openkylin
/
openssh
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

changed debian/source/format to native

This commit is contained in:
Lu zhiping 2022-06-16 16:57:14 +08:00
parent f70d7ae8c1
commit 2d0df78df5
27 changed files with 1 additions and 6426 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
debian/patches/authorized-keys-man-symlink.patch vendored
View File

@ -1,26 +0,0 @@
From b0cb3badf4d423f8ea7bf950e55ca72878cc224b Mon Sep 17 00:00:00 2001
From: Tomas Pospisek <tpo_deb@sourcepole.ch>
Date: Sun, 9 Feb 2014 16:10:07 +0000
Subject: Install authorized_keys(5) as a symlink to sshd(8)
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1720
Bug-Debian: http://bugs.debian.org/441817
Last-Update: 2013-09-14
Patch-Name: authorized-keys-man-symlink.patch
---
Makefile.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile.in b/Makefile.in
index b68c1710f..bff1db49b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -402,6 +402,7 @@ install-files:
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+ ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5
$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8

68
debian/patches/conch-old-privkey-format.patch vendored
View File

@ -1,68 +0,0 @@
From 39d3bb41ec288e8ba2384c65248440603f65349c Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 30 Aug 2018 00:58:56 +0100
Subject: Work around conch interoperability failure
Twisted Conch fails to read private keys in the new format
(https://twistedmatrix.com/trac/ticket/9515). Work around this until it
can be fixed in Twisted.
Forwarded: not-needed
Last-Update: 2019-10-09
Patch-Name: conch-old-privkey-format.patch
---
regress/Makefile | 2 +-
regress/conch-ciphers.sh | 2 +-
regress/test-exec.sh | 12 ++++++++++++
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/regress/Makefile b/regress/Makefile
index 774c10d41..01e257a94 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -120,7 +120,7 @@ CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \
rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \
scp-ssh-wrapper.scp setuid-allowed sftp-server.log \
sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \
- ssh-rsa_oldfmt \
+ ssh-rsa_oldfmt ssh-rsa_oldfmt.pub \
ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \
ssh_proxy_envpass sshd.log sshd_config sshd_config_minimal \
sshd_config.* sshd_proxy sshd_proxy.* sshd_proxy_bak \
diff --git a/regress/conch-ciphers.sh b/regress/conch-ciphers.sh
index 6678813a2..6ff5da20b 100644
--- a/regress/conch-ciphers.sh
+++ b/regress/conch-ciphers.sh
@@ -16,7 +16,7 @@ for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
rm -f ${COPY}
# XXX the 2nd "cat" seems to be needed because of buggy FD handling
# in conch
- ${CONCH} --identity $OBJ/ssh-rsa --port $PORT --user $USER -e none \
+ ${CONCH} --identity $OBJ/ssh-rsa_oldfmt --port $PORT --user $USER -e none \
--known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
if [ $? -ne 0 ]; then
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index f5e3ee6f5..a3a40719f 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -573,6 +573,18 @@ REGRESS_INTEROP_CONCH=no
if test -x "$CONCH" ; then
REGRESS_INTEROP_CONCH=yes
fi
+case "$SCRIPT" in
+*conch*) ;;
+*) REGRESS_INTEROP_CONCH=no
+esac
+
+if test "$REGRESS_INTEROP_CONCH" = "yes" ; then
+ # Convert rsa key to old format to work around
+ # https://twistedmatrix.com/trac/ticket/9515
+ cp $OBJ/ssh-rsa $OBJ/ssh-rsa_oldfmt
+ cp $OBJ/ssh-rsa.pub $OBJ/ssh-rsa_oldfmt.pub
+ ${SSHKEYGEN} -p -N '' -m PEM -f $OBJ/ssh-rsa_oldfmt >/dev/null
+fi
# If PuTTY is present and we are running a PuTTY test, prepare keys and
# configuration

163
debian/patches/debian-banner.patch vendored
View File

@ -1,163 +0,0 @@
From 7d20d00ea24ec0c3fffacc80ab271d0699d198c6 Mon Sep 17 00:00:00 2001
From: Kees Cook <kees@debian.org>
Date: Sun, 9 Feb 2014 16:10:06 +0000
Subject: Add DebianBanner server configuration option
Setting this to "no" causes sshd to omit the Debian revision from its
initial protocol handshake, for those scared by package-versioning.patch.
Bug-Debian: http://bugs.debian.org/562048
Forwarded: not-needed
Last-Update: 2020-02-21
Patch-Name: debian-banner.patch
---
kex.c | 5 +++--
kex.h | 2 +-
servconf.c | 9 +++++++++
servconf.h | 2 ++
sshconnect.c | 2 +-
sshd.c | 3 ++-
sshd_config.5 | 5 +++++
7 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/kex.c b/kex.c
index f638942d3..2abfbb95a 100644
--- a/kex.c
+++ b/kex.c
@@ -1226,7 +1226,7 @@ send_error(struct ssh *ssh, char *msg)
*/
int
kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- const char *version_addendum)
+ int debian_banner, const char *version_addendum)
{
int remote_major, remote_minor, mismatch;
size_t len, i, n;
@@ -1244,7 +1244,8 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+ debian_banner ? SSH_RELEASE : SSH_RELEASE_MINIMUM,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
diff --git a/kex.h b/kex.h
index fe7141414..938dca03b 100644
--- a/kex.h
+++ b/kex.h
@@ -194,7 +194,7 @@ char *kex_names_cat(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
int kex_gss_names_valid(const char *);
-int kex_exchange_identification(struct ssh *, int, const char *);
+int kex_exchange_identification(struct ssh *, int, int, const char *);
struct kex *kex_new(void);
int kex_ready(struct ssh *, char *[PROPOSAL_MAX]);
diff --git a/servconf.c b/servconf.c
index bf3cd84a4..7bbc25c2e 100644
--- a/servconf.c
+++ b/servconf.c
@@ -194,6 +194,7 @@ initialize_server_options(ServerOptions *options)
options->fingerprint_hash = -1;
options->disable_forwarding = -1;
options->expose_userauth_info = -1;
+ options->debian_banner = -1;
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -468,6 +469,8 @@ fill_default_server_options(ServerOptions *options)
options->expose_userauth_info = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("internal");
+ if (options->debian_banner == -1)
+ options->debian_banner = 1;
assemble_algorithms(options);
@@ -556,6 +559,7 @@ typedef enum {
sStreamLocalBindMask, sStreamLocalBindUnlink,
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding,
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider,
+ sDebianBanner,
sDeprecated, sIgnore, sUnsupported
} ServerOpCodes;
@@ -719,6 +723,7 @@ static struct {
{ "rdomain", sRDomain, SSHCFG_ALL },
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },
+ { "debianbanner", sDebianBanner, SSHCFG_GLOBAL },
{ NULL, sBadOption, 0 }
};
@@ -2382,6 +2387,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
*charptr = xstrdup(arg);
break;
+ case sDebianBanner:
+ intptr = &options->debian_banner;
+ goto parse_flag;
+
case sDeprecated:
case sIgnore:
case sUnsupported:
diff --git a/servconf.h b/servconf.h
index 3f47ea25e..3fa05fcac 100644
--- a/servconf.h
+++ b/servconf.h
@@ -221,6 +221,8 @@ typedef struct {
int expose_userauth_info;
u_int64_t timing_secret;
char *sk_provider;
+
+ int debian_banner;
} ServerOptions;
/* Information about the incoming connection as used by Match */
diff --git a/sshconnect.c b/sshconnect.c
index b796d3c8a..9f2412e0d 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1292,7 +1292,7 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const char *orighost,
lowercase(host);
/* Exchange protocol version identification strings with the server. */
- if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
+ if (kex_exchange_identification(ssh, timeout_ms, 1, NULL) != 0)
cleanup_exit(255); /* error already logged */
/* Put the connection into non-blocking mode. */
diff --git a/sshd.c b/sshd.c
index 65916fc6d..da876a900 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2187,7 +2187,8 @@ main(int ac, char **av)
if (!debug_flag)
alarm(options.login_grace_time);
- if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
+ if (kex_exchange_identification(ssh, -1, options.debian_banner,
+ options.version_addendum) != 0)
cleanup_exit(255); /* error already logged */
ssh_packet_set_nonblocking(ssh);
diff --git a/sshd_config.5 b/sshd_config.5
index ebd09f891..c926f584c 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -542,6 +542,11 @@ or
.Cm no .
The default is
.Cm yes .
+.It Cm DebianBanner
+Specifies whether the distribution-specified extra version suffix is
+included during initial protocol handshake.
+The default is
+.Cm yes .
.It Cm DenyGroups
This keyword can be followed by a list of group name patterns, separated
by spaces.

270
debian/patches/debian-config.patch vendored
View File

@ -1,270 +0,0 @@
From 8086961f9f4ad834e9c3b09b6e2c80273be1c506 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
ssh: Enable ForwardX11Trusted, returning to earlier semantics which cause
fewer problems with existing setups (http://bugs.debian.org/237021).
ssh: Set 'SendEnv LANG LC_*' by default (http://bugs.debian.org/264024).
ssh: Enable HashKnownHosts by default to try to limit the spread of ssh
worms.
ssh: Enable GSSAPIAuthentication by default.
ssh: Include /etc/ssh/ssh_config.d/*.conf.
sshd: Enable PAM, disable ChallengeResponseAuthentication, and disable
PrintMotd.
sshd: Enable X11Forwarding.
sshd: Set 'AcceptEnv LANG LC_*' by default.
sshd: Change sftp subsystem path to /usr/lib/openssh/sftp-server.
sshd: Include /etc/ssh/sshd_config.d/*.conf.
Document all of this.
Author: Russ Allbery <rra@debian.org>
Forwarded: not-needed
Last-Update: 2020-02-21
Patch-Name: debian-config.patch
---
readconf.c | 2 +-
ssh.1 | 24 ++++++++++++++++++++++++
ssh_config | 8 +++++++-
ssh_config.5 | 26 +++++++++++++++++++++++++-
sshd_config | 18 ++++++++++++------
sshd_config.5 | 29 +++++++++++++++++++++++++++++
6 files changed, 98 insertions(+), 9 deletions(-)
diff --git a/readconf.c b/readconf.c
index 7f251dd4a..e82024678 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2087,7 +2087,7 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
- options->forward_x11_trusted = 0;
+ options->forward_x11_trusted = 1;
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
/*
diff --git a/ssh.1 b/ssh.1
index b33a8049f..a8967c2f8 100644
--- a/ssh.1
+++ b/ssh.1
@@ -809,6 +809,16 @@ directive in
.Xr ssh_config 5
for more information.
.Pp
+(Debian-specific: X11 forwarding is not subjected to X11 SECURITY extension
+restrictions by default, because too many programs currently crash in this
+mode.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
.It Fl x
Disables X11 forwarding.
.Pp
@@ -817,6 +827,20 @@ Enables trusted X11 forwarding.
Trusted X11 forwardings are not subjected to the X11 SECURITY extension
controls.
.Pp
+(Debian-specific: In the default configuration, this option is equivalent to
+.Fl X ,
+since
+.Cm ForwardX11Trusted
+defaults to
+.Dq yes
+as described above.
+Set the
+.Cm ForwardX11Trusted
+option to
+.Dq no
+to restore the upstream behaviour.
+This may change in future depending on client-side improvements.)
+.Pp
.It Fl y
Send log information using the
.Xr syslog 3
diff --git a/ssh_config b/ssh_config
index 1ff999b68..8a55237b9 100644
--- a/ssh_config
+++ b/ssh_config
@@ -17,9 +17,12 @@
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
-# Host *
+Include /etc/ssh/ssh_config.d/*.conf
+
+Host *
# ForwardAgent no
# ForwardX11 no
+# ForwardX11Trusted yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
@@ -45,3 +48,6 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
+ SendEnv LANG LC_*
+ HashKnownHosts yes
+ GSSAPIAuthentication yes
diff --git a/ssh_config.5 b/ssh_config.5
index c6eaa63e7..34dc2d51b 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -71,6 +71,29 @@ Since the first obtained value for each parameter is used, more
host-specific declarations should be given near the beginning of the
file, and general defaults at the end.
.Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Include /etc/ssh/ssh_config.d/*.conf
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
+.Pa /etc/ssh/ssh_config.d/*.conf
+files are included at the start of the system-wide configuration file, so
+options set there will override those in
+.Pa /etc/ssh/ssh_config.
+.Pp
The file contains keyword-argument pairs, one per line.
Lines starting with
.Ql #
@@ -729,11 +752,12 @@ elapsed.
.It Cm ForwardX11Trusted
If this option is set to
.Cm yes ,
+(the Debian-specific default),
remote X11 clients will have full access to the original X11 display.
.Pp
If this option is set to
.Cm no
-(the default),
+(the upstream default),
remote X11 clients will be considered untrusted and prevented
from stealing or tampering with data belonging to trusted X11
clients.
diff --git a/sshd_config b/sshd_config
index 2c48105f8..459c1b230 100644
--- a/sshd_config
+++ b/sshd_config
@@ -10,6 +10,8 @@
# possible, but leave them commented. Uncommented options override the
# default value.
+Include /etc/ssh/sshd_config.d/*.conf
+
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
@@ -57,8 +59,9 @@ AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
#PermitEmptyPasswords no
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
@@ -81,16 +84,16 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
-#PrintMotd yes
+PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
@@ -107,8 +110,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# no default banner path
#Banner none
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
diff --git a/sshd_config.5 b/sshd_config.5
index 25f4b8117..e8271be74 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -56,6 +56,35 @@ Arguments may optionally be enclosed in double quotes
.Pq \&"
in order to represent arguments containing spaces.
.Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Include /etc/ssh/sshd_config.d/*.conf
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
+.Pa /etc/ssh/sshd_config.d/*.conf
+files are included at the start of the configuration file, so options set
+there will override those in
+.Pa /etc/ssh/sshd_config.
+.Pp
The possible
keywords and their meanings are as follows (note that
keywords are case-insensitive and arguments are case-sensitive):

94
debian/patches/dnssec-sshfp.patch vendored
View File

@ -1,94 +0,0 @@
From 74c1c0ef7689ea68dc8263f73c00ff8675f9f0fe Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:01 +0000
Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
This allows SSHFP DNS records to be verified if glibc 2.11 is installed.
Origin: vendor, https://cvs.fedoraproject.org/viewvc/F-12/openssh/openssh-5.2p1-edns.patch?revision=1.1&view=markup
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572049
Last-Update: 2010-04-06
Patch-Name: dnssec-sshfp.patch
---
dns.c | 14 +++++++++++++-
openbsd-compat/getrrsetbyname.c | 10 +++++-----
openbsd-compat/getrrsetbyname.h | 3 +++
3 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/dns.c b/dns.c
index e4f9bf830..9c9fe6413 100644
--- a/dns.c
+++ b/dns.c
@@ -210,6 +210,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
{
u_int counter;
int result;
+ unsigned int rrset_flags = 0;
struct rrsetinfo *fingerprints = NULL;
u_int8_t hostkey_algorithm;
@@ -233,8 +234,19 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
return -1;
}
+ /*
+ * Original getrrsetbyname function, found on OpenBSD for example,
+ * doesn't accept any flag and prerequisite for obtaining AD bit in
+ * DNS response is set by "options edns0" in resolv.conf.
+ *
+ * Our version is more clever and use RRSET_FORCE_EDNS0 flag.
+ */
+#ifndef HAVE_GETRRSETBYNAME
+ rrset_flags |= RRSET_FORCE_EDNS0;
+#endif
result = getrrsetbyname(hostname, DNS_RDATACLASS_IN,
- DNS_RDATATYPE_SSHFP, 0, &fingerprints);
+ DNS_RDATATYPE_SSHFP, rrset_flags, &fingerprints);
+
if (result) {
verbose("DNS lookup error: %s", dns_result_totext(result));
return -1;
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index dc6fe0533..e061a290a 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
goto fail;
}
- /* don't allow flags yet, unimplemented */
- if (flags) {
+ /* Allow RRSET_FORCE_EDNS0 flag only. */
+ if ((flags & !RRSET_FORCE_EDNS0) != 0) {
result = ERRSET_INVAL;
goto fail;
}
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
#endif /* DEBUG */
#ifdef RES_USE_DNSSEC
- /* turn on DNSSEC if EDNS0 is configured */
- if (_resp->options & RES_USE_EDNS0)
- _resp->options |= RES_USE_DNSSEC;
+ /* turn on DNSSEC if required */
+ if (flags & RRSET_FORCE_EDNS0)
+ _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
#endif /* RES_USE_DNSEC */
/* make query */
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
index 1283f5506..dbbc85a2a 100644
--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
#ifndef RRSET_VALIDATED
# define RRSET_VALIDATED 1
#endif
+#ifndef RRSET_FORCE_EDNS0
+# define RRSET_FORCE_EDNS0 0x0001
+#endif
/*
* Return codes for getrrsetbyname()

28
debian/patches/doc-hash-tab-completion.patch vendored
View File

@ -1,28 +0,0 @@
From a14ddfc3f607b0bf29046bfb4b26a6d827fa58c7 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:11 +0000
Subject: Document that HashKnownHosts may break tab-completion
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1727
Bug-Debian: http://bugs.debian.org/430154
Last-Update: 2013-09-14
Patch-Name: doc-hash-tab-completion.patch
---
ssh_config.5 | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ssh_config.5 b/ssh_config.5
index e61a0fd43..c6eaa63e7 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -848,6 +848,9 @@ Note that existing names and addresses in known hosts files
will not be converted automatically,
but may be manually hashed using
.Xr ssh-keygen 1 .
+Use of this option may break facilities such as tab-completion that rely
+on being able to read unhashed host names from
+.Pa ~/.ssh/known_hosts .
.It Cm HostbasedAuthentication
Specifies whether to try rhosts based authentication with public key
authentication.

26
debian/patches/gnome-ssh-askpass2-icon.patch vendored
View File

@ -1,26 +0,0 @@
From 63da84c3570afb4fa6bab38fdac3e9af45d0ec54 Mon Sep 17 00:00:00 2001
From: Vincent Untz <vuntz@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:16 +0000
Subject: Give the ssh-askpass-gnome window a default icon
Bug-Ubuntu: https://bugs.launchpad.net/bugs/27152
Last-Update: 2010-02-28
Patch-Name: gnome-ssh-askpass2-icon.patch
---
contrib/gnome-ssh-askpass2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
index bc83a2d67..88cdfaeff 100644
--- a/contrib/gnome-ssh-askpass2.c
+++ b/contrib/gnome-ssh-askpass2.c
@@ -233,6 +233,8 @@ main(int argc, char **argv)
gtk_init(&argc, &argv);
+ gtk_window_set_default_icon_from_file ("/usr/share/pixmaps/ssh-askpass-gnome.png", NULL);
+
if (argc > 1) {
message = g_strjoinv(" ", argv + 1);
} else {

3983
debian/patches/gssapi.patch vendored
View File

File diff suppressed because it is too large Load Diff

135
debian/patches/keepalive-extensions.patch vendored
View File

@ -1,135 +0,0 @@
From 3558be2914c0127489faae40ce2eae66142c3287 Mon Sep 17 00:00:00 2001
From: Richard Kettlewell <rjk@greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:52 +0000
Subject: Various keepalive extensions
Add compatibility aliases for ProtocolKeepAlives and SetupTimeOut, supported
in previous versions of Debian's OpenSSH package but since superseded by
ServerAliveInterval. (We're probably stuck with this bit for
compatibility.)
In batch mode, default ServerAliveInterval to five minutes.
Adjust documentation to match and to give some more advice on use of
keepalives.
Author: Ian Jackson <ian@chiark.greenend.org.uk>
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2020-02-21
Patch-Name: keepalive-extensions.patch
---
readconf.c | 14 ++++++++++++--
ssh_config.5 | 21 +++++++++++++++++++--
sshd_config.5 | 3 +++
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/readconf.c b/readconf.c
index 0fc996871..2399208f8 100644
--- a/readconf.c
+++ b/readconf.c
@@ -176,6 +176,7 @@ typedef enum {
oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
oSecurityKeyProvider,
+ oProtocolKeepAlives, oSetupTimeOut,
oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
} OpCodes;
@@ -326,6 +327,8 @@ static struct {
{ "ignoreunknown", oIgnoreUnknown },
{ "proxyjump", oProxyJump },
{ "securitykeyprovider", oSecurityKeyProvider },
+ { "protocolkeepalives", oProtocolKeepAlives },
+ { "setuptimeout", oSetupTimeOut },
{ NULL, oBadOption }
};
@@ -1495,6 +1498,8 @@ parse_keytypes:
goto parse_flag;
case oServerAliveInterval:
+ case oProtocolKeepAlives: /* Debian-specific compatibility alias */
+ case oSetupTimeOut: /* Debian-specific compatibility alias */
intptr = &options->server_alive_interval;
goto parse_time;
@@ -2198,8 +2203,13 @@ fill_default_options(Options * options)
options->rekey_interval = 0;
if (options->verify_host_key_dns == -1)
options->verify_host_key_dns = 0;
- if (options->server_alive_interval == -1)
- options->server_alive_interval = 0;
+ if (options->server_alive_interval == -1) {
+ /* in batch mode, default is 5mins */
+ if (options->batch_mode == 1)
+ options->server_alive_interval = 300;
+ else
+ options->server_alive_interval = 0;
+ }
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
if (options->control_master == -1)
diff --git a/ssh_config.5 b/ssh_config.5
index 3f4906972..3079db19b 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -266,9 +266,13 @@ If set to
.Cm yes ,
user interaction such as password prompts and host key confirmation requests
will be disabled.
+In addition, the
+.Cm ServerAliveInterval
+option will be set to 300 seconds by default (Debian-specific).
This option is useful in scripts and other batch jobs where no user
is present to interact with
-.Xr ssh 1 .
+.Xr ssh 1 ,
+and where it is desirable to detect a broken network swiftly.
The argument must be
.Cm yes
or
@@ -1593,7 +1597,14 @@ from the server,
will send a message through the encrypted
channel to request a response from the server.
The default
-is 0, indicating that these messages will not be sent to the server.
+is 0, indicating that these messages will not be sent to the server,
+or 300 if the
+.Cm BatchMode
+option is set (Debian-specific).
+.Cm ProtocolKeepAlives
+and
+.Cm SetupTimeOut
+are Debian-specific compatibility aliases for this option.
.It Cm SetEnv
Directly specify one or more environment variables and their contents to
be sent to the server.
@@ -1673,6 +1684,12 @@ Specifies whether the system should send TCP keepalive messages to the
other side.
If they are sent, death of the connection or crash of one
of the machines will be properly noticed.
+This option only uses TCP keepalives (as opposed to using ssh level
+keepalives), so takes a long time to notice when the connection dies.
+As such, you probably want
+the
+.Cm ServerAliveInterval
+option as well.
However, this means that
connections will die if the route is down temporarily, and some people
find it annoying.
diff --git a/sshd_config.5 b/sshd_config.5
index f6b41a2f8..ebd09f891 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1668,6 +1668,9 @@ This avoids infinitely hanging sessions.
.Pp
To disable TCP keepalive messages, the value should be set to
.Cm no .
+.Pp
+This option was formerly called
+.Cm KeepAlive .
.It Cm TrustedUserCAKeys
Specifies a file containing public keys of certificate authorities that are
trusted to sign user certificates for authentication, or

44
debian/patches/mention-ssh-keygen-on-keychange.patch vendored
View File

@ -1,44 +0,0 @@
From c18e3c8125fc4553951705a1da8c86395d219bb1 Mon Sep 17 00:00:00 2001
From: Scott Moser <smoser@ubuntu.com>
Date: Sun, 9 Feb 2014 16:10:03 +0000
Subject: Mention ssh-keygen in ssh fingerprint changed warning
Author: Chris Lamb <lamby@debian.org>
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1843
Bug-Ubuntu: https://bugs.launchpad.net/bugs/686607
Last-Update: 2017-08-22
Patch-Name: mention-ssh-keygen-on-keychange.patch
---
sshconnect.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sshconnect.c b/sshconnect.c
index 4a5d4a003..b796d3c8a 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -991,9 +991,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
error("%s. This could either mean that", key_msg);
error("DNS SPOOFING is happening or the IP address for the host");
error("and its host key have changed at the same time.");
- if (ip_status != HOST_NEW)
+ if (ip_status != HOST_NEW) {
error("Offending key for IP in %s:%lu",
ip_found->file, ip_found->line);
+ error(" remove with:");
+ error(" ssh-keygen -f \"%s\" -R \"%s\"",
+ ip_found->file, ip);
+ }
}
/* The host key has changed. */
warn_changed_key(host_key);
@@ -1002,6 +1006,9 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
error("Offending %s key in %s:%lu",
sshkey_type(host_found->key),
host_found->file, host_found->line);
+ error(" remove with:");
+ error(" ssh-keygen -f \"%s\" -R \"%s\"",
+ host_found->file, host);
/*
* If strict host key checking is in use, the user will have

62
debian/patches/no-openssl-version-status.patch vendored
View File

@ -1,62 +0,0 @@
From ba0377ab3e6b68f7ab747f500991a0445c7f4086 Mon Sep 17 00:00:00 2001
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sun, 9 Feb 2014 16:10:14 +0000
Subject: Don't check the status field of the OpenSSL version
There is no reason to check the version of OpenSSL (in Debian). If it's
not compatible the soname will change. OpenSSH seems to want to do a
check for the soname based on the version number, but wants to keep the
status of the release the same. Remove that check on the status since
it doesn't tell you anything about how compatible that version is.
Author: Colin Watson <cjwatson@debian.org>
Bug-Debian: https://bugs.debian.org/93581
Bug-Debian: https://bugs.debian.org/664383
Bug-Debian: https://bugs.debian.org/732940
Forwarded: not-needed
Last-Update: 2014-10-07
Patch-Name: no-openssl-version-status.patch
---
openbsd-compat/openssl-compat.c | 6 +++---
openbsd-compat/regress/opensslvertest.c | 1 +
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index a37ca61bf..c1749210d 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -34,7 +34,7 @@
/*
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
* We match major, minor, fix and status (not patch) for <1.0.0.
- * After that, we acceptable compatible fix versions (so we
+ * After that, we accept compatible fix and status versions (so we
* allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
* within a patch series.
*/
@@ -55,10 +55,10 @@ ssh_compatible_openssl(long headerver, long libver)
}
/*
- * For versions >= 1.0.0, major,minor,status must match and library
+ * For versions >= 1.0.0, major,minor must match and library
* fix version must be equal to or newer than the header.
*/
- mask = 0xfff0000fL; /* major,minor,status */
+ mask = 0xfff00000L; /* major,minor */
hfix = (headerver & 0x000ff000) >> 12;
lfix = (libver & 0x000ff000) >> 12;
if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
index 5d019b598..58474873d 100644
--- a/openbsd-compat/regress/opensslvertest.c
+++ b/openbsd-compat/regress/opensslvertest.c
@@ -35,6 +35,7 @@ struct version_test {
/* built with 1.0.1b release headers */
{ 0x1000101fL, 0x1000101fL, 1},/* exact match */
+ { 0x1000101fL, 0x10001010L, 1}, /* different status: ok */
{ 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
{ 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
{ 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */

148
debian/patches/openbsd-docs.patch vendored
View File

@ -1,148 +0,0 @@
From 39fe318a4b572deeb3f7d03e55d319c0ab112a28 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:09 +0000
Subject: Adjust various OpenBSD-specific references in manual pages
No single bug reference for this patch, but history includes:
http://bugs.debian.org/154434 (login.conf(5))
http://bugs.debian.org/513417 (/etc/rc)
http://bugs.debian.org/530692 (ssl(8))
https://bugs.launchpad.net/bugs/456660 (ssl(8))
Forwarded: not-needed
Last-Update: 2017-10-04
Patch-Name: openbsd-docs.patch
---
moduli.5 | 4 ++--
ssh-keygen.1 | 12 ++++--------
ssh.1 | 4 ++++
sshd.8 | 5 ++---
sshd_config.5 | 3 +--
5 files changed, 13 insertions(+), 15 deletions(-)
diff --git a/moduli.5 b/moduli.5
index ef0de0850..149846c8c 100644
--- a/moduli.5
+++ b/moduli.5
@@ -21,7 +21,7 @@
.Nd Diffie-Hellman moduli
.Sh DESCRIPTION
The
-.Pa /etc/moduli
+.Pa /etc/ssh/moduli
file contains prime numbers and generators for use by
.Xr sshd 8
in the Diffie-Hellman Group Exchange key exchange method.
@@ -110,7 +110,7 @@ first estimates the size of the modulus required to produce enough
Diffie-Hellman output to sufficiently key the selected symmetric cipher.
.Xr sshd 8
then randomly selects a modulus from
-.Fa /etc/moduli
+.Fa /etc/ssh/moduli
that best meets the size requirement.
.Sh SEE ALSO
.Xr ssh-keygen 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 7af564297..d6a7870e0 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -196,9 +196,7 @@ key in
.Pa ~/.ssh/id_ed25519_sk
or
.Pa ~/.ssh/id_rsa .
-Additionally, the system administrator may use this to generate host keys,
-as seen in
-.Pa /etc/rc .
+Additionally, the system administrator may use this to generate host keys.
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
@@ -261,9 +259,7 @@ If
.Fl f
has also been specified, its argument is used as a prefix to the
default path for the resulting host key files.
-This is used by
-.Pa /etc/rc
-to generate new host keys.
+This is used by system administration scripts to generate new host keys.
.It Fl a Ar rounds
When saving a private key, this option specifies the number of KDF
(key derivation function) rounds used.
@@ -783,7 +779,7 @@ option.
Valid generator values are 2, 3, and 5.
.Pp
Screened DH groups may be installed in
-.Pa /etc/moduli .
+.Pa /etc/ssh/moduli .
It is important that this file contains moduli of a range of bit lengths and
that both ends of a connection share common moduli.
.Pp
@@ -1154,7 +1150,7 @@ on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
diff --git a/ssh.1 b/ssh.1
index cf991e4ee..17b0e984f 100644
--- a/ssh.1
+++ b/ssh.1
@@ -887,6 +887,10 @@ implements public key authentication protocol automatically,
using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
The HISTORY section of
.Xr ssl 8
+(on non-OpenBSD systems, see
+.nh
+http://www.openbsd.org/cgi\-bin/man.cgi?query=ssl&sektion=8#HISTORY)
+.hy
contains a brief discussion of the DSA and RSA algorithms.
.Pp
The file
diff --git a/sshd.8 b/sshd.8
index 730520231..5ce0ea4fa 100644
--- a/sshd.8
+++ b/sshd.8
@@ -65,7 +65,7 @@ over an insecure network.
.Nm
listens for connections from clients.
It is normally started at boot from
-.Pa /etc/rc .
+.Pa /etc/init.d/ssh .
It forks a new
daemon for each incoming connection.
The forked daemons handle
@@ -904,7 +904,7 @@ This file is for host-based authentication (see
.Xr ssh 1 ) .
It should only be writable by root.
.Pp
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange"
key exchange method.
The file format is described in
@@ -1002,7 +1002,6 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
.Xr hosts_access 5 ,
-.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
.Xr inetd 8 ,
diff --git a/sshd_config.5 b/sshd_config.5
index c926f584c..25f4b8117 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -387,8 +387,7 @@ Certificates signed using other algorithms will not be accepted for
public key or host-based authentication.
.It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via
-PAM or through authentication styles supported in
-.Xr login.conf 5 )
+PAM).
The default is
.Cm yes .
.It Cm ChrootDirectory

47
debian/patches/package-versioning.patch vendored
View File

@ -1,47 +0,0 @@
From a4f868858c3395cacb59c58786b501317b9a3d03 Mon Sep 17 00:00:00 2001
From: Matthew Vernon <matthew@debian.org>
Date: Sun, 9 Feb 2014 16:10:05 +0000
Subject: Include the Debian version in our identification
This makes it easier to audit networks for versions patched against security
vulnerabilities. It has little detrimental effect, as attackers will
generally just try attacks rather than bothering to scan for
vulnerable-looking version strings. (However, see debian-banner.patch.)
Forwarded: not-needed
Last-Update: 2019-06-05
Patch-Name: package-versioning.patch
---
kex.c | 2 +-
version.h | 7 ++++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/kex.c b/kex.c
index 574c76093..f638942d3 100644
--- a/kex.c
+++ b/kex.c
@@ -1244,7 +1244,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
diff --git a/version.h b/version.h
index c2affcb2a..d79126cc3 100644
--- a/version.h
+++ b/version.h
@@ -3,4 +3,9 @@
#define SSH_VERSION "OpenSSH_8.2"
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+#define SSH_RELEASE_MINIMUM SSH_VERSION SSH_PORTABLE
+#ifdef SSH_EXTRAVERSION
+#define SSH_RELEASE SSH_RELEASE_MINIMUM " " SSH_EXTRAVERSION
+#else
+#define SSH_RELEASE SSH_RELEASE_MINIMUM
+#endif

35
debian/patches/restore-authorized_keys2.patch vendored
View File

@ -1,35 +0,0 @@
From 58390cbd5e07df92729b794beb491f7352b26993 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 5 Mar 2017 02:02:11 +0000
Subject: Restore reading authorized_keys2 by default
Upstream seems to intend to gradually phase this out, so don't assume
that this will remain the default forever. However, we were late in
adopting the upstream sshd_config changes, so it makes sense to extend
the grace period.
Bug-Debian: https://bugs.debian.org/852320
Forwarded: not-needed
Last-Update: 2017-03-05
Patch-Name: restore-authorized_keys2.patch
---
sshd_config | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sshd_config b/sshd_config
index 459c1b230..dc0db5706 100644
--- a/sshd_config
+++ b/sshd_config
@@ -38,9 +38,8 @@ Include /etc/ssh/sshd_config.d/*.conf
#PubkeyAuthentication yes
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none

172
debian/patches/restore-tcp-wrappers.patch vendored
View File

@ -1,172 +0,0 @@
From 31d42cd8624f29508f772447e617ab043a6487d9 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 7 Oct 2014 13:22:41 +0100
Subject: Restore TCP wrappers support
Support for TCP wrappers was dropped in OpenSSH 6.7. See this message
and thread:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
It is true that this reduces preauth attack surface in sshd. On the
other hand, this support seems to be quite widely used, and abruptly
dropping it (from the perspective of users who don't read
openssh-unix-dev) could easily cause more serious problems in practice.
It's not entirely clear what the right long-term answer for Debian is,
but it at least probably doesn't involve dropping this feature shortly
before a freeze.
Forwarded: not-needed
Last-Update: 2019-06-05
Patch-Name: restore-tcp-wrappers.patch
---
configure.ac | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++
sshd.8 | 7 +++++++
sshd.c | 25 +++++++++++++++++++++++
3 files changed, 89 insertions(+)
diff --git a/configure.ac b/configure.ac
index efafb6bd8..cee7cbc51 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1556,6 +1556,62 @@ else
AC_MSG_RESULT([no])
fi
+# Check whether user wants TCP wrappers support
+TCPW_MSG="no"
+AC_ARG_WITH([tcp-wrappers],
+ [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
+ [
+ if test "x$withval" != "xno" ; then
+ saved_LIBS="$LIBS"
+ saved_LDFLAGS="$LDFLAGS"
+ saved_CPPFLAGS="$CPPFLAGS"
+ if test -n "${withval}" && \
+ test "x${withval}" != "xyes"; then
+ if test -d "${withval}/lib"; then
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ else
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval} ${LDFLAGS}"
+ fi
+ fi
+ if test -d "${withval}/include"; then
+ CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
+ else
+ CPPFLAGS="-I${withval} ${CPPFLAGS}"
+ fi
+ fi
+ LIBS="-lwrap $LIBS"
+ AC_MSG_CHECKING([for libwrap])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <tcpd.h>
+int deny_severity = 0, allow_severity = 0;
+ ]], [[
+ hosts_access(0);
+ ]])], [
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([LIBWRAP], [1],
+ [Define if you want
+ TCP Wrappers support])
+ SSHDLIBS="$SSHDLIBS -lwrap"
+ TCPW_MSG="yes"
+ ], [
+ AC_MSG_ERROR([*** libwrap missing])
+
+ ])
+ LIBS="$saved_LIBS"
+ fi
+ ]
+)
+
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5413,6 +5469,7 @@ echo " PAM support: $PAM_MSG"
echo " OSF SIA support: $SIA_MSG"
echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
+echo " TCP Wrappers support: $TCPW_MSG"
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " libldns support: $LDNS_MSG"
diff --git a/sshd.8 b/sshd.8
index c5f8987d2..730520231 100644
--- a/sshd.8
+++ b/sshd.8
@@ -893,6 +893,12 @@ the user's home directory becomes accessible.
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
+.It Pa /etc/hosts.allow
+.It Pa /etc/hosts.deny
+Access controls that should be enforced by tcp-wrappers are defined here.
+Further details are described in
+.Xr hosts_access 5 .
+.Pp
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -995,6 +1001,7 @@ The content of this file is not sensitive; it can be world-readable.
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
+.Xr hosts_access 5 ,
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
diff --git a/sshd.c b/sshd.c
index d92f03aaf..62dc55cf2 100644
--- a/sshd.c
+++ b/sshd.c
@@ -124,6 +124,13 @@
#include "ssherr.h"
#include "sk-api.h"
+#ifdef LIBWRAP
+#include <tcpd.h>
+#include <syslog.h>
+int allow_severity;
+int deny_severity;
+#endif /* LIBWRAP */
+
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
@@ -2138,6 +2145,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
+#ifdef LIBWRAP
+ allow_severity = options.log_facility|LOG_INFO;
+ deny_severity = options.log_facility|LOG_WARNING;
+ /* Check whether logins are denied from this host. */
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ struct request_info req;
+
+ request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ debug("Connection refused by tcp wrapper");
+ refuse(&req);
+ /* NOTREACHED */
+ fatal("libwrap refuse returns");
+ }
+ }
+#endif /* LIBWRAP */
rdomain = ssh_packet_rdomain_in(ssh);

93
debian/patches/revert-ipqos-defaults.patch vendored
View File

@ -1,93 +0,0 @@
From 86fe78ef4686485394b464cf9d3393ce27b33979 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
AF21 for"
This reverts commit 5ee8448ad7c306f05a9f56769f95336a8269f379.
The IPQoS default changes have some unfortunate interactions with
iptables (see https://bugs.debian.org/923880) and VMware, so I'm
temporarily reverting them until those have been fixed.
Bug-Debian: https://bugs.debian.org/923879
Bug-Debian: https://bugs.debian.org/926229
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1822370
Last-Update: 2019-04-08
Patch-Name: revert-ipqos-defaults.patch
---
readconf.c | 4 ++--
servconf.c | 4 ++--
ssh_config.5 | 6 ++----
sshd_config.5 | 6 ++----
4 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/readconf.c b/readconf.c
index e82024678..1b9494d7c 100644
--- a/readconf.c
+++ b/readconf.c
@@ -2230,9 +2230,9 @@ fill_default_options(Options * options)
if (options->visual_host_key == -1)
options->visual_host_key = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->request_tty == -1)
options->request_tty = REQUEST_TTY_AUTO;
if (options->proxy_use_fdpass == -1)
diff --git a/servconf.c b/servconf.c
index 7bbc25c2e..470ad3619 100644
--- a/servconf.c
+++ b/servconf.c
@@ -452,9 +452,9 @@ fill_default_server_options(ServerOptions *options)
if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
if (options->ip_qos_bulk == -1)
- options->ip_qos_bulk = IPTOS_DSCP_CS1;
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
diff --git a/ssh_config.5 b/ssh_config.5
index 34dc2d51b..91beb6f50 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1140,11 +1140,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to use keyboard-interactive authentication.
diff --git a/sshd_config.5 b/sshd_config.5
index e8271be74..d25b2f3d5 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -914,11 +914,9 @@ If one argument is specified, it is used as the packet class unconditionally.
If two values are specified, the first is automatically selected for
interactive sessions and the second for non-interactive sessions.
The default is
-.Cm af21
-(Low-Latency Data)
+.Cm lowdelay
for interactive sessions and
-.Cm cs1
-(Lower Effort)
+.Cm throughput
for non-interactive sessions.
.It Cm KbdInteractiveAuthentication
Specifies whether to allow keyboard-interactive authentication.

41
debian/patches/scp-quoting.patch vendored
View File

@ -1,41 +0,0 @@
From 5166a6af68da4778c7e2c2d117bb56361c7aa361 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:59 +0000
Subject: Adjust scp quoting in verbose mode
Tweak scp's reporting of filenames in verbose mode to be a bit less
confusing with spaces.
This should be revised to mimic real shell quoting.
Bug-Ubuntu: https://bugs.launchpad.net/bugs/89945
Last-Update: 2010-02-27
Patch-Name: scp-quoting.patch
---
scp.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/scp.c b/scp.c
index 6901e0c94..9b64aa5f4 100644
--- a/scp.c
+++ b/scp.c
@@ -201,8 +201,16 @@ do_local_cmd(arglist *a)
if (verbose_mode) {
fprintf(stderr, "Executing:");
- for (i = 0; i < a->num; i++)
- fmprintf(stderr, " %s", a->list[i]);
+ for (i = 0; i < a->num; i++) {
+ if (i == 0)
+ fmprintf(stderr, " %s", a->list[i]);
+ else
+ /*
+ * TODO: misbehaves if a->list[i] contains a
+ * single quote
+ */
+ fmprintf(stderr, " '%s'", a->list[i]);
+ }
fprintf(stderr, "\n");
}
if ((pid = fork()) == -1)

472
debian/patches/selinux-role.patch vendored
View File

@ -1,472 +0,0 @@
From b108c6bbe4b3691600a272b27fa24d9080018db7 Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <srivasta@debian.org>
Date: Sun, 9 Feb 2014 16:09:49 +0000
Subject: Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2020-02-21
Patch-Name: selinux-role.patch
---
auth.h | 1 +
auth2.c | 10 ++++++++--
monitor.c | 37 +++++++++++++++++++++++++++++++++----
monitor.h | 2 ++
monitor_wrap.c | 27 ++++++++++++++++++++++++---
monitor_wrap.h | 3 ++-
openbsd-compat/port-linux.c | 21 ++++++++++++++-------
openbsd-compat/port-linux.h | 4 ++--
platform.c | 4 ++--
platform.h | 2 +-
session.c | 10 +++++-----
session.h | 2 +-
sshd.c | 2 +-
sshpty.c | 4 ++--
sshpty.h | 2 +-
15 files changed, 99 insertions(+), 32 deletions(-)
diff --git a/auth.h b/auth.h
index becc672b5..5da9fe75f 100644
--- a/auth.h
+++ b/auth.h
@@ -63,6 +63,7 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+ char *role;
/* Method lists for multiple authentication */
char **auth_methods; /* modified from server config */
diff --git a/auth2.c b/auth2.c
index 1c217268c..92a6bcaf4 100644
--- a/auth2.c
+++ b/auth2.c
@@ -265,7 +265,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
Authmethod *m = NULL;
- char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+ char *user = NULL, *service = NULL, *method = NULL, *style = NULL, *role = NULL;
int r, authenticated = 0;
double tstart = monotime_double();
@@ -279,8 +279,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
+ else if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
if (authctxt->attempt++ == 0) {
/* setup auth context */
@@ -307,8 +312,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
+ authctxt->role = role ? xstrdup(role) : NULL;
if (use_privsep)
- mm_inform_authserv(service, style);
+ mm_inform_authserv(service, style, role);
userauth_banner(ssh);
if (auth2_setup_methods_lists(authctxt) != 0)
ssh_packet_disconnect(ssh,
diff --git a/monitor.c b/monitor.c
index ebf76c7f9..947fdfadc 100644
--- a/monitor.c
+++ b/monitor.c
@@ -118,6 +118,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
@@ -198,6 +199,7 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -820,6 +822,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
#ifdef USE_PAM
@@ -853,16 +856,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
monitor_permit_authentications(1);
if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
- (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0)
+ (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- debug3("%s: service=%s, style=%s",
- __func__, authctxt->service, authctxt->style);
+ debug3("%s: service=%s, style=%s, role=%s",
+ __func__, authctxt->service, authctxt->style, authctxt->role);
if (strlen(authctxt->style) == 0) {
free(authctxt->style);
authctxt->style = NULL;
}
+ if (strlen(authctxt->role) == 0) {
+ free(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+
+int
+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
+{
+ int r;
+
+ monitor_permit_authentications(1);
+
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ free(authctxt->role);
+ authctxt->role = NULL;
+ }
+
return (0);
}
@@ -1554,7 +1583,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
if (res == 0)
goto error;
- pty_setowner(authctxt->pw, s->tty);
+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
if ((r = sshbuf_put_u32(m, 1)) != 0 ||
(r = sshbuf_put_cstring(m, s->tty)) != 0)
diff --git a/monitor.h b/monitor.h
index 2b1a2d590..4d87284aa 100644
--- a/monitor.h
+++ b/monitor.h
@@ -65,6 +65,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
+
+ MONITOR_REQ_AUTHROLE = 154,
};
struct ssh;
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 6edb509a3..b49c268d3 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
return (banner);
}
-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
void
-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
{
struct sshbuf *m;
int r;
@@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style)
if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
if ((r = sshbuf_put_cstring(m, service)) != 0 ||
- (r = sshbuf_put_cstring(m, style ? style : "")) != 0)
+ (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
+ (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
@@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style)
sshbuf_free(m);
}
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+ struct sshbuf *m;
+ int r;
+
+ debug3("%s entering", __func__);
+
+ if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
+
+ sshbuf_free(m);
+}
+
/* Do the password authentication */
int
mm_auth_password(struct ssh *ssh, char *password)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 485590c18..370b08e17 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -47,7 +47,8 @@ DH *mm_choose_dh(int, int, int);
#endif
int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
const u_char *, size_t, const char *, const char *, u_int compat);
-void mm_inform_authserv(char *, char *);
+void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
struct passwd *mm_getpwnamallow(struct ssh *, const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 622988822..3e6e07670 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -56,7 +56,7 @@ ssh_selinux_enabled(void)
/* Return the default security context for the given username */
static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
{
security_context_t sc = NULL;
char *sename = NULL, *lvl = NULL;
@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname)
#endif
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+ &sc);
+ else
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
#else
- r = get_default_context(sename, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_role(sename, role, NULL, &sc);
+ else
+ r = get_default_context(sename, NULL, &sc);
#endif
if (r != 0) {
@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname)
/* Set the execution context to the default for the specified user */
void
-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
{
security_context_t user_ctx = NULL;
@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname)
debug3("%s: setting execution context", __func__);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
if (setexeccon(user_ctx) != 0) {
switch (security_getenforce()) {
case -1:
@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname)
/* Set the TTY context for the specified user */
void
-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
{
security_context_t new_tty_ctx = NULL;
security_context_t user_ctx = NULL;
@@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
debug3("%s: setting TTY context on %s", __func__, tty);
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
/* XXX: should these calls fatal() upon failure in enforcing mode? */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 3c22a854d..c88129428 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -19,8 +19,8 @@
#ifdef WITH_SELINUX
int ssh_selinux_enabled(void);
-void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
#endif
diff --git a/platform.c b/platform.c
index 44ba71dc5..2defe9425 100644
--- a/platform.c
+++ b/platform.c
@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
* called if sshd is running as root.
*/
void
-platform_setusercontext_post_groups(struct passwd *pw)
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
{
#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
/*
@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
- ssh_selinux_setup_exec_context(pw->pw_name);
+ ssh_selinux_setup_exec_context(pw->pw_name, role);
#endif
}
diff --git a/platform.h b/platform.h
index ea4f9c584..60d72ffe7 100644
--- a/platform.h
+++ b/platform.h
@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
void platform_post_fork_child(void);
int platform_privileged_uidswap(void);
void platform_setusercontext(struct passwd *);
-void platform_setusercontext_post_groups(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *, const char *);
char *platform_get_krb5_client(const char *);
char *platform_krb5_get_principal_name(const char *);
int platform_sys_dir_uid(uid_t);
diff --git a/session.c b/session.c
index 06a33442a..871799590 100644
--- a/session.c
+++ b/session.c
@@ -1360,7 +1360,7 @@ safely_chroot(const char *path, uid_t uid)
/* Set login name, uid, gid, and groups. */
void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
{
char uidstr[32], *chroot_path, *tmp;
@@ -1388,7 +1388,7 @@ do_setusercontext(struct passwd *pw)
endgrent();
#endif
- platform_setusercontext_post_groups(pw);
+ platform_setusercontext_post_groups(pw, role);
if (!in_chroot && options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1529,7 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
/* Force a password change */
if (s->authctxt->force_pwchange) {
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
child_close_fds(ssh);
do_pwchange(s);
exit(1);
@@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
/* When PAM is enabled we rely on it to do the nologin check */
if (!options.use_pam)
do_nologin(pw);
- do_setusercontext(pw);
+ do_setusercontext(pw, s->authctxt->role);
/*
* PAM session modules in do_setusercontext may have
* generated messages, so if this in an interactive
@@ -1946,7 +1946,7 @@ session_pty_req(struct ssh *ssh, Session *s)
sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
if (!use_privsep)
- pty_setowner(s->pw, s->tty);
+ pty_setowner(s->pw, s->tty, s->authctxt->role);
/* Set window size from the packet. */
pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
diff --git a/session.h b/session.h
index ce59dabd9..675c91146 100644
--- a/session.h
+++ b/session.h
@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);
Session *session_new(void);
Session *session_by_tty(char *);
void session_close(struct ssh *, Session *);
-void do_setusercontext(struct passwd *);
+void do_setusercontext(struct passwd *, const char *);
const char *session_get_remote_name_or_ip(struct ssh *, u_int, int);
diff --git a/sshd.c b/sshd.c
index 62dc55cf2..65916fc6d 100644
--- a/sshd.c
+++ b/sshd.c
@@ -595,7 +595,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
reseed_prngs();
/* Drop privileges */
- do_setusercontext(authctxt->pw);
+ do_setusercontext(authctxt->pw, authctxt->role);
skip:
/* It is safe now to apply the key state */
diff --git a/sshpty.c b/sshpty.c
index bce09e255..308449b37 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
}
void
-pty_setowner(struct passwd *pw, const char *tty)
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
{
struct group *grp;
gid_t gid;
@@ -186,7 +186,7 @@ pty_setowner(struct passwd *pw, const char *tty)
strerror(errno));
#ifdef WITH_SELINUX
- ssh_selinux_setup_pty(pw->pw_name, tty);
+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
#endif
if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
diff --git a/sshpty.h b/sshpty.h
index 9ec7e9a15..de7e000ae 100644
--- a/sshpty.h
+++ b/sshpty.h
@@ -24,5 +24,5 @@ int pty_allocate(int *, int *, char *, size_t);
void pty_release(const char *);
void pty_make_controlling_tty(int *, const char *);
void pty_change_window_size(int, u_int, u_int, u_int, u_int);
-void pty_setowner(struct passwd *, const char *);
+void pty_setowner(struct passwd *, const char *, const char *);
void disconnect_controlling_tty(void);

25
debian/patches/series vendored
View File

@ -1,25 +0,0 @@
gssapi.patch
restore-tcp-wrappers.patch
selinux-role.patch
ssh-vulnkey-compat.patch
keepalive-extensions.patch
syslog-level-silent.patch
user-group-modes.patch
scp-quoting.patch
shell-path.patch
dnssec-sshfp.patch
mention-ssh-keygen-on-keychange.patch
package-versioning.patch
debian-banner.patch
authorized-keys-man-symlink.patch
openbsd-docs.patch
ssh-argv0.patch
doc-hash-tab-completion.patch
ssh-agent-setgid.patch
no-openssl-version-status.patch
gnome-ssh-askpass2-icon.patch
systemd-readiness.patch
debian-config.patch
restore-authorized_keys2.patch
conch-old-privkey-format.patch
revert-ipqos-defaults.patch

39
debian/patches/shell-path.patch vendored
View File

@ -1,39 +0,0 @@
From c19bcc02b07b450d585d0fd10ccd96174aeb3b7c Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:00 +0000
Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
There's some debate on the upstream bug about whether POSIX requires this.
I (Colin Watson) agree with Vincent and think it does.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1494
Bug-Debian: http://bugs.debian.org/492728
Last-Update: 2020-02-21
Patch-Name: shell-path.patch
---
sshconnect.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshconnect.c b/sshconnect.c
index 4711af782..4a5d4a003 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -260,7 +260,7 @@ ssh_proxy_connect(struct ssh *ssh, const char *host, const char *host_arg,
/* Execute the proxy command. Note that we gave up any
extra privileges above. */
ssh_signal(SIGPIPE, SIG_DFL);
- execv(argv[0], argv);
+ execvp(argv[0], argv);
perror(argv[0]);
exit(1);
}
@@ -1388,7 +1388,7 @@ ssh_local_cmd(const char *args)
if (pid == 0) {
ssh_signal(SIGPIPE, SIG_DFL);
debug3("Executing %s -c \"%s\"", shell, args);
- execl(shell, shell, "-c", args, (char *)NULL);
+ execlp(shell, shell, "-c", args, (char *)NULL);
error("Couldn't execute %s -c \"%s\": %s",
shell, args, strerror(errno));
_exit(1);

40
debian/patches/ssh-agent-setgid.patch vendored
View File

@ -1,40 +0,0 @@
From ad09303388f0172ab6e028aaf27d87cf873d123d Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:13 +0000
Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
Bug-Debian: http://bugs.debian.org/711623
Forwarded: no
Last-Update: 2020-02-21
Patch-Name: ssh-agent-setgid.patch
---
ssh-agent.1 | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/ssh-agent.1 b/ssh-agent.1
index fff0db6bc..99e4f6d2e 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -201,6 +201,21 @@ socket and stores its pathname in this variable.
It is accessible only to the current user,
but is easily abused by root or another instance of the same user.
.El
+.Pp
+In Debian,
+.Nm
+is installed with the set-group-id bit set, to prevent
+.Xr ptrace 2
+attacks retrieving private key material.
+This has the side-effect of causing the run-time linker to remove certain
+environment variables which might have security implications for set-id
+programs, including
+.Ev LD_PRELOAD ,
+.Ev LD_LIBRARY_PATH ,
+and
+.Ev TMPDIR .
+If you need to set any of these environment variables, you will need to do
+so in the program executed by ssh-agent.
.Sh FILES
.Bl -tag -width Ds
.It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>

31
debian/patches/ssh-argv0.patch vendored
View File

@ -1,31 +0,0 @@
From 4b1e0000a099f988553ccc4b274e1790b5114c12 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:10 +0000
Subject: ssh(1): Refer to ssh-argv0(1)
Old versions of OpenSSH (up to 2.5 or thereabouts) allowed creating symlinks
to ssh with the name of the host you want to connect to. Debian ships an
ssh-argv0 script restoring this feature; this patch refers to its manual
page from ssh(1).
Bug-Debian: http://bugs.debian.org/111341
Forwarded: not-needed
Last-Update: 2013-09-14
Patch-Name: ssh-argv0.patch
---
ssh.1 | 1 +
1 file changed, 1 insertion(+)
diff --git a/ssh.1 b/ssh.1
index 17b0e984f..b33a8049f 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1610,6 +1610,7 @@ if an error occurred.
.Xr sftp 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
+.Xr ssh-argv0 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr tun 4 ,

42
debian/patches/ssh-vulnkey-compat.patch vendored
View File

@ -1,42 +0,0 @@
From 11d571f137c76d8c2e38b1c1a537b04cc279f8e3 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Sun, 9 Feb 2014 16:09:50 +0000
Subject: Accept obsolete ssh-vulnkey configuration options
These options were used as part of Debian's response to CVE-2008-0166.
Nearly six years later, we no longer need to continue carrying the bulk
of that patch, but we do need to avoid failing when the associated
configuration options are still present.
Last-Update: 2014-02-09
Patch-Name: ssh-vulnkey-compat.patch
---
readconf.c | 1 +
servconf.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/readconf.c b/readconf.c
index da8022dd0..0fc996871 100644
--- a/readconf.c
+++ b/readconf.c
@@ -191,6 +191,7 @@ static struct {
{ "fallbacktorsh", oDeprecated },
{ "globalknownhostsfile2", oDeprecated },
{ "rhostsauthentication", oDeprecated },
+ { "useblacklistedkeys", oDeprecated },
{ "userknownhostsfile2", oDeprecated },
{ "useroaming", oDeprecated },
{ "usersh", oDeprecated },
diff --git a/servconf.c b/servconf.c
index 191575a16..bf3cd84a4 100644
--- a/servconf.c
+++ b/servconf.c
@@ -656,6 +656,7 @@ static struct {
{ "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
{ "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
{ "strictmodes", sStrictModes, SSHCFG_GLOBAL },
+ { "permitblacklistedkeys", sDeprecated, SSHCFG_GLOBAL },
{ "permitemptypasswords", sEmptyPasswd, SSHCFG_ALL },
{ "permituserenvironment", sPermitUserEnvironment, SSHCFG_GLOBAL },
{ "uselogin", sDeprecated, SSHCFG_GLOBAL },

47
debian/patches/syslog-level-silent.patch vendored
View File

@ -1,47 +0,0 @@
From 387c2c1954773733bae9fca21a92db62c31180bd Mon Sep 17 00:00:00 2001
From: Natalie Amery <nmamery@chiark.greenend.org.uk>
Date: Sun, 9 Feb 2014 16:09:54 +0000
Subject: "LogLevel SILENT" compatibility
"LogLevel SILENT" (-qq) was introduced in Debian openssh 1:3.0.1p1-1 to
match the behaviour of non-free SSH, in which -q does not suppress fatal
errors. However, this was unintentionally broken in 1:4.6p1-2 and nobody
complained, so we've dropped most of it. The parts that remain are basic
configuration file compatibility, and an adjustment to "Pseudo-terminal will
not be allocated ..." which should be split out into a separate patch.
Author: Matthew Vernon <matthew@debian.org>
Author: Colin Watson <cjwatson@debian.org>
Last-Update: 2013-09-14
Patch-Name: syslog-level-silent.patch
---
log.c | 1 +
ssh.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/log.c b/log.c
index d9c2d136c..1749af6d1 100644
--- a/log.c
+++ b/log.c
@@ -93,6 +93,7 @@ static struct {
LogLevel val;
} log_levels[] =
{
+ { "SILENT", SYSLOG_LEVEL_QUIET }, /* compatibility */
{ "QUIET", SYSLOG_LEVEL_QUIET },
{ "FATAL", SYSLOG_LEVEL_FATAL },
{ "ERROR", SYSLOG_LEVEL_ERROR },
diff --git a/ssh.c b/ssh.c
index 110cf9c19..6138fd4d3 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1305,7 +1305,7 @@ main(int ac, char **av)
/* Do not allocate a tty if stdin is not a tty. */
if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
options.request_tty != REQUEST_TTY_FORCE) {
- if (tty_flag)
+ if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
logit("Pseudo-terminal will not be allocated because "
"stdin is not a terminal.");
tty_flag = 0;

84
debian/patches/systemd-readiness.patch vendored
View File

@ -1,84 +0,0 @@
From a208834b2d1811dac7054d7fdcdd04672f8b19f6 Mon Sep 17 00:00:00 2001
From: Michael Biebl <biebl@debian.org>
Date: Mon, 21 Dec 2015 16:08:47 +0000
Subject: Add systemd readiness notification support
Bug-Debian: https://bugs.debian.org/778913
Forwarded: no
Last-Update: 2017-08-22
Patch-Name: systemd-readiness.patch
---
configure.ac | 24 ++++++++++++++++++++++++
sshd.c | 9 +++++++++
2 files changed, 33 insertions(+)
diff --git a/configure.ac b/configure.ac
index cee7cbc51..5db3013de 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4664,6 +4664,29 @@ AC_ARG_WITH([kerberos5],
AC_SUBST([GSSLIBS])
AC_SUBST([K5LIBS])
+# Check whether user wants systemd support
+SYSTEMD_MSG="no"
+AC_ARG_WITH(systemd,
+ [ --with-systemd Enable systemd support],
+ [ if test "x$withval" != "xno" ; then
+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
+ if test "$PKGCONFIG" != "no"; then
+ AC_MSG_CHECKING([for libsystemd])
+ if $PKGCONFIG --exists libsystemd; then
+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
+ AC_MSG_RESULT([yes])
+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
+ SYSTEMD_MSG="yes"
+ else
+ AC_MSG_RESULT([no])
+ fi
+ fi
+ fi ]
+)
+
# Looking for programs, paths and files
PRIVSEP_PATH=/var/empty
@@ -5476,6 +5499,7 @@ echo " libldns support: $LDNS_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
+echo " systemd support: $SYSTEMD_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
diff --git a/sshd.c b/sshd.c
index da876a900..c069505a0 100644
--- a/sshd.c
+++ b/sshd.c
@@ -85,6 +85,10 @@
#include <prot.h>
#endif
+#ifdef HAVE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#include "xmalloc.h"
#include "ssh.h"
#include "ssh2.h"
@@ -2027,6 +2031,11 @@ main(int ac, char **av)
}
}
+#ifdef HAVE_SYSTEMD
+ /* Signal systemd that we are ready to accept connections */
+ sd_notify(0, "READY=1");
+#endif
+
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);

210
debian/patches/user-group-modes.patch vendored
View File

@ -1,210 +0,0 @@
From 3309e464e5ae6c940ddd584eed4d2d403f4c168c Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:09:58 +0000
Subject: Allow harmless group-writability
Allow secure files (~/.ssh/config, ~/.ssh/authorized_keys, etc.) to be
group-writable, provided that the group in question contains only the file's
owner. Rejected upstream for IMO incorrect reasons (e.g. a misunderstanding
about the contents of gr->gr_mem). Given that per-user groups and umask 002
are the default setup in Debian (for good reasons - this makes operating in
setgid directories with other groups much easier), we need to permit this by
default.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1060
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=314347
Last-Update: 2019-10-09
Patch-Name: user-group-modes.patch
---
auth-rhosts.c | 6 ++----
auth.c | 3 +--
misc.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++-----
misc.h | 2 ++
readconf.c | 3 +--
ssh.1 | 2 ++
ssh_config.5 | 2 ++
7 files changed, 63 insertions(+), 13 deletions(-)
diff --git a/auth-rhosts.c b/auth-rhosts.c
index 7a10210b6..587f53721 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -260,8 +260,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
return 0;
}
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
logit("Rhosts authentication refused for %.100s: "
"bad ownership or modes for home directory.", pw->pw_name);
auth_debug_add("Rhosts authentication refused for %.100s: "
@@ -287,8 +286,7 @@ auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
* allowing access to their account by anyone.
*/
if (options.strict_modes &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
pw->pw_name, buf);
auth_debug_add("Bad file modes for %.200s", buf);
diff --git a/auth.c b/auth.c
index 687c57b42..aed3c13ac 100644
--- a/auth.c
+++ b/auth.c
@@ -474,8 +474,7 @@ check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
if (options.strict_modes &&
(stat(user_hostfile, &st) == 0) &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
+ !secure_permissions(&st, pw->pw_uid)) {
logit("Authentication refused for %.100s: "
"bad owner or modes for %.200s",
pw->pw_name, user_hostfile);
diff --git a/misc.c b/misc.c
index 3a31d5c18..073d3be19 100644
--- a/misc.c
+++ b/misc.c
@@ -61,8 +61,9 @@
#include <netdb.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
-#include <pwd.h>
#endif
+#include <pwd.h>
+#include <grp.h>
#ifdef SSH_TUN_OPENBSD
#include <net/if.h>
#endif
@@ -1124,6 +1125,55 @@ percent_expand(const char *string, ...)
#undef EXPAND_MAX_KEYS
}
+int
+secure_permissions(struct stat *st, uid_t uid)
+{
+ if (!platform_sys_dir_uid(st->st_uid) && st->st_uid != uid)
+ return 0;
+ if ((st->st_mode & 002) != 0)
+ return 0;
+ if ((st->st_mode & 020) != 0) {
+ /* If the file is group-writable, the group in question must
+ * have exactly one member, namely the file's owner.
+ * (Zero-member groups are typically used by setgid
+ * binaries, and are unlikely to be suitable.)
+ */
+ struct passwd *pw;
+ struct group *gr;
+ int members = 0;
+
+ gr = getgrgid(st->st_gid);
+ if (!gr)
+ return 0;
+
+ /* Check primary group memberships. */
+ while ((pw = getpwent()) != NULL) {
+ if (pw->pw_gid == gr->gr_gid) {
+ ++members;
+ if (pw->pw_uid != uid)
+ return 0;
+ }
+ }
+ endpwent();
+
+ pw = getpwuid(st->st_uid);
+ if (!pw)
+ return 0;
+
+ /* Check supplementary group memberships. */
+ if (gr->gr_mem[0]) {
+ ++members;
+ if (strcmp(pw->pw_name, gr->gr_mem[0]) ||
+ gr->gr_mem[1])
+ return 0;
+ }
+
+ if (!members)
+ return 0;
+ }
+ return 1;
+}
+
int
tun_open(int tun, int mode, char **ifname)
{
@@ -1909,8 +1959,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
snprintf(err, errlen, "%s is not a regular file", buf);
return -1;
}
- if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
- (stp->st_mode & 022) != 0) {
+ if (!secure_permissions(stp, uid)) {
snprintf(err, errlen, "bad ownership or modes for file %s",
buf);
return -1;
@@ -1925,8 +1974,7 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
strlcpy(buf, cp, sizeof(buf));
if (stat(buf, &st) == -1 ||
- (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
- (st.st_mode & 022) != 0) {
+ !secure_permissions(&st, uid)) {
snprintf(err, errlen,
"bad ownership or modes for directory %s", buf);
return -1;
diff --git a/misc.h b/misc.h
index 4a05db2da..5db594b91 100644
--- a/misc.h
+++ b/misc.h
@@ -188,6 +188,8 @@ struct notifier_ctx *notify_start(int, const char *, ...)
__attribute__((format(printf, 2, 3)));
void notify_complete(struct notifier_ctx *);
+int secure_permissions(struct stat *st, uid_t uid);
+
#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b))
#define ROUNDUP(x, y) ((((x)+((y)-1))/(y))*(y))
diff --git a/readconf.c b/readconf.c
index 2399208f8..7f251dd4a 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1902,8 +1902,7 @@ read_config_file_depth(const char *filename, struct passwd *pw,
if (fstat(fileno(f), &sb) == -1)
fatal("fstat %s: %s", filename, strerror(errno));
- if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
- (sb.st_mode & 022) != 0))
+ if (!secure_permissions(&sb, getuid()))
fatal("Bad owner or permissions on %s", filename);
}
diff --git a/ssh.1 b/ssh.1
index db5c65bc7..cf991e4ee 100644
--- a/ssh.1
+++ b/ssh.1
@@ -1506,6 +1506,8 @@ The file format and configuration options are described in
.Xr ssh_config 5 .
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
+It may be group-writable provided that the group in question contains only
+the user.
.Pp
.It Pa ~/.ssh/environment
Contains additional definitions for environment variables; see
diff --git a/ssh_config.5 b/ssh_config.5
index 3079db19b..e61a0fd43 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1952,6 +1952,8 @@ The format of this file is described above.
This file is used by the SSH client.
Because of the potential for abuse, this file must have strict permissions:
read/write for the user, and not writable by others.
+It may be group-writable provided that the group in question contains only
+the user.
.It Pa /etc/ssh/ssh_config
Systemwide configuration file.
This file provides defaults for those

2
debian/source/format vendored
View File

@ -1 +1 @@
3.0 (quilt)
3.0 (native)