Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked in at 2021-01-19 16:00:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Tue Jan 19 16:00:43 2021 rev:147 rq:863947 version:8.4p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2021-01-15 19:43:33.397773139 +0100 +++ /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh.changes 2021-01-19 16:00:54.711263653 +0100 
@@ -1,0 +2,130 @@ +Mon Jan 18 00:30:37 UTC 2021 - Dirk M??ller <dmuel...@suse.com> + +- update to 8.4p1: + Security + ======== + * ssh-agent(1): restrict ssh-agent from signing web challenges for + FIDO/U2F keys. + * ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating + a FIDO resident key. + * ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for + each use. These keys may be generated using ssh-keygen using a new + "verify-required" option. When a PIN-required key is used, the user + will be prompted for a PIN to complete the signature operation. + New Features + ------------ + * sshd(8): authorized_keys now supports a new "verify-required" + option to require FIDO signatures assert that the token verified + that the user was present before making the signature. The FIDO + protocol supports multiple methods for user-verification, but + currently OpenSSH only supports PIN verification. + + * sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn + signatures. Webauthn is a standard for using FIDO keys in web + browsers. These signatures are a slightly different format to plain + FIDO signatures and thus require explicit support. + + * ssh(1): allow some keywords to expand shell-style ${ENV} + environment variables. The supported keywords are CertificateFile, + ControlPath, IdentityAgent and IdentityFile, plus LocalForward and + RemoteForward when used for Unix domain socket paths. bz#3140 + + * ssh(1), ssh-agent(1): allow some additional control over the use of + ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable, + including forcibly enabling and disabling its use. bz#69 + + * ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time + limit for keys in addition to its current flag options. Time- + limited keys will automatically be removed from ssh-agent after + their expiry time has passed. + + * scp(1), sftp(1): allow the -A flag to explicitly enable agent + forwarding in scp and sftp. 
The default remains to not forward an + agent, even when ssh_config enables it. + + * ssh(1): add a '%k' TOKEN that expands to the effective HostKey of + the destination. This allows, e.g., keeping host keys in individual + files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654 + + * ssh(1): add %-TOKEN, environment variable and tilde expansion to + the UserKnownHostsFile directive, allowing the path to be + completed by the configuration (e.g. bz#1654) + + * ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted + from stdin. bz#3180 + + * sshd(8): improve logging for MaxStartups connection throttling. + sshd will now log when it starts and stops throttling and periodically + while in this state. bz#3055 + + Bugfixes + -------- + * ssh(1), ssh-keygen(1): better support for multiple attached FIDO + tokens. In cases where OpenSSH cannot unambiguously determine which + token to direct a request to, the user is now required to select a + token by touching it. In cases of operations that require a PIN to + be verified, this avoids sending the wrong PIN to the wrong token + and incrementing the token's PIN failure counter (tokens + effectively erase their keys after too many PIN failures). + * sshd(8): fix Include before Match in sshd_config; bz#3122 + * ssh(1): close stdin/out/error when forking after authentication + completes ("ssh -f ...") bz#3137 + * ssh(1), sshd(8): limit the amount of channel input data buffered, + avoiding peers that advertise large windows but are slow to read + from causing high memory consumption. + * ssh-agent(1): handle multiple requests sent in a single write() to + the agent. + * sshd(8): allow sshd_config longer than 256k + * sshd(8): avoid spurious "Unable to load host key" message when sshd + load a private key but no public counterpart + * ssh(1): prefer the default hostkey algorithm list whenever we have + a hostkey that matches its best-preference algorithm. 
+ * sshd(1): when ordering the hostkey algorithms to request from a + server, prefer certificate types if the known_hosts files contain a key + marked as a @cert-authority; bz#3157 + * ssh(1): perform host key fingerprint comparisons for the "Are you + sure you want to continue connecting (yes/no/[fingerprint])?" + prompt with case sensitivity. + * sshd(8): ensure that address/masklen mismatches in sshd_config + yield fatal errors at daemon start time rather than later when + they are evaluated. + * ssh-keygen(1): ensure that certificate extensions are lexically + sorted. Previously if the user specified a custom extension then + the everything would be in order except the custom ones. bz#3198 + * ssh(1): also compare username when checking for JumpHost loops. + bz#3057 + * ssh-keygen(1): preserve group/world read permission on known_hosts + files across runs of "ssh-keygen -Rf /path". The old behaviour was + to remove all rights for group/other. bz#3146 + * ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen + manual page and usage(). + * sshd(8): explicitly construct path to ~/.ssh/rc rather than + relying on it being relative to the current directory, so that it + can still be found if the shell startup changes its directory. + bz#3185 + * sshd(8): when redirecting sshd's log output to a file, undo this + redirection after the session child process is forked(). Fixes + missing log messages when using this feature under some + circumstances. + * sshd(8): start ClientAliveInterval bookkeeping before first pass + through select() loop; fixed theoretical case where busy sshd may + ignore timeouts from client. + * ssh(1): only reset the ServerAliveInterval check when we receive + traffic from the server and ignore traffic from a port forwarding + client, preventing a client from keeping a connection alive when + it should be terminated. 
bz#2265 + * ssh-keygen(1): avoid spurious error message when ssh-keygen + creates files outside ~/.ssh + * sftp-client(1): fix off-by-one error that caused sftp downloads to + make one more concurrent request that desired. This prevented using + sftp(1) in unpipelined request/response mode, which is useful when + debugging. bz#3054 + * ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect() + helpers. bz#3071 + * ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to + write to it so we don't leave an empty .ssh directory when it's not + needed. bz#3156 + * ssh(1), sshd(8): fix multiplier when parsing time specifications + when handling seconds after other units. bz#3171 + +------------------------------------------------------------------- Old: ---- openssh-8.3p1.tar.gz openssh-8.3p1.tar.gz.asc New: ---- openssh-8.4p1.tar.gz openssh-8.4p1.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.271266011 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.275266016 +0100 
@@ -18,14 +18,14 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 8.3p1 +Version: 8.4p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause Group: Productivity/Networking/SSH -URL: http://www.openssh.com/ -Source: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz -Source42: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc +URL: https://www.openssh.com/ +Source: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz +Source42: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{_name}-%{version}.tar.gz.asc Requires: %{_name} = %{version} Supplements: packageand(openssh-clients:libgtk-3-0) %if 0%{?suse_version} >= 1550 ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.303266059 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.307266065 +0100 @@ -38,14 +38,14 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 8.3p1 +Version: 8.4p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT Group: Productivity/Networking/SSH URL: https://www.openssh.com/ -Source0: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz -Source1: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc +Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz +Source1: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source2: sshd.pamd Source3: README.SUSE Source4: README.kerberos 
@@ -108,7 +108,7 @@ Patch41: openssh-fips-ensure-approved-moduli.patch Patch42: openssh-link-with-sk.patch BuildRequires: audit-devel -BuildRequires: autoconf +BuildRequires: automake BuildRequires: groff BuildRequires: libedit-devel BuildRequires: libselinux-devel ++++++ openssh-7.7p1-allow_root_password_login.patch ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.407266216 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.407266216 +0100 @@ -5,11 +5,11 @@ temporarily introducing this change to keep the default used in older OpenSSH versions shipped with SLE. -Index: openssh-7.9p1/servconf.c +Index: openssh-8.4p1/servconf.c =================================================================== ---- openssh-7.9p1.orig/servconf.c -+++ openssh-7.9p1/servconf.c -@@ -292,7 +292,7 @@ fill_default_server_options(ServerOption +--- openssh-8.4p1.orig/servconf.c ++++ openssh-8.4p1/servconf.c +@@ -329,7 +329,7 @@ fill_default_server_options(ServerOption if (options->login_grace_time == -1) options->login_grace_time = 120; if (options->permit_root_login == PERMIT_NOT_SET) @@ -18,10 +18,10 @@ if (options->ignore_rhosts == -1) options->ignore_rhosts = 1; if (options->ignore_user_known_hosts == -1) -Index: openssh-7.9p1/sshd_config +Index: openssh-8.4p1/sshd_config =================================================================== ---- openssh-7.9p1.orig/sshd_config -+++ openssh-7.9p1/sshd_config +--- openssh-8.4p1.orig/sshd_config ++++ openssh-8.4p1/sshd_config @@ -29,7 +29,7 @@ # Authentication: 
@@ -31,11 +31,11 @@ #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 -Index: openssh-7.9p1/sshd_config.0 +Index: openssh-8.4p1/sshd_config.0 =================================================================== ---- openssh-7.9p1.orig/sshd_config.0 -+++ openssh-7.9p1/sshd_config.0 -@@ -749,7 +749,7 @@ DESCRIPTION +--- openssh-8.4p1.orig/sshd_config.0 ++++ openssh-8.4p1/sshd_config.0 +@@ -778,7 +778,7 @@ DESCRIPTION PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The @@ -44,11 +44,11 @@ If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive -Index: openssh-7.9p1/sshd_config.5 +Index: openssh-8.4p1/sshd_config.5 =================================================================== ---- openssh-7.9p1.orig/sshd_config.5 -+++ openssh-7.9p1/sshd_config.5 -@@ -1285,7 +1285,7 @@ The argument must be +--- openssh-8.4p1.orig/sshd_config.5 ++++ openssh-8.4p1/sshd_config.5 +@@ -1331,7 +1331,7 @@ The argument must be or .Cm no . The default is ++++++ openssh-7.7p1-cavstest-ctr.patch ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.423266241 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.427266246 +0100 @@ -2,10 +2,10 @@ # Parent cc1022edba2c5eeb0facba08468f65afc2466b63 CAVS test for OpenSSH's own CTR encryption mode implementation -diff --git a/Makefile.in b/Makefile.in -index d5c37b5..5d4fcd2 100644 ---- a/Makefile.in -+++ b/Makefile.in +Index: openssh-8.4p1/Makefile.in +=================================================================== +--- openssh-8.4p1.orig/Makefile.in ++++ openssh-8.4p1/Makefile.in @@ -25,6 +25,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper 
@@ -14,7 +14,7 @@ PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -70,6 +71,8 @@ MKDIR_P=@MKDIR_P@ +@@ -68,6 +69,8 @@ MKDIR_P=@MKDIR_P@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) @@ -23,7 +23,7 @@ XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -244,6 +247,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTPSERVER_OBJS) +@@ -242,6 +245,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) $(LD) -o $@ $(SFTP_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) @@ -34,7 +34,7 @@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -398,6 +405,7 @@ install-files: +@@ -400,6 +407,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) @@ -42,11 +42,10 @@ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -diff --git a/cavstest-ctr.c b/cavstest-ctr.c -new file mode 100644 -index 0000000..f81cb72 +Index: openssh-8.4p1/cavstest-ctr.c +=================================================================== --- /dev/null -+++ b/cavstest-ctr.c ++++ openssh-8.4p1/cavstest-ctr.c @@ -0,0 +1,214 @@ +/* + * 
@@ -262,10 +261,10 @@ + printf("\n"); + return 0; +} -diff --git a/cipher.c b/cipher.c -index 2f5430b..599b54a 100644 ---- a/cipher.c -+++ b/cipher.c +Index: openssh-8.4p1/cipher.c +=================================================================== +--- openssh-8.4p1.orig/cipher.c ++++ openssh-8.4p1/cipher.c @@ -58,15 +58,6 @@ #define EVP_CIPHER_CTX void #endif @@ -282,10 +281,10 @@ struct sshcipher { char *name; u_int block_size; -diff --git a/cipher.h b/cipher.h -index 1a591cd..10ccb28 100644 ---- a/cipher.h -+++ b/cipher.h +Index: openssh-8.4p1/cipher.h +=================================================================== +--- openssh-8.4p1.orig/cipher.h ++++ openssh-8.4p1/cipher.h @@ -48,7 +48,15 @@ #define CIPHER_DECRYPT 0 ++++++ openssh-7.7p1-cavstest-kdf.patch ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.447266277 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.447266277 +0100 @@ -2,10 +2,10 @@ # Parent 1e1d5a2ab8bddfc800f570755f9ea1addcc878c1 CAVS test for KDF implementation in OpenSSH -diff --git a/Makefile.in b/Makefile.in -index 5d4fcd2..9eab827 100644 ---- a/Makefile.in -+++ b/Makefile.in +Index: openssh-8.4p1/Makefile.in +=================================================================== +--- openssh-8.4p1.orig/Makefile.in ++++ openssh-8.4p1/Makefile.in @@ -26,6 +26,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper @@ -14,7 +14,7 @@ PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ -@@ -71,7 +72,7 @@ MKDIR_P=@MKDIR_P@ +@@ -69,7 +70,7 @@ MKDIR_P=@MKDIR_P@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) 
@@ -23,7 +23,7 @@ XMSS_OBJS=\ ssh-xmss.o \ -@@ -251,6 +252,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(SFTP_OBJS) +@@ -249,6 +250,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a $(S cavstest-ctr$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-sk.o sk-usbhid.o cavstest-ctr.o $(LD) -o $@ cavstest-ctr.o ssh-sk.o sk-usbhid.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LIBFIDO2) @@ -33,7 +33,7 @@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) -@@ -406,6 +410,7 @@ install-files: +@@ -408,6 +412,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) @@ -41,11 +41,10 @@ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -diff --git a/cavstest-kdf.c b/cavstest-kdf.c -new file mode 100644 -index 0000000..a6ecf45 +Index: openssh-8.4p1/cavstest-kdf.c +=================================================================== --- /dev/null -+++ b/cavstest-kdf.c ++++ openssh-8.4p1/cavstest-kdf.c @@ -0,0 +1,402 @@ +/* + * Copyright (C) 2015, Stephan Mueller <smuel...@chronox.de> ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.479266325 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.479266325 +0100 
@@ -3,11 +3,11 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved algorithms. -diff --git a/Makefile.in b/Makefile.in -index 62cd072..d5c37b5 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -114,6 +114,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ +Index: openssh-8.4p1/Makefile.in +=================================================================== +--- openssh-8.4p1.orig/Makefile.in ++++ openssh-8.4p1/Makefile.in +@@ -112,6 +112,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ SKOBJS= ssh-sk-client.o @@ -16,10 +16,10 @@ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect2.o mux.o $(SKOBJS) -diff --git a/cipher-ctr.c b/cipher-ctr.c -index 32771f2..b66f92f 100644 ---- a/cipher-ctr.c -+++ b/cipher-ctr.c +Index: openssh-8.4p1/cipher-ctr.c +=================================================================== +--- openssh-8.4p1.orig/cipher-ctr.c ++++ openssh-8.4p1/cipher-ctr.c @@ -27,6 +27,8 @@ #include "xmalloc.h" #include "log.h" @@ -38,10 +38,10 @@ #endif return (&aes_ctr); } -diff --git a/cipher.c b/cipher.c -index 8195199..2f5430b 100644 ---- a/cipher.c -+++ b/cipher.c +Index: openssh-8.4p1/cipher.c +=================================================================== +--- openssh-8.4p1.orig/cipher.c ++++ openssh-8.4p1/cipher.c @@ -51,6 +51,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -61,7 +61,7 @@ #ifdef WITH_OPENSSL #ifndef OPENSSL_NO_DES { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, -@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] = { +@@ -114,8 +117,52 @@ static const struct sshcipher ciphers[] { NULL, 0, 0, 0, 0, 0, NULL } }; @@ -132,11 +132,10 @@ if (strcmp(c->name, name) == 0) return c; return NULL; -diff --git a/fips.c b/fips.c -new file mode 100644 -index 0000000..23e3876 +Index: openssh-8.4p1/fips.c +=================================================================== --- /dev/null -+++ b/fips.c ++++ openssh-8.4p1/fips.c 
@@ -0,0 +1,212 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -350,11 +349,10 @@ + return dgst; +} + -diff --git a/fips.h b/fips.h -new file mode 100644 -index 0000000..a115a61 +Index: openssh-8.4p1/fips.h +=================================================================== --- /dev/null -+++ b/fips.h ++++ openssh-8.4p1/fips.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -400,11 +398,11 @@ + +#endif + -diff --git a/hmac.c b/hmac.c -index 7b58801..5a92074 100644 ---- a/hmac.c -+++ b/hmac.c -@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen) +Index: openssh-8.4p1/hmac.c +=================================================================== +--- openssh-8.4p1.orig/hmac.c ++++ openssh-8.4p1/hmac.c +@@ -145,7 +145,7 @@ hmac_test(void *key, size_t klen, void * size_t i; u_char digest[16]; @@ -413,11 +411,11 @@ printf("ssh_hmac_start failed"); if (ssh_hmac_init(ctx, key, klen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 || -diff --git a/kex.c b/kex.c -index b09fbac..a5e4be7 100644 ---- a/kex.c -+++ b/kex.c -@@ -63,6 +63,8 @@ +Index: openssh-8.4p1/kex.c +=================================================================== +--- openssh-8.4p1.orig/kex.c ++++ openssh-8.4p1/kex.c +@@ -62,6 +62,8 @@ #include "sshbuf.h" #include "digest.h" @@ -426,7 +424,7 @@ /* prototype */ static int kex_choose_conf(struct ssh *); static int kex_input_newkeys(int, u_int32_t, struct ssh *); -@@ -86,7 +88,7 @@ struct kexalg { +@@ -85,7 +87,7 @@ struct kexalg { int ec_nid; int hash_alg; }; @@ -435,7 +433,7 @@ #ifdef WITH_OPENSSL { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 }, -@@ -117,6 +119,47 @@ static const struct kexalg kexalgs[] = { +@@ -116,6 +118,47 @@ static const struct kexalg kexalgs[] = { { NULL, 0, -1, -1}, }; 
@@ -483,7 +481,7 @@ char * kex_alg_list(char sep) { -@@ -124,7 +167,7 @@ kex_alg_list(char sep) +@@ -123,7 +166,7 @@ kex_alg_list(char sep) size_t nlen, rlen = 0; const struct kexalg *k; @@ -492,7 +490,7 @@ if (ret != NULL) ret[rlen++] = sep; nlen = strlen(k->name); -@@ -144,7 +187,7 @@ kex_alg_by_name(const char *name) +@@ -143,7 +186,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; @@ -501,7 +499,7 @@ if (strcmp(k->name, name) == 0) return k; } -@@ -164,7 +207,10 @@ kex_names_valid(const char *names) +@@ -163,7 +206,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { @@ -512,10 +510,10 @@ free(s); return 0; } -diff --git a/mac.c b/mac.c -index f3dda66..90d71c8 100644 ---- a/mac.c -+++ b/mac.c +Index: openssh-8.4p1/mac.c +=================================================================== +--- openssh-8.4p1.orig/mac.c ++++ openssh-8.4p1/mac.c @@ -41,6 +41,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -586,7 +584,7 @@ if (ret != NULL) ret[rlen++] = sep; nlen = strlen(m->name); -@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name) +@@ -126,7 +164,7 @@ mac_setup(struct sshmac *mac, char *name { const struct macalg *m; @@ -595,10 +593,10 @@ if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -diff --git a/readconf.c b/readconf.c -index 26e80c5..595f053 100644 ---- a/readconf.c -+++ b/readconf.c +Index: openssh-8.4p1/readconf.c +=================================================================== +--- openssh-8.4p1.orig/readconf.c ++++ openssh-8.4p1/readconf.c @@ -68,6 +68,8 @@ #include "myproposal.h" #include "digest.h" @@ -608,7 +606,7 @@ /* Format of the configuration file: # Configuration data is parsed as follows: -@@ -1908,6 +1910,23 @@ option_clear_or_none(const char *o) +@@ -1949,6 +1951,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } 
@@ -632,7 +630,7 @@ /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -2196,6 +2215,9 @@ fill_default_options(Options * options) +@@ -2240,6 +2259,9 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -642,7 +640,7 @@ #ifdef ENABLE_SK_INTERNAL if (options->sk_provider == NULL) options->sk_provider = xstrdup("internal"); -@@ -2229,6 +2251,7 @@ fill_default_options(Options * options) +@@ -2273,6 +2295,7 @@ fill_default_options(Options * options) ASSEMBLE(pubkey_key_types, def_key, all_key); ASSEMBLE(ca_sign_algorithms, def_sig, all_sig); #undef ASSEMBLE @@ -650,7 +648,7 @@ free(all_cipher); free(all_mac); free(all_kex); -@@ -2240,6 +2263,8 @@ fill_default_options(Options * options) +@@ -2284,6 +2307,8 @@ fill_default_options(Options * options) kex_default_pk_alg_filtered = def_key; /* save for later use */ free(def_sig); @@ -659,11 +657,11 @@ #define CLEAR_ON_NONE(v) \ do { \ if (option_clear_or_none(v)) { \ -diff --git a/readconf.h b/readconf.h -index e143a10..ef18d5c 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -199,6 +199,7 @@ typedef struct { +Index: openssh-8.4p1/readconf.h +=================================================================== +--- openssh-8.4p1.orig/readconf.h ++++ openssh-8.4p1/readconf.h +@@ -200,6 +200,7 @@ typedef struct { #define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_ASK 3 
@@ -671,11 +669,11 @@ const char *kex_default_pk_alg(void); char *ssh_connection_hash(const char *thishost, const char *host, const char *portstr, const char *user); -diff --git a/servconf.c b/servconf.c -index 6be7274..9a51bfb 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -69,6 +69,7 @@ +Index: openssh-8.4p1/servconf.c +=================================================================== +--- openssh-8.4p1.orig/servconf.c ++++ openssh-8.4p1/servconf.c +@@ -70,6 +70,7 @@ #include "auth.h" #include "myproposal.h" #include "digest.h" @@ -683,7 +681,7 @@ static void add_listen_addr(ServerOptions *, const char *, const char *, int); -@@ -200,6 +201,23 @@ option_clear_or_none(const char *o) +@@ -201,6 +202,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -707,7 +705,7 @@ static void assemble_algorithms(ServerOptions *o) { -@@ -241,6 +259,8 @@ assemble_algorithms(ServerOptions *o) +@@ -242,6 +260,8 @@ assemble_algorithms(ServerOptions *o) free(def_kex); free(def_key); free(def_sig); @@ -716,7 +714,7 @@ } static void -@@ -453,6 +473,8 @@ fill_default_server_options(ServerOptions *options) +@@ -454,6 +474,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -725,10 +723,10 @@ if (options->disable_forwarding == -1) options->disable_forwarding = 0; if (options->expose_userauth_info == -1) -diff --git a/ssh-keygen.c b/ssh-keygen.c -index 944faca..c1ecc54 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c +Index: openssh-8.4p1/ssh-keygen.c +=================================================================== +--- openssh-8.4p1.orig/ssh-keygen.c ++++ openssh-8.4p1/ssh-keygen.c @@ -66,6 +66,8 @@ #include "ssh-sk.h" #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */ 
@@ -738,7 +736,7 @@ #ifdef WITH_OPENSSL # define DEFAULT_KEY_TYPE_NAME "rsa" #else -@@ -1032,11 +1034,13 @@ do_fingerprint(struct passwd *pw) +@@ -1036,11 +1038,13 @@ do_fingerprint(struct passwd *pw) static void do_gen_all_hostkeys(struct passwd *pw) { @@ -754,7 +752,7 @@ #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, -@@ -1051,6 +1055,17 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1055,6 +1059,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; @@ -772,7 +770,7 @@ u_int32_t bits = 0; int first = 0; struct stat st; -@@ -1058,6 +1073,12 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1062,6 +1077,12 @@ do_gen_all_hostkeys(struct passwd *pw) char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file; int i, type, fd, r; @@ -785,7 +783,7 @@ for (i = 0; key_types[i].key_type; i++) { public = private = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL; -@@ -3532,6 +3553,15 @@ main(int argc, char **argv) +@@ -3586,6 +3607,15 @@ main(int argc, char **argv) key_type_name = DEFAULT_KEY_TYPE_NAME; type = sshkey_type_from_name(key_type_name); @@ -801,11 +799,11 @@ type_bits_valid(type, key_type_name, &bits); if (!quiet) -diff --git a/ssh_config.5 b/ssh_config.5 -index c45fb8d..55d4b5e 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -669,6 +669,8 @@ Valid options are: +Index: openssh-8.4p1/ssh_config.5 +=================================================================== +--- openssh-8.4p1.orig/ssh_config.5 ++++ openssh-8.4p1/ssh_config.5 +@@ -682,6 +682,8 @@ Valid options are: and .Cm sha256 (the default). 
@@ -814,11 +812,11 @@ .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -diff --git a/sshd.c b/sshd.c -index a24241c..e18078f 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -128,6 +128,8 @@ +Index: openssh-8.4p1/sshd.c +=================================================================== +--- openssh-8.4p1.orig/sshd.c ++++ openssh-8.4p1/sshd.c +@@ -124,6 +124,8 @@ #include "ssherr.h" #include "sk-api.h" @@ -827,10 +825,10 @@ /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -diff --git a/sshd_config.5 b/sshd_config.5 -index 52552d2..35affe5 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 +Index: openssh-8.4p1/sshd_config.5 +=================================================================== +--- openssh-8.4p1.orig/sshd_config.5 ++++ openssh-8.4p1/sshd_config.5 @@ -594,6 +594,8 @@ and .Cm sha256 . The default is ++++++ openssh-7.7p1-fips_checks.patch ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.499266355 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.499266355 +0100 @@ -14,11 +14,10 @@ # file is not found (or the hash matches), proceed in non-FIPS mode and abort # otherwise. -diff --git a/fips-check.c b/fips-check.c -new file mode 100644 -index 0000000..eceb031 +Index: openssh-8.4p1/fips-check.c +=================================================================== --- /dev/null -+++ b/fips-check.c ++++ openssh-8.4p1/fips-check.c @@ -0,0 +1,34 @@ +#include "includes.h" +#include <fcntl.h> @@ -54,10 +53,10 @@ + fips_ssh_init(); + return 0; +} -diff --git a/fips.c b/fips.c -index 23e3876..297ae99 100644 ---- a/fips.c -+++ b/fips.c +Index: openssh-8.4p1/fips.c +=================================================================== +--- openssh-8.4p1.orig/fips.c ++++ openssh-8.4p1/fips.c @@ -35,30 +35,293 @@ #include "log.h" #include "xmalloc.h" 
@@ -246,7 +245,9 @@ { int fips_required = 0; - char *env = getenv(SSH_FORCE_FIPS_ENV); -- ++ int fips_fd; ++ char fips_sys = 0; + - if (env) { - errno = 0; - fips_required = strtol(env, NULL, 10); @@ -256,9 +257,6 @@ - fips_required = 0; - } else - fips_required = 1; -+ int fips_fd; -+ char fips_sys = 0; -+ + struct stat dummy; + if (-1 == stat(FIPS_PROC_PATH, &dummy)) { + switch (errno) { @@ -364,10 +362,10 @@ int fips_mode(void) { -diff --git a/fips.h b/fips.h -index a115a61..3404684 100644 ---- a/fips.h -+++ b/fips.h +Index: openssh-8.4p1/fips.h +=================================================================== +--- openssh-8.4p1.orig/fips.h ++++ openssh-8.4p1/fips.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -404,15 +402,15 @@ int fips_mode(void); int fips_correct_dgst(int); int fips_dgst_min(void); -@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum fp_type); +@@ -41,4 +56,3 @@ enum fp_type fips_correct_fp_type(enum int fips_filter_crypto(char **, fips_filters); #endif - -diff --git a/sftp-server.c b/sftp-server.c -index 359204f..d6395fd 100644 ---- a/sftp-server.c -+++ b/sftp-server.c +Index: openssh-8.4p1/sftp-server.c +=================================================================== +--- openssh-8.4p1.orig/sftp-server.c ++++ openssh-8.4p1/sftp-server.c @@ -53,6 +53,8 @@ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ @@ -422,7 +420,7 @@ /* Our verbosity */ static LogLevel log_level = SYSLOG_LEVEL_ERROR; -@@ -1576,6 +1578,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) +@@ -1577,6 +1579,9 @@ sftp_server_main(int argc, char **argv, extern char *optarg; extern char *__progname; 
@@ -432,10 +430,10 @@ __progname = ssh_get_progname(argv[0]); log_init(__progname, log_level, log_facility, log_stderr); -diff --git a/ssh.c b/ssh.c -index 98b6ce7..dce28fd 100644 ---- a/ssh.c -+++ b/ssh.c +Index: openssh-8.4p1/ssh.c +=================================================================== +--- openssh-8.4p1.orig/ssh.c ++++ openssh-8.4p1/ssh.c @@ -113,6 +113,8 @@ #include "ssh-pkcs11.h" #endif @@ -445,9 +443,9 @@ extern char *__progname; /* Saves a copy of argv for setproctitle emulation */ -@@ -630,6 +632,10 @@ main(int ac, char **av) - struct addrinfo *addrs = NULL; +@@ -658,6 +660,10 @@ main(int ac, char **av) size_t n, len; + u_int j; + /* initialize fips - can go before ssh_malloc_init(), since that is a + * OpenBSD-only thing (as of OpenSSH 7.6p1) */ @@ -456,11 +454,11 @@ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); -diff --git a/sshd.c b/sshd.c -index b2146a6..6092f0f 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -1505,6 +1505,10 @@ main(int ac, char **av) +Index: openssh-8.4p1/sshd.c +=================================================================== +--- openssh-8.4p1.orig/sshd.c ++++ openssh-8.4p1/sshd.c +@@ -1545,6 +1545,10 @@ main(int ac, char **av) Authctxt *authctxt; struct connection_info *connection_info = NULL; ++++++ openssh-7.7p1-hostname_changes_when_forwarding_X.patch ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.519266385 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.523266392 +0100 
@@ -3,11 +3,11 @@ # -- uset do be called '-xauthlocalhostname' handle hostname changes when forwarding X -diff --git a/session.c b/session.c -index 18cdfa8..85a9ee2 100644 ---- a/session.c -+++ b/session.c -@@ -985,7 +985,7 @@ copy_environment(char **source, char ***env, u_int *envsize) +Index: openssh-8.4p1/session.c +=================================================================== +--- openssh-8.4p1.orig/session.c ++++ openssh-8.4p1/session.c +@@ -985,7 +985,7 @@ copy_environment(char **source, char *** #endif static char ** @@ -16,7 +16,7 @@ { char buf[256]; size_t n; -@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) +@@ -1195,6 +1195,8 @@ do_setup_env(struct ssh *ssh, Session *s for (i = 0; env[i]; i++) fprintf(stderr, " %.200s\n", env[i]); } @@ -25,7 +25,7 @@ return env; } -@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) +@@ -1203,7 +1205,7 @@ do_setup_env(struct ssh *ssh, Session *s * first in this order). */ static void @@ -33,9 +33,9 @@ +do_rc_files(struct ssh *ssh, Session *s, const char *shell, char **env, int *env_size) { FILE *f = NULL; - char cmd[1024]; -@@ -1258,12 +1260,20 @@ do_rc_files(struct ssh *ssh, Session *s, const char *shell) - options.xauth_location); + char *cmd = NULL, *user_rc = NULL; +@@ -1260,12 +1262,20 @@ do_rc_files(struct ssh *ssh, Session *s, + fatal("%s: xasprintf: %s", __func__, strerror(errno)); f = popen(cmd, "w"); if (f) { + char hostname[MAXHOSTNAMELEN]; @@ -55,7 +55,7 @@ } else { fprintf(stderr, "Could not run %s\n", cmd); -@@ -1519,6 +1529,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1526,6 +1536,7 @@ do_child(struct ssh *ssh, Session *s, co char **env, *argv[ARGV_MAX], remote_id[512]; const char *shell, *shell0; struct passwd *pw = s->pw; 
@@ -63,7 +63,7 @@ int r = 0; sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); -@@ -1575,7 +1586,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1582,7 +1593,7 @@ do_child(struct ssh *ssh, Session *s, co * Make sure $SHELL points to the shell from the password file, * even if shell is overridden from login.conf */ @@ -72,7 +72,7 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); -@@ -1639,7 +1650,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1646,7 +1657,7 @@ do_child(struct ssh *ssh, Session *s, co closefrom(STDERR_FILENO + 1); ++++++ openssh-7.7p1-pam_check_locks.patch ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.543266421 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.547266428 +0100 @@ -5,11 +5,11 @@ bnc#708678, FATE#312033 -Index: openssh-7.8p1/auth.c +Index: openssh-8.4p1/auth.c =================================================================== ---- openssh-7.8p1.orig/auth.c -+++ openssh-7.8p1/auth.c -@@ -112,7 +112,7 @@ allowed_user(struct passwd * pw) +--- openssh-8.4p1.orig/auth.c ++++ openssh-8.4p1/auth.c +@@ -113,7 +113,7 @@ allowed_user(struct ssh *ssh, struct pas return 0; #ifdef USE_SHADOW @@ -18,7 +18,7 @@ spw = getspnam(pw->pw_name); #ifdef HAS_SHADOW_EXPIRE if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) -@@ -132,7 +132,7 @@ allowed_user(struct passwd * pw) +@@ -133,7 +133,7 @@ allowed_user(struct ssh *ssh, struct pas #endif /* check for locked account */ 
@@ -27,11 +27,11 @@ int locked = 0; #ifdef LOCKED_PASSWD_STRING -Index: openssh-7.8p1/servconf.c +Index: openssh-8.4p1/servconf.c =================================================================== ---- openssh-7.8p1.orig/servconf.c -+++ openssh-7.8p1/servconf.c -@@ -83,6 +83,7 @@ initialize_server_options(ServerOptions +--- openssh-8.4p1.orig/servconf.c ++++ openssh-8.4p1/servconf.c +@@ -92,6 +92,7 @@ initialize_server_options(ServerOptions /* Portable-specific options */ options->use_pam = -1; @@ -39,7 +39,7 @@ /* Standard Options */ options->num_ports = 0; -@@ -259,6 +260,8 @@ fill_default_server_options(ServerOption +@@ -300,6 +301,8 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) options->use_pam = 0; @@ -48,7 +48,7 @@ /* Standard Options */ if (options->num_host_key_files == 0) { -@@ -459,7 +462,7 @@ fill_default_server_options(ServerOption +@@ -501,7 +504,7 @@ fill_default_server_options(ServerOption typedef enum { sBadOption, /* == unknown option */ /* Portable-specific options */ @@ -57,7 +57,7 @@ /* Standard Options */ sPort, sHostKeyFile, sLoginGraceTime, sPermitRootLogin, sLogFacility, sLogLevel, -@@ -509,8 +512,10 @@ static struct { +@@ -553,8 +556,10 @@ static struct { /* Portable-specific options */ #ifdef USE_PAM { "usepam", sUsePAM, SSHCFG_GLOBAL }, @@ -68,7 +68,7 @@ #endif { "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL }, /* Standard Options */ -@@ -1250,6 +1255,9 @@ process_server_config_line(ServerOptions +@@ -1318,6 +1323,9 @@ process_server_config_line_depth(ServerO case sUsePAM: intptr = &options->use_pam; goto parse_flag; 
@@ -78,11 +78,11 @@ /* Standard Options */ case sBadOption: -Index: openssh-7.8p1/servconf.h +Index: openssh-8.4p1/servconf.h =================================================================== ---- openssh-7.8p1.orig/servconf.h -+++ openssh-7.8p1/servconf.h -@@ -181,6 +181,7 @@ typedef struct { +--- openssh-8.4p1.orig/servconf.h ++++ openssh-8.4p1/servconf.h +@@ -195,6 +195,7 @@ typedef struct { char *adm_forced_command; int use_pam; /* Enable auth via PAM */ @@ -90,11 +90,11 @@ int permit_tun; -Index: openssh-7.8p1/sshd_config.0 +Index: openssh-8.4p1/sshd_config.0 =================================================================== ---- openssh-7.8p1.orig/sshd_config.0 -+++ openssh-7.8p1/sshd_config.0 -@@ -961,6 +961,14 @@ DESCRIPTION +--- openssh-8.4p1.orig/sshd_config.0 ++++ openssh-8.4p1/sshd_config.0 +@@ -1032,6 +1032,14 @@ DESCRIPTION If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is no. @@ -109,11 +109,11 @@ VersionAddendum Optionally specifies additional text to append to the SSH protocol banner sent by the server upon connection. The default -Index: openssh-7.8p1/sshd_config.5 +Index: openssh-8.4p1/sshd_config.5 =================================================================== ---- openssh-7.8p1.orig/sshd_config.5 -+++ openssh-7.8p1/sshd_config.5 -@@ -1613,6 +1613,18 @@ is enabled, you will not be able to run +--- openssh-8.4p1.orig/sshd_config.5 ++++ openssh-8.4p1/sshd_config.5 +@@ -1718,6 +1718,18 @@ is enabled, you will not be able to run as a non-root user. The default is .Cm no . ++++++ openssh-7.7p1-sftp_force_permissions.patch ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.583266482 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.583266482 +0100 
@@ -1,14 +1,16 @@ ---- original/sftp-server.8 2016-12-19 04:59:41.000000000 +0000 -+++ original/sftp-server.8 2017-11-23 08:47:01.267239186 +0000 -@@ -38,6 +38,7 @@ - .Op Fl P Ar blacklisted_requests - .Op Fl p Ar whitelisted_requests +Index: openssh-8.4p1/sftp-server.8 +=================================================================== +--- openssh-8.4p1.orig/sftp-server.8 ++++ openssh-8.4p1/sftp-server.8 +@@ -38,6 +38,7 @@ + .Op Fl P Ar denied_requests + .Op Fl p Ar allowed_requests .Op Fl u Ar umask +.Op Fl m Ar force_file_dir_perms .Ek .Nm .Fl Q Ar protocol_feature -@@ -138,6 +139,10 @@ +@@ -138,6 +139,10 @@ Sets an explicit .Xr umask 2 to be applied to newly-created files and directories, instead of the user's default mask. @@ -19,9 +21,11 @@ .El .Pp On some systems, ---- original/sftp-server.c 2016-12-19 04:59:41.000000000 +0000 -+++ original/sftp-server.c 2017-11-23 13:07:08.481765581 +0000 -@@ -65,6 +65,10 @@ +Index: openssh-8.4p1/sftp-server.c +=================================================================== +--- openssh-8.4p1.orig/sftp-server.c ++++ openssh-8.4p1/sftp-server.c +@@ -69,6 +69,10 @@ struct sshbuf *oqueue; /* Version of client */ static u_int version; @@ -32,7 +36,7 @@ /* SSH2_FXP_INIT received */ static int init_done; -@@ -679,6 +683,7 @@ +@@ -687,6 +691,7 @@ process_open(u_int32_t id) Attrib a; char *name; int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE; @@ -40,7 +44,7 @@ if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ -@@ -688,6 +693,10 @@ +@@ -696,6 +701,10 @@ process_open(u_int32_t id) debug3("request %u: open flags %d", id, pflags); flags = flags_from_portable(pflags); mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666; @@ -51,7 +55,7 @@ logit("open \"%s\" flags %s mode 0%o", name, string_from_portable(pflags), mode); if (readonly && -@@ -709,6 +718,8 @@ +@@ -717,6 +726,8 @@ process_open(u_int32_t id) } } } 
@@ -60,7 +64,7 @@ if (status != SSH2_FX_OK) send_status(id, status); free(name); -@@ -1110,6 +1121,7 @@ +@@ -1131,6 +1142,7 @@ process_mkdir(u_int32_t id) Attrib a; char *name; int r, mode, status = SSH2_FX_FAILURE; @@ -68,7 +72,7 @@ if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || (r = decode_attrib(iqueue, &a)) != 0) -@@ -1117,9 +1129,16 @@ +@@ -1138,9 +1150,16 @@ process_mkdir(u_int32_t id) mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm & 07777 : 0777; @@ -85,16 +89,16 @@ status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); free(name); -@@ -1490,7 +1509,7 @@ +@@ -1560,7 +1579,7 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " - "[-l log_level]\n\t[-P blacklisted_requests] " -- "[-p whitelisted_requests] [-u umask]\n" -+ "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n" + "[-l log_level]\n\t[-P denied_requests] " +- "[-p allowed_requests] [-u umask]\n" ++ "[-p allowed_requests] [-u umask] [-m force_file_dir_perms]\n" " %s -Q protocol_feature\n", __progname, __progname); exit(1); -@@ -1516,7 +1535,7 @@ +@@ -1588,7 +1607,7 @@ sftp_server_main(int argc, char **argv, pw = pwcopy(user_pw); while (!skipargs && (ch = getopt(argc, argv, @@ -103,7 +107,7 @@ switch (ch) { case 'Q': if (strcasecmp(optarg, "requests") != 0) { -@@ -1576,6 +1595,15 @@ +@@ -1650,6 +1669,15 @@ sftp_server_main(int argc, char **argv, fatal("Invalid umask \"%s\"", optarg); (void)umask((mode_t)mask); break; ++++++ openssh-7.7p1-sftp_print_diagnostic_messages.patch ++++++ --- /var/tmp/diff_new_pack.w6q0YJ/_old 2021-01-19 16:00:56.603266512 +0100 +++ /var/tmp/diff_new_pack.w6q0YJ/_new 2021-01-19 16:00:56.603266512 +0100 
@@ -2,11 +2,11 @@ # Parent 60bdbe6dd8d6bc011883472363d56e1d97f68835 Put back sftp client diagnostic messages in batch mode -diff --git a/sftp.1 b/sftp.1 -index a305b37..6e802ec 100644 ---- a/sftp.1 -+++ b/sftp.1 -@@ -282,6 +282,9 @@ Specifies the port to connect to on the remote host. +Index: openssh-8.4p1/sftp.1 +=================================================================== +--- openssh-8.4p1.orig/sftp.1 ++++ openssh-8.4p1/sftp.1 +@@ -287,6 +287,9 @@ Specifies the port to connect to on the .It Fl p Preserves modification times, access times, and modes from the original files transferred. @@ -16,10 +16,10 @@ .It Fl q Quiet mode: disables the progress meter as well as warning and diagnostic messages from -diff --git a/sftp.c b/sftp.c -index 2799e4a..52b2c23 100644 ---- a/sftp.c -+++ b/sftp.c +Index: openssh-8.4p1/sftp.c +=================================================================== +--- openssh-8.4p1.orig/sftp.c ++++ openssh-8.4p1/sftp.c @@ -85,6 +85,9 @@ static volatile pid_t sshpid = -1; /* Suppress diagnositic messages */ int quiet = 0; @@ -30,15 +30,15 @@ /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; -@@ -2409,7 +2412,7 @@ main(int argc, char **argv) +@@ -2408,7 +2411,7 @@ main(int argc, char **argv) infile = stdin; while ((ch = getopt(argc, argv, -- "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { -+ "1246afhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { +- "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { ++ "1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) { switch (ch) { /* Passed through to ssh(1) */ - case '4': + case 'A': @@ -2426,6 +2429,9 @@ main(int argc, char **argv) addargs(&args, "-%c", ch); addargs(&args, "%s", optarg); 
@@ -56,5 +56,5 @@ + if (batchmode && loud) + quiet = 0; - if (!isatty(STDERR_FILENO)) - showprogress = 0; + /* Do this last because we want the user to be able to override it */ + addargs(&args, "-oForwardAgent no"); ++++++ openssh-8.1p1-audit.patch ++++++ ++++ 1001 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-8.1p1-audit.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.28504/openssh-8.1p1-audit.patch ++++++ openssh-8.3p1.tar.gz -> openssh-8.4p1.tar.gz ++++++ ++++ 18641 lines of diff (skipped)
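Review bot: in the fips.c hunk at @@ -246,7 +245,9 @@ (openssh-7.7p1-fips_checks.patch) the `getenv(SSH_FORCE_FIPS_ENV)` override is replaced by a `stat(FIPS_PROC_PATH, &dummy)` probe whose `errno` drives a `switch`, and the patch header states that a missing file means "proceed in non-FIPS mode"; that is a fail-open default, so the ENOENT branch should log the downgrade at a level an administrator will see, and the `switch (errno)` should not lump other failures (EACCES, ELOOP, EIO) in with "not found" but fall through to the abort path, which is not visible in this context and should be checked. The rebase also moves `int fips_fd;` and `char fips_sys = 0;` above the removed env-parsing statements, which keeps the block free of declarations after statements; `struct stat dummy;` still sits below, so group it with the other two for consistency.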
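Review bot: the fips-check.c hunk in openssh-7.7p1-fips_checks.patch drops the git `new file mode 100644` and `index 0000000..eceb031` lines in favour of a quilt `Index:` header with `--- /dev/null`; quilt still creates the file from that, but the mode is now implicit rather than recorded in the patch, which is harmless for a .c source compiled by the build but worth keeping in mind if any later patch in this series adds a script that must be executable. The same git-to-quilt header conversion is applied across every file in the series, so the series should be checked once with `quilt push -a` to confirm all hunks still apply with zero fuzz at the renumbered offsets.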
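Review bot: in the session.c hunk at @@ -1260,12 +1262,20 @@ (openssh-7.7p1-hostname_changes_when_forwarding_X.patch) the added `char hostname[MAXHOSTNAMELEN];` is declared inside `if (f)` right after `f = popen(cmd, "w");`, and the code that fills it is outside the visible context; since `gethostname(2)` does not guarantee NUL termination when the name is longer than the buffer, confirm the fill path terminates the buffer explicitly before it is written into the xauth command stream, and that MAXHOSTNAMELEN is provided by defines.h on every target the package builds for. The rebased context also shows `cmd` changing from `char cmd[1024];` to `char *cmd = NULL, *user_rc = NULL;` with `fatal("%s: xasprintf: %s", __func__, strerror(errno));`, so the later `fprintf(stderr, "Could not run %s\n", cmd);` still refers to a valid string. Separately, the patch header comment "uset do be called '-xauthlocalhostname'" should read "used to be called".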
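Review bot: openssh-7.7p1-pam_check_locks.patch patches both sshd_config.5 (@@ -1718,6 +1718,18 @@) and sshd_config.0 (@@ -1032,6 +1032,14 @@), but sshd_config.0 in the release tarball is the pre-formatted output of sshd_config.5, so hand-editing both invites drift between the two descriptions of the new option; consider patching only the .5 source and regenerating the .0 at build time, or at least diffing the two texts after each rebase. The servconf.c hunk now targets `process_server_config_line_depth(ServerO` and auth.c now targets `allowed_user(struct ssh *ssh, struct pas`, which matches the 8.4p1 signatures; the added option lines themselves are outside the visible context.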
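Review bot: openssh-7.7p1-sftp_force_permissions.patch applies one `-m force_file_dir_perms` value to both regular files in `process_open` (context `mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;`) and directories in `process_mkdir` (context `a.perm & 07777 : 0777`), so a mode chosen to keep directories traversable (an execute bit) also marks every uploaded file executable, while a file-oriented mode such as 0640 makes created directories untraversable; the added sftp-server.8 text should spell out that trade-off and how the forced mode interacts with the separate `-u umask` option listed beside it. Because the mkdir path masks with 07777 rather than 0777, a forced value can carry setuid, setgid or sticky bits; unless that is intended, mask the option's parsed value to 0777 when it is read in `sftp_server_main`. The usage-string and man-page context updates (`denied_requests`, `allowed_requests`) correctly track upstream's rename of the `-P`/`-p` argument names.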
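Review bot: in the sftp.c hunk at @@ -56,5 +56,5 @@ (openssh-7.7p1-sftp_print_diagnostic_messages.patch) the rebase keeps `if (batchmode && loud) quiet = 0;` but swaps its trailing context from the `isatty(STDERR_FILENO)` / `showprogress = 0;` lines to `addargs(&args, "-oForwardAgent no");`, so the override now sits after option parsing and just before the agent-forwarding default is appended; that is still after every `case 'q':` and `case 'b':` assignment, which means `-Q` wins over `-q` regardless of the order given on the command line, and the new sftp.1 text at @@ -287,6 +287,9 @@ should state that precedence. The getopt string change to `"1246AafhNpQqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:"` correctly accommodates the upstream `-A` flag added in 8.4p1; the "diagnositic" typo in the surrounding `/* Suppress diagnositic messages */` context is upstream's, not this patch's.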