From f7f8b483b075d7b76dc0caff587292c2f68e2bf8 Mon Sep 17 00:00:00 2001 From: bach Date: Nov 05 2012 13:43:22 +0000 Subject: adapt openssh-6.1p1-akc.patch to the upstream version - https://bugzilla.mindrot.org/show_bug.cgi?id=1663 --- diff --git a/openssh-5.9p1-keycat.patch b/openssh-5.9p1-keycat.patch index 74c3ecf..bbe57e0 100644 --- a/openssh-5.9p1-keycat.patch +++ b/openssh-5.9p1-keycat.patch @@ -1,6 +1,24 @@ -diff -up openssh-5.9p0/HOWTO.ssh-keycat.keycat openssh-5.9p0/HOWTO.ssh-keycat ---- openssh-5.9p0/HOWTO.ssh-keycat.keycat 2011-08-31 11:51:49.886087176 +0200 -+++ openssh-5.9p0/HOWTO.ssh-keycat 2011-08-31 11:51:49.890087179 +0200 +diff -up openssh-6.1p1/auth2-pubkey.c.keycat openssh-6.1p1/auth2-pubkey.c +--- openssh-6.1p1/auth2-pubkey.c.keycat 2012-11-01 13:37:59.000000000 +0100 ++++ openssh-6.1p1/auth2-pubkey.c 2012-11-01 14:03:47.402279914 +0100 +@@ -564,6 +564,14 @@ user_key_command_allowed2(struct passwd + } + closefrom(STDERR_FILENO + 1); + ++#ifdef WITH_SELINUX ++ if (ssh_selinux_setup_env_variables() < 0) { ++ error ("failed to copy environment: %s", ++ strerror(errno)); ++ _exit(127); ++ } ++#endif ++ + execl(options.authorized_keys_command, + options.authorized_keys_command, pw->pw_name, NULL); + +diff -up openssh-6.1p1/HOWTO.ssh-keycat.keycat openssh-6.1p1/HOWTO.ssh-keycat +--- openssh-6.1p1/HOWTO.ssh-keycat.keycat 2012-11-01 13:37:59.417280097 +0100 ++++ openssh-6.1p1/HOWTO.ssh-keycat 2012-11-01 13:37:59.417280097 +0100 @@ -0,0 +1,12 @@ +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +of an user in any environment. This includes environments with 
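Review bot: The relocated child-side block in the auth2-pubkey.c hunk formats `strerror(errno)` when `ssh_selinux_setup_env_variables()` returns < 0, but nothing in this hunk (or in the port-linux.c hunks of this diff, which only rename the helper from ssh_selinux_setup_pam_variables()) shows that the helper sets errno on failure, so the logged reason may be stale or unrelated. If the helper already reports its own cause, the message can be reduced to `error("failed to copy environment");`; otherwise a short comment at the call site stating that the helper sets errno would make the diagnostic trustworthy. The enclosing user_key_command_allowed2() starts and ends outside this hunk.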
@@ -14,9 +32,9 @@ diff -up openssh-5.9p0/HOWTO.ssh-keycat.keycat openssh-5.9p0/HOWTO.ssh-keycat + PubkeyAuthentication yes + + -diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in ---- openssh-5.9p0/Makefile.in.keycat 2011-08-31 11:51:48.367122382 +0200 -+++ openssh-5.9p0/Makefile.in 2011-08-31 12:03:46.433088864 +0200 +diff -up openssh-6.1p1/Makefile.in.keycat openssh-6.1p1/Makefile.in +--- openssh-6.1p1/Makefile.in.keycat 2012-11-01 13:37:59.413280097 +0100 ++++ openssh-6.1p1/Makefile.in 2012-11-01 13:37:59.418280097 +0100 @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper @@ -34,7 +52,7 @@ diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \ canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ -@@ -167,6 +168,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) +@@ -168,6 +169,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) @@ -44,7 +62,7 @@ diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -266,6 +270,7 @@ install-files: +@@ -267,6 +271,7 @@ install-files: $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ fi 
@@ -52,28 +70,10 @@ diff -up openssh-5.9p0/Makefile.in.keycat openssh-5.9p0/Makefile.in $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -diff -up openssh-5.9p0/auth2-pubkey.c.keycat openssh-5.9p0/auth2-pubkey.c ---- openssh-5.9p0/auth2-pubkey.c.keycat 2011-08-31 11:51:47.066149816 +0200 -+++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:51:50.143087097 +0200 -@@ -579,6 +579,14 @@ user_key_via_command_allowed2(struct pas - close(i); - } - -+#ifdef WITH_SELINUX -+ if (ssh_selinux_setup_env_variables() < 0) { -+ error ("failed to copy environment: %s", -+ strerror(errno)); -+ _exit(127); -+ } -+#endif -+ - execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL); - - /* if we got here, it didn't work */ -diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd-compat/port-linux.c ---- openssh-5.9p0/openbsd-compat/port-linux.c.keycat 2011-08-31 11:51:46.275119773 +0200 -+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:51:50.240087963 +0200 -@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname, +diff -up openssh-6.1p1/openbsd-compat/port-linux.c.keycat openssh-6.1p1/openbsd-compat/port-linux.c +--- openssh-6.1p1/openbsd-compat/port-linux.c.keycat 2012-11-01 13:37:59.367280097 +0100 ++++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-11-01 13:37:59.419280097 +0100 +@@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname, /* Setup environment variables for pam_selinux */ static int @@ -82,7 +82,7 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd- { const char *reqlvl; char *role; -@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void) +@@ -326,16 +326,16 @@ ssh_selinux_setup_pam_variables(void) ssh_selinux_get_role_level(&role, &reqlvl); 
@@ -102,7 +102,7 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd- if (role != NULL) xfree(role); -@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void) +@@ -343,6 +343,24 @@ ssh_selinux_setup_pam_variables(void) return rv; } @@ -127,9 +127,9 @@ diff -up openssh-5.9p0/openbsd-compat/port-linux.c.keycat openssh-5.9p0/openbsd- /* Set the execution context to the default for the specified user */ void ssh_selinux_setup_exec_context(char *pwname) -diff -up openssh-5.9p0/ssh-keycat.c.keycat openssh-5.9p0/ssh-keycat.c ---- openssh-5.9p0/ssh-keycat.c.keycat 2011-08-31 11:51:50.354136025 +0200 -+++ openssh-5.9p0/ssh-keycat.c 2011-08-31 11:51:50.359087309 +0200 +diff -up openssh-6.1p1/ssh-keycat.c.keycat openssh-6.1p1/ssh-keycat.c +--- openssh-6.1p1/ssh-keycat.c.keycat 2012-11-01 13:37:59.420280097 +0100 ++++ openssh-6.1p1/ssh-keycat.c 2012-11-01 13:37:59.420280097 +0100 @@ -0,0 +1,238 @@ +/* + * Redistribution and use in source and binary forms, with or without diff --git a/openssh-6.0p1-ldap.patch b/openssh-6.0p1-ldap.patch index 10389dc..b6f19ba 100644 --- a/openssh-6.0p1-ldap.patch +++ b/openssh-6.0p1-ldap.patch @@ -1,8 +1,8 @@ -diff -up openssh-6.0p1/configure.ac.ldap openssh-6.0p1/configure.ac ---- openssh-6.0p1/configure.ac.ldap 2012-08-06 20:41:38.392454225 +0200 -+++ openssh-6.0p1/configure.ac 2012-08-06 20:41:38.398454202 +0200 -@@ -1523,6 +1523,106 @@ AC_ARG_WITH(authorized-keys-command, - ] +diff -up openssh-6.1p1/configure.ac.ldap openssh-6.1p1/configure.ac +--- openssh-6.1p1/configure.ac.ldap 2012-07-06 03:49:29.000000000 +0200 ++++ openssh-6.1p1/configure.ac 2012-11-01 13:35:14.830280116 +0100 +@@ -1512,6 +1512,106 @@ AC_ARG_WITH([audit], + esac ] ) +# Check whether user wants LDAP support 
@@ -108,9 +108,9 @@ diff -up openssh-6.0p1/configure.ac.ldap openssh-6.0p1/configure.ac dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS([ \ arc4random \ -diff -up openssh-6.0p1/HOWTO.ldap-keys.ldap openssh-6.0p1/HOWTO.ldap-keys ---- openssh-6.0p1/HOWTO.ldap-keys.ldap 2012-08-06 20:41:38.399454198 +0200 -+++ openssh-6.0p1/HOWTO.ldap-keys 2012-08-06 20:41:38.399454198 +0200 +diff -up openssh-6.1p1/HOWTO.ldap-keys.ldap openssh-6.1p1/HOWTO.ldap-keys +--- openssh-6.1p1/HOWTO.ldap-keys.ldap 2012-11-01 12:57:17.915280385 +0100 ++++ openssh-6.1p1/HOWTO.ldap-keys 2012-11-01 12:57:17.915280385 +0100 @@ -0,0 +1,108 @@ + +HOW TO START @@ -220,9 +220,9 @@ diff -up openssh-6.0p1/HOWTO.ldap-keys.ldap openssh-6.0p1/HOWTO.ldap-keys +5) Author + Jan F. Chadima + -diff -up openssh-6.0p1/ldapbody.c.ldap openssh-6.0p1/ldapbody.c ---- openssh-6.0p1/ldapbody.c.ldap 2012-08-06 20:41:38.399454198 +0200 -+++ openssh-6.0p1/ldapbody.c 2012-08-06 20:41:38.399454198 +0200 +diff -up openssh-6.1p1/ldapbody.c.ldap openssh-6.1p1/ldapbody.c +--- openssh-6.1p1/ldapbody.c.ldap 2012-11-01 12:57:17.916280385 +0100 ++++ openssh-6.1p1/ldapbody.c 2012-11-01 12:57:17.916280385 +0100 @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -718,9 +718,9 @@ diff -up openssh-6.0p1/ldapbody.c.ldap openssh-6.0p1/ldapbody.c + return; +} + -diff -up openssh-6.0p1/ldapbody.h.ldap openssh-6.0p1/ldapbody.h ---- openssh-6.0p1/ldapbody.h.ldap 2012-08-06 20:41:38.399454198 +0200 -+++ openssh-6.0p1/ldapbody.h 2012-08-06 20:41:38.400454194 +0200 +diff -up openssh-6.1p1/ldapbody.h.ldap openssh-6.1p1/ldapbody.h +--- openssh-6.1p1/ldapbody.h.ldap 2012-11-01 12:57:17.916280385 +0100 ++++ openssh-6.1p1/ldapbody.h 2012-11-01 12:57:17.916280385 +0100 @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -759,9 +759,9 @@ diff -up openssh-6.0p1/ldapbody.h.ldap openssh-6.0p1/ldapbody.h + +#endif /* LDAPBODY_H */ + -diff -up openssh-6.0p1/ldapconf.c.ldap openssh-6.0p1/ldapconf.c ---- openssh-6.0p1/ldapconf.c.ldap 2012-08-06 20:41:38.400454194 +0200 -+++ openssh-6.0p1/ldapconf.c 2012-08-06 20:41:38.400454194 +0200 +diff -up openssh-6.1p1/ldapconf.c.ldap openssh-6.1p1/ldapconf.c +--- openssh-6.1p1/ldapconf.c.ldap 2012-11-01 12:57:17.917280385 +0100 ++++ openssh-6.1p1/ldapconf.c 2012-11-01 12:57:17.917280385 +0100 @@ -0,0 +1,682 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1445,9 +1445,9 @@ diff -up openssh-6.0p1/ldapconf.c.ldap openssh-6.0p1/ldapconf.c + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -diff -up openssh-6.0p1/ldapconf.h.ldap openssh-6.0p1/ldapconf.h ---- openssh-6.0p1/ldapconf.h.ldap 2012-08-06 20:41:38.400454194 +0200 -+++ openssh-6.0p1/ldapconf.h 2012-08-06 20:41:38.400454194 +0200 +diff -up openssh-6.1p1/ldapconf.h.ldap openssh-6.1p1/ldapconf.h +--- openssh-6.1p1/ldapconf.h.ldap 2012-11-01 12:57:17.918280385 +0100 ++++ openssh-6.1p1/ldapconf.h 2012-11-01 12:57:17.918280385 +0100 @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1520,9 +1520,9 @@ diff -up openssh-6.0p1/ldapconf.h.ldap openssh-6.0p1/ldapconf.h +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff -up openssh-6.0p1/ldap.conf.ldap openssh-6.0p1/ldap.conf ---- openssh-6.0p1/ldap.conf.ldap 2012-08-06 20:41:38.401454190 +0200 -+++ openssh-6.0p1/ldap.conf 2012-08-06 20:41:38.401454190 +0200 +diff -up openssh-6.1p1/ldap.conf.ldap openssh-6.1p1/ldap.conf +--- openssh-6.1p1/ldap.conf.ldap 2012-11-01 12:57:17.918280385 +0100 ++++ openssh-6.1p1/ldap.conf 2012-11-01 12:57:17.918280385 +0100 @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# 
@@ -1612,9 +1612,9 @@ diff -up openssh-6.0p1/ldap.conf.ldap openssh-6.0p1/ldap.conf +#tls_cert +#tls_key + -diff -up openssh-6.0p1/ldap-helper.c.ldap openssh-6.0p1/ldap-helper.c ---- openssh-6.0p1/ldap-helper.c.ldap 2012-08-06 20:41:38.401454190 +0200 -+++ openssh-6.0p1/ldap-helper.c 2012-08-06 20:41:38.401454190 +0200 +diff -up openssh-6.1p1/ldap-helper.c.ldap openssh-6.1p1/ldap-helper.c +--- openssh-6.1p1/ldap-helper.c.ldap 2012-11-01 12:57:17.919280385 +0100 ++++ openssh-6.1p1/ldap-helper.c 2012-11-01 12:57:17.919280385 +0100 @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1771,9 +1771,9 @@ diff -up openssh-6.0p1/ldap-helper.c.ldap openssh-6.0p1/ldap-helper.c +void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } +void buffer_put_string(Buffer *b, const void *f, u_int l) {} + -diff -up openssh-6.0p1/ldap-helper.h.ldap openssh-6.0p1/ldap-helper.h ---- openssh-6.0p1/ldap-helper.h.ldap 2012-08-06 20:41:38.401454190 +0200 -+++ openssh-6.0p1/ldap-helper.h 2012-08-06 20:41:38.401454190 +0200 +diff -up openssh-6.1p1/ldap-helper.h.ldap openssh-6.1p1/ldap-helper.h +--- openssh-6.1p1/ldap-helper.h.ldap 2012-11-01 12:57:17.919280385 +0100 ++++ openssh-6.1p1/ldap-helper.h 2012-11-01 12:57:17.919280385 +0100 @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1807,9 +1807,9 @@ diff -up openssh-6.0p1/ldap-helper.h.ldap openssh-6.0p1/ldap-helper.h +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -diff -up openssh-6.0p1/ldapincludes.h.ldap openssh-6.0p1/ldapincludes.h ---- openssh-6.0p1/ldapincludes.h.ldap 2012-08-06 20:41:38.402454186 +0200 -+++ openssh-6.0p1/ldapincludes.h 2012-08-06 20:41:38.402454186 +0200 +diff -up openssh-6.1p1/ldapincludes.h.ldap openssh-6.1p1/ldapincludes.h +--- openssh-6.1p1/ldapincludes.h.ldap 2012-11-01 12:57:17.920280385 +0100 ++++ openssh-6.1p1/ldapincludes.h 2012-11-01 12:57:17.920280385 +0100 
@@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1852,9 +1852,9 @@ diff -up openssh-6.0p1/ldapincludes.h.ldap openssh-6.0p1/ldapincludes.h +#endif + +#endif /* LDAPINCLUDES_H */ -diff -up openssh-6.0p1/ldapmisc.c.ldap openssh-6.0p1/ldapmisc.c ---- openssh-6.0p1/ldapmisc.c.ldap 2012-08-06 20:41:38.402454186 +0200 -+++ openssh-6.0p1/ldapmisc.c 2012-08-06 20:41:38.402454186 +0200 +diff -up openssh-6.1p1/ldapmisc.c.ldap openssh-6.1p1/ldapmisc.c +--- openssh-6.1p1/ldapmisc.c.ldap 2012-11-01 12:57:17.920280385 +0100 ++++ openssh-6.1p1/ldapmisc.c 2012-11-01 12:57:17.920280385 +0100 @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -1935,9 +1935,9 @@ diff -up openssh-6.0p1/ldapmisc.c.ldap openssh-6.0p1/ldapmisc.c +} +#endif + -diff -up openssh-6.0p1/ldapmisc.h.ldap openssh-6.0p1/ldapmisc.h ---- openssh-6.0p1/ldapmisc.h.ldap 2012-08-06 20:41:38.402454186 +0200 -+++ openssh-6.0p1/ldapmisc.h 2012-08-06 20:41:38.402454186 +0200 +diff -up openssh-6.1p1/ldapmisc.h.ldap openssh-6.1p1/ldapmisc.h +--- openssh-6.1p1/ldapmisc.h.ldap 2012-11-01 12:57:17.921280385 +0100 ++++ openssh-6.1p1/ldapmisc.h 2012-11-01 12:57:17.921280385 +0100 @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1974,9 +1974,9 @@ diff -up openssh-6.0p1/ldapmisc.h.ldap openssh-6.0p1/ldapmisc.h + +#endif /* LDAPMISC_H */ + -diff -up openssh-6.0p1/Makefile.in.ldap openssh-6.0p1/Makefile.in ---- openssh-6.0p1/Makefile.in.ldap 2012-08-06 20:41:38.336454444 +0200 -+++ openssh-6.0p1/Makefile.in 2012-08-06 20:41:38.403454183 +0200 +diff -up openssh-6.1p1/Makefile.in.ldap openssh-6.1p1/Makefile.in +--- openssh-6.1p1/Makefile.in.ldap 2012-11-01 12:57:17.750280385 +0100 ++++ openssh-6.1p1/Makefile.in 2012-11-01 12:57:17.922280385 +0100 @@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass SFTP_SERVER=$(libexecdir)/sftp-server 
@@ -2071,9 +2071,9 @@ diff -up openssh-6.0p1/Makefile.in.ldap openssh-6.0p1/Makefile.in -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 tests interop-tests: $(TARGETS) -diff -up openssh-6.0p1/openssh-lpk-openldap.schema.ldap openssh-6.0p1/openssh-lpk-openldap.schema ---- openssh-6.0p1/openssh-lpk-openldap.schema.ldap 2012-08-06 20:41:38.404454179 +0200 -+++ openssh-6.0p1/openssh-lpk-openldap.schema 2012-08-06 20:41:38.404454179 +0200 +diff -up openssh-6.1p1/openssh-lpk-openldap.schema.ldap openssh-6.1p1/openssh-lpk-openldap.schema +--- openssh-6.1p1/openssh-lpk-openldap.schema.ldap 2012-11-01 12:57:17.922280385 +0100 ++++ openssh-6.1p1/openssh-lpk-openldap.schema 2012-11-01 12:57:17.922280385 +0100 @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2096,9 +2096,9 @@ diff -up openssh-6.0p1/openssh-lpk-openldap.schema.ldap openssh-6.0p1/openssh-lp + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-6.0p1/openssh-lpk-sun.schema.ldap openssh-6.0p1/openssh-lpk-sun.schema ---- openssh-6.0p1/openssh-lpk-sun.schema.ldap 2012-08-06 20:41:38.404454179 +0200 -+++ openssh-6.0p1/openssh-lpk-sun.schema 2012-08-06 20:41:38.404454179 +0200 +diff -up openssh-6.1p1/openssh-lpk-sun.schema.ldap openssh-6.1p1/openssh-lpk-sun.schema +--- openssh-6.1p1/openssh-lpk-sun.schema.ldap 2012-11-01 12:57:17.922280385 +0100 ++++ openssh-6.1p1/openssh-lpk-sun.schema 2012-11-01 12:57:17.922280385 +0100 @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey 
@@ -2123,9 +2123,9 @@ diff -up openssh-6.0p1/openssh-lpk-sun.schema.ldap openssh-6.0p1/openssh-lpk-sun + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff -up openssh-6.0p1/ssh-ldap.conf.5.ldap openssh-6.0p1/ssh-ldap.conf.5 ---- openssh-6.0p1/ssh-ldap.conf.5.ldap 2012-08-06 20:41:38.405454175 +0200 -+++ openssh-6.0p1/ssh-ldap.conf.5 2012-08-06 20:41:38.405454175 +0200 +diff -up openssh-6.1p1/ssh-ldap.conf.5.ldap openssh-6.1p1/ssh-ldap.conf.5 +--- openssh-6.1p1/ssh-ldap.conf.5.ldap 2012-11-01 12:57:17.923280385 +0100 ++++ openssh-6.1p1/ssh-ldap.conf.5 2012-11-01 12:57:17.923280385 +0100 @@ -0,0 +1,376 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2503,9 +2503,9 @@ diff -up openssh-6.0p1/ssh-ldap.conf.5.ldap openssh-6.0p1/ssh-ldap.conf.5 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff -up openssh-6.0p1/ssh-ldap-helper.8.ldap openssh-6.0p1/ssh-ldap-helper.8 ---- openssh-6.0p1/ssh-ldap-helper.8.ldap 2012-08-06 20:41:38.405454175 +0200 -+++ openssh-6.0p1/ssh-ldap-helper.8 2012-08-06 20:41:38.405454175 +0200 +diff -up openssh-6.1p1/ssh-ldap-helper.8.ldap openssh-6.1p1/ssh-ldap-helper.8 +--- openssh-6.1p1/ssh-ldap-helper.8.ldap 2012-11-01 12:57:17.924280385 +0100 ++++ openssh-6.1p1/ssh-ldap-helper.8 2012-11-01 12:57:17.924280385 +0100 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" 
@@ -2586,9 +2586,9 @@ diff -up openssh-6.0p1/ssh-ldap-helper.8.ldap openssh-6.0p1/ssh-ldap-helper.8 +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff -up openssh-6.0p1/ssh-ldap-wrapper.ldap openssh-6.0p1/ssh-ldap-wrapper ---- openssh-6.0p1/ssh-ldap-wrapper.ldap 2012-08-06 20:41:38.405454175 +0200 -+++ openssh-6.0p1/ssh-ldap-wrapper 2012-08-06 20:41:38.405454175 +0200 +diff -up openssh-6.1p1/ssh-ldap-wrapper.ldap openssh-6.1p1/ssh-ldap-wrapper +--- openssh-6.1p1/ssh-ldap-wrapper.ldap 2012-11-01 12:57:17.924280385 +0100 ++++ openssh-6.1p1/ssh-ldap-wrapper 2012-11-01 12:57:17.924280385 +0100 @@ -0,0 +1,4 @@ +#!/bin/sh + diff --git a/openssh-6.1p1-akc.patch b/openssh-6.1p1-akc.patch index 49fa169..bf7a313 100644 --- a/openssh-6.1p1-akc.patch +++ b/openssh-6.1p1-akc.patch 
@@ -1,20 +1,148 @@ +diff -up openssh-6.1p1/auth.c.akc openssh-6.1p1/auth.c +--- openssh-6.1p1/auth.c.akc 2012-11-02 14:00:49.181077248 +0100 ++++ openssh-6.1p1/auth.c 2012-11-02 14:00:49.253077860 +0100 +@@ -413,39 +413,41 @@ check_key_in_hostfiles(struct passwd *pw + + + /* +- * Check a given file for security. This is defined as all components ++ * Check a given path for security. This is defined as all components + * of the path to the file must be owned by either the owner of + * of the file or root and no directories must be group or world writable. + * + * XXX Should any specific check be done for sym links ? + * +- * Takes an open file descriptor, the file name, a uid and and ++ * Takes an the file name, its stat information (preferably from fstat() to ++ * avoid races), the uid of the expected owner, their home directory and an + * error buffer plus max size as arguments. + * + * Returns 0 on success and -1 on failure + */ +-static int +-secure_filename(FILE *f, const char *file, struct passwd *pw, +- char *err, size_t errlen) ++int ++auth_secure_path(const char *name, struct stat *stp, const char *pw_dir, ++ uid_t uid, char *err, size_t errlen) + { +- uid_t uid = pw->pw_uid; + char buf[MAXPATHLEN], homedir[MAXPATHLEN]; + char *cp; + int comparehome = 0; + struct stat st; + +- if (realpath(file, buf) == NULL) { +- snprintf(err, errlen, "realpath %s failed: %s", file, ++ if (realpath(name, buf) == NULL) { ++ snprintf(err, errlen, "realpath %s failed: %s", name, + strerror(errno)); + return -1; + } +- if (realpath(pw->pw_dir, homedir) != NULL) ++ if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL) + comparehome = 1; + +- /* check the open file to avoid races */ +- if (fstat(fileno(f), &st) < 0 || +- (st.st_uid != 0 && st.st_uid != uid) || +- (st.st_mode & 022) != 0) { ++ if (!S_ISREG(stp->st_mode)) { ++ snprintf(err, errlen, "%s is not a regular file", buf); ++ return -1; ++ } ++ if ((stp->st_uid != 0 && stp->st_uid != uid) || ++ (stp->st_mode & 022) != 
0) { + snprintf(err, errlen, "bad ownership or modes for file %s", + buf); + return -1; +@@ -481,6 +483,31 @@ secure_filename(FILE *f, const char *fil + return 0; + } + ++/* ++ * Version of secure_path() that accepts an open file descriptor to ++ * avoid races. ++ * ++ * Returns 0 on success and -1 on failure ++ */ ++static int ++secure_filename(FILE *f, const char *file, struct passwd *pw, ++ char *err, size_t errlen) ++{ ++ uid_t uid = pw->pw_uid; ++ char buf[MAXPATHLEN], homedir[MAXPATHLEN]; ++ char *cp; ++ int comparehome = 0; ++ struct stat st; ++ ++ /* check the open file to avoid races */ ++ if (fstat(fileno(f), &st) < 0) { ++ snprintf(err, errlen, "cannot stat file %s: %s", ++ buf, strerror(errno)); ++ return -1; ++ } ++ return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen); ++} ++ + static FILE * + auth_openfile(const char *file, struct passwd *pw, int strict_modes, + int log_missing, char *file_type) +diff -up openssh-6.1p1/auth.h.akc openssh-6.1p1/auth.h +--- openssh-6.1p1/auth.h.akc 2012-11-02 14:00:49.239077742 +0100 ++++ openssh-6.1p1/auth.h 2012-11-02 14:00:49.253077860 +0100 +@@ -123,6 +123,10 @@ int auth_rhosts_rsa_key_allowed(struct + int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); + int user_key_allowed(struct passwd *, Key *); + ++struct stat; ++int auth_secure_path(const char *, struct stat *, const char *, uid_t, ++ char *, size_t); ++ + #ifdef KRB5 + int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); + int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c ---- openssh-6.1p1/auth2-pubkey.c.akc 2012-09-14 20:20:48.459445650 +0200 -+++ openssh-6.1p1/auth2-pubkey.c 2012-09-14 20:20:48.520446072 +0200 -@@ -27,6 +27,7 @@ +--- openssh-6.1p1/auth2-pubkey.c.akc 2012-11-02 14:00:49.241077758 +0100 ++++ openssh-6.1p1/auth2-pubkey.c 2012-11-02 14:00:49.252077852 +0100 +@@ -27,9 +27,13 @@ #include #include 
+#include ++#include #include ++#include #include -@@ -277,27 +278,15 @@ match_principals_file(char *file, struct ++#include + #include + #include + #include +@@ -260,7 +264,7 @@ match_principals_file(char *file, struct + if (strcmp(cp, cert->principals[i]) == 0) { + debug3("matched principal \"%.100s\" " + "from file \"%s\" on line %lu", +- cert->principals[i], file, linenum); ++ cert->principals[i], file, linenum); + if (auth_parse_options(pw, line_opts, + file, linenum) != 1) + continue; +@@ -273,31 +277,22 @@ match_principals_file(char *file, struct + fclose(f); + restore_uid(); + return 0; +-} ++} - /* return 1 if user allows given key */ +-/* return 1 if user allows given key */ ++/* ++ * Checks whether key is allowed in authorized_keys-format file, ++ * returns 1 if the key is allowed or 0 otherwise. ++ */ static int -user_key_allowed2(struct passwd *pw, Key *key, char *file) -+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw) ++check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) { char line[SSH_MAX_PUBKEY_BYTES]; const char *reason; @@ -38,7 +166,7 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c found_key = 0; found = key_new(key_is_cert(key) ? KEY_UNSPEC : key->type); -@@ -390,8 +379,6 @@ user_key_allowed2(struct passwd *pw, Key +@@ -390,8 +385,6 @@ user_key_allowed2(struct passwd *pw, Key break; } } @@ -47,12 +175,15 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c key_free(found); if (!found_key) debug2("key not found"); -@@ -453,13 +440,191 @@ user_cert_trusted_ca(struct passwd *pw, +@@ -453,7 +446,173 @@ user_cert_trusted_ca(struct passwd *pw, return ret; } -/* check whether given key is in .ssh/authorized_keys* */ -+/* return 1 if user allows given key */ ++/* ++ * Checks whether key is allowed in file. ++ * returns 1 if the key is allowed or 0 otherwise. ++ */ +static int +user_key_allowed2(struct passwd *pw, Key *key, char *file) +{ 
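Review bot: In the new `secure_filename()` wrapper added to auth.c in this hunk, the fstat() failure message passes `buf` to `%s`, but nothing in the wrapper writes `buf` any more — the realpath() call that used to fill it now lives in `auth_secure_path()` — so the error string is built from an uninitialized stack array. The name the caller passed is already available; change the arguments to `file, strerror(errno));`. The wrapper also keeps the old locals `uid`, `homedir`, `cp` and `comparehome`, none of which is read after the refactor; only `struct stat st;` is needed. `auth_secure_path()` itself is cut by the inner hunk boundary (its directory walk continues past the `@@ -481` hunk).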
@@ -63,10 +194,8 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c + temporarily_use_uid(pw); + + debug("trying public key file %s", file); -+ f = auth_openkeyfile(file, pw, options.strict_modes); -+ -+ if (f) { -+ found_key = user_search_key_in_file (f, file, key, pw); ++ if ((f = auth_openkeyfile(file, pw, options.strict_modes)) != NULL) { ++ found_key = check_authkeys_file(f, file, key, pw); + fclose(f); + } + 
@@ -74,211 +203,173 @@ diff -up openssh-6.1p1/auth2-pubkey.c.akc openssh-6.1p1/auth2-pubkey.c + return found_key; +} + -+#ifdef WITH_AUTHORIZED_KEYS_COMMAND -+ -+#define WHITESPACE " \t\r\n" -+ -+/* return 1 if user allows given key */ ++/* ++ * Checks whether key is allowed in output of command. ++ * returns 1 if the key is allowed or 0 otherwise. ++ */ +static int -+user_key_via_command_allowed2(struct passwd *pw, Key *key) ++user_key_command_allowed2(struct passwd *user_pw, Key *key) +{ + FILE *f; -+ int found_key = 0; -+ char *progname = NULL; -+ char *cp; -+ struct passwd *runas_pw; ++ int ok, found_key = 0; ++ struct passwd *pw; + struct stat st; -+ int childdescriptors[2], i; -+ pid_t pstat, pid, child; ++ int status, devnull, p[2], i; ++ pid_t pid; ++ char errmsg[512]; + -+ if (options.authorized_keys_command == NULL || options.authorized_keys_command[0] != '/') ++ if (options.authorized_keys_command == NULL || ++ options.authorized_keys_command[0] != '/') + return 0; + -+ /* get the run as identity from config */ -+ runas_pw = (options.authorized_keys_command_runas == NULL)? pw -+ : getpwnam (options.authorized_keys_command_runas); -+ if (!runas_pw) { -+ error("%s: getpwnam(\"%s\"): %s", __func__, -+ options.authorized_keys_command_runas, strerror(errno)); -+ return 0; ++ /* If no user specified to run commands the default to target user */ ++ if (options.authorized_keys_command_user == NULL) ++ pw = user_pw; ++ else { ++ pw = getpwnam(options.authorized_keys_command_user); ++ if (pw == NULL) { ++ error("AuthorizedKeyCommandUser \"%s\" not found: %s", ++ options.authorized_keys_command, strerror(errno)); ++ return 0; ++ } + } + -+ /* Temporarily use the specified uid. 
*/ -+ if (runas_pw->pw_uid != 0) -+ temporarily_use_uid(runas_pw); -+ -+ progname = xstrdup(options.authorized_keys_command); -+ -+ debug3("%s: checking program '%s'", __func__, progname); -+ -+ if (stat (progname, &st) < 0) { -+ error("%s: stat(\"%s\"): %s", __func__, -+ progname, strerror(errno)); -+ goto go_away; ++ temporarily_use_uid(pw); ++ if (stat(options.authorized_keys_command, &st) < 0) { ++ error("Could not stat AuthorizedKeysCommand \"%s\": %s", ++ options.authorized_keys_command, strerror(errno)); ++ goto out; + } + -+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) { -+ error("bad ownership or modes for AuthorizedKeysCommand \"%s\"", -+ progname); -+ goto go_away; ++ if (auth_secure_path(options.authorized_keys_command, &st, NULL, 0, ++ errmsg, sizeof(errmsg)) != 0) { ++ error("Unsafe AuthorizedKeysCommand: %s", errmsg); ++ goto out; + } + -+ if (!S_ISREG(st.st_mode)) { -+ error("AuthorizedKeysCommand \"%s\" is not a regular file", -+ progname); -+ goto go_away; -+ } ++ /* open the pipe and read the keys */ ++ if (pipe(p) != 0) { ++ error("%s: pipe: %s", __func__, strerror(errno)); ++ goto out; ++ } ++ ++ debug3("Running AuthorizedKeysCommand: \"%s\" as \"%s\"", ++ options.authorized_keys_command, pw->pw_name); + + /* -+ * Descend the path, checking that each component is a -+ * root-owned directory with strict permissions. ++ * Don't want to call this in the child, where it can fatal() and ++ * run cleanup_exit() code. + */ -+ do { -+ if ((cp = strrchr(progname, '/')) == NULL) -+ break; -+ else -+ *cp = '\0'; -+ -+ debug3("%s: checking component '%s'", __func__, (*progname == '\0' ? "/" : progname)); ++ restore_uid(); + -+ if (stat((*progname == '\0' ? 
"/" : progname), &st) != 0) { -+ error("%s: stat(\"%s\"): %s", __func__, -+ progname, strerror(errno)); -+ goto go_away; -+ } -+ if (st.st_uid != 0 || (st.st_mode & 022) != 0) { -+ error("bad ownership or modes for AuthorizedKeysCommand path component \"%s\"", -+ progname); -+ goto go_away; ++ switch ((pid = fork())) { ++ case -1: /* error */ ++ error("%s: fork: %s", __func__, strerror(errno)); ++ close(p[0]); ++ close(p[1]); ++ return 0; ++ case 0: /* child */ ++ for (i = 0; i < NSIG; i++) ++ signal(i, SIG_DFL); ++ ++ /* Don't use permanently_set_uid() here to avoid fatal() */ ++ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { ++ error("setresgid %u: %s", (u_int)pw->pw_gid, ++ strerror(errno)); ++ _exit(1); + } -+ if (!S_ISDIR(st.st_mode)) { -+ error("AuthorizedKeysCommand path component \"%s\" is not a directory", -+ progname); -+ goto go_away; ++ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { ++ error("setresuid %u: %s", (u_int)pw->pw_uid, ++ strerror(errno)); ++ _exit(1); + } -+ } while (1); -+ -+ /* open the pipe and read the keys */ -+ if (pipe(childdescriptors)) { -+ error("failed to pipe(2) for AuthorizedKeysCommand: %s", -+ strerror(errno)); -+ goto go_away; -+ } + -+ child = fork(); -+ if (child == -1) { -+ error("failed to fork(2) for AuthorizedKeysCommand: %s", -+ strerror(errno)); -+ goto go_away; -+ } else if (child == 0) { -+ /* we're in the child process here -- we should never return from this block. 
*/ -+ /* permanently drop privs in child process */ -+ if (runas_pw->pw_uid != 0) { -+ restore_uid(); -+ permanently_set_uid(runas_pw); -+ } -+ -+ close(childdescriptors[0]); -+ /* put the write end of the pipe on stdout (FD 1) */ -+ if (dup2(childdescriptors[1], 1) == -1) { -+ error("failed to dup2(2) from AuthorizedKeysCommand: %s", ++ close(p[0]); ++ if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { ++ error("%s: open %s: %s", __func__, _PATH_DEVNULL, + strerror(errno)); -+ _exit(127); ++ _exit(1); + } -+ -+ debug3("about to execl() AuthorizedKeysCommand: \"%s\" \"%s\"", options.authorized_keys_command, pw->pw_name); -+ /* see session.c:child_close_fds() */ -+ for (i = 3; i < 64; ++i) { -+ close(i); ++ if (dup2(devnull, STDIN_FILENO) == -1 || ++ dup2(p[1], STDOUT_FILENO) == -1 || ++ dup2(devnull, STDERR_FILENO) == -1) { ++ error("%s: dup2: %s", __func__, strerror(errno)); ++ _exit(1); + } ++ closefrom(STDERR_FILENO + 1); + -+ execl(options.authorized_keys_command, options.authorized_keys_command, pw->pw_name, NULL); ++ execl(options.authorized_keys_command, ++ options.authorized_keys_command, pw->pw_name, NULL); + -+ /* if we got here, it didn't work */ -+ error("failed to execl AuthorizedKeysCommand: %s", strerror(errno)); /* this won't work because we closed the fds above */ ++ error("AuthorizedKeysCommand %s exec failed: %s", ++ options.authorized_keys_command, strerror(errno)); + _exit(127); ++ default: /* parent */ ++ break; + } + -+ close(childdescriptors[1]); -+ f = fdopen(childdescriptors[0], "r"); -+ if (!f) { -+ error("%s: could not buffer FDs from AuthorizedKeysCommand (\"%s\", \"r\"): %s", __func__, -+ options.authorized_keys_command, strerror (errno)); -+ goto go_away; -+ } ++ temporarily_use_uid(pw); + -+ found_key = user_search_key_in_file (f, options.authorized_keys_command, key, pw); -+ fclose (f); -+ do { -+ pid = waitpid(child, &pstat, 0); -+ } while (pid == -1 && errno == EINTR); ++ close(p[1]); ++ if ((f = fdopen(p[0], "r")) == NULL) { ++ 
error("%s: fdopen: %s", __func__, strerror(errno)); ++ close(p[0]); ++ /* Don't leave zombie child */ ++ while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) ++ ; ++ goto out; ++ } ++ ok = check_authkeys_file(f, options.authorized_keys_command, key, pw); ++ fclose(f); + -+ /* what about the return value from the child process? */ -+go_away: -+ if (progname) -+ xfree (progname); ++ while (waitpid(pid, &status, 0) == -1) { ++ if (errno != EINTR) { ++ error("%s: waitpid: %s", __func__, strerror(errno)); ++ goto out; ++ } ++ } ++ if (WIFSIGNALED(status)) { ++ error("AuthorizedKeysCommand %s exited on signal %d", ++ options.authorized_keys_command, WTERMSIG(status)); ++ goto out; ++ } else if (WEXITSTATUS(status) != 0) { ++ error("AuthorizedKeysCommand %s returned status %d", ++ options.authorized_keys_command, WEXITSTATUS(status)); ++ goto out; ++ } ++ found_key = ok; ++ out: ++ restore_uid(); + -+ if (runas_pw->pw_uid != 0) -+ restore_uid(); + return found_key; +} -+#endif + -+/* check whether given key is in 0) + return success; -+#endif + - if (auth_key_is_revoked(key)) - return 0; - if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key)) -diff -up openssh-6.1p1/configure.ac.akc openssh-6.1p1/configure.ac ---- openssh-6.1p1/configure.ac.akc 2012-07-06 03:49:29.000000000 +0200 -+++ openssh-6.1p1/configure.ac 2012-09-14 20:20:48.525446106 +0200 -@@ -1512,6 +1512,18 @@ AC_ARG_WITH([audit], - esac ] - ) - -+# Check whether user wants AuthorizedKeysCommand support -+AKC_MSG="no" -+AC_ARG_WITH(authorized-keys-command, -+ [ --with-authorized-keys-command Enable AuthorizedKeysCommand support], -+ [ -+ if test "x$withval" != "xno" ; then -+ AC_DEFINE([WITH_AUTHORIZED_KEYS_COMMAND], 1, [Enable AuthorizedKeysCommand support]) -+ AKC_MSG="yes" -+ fi -+ ] -+) -+ - dnl Checks for library functions. 
Please keep in alphabetical order - AC_CHECK_FUNCS([ \ - arc4random \ -@@ -4407,6 +4419,7 @@ echo " SELinux support - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" - echo " TCP Wrappers support: $TCPW_MSG" -+echo " AuthorizedKeysCommand support: $AKC_MSG" - echo " MD5 password support: $MD5_MSG" - echo " libedit support: $LIBEDIT_MSG" - echo " Solaris process contract support: $SPC_MSG" + for (i = 0; !success && i < options.num_authkeys_files; i++) { + file = expand_authorized_keys( + options.authorized_keys_files[i], pw); diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c ---- openssh-6.1p1/servconf.c.akc 2012-09-14 20:20:48.138443423 +0200 -+++ openssh-6.1p1/servconf.c 2012-09-14 20:27:34.546107295 +0200 +--- openssh-6.1p1/servconf.c.akc 2012-11-02 14:00:49.186077290 +0100 ++++ openssh-6.1p1/servconf.c 2012-11-02 14:26:32.086138017 +0100 @@ -139,6 +139,8 @@ initialize_server_options(ServerOptions options->num_permitted_opens = -1; options->adm_forced_command = NULL; options->chroot_directory = NULL; + options->authorized_keys_command = NULL; -+ options->authorized_keys_command_runas = NULL; ++ options->authorized_keys_command_user = NULL; options->zero_knowledge_password_authentication = -1; options->revoked_keys_file = NULL; options->trusted_user_ca_keys = NULL; 
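Review bot: In the rewritten `user_key_command_allowed2()` the getpwnam() failure path reports the wrong field: the format names the user option but prints `options.authorized_keys_command`, so the log shows the command path rather than the user name that could not be resolved, and the option name is misspelled ("AuthorizedKeyCommandUser"). Change the call to `error("AuthorizedKeysCommandUser \"%s\" not found: %s", options.authorized_keys_command_user, strerror(errno));`. getpwnam() also need not set errno when the entry simply does not exist, so the strerror() suffix can mislead; clearing errno before the lookup, or dropping the suffix, would keep the message honest. The function is contained entirely within this hunk.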
@@ -286,43 +377,40 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c sZeroKnowledgePasswordAuthentication, sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sVersionAddendum, -+ sAuthorizedKeysCommand, sAuthorizedKeysCommandRunAs, ++ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sDeprecated, sUnsupported } ServerOpCodes; -@@ -461,6 +464,14 @@ static struct { +@@ -460,6 +463,9 @@ static struct { + { "requiredauthentications1", sRequiredAuthentications1, SSHCFG_ALL }, { "requiredauthentications2", sRequiredAuthentications2, SSHCFG_ALL }, { "ipqos", sIPQoS, SSHCFG_ALL }, - { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, -+#ifdef WITH_AUTHORIZED_KEYS_COMMAND + { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, -+ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandRunAs, SSHCFG_ALL }, -+#else -+ { "authorizedkeyscommand", sUnsupported, SSHCFG_ALL }, -+ { "authorizedkeyscommandrunas", sUnsupported, SSHCFG_ALL }, -+#endif -+ ++ { "authorizedkeyscommandrunas", sAuthorizedKeysCommandUser, SSHCFG_ALL }, ++ { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, + { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; - -@@ -1532,6 +1543,24 @@ process_server_config_line(ServerOptions +@@ -1532,6 +1538,26 @@ process_server_config_line(ServerOptions } return 0; + case sAuthorizedKeysCommand: + len = strspn(cp, WHITESPACE); -+ if (*activep && options->authorized_keys_command == NULL) ++ if (*activep && options->authorized_keys_command == NULL) { + options->authorized_keys_command = xstrdup(cp + len); ++ if (*options->authorized_keys_command != '/') { ++ fatal("%.200s line %d: AuthorizedKeysCommand " ++ "must be an absolute path", ++ filename, linenum); ++ } ++ } + return 0; + -+ case sAuthorizedKeysCommandRunAs: -+ charptr = &options->authorized_keys_command_runas; ++ case sAuthorizedKeysCommandUser: ++ charptr = 
&options->authorized_keys_command_user; + + arg = strdelim(&cp); -+ if (!arg || *arg == '\0') -+ fatal("%s line %d: missing account.", -+ filename, linenum); -+ + if (*activep && *charptr == NULL) + *charptr = xstrdup(arg); + break; @@ -330,52 +418,76 @@ diff -up openssh-6.1p1/servconf.c.akc openssh-6.1p1/servconf.c case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); -@@ -1682,6 +1711,8 @@ copy_set_server_options(ServerOptions *d +@@ -1682,6 +1708,8 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(hostbased_uses_name_from_packet_only); M_CP_INTOPT(kbd_interactive_authentication); M_CP_INTOPT(zero_knowledge_password_authentication); + M_CP_STROPT(authorized_keys_command); -+ M_CP_STROPT(authorized_keys_command_runas); ++ M_CP_STROPT(authorized_keys_command_user); M_CP_INTOPT(permit_root_login); M_CP_INTOPT(permit_empty_passwd); -@@ -1942,6 +1973,8 @@ dump_config(ServerOptions *o) +@@ -1942,6 +1970,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sAuthorizedPrincipalsFile, o->authorized_principals_file); dump_cfg_string(sVersionAddendum, o->version_addendum); + dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); -+ dump_cfg_string(sAuthorizedKeysCommandRunAs, o->authorized_keys_command_runas); ++ dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); diff -up openssh-6.1p1/servconf.h.akc openssh-6.1p1/servconf.h ---- openssh-6.1p1/servconf.h.akc 2012-09-14 20:20:48.000000000 +0200 -+++ openssh-6.1p1/servconf.h 2012-09-14 20:23:16.691844577 +0200 +--- openssh-6.1p1/servconf.h.akc 2012-11-02 14:00:49.186077290 +0100 ++++ openssh-6.1p1/servconf.h 2012-11-02 14:00:49.254077869 +0100 
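Review bot: The new absolute-path check in the sAuthorizedKeysCommand case, `if (*options->authorized_keys_command != '/')`, makes `fatal()` fire for the value `none`, which is exactly what the sample config in the next hunk (`#AuthorizedKeysCommand none`) invites administrators to write and what the sshd_config.5 hunk calls the default; uncommenting that sample line yields an sshd that refuses to start. Accepting the explicit off value, `if (*options->authorized_keys_command != '/' && strcasecmp(options->authorized_keys_command, "none") != 0)`, keeps the parser and the shipped sample consistent, though whoever consumes authorized_keys_command (outside this hunk) would presumably also need to treat "none" as unset rather than try to execute it. Separately, the sAuthorizedKeysCommandUser case drops the `if (!arg || *arg == '\0') fatal(...)` guard, so a bare `AuthorizedKeysCommandUser` line now stores an empty user name and the mistake surfaces only later, presumably when that account is looked up at authentication time. Keeping `if (!arg || *arg == '\0') fatal("%s line %d: missing AuthorizedKeysCommandUser argument.", filename, linenum);` reports it at parse time, where `sshd -t` catches it before a restart.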
@@ -169,6 +169,8 @@ typedef struct { char *revoked_keys_file; char *trusted_user_ca_keys; char *authorized_principals_file; + char *authorized_keys_command; -+ char *authorized_keys_command_runas; ++ char *authorized_keys_command_user; char *version_addendum; /* Appended to SSH banner */ } ServerOptions; +diff -up openssh-6.1p1/sshd.c.akc openssh-6.1p1/sshd.c +--- openssh-6.1p1/sshd.c.akc 2012-11-02 14:00:49.249077826 +0100 ++++ openssh-6.1p1/sshd.c 2012-11-02 14:00:49.254077869 +0100 +@@ -366,9 +366,20 @@ main_sigchld_handler(int sig) + static void + grace_alarm_handler(int sig) + { ++ pid_t pgid; ++ + if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) + kill(pmonitor->m_pid, SIGALRM); + ++ /* ++ * Try to kill any processes that we have spawned, E.g. authorized ++ * keys command helpers. ++ */ ++ if ((pgid = getpgid(0)) == getpid()) { ++ signal(SIGTERM, SIG_IGN); ++ killpg(pgid, SIGTERM); ++ } ++ + /* Log error and exit. */ + sigdie("Timeout before authentication for %s", get_remote_ipaddr()); + } diff -up openssh-6.1p1/sshd_config.akc openssh-6.1p1/sshd_config --- openssh-6.1p1/sshd_config.akc 2012-07-31 04:21:34.000000000 +0200 -+++ openssh-6.1p1/sshd_config 2012-09-14 20:30:46.950095769 +0200 ++++ openssh-6.1p1/sshd_config 2012-11-02 14:00:49.255077878 +0100 @@ -49,6 +49,9 @@ # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedKeysCommand none -+#AuthorizedKeysCommandRunAs nobody ++#AuthorizedKeysCommandUser nobody + #AuthorizedPrincipalsFile none # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0 --- openssh-6.1p1/sshd_config.0.akc 2012-08-29 02:53:04.000000000 +0200 -+++ openssh-6.1p1/sshd_config.0 2012-09-14 20:32:23.539624859 +0200 ++++ openssh-6.1p1/sshd_config.0 2012-11-02 14:00:49.255077878 +0100 
@@ -71,6 +71,23 @@ DESCRIPTION See PATTERNS in ssh_config(5) for more information on patterns. 
@@ -411,38 +523,39 @@ diff -up openssh-6.1p1/sshd_config.0.akc openssh-6.1p1/sshd_config.0 GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication, HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication, diff -up openssh-6.1p1/sshd_config.5.akc openssh-6.1p1/sshd_config.5 ---- openssh-6.1p1/sshd_config.5.akc 2012-09-14 20:20:48.142443448 +0200 -+++ openssh-6.1p1/sshd_config.5 2012-09-14 20:29:56.003873873 +0200 -@@ -151,6 +151,19 @@ See +--- openssh-6.1p1/sshd_config.5.akc 2012-11-02 14:00:49.187077299 +0100 ++++ openssh-6.1p1/sshd_config.5 2012-11-02 14:00:49.255077878 +0100 +@@ -151,6 +151,20 @@ See in .Xr ssh_config 5 for more information on patterns. +.It Cm AuthorizedKeysCommand -+Specifies a program to be used for lookup of the user's -+public keys. The program will be invoked with its first -+argument the name of the user being authorized, and should produce -+on standard output AuthorizedKeys lines (see AUTHORIZED_KEYS -+in sshd(8)). By default (or when set to the empty string) there is no -+AuthorizedKeysCommand run. If the AuthorizedKeysCommand does not successfully -+authorize the user, authorization falls through to the -+AuthorizedKeysFile. Note that this option has an effect -+only with PubkeyAuthentication turned on. -+.It Cm AuthorizedKeysCommandRunAs -+Specifies the user under whose account the AuthorizedKeysCommand is run. Empty -+string (the default value) means the user being authorized is used. ++Specifies a program to be used for lookup of the user's public keys. ++The program will be invoked with a single argument of the username ++being authenticated, and should produce on standard output zero or ++more lines of authorized_keys output (see AUTHORIZED_KEYS in ++.Xr sshd 8 ) ++If a key supplied by AuthorizedKeysCommand does not successfully authenticate ++and authorize the user then public key authentication continues using the usual ++.Cm AuthorizedKeysFile ++files. ++By default, no AuthorizedKeysCommand is run. 
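Review bot: The helper cleanup added to grace_alarm_handler in sshd.c runs only when sshd leads its own process group (`if ((pgid = getpgid(0)) == getpid())`), so a listener that was started without becoming a group leader, such as one run in the foreground by a supervisor that did not call setsid(), leaves an AuthorizedKeysCommand helper alive past the login grace timeout; that assumption deserves a comment, e.g. `/* Only signal the group if we lead it; otherwise killpg() would reach processes we do not own and helpers are left to exit on their own. */`. The `signal(SIGTERM, SIG_IGN)` placed before `killpg()` is what keeps sshd itself alive long enough to reach the `sigdie()` call that follows, and a one-line comment saying so would stop a later reader from removing it. A helper that has moved itself into another process group would also escape this, which is presumably acceptable but worth stating.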
++.It Cm AuthorizedKeysCommandUser ++Specifies the user under whose account the AuthorizedKeysCommand is run. ++The default is the user being authenticated. .It Cm AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. -@@ -712,6 +725,8 @@ Available keywords are +@@ -712,6 +726,8 @@ Available keywords are .Cm AllowTcpForwarding , .Cm AllowUsers , .Cm AuthorizedKeysFile , +.Cm AuthorizedKeysCommand , -+.Cm AuthorizedKeysCommandRunAs , ++.Cm AuthorizedKeysCommandUser , .Cm AuthorizedPrincipalsFile , .Cm Banner , .Cm ChrootDirectory , -@@ -726,6 +741,7 @@ Available keywords are +@@ -726,6 +742,7 @@ Available keywords are .Cm KerberosAuthentication , .Cm MaxAuthTries , .Cm MaxSessions , diff --git a/openssh.spec b/openssh.spec index 77a8431..901eafc 100644 --- a/openssh.spec +++ b/openssh.spec @@ -507,7 +507,6 @@ fi --disable-strip \ --without-zlib-version-check \ --with-ssl-engine \ - --with-authorized-keys-command \ --with-ipaddr-display \ %if %{ldap} --with-ldap \