Hello community,

here is the log from the commit of package openssh for openSUSE:Factory checked 
in at 2018-11-28 11:11:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssh (Old)
 and      /work/SRC/openSUSE:Factory/.openssh.new.19453 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssh"

Wed Nov 28 11:11:24 2018 rev:123 rq:652023 version:7.9p1

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes    
2018-10-23 20:34:05.768995508 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.19453/openssh-askpass-gnome.changes 
2018-11-28 11:12:35.650966466 +0100
@@ -1,0 +2,7 @@
+Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez 
<pmonrealgonza...@suse.com>
+
+- Version update to 7.9p1
+  * No actual changes for the askpass
+  * See main package changelog for details
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/openssh/openssh.changes  2018-10-23 
20:34:06.312994858 +0200
+++ /work/SRC/openSUSE:Factory/.openssh.new.19453/openssh.changes       
2018-11-28 11:12:35.750966326 +0100
@@ -1,0 +2,86 @@
+Mon Nov 26 11:07:42 UTC 2018 - Vítězslav Čížek <vci...@suse.com>
+
+- Fix build with openssl < 1.1.0
+  * add openssh-openssl-1_0_0-compatibility.patch
+
+-------------------------------------------------------------------
+Wed Oct 31 00:27:41 UTC 2018 - Cristian Rodríguez <crrodrig...@opensuse.org>
+
+- openssh-7.7p1-audit.patch: fix sshd fatal error in 
+  mm_answer_keyverify: buffer error: incomplete message [bnc#1114008]
+
+-------------------------------------------------------------------
+Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez 
<pmonrealgonza...@suse.com>
+
+- Version update to 7.9p1
+  * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms
+    option (see below) bans the use of DSA keys as certificate
+    authorities.
+  * sshd(8): the authentication success/failure log message has
+    changed format slightly. It now includes the certificate
+    fingerprint (previously it included only key ID and CA key
+    fingerprint).
+  * ssh(1), sshd(8): allow most port numbers to be specified using
+    service names from getservbyname(3) (typically /etc/services).
+  * sshd(8): support signalling sessions via the SSH protocol.
+    A limited subset of signals is supported and only for login or
+    command sessions (i.e. not subsystems) that were not subject to
+    a forced command via authorized_keys or sshd_config. bz#1424
+  * ssh(1): support "ssh -Q sig" to list supported signature options.
+    Also "ssh -Q help" to show the full set of supported queries.
+  * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
+    client and server configs to allow control over which signature
+    formats are allowed for CAs to sign certificates. For example,
+    this allows banning CAs that sign certificates using the RSA-SHA1
+    signature algorithm.
+  * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
+    revoke keys specified by SHA256 hash.
+  * ssh-keygen(1): allow creation of key revocation lists directly
+    from base64-encoded SHA256 fingerprints. This supports revoking
+    keys using only the information contained in sshd(8)
+    authentication log messages.
+
+- Removed obsolete configuration option --with-tcp-wrappers, and
+  --with-opensc for s390 and s390x.
+  
+- Removed patch merged upstream
+  * openssh-7.7p1-openssl_1.1.0.patch
+
+- Refreshed patches
+  * openssh-7.7p1-audit.patch
+  * openssh-7.7p1-disable_short_DH_parameters.patch
+  * openssh-7.7p1-fips.patch
+  * openssh-7.7p1-gssapi_key_exchange.patch
+  * openssh-7.7p1-seccomp_ipc_flock.patch
+  * openssh-7.7p1-cavstest-ctr.patch
+  * openssh-7.7p1-ldap.patch 
+
+-------------------------------------------------------------------
+Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchva...@suse.com>
+
+- Mention upstream bugs on multiple local patches
+- Adjust service to not spam restart and reload only on fails
+
+-------------------------------------------------------------------
+Fri Oct 19 13:11:34 UTC 2018 - Tomáš Chvátal <tchva...@suse.com>
+
+- Update openssh-7.7p1-sftp_force_permissions.patch from the
+  upstream bug, and mention the bug in the spec
+
+-------------------------------------------------------------------
+Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal <tchva...@suse.com>
+
+- Drop patch openssh-7.7p1-allow_root_password_login.patch
+  * There is no reason to set less secure default value, if
+    users need the behaviour they can still set it up themselves
+- Drop patch openssh-7.7p1-blocksigalrm.patch
+  * We had a bug way in past about this but it was never reproduced
+    or even confirmed in the ticket, thus rather drop the patch
+
+-------------------------------------------------------------------
+Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal <tchva...@suse.com>
+
+- Disable ssh1 protocol support as neither RH or Debian enable
+  this protocol by default anymore either.
+
+-------------------------------------------------------------------
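Review bot: The entry dropping openssh-7.7p1-allow_root_password_login.patch (Fri Oct 19 08:36:52) does not name the PermitRootLogin default that applies after the update. The README.SUSE text removed in this same commit documented "PermitRootLogin yes" as the packaged default, so hosts that depended on root password login change behaviour on upgrade. State the resulting default in this entry so it shows up in the update notes.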

Old:
----
  openssh-7.7p1-allow_root_password_login.patch
  openssh-7.7p1-blocksigalrm.patch
  openssh-7.7p1-openssl_1.1.0.patch
  openssh-7.8p1.tar.gz
  openssh-7.8p1.tar.gz.asc

New:
----
  openssh-7.9p1.tar.gz
  openssh-7.9p1.tar.gz.asc
  openssh-openssl-1_0_0-compatibility.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssh-askpass-gnome.spec ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:36.462965326 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:36.462965326 +0100
@@ -18,7 +18,7 @@
 
 %define _name openssh
 Name:           openssh-askpass-gnome
-Version:        7.8p1
+Version:        7.9p1
 Release:        0
 Summary:        A GNOME-Based Passphrase Dialog for OpenSSH
 License:        BSD-2-Clause

++++++ openssh.spec ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:36.478965304 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:36.478965304 +0100
@@ -27,8 +27,7 @@
 %bcond_without susefirewall
 %bcond_with tirpc
 %endif
-%define _fwdir   %{_sysconfdir}/sysconfig/SuSEfirewall2.d
-%define _fwdefdir   %{_fwdir}/services
+%define _fwdefdir   %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services
 %define _appdefdir  %( grep "configdirspec=" $( which xmkmf ) | sed -r 
's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' )
 %define CHECKSUM_SUFFIX .hmac
 %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE"
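Review bot: "_fwdir" is deleted here and its value inlined into "_fwdefdir", so any "%{_fwdir}" reference remaining elsewhere in the spec would no longer expand. None of the visible hunks shows the other uses; check the rest of the spec for the macro before accepting.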
@@ -37,7 +36,7 @@
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 Name:           openssh
-Version:        7.8p1
+Version:        7.9p1
 Release:        0
 Summary:        Secure Shell Client and Server (Remote Login Program)
 License:        BSD-2-Clause AND MIT
@@ -56,37 +55,49 @@
 Source10:       sshd.service
 Source11:       README.FIPS
 Source12:       cavs_driver-ssh.pl
-Patch0:         openssh-7.7p1-allow_root_password_login.patch
 Patch1:         openssh-7.7p1-X11_trusted_forwarding.patch
 Patch3:         openssh-7.7p1-enable_PAM_by_default.patch
 Patch4:         openssh-7.7p1-eal3.patch
-Patch5:         openssh-7.7p1-blocksigalrm.patch
 Patch6:         openssh-7.7p1-send_locale.patch
 Patch7:         openssh-7.7p1-hostname_changes_when_forwarding_X.patch
 Patch8:         openssh-7.7p1-remove_xauth_cookies_on_exit.patch
 Patch9:         openssh-7.7p1-pts_names_formatting.patch
 Patch10:        openssh-7.7p1-pam_check_locks.patch
 Patch11:        openssh-7.7p1-disable_short_DH_parameters.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
 Patch14:        openssh-7.7p1-seccomp_stat.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
 Patch15:        openssh-7.7p1-seccomp_ipc_flock.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2752
 Patch16:        openssh-7.7p1-seccomp_ioctl_s390_EP11.patch
+# Local FIPS patchset
 Patch17:        openssh-7.7p1-fips.patch
+# Local cavs patchset
 Patch18:        openssh-7.7p1-cavstest-ctr.patch
+# Local cavs patchset
 Patch19:        openssh-7.7p1-cavstest-kdf.patch
+# Local FIPS patchset
 Patch20:        openssh-7.7p1-fips_checks.patch
 Patch21:        openssh-7.7p1-seed-prng.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
 Patch22:        openssh-7.7p1-systemd-notify.patch
 Patch23:        openssh-7.7p1-gssapi_key_exchange.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=1402
 Patch24:        openssh-7.7p1-audit.patch
-Patch25:        openssh-7.7p1-openssl_1.1.0.patch
+# Local patch to disable runtime abi SSL checks, quite pointless for us
 Patch26:        openssh-7.7p1-disable_openssl_abi_check.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2641
 Patch27:        openssh-7.7p1-no_fork-no_pid_file.patch
 Patch28:        openssh-7.7p1-host_ident.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=1844
 Patch29:        openssh-7.7p1-sftp_force_permissions.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2143
 Patch30:        openssh-7.7p1-X_forward_with_disabled_ipv6.patch
 Patch31:        openssh-7.7p1-ldap.patch
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2213
 Patch32:        openssh-7.7p1-IPv6_X_forwarding.patch
 Patch33:        openssh-7.7p1-sftp_print_diagnostic_messages.patch
+Patch34:        openssh-openssl-1_0_0-compatibility.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  groff
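Review bot: Patch34 (openssh-openssl-1_0_0-compatibility.patch) is added without an origin comment, although this hunk annotates most other patches with an upstream bug URL or a "Local ..." marker. Add a comment saying whether it is a local build fix or comes from upstream. Patch1, Patch3, Patch4, Patch6 to Patch11, Patch21, Patch23, Patch28, Patch31 and Patch33 are also still unannotated, which leaves the "mention upstream bugs" changelog item only partly done.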
@@ -176,7 +187,6 @@
 %configure \
     --sysconfdir=%{_sysconfdir}/ssh \
     --libexecdir=%{_libexecdir}/ssh \
-    --with-tcp-wrappers \
     --with-selinux \
     --with-pid-dir=/run \
     --with-systemd \
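Review bot: The removal of "--with-tcp-wrappers" is justified only by the changelog word "obsolete". Say in the changelog whether the flag was already ignored by configure in the previous package; if it was not, sshd stops honouring /etc/hosts.allow and /etc/hosts.deny with this update and administrators relying on those files need to be told.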
@@ -189,18 +199,13 @@
 %else
     --with-sandbox=rlimit \
 %endif
-%ifnarch s390 s390x
-    --with-opensc \
-%endif
     --disable-strip \
     --with-audit=linux \
     --with-ldap \
     --with-xauth=%{_bindir}/xauth \
     --with-libedit \
-    --with-ssh1 \
-    --target=%{_target_cpu}-suse-linux \
+    --target=%{_target_cpu}-suse-linux
 
-### configure end
 make %{?_smp_mflags}
 
 %install
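Review bot: The removed block is "%ifnarch s390 s390x" around "--with-opensc", which enabled the option on every architecture except s390 and s390x, while the changelog describes the change as removing "--with-opensc for s390 and s390x". Reword the changelog entry to match: the option is being dropped on the architectures that previously had it, and the entry should say why it is obsolete.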

++++++ README.SUSE ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:36.518965247 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:36.518965247 +0100
@@ -5,16 +5,6 @@
 
 * PAM authentication is enabled and mostly even required, do not turn it off.
 
-* root authentiation with password is enabled by default (PermitRootLogin yes).
-  NOTE: this has security implications and is only done in order to not change
-  behaviour of the server in an update. We strongly suggest setting this option
-  either "prohibit-password" or even better to "no" (which disables direct
-  remote root login entirely).
-
-* SSH protocol version 1 is enabled for maximum compatibility.
-  NOTE: do not use protocol version 1. It is less secure then v2 and should
-  generally be phased out.
-
 * DSA authentication is enabled by default for maximum compatibility.
   NOTE: do not use DSA authentication since it is being phased out for a reason
   - the size of DSA keys is limited by the standard to 1024 bits which cannot
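Review bot: After the two removed items the README no longer tells an administrator what the root login default is; add a short line naming the current PermitRootLogin setting for anyone upgrading from the documented "PermitRootLogin yes". The surviving DSA item still says DSA authentication is enabled by default and should be rechecked against 7.9p1, given the changelog note that CASignatureAlgorithms now bans DSA keys as certificate authorities.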

++++++ openssh-7.7p1-audit.patch ++++++
++++ 860 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssh/openssh-7.7p1-audit.patch
++++ and /work/SRC/openSUSE:Factory/.openssh.new.19453/openssh-7.7p1-audit.patch

++++++ openssh-7.7p1-cavstest-ctr.patch ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:36.554965197 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:36.554965197 +0100
@@ -2,15 +2,11 @@
 # Parent  cc1022edba2c5eeb0facba08468f65afc2466b63
 CAVS test for OpenSSH's own CTR encryption mode implementation
 
-diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in
---- openssh-7.7p1/Makefile.in
-+++ openssh-7.7p1/Makefile.in
-@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@
- 
- DESTDIR=
- VPATH=@srcdir@
- SSH_PROGRAM=@bindir@/ssh
- ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+Index: openssh-7.9p1/Makefile.in
+===================================================================
+--- openssh-7.9p1.orig/Makefile.in
++++ openssh-7.9p1/Makefile.in
+@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
@@ -18,17 +14,7 @@
  PRIVSEP_PATH=@PRIVSEP_PATH@
  SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
  STRIP_OPT=@STRIP_OPT@
- TEST_SHELL=@TEST_SHELL@
- 
- PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-       -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-       -D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
-@@ -57,16 +58,18 @@ ENT=@ENT@
- XAUTH_PATH=@XAUTH_PATH@
- LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
- EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- MKDIR_P=@MKDIR_P@
+@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@
  
  TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) 
ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) 
ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
  
@@ -37,17 +23,7 @@
  XMSS_OBJS=\
        ssh-xmss.o \
        sshkey-xmss.o \
-       xmss_commons.o \
-       xmss_fast.o \
-       xmss_hash.o \
-       xmss_hash_address.o \
-       xmss_wots.o
-@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss
-       $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
- 
- sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o 
sftp-server.o sftp-server-main.o
-       $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) 
-lssh -lopenbsd-compat $(LIBS)
- 
+@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss
  sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o 
sftp-glob.o progressmeter.o
        $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o 
sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
  
@@ -58,17 +34,7 @@
  # test driver for the loginrec code - not built by default
  logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
        $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh 
$(LIBS)
- 
- $(MANPAGES): $(MANPAGES_IN)
-       if test "$(MANTYPE)" = "cat"; then \
-               manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
-       else \
-@@ -339,16 +346,17 @@ install-files:
-       $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) 
$(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-       $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) 
$(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-       $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) 
$(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-       $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) 
$(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-       $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) 
$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+@@ -348,6 +355,7 @@ install-files:
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
@@ -76,15 +42,10 @@
        $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        $(INSTALL) -m 644 ssh-add.1.out 
$(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-       $(INSTALL) -m 644 ssh-agent.1.out 
$(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
-       $(INSTALL) -m 644 ssh-keygen.1.out 
$(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
-       $(INSTALL) -m 644 ssh-keyscan.1.out 
$(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-       $(INSTALL) -m 644 moduli.5.out 
$(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
-       $(INSTALL) -m 644 sshd_config.5.out 
$(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
-diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c
-new file mode 100644
+Index: openssh-7.9p1/cavstest-ctr.c
+===================================================================
 --- /dev/null
-+++ openssh-7.7p1/cavstest-ctr.c
++++ openssh-7.9p1/cavstest-ctr.c
 @@ -0,0 +1,214 @@
 +/*
 + *
@@ -238,7 +199,7 @@
 +              usage();
 +      }
 +
-+      SSLeay_add_all_algorithms();
++      OpenSSL_add_all_algorithms();
 +
 +      c = cipher_by_name(algo);
 +      if (c == NULL) {
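Review bot: The switch from "SSLeay_add_all_algorithms()" to "OpenSSL_add_all_algorithms()" in cavstest-ctr.c has to build against both OpenSSL lines, because this commit also adds openssh-openssl-1_0_0-compatibility.patch for openssl < 1.1.0. Confirm the CAVS test binary compiles and links in both configurations, and record that in the changelog entry for the refreshed patch.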
@@ -300,15 +261,11 @@
 +      printf("\n");
 +      return 0;
 +}
-diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c
---- openssh-7.7p1/cipher.c
-+++ openssh-7.7p1/cipher.c
-@@ -49,25 +49,16 @@
- #include "ssherr.h"
- #include "digest.h"
- 
- #include "openbsd-compat/openssl-compat.h"
- 
+Index: openssh-7.9p1/cipher.c
+===================================================================
+--- openssh-7.9p1.orig/cipher.c
++++ openssh-7.9p1/cipher.c
+@@ -54,15 +54,6 @@
  #include "fips.h"
  #include "log.h"
  
@@ -324,20 +281,11 @@
  struct sshcipher {
        char    *name;
        u_int   block_size;
-       u_int   key_len;
-       u_int   iv_len;         /* defaults to block_size */
-       u_int   auth_len;
-       u_int   flags;
- #define CFLAG_CBC             (1<<0)
-diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h
---- openssh-7.7p1/cipher.h
-+++ openssh-7.7p1/cipher.h
-@@ -41,17 +41,25 @@
- #include <openssl/evp.h>
- #include "cipher-chachapoly.h"
- #include "cipher-aesctr.h"
- 
- #define CIPHER_ENCRYPT                1
+Index: openssh-7.9p1/cipher.h
+===================================================================
+--- openssh-7.9p1.orig/cipher.h
++++ openssh-7.9p1/cipher.h
+@@ -46,7 +46,15 @@
  #define CIPHER_DECRYPT                0
  
  struct sshcipher;
@@ -354,8 +302,3 @@
  
  const struct sshcipher *cipher_by_name(const char *);
  const char *cipher_warning_message(const struct sshcipher_ctx *);
- int    ciphers_valid(const char *);
- char  *cipher_alg_list(char, int);
- int    cipher_init(struct sshcipher_ctx **, const struct sshcipher *,
-     const u_char *, u_int, const u_char *, u_int, int);
- int    cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,

++++++ openssh-7.7p1-disable_short_DH_parameters.patch ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:36.570965174 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:36.570965174 +0100
@@ -12,23 +12,23 @@
 CVE-2015-4000 (LOGJAM)
 bsc#932483
 
-Index: openssh-7.8p1/dh.c
+Index: openssh-7.9p1/dh.c
 ===================================================================
---- openssh-7.8p1.orig/dh.c
-+++ openssh-7.8p1/dh.c
-@@ -43,6 +43,8 @@
- #include "misc.h"
- #include "ssherr.h"
+--- openssh-7.9p1.orig/dh.c
++++ openssh-7.9p1/dh.c
+@@ -45,6 +45,8 @@
+ 
+ #include "openbsd-compat/openssl-compat.h"
  
 +int dh_grp_min = DH_GRP_MIN;
 +
  static int
  parse_prime(int linenum, char *line, struct dhgroup *dhg)
  {
-Index: openssh-7.8p1/dh.h
+Index: openssh-7.9p1/dh.h
 ===================================================================
---- openssh-7.8p1.orig/dh.h
-+++ openssh-7.8p1/dh.h
+--- openssh-7.9p1.orig/dh.h
++++ openssh-7.9p1/dh.h
 @@ -50,6 +50,7 @@ u_int         dh_estimate(int);
   * Max value from RFC4419.
   * Miniumum increased in light of DH precomputation attacks.
@@ -37,11 +37,11 @@
  #define DH_GRP_MIN    2048
  #define DH_GRP_MAX    8192
  
-Index: openssh-7.8p1/kexgexc.c
+Index: openssh-7.9p1/kexgexc.c
 ===================================================================
---- openssh-7.8p1.orig/kexgexc.c
-+++ openssh-7.8p1/kexgexc.c
-@@ -51,6 +51,9 @@
+--- openssh-7.9p1.orig/kexgexc.c
++++ openssh-7.9p1/kexgexc.c
+@@ -53,6 +53,9 @@
  #include "sshbuf.h"
  #include "misc.h"
  
@@ -51,7 +51,7 @@
  static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
  static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
  
-@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh)
+@@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh)
  
        nbits = dh_estimate(kex->dh_need * 8);
  
@@ -60,7 +60,7 @@
        kex->max = DH_GRP_MAX;
        kex->nbits = nbits;
        if (datafellows & SSH_BUG_DHGEX_LARGE)
-@@ -108,6 +111,12 @@ input_kex_dh_gex_group(int type, u_int32
+@@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32
                goto out;
        if ((bits = BN_num_bits(p)) < 0 ||
            (u_int)bits < kex->min || (u_int)bits > kex->max) {
@@ -73,11 +73,11 @@
                r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
                goto out;
        }
-Index: openssh-7.8p1/kexgexs.c
+Index: openssh-7.9p1/kexgexs.c
 ===================================================================
---- openssh-7.8p1.orig/kexgexs.c
-+++ openssh-7.8p1/kexgexs.c
-@@ -54,6 +54,9 @@
+--- openssh-7.9p1.orig/kexgexs.c
++++ openssh-7.9p1/kexgexs.c
+@@ -56,6 +56,9 @@
  #include "sshbuf.h"
  #include "misc.h"
  
@@ -87,7 +87,7 @@
  static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
  static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
  
-@@ -82,13 +85,19 @@ input_kex_dh_gex_request(int type, u_int
+@@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int
        kex->nbits = nbits;
        kex->min = min;
        kex->max = max;
@@ -109,10 +109,10 @@
                r = SSH_ERR_DH_GEX_OUT_OF_RANGE;
                goto out;
        }
-Index: openssh-7.8p1/readconf.c
+Index: openssh-7.9p1/readconf.c
 ===================================================================
---- openssh-7.8p1.orig/readconf.c
-+++ openssh-7.8p1/readconf.c
+--- openssh-7.9p1.orig/readconf.c
++++ openssh-7.9p1/readconf.c
 @@ -67,6 +67,7 @@
  #include "uidswap.h"
  #include "myproposal.h"
@@ -130,7 +130,7 @@
        oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
        oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
        oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -291,6 +292,7 @@ static struct {
+@@ -292,6 +293,7 @@ static struct {
        { "remotecommand", oRemoteCommand },
        { "visualhostkey", oVisualHostKey },
        { "kexalgorithms", oKexAlgorithms },
@@ -138,7 +138,7 @@
        { "ipqos", oIPQoS },
        { "requesttty", oRequestTTY },
        { "proxyusefdpass", oProxyUseFdpass },
-@@ -312,6 +314,9 @@ static struct {
+@@ -313,6 +315,9 @@ static struct {
        { NULL, oBadOption }
  };
  
@@ -148,7 +148,7 @@
  /*
   * Adds a local TCP/IP port forward to options.  Never returns if there is an
   * error.
-@@ -1206,6 +1211,10 @@ parse_int:
+@@ -1216,6 +1221,10 @@ parse_int:
                        options->kex_algorithms = xstrdup(arg);
                break;
  
@@ -159,15 +159,15 @@
        case oHostKeyAlgorithms:
                charptr = &options->hostkeyalgorithms;
  parse_keytypes:
-@@ -1835,6 +1844,7 @@ initialize_options(Options * options)
+@@ -1860,6 +1869,7 @@ initialize_options(Options * options)
        options->ciphers = NULL;
        options->macs = NULL;
        options->kex_algorithms = NULL;
 +      options->kex_dhmin = -1;
        options->hostkeyalgorithms = NULL;
+       options->ca_sign_algorithms = NULL;
        options->num_identity_files = 0;
-       options->num_certificate_files = 0;
-@@ -1988,6 +1998,13 @@ fill_default_options(Options * options)
+@@ -2014,6 +2024,13 @@ fill_default_options(Options * options)
                options->connection_attempts = 1;
        if (options->number_of_password_prompts == -1)
                options->number_of_password_prompts = 3;
@@ -181,22 +181,22 @@
        /* options->hostkeyalgorithms, default set in myproposals.h */
        if (options->add_keys_to_agent == -1)
                options->add_keys_to_agent = 0;
-Index: openssh-7.8p1/readconf.h
+Index: openssh-7.9p1/readconf.h
 ===================================================================
---- openssh-7.8p1.orig/readconf.h
-+++ openssh-7.8p1/readconf.h
-@@ -67,6 +67,7 @@ typedef struct {
-       char   *macs;           /* SSH2 macs in order of preference. */
+--- openssh-7.9p1.orig/readconf.h
++++ openssh-7.9p1/readconf.h
+@@ -68,6 +68,7 @@ typedef struct {
        char   *hostkeyalgorithms;      /* SSH2 server key types in order of 
preference. */
        char   *kex_algorithms; /* SSH2 kex methods in order of preference. */
-+      int     kex_dhmin;      /* minimum bit length of the DH group parameter 
*/
+       char   *ca_sign_algorithms;     /* Allowed CA signature algorithms */
++      int     kex_dhmin;      /* minimum bit length of the DH group parameter 
*/
        char   *hostname;       /* Real host to connect. */
        char   *host_key_alias; /* hostname alias for .ssh/known_hosts */
        char   *proxy_command;  /* Proxy command for connecting the host. */
-Index: openssh-7.8p1/servconf.c
+Index: openssh-7.9p1/servconf.c
 ===================================================================
---- openssh-7.8p1.orig/servconf.c
-+++ openssh-7.8p1/servconf.c
+--- openssh-7.9p1.orig/servconf.c
++++ openssh-7.9p1/servconf.c
 @@ -64,6 +64,10 @@
  #include "auth.h"
  #include "myproposal.h"
@@ -213,10 +213,10 @@
        options->macs = NULL;
        options->kex_algorithms = NULL;
 +      options->kex_dhmin = -1;
+       options->ca_sign_algorithms = NULL;
        options->fwd_opts.gateway_ports = -1;
        options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
-       options->fwd_opts.streamlocal_bind_unlink = -1;
-@@ -263,6 +268,14 @@ fill_default_server_options(ServerOption
+@@ -267,6 +272,14 @@ fill_default_server_options(ServerOption
        if (options->use_pam_check_locks == -1)
                options->use_pam_check_locks = 0;
  
@@ -231,16 +231,16 @@
        /* Standard Options */
        if (options->num_host_key_files == 0) {
                /* fill default hostkeys for protocols */
-@@ -490,7 +503,7 @@ typedef enum {
+@@ -494,7 +507,7 @@ typedef enum {
        sHostCertificate,
        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
        sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser,
--      sKexAlgorithms, sIPQoS, sVersionAddendum,
-+      sKexAlgorithms, sKexDHMin, sIPQoS, sVersionAddendum,
+-      sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum,
++      sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, 
sVersionAddendum,
        sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
        sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
        sStreamLocalBindMask, sStreamLocalBindUnlink,
-@@ -631,6 +644,7 @@ static struct {
+@@ -635,6 +648,7 @@ static struct {
        { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
        { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
@@ -248,7 +248,7 @@
        { "ipqos", sIPQoS, SSHCFG_ALL },
        { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
        { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
-@@ -1726,6 +1740,10 @@ process_server_config_line(ServerOptions
+@@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions
                        options->kex_algorithms = xstrdup(arg);
                break;
  
@@ -259,7 +259,7 @@
        case sSubsystem:
                if (options->num_subsystems >= MAX_SUBSYSTEMS) {
                        fatal("%s line %d: too many subsystems defined.",
-@@ -2540,6 +2558,7 @@ dump_config(ServerOptions *o)
+@@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o)
        dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
        dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
        dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
@@ -267,10 +267,10 @@
  
        /* formatted integer arguments */
        dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
-Index: openssh-7.8p1/servconf.h
+Index: openssh-7.9p1/servconf.h
 ===================================================================
---- openssh-7.8p1.orig/servconf.h
-+++ openssh-7.8p1/servconf.h
+--- openssh-7.9p1.orig/servconf.h
++++ openssh-7.9p1/servconf.h
 @@ -103,6 +103,7 @@ typedef struct {
        char   *ciphers;        /* Supported SSH2 ciphers. */
        char   *macs;           /* Supported SSH2 macs. */
@@ -279,10 +279,10 @@
        struct ForwardOptions fwd_opts; /* forwarding options */
        SyslogFacility log_facility;    /* Facility for system logging. */
        LogLevel log_level;     /* Level for system logging. */
-Index: openssh-7.8p1/ssh_config
+Index: openssh-7.9p1/ssh_config
 ===================================================================
---- openssh-7.8p1.orig/ssh_config
-+++ openssh-7.8p1/ssh_config
+--- openssh-7.9p1.orig/ssh_config
++++ openssh-7.9p1/ssh_config
 @@ -17,6 +17,11 @@
  # list of available options, their meanings and defaults, please see the
  # ssh_config(5) man page.
@@ -295,11 +295,11 @@
  Host *
  #   ForwardAgent no
  #   ForwardX11 no
-Index: openssh-7.8p1/ssh_config.0
+Index: openssh-7.9p1/ssh_config.0
 ===================================================================
---- openssh-7.8p1.orig/ssh_config.0
-+++ openssh-7.8p1/ssh_config.0
-@@ -595,6 +595,23 @@ DESCRIPTION
+--- openssh-7.9p1.orig/ssh_config.0
++++ openssh-7.9p1/ssh_config.0
+@@ -610,6 +610,23 @@ DESCRIPTION
               The list of available key exchange algorithms may also be
               obtained using "ssh -Q kex".
  
@@ -323,11 +323,11 @@
       LocalCommand
               Specifies a command to execute on the local machine after
               successfully connecting to the server.  The command string
-Index: openssh-7.8p1/ssh_config.5
+Index: openssh-7.9p1/ssh_config.5
 ===================================================================
---- openssh-7.8p1.orig/ssh_config.5
-+++ openssh-7.8p1/ssh_config.5
-@@ -1025,6 +1025,22 @@ diffie-hellman-group14-sha1
+--- openssh-7.9p1.orig/ssh_config.5
++++ openssh-7.9p1/ssh_config.5
+@@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1
  .Pp
  The list of available key exchange algorithms may also be obtained using
  .Qq ssh -Q kex .
@@ -350,10 +350,10 @@
  .It Cm LocalCommand
  Specifies a command to execute on the local machine after successfully
  connecting to the server.
-Index: openssh-7.8p1/sshd_config
+Index: openssh-7.9p1/sshd_config
 ===================================================================
---- openssh-7.8p1.orig/sshd_config
-+++ openssh-7.8p1/sshd_config
+--- openssh-7.9p1.orig/sshd_config
++++ openssh-7.9p1/sshd_config
 @@ -19,6 +19,13 @@
  #HostKey /etc/ssh/ssh_host_ecdsa_key
  #HostKey /etc/ssh/ssh_host_ed25519_key
@@ -368,11 +368,11 @@
  # Ciphers and keying
  #RekeyLimit default none
  
-Index: openssh-7.8p1/sshd_config.0
+Index: openssh-7.9p1/sshd_config.0
 ===================================================================
---- openssh-7.8p1.orig/sshd_config.0
-+++ openssh-7.8p1/sshd_config.0
-@@ -545,6 +545,23 @@ DESCRIPTION
+--- openssh-7.9p1.orig/sshd_config.0
++++ openssh-7.9p1/sshd_config.0
+@@ -555,6 +555,23 @@ DESCRIPTION
               The list of available key exchange algorithms may also be
               obtained using "ssh -Q kex".
  
@@ -396,11 +396,11 @@
       ListenAddress
               Specifies the local addresses sshd(8) should listen on.  The
               following forms may be used:
-Index: openssh-7.8p1/sshd_config.5
+Index: openssh-7.9p1/sshd_config.5
 ===================================================================
---- openssh-7.8p1.orig/sshd_config.5
-+++ openssh-7.8p1/sshd_config.5
-@@ -912,6 +912,22 @@ diffie-hellman-group14-sha256,diffie-hel
+--- openssh-7.9p1.orig/sshd_config.5
++++ openssh-7.9p1/sshd_config.5
+@@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel
  .Pp
  The list of available key exchange algorithms may also be obtained using
  .Qq ssh -Q kex .

++++++ openssh-7.7p1-fips.patch ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:36.582965158 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:36.582965158 +0100
@@ -3,10 +3,10 @@
 FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved
 algorithms.
 
-Index: openssh-7.8p1/Makefile.in
+Index: openssh-7.9p1/Makefile.in
 ===================================================================
---- openssh-7.8p1.orig/Makefile.in
-+++ openssh-7.8p1/Makefile.in
+--- openssh-7.9p1.orig/Makefile.in
++++ openssh-7.9p1/Makefile.in
 @@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
        kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
        platform-pledge.o platform-tracing.o platform-misc.o
@@ -16,10 +16,10 @@
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
        sshconnect.o sshconnect2.o mux.o
  
-Index: openssh-7.8p1/cipher-ctr.c
+Index: openssh-7.9p1/cipher-ctr.c
 ===================================================================
---- openssh-7.8p1.orig/cipher-ctr.c
-+++ openssh-7.8p1/cipher-ctr.c
+--- openssh-7.9p1.orig/cipher-ctr.c
++++ openssh-7.9p1/cipher-ctr.c
 @@ -27,6 +27,8 @@
  #include "xmalloc.h"
  #include "log.h"
@@ -38,10 +38,10 @@
  #endif
        return (&aes_ctr);
  }
-Index: openssh-7.8p1/cipher.c
+Index: openssh-7.9p1/cipher.c
 ===================================================================
---- openssh-7.8p1.orig/cipher.c
-+++ openssh-7.8p1/cipher.c
+--- openssh-7.9p1.orig/cipher.c
++++ openssh-7.9p1/cipher.c
 @@ -51,6 +51,8 @@
  
  #include "openbsd-compat/openssl-compat.h"
@@ -131,10 +131,10 @@
                if (strcmp(c->name, name) == 0)
                        return c;
        return NULL;
-Index: openssh-7.8p1/dh.h
+Index: openssh-7.9p1/dh.h
 ===================================================================
---- openssh-7.8p1.orig/dh.h
-+++ openssh-7.8p1/dh.h
+--- openssh-7.9p1.orig/dh.h
++++ openssh-7.9p1/dh.h
 @@ -52,6 +52,7 @@ u_int         dh_estimate(int);
   */
  #define DH_GRP_MIN_RFC        1024
@@ -143,10 +143,10 @@
  #define DH_GRP_MAX    8192
  
  /*
-Index: openssh-7.8p1/fips.c
+Index: openssh-7.9p1/fips.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/fips.c
++++ openssh-7.9p1/fips.c
 @@ -0,0 +1,237 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@@ -385,10 +385,10 @@
 +      return dh;
 +}
 +
-Index: openssh-7.8p1/fips.h
+Index: openssh-7.9p1/fips.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/fips.h
++++ openssh-7.9p1/fips.h
 @@ -0,0 +1,45 @@
 +/*
 + * Copyright (c) 2012 Petr Cerny.  All rights reserved.
@@ -435,10 +435,10 @@
 +
 +#endif
 +
-Index: openssh-7.8p1/hmac.c
+Index: openssh-7.9p1/hmac.c
 ===================================================================
---- openssh-7.8p1.orig/hmac.c
-+++ openssh-7.8p1/hmac.c
+--- openssh-7.9p1.orig/hmac.c
++++ openssh-7.9p1/hmac.c
 @@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void *
        size_t                   i;
        u_char                   digest[16];
@@ -448,10 +448,10 @@
                printf("ssh_hmac_start failed");
        if (ssh_hmac_init(ctx, key, klen) < 0 ||
            ssh_hmac_update(ctx, m, mlen) < 0 ||
-Index: openssh-7.8p1/kex.c
+Index: openssh-7.9p1/kex.c
 ===================================================================
---- openssh-7.8p1.orig/kex.c
-+++ openssh-7.8p1/kex.c
+--- openssh-7.9p1.orig/kex.c
++++ openssh-7.9p1/kex.c
 @@ -54,6 +54,8 @@
  #include "sshbuf.h"
  #include "digest.h"
@@ -547,11 +547,11 @@
                        free(s);
                        return 0;
                }
-Index: openssh-7.8p1/kexgexc.c
+Index: openssh-7.9p1/kexgexc.c
 ===================================================================
---- openssh-7.8p1.orig/kexgexc.c
-+++ openssh-7.8p1/kexgexc.c
-@@ -51,8 +51,7 @@
+--- openssh-7.9p1.orig/kexgexc.c
++++ openssh-7.9p1/kexgexc.c
+@@ -53,8 +53,7 @@
  #include "sshbuf.h"
  #include "misc.h"
  
@@ -561,7 +561,7 @@
  
  static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *);
  static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *);
-@@ -66,7 +65,7 @@ kexgex_client(struct ssh *ssh)
+@@ -68,7 +67,7 @@ kexgex_client(struct ssh *ssh)
  
        nbits = dh_estimate(kex->dh_need * 8);
  
@@ -570,11 +570,11 @@
        kex->max = DH_GRP_MAX;
        kex->nbits = nbits;
        if (datafellows & SSH_BUG_DHGEX_LARGE)
-Index: openssh-7.8p1/kexgexs.c
+Index: openssh-7.9p1/kexgexs.c
 ===================================================================
---- openssh-7.8p1.orig/kexgexs.c
-+++ openssh-7.8p1/kexgexs.c
-@@ -54,8 +54,7 @@
+--- openssh-7.9p1.orig/kexgexs.c
++++ openssh-7.9p1/kexgexs.c
+@@ -56,8 +56,7 @@
  #include "sshbuf.h"
  #include "misc.h"
  
@@ -584,7 +584,7 @@
  
  static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *);
  static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *);
-@@ -85,9 +84,9 @@ input_kex_dh_gex_request(int type, u_int
+@@ -88,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
        kex->nbits = nbits;
        kex->min = min;
        kex->max = max;
@@ -596,10 +596,10 @@
        nbits = MINIMUM(DH_GRP_MAX, nbits);
  
        if (kex->max < kex->min || kex->nbits < kex->min ||
-Index: openssh-7.8p1/mac.c
+Index: openssh-7.9p1/mac.c
 ===================================================================
---- openssh-7.8p1.orig/mac.c
-+++ openssh-7.8p1/mac.c
+--- openssh-7.9p1.orig/mac.c
++++ openssh-7.9p1/mac.c
 @@ -40,6 +40,9 @@
  
  #include "openbsd-compat/openssl-compat.h"
@@ -679,11 +679,11 @@
                if (strcmp(name, m->name) != 0)
                        continue;
                if (mac != NULL)
-Index: openssh-7.8p1/myproposal.h
+Index: openssh-7.9p1/myproposal.h
 ===================================================================
---- openssh-7.8p1.orig/myproposal.h
-+++ openssh-7.8p1/myproposal.h
-@@ -141,6 +141,8 @@
+--- openssh-7.9p1.orig/myproposal.h
++++ openssh-7.9p1/myproposal.h
+@@ -151,6 +151,8 @@
  
  #else /* WITH_OPENSSL */
  
@@ -692,10 +692,10 @@
  #define KEX_SERVER_KEX                \
        "curve25519-sha256," \
        "curve25519-sha...@libssh.org"
-Index: openssh-7.8p1/readconf.c
+Index: openssh-7.9p1/readconf.c
 ===================================================================
---- openssh-7.8p1.orig/readconf.c
-+++ openssh-7.8p1/readconf.c
+--- openssh-7.9p1.orig/readconf.c
++++ openssh-7.9p1/readconf.c
 @@ -68,6 +68,7 @@
  #include "myproposal.h"
  #include "digest.h"
@@ -704,7 +704,7 @@
  
  /* Format of the configuration file:
  
-@@ -1800,6 +1801,23 @@ option_clear_or_none(const char *o)
+@@ -1825,6 +1826,23 @@ option_clear_or_none(const char *o)
        return o == NULL || strcasecmp(o, "none") == 0;
  }
  
@@ -728,7 +728,7 @@
  /*
   * Initializes options to special values that indicate that they have not yet
   * been set.  Read_config_file will only set options with this value. Options
-@@ -1999,9 +2017,9 @@ fill_default_options(Options * options)
+@@ -2025,9 +2043,9 @@ fill_default_options(Options * options)
        if (options->number_of_password_prompts == -1)
                options->number_of_password_prompts = 3;
        if (options->kex_dhmin == -1)
@@ -740,7 +740,7 @@
                options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
        }
        dh_grp_min = options->kex_dhmin;
-@@ -2086,6 +2104,8 @@ fill_default_options(Options * options)
+@@ -2112,6 +2130,8 @@ fill_default_options(Options * options)
                options->canonicalize_hostname = SSH_CANONICALISE_NO;
        if (options->fingerprint_hash == -1)
                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -749,19 +749,19 @@
        if (options->update_hostkeys == -1)
                options->update_hostkeys = 0;
  
-@@ -2110,6 +2130,7 @@ fill_default_options(Options * options)
-       free(all_mac);
-       free(all_kex);
+@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha
+           KEX_DEFAULT_PK_ALG, all_key) != 0)
+               fatal("%s: kex_assemble_names failed", __func__);
        free(all_key);
-+      filter_fips_algorithms(options);
++      filter_fips_algorithms(o);
  
- #define CLEAR_ON_NONE(v) \
-       do { \
-Index: openssh-7.8p1/readconf.h
-===================================================================
---- openssh-7.8p1.orig/readconf.h
-+++ openssh-7.8p1/readconf.h
-@@ -197,6 +197,7 @@ typedef struct {
+       /* Most interesting options first: user, host, port */
+       dump_cfg_string(oUser, o->user);
+Index: openssh-7.9p1/readconf.h
+===================================================================
+--- openssh-7.9p1.orig/readconf.h
++++ openssh-7.9p1/readconf.h
+@@ -198,6 +198,7 @@ typedef struct {
  #define SSH_STRICT_HOSTKEY_YES        2
  #define SSH_STRICT_HOSTKEY_ASK        3
  
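Review bot: the `filter_fips_algorithms()` call in readconf.c has moved from `fill_default_options()` to `dump_client_config()` in this refresh, and that looks unintended. The old hunk placed `filter_fips_algorithms(options);` after `free(all_mac); free(all_kex); free(all_key);` in `fill_default_options()`. The new hunk places `filter_fips_algorithms(o);` between `fatal("%s: kex_assemble_names failed", __func__);` and `dump_cfg_string(oUser, o->user);`. Going by the function name, that is the configuration dump path, so unless another part of the patch restores the call, the client's algorithm lists are no longer FIPS-filtered during normal option processing. The servconf.c part of the same patch still calls `filter_fips_algorithms_s(o);` at the end of `assemble_algorithms()`. Please confirm the new location is deliberate and not the hunk re-anchoring on the `free(all_key);` context line. If it is not deliberate, move the call to wherever 7.9p1 finalizes the client algorithm lists.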
@@ -769,10 +769,10 @@
  void     initialize_options(Options *);
  void     fill_default_options(Options *);
  void   fill_default_options_for_canonicalization(Options *);
-Index: openssh-7.8p1/servconf.c
+Index: openssh-7.9p1/servconf.c
 ===================================================================
---- openssh-7.8p1.orig/servconf.c
-+++ openssh-7.8p1/servconf.c
+--- openssh-7.9p1.orig/servconf.c
++++ openssh-7.9p1/servconf.c
 @@ -65,6 +65,7 @@
  #include "myproposal.h"
  #include "digest.h"
@@ -781,7 +781,7 @@
  
  /* import from dh.c */
  extern int dh_grp_min;
-@@ -194,6 +195,23 @@ option_clear_or_none(const char *o)
+@@ -195,6 +196,23 @@ option_clear_or_none(const char *o)
        return o == NULL || strcasecmp(o, "none") == 0;
  }
  
@@ -805,16 +805,16 @@
  static void
  assemble_algorithms(ServerOptions *o)
  {
-@@ -220,6 +238,8 @@ assemble_algorithms(ServerOptions *o)
-       free(all_mac);
+@@ -224,6 +242,8 @@ assemble_algorithms(ServerOptions *o)
        free(all_kex);
        free(all_key);
+       free(all_sig);
 +
 +      filter_fips_algorithms_s(o);
  }
  
  static void
-@@ -269,9 +289,9 @@ fill_default_server_options(ServerOption
+@@ -273,9 +293,9 @@ fill_default_server_options(ServerOption
                options->use_pam_check_locks = 0;
  
        if (options->kex_dhmin == -1)
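Review bot: in the servconf.c `assemble_algorithms()` hunk the context now includes `free(all_sig);`, which was not in the 7.8p1 context, but the FIPS filter itself does not appear to have been updated for it. The hunk that adds the filter function (`@@ -195,6 +196,23 @@ option_clear_or_none`) changed only its line offsets, so the body of `filter_fips_algorithms_s()` is the same as before. Please check whether the algorithm list behind `all_sig` also has to be restricted in FIPS mode (the changelog above lists a new `CASignatureAlgorithms` option for 7.9p1). Then either extend the filter or state in the patch header why no change is needed.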
@@ -826,7 +826,7 @@
                options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX);
        }
        dh_grp_min = options->kex_dhmin;
-@@ -419,6 +439,8 @@ fill_default_server_options(ServerOption
+@@ -423,6 +443,8 @@ fill_default_server_options(ServerOption
                options->fwd_opts.streamlocal_bind_unlink = 0;
        if (options->fingerprint_hash == -1)
                options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -835,10 +835,10 @@
        if (options->disable_forwarding == -1)
                options->disable_forwarding = 0;
        if (options->expose_userauth_info == -1)
-Index: openssh-7.8p1/ssh-keygen.c
+Index: openssh-7.9p1/ssh-keygen.c
 ===================================================================
---- openssh-7.8p1.orig/ssh-keygen.c
-+++ openssh-7.8p1/ssh-keygen.c
+--- openssh-7.9p1.orig/ssh-keygen.c
++++ openssh-7.9p1/ssh-keygen.c
 @@ -61,6 +61,8 @@
  #include "utf8.h"
  #include "authfd.h"
@@ -848,7 +848,7 @@
  #ifdef WITH_OPENSSL
  # define DEFAULT_KEY_TYPE_NAME "rsa"
  #else
-@@ -965,11 +967,13 @@ do_fingerprint(struct passwd *pw)
+@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw)
  static void
  do_gen_all_hostkeys(struct passwd *pw)
  {
@@ -864,7 +864,7 @@
  #ifdef WITH_OPENSSL
                { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
                { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
-@@ -984,6 +988,17 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw)
                { NULL, NULL, NULL }
        };
  
@@ -882,7 +882,7 @@
        int first = 0;
        struct stat st;
        struct sshkey *private, *public;
-@@ -991,6 +1006,12 @@ do_gen_all_hostkeys(struct passwd *pw)
+@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw)
        int i, type, fd, r;
        FILE *f;
  
@@ -895,7 +895,7 @@
        for (i = 0; key_types[i].key_type; i++) {
                public = private = NULL;
                prv_tmp = pub_tmp = prv_file = pub_file = NULL;
-@@ -2727,6 +2748,15 @@ main(int argc, char **argv)
+@@ -2817,6 +2838,15 @@ main(int argc, char **argv)
                key_type_name = DEFAULT_KEY_TYPE_NAME;
  
        type = sshkey_type_from_name(key_type_name);
@@ -911,11 +911,11 @@
        type_bits_valid(type, key_type_name, &bits);
  
        if (!quiet)
-Index: openssh-7.8p1/ssh_config.0
+Index: openssh-7.9p1/ssh_config.0
 ===================================================================
---- openssh-7.8p1.orig/ssh_config.0
-+++ openssh-7.8p1/ssh_config.0
-@@ -343,6 +343,9 @@ DESCRIPTION
+--- openssh-7.9p1.orig/ssh_config.0
++++ openssh-7.9p1/ssh_config.0
+@@ -353,6 +353,9 @@ DESCRIPTION
               Specifies the hash algorithm used when displaying key
               fingerprints.  Valid options are: md5 and sha256 (the default).
  
@@ -925,7 +925,7 @@
       ForwardAgent
               Specifies whether the connection to the authentication agent (if
               any) will be forwarded to the remote machine.  The argument must
-@@ -612,6 +615,9 @@ DESCRIPTION
+@@ -627,6 +630,9 @@ DESCRIPTION
               resort and all efforts should be made to fix the (broken)
               counterparty.
  
@@ -935,11 +935,11 @@
       LocalCommand
               Specifies a command to execute on the local machine after
               successfully connecting to the server.  The command string
-Index: openssh-7.8p1/ssh_config.5
+Index: openssh-7.9p1/ssh_config.5
 ===================================================================
---- openssh-7.8p1.orig/ssh_config.5
-+++ openssh-7.8p1/ssh_config.5
-@@ -628,6 +628,8 @@ Valid options are:
+--- openssh-7.9p1.orig/ssh_config.5
++++ openssh-7.9p1/ssh_config.5
+@@ -642,6 +642,8 @@ Valid options are:
  and
  .Cm sha256
  (the default).
@@ -948,7 +948,7 @@
  .It Cm ForwardAgent
  Specifies whether the connection to the authentication agent (if any)
  will be forwarded to the remote machine.
-@@ -1041,6 +1043,9 @@ maximum backward compatibility, using it
+@@ -1063,6 +1065,9 @@ maximum backward compatibility, using it
  security and thus should be viewed as a temporary fix of last
  resort and all efforts should be made to fix the (broken)
  counterparty.
@@ -958,10 +958,10 @@
  .It Cm LocalCommand
  Specifies a command to execute on the local machine after successfully
  connecting to the server.
-Index: openssh-7.8p1/sshd.c
+Index: openssh-7.9p1/sshd.c
 ===================================================================
---- openssh-7.8p1.orig/sshd.c
-+++ openssh-7.8p1/sshd.c
+--- openssh-7.9p1.orig/sshd.c
++++ openssh-7.9p1/sshd.c
 @@ -123,6 +123,8 @@
  #include "version.h"
  #include "ssherr.h"
@@ -971,11 +971,11 @@
  /* Re-exec fds */
  #define REEXEC_DEVCRYPTO_RESERVED_FD  (STDERR_FILENO + 1)
  #define REEXEC_STARTUP_PIPE_FD                (STDERR_FILENO + 2)
-Index: openssh-7.8p1/sshd_config.0
+Index: openssh-7.9p1/sshd_config.0
 ===================================================================
---- openssh-7.8p1.orig/sshd_config.0
-+++ openssh-7.8p1/sshd_config.0
-@@ -338,6 +338,9 @@ DESCRIPTION
+--- openssh-7.9p1.orig/sshd_config.0
++++ openssh-7.9p1/sshd_config.0
+@@ -348,6 +348,9 @@ DESCRIPTION
               Specifies the hash algorithm used when logging key fingerprints.
               Valid options are: md5 and sha256.  The default is sha256.
  
@@ -985,7 +985,7 @@
       ForceCommand
               Forces the execution of the command specified by ForceCommand,
               ignoring any command supplied by the client and ~/.ssh/rc if
-@@ -562,6 +565,9 @@ DESCRIPTION
+@@ -572,6 +575,9 @@ DESCRIPTION
               resort and all efforts should be made to fix the (broken)
               counterparty.
  
@@ -995,11 +995,11 @@
       ListenAddress
               Specifies the local addresses sshd(8) should listen on.  The
               following forms may be used:
-Index: openssh-7.8p1/sshd_config.5
+Index: openssh-7.9p1/sshd_config.5
 ===================================================================
---- openssh-7.8p1.orig/sshd_config.5
-+++ openssh-7.8p1/sshd_config.5
-@@ -592,6 +592,8 @@ and
+--- openssh-7.9p1.orig/sshd_config.5
++++ openssh-7.9p1/sshd_config.5
+@@ -603,6 +603,8 @@ and
  .Cm sha256 .
  The default is
  .Cm sha256 .

++++++ openssh-7.7p1-gssapi_key_exchange.patch ++++++
++++ 1356 lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/openssh/openssh-7.7p1-gssapi_key_exchange.patch
++++ and 
/work/SRC/openSUSE:Factory/.openssh.new.19453/openssh-7.7p1-gssapi_key_exchange.patch

++++++ openssh-7.7p1-ldap.patch ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:36.602965130 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:36.602965130 +0100
@@ -10,10 +10,10 @@
 # internal versions. ssh-keyconverter consequently fails to link as it lacks
 # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions)
 
-Index: openssh-7.8p1/HOWTO.ldap-keys
+Index: openssh-7.9p1/HOWTO.ldap-keys
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/HOWTO.ldap-keys
++++ openssh-7.9p1/HOWTO.ldap-keys
 @@ -0,0 +1,108 @@
 +
 +HOW TO START
@@ -123,10 +123,10 @@
 +  - frederic peters.
 +  - Finlay dobbie.
 +  - Stefan Fisher.
-Index: openssh-7.8p1/Makefile.in
+Index: openssh-7.9p1/Makefile.in
 ===================================================================
---- openssh-7.8p1.orig/Makefile.in
-+++ openssh-7.8p1/Makefile.in
+--- openssh-7.9p1.orig/Makefile.in
++++ openssh-7.9p1/Makefile.in
 @@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas
  SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@@ -146,7 +146,7 @@
  XMSS_OBJS=\
        ssh-xmss.o \
        sshkey-xmss.o \
-@@ -132,8 +137,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
        sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
        sandbox-solaris.o uidswap.o
  
@@ -157,7 +157,7 @@
  MANTYPE               = @MANTYPE@
  
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
        $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh 
$(LIBS)
  
@@ -167,7 +167,7 @@
  sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o 
sftp-server.o sftp-server-main.o
        $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) 
-lssh -lopenbsd-compat $(LIBS)
  
-@@ -363,6 +371,10 @@ install-files:
+@@ -361,6 +369,10 @@ install-files:
        $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) 
$(DESTDIR)$(sbindir)/sshd$(EXEEXT)
        $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) 
$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) 
$(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -178,7 +178,7 @@
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) 
$(DESTDIR)$(bindir)/sftp$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) 
$(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
        $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) 
$(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT)
-@@ -381,6 +393,10 @@ install-files:
+@@ -379,6 +391,10 @@ install-files:
        $(INSTALL) -m 644 sftp-server.8.out 
$(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
        $(INSTALL) -m 644 ssh-keysign.8.out 
$(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        $(INSTALL) -m 644 ssh-pkcs11-helper.8.out 
$(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -189,7 +189,7 @@
  
  install-sysconf:
        $(MKDIR_P) $(DESTDIR)$(sysconfdir)
-@@ -404,6 +420,13 @@ install-sysconf:
+@@ -402,6 +418,13 @@ install-sysconf:
        else \
                echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install 
will not overwrite"; \
        fi
@@ -203,7 +203,7 @@
  
  host-key: ssh-keygen$(EXEEXT)
        @if [ -z "$(DESTDIR)" ] ; then \
-@@ -441,6 +464,8 @@ uninstall:
+@@ -439,6 +462,8 @@ uninstall:
        -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
        -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
        -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -212,7 +212,7 @@
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -452,6 +477,7 @@ uninstall:
+@@ -450,6 +475,7 @@ uninstall:
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
        -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -220,11 +220,11 @@
  
  regress-prep:
        $(MKDIR_P) `pwd`/regress/unittests/test_helper
-Index: openssh-7.8p1/configure.ac
+Index: openssh-7.9p1/configure.ac
 ===================================================================
---- openssh-7.8p1.orig/configure.ac
-+++ openssh-7.8p1/configure.ac
-@@ -1680,6 +1680,106 @@ AC_ARG_WITH([audit],
+--- openssh-7.9p1.orig/configure.ac
++++ openssh-7.9p1/configure.ac
+@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit],
        esac ]
  )
  
@@ -331,10 +331,10 @@
  AC_ARG_WITH([pie],
      [  --with-pie              Build Position Independent Executables if 
possible], [
        if test "x$withval" = "xno"; then
-Index: openssh-7.8p1/ldap-helper.c
+Index: openssh-7.9p1/ldap-helper.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldap-helper.c
++++ openssh-7.9p1/ldap-helper.c
 @@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -491,10 +491,10 @@
 +void   *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; }
 +void    buffer_put_string(struct sshbuf *b, const void *f, u_int l) {}
 +
-Index: openssh-7.8p1/ldap-helper.h
+Index: openssh-7.9p1/ldap-helper.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldap-helper.h
++++ openssh-7.9p1/ldap-helper.h
 @@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -528,10 +528,10 @@
 +extern int config_warning_config_file;
 +
 +#endif /* LDAP_HELPER_H */
-Index: openssh-7.8p1/ldap.conf
+Index: openssh-7.9p1/ldap.conf
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldap.conf
++++ openssh-7.9p1/ldap.conf
 @@ -0,0 +1,88 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@@ -621,10 +621,10 @@
 +#tls_cert
 +#tls_key
 +
-Index: openssh-7.8p1/ldapbody.c
+Index: openssh-7.9p1/ldapbody.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapbody.c
++++ openssh-7.9p1/ldapbody.c
 @@ -0,0 +1,494 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1120,10 +1120,10 @@
 +      return;
 +}
 +
-Index: openssh-7.8p1/ldapbody.h
+Index: openssh-7.9p1/ldapbody.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapbody.h
++++ openssh-7.9p1/ldapbody.h
 @@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1162,10 +1162,10 @@
 +
 +#endif /* LDAPBODY_H */
 +
-Index: openssh-7.8p1/ldapconf.c
+Index: openssh-7.9p1/ldapconf.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapconf.c
++++ openssh-7.9p1/ldapconf.c
 @@ -0,0 +1,711 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1878,10 +1878,10 @@
 +      dump_cfg_string(lSSH_Filter, options.ssh_filter);
 +}
 +
-Index: openssh-7.8p1/ldapconf.h
+Index: openssh-7.9p1/ldapconf.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapconf.h
++++ openssh-7.9p1/ldapconf.h
 @@ -0,0 +1,71 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1954,10 +1954,10 @@
 +void dump_config(void);
 +
 +#endif /* LDAPCONF_H */
-Index: openssh-7.8p1/ldapincludes.h
+Index: openssh-7.9p1/ldapincludes.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapincludes.h
++++ openssh-7.9p1/ldapincludes.h
 @@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -2000,10 +2000,10 @@
 +#endif
 +
 +#endif /* LDAPINCLUDES_H */
-Index: openssh-7.8p1/ldapmisc.c
+Index: openssh-7.9p1/ldapmisc.c
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapmisc.c
++++ openssh-7.9p1/ldapmisc.c
 @@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@@ -2084,10 +2084,10 @@
 +}
 +#endif
 +
-Index: openssh-7.8p1/ldapmisc.h
+Index: openssh-7.9p1/ldapmisc.h
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ldapmisc.h
++++ openssh-7.9p1/ldapmisc.h
 @@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -2124,10 +2124,10 @@
 +
 +#endif /* LDAPMISC_H */
 +
-Index: openssh-7.8p1/openbsd-compat/base64.c
+Index: openssh-7.9p1/openbsd-compat/base64.c
 ===================================================================
---- openssh-7.8p1.orig/openbsd-compat/base64.c
-+++ openssh-7.8p1/openbsd-compat/base64.c
+--- openssh-7.9p1.orig/openbsd-compat/base64.c
++++ openssh-7.9p1/openbsd-compat/base64.c
 @@ -46,7 +46,7 @@
  
  #include "includes.h"
@@ -2155,10 +2155,10 @@
  
  /* skips all whitespace anywhere.
     converts characters, four at a time, starting at (or after)
-Index: openssh-7.8p1/openbsd-compat/base64.h
+Index: openssh-7.9p1/openbsd-compat/base64.h
 ===================================================================
---- openssh-7.8p1.orig/openbsd-compat/base64.h
-+++ openssh-7.8p1/openbsd-compat/base64.h
+--- openssh-7.9p1.orig/openbsd-compat/base64.h
++++ openssh-7.9p1/openbsd-compat/base64.h
 @@ -45,16 +45,16 @@
  
  #include "includes.h"
@@ -2180,10 +2180,10 @@
  int b64_pton(char const *src, u_char *target, size_t targsize);
  # endif /* !HAVE_B64_PTON */
  # define __b64_pton(a,b,c) b64_pton(a,b,c)
-Index: openssh-7.8p1/openssh-lpk-openldap.schema
+Index: openssh-7.9p1/openssh-lpk-openldap.schema
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/openssh-lpk-openldap.schema
++++ openssh-7.9p1/openssh-lpk-openldap.schema
 @@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2206,10 +2206,10 @@
 +      DESC 'MANDATORY: OpenSSH LPK objectclass'
 +      MUST ( sshPublicKey $ uid ) 
 +      )
-Index: openssh-7.8p1/openssh-lpk-sun.schema
+Index: openssh-7.9p1/openssh-lpk-sun.schema
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/openssh-lpk-sun.schema
++++ openssh-7.9p1/openssh-lpk-sun.schema
 @@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2234,10 +2234,10 @@
 +      DESC 'MANDATORY: OpenSSH LPK objectclass'
 +      MUST ( sshPublicKey $ uid ) 
 +      )
-Index: openssh-7.8p1/ssh-ldap-helper.8
+Index: openssh-7.9p1/ssh-ldap-helper.8
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ssh-ldap-helper.8
++++ openssh-7.9p1/ssh-ldap-helper.8
 @@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@@ -2318,19 +2318,19 @@
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchad...@redhat.com
-Index: openssh-7.8p1/ssh-ldap-wrapper
+Index: openssh-7.9p1/ssh-ldap-wrapper
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ssh-ldap-wrapper
++++ openssh-7.9p1/ssh-ldap-wrapper
 @@ -0,0 +1,4 @@
 +#!/bin/sh
 +
 +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1"
 +
-Index: openssh-7.8p1/ssh-ldap.conf.5
+Index: openssh-7.9p1/ssh-ldap.conf.5
 ===================================================================
 --- /dev/null
-+++ openssh-7.8p1/ssh-ldap.conf.5
++++ openssh-7.9p1/ssh-ldap.conf.5
 @@ -0,0 +1,376 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"

++++++ openssh-7.7p1-seccomp_ipc_flock.patch ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:36.618965107 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:36.618965107 +0100
@@ -15,15 +15,11 @@
 
 Signed-off-by: Eduardo Barretto <ebarre...@linux.vnet.ibm.com>
 
-diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c 
b/openssh-7.7p1/sandbox-seccomp-filter.c
---- openssh-7.7p1/sandbox-seccomp-filter.c
-+++ openssh-7.7p1/sandbox-seccomp-filter.c
-@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
-       SC_ALLOW(__NR_exit_group),
- #endif
- #ifdef __NR_geteuid
-       SC_ALLOW(__NR_geteuid),
- #endif
+Index: openssh-7.9p1/sandbox-seccomp-filter.c
+===================================================================
+--- openssh-7.9p1.orig/sandbox-seccomp-filter.c
++++ openssh-7.9p1/sandbox-seccomp-filter.c
+@@ -175,6 +175,9 @@ static const struct sock_filter preauth_
  #ifdef __NR_geteuid32
        SC_ALLOW(__NR_geteuid32),
  #endif
@@ -33,17 +29,7 @@
  #ifdef __NR_getpgid
        SC_ALLOW(__NR_getpgid),
  #endif
- #ifdef __NR_getpid
-       SC_ALLOW(__NR_getpid),
- #endif
- #ifdef __NR_getrandom
-       SC_ALLOW(__NR_getrandom),
-@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
-       SC_ALLOW(__NR_gettimeofday),
- #endif
- #ifdef __NR_getuid
-       SC_ALLOW(__NR_getuid),
- #endif
+@@ -193,6 +196,9 @@ static const struct sock_filter preauth_
  #ifdef __NR_getuid32
        SC_ALLOW(__NR_getuid32),
  #endif
@@ -53,8 +39,3 @@
  #ifdef __NR_madvise
        SC_ALLOW(__NR_madvise),
  #endif
- #ifdef __NR_mmap
-       SC_ALLOW(__NR_mmap),
- #endif
- #ifdef __NR_mmap2
-       SC_ALLOW(__NR_mmap2),

++++++ openssh-7.7p1-sftp_force_permissions.patch ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:36.630965090 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:36.630965090 +0100
@@ -1,123 +1,100 @@
-# HG changeset patch
-# Parent  37bba3ff816d9ab93ddcf23389a4eb29d7716006
-additional option for sftp-server to force file mode for new files
-FATE#312774
-http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.html
-http://marc.info/?l=openssh-unix-dev&m=128896838930893
-
-diff --git a/openssh-7.7p1/sftp-server.8 b/openssh-7.7p1/sftp-server.8
---- openssh-7.7p1/sftp-server.8
-+++ openssh-7.7p1/sftp-server.8
-@@ -33,16 +33,17 @@
- .Bk -words
- .Op Fl ehR
- .Op Fl d Ar start_directory
- .Op Fl f Ar log_facility
- .Op Fl l Ar log_level
+--- original/sftp-server.8     2016-12-19 04:59:41.000000000 +0000
++++ original/sftp-server.8     2017-11-23 08:47:01.267239186 +0000
+@@ -38,6 +38,7 @@ 
  .Op Fl P Ar blacklisted_requests
  .Op Fl p Ar whitelisted_requests
  .Op Fl u Ar umask
-+.Op Fl m Ar force_file_permissions
++.Op Fl m Ar force_file_dir_perms
  .Ek
  .Nm
  .Fl Q Ar protocol_feature
- .Sh DESCRIPTION
- .Nm
- is a program that speaks the server side of SFTP protocol
- to stdout and expects client requests from stdin.
- .Nm
-@@ -133,16 +134,20 @@ Places this instance of
- into a read-only mode.
- Attempts to open files for writing, as well as other operations that change
- the state of the filesystem, will be denied.
- .It Fl u Ar umask
- Sets an explicit
+@@ -138,6 +139,10 @@ 
  .Xr umask 2
  to be applied to newly-created files and directories, instead of the
  user's default mask.
-+.It Fl m Ar force_file_permissions
-+Sets explicit file permissions to be applied to newly-created files instead
-+of the default or client requested mode.  Numeric values include:
++.It Fl m Ar force_file_dir_perms
++Sets explicit permissions to be applied to newly-created files and directories
++instead of the default or client requested mode.  Numeric values include:
 +777, 755, 750, 666, 644, 640, etc.  Option -u is ineffective if -m is set.
  .El
  .Pp
  On some systems,
- .Nm
- must be able to access
- .Pa /dev/log
- for logging to work, and use of
- .Nm
-diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c
---- openssh-7.7p1/sftp-server.c
-+++ openssh-7.7p1/sftp-server.c
-@@ -71,16 +71,20 @@ static u_int version;
- static int init_done;
- 
- /* Disable writes */
- static int readonly;
- 
- /* Requests that are allowed/denied */
- static char *request_whitelist, *request_blacklist;
+--- original/sftp-server.c     2016-12-19 04:59:41.000000000 +0000
++++ original/sftp-server.c     2017-11-23 13:07:08.481765581 +0000
+@@ -65,6 +65,10 @@ 
+ /* Version of client */
+ static u_int version;
  
-+/* Force file permissions */
++/* Force file and directory permissions */
 +int permforce = 0;
 +long permforcemode;
 +
- /* portable attributes, etc. */
- typedef struct Stat Stat;
+ /* SSH2_FXP_INIT received */
+ static int init_done;
  
- struct Stat {
+@@ -679,6 +683,7 @@ 
+       Attrib a;
        char *name;
-       char *long_name;
-       Attrib attrib;
- };
-@@ -685,16 +689,20 @@ process_open(u_int32_t id)
+       int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE;
++      mode_t old_umask = 0;
+ 
        if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
            (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */
-           (r = decode_attrib(iqueue, &a)) != 0)
-               fatal("%s: buffer error: %s", __func__, ssh_err(r));
- 
+@@ -688,6 +693,10 @@ 
        debug3("request %u: open flags %d", id, pflags);
        flags = flags_from_portable(pflags);
        mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
-+      if (permforce == 1) {
++      if (permforce == 1) {   /* Force perm if -m is set */
 +              mode = permforcemode;
-+              (void)umask(0); /* so umask does not interfere */
++              old_umask = umask(0); /* so umask does not interfere */
 +      }
        logit("open \"%s\" flags %s mode 0%o",
            name, string_from_portable(pflags), mode);
        if (readonly &&
-           ((flags & O_ACCMODE) != O_RDONLY ||
-           (flags & (O_CREAT|O_TRUNC)) != 0)) {
-               verbose("Refusing open request in read-only mode");
-               status = SSH2_FX_PERMISSION_DENIED;
-       } else {
-@@ -1487,17 +1495,18 @@ sftp_server_cleanup_exit(int i)
- static void
- sftp_server_usage(void)
- {
-       extern char *__progname;
+@@ -709,6 +718,8 @@ 
+                       }
+               }
+       }
++      if (permforce == 1)
++              (void) umask(old_umask); /* restore umask to something sane */
+       if (status != SSH2_FX_OK)
+               send_status(id, status);
+       free(name);
+@@ -1110,6 +1121,7 @@ 
+       Attrib a;
+       char *name;
+       int r, mode, status = SSH2_FX_FAILURE;
++      mode_t old_umask = 0;
+ 
+       if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 ||
+           (r = decode_attrib(iqueue, &a)) != 0)
+@@ -1117,9 +1129,16 @@ 
  
+       mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ?
+           a.perm & 07777 : 0777;
++      if (permforce == 1) {   /* Force perm if -m is set */
++              mode = permforcemode;
++              old_umask = umask(0); /* so umask does not interfere */
++      }
++
+       debug3("request %u: mkdir", id);
+       logit("mkdir name \"%s\" mode 0%o", name, mode);
+       r = mkdir(name, mode);
++        if (permforce == 1)
++                (void) umask(old_umask); /* restore umask to something sane */
+       status = (r == -1) ? errno_to_portable(errno) : SSH2_FX_OK;
+       send_status(id, status);
+       free(name);
+@@ -1490,7 +1509,7 @@ 
        fprintf(stderr,
            "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
            "[-l log_level]\n\t[-P blacklisted_requests] "
 -          "[-p whitelisted_requests] [-u umask]\n"
-+          "[-p whitelisted_requests] [-u umask]\n\t"
-+          "[-m force_file_permissions]\n"
++          "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n"
            "       %s -Q protocol_feature\n",
            __progname, __progname);
        exit(1);
- }
- 
- int
- sftp_server_main(int argc, char **argv, struct passwd *user_pw)
- {
-@@ -1516,17 +1525,17 @@ sftp_server_main(int argc, char **argv, 
- 
-       ssh_malloc_init();      /* must be called before any mallocs */
-       __progname = ssh_get_progname(argv[0]);
-       log_init(__progname, log_level, log_facility, log_stderr);
- 
+@@ -1516,7 +1535,7 @@ 
        pw = pwcopy(user_pw);
  
        while (!skipargs && (ch = getopt(argc, argv,
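Review bot: in process_mkdir the forced value is used unchanged (`mode = permforcemode;` ahead of `mkdir(name, mode)`), while the man page text offers 666, 644 and 640 as example values for "files and directories". A typical file mode therefore creates directories with no search (x) bit, which the uploading user cannot enter or populate. Consider a separate directory mode, or derive the directory mode by adding x wherever r is set, and document the behaviour under `-m` in sftp-server.8. Two style points in the same region: `permforce` and `permforcemode` are declared without `static` although the neighbouring file-scope variables (`version`, `init_done`) are static, and the two umask-restore lines in process_mkdir are indented differently from the lines around them.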
@@ -126,32 +103,19 @@
                switch (ch) {
                case 'Q':
                        if (strcasecmp(optarg, "requests") != 0) {
-                               fprintf(stderr, "Invalid query type\n");
-                               exit(1);
-                       }
-                       for (i = 0; handlers[i].handler != NULL; i++)
-                               printf("%s\n", handlers[i].name);
-@@ -1576,16 +1585,23 @@ sftp_server_main(int argc, char **argv, 
-               case 'u':
-                       errno = 0;
-                       mask = strtol(optarg, &cp, 8);
-                       if (mask < 0 || mask > 0777 || *cp != '\0' ||
-                           cp == optarg || (mask == 0 && errno != 0))
+@@ -1576,6 +1595,15 @@ 
                                fatal("Invalid umask \"%s\"", optarg);
                        (void)umask((mode_t)mask);
                        break;
 +              case 'm':
++                      /* Force permissions on file and directory received via 
sftp */
 +                      permforce = 1;
 +                      permforcemode = strtol(optarg, &cp, 8);
-+                      if (permforcemode < 0 || permforcemode > 0777 || *cp != 
'\0' ||
-+                              cp == optarg || (permforcemode == 0 && errno != 
0))
-+                              fatal("Invalid umask \"%s\"", optarg);
++                      if (permforcemode < 0 || permforcemode > 0777 ||
++                          *cp != '\0' || (permforcemode == 0 &&
++                          errno != 0))
++                              fatal("Invalid file mode \"%s\"", optarg);
 +                      break;
                case 'h':
                default:
                        sftp_server_usage();
-               }
-       }
- 
-       log_init(__progname, log_level, log_facility, log_stderr);
- 
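Review bot: the new `-m` validation drops the `cp == optarg` test that the previous revision of this case had, and nothing in the case sets `errno = 0;` before `strtol` (the `-u` case in the old context does both). An empty argument then parses as 0 with `*cp == '\0'` and is accepted, so new files and directories would be created with mode 000, and the `errno != 0` test can act on a stale value from an earlier call. Suggest restoring `cp == optarg` in the condition and adding `errno = 0;` directly before the `strtol` call.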

++++++ openssh-7.8p1.tar.gz -> openssh-7.9p1.tar.gz ++++++
++++ 12283 lines of diff (skipped)

++++++ openssh-openssl-1_0_0-compatibility.patch ++++++
Index: openssh-7.9p1/openbsd-compat/openssl-compat.c
===================================================================
--- openssh-7.9p1.orig/openbsd-compat/openssl-compat.c  2018-11-26 
11:47:17.417925053 +0100
+++ openssh-7.9p1/openbsd-compat/openssl-compat.c       2018-11-26 
11:52:47.127727580 +0100
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
        ENGINE_load_builtin_engines();
        ENGINE_register_all_complete();
 
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        OPENSSL_config(NULL);
 #else
        OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
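Review bot: the changed `#if OPENSSL_VERSION_NUMBER < 0x10100000L` line carries no comment on why the cut-off is 1.1.0. A one-line comment stating that OPENSSL_init_crypto() is only available from OpenSSL 1.1.0, so 1.0.x has to stay on OPENSSL_config(NULL), would keep the threshold from being changed back later. The same constant is repeated in the gss-genr.c hunks of this patch, so a single named macro in a compat header would be easier to keep consistent.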
Index: openssh-7.9p1/gss-genr.c
===================================================================
--- openssh-7.9p1.orig/gss-genr.c       2018-11-26 11:47:17.417925053 +0100
+++ openssh-7.9p1/gss-genr.c    2018-11-26 12:01:40.354642746 +0100
@@ -114,7 +114,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
        if ((buf = sshbuf_new()) == NULL)
         fatal("%s: sshbuf_new failed", __func__);
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+       md = EVP_MD_CTX_create();
+#else
        md = EVP_MD_CTX_new();
+#endif
        oidpos = 0;
        for (i = 0; i < gss_supported->count; i++) {
               if (gss_supported->elements[i].length < 128 &&
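Review bot: `md` is used without a NULL check after `EVP_MD_CTX_create()` / `EVP_MD_CTX_new()`, whereas the `sshbuf_new()` call just above is checked and ends in `fatal()`. Both allocators return NULL on allocation failure, so add the same kind of check before `oidpos = 0;`, for example `if (md == NULL) fatal("%s: EVP_MD_CTX_new failed", __func__);`.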
@@ -156,7 +160,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
                       oidpos++;
               }
        }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+       EVP_MD_CTX_destroy(md);
+#else
        EVP_MD_CTX_free(md);
+#endif
        gss_enc2oid[oidpos].oid = NULL;
        gss_enc2oid[oidpos].encoded = NULL;
 
++++++ sshd.service ++++++
--- /var/tmp/diff_new_pack.tFM0X3/_old  2018-11-28 11:12:37.018964545 +0100
+++ /var/tmp/diff_new_pack.tFM0X3/_new  2018-11-28 11:12:37.022964540 +0100
@@ -10,7 +10,8 @@
 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
-Restart=always
+Restart=on-failure
+RestartPreventExitStatus=255
 TasksMax=infinity
 
 [Install]
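Review bot: `Restart=on-failure` together with `RestartPreventExitStatus=255` means sshd is no longer brought back after a clean exit or after any exit with status 255, and the unit has no comment saying why 255 is excluded. On hosts reachable only over SSH such an exit now becomes loss of remote access, so add a comment in the unit (or in the changelog entry) naming the case that 255 is meant to catch, and make sure a stopped sshd.service is covered by monitoring.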

