From 415d616004de7a6d999a38d93bbbc5a34b460751 Mon Sep 17 00:00:00 2001 From: Johannes Löthberg Date: Wed, 6 Aug 2014 04:30:10 +0100 Subject: openssh → openssh-princ-fp MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .SRCINFO | 46 ++++++++++ GSS_AUTH_KRB5_PRINC-env4openssh.diff | 14 +++ PKGBUILD | 102 +++++++++++++++++++++ curve25519pad.patch | 171 +++++++++++++++++++++++++++++++++++ install | 10 ++ pubkey_fingerprint.patch | 10 ++ sshd.pam | 6 ++ sshd.service | 17 ++++ sshd.socket | 10 ++ sshd@.service | 8 ++ sshdgenkeys.service | 17 ++++ 11 files changed, 411 insertions(+) create mode 100644 .SRCINFO create mode 100644 GSS_AUTH_KRB5_PRINC-env4openssh.diff create mode 100644 PKGBUILD create mode 100644 curve25519pad.patch create mode 100644 install create mode 100644 pubkey_fingerprint.patch create mode 100644 sshd.pam create mode 100644 sshd.service create mode 100644 sshd.socket create mode 100644 sshd@.service create mode 100644 sshdgenkeys.service diff --git a/.SRCINFO b/.SRCINFO new file mode 100644 index 0000000..246d995 --- /dev/null +++ b/.SRCINFO @@ -0,0 +1,46 @@ +# Generated by makepkg 4.2.1 +# Mon Jun 1 14:54:07 UTC 2015 +pkgbase = openssh-princ-fp + pkgdesc = Free version of the SSH connectivity tools + pkgver = 6.6p1 + pkgrel = 1 + url = http://www.openssh.org/portable.html + install = install + arch = i686 + arch = x86_64 + license = custom:BSD + makedepends = linux-headers + depends = krb5 + depends = openssl + depends = libedit + depends = ldns + optdepends = xorg-xauth: X11 forwarding + optdepends = x11-ssh-askpass: input passphrase in X + conflicts = openssh + replaces = openssh + backup = etc/ssh/ssh_config + backup = etc/ssh/sshd_config + backup = etc/pam.d/sshd + source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-princ-fp-6.6p1.tar.gz + source = ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-princ-fp-6.6p1.tar.gz.asc + source = GSS_AUTH_KRB5_PRINC-env4openssh.diff + source = pubkey_fingerprint.patch + source = curve25519pad.patch + source = sshdgenkeys.service + source = sshd@.service + source = sshd.service + source = sshd.socket + source = sshd.pam + sha1sums = b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e + sha1sums = SKIP + sha1sums = 34f85eeb736fab630926f1ac59e752556cae43ee + sha1sums = 83ba34572eb6c1ee250034a69a7eb9e9137d7068 + sha1sums = 13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad + sha1sums = cc1ceec606c98c7407e7ac21ade23aed81e31405 + sha1sums = 6a0ff3305692cf83aca96e10f3bb51e1c26fccda + sha1sums = ec49c6beba923e201505f5669cea48cad29014db + sha1sums = e12fa910b26a5634e5a6ac39ce1399a132cf6796 + sha1sums = d93dca5ebda4610ff7647187f8928a3de28703f3 + +pkgname = openssh-princ-fp + diff --git a/GSS_AUTH_KRB5_PRINC-env4openssh.diff b/GSS_AUTH_KRB5_PRINC-env4openssh.diff new file mode 100644 index 0000000..60b555f --- /dev/null +++ b/GSS_AUTH_KRB5_PRINC-env4openssh.diff @@ -0,0 +1,14 @@ +--- gss-serv-krb5.c.orig 2012-07-12 14:33:31.117551679 +0200 ++++ gss-serv-krb5.c 2012-07-12 14:34:30.319020970 +0200 +@@ -104,6 +104,11 @@ + } else + retval = 0; + ++#ifdef USE_PAM ++ if (options.use_pam) ++ do_pam_putenv("GSS_AUTH_KRB5_PRINC", (char *)client->displayname.value); ++#endif ++ + krb5_free_principal(krb_context, princ); + return retval; + } diff --git a/PKGBUILD b/PKGBUILD new file mode 100644 index 0000000..a730206 --- /dev/null +++ b/PKGBUILD @@ -0,0 +1,102 @@ +pkgname=openssh-princ-fp +pkgver=6.6p1 +pkgrel=1 + +pkgdesc='Free version of the SSH connectivity tools' +url='http://www.openssh.org/portable.html' +arch=('i686' 'x86_64') +license=('custom:BSD') + +depends=('krb5' 'openssl' 'libedit' 'ldns') +optdepends=('xorg-xauth: X11 forwarding' + 'x11-ssh-askpass: input passphrase in X') +makedepends=('linux-headers') + +conflicts=('openssh') +replaces=('openssh') + +backup=('etc/ssh/ssh_config' 'etc/ssh/sshd_config' 'etc/pam.d/sshd') + +install=install + +source=("ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${pkgname}-${pkgver}.tar.gz"{,.asc} + 'GSS_AUTH_KRB5_PRINC-env4openssh.diff' + 'pubkey_fingerprint.patch' + 'curve25519pad.patch' + 'sshdgenkeys.service' + 'sshd@.service' + 'sshd.service' + 'sshd.socket' + 'sshd.pam') +sha1sums=('b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e' 'SKIP' + '34f85eeb736fab630926f1ac59e752556cae43ee' + '83ba34572eb6c1ee250034a69a7eb9e9137d7068' + '13b74b57b3d9b9a256eeb44b4fca29a8f27aa7ad' + 'cc1ceec606c98c7407e7ac21ade23aed81e31405' + '6a0ff3305692cf83aca96e10f3bb51e1c26fccda' + 'ec49c6beba923e201505f5669cea48cad29014db' + 'e12fa910b26a5634e5a6ac39ce1399a132cf6796' + 'd93dca5ebda4610ff7647187f8928a3de28703f3') + +prepare() { + cd "${srcdir}/${pkgname}-${pkgver}" + patch -p0 -i ../GSS_AUTH_KRB5_PRINC-env4openssh.diff + patch -p0 -i ../pubkey_fingerprint.patch + patch -p0 -i ../curve25519pad.patch +} + +build() { + cd "${srcdir}/${pkgname}-${pkgver}" + + ./configure \ + --prefix=/usr \ + --sbindir=/usr/bin \ + --libexecdir=/usr/lib/ssh \ + --sysconfdir=/etc/ssh \ + --with-ldns \ + --with-libedit \ + --with-ssl-engine \ + --with-pam \ + --with-privsep-user=nobody \ + --with-kerberos5=/usr \ + --with-xauth=/usr/bin/xauth \ + --with-mantype=man \ + --with-md5-passwords \ + --with-pid-dir=/run \ + + make +} + +check() { + cd "${srcdir}/${pkgname}-${pkgver}" + + make tests || true + # hard to suitably test connectivity: + # - fails with /bin/false as login shell + # - fails with firewall activated, etc. +} + +package() { + cd "${srcdir}/${pkgname}-${pkgver}" + + make DESTDIR="${pkgdir}" install + + ln -sf ssh.1.gz "${pkgdir}"/usr/share/man/man1/slogin.1.gz + install -Dm644 LICENCE "${pkgdir}/usr/share/licenses/${pkgname}/LICENCE" + + install -Dm644 ../sshdgenkeys.service "${pkgdir}"/usr/lib/systemd/system/sshdgenkeys.service + install -Dm644 ../sshd@.service "${pkgdir}"/usr/lib/systemd/system/sshd@.service + install -Dm644 ../sshd.service "${pkgdir}"/usr/lib/systemd/system/sshd.service + install -Dm644 ../sshd.socket "${pkgdir}"/usr/lib/systemd/system/sshd.socket + install -Dm644 ../sshd.pam "${pkgdir}"/etc/pam.d/sshd + + install -Dm755 contrib/findssl.sh "${pkgdir}"/usr/bin/findssl.sh + install -Dm755 contrib/ssh-copy-id "${pkgdir}"/usr/bin/ssh-copy-id + install -Dm644 contrib/ssh-copy-id.1 "${pkgdir}"/usr/share/man/man1/ssh-copy-id.1 + + sed \ + -e '/^#ChallengeResponseAuthentication yes$/c ChallengeResponseAuthentication no' \ + -e '/^#PrintMotd yes$/c PrintMotd no # pam does that' \ + -e '/^#UsePAM no$/c UsePAM yes' \ + -i "${pkgdir}"/etc/ssh/sshd_config +} diff --git a/curve25519pad.patch b/curve25519pad.patch new file mode 100644 index 0000000..9774a93 --- /dev/null +++ b/curve25519pad.patch @@ -0,0 +1,171 @@ +Hi, + +So I screwed up when writing the support for the curve25519 KEX method +that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left +leading zero bytes where they should have been skipped. The impact of +this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a +peer that implements curve25519-sha256@libssh.org properly about 0.2% +of the time (one in every 512ish connections). + +We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 +key exchange for previous versions, but I'd recommend distributors +of OpenSSH apply this patch so the affected code doesn't become +too entrenched in LTS releases. + +The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as +to distinguish itself from the incorrect versions so the compatibility +code to disable the affected KEX isn't activated. + +I've committed this on the 6.6 branch too. + +Apologies for the hassle. + +-d + +Index: version.h +=================================================================== +RCS file: /var/cvs/openssh/version.h,v +retrieving revision 1.82 +diff -u -p -r1.82 version.h +--- version.h 27 Feb 2014 23:01:54 -0000 1.82 ++++ version.h 20 Apr 2014 03:35:15 -0000 +@@ -1,6 +1,6 @@ + /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ + +-#define SSH_VERSION "OpenSSH_6.6" ++#define SSH_VERSION "OpenSSH_6.6.1" + + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +Index: compat.c +=================================================================== +RCS file: /var/cvs/openssh/compat.c,v +retrieving revision 1.82 +retrieving revision 1.85 +diff -u -p -r1.82 -r1.85 +--- compat.c 31 Dec 2013 01:25:41 -0000 1.82 ++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85 +@@ -95,6 +95,9 @@ compat_datafellows(const char *version) + { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, + { "OpenSSH_4*", 0 }, + { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, ++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, ++ { "OpenSSH_6.5*," ++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, + { "OpenSSH*", SSH_NEW_OPENSSH }, + { "*MindTerm*", 0 }, + { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| +@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop + return cipher_prop; + } + +- + char * + compat_pkalg_proposal(char *pkalg_prop) + { +@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop) + if (*pkalg_prop == '\0') + fatal("No supported PK algorithms found"); + return pkalg_prop; ++} ++ ++char * ++compat_kex_proposal(char *kex_prop) ++{ ++ if (!(datafellows & SSH_BUG_CURVE25519PAD)) ++ return kex_prop; ++ debug2("%s: original KEX proposal: %s", __func__, kex_prop); ++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); ++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); ++ if (*kex_prop == '\0') ++ fatal("No supported key exchange algorithms found"); ++ return kex_prop; + } + +Index: compat.h +=================================================================== +RCS file: /var/cvs/openssh/compat.h,v +retrieving revision 1.42 +retrieving revision 1.43 +diff -u -p -r1.42 -r1.43 +--- compat.h 31 Dec 2013 01:25:41 -0000 1.42 ++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43 +@@ -59,6 +59,7 @@ + #define SSH_BUG_RFWD_ADDR 0x02000000 + #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 ++#define SSH_BUG_CURVE25519PAD 0x10000000 + + void enable_compat13(void); + void enable_compat20(void); +@@ -66,6 +67,7 @@ void compat_datafellows(const char * + int proto_spec(const char *); + char *compat_cipher_proposal(char *); + char *compat_pkalg_proposal(char *); ++char *compat_kex_proposal(char *); + + extern int compat13; + extern int compat20; +Index: sshd.c +=================================================================== +RCS file: /var/cvs/openssh/sshd.c,v +retrieving revision 1.448 +retrieving revision 1.453 +diff -u -p -r1.448 -r1.453 +--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448 ++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453 +@@ -2462,6 +2438,9 @@ do_ssh2_kex(void) + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); ++ + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); +Index: sshconnect2.c +=================================================================== +RCS file: /var/cvs/openssh/sshconnect2.c,v +retrieving revision 1.197 +retrieving revision 1.199 +diff -u -p -r1.197 -r1.199 +--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197 ++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199 +@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho + } + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); + + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, +Index: bufaux.c +=================================================================== +RCS file: /var/cvs/openssh/bufaux.c,v +retrieving revision 1.62 +retrieving revision 1.63 +diff -u -p -r1.62 -r1.63 +--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62 ++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ ++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b + + if (l > 8 * 1024) + fatal("%s: length %u too long", __func__, l); ++ /* Skip leading zero bytes */ ++ for (; l > 0 && *s == 0; l--, s++) ++ ; + p = buf = xmalloc(l + 1); + /* + * If most significant bit is set then prepend a zero byte to +_______________________________________________ +openssh-unix-dev mailing list +openssh-unix-dev@mindrot.org +https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev \ No newline at end of file diff --git a/install b/install new file mode 100644 index 0000000..6f0cd37 --- /dev/null +++ b/install @@ -0,0 +1,10 @@ +post_upgrade() { + if [[ $(vercmp $2 6.2p2) = -1 ]]; then + cat < The sshd daemon has been moved to /usr/bin alongside all binaries. +==> Please update this path in your scripts if applicable. + +EOF + fi +} diff --git a/pubkey_fingerprint.patch b/pubkey_fingerprint.patch new file mode 100644 index 0000000..4956fe7 --- /dev/null +++ b/pubkey_fingerprint.patch @@ -0,0 +1,10 @@ +--- auth2-pubkey.c 2013-12-31 02:25:41.000000000 +0100 ++++ auth2-pubkey.c 2014-08-06 03:08:06.841409407 +0200 +@@ -409,6 +409,7 @@ + fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); + debug("matching key found: file %s, line %lu %s %s", + file, linenum, key_type(found), fp); ++ do_pam_putenv("SSH_FINGERPRINT", fp); + free(fp); + break; + } diff --git a/sshd.pam b/sshd.pam new file mode 100644 index 0000000..7ecef08 --- /dev/null +++ b/sshd.pam @@ -0,0 +1,6 @@ +#%PAM-1.0 +#auth required pam_securetty.so #disable remote root +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/sshd.service b/sshd.service new file mode 100644 index 0000000..55ed953 --- /dev/null +++ b/sshd.service @@ -0,0 +1,17 @@ +[Unit] +Description=OpenSSH Daemon +Wants=sshdgenkeys.service +After=sshdgenkeys.service +After=network.target + +[Service] +ExecStart=/usr/bin/sshd -D +ExecReload=/bin/kill -HUP $MAINPID +KillMode=process +Restart=always + +[Install] +WantedBy=multi-user.target + +# This service file runs an SSH daemon that forks for each incoming connection. +# If you prefer to spawn on-demand daemons, use sshd.socket and sshd@.service. diff --git a/sshd.socket b/sshd.socket new file mode 100644 index 0000000..e09e328 --- /dev/null +++ b/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Conflicts=sshd.service +Wants=sshdgenkeys.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/sshd@.service b/sshd@.service new file mode 100644 index 0000000..7ce3d37 --- /dev/null +++ b/sshd@.service @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH Per-Connection Daemon +After=sshdgenkeys.service + +[Service] +ExecStart=-/usr/bin/sshd -i +StandardInput=socket +StandardError=syslog diff --git a/sshdgenkeys.service b/sshdgenkeys.service new file mode 100644 index 0000000..1d01b7a --- /dev/null +++ b/sshdgenkeys.service @@ -0,0 +1,17 @@ +[Unit] +Description=SSH Key Generation +ConditionPathExists=|!/etc/ssh/ssh_host_key +ConditionPathExists=|!/etc/ssh/ssh_host_key.pub +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub + +[Service] +ExecStart=/usr/bin/ssh-keygen -A +Type=oneshot +RemainAfterExit=yes -- cgit v1.2.3-54-g00ecf