From 03150f62813467397932b4a7b6a9e89326bd178b Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Aug 15 2022 07:28:25 +0000 Subject: OpenSSH Rebase to 9.0p1 Related: rhbz#2057466 --- diff --git a/.gitignore b/.gitignore index b0394a7..c32642a 100644 --- a/.gitignore +++ b/.gitignore @@ -54,3 +54,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 /openssh-8.7p1.tar.gz.asc /openssh-8.8p1.tar.gz /openssh-8.8p1.tar.gz.asc +/openssh-9.0p1.tar.gz +/openssh-9.0p1.tar.gz.asc diff --git a/openssh-5.8p2-sigpipe.patch b/openssh-5.8p2-sigpipe.patch index 56af045..554e346 100644 --- a/openssh-5.8p2-sigpipe.patch +++ b/openssh-5.8p2-sigpipe.patch @@ -1,12 +1,14 @@ diff -up openssh-5.8p2/ssh-keyscan.c.sigpipe openssh-5.8p2/ssh-keyscan.c --- openssh-5.8p2/ssh-keyscan.c.sigpipe 2011-08-23 18:30:33.873025916 +0200 +++ openssh-5.8p2/ssh-keyscan.c 2011-08-23 18:32:24.574025362 +0200 -@@ -715,6 +715,8 @@ main(int argc, char **argv) +@@ -715,6 +715,9 @@ main(int argc, char **argv) + if (maxfd > fdlim_get(0)) fdlim_set(maxfd); fdcon = xcalloc(maxfd, sizeof(con)); - ++ + signal(SIGPIPE, SIG_IGN); + - read_wait_nfdset = howmany(maxfd, NFDBITS); - read_wait = xcalloc(read_wait_nfdset, sizeof(fd_mask)); + read_wait = xcalloc(maxfd, sizeof(struct pollfd)); + for (j = 0; j < maxfd; j++) + read_wait[j].fd = -1; diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch index 426c172..941c694 100644 --- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/openssh-6.6.1p1-log-in-chroot.patch @@ -207,8 +207,8 @@ diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c -sftp_server_main(int argc, char **argv, struct passwd *user_pw) +sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler) { - fd_set *rset, *wset; - int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; + int i, r, in, out, ch, skipargs = 0, log_stderr = 0; + ssize_t len, olen; @@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv, extern char *__progname; 
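Review bot: The rebased sigpipe hunk installs the disposition with `signal(SIGPIPE, SIG_IGN);`, whereas portable OpenSSH generally routes signal setup through its ssh_signal() wrapper (misc.c) so that sigaction semantics are uniform across platforms; if that wrapper is in scope in ssh-keyscan.c, `ssh_signal(SIGPIPE, SIG_IGN);` keeps the file consistent with the rest of the tree. For SIG_IGN there is no behavioural difference, so this is a consistency point only. main() in ssh-keyscan.c starts and ends outside the hunk.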
diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 147d90d..1923ac8 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -1,37 +1,3 @@ -diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c ---- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100 -+++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100 -@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n - if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0) - return -1; - -- if (ai == NULL || ai->ai_addr == NULL) -+ if (ai == NULL || ai->ai_addr == NULL) { -+ freeaddrinfo(ai); - return -1; -+ } - - if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, - n) == -1) { -@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char * - if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0) - return -1; - -- if (ai == NULL || ai->ai_addr == NULL) -+ if (ai == NULL || ai->ai_addr == NULL) { -+ freeaddrinfo(ai); - return -1; -+ } - - if (sa != NULL) { -- if (slen < ai->ai_addrlen) -+ if (slen < ai->ai_addrlen) { -+ freeaddrinfo(ai); - return -1; -+ } - memcpy(sa, &ai->ai_addr, ai->ai_addrlen); - } - diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c --- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100 +++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100 
@@ -65,15 +31,6 @@ diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c --- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100 -@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh, - debug("channel %d: connection failed: %s", - c->self, strerror(err)); - /* Try next address, if any */ -- if ((sock = connect_next(&c->connect_ctx)) > 0) { -+ if ((sock = connect_next(&c->connect_ctx)) >= 0) { - close(c->sock); - c->sock = c->rfd = c->wfd = sock; - channel_find_maxfd(ssh->chanctxt); @@ -3804,7 +3804,7 @@ int channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) { @@ -411,30 +368,6 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c continue; } lname = ls_file(fname, g.gl_statv[i], 1, -diff --git a/sftp-client.c b/sftp-client.c -index 9de9afa20f..ea98d9f8d0 100644 ---- a/sftp-client.c -+++ b/sftp-client.c -@@ -2195,6 +2195,7 @@ handle_dest_replies(struct sftp_conn *to, const char *to_path, int synchronous, - (*nreqsp)--; - } - debug3_f("done: %u outstanding replies", *nreqsp); -+ sshbuf_free(msg); - } - - int -diff --git a/sftp-server.c b/sftp-server.c -index 18d1949112..6380c4dd23 100644 ---- a/sftp-server.c -+++ b/sftp-server.c -@@ -1553,6 +1553,7 @@ process_extended_expand(u_int32_t id) - npath = xstrdup(path + 2); - free(path); - xasprintf(&path, "%s/%s", cwd, npath); -+ free(npath); - } else { - /* ~user expansions */ - if (tilde_expand(path, pw->pw_uid, &npath) != 0) { diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c --- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100 
@@ -494,16 +427,6 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c return 0; } -@@ -1386,6 +1388,9 @@ server_accept_loop(int *sock_in, int *so - explicit_bzero(rnd, sizeof(rnd)); - } - } -+ -+ if (fdset != NULL) -+ free(fdset); - } - - /* @@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh) if (newstr) diff --git a/openssh-7.3p1-x11-max-displays.patch b/openssh-7.3p1-x11-max-displays.patch index 5af3e3b..ad181cb 100644 --- a/openssh-7.3p1-x11-max-displays.patch +++ b/openssh-7.3p1-x11-max-displays.patch @@ -10,8 +10,8 @@ diff -up openssh-7.4p1/channels.c.x11max openssh-7.4p1/channels.c +/* Minimum port number for X11 forwarding */ +#define X11_PORT_MIN 6000 - /* Per-channel callback for pre/post select() actions */ - typedef void chan_fn(struct ssh *, Channel *c, + /* Per-channel callback for pre/post IO actions */ + typedef void chan_fn(struct ssh *, Channel *c); @@ -4228,7 +4228,7 @@ channel_send_window_changes(void) */ int diff --git a/openssh-7.6p1-audit.patch b/openssh-7.6p1-audit.patch index 4473518..2d3aae9 100644 --- a/openssh-7.6p1-audit.patch +++ b/openssh-7.6p1-audit.patch @@ -729,7 +729,7 @@ diff -up openssh-8.6p1/auth2.c.audit openssh-8.6p1/auth2.c --- openssh-8.6p1/auth2.c.audit 2021-04-19 16:47:35.682061561 +0200 +++ openssh-8.6p1/auth2.c 2021-04-19 16:47:35.754062114 +0200 @@ -298,9 +298,6 @@ input_userauth_request(int type, u_int32 - } else { + authctxt->valid = 0; /* Invalid user, fake password information */ authctxt->pw = fakepw(); -#ifdef SSH_AUDIT_EVENTS @@ -1195,9 +1195,9 @@ diff -up openssh-8.6p1/monitor.c.audit openssh-8.6p1/monitor.c - ret = sshkey_verify(key, signature, signaturelen, data, datalen, - sigalg, ssh->compat, &sig_details); - debug3_f("%s %s signature %s%s%s", auth_method, sshkey_type(key), + debug3_f("%s %s signature using %s %s%s%s", auth_method, + sshkey_type(key), sigalg == NULL ? "default" : sigalg, (ret == 0) ? "verified" : "unverified", - (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : ""); 
@@ -1576,13 +1600,19 @@ mm_record_login(struct ssh *ssh, Session } @@ -2040,7 +2040,7 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c static char *listener_proctitle; @@ -279,6 +280,15 @@ close_listen_socks(void) - num_listen_socks = -1; + num_listen_socks = 0; } +/* @@ -2049,16 +2049,16 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c + */ +int listening_for_clients(void) +{ -+ return num_listen_socks >= 0; ++ return num_listen_socks > 0; +} + static void close_startup_pipes(void) { @@ -377,18 +387,45 @@ grace_alarm_handler(int sig) - } + ssh_remote_port(the_active_state)); } - + -/* Destroy the host and server keys. They will no longer be needed. */ +/* + * Destroy the host and server keys. They will no longer be needed. Careful, @@ -2196,8 +2196,8 @@ diff -up openssh-8.6p1/sshd.c.audit openssh-8.6p1/sshd.c -server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) +server_accept_loop(struct ssh *ssh, int *sock_in, int *sock_out, int *newsock, int *config_s) { - fd_set *fdset; - int i, j, ret, maxfd; + struct pollfd *pfd = NULL; + int i, j, ret, npfd; @@ -1204,6 +1259,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", diff --git a/openssh-7.7p1-fips.patch b/openssh-7.7p1-fips.patch index cc513db..62468ac 100644 --- a/openssh-7.7p1-fips.patch +++ b/openssh-7.7p1-fips.patch @@ -321,7 +321,7 @@ diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c --- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200 @@ -66,6 +66,7 @@ - #include + #endif #include #include +#include diff --git a/openssh-7.8p1-UsePAM-warning.patch b/openssh-7.8p1-UsePAM-warning.patch index 8560c9f..a94419e 100644 --- a/openssh-7.8p1-UsePAM-warning.patch +++ b/openssh-7.8p1-UsePAM-warning.patch 
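Review bot: `int listening_for_clients(void)` followed by `{` on the same line is not the KNF layout the surrounding sshd.c uses, where the return type, the function name and the opening brace each sit on their own line; since the definition is being retouched anyway, write it as `int` / `listening_for_clients(void)` / `{`. The switch from `>= 0` to `> 0` is right: the neighbouring hunk changes close_listen_socks() to reset `num_listen_socks = 0;` instead of -1, so the old `>= 0` test would keep reporting "listening" after the sockets were closed. A one-line comment such as `/* True while the listen sockets are still open (see close_listen_socks) */` would record that coupling for the next rebase.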
@@ -3,7 +3,7 @@ diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c +++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200 @@ -1749,6 +1749,10 @@ main(int ac, char **av) parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, - cfg, &includes, NULL); + cfg, &includes, NULL, rexeced_flag); + /* 'UsePAM no' is not supported in Fedora */ + if (! options.use_pam) diff --git a/openssh-7.8p1-role-mls.patch b/openssh-7.8p1-role-mls.patch index 48f9f10..4dc460a 100644 --- a/openssh-7.8p1-role-mls.patch +++ b/openssh-7.8p1-role-mls.patch @@ -93,7 +93,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c (r = sshbuf_put_cstring(b, authctxt->user)) != 0 || +#endif (r = sshbuf_put_cstring(b, authctxt->service)) != 0 || - (r = sshbuf_put_cstring(b, "hostbased")) != 0 || + (r = sshbuf_put_cstring(b, method)) != 0 || (r = sshbuf_put_string(b, pkalg, alen)) != 0 || diff -up openssh/auth2-pubkey.c.role-mls openssh/auth2-pubkey.c --- openssh/auth2-pubkey.c.role-mls 2018-08-22 11:14:56.816430924 +0200 @@ -240,14 +240,14 @@ diff -up openssh-8.6p1/monitor.c.role-mls openssh-8.6p1/monitor.c mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m) { @@ -1251,7 +1280,7 @@ monitor_valid_userblob(struct ssh *ssh, - { struct sshbuf *b; + struct sshkey *hostkey = NULL; const u_char *p; - char *userstyle, *cp; + char *userstyle, *s, *cp; size_t len; u_char type; - int r, fail = 0; + int hostbound = 0, r, fail = 0; @@ -1282,6 +1311,8 @@ monitor_valid_userblob(struct ssh *ssh, fail++; if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) diff --git a/openssh-8.0p1-crypto-policies.patch b/openssh-8.0p1-crypto-policies.patch index 62616aa..2c3f212 100644 --- a/openssh-8.0p1-crypto-policies.patch +++ b/openssh-8.0p1-crypto-policies.patch @@ -92,7 +92,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -@@ -1219,29 +1216,25 @@ +@@ -1219,30 +1216,25 @@ and .Cm pam . .It Cm KexAlgorithms 
@@ -120,6 +120,7 @@ diff --color -ru a/ssh_config.5 b/ssh_config.5 -default set. -The default is: -.Bd -literal -offset indent +-sntrup761x25519-sha512@openssh.com, -curve25519-sha256,curve25519-sha256@libssh.org, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -diffie-hellman-group-exchange-sha256, @@ -327,7 +328,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5 This option only applies to connections using GSSAPI. .It Cm HostbasedAcceptedAlgorithms Specifies the signature algorithms that will be accepted for hostbased -@@ -799,26 +794,13 @@ +@@ -799,25 +794,14 @@ .Ev SSH_AUTH_SOCK environment variable. .It Cm HostKeyAlgorithms @@ -338,7 +339,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5 +.Pp Specifies the host key signature algorithms that the server offers. --The default for this option is: + The default for this option is: -.Bd -literal -offset 3n -ssh-ed25519-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com, @@ -348,12 +349,11 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com, --ssh-rsa-cert-v01@openssh.com, -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com, --rsa-sha2-512,rsa-sha2-256,ssh-rsa +-rsa-sha2-512,rsa-sha2-256 -.Ed -.Pp The list of available signature algorithms may also be obtained using @@ -389,12 +389,13 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5 The supported algorithms are: .Pp .Bl -item -compact -offset indent -@@ -1010,15 +997,6 @@ +@@ -1010,16 +997,6 @@ sntrup761x25519-sha512@openssh.com .El .Pp -The default is: -.Bd -literal -offset indent +-sntrup761x25519-sha512@openssh.com, -curve25519-sha256,curve25519-sha256@libssh.org, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -diffie-hellman-group-exchange-sha256, 
@@ -452,7 +453,7 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5 The list of available MAC algorithms may also be obtained using .Qq ssh -Q mac . .It Cm Match -@@ -1548,37 +1522,25 @@ +@@ -1548,36 +1522,25 @@ The default is .Cm yes . .It Cm PubkeyAcceptedAlgorithms @@ -488,12 +489,11 @@ diff --color -ru a/sshd_config.5 b/sshd_config.5 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com, --ssh-rsa-cert-v01@openssh.com, -ssh-ed25519, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -sk-ssh-ed25519@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com, --rsa-sha2-512,rsa-sha2-256,ssh-rsa +-rsa-sha2-512,rsa-sha2-256 -.Ed +built-in openssh default set. .Pp diff --git a/openssh-8.0p1-gssapi-keyex.patch b/openssh-8.0p1-gssapi-keyex.patch index e26bebd..d5dfd7e 100644 --- a/openssh-8.0p1-gssapi-keyex.patch +++ b/openssh-8.0p1-gssapi-keyex.patch @@ -16,7 +16,7 @@ index e7549470..b68c1710 100644 monitor.o monitor_wrap.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ - loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ + loginrec.o auth-pam.o auth-shadow.o auth-sia.o \ srclimit.o sftp-server.o sftp-common.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ diff -up a/auth.c.gsskex b/auth.c @@ -135,7 +135,7 @@ index 9351e042..d6446c0c 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,7 +1,7 @@ - /* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */ + /* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */ /* - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -224,7 +224,7 @@ index 9351e042..d6446c0c 100644 + Authmethod method_gssapi = { "gssapi-with-mic", - userauth_gssapi, + NULL, diff --git a/auth2.c b/auth2.c index 0e776224..1c217268 100644 --- a/auth2.c 
@@ -375,8 +375,8 @@ index ebd0dbca..1bdac6a4 100644 +#include "ssh-gss.h" +#endif + - /* import options */ - extern Options options; + /* Permitted RSA signature algorithms for UpdateHostkeys proofs */ + #define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256" @@ -1379,9 +1383,18 @@ client_loop(struct ssh *ssh, int have_pty, int escape_char_arg, break; @@ -384,7 +384,7 @@ index ebd0dbca..1bdac6a4 100644 /* Do channel operations unless rekeying in progress. */ - if (!ssh_packet_is_rekeying(ssh)) + if (!ssh_packet_is_rekeying(ssh)) { - channel_after_select(ssh, readset, writeset); + channel_after_poll(ssh, pfd, npfd_active); +#ifdef GSSAPI + if (options.gss_renewal_rekey && @@ -396,8 +396,8 @@ index ebd0dbca..1bdac6a4 100644 + } + /* Buffer input from the connection. */ - client_process_net_input(ssh, readset); - + if (conn_in_ready) + client_process_net_input(ssh); diff --git a/configure.ac b/configure.ac index b689db4b..efafb6bd 100644 --- a/configure.ac @@ -1370,9 +1370,9 @@ index ce85f043..574c7609 100644 +#ifdef GSSAPI + free(kex->gss_host); +#endif /* GSSAPI */ + sshbuf_free(kex->initial_sig); + sshkey_free(kex->initial_hostkey); free(kex->failed_choice); - free(kex->hostkey_alg); - free(kex->name); diff --git a/kex.h b/kex.h index a5ae6ac0..fe714141 100644 --- a/kex.h @@ -3011,7 +3011,7 @@ diff -up a/readconf.c.gsskex b/readconf.c options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; @@ -2463,8 +2516,18 @@ fill_default_options(Options * options) - options->pubkey_authentication = 1; + options->pubkey_authentication = SSH_PUBKEY_AUTH_ALL; if (options->gss_authentication == -1) options->gss_authentication = 0; + if (options->gss_keyex == -1) @@ -3886,7 +3886,7 @@ index 57995ee6..fd5b7724 100644 --- a/sshkey.c +++ b/sshkey.c 
@@ -154,6 +154,7 @@ static const struct keytype keytypes[] = { - KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1, 1, 0 }, + # endif /* ENABLE_SK */ # endif /* OPENSSL_HAS_ECC */ #endif /* WITH_OPENSSL */ + { "null", "null", NULL, KEY_NULL, 0, 0, 0 }, diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch index 8592607..b3295a9 100644 --- a/openssh-8.0p1-pkcs11-uri.patch +++ b/openssh-8.0p1-pkcs11-uri.patch @@ -92,9 +92,9 @@ diff -up openssh-8.7p1/Makefile.in.pkcs11-uri openssh-8.7p1/Makefile.in rm -f regress/unittests/utf8/test_utf8 + rm -f regress/unittests/pkcs11/*.o + rm -f regress/unittests/pkcs11/test_pkcs11 - (cd openbsd-compat && $(MAKE) distclean) - if test -d pkg ; then \ - rm -fr pkg ; \ + rm -f regress/misc/sk-dummy/*.o + rm -f regress/misc/sk-dummy/*.lo + rm -f regress/misc/sk-dummy/sk-dummy.so @@ -513,6 +517,7 @@ regress-prep: $(MKDIR_P) `pwd`/regress/unittests/sshkey $(MKDIR_P) `pwd`/regress/unittests/sshsig @@ -876,22 +876,23 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c --- openssh-8.7p1/ssh-add.c.pkcs11-uri 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/ssh-add.c 2021-08-30 13:07:43.664700104 +0200 @@ -68,6 +68,7 @@ - #include "digest.h" #include "ssh-sk.h" #include "sk-api.h" + #include "hostfile.h" +#include "ssh-pkcs11-uri.h" /* argv0 */ extern char *__progname; -@@ -229,6 +230,32 @@ delete_all(int agent_fd, int qflag) +@@ -229,6 +230,34 @@ delete_all(int agent_fd, int qflag) return ret; } +#ifdef ENABLE_PKCS11 -+static int update_card(int, int, const char *, int, char *); ++static int update_card(int, int, const char *, int, struct dest_constraint **, size_t, char *); + +int -+update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag) ++update_pkcs11_uri(int agent_fd, int adding, const char *pkcs11_uri, int qflag, ++ struct dest_constraint **dest_constraints, size_t ndest_constraints) +{ + char *pin = NULL; + struct pkcs11_uri *uri; 
@@ -909,19 +910,20 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c + } + pkcs11_uri_cleanup(uri); + -+ return update_card(agent_fd, adding, pkcs11_uri, qflag, pin); ++ return update_card(agent_fd, adding, pkcs11_uri, qflag, ++ dest_constraints, ndest_constraints, pin); +} +#endif + static int add_file(int agent_fd, const char *filename, int key_only, int qflag, - const char *skprovider) + const char *skprovider, struct dest_constraint **dest_constraints, @@ -445,12 +472,11 @@ add_file(int agent_fd, const char *filen - } static int --update_card(int agent_fd, int add, const char *id, int qflag) -+update_card(int agent_fd, int add, const char *id, int qflag, char *pin) + update_card(int agent_fd, int add, const char *id, int qflag, +- struct dest_constraint **dest_constraints, size_t ndest_constraints) ++ struct dest_constraint **dest_constraints, size_t ndest_constraints, char *pin) { - char *pin = NULL; int r, ret = -1; @@ -931,15 +933,16 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c if ((pin = read_passphrase("Enter passphrase for PKCS#11: ", RP_ALLOW_STDIN)) == NULL) return -1; -@@ -630,6 +656,13 @@ static int - do_file(int agent_fd, int deleting, int key_only, char *file, int qflag, - const char *skprovider) +@@ -630,6 +656,14 @@ static int + const char *skprovider, struct dest_constraint **dest_constraints, + size_t ndest_constraints) { +#ifdef ENABLE_PKCS11 + if (strlen(file) >= strlen(PKCS11_URI_SCHEME) && + strncmp(file, PKCS11_URI_SCHEME, + strlen(PKCS11_URI_SCHEME)) == 0) { -+ return update_pkcs11_uri(agent_fd, !deleting, file, qflag); ++ return update_pkcs11_uri(agent_fd, !deleting, file, qflag, ++ dest_constraints, ndest_constraints); + } +#endif if (deleting) { 
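Review bot: The PIN now reaches update_card() as a caller-owned `char *pin` (the local `char *pin = NULL;` is removed) but the tail of the function, where the local used to be released, is outside the hunk, so the ownership contract is undocumented: add a comment above the definition, e.g. `/* pin: caller-allocated PKCS#11 PIN, or NULL to prompt; consumed and released here */`, and make sure the release is `freezero(pin, strlen(pin))` rather than a plain free() so the PIN does not linger in the heap. The rewrapped signature `struct dest_constraint **dest_constraints, size_t ndest_constraints, char *pin)` also runs past 80 columns; move `char *pin)` onto its own continuation line. The end of update_card() is outside the hunk, so whether the release path already zeroes the buffer cannot be seen here.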
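Review bot: In do_file the guard `strlen(file) >= strlen(PKCS11_URI_SCHEME) &&` ahead of the strncmp() is redundant: strncmp() stops at the first NUL of either operand, so a `file` shorter than the scheme cannot compare equal over strlen(PKCS11_URI_SCHEME) bytes; `if (strncmp(file, PKCS11_URI_SCHEME, strlen(PKCS11_URI_SCHEME)) == 0)` is sufficient and reads as the single prefix test it is. This is a style point only; do_file's body continues outside the hunk.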
@@ -949,8 +952,8 @@ diff -up openssh-8.7p1/ssh-add.c.pkcs11-uri openssh-8.7p1/ssh-add.c } if (pkcs11provider != NULL) { if (update_card(agent_fd, !deleting, pkcs11provider, -- qflag) == -1) -+ qflag, NULL) == -1) +- qflag, dest_constraints, ndest_constraints) == -1) ++ qflag, dest_constraints, ndest_constraints, NULL) == -1) ret = 1; goto done; } @@ -1080,7 +1083,7 @@ diff -up openssh-8.7p1/ssh-agent.c.pkcs11-uri openssh-8.7p1/ssh-agent.c + free(sane_uri); free(keys); free(comments); - send_status(e, success); + free_dest_constraints(dest_constraints, ndest_constraints); @@ -918,7 +976,7 @@ send: static void process_remove_smartcard_key(SocketEntry *e) @@ -1544,7 +1547,7 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c static RSA_METHOD *rsa_method; @@ -195,6 +286,55 @@ static EC_KEY_METHOD *ec_key_method; static int ec_key_idx = 0; - #endif + #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */ +/* + * This can't be in the ssh-pkcs11-uri, becase we can not depend on @@ -1739,9 +1742,9 @@ diff -up openssh-8.7p1/ssh-pkcs11.c.pkcs11-uri openssh-8.7p1/ssh-pkcs11.c struct pkcs11_key *k11; @@ -614,6 +764,12 @@ pkcs11_ecdsa_wrap(struct pkcs11_provider - k11->keyid = xmalloc(k11->keyid_len); - memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); - + k11->keyid = xmalloc(k11->keyid_len); + memcpy(k11->keyid, keyid_attrib->pValue, k11->keyid_len); + } + if (label_attrib->ulValueLen > 0 ) { + k11->label = xmalloc(label_attrib->ulValueLen+1); + memcpy(k11->label, label_attrib->pValue, label_attrib->ulValueLen); diff --git a/openssh-8.7p1-host-based-auth.patch b/openssh-8.7p1-host-based-auth.patch deleted file mode 100644 index 23efe91..0000000 --- a/openssh-8.7p1-host-based-auth.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -diff --color -rup a/sshconnect2.c b/sshconnect2.c ---- a/sshconnect2.c 2022-07-11 17:00:02.618575727 +0200 -+++ b/sshconnect2.c 2022-07-11 17:03:05.096085690 +0200 -@@ -2288,9 +2288,9 @@ userauth_hostbased(struct ssh *ssh) - if (authctxt->sensitive->keys[i] == NULL || - authctxt->sensitive->keys[i]->type == KEY_UNSPEC) - continue; -- if (match_pattern_list( -+ if (!sshkey_match_keyname_to_sigalgs( - sshkey_ssh_name(authctxt->sensitive->keys[i]), -- authctxt->active_ktype, 0) != 1) -+ authctxt->active_ktype)) - continue; - /* we take and free the key */ - private = authctxt->sensitive->keys[i]; -@@ -2316,7 +2316,8 @@ userauth_hostbased(struct ssh *ssh) - error_f("sshkey_fingerprint failed"); - goto out; - } -- debug_f("trying hostkey %s %s", sshkey_ssh_name(private), fp); -+ debug_f("trying hostkey %s %s using sigalg %s", -+ sshkey_ssh_name(private), fp, authctxt->active_ktype); - - /* figure out a name for the client host */ - lname = get_local_name(ssh_packet_get_connection_in(ssh)); -diff --color -rup a/sshkey.c b/sshkey.c ---- a/sshkey.c 2022-07-11 17:00:02.609575554 +0200 -+++ b/sshkey.c 2022-07-11 17:12:30.905976443 +0200 -@@ -252,6 +252,29 @@ sshkey_ecdsa_nid_from_name(const char *n - return -1; - } - -+int -+sshkey_match_keyname_to_sigalgs(const char *keyname, const char *sigalgs) -+{ -+ int ktype; -+ -+ if (sigalgs == NULL || *sigalgs == '\0' || -+ (ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC) -+ return 0; -+ else if (ktype == KEY_RSA) { -+ return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 || -+ match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 || -+ match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1; -+ } else if (ktype == KEY_RSA_CERT) { -+ return match_pattern_list("ssh-rsa-cert-v01@openssh.com", -+ sigalgs, 0) == 1 || -+ match_pattern_list("rsa-sha2-256-cert-v01@openssh.com", -+ sigalgs, 0) == 1 || -+ match_pattern_list("rsa-sha2-512-cert-v01@openssh.com", -+ sigalgs, 0) == 1; -+ } else -+ return 
match_pattern_list(keyname, sigalgs, 0) == 1; -+} -+ - char * - sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep) - { -diff --color -rup a/sshkey.h b/sshkey.h ---- a/sshkey.h 2022-07-11 17:00:02.603575438 +0200 -+++ b/sshkey.h 2022-07-11 17:13:01.052556879 +0200 -@@ -194,6 +194,10 @@ int sshkey_is_cert(const struct sshkey - int sshkey_is_sk(const struct sshkey *); - int sshkey_type_is_cert(int); - int sshkey_type_plain(int); -+ -+/* Returns non-zero if key name match sigalgs pattern list. (handles RSA) */ -+int sshkey_match_keyname_to_sigalgs(const char *, const char *); -+ - int sshkey_to_certified(struct sshkey *); - int sshkey_drop_cert(struct sshkey *); - int sshkey_cert_copy(const struct sshkey *, struct sshkey *); -diff --color -rup a/ssh-keysign.c b/ssh-keysign.c ---- a/ssh-keysign.c 2021-08-20 06:03:49.000000000 +0200 -+++ b/ssh-keysign.c 2022-07-11 17:00:23.306973667 +0200 -@@ -62,7 +62,7 @@ - extern char *__progname; - - static int --valid_request(struct passwd *pw, char *host, struct sshkey **ret, -+valid_request(struct passwd *pw, char *host, struct sshkey **ret, char **pkalgp, - u_char *data, size_t datalen) - { - struct sshbuf *b; -@@ -75,6 +75,8 @@ valid_request(struct passwd *pw, char *h - - if (ret != NULL) - *ret = NULL; -+ if (pkalgp != NULL) -+ *pkalgp = NULL; - fail = 0; - - if ((b = sshbuf_from(data, datalen)) == NULL) -@@ -122,8 +124,6 @@ valid_request(struct passwd *pw, char *h - fail++; - } else if (key->type != pktype) - fail++; -- free(pkalg); -- free(pkblob); - - /* client host name, handle trailing dot */ - if ((r = sshbuf_get_cstring(b, &p, &len)) != 0) -@@ -154,8 +154,19 @@ valid_request(struct passwd *pw, char *h - - if (fail) - sshkey_free(key); -- else if (ret != NULL) -- *ret = key; -+ else { -+ if (ret != NULL) { -+ *ret = key; -+ key = NULL; -+ } -+ if (pkalgp != NULL) { -+ *pkalgp = pkalg; -+ pkalg = NULL; -+ } -+ } -+ sshkey_free(key); -+ free(pkalg); -+ free(pkblob); - - return (fail ? 
-1 : 0); - } -@@ -170,7 +181,7 @@ main(int argc, char **argv) - struct passwd *pw; - int r, key_fd[NUM_KEYTYPES], i, found, version = 2, fd; - u_char *signature, *data, rver; -- char *host, *fp; -+ char *host, *fp, *pkalg; - size_t slen, dlen; - - if (pledge("stdio rpath getpw dns id", NULL) != 0) -@@ -258,7 +269,7 @@ main(int argc, char **argv) - - if ((r = sshbuf_get_string(b, &data, &dlen)) != 0) - fatal_r(r, "%s: buffer error", __progname); -- if (valid_request(pw, host, &key, data, dlen) < 0) -+ if (valid_request(pw, host, &key, &pkalg, data, dlen) < 0) - fatal("%s: not a valid request", __progname); - free(host); - -@@ -279,7 +290,7 @@ main(int argc, char **argv) - } - - if ((r = sshkey_sign(keys[i], &signature, &slen, data, dlen, -- NULL, NULL, NULL, 0)) != 0) -+ pkalg, NULL, NULL, 0)) != 0) - fatal_r(r, "%s: sshkey_sign failed", __progname); - free(data); - diff --git a/openssh-8.7p1-ibmca.patch b/openssh-8.7p1-ibmca.patch index c9c12ee..88914bf 100644 --- a/openssh-8.7p1-ibmca.patch +++ b/openssh-8.7p1-ibmca.patch @@ -4,9 +4,8 @@ #include "includes.h" --#ifndef HAVE_CLOSEFROM -+#if (!defined HAVE_CLOSEFROM) || (defined __s390__) +-#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM) ++#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM) || (defined __s390__) #include - #include - + #include diff --git a/openssh-8.7p1-minimize-sha1-use.patch b/openssh-8.7p1-minimize-sha1-use.patch deleted file mode 100644 index cbaba49..0000000 --- a/openssh-8.7p1-minimize-sha1-use.patch +++ /dev/null 
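Review bot: The rebased condition `#if !defined(HAVE_CLOSEFROM) || defined(BROKEN_CLOSEFROM) || (defined __s390__)` forces the compat closefrom() on s390 with nothing saying why, and the s390 term is spelled differently from its two neighbours; write it `defined(__s390__)` and put a one-line comment above the `#if` stating the reason, e.g. `/* s390: deliberately bypass libc closefrom(); see openssh-8.7p1-ibmca.patch */`. Presumably the override is tied to the ibmca engine this patch is named for, but that is inferred from the file name only. Without the comment the next rebase cannot tell whether the override is still required.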
@@ -1,194 +0,0 @@ -diff --color -ru a/clientloop.c b/clientloop.c ---- a/clientloop.c 2022-06-29 16:35:06.677597259 +0200 -+++ b/clientloop.c 2022-06-29 16:40:29.737926205 +0200 -@@ -116,6 +116,9 @@ - #include "ssh-gss.h" - #endif - -+/* Permitted RSA signature algorithms for UpdateHostkeys proofs */ -+#define HOSTKEY_PROOF_RSA_ALGS "rsa-sha2-512,rsa-sha2-256" -+ - /* import options */ - extern Options options; - -@@ -2110,8 +2113,10 @@ - struct hostkeys_update_ctx *ctx = (struct hostkeys_update_ctx *)_ctx; - size_t i, ndone; - struct sshbuf *signdata; -- int r, kexsigtype, use_kexsigtype; -+ int r, plaintype; - const u_char *sig; -+ const char *rsa_kexalg = NULL; -+ char *alg = NULL; - size_t siglen; - - if (ctx->nnew == 0) -@@ -2122,9 +2127,9 @@ - hostkeys_update_ctx_free(ctx); - return; - } -- kexsigtype = sshkey_type_plain( -- sshkey_type_from_name(ssh->kex->hostkey_alg)); -- -+ if (sshkey_type_plain(sshkey_type_from_name( -+ ssh->kex->hostkey_alg)) == KEY_RSA) -+ rsa_kexalg = ssh->kex->hostkey_alg; - if ((signdata = sshbuf_new()) == NULL) - fatal_f("sshbuf_new failed"); - /* -@@ -2135,6 +2140,7 @@ - for (ndone = i = 0; i < ctx->nkeys; i++) { - if (ctx->keys_match[i]) - continue; -+ plaintype = sshkey_type_plain(ctx->keys[i]->type); - /* Prepare data to be signed: session ID, unique string, key */ - sshbuf_reset(signdata); - if ( (r = sshbuf_put_cstring(signdata, -@@ -2148,19 +2154,33 @@ - error_fr(r, "parse sig"); - goto out; - } -+ if ((r = sshkey_get_sigtype(sig, siglen, &alg)) != 0) { -+ error_fr(r, "server gave unintelligible signature " -+ "for %s key %zu", sshkey_type(ctx->keys[i]), i); -+ goto out; -+ } - /* -- * For RSA keys, prefer to use the signature type negotiated -- * during KEX to the default (SHA1). -+ * Special case for RSA keys: if a RSA hostkey was negotiated, -+ * then use its signature type for verification of RSA hostkey -+ * proofs. Otherwise, accept only RSA-SHA256/512 signatures. 
- */ -- use_kexsigtype = kexsigtype == KEY_RSA && -- sshkey_type_plain(ctx->keys[i]->type) == KEY_RSA; -- debug3_f("verify %s key %zu using %s sigalg", -- sshkey_type(ctx->keys[i]), i, -- use_kexsigtype ? ssh->kex->hostkey_alg : "default"); -+ if (plaintype == KEY_RSA && rsa_kexalg == NULL && -+ match_pattern_list(alg, HOSTKEY_PROOF_RSA_ALGS, 0) != 1) { -+ debug_f("server used untrusted RSA signature algorithm " -+ "%s for key %zu, disregarding", alg, i); -+ free(alg); -+ /* zap the key from the list */ -+ sshkey_free(ctx->keys[i]); -+ ctx->keys[i] = NULL; -+ ndone++; -+ continue; -+ } -+ debug3_f("verify %s key %zu using sigalg %s", -+ sshkey_type(ctx->keys[i]), i, alg); -+ free(alg); - if ((r = sshkey_verify(ctx->keys[i], sig, siglen, - sshbuf_ptr(signdata), sshbuf_len(signdata), -- use_kexsigtype ? ssh->kex->hostkey_alg : NULL, 0, -- NULL)) != 0) { -+ plaintype == KEY_RSA ? rsa_kexalg : NULL, 0, NULL)) != 0) { - error_fr(r, "server gave bad signature for %s key %zu", - sshkey_type(ctx->keys[i]), i); - goto out; -diff --color -ru a/kex.c b/kex.c ---- a/kex.c 2022-06-29 16:35:06.775599179 +0200 -+++ b/kex.c 2022-06-29 16:42:00.839710940 +0200 -@@ -959,6 +959,18 @@ - return (1); - } - -+/* returns non-zero if proposal contains any algorithm from algs */ -+static int -+has_any_alg(const char *proposal, const char *algs) -+{ -+ char *cp; -+ -+ if ((cp = match_list(proposal, algs, NULL)) == NULL) -+ return 0; -+ free(cp); -+ return 1; -+} -+ - static int - kex_choose_conf(struct ssh *ssh) - { -@@ -994,6 +1006,16 @@ - free(ext); - } - -+ /* Check whether client supports rsa-sha2 algorithms */ -+ if (kex->server && (kex->flags & KEX_INITIAL)) { -+ if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS], -+ "rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com")) -+ kex->flags |= KEX_RSA_SHA2_256_SUPPORTED; -+ if (has_any_alg(peer[PROPOSAL_SERVER_HOST_KEY_ALGS], -+ "rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com")) -+ kex->flags |= KEX_RSA_SHA2_512_SUPPORTED; -+ } -+ - /* 
Algorithm Negotiation */ - if ((r = choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], - sprop[PROPOSAL_KEX_ALGS])) != 0) { -diff --color -ru a/kex.h b/kex.h ---- a/kex.h 2022-06-29 16:35:06.766599003 +0200 -+++ b/kex.h 2022-06-29 16:42:24.199168567 +0200 -@@ -116,6 +116,8 @@ - - #define KEX_INIT_SENT 0x0001 - #define KEX_INITIAL 0x0002 -+#define KEX_RSA_SHA2_256_SUPPORTED 0x0008 /* only set in server for now */ -+#define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */ - - struct sshenc { - char *name; -diff --color -ru a/serverloop.c b/serverloop.c ---- a/serverloop.c 2021-08-20 06:03:49.000000000 +0200 -+++ b/serverloop.c 2022-06-29 16:45:05.902336428 +0200 -@@ -684,16 +684,18 @@ - struct sshbuf *resp = NULL; - struct sshbuf *sigbuf = NULL; - struct sshkey *key = NULL, *key_pub = NULL, *key_prv = NULL; -- int r, ndx, kexsigtype, use_kexsigtype, success = 0; -+ int r, ndx, success = 0; - const u_char *blob; -+ const char *sigalg, *kex_rsa_sigalg = NULL; - u_char *sig = 0; - size_t blen, slen; - - if ((resp = sshbuf_new()) == NULL || (sigbuf = sshbuf_new()) == NULL) - fatal_f("sshbuf_new"); - -- kexsigtype = sshkey_type_plain( -- sshkey_type_from_name(ssh->kex->hostkey_alg)); -+ if (sshkey_type_plain(sshkey_type_from_name( -+ ssh->kex->hostkey_alg)) == KEY_RSA) -+ kex_rsa_sigalg = ssh->kex->hostkey_alg; - while (ssh_packet_remaining(ssh) > 0) { - sshkey_free(key); - key = NULL; -@@ -726,16 +728,24 @@ - * For RSA keys, prefer to use the signature type negotiated - * during KEX to the default (SHA1). 
- */ -- use_kexsigtype = kexsigtype == KEY_RSA && -- sshkey_type_plain(key->type) == KEY_RSA; -+ sigalg = NULL; -+ if (sshkey_type_plain(key->type) == KEY_RSA) { -+ if (kex_rsa_sigalg != NULL) -+ sigalg = kex_rsa_sigalg; -+ else if (ssh->kex->flags & KEX_RSA_SHA2_512_SUPPORTED) -+ sigalg = "rsa-sha2-512"; -+ else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED) -+ sigalg = "rsa-sha2-256"; -+ } -+ debug3_f("sign %s key (index %d) using sigalg %s", -+ sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg); - if ((r = sshbuf_put_cstring(sigbuf, - "hostkeys-prove-00@openssh.com")) != 0 || - (r = sshbuf_put_stringb(sigbuf, - ssh->kex->session_id)) != 0 || - (r = sshkey_puts(key, sigbuf)) != 0 || - (r = ssh->kex->sign(ssh, key_prv, key_pub, &sig, &slen, -- sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), -- use_kexsigtype ? ssh->kex->hostkey_alg : NULL)) != 0 || -+ sshbuf_ptr(sigbuf), sshbuf_len(sigbuf), sigalg)) != 0 || - (r = sshbuf_put_string(resp, sig, slen)) != 0) { - error_fr(r, "assemble signature"); - goto out; diff --git a/openssh-8.7p1-minrsabits.patch b/openssh-8.7p1-minrsabits.patch index 57019b6..4f11491 100644 --- a/openssh-8.7p1-minrsabits.patch +++ b/openssh-8.7p1-minrsabits.patch 
@@ -204,22 +204,25 @@ index a926cc007..cd13fb879 100644 break; case SSH_ERR_INTERNAL_ERROR: case SSH_ERR_ALLOC_FAIL: -@@ -1557,12 +1565,13 @@ main(int ac, char **av) +@@ -1565,7 +1573,7 @@ main(int ac, char **av) if ((o) >= sensitive_data.nkeys) \ fatal_f("pubkey out of array bounds"); \ check_load(sshkey_load_public(p, &(sensitive_data.keys[o]), NULL), \ - p, "pubkey"); \ + &(sensitive_data.keys[o]), p, "pubkey"); \ - } while (0) + if (sensitive_data.keys[o] != NULL) \ + debug2("hostbased key %d: %s key from \"%s\"", o, \ + sshkey_ssh_name(sensitive_data.keys[o]), p); \ +@@ -1573,7 +1581,8 @@ main(int ac, char **av) #define L_CERT(p,o) do { \ if ((o) >= sensitive_data.nkeys) \ fatal_f("cert out of array bounds"); \ - check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), p, "cert"); \ + check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), \ + &(sensitive_data.keys[o]), p, "cert"); \ - } while (0) - - if (options.hostbased_authentication == 1) { + if (sensitive_data.keys[o] != NULL) \ + debug2("hostbased key %d: %s cert from \"%s\"", o, \ + sshkey_ssh_name(sensitive_data.keys[o]), p); \ @@ -2244,7 +2253,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo) filename = default_client_percent_dollar_expand(cp, cinfo); free(cp); @@ -263,9 +266,9 @@ index 67f8e0309..d050c1656 100644 xxx_conn_info) == -1) fatal("Host key verification failed."); @@ -1747,6 +1751,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt) - close(agent_fd); - } else { - for (j = 0; j < idlist->nkeys; j++) { + /* list of keys supported by the agent */ + if ((r = get_agent_identities(ssh, &agent_fd, &idlist)) == 0) { + for (j = 0; j < idlist->nkeys; j++) { + if ((r = sshkey_check_rsa_length(idlist->keys[j], + options.rsa_min_size)) != 0) { + debug_fr(r, "ignoring %s agent key", diff --git a/openssh-8.7p1-negotiate-supported-algs.patch b/openssh-8.7p1-negotiate-supported-algs.patch index 2fb9297..260ddb8 100644 --- a/openssh-8.7p1-negotiate-supported-algs.patch 
+++ b/openssh-8.7p1-negotiate-supported-algs.patch @@ -2,8 +2,8 @@ diff --color -rup a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh --- a/regress/hostkey-agent.sh 2021-08-20 06:03:49.000000000 +0200 +++ b/regress/hostkey-agent.sh 2022-07-14 11:58:12.172786060 +0200 @@ -13,8 +13,12 @@ r=$? - grep -vi 'hostkey' $OBJ/sshd_proxy > $OBJ/sshd_proxy.orig - echo "HostKeyAgent $SSH_AUTH_SOCK" >> $OBJ/sshd_proxy.orig + + ${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA" +PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \ + grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"` @@ -12,18 +12,18 @@ diff --color -rup a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh trace "load hostkeys" -for k in $SSH_KEYTYPES ; do +for k in $SSH_ACCEPTED_KEYTYPES ; do - ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" - ( - printf 'localhost-with-alias,127.0.0.1,::1 ' + ${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k" + ${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \ + -I localhost-with-alias $OBJ/agent-key.$k.pub || \ @@ -31,7 +35,7 @@ cp $OBJ/known_hosts.orig $OBJ/known_host + unset SSH_AUTH_SOCK - for ps in yes; do -- for k in $SSH_KEYTYPES ; do -+ for k in $SSH_ACCEPTED_KEYTYPES ; do - verbose "key type $k privsep=$ps" - cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy - echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy +-for k in $SSH_KEYTYPES ; do ++for k in $SSH_ACCEPTED_KEYTYPES ; do + verbose "key type $k" + cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy + echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy diff --color -rup a/sshconnect2.c b/sshconnect2.c --- a/sshconnect2.c 2022-07-14 10:10:07.262975710 +0200 +++ b/sshconnect2.c 2022-07-14 10:10:32.068452067 +0200 diff --git a/openssh-8.7p1-recursive-scp.patch b/openssh-8.7p1-recursive-scp.patch index 25765fb..5b44d92 100644 --- a/openssh-8.7p1-recursive-scp.patch +++ b/openssh-8.7p1-recursive-scp.patch 
@@ -7,9 +7,9 @@ diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c if (upload_dir(conn, src, abs_dst, pflag, - SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) { + SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) { - error("failed to upload directory %s to %s", - src, abs_dst); - errs = 1; + error("failed to upload directory %s to %s", src, targ); + errs = 1; + } diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c --- openssh-8.7p1/sftp-client.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/sftp-client.c 2022-02-07 12:47:59.117516131 +0100 @@ -22,11 +22,13 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c { struct sshbuf *msg; u_int expected_id, count, id; -@@ -1012,9 +1012,38 @@ do_realpath_expand(struct sftp_conn *con - - if ((r = sshbuf_get_u32(msg, &status)) != 0) +@@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con + if ((r = sshbuf_get_u32(msg, &status)) != 0 || + (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0) fatal_fr(r, "parse status"); -- error("Couldn't canonicalize: %s", fx2txt(status)); +- error("%s %s: %s", expand ? "expand" : "realpath", +- path, *errmsg == '\0' ? fx2txt(status) : errmsg); +- free(errmsg); - sshbuf_free(msg); - return NULL; + if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) { 
@@ -35,29 +37,34 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c + sshbuf_free(msg); + return NULL; + } -+ ++ debug2("Sending SSH2_FXP_REALPATH \"%s\" - create dir", path); + send_string_request(conn, id, SSH2_FXP_REALPATH, + path, strlen(path)); + + get_msg(conn, msg); + if ((r = sshbuf_get_u8(msg, &type)) != 0 || -+ (r = sshbuf_get_u32(msg, &id)) != 0) ++ (r = sshbuf_get_u32(msg, &id)) != 0) + fatal_fr(r, "parse"); + + if (id != expected_id) + fatal("ID mismatch (%u != %u)", id, expected_id); + + if (type == SSH2_FXP_STATUS) { -+ u_int status; ++ free(errmsg); + -+ if ((r = sshbuf_get_u32(msg, &status)) != 0) ++ if ((r = sshbuf_get_u32(msg, &status)) != 0 || ++ (r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0) + fatal_fr(r, "parse status"); -+ error("Couldn't canonicalize: %s", fx2txt(status)); ++ error("%s %s: %s", expand ? "expand" : "realpath", ++ path, *errmsg == '\0' ? fx2txt(status) : errmsg); ++ free(errmsg); + sshbuf_free(msg); + return NULL; + } + } else { -+ error("Couldn't canonicalize: %s", fx2txt(status)); ++ error("%s %s: %s", expand ? "expand" : "realpath", ++ path, *errmsg == '\0' ? fx2txt(status) : errmsg); ++ free(errmsg); + sshbuf_free(msg); + return NULL; + } @@ -94,9 +101,9 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c - if ((src_canon = do_realpath(conn, src)) == NULL) { + if ((src_canon = do_realpath(conn, src, 0)) == NULL) { - error("Unable to canonicalize path \"%s\"", src); - return -1; - } + error("download \"%s\": path canonicalization failed", src); + return -1; + } @@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co int upload_dir(struct sftp_conn *conn, const char *src, const char *dst, 
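Review bot: The `errmsg` string parsed from the first status reply (the `sshbuf_get_cstring(msg, &errmsg, NULL)` in the preceding hunk) is never freed when the retried SSH2_FXP_REALPATH succeeds: the only `free(errmsg)` calls in this hunk sit inside the `type == SSH2_FXP_STATUS` branch and the trailing `else`, so the success path leaves the first allocation live. The early `sshbuf_free(msg); return NULL;` at the top of the hunk looks to have the same gap, unless a free I cannot see precedes it. Freeing once before the retry closes the success-path leak: insert `free(errmsg); errmsg = NULL;` before the `debug2("Sending SSH2_FXP_REALPATH \"%s\" - create dir", path);` line and drop the `free(errmsg);` that opens the status branch. do_realpath_expand continues outside the hunk.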
@@ -109,18 +116,18 @@ diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c - if ((dst_canon = do_realpath(conn, dst)) == NULL) { + if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) { - error("Unable to canonicalize path \"%s\"", dst); - return -1; - } + error("upload \"%s\": path canonicalization failed", dst); + return -1; + } @@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st char *from_path_canon; int ret; - if ((from_path_canon = do_realpath(from, from_path)) == NULL) { + if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) { - error("Unable to canonicalize path \"%s\"", from_path); - return -1; - } + error("crossload \"%s\": path canonicalization failed", + from_path); + return -1; diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h --- openssh-8.7p1/sftp-client.h.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200 +++ openssh-8.7p1/sftp-client.h 2022-02-07 12:31:07.410740433 +0100 diff --git a/openssh-8.7p1-scp-clears-file.patch b/openssh-8.7p1-scp-clears-file.patch index 4c033da..3ecff1e 100644 --- a/openssh-8.7p1-scp-clears-file.patch +++ b/openssh-8.7p1-scp-clears-file.patch @@ -1,21 +1,20 @@ diff --color -rup a/scp.c b/scp.c --- a/scp.c 2022-07-26 14:51:40.560120817 +0200 
+++ b/scp.c 2022-07-26 14:52:37.118213004 +0200 -@@ -1324,12 +1324,12 @@ source_sftp(int argc, char *src, char *t - - if (src_is_dir && iamrecursive) { - if (upload_dir(conn, src, abs_dst, pflag, +@@ -1324,11 +1324,11 @@ source_sftp(int argc, char *src, char *t + + if (src_is_dir && iamrecursive) { + if (upload_dir(conn, src, abs_dst, pflag, - SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) { + SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) { - error("failed to upload directory %s to %s", - src, abs_dst); - errs = 1; - } + error("failed to upload directory %s to %s", src, targ); + errs = 1; + } - } else if (do_upload(conn, src, abs_dst, pflag, 0, 0) != 0) { + } else if (do_upload(conn, src, abs_dst, pflag, 0, 0, 1) != 0) { - error("failed to upload file %s to %s", src, abs_dst); - errs = 1; - } + error("failed to upload file %s to %s", src, targ); + errs = 1; + } @@ -1566,11 +1566,11 @@ sink_sftp(int argc, char *dst, const cha debug("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); if (globpath_is_dir(g.gl_pathv[i]) && iamrecursive) { @@ -83,9 +82,9 @@ diff --color -rup a/sftp-client.c b/sftp-client.c - O_WRONLY | O_CREAT | (resume_flag ? 0 : O_TRUNC), mode | S_IWUSR); + local_fd = open(local_path, O_WRONLY | O_CREAT | + ((resume_flag || inplace_flag) ? 0 : O_TRUNC), mode | S_IWUSR); - if (local_fd == -1) { - error("Couldn't open local file \"%s\" for writing: %s", - local_path, strerror(errno)); + if (local_fd == -1) { + error("open local \"%s\": %s", local_path, strerror(errno)); + goto fail; @@ -1661,8 +1661,11 @@ do_download(struct sftp_conn *conn, cons /* Sanity check */ if (TAILQ_FIRST(&requests) != NULL) @@ -217,8 +216,8 @@ diff --color -rup a/sftp-client.c b/sftp-client.c + } + if (close(local_fd) == -1) { - error("Couldn't close local file \"%s\": %s", local_path, - strerror(errno)); + error("close local \"%s\": %s", local_path, strerror(errno)); + status = SSH2_FX_FAILURE; 
@@ -2041,7 +2063,7 @@ do_upload(struct sftp_conn *conn, const static int upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, @@ -241,9 +240,9 @@ diff --color -rup a/sftp-client.c b/sftp-client.c - preserve_flag, resume, fsync_flag) == -1) { + preserve_flag, resume, fsync_flag, + inplace_flag) == -1) { - error("Uploading of file %s to %s failed!", - new_src, new_dst); - ret = -1; + error("upload \"%s\" to \"%s\" failed", + new_src, new_dst); + ret = -1; @@ -2144,7 +2167,7 @@ upload_dir_internal(struct sftp_conn *co int upload_dir(struct sftp_conn *conn, const char *src, const char *dst, diff --git a/openssh-8.7p1-sftp-default-protocol.patch b/openssh-8.7p1-sftp-default-protocol.patch deleted file mode 100644 index c3527b1..0000000 --- a/openssh-8.7p1-sftp-default-protocol.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -diff --git a/scp.1 b/scp.1 -index 68aac04b..a96e95ad 100644 ---- a/scp.1 -+++ b/scp.1 -@@ -18,7 +18,7 @@ - .Nd OpenSSH secure file copy - .Sh SYNOPSIS - .Nm scp --.Op Fl 346ABCOpqRrsTv -+.Op Fl 346ABCOpqRrTv - .Op Fl c Ar cipher - .Op Fl D Ar sftp_server_path - .Op Fl F Ar ssh_config -@@ -79,7 +76,9 @@ The options are as follows: - Copies between two remote hosts are transferred through the local host. - Without this option the data is copied directly between the two remote - hosts. --Note that, when using the original SCP protocol (the default), this option -+Note that, when using the original SCP protocol (via the -+.Fl O -+flag), this option - selects batch mode for the second host as - .Nm - cannot ask for passwords or passphrases for both hosts. -@@ -146,7 +145,6 @@ Limits the used bandwidth, specified in Kbit/s. - wildcard patterns and for expanding paths with a - .Sq ~ - prefix for older SFTP servers. --This mode is the default. - .It Fl o Ar ssh_option - Can be used to pass options to - .Nm ssh -@@ -258,8 +258,6 @@ to use for the encrypted connection. - The program must understand - .Xr ssh 1 - options. --.It Fl s --Use the SFTP protocol for transfers rather than the original scp protocol. - .It Fl T - Disable strict filename checking. - By default when copying files from a remote host to a local directory -@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems. - .Xr ssh_config 5 , - .Xr sftp-server 8 , - .Xr sshd 8 -+.Sh CAVEATS -+The original scp protocol (selected by the -+.Fl O -+flag) requires execution of the remote user's shell to perform -+.Xr glob 3 -+pattern matching. -+This requires careful quoting of any characters that have special meaning to -+the remote shell, such as quote characters. - .Sh HISTORY - .Nm - is based on the rcp program in - .Bx - source code from the Regents of the University of California. 
-+.Pp -+Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds), -+.Nm -+has use the SFTP protocol for transfers by default. - .Sh AUTHORS - .An Timo Rinne Aq Mt tri@iki.fi - .An Tatu Ylonen Aq Mt ylo@cs.hut.fi -diff --git a/scp.c b/scp.c -index e039350c..c7cf7529 100644 ---- a/scp.c -+++ b/scp.c -@@ -448,7 +448,7 @@ main(int argc, char **argv) - const char *errstr; - extern char *optarg; - extern int optind; -- enum scp_mode_e mode = MODE_SCP; -+ enum scp_mode_e mode = MODE_SFTP; - char *sftp_direct = NULL; - - /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ -@@ -1983,7 +1983,7 @@ void - usage(void) - { - (void) fprintf(stderr, -- "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n" -+ "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n" - " [-i identity_file] [-J destination] [-l limit]\n" - " [-o ssh_option] [-P port] [-S program] source ... target\n"); - exit(1); diff --git a/openssh-8.7p1-sftpscp-dir-create.patch b/openssh-8.7p1-sftpscp-dir-create.patch deleted file mode 100644 index bc504f9..0000000 --- a/openssh-8.7p1-sftpscp-dir-create.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -diff -up openssh-8.7p1/scp.c.sftpdirs openssh-8.7p1/scp.c ---- openssh-8.7p1/scp.c.sftpdirs 2022-02-02 14:11:12.553447509 +0100 -+++ openssh-8.7p1/scp.c 2022-02-02 14:12:56.081316414 +0100 -@@ -130,6 +130,7 @@ - #include "misc.h" - #include "progressmeter.h" - #include "utf8.h" -+#include "sftp.h" - - #include "sftp-common.h" - #include "sftp-client.h" -@@ -1264,13 +1265,18 @@ tolocal(int argc, char **argv, enum scp_ - static char * - prepare_remote_path(struct sftp_conn *conn, const char *path) - { -+ size_t nslash; -+ - /* Handle ~ prefixed paths */ -- if (*path != '~') -- return xstrdup(path); - if (*path == '\0' || strcmp(path, "~") == 0) - return xstrdup("."); -- if (strncmp(path, "~/", 2) == 0) -- return xstrdup(path + 2); -+ if (*path != '~') -+ return xstrdup(path); -+ if (strncmp(path, "~/", 2) == 0) { -+ if ((nslash = strspn(path + 2, "/")) == strlen(path + 2)) -+ return xstrdup("."); -+ return xstrdup(path + 2 + nslash); -+ } - if (can_expand_path(conn)) - return do_expand_path(conn, path); - /* No protocol extension */ -@@ -1282,10 +1288,16 @@ void - source_sftp(int argc, char *src, char *targ, struct sftp_conn *conn) - { - char *target = NULL, *filename = NULL, *abs_dst = NULL; -- int target_is_dir; -- -+ int src_is_dir, target_is_dir; -+ Attrib a; -+ struct stat st; -+ -+ memset(&a, '\0', sizeof(a)); -+ if (stat(src, &st) != 0) -+ fatal("stat local \"%s\": %s", src, strerror(errno)); -+ src_is_dir = S_ISDIR(st.st_mode); - if ((filename = basename(src)) == NULL) -- fatal("basename %s: %s", src, strerror(errno)); -+ fatal("basename \"%s\": %s", src, strerror(errno)); - - /* - * No need to glob here - the local shell already took care of -@@ -1295,8 +1307,12 @@ source_sftp(int argc, char *src, char *t - cleanup_exit(255); - target_is_dir = remote_is_dir(conn, target); - if (targetshouldbedirectory && !target_is_dir) { -- fatal("Target is not a directory, but more files selected " -- "for upload"); -+ debug("target directory \"%s\" does 
not exist", target); -+ a.flags = SSH2_FILEXFER_ATTR_PERMISSIONS; -+ a.perm = st.st_mode | 0700; /* ensure writable */ -+ if (do_mkdir(conn, target, &a, 1) != 0) -+ cleanup_exit(255); /* error already logged */ -+ target_is_dir = 1; - } - if (target_is_dir) - abs_dst = path_append(target, filename); -@@ -1306,7 +1322,7 @@ source_sftp(int argc, char *src, char *t - } - debug3_f("copying local %s to remote %s", src, abs_dst); - -- if (local_is_dir(src) && iamrecursive) { -+ if (src_is_dir && iamrecursive) { - if (upload_dir(conn, src, abs_dst, pflag, - SFTP_PROGRESS_ONLY, 0, 0, 1) != 0) { - error("failed to upload directory %s to %s", -@@ -1487,14 +1506,15 @@ sink_sftp(int argc, char *dst, const cha - char *abs_dst = NULL; - glob_t g; - char *filename, *tmp = NULL; -- int i, r, err = 0; -+ int i, r, err = 0, dst_is_dir; -+ struct stat st; - - memset(&g, 0, sizeof(g)); -+ - /* - * Here, we need remote glob as SFTP can not depend on remote shell - * expansions - */ -- - if ((abs_src = prepare_remote_path(conn, src)) == NULL) { - err = -1; - goto out; -@@ -1510,11 +1530,24 @@ sink_sftp(int argc, char *dst, const cha - goto out; - } - -- if (g.gl_matchc > 1 && !local_is_dir(dst)) { -- error("Multiple files match pattern, but destination " -- "\"%s\" is not a directory", dst); -- err = -1; -- goto out; -+ if ((r = stat(dst, &st)) != 0) -+ debug2_f("stat local \"%s\": %s", dst, strerror(errno)); -+ dst_is_dir = r == 0 && S_ISDIR(st.st_mode); -+ -+ if (g.gl_matchc > 1 && !dst_is_dir) { -+ if (r == 0) { -+ error("Multiple files match pattern, but destination " -+ "\"%s\" is not a directory", dst); -+ err = -1; -+ goto out; -+ } -+ debug2_f("creating destination \"%s\"", dst); -+ if (mkdir(dst, 0777) != 0) { -+ error("local mkdir \"%s\": %s", dst, strerror(errno)); -+ err = -1; -+ goto out; -+ } -+ dst_is_dir = 1; - } - - for (i = 0; g.gl_pathv[i] && !interrupted; i++) { -@@ -1525,7 +1558,7 @@ sink_sftp(int argc, char *dst, const cha - goto out; - } - -- if 
(local_is_dir(dst)) -+ if (dst_is_dir) - abs_dst = path_append(dst, filename); - else - abs_dst = xstrdup(dst); diff --git a/openssh-8.8p1-skip-some-tests.patch b/openssh-8.8p1-skip-some-tests.patch index 7268eb3..27143f4 100644 --- a/openssh-8.8p1-skip-some-tests.patch +++ b/openssh-8.8p1-skip-some-tests.patch @@ -2,14 +2,14 @@ diff -up openssh-8.8p1/regress/hostkey-agent.sh.redhat openssh-8.8p1/regress/hos --- openssh-8.8p1/regress/hostkey-agent.sh.redhat 2022-08-10 15:54:42.084777662 +0200 +++ openssh-8.8p1/regress/hostkey-agent.sh 2022-08-10 17:01:25.651269994 +0200 @@ -36,6 +36,8 @@ unset SSH_AUTH_SOCK + unset SSH_AUTH_SOCK - for ps in yes; do - for k in $SSH_ACCEPTED_KEYTYPES ; do -+ [ "$k" == "ssh-rsa" ] && continue -+ [ "$k" == "ssh-dss" ] && continue - verbose "key type $k privsep=$ps" - cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy - echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy + for k in $SSH_ACCEPTED_KEYTYPES ; do ++ [ "$k" == "ssh-rsa" ] && continue ++ [ "$k" == "ssh-dss" ] && continue + verbose "key type $k" + cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy + echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy diff -up openssh-8.8p1/regress/hostkey-rotate.sh.redhat openssh-8.8p1/regress/hostkey-rotate.sh --- openssh-8.8p1/regress/hostkey-rotate.sh.redhat 2022-08-10 16:57:12.720029146 +0200 +++ openssh-8.8p1/regress/hostkey-rotate.sh 2022-08-10 17:15:48.274923865 +0200 diff --git a/openssh.spec b/openssh.spec index eb64acc..c5abcf3 100644 --- a/openssh.spec +++ b/openssh.spec @@ -50,10 +50,10 @@ %{?static_openssl:%global static_libcrypto 1} # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%global openssh_ver 8.8p1 -%global openssh_rel 4 +%global openssh_ver 9.0p1 +%global openssh_rel 1 %global pam_ssh_agent_ver 0.10.4 -%global pam_ssh_agent_rel 6 +%global pam_ssh_agent_rel 7 Summary: An open source implementation of SSH protocol version 2 Name: openssh 
@@ -195,16 +195,10 @@ Patch966: openssh-8.2p1-x11-without-ipv6.patch Patch974: openssh-8.0p1-keygen-strip-doseol.patch # sshd provides PAM an incorrect error code (#1879503) Patch975: openssh-8.0p1-preserve-pam-errors.patch -# Use SFTP protocol by default for scp command -Patch976: openssh-8.7p1-sftp-default-protocol.patch + # Implement kill switch for SCP protocol Patch977: openssh-8.7p1-scp-kill-switch.patch -# Create non-existent directories when scp works in sftp mode and some more minor fixes -# upstream commits: -# ba61123eef9c6356d438c90c1199a57a0d7bcb0a -# 63670d4e9030bcee490d5a9cce561373ac5b3b23 -# ac7c9ec894ed0825d04ef69c55babb49bab1d32e -Patch980: openssh-8.7p1-sftpscp-dir-create.patch + # Workaround for lack of sftp_realpath in older versions of RHEL # https://bugzilla.redhat.com/show_bug.cgi?id=2038854 # https://github.com/openssh/openssh-portable/pull/299 @@ -218,11 +212,6 @@ Patch983: openssh-8.7p1-evpgenkey.patch # From https://bugzilla.redhat.com/show_bug.cgi?id=1976202#c14 Patch984: openssh-8.7p1-ibmca.patch -# Minimize the use of SHA1 as a proof of possession for RSA key (#2031868) -# upstream commits: -# 291721bc7c840d113a49518f3fca70e86248b8e8 -# 0fa33683223c76289470a954404047bc762be84c -Patch1000: openssh-8.7p1-minimize-sha1-use.patch # Fix for scp clearing file when src and dest are the same (#2056884) # upstream commits: # 7b1cbcb7599d9f6a3bbad79d412604aa1203b5ee @@ -241,12 +230,7 @@ Patch1003: openssh-8.7p1-mem-leak.patch # upstream MR: # https://github.com/openssh-gsskex/openssh-gsskex/pull/21 Patch1004: openssh-8.7p1-gssapi-auth.patch -# Fix host-based authentication with rsa keys -# upstream commits: -# 7aa7b096cf2bafe2777085abdeed5ce00581f641 -# d9dbb5d9a0326e252d3c7bc13beb9c2434f59409 -# fdb1d58d0d3888b042e5a500f6ce524486aaf782 -Patch1005: openssh-8.7p1-host-based-auth.patch + # Don't propose disallowed algorithms during hostkey negotiation # upstream MR: # https://github.com/openssh/openssh-portable/pull/323 
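Review bot: The hunk removing Patch1000 (openssh-8.7p1-minimize-sha1-use.patch) and the one removing Patch1005 (openssh-8.7p1-host-based-auth.patch) drop two downstream fixes with no record of why they are no longer needed; presumably 9.0p1 already carries the upstream commits the deleted comments listed (291721bc7c…, 0fa3368322…, 7aa7b096cf…, d9dbb5d9a0…, fdb1d58d0d…), but neither the spec nor the changelog entry states it. A one-line note where the entries stood would spare the next rebaser from re-verifying, e.g. `# Patch1000/Patch1005 dropped: their upstream commits (see git history) are part of 9.0p1`. Replacing each removed block with an empty `+` line also leaves stray blank lines in the Patch list (here and in the `%patch976`/`%patch980`/`%patch1005` hunks on the next line); removing those lines outright keeps the list compact.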
@@ -254,7 +238,7 @@ Patch1006: openssh-8.7p1-negotiate-supported-algs.patch # downstream only # we skip some ssh-rsa/ssh-dss tests to make native test suite pass -Patch1100: openssh-8.8p1-skip-some-tests.patch +#Patch1100: openssh-8.8p1-skip-some-tests.patch License: BSD Requires: /sbin/nologin @@ -432,9 +416,9 @@ popd %patch966 -p1 -b .x11-ipv6 %patch974 -p1 -b .keygen-strip-doseol %patch975 -p1 -b .preserve-pam-errors -%patch976 -p1 -b .sftp-by-default + %patch977 -p1 -b .kill-scp -%patch980 -p1 -b .sftpdirs + %patch981 -p1 -b .scp-sftpdirs %patch982 -p1 -b .minrsabits %patch983 -p1 -b .evpgenrsa @@ -444,15 +428,14 @@ popd %patch201 -p1 -b .audit-race %patch700 -p1 -b .fips -%patch1000 -p1 -b .minimize-sha1-use %patch1001 -p1 -b .scp-clears-file %patch1002 -p1 -b .ssh-manpage %patch1003 -p1 -b .mem-leak %patch1004 -p1 -b .gssapi-auth -%patch1005 -p1 -b .host-based-auth + %patch1006 -p1 -b .negotiate-supported-algs -%patch1100 -p1 -b .skipsshrsadsstests +#%patch1100 -p1 -b .skipsshrsadsstests %patch100 -p1 -b .coverity @@ -735,6 +718,9 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Thu Aug 11 2022 Dmitry Belyavskiy - 9.0p1-1 + 0.10.4-7 +- Rebase OpenSSH to 9.0p1 (rhbz#2057466) + * Wed Aug 10 2022 Dmitry Belyavskiy - 8.8p1-4 + 0.10.4-6 - Port patches from CentOS (rhbz#2117264) diff --git a/sources b/sources index c74ea92..72353b3 100644 --- a/sources +++ b/sources 
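Review bot: Patch1100 is commented out here (`#Patch1100: openssh-8.8p1-skip-some-tests.patch`) and again in the `%patch1100` hunk below, yet the comment above it — `# we skip some ssh-rsa/ssh-dss tests to make native test suite pass` — is kept, and the patch file itself is still rebased by this same commit (the openssh-8.8p1-skip-some-tests.patch hunk above). Disabling a test-skip patch without a note leaves it unclear whether the ssh-rsa/ssh-dss regress tests now pass on 9.0p1 or simply are not being skipped any more; either delete the entry together with the patch file, or record the reason, e.g. `# Patch1100 disabled: <reason — TODO>`.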
@@ -1,4 +1,4 @@
-SHA512 (openssh-8.8p1.tar.gz) = d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
-SHA512 (openssh-8.8p1.tar.gz.asc) = 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
+SHA512 (openssh-9.0p1.tar.gz) = 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9
+SHA512 (openssh-9.0p1.tar.gz.asc) = 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f
 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
 SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21