openssh → openssh-princ-fp

11 files changed, 411 insertions, 0 deletions

diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 0000000..246d995
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,46 @@
+# Generated by makepkg 4.2.1
+# Mon Jun  1 14:54:07 UTC 2015
+pkgbase = openssh-princ-fp
+	pkgdesc = Free version of the SSH connectivity tools
+	pkgver = 6.6p1
+	pkgrel = 1
+	url = http://www.openssh.org/portable.html
+	install = install
+	arch = i686
+	arch = x86_64
+	license = custom:BSD
+	makedepends = linux-headers
+	depends = krb5
+	depends = openssl
+	depends = libedit
+	depends = ldns
+	optdepends = xorg-xauth: X11 forwarding
+	optdepends = x11-ssh-askpass: input passphrase in X
+	conflicts = openssh
+	replaces = openssh
+	backup = etc/ssh/ssh_config
+	backup = etc/ssh/sshd_config
+	backup = etc/pam.d/sshd
+	source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-princ-fp-6.6p1.tar.gz
+	source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-princ-fp-6.6p1.tar.gz.asc
+	source = GSS_AUTH_KRB5_PRINC-env4openssh.diff
+	source = pubkey_fingerprint.patch
+	source = curve25519pad.patch
+	source = sshdgenkeys.service
+	source = sshd@.service
+	source = sshd.service
+	source = sshd.socket
+	source = sshd.pam
+	sha1sums = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e
+	sha1sums = SKIP
+	sha1sums = 34f85eeb736fab630926f1ac59e752556cae43ee
+	sha1sums = 83ba34572eb6c1ee250034a69a7eb9e9137d7068
+	sha1sums = 13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad
+	sha1sums = cc1ceec606c98c7407e7ac21ade23aed81e31405
+	sha1sums = 6a0ff3305692cf83aca96e10f3bb51e1c26fccda
+	sha1sums = ec49c6beba923e201505f5669cea48cad29014db
+	sha1sums = e12fa910b26a5634e5a6ac39ce1399a132cf6796
+	sha1sums = d93dca5ebda4610ff7647187f8928a3de28703f3
+
+pkgname = openssh-princ-fp
+
diff --git a/GSS_AUTH_KRB5_PRINC-env4openssh.diff b/GSS_AUTH_KRB5_PRINC-env4openssh.diff
new file mode 100644
index 0000000..60b555f
--- /dev/null
+++ b/GSS_AUTH_KRB5_PRINC-env4openssh.diff
@@ -0,0 +1,14 @@
+--- gss-serv-krb5.c.orig	2012-07-12 14:33:31.117551679 +0200
++++ gss-serv-krb5.c	2012-07-12 14:34:30.319020970 +0200
+@@ -104,6 +104,11 @@
+ 	} else
+ 		retval = 0;
+ 
++#ifdef USE_PAM
++        if (options.use_pam)
++             do_pam_putenv("GSS_AUTH_KRB5_PRINC", (char *)client->displayname.value);
++#endif
++
+ 	krb5_free_principal(krb_context, princ);
+ 	return retval;
+ }
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 0000000..a730206
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,102 @@
+pkgname=openssh-princ-fp
+pkgver=6.6p1
+pkgrel=1
+
+pkgdesc='Free version of the SSH connectivity tools'
+url='http://www.openssh.org/portable.html'
+arch=('i686' 'x86_64')
+license=('custom:BSD')
+
+depends=('krb5' 'openssl' 'libedit' 'ldns')
+optdepends=('xorg-xauth: X11 forwarding'
+            'x11-ssh-askpass: input passphrase in X')
+makedepends=('linux-headers')
+
+conflicts=('openssh')
+replaces=('openssh')
+
+backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd')
+
+install=install
+
+source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc}
+        'GSS_AUTH_KRB5_PRINC-env4openssh.diff'
+        'pubkey_fingerprint.patch'
+        'curve25519pad.patch'
+        'sshdgenkeys.service'
+        'sshd@.service'
+        'sshd.service'
+        'sshd.socket'
+        'sshd.pam')
+sha1sums=('b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e' 'SKIP'
+          '34f85eeb736fab630926f1ac59e752556cae43ee'
+          '83ba34572eb6c1ee250034a69a7eb9e9137d7068'
+          '13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad'
+          'cc1ceec606c98c7407e7ac21ade23aed81e31405'
+          '6a0ff3305692cf83aca96e10f3bb51e1c26fccda'
+          'ec49c6beba923e201505f5669cea48cad29014db'
+          'e12fa910b26a5634e5a6ac39ce1399a132cf6796'
+          'd93dca5ebda4610ff7647187f8928a3de28703f3')
+
+prepare() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+	patch -p0 -i ../GSS_AUTH_KRB5_PRINC-env4openssh.diff
+	patch -p0 -i ../pubkey_fingerprint.patch
+	patch -p0 -i ../curve25519pad.patch
+}
+
+build() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+
+	./configure \
+		--prefix=/usr \
+		--sbindir=/usr/bin \
+		--libexecdir=/usr/lib/ssh \
+		--sysconfdir=/etc/ssh \
+		--with-ldns \
+		--with-libedit \
+		--with-ssl-engine \
+		--with-pam \
+		--with-privsep-user=nobody \
+		--with-kerberos5=/usr \
+		--with-xauth=/usr/bin/xauth \
+		--with-mantype=man \
+		--with-md5-passwords \
+		--with-pid-dir=/run \
+
+	make
+}
+
+check() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+
+	make tests || true
+	# hard to suitably test connectivity:
+	# - fails with /bin/false as login shell
+	# - fails with firewall activated, etc.
+}
+
+package() {
+	cd "${srcdir}/${pkgname}-${pkgver}"
+
+	make DESTDIR="${pkgdir}" install
+
+	ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz
+	install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE"
+
+	install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service
+	install -Dm644 ../sshd@.service "${pkgdir}"/usr/lib/systemd/system/sshd@.service
+	install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service
+	install -Dm644 ../sshd.socket "${pkgdir}"/usr/lib/systemd/system/sshd.socket
+	install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd
+
+	install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh
+	install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id
+	install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1
+
+	sed \
+		-e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \
+		-e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \
+		-e '/^#UsePAM no$/c UsePAM yes' \
+		-i "${pkgdir}"/etc/ssh/sshd_config
+}
diff --git a/curve25519pad.patch b/curve25519pad.patch
new file mode 100644
index 0000000..9774a93
--- /dev/null
+++ b/curve25519pad.patch
@@ -0,0 +1,171 @@
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256@libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===================================================================
+RCS file: /var/cvs/openssh/version.h,v
+retrieving revision 1.82
+diff -u -p -r1.82 version.h
+--- version.h	27 Feb 2014 23:01:54 -0000	1.82
++++ version.h	20 Apr 2014 03:35:15 -0000
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+ 
+-#define SSH_VERSION	"OpenSSH_6.6"
++#define SSH_VERSION	"OpenSSH_6.6.1"
+ 
+ #define SSH_PORTABLE	"p1"
+ #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===================================================================
+RCS file: /var/cvs/openssh/compat.c,v
+retrieving revision 1.82
+retrieving revision 1.85
+diff -u -p -r1.82 -r1.85
+--- compat.c	31 Dec 2013 01:25:41 -0000	1.82
++++ compat.c	20 Apr 2014 03:33:59 -0000	1.85
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ 		{ "OpenSSH_4*",		0 },
+ 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
++		{ "OpenSSH_6.5*,"
++		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
+ 		{ "*MindTerm*",		0 },
+ 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+ 	return cipher_prop;
+ }
+ 
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
+ 	if (*pkalg_prop == '\0')
+ 		fatal("No supported PK algorithms found");
+ 	return pkalg_prop;
++}
++
++char *
++compat_kex_proposal(char *kex_prop)
++{
++	if (!(datafellows & SSH_BUG_CURVE25519PAD))
++		return kex_prop;
++	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
++	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++	if (*kex_prop == '\0')
++		fatal("No supported key exchange algorithms found");
++	return kex_prop;
+ }
+ 
+Index: compat.h
+===================================================================
+RCS file: /var/cvs/openssh/compat.h,v
+retrieving revision 1.42
+retrieving revision 1.43
+diff -u -p -r1.42 -r1.43
+--- compat.h	31 Dec 2013 01:25:41 -0000	1.42
++++ compat.h	20 Apr 2014 03:25:31 -0000	1.43
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR	0x02000000
+ #define SSH_NEW_OPENSSH		0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT	0x08000000
++#define SSH_BUG_CURVE25519PAD	0x10000000
+ 
+ void     enable_compat13(void);
+ void     enable_compat20(void);
+@@ -66,6 +67,7 @@ void     compat_datafellows(const char *
+ int	 proto_spec(const char *);
+ char	*compat_cipher_proposal(char *);
+ char	*compat_pkalg_proposal(char *);
++char	*compat_kex_proposal(char *);
+ 
+ extern int compat13;
+ extern int compat20;
+Index: sshd.c
+===================================================================
+RCS file: /var/cvs/openssh/sshd.c,v
+retrieving revision 1.448
+retrieving revision 1.453
+diff -u -p -r1.448 -r1.453
+--- sshd.c	26 Feb 2014 23:20:08 -0000	1.448
++++ sshd.c	20 Apr 2014 03:28:41 -0000	1.453
+@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
+ 	if (options.kex_algorithms != NULL)
+ 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+ 
++	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++	    myproposal[PROPOSAL_KEX_ALGS]);
++
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ 		    (time_t)options.rekey_interval);
+Index: sshconnect2.c
+===================================================================
+RCS file: /var/cvs/openssh/sshconnect2.c,v
+retrieving revision 1.197
+retrieving revision 1.199
+diff -u -p -r1.197 -r1.199
+--- sshconnect2.c	4 Feb 2014 00:20:16 -0000	1.197
++++ sshconnect2.c	20 Apr 2014 03:25:31 -0000	1.199
+@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 	}
+ 	if (options.kex_algorithms != NULL)
+ 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++	    myproposal[PROPOSAL_KEX_ALGS]);
+ 
+ 	if (options.rekey_limit || options.rekey_interval)
+ 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+Index: bufaux.c
+===================================================================
+RCS file: /var/cvs/openssh/bufaux.c,v
+retrieving revision 1.62
+retrieving revision 1.63
+diff -u -p -r1.62 -r1.63
+--- bufaux.c	4 Feb 2014 00:20:15 -0000	1.62
++++ bufaux.c	20 Apr 2014 03:24:50 -0000	1.63
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+  * Author: Tatu Ylonen <ylo@cs.hut.fi>
+  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
+ 
+ 	if (l > 8 * 1024)
+ 		fatal("%s: length %u too long", __func__, l);
++	/* Skip leading zero bytes */
++	for (; l > 0 && *s == 0; l--, s++)
++		;
+ 	p = buf = xmalloc(l + 1);
+ 	/*
+ 	 * If most significant bit is set then prepend a zero byte to
+_______________________________________________
+openssh-unix-dev mailing list
+openssh-unix-dev@mindrot.org
+https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
\ No newline at end of file
diff --git a/install b/install
new file mode 100644
index 0000000..6f0cd37
--- /dev/null
+++ b/install
@@ -0,0 +1,10 @@
+post_upgrade() {
+	if [[ $(vercmp $2 6.2p2) = -1 ]]; then
+		cat <<EOF
+
+==> The sshd daemon has been moved to /usr/bin alongside all binaries.
+==> Please update this path in your scripts if applicable.
+
+EOF
+	fi
+}
diff --git a/pubkey_fingerprint.patch b/pubkey_fingerprint.patch
new file mode 100644
index 0000000..4956fe7
--- /dev/null
+++ b/pubkey_fingerprint.patch
@@ -0,0 +1,10 @@
+--- auth2-pubkey.c	2013-12-31 02:25:41.000000000 +0100
++++ auth2-pubkey.c	2014-08-06 03:08:06.841409407 +0200
+@@ -409,6 +409,7 @@
+ 			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
+ 			debug("matching key found: file %s, line %lu %s %s",
+ 			    file, linenum, key_type(found), fp);
++			do_pam_putenv("SSH_FINGERPRINT", fp);
+ 			free(fp);
+ 			break;
+ 		}
diff --git a/sshd.pam b/sshd.pam
new file mode 100644
index 0000000..7ecef08
--- /dev/null
+++ b/sshd.pam
@@ -0,0 +1,6 @@
+#%PAM-1.0
+#auth     required  pam_securetty.so     #disable remote root
+auth      include   system-remote-login
+account   include   system-remote-login
+password  include   system-remote-login
+session   include   system-remote-login
diff --git a/sshd.service b/sshd.service
new file mode 100644
index 0000000..55ed953
--- /dev/null
+++ b/sshd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenSSH Daemon
+Wants=sshdgenkeys.service
+After=sshdgenkeys.service
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/sshd -D
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
+# This service file runs an SSH daemon that forks for each incoming connection.
+# If you prefer to spawn on-demand daemons, use sshd.socket and sshd@.service.
diff --git a/sshd.socket b/sshd.socket
new file mode 100644
index 0000000..e09e328
--- /dev/null
+++ b/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Conflicts=sshd.service
+Wants=sshdgenkeys.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
diff --git a/sshd@.service b/sshd@.service
new file mode 100644
index 0000000..7ce3d37
--- /dev/null
+++ b/sshd@.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH Per-Connection Daemon
+After=sshdgenkeys.service
+
+[Service]
+ExecStart=-/usr/bin/sshd -i
+StandardInput=socket
+StandardError=syslog
diff --git a/sshdgenkeys.service b/sshdgenkeys.service
new file mode 100644
index 0000000..1d01b7a
--- /dev/null
+++ b/sshdgenkeys.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=SSH Key Generation
+ConditionPathExists=|!/etc/ssh/ssh_host_key
+ConditionPathExists=|!/etc/ssh/ssh_host_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
+ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
+
+[Service]
+ExecStart=/usr/bin/ssh-keygen -A
+Type=oneshot
+RemainAfterExit=yes