PR#6: SELinux + Kerberos + PKCS#11 update - rpms/openssh

		`@@ -19,7 +19,7 @@`

		`if (!sshd_selinux_enabled())`
		`return;`
		`- @@ -461,6 +462,58 @@ sshd_selinux_copy_context(void)`
		`+ @@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)`
		`}`
		`}`

		`@@ -30,46 +30,60 @@`
		`+ char line[1024], preauth_context = NULL, cp, *arg;`
		`+ const char *contexts_path;`
		`+ FILE *contexts_file;`
		`+ + struct stat sb;`
		`+`
		`+ contexts_path = selinux_openssh_contexts_path();`
		`- + if (contexts_path != NULL) {`
		`- + if ((contexts_file = fopen(contexts_path, "r")) != NULL) {`
		`- + struct stat sb;`
		`+ + if (contexts_path == NULL) {`
		`+ + debug3("%s: Failed to get the path to SELinux context", __func__);`
		`+ + return;`
		`+ + }`
		`+`
		`- + if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {`
		`- + while (fgets(line, sizeof(line), contexts_file)) {`
		`- + /* Strip trailing whitespace */`
		`- + for (len = strlen(line) - 1; len > 0; len--) {`
		`- + if (strchr(" \t\r\n", line[len]) == NULL)`
		`- + break;`
		`- + line[len] = '\0';`
		`- + }`
		`+ + if ((contexts_file = fopen(contexts_path, "r")) == NULL) {`
		`+ + debug("%s: Failed to open SELinux context file", __func__);`
		`+ + return;`
		`+ + }`
		`+`
		`- + if (line[0] == '\0')`
		`- + continue;`
		`+ + if (fstat(fileno(contexts_file), &sb) != 0 \|\|`
		`+ + sb.st_uid != 0 \|\| (sb.st_mode & 022) != 0) {`
		`+ + logit("%s: SELinux context file needs to be owned by root"`
		`+ + " and not writable by anyone else", __func__);`
		`+ + fclose(contexts_file);`
		`+ + return;`
		`+ + }`
		`+`
		`- + cp = line;`
		`- + arg = strdelim(&cp);`
		`- + if (arg && *arg == '\0')`
		`- + arg = strdelim(&cp);`
		`+ + while (fgets(line, sizeof(line), contexts_file)) {`
		`+ + /* Strip trailing whitespace */`
		`+ + for (len = strlen(line) - 1; len > 0; len--) {`
		`+ + if (strchr(" \t\r\n", line[len]) == NULL)`
		`+ + break;`
		`+ + line[len] = '\0';`
		`+ + }`
		`+`
		`- + if (arg && strcmp(arg, "privsep_preauth") == 0) {`
		`- + arg = strdelim(&cp);`
		`- + if (!arg \|\| *arg == '\0') {`
		`- + debug("%s: privsep_preauth is empty", __func__);`
		`- + fclose(contexts_file);`
		`- + return;`
		`- + }`
		`- + preauth_context = xstrdup(arg);`
		`- + }`
		`- + }`
		`+ + if (line[0] == '\0')`
		`+ + continue;`
		`+ +`
		`+ + cp = line;`
		`+ + arg = strdelim(&cp);`
		`+ + if (arg && *arg == '\0')`
		`+ + arg = strdelim(&cp);`
		`+ +`
		`+ + if (arg && strcmp(arg, "privsep_preauth") == 0) {`
		`+ + arg = strdelim(&cp);`
		`+ + if (!arg \|\| *arg == '\0') {`
		`+ + debug("%s: privsep_preauth is empty", __func__);`
		`+ + fclose(contexts_file);`
		`+ + return;`
		`+ }`
		`- + fclose(contexts_file);`
		`+ + preauth_context = xstrdup(arg);`
		`+ }`
		`+ }`
		`+ + fclose(contexts_file);`
		`+`
		`- + if (preauth_context == NULL)`
		`- + preauth_context = xstrdup("sshd_net_t");`
		`+ + if (preauth_context == NULL) {`
		`+ + debug("%s: Unable to find 'privsep_preauth' option in"`
		`+ + " SELinux context file", __func__);`
		`+ + return;`
		`+ + }`
		`+`
		`+ ssh_selinux_change_context(preauth_context);`
		`+ free(preauth_context);`

openssh-6.6p1-privsep-selinux.patch

file modified

+3 -3

		`@@ -25,15 +25,15 @@`
		`+ return;`
		`+`
		`+ if (getexeccon((security_context_t *)&ctx) != 0) {`
		`- + logit("%s: getcon failed with %s", __func__, strerror (errno));`
		`+ + logit("%s: getexeccon failed with %s", __func__, strerror(errno));`
		`+ return;`
		`+ }`
		`+ if (ctx != NULL) {`
		`+ /* unset exec context before we will lose this capabililty */`
		`+ if (setexeccon(NULL) != 0)`
		`- + fatal("%s: setexeccon failed with %s", __func__, strerror (errno));`
		`+ + fatal("%s: setexeccon failed with %s", __func__, strerror(errno));`
		`+ if (setcon(ctx) != 0)`
		`- + fatal("%s: setcon failed with %s", __func__, strerror (errno));`
		`+ + fatal("%s: setcon failed with %s", __func__, strerror(errno));`
		`+ freecon(ctx);`
		`+ }`
		`+}`

openssh-7.1p2-audit-race-condition.patch

file modified

+2 -2

		`@@ -172,8 +172,8 @@`
		`* Performs common processing for the child, such as setting up the`
		`* environment, closing extra file descriptors, setting the user and group`
		`@@ -1554,13 +1608,6 @@ do_child(Session s, const char command`
		`- struct passwd *pw = s->pw;`
		`- int r = 0;`
		`+ pw = s->pw;`
		`+ }`

		`- /* remove hostkey from the child's memory */`
		`- destroy_sensitive_data(1);`

openssh-7.6p1-audit.patch

file modified

+1 -1

		`@@ -1806,7 +1806,7 @@`
		`if (s->ttyfd != -1)`
		`ret = do_exec_pty(ssh, s, command);`
		`@@ -1499,8 +1511,11 @@ do_child(struct ssh ssh, Session s, co`
		`- int r = 0;`
		`+ }`

		`/* remove hostkey from the child's memory */`
		`- destroy_sensitive_data();`

openssh-7.6p1-pkcs11-ecdsa.patch

file modified

+15 -2

		`@@ -466,7 +466,7 @@`
		`{ CKA_ID, NULL, 0 },`
		`{ CKA_LABEL, NULL, 0 }`
		`};`
		`- @@ -569,29 +772,60 @@ pkcs11_fetch_keys(struct pkcs11_provider`
		`+ @@ -569,37 +772,72 @@ pkcs11_fetch_keys(struct pkcs11_provider`
		`{ CKA_SUBJECT, NULL, 0 },`
		`{ CKA_VALUE, NULL, 0 }`
		`};`
		`@@ -532,7 +532,20 @@`
		`+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size - 1,`
		`cert_attribs, keysp, nkeys) < 0)`
		`return (-1);`
		`- return (0);`
		`+ if (*nkeys == 0) {`
		`+ /* Try once more without the label filter */`
		`+ filter_size--;`
		`+ if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,`
		`+ pubkey_attribs, keysp, nkeys) < 0 \|\|`
		`+ - pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,`
		`+ +#ifdef ENABLE_PKCS11_ECDSA`
		`+ + pkcs11_fetch_keys_filter(p, slotidx, ecdsa_filter, filter_size,`
		`+ + ecdsa_attribs, keysp, nkeys) < 0\|\|`
		`+ +#endif /* ENABLE_PKCS11_ECDSA */`
		`+ + pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size - 1,`
		`+ cert_attribs, keysp, nkeys) < 0)`
		`+ return (-1);`
		`+ }`
		`@@ -624,8 +858,13 @@ pkcs11_fetch_keys_filter(struct pkcs11_p`
		`CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4],`
		`struct sshkey **keysp, int nkeys)`

openssh-7.6p1-pkcs11-uri.patch

file modified

+13 -2

		`@@ -3785,7 +3785,7 @@`
		`return (0);`
		`}`

		`- @@ -404,38 +537,62 @@ pkcs11_open_session(struct pkcs11_provid`
		`+ @@ -404,39 +537,72 @@ pkcs11_open_session(struct pkcs11_provid`
		`* keysp points to an (possibly empty) array with *nkeys keys.`
		`*/`
		`static int pkcs11_fetch_keys_filter(struct pkcs11_provider *, CK_ULONG,`
		`@@ -3854,8 +3854,18 @@`
		`+ pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,`
		`+ cert_attribs, keysp, nkeys) < 0)`
		`return (-1);`
		`+ + if (*nkeys == 0) {`
		`+ + /* Try once more without the label filter */`
		`+ + filter_size--;`
		`+ + if (pkcs11_fetch_keys_filter(p, slotidx, pubkey_filter, filter_size,`
		`+ + pubkey_attribs, keysp, nkeys) < 0 \|\|`
		`+ + pkcs11_fetch_keys_filter(p, slotidx, cert_filter, filter_size,`
		`+ + cert_attribs, keysp, nkeys) < 0)`
		`+ + return (-1);`
		`+ + }`
		`return (0);`
		`}`
		`+`
		`@@ -462,14 +619,15 @@ have_rsa_key(const RSA *rsa)`

		`static int`
		`@@ -3989,7 +3999,7 @@`
		`free(attribs[i].pValue);`
		`}`
		`if ((rv = f->C_FindObjectsFinal(session)) != CKR_OK)`
		`- @@ -592,126 +750,239 @@ pkcs11_fetch_keys_filter(struct pkcs11_p`
		`+ @@ -592,126 +750,240 @@ pkcs11_fetch_keys_filter(struct pkcs11_p`
		`int`
		`pkcs11_add_provider(char provider_id, char pin, struct sshkey ***keyp)`
		`{`
		`@@ -4276,6 +4286,7 @@`
		`- free(p->slotlist);`
		`- free(p->slotinfo);`
		`- free(p);`
		`+ + TAILQ_REMOVE(&pkcs11_providers, p, next);`
		`+ pkcs11_provider_unref(p);`
		`}`
		`- if (handle)`

openssh-7.7p1-fips.patch

file modified

+154 -80

		`@@ -1,6 +1,6 @@`
		`- diff -up openssh-7.7p1/cipher.c.fips openssh-7.7p1/cipher.c`
		`- --- openssh-7.7p1/cipher.c.fips 2018-08-08 10:08:40.814719906 +0200`
		`- +++ openssh-7.7p1/cipher.c 2018-08-08 10:08:40.821719965 +0200`
		`+ diff -up openssh-7.9p1/cipher.c.fips openssh-7.9p1/cipher.c`
		`+ --- openssh-7.9p1/cipher.c.fips 2019-03-11 17:06:37.614877975 +0100`
		`+ +++ openssh-7.9p1/cipher.c 2019-03-11 17:06:37.620878031 +0100`
		`@@ -39,6 +39,8 @@`

		`#include <sys/types.h>`
		`@@ -10,7 +10,7 @@`
		`#include <string.h>`
		`#include <stdarg.h>`
		`#include <stdio.h>`
		`- @@ -90,6 +92,33 @@ static const struct sshcipher ciphers[]`
		`+ @@ -92,6 +94,33 @@ static const struct sshcipher ciphers[]`
		`{ NULL, 0, 0, 0, 0, 0, NULL }`
		`};`

		`@@ -44,7 +44,7 @@`
		`/--/`

		`/* Returns a comma-separated list of supported ciphers. */`
		`- @@ -100,7 +129,7 @@ cipher_alg_list(char sep, int auth_only)`
		`+ @@ -102,7 +131,7 @@ cipher_alg_list(char sep, int auth_only)`
		`size_t nlen, rlen = 0;`
		`const struct sshcipher *c;`

		`@@ -53,7 +53,7 @@`
		`if ((c->flags & CFLAG_INTERNAL) != 0)`
		`continue;`
		`if (auth_only && c->auth_len == 0)`
		`- @@ -172,7 +201,7 @@ const struct sshcipher *`
		`+ @@ -174,7 +203,7 @@ const struct sshcipher *`
		`cipher_by_name(const char *name)`
		`{`
		`const struct sshcipher *c;`
		`@@ -62,9 +62,9 @@`
		`if (strcmp(c->name, name) == 0)`
		`return c;`
		`return NULL;`
		`- diff -up openssh-7.7p1/cipher-ctr.c.fips openssh-7.7p1/cipher-ctr.c`
		`- --- openssh-7.7p1/cipher-ctr.c.fips 2018-08-08 10:08:40.709719021 +0200`
		`- +++ openssh-7.7p1/cipher-ctr.c 2018-08-08 10:08:40.821719965 +0200`
		`+ diff -up openssh-7.9p1/cipher-ctr.c.fips openssh-7.9p1/cipher-ctr.c`
		`+ --- openssh-7.9p1/cipher-ctr.c.fips 2019-03-11 17:06:37.519877082 +0100`
		`+ +++ openssh-7.9p1/cipher-ctr.c 2019-03-11 17:06:37.620878031 +0100`
		`@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)`
		`aes_ctr.do_cipher = ssh_aes_ctr;`
		`#ifndef SSH_OLD_EVP`
		`@@ -75,10 +75,10 @@`
		`#endif`
		`return (&aes_ctr);`
		`}`
		`- diff -up openssh-7.7p1/clientloop.c.fips openssh-7.7p1/clientloop.c`
		`- --- openssh-7.7p1/clientloop.c.fips 2018-08-08 10:08:40.769719527 +0200`
		`- +++ openssh-7.7p1/clientloop.c 2018-08-08 10:08:40.822719973 +0200`
		`- @@ -1978,7 +1978,8 @@ key_accepted_by_hostkeyalgs(const struct`
		`+ diff -up openssh-7.9p1/clientloop.c.fips openssh-7.9p1/clientloop.c`
		`+ --- openssh-7.9p1/clientloop.c.fips 2019-03-11 17:06:37.523877120 +0100`
		`+ +++ openssh-7.9p1/clientloop.c 2019-03-11 17:06:37.620878031 +0100`
		`+ @@ -2014,7 +2014,8 @@ key_accepted_by_hostkeyalgs(const struct`
		`{`
		`const char *ktype = sshkey_ssh_name(key);`
		`const char *hostkeyalgs = options.hostkeyalgorithms != NULL ?`
		`@@ -88,10 +88,73 @@`

		`if (key == NULL \|\| key->type == KEY_UNSPEC)`
		`return 0;`
		`- diff -up openssh-7.7p1/dh.h.fips openssh-7.7p1/dh.h`
		`- --- openssh-7.7p1/dh.h.fips 2018-04-02 07:38:28.000000000 +0200`
		`- +++ openssh-7.7p1/dh.h 2018-08-08 10:08:40.822719973 +0200`
		`- @@ -51,6 +51,7 @@ u_int dh_estimate(int);`
		`+ diff -up openssh-7.9p1/dh.c.fips openssh-7.9p1/dh.c`
		`+ --- openssh-7.9p1/dh.c.fips 2018-10-17 02:01:20.000000000 +0200`
		`+ +++ openssh-7.9p1/dh.c 2019-03-11 17:08:11.769763057 +0100`
		`+ @@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max`
		`+ int best, bestcount, which, linenum;`
		`+ struct dhgroup dhg;`
		`+`
		`+ + if (FIPS_mode()) {`
		`+ + logit("Using arbitrary primes is not allowed in FIPS mode."`
		`+ + " Falling back to known groups.");`
		`+ + return (dh_new_group_fallback(max));`
		`+ + }`
		`+ +`
		`+ if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) {`
		`+ logit("WARNING: could not open %s (%s), using fixed modulus",`
		`+ _PATH_DH_MODULI, strerror(errno));`
		`+ @@ -489,4 +495,38 @@ dh_estimate(int bits)`
		`+ return 8192;`
		`+ }`
		`+`
		`+ +/*`
		`+ + * Compares the received DH parameters with known-good groups,`
		`+ + * which might be either from group14, group16 or group18.`
		`+ + */`
		`+ +int`
		`+ +dh_is_known_group(const DH *dh)`
		`+ +{`
		`+ + const BIGNUM p, g;`
		`+ + const BIGNUM known_p, known_g;`
		`+ + DH *known = NULL;`
		`+ + int bits = 0, rv = 0;`
		`+ +`
		`+ + DH_get0_pqg(dh, &p, NULL, &g);`
		`+ + bits = BN_num_bits(p);`
		`+ +`
		`+ + if (bits <= 3072) {`
		`+ + known = dh_new_group14();`
		`+ + } else if (bits <= 6144) {`
		`+ + known = dh_new_group16();`
		`+ + } else {`
		`+ + known = dh_new_group18();`
		`+ + }`
		`+ +`
		`+ + DH_get0_pqg(known, &known_p, NULL, &known_g);`
		`+ +`
		`+ + if (BN_cmp(g, known_g) == 0 &&`
		`+ + BN_cmp(p, known_p) == 0) {`
		`+ + rv = 1;`
		`+ + }`
		`+ +`
		`+ + DH_free(known);`
		`+ + return rv;`
		`+ +}`
		`+ +`
		`+ #endif /* WITH_OPENSSL */`
		`+ diff -up openssh-7.9p1/dh.h.fips openssh-7.9p1/dh.h`
		`+ --- openssh-7.9p1/dh.h.fips 2018-10-17 02:01:20.000000000 +0200`
		`+ +++ openssh-7.9p1/dh.h 2019-03-11 17:08:18.718828381 +0100`
		`+ @@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int);`
		`+`
		`+ int dh_gen_key(DH *, int);`
		`+ int dh_pub_is_valid(const DH , const BIGNUM );`
		`+ +int dh_is_known_group(const DH *);`
		`+`
		`+ u_int dh_estimate(int);`
		`+`
		`+ @@ -51,6 +52,7 @@ u_int dh_estimate(int);`
		`* Miniumum increased in light of DH precomputation attacks.`
		`*/`
		`#define DH_GRP_MIN 2048`
		`@@ -99,10 +162,10 @@`
		`#define DH_GRP_MAX 8192`

		`/*`
		`- diff -up openssh-7.7p1/entropy.c.fips openssh-7.7p1/entropy.c`
		`- --- openssh-7.7p1/entropy.c.fips 2018-08-08 10:08:40.698718928 +0200`
		`- +++ openssh-7.7p1/entropy.c 2018-08-08 10:08:40.822719973 +0200`
		`- @@ -217,6 +217,11 @@ seed_rng(void)`
		`+ diff -up openssh-7.9p1/entropy.c.fips openssh-7.9p1/entropy.c`
		`+ --- openssh-7.9p1/entropy.c.fips 2018-10-17 02:01:20.000000000 +0200`
		`+ +++ openssh-7.9p1/entropy.c 2019-03-11 17:06:37.621878041 +0100`
		`+ @@ -223,6 +223,11 @@ seed_rng(void)`
		`fatal("OpenSSL version mismatch. Built against %lx, you "`
		`"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());`

		`@@ -114,9 +177,9 @@`
		`#ifndef OPENSSL_PRNG_ONLY`
		`if (RAND_status() == 1) {`
		`debug3("RNG is ready, skipping seeding");`
		`- diff -up openssh-7.7p1/kex.c.fips openssh-7.7p1/kex.c`
		`- --- openssh-7.7p1/kex.c.fips 2018-08-08 10:08:40.815719915 +0200`
		`- +++ openssh-7.7p1/kex.c 2018-08-08 10:11:24.109081924 +0200`
		`+ diff -up openssh-7.9p1/kex.c.fips openssh-7.9p1/kex.c`
		`+ --- openssh-7.9p1/kex.c.fips 2019-03-11 17:06:37.614877975 +0100`
		`+ +++ openssh-7.9p1/kex.c 2019-03-11 17:06:37.621878041 +0100`
		`@@ -35,6 +35,7 @@`
		`#ifdef WITH_OPENSSL`
		`#include <openssl/crypto.h>`
		`@@ -182,9 +245,9 @@`
		`free(s);`
		`return 0;`
		`}`
		`- diff -up openssh-7.7p1/kexgexc.c.fips openssh-7.7p1/kexgexc.c`
		`- --- openssh-7.7p1/kexgexc.c.fips 2018-04-02 07:38:28.000000000 +0200`
		`- +++ openssh-7.7p1/kexgexc.c 2018-08-08 10:08:40.822719973 +0200`
		`+ diff -up openssh-7.9p1/kexgexc.c.fips openssh-7.9p1/kexgexc.c`
		`+ --- openssh-7.9p1/kexgexc.c.fips 2018-10-17 02:01:20.000000000 +0200`
		`+ +++ openssh-7.9p1/kexgexc.c 2019-03-11 17:06:37.621878041 +0100`
		`@@ -28,6 +28,7 @@`

		`#ifdef WITH_OPENSSL`
		`@@ -193,7 +256,7 @@`
		`#include <sys/types.h>`

		`#include <openssl/dh.h>`
		`- @@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)`
		`+ @@ -65,7 +66,7 @@ kexgex_client(struct ssh *ssh)`

		`nbits = dh_estimate(kex->dh_need * 8);`

		`@@ -202,10 +265,21 @@`
		`kex->max = DH_GRP_MAX;`
		`kex->nbits = nbits;`
		`if (datafellows & SSH_BUG_DHGEX_LARGE)`
		`- diff -up openssh-7.7p1/kexgexs.c.fips openssh-7.7p1/kexgexs.c`
		`- --- openssh-7.7p1/kexgexs.c.fips 2018-04-02 07:38:28.000000000 +0200`
		`- +++ openssh-7.7p1/kexgexs.c 2018-08-08 10:08:40.823719982 +0200`
		`- @@ -82,9 +82,9 @@ input_kex_dh_gex_request(int type, u_int`
		`+ @@ -118,6 +119,10 @@ input_kex_dh_gex_group(int type, u_int32`
		`+ r = SSH_ERR_ALLOC_FAIL;`
		`+ goto out;`
		`+ }`
		`+ + if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) {`
		`+ + r = SSH_ERR_INVALID_ARGUMENT;`
		`+ + goto out;`
		`+ + }`
		`+ p = g = NULL; /* belong to kex->dh now */`
		`+`
		`+ /* generate and send 'e', client DH public key */`
		`+ diff -up openssh-7.9p1/kexgexs.c.fips openssh-7.9p1/kexgexs.c`
		`+ --- openssh-7.9p1/kexgexs.c.fips 2018-10-17 02:01:20.000000000 +0200`
		`+ +++ openssh-7.9p1/kexgexs.c 2019-03-11 17:06:37.621878041 +0100`
		`+ @@ -85,9 +85,9 @@ input_kex_dh_gex_request(int type, u_int`
		`kex->nbits = nbits;`
		`kex->min = min;`
		`kex->max = max;`
		`@@ -217,9 +291,9 @@`
		`nbits = MINIMUM(DH_GRP_MAX, nbits);`

		`if (kex->max < kex->min \|\| kex->nbits < kex->min \|\|`
		`- diff -up openssh-7.7p1/mac.c.fips openssh-7.7p1/mac.c`
		`- --- openssh-7.7p1/mac.c.fips 2018-08-08 10:08:40.815719915 +0200`
		`- +++ openssh-7.7p1/mac.c 2018-08-08 10:11:56.915352642 +0200`
		`+ diff -up openssh-7.9p1/mac.c.fips openssh-7.9p1/mac.c`
		`+ --- openssh-7.9p1/mac.c.fips 2019-03-11 17:06:37.614877975 +0100`
		`+ +++ openssh-7.9p1/mac.c 2019-03-11 17:06:37.621878041 +0100`
		`@@ -27,6 +27,8 @@`

		`#include <sys/types.h>`
		`@@ -281,9 +355,9 @@`
		`if (strcmp(name, m->name) != 0)`
		`continue;`
		`if (mac != NULL)`
		`- diff -up openssh-7.7p1/Makefile.in.fips openssh-7.7p1/Makefile.in`
		`- --- openssh-7.7p1/Makefile.in.fips 2018-08-08 10:08:40.815719915 +0200`
		`- +++ openssh-7.7p1/Makefile.in 2018-08-08 10:08:40.823719982 +0200`
		`+ diff -up openssh-7.9p1/Makefile.in.fips openssh-7.9p1/Makefile.in`
		`+ --- openssh-7.9p1/Makefile.in.fips 2019-03-11 17:06:37.615877984 +0100`
		`+ +++ openssh-7.9p1/Makefile.in 2019-03-11 17:06:37.621878041 +0100`
		`@@ -179,25 +179,25 @@ libssh.a: $(LIBSSH_OBJS)`
		`$(RANLIB) $@`

		`@@ -325,10 +399,10 @@`

		`sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o`
		`$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)`
		`- diff -up openssh-7.7p1/myproposal.h.fips openssh-7.7p1/myproposal.h`
		`- --- openssh-7.7p1/myproposal.h.fips 2018-04-02 07:38:28.000000000 +0200`
		`- +++ openssh-7.7p1/myproposal.h 2018-08-08 10:08:40.823719982 +0200`
		`- @@ -114,6 +114,14 @@`
		`+ diff -up openssh-7.9p1/myproposal.h.fips openssh-7.9p1/myproposal.h`
		`+ --- openssh-7.9p1/myproposal.h.fips 2018-10-17 02:01:20.000000000 +0200`
		`+ +++ openssh-7.9p1/myproposal.h 2019-03-11 17:06:37.621878041 +0100`
		`+ @@ -116,6 +116,14 @@`
		`"rsa-sha2-256," \`
		`"ssh-rsa"`

		`@@ -343,7 +417,7 @@`
		`/* the actual algorithms */`

		`#define KEX_SERVER_ENCRYPT \`
		`- @@ -137,6 +145,38 @@`
		`+ @@ -139,6 +147,38 @@`

		`#define KEX_CLIENT_MAC KEX_SERVER_MAC`

		`@@ -382,10 +456,10 @@`
		`/* Not a KEX value, but here so all the algorithm defaults are together */`
		`#define SSH_ALLOWED_CA_SIGALGS \`
		`"ecdsa-sha2-nistp256," \`
		`- diff -up openssh-7.7p1/readconf.c.fips openssh-7.7p1/readconf.c`
		`- --- openssh-7.7p1/readconf.c.fips 2018-08-08 10:08:40.769719527 +0200`
		`- +++ openssh-7.7p1/readconf.c 2018-08-08 10:08:40.824719990 +0200`
		`- @@ -2081,18 +2081,19 @@ fill_default_options(Options * options)`
		`+ diff -up openssh-7.9p1/readconf.c.fips openssh-7.9p1/readconf.c`
		`+ --- openssh-7.9p1/readconf.c.fips 2019-03-11 17:06:37.601877853 +0100`
		`+ +++ openssh-7.9p1/readconf.c 2019-03-11 17:06:37.622878050 +0100`
		`+ @@ -2178,18 +2178,19 @@ fill_default_options(Options * options)`
		`all_kex = kex_alg_list(',');`
		`all_key = sshkey_alg_list(0, 0, 1, ',');`
		`all_sig = sshkey_alg_list(0, 1, 1, ',');`
		`@@ -413,9 +487,9 @@`
		`#undef ASSEMBLE`
		`free(all_cipher);`
		`free(all_mac);`
		`- diff -up openssh-7.7p1/sandbox-seccomp-filter.c.fips openssh-7.7p1/sandbox-seccomp-filter.c`
		`- --- openssh-7.7p1/sandbox-seccomp-filter.c.fips 2018-08-08 10:08:40.794719737 +0200`
		`- +++ openssh-7.7p1/sandbox-seccomp-filter.c 2018-08-08 10:08:40.824719990 +0200`
		`+ diff -up openssh-7.9p1/sandbox-seccomp-filter.c.fips openssh-7.9p1/sandbox-seccomp-filter.c`
		`+ --- openssh-7.9p1/sandbox-seccomp-filter.c.fips 2019-03-11 17:06:37.586877712 +0100`
		`+ +++ openssh-7.9p1/sandbox-seccomp-filter.c 2019-03-11 17:06:37.622878050 +0100`
		`@@ -137,6 +137,9 @@ static const struct sock_filter preauth_`
		`#ifdef __NR_open`
		`SC_DENY(__NR_open, EACCES),`
		`@@ -426,10 +500,10 @@`
		`#ifdef __NR_openat`
		`SC_DENY(__NR_openat, EACCES),`
		`#endif`
		`- diff -up openssh-7.7p1/servconf.c.fips openssh-7.7p1/servconf.c`
		`- --- openssh-7.7p1/servconf.c.fips 2018-08-08 10:08:40.778719603 +0200`
		`- +++ openssh-7.7p1/servconf.c 2018-08-08 10:08:40.824719990 +0200`
		`- @@ -196,18 +196,19 @@ option_clear_or_none(const char *o)`
		`+ diff -up openssh-7.9p1/servconf.c.fips openssh-7.9p1/servconf.c`
		`+ --- openssh-7.9p1/servconf.c.fips 2019-03-11 17:06:37.568877543 +0100`
		`+ +++ openssh-7.9p1/servconf.c 2019-03-11 17:06:37.622878050 +0100`
		`+ @@ -209,18 +209,19 @@ assemble_algorithms(ServerOptions *o)`
		`all_kex = kex_alg_list(',');`
		`all_key = sshkey_alg_list(0, 0, 1, ',');`
		`all_sig = sshkey_alg_list(0, 1, 1, ',');`
		`@@ -458,9 +532,9 @@`
		`#undef ASSEMBLE`
		`free(all_cipher);`
		`free(all_mac);`
		`- diff -up openssh-7.7p1/ssh.c.fips openssh-7.7p1/ssh.c`
		`- --- openssh-7.7p1/ssh.c.fips 2018-08-08 10:08:40.811719881 +0200`
		`- +++ openssh-7.7p1/ssh.c 2018-08-08 10:08:40.825719999 +0200`
		`+ diff -up openssh-7.9p1/ssh.c.fips openssh-7.9p1/ssh.c`
		`+ --- openssh-7.9p1/ssh.c.fips 2019-03-11 17:06:37.602877862 +0100`
		`+ +++ openssh-7.9p1/ssh.c 2019-03-11 17:06:37.623878060 +0100`
		`@@ -76,6 +76,8 @@`
		`#include <openssl/evp.h>`
		`#include <openssl/err.h>`
		`@@ -470,7 +544,7 @@`
		`#include "openbsd-compat/openssl-compat.h"`
		`#include "openbsd-compat/sys-queue.h"`

		`- @@ -579,6 +581,16 @@ main(int ac, char **av)`
		`+ @@ -600,6 +602,16 @@ main(int ac, char **av)`
		`sanitise_stdfd();`

		`__progname = ssh_get_progname(av[0]);`
		`@@ -487,7 +561,7 @@`

		`#ifndef HAVE_SETPROCTITLE`
		`/* Prepare for later setproctitle emulation */`
		`- @@ -1045,7 +1055,6 @@ main(int ac, char **av)`
		`+ @@ -1047,7 +1059,6 @@ main(int ac, char **av)`
		`host_arg = xstrdup(host);`

		`#ifdef WITH_OPENSSL`
		`@@ -495,7 +569,7 @@`
		`ERR_load_crypto_strings();`
		`#endif`

		`- @@ -1268,6 +1277,10 @@ main(int ac, char **av)`
		`+ @@ -1283,6 +1294,10 @@ main(int ac, char **av)`

		`seed_rng();`

		`@@ -506,9 +580,9 @@`
		`if (options.user == NULL)`
		`options.user = xstrdup(pw->pw_name);`

		`- diff -up openssh-7.7p1/sshconnect2.c.fips openssh-7.7p1/sshconnect2.c`
		`- --- openssh-7.7p1/sshconnect2.c.fips 2018-08-08 10:08:40.786719670 +0200`
		`- +++ openssh-7.7p1/sshconnect2.c 2018-08-08 10:08:40.825719999 +0200`
		`+ diff -up openssh-7.9p1/sshconnect2.c.fips openssh-7.9p1/sshconnect2.c`
		`+ --- openssh-7.9p1/sshconnect2.c.fips 2019-03-11 17:06:37.580877655 +0100`
		`+ +++ openssh-7.9p1/sshconnect2.c 2019-03-11 17:06:37.623878060 +0100`
		`@@ -44,6 +44,8 @@`
		`#include <vis.h>`
		`#endif`
		`@@ -574,10 +648,10 @@`
		`}`
		`}`
		`#endif`
		`- @@ -322,14 +330,16 @@ ssh_kex2(char host, struct sockaddr ho`
		`+ @@ -326,14 +334,16 @@ ssh_kex2(char host, struct sockaddr ho`
		`if (options.hostkeyalgorithms != NULL) {`
		`all_key = sshkey_alg_list(0, 0, 1, ',');`
		`- if (kex_assemble_names(&options.hostkeyalgorithms,`
		`+ if (kex_assemble_names(&options.hostkeyalgorithms,`
		`- KEX_DEFAULT_PK_ALG, all_key) != 0)`
		`+ (FIPS_mode() ? KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG),`
		`+ all_key) != 0)`
		`@@ -593,9 +667,9 @@`
		`/* Prefer algorithms that we already have keys for */`
		`myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =`
		`compat_pkalg_proposal(`
		`- diff -up openssh-7.7p1/sshd.c.fips openssh-7.7p1/sshd.c`
		`- --- openssh-7.7p1/sshd.c.fips 2018-08-08 10:08:40.818719940 +0200`
		`- +++ openssh-7.7p1/sshd.c 2018-08-08 10:08:40.826720007 +0200`
		`+ diff -up openssh-7.9p1/sshd.c.fips openssh-7.9p1/sshd.c`
		`+ --- openssh-7.9p1/sshd.c.fips 2019-03-11 17:06:37.617878003 +0100`
		`+ +++ openssh-7.9p1/sshd.c 2019-03-11 17:06:37.624878069 +0100`
		`@@ -66,6 +66,7 @@`
		`#include <grp.h>`
		`#include <pwd.h>`
		`@@ -613,7 +687,7 @@`
		`#include "openbsd-compat/openssl-compat.h"`
		`#endif`

		`- @@ -1534,6 +1537,18 @@ main(int ac, char **av)`
		`+ @@ -1581,6 +1584,18 @@ main(int ac, char **av)`
		`#endif`
		`__progname = ssh_get_progname(av[0]);`

		`@@ -632,7 +706,7 @@`
		`/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */`
		`saved_argc = ac;`
		`rexec_argc = ac;`
		`- @@ -1675,7 +1690,7 @@ main(int ac, char **av)`
		`+ @@ -1722,7 +1737,7 @@ main(int ac, char **av)`
		`else`
		`closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);`

		`@@ -641,7 +715,7 @@`
		`OpenSSL_add_all_algorithms();`
		`#endif`

		`- @@ -1979,6 +1994,10 @@ main(int ac, char **av)`
		`+ @@ -2036,6 +2051,10 @@ main(int ac, char **av)`
		`/* Reinitialize the log (because of the fork above). */`
		`log_init(__progname, options.log_level, options.log_facility, log_stderr);`

		`@@ -652,7 +726,7 @@`
		`/* Chdir to the root directory so that the current disk can be`
		`unmounted if desired. */`
		`if (chdir("/") == -1)`
		`- @@ -2359,10 +2378,14 @@ do_ssh2_kex(void)`
		`+ @@ -2412,10 +2431,14 @@ do_ssh2_kex(void)`
		`if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)`
		`orig = NULL;`

		`@@ -671,9 +745,9 @@`

		`if (gss && orig)`
		`xasprintf(&newstr, "%s,%s", gss, orig);`
		`- diff -up openssh-7.7p1/sshkey.c.fips openssh-7.7p1/sshkey.c`
		`- --- openssh-7.7p1/sshkey.c.fips 2018-08-08 10:08:40.818719940 +0200`
		`- +++ openssh-7.7p1/sshkey.c 2018-08-08 10:08:40.826720007 +0200`
		`+ diff -up openssh-7.9p1/sshkey.c.fips openssh-7.9p1/sshkey.c`
		`+ --- openssh-7.9p1/sshkey.c.fips 2019-03-11 17:06:37.617878003 +0100`
		`+ +++ openssh-7.9p1/sshkey.c 2019-03-11 17:06:37.624878069 +0100`
		`@@ -34,6 +34,7 @@`
		`#include <openssl/evp.h>`
		`#include <openssl/err.h>`
		`@@ -690,7 +764,7 @@`

		`#include "xmss_fast.h"`

		`- @@ -1526,6 +1528,8 @@ rsa_generate_private_key(u_int bits, RSA`
		`+ @@ -1514,6 +1516,8 @@ rsa_generate_private_key(u_int bits, RSA`
		`}`
		`if (!BN_set_word(f4, RSA_F4) \|\|`
		`!RSA_generate_key_ex(private, bits, f4, NULL)) {`
		`@@ -699,10 +773,10 @@`
		`ret = SSH_ERR_LIBCRYPTO_ERROR;`
		`goto out;`
		`}`
		`- diff -up openssh-7.7p1/ssh-keygen.c.fips openssh-7.7p1/ssh-keygen.c`
		`- --- openssh-7.7p1/ssh-keygen.c.fips 2018-08-08 10:08:40.801719797 +0200`
		`- +++ openssh-7.7p1/ssh-keygen.c 2018-08-08 10:08:40.827720016 +0200`
		`- @@ -229,6 +229,12 @@ type_bits_valid(int type, const char *na`
		`+ diff -up openssh-7.9p1/ssh-keygen.c.fips openssh-7.9p1/ssh-keygen.c`
		`+ --- openssh-7.9p1/ssh-keygen.c.fips 2019-03-11 17:06:37.590877750 +0100`
		`+ +++ openssh-7.9p1/ssh-keygen.c 2019-03-11 17:06:37.625878079 +0100`
		`+ @@ -230,6 +230,12 @@ type_bits_valid(int type, const char *na`
		`OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;`
		`if (*bitsp > maxbits)`
		`fatal("key bits exceeds maximum %d", maxbits);`

openssh-7.7p1-gssapi-new-unique.patch

file modified

+56 -56

		`@@ -113,29 +113,12 @@`
		`if (authctxt->krb5_user) {`
		`krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);`
		`authctxt->krb5_user = NULL;`
		`- @@ -237,36 +287,188 @@ krb5_cleanup_proc(Authctxt *authctxt)`
		`+ @@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)`
		`}`
		`}`

		`-#ifndef HEIMDAL`
		`- -krb5_error_code`
		`- -ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {`
		`- - int tmpfd, ret, oerrno;`
		`- - char ccname[40];`
		`- - mode_t old_umask;`
		`-`
		`- - ret = snprintf(ccname, sizeof(ccname),`
		`- - "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());`
		`- - if (ret < 0 \|\| (size_t)ret >= sizeof(ccname))`
		`- - return ENOMEM;`
		`- -`
		`- - old_umask = umask(0177);`
		`- - tmpfd = mkstemp(ccname + strlen("FILE:"));`
		`- - oerrno = errno;`
		`- - umask(old_umask);`
		`- - if (tmpfd == -1) {`
		`- - logit("mkstemp(): %.100s", strerror(oerrno));`
		`- - return oerrno;`
		`+ +`
		`+#if !defined(HEIMDAL)`
		`+int`
		`+ssh_asprintf_append(char *dsc, const char fmt, ...) {`
		`@@ -200,9 +183,8 @@`
		`+ /* unknown token, fallback to the default */`
		`+ goto cleanup;`
		`+ }`
		`- }`
		`-`
		`- - if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {`
		`+ + }`
		`+ +`
		`+ if (ssh_asprintf_append(&r, "%s", p_o) == -1)`
		`+ goto cleanup;`
		`+`
		`@@ -216,7 +198,10 @@`
		`+ return -1;`
		`+}`
		`+`
		`- +krb5_error_code`
		`+ krb5_error_code`
		`+ -ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {`
		`+ - int tmpfd, ret, oerrno;`
		`+ - char ccname[40];`
		`+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {`
		`+ profile_t p;`
		`+ int ret = 0;`
		`@@ -241,9 +226,22 @@`
		`+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache ccache, int need_environment) {`
		`+ int tmpfd, ret, oerrno, type_len;`
		`+ char *ccname = NULL;`
		`- + mode_t old_umask;`
		`+ mode_t old_umask;`
		`+ char type = NULL, colon = NULL;`
		`- +`
		`+`
		`+ - ret = snprintf(ccname, sizeof(ccname),`
		`+ - "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());`
		`+ - if (ret < 0 \|\| (size_t)ret >= sizeof(ccname))`
		`+ - return ENOMEM;`
		`+ -`
		`+ - old_umask = umask(0177);`
		`+ - tmpfd = mkstemp(ccname + strlen("FILE:"));`
		`+ - oerrno = errno;`
		`+ - umask(old_umask);`
		`+ - if (tmpfd == -1) {`
		`+ - logit("mkstemp(): %.100s", strerror(oerrno));`
		`+ - return oerrno;`
		`+ - }`
		`+ debug3("%s: called", __func__);`
		`+ if (need_environment)`
		`+ *need_environment = 0;`
		`@@ -258,7 +256,8 @@`
		`+ "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());`
		`+ if (ret < 0)`
		`+ return ENOMEM;`
		`- +`
		`+`
		`+ - if (fchmod(tmpfd,S_IRUSR \| S_IWUSR) == -1) {`
		`+ old_umask = umask(0177);`
		`+ tmpfd = mkstemp(ccname + strlen("FILE:"));`
		`oerrno = errno;`
		`@@ -345,11 +344,10 @@`
		`+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache , int );`
		`#endif`
		`#endif`
		`- diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c`
		`- index 795992d9..0623a107 100644`
		`- --- a/gss-serv-krb5.c`
		`- +++ b/gss-serv-krb5.c`
		`- @@ -114,7 +114,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client client, char name)`
		`+ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c`
		`+ --- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100`
		`+ +++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100`
		`+ @@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri`
		`/* This writes out any forwarded credentials from the structure populated`
		`* during userauth. Called after we have setuid to the user */`

		`@@ -358,12 +356,9 @@`
		`ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)`
		`{`
		`krb5_ccache ccache;`
		`- @@ -121,16 +121,17 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)`
		`- krb5_error_code problem;`
		`- krb5_principal princ;`
		`+ @@ -276,14 +276,15 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl`
		`OM_uint32 maj_status, min_status;`
		`- - const char new_ccname, new_cctype;`
		`- + int len;`
		`+ const char new_ccname, new_cctype;`
		`const char *errmsg;`
		`+ int set_env = 0;`

		`@@ -379,7 +374,7 @@`

		`#ifdef HEIMDAL`
		`# ifdef HAVE_KRB5_CC_NEW_UNIQUE`
		`- @@ -144,14 +145,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)`
		`+ @@ -297,14 +298,14 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl`
		`krb5_get_err_text(krb_context, problem));`
		`# endif`
		`krb5_free_error_message(krb_context, errmsg);`
		`@@ -398,7 +393,7 @@`
		`}`
		`#endif /* #ifdef HEIMDAL */`

		`- @@ -160,7 +161,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)`
		`+ @@ -313,7 +314,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl`
		`errmsg = krb5_get_error_message(krb_context, problem);`
		`logit("krb5_parse_name(): %.100s", errmsg);`
		`krb5_free_error_message(krb_context, errmsg);`
		`@@ -407,7 +402,7 @@`
		`}`

		`if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {`
		`- @@ -169,7 +170,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)`
		`+ @@ -322,7 +323,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl`
		`krb5_free_error_message(krb_context, errmsg);`
		`krb5_free_principal(krb_context, princ);`
		`krb5_cc_destroy(krb_context, ccache);`
		`@@ -416,7 +411,7 @@`
		`}`

		`krb5_free_principal(krb_context, princ);`
		`- @@ -178,37 +179,27 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)`
		`+ @@ -331,29 +332,19 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl`
		`client->creds, ccache))) {`
		`logit("gss_krb5_copy_ccache() failed");`
		`krb5_cc_destroy(krb_context, ccache);`
		`@@ -424,8 +419,8 @@`
		`+ return 0;`
		`}`

		`- - new_cctype = krb5_cc_get_type(krb_context, ccache);`
		`- - new_ccname = krb5_cc_get_name(krb_context, ccache);`
		`+ new_cctype = krb5_cc_get_type(krb_context, ccache);`
		`+ new_ccname = krb5_cc_get_name(krb_context, ccache);`
		`-`
		`- client->store.envvar = "KRB5CCNAME";`
		`-#ifdef USE_CCAPI`
		`@@ -433,21 +428,17 @@`
		`-#else`
		`- if (new_ccname[0] == ':')`
		`- new_ccname++;`
		`- - xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);`
		`+ xasprintf(&client->store.envval, "%s:%s", new_cctype, new_ccname);`
		`- if (strcmp(new_cctype, "DIR") == 0) {`
		`- char *p;`
		`- p = strrchr(client->store.envval, '/');`
		`- if (p)`
		`- *p = '\0';`
		`- - }`
		`- -#endif`
		`+ +`
		`+ if (set_env) {`
		`- + const char *filename = krb5_cc_get_name(krb_context, ccache);`
		`+ client->store.envvar = "KRB5CCNAME";`
		`- + len = strlen(filename) + 6;`
		`- + client->store.envval = xmalloc(len);`
		`- + snprintf(client->store.envval, len, "FILE:%s", filename);`
		`- + }`
		`+ }`
		`+ -#endif`

		`#ifdef USE_PAM`
		`- if (options.use_pam)`
		`@@ -455,7 +446,7 @@`
		`do_pam_putenv(client->store.envvar, client->store.envval);`
		`#endif`

		`- krb5_cc_close(krb_context, ccache);`
		`+ @@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl`

		`client->store.data = krb_context;`

		`@@ -486,11 +477,20 @@`
		`}`

		`/* This allows GSSAPI methods to do things to the childs environment based`
		`- diff --git a/servconf.c b/servconf.c`
		`- index cb578658..a6e01df2 100644`
		`- --- a/servconf.c`
		`- +++ b/servconf.c`
		`- @@ -122,6 +122,7 @@ initialize_server_options(ServerOptions *options)`
		`+ @@ -496,8 +498,7 @@ ssh_gssapi_rekey_creds() {`
		`+ char *envstr;`
		`+ #endif`
		`+`
		`+ - if (gssapi_client.store.envval == NULL &&`
		`+ - gssapi_client.store.envvar == NULL)`
		`+ + if (gssapi_client.store.envval == NULL)`
		`+ return;`
		`+`
		`+ ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));`
		`+ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c`
		`+ --- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100`
		`+ +++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100`
		`+ @@ -123,6 +123,7 @@ initialize_server_options(ServerOptions`
		`options->kerberos_or_local_passwd = -1;`
		`options->kerberos_ticket_cleanup = -1;`
		`options->kerberos_get_afs_token = -1;`

openssh-7.8p1-gsskex.patch

file modified

+1 -1

		`@@ -693,7 +693,7 @@`
		`+ debug("%s: krb5_cc_resolve(): %.100s", __func__,`
		`+ krb5_get_err_text(gssapi_client.store.data, problem));`
		`+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {`
		`- + debug("%s: krb5_cc_resolve(): %.100s", __func__,`
		`+ + debug("%s: krb5_cc_destroy(): %.100s", __func__,`
		`+ krb5_get_err_text(gssapi_client.store.data, problem));`
		`+ } else {`
		`+ krb5_free_context(gssapi_client.store.data);`

openssh-7.9p1-updated-cached-pw.patch

file added

+23

		`@@ -0,0 +1,23 @@`
		`+ diff -up openssh-7.4p1/session.c.update-pw openssh-7.4p1/session.c`
		`+ --- openssh-7.4p1/session.c.update-pw 2019-03-04 14:10:57.287054645 +0100`
		`+ +++ openssh-7.4p1/session.c 2019-03-04 14:12:39.259997218 +0100`
		`+ @@ -1522,9 +1522,18 @@ do_child(Session s, const char command`
		`+ char **env;`
		`+ char *argv[ARGV_MAX];`
		`+ const char shell, shell0;`
		`+ - struct passwd *pw = s->pw;`
		`+ + struct passwd *pw = NULL;`
		`+ int r = 0;`
		`+`
		`+ + /* Update the users passwd structure after successful login */`
		`+ + pw = getpwuid(s->pw->pw_uid);`
		`+ + if (pw != NULL) {`
		`+ + free(s->pw);`
		`+ + s->pw = pw;`
		`+ + } else {`
		`+ + pw = s->pw;`
		`+ + }`
		`+ +`
		`+ /* remove hostkey from the child's memory */`
		`+ destroy_sensitive_data();`
		`+ packet_clear_keys();`

openssh.spec

file modified

+11 -1

		`@@ -66,7 +66,7 @@`

		`# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1`
		`%global openssh_ver 7.9p1`
		`- %global openssh_rel 4`
		`+ %global openssh_rel 5`
		`%global pam_ssh_agent_ver 0.10.3`
		`%global pam_ssh_agent_rel 6`

		`@@ -240,6 +240,8 @@`
		`# log when a client requests an interactive session and only sftp is allowed`
		`# https://bugzilla.mindrot.org/show_bug.cgi?id=2960`
		`Patch959: openssh-7.9p1-log-sftp-only-connections.patch`
		`+ # Update cached passwd structure after PAM authentication (#1674541)`
		`+ Patch960: openssh-7.9p1-updated-cached-pw.patch`

		`License: BSD`
		`Requires: /sbin/nologin`
		`@@ -461,6 +463,7 @@`
		`%patch957 -p1 -b .CVE-2018-20685`
		`%patch958 -p1 -b .ssh-copy-id`
		`%patch959 -p1 -b .log-sftp-only`
		`+ %patch960 -p1 -b .update-pw`

		`%patch200 -p1 -b .audit`
		`%patch201 -p1 -b .audit-race`
		`@@ -768,6 +771,13 @@`
		`%endif`

		`%changelog`
		`+ * Mon Mar 11 2019 Jakub Jelen <jjelen@redhat.com> - 7.9p1-5 + 0.10.3.6`
		`+ - Fix kerberos cleanup procedures with GSSAPI`
		`+ - Update cached passwd structure after PAM authentication`
		`+ - Do not fall back to sshd_net_t SELinux context`
		`+ - Fix corner cases of PKCS#11 URI implementation`
		`+ - Do not negotiate arbitrary primes with DH GEX in FIPS`
		`+`
		`* Wed Feb 06 2019 Jakub Jelen <jjelen@redhat.com> - 7.9p1-4 + 0.10.3.6`
		`- Log when a client requests an interactive session and only sftp is allowed`
		`- Fix minor issues in ssh-copy-id`