist
+ echo
+ echo "## ssh'ing into localhost using ${auth_method} auth"
+ timeout --verbose 30 ssh "${testuser}@${myhostname}" date || return $?
+ echo
+ echo "## checking that we got a service ticket for ssh (host/)"
+ klist | grep -F "${service_principal}" || return $?
+ echo
+ echo "## Checking ssh logs to confirm ${auth_method} auth was used"
+ journalctl -u ssh.service -b --grep "Accepted ${auth_method}"
+}
+
+test_gssapi_login() {
+ local auth_method="gssapi-with-mic"
+
+ _test_ssh_login "${auth_method}"
+}
+
+test_gssapi_keyex_login() {
+ local auth_method="gssapi-keyex"
+
+ _test_ssh_login "${auth_method}"
+}
+
+setup
+echo "## TESTS"
+echo
+run_test test_gssapi_login
+run_test test_gssapi_keyex_login
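Review bot: `dns_lookup_kdc = falase` in the krb5.conf heredoc written by setup() is a typo for `false`; libkrb5 will not recognise the value, so the setting presumably falls back to the library default rather than disabling KDC DNS lookup as intended, and the line should read `    dns_lookup_kdc = false`. The final check in _test_ssh_login, `journalctl -u ssh.service -b --grep "Accepted ${auth_method}"`, is not bounded to this login: any earlier entry from the same boot satisfies it, and whether an empty match makes journalctl exit non-zero depends on the systemd version, so record a timestamp or cursor before the ssh call, pass it with `--since`/`--after-cursor`, and test the output explicitly. The success branch of cleanup() removes the keytab and the ssh config snippets but leaves the `${testuser}` account created at the top of the script and the realm database holding its principal with the fixed password, so `deluser --quiet "${testuser}"` and stopping krb5-kdc/krb5-admin-server belong there too.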
diff --git a/debian/tests/util b/debian/tests/util
new file mode 100644
index 0000000..e6035c4
--- /dev/null
+++ b/debian/tests/util
@@ -0,0 +1,76 @@
+# Copyright 2018 Canonical Ltd.
+# This code is licensed under the same terms as MIT Kerberos.
+
+set -e
+
+adjust_hostname() {
+ local myhostname="$1"
+
+ echo "${myhostname}" > /etc/hostname
+ hostname "${myhostname}"
+ if ! grep -qE "${myhostname}" /etc/hosts; then
+ # just so it's resolvable
+ echo "127.0.1.10 ${myhostname}" >> /etc/hosts
+ fi
+}
+
+create_realm() {
+ local realm_name="$1"
+ local kerberos_server="$2"
+
+ # start fresh
+ rm -rf /var/lib/krb5kdc/*
+ rm -rf /etc/krb5kdc/*
+ rm -f /etc/krb5.keytab
+
+ # setup some defaults
+ cat > /etc/krb5kdc/kdc.conf <<EOF
+[kdcdefaults]
+ kdc_ports = 750,88
+[realms]
+ ${realm_name} = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /etc/krb5kdc/stash
+ kdc_ports = 750,88
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ default_principal_flags = +preauth
+ }
+EOF
+
+ cat > /etc/krb5.conf <<EOF
+[libdefaults]
+ default_realm = ${realm_name}
+ rdns = false
+
+[realms]
+ ${realm_name} = {
+ kdc = ${kerberos_server}
+ admin_server = ${kerberos_server}
+ }
+EOF
+ echo "# */admin *" > /etc/krb5kdc/kadm5.acl
+
+ # create the realm
+ kdb5_util create -s -P secretpassword
+
+ # restart services
+ systemctl restart krb5-kdc.service krb5-admin-server.service
+}
+
+run_test() {
+ local testfunc="${1}"
+ local -i result=0
+ shift
+ echo "## TEST ${testfunc}"
+ "${testfunc}" "${@}" || result=$?
+ if [ ${result} -ne 0 ]; then
+ echo "## FAIL ${testfunc}"
+ else
+ echo "## PASS ${testfunc}"
+ fi
+ echo
+ return ${result}
+}
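Review bot: `grep -qE "${myhostname}"` in adjust_hostname treats the hostname as an extended regex and matches it anywhere on the line, so the dots in the name match any character and an /etc/hosts entry for a similar name suppresses the append; `grep -qwF "${myhostname}" /etc/hosts` matches the literal name only. create_realm also writes /etc/krb5.conf, which the caller in ssh-gssapi overwrites immediately afterwards with a fuller version; keeping a single writer avoids the two drifting apart. The `rm -rf /var/lib/krb5kdc/*` and `rm -rf /etc/krb5kdc/*` lines discard any existing KDC on the host without confirmation, which is fine for a disposable testbed but deserves a comment above them such as `# destructive: wipes any existing KDC database and config on this host`.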