From 647ff1f9aea86fe3247ff5e240f46c4fe5d5bba6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 17 May 2024 19:01:42 +0200 Subject: Merging debian version 1:9.7p1-5. Signed-off-by: Daniel Baumann --- debian/.git-dpm | 4 +- debian/changelog | 19 ++++ debian/openssh-client.tmpfiles | 1 + debian/openssh-server.tmpfiles | 1 + debian/patches/pam-avoid-unknown-host.patch | 34 ++++++ debian/patches/series | 1 + debian/rules | 2 +- debian/systemd/ssh.service | 2 +- debian/systemd/sshd@.service | 2 +- debian/tests/control | 6 ++ debian/tests/ssh-gssapi | 158 ++++++++++++++++++++++++++++ debian/tests/util | 76 +++++++++++++ 12 files changed, 301 insertions(+), 5 deletions(-) create mode 100644 debian/openssh-client.tmpfiles create mode 100644 debian/openssh-server.tmpfiles create mode 100644 debian/patches/pam-avoid-unknown-host.patch create mode 100755 debian/tests/ssh-gssapi create mode 100644 debian/tests/util diff --git a/debian/.git-dpm b/debian/.git-dpm index c9f38ee..4b1e161 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea -1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea +d4ae5b68870bf65747084f4ed3060bb13c586c9e +d4ae5b68870bf65747084f4ed3060bb13c586c9e cf05e8418c088a6e5712344cecaf6ee2d5eb550f cf05e8418c088a6e5712344cecaf6ee2d5eb550f openssh_9.7p1.orig.tar.gz diff --git a/debian/changelog b/debian/changelog index a03acc3..4847013 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,22 @@ +openssh (1:9.7p1-5) unstable; urgency=medium + + [ Colin Watson ] + * Add "After=nss-user-lookup.target" to ssh.service and sshd@.service + (closes: #1069706). + * Avoid cleanup of /tmp/sshauth.*, created by sshd if ExposeAuthInfo is + set. + + [ Andreas Hasenack ] + * Add autopkgtests for GSSAPI logins, including gssapi-keyex. + + [ Luca Boccassi ] + * Install tmpfiles.d to avoid cleanup of ssh-agent socket in /tmp/ + (closes: #1070725). + * Only set PAM_RHOST if the remote host is not "UNKNOWN" (thanks, Daan De + Meyer). + + -- Colin Watson Thu, 16 May 2024 11:16:30 +0100 + openssh (1:9.7p1-4~progress7.99u1) graograman-backports; urgency=medium * Uploading to graograman-backports, remaining changes: diff --git a/debian/openssh-client.tmpfiles b/debian/openssh-client.tmpfiles new file mode 100644 index 0000000..aca99b4 --- /dev/null +++ b/debian/openssh-client.tmpfiles @@ -0,0 +1 @@ +x /tmp/ssh-* diff --git a/debian/openssh-server.tmpfiles b/debian/openssh-server.tmpfiles new file mode 100644 index 0000000..896aeb1 --- /dev/null +++ b/debian/openssh-server.tmpfiles @@ -0,0 +1 @@ +x /tmp/sshauth.* diff --git a/debian/patches/pam-avoid-unknown-host.patch b/debian/patches/pam-avoid-unknown-host.patch new file mode 100644 index 0000000..2887ee4 --- /dev/null +++ b/debian/patches/pam-avoid-unknown-host.patch @@ -0,0 +1,34 @@ +From d4ae5b68870bf65747084f4ed3060bb13c586c9e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 20 Mar 2023 20:22:14 +0100 +Subject: Only set PAM_RHOST if the remote host is not "UNKNOWN" + +When using sshd's -i option with stdio that is not a AF_INET/AF_INET6 +socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then +set as the value of PAM_RHOST, causing pam to try to do a reverse DNS +query of "UNKNOWN", which times out multiple times, causing a +substantial slowdown when logging in. + +To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN". + +Author: Daan De Meyer +Last-Update: 2024-04-03 + +Patch-Name: pam-avoid-unknown-host.patch +--- + auth-pam.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/auth-pam.c b/auth-pam.c +index b49d415e7..81de88bba 100644 +--- a/auth-pam.c ++++ b/auth-pam.c +@@ -735,7 +735,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt) + sshpam_laddr = get_local_ipaddr( + ssh_packet_get_connection_in(ssh)); + } +- if (sshpam_rhost != NULL) { ++ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) { + debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost); + sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, + sshpam_rhost); diff --git a/debian/patches/series b/debian/patches/series index 311759a..48c673a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -28,6 +28,7 @@ skip-utimensat-test-on-zfs.patch zero-call-used-regs-m68k.patch regress-conch-dev-zero.patch configure-cache-vars.patch +pam-avoid-unknown-host.patch progress-linux/0001-ssh-keygen-default-rsa-size.patch progress-linux/0002-ssh-keygen-default-ecdsa-size.patch progress-linux/0003-ssh_config-update.patch diff --git a/debian/rules b/debian/rules index 6431a78..acb3140 100755 --- a/debian/rules +++ b/debian/rules @@ -33,7 +33,7 @@ else endif # Change the version string to reflect distribution -SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//') +SSH_EXTRAVERSION := $(DEB_VENDOR)-$(shell echo '$(DEB_VERSION)' | sed -e 's/.*-//; s/+salsaci+.*/+salsaci/') UBUNTU := $(shell $(call dpkg_vendor_derives_from,Ubuntu)) ifeq ($(UBUNTU),yes) diff --git a/debian/systemd/ssh.service b/debian/systemd/ssh.service index 7495d9a..0eb0d67 100644 --- a/debian/systemd/ssh.service +++ b/debian/systemd/ssh.service @@ -1,7 +1,7 @@ [Unit] Description=OpenBSD Secure Shell server Documentation=man:sshd(8) man:sshd_config(5) -After=network.target auditd.service +After=network.target nss-user-lookup.target auditd.service ConditionPathExists=!/etc/ssh/sshd_not_to_be_run [Service] diff --git a/debian/systemd/sshd@.service b/debian/systemd/sshd@.service index 29864a8..38ff431 100644 --- a/debian/systemd/sshd@.service +++ b/debian/systemd/sshd@.service @@ -1,7 +1,7 @@ [Unit] Description=OpenBSD Secure Shell server per-connection daemon Documentation=man:sshd(8) man:sshd_config(5) -After=auditd.service +After=nss-user-lookup.target auditd.service [Service] EnvironmentFile=-/etc/default/ssh diff --git a/debian/tests/control b/debian/tests/control index 3c7b14d..efd6c45 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -9,3 +9,9 @@ Depends: devscripts, python3-twisted, sudo, sysvinit-utils, + +Tests: ssh-gssapi +Restrictions: needs-root allow-stderr isolation-container +Depends: openssh-server, + krb5-kdc, + krb5-admin-server diff --git a/debian/tests/ssh-gssapi b/debian/tests/ssh-gssapi new file mode 100755 index 0000000..a9c18d9 --- /dev/null +++ b/debian/tests/ssh-gssapi @@ -0,0 +1,158 @@ +#!/bin/bash + +set -e +set -o pipefail + +realm="EXAMPLE.FAKE" +myhostname="sshd-gssapi.${realm,,}" +testuser="testuser$$" +adduser --quiet --disabled-password --gecos "" "${testuser}" +password="secret" +user_principal="${testuser}@${realm}" +service_principal="host/${myhostname}" + +source debian/tests/util + +cleanup() { + if [ $? -ne 0 ]; then + echo "## Something failed" + echo + echo "## klist" + klist + echo + echo "## ssh server log" + journalctl -b -u ssh.service --lines 100 + echo + echo "## Kerberos KDC logs" + journalctl -b -u krb5-kdc.service --lines 100 + echo + echo "## Kerberos Admin server logs" + journalctl -b -u krb5-admin-server.service --lines 100 + echo + echo "## Skipping cleanup to facilitate troubleshooting" + else + echo "## ALL TESTS PASSED" + echo "## Cleaning up" + rm -f /etc/krb5.keytab + rm -f /etc/ssh/sshd_config.d/gssapi.conf + rm -f /etc/ssh/ssh_config.d/gssapi.conf + rm -f /etc/ssh/ssh_config.d/dep8.conf + fi +} + +trap cleanup EXIT + +setup() { + echo "## Setting up test environment" + adjust_hostname "${myhostname}" + echo "## Creating Kerberos realm ${realm}" + create_realm "${realm}" "${myhostname}" + echo "## Creating principals" + kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}" + kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}" + echo "## Extracting service principal ${service_principal}" + kadmin.local -q "ktadd -k /etc/krb5.keytab ${service_principal}" + cat > /etc/ssh/ssh_config.d/dep8.conf < /etc/krb5.conf < /etc/ssh/sshd_config.d/gssapi.conf < /etc/ssh/ssh_config.d/gssapi.conf < /etc/ssh/sshd_config.d/gssapi.conf < /etc/ssh/ssh_config.d/gssapi.conf </dev/null || : + configure_sshd "${auth_method}" || return $? + echo "## Obtaining TGT" + echo "${password}" | timeout --verbose 30 kinit "${user_principal}" || return $? + klist + echo + echo "## ssh'ing into localhost using ${auth_method} auth" + timeout --verbose 30 ssh "${testuser}@${myhostname}" date || return $? + echo + echo "## checking that we got a service ticket for ssh (host/)" + klist | grep -F "${service_principal}" || return $? + echo + echo "## Checking ssh logs to confirm ${auth_method} auth was used" + journalctl -u ssh.service -b --grep "Accepted ${auth_method}" +} + +test_gssapi_login() { + local auth_method="gssapi-with-mic" + + _test_ssh_login "${auth_method}" +} + +test_gssapi_keyex_login() { + local auth_method="gssapi-keyex" + + _test_ssh_login "${auth_method}" +} + +setup +echo "## TESTS" +echo +run_test test_gssapi_login +run_test test_gssapi_keyex_login diff --git a/debian/tests/util b/debian/tests/util new file mode 100644 index 0000000..e6035c4 --- /dev/null +++ b/debian/tests/util @@ -0,0 +1,76 @@ +# Copyright 2018 Canonical Ltd. +# This code is licensed under the same terms as MIT Kerberos. + +set -e + +adjust_hostname() { + local myhostname="$1" + + echo "${myhostname}" > /etc/hostname + hostname "${myhostname}" + if ! grep -qE "${myhostname}" /etc/hosts; then + # just so it's resolvable + echo "127.0.1.10 ${myhostname}" >> /etc/hosts + fi +} + +create_realm() { + local realm_name="$1" + local kerberos_server="$2" + + # start fresh + rm -rf /var/lib/krb5kdc/* + rm -rf /etc/krb5kdc/* + rm -f /etc/krb5.keytab + + # setup some defaults + cat > /etc/krb5kdc/kdc.conf < /etc/krb5.conf < /etc/krb5kdc/kadm5.acl + + # create the realm + kdb5_util create -s -P secretpassword + + # restart services + systemctl restart krb5-kdc.service krb5-admin-server.service +} + +run_test() { + local testfunc="${1}" + local -i result=0 + shift + echo "## TEST ${testfunc}" + "${testfunc}" "${@}" || result=$? + if [ ${result} -ne 0 ]; then + echo "## FAIL ${testfunc}" + else + echo "## PASS ${testfunc}" + fi + echo + return ${result} +} -- cgit v1.2.3